From isp-list at TULSACONNECT.COM Fri Nov 1 00:58:06 2002
From: isp-list at TULSACONNECT.COM (ISP List)
Date: Thu Jan 12 21:16:16 2006
Subject: Rules via SQL queries?
In-Reply-To: <5.1.0.14.2.20021026142015.045baed8@imap.ecs.soton.ac.uk>
References: <5.1.1.6.2.20021026081012.03adeff8@securemail.tulsaconnect.com>
Message-ID: <5.1.1.6.2.20021031185507.04526d30@securemail.tulsaconnect.com>

At 02:25 PM 10/26/2002 +0100, you wrote:
>What I have been thinking about is a slightly more general system than
>that. You set a parameter to be the name of a Perl function. You write the
>function, which is passed a message and returns a result for that rule.
>Then you can easily write plugins that do things like this. You also write
>an initialisation function that is called at startup for you to setup any
>global state such as database connections.
>
>And you can develop them entirely independent of the MS distribution so
>upgrading is simple.

Question on that.. in exim, if I specify something like this in the config
file:

domainlist relay_to_domains = mysql;SELECT DISTINCT domain from domains
WHERE mx1='mx10.tulsaconnect.com' AND domain='${domain}';

..it executes that sql statement for *every* message that passes through -
it does not just pull the list of domains once and cache it. In the system
you describe above for MailScanner, does it execute the Rule for each
message that is processed? (I think it does, but I just want to make sure)

--Mike

From isp-list at TULSACONNECT.COM Fri Nov 1 01:00:55 2002
From: isp-list at TULSACONNECT.COM (ISP List)
Date: Thu Jan 12 21:16:16 2006
Subject: Rules via SQL queries?
In-Reply-To: <5.1.1.6.2.20021031185507.04526d30@securemail.tulsaconnect.com>
References: <5.1.0.14.2.20021026142015.045baed8@imap.ecs.soton.ac.uk>
 <5.1.1.6.2.20021026081012.03adeff8@securemail.tulsaconnect.com>
Message-ID: <5.1.1.6.2.20021031185844.04519c48@securemail.tulsaconnect.com>

>..it executes that sql statement for *every* message that passes through -
>it does not just pull the list of domains once and cache it. In the system
>you describe above for MailScanner, does it execute the Rule for each
>message that is processed? (I think it does, but I just want to make sure)

Oh - one more question, relating to SpamAssassin. If I were to use a Rule
that set the SpamAssassin score on a *per domain* basis, will that work in
"real-time" with the way that MailScanner loads the SpamAssassin Perl stuff
into memory at initialization time? That is, would MS pass SA the score
required on each message iteration or ?

--Mike

From hs at UKPS.GWDG.DE Fri Nov 1 07:47:53 2002
From: hs at UKPS.GWDG.DE (Howard Schultens)
Date: Thu Jan 12 21:16:16 2006
Subject: sophoswrapper not found
Message-ID: <3DC231A9.5000408@ukps.gwdg.de>

Andy Wright wrote:

> ...
>
> sophoswrapper is a script that comes with Mailscanner - not with Sophos
> Sweep. Looks like you may have accidentally deleted it when you did your
> Sophos upgrade.
>
> Andy.
>

Sophos has apparently changed some things starting with the 3.62
distribution. The previous version that I used, 3.59,
had a sophoswrapper and autoupdate in /usr/local/Sophos/bin

Mailscanner has its own files sophos-wrapper and sophos-autoupdate
in /opt/Mailscanner/lib. That is what has got me confused.

I also can't find what module is asking for sophoswrapper (without
the hyphen) as a configuration file (sic!), unless it is
/usr/local/Sophos/bin/sweep.

I can't verify if sophoswrapper in version 3.59 came from Sophos
since I deleted the original tar file.

This is what I love about systems administration and programming.
Sometimes your whole world hangs on a hyphen.

..Howard
hs@ukps.gwdg.de

From richard at SARA.NL Fri Nov 1 07:55:20 2002
From: richard at SARA.NL (Richard van Drimmelen)
Date: Thu Jan 12 21:16:16 2006
Subject: Rejected posting to MAILSCANNER@JISCMAIL.AC.UK
References: <200211010746.gA17k8K20513@mta.sara.nl>
Message-ID: <3DC23368.6040609@sara.nl>

Dear mailscanner owner,

I subscribed at jiscmail, but when I want to subscribe to the mailscanner
list, I can't see it when clicking on 'Show all lists' and 'Submit'.
I see that there are 50 lists available, but no 'mailscanner' list.

I seem to misunderstand something......

L-Soft list server at JISCMAIL (1.8e) wrote:

> You are not authorized to send mail to the MAILSCANNER list from your
> richard@SARA.NL account. You might be authorized to send to the list from
> another of your accounts, or perhaps when using another mail program which
> generates slightly different addresses, but LISTSERV has no way to associate
> this other account or address with yours. If you need assistance or if you have
> any question regarding the policy of the MAILSCANNER list, please contact the
> list owners: MAILSCANNER-request@JISCMAIL.AC.UK.
>
>
> ------------------------------------------------------------------------
>
> Subject:
> incoming subdirectories
> From:
> Richard van Drimmelen
> Date:
> Fri, 01 Nov 2002 08:48:17 +0100
>
>
> Running mailscanner v4-01-8 (on Solaris 8):
>
> In /var/spool/MailScanner/incoming, there are loads of subdirectories.
> All directories are numbers: the numbers of the processes that
> mailscanner uses, or used.
> When mailscanner spawns a new child, the old process dies, but the old
> directories are not removed.
>
> Is this fixed in a newer version ?
>
>
> kind regards,

--
Richard van Drimmelen    | email: richard@sara.nl
System Services          | phone: +31 20 5928080
SARA Computing Services  | fax: +31 20 6683167

From mailscanner at BARENDSE.TO Fri Nov 1 08:26:48 2002
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:16:16 2006
Subject: small hole in SpamAssassin check?
In-Reply-To: <5.1.0.14.2.20021031224037.02360f18@imap.ecs.soton.ac.uk>
Message-ID:

Indeed, the option was set to no. Strange though because it is just a porn
spam mail which should have triggered some of SA options.

Anyways, will keep looking!

On Thu, 31 Oct 2002, Julian Field wrote:

> Compliments to Matt, I hadn't thought of that! :-)
>
> At 22:05 31/10/2002, you wrote:
> >Ok, do you have the following things set in your mailscanner.conf?
> >
> >Use SpamAssassin = yes
> >Always Include SpamAssassin Report = yes
> >
> >Note that a spamcheck header will not be included for nonspam mails unless
> >the always include option is set.
> >
> >At 09:20 PM 10/31/2002 +0100, Remco Barendse wrote:
> >>No, no exceptions made :)
> >>
> >>The mail is being bounced by a regular isp to my box, neither the ISP
> >>domain nor the sender's domain are on any list.
>
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ
>
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mailscanner at BARENDSE.TO Fri Nov 1 08:35:10 2002
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:16:16 2006
Subject: "Greetings" -- sendmail block
In-Reply-To: <5.1.0.14.2.20021030151402.07eacea8@imap.ecs.soton.ac.uk>
Message-ID:

Cool!

Unfortunately the only way for me to try it would be on a production server
because I don't use M$ Exchange at home :)

Could several of these rules be used in the sendmail conf file because
Exchange will send out unwanted messages with the following subjects:

Delivery Status Notification (Success)
Read:
Not read:
Gelezen:
Niet gelezen:

I wouldn't want to silently drop any regular mail that must go through the
server.

Is blocking these kinds of messages on the todo list of features to come
:) :) ????

Remco

On Wed, 30 Oct 2002, Julian Field wrote:

> At 08:43 30/10/2002, you wrote:
> >Would this also work for blocking the Delivery Status Notifications like
> >Read Receipt and similar messages?
>
> Probably, yes.
>
> >Or would this start a war between the linux mail gateway and the exchange
> >server resulting in tons of messages bouncing back and forth?
>
> You can send them to $#discard rather than $#error which, if I remember
> rightly, will silently throw them away.
>
>
> >On Fri, 25 Oct 2002, Julian Field wrote:
> >
> > > In case you want to block this with sendmail, so that it never gets in to
> > > your site in the first place, this will do the job in your sendmail.cf file:
> > >
> > > HSubject: $>Check_Subject
> > > D{FriendPat}you have an E-Card from
> > > D{FriendMsg}This message is probably a nasty E-Card.
> > > SCheck_Subject
> > > R$* ${FriendPat} $*	$#error $@ 5.7.1 $: ${FriendMsg}
> > >
> > > Remember that the whitespace before "$#error" has to be tabs and not spaces.
> > >
> > > If you want to expand the list of subjects, just make more pairs of "D"
> > > lines to set the patterns and messages, and add a new R line for each one.
> > >
> > > At 17:18 25/10/2002, you wrote:
> > > >At 17:06 25/10/2002, you wrote:
> > > >>On Fri, 25 Oct 2002, Julian Field wrote:
> > > >> > Would people prefer
> > > >> > 1) Replace the content of messages containing "nasty" headers such as this,
> > > >> > as if it was a virus
> > > >> > 2) Just flag it as spam and handle according to the normal "Spam Actions"
> > > >> > ?
> > > >> >
> > > >> > I'm writing (1) at the moment, but it just occurred to me that (2) might be
> > > >> > better.
> > > >> >
> > > >> > Your votes please...
> > > >>
> > > >>This is mere speculation and may be impractical, but...
> > > >>
> > > >>How about making the behaviour (currently a proposed two-list of
> > > >>"virus-like" or "spam-like") somehow selectable by the sys.admin.??
> > > >
> > > >How did I know that someone was about to say that...
> > > >:-)
> > > >
> > > >I'm going to go with the SpamAssassin solution for now, it means less work
> > > >for me and I've had a long week. More brandy needed....
> > > >--
> > > >Julian Field                Teaching Systems Manager
> > > >jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> > > >Tel. 023 8059 2817          University of Southampton
> > > >                            Southampton SO17 1BJ
> > >
> > > --
> > > Julian Field                Teaching Systems Manager
> > > jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> > > Tel. 023 8059 2817          University of Southampton
> > >                             Southampton SO17 1BJ
> > >
> > >
> >
> >--
> >This message has been scanned for viruses and
> >dangerous content by MailScanner, and is
> >believed to be clean.
>
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ
>
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mailscanner at ecs.soton.ac.uk Fri Nov 1 09:08:54 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:16 2006
Subject: sophoswrapper not found
In-Reply-To: <3DC231A9.5000408@ukps.gwdg.de>
Message-ID: <5.1.0.14.2.20021101090703.04a8e450@imap.ecs.soton.ac.uk>

At 07:47 01/11/2002, you wrote:
>Andy Wright wrote:
>>sophoswrapper is a script that comes with Mailscanner - not with Sophos
>>Sweep. Looks like you may have accidentally deleted it when you did your
>>Sophos upgrade.
>
>Sophos has apparently changed some things starting with the 3.62
>distribution. The previous version that I used, 3.59,
>had a sophoswrapper and autoupdate in /usr/local/Sophos/bin

Those scripts were never a part of Sophos (I wrote them!), they were
provided as part of the MailScanner version 3 distribution.

>Mailscanner has its own files sophos-wrapper and sophos-autoupdate
>in /opt/Mailscanner/lib. That is what has got me confused.

With the release of MailScanner 4, they have been moved to
/opt/MailScanner/lib and renamed slightly.

>I also can't find what module is asking for sophoswrapper (without
>the hyphen) as a configuration file (sic!), unless it is
>/usr/local/Sophos/bin/sweep.

Take a look in /opt/MailScanner/etc. There's a file "virus.scanners.conf"
in there.

>I can't verify if sophoswrapper in version 3.59 came from Sophos
>since I deleted the original tar file.

No it didn't.

>This is what I love about systems administration and programming.
>Sometimes your whole world hangs on a hyphen.

:-)
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Fri Nov 1 09:05:17 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:16 2006
Subject: Rules via SQL queries?
In-Reply-To: <5.1.1.6.2.20021031185507.04526d30@securemail.tulsaconnect.com>
References: <5.1.0.14.2.20021026142015.045baed8@imap.ecs.soton.ac.uk>
 <5.1.1.6.2.20021026081012.03adeff8@securemail.tulsaconnect.com>
Message-ID: <5.1.0.14.2.20021101090204.04871a20@imap.ecs.soton.ac.uk>

At 00:58 01/11/2002, you wrote:
>At 02:25 PM 10/26/2002 +0100, you wrote:
>>What I have been thinking about is a slightly more general system than
>>that. You set a parameter to be the name of a Perl function. You write the
>>function, which is passed a message and returns a result for that rule.
>>Then you can easily write plugins that do things like this. You also write
>>an initialisation function that is called at startup for you to setup any
>>global state such as database connections.
>>
>>And you can develop them entirely independent of the MS distribution so
>>upgrading is simple.
>
>Question on that.. in exim, if I specify something like this in the config
>file:
>
>domainlist relay_to_domains = mysql;SELECT DISTINCT domain from domains
>WHERE mx1='mx10.tulsaconnect.com' AND domain='${domain}';
>
>..it executes that sql statement for *every* message that passes through -
>it does not just pull the list of domains once and cache it. In the system
>you describe above for MailScanner, does it execute the Rule for each
>message that is processed? (I think it does, but I just want to make sure)

It can do both :-)
You get to write an "InitYourFunction" function which is called once at
startup (or re-start, so it gets run once every 4 hours by default). This
function can create database connections, do SQL queries and cache the
results in a global variable, whatever you like.
You also write the "YourFunction" function which is called for every message.
Whether you make this do an SQL query to a database whose connection you
cached, or whether you just look up the results in a global variable that
was set by "InitYourFunction" is entirely up to you.
One way gets you more speed, the other way picks up any data changes
immediately.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Fri Nov 1 09:06:32 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:16 2006
Subject: Rules via SQL queries?
In-Reply-To: <5.1.1.6.2.20021031185844.04519c48@securemail.tulsaconnect.com>
References: <5.1.1.6.2.20021031185507.04526d30@securemail.tulsaconnect.com>
 <5.1.0.14.2.20021026142015.045baed8@imap.ecs.soton.ac.uk>
 <5.1.1.6.2.20021026081012.03adeff8@securemail.tulsaconnect.com>
Message-ID: <5.1.0.14.2.20021101090524.04869268@imap.ecs.soton.ac.uk>

At 01:00 01/11/2002, you wrote:
>>..it executes that sql statement for *every* message that passes through -
>>it does not just pull the list of domains once and cache it. In the system
>>you describe above for MailScanner, does it execute the Rule for each
>>message that is processed? (I think it does, but I just want to make sure)
>
>Oh - one more question, relating to SpamAssassin. If I were to use a Rule
>that set the SpamAssassin score on a *per domain* basis, will that work in
>"real-time" with the way that MailScanner loads the SpamAssassin Perl stuff
>into memory at initialization time? That is, would MS pass SA the score
>required on each message iteration or ?

It will work in "real-time". MS passes SA the required score for each
message individually.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Fri Nov 1 09:12:47 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:16 2006
Subject: "Greetings" -- sendmail block
In-Reply-To:
References: <5.1.0.14.2.20021030151402.07eacea8@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021101091154.04861c80@imap.ecs.soton.ac.uk>

At 08:35 01/11/2002, you wrote:
>Is blocking these kinds of messages on the todo list of features to come

Yes, eventually. I still need some more examples of all the status messages
Exchange can produce (in English) so I can work out a robust way of
spotting which ones I want to delete.

>On Wed, 30 Oct 2002, Julian Field wrote:
>
> > At 08:43 30/10/2002, you wrote:
> > >Would this also work for blocking the Delivery Status Notifications like
> > >Read Receipt and similar messages?
> >
> > Probably, yes.
> >
> > >Or would this start a war between the linux mail gateway and the exchange
> > >server resulting in tons of messages bouncing back and forth?
> >
> > You can send them to $#discard rather than $#error which, if I remember
> > rightly, will silently throw them away.
> >
> >
> > >On Fri, 25 Oct 2002, Julian Field wrote:
> > >
> > > > In case you want to block this with sendmail, so that it never gets in to
> > > > your site in the first place, this will do the job in your sendmail.cf file:
> > > >
> > > > HSubject: $>Check_Subject
> > > > D{FriendPat}you have an E-Card from
> > > > D{FriendMsg}This message is probably a nasty E-Card.
> > > > SCheck_Subject
> > > > R$* ${FriendPat} $*	$#error $@ 5.7.1 $: ${FriendMsg}
> > > >
> > > > Remember that the whitespace before "$#error" has to be tabs and not spaces.
> > > >
> > > > If you want to expand the list of subjects, just make more pairs of "D"
> > > > lines to set the patterns and messages, and add a new R line for each one.
> > > >
> > > > At 17:18 25/10/2002, you wrote:
> > > > >At 17:06 25/10/2002, you wrote:
> > > > >>On Fri, 25 Oct 2002, Julian Field wrote:
> > > > >> > Would people prefer
> > > > >> > 1) Replace the content of messages containing "nasty" headers such as this,
> > > > >> > as if it was a virus
> > > > >> > 2) Just flag it as spam and handle according to the normal "Spam Actions"
> > > > >> > ?
> > > > >> >
> > > > >> > I'm writing (1) at the moment, but it just occurred to me that (2) might be
> > > > >> > better.
> > > > >> >
> > > > >> > Your votes please...
> > > > >>
> > > > >>This is mere speculation and may be impractical, but...
> > > > >>
> > > > >>How about making the behaviour (currently a proposed two-list of
> > > > >>"virus-like" or "spam-like") somehow selectable by the sys.admin.??
> > > > >
> > > > >How did I know that someone was about to say that...
> > > > >:-)
> > > > >
> > > > >I'm going to go with the SpamAssassin solution for now, it means less work
> > > > >for me and I've had a long week. More brandy needed....
> > > > >--
> > > > >Julian Field                Teaching Systems Manager
> > > > >jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> > > > >Tel. 023 8059 2817          University of Southampton
> > > > >                            Southampton SO17 1BJ
> > > >
> > > > --
> > > > Julian Field                Teaching Systems Manager
> > > > jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> > > > Tel. 023 8059 2817          University of Southampton
> > > >                             Southampton SO17 1BJ
> > > >
> > > >
> > >
> > >--
> > >This message has been scanned for viruses and
> > >dangerous content by MailScanner, and is
> > >believed to be clean.
> >
> > --
> > Julian Field                Teaching Systems Manager
> > jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> > Tel. 023 8059 2817          University of Southampton
> >                             Southampton SO17 1BJ
> >
> >
>
>--
>This message has been scanned for viruses and
>dangerous content by MailScanner, and is
>believed to be clean.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From P.G.M.Peters at civ.utwente.nl Fri Nov 1 09:22:23 2002
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:16:16 2006
Subject: version 4 config
In-Reply-To: <5.1.0.14.2.20021031174151.061ac238@imap.ecs.soton.ac.uk>
References: <200210311131.24989.lbergman@wtxs.net>
 <5.1.0.14.2.20021031174151.061ac238@imap.ecs.soton.ac.uk>
Message-ID:

Julian,

On Thu, 31 Oct 2002 17:49:11 +0000, you wrote:

>>The other question is on the "Spam List = " ruleset. What would be the general
>>form of this?
>
>Space-separated list of blocklists, which are defined in
>/etc/MailScanner/spam.lists.conf.

I notice you have a number of domain-related RFC-IGNORANT blacklists in
that file but you don't have RFC-IGNORANT-IPWHOIS in there with the
IP-based blacklists.

I have added the following blacklists:
|WIREHUB-DNSBL           blackholes.wirehub.net.
|SPEWS                   spews.relays.osirusoft.com.
|RFC-IGNORANT-IPWHOIS    ipwhois.rfc-ignorant.org.

--
Peter Peters
senior network administrator, Centrum voor Informatievoorziening,
Universiteit Twente, Postbus 217, 7500 AE Enschede
phone: +31 53 489 2301, fax: +31 53 489 2383, http://www.utwente.nl/civ

From raymond at PROLOCATION.NET Fri Nov 1 09:25:50 2002
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:16:16 2006
Subject: sophoswrapper not found
In-Reply-To: <5.1.0.14.2.20021101090703.04a8e450@imap.ecs.soton.ac.uk>
Message-ID:

Hi Julian,

> >Sophos has apparently changed some things starting with the 3.62
> >distribution. The previous version that I used, 3.59,
> >had a sophoswrapper and autoupdate in /usr/local/Sophos/bin
>
> Those scripts were never a part of Sophos (I wrote them!), they were
> provided as part of the MailScanner version 3 distribution.

Could you do a simple check with the RPM upgrade? I am using f-prot but
have to delete the Sophos update script from the cron.daily every time i
do a RPM upgrade.

Thanks,
Raymond.

From mailscanner at ecs.soton.ac.uk Fri Nov 1 09:34:31 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:16 2006
Subject: sophoswrapper not found
In-Reply-To:
References: <5.1.0.14.2.20021101090703.04a8e450@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021101093358.065a4c28@imap.ecs.soton.ac.uk>

At 09:25 01/11/2002, you wrote:
>Hi Julian,
>
> > >Sophos has apparently changed some things starting with the 3.62
> > >distribution. The previous version that I used, 3.59,
> > >had a sophoswrapper and autoupdate in /usr/local/Sophos/bin
> >
> > Those scripts were never a part of Sophos (I wrote them!), they were
> > provided as part of the MailScanner version 3 distribution.
>
>Could you do a simple check with the RPM upgrade? I am using f-prot but
>have to delete the Sophos update script from the cron.daily every time i
>do a RPM upgrade.

No need. The Sophos update cron job checks to see if you have Sophos
installed before doing anything. If you haven't got it installed it just
quietly exits.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From raymond at PROLOCATION.NET Fri Nov 1 09:52:26 2002
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:16:16 2006
Subject: sophoswrapper not found
In-Reply-To: <5.1.0.14.2.20021101093358.065a4c28@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> >Could you do a simple check with the RPM upgrade? I am using f-prot but
> >have to delete the Sophos update script from the cron.daily every time i
> >do a RPM upgrade.

> No need. The Sophos update cron job checks to see if you have Sophos
> installed before doing anything. If you haven't got it installed it just
> quietly exits.

Sure, that works, but i'd rather not see it there :)

Bye,
Raymond.

From mailscanner at ecs.soton.ac.uk Fri Nov 1 10:10:55 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:16 2006
Subject: sophoswrapper not found
In-Reply-To:
References: <5.1.0.14.2.20021101093358.065a4c28@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021101101008.04a84340@imap.ecs.soton.ac.uk>

At 09:52 01/11/2002, you wrote:
>Hi!
>
> > >Could you do a simple check with the RPM upgrade? I am using f-prot but
> > >have to delete the Sophos update script from the cron.daily every time i
> > >do a RPM upgrade.
>
> > No need. The Sophos update cron job checks to see if you have Sophos
> > installed before doing anything. If you haven't got it installed it just
> > quietly exits.
>
>Sure, that works, but i'd rather not see it there :)

And if you were to install Sophos after MailScanner?
You would have to create the cron job yourself, which is more difficult
than copying+editing one that is already there.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From raymond at PROLOCATION.NET Fri Nov 1 10:28:27 2002
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:16:16 2006
Subject: sophoswrapper not found
In-Reply-To: <5.1.0.14.2.20021101101008.04a84340@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> >Sure, that works, but i'd rather not see it there :)

> And if you were to install Sophos after MailScanner?
> You would have to create the cron job yourself, which is more difficult
> than copying+editing one that is already there.

Normally, when someone used 'Upgrade' that's not the case. =)

But i'll delete it manually now :)

Bye,
Raymond.

From P.G.M.Peters at civ.utwente.nl Fri Nov 1 10:31:04 2002
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:16:16 2006
Subject: Rules via SQL queries?
In-Reply-To: <5.1.0.14.2.20021026155413.01dbc960@imap.ecs.soton.ac.uk>
References: <5.1.1.6.2.20021026081012.03adeff8@securemail.tulsaconnect.com>
 <5.1.0.14.2.20021026142015.045baed8@imap.ecs.soton.ac.uk>
 <5.1.0.14.2.20021026155413.01dbc960@imap.ecs.soton.ac.uk>
Message-ID: <3el4su4tnmqqeo2c4jbq7l6j6qg7q667sm@4ax.com>

On Sat, 26 Oct 2002 15:59:19 +0100, you wrote:

>If you want to give it a try, you'll find a new set of "mailscanner",
>"Config.pm" and "CustomConfig.pm" files attached. Have a read of
>CustomConfig.pm and see if it explains enough so you can see what you need
>to do.

I had problems finding the files inside the .zip file. It turned out I
had to change it to a .gz file and the resulting file seemed to be a
tar-file.

And with that comes my question:
There are two functions Initmyfunction and myfunction. But what if I
open a database and would like to close it when it is time for MS to
restart. Shouldn't there be a function like Endmyfunction?

--
Peter Peters
senior network administrator, Centrum voor Informatievoorziening,
Universiteit Twente, Postbus 217, 7500 AE Enschede
phone: +31 53 489 2301, fax: +31 53 489 2383, http://www.utwente.nl/civ

From mailscanner at ecs.soton.ac.uk Fri Nov 1 11:04:41 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:16 2006
Subject: Rules via SQL queries?
In-Reply-To: <3el4su4tnmqqeo2c4jbq7l6j6qg7q667sm@4ax.com>
References: <5.1.0.14.2.20021026155413.01dbc960@imap.ecs.soton.ac.uk>
 <5.1.1.6.2.20021026081012.03adeff8@securemail.tulsaconnect.com>
 <5.1.0.14.2.20021026142015.045baed8@imap.ecs.soton.ac.uk>
 <5.1.0.14.2.20021026155413.01dbc960@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021101105645.05f7e978@imap.ecs.soton.ac.uk>

At 10:31 01/11/2002, you wrote:
>On Sat, 26 Oct 2002 15:59:19 +0100, you wrote:
>
> >If you want to give it a try, you'll find a new set of "mailscanner",
> >"Config.pm" and "CustomConfig.pm" files attached. Have a read of
> >CustomConfig.pm and see if it explains enough so you can see what you need
> >to do.
>
>I had problems finding the files inside the .zip file. It turned out I
>had to change it to a .gz file and the resulting file seemed to be a
>tar-file.
>
>And with that comes my question:
>There are two functions Initmyfunction and myfunction. But what if I
>open a database and would like to close it when it is time for MS to
>restart. Shouldn't there be a function like Endmyfunction?

Yes, that did occur to me. But the database should notice that the process
on the client end of the function has exited and clear up anyway.

Okay, I've added an "End" function to them. It will get called whenever the
MailScanner processes die of old age or receive a "SIGHUP" (which forces
them to be respawned).

Hopefully this is the last change I will have to make, as changing this
stuff requires people to change their CustomConfig.pm functions to match
the new structure.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From carl.boberg at NRM.SE Fri Nov 1 12:24:58 2002
From: carl.boberg at NRM.SE (Carl Boberg)
Date: Thu Jan 12 21:16:16 2006
Subject: Mime problem?
Message-ID:

Hi all,
This logs to my console every now and then since I upgraded to MS 4 (from
3.x)

ignoring text in character set `WINDOWS-1252'
 at /usr/lib/perl5/site_perl/5.6.1/MIME/Parser/Filer.pm line 646

Just wondering if this is something to be concerned about?
If it is ignoring text can it still check it for Spam?
Maybe this really should be a question for SA?

Tnx in advance.

Regards
---------------------------------
Carl Boberg
System & Network Administrator
Dept. of Information Technology
Swedish Museum of Natural History
Frescativ. 40
104 05 Stockholm
carl.boberg@nrm.se
Phone: 08-519 551 16
Mobile: 0701-82 40 55
---------------------------------

From hs at UKPS.GWDG.DE Fri Nov 1 12:38:59 2002
From: hs at UKPS.GWDG.DE (Howard Schultens)
Date: Thu Jan 12 21:16:16 2006
Subject: sophoswrapper not found
References: <5.1.0.14.2.20021101090703.04a8e450@imap.ecs.soton.ac.uk>
Message-ID: <3DC275E3.6010600@ukps.gwdg.de>

Julian Field wrote, in part:

>>
>
> With the release of MailScanner 4, they have been moved to
> /opt/MailScanner/lib and renamed slightly.
>
>> I also can't find what module is asking for sophoswrapper (without
>> the hyphen) as a configuration file (sic!), unless it is
>> /usr/local/Sophos/bin/sweep.
>
>
> Take a look in /opt/MailScanner/etc. There's a file "virus.scanners.conf"
> in there.
>
>

OK, I see

# This is a list of the names of the virus scanning engines, along with the
# filename of the command or script to run to invoke each one.
sophos /opt/MailScanner/lib/sophos-wrapper

in there, but still some part of MailScanner is unhappy and says

Nov 1 13:00:02 tonne mailscanner[18621]: Configuration file
/usr/local/Sophos/bin/sophoswrapper could not be opened for reading!

And the count of viruses found is ALWAYS zero since I updated (to MS
401-8).
I don't believe we're THAT clean!

...Howard

From mike at CAMAROSS.NET Fri Nov 1 12:43:13 2002
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:16:16 2006
Subject: sophoswrapper not found
In-Reply-To: <3DC275E3.6010600@ukps.gwdg.de>
Message-ID: <00b901c281a4$58d88640$6501a8c0@mikedesk>

Have you tried reinstalling Sophos with Julian's script?

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
Behalf Of Howard Schultens
Sent: Friday, November 01, 2002 6:39 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: sophoswrapper not found

Julian Field wrote, in part:

>>
>
> With the release of MailScanner 4, they have been moved to
> /opt/MailScanner/lib and renamed slightly.
>
>> I also can't find what module is asking for sophoswrapper (without
>> the hyphen) as a configuration file (sic!), unless it is
>> /usr/local/Sophos/bin/sweep.
>
>
> Take a look in /opt/MailScanner/etc. There's a file
> "virus.scanners.conf" in there.
>
>

OK, I see

# This is a list of the names of the virus scanning engines, along with the
# filename of the command or script to run to invoke each one.
sophos /opt/MailScanner/lib/sophos-wrapper

in there, but still some part of MailScanner is unhappy and says

Nov 1 13:00:02 tonne mailscanner[18621]: Configuration file
/usr/local/Sophos/bin/sophoswrapper could not be opened for reading!

And the count of viruses found is ALWAYS zero since I updated (to MS
401-8).
I don't believe we're THAT clean!

...Howard

From mailscanner at ecs.soton.ac.uk Fri Nov 1 12:34:03 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:16 2006 Subject: Mime problem? In-Reply-To: Message-ID: <5.1.0.14.2.20021101123150.05f9d690@imap.ecs.soton.ac.uk> At 12:24 01/11/2002, you wrote: >Hi all, >This logs to my console every now and then since I upgraded to MS 4 (from >3.x) > >ignoring text in character set `WINDOWS-1252' > at /usr/lib/perl5/site_perl/5.6.1/MIME/Parser/Filer.pm line 646 > >Just wondering if this is something to be concerned about? >If it is ignoring text kan it still check it for Spam? >Maybe this really should be a question for SA? I have already fixed this (couple of days ago) and this will be included in the security release of MailScanner 3 and 4 that I will be doing in a day or two. It's not actually very important at all, it doesn't affect the virus scanning. It only affects the attachment filenames, it does not affect the contents of the attachments. It's a MIME-tools problem, which fortunately I have worked around without anyone needing to patch the MIME-tools modules themselves. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Nov 1 12:39:32 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:16 2006
Subject: sophoswrapper not found
In-Reply-To: <3DC275E3.6010600@ukps.gwdg.de>
References: <5.1.0.14.2.20021101090703.04a8e450@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021101123806.044fc230@imap.ecs.soton.ac.uk>

At 12:38 01/11/2002, you wrote:
>Julian Field wrote, in part:
>
>>With the release of MailScanner 4, they have been moved to
>>/opt/MailScanner/lib and renamed slightly.
>>
>>>I also can't find what module is asking for sophoswrapper (without
>>>the hyphen) as a configuration file (sic!), unless it is
>>>/usr/local/Sophos/bin/sweep.
>>
>>Take a look in /opt/MailScanner/etc. There's a file "virus.scanners.conf"
>>in there.
>
>OK, I see
>
># This is a list of the names of the virus scanning engines, along with the
># filename of the command or script to run to invoke each one.
>sophos /opt/MailScanner/lib/sophos-wrapper
>
>in there, but still some part of MailScanner is unhappy and says
>
>Nov 1 13:00:02 tonne mailscanner[18621]: Configuration file
>/usr/local/Sophos/bin/sophoswrapper could not be opened for reading!

The fact that it happened at 2 seconds past the hour points to an old
cron job.

>And the count of viruses found is ALWAYS zero since I updated (to MS
>401-8).
>I don't believe we're THAT clean!

Test out running
        /opt/MailScanner/lib/sophos-wrapper /tmp
and check it outputs something sensible. Also run the autoupdate script by
hand and check it leaves a working "sophos-wrapper".
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From hs at UKPS.GWDG.DE Fri Nov 1 13:36:26 2002
From: hs at UKPS.GWDG.DE (Howard Schultens) Date: Thu Jan 12 21:16:16 2006 Subject: sophoswrapper not found References: <5.1.0.14.2.20021101090703.04a8e450@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021101123806.044fc230@imap.ecs.soton.ac.uk> Message-ID: <3DC2835A.8080301@ukps.gwdg.de> You really respond quickly! Julian Field wrote: > Test out running > /opt/MailScanner/lib/sophos-wrapper /tmp > and check it outputs something sensible. Also run the autoupdate > script by > hand and check it leaves a working "sophos-wrapper". I just installed MS 4.04-1, and this seems to have fixed the problem. I also did the test with sophos-autoupdate, and it seems to work fine. My crontab for root has the line: 01 08 * * * /opt/MailScanner/lib/sophos-autoupdate >> /var/log/sophos 2>&1 Should be OK(?). .. Howard Schultens hs@ukps.gwdg.de From LISTSERV at JISCMAIL.AC.UK Fri Nov 1 13:36:31 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:16:16 2006 Subject: MAILSCANNER: ellis@KAZAKCOMPOSITES.COM requested to join Message-ID: <200211011336.NAA10620@magpie.ecs.soton.ac.uk> Fri, 1 Nov 2002 13:36:31 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Steve Ellis . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER ellis@KAZAKCOMPOSITES.COM Steve Ellis The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+ellis%40KAZAKCOMPOSITES.COM+Steve+Ellis&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From LISTSERV at JISCMAIL.AC.UK Fri Nov 1 13:49:51 2002 
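Julian's timestamp reasoning in the sophoswrapper thread (an error logged at 13:00:02 points to a cron job) can be checked mechanically against a crontab. The following is an added example, not code from the thread or from MailScanner: the syslog line and the 08:01 autoupdate entry are taken from the messages above, while the hourly entry and its path are a constructed stand-in for the unknown old job.

```python
import re
from datetime import datetime

# "Mon D HH:MM:SS host prog[pid]: message" (classic syslog, no year field)
SYSLOG_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+"
    r"[^\[:\s]+(?:\[\d+\])?:\s+(?P<msg>.*)$"
)

def parse_syslog(line, year):
    """Return (timestamp, message) or None; the year must be supplied."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m.group("stamp").split())
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m.group("msg")

def expand_field(field, lo, hi):
    """Expand one numeric crontab field (*, a, a-b, lists, /step) to a set."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_s = part.split("/", 1)
            step = int(step_s)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        values.update(range(start, end + 1, step))
    return values

def parse_crontab(text):
    """Parse user-crontab lines; month/day names and @reboot etc. are not handled."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_]+\s*=", line):
            continue  # blank, comment, or environment assignment
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        minute, hour, dom, month, dow, command = parts
        entries.append({
            "minute": expand_field(minute, 0, 59),
            "hour": expand_field(hour, 0, 23),
            "dom": expand_field(dom, 1, 31),
            "month": expand_field(month, 1, 12),
            "dow": {d % 7 for d in expand_field(dow, 0, 7)},  # 7 also means Sunday
            "day_is_and": dom == "*" or dow == "*",
            "command": command,
        })
    return entries

def fires_at(entry, ts):
    """True if the entry is scheduled for the minute containing ts."""
    dom_ok = ts.day in entry["dom"]
    dow_ok = (ts.weekday() + 1) % 7 in entry["dow"]  # cron: Sunday = 0
    # cron rule: if both day fields are restricted, either one may match
    day_ok = (dom_ok and dow_ok) if entry["day_is_and"] else (dom_ok or dow_ok)
    return (ts.minute in entry["minute"] and ts.hour in entry["hour"]
            and ts.month in entry["month"] and day_ok)

def cron_suspects(log_line, crontab_text, year, max_delay=5):
    """Commands scheduled for the minute of a log event seen within
    max_delay seconds of that minute's start."""
    parsed = parse_syslog(log_line, year)
    if parsed is None:
        return []
    ts, _msg = parsed
    if ts.second > max_delay:
        return []
    return [e["command"] for e in parse_crontab(crontab_text) if fires_at(e, ts)]

# Syslog line quoted in the thread.
LOG_LINE = ("Nov 1 13:00:02 tonne mailscanner[18621]: Configuration file "
            "/usr/local/Sophos/bin/sophoswrapper could not be opened for reading!")

CRONTAB = """\
# constructed: stand-in for a forgotten hourly job (path is a placeholder)
0 * * * * /path/to/old-hourly-job
# from the thread: the daily autoupdate entry in root's crontab
01 08 * * * /opt/MailScanner/lib/sophos-autoupdate >> /var/log/sophos 2>&1
"""

if __name__ == "__main__":
    for cmd in cron_suspects(LOG_LINE, CRONTAB, 2002):
        print("scheduled at the time of the error:", cmd)
```

The 08:01 autoupdate entry is not reported for the 13:00:02 error, so on a real system the crontabs of every user and the system cron directories would be the next place to look for an entry that is.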
From lbergman at wtxs.net Fri Nov 1 14:50:29 2002
From: lbergman at wtxs.net (Lewis Bergman)
Date: Thu Jan 12 21:16:16 2006
Subject: relay hits not triggering automatic spam tag
Message-ID: <200211010850.29220.lbergman@wtxs.net>

I have noticed that if a message has a hit from an RBL that it is not
automatically designated high scoring. I am sure this is by design. My
questions are these:

1. I have MS doing the rbls not SA so where are the scores for the rbl's
coming from?
3. If scores are gained from SA then I can use spam.assassin.prefs.conf to
tune the score for the lists I trust for this to always reach the high score
as mentioned in the conf file right?
2. If not 1 | 2 then should I change my setup to do all rbl lookups in SA so
that I can use spam.assassin.prefs.conf to assign a higher score so that I am
sure it is acted on?
--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
915-695-6962 ext 115

From mailscanner at ecs.soton.ac.uk Fri Nov 1 15:03:21 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:16 2006 Subject: relay hits not triggering automatic spam tag In-Reply-To: <200211010850.29220.lbergman@wtxs.net> Message-ID: <5.1.0.14.2.20021101150209.044dc3f8@imap.ecs.soton.ac.uk> At 14:50 01/11/2002, you wrote: >I have noticed that if a message has a hit from an RBL that it is not >automatically designated high scoring. I am sure this is by design. My >questions are these: > >1. I have MS doing the rbls not SA so where are the scores for the rbl's >coming from? There is no "score" associated with an RBL hit found by MailScanner. >3. If scores are gained from SA then I can use spam.assassin.prefs.conf to >tune the score for the lists I trust for this to always reach the high score >as mentioned in the conf file right? You will need to make SA do the RBL lookups in this case, not MS. >2. If not 1 | 2 the should I change my setup to do all rbl lookups in SA so >that I can use spam.assassin.prefs.conf to assign a higher score so that I am >sure it is acted on? Yes. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From lbergman at wtxs.net Fri Nov 1 15:19:04 2002 
From: lbergman at wtxs.net (Lewis Bergman) Date: Thu Jan 12 21:16:16 2006 Subject: relay hits not triggering automatic spam tag In-Reply-To: <5.1.0.14.2.20021101150209.044dc3f8@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20021101150209.044dc3f8@imap.ecs.soton.ac.uk> Message-ID: <200211010919.04292.lbergman@wtxs.net> > >1. I have MS doing the rbls not SA so where are the scores for the rbl's > >coming from? > > There is no "score" associated with an RBL hit found by MailScanner. With this being the case I am wondering: What does the rbl check in MS do or what is it used for? I am sure I am missing something here I just don't know what. Time to hit the SA docs I guess. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From james at PCXPERIENCE.COM Fri Nov 1 15:33:35 2002 
From: james at PCXPERIENCE.COM (James A. Pattie) Date: Thu Jan 12 21:16:16 2006 Subject: Rules via SQL queries? References: <5.1.0.14.2.20021026155413.01dbc960@imap.ecs.soton.ac.uk> <5.1.1.6.2.20021026081012.03adeff8@securemail.tulsaconnect. com> <5.1.0.14.2.20021026142015.045baed8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021026155413.01dbc960@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021101105645.05f7e978@imap.ecs.soton.ac.uk> Message-ID: <3DC29ECF.7070700@pcxperience.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Julian Field wrote: > At 10:31 01/11/2002, you wrote: > >> On Sat, 26 Oct 2002 15:59:19 +0100, you wrote: >> >> >If you want to give it a try, you'll find a new set of "mailscanner", >> >"Config.pm" and "CustomConfig.pm" files attached. Have a read of >> >CustomConfig.pm and see if it explains enough so you can see what you >> need >> >to do. >> >> I had problems finding the files inside the .zip file. It turned out I >> had to change it to a .gz file and the resulting file seemed to be a >> tar-file. >> >> And with that comes my question: >> There are two functions Initmyfunction and myfunction. But what if I >> open a database and would like to close it when it is time for MS to >> restart. Shouldn't there be function like Endmyfunction? > > > Yes, that did occur to me. But the database should notice that the process > on the client end of the function has exited and clear up anyway. > > Okay, I've added an "End" function to them. It will get called whenever the > MailScanner processes die of old age or receive a "SIGHUP" (which forces > them to be respawned). > > Hopefully this is the last change I will have to make, as changing this > stuff requires people to change their CustomConfig.pm functions to match > the new structure. Alternatively you could use the DBIWrapper module I maintain (http://dbiwrapper.sf.net/) to make your connection to the database. 
When the object you instantiated goes out of scope I automatically close the connection to the database and cleanup. It currently only supports MySQL, PostgreSQL and ODBC DBI modules. - -- James A. Pattie james@pcxperience.com Linux -- SysAdmin / Programmer Xperience, Inc. http://www.pcxperience.com/ http://www.xperienceinc.com/ GPG Key Available at http://www.pcxperience.com/gpgkeys/james.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE9wp7PtUXjwPIRLVERAvRXAKC1ayB5JeQtmUhKCL5vpUYd6i2SVACgxWVs FSbctA3u5hYiJJaKYep+PyQ= =TXDp -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at ecs.soton.ac.uk Fri Nov 1 15:32:47 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:16 2006 Subject: relay hits not triggering automatic spam tag In-Reply-To: <200211010919.04292.lbergman@wtxs.net> References: <5.1.0.14.2.20021101150209.044dc3f8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021101150209.044dc3f8@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20021101153214.04636c88@imap.ecs.soton.ac.uk> At 15:19 01/11/2002, you wrote: > > >1. I have MS doing the rbls not SA so where are the scores for the rbl's > > >coming from? > > > > There is no "score" associated with an RBL hit found by MailScanner. >With this being the case I am wondering: >What does the rbl check in MS do or what is it used for? Presence in an RBL implies spam tag. > I am sure I am >missing something here I just don't know what. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From alex at IALEX.NET Fri Nov 1 15:31:30 2002 
From: alex at IALEX.NET (Alex Short)
Date: Thu Jan 12 21:16:16 2006
Subject: Mail Relay to Lotus
Message-ID:

Here's my problem, mail comes into the company via a web-proxy running on
the firewall, that will be proxy'ing to the "mailscanner" machine. Call
it mail-gw. My wish is it to scan the email and pass it on to the domino
server. We run internal and external dns for this hostname, so how i had
envisioned it is this.

externally mx is ip of the firewall with the proxy
internally mx is the ip of the domino server (5) and mail-gw (10)

The problem is this, using that setup, any internal systems that require
to email internally will try hitting the domino server. Perfect you
think, wrong! the domino server (which isn't mine to administer) is setup
to only accept connections from the mail-gw ip.

Basically i'm trying to get rid of the mcafee scanner that currently sits
on a winbox and replace it, but i'm finding it difficult telling
mailscanner to scan and forward without relying on DNS. I suppose i could
run a separate dns server on the mailgw and mx is only the domino server,
but i think that would be tremendous pain in the ass to have two
independent dns servers.

Any ideas.. at my old workplace i used amavis and just set DH in sendmail
config file to the destination for all mail. Trying this with MailScanner
basically got ignored ;)

Alex

From LISTSERV at JISCMAIL.AC.UK Fri Nov 1 16:55:25 2002
From mailscanner at ecs.soton.ac.uk Fri Nov 1 17:05:36 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:16 2006 Subject: Mail Relay to Lotus In-Reply-To: Message-ID: <5.1.0.14.2.20021101170405.06062130@imap.ecs.soton.ac.uk> You should be able to use the same DNS/sendmail setup you used before. MailScanner does not get involved in the delivery process in any way whatsoever. Set sendmail+dns so it is doing the forwarding you want to happen, then just drop in MailScanner. At 15:31 01/11/2002, you wrote: >Here's my problem, mail comes into the company via a web-proxy running on >the firewall, that will be proxy'ing to the "mailscanner" machine. Call >it mail-gw. My wish is it to scan the email and pass it on to the domino >server. We run internal and external dns for this hostname, so how i had >invisioned it is this. > >externally mx is ip of the firewall with the proxy >internally mx is the ip of the domino server (5) and mail-gw (10) > >The problem is this, using that setup, any internal systems that require >to email internally will try hitting the domino server. Perfect you >think, wrong! the domino server (which isn't mine to administer) is setup >to only accept connections from the mail-gw ip. > >Basically i'm trying to get rid of the mcafee scanner that currently sits >on a winbox and replace it, but i'm finding it difficult telling >mailscanner to scan and forward without relying on DNS. I suppose i could >run a seperate dns server on the mailgw and mx is only the domino server, >but i think that would be tremendous pain in the ass to have two >independent dns servers. > >Any ideas.. at my old workplace i used amavis and just set DH in sendmail >config file to the destination for all mail. Trying this with MailScanner >basically got ignored ;) > >Alex -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at BARENDSE.TO Fri Nov 1 17:15:33 2002 
From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:16:16 2006 Subject: Mail Relay to Lotus In-Reply-To: <5.1.0.14.2.20021101170405.06062130@imap.ecs.soton.ac.uk> Message-ID: or even simpler make an entry in your /etc/mail/mailertablefile like this yourdomain.com esmtp:[10.1.0.20] That's what I do to feed M$ Exchange on a local ip the []'s make sure that sendmail doesn't do a lookup for the ip Remco On Fri, 1 Nov 2002, Julian Field wrote: > You should be able to use the same DNS/sendmail setup you used before. > MailScanner does not get involved in the delivery process in any way > whatsoever. > > Set sendmail+dns so it is doing the forwarding you want to happen, then > just drop in MailScanner. > > At 15:31 01/11/2002, you wrote: > >Here's my problem, mail comes into the company via a web-proxy running on > >the firewall, that will be proxy'ing to the "mailscanner" machine. Call > >it mail-gw. My wish is it to scan the email and pass it on to the domino > >server. We run internal and external dns for this hostname, so how i had > >invisioned it is this. > > > >externally mx is ip of the firewall with the proxy > >internally mx is the ip of the domino server (5) and mail-gw (10) > > > >The problem is this, using that setup, any internal systems that require > >to email internally will try hitting the domino server. Perfect you > >think, wrong! the domino server (which isn't mine to administer) is setup > >to only accept connections from the mail-gw ip. > > > >Basically i'm trying to get rid of the mcafee scanner that currently sits > >on a winbox and replace it, but i'm finding it difficult telling > >mailscanner to scan and forward without relying on DNS. I suppose i could > >run a seperate dns server on the mailgw and mx is only the domino server, > >but i think that would be tremendous pain in the ass to have two > >independent dns servers. > > > >Any ideas.. 
at my old workplace i used amavis and just set DH in sendmail > >config file to the destination for all mail. Trying this with MailScanner > >basically got ignored ;) > > > >Alex > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From lbergman at wtxs.net Fri Nov 1 17:17:36 2002 From: lbergman at wtxs.net (Lewis Bergman) Date: Thu Jan 12 21:16:16 2006 Subject: good version of SpamAssassin? Message-ID: <200211011117.36962.lbergman@wtxs.net> I vaguely remember there being some problem with a certain version of SA. Was I imagining this? I am about to go from 2.31 to 2.43 and wanted to ensure I wasn't buggering something up. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From LISTSERV at JISCMAIL.AC.UK Fri Nov 1 17:15:27 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:16:16 2006 Subject: MAILSCANNER: rhicks@MINES.EDU requested to join Message-ID: <200211011715.RAA11422@magpie.ecs.soton.ac.uk> Fri, 1 Nov 2002 17:15:27 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Robert Hicks . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER rhicks@MINES.EDU Robert Hicks The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+rhicks%40MINES.EDU+Robert+Hicks&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From mailscanner at ecs.soton.ac.uk Fri Nov 1 17:20:19 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:16 2006 Subject: good version of SpamAssassin? In-Reply-To: <200211011117.36962.lbergman@wtxs.net> Message-ID: <5.1.0.14.2.20021101171949.060ad8d0@imap.ecs.soton.ac.uk> At 17:17 01/11/2002, you wrote: >I vaguely remember there being some problem with a certain version of SA. Was >I imagining this? I am about to go from 2.31 to 2.43 and wanted to ensure I >wasn't buggering something up. 2.40, 2.41 and 2.42 were trouble. 2.43 is fine. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From joelc at CTCHOUSTON.COM Fri Nov 1 17:27:32 2002 From: joelc at CTCHOUSTON.COM (Joel Colvin) Date: Thu Jan 12 21:16:16 2006 Subject: Mail Relay to Lotus In-Reply-To: Message-ID: <000e01c281cb$f909fa00$c300a8c0@hewlett9por0s0> If I understand correctly your request, I would do this with mailertable in sendmail. You can get sendmail to bypass DNS lookup and go to a specific host for a domain. For example, in mailertable: Boffo.com smtp:[nextserver.boffo.com] This would tell sendmail to ignore DNS and MX rules and send all boffo.com mail to the specified host. Now internal systems can use DNS to find the way to mail out which may be completely different than the way in. I use this for testing all the time and don't have to mess with the cf file or dns to get my system to route mail to specific hosts. I also have clients that need to receive mail over a specific VPN route and this is how I make sure that mail goes out the proper link to the Internet. -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Alex Short Sent: Friday, November 01, 2002 9:32 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Mail Relay to Lotus Here's my problem, mail comes into the company via a web-proxy running on the firewall, that will be proxy'ing to the "mailscanner" machine. Call it mail-gw. My wish is it to scan the email and pass it on to the domino server. We run internal and external dns for this hostname, so how i had invisioned it is this. externally mx is ip of the firewall with the proxy internally mx is the ip of the domino server (5) and mail-gw (10) The problem is this, using that setup, any internal systems that require to email internally will try hitting the domino server. Perfect you think, wrong! the domino server (which isn't mine to administer) is setup to only accept connections from the mail-gw ip. Basically i'm trying to get rid of the mcafee scanner that currently sits on a winbox and replace it, but i'm finding it difficult telling mailscanner to scan and forward without relying on DNS. I suppose i could run a seperate dns server on the mailgw and mx is only the domino server, but i think that would be tremendous pain in the ass to have two independent dns servers. Any ideas.. at my old workplace i used amavis and just set DH in sendmail config file to the destination for all mail. Trying this with MailScanner basically got ignored ;) Alex From derek at csolve.net Fri Nov 1 17:46:12 2002 
From: derek at csolve.net (Derek Buttineau)
Date: Thu Jan 12 21:16:16 2006
Subject: Little Bug in V4
References: <5.1.0.14.2.20021026142015.045baed8@imap.ecs.soton.ac.uk> <5.1.1.6.2.20021026081012.03adeff8@securemail.tulsaconnect. com> <5.1.0.14.2.20021101090204.04871a20@imap.ecs.soton.ac.uk>
Message-ID: <07f401c281ce$91fe3f80$8850a4cf@derek>

In the address2userdomain routine, $user and $domain seem to be reversed..

Was trying to write a custom function and after a little head scratching,
and some debugging found that $message->{todomain} contained the username
not the domain :) Reversed the two in the function and all worked well :)

Anyway, just FYI

Derek

From mark at TIPPINGMAR.COM Fri Nov 1 17:50:58 2002
From: mark at TIPPINGMAR.COM (Mark Nienberg)
Date: Thu Jan 12 21:16:16 2006
Subject: relay hits not triggering automatic spam tag
In-Reply-To: <200211010919.04292.lbergman@wtxs.net>
References: <5.1.0.14.2.20021101150209.044dc3f8@imap.ecs.soton.ac.uk>
Message-ID: <3DC24E82.18366.14990061@localhost>

On 1 Nov 2002 at 9:19, Lewis Bergman wrote:

> With this being the case I am wondering:
> What does the rbl check in MS do or what is it used for? I am sure I am
> missing something here I just don't know what.

It's for the folks who are using MailScanner without SpamAssassin. If you are
using SpamAssassin in addition to MS, you probably want to let SA do the rbl
checks instead of MS.

--
Mark W. Nienberg, SE
Tipping Mar + associates
1906 Shattuck Ave, Berkeley, CA 94704
visit our website at http://www.tippingmar.com

From sevans at FOUNDATION.SDSU.EDU Fri Nov 1 18:19:50 2002
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans)
Date: Thu Jan 12 21:16:16 2006
Subject: good version of SpamAssassin?
Message-ID: <6214C3F9233D764C9E7029396C355015331604@mail.foundation.sdsu.edu>

Although my false negative rate is through the roof. Something to pay
attention to.

Steve Evans
SDSU Foundation
(619) 594-0653

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Friday, November 01, 2002 9:20 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: good version of SpamAssassin? At 17:17 01/11/2002, you wrote: >I vaguely remember there being some problem with a certain version of >SA. Was I imagining this? I am about to go from 2.31 to 2.43 and wanted >to ensure I wasn't buggering something up. 2.40, 2.41 and 2.42 were trouble. 2.43 is fine. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From lbergman at wtxs.net Fri Nov 1 18:28:00 2002 
From: lbergman at wtxs.net (Lewis Bergman)
Date: Thu Jan 12 21:16:16 2006
Subject: spam.assassin.conf
Message-ID: <200211011228.00533.lbergman@wtxs.net>

I know I am now testing everyone's patience but here I go again.

In spam.assassin.conf at the end is this:

# Added for MailScanner 14/6/2002
# If you specify these scores, SpamAssassin will do RBL checks as well as
# MailScanner, which just wastes CPU power and network bandwidth. Either
# do them here by uncommenting the rules below (if you have paid for them)
# or else uncomment the "skip_rbl_checks" line above and let MailScanner
# do the checks instead.
#
#score RCVD_IN_BL_SPAMCOP_NET 4
# These next 3 will cost you money, see mailscanner.conf.
#score RCVD_IN_RBL 10
#score RCVD_IN_RSS 1
#score RCVD_IN_DUL 1

Which implies to me that only those rules will be invoked unless I add more or
do the "score SOME_RULE 1" deal. But in
/usr/local/share/spamassassin/20_head_tests.cf there are many more rules
listed there like the following:

RCVD_IN_OSIRUSOFT_COM
X_OSIRU_OPEN_RELAY
X_OSIRU_DUL
X_OSIRU_SPAM_SRC
X_OSIRU_SPAMWARE_SITE
X_OSIRU_DUL_FH
RCVD_IN_RELAYS_ORDB_ORG
RCVD_IN_VISI
RCVD_IN_SBL
RCVD_IN_ORBS
RCVD_IN_DSBL
RCVD_IN_BONDEDSENDER
RCVD_IN_DUL_FH

So my question is do I need to go through and explicitly add a score for each
one to make it take effect? It seems that the rest of the rules don't need
this so I am a little confused (again).
--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
915-695-6962 ext 115

From mkettler at EVI-INC.COM Fri Nov 1 18:49:43 2002
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:16:16 2006
Subject: good version of SpamAssassin?
In-Reply-To: <5.1.0.14.2.20021101171949.060ad8d0@imap.ecs.soton.ac.uk>
References: <200211011117.36962.lbergman@wtxs.net>
Message-ID: <5.1.1.6.0.20021101134510.019d69c0@192.168.50.2>

Agreed, aside from adjusting the SpamAssassin timeouts (look for my prior
posting on that in this list just yesterday or the day before) I'm running
SpamAssassin 2.43 under MailScanner 3.24-1 without any problems.

I personally also have the AWL disabled, but the 2.43 version doesn't have
any significant AWL issues I'm aware of. I just feel that the AWL is a Bad
Idea when applied as a single global database like MailScanner winds up
doing. Lots of people use it this way without issues, but I see it as a
serious minefield fraught with dangers.

At 05:20 PM 11/1/2002 +0000, Julian Field wrote:
>At 17:17 01/11/2002, you wrote:
>>I vaguely remember there being some problem with a certain version of SA. Was
>>I imagining this? I am about to go from 2.31 to 2.43 and wanted to ensure I
>>wasn't buggering something up.
>
>2.40, 2.41 and 2.42 were trouble. 2.43 is fine.
>--
>Julian Field                Teaching Systems Manager
>jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
>Tel. 023 8059 2817          University of Southampton
>                            Southampton SO17 1BJ

From mkettler at EVI-INC.COM Fri Nov 1 18:56:29 2002
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:16:16 2006
Subject: spam.assassin.conf
In-Reply-To: <200211011228.00533.lbergman@wtxs.net>
Message-ID: <5.1.1.6.0.20021101135022.0187d640@192.168.50.2>

The SpamAssassin user configuration over-rides the default scores present
in 50_scores.cf. The "for pay" DNSbl's have default score values of 0, but
if you re-define them as nonzero it turns them on.

The zero-point score is explicitly specified in SpamAssassin's
50_scores.cf. All rules with a score of zero are disabled and do not run.
Any rule with a nonzero score, no matter how small, runs. Hence that score
disables these blacklists by default, unless later over-ridden by a user or
site preferences file.

Since lists like OSIRUSOFT are free to use without paying, SpamAssassin has
nonzero default scores for those rules. You can over-ride those scores to
be zero (effectively disabling the list) or to reduce or increase the score
vs the default one.

So by default you do NOT need to specify a score for the default set of
free DNSBL's to be used by SpamAssassin. You do need Net::DNS installed in
your version of Perl however.

At 12:28 PM 11/1/2002 -0600, Lewis Bergman wrote:
>So my question is do I need to go through and explicitly add a score for each
>one to make it take effect? It seems that the rest of the rules don't need
>this so I am a little confused (again).

From derek at csolve.net Fri Nov 1 19:43:30 2002
From: derek at csolve.net (Derek Buttineau)
Date: Thu Jan 12 21:16:16 2006
Subject: Fw: Little Bug in V4
Message-ID: <08a101c281de$f52a2d20$8850a4cf@derek>

Scratch that, the error isn't in the address2userdomain function but in the
one that calls it to populate the variables :)

162 push @{$this->{touser}}, $user;
163 push @{$this->{todomain}}, $user;

It's just pushing the user variable into both arrays :)

Derek

----- Original Message -----
From: "Derek Buttineau" To: Sent: Friday, November 01, 2002 12:46 PM Subject: Little Bug in V4 > In the address2userdomain routine, $user and $domain seem to be reversed.. > > Was trying to write a custom function and after a little head scratching, > and some debugging found that $message->{todomain} contained the username > not the domain :) Reversed the two in the function and all worked well :) > > Anyway, just FYI > > Derek > > From rhicks at MINES.EDU Fri Nov 1 19:54:01 2002 
From: rhicks at MINES.EDU (Robert Hicks) Date: Thu Jan 12 21:16:16 2006 Subject: email tagged as Denial of Service but not being saved Message-ID: I upgraded from Mailscanner 1.x to 4.03-1 three days ago. The new version(4.03-1) is working great as far as I can tell with the exception of one thing. The issue is that over the past three days I have seen four "Denial of Service" messages logged to syslog but no attachments or body messages are being saved. The user does get an email that says "look here" with the correct message ID as I would expect but the message(and message ID directory) are never created in the quarantine area. Postmaster also does not get any email regarding the DoS message. Syslog normally would show "Saved entire message" or "Saved infected "filename"" but nothing shows in syslog other than "Denial of Service attack in in message gXXXXXXXXXXX." I need to allow the end user the option of at least seeing the quarantined data even if it is a broken or does not contain a properly attached document. Has anyone seen this problem before? From what I can tell, all virus infected files ARE being saved and logged properly. I have increased the timeout TNEF timeout in hope that it will help in some fashion even though it has nothing to do with creating quarantined directories and email postmaster of a DoS message. I just put 4.04-1 earlier today. I haven't seen any new DoS messages be tagged yet. Also..... Is there any way to prevent MailScanner from catching "external body" messages and tagging them? I have seen a couple of other posts on the subject but nothing concrete on being a future release option. AIX 5.1-002, Perl 5.6.0, TNEF=internal, Mcafee, TNEF Timeout = 120, Scanner Timeout=300,Quarantine Infections = yes, Quarantine Whole Message = yes Thanks in advance, Robert From LISTSERV at JISCMAIL.AC.UK Fri Nov 1 19:17:35 2002 
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:16:16 2006 Subject: MAILSCANNER: thang1.nguyen@MAILTEST.HAWAII.EDU left the list Message-ID: <200211011917.TAA25608@magpie.ecs.soton.ac.uk> Fri, 1 Nov 2002 19:17:35 Thang1 Nguyen has just signed off the MAILSCANNER list (MailScanner mailing list). From alex at IALEX.NET Fri Nov 1 20:06:38 2002 
From: alex at IALEX.NET (Alex Short) Date: Thu Jan 12 21:16:16 2006 Subject: Mail Relay to Lotus In-Reply-To: <000e01c281cb$f909fa00$c300a8c0@hewlett9por0s0> Message-ID: Joel, you rock, this is exactly the cluepon i needed. Thanks > If I understand correctly your request, I would do this with mailertable > in sendmail. You can get sendmail to bypass DNS lookup and go to a > specific host for a domain. For example, in mailertable: > > Boffo.com smtp:[nextserver.boffo.com] > > This would tell sendmail to ignore DNS and MX rules and send all > boffo.com mail to the specified host. > > Now internal systems can use DNS to find the way to mail out which may > be completely different than the way in. I use this for testing all the > time and don't have to mess with the cf file or dns to get my system to > route mail to specific hosts. I also have clients that need to receive > mail over a specific VPN route and this is how I make sure that mail > goes out the proper link to the Internet. > > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Alex Short
> Sent: Friday, November 01, 2002 9:32 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Mail Relay to Lotus
>
> Here's my problem, mail comes into the company via a web-proxy running on the firewall, that will be proxy'ing to the "mailscanner" machine. Call it mail-gw. My wish is it to scan the email and pass it on to the domino server. We run internal and external dns for this hostname, so how i had envisioned it is this.
>
> externally mx is ip of the firewall with the proxy
> internally mx is the ip of the domino server (5) and mail-gw (10)
>
> The problem is this, using that setup, any internal systems that require to email internally will try hitting the domino server. Perfect you think, wrong! the domino server (which isn't mine to administer) is setup to only accept connections from the mail-gw ip.
>
> Basically i'm trying to get rid of the mcafee scanner that currently sits on a winbox and replace it, but i'm finding it difficult telling mailscanner to scan and forward without relying on DNS. I suppose i could run a separate dns server on the mailgw and mx is only the domino server, but i think that would be tremendous pain in the ass to have two independent dns servers.
>
> Any ideas.. at my old workplace i used amavis and just set DH in sendmail config file to the destination for all mail. Trying this with MailScanner basically got ignored ;)
>
> Alex
>
>
>
From mailscanner at ecs.soton.ac.uk Fri Nov 1 20:56:55 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:16 2006 Subject: email tagged as Denial of Service but not being saved In-Reply-To: Message-ID: <5.1.0.14.2.20021101205550.0389bea0@imap.ecs.soton.ac.uk> Thanks for reporting that. It is now detecting and handling this correctly. At 19:54 01/11/2002, you wrote: >I upgraded from Mailscanner 1.x to 4.03-1 three days ago. >The new version(4.03-1) is working great as far as I can >tell with the exception of one thing. > >The issue is that over the past three days I have seen four "Denial of >Service" messages logged to syslog but no attachments or body messages are >being saved. >The user does get an email that says "look here" with the correct message >ID as I would expect but the message(and message ID >directory) are never created in the quarantine area. Postmaster also >does not get any email regarding the DoS message. Syslog normally would >show "Saved entire message" or "Saved infected "filename"" but nothing >shows in syslog >other than "Denial of Service attack in in message gXXXXXXXXXXX." >I need to allow the end user the option of at least seeing the >quarantined data even if it is a broken or does not contain a properly >attached document. > >Has anyone seen this problem before? From what I can tell, all virus >infected files ARE being saved and logged properly. I have increased the >timeout TNEF timeout in hope that it will help in some fashion >even though it has nothing to do with creating quarantined directories >and email postmaster of a DoS message. > >I just put 4.04-1 earlier today. I haven't seen any new DoS messages >be tagged yet. > >Also..... >Is there any way to prevent MailScanner from catching "external body" >messages and tagging them? I have seen a couple of other posts on >the subject but nothing concrete on being a future release option. 
> > >AIX 5.1-002, Perl 5.6.0, TNEF=internal, Mcafee, TNEF Timeout = 120, >Scanner Timeout=300,Quarantine Infections = yes, Quarantine Whole Message >= yes > > >Thanks in advance, > >Robert -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From rhicks at MINES.EDU Fri Nov 1 21:35:45 2002 
From: rhicks at MINES.EDU (Robert Hicks) Date: Thu Jan 12 21:16:16 2006 Subject: email tagged as Denial of Service but not being saved In-Reply-To: <5.1.0.14.2.20021101205550.0389bea0@imap.ecs.soton.ac.uk> Message-ID: Julian, Thanks for the quick response! Do I need to update anything or did my upgrade to 4.04-1 take care of it? Robert On Fri, 1 Nov 2002, Julian Field wrote: > Thanks for reporting that. It is now detecting and handling this correctly. > > At 19:54 01/11/2002, you wrote: > >I upgraded from Mailscanner 1.x to 4.03-1 three days ago. > >The new version(4.03-1) is working great as far as I can > >tell with the exception of one thing. > > > >The issue is that over the past three days I have seen four "Denial of > >Service" messages logged to syslog but no attachments or body messages are > >being saved. > >The user does get an email that says "look here" with the correct message > >ID as I would expect but the message(and message ID > >directory) are never created in the quarantine area. Postmaster also > >does not get any email regarding the DoS message. Syslog normally would > >show "Saved entire message" or "Saved infected "filename"" but nothing > >shows in syslog > >other than "Denial of Service attack in in message gXXXXXXXXXXX." > >I need to allow the end user the option of at least seeing the > >quarantined data even if it is a broken or does not contain a properly > >attached document. > > > >Has anyone seen this problem before? From what I can tell, all virus > >infected files ARE being saved and logged properly. I have increased the > >timeout TNEF timeout in hope that it will help in some fashion > >even though it has nothing to do with creating quarantined directories > >and email postmaster of a DoS message. > > > >I just put 4.04-1 earlier today. I haven't seen any new DoS messages > >be tagged yet. > > > >Also..... > >Is there any way to prevent MailScanner from catching "external body" > >messages and tagging them? 
I have seen a couple of other posts on > >the subject but nothing concrete on being a future release option. > > > > > >AIX 5.1-002, Perl 5.6.0, TNEF=internal, Mcafee, TNEF Timeout = 120, > >Scanner Timeout=300,Quarantine Infections = yes, Quarantine Whole Message > >= yes > > > > > >Thanks in advance, > > > >Robert > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From mailscanner at ecs.soton.ac.uk Fri Nov 1 21:43:20 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:16 2006 Subject: email tagged as Denial of Service but not being saved In-Reply-To: References: <5.1.0.14.2.20021101205550.0389bea0@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20021101213754.038c6000@imap.ecs.soton.ac.uk> At 21:35 01/11/2002, you wrote: >Thanks for the quick response! Do I need to update anything or >did my upgrade to 4.04-1 take care of it? I'll be releasing an update for v3 and v4 in the next couple of days or so, as I've got a couple of minor security fixes to publish which I have back-ported to v3. The security issues have never been exploited by anyone, so I would prefer to get them fixed before anyone else finds them. I leave the commercial guys to delay fixing holes until they have been found and exploited :-) If it's really urgent, I can release earlier, but I would rather do some more testing first. >On Fri, 1 Nov 2002, Julian Field wrote: > > Thanks for reporting that. It is now detecting and handling this correctly. > > > > At 19:54 01/11/2002, you wrote: > > >I upgraded from Mailscanner 1.x to 4.03-1 three days ago. > > >The new version(4.03-1) is working great as far as I can > > >tell with the exception of one thing. > > > > > >The issue is that over the past three days I have seen four "Denial of > > >Service" messages logged to syslog but no attachments or body messages are > > >being saved. > > >The user does get an email that says "look here" with the correct message > > >ID as I would expect but the message(and message ID > > >directory) are never created in the quarantine area. Postmaster also > > >does not get any email regarding the DoS message. Syslog normally would > > >show "Saved entire message" or "Saved infected "filename"" but nothing > > >shows in syslog > > >other than "Denial of Service attack in in message gXXXXXXXXXXX." 
> > >I need to allow the end user the option of at least seeing the > > >quarantined data even if it is a broken or does not contain a properly > > >attached document. > > > > > >Has anyone seen this problem before? From what I can tell, all virus > > >infected files ARE being saved and logged properly. I have increased the > > >timeout TNEF timeout in hope that it will help in some fashion > > >even though it has nothing to do with creating quarantined directories > > >and email postmaster of a DoS message. > > > > > >I just put 4.04-1 earlier today. I haven't seen any new DoS messages > > >be tagged yet. > > > > > >Also..... > > >Is there any way to prevent MailScanner from catching "external body" > > >messages and tagging them? I have seen a couple of other posts on > > >the subject but nothing concrete on being a future release option. > > > > > > > > >AIX 5.1-002, Perl 5.6.0, TNEF=internal, Mcafee, TNEF Timeout = 120, > > >Scanner Timeout=300,Quarantine Infections = yes, Quarantine Whole Message > > >= yes > > > > > > > > >Thanks in advance, > > > > > >Robert > > > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From rhicks at MINES.EDU Sat Nov 2 02:40:07 2002 
From: rhicks at MINES.EDU (Robert Hicks) Date: Thu Jan 12 21:16:16 2006 Subject: email tagged as Denial of Service but not being saved In-Reply-To: <5.1.0.14.2.20021101213754.038c6000@imap.ecs.soton.ac.uk> Message-ID: <666ACD05-EE0C-11D6-A381-0003939CD990@Mines.edu> It isn't urgent enough to bypass testing. Thanks again... On Friday, November 1, 2002, at 02:43 PM, Julian Field wrote: > At 21:35 01/11/2002, you wrote: >> Thanks for the quick response! Do I need to update anything or >> did my upgrade to 4.04-1 take care of it? > > I'll be releasing an update for v3 and v4 in the next couple of days > or so, > as I've got a couple of minor security fixes to publish which I have > back-ported to v3. The security issues have never been exploited by > anyone, > so I would prefer to get them fixed before anyone else finds them. > > I leave the commercial guys to delay fixing holes until they have been > found and exploited :-) > > If it's really urgent, I can release earlier, but I would rather do > some > more testing first. > >> On Fri, 1 Nov 2002, Julian Field wrote: >> > Thanks for reporting that. It is now detecting and handling this >> correctly. >> > >> > At 19:54 01/11/2002, you wrote: >> > >I upgraded from Mailscanner 1.x to 4.03-1 three days ago. >> > >The new version(4.03-1) is working great as far as I can >> > >tell with the exception of one thing. >> > > >> > >The issue is that over the past three days I have seen four >> "Denial of >> > >Service" messages logged to syslog but no attachments or body >> messages are >> > >being saved. >> > >The user does get an email that says "look here" with the correct >> message >> > >ID as I would expect but the message(and message ID >> > >directory) are never created in the quarantine area. Postmaster >> also >> > >does not get any email regarding the DoS message. 
Syslog normally >> would >> > >show "Saved entire message" or "Saved infected "filename"" but >> nothing >> > >shows in syslog >> > >other than "Denial of Service attack in in message gXXXXXXXXXXX." >> > >I need to allow the end user the option of at least seeing the >> > >quarantined data even if it is a broken or does not contain a >> properly >> > >attached document. >> > > >> > >Has anyone seen this problem before? From what I can tell, all >> virus >> > >infected files ARE being saved and logged properly. I have >> increased the >> > >timeout TNEF timeout in hope that it will help in some fashion >> > >even though it has nothing to do with creating quarantined >> directories >> > >and email postmaster of a DoS message. >> > > >> > >I just put 4.04-1 earlier today. I haven't seen any new DoS >> messages >> > >be tagged yet. >> > > >> > >Also..... >> > >Is there any way to prevent MailScanner from catching "external >> body" >> > >messages and tagging them? I have seen a couple of other posts on >> > >the subject but nothing concrete on being a future release option. >> > > >> > > >> > >AIX 5.1-002, Perl 5.6.0, TNEF=internal, Mcafee, TNEF Timeout = 120, >> > >Scanner Timeout=300,Quarantine Infections = yes, Quarantine Whole >> Message >> > >= yes >> > > >> > > >> > >Thanks in advance, >> > > >> > >Robert >> > >> > -- >> > Julian Field Teaching Systems Manager >> > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >> > Tel. 023 8059 2817 University of Southampton >> > Southampton SO17 1BJ >> > > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Sat Nov 2 16:25:08 2002 
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:16:16 2006 Subject: MAILSCANNER: moeeni@SHARIF.EDU requested to join Message-ID: <200211021625.QAA21192@magpie.ecs.soton.ac.uk> Sat, 2 Nov 2002 16:25:08 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Mohsen Moeeni . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER moeeni@SHARIF.EDU Mohsen Moeeni The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+moeeni%40SHARIF.EDU+Mohsen+Moeeni&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From David.While at UCE.AC.UK Sun Nov 3 11:47:08 2002 From: David.While at UCE.AC.UK (David While) Date: Thu Jan 12 21:16:16 2006 Subject: ClamAV problem Message-ID: I have just started to use ClamAV with MS and have found an error: The following appears in the log file: ProcessClamAVOutput: unrecognised line "Autodetected 2 CPUs . Starting 2 threads.". Please contact the authors! I am running on a 2 CPU system and I believe ClamAV detects this hence the line in the log file. ----------------------------------------------------------------- David While Technical Development Manager Faculty of Computing, Information & English University of Central England Tel: 0121 331 6211 From mailscanner at ecs.soton.ac.uk Sun Nov 3 12:30:57 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:17 2006 Subject: ClamAV problem In-Reply-To: Message-ID: <5.1.0.14.2.20021103123032.02492e88@imap.ecs.soton.ac.uk> Fixed in 4.05-1. Thanks for reporting that one. At 11:47 03/11/2002, you wrote: >I have just started to use ClamAV with MS and have found an error: > >The following appears in the log file: > >ProcessClamAVOutput: unrecognised line "Autodetected 2 CPUs . Starting 2 >threads.". Please contact the authors! > >I am running on a 2 CPU system and I believe ClamAV detects this hence the >line in the log file. > > > >----------------------------------------------------------------- >David While >Technical Development Manager >Faculty of Computing, Information & English >University of Central England >Tel: 0121 331 6211 -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Sun Nov 3 12:52:03 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:17 2006
Subject: ANNOUNCE: Versions 3.26 and 4.05 released
Message-ID: <5.1.0.14.2.20021103124356.02401078@imap.ecs.soton.ac.uk>

I have just released versions 4.05 and 3.26.

These improve the handling of attachments whose filenames are in unknown character encodings, and improve the handling of attachments whose filenames look malicious, removing a potential security problem before anyone else finds it or exploits it. Neither of these have ever been intentionally exploited. I leave it to the commercial outfits to only fix security vulnerabilities after they have been exploited!

New features and changes for Version 4 only:
- Can now put "$filename" in inline warning messages to give a comma-separated list of the infected attachment filenames.
- Improvement to Trend parser when scanning archives.
- Improvement to ClamAV parser for multi-CPU servers.
- Added Dutch and Brazilian Portuguese reports.
- Added an "End" function to the Custom Functions usable in the main conf file. NOTE: If you have added your own Custom Functions to CustomConfig.pl, you will need to add an "End" function for each of them.

Download it, as usual, from www.mailscanner.info

Jules.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From p.vanbrouwershaven at NETWORKING4ALL.COM Sun Nov 3 20:31:03 2002
From: p.vanbrouwershaven at NETWORKING4ALL.COM (Paul van Brouwershaven - Networking4ALL)
Date: Thu Jan 12 21:16:17 2006
Subject: Console Messages (MailScanner-4.05-1)
Message-ID:

Hi,

I installed MailScanner-4.05-1 and I went crazy now from the "Adding mailheader...(cleanheader)" and "Adding spamheader..." messages on my system console.

Can you please remove these messages by default or make some configuration settings in the mailscanner.conf !!!

Is this a message that must be reported with MailScanner::Log::WarnLog???
 Adding mailheader...(cleanheader)

Regards,

Paul

From mailscanner at ecs.soton.ac.uk Sun Nov 3 20:44:22 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:17 2006
Subject: Console Messages (MailScanner-4.05-1)
In-Reply-To:
Message-ID: <5.1.0.14.2.20021103204337.01e99cb8@imap.ecs.soton.ac.uk>

Sorry about that. Some debug output from the new Exim code sneaked in. Fixed and released 4.05-2.

At 20:31 03/11/2002, you wrote:
>Hi,
>
>I installed MailScanner-4.05-1 and I went crazy now from the "Adding
>mailheader...(cleanheader)" and "Adding spamheader..." messages on my
>system console.
>
>Can you please remove these messages by default or make some
>configuration settings in the mailscanner.conf !!!
>
>Is this a message that must be reported with
>MailScanner::Log::WarnLog???
> Adding mailheader...(cleanheader)
>
>Regards,
>
>Paul

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From LISTSERV at JISCMAIL.AC.UK Sun Nov 3 20:35:16 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:16:17 2006 Subject: MAILSCANNER: r.spyker@HCCNET.NL left the list Message-ID: <200211032035.UAA25246@magpie.ecs.soton.ac.uk> Sun, 3 Nov 2002 20:35:16 Roel Spijker has just signed off the MAILSCANNER list (MailScanner mailing list). From mail at projectandrew.com Sun Nov 3 21:31:02 2002 
From: mail at projectandrew.com (Andrew G Allen) Date: Thu Jan 12 21:16:17 2006 Subject: Small errors Message-ID: <3775.217.155.81.26.1036359062.squirrel@www.projectandrew.com> I just installed 4.05-2 and noticed this in the logs: MailScanner E-Mail Virus Scanner version 4.05-1 starting... Also, when I issue 'service MailScanner stop', I get: MailScanner: We haven't got any child processes, which isn't right!, No child processes at /usr/sbin/MailScanner line 191. We have just tried to reap a process which wasn't one of ours!, No child processes at /usr/sbin/MailScanner line 194. And when I issue it again, MailScanner stops correctly. Otherwise everything is working ok :) Andrew G Allen email: mail@projectandrew.com | voice: +44 (0) 7958 540596 --- Disclaimer --- This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify the system manager. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at ecs.soton.ac.uk Sun Nov 3 21:38:06 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:17 2006 Subject: Small errors In-Reply-To: <3775.217.155.81.26.1036359062.squirrel@www.projectandrew.c om> Message-ID: <5.1.0.14.2.20021103213611.01e65618@imap.ecs.soton.ac.uk> At 21:31 03/11/2002, you wrote: >MailScanner E-Mail Virus Scanner version 4.05-1 starting... Fixed. >Also, when I issue 'service MailScanner stop', I get: > >MailScanner: We haven't got any child processes, which isn't right!, >No child processes at /usr/sbin/MailScanner line 191. >We have just tried to reap a process which wasn't one of ours!, No child >processes at /usr/sbin/MailScanner line 194. > >And when I issue it again, MailScanner stops correctly. Otherwise >everything is working ok :) What system are you running it on? I am vaguely hoping to get some more development kit, which will mean I can start to get this problem solved in a portable way. The Apache folks solved it by having a separate program (apachectl) to do the job, I'll probably have to go the same way. Jules. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mail at projectandrew.com Sun Nov 3 22:28:26 2002 
From: mail at projectandrew.com (Andrew G Allen) Date: Thu Jan 12 21:16:17 2006 Subject: Small errors In-Reply-To: <5.1.0.14.2.20021103213611.01e65618@imap.ecs.soton.ac.uk> References: <3775.217.155.81.26.1036359062.squirrel@www.projectandrew.c om> <5.1.0.14.2.20021103213611.01e65618@imap.ecs.soton.ac.uk> Message-ID: <3862.217.155.81.26.1036362506.squirrel@www.projectandrew.com> > What system are you running it on? > I am vaguely hoping to get some more development kit, which will mean I > can start to get this problem solved in a portable way. The Apache folks > solved it by having a separate program (apachectl) to do the job, I'll > probably have to go the same way. I am running Red Hat 7.2. Andrew G Allen email: mail@projectandrew.com | voice: +44 (0) 7958 540596 --- Disclaimer --- This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify the system manager. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From andersan at LTKALMAR.SE Sun Nov 3 22:33:56 2002 
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:16:17 2006
Subject: SV: Small errors
Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EC3A@lkl22.ltkalmar.se>

Had the same problem, running v4 on RH8.
Everything seems to run ok but I get the same errors.
Have to check what version I'm running but I'll have to do that tomorrow. Anything else you need to know?

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: 3 November 2002 22:38
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Small errors
>
>
> At 21:31 03/11/2002, you wrote:
> >MailScanner E-Mail Virus Scanner version 4.05-1 starting...
>
> Fixed.
>
> >Also, when I issue 'service MailScanner stop', I get:
> >
> >MailScanner: We haven't got any child processes, which isn't right!,
> >No child processes at /usr/sbin/MailScanner line 191.
> >We have just tried to reap a process which wasn't one of ours!, No child
> >processes at /usr/sbin/MailScanner line 194.
> >
> >And when I issue it again, MailScanner stops correctly. Otherwise
> >everything is working ok :)
>
> What system are you running it on?
> I am vaguely hoping to get some more development kit, which will mean I can
> start to get this problem solved in a portable way. The Apache folks solved
> it by having a separate program (apachectl) to do the job, I'll probably
> have to go the same way.
>
> Jules.
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ
>
From mailscanner at ecs.soton.ac.uk Sun Nov 3 22:38:49 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:17 2006 Subject: Fwd: Mailscanner kaspersky output parsing patch Message-ID: <5.1.0.14.2.20021103223718.01ee0ec8@imap.ecs.soton.ac.uk> I have just added a patch to the Kaspersky output parser, contributed by Martin Lillepuu. I have added it to the 4.05 and 3.26 versions. >Date: Mon, 4 Nov 2002 02:05:05 +0200 (EET) >To: mailscanner@ecs.soton.ac.uk >Subject: Mailscanner kaspersky output parsing patch > >Here's a little patch to make mailscanner 4.05 work again with >latest Kaspersky Antivirus for linux workstations v4.0.2.2. It looks like >the scanner output is different when you specify one file with full path >or just the directory. When current directory '.' was specified, regexps >failed to parse message id correctly which caused infected messages >passing untouched. According syslog output is also included. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Sun Nov 3 22:41:07 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:17 2006
Subject: SV: Small errors
In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263EC3A@lkl22.ltkalmar.se >
Message-ID: <5.1.0.14.2.20021103223936.039c2928@imap.ecs.soton.ac.uk>

At 22:33 03/11/2002, you wrote:
>Had the same problem, running v4 on RH8.
>Everything seems to run ok but I get the same errors.
>Have to check what version I'm running but I'll have to
>do that tomorrow. Anything else you need to know?

No. I haven't touched the init script for a while now. I'm going to have to see precisely what Apache does to solve this problem, as otherwise the init script will have to have loads of OS-specific switches in it.

> > -----Original Message-----
> > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> > Sent: 3 November 2002 22:38
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Small errors
> >
> >
> > At 21:31 03/11/2002, you wrote:
> > >MailScanner E-Mail Virus Scanner version 4.05-1 starting...
> >
> > Fixed.
> >
> > >Also, when I issue 'service MailScanner stop', I get:
> > >
> > >MailScanner: We haven't got any child processes, which isn't right!,
> > >No child processes at /usr/sbin/MailScanner line 191.
> > >We have just tried to reap a process which wasn't one of ours!, No child
> > >processes at /usr/sbin/MailScanner line 194.
> > >
> > >And when I issue it again, MailScanner stops correctly. Otherwise
> > >everything is working ok :)
> >
> > What system are you running it on?
> > I am vaguely hoping to get some more development kit, which will mean I can
> > start to get this problem solved in a portable way. The Apache folks solved
> > it by having a separate program (apachectl) to do the job, I'll probably
> > have to go the same way.
> >
> > Jules.
> > --
> > Julian Field Teaching Systems Manager
> > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
> > Tel.
023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mike at ZANKER.ORG Mon Nov 4 06:06:16 2002 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:16:17 2006 Subject: Fwd: Mailscanner kaspersky output parsing patch In-Reply-To: <5.1.0.14.2.20021103223718.01ee0ec8@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20021103223718.01ee0ec8@imap.ecs.soton.ac.uk> Message-ID: <162057786.1036389976@jemima.zanker.org> On 03 November 2002 22:38 +0000 Julian Field wrote: > I have just added a patch to the Kaspersky output parser, contributed > by Martin Lillepuu. > I have added it to the 4.05 and 3.26 versions. Presumably only the mailscanner rpm has changed between 4.05-1 and 4.05-3 so that is all that needs to be installed? Thanks, Mike. From mailscanner at ecs.soton.ac.uk Mon Nov 4 09:22:23 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:17 2006 Subject: Fwd: Mailscanner kaspersky output parsing patch In-Reply-To: <162057786.1036389976@jemima.zanker.org> References: <5.1.0.14.2.20021103223718.01ee0ec8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021103223718.01ee0ec8@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20021104092206.04685ea0@imap.ecs.soton.ac.uk> At 06:06 04/11/2002, you wrote: >On 03 November 2002 22:38 +0000 Julian Field > wrote: > >>I have just added a patch to the Kaspersky output parser, contributed >>by Martin Lillepuu. >>I have added it to the 4.05 and 3.26 versions. > >Presumably only the mailscanner rpm has changed between 4.05-1 and >4.05-3 so that is all that needs to be installed? Yes. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Mon Nov 4 10:25:20 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:17 2006
Subject: Fwd: Mailscanner on OSDir.com (new O'Reilly site)
Message-ID: <5.1.0.14.2.20021104102226.04515ec0@imap.ecs.soton.ac.uk>

O'Reilly have created a new website containing a directory of Open Source
projects, including MailScanner.

If some of you could take 5 minutes adding some comments / votes to the
site, I would really appreciate it.

The MailScanner project page is at
http://osdir.com/modules.php?op=modload&name=Downloads&file=index&req=viewdownloaddetails&lid=114&ttitle=MailScanner

And the home page of their new site is of course
http://osdir.com/

>Subject: Mailscanner on OSDir.com (new O'Reilly site)
>
>Hi Julian,
>
>I've just added Mailscanner to http://OSDir.com (new O'Reilly site). We'll
>likely be building a book partly based on the votes and comments there so
>I invite our users to talk Mailscanner up a bit there:
>http://osdir.com/modules.php?op=modload&name=Downloads&file=index&req=viewdownloaddetails&lid=114&ttitle=MailScanner
>
>There's a link at the bottom of that page if you or any of them want
>visitors to vote/comment on Mailscanner remotely from a website such as
>your own. We'll likely be building a book partly based on comments and
>votes so adding it to the Mailscanner site probably wouldn't hurt.
>
>Thanks and Cheers,
>--
>Steve Mallett | steve@osdir.com
>http://OSDir.com on the O'Reilly Network
>http://opensource.org | webmaster@opensource.org
>http://open5ource.net

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From LISTSERV at JISCMAIL.AC.UK Mon Nov 4 10:43:27 2002
From P.G.M.Peters at civ.utwente.nl Mon Nov 4 12:41:57 2002
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:16:17 2006
Subject: relay hits not triggering automatic spam tag
In-Reply-To: <3DC24E82.18366.14990061@localhost>
References: <5.1.0.14.2.20021101150209.044dc3f8@imap.ecs.soton.ac.uk> <200211010919.04292.lbergman@wtxs.net> <3DC24E82.18366.14990061@localhost>
Message-ID: <4mqcsust6nllh3jba4a9uo5hqvbdasao5l@4ax.com>

On Fri, 1 Nov 2002 09:50:58 -0800, you wrote:

>On 1 Nov 2002 at 9:19, Lewis Bergman wrote:
>> With this being the case I am wondering:
>> What does the rbl check in MS do or what is it used for? I am sure I am
>> missing something here I just don't know what.
>
>It's for the folks who are using Mailscanner without Spam Assassin. If you
>are using Spam Assassin in addition to MS, you probably want to let SA
>do the rbl checks instead of MS.

We use MS with SA but handle BL's in MS. We want to offer our users the
possibility to decide for themselves what criteria they want to impose on
the e-mail they receive. By having as many tags as possible we offer our
users the most possibilities.

--
Peter Peters
senior network administrator, Centrum voor Informatievoorziening,
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: +31 53 489 2301, fax: +31 53 489 2383, http://www.utwente.nl/civ

From LISTSERV at JISCMAIL.AC.UK Mon Nov 4 12:48:52 2002
From thomas_duvally at BROWN.EDU Mon Nov 4 10:32:25 2002
From: thomas_duvally at BROWN.EDU (Thomas DuVally)
Date: Thu Jan 12 21:16:17 2006
Subject: good version of SpamAssassin?
In-Reply-To: <5.1.0.14.2.20021101171949.060ad8d0@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20021101171949.060ad8d0@imap.ecs.soton.ac.uk>
Message-ID: <1036405945.2065.5.camel@toms>

What were some of the issues? I attempted to use 2.41 and had to
abandon it. If the issues were solved in 2.43, I may be able to
re-enable it.

On Fri, 2002-11-01 at 12:20, Julian Field wrote:
> At 17:17 01/11/2002, you wrote:
> >I vaguely remember there being some problem with a certain version of SA. Was
> >I imagining this? I am about to go from 2.31 to 2.43 and wanted to ensure I
> >wasn't buggering something up.
>
> 2.40, 2.41 and 2.42 were trouble. 2.43 is fine.
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ
--
Thomas DuVally
Brown University

From security at MCGUINNESS.DE Mon Nov 4 14:24:47 2002
From: security at MCGUINNESS.DE (Marc Mc Guinness)
Date: Thu Jan 12 21:16:17 2006
Subject: could not notify senders and postmaster
Message-ID: <200211041424.PAA19297@post.webmailer.de>

Hello,

I've activated sending messages to the senders and to the
postmaster, but it doesn't work:

I'm using sendmail 8.12.6-6 on Debian 3.0.

My entries in mailscanner.conf are:
---------------------------------------------------------------------------
Deliver To Recipients = yes
Deliver From Local Domains = yes
Notify Senders = yes
//the following 3 files are in the path
Sender Virus Report =/etc/mailscanner/sender.virus.report.txt
Sender Bad Filename Report = /etc/mailscanner/sender.filename.report.txt
Sender Error Report = /etc/mailscanner/sender.error.report.txt
Notify Local Postmaster = yes
Local Postmaster = postmaster //also tried postmaster@mydomain.com -didn't work
MTA = sendmail
Sendmail = /usr/sbin/sendmail //Tried calling /usr/sbin/sendmail from command line and it worked
---------------------------------------------------------------------------

The error message in /var/log/mail/mail.info says:
---------------------------------------------------------------------------
Nov 4 13:27:55 spointmail1 mailscanner[10733]: Scanning 2 messages, 652868 bytes
Nov 4 13:27:56 spointmail1 mailscanner[10733]: Found 1 viruses in messages gA4CRYC8010761
Nov 4 13:27:56 spointmail1 mailscanner[10733]: Scanned 2 messages, 652868 bytes in 1 seconds
Nov 4 13:27:56 spointmail1 mailscanner[10733]: Saved infections to /var/spool/mailscanner/quarantine/20021104/gA4CRYC8010761
Nov 4 13:27:56 spointmail1 mailscanner[10733]: Could not notify senders
Nov 4 13:27:56 spointmail1 mailscanner[10733]: Could not notify local postmaster
Nov 4 13:27:56 spointmail1 mailscanner[10733]: Commercial disinfector f-secure returned 768
---------------------------------------------------------------------------

Can you please help me?

Best regards,
Marc Mc Guinness

From security at MCGUINNESS.DE Mon Nov 4 14:25:13 2002
From: security at MCGUINNESS.DE (Marc Mc Guinness)
Date: Thu Jan 12 21:16:17 2006
Subject: Creating mail copies for backup
Message-ID: <200211041425.PAA19966@post.webmailer.de>

Hello,

I don't know who I could ask. Probably you could help me...
I'm using sendmail 8.12.6-6 on Debian 3.0 and want to create a copy
of every email delivered to the user mailboxes under /var/mail/.
This copy shall be saved in user mailboxes under /var/backup/mail/.

How can I tell sendmail to write its mails to two directories?

Best regards,
Marc Mc Guinness

From mailscanner at ecs.soton.ac.uk Mon Nov 4 14:38:48 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:17 2006
Subject: good version of SpamAssassin?
In-Reply-To: <1036405945.2065.5.camel@toms>
References: <5.1.0.14.2.20021101171949.060ad8d0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021101171949.060ad8d0@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021104143809.04575040@imap.ecs.soton.ac.uk>

At 10:32 04/11/2002, you wrote:
>What were some of the issues? I attempted to use 2.41 and had to
>abandon it. If the issues were solved in 2.43, I may be able to
>re-enable it.

Corruption of auto-whitelist. Upgrade to 2.43 and delete the auto-whitelist
(which will be in ~root/.spamassassin).

>On Fri, 2002-11-01 at 12:20, Julian Field wrote:
> > At 17:17 01/11/2002, you wrote:
> > >I vaguely remember there being some problem with a certain version of SA. Was
> > >I imagining this? I am about to go from 2.31 to 2.43 and wanted to ensure I
> > >wasn't buggering something up.
> >
> > 2.40, 2.41 and 2.42 were trouble. 2.43 is fine.
> > --
> > Julian Field                Teaching Systems Manager
> > jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> > Tel. 023 8059 2817          University of Southampton
> >                             Southampton SO17 1BJ
>--
>Thomas DuVally
>Brown University

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Mon Nov 4 14:40:54 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:17 2006
Subject: Creating mail copies for backup
In-Reply-To: <200211041425.PAA19966@post.webmailer.de>
Message-ID: <5.1.0.14.2.20021104143947.044d0700@imap.ecs.soton.ac.uk>

At 14:25 04/11/2002, you wrote:
>Hello,
>
>I don't know who I could ask. Probably you could help me...
>I'm using sendmail 8.12.6-6 on Debian 3.0 and want to create a copy
>of every email delivered to the user mailboxes under /var/mail/.
>This copy shall be saved in user mailboxes under /var/backup/mail/.
>
>How can I tell sendmail to write its mails to two directories?

That's tricky in sendmail (I may be wrong, quite a few people on this list
know more about sendmail than I do!).

However, MailScanner 4 will do it for you. The "Archive Mail" feature can
save mail messages to a directory or even to another email address, without
the recipient noticing anything is happening.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From security at MCGUINNESS.DE Mon Nov 4 15:05:00 2002
From: security at MCGUINNESS.DE (Marc Mc Guinness)
Date: Thu Jan 12 21:16:17 2006
Subject: Creating mail copies for backup
In-Reply-To: <5.1.0.14.2.20021104143947.044d0700@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20021104143947.044d0700@imap.ecs.soton.ac.uk>
Message-ID: <200211041505.QAA05059@post.webmailer.de>

Hello,

On Monday, 4 November 2002 15:40, Julian Field wrote:
> At 14:25 04/11/2002, you wrote:
> >Hello,
> >
> >I don't know who I could ask. Probably you could help me...
> >I'm using sendmail 8.12.6-6 on Debian 3.0 and want to create a
> > copy of every email delivered to the user mailboxes under
> > /var/mail/. This copy shall be saved in user mailboxes under
> > /var/backup/mail/.
> >
> >How can I tell sendmail to write its mails to two directories?
>
> That's tricky in sendmail (I may be wrong, quite a few people on
> this list know more about sendmail than I do!).
>
> However, MailScanner 4 will do it for you. The "Archive Mail"
> feature can save mail messages to a directory or even to another
> email address, without the recipient noticing anything is
> happening.

I can't use version 4 at the moment (political reason).
I've got the mailscanner 3.13.2-4 from debian stable.

Probably someone else can help me with telling sendmail to do the
backup?

Best regards,
Marc

From Harish.Amin at DEG.STATE.WI.US Mon Nov 4 16:32:27 2002
From: Harish.Amin at DEG.STATE.WI.US (Amin, Harish)
Date: Thu Jan 12 21:16:17 2006
Subject: Majordomo sending messages as list-owner to a moderated list
Message-ID: <47F3EDACE4BC3A4594D0D7B504062BBD019C6680@doamail04>

Julian,
I am running Majordomo on Sun Solaris and sendmail as MTA.
I have noticed after a message is cleaned it sends/posts messages to the
lists, which is a moderated list
only one person can post.
Can I prevent this in Mailscanner or should I have to tweak something on
sendmail?

Your replies are greatly appreciated.

Thanx
Harish

Here's the log on /var/log/syslog

Nov 4 09:32:11 badger sendmail[28681]: [ID 801593 mail.info] gA4FWBw28681: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 09:32:11 badger sendmail[28682]: [ID 801593 mail.info] gA4FWBc28682: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 09:32:57 badger sendmail[28713]: [ID 801593 mail.info] gA4FWvn28713: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 09:32:58 badger sendmail[28715]: [ID 801593 mail.info] gA4FWw128715: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 09:34:26 badger sendmail[28755]: [ID 801593 mail.info] gA4FYQR28755: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 09:34:30 badger sendmail[28768]: [ID 801593 mail.info] gA4FYU128768: Authentication-Warning: badger.state.wi.us.: majordom set sender to owner-wiscatl@Badger.state.wi.us using -f
Nov 4 09:35:18 badger sendmail[28791]: [ID 801593 mail.info] gA4FZI628791: Authentication-Warning: badger.state.wi.us.: majordom set sender to owner-wiagedffa@Badger.state.wi.us using -f
Nov 4 09:43:12 badger sendmail[28985]: [ID 801593 mail.info] gA4FhC228985: Authentication-Warning: badger.state.wi.us.: majordom set sender to owner-weccp@Badger.state.wi.us using -f
Nov 4 09:45:43 badger sendmail[29051]: [ID 801593 mail.info] gA4Fjh129051: Authentication-Warning: badger.state.wi.us.: majordom set sender to owner-ysandsn@Badger.state.wi.us using -f
Nov 4 10:00:42 badger sendmail[29313]: [ID 801593 mail.info] gA4G0gc29313: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 10:00:43 badger sendmail[29314]: [ID 801593 mail.info] gA4G0hJ29314: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 10:03:19 badger sendmail[29374]: [ID 801593 mail.info] gA4G3JC29374: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 10:07:31 badger sendmail[29441]: [ID 801593 mail.info] gA4G7Vu29441: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 10:07:31 badger sendmail[29442]: [ID 801593 mail.info] gA4G7Vv29442: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 10:08:20 badger sendmail[29461]: [ID 801593 mail.info] gA4G8Kg29461: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 10:08:20 badger sendmail[29462]: [ID 801593 mail.info] gA4G8Kk29462: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 10:09:08 badger sendmail[29484]: [ID 801593 mail.info] gA4G98N29484: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 10:09:08 badger sendmail[29485]: [ID 801593 mail.info] gA4G98G29485: Authentication-Warning: badger.state.wi.us.: majordom set sender to owner-web-alerts@Badger.state.wi.us using -f
Nov 4 10:09:08 badger sendmail[29488]: [ID 801593 mail.info] gA4G98629488: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 10:10:01 badger sendmail[29514]: [ID 801593 mail.info] gA4GA1d29514: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 10:10:01 badger sendmail[29515]: [ID 801593 mail.info] gA4GA1B29515: Authentication-Warning: badger.state.wi.us.: majordom set sender to owner-microsoft-alerts@Badger.state.wi.us using -f
Nov 4 10:10:01 badger sendmail[29518]: [ID 801593 mail.info] gA4GA1829518: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 10:12:24 badger sendmail[29599]: [ID 801593 mail.info] gA4GCOj29599: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 10:12:43 badger sendmail[29615]: [ID 801593 mail.info] gA4GChE29615: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 10:16:16 badger sendmail[29699]: [ID 801593 mail.info] gA4GGGp29699: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 10:16:16 badger sendmail[29700]: [ID 801593 mail.info] gA4GGGK29700: Authentication-Warning: badger.state.wi.us.: majordom set sender to owner-wiruralsch@Badger.state.wi.us using -f
Nov 4 10:16:16 badger sendmail[29703]: [ID 801593 mail.info] gA4GGGv29703: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f

From mailscanner at ecs.soton.ac.uk Mon Nov 4 16:56:19 2002
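The Authentication-Warning entries in the log above can be inventoried per account before anyone is added to sendmail's trusted users (the `T` lines in sendmail.cf). This Python script is an added example, not part of the original posts; the sample log lines, the host `mx1.example.org`, the `webapp` account and the `EXPECTED` policy are constructed for illustration.

```python
"""Triage sendmail 'Authentication-Warning: ... set sender to ... using -f' entries."""
import re
from collections import Counter

# Warning format as it appears in the syslog excerpt above.
WARNING_RE = re.compile(
    r"(?P<qid>\S+): Authentication-Warning: (?P<host>\S+): "
    r"(?P<user>\S+) set sender to (?P<sender>\S+) using -f\s*$"
)

# Constructed sample log: host, queue ids, accounts and addresses are made up.
SAMPLE_LOG = """\
Nov  4 09:32:11 mx1 sendmail[28681]: [ID 801593 mail.info] gA4AAAA28681: Authentication-Warning: mx1.example.org.: majordom set sender to Majordomo-Owner@mx1.example.org using -f
Nov  4 09:34:30 mx1 sendmail[28768]: [ID 801593 mail.info] gA4AAAB28768: Authentication-Warning: mx1.example.org.: majordom set sender to owner-announce@mx1.example.org using -f
Nov  4 09:40:02 mx1 sendmail[28801]: [ID 801593 mail.info] gA4AAAC28801: Authentication-Warning: mx1.example.org.: webapp set sender to ceo@example.org using -f
Nov  4 09:41:10 mx1 sendmail[28802]: [ID 801593 mail.info] gA4AAAD28802: from=<a@example.org>, size=120, nrcpts=1
"""

# Constructed sendmail.cf fragment holding the trusted-user lines named in the thread.
SAMPLE_CF = "# trusted users\nTroot\nTdaemon\nTuucp\n"

# Assumed site policy: envelope senders each account is expected to assert.
EXPECTED = {
    "majordom": r"(majordomo-owner|owner-[a-z0-9._-]+)@mx1\.example\.org",
}


def parse_warnings(log_text):
    """Return (queue_id, local_user, asserted_sender) for every -f warning."""
    hits = []
    for line in log_text.splitlines():
        m = WARNING_RE.search(line)
        if m:
            hits.append((m["qid"], m["user"], m["sender"].lower()))
    return hits


def trusted_users(cf_text):
    """Collect users named on T lines (and the equivalent Ct class lines)."""
    users = set()
    for line in cf_text.splitlines():
        if line.startswith("Ct"):
            users.update(line[2:].split())
        elif line.startswith("T"):
            users.update(line[1:].split())
    return users


def triage(log_text, cf_text, expected):
    """Per account: trusted flag, sender inventory, senders outside policy."""
    trusted = trusted_users(cf_text)
    report = {}
    for _qid, user, sender in parse_warnings(log_text):
        entry = report.setdefault(
            user,
            {"trusted": user in trusted, "senders": Counter(), "unexpected": []},
        )
        entry["senders"][sender] += 1
        pattern = expected.get(user)
        if pattern is None or not re.fullmatch(pattern, sender):
            entry["unexpected"].append(sender)
    return report


def verdict(entry):
    """Classify one account's warnings for the operator."""
    if entry["unexpected"]:
        return "investigate"        # asserts senders outside the site policy
    if entry["trusted"]:
        return "check-restart"      # listed on a T line yet still warned about
    return "candidate-for-T"        # consistent use; a T line would silence it


if __name__ == "__main__":
    for user, entry in sorted(triage(SAMPLE_LOG, SAMPLE_CF, EXPECTED).items()):
        print(user, verdict(entry), dict(entry["senders"]))
```

Once an account is on a `T` line sendmail no longer logs this warning for it, so the per-account sender inventory is worth capturing before the change.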
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:17 2006
Subject: Majordomo sending messages as list-owner to a moderated list
In-Reply-To: <47F3EDACE4BC3A4594D0D7B504062BBD019C6680@doamail04>
Message-ID: <5.1.0.14.2.20021104165326.046e1ec0@imap.ecs.soton.ac.uk>

At 16:32 04/11/2002, you wrote:
>Julian,

Hey, I'm not the *only* person who fixes problems on this list :-)

>I am running Majordomo on Sun Solaris and sendmail as MTA.
>I have noticed after a message is cleaned it sends/posts messages to the
>lists, which is a moderated list
>only one person can post.

The errors are nothing to do with MailScanner (which does not get involved
with message delivery at all anyway).

>Can I prevent this in Mailscanner or should I have to tweak something on
>sendmail

You need to add "majordom" to the class T in your sendmail.cf file so that
sendmail "trusts" majordom and allows it to change the "From" address in
mail it creates.
You probably already have lines in your sendmail.cf that say
Troot
Tdaemon
Tuucp
Just add
Tmajordom
to that list and restart both sendmail processes.

>Here's the log on /var/log/syslog

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From Harish.Amin at DEG.STATE.WI.US Mon Nov 4 17:13:28 2002
From: Harish.Amin at DEG.STATE.WI.US (Amin, Harish)
Date: Thu Jan 12 21:16:17 2006
Subject: Majordomo sending messages as list-owner to a moderated list
Message-ID: <47F3EDACE4BC3A4594D0D7B504062BBD019C6683@doamail04>

Julian,
Thanks for responding so quickly. I think this will fix the problem.
Is there anything for weekly or monthly reporting on the activity of
MailScanner, so that I can show it my higher ups about how much scanning and
cleaning, Mailscanner does or the period like MailStats or Mailog statistics
etc

Thanx again

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Monday, November 04, 2002 10:56 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Majordomo sending messages as list-owner to a moderated list

At 16:32 04/11/2002, you wrote:
>Julian,

Hey, I'm not the *only* person who fixes problems on this list :-)

>I am running Majordomo on Sun Solaris and sendmail as MTA.
>I have noticed after a message is cleaned it sends/posts messages to the
>lists, which is a moderated list
>only one person can post.

The errors are nothing to do with MailScanner (which does not get involved
with message delivery at all anyway).

>Can I prevent this in Mailscanner or should I have to tweak something on
>sendmail

You need to add "majordom" to the class T in your sendmail.cf file so that
sendmail "trusts" majordom and allows it to change the "From" address in
mail it creates.
You probably already have lines in your sendmail.cf that say
Troot
Tdaemon
Tuucp
Just add
Tmajordom
to that list and restart both sendmail processes.

>Here's the log on /var/log/syslog

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Mon Nov 4 17:31:15 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:17 2006
Subject: Majordomo sending messages as list-owner to a moderated list
In-Reply-To: <47F3EDACE4BC3A4594D0D7B504062BBD019C6683@doamail04>
Message-ID: <5.1.0.14.2.20021104173025.0482ab00@imap.ecs.soton.ac.uk>

At 17:13 04/11/2002, you wrote:
>Julian,
>
>Thanks for responding so quickly.
>I think this will fix the problem.
>Is there anything for weekly or monthly reporting on the
>activity of MailScanner, so that I can show it my higher ups about
>how much scanning and cleaning, Mailscanner does or the period

Search in the mailing list archives for any mention of MRTG and you will
find the (many) conversations that have taken place on this topic before.
Someone out there is already doing what you want to do...

>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>Sent: Monday, November 04, 2002 10:56 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Majordomo sending messages as list-owner to a moderated
>list
>
>
>At 16:32 04/11/2002, you wrote:
> >Julian,
>
>Hey, I'm not the *only* person who fixes problems on this list
>:-)
>
> >I am running Majordomo on Sun Solaris and sendmail as MTA.
> >I have noticed after a message is cleaned it sends/posts messages to the
> >lists, which is a moderated list
> >only one person can post.
>
>The errors are nothing to do with MailScanner (which does not get involved
>with message delivery at all anyway).
>
> >Can I prevent this in Mailscanner or should I have to tweak something on
> >sendmail
>
>You need to add "majordom" to the class T in your sendmail.cf file so that
>sendmail "trusts" majordom and allows it to change the "From" address in
>mail it creates. You probably already have lines in your sendmail.cf that
>say
>         Troot
>         Tdaemon
>         Tuucp
>Just add
>         Tmajordom
>to that list and restart both sendmail processes.
>
> >Here's the log on /var/log/syslog
>
>--
>Julian Field                Teaching Systems Manager
>jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
>Tel. 023 8059 2817          University of Southampton
>                            Southampton SO17 1BJ

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From t.d.lee at DURHAM.AC.UK Mon Nov 4 18:06:00 2002
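Added example (not written by any poster on the list, and not MailScanner or sendmail code): a Python check for the class T fix described in the Majordomo thread above. It lists the local accounts that triggered the "set sender to ... using -f" Authentication-Warning and are not yet on a T line, so that only the account meant to be trusted gets added. The sendmail.cf fragment, hostnames, queue IDs and the "webapp" account are constructed, and class entries loaded from a file (Ft lines) are not read.

```python
import re
from collections import Counter, defaultdict

# Constructed sendmail.cf fragment holding the three trusted-user lines quoted
# in the thread. Everything in the samples below is made up for illustration.
SAMPLE_CF = """\
# Trusted users
Troot
Tdaemon
Tuucp
"""

# Constructed syslog lines in the format shown in the thread (unwrapped, as they
# appear in /var/log/syslog rather than as re-wrapped by a mail client).
SAMPLE_SYSLOG = """\
Nov  4 09:32:11 mailhost sendmail[101]: [ID 801593 mail.info] gA4AAAA00101: Authentication-Warning: mailhost.example.org.: majordom set sender to Majordomo-Owner@mailhost.example.org using -f
Nov  4 09:34:30 mailhost sendmail[102]: [ID 801593 mail.info] gA4AAAA00102: Authentication-Warning: mailhost.example.org.: majordom set sender to owner-testlist@mailhost.example.org using -f
Nov  4 09:35:02 mailhost sendmail[103]: [ID 801593 mail.info] gA4AAAA00103: from=<user@example.net>, size=1832, class=0, nrcpts=1
Nov  4 09:40:18 mailhost sendmail[104]: [ID 801593 mail.info] gA4AAAA00104: Authentication-Warning: mailhost.example.org.: webapp set sender to director@example.org using -f
Nov  4 09:41:55 mailhost sendmail[105]: [ID 801593 mail.info] gA4AAAA00105: Authentication-Warning: mailhost.example.org.: majordom set sender to Majordomo-Owner@mailhost.example.org using -f
"""

# "<host>: <local user> set sender to <address> using -f"
WARNING_RE = re.compile(
    r"Authentication-Warning: \S+: (?P<user>\S+) "
    r"set sender to (?P<sender>\S+) using -f"
)


def trusted_users(cf_text):
    """Return the users named on T lines, plus the equivalent class-t C lines."""
    users = set()
    for line in cf_text.splitlines():
        if line.startswith("Ct"):
            # "Ct root daemon": members of class t, the same list as T lines.
            users.update(line[2:].split())
        elif line.startswith("T"):
            # "Troot" or "Troot daemon": one or more users after the T.
            users.update(line[1:].split())
    return users


def sender_overrides(log_text):
    """Map each local account to a Counter of envelope senders it set with -f."""
    seen = defaultdict(Counter)
    for line in log_text.splitlines():
        match = WARNING_RE.search(line)
        if match:
            seen[match.group("user")][match.group("sender")] += 1
    return seen


def untrusted_overrides(cf_text, log_text):
    """Accounts that triggered the warning and are not trusted in cf_text."""
    trusted = trusted_users(cf_text)
    return {
        user: dict(senders)
        for user, senders in sender_overrides(log_text).items()
        if user not in trusted
    }


if __name__ == "__main__":
    report = untrusted_overrides(SAMPLE_CF, SAMPLE_SYSLOG)
    for user, senders in sorted(report.items()):
        total = sum(senders.values())
        print(f"{user}: {total} warning(s); a T{user} line would silence them")
        for sender, count in sorted(senders.items()):
            print(f"    {count:3d}  {sender}")
```

On the constructed sample this reports both majordom and webapp; reviewing the sender addresses per account is what tells the list manager apart from an account that has no reason to rewrite its sender.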
From: t.d.lee at DURHAM.AC.UK (David Lee)
Date: Thu Jan 12 21:16:17 2006
Subject: iframe dilemma: a compromise?
Message-ID:

Having lagged behind in 3.x, we recently jumped to 3.25-1. (Next step is
4.x, but that was a leap too far at this point.)

One of the things that caught us was the new "Allow IFrame Tags" option.

Now I'll immediately confess to knowing absolutely nothing about the dark,
inner workings of anything vaguely iframe-ish. And I'll also confess to
having failed to pay attention to its discussion here during recent weeks.

It seems the choice is currently a stark one: either permit iframe (and
risk its possible dangers) or forbid iframe (and risk the dangers of
unhappy users with big sticks).

Might there be the possibility of a compromise? An option something like
"convert iframe to text"? (Or was this discussed and deemed unworkable?)

--

:  David Lee                                I.T. Service          :
:  Systems Programmer                       Computer Centre       :
:                                           University of Durham  :
:  http://www.dur.ac.uk/t.d.lee/            South Road            :
:                                           Durham                :
:  Phone: +44 191 374 2882                  U.K.                  :

From vguerrero at minar.com Mon Nov 4 18:25:05 2002
From: vguerrero at minar.com (Vicente Guerrero M.)
Date: Thu Jan 12 21:16:17 2006
Subject: Creating mail copies for backup
References: <5.1.0.14.2.20021104143947.044d0700@imap.ecs.soton.ac.uk> <200211041505.QAA05059@post.webmailer.de>
Message-ID: <004701c2842f$82046290$620aaa82@ADMINISTRATOR>

maybe procmail can help, there is no major problem to install and
configure.

Hope this helps.

vgm

----- Original Message -----
From: "Marc Mc Guinness"
To:
Sent: Monday, November 04, 2002 9:05 AM
Subject: Re: Creating mail copies for backup


> Hello,
>
> On Monday, 4 November 2002 15:40, Julian Field wrote:
> > At 14:25 04/11/2002, you wrote:
> > >Hello,
> > >
> > >I don't know who I could ask. Probably you could help me...
> > >I'm using sendmail 8.12.6-6 on Debian 3.0 and want to create a
> > > copy of every email delivered to the user mailboxes under
> > > /var/mail/. This copy shall be saved in user mailboxes under
> > > /var/backup/mail/.
> > >
> > >How can I tell sendmail to write its mails to two directories?
> >
> > That's tricky in sendmail (I may be wrong, quite a few people on
> > this list know more about sendmail than I do!).
> >
> > However, MailScanner 4 will do it for you. The "Archive Mail"
> > feature can save mail messages to a directory or even to another
> > email address, without the recipient noticing anything is
> > happening.
>
> I can't use version 4 at the moment (political reason). I've got
> the mailscanner 3.13.2-4 from debian stable. Probably someone else
> can help me with telling sendmail to do the backup?
>
> Best regards,
>
> Marc
>

From mailscanner at ecs.soton.ac.uk Mon Nov 4 18:31:01 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:17 2006
Subject: iframe dilemma: a compromise?
In-Reply-To:
Message-ID: <5.1.0.14.2.20021104182526.023b4238@imap.ecs.soton.ac.uk>

At 18:06 04/11/2002, you wrote:
>Having lagged behind in 3.x, we recently jumped to 3.25-1. (Next step is
>4.x, but that was a leap too far at this point.)

One for Christmas, perhaps? If you start experimenting with V4 now, you
may be in a position to go "live" over Christmas or thereabouts, as you
still have 6 weeks or so to experiment and agree on the configuration.
Feel free to recruit me if you want some help or advice with the
implications of the various settings. I can remember why I wrote most of
them :-)

>One of the things that caught us was the new "Allow IFrame Tags" option.
>
>Now I'll immediately confess to knowing absolutely nothing about the dark,
>inner workings of anything vaguely iframe-ish. And I'll also confess to
>having failed to pay attention to its discussion here during recent weeks.
>
>It seems the choice is currently a stark one: either permit iframe (and
>risk its possible dangers) or forbid iframe (and risk the dangers of
>unhappy users with big sticks).
>
>Might there be the possibility of a compromise? An option something like
>"convert iframe to text"? (Or was this discussed and deemed unworkable?)

In version 4, you can allow IFrame tags from any given "trusted" address,
which solves the problem. I am loath to spend the time required to
implement all the "domains file" code in version 3, it would be quite a
bit of work.

If you keep your Outlook and OE users well up to date with patches, then
you probably won't have much problem as most of the current viruses that
exploit this rely on you not having installed patches that were issued a
year ago.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mail at projectandrew.com Mon Nov 4 18:42:42 2002
From: mail at projectandrew.com (Andrew G Allen)
Date: Thu Jan 12 21:16:17 2006
Subject: Startup script
Message-ID: <1158.217.155.81.25.1036435362.squirrel@www.projectandrew.com>

I am still trying to get MailScanner fully working with Ensim WEBppliance
- the only part that is not working is a piece of custom ensim code that
is normally called from the sendmail startup script. The two lines are:

        export LD_PRELOAD=/lib/libensimvwhbw.so
        export ENSIMVWH_BWSVCID=1

If I add these to the MailScanner startup script, MailScanner will accept
mail, but will not deliver it to any chrooted site. I also get file not
found errors thrown to the console. It seems to me then, to be something
that must be passed from the sendmail config for this module to work,
which is not passed by MailScanner - it is supposed to track the size of
each mail passed through sendmail, so a monthly 'bandwidth allowance' can
be applied to each virtual site within Ensim. I don't really know where to
go next, and wondered if anybody who knows sendmail in more detail might
have any ideas where to look?

Does MailScanner refer to all the same sendmail config files that sendmail
would if it was called using its own startup script?

Andrew G Allen
email: mail@projectandrew.com | voice: +44 (0) 7958 540596

--- Disclaimer ---
This e-mail and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error, please notify the
system manager.

--
This message has been scanned for viruses and dangerous
content by MailScanner, and is believed to be clean.

From mailscanner at ecs.soton.ac.uk Mon Nov 4 18:57:43 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:17 2006
Subject: Startup script
In-Reply-To: <1158.217.155.81.25.1036435362.squirrel@www.projectandrew.com>
Message-ID: <5.1.0.14.2.20021104185355.023572b0@imap.ecs.soton.ac.uk>

I'm not at all convinced this will work, but give it a try:

Write a very short script that sets these variables and then calls
sendmail, something like this

        #!/bin/sh
        export LD_PRELOAD=/lib/libensimvwhbw.so
        export ENSIMVWH_BWSVCID=1
        /usr/sbin/sendmail "$@"

and then call this script in MailScanner instead of directly invoking
sendmail. You should just edit the "Sendmail =" setting in
MailScanner.conf to refer to your script instead of sendmail itself.

See what happens with this setup.

At 18:42 04/11/2002, you wrote:
>I am still trying to get MailScanner fully working with Ensim WEBppliance
>- the only part that is not working is a piece of custom ensim code that
>is normally called from the sendmail startup script. The two lines are:
>
>        export LD_PRELOAD=/lib/libensimvwhbw.so
>        export ENSIMVWH_BWSVCID=1
>
>If I add these to the MailScanner startup script, MailScanner will accept
>mail, but will not deliver it to any chrooted site. I also get file not
>found errors thrown to the console. It seems to me then, to be something
>that must be passed from the sendmail config for this module to work,
>which is not passed by MailScanner - it is supposed to track the size of
>each mail passed through sendmail, so a monthly 'bandwidth allowance' can
>be applied to each virtual site within Ensim. I don't really know where to
>go next, and wondered if anybody who knows sendmail in more detail might
>have any ideas where to look?
>
>Does MailScanner refer to all the same sendmail config files that sendmail
>would if it was called using its own startup script?
>
>Andrew G Allen
>email: mail@projectandrew.com | voice: +44 (0) 7958 540596
>
>--- Disclaimer ---
>This e-mail and any files transmitted with it are confidential and
>intended solely for the use of the individual or entity to whom they are
>addressed. If you have received this email in error, please notify the
>system manager.
>
>--
>This message has been scanned for viruses and dangerous
>content by MailScanner, and is believed to be clean.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mkettler at EVI-INC.COM Mon Nov 4 19:23:01 2002
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:16:17 2006
Subject: Creating mail copies for backup
In-Reply-To: <200211041425.PAA19966@post.webmailer.de>
Message-ID: <5.1.1.6.0.20021104142138.01618a18@192.168.50.2>

If you're using mailscanner, read your mailscanner.conf. It can do this
for you.

Also be aware that it might be illegal to do what you ask in some
jurisdictions, consult your local lawyer :)

From a Mailscanner 3.x conf file:

# Do you want to archive all mail in a directory for later inspection?
# Be warned if you are in the UK: this may well be illegal due to RIPA
# and DPA restrictions!
# This can be "yes", "no" or a filename. If it is a filename, the file
# may contain complete addresses, domain names or wildcard domains names.
# See the sample file for examples.
#Archive Mail = /usr/local/MailScanner/etc/domains.to.archive.conf
Archive Mail = no

At 03:25 PM 11/4/2002 +0100, Marc Mc Guinness wrote:
>Hello,
>
>I don't know who I could ask. Probably you could help me...
>I'm using sendmail 8.12.6-6 on Debian 3.0 and want to create a copy
>of every email delivered to the user mailboxes under /var/mail/.
>This copy shall be saved in user mailboxes under /var/backup/mail/.
>
>How can I tell sendmail to write its mails to two directories?
>
>Best regards,
>
>Marc Mc Guinness

From lbergman at wtxs.net Mon Nov 4 19:36:25 2002
From: lbergman at wtxs.net (Lewis Bergman)
Date: Thu Jan 12 21:16:17 2006
Subject: No virus loggings?
Message-ID: <200211041336.25634.lbergman@wtxs.net>

I am getting verbose spam logging as noted below.

Nov 3 03:41:46 ns2 MailScanner[1437]: Message gA39fd302216 from 209.47.251.47
(bounce.rapid-e.net) is spam according to SpamAssassin (score=8.9, required
5, APPLY_ONLINE, BIG_FONT, CLICK_BELOW, CLICK_BELOW_CAPS,
DATE_IN_FUTURE_06_12, DEAR_SOMEBODY, EXCUSE_1, EXCUSE_16, EXCUSE_7,
HTML_FONT_FACE_ODD, HTTP_WITH_EMAIL_IN_URL, JAVASCRIPT, JAVASCRIPT_UNSAFE,
LINES_OF_YELLING, LINES_OF_YELLING_2, LINES_OF_YELLING_3, MARKETING_PARTNERS,
SPAM_PHRASE_08_13, UNSECURED_CREDIT, WEB_BUGS)

But all I get about virus scanning is on this order:
Nov 3 03:41:46 ns2 MailScanner[1437]: Virus and Content Scanning: Starting
Nov 3 03:41:46 ns2 MailScanner[1437]: Uninfected: Delivered 1 messages

I know the virus engine is doing its job because virus notices are sent out as
configured.
This is on MailScanner 4.04.-1 and f-prot 3.12b
The -r is added to syslogd startup. What else am I missing here?

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
915-695-6962 ext 115

From mailscanner at ecs.soton.ac.uk Mon Nov 4 19:40:32 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:17 2006
Subject: No virus loggings?
In-Reply-To: <200211041336.25634.lbergman@wtxs.net>
Message-ID: <5.1.0.14.2.20021104193854.02357cf0@imap.ecs.soton.ac.uk>

At 19:36 04/11/2002, you wrote:
>I am getting verbose spam logging as noted below.
>
>Nov 3 03:41:46 ns2 MailScanner[1437]: Message gA39fd302216 from 209.47.251.47
>(bounce.rapid-e.net) is spam according to SpamAssassin (score=8.9, required
>5, APPLY_ONLINE, BIG_FONT, CLICK_BELOW, CLICK_BELOW_CAPS,
>DATE_IN_FUTURE_06_12, DEAR_SOMEBODY, EXCUSE_1, EXCUSE_16, EXCUSE_7,
>HTML_FONT_FACE_ODD, HTTP_WITH_EMAIL_IN_URL, JAVASCRIPT, JAVASCRIPT_UNSAFE,
>LINES_OF_YELLING, LINES_OF_YELLING_2, LINES_OF_YELLING_3, MARKETING_PARTNERS,
>SPAM_PHRASE_08_13, UNSECURED_CREDIT, WEB_BUGS)
>
>
>But all I get about virus scanning is on this order:
>Nov 3 03:41:46 ns2 MailScanner[1437]: Virus and Content Scanning: Starting
>Nov 3 03:41:46 ns2 MailScanner[1437]: Uninfected: Delivered 1 messages
>
>I know the virus engine is doing its job because virus notices are sent out as
>configured.
>This is on MailScanner 4.04.-1 and f-prot 3.12b
>The -r is added to syslogd startup. What else am I missing here?

It doesn't produce any "nothing interesting happened" log entries, after
another user claimed it was logging too much. If it finds anything of
interest, it will still log it.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From gerry at dorfam.ca Mon Nov 4 19:41:47 2002
From: gerry at dorfam.ca (Gerry Doris)
Date: Thu Jan 12 21:16:17 2006
Subject: V4 Upgrade Experience
Message-ID: <49210.129.80.22.133.1036438907.squirrel@tiger.dorfam.ca>

I finally got around to upgrading from V3 last Saturday. I've been
waiting until the dust settled before I did the deed.

BTW, I'm running a Redhat 7.3 server with RH's sendmail/perl, and the
latest version of spamassassin. V3 was working without problems before
starting.

After noticing that Julian had released a new version I grabbed it,
untar'd the file, and ran the ./install script. It happily reported that
most of the required perl files were already installed, updated a few,
and added a couple of others.

I modified the new mailscanner.conf file, added the MailScanner service
per the doc's and, as I had the luxury, rebooted the server. I know the
reboot wasn't necessary if I had shutdown the old daemons but I also
wanted to be sure that the server would come back in case of power
outages etc.

Everything came up running without errors! I've only noticed a couple of
minor things that needed tweaking. Small stuff like the
f-prot-autoupdate script location had to be changed in my crontab file
(it was still pointing to the old location).

The bottom line is that this was a totally painless upgrade. Thank you
Julian.

Gerry

From mailscanner at ecs.soton.ac.uk Mon Nov 4 19:43:52 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:17 2006
Subject: V4 Upgrade Experience
In-Reply-To: <49210.129.80.22.133.1036438907.squirrel@tiger.dorfam.ca>
Message-ID: <5.1.0.14.2.20021104194257.024218c0@imap.ecs.soton.ac.uk>

At 19:41 04/11/2002, you wrote:
>The bottom line is that this was a totally painless upgrade. Thank you
>Julian.

Yay! Thank you.

Jules.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From todd.williams at TFCCI.COM Mon Nov 4 19:39:47 2002
From: todd.williams at TFCCI.COM (Todd Williams)
Date: Thu Jan 12 21:16:17 2006
Subject: Sendmail question with regards to MailScanner
Message-ID: <00b801c28439$efbf5010$c802a8c0@toddntbox.tfcc.com>

Hello,

I've searched and not turned up a whole lot of useful help regarding this
question, but perhaps someone else has seen what I'm seeing.

If an internal user (accidentally?) writes an e-mail to a bogus or
unreachable domain name (or in the case an internet connection is down),
when sendmail 8.11.6 (with the appropriate command line options for
queueonly and a queue directory of /var/spool/mqueue.inbox) takes the
message, it attempts to munge on the message (seemingly ignoring the
queueonly option), and because it sees the message as a "deferred" message,
dumps the message directly into the /var/spool/mqueue directory, which
effectively bypasses the MailScanner altogether. While this may be a
non-issue, I just wanted to see if others have seen this same behaviour.

I thought it odd that even when handed the
"-ODeliveryMode=q -OQueueDirectory=/var/spool/mqueue.inbox" options, in the
case of a deferred message, sendmail bypasses its command line parameters
and follows the sendmail.cf directive (?) to send it to the default queue
directory. I even tried playing with the "-OErrorMode=q" option as well,
setting it to "queue only" and the deferred messages still end up in the
default /var/spool/mqueue directory the same as before. Everything else
under normal conditions works fine.

I suspect we could change the queueonly sendmail process to use a
different sendmail.cf configuration file which specifies the
QueueDirectory as the incoming MailScanner queue directory to force it
through the MailScanner irregardless, but I was trying to avoid
convoluting things more than necessary.

Any thoughts?

Thanks,
Todd

From David.While at UCE.AC.UK Mon Nov 4 19:53:53 2002
From: David.While at UCE.AC.UK (David While)
Date: Thu Jan 12 21:16:17 2006
Subject: MRTG etc
Message-ID:

A number of people have been asking about getting statistic output for MailScanner (quite often for the higher ups!) well I have produced a script that analyses the mail log file and produces the necessary output including MRTG. The first time you run the script it will produce the necessary MRTG config file.

It has a number of configurable variables (at the top of the script) and can also use the sendmail access file to automatically ban those IP addresses that consistently send you spam. There have been a number of discussions about SpamCop etc - well this is one solution - turn off your spamcop settings in MailScanner and sendmail and let this script decide to put them into your own access file. After a period of time they are automatically removed again.

Currently the virus analysis will only work for ClamAV and inoculan since I don't have access to any other scanners, however it is easy for me to add them in - all I need are some sample mail log file entries from the relevant scanners when they have detected a virus.

For a sample of what it produces see http://www.boys-brigade.org.uk/mrtg and to get the script go to http://staff.cie.uce.ac.uk/~dwhile/mailstats/

It isn't a perfect script and if you have any problems please let me know - also if you find it useful let me know.

-----------------------------------------------------------------
David While
Technical Development Manager
Faculty of Computing, Information & English
University of Central England
Tel: 0121 331 6211

From mailscanner at ecs.soton.ac.uk Mon Nov 4 19:55:32 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:17 2006
Subject: Sendmail question with regards to MailScanner
In-Reply-To: <00b801c28439$efbf5010$c802a8c0@toddntbox.tfcc.com>
Message-ID: <5.1.0.14.2.20021104195442.024199f8@imap.ecs.soton.ac.uk>

I would report that as a sendmail bug if that really happens. It shouldn't over-ride its command-line options.

At 19:39 04/11/2002, you wrote:
>Hello,
>
>I've searched and not turned up a whole lot of useful help regarding this
>question, but perhaps someone else has seen what I'm seeing.
>
>If an internal user (accidentally?) writes an e-mail to a bogus or
>unreachable domain name (or in the case an internet connection is down),
>when sendmail 8.11.6 (with the appropriate command line options for
>queueonly and a queue directory of /var/spool/mqueue.inbox) takes the
>message, it attempts to munge on the message (seemingly ignoring the
>queueonly option), and because it sees the message as a "deferred" message,
>dumps the message directly into the /var/spool/mqueue directory, which
>effectively bypasses the MailScanner altogether. While this may be a
>non-issue, I just wanted to see if others have seen this same behaviour.
>
>I thought it odd that even when handed the
>"-ODeliveryMode=q -OQueueDirectory=/var/spool/mqueue.inbox" options, in the
>case of a deferred message, sendmail bypasses its command line parameters
>and follows the sendmail.cf directive (?) to send it to the default queue
>directory. I even tried playing with the "-OErrorMode=q" option as well,
>setting it to "queue only" and the deferred messages still end up in the
>default /var/spool/mqueue directory the same as before. Everything else
>under normal conditions works fine. I suspect we could change the queueonly
>sendmail process to use a different sendmail.cf configuration file which
>specifies the QueueDirectory as the incoming MailScanner queue directory to
>force it through the MailScanner irregardless, but I was trying to avoid
>convoluting things more than necessary.
>
>Any thoughts?
>
>Thanks,
>
>Todd

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From gerry at dorfam.ca Mon Nov 4 19:59:36 2002
From: gerry at dorfam.ca (Gerry Doris)
Date: Thu Jan 12 21:16:17 2006
Subject: Fwd: Mailscanner on OSDir.com (new O'Reilly site)
In-Reply-To: <5.1.0.14.2.20021104102226.04515ec0@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20021104102226.04515ec0@imap.ecs.soton.ac.uk>
Message-ID: <37450.129.80.22.133.1036439976.squirrel@tiger.dorfam.ca>

> O'Reilly have created a new website containing a directory of Open
> Source projects, including MailScanner. If some of you could take 5
> minutes adding some comments / votes to the site, I would really
> appreciate it.
>
> The MailScanner project page is at
> http://osdir.com/modules.php?op=modload&name=Downloads&file=index&req=viewdownloaddetails&lid=114&ttitle=MailScanner
>
> And the home page of their new site is of course http://osdir.com/
>
>>Subject: Mailscanner on OSDir.com (new O'Reilly site)
>>
>>Hi Julian,
>>
>>I've just added Mailscanner to http://OSDir.com (new O'Reilly site).
>> We'll likely be building a book partly based from the votes and comments
>> there so I invite our users to talk Mailscanner up a bit there:
>>http://osdir.com/modules.php?op=modload&name=Downloads&file=index&req=viewdownloaddetails&lid=114&ttitle=MailScanner
>>
>>There's a link at the bottom of that page if you or any of them want
>> visitors to vote/comment on Mailscanner remotely from a website such as
>> your own. We'll likely be building a book partly based on comments and
>> votes so adding it to the Mailscanner site probably wouldn't hurt.
>>
>>Thanks and Cheers,
>>--
>>Steve Mallett | steve@osdir.com
>>http://OSDir.com on the O'Reilly Network
>>http://opensource.org | webmaster@opensource.org
>>http://open5ource.net
>
> --
> Julian Field Teaching Systems Manager
> jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel.
> 023 8059 2817 University of Southampton
> Southampton SO17 1BJ

I don't understand this site. MailScanner has a total of 44 votes and an overall rating of 9.43 yet it doesn't appear in the top/popular apps?? Am I missing something?

Gerry

From mailscanner at ecs.soton.ac.uk Mon Nov 4 20:04:35 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:17 2006
Subject: 4.05-3 update
In-Reply-To: <5.1.1.6.2.20021104115351.00a65db0@mail.okanagan.net>
References: <5.1.0.14.2.20021101084729.0487aaa0@imap.ecs.soton.ac.uk> <5.1.1.6.2.20021031151431.00a63890@mail.okanagan.net>
Message-ID: <5.1.0.14.2.20021104200225.0309ddd0@imap.ecs.soton.ac.uk>

At 20:00 04/11/2002, you wrote:
>i see u added SCO Openserver into the startup script, yes, it works fine!!

Good.

>new issue.. :)
>
>if you put 500 pieces of mail in the input directory (1000 files),
>mailscanner croaks and complains about too many files. Of course, you
>then get a spiral of death, more mail comes in... more files etc...
>
>example:
>
>Cannot build message from /var/spool/MailScanner/incoming/3964/g
>/var/spool/mqueue.in/dfgA4I73L00650, Too many open files
>
>Commercial virus checker failed with real error:
> Can't fork: Too many open files at
> /opt/MailScanner/bin/MailScanner/SweepViruses.pm line 412.

That's a fault in your OS. Find out how to increase the number of file handles you are allowed to open. Should be a configurable OS parameter. Some other OS has a low limit on the number of file locks allowed at once.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Mon Nov 4 20:06:47 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:17 2006
Subject: Fwd: Mailscanner on OSDir.com (new O'Reilly site)
In-Reply-To: <37450.129.80.22.133.1036439976.squirrel@tiger.dorfam.ca>
References: <5.1.0.14.2.20021104102226.04515ec0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021104102226.04515ec0@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021104200516.030b9f00@imap.ecs.soton.ac.uk>

At 19:59 04/11/2002, you wrote:
> > O'Reilly have created a new website containing a directory of Open
> > Source projects, including MailScanner. If some of you could take 5
> > minutes adding some comments / votes to the site, I would really
> > appreciate it.
> >
> > The MailScanner project page is at
> > http://osdir.com/modules.php?op=modload&name=Downloads&file=index&req=viewdownloaddetails&lid=114&ttitle=MailScanner
> >
> > And the home page of their new site is of course http://osdir.com/
> >
> >>Subject: Mailscanner on OSDir.com (new O'Reilly site)
> >>
> >>Hi Julian,
> >>
> >>I've just added Mailscanner to http://OSDir.com (new O'Reilly site).
> >> We'll likely be building a book partly based from the votes and comments
> >> there so I invite our users to talk Mailscanner up a bit there:
> >>http://osdir.com/modules.php?op=modload&name=Downloads&file=index&req=viewdownloaddetails&lid=114&ttitle=MailScanner
> >>
> >>There's a link at the bottom of that page if you or any of them want
> >> visitors to vote/comment on Mailscanner remotely from a website such as
> >> your own. We'll likely be building a book partly based on comments and
> >> votes so adding it to the Mailscanner site probably wouldn't hurt.
> >>
> >>Thanks and Cheers,
> >>--
> >>Steve Mallett | steve@osdir.com
> >>http://OSDir.com on the O'Reilly Network
> >>http://opensource.org | webmaster@opensource.org
> >>http://open5ource.net
> >
> > --
> > Julian Field Teaching Systems Manager
> > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel.
> > 023 8059 2817 University of Southampton
> > Southampton SO17 1BJ
>
>I don't understand this site. MailScanner has a total of 44 votes and an
>overall rating of 9.43 yet it doesn't appear in the top/popular apps??
>Am I missing something?

I saw that too. I hope it's just due to them not updating the popular apps list very often. If it's still that way tomorrow then I'll ask them what's happening.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From lbergman at wtxs.net Mon Nov 4 20:09:16 2002
From: lbergman at wtxs.net (Lewis Bergman)
Date: Thu Jan 12 21:16:17 2006
Subject: No virus loggings?
In-Reply-To: <5.1.0.14.2.20021104193854.02357cf0@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20021104193854.02357cf0@imap.ecs.soton.ac.uk>
Message-ID: <200211041409.16997.lbergman@wtxs.net>

> It doesn't produce any "nothing interesting happened" log entries, after
> another user claimed it was logging too much. If it finds anything of
> interest, it will still log it.

ooops. You're right. After further review I found one such as:

Nov 4 10:16:33 ns2 MailScanner[19348]: Virus Scanning: f-prot found 1 infections
Nov 4 10:16:33 ns2 MailScanner[19348]: Virus Scanning: Found 1 viruses

I vaguely remember something about differing virus scanners producing widely different output being the reason virus names are not output in the logs. Is this correct?

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
915-695-6962 ext 115

From mailscanner at ecs.soton.ac.uk Mon Nov 4 20:14:36 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:17 2006
Subject: No virus loggings?
In-Reply-To: <200211041409.16997.lbergman@wtxs.net>
References: <5.1.0.14.2.20021104193854.02357cf0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021104193854.02357cf0@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021104201412.0237f398@imap.ecs.soton.ac.uk>

At 20:09 04/11/2002, you wrote:
> > It doesn't produce any "nothing interesting happened" log entries, after
> > another user claimed it was logging too much. If it finds anything of
> > interest, it will still log it.
>ooops. You're right. After further review I found one such as:
>Nov 4 10:16:33 ns2 MailScanner[19348]: Virus Scanning: f-prot found 1
>infections
>Nov 4 10:16:33 ns2 MailScanner[19348]: Virus Scanning: Found 1 viruses
>
>I vaguely remember something about differing virus scanners producing widely
>different output being the reason virus names are not output in the logs. Is
>this correct?

Yes.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From novirus at CARLO65.DE Mon Nov 4 20:25:42 2002
From: novirus at CARLO65.DE (Roland Ehle)
Date: Thu Jan 12 21:16:17 2006
Subject: MRTG etc
In-Reply-To:
References:
Message-ID: <1036441542.5743.96.camel@linroute>

Hi David,

On Mon, 2002-11-04 at 20.53, David While wrote:
> A number of people have been asking about getting statistic output for
> MailScanner (quite often for the higher ups!) well I have produced a script
> that analyses the mail log file and produces the necessary output including
> MRTG. The first time you run the script it will produce the necessary MRTG
> config file.
[...]

thanks very much!

Regards,
Roland

From novirus at CARLO65.DE Mon Nov 4 20:35:02 2002
From: novirus at CARLO65.DE (Roland Ehle)
Date: Thu Jan 12 21:16:17 2006
Subject: MailScanner 4.x installation on SuSE 7.3
Message-ID: <1036442102.5743.107.camel@linroute>

Hi,

I realized a few difficulties when installing the recent version of MailScanner 4.x on my SuSE Linux 7.3 box from the rpm-Distribution. Just to share my experiences with you, perhaps it may help, some hints:

Before starting the install.sh script, you need to make a link, because neither /usr/src/redhat nor /usr/src/RPM exists - "ln -s /usr/src/packages RPM" helps. If you have the sendmail-tls package, provided by SuSE, you need to add --nodeps to the line "rpm -Uhv mailscanner*..." in the install.sh script.

Standard installation of SuSE with sendmail has a subdirectory .hoststat in /var/spool/mqueue. You need to move this subdirectory to /var/spool (or wherever you want), then change the referring line in your /etc/sendmail.cf file.

Regards,
Roland

From mailscanner at ecs.soton.ac.uk Mon Nov 4 20:44:54 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:17 2006
Subject: MailScanner 4.x installation on SuSE 7.3
In-Reply-To: <1036442102.5743.107.camel@linroute>
Message-ID: <5.1.0.14.2.20021104204242.030cef78@imap.ecs.soton.ac.uk>

At 20:35 04/11/2002, you wrote:
>Before starting the install.sh script, you need to make a link, because
>neither /usr/src/redhat nor /usr/src/RPM exists - "ln -s
>/usr/src/packages RPM" helps. If you have the sendmail-tls package,
>provided by SuSE, you need to add --nodeps to the line "rpm -Uhv
>mailscanner*..." in the install.sh script.

Fixed in the next release.

>Standard installation of SuSE with sendmail has a subdirectory
>.hoststat in /var/spool/mqueue. You need to move this subdirectory to
>/var/spool (or wherever you want), then change the referring line in your
>/etc/sendmail.cf file.

Already fixed in the latest release.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mail at projectandrew.com Tue Nov 5 01:03:39 2002
From: mail at projectandrew.com (Andrew G Allen)
Date: Thu Jan 12 21:16:17 2006
Subject: MRTG etc
In-Reply-To:
References:
Message-ID: <1163.217.155.81.25.1036458219.squirrel@www.projectandrew.com>

Some entries from my log file:

Nov 4 17:15:30 host-2 MailScanner[1163]: New Batch: Scanning 1 messages, 140270 bytes
Nov 4 17:15:30 host-2 MailScanner[1163]: Spam Checks: Starting
Nov 4 17:15:30 host-2 MailScanner[1163]: Virus and Content Scanning: Starting
Nov 4 17:15:31 host-2 MailScanner[1163]: >>> Virus 'W32/Klez-H' found in file ./gA4HFT803745/coords.scr
Nov 4 17:15:31 host-2 MailScanner[1163]: Virus Scanning: sophos found 1 infections
Nov 4 17:15:31 host-2 MailScanner[1163]: /var/spool/MailScanner/incoming/1163/gA4HFT803745/coords.scr Infection: W32/Klez.H@mm
Nov 4 17:15:31 host-2 MailScanner[1163]: Virus Scanning: f-prot found 1 infections
Nov 4 17:15:31 host-2 MailScanner[1163]: /var/spool/MailScanner/incoming/1163/./gA4HFT803745/coords.scr: Worm/Klez.H FOUND
Nov 4 17:15:31 host-2 MailScanner[1163]: Virus Scanning: clamav found 1 infections
Nov 4 17:15:31 host-2 MailScanner[1163]: Virus Scanning: Found 1 viruses
Nov 4 17:15:31 host-2 MailScanner[1163]: Filename Checks: Possible virus hidden in a screensaver (coords.scr)
Nov 4 17:15:31 host-2 MailScanner[1163]: Other Checks: Found 1 problems
Nov 4 17:15:31 host-2 MailScanner[1163]: Saved infected "coords.scr" to /var/spool/MailScanner/quarantine/20021104/gA4HFT803745
Nov 4 17:15:31 host-2 MailScanner[1163]: Silent: Delivered 1 messages containing silent viruses

I am currently using f-prot, sophos & clamav.

Hope this helps... :)

Andrew G Allen
email: mail@projectandrew.com | voice: +44 (0) 7958 540596

--- Disclaimer ---
This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify the system manager.

> A number of people have been asking about getting statistic output for
> MailScanner (quite often for the higher ups!) well I have produced a
> script that analyses the mail log file and produces the necessary output
> including MRTG. The first time you run the script it will produce the
> necessary MRTG config file.
>
> It has a number of configurable variables (at the top of the script) and
> can also use the sendmail access file to automatically ban those IP
> addresses that consistently send you spam. There have been a number of
> discussions about SpamCop etc - well this is one solution - turn off
> your spamcop settings in MailScanner and sendmail and let this script
> decide to put them into your own access file. After a period of time
> they are automatically removed again.
>
> Currently the virus analysis will only work for ClamAV and inoculan
> since I don't have access to any other scanners, however it is easy for
> me to add them in - all I need are some sample mail log file entries
> from the relevant scanners when they have detected a virus.
>
> For a sample of what it produces see http://www.boys-brigade.org.uk/mrtg
> and to get the script go to
> http://staff.cie.uce.ac.uk/~dwhile/mailstats/
>
> It isn't a perfect script and if you have any problems please let me
> know - also if you find it useful let me know.
>
> -----------------------------------------------------------------
> David While
> Technical Development Manager
> Faculty of Computing, Information & English
> University of Central England
> Tel: 0121 331 6211
>
> --
> This message has been scanned for viruses and dangerous
> content by MailScanner, and is believed to be clean.

--
This message has been scanned for viruses and dangerous
content by MailScanner, and is believed to be clean.

From smohan at vsnl.com Tue Nov 5 02:10:39 2002
From: smohan at vsnl.com (S Mohan)
Date: Thu Jan 12 21:16:17 2006
Subject: Creating mail copies for backup
In-Reply-To: <004701c2842f$82046290$620aaa82@ADMINISTRATOR>
Message-ID: <000001c28470$8aa92660$25405bca@18yamuna>

Use .procmailrc in etc which is systemwide. Let the rule be as under

:0 c

Will copy all mails to a file. You can get the header values and based on that copy it to different files. Another alternative is to have a .procmailrc in each user's home directory. Then file name can be hardcoded for each user.

Mohan

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Vicente Guerrero M.
Sent: Monday, November 04, 2002 11:55 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Creating mail copies for backup

maybe procmail can help, there is no major problem to install and configure. Hope this helps.

vgm

----- Original Message -----
From: "Marc Mc Guinness"
To:
Sent: Monday, November 04, 2002 9:05 AM
Subject: Re: Creating mail copies for backup

> Hello,
>
> On Monday, 4 November 2002 15:40, Julian Field wrote:
> > At 14:25 04/11/2002, you wrote:
> > >Hello,
> > >
> > >I don't know who I could ask. Probably you could help me... I'm
> > >using sendmail 8.12.6-6 on Debian 3.0 and want to create a copy of
> > >every email delivered to the user mailboxes under /var/mail/. This
> > >copy shall be saved in user mailboxes under /var/backup/mail/.
> > >
> > >How can I tell sendmail to write its mails to two directories?
> >
> > That's tricky in sendmail (I may be wrong, quite a few people on
> > this list know more about sendmail than I do!).
> >
> > However, MailScanner 4 will do it for you. The "Archive Mail"
> > feature can save mail messages to a directory or even to another
> > email address, without the recipient noticing anything is happening.
>
> I can't use version 4 at the moment (political reason). I've got the
> mailscanner 3.13.2-4 from debian stable. Probably someone else can
> help me with telling sendmail to do the backup?
>
> Best regards,
>
> Marc
>

From brett at BRABYS.CO.ZA Tue Nov 5 06:28:26 2002
From: brett at BRABYS.CO.ZA (Brett Geer)
Date: Thu Jan 12 21:16:17 2006
Subject: Creating mail copies for backup
In-Reply-To: <200211041425.PAA19966@post.webmailer.de>
References: <200211041425.PAA19966@post.webmailer.de>
Message-ID: <1036477706.12618.18.camel@brett>

procmail can do it as mentioned by others, MailScanner is quite happy to copy in the qf and df files, only issue with this idea is on a busy mail server you get directories with thousands and thousands of files in there real fast. My solution there was to shove the files at a database, I can ship you a copy of my scripts and schemas if you like

brett

> I don't know who I could ask. Probably you could help me...
> I'm using sendmail 8.12.6-6 on Debian 3.0 and want to create a copy
> of every email delivered to the user mailboxes under /var/mail/.
> This copy shall be saved in user mailboxes under /var/backup/mail/.
>
> How can I tell sendmail to write its mails to two directories?

--
-------------------------------------------------------------------
This is UNIX country, on a quiet night you can hear Windows reboot

From LISTSERV at JISCMAIL.AC.UK Tue Nov 5 00:13:55 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e))
Date: Thu Jan 12 21:16:17 2006
Subject: MAILSCANNER: wmullis@ESHCOM.COM requested to join
Message-ID: <200211050013.AAA06617@magpie.ecs.soton.ac.uk>

Tue, 5 Nov 2002 00:13:55

A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Wesley Mullis.

You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list:

ADD MAILSCANNER wmullis@ESHCOM.COM Wesley Mullis

The simplest way to do this is to click on the following link:

http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+wmullis%40ESHCOM.COM+Wesley+Mullis&L=MAILSCANNER

------------------------- Original mail header --------------------------
[Request submitted through anonymous TCP/IP interface from 127.0.0.1]

From mailscanner at ecs.soton.ac.uk Tue Nov 5 08:43:39 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:17 2006
Subject: Creating mail copies for backup
In-Reply-To: <1036477706.12618.18.camel@brett>
References: <200211041425.PAA19966@post.webmailer.de> <200211041425.PAA19966@post.webmailer.de>
Message-ID: <5.1.0.14.2.20021105084203.04610de8@imap.ecs.soton.ac.uk>

At 06:28 05/11/2002, you wrote:
>procmail can do it as mentioned by others, MailScanner is quite happy to
>copy in the qf and df files

MailScanner can now either copy the qf+df pair for each message, or a more readable headers+body file of the message.

>, only issue with this idea is on a busy mail
>server you get directories with thousands and thousands of files in
>there real fast.

Do it very selectively, and it's only a problem on naff OS's that can't handle big directories very quickly.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From carl.boberg at NRM.SE Tue Nov 5 09:01:35 2002
From: carl.boberg at NRM.SE (Carl Boberg)
Date: Thu Jan 12 21:16:17 2006
Subject: F-secure logging
Message-ID:

Hi,

I'm trying really hard to make my F-secure log to the maillog as other scanners do, like:

Nov 4 17:15:31 host-2 MailScanner[1163]: >>> Virus 'W32/Klez-H' found in file ./gA4HFT803745/coords.scr

(this is a Sophos log entry)

Has anyone any knowledge about how this could be done?
I know it logs the virus type to std out when I run it manually on a virus infected file;
.....
[root@pop 20021104]# /usr/lib/MailScanner/f-secure-wrapper *
F-Secure Anti-Virus for i386-linux Release 4.15 build 4370
Frisk Software International F-PROT engine version 3.11 build 802
sign.def version 2002-11-04
fssign2.def version 2002-11-04
fsmacro.def version 2002-11-04

gA48ARS02843/.scr infection: W32/Klez.H@mm
gA4BbfS11505/love.scr infection: W32/Lentin.F@mm
gA4K6kS27585/friends.scr infection: W32/Lentin.F@mm

 3 files scanned
 3 infections found
.....

So why doesn't it do the same in MS?
Any ideas?

Regards
---------------------------------
Carl Boberg
System & Network Administrator
Dept. of Information Technology
Swedish Museum of Natural History
Frescativ. 40
104 05 Stockholm
carl.boberg@nrm.se
Phone: 08-519 551 16
Mobile: 0701-82 40 55
---------------------------------

From mailscanner at ecs.soton.ac.uk Tue Nov 5 09:07:36 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:17 2006
Subject: F-secure logging
In-Reply-To:
Message-ID: <5.1.0.14.2.20021105090447.04aa5ec0@imap.ecs.soton.ac.uk>

At 09:01 05/11/2002, you wrote:
>I'm trying really hard to make my F-secure log to the maillog as other
>scanners do, like:
>
>Nov 4 17:15:31 host-2 MailScanner[1163]: >>> Virus 'W32/Klez-H' found in
>file ./gA4HFT803745/coords.scr
>
>(this is a Sophos log entry)
>
>Has anyone any knowledge about how this could be done?
>I know it logs the virus type to std out when I run it manually on a virus
>infected file;
>.....
>[root@pop 20021104]# /usr/lib/MailScanner/f-secure-wrapper *
>F-Secure Anti-Virus for i386-linux Release 4.15 build 4370
>Frisk Software International F-PROT engine version 3.11 build 802
>sign.def version 2002-11-04
>fssign2.def version 2002-11-04
>fsmacro.def version 2002-11-04
>
>gA48ARS02843/.scr infection: W32/Klez.H@mm
>gA4BbfS11505/love.scr infection: W32/Lentin.F@mm
>gA4K6kS27585/friends.scr infection: W32/Lentin.F@mm
>
> 3 files scanned
> 3 infections found
>.....
>
>So why doesn't it do the same in MS?
>Any ideas?

Are you saying you would like a log entry for F-Secure that included the name of the virus found?

The latest code already logs the whole of the line that includes the name of the virus (the latest version does, anyway), so you should get a log entry that says things like

gA4K6kS27585/friends.scr infection: W32/Lentin.F@mm

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From lbergman at wtxs.net Tue Nov 5 12:57:27 2002
From: lbergman at wtxs.net (Lewis Bergman)
Date: Thu Jan 12 21:16:17 2006
Subject: F-secure logging
In-Reply-To:
References:
Message-ID: <200211050657.27425.lbergman@wtxs.net>

On Tuesday 05 November 2002 03:01 am, Carl Boberg wrote:
> Hi,
>
> Im trying really hard to make my F-secure log to the maillog as other
> scanners do, like:
>
> Nov 4 17:15:31 host-2 MailScanner[1163]: >>> Virus 'W32/Klez-H' found in
> file ./gA4HFT803745/coords.scr
>
> (this is a Sophos log entry)
>
> Has anyone any knowledge about how this could be done?

Well, The code that does the following should be in the next release I would guess.

Nov 5 06:52:41 ns2 MailScanner[8374]: Virus and Content Scanning: Starting
Nov 5 06:52:41 ns2 MailScanner[8374]: /var/spool/MailScanner/incoming/8374/gA5Cqch11332/eicar_com.zip->eicar.com Infection: EICAR_Test_File
Nov 5 06:52:41 ns2 MailScanner[8374]: Virus Scanning: F-Prot found virus EICAR_Test_File
Nov 5 06:52:41 ns2 MailScanner[8374]: Virus Scanning: f-prot found 1 infections
Nov 5 06:52:41 ns2 MailScanner[8374]: Virus Scanning: Found 1 viruses
Nov 5 06:52:41 ns2 MailScanner[8374]: Saved infected "eicar_com.zip" to /var/spool/MailScanner/quarantine/20021105/gA5Cqch11332

This is with f-prot but my output from the wrapper looks identical to yours so I would guess you might get the same output.

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
915-695-6962 ext 115

From mail at projectandrew.com Tue Nov 5 13:35:01 2002
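Added example, not part of any list message and not David While's script: a small Python parser for the per-file virus report lines quoted in the "MRTG etc" and "F-secure logging" threads above, grouping them by queue ID and attachment so that one file flagged by three scanners under three different names is counted once. It assumes, from those excerpts only, that each report line is followed by a "Virus Scanning: <scanner> found N infections" line naming the scanner; the function names are made up for this example.

```python
import re
from collections import defaultdict, namedtuple

# Log lines copied from the two excerpts posted in this thread.
SAMPLE_LOG = """\
Nov 4 17:15:30 host-2 MailScanner[1163]: Virus and Content Scanning: Starting
Nov 4 17:15:31 host-2 MailScanner[1163]: >>> Virus 'W32/Klez-H' found in file ./gA4HFT803745/coords.scr
Nov 4 17:15:31 host-2 MailScanner[1163]: Virus Scanning: sophos found 1 infections
Nov 4 17:15:31 host-2 MailScanner[1163]: /var/spool/MailScanner/incoming/1163/gA4HFT803745/coords.scr Infection: W32/Klez.H@mm
Nov 4 17:15:31 host-2 MailScanner[1163]: Virus Scanning: f-prot found 1 infections
Nov 4 17:15:31 host-2 MailScanner[1163]: /var/spool/MailScanner/incoming/1163/./gA4HFT803745/coords.scr: Worm/Klez.H FOUND
Nov 4 17:15:31 host-2 MailScanner[1163]: Virus Scanning: clamav found 1 infections
Nov 4 17:15:31 host-2 MailScanner[1163]: Virus Scanning: Found 1 viruses
Nov 5 06:52:41 ns2 MailScanner[8374]: /var/spool/MailScanner/incoming/8374/gA5Cqch11332/eicar_com.zip->eicar.com Infection: EICAR_Test_File
Nov 5 06:52:41 ns2 MailScanner[8374]: Virus Scanning: F-Prot found virus EICAR_Test_File
Nov 5 06:52:41 ns2 MailScanner[8374]: Virus Scanning: f-prot found 1 infections
Nov 5 06:52:41 ns2 MailScanner[8374]: Virus Scanning: Found 1 viruses
"""

INCOMING_DIR = "/var/spool/MailScanner/incoming"  # path as it appears in the logs above

Detection = namedtuple("Detection", "scanner queue_id attachment virus")

SYSLOG = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]{8}\s+\S+\s+MailScanner\[(?P<pid>\d+)\]:\s(?P<msg>.*)$")

# The three per-file report shapes seen in the thread. Attachment names come
# from the sender, so the virus name is pinned to a fixed position (inside the
# quotes, or the last token of the line) and the path absorbs everything else.
REPORTS = [
    re.compile(r"^>>> Virus '(?P<virus>[^']+)' found in file (?P<path>.+)$"),
    re.compile(r"^(?P<path>.+) [Ii]nfection: (?P<virus>\S+)$"),
    re.compile(r"^(?P<path>.+): (?P<virus>\S+) FOUND$"),
]
SUMMARY = re.compile(r"^Virus Scanning: (?P<scanner>\S+) found \d+ infections$")


def split_path(path, pid):
    """Return (queue_id, attachment) for any of the path styles in the logs."""
    prefix = f"{INCOMING_DIR}/{pid}/"
    if path.startswith(prefix):
        path = path[len(prefix):]
    if path.startswith("./"):
        path = path[2:]
    queue_id, _, rest = path.partition("/")
    # "a.zip->b.com" means member b.com inside attachment a.zip.
    return queue_id, rest.split("->", 1)[0]


def parse_detections(log_text):
    """Return one Detection per scanner report found in the log text."""
    pending = defaultdict(list)  # pid -> reports still waiting for a scanner name
    found = []
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        summary = SUMMARY.match(msg)
        if summary:
            scanner = summary["scanner"].lower()
            found += [Detection(scanner, *r) for r in pending.pop(pid, [])]
            continue
        for pattern in REPORTS:
            r = pattern.match(msg)
            if r:
                pending[pid].append((*split_path(r["path"], pid), r["virus"]))
                break
    # Reports with no following summary line keep an explicit "unknown" scanner.
    for reports in pending.values():
        found += [Detection("unknown", *r) for r in reports]
    return found


def summarize(detections):
    """Map (queue_id, attachment) -> {scanner: virus name}."""
    files = defaultdict(dict)
    for d in detections:
        files[(d.queue_id, d.attachment)][d.scanner] = d.virus
    return dict(files)


if __name__ == "__main__":
    for key, names in summarize(parse_detections(SAMPLE_LOG)).items():
        print(key, names)
```

Counting keys of the `summarize` result gives infected files; counting distinct virus names would report the Klez sample three times.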
From: mail at projectandrew.com (Andrew G Allen)
Date: Thu Jan 12 21:16:17 2006
Subject: Startup script
In-Reply-To: <5.1.0.14.2.20021104185355.023572b0@imap.ecs.soton.ac.uk>
References: <1158.217.155.81.25.1036435362.squirrel@www.projectandrew.c <5.1.0.14.2.20021104185355.023572b0@imap.ecs.soton.ac.uk>
Message-ID: <48436.213.123.176.242.1036503301.squirrel@www.projectandrew.com>

No luck :( I've tried doing this in the MailScanner.conf and in the MailScanner startup script. There are no errors produced this time, but no bandwidth is recorded.

Is there any way to decompile the shared library (/lib/libensimvwhbw.so)? I've attached the whole sendmail init script in case you can see something that can be copied/added to the MailScanner script. Is there some way of running MailScanner, but call sendmail using its own init script? Just looking for ideas...

Andrew G Allen
email: mail@projectandrew.com | voice: +44 (0) 7958 540596

--- Disclaimer ---
This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify the system manager.

> I'm not at all convinced this will work, but give it a try:
> Write a very short script that sets these variables and then calls
> sendmail, something like this
>
> #!/bin/sh
> export LD_PRELOAD=/lib/libensimvwhbw.so
> export ENSIMVWH_BWSVCID=1
> /usr/sbin/sendmail "$@"
>
> and then call this script in MailScanner instead of directly invoking
> sendmail. You should just edit the "Sendmail =" setting in
> MailScanner.conf to refer to your script instead of sendmail itself.
>
> See what happens with this setup.
>
> At 18:42 04/11/2002, you wrote:
>>I am still trying to get MailScanner fully working with Ensim
>> WEBppliance - the only part that is not working is a piece of custom
>> ensim code that is normally called from the sendmail startup script.
>> The two lines are:
>>
>> export LD_PRELOAD=/lib/libensimvwhbw.so
>> export ENSIMVWH_BWSVCID=1
>>
>>If I add these to the MailScanner startup script, MailScanner will
>> accept mail, but will not deliver it to any chrooted site. I also get
>> file not found errors thrown to the console. It seems to me then, to be
>> something that must be passed from the sendmail config for this module
>> to work, which is not passed by MailScanner - it is supposed to track
>> the size of each mail passed through sendmail, so a monthly 'bandwidth
>> allowance' can be applied to each virtual site within Ensim. I don't
>> really know where to go next, and wondered if anybody who knows
>> sendmail in more detail might have any ideas where to look?
>>
>>Does MailScanner refer to all the same sendmail config files that
>> sendmail would if it was called using its own startup script?
>>
>>Andrew G Allen
>>email: mail@projectandrew.com | voice: +44 (0) 7958 540596
>>
>>--- Disclaimer ---
>>This e-mail and any files transmitted with it are confidential and
>> intended solely for the use of the individual or entity to whom they
>> are addressed. If you have received this email in error, please notify
>> the system manager.
>>
>>--
>>This message has been scanned for viruses and dangerous
>>content by MailScanner, and is believed to be clean.
>
> --
> Julian Field Teaching Systems Manager
> jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel.
> 023 8059 2817 University of Southampton
> Southampton SO17 1BJ
>
>
> --
> This message has been scanned for viruses and dangerous
> content by MailScanner, and is believed to be clean.

--
This message has been scanned for viruses and dangerous
content by MailScanner, and is believed to be clean.

-------------- next part --------------
#!/bin/bash
#
# sendmail      This shell script takes care of starting and stopping
#               sendmail.
#
# chkconfig: 2345 80 30
# description: Sendmail is a Mail Transport Agent, which is the program \
#              that moves mail from one machine to another.
# processname: sendmail
# config: /etc/sendmail.cf
# pidfile: /var/run/sendmail.pid

# Source function library.
. /etc/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Source sendmail configuration.
if [ -f /etc/sysconfig/sendmail ] ; then
        . /etc/sysconfig/sendmail
else
        DAEMON=no
        QUEUE=1h
fi

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

[ -f /usr/sbin/sendmail ] || exit 0

RETVAL=0
prog="sendmail"

start() {
        # Start daemons.

        echo -n $"Starting $prog: "
        /usr/bin/newaliases > /dev/null 2>&1
        # Rebuild the hashed sendmail maps from their text sources.
        for i in virtusertable access domaintable ; do
            if [ -f /etc/mail/$i ] ; then
                makemap hash /etc/mail/$i < /etc/mail/$i
            fi
        done
        mailertables=
        if [ -f /etc/mail/mailertable.virtual_domains ]; then
            mailertables="/etc/mail/mailertable.virtual_domains"
        fi
        if [ -f /etc/mail/mailertable ]; then
            mailertables="$mailertables /etc/mail/mailertable"
        fi
        if [ -n "$mailertables" ]; then
            cat $mailertables | makemap hash /etc/mail/mailertable.db
        fi
        genericstables=
        if [ -f /etc/mail/genericstable.siteadmins ]; then
            genericstables="/etc/mail/genericstable.siteadmins"
        fi
        if [ -f /etc/mail/genericstable ]; then
            # Append to the genericstables list, not to mailertables.
            genericstables="$genericstables /etc/mail/genericstable"
        fi
        if [ -n "$genericstables" ]; then
            cat $genericstables | makemap hash /etc/mail/genericstable.db
        fi
        # Ensim bandwidth accounting: preload the library into sendmail
        # and pass it the service ID.
        export LD_PRELOAD=/lib/libensimvwhbw.so
        export ENSIMVWH_BWSVCID=1
        daemon /usr/sbin/sendmail $([ "$DAEMON" = yes ] && echo -bd) \
                                  $([ -n "$QUEUE" ] && echo -q$QUEUE)
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sendmail
        return $RETVAL
}

start-fast() {
        # Start daemons without rebuilding the mailertable and genericstable maps.

        echo -n $"Starting $prog: "
        /usr/bin/newaliases > /dev/null 2>&1
        for i in virtusertable access domaintable ; do
            if [ -f /etc/mail/$i ] ; then
                makemap hash /etc/mail/$i < /etc/mail/$i
            fi
        done
        export LD_PRELOAD=/lib/libensimvwhbw.so
        export ENSIMVWH_BWSVCID=1
        daemon /usr/sbin/sendmail $([ "$DAEMON" = yes ] && echo -bd) \
                                  $([ -n "$QUEUE" ] && echo -q$QUEUE)
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sendmail
        return $RETVAL
}

stop() {
        # Stop daemons.
        echo -n $"Shutting down $prog: "
        killproc sendmail
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sendmail
        return $RETVAL
}

# See how we were called.
case "$1" in
  start)
        start
        ;;
  start-fast)
        start-fast
        ;;
  stop)
        stop
        ;;
  restart|reload)
        stop
        start
        RETVAL=$?
        ;;
  condrestart)
        if [ -f /var/lock/subsys/sendmail ]; then
            stop
            start
            RETVAL=$?
        fi
        ;;
  status)
        status sendmail
        RETVAL=$?
        ;;
  restart-fast)
        stop
        start-fast
        RETVAL=$?
        ;;
  *)
        echo $"Usage: $0 {start|stop|restart|condrestart|status|start-fast|restart-fast}"
        exit 1
esac

exit $RETVAL

From LISTSERV at JISCMAIL.AC.UK Tue Nov 5 13:15:52 2002
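Added example, not part of the message above and not Ensim or MailScanner code: when the wrapper produces no errors but no bandwidth is recorded, the first thing to establish is whether the exported variable reached the running sendmail process and whether the library was actually mapped into it. The function names, the PIDs and the sample /proc tree are constructed for this example.

```shell
#!/bin/sh
# Check whether LD_PRELOAD took effect in a running process.
# PROC_ROOT is a parameter so the functions work on /proc and on the
# constructed sample tree built by make_sample_proc (PIDs 101-103 are made up).

# Print the LD_PRELOAD value the process was started with (nothing if unset).
preload_env() {      # PROC_ROOT PID
    [ -r "$1/$2/environ" ] || return 0
    tr '\000' '\n' < "$1/$2/environ" | sed -n 's/^LD_PRELOAD=//p'
}

# Succeed if LIB is the mapped file (last field) on any line of the maps file.
lib_mapped() {       # PROC_ROOT PID LIB
    [ -r "$1/$2/maps" ] || return 1
    awk -v lib="$3" '$NF == lib { found = 1 } END { exit !found }' "$1/$2/maps"
}

# Classify one process: loaded | set-not-loaded | loaded-no-env | absent
preload_state() {    # PROC_ROOT PID LIB
    # LD_PRELOAD is a list separated by spaces or colons.
    env_val=$(preload_env "$1" "$2" | tr ':' ' ')
    case " $env_val " in
        *" $3 "*) env_set=1 ;;
        *)        env_set=0 ;;
    esac
    if lib_mapped "$1" "$2" "$3"; then mapped=1; else mapped=0; fi
    case "$env_set$mapped" in
        11) echo loaded ;;
        10) echo set-not-loaded ;;   # variable arrived, loader did not use it
        01) echo loaded-no-env ;;    # mapped some other way
        *)  echo absent ;;           # variable never reached this process
    esac
}

# Succeed if BINARY has a set-user-ID or set-group-ID bit. Such a binary,
# started by a caller whose IDs differ from the file's, runs in glibc
# secure-execution mode, where LD_PRELOAD entries containing a slash are ignored.
is_setid() {         # BINARY
    [ -u "$1" ] || [ -g "$1" ]
}

# Audit helper: print "PID VALUE" for every process that has LD_PRELOAD set.
list_preloaded() {   # PROC_ROOT
    for dir in "$1"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid=${dir##*/}
        val=$(preload_env "$1" "$pid")
        [ -n "$val" ] && echo "$pid $val"
    done
    return 0
}

# Print "PID STATE" for each PID given.
report() {           # PROC_ROOT LIB PID...
    r=$1; l=$2; shift 2
    for p in "$@"; do
        echo "$p $(preload_state "$r" "$p" "$l")"
    done
}

# Constructed sample: 101 started by the init script, 102 has the variable
# but no mapping, 103 was started without the variable.
make_sample_proc() {
    root=$(mktemp -d) || return 1
    mkdir "$root/101" "$root/102" "$root/103"
    printf 'PATH=/sbin\000LD_PRELOAD=/lib/libensimvwhbw.so\000ENSIMVWH_BWSVCID=1\000' \
        > "$root/101/environ"
    cat > "$root/101/maps" <<'EOF'
08048000-080c0000 r-xp 00000000 03:01 1201 /usr/sbin/sendmail
40017000-4001a000 r-xp 00000000 03:01 2310 /lib/libensimvwhbw.so
EOF
    printf 'PATH=/sbin\000LD_PRELOAD=/lib/libensimvwhbw.so\000' > "$root/102/environ"
    echo '08048000-080c0000 r-xp 00000000 03:01 1201 /usr/sbin/sendmail' > "$root/102/maps"
    printf 'PATH=/sbin\000' > "$root/103/environ"
    echo '08048000-080c0000 r-xp 00000000 03:01 1201 /usr/sbin/sendmail' > "$root/103/maps"
    echo "$root"
}

# Demo on the constructed tree. On a live host, as root:
#   report /proc /lib/libensimvwhbw.so $(pidof sendmail)
sample=$(make_sample_proc) && report "$sample" /lib/libensimvwhbw.so 101 102 103
rm -rf "$sample"
```

`list_preloaded /proc` gives the same view host-wide, which is also a quick audit for preload libraries nobody intended to be there.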
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e))
Date: Thu Jan 12 21:16:17 2006
Subject: MAILSCANNER: m-list@PUGMARKS.COM requested to join
Message-ID: <200211051315.NAA21988@magpie.ecs.soton.ac.uk>

Tue, 5 Nov 2002 13:15:52

A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Arminder Singh .

The following subscription options have been requested: CONCEAL.

You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list:

ADD MAILSCANNER m-list@PUGMARKS.COM Arminder Singh

The simplest way to do this is to click on the following link:

http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+m-list%40PUGMARKS.COM+Arminder+Singh&L=MAILSCANNER

This first link will add the subscriber to the list. You can then set the subscription options with this link:

http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=SET+MAILSCANNER+CONCEAL+FOR+m-list%40PUGMARKS.COM&L=MAILSCANNER

------------------------- Original mail header --------------------------
[Request submitted through anonymous TCP/IP interface from 127.0.0.1]

From email at ace.net.au Tue Nov 5 14:28:32 2002
From: email at ace.net.au (Peter Nitschke)
Date: Thu Jan 12 21:16:17 2006
Subject: Fwd: Mailscanner on OSDir.com (new O'Reilly site)
In-Reply-To: <5.1.0.14.2.20021104102226.04515ec0@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20021104102226.04515ec0@imap.ecs.soton.ac.uk>
Message-ID: <200211060058320569.413A6B08@smtp1.ace.net.au>

Where are we supposed to add comments?

*********** REPLY SEPARATOR ***********

On 4/11/2002 at 10:25 AM Julian Field wrote:

>O'Reilly have created a new website containing a directory of Open Source
>projects, including MailScanner. If some of you could take 5 minutes adding
>some comments / votes to the site, I would really appreciate it.
>
>The MailScanner project page is at
>http://osdir.com/modules.php?op=modload&name=Downloads&file=index&req=viewdownloaddetails&lid=114&ttitle=MailScanner
>
>--
>Julian Field Teaching Systems Manager
>jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
>Tel. 023 8059 2817 University of Southampton
> Southampton SO17 1BJ

From fred at NEVER-MIND.CH Tue Nov 5 14:20:50 2002
From: fred at NEVER-MIND.CH (Frederic Badel)
Date: Thu Jan 12 21:16:18 2006
Subject: Startup script
In-Reply-To: <48436.213.123.176.242.1036503301.squirrel@www.projectandrew.com>
References: <1158.217.155.81.25.1036435362.squirrel@www.projectandrew.c <5.1.0.14.2.20021104185355.023572b0@imap.ecs.soton.ac.uk> <48436.213.123.176.242.1036503301.squirrel@www.projectandrew.com>
Message-ID: <1036506054.2350.41.camel@bonzai>

hi,

I modified the sendmail init script to use the "queue delivery mode":

daemon /usr/sbin/sendmail -bd -OQueueDirectory=/var/spool/mqueue.in -ODeliveryMode=queueonly

and modified the mailscanner init script and commented out everything about sendmail ...

I found some very useful explanation on the rackshack forum (http://forum.rackshack.net), you should give it a look...

If you want, I can send my modified startup scripts ...

hth

fred

PS sorry for my poor english :(

On Tue, 2002-11-05 at 14:35, Andrew G Allen wrote:
> No luck :( I've tried doing this in the MailScanner.conf and in the
> MailScanner startup script. There are no errors produced this time, but no
> bandwidth is recorded.
>
> Is there any way to decompile the shared library (/lib/libensimvwhbw.so)?
> I've attached the whole sendmail init script in case you can see something
> that can be copied/added to the MailScanner script. Is there some way of
> running MailScanner, but call sendmail using its own init script? Just
> looking for ideas...
>
> Andrew G Allen
> email: mail@projectandrew.com | voice: +44 (0) 7958 540596
>
> --- Disclaimer ---
> This e-mail and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they are
> addressed. If you have received this email in error, please notify the
> system manager.

From mailscanner at ecs.soton.ac.uk Tue Nov 5 14:53:06 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:18 2006
Subject: F-secure logging
In-Reply-To: <200211050657.27425.lbergman@wtxs.net>
References:
Message-ID: <5.1.0.14.2.20021105145207.03ff3b50@imap.ecs.soton.ac.uk>

I have just added virus name logging for F-Secure.

Please don't all ask for the others, some of them are almost impossible due to badly-designed virus scanner output by the manufacturers.

At 12:57 05/11/2002, you wrote:
>On Tuesday 05 November 2002 03:01 am, Carl Boberg wrote:
> > Hi,
> >
> > I'm trying really hard to make my F-secure log to the maillog as other
> > scanners do, like:
> >
> > Nov 4 17:15:31 host-2 MailScanner[1163]: >>> Virus 'W32/Klez-H' found in
> > file ./gA4HFT803745/coords.scr
> >
> > (this is a Sophos log entry)
> >
> > Has anyone any knowledge about how this could be done?
>Well, The code that does the following should be in the next release I would
>guess.
>
>Nov 5 06:52:41 ns2 MailScanner[8374]: Virus and Content Scanning: Starting
>Nov 5 06:52:41 ns2 MailScanner[8374]:
>/var/spool/MailScanner/incoming/8374/gA5Cqch11332/eicar_com.zip->eicar.com
>Infection: EICAR_Test_File
>Nov 5 06:52:41 ns2 MailScanner[8374]: Virus Scanning: F-Prot found virus
>EICAR_Test_File
>Nov 5 06:52:41 ns2 MailScanner[8374]: Virus Scanning: f-prot found 1
>infections
>Nov 5 06:52:41 ns2 MailScanner[8374]: Virus Scanning: Found 1 viruses
>Nov 5 06:52:41 ns2 MailScanner[8374]: Saved infected "eicar_com.zip" to
>/var/spool/MailScanner/quarantine/20021105/gA5Cqch11332
>
>This is with f-prot but my output from the wrapper looks identical to yours so
>I would guess you might get the same output.
>--
>Lewis Bergman
>Texas Communications
>4309 Maple St.
>Abilene, TX 79602-8044
>915-695-6962 ext 115

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Tue Nov 5 14:56:01 2002
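Added example, not MailScanner code and not part of the message above: the two raw scanner lines quoted in it (Sophos `>>> Virus 'NAME' found in file PATH` and F-Prot `PATH Infection: NAME`) put the virus name in different places, which is why each scanner needs its own pattern. The sketch below extracts host, queue ID, virus name and file from both; the sample log is constructed by rejoining the wrapped lines quoted above, and the function names are this example's own.

```shell
#!/bin/sh
# Extract virus detections from MailScanner maillog lines.

# Constructed sample: the log lines quoted in the message, rejoined after
# the mail quoting wrapped them.
sample_log() {
cat <<'EOF'
Nov  4 17:15:31 host-2 MailScanner[1163]: >>> Virus 'W32/Klez-H' found in file ./gA4HFT803745/coords.scr
Nov  5 06:52:41 ns2 MailScanner[8374]: Virus and Content Scanning: Starting
Nov  5 06:52:41 ns2 MailScanner[8374]: /var/spool/MailScanner/incoming/8374/gA5Cqch11332/eicar_com.zip->eicar.com Infection: EICAR_Test_File
Nov  5 06:52:41 ns2 MailScanner[8374]: Virus Scanning: F-Prot found virus EICAR_Test_File
Nov  5 06:52:41 ns2 MailScanner[8374]: Virus Scanning: f-prot found 1 infections
Nov  5 06:52:41 ns2 MailScanner[8374]: Virus Scanning: Found 1 viruses
Nov  5 06:52:41 ns2 MailScanner[8374]: Saved infected "eicar_com.zip" to /var/spool/MailScanner/quarantine/20021105/gA5Cqch11332
EOF
}

# Read maillog lines on stdin; print one tab-separated record per raw scanner
# report: HOST, QUEUEID, VIRUS, FILE. MailScanner's own summary lines
# ("Virus Scanning: ...") are skipped so a detection is not counted twice.
# FILE derives from the attachment name and is untrusted, so it is kept as
# the last column.
extract_detections() {
    awk -v q="'" '
    BEGIN {
        OFS = "\t"
        sophos = ">>> Virus " q "[^" q "]+" q " found in file "
    }
    $5 !~ /^MailScanner\[[0-9]+\]:$/ { next }
    {
        host = $4
        # Message text = everything after the first "MailScanner[pid]: " tag.
        msg = substr($0, index($0, $5) + length($5) + 1)
        name = ""; file = ""
        if (match(msg, sophos)) {
            split(substr(msg, RSTART, RLENGTH), part, q)
            name = part[2]
            file = substr(msg, RSTART + RLENGTH)
        } else if (match(msg, / Infection: [^ ]+$/)) {
            name = substr(msg, RSTART + 12)      # skip " Infection: "
            file = substr(msg, 1, RSTART - 1)
        }
        if (name == "") next
        # Queue ID = directory that holds the file; drop "->member" first.
        path = file
        sub(/->.*/, "", path)
        n = split(path, c, "/")
        qid = (n >= 2) ? c[n - 1] : "-"
        print host, qid, name, file
    }'
}

# Read maillog lines on stdin; print "COUNT<TAB>VIRUS", sorted by name.
count_by_virus() {
    extract_detections |
        awk -F '\t' '{ n[$3]++ } END { for (v in n) print n[v] "\t" v }' |
        sort -k2
}

sample_log | extract_detections
```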
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:18 2006
Subject: Fwd: Mailscanner on OSDir.com (new O'Reilly site)
In-Reply-To: <200211060058320569.413A6B08@smtp1.ace.net.au>
References: <5.1.0.14.2.20021104102226.04515ec0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021104102226.04515ec0@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021105145523.03fea8e8@imap.ecs.soton.ac.uk>

At 14:28 05/11/2002, you wrote:
>Where are we supposed to add comments?

On the left-hand side, there is a "Submit" sub-heading. The first entry under this is "App Review". But I agree, it's hardly clear is it?

>*********** REPLY SEPARATOR ***********
>
>On 4/11/2002 at 10:25 AM Julian Field wrote:
>
> >O'Reilly have created a new website containing a directory of Open Source
> >projects, including MailScanner. If some of you could take 5 minutes adding
> >some comments / votes to the site, I would really appreciate it.
> >
> >The MailScanner project page is at
> >http://osdir.com/modules.php?op=modload&name=Downloads&file=index&req=viewdownloaddetails&lid=114&ttitle=MailScanner
> >
> >--
> >Julian Field Teaching Systems Manager
> >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
> >Tel. 023 8059 2817 University of Southampton
> > Southampton SO17 1BJ

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From tom at TILMANT.COM Tue Nov 5 15:23:46 2002
From: tom at TILMANT.COM (Tom Tilmant)
Date: Thu Jan 12 21:16:18 2006
Subject: Stored Mail
In-Reply-To: <5.1.0.14.2.20021105145523.03fea8e8@imap.ecs.soton.ac.uk>
Message-ID: <001b01c284df$58f77120$6eeb14ac@doublet>

When SPAM messages are stored in human "readable format (gA)", is there an easy way to send the message on to the person it was intended for without sending it as an attachment from the mail admin? The users are not local on the machine.

Not being an expert in sendmail, I thought I would ask those who are :-).

Thanks
Tom

From mail at projectandrew.com Tue Nov 5 15:44:39 2002
From: mail at projectandrew.com (Andrew G Allen)
Date: Thu Jan 12 21:16:18 2006
Subject: Startup script
In-Reply-To: <1036506054.2350.41.camel@bonzai>
References: <5.1.0.14.2.20021104185355.023572b0@imap.ecs.soton.ac.uk> <48436.213.123.176.242.1036503301.squirrel@www.projectandrew.com> <1036506054.2350.41.camel@bonzai>
Message-ID: <51866.213.123.176.242.1036511079.squirrel@www.projectandrew.com>

Does your installation therefore require that the MailScanner & sendmail init scripts both have to be started? If this is the case, the only problem is that on reboot, only MailScanner will start, since when it was installed, sendmail was 'switched off' with chkconfig.

Does bandwidth monitoring work ok? I'd still find it useful to see your modified init scripts :)

Thanks.

Andrew G Allen
email: mail@projectandrew.com | voice: +44 (0) 7958 540596

--- Disclaimer ---
This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify the system manager.

> hi,
>
> I modified the sendmail init script to use the "queue delivery mode":
> daemon /usr/sbin/sendmail -bd -OQueueDirectory=/var/spool/mqueue.in
> -ODeliveryMode=queueonly
>
> and modified the mailscanner init script and commented out everything
> about sendmail ...
>
> I found some very useful explanation on the rackshack forum
> (http://forum.rackshack.net), you should give it a look...
>
> If you want, I can send my modified startup scripts ...
>
> hth
>
> fred
>
> PS sorry for my poor english :(
>
> On Tue, 2002-11-05 at 14:35, Andrew G Allen wrote:
>> No luck :( I've tried doing this in the MailScanner.conf and in the
>> MailScanner startup script. There are no errors produced this time,
>> but no bandwidth is recorded.
>>
>> Is there any way to decompile the shared library
>> (/lib/libensimvwhbw.so)?

From mike at CAMAROSS.NET Tue Nov 5 16:03:20 2002
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:16:18 2006
Subject: Stored Mail
In-Reply-To: <001b01c284df$58f77120$6eeb14ac@doublet>
Message-ID: <006a01c284e4$dceaf1f0$6501a8c0@mikedesk>

formail -Y -s /usr/sbin/sendmail user@new.address < /path/to/filename

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Tom Tilmant
Sent: Tuesday, November 05, 2002 9:24 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Stored Mail

When SPAM messages are stored in human "readable format (gA)", is there an easy way to send the message on to the person it was intended for without sending it as an attachment from the mail admin? The users are not local on the machine.

Not being an expert in sendmail, I thought I would ask those who are :-).

Thanks
Tom

From fred at NEVER-MIND.CH Tue Nov 5 16:31:59 2002
From: fred at NEVER-MIND.CH (Frederic Badel)
Date: Thu Jan 12 21:16:18 2006
Subject: Startup script
In-Reply-To: <51866.213.123.176.242.1036511079.squirrel@www.projectandrew.com>
References: <5.1.0.14.2.20021104185355.023572b0@imap.ecs.soton.ac.uk> <48436.213.123.176.242.1036503301.squirrel@www.projectandrew.com> <1036506054.2350.41.camel@bonzai> <51866.213.123.176.242.1036511079.squirrel@www.projectandrew.com>
Message-ID: <1036513920.2841.70.camel@bonzai>

On Tue, 2002-11-05 at 16:44, Andrew G Allen wrote:
> Does your installation therefore require that the MailScanner & sendmail
> init scripts both have to be started? If this is the case, the only
> problem is that on reboot, only MailScanner will start, since when it was
> installed, sendmail was 'switched off' with chkconfig.

Yes, both need to be run at startup, do a 'chkconfig --level 345 sendmail on'

>
> Does bandwidth monitoring work ok? I'd still find it useful to see your
> modified init scripts :)

The bandwidth monitoring is working fine thks ;)

I've attached the scripts...

I've added some comments to let you see where my modifications are (they are in CAPS)

todo (there's only 24h in a day ;)) :
I haven't added the last modification to the MailScanner init script to delete the dir under /var/spool/MailScanner/incoming

hope this helps

cheers

fred

>
> Thanks.
>
> Andrew G Allen
> email: mail@projectandrew.com | voice: +44 (0) 7958 540596
>
> --- Disclaimer ---
> This e-mail and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they are
> addressed. If you have received this email in error, please notify the
> system manager.
>
> > hi,
> >
> > I modified the sendmail init script to use the "queue delivery mode":
> > daemon /usr/sbin/sendmail -bd -OQueueDirectory=/var/spool/mqueue.in
> > -ODeliveryMode=queueonly
> >
> > and modified the mailscanner init script and commented out everything
> > about sendmail ...
> > > > i found some very usefull explanation on the rackshack forum > > (http://forum.rackshack.net), you should give look... > > > > i you want, i can send my modified startup scripts ... > > > > hth > > > > fred > > > > PS sorry for my poor english :( > > > > On Tue, 2002-11-05 at 14:35, Andrew G Allen wrote: > >> No luck :( I've tried doing this in the MailScanner.conf and in the > >> MailScanner startup script. There are no errors produced this time, > >> but no bandwidth is recorded. > >> > >> Is there anyway to decompile the shared library > >> (/lib/libensimvwhbw.so)? I've attached the whole sendmail init script > >> incase you can see something that can be copied/added to the > >> MailScanner script. Is there someway of running MailScanner, but call > >> sendmail using it's own init script? Just looking for ideas... > >> > >> Andrew G Allen > >> email: mail@projectandrew.com | voice: +44 (0) 7958 540596 > >> > >> --- Disclaimer --- > >> This e-mail and any files transmitted with it are confidential and > >> intended solely for the use of the individual or entity to whom they > >> are addressed. If you have received this email in error, please notify > >> the system manager. > >> > >> > I'm not at all convinced this will work, but give it a try: > >> > Write a very short script that sets these variables and then calls > >> sendmail, something like this > >> > > >> > #!/bin/sh > >> > export LD_PRELOAD=/lib/libensimvwhbw.so > >> > export ENSIMVWH_BWSVCID=1 > >> > /usr/sbin/sendmail "$@" > >> > > >> > and then call this script in MailScanner instead of directly > >> invoking sendmail. You should just edit the "Sendmail =" setting in > >> > MailScanner.conf to refer to your script instead of sendmail > >> itself. > >> > > >> > See what happens with this setup. 
> >> > > >> > At 18:42 04/11/2002, you wrote: > >> >>I am still trying to get MailScanner fully working with Ensim > >> >> WEBppliance - the only part that is not working is a piece of > >> custom ensim code that is normally called from the sendmail startup > >> script. The two lines are: > >> >> > >> >> export LD_PRELOAD=/lib/libensimvwhbw.so > >> >> export ENSIMVWH_BWSVCID=1 > >> >> > >> >>If I add these to the MailScanner startup script, MailScanner will > >> >> accept mail, but will not deliver it to any chrooted site. I also > >> get file not found errors thrown to the console. It seems to me > >> then, to be something that must be passed from the sendmail config > >> for this module to work, which is not passed by MailScanner - it is > >> supposed to track the size of each mail passed through sendmail, so > >> a monthly 'bandwidth allowance' can be applied to each virtual site > >> within Ensim. I don't really know where to go next, and wondered if > >> anybody who knows sendmail in more detail might have any ideas > >> where to look? > >> >> > >> >>Does MailScanner refer to all the same sendmail config files that > >> >> sendmail would if it was called using its own startup script? > >> >> > >> >>Andrew G Allen > >> >>email: mail@projectandrew.com | voice: +44 (0) 7958 540596 > >> >> > >> >>--- Disclaimer --- > >> >>This e-mail and any files transmitted with it are confidential and > >> >> intended solely for the use of the individual or entity to whom > >> they are addressed. If you have received this email in error, > >> please notify the system manager. > >> >> > >> >> > >> >> > >> >> > >> >> > >> >>-- > >> >>This message has been scanned for viruses and dangerous > >> >>content by MailScanner, and is believed to be clean. > >> > > >> > -- > >> > Julian Field Teaching Systems Manager > >> > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > >> Tel. 
023 8059 2817 University of Southampton
> >> > Southampton SO17 1BJ
> >> >
> >> >
> >> > --
> >> > This message has been scanned for viruses and dangerous
> >> > content by MailScanner, and is believed to be clean.
> >>
> >>
> >>
> >> --
> >> This message has been scanned for viruses and dangerous
> >> content by MailScanner, and is believed to be clean.
> >>
> >> ----
> >>
> >
> >> #!/bin/bash
> >> #
> >> # sendmail      This shell script takes care of starting and stopping
> >> #               sendmail.
> >> #
> >> # chkconfig: 2345 80 30
> >> # description: Sendmail is a Mail Transport Agent, which is the program \
> >> #              that moves mail from one machine to another.
> >> # processname: sendmail
> >> # config: /etc/sendmail.cf
> >> # pidfile: /var/run/sendmail.pid
> >>
> >> # Source function library.
> >> . /etc/init.d/functions
> >>
> >> # Source networking configuration.
> >> . /etc/sysconfig/network
> >>
> >> # Source sendmail configuration.
> >> if [ -f /etc/sysconfig/sendmail ] ; then
> >>         . /etc/sysconfig/sendmail
> >> else
> >>         DAEMON=no
> >>         QUEUE=1h
> >> fi
> >>
> >> # Check that networking is up.
> >> [ ${NETWORKING} = "no" ] && exit 0
> >>
> >> [ -f /usr/sbin/sendmail ] || exit 0
> >>
> >> RETVAL=0
> >> prog="sendmail"
> >>
> >> start() {
> >>         # Start daemons.
> >>
> >>         echo -n $"Starting $prog: "
> >>         /usr/bin/newaliases > /dev/null 2>&1
> >>         for i in virtusertable access domaintable ; do
> >>             if [ -f /etc/mail/$i ] ; then
> >>                 makemap hash /etc/mail/$i < /etc/mail/$i
> >>             fi
> >>         done
> >>         mailertables=
> >>         if [ -f /etc/mail/mailertable.virtual_domains ]; then
> >>             mailertables="/etc/mail/mailertable.virtual_domains"
> >>         fi
> >>         if [ -f /etc/mail/mailertable ]; then
> >>             mailertables="$mailertables /etc/mail/mailertable"
> >>         fi
> >>         if [ -n "$mailertables" ]; then
> >>             cat $mailertables | makemap hash /etc/mail/mailertable.db
> >>         fi
> >>         genericstables=
> >>         if [ -f /etc/mail/genericstable.siteadmins ]; then
> >>             genericstables="/etc/mail/genericstable.siteadmins"
> >>         fi
> >>         if [ -f /etc/mail/genericstable ]; then
> >>             genericstables="$genericstables /etc/mail/genericstable"
> >>         fi
> >>         if [ -n "$genericstables" ]; then
> >>             cat $genericstables | makemap hash /etc/mail/genericstable.db
> >>         fi
> >>         export LD_PRELOAD=/lib/libensimvwhbw.so
> >>         export ENSIMVWH_BWSVCID=1
> >>         daemon /usr/sbin/sendmail $([ "$DAEMON" = yes ] && echo -bd) \
> >>                                   $([ -n "$QUEUE" ] && echo -q$QUEUE)
> >>         RETVAL=$?
> >>         echo
> >>         [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sendmail
> >>         return $RETVAL
> >> }
> >>
> >> start-fast() {
> >>         # Start daemons.
> >>
> >>         echo -n $"Starting $prog: "
> >>         /usr/bin/newaliases > /dev/null 2>&1
> >>         for i in virtusertable access domaintable ; do
> >>             if [ -f /etc/mail/$i ] ; then
> >>                 makemap hash /etc/mail/$i < /etc/mail/$i
> >>             fi
> >>         done
> >>         export LD_PRELOAD=/lib/libensimvwhbw.so
> >>         export ENSIMVWH_BWSVCID=1
> >>         daemon /usr/sbin/sendmail $([ "$DAEMON" = yes ] && echo -bd) \
> >>                                   $([ -n "$QUEUE" ] && echo -q$QUEUE)
> >>         RETVAL=$?
> >>         echo
> >>         [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sendmail
> >>         return $RETVAL
> >> }
> >>
> >> stop() {
> >>         # Stop daemons.
> >>         echo -n $"Shutting down $prog: "
> >>         killproc sendmail
> >>         RETVAL=$?
> >>         echo
> >>         [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sendmail
> >>         return $RETVAL
> >> }
> >>
> >> # See how we were called.
> >> case "$1" in
> >>   start)
> >>         start
> >>         ;;
> >>   start-fast)
> >>         start-fast
> >>         ;;
> >>   stop)
> >>         stop
> >>         ;;
> >>   restart|reload)
> >>         stop
> >>         start
> >>         RETVAL=$?
> >>         ;;
> >>   condrestart)
> >>         if [ -f /var/lock/subsys/sendmail ]; then
> >>             stop
> >>             start
> >>             RETVAL=$?
> >>         fi
> >>         ;;
> >>   status)
> >>         status sendmail
> >>         RETVAL=$?
> >>         ;;
> >>   restart-fast)
> >>         stop
> >>         start-fast
> >>         RETVAL=$?
> >>         ;;
> >>   *)
> >>         echo $"Usage: $0 {start|stop|restart|condrestart|status|start-fast|restart-fast}"
> >>         exit 1
> >> esac
> >>
> >> exit $RETVAL
> >>
> >>
> >
> > --
> > This message has been scanned for viruses and dangerous
> > content by MailScanner, and is believed to be clean.
> >
>
>
> --
> This message has been scanned for viruses and dangerous
> content by MailScanner, and is believed to be clean.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: sendmail.txt
Type: text/x-sh
Size: 3897 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021105/90ec85de/sendmail.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mailscanner.txt
Type: text/x-sh
Size: 4359 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021105/90ec85de/mailscanner.bin

From mailscanner at ecs.soton.ac.uk Tue Nov 5 16:44:08 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:18 2006 Subject: Stored Mail In-Reply-To: <001b01c284df$58f77120$6eeb14ac@doublet> References: <5.1.0.14.2.20021105145523.03fea8e8@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20021105164348.0415e978@imap.ecs.soton.ac.uk> At 15:23 05/11/2002, you wrote: >When SPAM messages are stored in human "readable format (gA)", is there >an easy way to send the message onto the person it was attended for >without sending it as an attachment from the mail admin. The users are >not local on the machine. > >Not being an expert in sendmail, I thought I would ask those who are >:-). sendmail -t < /var/spool/MailScanner........ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From raymond at PROLOCATION.NET Tue Nov 5 16:47:46 2002 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:16:18 2006 Subject: SuSE Security Announcement: perl-MailTools (SuSE-SA:2002:041) (fwd) Message-ID: Hi! Perhaps interesting for some of you... ---------- Forwarded message ---------- Date: Tue, 5 Nov 2002 12:14:35 +0100 (MET) 
From: Sebastian Krahmer To: bugtraq@securityfocus.com Subject: SuSE Security Announcement: perl-MailTools (SuSE-SA:2002:041) -----BEGIN PGP SIGNED MESSAGE----- ______________________________________________________________________________ SuSE Security Announcement Package: perl-MailTools Announcement-ID: SuSE-SA:2002:041 Date: Tue Nov 5 11:30:00 CET 2002 Affected products: 7.1, 7.2, 7.3, 8.0, 8.1 SuSE eMail Server III, 3.1 Vulnerability Type: remote command execution Severity (1-10): 6 SuSE default package: no Cross References: - Content of this advisory: 1) security vulnerability resolved: Remote command execution via Mail::Mailer package. problem description, discussion, solution and upgrade information 2) pending vulnerabilities, solutions, workarounds: - 3) standard appendix (further information) ______________________________________________________________________________ 1) problem description, brief discussion, solution, upgrade information The SuSE Security Team reviewed critical Perl modules, including the Mail::Mailer package. This package contains a security hole which allows remote attackers to execute arbitrary commands in certain circumstances. This is due to the usage of mailx as default mailer which allows commands to be embedded in the mail body. Vulnerable to this attack are custom auto reply programs or spam filters which use Mail::Mailer directly or indirectly. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update. Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web. 
i386 Intel Platform: SuSE-8.1 ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/perl-MailTools-1.47-29.i586.rpm d41d8cd98f00b204e9800998ecf8427e source rpm: ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/perl-MailTools-1.47-29.src.rpm d41d8cd98f00b204e9800998ecf8427e SuSE-8.0 ftp://ftp.suse.com/pub/suse/i386/update/8.0/perl3/perl-MailTools-1.42-120.i386.rpm d41d8cd98f00b204e9800998ecf8427e source rpm: ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/perl-MailTools-1.42-120.src.rpm d41d8cd98f00b204e9800998ecf8427e SuSE-7.3 ftp://ftp.suse.com/pub/suse/i386/update/7.3/perl2/perl-MailTools-1.1401-187.i386.rpm d41d8cd98f00b204e9800998ecf8427e source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/perl-MailTools-1.1401-187.src.rpm d41d8cd98f00b204e9800998ecf8427e SuSE-7.2 ftp://ftp.suse.com/pub/suse/i386/update/7.2/perl2/perl-MailTools-1.1401-187.i386.rpm d41d8cd98f00b204e9800998ecf8427e source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/perl-MailTools-1.1401-187.src.rpm d41d8cd98f00b204e9800998ecf8427e SuSE-7.1 ftp://ftp.suse.com/pub/suse/i386/update/7.1/perl2/perl-MailTools-1.1401-188.i386.rpm d41d8cd98f00b204e9800998ecf8427e source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/perl-MailTools-1.1401-188.src.rpm d41d8cd98f00b204e9800998ecf8427e Sparc Platform: SuSE-7.3 ftp://ftp.suse.com/pub/suse/sparc/update/7.3/perl2/perl-MailTools-1.1401-65.sparc.rpm d41d8cd98f00b204e9800998ecf8427e source rpm: ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/perl-MailTools-1.1401-65.src.rpm d41d8cd98f00b204e9800998ecf8427e AXP Alpha Platform: SuSE-7.1 ftp://ftp.suse.com/pub/suse/axp/update/7.1/perl2/perl-MailTools-1.1401-69.alpha.rpm d41d8cd98f00b204e9800998ecf8427e source rpm: ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/perl-MailTools-1.1401-69.src.rpm d41d8cd98f00b204e9800998ecf8427e PPC Power PC Platform: SuSE-7.3 ftp://ftp.suse.com/pub/suse/ppc/update/7.3/perl2/perl-MailTools-1.1401-110.ppc.rpm d41d8cd98f00b204e9800998ecf8427e source rpm: 
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/perl-MailTools-1.1401-110.src.rpm d41d8cd98f00b204e9800998ecf8427e SuSE-7.1 ftp://ftp.suse.com/pub/suse/ppc/update/7.1/perl2/perl-MailTools-1.1401-111.ppc.rpm d41d8cd98f00b204e9800998ecf8427e source rpm: ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/perl-MailTools-1.1401-111.src.rpm d41d8cd98f00b204e9800998ecf8427e ______________________________________________________________________________ 2) Pending vulnerabilities in SuSE Distributions and Workarounds: There is no additional information this time. ______________________________________________________________________________ 3) standard appendix: authenticity verification, additional information - Package authenticity verification: SuSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package: 1) md5sums as provided in the (cryptographically signed) announcement. 2) using the internal gpg signatures of the rpm package. 1) execute the command md5sum after you downloaded the file from a SuSE ftp server or its mirrors. Then, compare the resulting md5sum with the one that is listed in the announcement. Since the announcement containing the checksums is cryptographically signed (usually using the key security@suse.de), the checksums show proof of the authenticity of the package. We disrecommend to subscribe to security lists which cause the email message containing the announcement to be modified so that the signature does not match after transport through the mailing list software. Downsides: You must be able to verify the authenticity of the announcement in the first place. 
If RPM packages are being rebuilt and a new version of a package is published on the ftp server, all md5 sums for the files are useless. 2) rpm package signatures provide an easy way to verify the authenticity of an rpm package. Use the command rpm -v --checksig to verify the signature of the package, where is the filename of the rpm package that you have downloaded. Of course, package authenticity verification can only target an un-installed rpm package file. Prerequisites: a) gpg is installed b) The package is signed using a certain key. The public part of this key must be installed by the gpg program in the directory ~/.gnupg/ under the user's home directory who performs the signature verification (usually root). You can import the key that is used by SuSE in rpm packages for SuSE Linux by saving this announcement to a file ("announcement.txt") and running the command (do "su -" to be root): gpg --batch; gpg < announcement.txt | gpg --import SuSE Linux distributions version 7.1 and thereafter install the key "build@suse.de" upon installation or upgrade, provided that the package gpg is installed. The file containing the public key is placed at the top-level directory of the first CD (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de . - SuSE runs two security mailing lists to which any interested party may subscribe: suse-security@suse.com - general/linux/SuSE security discussion. All SuSE security announcements are sent to this list. To subscribe, send an email to . suse-security-announce@suse.com - SuSE's announce-only mailing list. Only SuSE's security announcements are sent to this list. To subscribe, send an email to . For general information or the frequently asked questions (faq) send mail to: or respectively. ===================================================================== SuSE's security contact is or . The public key is listed below. 
=====================================================================
______________________________________________________________________________

The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the clear-text signature shows proof of the
authenticity of the text.
SuSE Linux AG makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.

Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key

--
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@suse.de - SuSE Security Team
~

From mailscanner at ecs.soton.ac.uk Tue Nov 5 17:01:37 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:18 2006
Subject: SuSE Security Announcement: perl-MailTools (SuSE-SA:2002:041) (fwd)
In-Reply-To:
Message-ID: <5.1.0.14.2.20021105170041.07447ec0@imap.ecs.soton.ac.uk>

MailScanner does not use the Mail::Mailer mechanism to send mail. It always
does that by calling sendmail directly. Therefore there is no reason to
suspect that MailScanner might be vulnerable to this problem.

At 16:47 05/11/2002, you wrote:
>Hi!
>
>Perhaps interesting for some of you...
>
>---------- Forwarded message ----------
>Date: Tue, 5 Nov 2002 12:14:35 +0100 (MET)
>From: Sebastian Krahmer >To: bugtraq@securityfocus.com >Subject: SuSE Security Announcement: perl-MailTools (SuSE-SA:2002:041) > > >-----BEGIN PGP SIGNED MESSAGE----- > >______________________________________________________________________________ > > SuSE Security Announcement > > Package: perl-MailTools > Announcement-ID: SuSE-SA:2002:041 > Date: Tue Nov 5 11:30:00 CET 2002 > Affected products: 7.1, 7.2, 7.3, 8.0, 8.1 > SuSE eMail Server III, 3.1 > Vulnerability Type: remote command execution > Severity (1-10): 6 > SuSE default package: no > Cross References: - > > Content of this advisory: > 1) security vulnerability resolved: Remote command execution via > Mail::Mailer package. > problem description, discussion, solution and upgrade information > 2) pending vulnerabilities, solutions, workarounds: - > 3) standard appendix (further information) > >______________________________________________________________________________ > >1) problem description, brief discussion, solution, upgrade information > > The SuSE Security Team reviewed critical Perl modules, including the > Mail::Mailer package. This package contains a security hole which allows > remote attackers to execute arbitrary commands in certain circumstances. > This is due to the usage of mailx as default mailer which allows commands > to be embedded in the mail body. > Vulnerable to this attack are custom auto reply programs or spam > filters > which use Mail::Mailer directly or indirectly. > > Please download the update package for your distribution and verify its > integrity by the methods listed in section 3) of this announcement. > Then, install the package using the command "rpm -Fhv file.rpm" to apply > the update. > Our maintenance customers are being notified individually. The packages > are being offered to install from the maintenance web. 
> > > i386 Intel Platform: > > SuSE-8.1 > >ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/perl-MailTools-1.47-29.i586.rpm > d41d8cd98f00b204e9800998ecf8427e > source rpm: > >ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/perl-MailTools-1.47-29.src.rpm > d41d8cd98f00b204e9800998ecf8427e > > SuSE-8.0 > >ftp://ftp.suse.com/pub/suse/i386/update/8.0/perl3/perl-MailTools-1.42-120.i386.rpm > d41d8cd98f00b204e9800998ecf8427e > source rpm: > >ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/perl-MailTools-1.42-120.src.rpm > d41d8cd98f00b204e9800998ecf8427e > > SuSE-7.3 > >ftp://ftp.suse.com/pub/suse/i386/update/7.3/perl2/perl-MailTools-1.1401-187.i386.rpm > d41d8cd98f00b204e9800998ecf8427e > source rpm: > >ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/perl-MailTools-1.1401-187.src.rpm > d41d8cd98f00b204e9800998ecf8427e > > SuSE-7.2 > >ftp://ftp.suse.com/pub/suse/i386/update/7.2/perl2/perl-MailTools-1.1401-187.i386.rpm > d41d8cd98f00b204e9800998ecf8427e > source rpm: > >ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/perl-MailTools-1.1401-187.src.rpm > d41d8cd98f00b204e9800998ecf8427e > > SuSE-7.1 > >ftp://ftp.suse.com/pub/suse/i386/update/7.1/perl2/perl-MailTools-1.1401-188.i386.rpm > d41d8cd98f00b204e9800998ecf8427e > source rpm: > >ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/perl-MailTools-1.1401-188.src.rpm > d41d8cd98f00b204e9800998ecf8427e > > > Sparc Platform: > > SuSE-7.3 > >ftp://ftp.suse.com/pub/suse/sparc/update/7.3/perl2/perl-MailTools-1.1401-65.sparc.rpm > d41d8cd98f00b204e9800998ecf8427e > source rpm: > >ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/perl-MailTools-1.1401-65.src.rpm > d41d8cd98f00b204e9800998ecf8427e > > > AXP Alpha Platform: > > SuSE-7.1 > >ftp://ftp.suse.com/pub/suse/axp/update/7.1/perl2/perl-MailTools-1.1401-69.alpha.rpm > d41d8cd98f00b204e9800998ecf8427e > source rpm: > >ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/perl-MailTools-1.1401-69.src.rpm > d41d8cd98f00b204e9800998ecf8427e > > > PPC Power PC Platform: > > 
SuSE-7.3 > >ftp://ftp.suse.com/pub/suse/ppc/update/7.3/perl2/perl-MailTools-1.1401-110.ppc.rpm > d41d8cd98f00b204e9800998ecf8427e > source rpm: > >ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/perl-MailTools-1.1401-110.src.rpm > d41d8cd98f00b204e9800998ecf8427e > > SuSE-7.1 > >ftp://ftp.suse.com/pub/suse/ppc/update/7.1/perl2/perl-MailTools-1.1401-111.ppc.rpm > d41d8cd98f00b204e9800998ecf8427e > source rpm: > >ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/perl-MailTools-1.1401-111.src.rpm > d41d8cd98f00b204e9800998ecf8427e > >______________________________________________________________________________ > >2) Pending vulnerabilities in SuSE Distributions and Workarounds: > > There is no additional information this time. > >______________________________________________________________________________ > >3) standard appendix: authenticity verification, additional information > > - Package authenticity verification: > > SuSE update packages are available on many mirror ftp servers all over > the world. While this service is being considered valuable and important > to the free and open source software community, many users wish to be > sure about the origin of the package and its content before installing > the package. There are two verification methods that can be used > independently from each other to prove the authenticity of a downloaded > file or rpm package: > 1) md5sums as provided in the (cryptographically signed) announcement. > 2) using the internal gpg signatures of the rpm package. > > 1) execute the command > md5sum > after you downloaded the file from a SuSE ftp server or its mirrors. > Then, compare the resulting md5sum with the one that is listed in the > announcement. Since the announcement containing the checksums is > cryptographically signed (usually using the key security@suse.de), > the checksums show proof of the authenticity of the package. 
> We disrecommend to subscribe to security lists which cause the > email message containing the announcement to be modified so that > the signature does not match after transport through the mailing > list software. > Downsides: You must be able to verify the authenticity of the > announcement in the first place. If RPM packages are being rebuilt > and a new version of a package is published on the ftp server, all > md5 sums for the files are useless. > > 2) rpm package signatures provide an easy way to verify the authenticity > of an rpm package. Use the command > rpm -v --checksig > to verify the signature of the package, where is the > filename of the rpm package that you have downloaded. Of course, > package authenticity verification can only target an un-installed rpm > package file. > Prerequisites: > a) gpg is installed > b) The package is signed using a certain key. The public part of this > key must be installed by the gpg program in the directory > ~/.gnupg/ under the user's home directory who performs the > signature verification (usually root). You can import the key > that is used by SuSE in rpm packages for SuSE Linux by saving > this announcement to a file ("announcement.txt") and > running the command (do "su -" to be root): > gpg --batch; gpg < announcement.txt | gpg --import > SuSE Linux distributions version 7.1 and thereafter install the > key "build@suse.de" upon installation or upgrade, provided that > the package gpg is installed. The file containing the public key > is placed at the top-level directory of the first CD (pubring.gpg) > and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de . > > > - SuSE runs two security mailing lists to which any interested party may > subscribe: > > suse-security@suse.com > - general/linux/SuSE security discussion. > All SuSE security announcements are sent to this list. > To subscribe, send an email to > . > > suse-security-announce@suse.com > - SuSE's announce-only mailing list. 
>    Only SuSE's security announcements are sent to this list.
>    To subscribe, send an email to
>    .
>
>    For general information or the frequently asked questions (faq)
>    send mail to:
>    or
>    respectively.
>
>    =====================================================================
>    SuSE's security contact is or .
>    The public key is listed below.
>    =====================================================================
>______________________________________________________________________________
>
>    The information in this advisory may be distributed or reproduced,
>    provided that the advisory is not modified in any way. In particular,
>    it is desired that the clear-text signature shows proof of the
>    authenticity of the text.
>    SuSE Linux AG makes no warranties of any kind whatsoever with respect
>    to the information contained in this security advisory.
>
>Type Bits/KeyID Date User ID
>pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team
>pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key
>
>--
>~
>~ perl self.pl
>~ $_='print"\$_=\47$_\47;eval"';eval
>~ krahmer@suse.de - SuSE Security Team
>~

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Tue Nov 5 17:02:33 2002
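The md5sum comparison described in section 3 of the forwarded advisory, as an added shell example that is not part of the original messages or of SuSE's tooling. Every checksum in the package list above is d41d8cd98f00b204e9800998ecf8427e, which is the MD5 of zero bytes of input, so the sketch treats that value as unusable instead of comparing against it; the function names, the example.invalid URLs and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): check downloaded files against an
# advisory-style "URL digest" listing.

# MD5 of zero bytes of input. A listed digest equal to this value was computed
# over nothing and cannot identify a package.
EMPTY_MD5=d41d8cd98f00b204e9800998ecf8427e

# md5_of FILE -> prints the lowercase hex digest of FILE
md5_of() {
    md5sum < "$1" | cut -d' ' -f1
}

# verify_md5 FILE EXPECTED
#   0 = digest matches          1 = digest differs
#   2 = EXPECTED is unusable    3 = FILE cannot be read
verify_md5() {
    vm_want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case $vm_want in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    if [ "${#vm_want}" -ne 32 ]; then return 2; fi
    if [ "$vm_want" = "$EMPTY_MD5" ]; then return 2; fi
    if [ ! -r "$1" ]; then return 3; fi
    if [ "$(md5_of "$1")" = "$vm_want" ]; then return 0; fi
    return 1
}

# extract_sums: advisory text on stdin -> one "digest filename" line for each
# URL that is immediately followed by a 32-hex-digit token.
extract_sums() {
    tr -s ' \t' '\n\n' | awk '
        /^(ftp|https?):\/\// { url = $0; next }
        url != "" && length($0) == 32 && $0 ~ /^[0-9A-Fa-f]+$/ {
            n = split(url, parts, "/")
            print tolower($0), parts[n]
        }
        { url = "" }
    '
}

# check_listing DIR: "digest filename" lines on stdin, files looked up in DIR.
# Returns 0 only if every listed file verified.
check_listing() {
    cl_bad=0
    while read -r cl_sum cl_name; do
        verify_md5 "$1/$cl_name" "$cl_sum" && cl_rc=0 || cl_rc=$?
        case $cl_rc in
            0) echo "OK        $cl_name" ;;
            1) echo "MISMATCH  $cl_name"; cl_bad=1 ;;
            2) echo "UNUSABLE  $cl_name (listed digest is empty-input MD5 or malformed)"
               cl_bad=1 ;;
            3) echo "MISSING   $cl_name"; cl_bad=1 ;;
        esac
    done
    return $cl_bad
}

# run_demo: constructed files and a constructed listing in the advisory's
# layout (URL, digest, "source rpm:", URL, digest).
run_demo() {
    rd_dir=$(mktemp -d) || return 1
    printf 'constructed package payload\n' > "$rd_dir/demo-1.0-1.noarch.rpm"
    printf 'constructed source payload\n'  > "$rd_dir/demo-1.0-1.src.rpm"
    rd_good=$(md5_of "$rd_dir/demo-1.0-1.noarch.rpm")
    rd_listing="ftp://ftp.example.invalid/update/demo-1.0-1.noarch.rpm $rd_good
        source rpm: ftp://ftp.example.invalid/update/demo-1.0-1.src.rpm $EMPTY_MD5"
    printf '%s\n' "$rd_listing" | extract_sums | check_listing "$rd_dir"
    rd_rc=$?
    rm -rf "$rd_dir"
    return $rd_rc
}

run_demo || echo "listing not fully verified"
```

The advisory's second method, `rpm -v --checksig` on the downloaded file, checks the package's own signature and does not depend on the listed digests.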
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:18 2006
Subject: Startup script
In-Reply-To: <51866.213.123.176.242.1036511079.squirrel@www.projectandrew.com>
References: <1036506054.2350.41.camel@bonzai> <5.1.0.14.2.20021104185355.023572b0@imap.ecs.soton.ac.uk> <48436.213.123.176.242.1036503301.squirrel@www.projectandrew.com> <1036506054.2350.41.camel@bonzai>
Message-ID: <5.1.0.14.2.20021105170153.073edb10@imap.ecs.soton.ac.uk>

At 15:44 05/11/2002, you wrote:
>Does your installation therefore require that the MailScanner & sendmail
>init scripts both have to be started?

No. The 2 sendmail processes required by MailScanner are both started by
the MailScanner startup script.

> If this is the case, the only
>problem is that on reboot, only MailScanner will start, since when it was
>installed, sendmail was 'switched off' with chkconfig.

That's correct.

> > hi,
> >
> > I modified the sendmail init script to use the "queue delivery mode" :
> > daemon /usr/sbin/sendmail -bd -OQueueDirectory=/var/spool/mqueue.in
> > -ODeliveryMode=queueonly
> >
> > and modified the mailscanner init script and commented out every thing
> > about sendmail ...
> >
> > i found some very useful explanation on the rackshack forum
> > (http://forum.rackshack.net), you should give it a look...
> >
> > if you want, i can send my modified startup scripts ...
> >
> > hth
> >
> > fred
> >
> > PS sorry for my poor english :(
> >
> > On Tue, 2002-11-05 at 14:35, Andrew G Allen wrote:
> >> No luck :( I've tried doing this in the MailScanner.conf and in the
> >> MailScanner startup script. There are no errors produced this time,
> >> but no bandwidth is recorded.
> >>
> >> Is there any way to decompile the shared library
> >> (/lib/libensimvwhbw.so)? I've attached the whole sendmail init script
> >> in case you can see something that can be copied/added to the
> >> MailScanner script. Is there some way of running MailScanner, but call
> >> sendmail using its own init script? Just looking for ideas...
> >>
> >> Andrew G Allen
> >> email: mail@projectandrew.com | voice: +44 (0) 7958 540596
> >>
> >> --- Disclaimer ---
> >> This e-mail and any files transmitted with it are confidential and
> >> intended solely for the use of the individual or entity to whom they
> >> are addressed. If you have received this email in error, please notify
> >> the system manager.
> >>
> >> > I'm not at all convinced this will work, but give it a try:
> >> > Write a very short script that sets these variables and then calls
> >> > sendmail, something like this
> >> >
> >> > #!/bin/sh
> >> > export LD_PRELOAD=/lib/libensimvwhbw.so
> >> > export ENSIMVWH_BWSVCID=1
> >> > /usr/sbin/sendmail "$@"
> >> >
> >> > and then call this script in MailScanner instead of directly
> >> > invoking sendmail. You should just edit the "Sendmail =" setting in
> >> > MailScanner.conf to refer to your script instead of sendmail
> >> > itself.
> >> >
> >> > See what happens with this setup.
> >> >
> >> > At 18:42 04/11/2002, you wrote:
> >> >>I am still trying to get MailScanner fully working with Ensim
> >> >>WEBppliance - the only part that is not working is a piece of
> >> >>custom ensim code that is normally called from the sendmail startup
> >> >>script. The two lines are:
> >> >>
> >> >> export LD_PRELOAD=/lib/libensimvwhbw.so
> >> >> export ENSIMVWH_BWSVCID=1
> >> >>
> >> >>If I add these to the MailScanner startup script, MailScanner will
> >> >>accept mail, but will not deliver it to any chrooted site. I also
> >> >>get file not found errors thrown to the console. It seems to me
> >> >>then, to be something that must be passed from the sendmail config
> >> >>for this module to work, which is not passed by MailScanner - it is
> >> >>supposed to track the size of each mail passed through sendmail, so
> >> >>a monthly 'bandwidth allowance' can be applied to each virtual site
> >> >>within Ensim. I don't really know where to go next, and wondered if
> >> >>anybody who knows sendmail in more detail might have any ideas
> >> >>where to look?
> >> >>
> >> >>Does MailScanner refer to all the same sendmail config files that
> >> >>sendmail would if it was called using its own startup script?
> >> >>
> >> >>Andrew G Allen
> >> >>email: mail@projectandrew.com | voice: +44 (0) 7958 540596
> >> >>
> >> >>--- Disclaimer ---
> >> >>This e-mail and any files transmitted with it are confidential and
> >> >>intended solely for the use of the individual or entity to whom
> >> >>they are addressed. If you have received this email in error,
> >> >>please notify the system manager.
> >> >>
> >> >>--
> >> >>This message has been scanned for viruses and dangerous
> >> >>content by MailScanner, and is believed to be clean.
> >> >
> >> > --
> >> > Julian Field                Teaching Systems Manager
> >> > jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> >> > Tel. 023 8059 2817          University of Southampton
> >> >                             Southampton SO17 1BJ
> >> >
> >> > --
> >> > This message has been scanned for viruses and dangerous
> >> > content by MailScanner, and is believed to be clean.
> >>
> >> --
> >> This message has been scanned for viruses and dangerous
> >> content by MailScanner, and is believed to be clean.
> >>
> >> ----
> >>
> >> #!/bin/bash
> >> #
> >> # sendmail      This shell script takes care of starting and stopping
> >> #               sendmail.
> >> #
> >> # chkconfig: 2345 80 30
> >> # description: Sendmail is a Mail Transport Agent, which is the program \
> >> #              that moves mail from one machine to another.
> >> # processname: sendmail
> >> # config: /etc/sendmail.cf
> >> # pidfile: /var/run/sendmail.pid
> >>
> >> # Source function library.
> >> . /etc/init.d/functions
> >>
> >> # Source networking configuration.
> >> . /etc/sysconfig/network
> >>
> >> # Source sendmail configuration.
> >> if [ -f /etc/sysconfig/sendmail ] ; then
> >>         . /etc/sysconfig/sendmail
> >> else
> >>         DAEMON=no
> >>         QUEUE=1h
> >> fi
> >>
> >> # Check that networking is up.
> >> [ ${NETWORKING} = "no" ] && exit 0
> >>
> >> [ -f /usr/sbin/sendmail ] || exit 0
> >>
> >> RETVAL=0
> >> prog="sendmail"
> >>
> >> start() {
> >>         # Start daemons.
> >>
> >>         echo -n $"Starting $prog: "
> >>         /usr/bin/newaliases > /dev/null 2>&1
> >>         for i in virtusertable access domaintable ; do
> >>             if [ -f /etc/mail/$i ] ; then
> >>                 makemap hash /etc/mail/$i < /etc/mail/$i
> >>             fi
> >>         done
> >>         mailertables=
> >>         if [ -f /etc/mail/mailertable.virtual_domains ]; then
> >>             mailertables="/etc/mail/mailertable.virtual_domains"
> >>         fi
> >>         if [ -f /etc/mail/mailertable ]; then
> >>             mailertables="$mailertables /etc/mail/mailertable"
> >>         fi
> >>         if [ -n "$mailertables" ]; then
> >>             cat $mailertables | makemap hash /etc/mail/mailertable.db
> >>         fi
> >>         genericstables=
> >>         if [ -f /etc/mail/genericstable.siteadmins ]; then
> >>             genericstables="/etc/mail/genericstable.siteadmins"
> >>         fi
> >>         if [ -f /etc/mail/genericstable ]; then
> >>             genericstables="$genericstables /etc/mail/genericstable"
> >>         fi
> >>         if [ -n "$genericstables" ]; then
> >>             cat $genericstables | makemap hash /etc/mail/genericstable.db
> >>         fi
> >>         export LD_PRELOAD=/lib/libensimvwhbw.so
> >>         export ENSIMVWH_BWSVCID=1
> >>         daemon /usr/sbin/sendmail $([ "$DAEMON" = yes ] && echo -bd) \
> >>                                   $([ -n "$QUEUE" ] && echo -q$QUEUE)
> >>         RETVAL=$?
> >>         echo
> >>         [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sendmail
> >>         return $RETVAL
> >> }
> >>
> >> start-fast() {
> >>         # Start daemons.
> >>
> >>         echo -n $"Starting $prog: "
> >>         /usr/bin/newaliases > /dev/null 2>&1
> >>         for i in virtusertable access domaintable ; do
> >>             if [ -f /etc/mail/$i ] ; then
> >>                 makemap hash /etc/mail/$i < /etc/mail/$i
> >>             fi
> >>         done
> >>         export LD_PRELOAD=/lib/libensimvwhbw.so
> >>         export ENSIMVWH_BWSVCID=1
> >>         daemon /usr/sbin/sendmail $([ "$DAEMON" = yes ] && echo -bd) \
> >>                                   $([ -n "$QUEUE" ] && echo -q$QUEUE)
> >>         RETVAL=$?
> >>         echo
> >>         [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sendmail
> >>         return $RETVAL
> >> }
> >>
> >> stop() {
> >>         # Stop daemons.
> >>         echo -n $"Shutting down $prog: "
> >>         killproc sendmail
> >>         RETVAL=$?
> >>         echo
> >>         [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sendmail
> >>         return $RETVAL
> >> }
> >>
> >> # See how we were called.
> >> case "$1" in
> >>   start)
> >>         start
> >>         ;;
> >>   start-fast)
> >>         start-fast
> >>         ;;
> >>   stop)
> >>         stop
> >>         ;;
> >>   restart|reload)
> >>         stop
> >>         start
> >>         RETVAL=$?
> >>         ;;
> >>   condrestart)
> >>         if [ -f /var/lock/subsys/sendmail ]; then
> >>             stop
> >>             start
> >>             RETVAL=$?
> >>         fi
> >>         ;;
> >>   status)
> >>         status sendmail
> >>         RETVAL=$?
> >>         ;;
> >>   restart-fast)
> >>         stop
> >>         start-fast
> >>         RETVAL=$?
> >>         ;;
> >>   *)
> >>         echo $"Usage: $0 {start|stop|restart|condrestart|status|start-fast|restart-fast}"
> >>         exit 1
> >> esac
> >>
> >> exit $RETVAL
> >>
> >
> > --
> > This message has been scanned for viruses and dangerous
> > content by MailScanner, and is believed to be clean.
> >
>
>--
>This message has been scanned for viruses and dangerous
>content by MailScanner, and is believed to be clean.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Tue Nov 5 17:03:50 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:18 2006
Subject: Startup script
In-Reply-To: <1036513920.2841.70.camel@bonzai>
References: <51866.213.123.176.242.1036511079.squirrel@www.projectandrew.com> <5.1.0.14.2.20021104185355.023572b0@imap.ecs.soton.ac.uk> <48436.213.123.176.242.1036503301.squirrel@www.projectandrew.com> <1036506054.2350.41.camel@bonzai> <51866.213.123.176.242.1036511079.squirrel@www.projectandrew.com>
Message-ID: <5.1.0.14.2.20021105170250.0746cd80@imap.ecs.soton.ac.uk>

At 16:31 05/11/2002, you wrote:
>On Tue, 2002-11-05 at 16:44, Andrew G Allen wrote:
> > Does your installation therefore require that the MailScanner & sendmail
> > init scripts both have to be started? If this is the case, the only
> > problem is that on reboot, only MailScanner will start, since when it was
> > installed, sendmail was 'switched off' with chkconfig.
>
>Yes, both need to be run at startup,
>do a 'chkconfig --level 345 sendmail on'

NO THEY DON'T (it's my list, and I'll shout if I want to :-)
Please see my posting of a minute ago.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mail at projectandrew.com Tue Nov 5 17:22:39 2002
From: mail at projectandrew.com (Andrew G Allen)
Date: Thu Jan 12 21:16:18 2006
Subject: Startup script
In-Reply-To: <5.1.0.14.2.20021105170153.073edb10@imap.ecs.soton.ac.uk>
References: <1036506054.2350.41.camel@bonzai> <5.1.0.14.2.20021104185355.023572b0@imap.ecs.soton.ac.uk> <48436.213.123.176.242.1036503301.squirrel@www.projectandrew.com> <1036506054.2350.41.camel@bonzai> <5.1.0.14.2.20021105170153.073edb10@imap.ecs.soton.ac.uk>
Message-ID: <55720.213.120.149.3.1036516959.squirrel@www.projectandrew.com>

Sorry, I was referring to Frederic Badel's modified scripts for Ensim,
rather than the default MailScanner init script. :)

Andrew G Allen
email: mail@projectandrew.com | voice: +44 (0) 7958 540596

--- Disclaimer ---
This e-mail and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error, please notify the
system manager.

> At 15:44 05/11/2002, you wrote:
>>Does your installation therefore require that the MailScanner &
>>sendmail init scripts both have to be started?
>
> No. The 2 sendmail processes required by MailScanner are both started by
> the MailScanner startup script.
>
>> If this is the case, the only
>>problem is that on reboot, only MailScanner will start, since when it
>>was installed, sendmail was 'switched off' with chkconfig.
>
> That's correct.

--
This message has been scanned for viruses and dangerous
content by MailScanner, and is believed to be clean.

From fred at NEVER-MIND.CH Tue Nov 5 17:33:01 2002
From: fred at NEVER-MIND.CH (Frederic Badel)
Date: Thu Jan 12 21:16:18 2006
Subject: Startup script
In-Reply-To: <5.1.0.14.2.20021105170250.0746cd80@imap.ecs.soton.ac.uk>
References: <51866.213.123.176.242.1036511079.squirrel@www.projectandrew.com> <5.1.0.14.2.20021104185355.023572b0@imap.ecs.soton.ac.uk> <48436.213.123.176.242.1036503301.squirrel@www.projectandrew.com> <1036506054.2350.41.camel@bonzai> <51866.213.123.176.242.1036511079.squirrel@www.projectandrew.com> <5.1.0.14.2.20021105170250.0746cd80@imap.ecs.soton.ac.uk>
Message-ID: <1036517582.2350.90.camel@bonzai>

On Tue, 2002-11-05 at 18:03, Julian Field wrote:
> At 16:31 05/11/2002, you wrote:
> >On Tue, 2002-11-05 at 16:44, Andrew G Allen wrote:
> > > Does your installation therefore require that the MailScanner & sendmail
> > > init scripts both have to be started? If this is the case, the only
> > > problem is that on reboot, only MailScanner will start, since when it was
> > > installed, sendmail was 'switched off' with chkconfig.
> >
> >Yes, both need to be run at startup,
> >do a 'chkconfig --level 345 sendmail on'
>
> NO THEY DON'T (it's my list, and I'll shout if I want to :-)
> Please see my posting of a minute ago.
>

please !! don't shout :( i didn't mean to drive you mad ! ;)

i was just reporting a workaround i found on rackshack.net ... which
works fine on my rh/ensim server ...

if someone can find another way of making every thing work together
(without breaking all that ensim stuff !), i'd be very happy :) and would
use it immediately ...

sorry for the mess on your list ;)) and thanks a lot for your job with MS !

fred

From LISTSERV at JISCMAIL.AC.UK Tue Nov 5 18:42:51 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e))
Date: Thu Jan 12 21:16:18 2006
Subject: MAILSCANNER: ycayer@3WEBMEDIA.COM requested to join
Message-ID: <200211051842.SAA11233@magpie.ecs.soton.ac.uk>

Tue, 5 Nov 2002 18:42:51

A request for subscription to the MAILSCANNER list (MailScanner mailing
list) has been received from Yannick Cayer .

You can, at your discretion, send the following command to
LISTSERV@JISCMAIL.AC.UK to add this person to the list:

ADD MAILSCANNER ycayer@3WEBMEDIA.COM Yannick Cayer

The simplest way to do this is to click on the following link:

http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+ycayer%403WEBMEDIA.COM+Yannick+Cayer&L=MAILSCANNER

------------------------- Original mail header --------------------------
[Request submitted through anonymous TCP/IP interface from 127.0.0.1]

From ycayer at 3WEBMEDIA.COM Tue Nov 5 19:00:51 2002
From: ycayer at 3WEBMEDIA.COM (Yannick Cayer)
Date: Thu Jan 12 21:16:18 2006
Subject: MailScanner v 4.05-3 with Mcafee uvscan
Message-ID: <200211051900.gA5J0nX10361@ori.rl.ac.uk>

Greetings,

I have been trying to set up MailScanner with Mcafee, but whenever I test
it, mcafee lets viruses through, only warning me about them in the log
file. It does not send me (the admin) a notice. It sends the email with
the infected attachment(s) to the recipient, which is not the way I
configured MailScanner.

If I use Sophos instead of mcafee, it behaves properly: it notifies me
(the admin) of a virus and does NOT send the message to the recipient.
Like I want it.

Am I missing something here or are there any special parameters I must
pass on in the mcafee-wrapper file? I know I did not change anything
special in the sophos-wrapper file and it behaves properly. (weird)

Any help would be greatly appreciated.

Thank you in advance.

From gavin at NETERGY.COM Tue Nov 5 19:52:46 2002
From: gavin at NETERGY.COM (Gavin Nelmes-Crocker)
Date: Thu Jan 12 21:16:18 2006
Subject: Kaspersky
Message-ID:

Hi

Has anyone got kaspersky to work with mailscanner?
anything special to do - I have got it installed and running on a file by
file basis but don't seem to get any response with mailscanner.

thanks

Gavin

From mailscanner at ecs.soton.ac.uk Tue Nov 5 20:17:02 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:18 2006
Subject: Kaspersky
In-Reply-To:
Message-ID: <5.1.0.14.2.20021105201516.0236b7f8@imap.ecs.soton.ac.uk>

At 19:52 05/11/2002, you wrote:
>Has anyone got kaspersky to work with mailscanner?
>anything special to do - I have got it installed and running on a file by
>file basis but don't seem to get any response with mailscanner.

What happens when you run
         cd /tmp
         /usr/lib/kaspersky-wrapper .
with a couple of viruses in /tmp?
You may need to alter the path to kaspersky in the wrapper script,
depending on where you have installed it.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From gavin at NETERGY.COM Tue Nov 5 20:46:19 2002
From: gavin at NETERGY.COM (Gavin Nelmes-Crocker)
Date: Thu Jan 12 21:16:18 2006
Subject: Kaspersky
In-Reply-To: <5.1.0.14.2.20021105201516.0236b7f8@imap.ecs.soton.ac.uk>
Message-ID:

I get an error

Nothing to scan.
You should select at least one directory to scan.

and the command I put in was /usr/lib/MailScanner/kaspersky-wrapper . with
the . at the end

Gavin

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
Behalf Of Julian Field
Sent: 05 November 2002 20:17
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Kaspersky


At 19:52 05/11/2002, you wrote:
>Has anyone got kaspersky to work with mailscanner?
>anything special to do - I have got it installed and running on a file by
>file basis but don't seem to get any response with mailscanner.

What happens when you run
         cd /tmp
         /usr/lib/kaspersky-wrapper .
with a couple of viruses in /tmp?
You may need to alter the path to kaspersky in the wrapper script,
depending on where you have installed it.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Tue Nov 5 21:37:39 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:18 2006
Subject: Kaspersky
In-Reply-To:
References: <5.1.0.14.2.20021105201516.0236b7f8@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021105213713.0251f638@imap.ecs.soton.ac.uk>

Anyone any experience with Kaspersky that might be able to help?
I haven't got a copy of it to test with :(

At 20:46 05/11/2002, you wrote:
>I get an error
>
>Nothing to scan.
>You should select at least one directory to scan.
>
>and the command I put in was /usr/lib/MailScanner/kaspersky-wrapper . with
>the . at the end
>
>Gavin
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
>Behalf Of Julian Field
>Sent: 05 November 2002 20:17
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Kaspersky
>
>
>At 19:52 05/11/2002, you wrote:
> >Has anyone got kaspersky to work with mailscanner?
> >anything special to do - I have got it installed and running on a file by
> >file basis but don't seem to get any response with mailscanner.
>
>What happens when you run
>         cd /tmp
>         /usr/lib/kaspersky-wrapper .
>with a couple of viruses in /tmp?
>You may need to alter the path to kaspersky in the wrapper script,
>depending on where you have installed it.
>--
>Julian Field                Teaching Systems Manager
>jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
>Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From gavin at netergy.com Tue Nov 5 22:29:42 2002
From: gavin at netergy.com (Gavin Nelmes-Crocker)
Date: Thu Jan 12 21:16:18 2006
Subject: Kaspersky
In-Reply-To: <5.1.0.14.2.20021105213713.0251f638@imap.ecs.soton.ac.uk>
Message-ID:

it's on its way to you - 30 day demo :-) so all legal and legit

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
Behalf Of Julian Field
Sent: 05 November 2002 21:38
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Kaspersky


Anyone any experience with Kaspersky that might be able to help?
I haven't got a copy of it to test with :(

At 20:46 05/11/2002, you wrote:
>I get an error
>
>Nothing to scan.
>You should select at least one directory to scan.
>
>and the command I put in was /usr/lib/MailScanner/kaspersky-wrapper . with
>the . at the end
>
>Gavin
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
>Behalf Of Julian Field
>Sent: 05 November 2002 20:17
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Kaspersky
>
>
>At 19:52 05/11/2002, you wrote:
> >Has anyone got kaspersky to work with mailscanner?
> >anything special to do - I have got it installed and running on a file by
> >file basis but don't seem to get any response with mailscanner.
>
>What happens when you run
>         cd /tmp
>         /usr/lib/kaspersky-wrapper .
>with a couple of viruses in /tmp?
>You may need to alter the path to kaspersky in the wrapper script,
>depending on where you have installed it.
>--
>Julian Field                Teaching Systems Manager
>jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
>Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From scouty at BROMBERG.DEMON.NL Tue Nov 5 22:31:46 2002
From: scouty at BROMBERG.DEMON.NL (Matthijs Althoff)
Date: Thu Jan 12 21:16:18 2006
Subject: Redhat 8.0 / command: service MailScanner status
Message-ID: <200211052231.gA5MVlX32628@ori.rl.ac.uk>

Got my new server hardware and have started to build the new
server soon to get rid of the old 6.2 box with the fab. 3.x
Mail-Scanner... :-)

OS           : RedHat 8.0
Sendmail     : 8.12.5-7
Mail-Scanner : 4.05-3

Everything installed and compiled just fine and messages
sent from another computer to a user on the new system get
signed ok in the header (found to be clean). An eicar test
file was stopped, sent to /var/spool/MailScanner/quarantine
and a virus warning is sent to the user and a copy to me at
my postmaster address so far so good... but....

When I issue the command "service MailScanner status" I'm
receiving an error on the outgoing sendmail.

Checking MailScanner daemons:
         MailScanner: [ OK ]
         incoming sendmail: [ OK ]
         outgoing sendmail: [FAILED]

And a snip from /var/log/messages

Nov 5 23:28:35 bromberg2 MailScanner: succeeded
Nov 5 23:28:35 bromberg2 MailScanner: succeeded
Nov 5 23:28:35 bromberg2 MailScanner: failed

Since this server is not yet in production I can not send a
message from an Outlook client over the new MailScanner to
the outside but when I issue a command "sendmail
email@adres.com" fill in some blabla and hit "." it sends
out fine to anyone anywhere...

From didier.belhomme at FUNDP.AC.BE Wed Nov 6 08:34:48 2002
From: didier.belhomme at FUNDP.AC.BE (Didier Belhomme)
Date: Thu Jan 12 21:16:18 2006
Subject: Redhat 8.0 / command: service MailScanner status
In-Reply-To: <200211052231.gA5MVlX32628@ori.rl.ac.uk>
Message-ID: <5.1.0.14.0.20021106093247.01ffcef8@pop.fundp.ac.be>

At 22:31 5/11/2002 +0000, you wrote:
>Everything installed and compiled just fine and messages
>sent from another computer to a user on the new system get
>signed ok in the header (found to be clean). An eicar test
>file was stopped, sent to /var/spool/MailScanner/quarantine
>and a virus warning is sent to the user and a copy to me at
>my postmaster address so far so good... but....
>
>When I issue the command "service MailScanner status" I'm
>receiving an error on the outgoing sendmail.
>
>Checking MailScanner daemons:
>         MailScanner: [ OK ]
>         incoming sendmail: [ OK ]
>         outgoing sendmail: [FAILED]
>
>And a snip from /var/log/messages
>
>Nov 5 23:28:35 bromberg2 MailScanner: succeeded
>Nov 5 23:28:35 bromberg2 MailScanner: succeeded
>Nov 5 23:28:35 bromberg2 MailScanner: failed

Check that another sendmail process is not already running. When the
"normal" sendmail service is running, Mailscanner is unable to start the
outgoing sendmail process.

# service sendmail stop
# service MailScanner stop
# service MailScanner start

should work.

Didier Belhomme
FUNDP - Service informatique universitaire - UNIX Systems Support
Rue Grandgagnage, 21
B-5000 Namur
Tel : +32 81 725025   Fax: +32 81 725023
E-mail : didier.belhomme@fundp.ac.be

From florusb at ASCIO.COM Wed Nov 6 08:50:42 2002
From: florusb at ASCIO.COM (Florus Both)
Date: Thu Jan 12 21:16:18 2006
Subject: Redhat 8.0 / command: service MailScanner status
Message-ID: <2F15A97500CFA0469C9BACC2041F8AC7032E7E00@aries.dk.speednames.com>

Hi,

do a

chkconfig sendmail off

And try again, I guess sendmail was already running before you started
mailscanner (this happens automagically after an install)

Florus Both

-----Original Message-----
From: Matthijs Althoff [mailto:scouty@BROMBERG.DEMON.NL]
Sent: 5. november 2002 23:32
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Redhat 8.0 / command: service MailScanner status

Got my new server hardware and have started to build the new
server soon to get rid of the old 6.2 box with the fab. 3.x
Mail-Scanner... :-)

OS           : RedHat 8.0
Sendmail     : 8.12.5-7
Mail-Scanner : 4.05-3

Everything installed and compiled just fine and messages
sent from another computer to a user on the new system get
signed ok in the header (found to be clean). An eicar test
file was stopped, sent to /var/spool/MailScanner/quarantine
and a virus warning is sent to the user and a copy to me at
my postmaster address so far so good... but....

When I issue the command "service MailScanner status" I'm
receiving an error on the outgoing sendmail.

Checking MailScanner daemons:
         MailScanner: [ OK ]
         incoming sendmail: [ OK ]
         outgoing sendmail: [FAILED]

And a snip from /var/log/messages

Nov 5 23:28:35 bromberg2 MailScanner: succeeded
Nov 5 23:28:35 bromberg2 MailScanner: succeeded
Nov 5 23:28:35 bromberg2 MailScanner: failed

Since this server is not yet in production I can not send a
message from an Outlook client over the new MailScanner to
the outside but when I issue a command "sendmail
email@adres.com" fill in some blabla and hit "." it sends
out fine to anyone anywhere...

From gavin at NETERGY.COM Wed Nov 6 09:34:13 2002
From: gavin at NETERGY.COM (Gavin Nelmes-Crocker)
Date: Thu Jan 12 21:16:18 2006
Subject: Clam AV - Beware
Message-ID:

I know it's currently unsupported in code status by mailscanner and this
doesn't technically alter that but beware if you are planning to use it on a
production box with no other scanners.

My findings so far with regard to virus detecting is poor we have pushed
several real virii through it and it hasn't detected them when f-prot, sophos
and kaspersky all have and I'm not talking new ones here one of the ones we
are playing with is Melissa which is 2 years old. We have up to date virus
definitions for Clamav and it is working as it detects its own test file but
not some of the others that I would expect it to.

Regards

Gavin

From t.d.lee at DURHAM.AC.UK Wed Nov 6 09:52:17 2002
From: t.d.lee at DURHAM.AC.UK (David Lee)
Date: Thu Jan 12 21:16:18 2006
Subject: iframe dilemma: a compromise?
In-Reply-To: <5.1.0.14.2.20021104182526.023b4238@imap.ecs.soton.ac.uk>
Message-ID:

On Mon, 4 Nov 2002, Julian Field wrote:

> At 18:06 04/11/2002, you wrote:
> >[...]
> >It seems the choice is currently a stark one: either permit iframe (and
> >risk its possible dangers) or forbid iframe (and risk the dangers of
> >unhappy users with big sticks).
> >
> >Might there be the possibility of a compromise? An option something like
> >"convert iframe to text"? (Or was this discussed and deemed unworkable?)
>
> In version 4, you can allow IFrame tags from any given "trusted" address,
> which solves the problem.

Thanks.

But that doesn't really solve the problem, does it? It merely replaces
it with another: a never-ending problem of maintaining a list of such
trusted addresses submitted by our 15K-20K users.

Even if that were feasible (doubtful!), how would we (the service provider
in the university) judge what really is to be "trusted"?

Further, one of the purposes of MailScanner is to help to protect the
site, not just the individual PC. If a trusted address turns out itself
to be troublesome, then doesn't that open the floodgates? (Analogy:
suppose one had the facility "trust Bugbear from this address"?)

(Perhaps I've misunderstood something?)

What I am suggesting is something complementary, to augment your "trusted
iframe address" facility, which could still be in place. Namely, an
option (for non-trusted addresses) to convert the iframe to text. Thus
the basic message will still get through, and still be vaguely human
readable.

> I am loathed to spend the time required to implement all the "domains file"
> code in version 3, it would be quite a bit of work.

That's fine. I wasn't even hinting at any such back-port!

> If you keep your Outlook and OE users well up to date with patches, then
> you probably won't have much problem as most of the current viruses that
> exploit this rely on you not having installed patches that were issued a
> year ago.

But one of the very reasons for MailScanner in the first place is that the
users often don't keep themselves up-to-date with patches, and thus they
(and other non-up-to-date users) remain vulnerable. (Suppose one user
gets caught with such an iframe problem: what might then be the effect on
other users whose own virus-scanning is, say, a few weeks behind?)

Thanks again for a great product!

--

:  David Lee                                I.T. Service          :
:  Systems Programmer                       Computer Centre       :
:                                           University of Durham  :
:  http://www.dur.ac.uk/t.d.lee/            South Road            :
:                                           Durham                :
:  Phone: +44 191 374 2882                  U.K.                  :

From novirus at CARLO65.DE Wed Nov 6 10:11:42 2002
From: novirus at CARLO65.DE (Roland Ehle)
Date: Thu Jan 12 21:16:18 2006
Subject: iframe dilemma: a compromise?
In-Reply-To:
References:
Message-ID: <1036577502.23578.14.camel@linroute>

Hi David,

On Wed, 2002-11-06 at 10.52, David Lee wrote:

[..]

> > In version 4, you can allow IFrame tags from any given "trusted" address,
> > which solves the problem.

> But that doesn't really solve the problem, does it? It merely replaces
> it with another: a never-ending problem of maintaining a list of such
> trusted addresses submitted by our 15K-20K users.

finally it is your decision, which one is the petty evil to you.

> Even if that were feasible (doubtful!), how would we (the service provider
> in the university) judge what really is to be "trusted"?

You can't! Never, that is my opinion. I run a site with several domains
and I decided not to allow IFrame tags. My customers understand it and
there were no problems so far.

Julian did a very good job with MailScanner 4.x and of course it is not
his task to solve anybody's organisational problems.

I am sure, if you convert HTML-mails containing IFrame tags to text-only,
you are going to have a whole bunch of user complaints on your desk.

Maybe, I did not understand you correctly, but it seems to me, that your
favourite decision should be "Allow IFrame tags = no", because you will
not find a 100 percent secure solution.

Regards,
Roland

Sorry for my poor English

From mailscanner at ecs.soton.ac.uk Wed Nov 6 12:38:50 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:18 2006
Subject: iframe dilemma: a compromise?
In-Reply-To:
References: <5.1.0.14.2.20021104182526.023b4238@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021106122341.046952f8@imap.ecs.soton.ac.uk>

At 09:52 06/11/2002, you wrote:
>On Mon, 4 Nov 2002, Julian Field wrote:
>
> > At 18:06 04/11/2002, you wrote:
> > >[...]
> > >It seems the choice is currently a stark one: either permit iframe (and
> > >risk its possible dangers) or forbid iframe (and risk the dangers of
> > >unhappy users with big sticks).
> > >
> > >Might there be the possibility of a compromise? An option something like
> > >"convert iframe to text"? (Or was this discussed and deemed unworkable?)
> >
> > In version 4, you can allow IFrame tags from any given "trusted" address,
> > which solves the problem.
>
>Further, one of the purposes of MailScanner is to help to protect the
>site, not just the individual PC. If a trusted address turns out itself
>to be troublesome, then doesn't that open the floodgates? (Analogy:
>suppose one had the facility "trust Bugbear from this address"?)

Agreed.

>What I am suggesting is something complementary, to augment your "trusted
>iframe address" facility, which could still be in place. Namely, an
>option (for non-trusted addresses) to convert the iframe to text. Thus
>the basic message will still get through, and still be vaguely human
>readable.
>
>But one of the very reasons for MailScanner in the first place is that the
>users often don't keep themselves up-to-date with patches, and thus they
>(and other non-up-to-date users) remain vulnerable. (Suppose one user
>gets caught with such an iframe problem: what might then be the effect on
>other users whose own virus-scanning is, say, a few weeks behind?)

Yes, I understand your point of view much better now.

I can see there are certain situations, or certain addresses, where you
still want the readable content to get through even if the message contains
untrusted IFrames or "Object Codebase" tags.

So, say you have
         Allow IFrame Tags = yes
but you also have a new option
         Convert Dangerous HTML to Text = yes
then the message contents would be allowed through (by the 1st option) but
it would be stripped down to plain text (by the 2nd option). The definition
of "Dangerous" in this context is HTML containing either IFrame tags or
Object Codebase tags.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From t.d.lee at DURHAM.AC.UK Wed Nov 6 14:17:02 2002
From: t.d.lee at DURHAM.AC.UK (David Lee)
Date: Thu Jan 12 21:16:18 2006
Subject: iframe dilemma: a compromise?
In-Reply-To: <5.1.0.14.2.20021106122341.046952f8@imap.ecs.soton.ac.uk>
Message-ID:

On Wed, 6 Nov 2002, Julian Field wrote:

> So, say you have
>          Allow IFrame Tags = yes
> but you also have a new option
>          Convert Dangerous HTML to Text = yes
> then the message contents would be allowed through (by the 1st option) but
> it would be stripped down to plain text (by the 2nd option). The definition
> of "Dangerous" in this context is HTML containing either IFrame tags or
> Object Codebase tags.

That sounds like the sort of thing I had envisaged. Thanks.

Naturally, if a back-port to 3.x were also reasonable, that, too, would be
nice. And, of course, I would volunteer to help verify its working.

--

:  David Lee                                I.T. Service          :
:  Systems Programmer                       Computer Centre       :
:                                           University of Durham  :
:  http://www.dur.ac.uk/t.d.lee/            South Road            :
:                                           Durham                :
:  Phone: +44 191 374 2882                  U.K.                  :

From tal at MUSICGENOME.COM Wed Nov 6 14:28:04 2002
From: tal at MUSICGENOME.COM (Tal Kelrich)
Date: Thu Jan 12 21:16:18 2006
Subject: iframe dilemma: a compromise?
In-Reply-To: <5.1.0.14.2.20021106122341.046952f8@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20021104182526.023b4238@imap.ecs.soton.ac.uk>
 <5.1.0.14.2.20021106122341.046952f8@imap.ecs.soton.ac.uk>
Message-ID: <1036592892.17268.14.camel@johnny5>

On Wed, 2002-11-06 at 14:38, Julian Field wrote:
> So, say you have
>          Allow IFrame Tags = yes
> but you also have a new option
>          Convert Dangerous HTML to Text = yes
> then the message contents would be allowed through (by the 1st option) but
> it would be stripped down to plain text (by the 2nd option). The definition
> of "Dangerous" in this context is HTML containing either IFrame tags or
> Object Codebase tags.

how about converting it into slightly less dangerous HTML? (assuming
users still want their HTML mail intact, which I think will mostly be
the case)
ie, turn IFRAME into DIV or something similar.

btw, I'm wondering if an IFRAME without a src attribute is still as
dangerous

--
Tal Kelrich
PGP fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69
Key Available at: http://www.hasturkun.com/pub.txt

From mailscanner at ecs.soton.ac.uk Wed Nov 6 15:04:55 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:18 2006
Subject: iframe dilemma: a compromise?
In-Reply-To: <1036592892.17268.14.camel@johnny5>
References: <5.1.0.14.2.20021106122341.046952f8@imap.ecs.soton.ac.uk>
 <5.1.0.14.2.20021104182526.023b4238@imap.ecs.soton.ac.uk>
 <5.1.0.14.2.20021106122341.046952f8@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021106150350.04544328@imap.ecs.soton.ac.uk>

At 14:28 06/11/2002, you wrote:
>On Wed, 2002-11-06 at 14:38, Julian Field wrote:
> > So, say you have
> >          Allow IFrame Tags = yes
> > but you also have a new option
> >          Convert Dangerous HTML to Text = yes
> > then the message contents would be allowed through (by the 1st option) but
> > it would be stripped down to plain text (by the 2nd option). The definition
> > of "Dangerous" in this context is HTML containing either IFrame tags or
> > Object Codebase tags.
>how about converting it into slightly less dangerous HTML? (assuming
>users still want their HTML mail intact, which I think will mostly be
>the case)
>ie, turn IFRAME into DIV or something similar.
>
>btw, I'm wondering if an IFRAME without a src attribute is still as
>dangerous

You want to guarantee there is no src attribute within a particular iframe?
Very nasty parsing problem, that!
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From Heinz.Knutzen at DZSH.DE Wed Nov 6 15:52:08 2002
From: Heinz.Knutzen at DZSH.DE (Knutzen, Heinz)
Date: Thu Jan 12 21:16:18 2006
Subject: MailScanner-4.05-3 and SuSE 8.0
Message-ID: <096F8FA588BAD211844C0090272F2307017FBAFF@DZSHMAILSRV2>

Hi,

today I installed MailScanner-4.05-3 from rpm on a system running SuSE 8.0.
I will summarize my changes to get it to work:

1. add a link /usr/src/RPM to /usr/src/packages (this has been reported
   before)

2. The postinstall script doesn't work.
   chkconfig from SuSE seems to be a bit different
   "chkconfig --level 2 sendmail off # To fix bug in some RedHat dist's"
   gives an error message:
   Unknown option: level
   usage:
           chkconfig -t|--terse [names]            (shows the links)
           chkconfig -e|--edit [names]             (configure services)
           chkconfig -s|--set [name state]...      (configure services)
           chkconfig -l|--list [--deps] [names]    (shows the links)
           chkconfig -a|--add [names]              (runs insserv)
           chkconfig -d|--del [names]              (runs insserv -r)
           chkconfig -h|--help                     (print usage)

           chkconfig [name]           same as chkconfig -t
           chkconfig name state...    same as chkconfig -s name state

3. The preuninstall and postuninstall won't work, since SuSE 8.0 doesn't
   have a "service" command.

4. The init script is placed in /etc/rc.d/init.d/MailScanner
   This doesn't work for SuSE.
   SuSE uses /etc/init.d/ for init scripts. /etc/rc.d is simply a link to
   /etc/init.d
   Installing from rpm results in a file /etc/init.d/init.d/MailScanner

5. The init script init.d/MailScanner doesn't work anyhow:
   - there is no /etc/rc.d/init.d/functions but a /etc/rc.status instead
   - there is no file /etc/sysconfig/network, but a directory
     /etc/sysconfig/network
   - the outgoing sendmail process is named "sendmail: Queue runner.*" for SuSE
   - there is a different mechanism for failure / success reporting
   - I don't know if /var/lock/subsys/MailScanner is useful for a SuSE system
   See my modified init script for SuSE 8.0 attached to this mail.

Best regards

-- Heinz Knutzen

Datenzentrale Schleswig-Holstein
Altenholzer Str. 10-14, 24161 Altenholz, Germany
http://www.dzsh.de/
mailto:heinz.knutzen@dzsh.de
Tel: +49.431.3295.581 Fax: +49.431.3295.410

-------------- next part --------------
A non-text attachment was scrubbed...
Name: MailScanner.init
Type: application/octet-stream
Size: 4808 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021106/105e0860/MailScanner.obj

From t.d.lee at DURHAM.AC.UK Wed Nov 6 16:06:18 2002
From: t.d.lee at DURHAM.AC.UK (David Lee)
Date: Thu Jan 12 21:16:18 2006
Subject: iframe dilemma: a compromise?
In-Reply-To: <1036592892.17268.14.camel@johnny5>
Message-ID:

On Wed, 6 Nov 2002, Tal Kelrich wrote:

> On Wed, 2002-11-06 at 14:38, Julian Field wrote:
> > So, say you have
> >          Allow IFrame Tags = yes
> > but you also have a new option
> >          Convert Dangerous HTML to Text = yes
> > then the message contents would be allowed through (by the 1st option) but
> > it would be stripped down to plain text (by the 2nd option). The definition
> > of "Dangerous" in this context is HTML containing either IFrame tags or
> > Object Codebase tags.
> how about converting it into slightly less dangerous HTML? (assuming
> users still want their HTML mail intact, which I think will mostly be
> the case)
> ie, turn IFRAME into DIV or something similar.

So, to generalise, Julian's suggested binary switch:
   Convert Dangerous HTML to Text = yes

this could become something vaguely like:
   Convert Dangerous HTML = {text|div|\&perl_routine|...}

Note the "vaguely like": this is simply exploration of ideas.

The "text" would strip out the iframe (result is a text message containing
HTML tags: not spectacularly user-friendly, but simple and vaguely
readable).

The "div" would convert the "iframe": presumably the result would be
modified HTML, still viewed in a WWW-browser-like window.

The "\&perl_routine" would allow a site to have its own code. (Analogy: I
recall some discussion about some sort of "Custom" facility.) For
instance, that "perl_routine" might somehow invoke a custom, safer
browser (perhaps lynx?). All very hand-wavy!

--

:  David Lee                                I.T. Service          :
:  Systems Programmer                       Computer Centre       :
:                                           University of Durham  :
:  http://www.dur.ac.uk/t.d.lee/            South Road            :
:                                           Durham                :
:  Phone: +44 191 374 2882                  U.K.                  :

From Heinz.Knutzen at DZSH.DE Wed Nov 6 16:28:02 2002
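[Added example, not part of any list message and not MailScanner's code: a Python sketch of the "text" and "div" conversions discussed in this thread, using the thread's definition of "dangerous" (IFrame tags or Object Codebase tags) and reporting whether each iframe carries a src. The names scan, convert_dangerous_html and SAMPLE are hypothetical, the sample message is constructed, and rewriting OBJECT CODEBASE to DIV is an assumption, since the thread proposes DIV only for IFRAME.]

```python
from html import escape
from html.parser import HTMLParser

RAW_TEXT = ("script", "style")  # element content that is code, not message text


def _dangerous(tag, attrs):
    """The thread's definition: any IFRAME, or an OBJECT that carries CODEBASE."""
    return tag == "iframe" or (
        tag == "object" and any(name == "codebase" for name, _ in attrs))


class _Converter(HTMLParser):
    """Walks the message once; output is rebuilt from parsed tokens, with text
    re-escaped, instead of editing the original string. Comments and
    declarations are dropped because no handler re-emits them."""

    def __init__(self, mode):
        super().__init__(convert_charrefs=True)
        self.mode = mode      # "text" or "div"
        self.out = []
        self.findings = []    # (tag, URL or None) for each dangerous tag
        self.raw = False      # currently inside <script> or <style>
        self.objects = []     # one flag per open <object>: rewritten to <div>?

    def _open(self, tag, attrs, selfclosing):
        bad = _dangerous(tag, attrs)
        if bad:
            key = "src" if tag == "iframe" else "codebase"
            self.findings.append(
                (tag, next((v for n, v in attrs if n == key), None)))
        if not selfclosing:
            if tag == "object":
                self.objects.append(bad)
            if tag in RAW_TEXT:
                self.raw = True
        if self.mode != "div":
            return
        if bad:  # drop the tag and every attribute, src/codebase included
            self.out.append("<div></div>" if selfclosing else "<div>")
            return
        rendered = "".join(
            f" {n}" if v is None else f' {n}="{escape(v, quote=True)}"'
            for n, v in attrs)
        self.out.append(f"<{tag}{rendered}{' /' if selfclosing else ''}>")

    def handle_starttag(self, tag, attrs):
        self._open(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._open(tag, attrs, True)

    def handle_endtag(self, tag):
        if tag in RAW_TEXT:
            self.raw = False
        rewritten = tag == "iframe"
        if tag == "object" and self.objects:
            rewritten = self.objects.pop()
        if self.mode == "div":
            self.out.append("</div>" if rewritten else f"</{tag}>")

    def handle_data(self, data):
        if self.mode == "text":
            if not self.raw:          # keep script/style code out of the text
                self.out.append(data)
        else:
            self.out.append(data if self.raw else escape(data, quote=False))


def _run(html, mode):
    conv = _Converter(mode)
    conv.feed(html)
    conv.close()
    return conv


def scan(html):
    """List (tag, url) per dangerous tag; url is None when src/codebase is absent."""
    return _run(html, "text").findings


def convert_dangerous_html(html, mode):
    """mode is "text" or "div"; a message with no dangerous tag is returned as is."""
    if mode not in ("text", "div"):
        raise ValueError("mode must be 'text' or 'div'")
    conv = _run(html, mode)
    if not conv.findings:
        return html
    result = "".join(conv.out)
    return " ".join(result.split()) if mode == "text" else result


# Constructed sample: odd case, quoting and line breaks, plus a commented-out tag.
SAMPLE = ('<html><body><p>Invoice &amp; notes <b>attached</b>.</p>'
          "<IFRAME\n SRC='cid:part1' HEIGHT=0 WIDTH=0></IFRAME>"
          '<iframe name="empty"></iframe>'
          '<object codebase="http://example.invalid/x.cab" classid="clsid:0"></object>'
          '<object data="logo.png"></object>'
          '<!-- <iframe src="in-a-comment"> -->'
          '</body></html>')
```

A gateway using this approach still depends on its parser and the recipient's mail client agreeing on where tags begin and end, which is the parsing problem raised earlier in the thread.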
From: Heinz.Knutzen at DZSH.DE (Knutzen, Heinz)
Date: Thu Jan 12 21:16:18 2006
Subject: AW: MailScanner-4.05-3 and SuSE 8.0
Message-ID: <096F8FA588BAD211844C0090272F2307017FBB01@DZSHMAILSRV2>

Another issue I forgot to mention:

the ./install-sh script tried to upgrade perl-MIME-tools, but this was
refused with the following message:
"package perl-MIME-tools-5.411a-56 (which is newer than
perl-MIME-tools-5.411-pl4.2) is already installed"

I don't understand from what RPM knows, which package is "newer".
The installed package doesn't have the recent patches applied.
Presumably I have to upgrade using --force ?

Best regards

-- Heinz

> -----Original Message-----
> From: Knutzen, Heinz [mailto:Heinz.Knutzen@DZSH.DE]
> Sent: Wednesday, 6 November 2002 16:52
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: MailScanner-4.05-3 and SuSE 8.0
>
> Hi,
>
> today I installed MailScanner-4.05-3 from rpm on a system
> running SuSE 8.0.
> I will summarize my changes to get it to work:
>
> 1. add a link /usr/src/RPM to /usr/src/packages (this has
> been reported before)
>
> 2. The postinstall script doesn't work.
> chkconfig from SuSE seems to be a bit different
> "chkconfig --level 2 sendmail off # To fix bug in some RedHat dist's"
> gives an error message:
> Unknown option: level
> usage:
>         chkconfig -t|--terse [names]            (shows the links)
>         chkconfig -e|--edit [names]             (configure services)
>         chkconfig -s|--set [name state]...      (configure services)
>         chkconfig -l|--list [--deps] [names]    (shows the links)
>         chkconfig -a|--add [names]              (runs insserv)
>         chkconfig -d|--del [names]              (runs insserv -r)
>         chkconfig -h|--help                     (print usage)
>
>         chkconfig [name]           same as chkconfig -t
>         chkconfig name state...    same as chkconfig -s name state
>
> 3. The preuninstall and postuninstall won't work, since SuSE
> 8.0 doesn't have a "service" command.
>
> 4. The init script is placed in /etc/rc.d/init.d/MailScanner
> This doesn't work for SuSE.
> SuSE uses /etc/init.d/ for init scripts. /etc/rc.d is simply a link to
> /etc/init.d
> Installing from rpm results in a file /etc/init.d/init.d/MailScanner
>
> 5. The init script init.d/MailScanner doesn't work anyhow:
> - there is no /etc/rc.d/init.d/functions but a /etc/rc.status instead
> - there is no file /etc/sysconfig/network, but a directory
> /etc/sysconfig/network
> - the outgoing sendmail process is named "sendmail: Queue
> runner.*" for SuSE
> - there is a different mechanism for failure / success reporting
> - I don't know if /var/lock/subsys/MailScanner is useful for
> a SuSE system
> See my modified init script for SuSE 8.0 attached to this mail.
>
> Best regards
>
> -- Heinz Knutzen
>
> Datenzentrale Schleswig-Holstein
> Altenholzer Str. 10-14, 24161 Altenholz, Germany
> http://www.dzsh.de/
> mailto:heinz.knutzen@dzsh.de
> Tel: +49.431.3295.581 Fax: +49.431.3295.410
>

From ivan at NUCCI.COM.BR Wed Nov 6 17:05:38 2002
From: ivan at NUCCI.COM.BR (Ivan Mirisola)
Date: Thu Jan 12 21:16:18 2006
Subject: Clam AV - Beware
References:
Message-ID: <3DC94BE2.4060109@nucci.com.br>

Hi Mr. Gavin Nelmes,

What version of clamAV are you using? Perhaps this security bug has been corrected on the latest version (0.53).

If I can be of any assistance in testing this software, I'll be glad to help. I think the OpenSource community will certainly appreciate it if clamAV is promoted to a "supported" status.

BTW: Does anyone know of a website where I can download viruses as a test platform?

Best regards,
Ivan

Gavin Nelmes-Crocker wrote:

>I know it's currently unsupported in code status by mailscanner and this
>doesn't technically alter that but beware if you are planning to use it on a
>production box with no other scanners.
>
>My findings so far with regard to virus detecting is poor we have pushed
>several real virii through it and it hasn't detected them when f-prot, sophos
>and kaspersky all have and I'm not talking new ones here one of the ones we
>are playing with is Melissa which is 2 years old. We have up to date virus
>definitions for Clamav and it is working as it detects its own test file but
>not some of the others that I would expect it to.
>
>Regards
>
>Gavin
>
>

From mailscanner at ecs.soton.ac.uk Wed Nov 6 17:08:32 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:18 2006
Subject: iframe dilemma: a compromise?
In-Reply-To:
References: <1036592892.17268.14.camel@johnny5>
Message-ID: <5.1.0.14.2.20021106170426.06ad7aa0@imap.ecs.soton.ac.uk>

At 16:06 06/11/2002, you wrote:
>On Wed, 6 Nov 2002, Tal Kelrich wrote:
>
> > On Wed, 2002-11-06 at 14:38, Julian Field wrote:
> > > So, say you have
> > > Allow IFrame Tags = yes
> > > but you also have a new option
> > > Convert Dangerous HTML to Text = yes
> > > then the message contents would be allowed through (by the 1st option) but
> > > it would be stripped down to plain text (by the 2nd option). The definition
> > > of "Dangerous" in this context is HTML containing either IFrame tags or
> > > Object Codebase tags.
> > how about converting it into slightly less dangerous HTML? (assuming
> > users still want their HTML mail intact, which I think will mostly be
> > the case)
> > ie, turn IFRAME into DIV or something similar.
>
>So, to generalise, Julian's suggested binary switch:
> Convert Dangerous HTML to Text = yes
>
>this could become something vaguely like:
> Convert Dangerous HTML = {text|div|\&perl_routine|...}
>
>Note the "vaguely like": this is simply exploration of ideas.
>
>The "text" would strip out the iframe (result is a text message containing
>HTML tags: not spectacularly user-friendly, but simple and vaguely
>readable).
>
>The "div" would convert the "iframe": presumably the result would be
>modified HTML, still viewed in a WWW-browser-like window.
>
>The "\&perl_routine" would allow a site to have its own code. (Analogy: I
>recall some discussion about some sort of "Custom" facility.) For
>instance, that "perl_routine" might somehow invoke a custom, safer
>browser (perhaps lynx?). All very hand-wavy!

Eek, that sounds like far too much hard work for me. Don't forget that my proposed "Convert Dangerous HTML to Text" option can be a ruleset or a custom function for working out which messages to massage.

Converting the IFrames to Divs is a bit harder for me (as I have to start parsing the HTML tag by tag and replacing certain tags while leaving others alone, and who's to say there aren't possible exploits in Divs too?). Allowing your own code to run at this point is awkward too, as you would have to know quite a lot about the internal structure of MailScanner to even start to be able to do something useful, and you may open yourself up to various attacks in the process.

I prefer to keep it simple, if that will satisfy most people. (I can't satisfy all the users all the time, and still get to sleep a few hours each night).

David, I'll mail you a URL in a moment so you can try out what I've done.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From gavin at NETERGY.COM Wed Nov 6 17:42:36 2002
From: gavin at NETERGY.COM (Gavin Nelmes-Crocker)
Date: Thu Jan 12 21:16:18 2006
Subject: Clam AV - Beware
In-Reply-To: <3DC94BE2.4060109@nucci.com.br>
Message-ID:

the version I'm using is the latest version 0.53 I only installed the other day to see what it was like.

the best site I have found for virii to use in testing is http://vx.netlux.org/

I have been using Melissa a lot as it's nice and old and therefore should be picked up by everything - that's what disappointed me when ClamAV missed it but I am happy to be corrected - I'm not on any of the clamav mailing lists so maybe you could test as well and bring it up there if you have the same findings.

Regards

Gavin

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Ivan Mirisola
Sent: 06 November 2002 17:06
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Clam AV - Beware

Hi Mr. Gavin Nelmes,

What version of clamAV are you using? Perhaps this security bug has been corrected on the latest version (0.53).

If I can be of any assistance in testing this software, I'll be glad to help. I think the OpenSource community will certainly appreciate it if clamAV is promoted to a "supported" status.

BTW: Does anyone know of a website where I can download viruses as a test platform?

Best regards,
Ivan

Gavin Nelmes-Crocker wrote:

>I know it's currently unsupported in code status by mailscanner and this
>doesn't technically alter that but beware if you are planning to use it on a
>production box with no other scanners.
>
>My findings so far with regard to virus detecting is poor we have pushed
>several real virii through it and it hasn't detected them when f-prot, sophos
>and kaspersky all have and I'm not talking new ones here one of the ones we
>are playing with is Melissa which is 2 years old. We have up to date virus
>definitions for Clamav and it is working as it detects its own test file but
>not some of the others that I would expect it to.
>
>Regards
>
>Gavin
>
>

From mailscanner at ecs.soton.ac.uk Wed Nov 6 18:11:45 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:18 2006
Subject: AW: MailScanner-4.05-3 and SuSE 8.0
In-Reply-To: <096F8FA588BAD211844C0090272F2307017FBB01@DZSHMAILSRV2>
Message-ID: <5.1.0.14.2.20021106181027.0238fbb0@imap.ecs.soton.ac.uk>

At 16:28 06/11/2002, you wrote:
>Another issue I forgot to mention:
>
>the ./install-sh script tried to upgrade perl-MIME-tools,
>but this was refused with the following message:
>"package perl-MIME-tools-5.411a-56 (which is newer than
>perl-MIME-tools-5.411-pl4.2) is already installed"
>
>I don't understand how RPM knows which package is "newer".
>The installed package doesn't have the recent patches applied.
>Presumably I have to upgrade using --force ?

Yes, you will have to --force it.

Thanks for all the other comments, looks like I need to build a SuSE-specific version as there are too many differences from RedHat to be able to construct an RPM that will do both.

Oh for some more hardware...

> > -----Original Message-----
> > From: Knutzen, Heinz [mailto:Heinz.Knutzen@DZSH.DE]
> > Sent: Wednesday, 6 November 2002 16:52
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: MailScanner-4.05-3 and SuSE 8.0
> >
> > Hi,
> >
> > today I installed MailScanner-4.05-3 from rpm on a system
> > running SuSE 8.0.
> > I will summarize my changes to get it to work:
> >
> > 1. add a link /usr/src/RPM to /usr/src/packages (this has
> > been reported before)
> >
> > 2. The postinstall script doesn't work.
> > chkconfig from SuSE seems to be a bit different
> > "chkconfig --level 2 sendmail off # To fix bug in some RedHat dist's"
> > gives an error message:
> > Unknown option: level
> > usage:
> > chkconfig -t|--terse [names] (shows the links)
> > chkconfig -e|--edit [names] (configure services)
> > chkconfig -s|--set [name state]... (configure services)
> > chkconfig -l|--list [--deps] [names] (shows the links)
> > chkconfig -a|--add [names] (runs insserv)
> > chkconfig -d|--del [names] (runs insserv -r)
> > chkconfig -h|--help (print usage)
> >
> > chkconfig [name] same as chkconfig -t
> > chkconfig name state... same as chkconfig -s name state
> >
> > 3. The preuninstall and postuninstall won't work, since SuSE
> > 8.0 doesn't have a "service" command.
> >
> > 4. The init script is placed in /etc/rc.d/init.d/MailScanner
> > This doesn't work for SuSE.
> > SuSE uses /etc/init.d/ for init scripts. /etc/rc.d is simply a link to
> > /etc/init.d
> > Installing from rpm results in a file /etc/init.d/init.d/MailScanner
> >
> > 5. The init script init.d/MailScanner doesn't work anyhow:
> > - there is no /etc/rc.d/init.d/functions but a /etc/rc.status instead
> > - there is no file /etc/sysconfig/network, but a directory
> >   /etc/sysconfig/network
> > - the outgoing sendmail process is named "sendmail: Queue
> >   runner.*" for SuSE
> > - there is a different mechanism for failure / success reporting
> > - I don't know if /var/lock/subsys/MailScanner is useful for
> >   a SuSE system
> > See my modified init script for SuSE 8.0 attached to this mail.
> >
> > Best regards
> >
> > -- Heinz Knutzen
> >
> > Datenzentrale Schleswig-Holstein
> > Altenholzer Str. 10-14, 24161 Altenholz, Germany
> > http://www.dzsh.de/
> > mailto:heinz.knutzen@dzsh.de
> > Tel: +49.431.3295.581 Fax: +49.431.3295.410
> > <>
> >

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From tal at MUSICGENOME.COM Wed Nov 6 18:20:32 2002
From: tal at MUSICGENOME.COM (Tal Kelrich)
Date: Thu Jan 12 21:16:18 2006
Subject: iframe dilemma: a compromise?
In-Reply-To: <5.1.0.14.2.20021106170426.06ad7aa0@imap.ecs.soton.ac.uk>
References: <1036592892.17268.14.camel@johnny5> <5.1.0.14.2.20021106170426.06ad7aa0@imap.ecs.soton.ac.uk>
Message-ID: <1036606832.17268.86.camel@johnny5>

On Wed, 2002-11-06 at 19:08, Julian Field wrote:
> Eek, that sounds like far too much hard work for me. Don't forget that my
> proposed "Convert Dangerous HTML to Text" option can be a ruleset or a
> custom function for working out which messages to massage.
>
> Converting the IFrames to Divs is a bit harder for me (as I have to start
> parsing the HTML tag by tag and replacing certain tags while leaving others
> alone, and who's to say there aren't possible exploits in Divs too?).
> Allowing your own code to run at this point is awkward too, as you would
> have to know quite a lot about the internal structure of MailScanner to
> even start to be able to do something useful, and you may open yourself up
> to various attacks in the process.

Couldn't you just use Anomy Sanitizer's Anomy::HTMLCleaner?
It seems to be pretty much well written, as well as maintained
(though some print STDERR and logging should be changed)
(http://mailtools.anomy.net/)

--
Tal Kelrich
PGP fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69
Key Available at: http://www.hasturkun.com/pub.txt

From mailscanner at ecs.soton.ac.uk Wed Nov 6 18:39:09 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:18 2006
Subject: iframe dilemma: a compromise?
In-Reply-To: <1036606832.17268.86.camel@johnny5>
References: <5.1.0.14.2.20021106170426.06ad7aa0@imap.ecs.soton.ac.uk> <1036592892.17268.14.camel@johnny5> <5.1.0.14.2.20021106170426.06ad7aa0@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021106183430.037bfe50@imap.ecs.soton.ac.uk>

At 18:20 06/11/2002, you wrote:
>On Wed, 2002-11-06 at 19:08, Julian Field wrote:
> > Eek, that sounds like far too much hard work for me. Don't forget that my
> > proposed "Convert Dangerous HTML to Text" option can be a ruleset or a
> > custom function for working out which messages to massage.
> >
> > Converting the IFrames to Divs is a bit harder for me (as I have to start
> > parsing the HTML tag by tag and replacing certain tags while leaving others
> > alone, and who's to say there aren't possible exploits in Divs too?).
> > Allowing your own code to run at this point is awkward too, as you would
> > have to know quite a lot about the internal structure of MailScanner to
> > even start to be able to do something useful, and you may open yourself up
> > to various attacks in the process.
>Couldn't you just use Anomy Sanitizer's Anomy::HTMLCleaner?
>It seems to be pretty much well written, as well as maintained
>(though some print STDERR and logging should be changed)
>(http://mailtools.anomy.net/)

That certainly sounds like a possibility, but I don't think it's a short term solution which is what people seem to want at the moment. When I get time, I will take a look at the HTMLCleaner as it may be better than the HTML-Parser module I use at the moment to do this.

One concern is what it considers to need "cleaning". At the moment, the HTML stripping I do removes all HTML tags, which is brutal but safe. I don't want to leave potential security holes due to any HTML that HTMLCleaner leaves intact. That may not be a problem, I haven't studied it yet.

But thanks for the pointer! I'll take a look when I get time.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From ivan at NUCCI.COM.BR Wed Nov 6 19:01:26 2002
From: ivan at NUCCI.COM.BR (Ivan Mirisola)
Date: Thu Jan 12 21:16:18 2006
Subject: Clam AV - Beware
References:
Message-ID: <3DC96706.2060006@nucci.com.br>

Dear Mr. Gavin,

I tested the same virus on vx.netlux.org with clamAV 0.51 and it also failed to discover it. I have reported this issue to clamAV's site and hope to see some fix very soon.

-----------------------------------------------------------------------------------
Nov 6 16:55:48 nucci sendmail[9060]: gA6Jtlp09060: from=, size=44395, class=0, nrcpts=1, msgid=<000d01c285cf$05c31270$0502a8c0@C5>, proto=SMTP, daemon=MTA,
Nov 6 16:55:48 nucci MailScanner[9358]: New Batch: Scanning 1 messages, 44802 bytes
Nov 6 16:55:50 nucci MailScanner[9358]: Virus and Content Scanning: Starting
Nov 6 16:55:50 nucci MailScanner[9358]: Uninfected: Delivered 1 messages
-----------------------------------------------------------------------------------

Thanks again,
Ivan

Gavin Nelmes-Crocker wrote:

>I know it's currently unsupported in code status by mailscanner and this
>doesn't technically alter that but beware if you are planning to use it on a
>production box with no other scanners.
>
>My findings so far with regard to virus detecting is poor we have pushed
>several real virii through it and it hasn't detected them when f-prot, sophos
>and kaspersky all have and I'm not talking new ones here one of the ones we
>are playing with is Melissa which is 2 years old. We have up to date virus
>definitions for Clamav and it is working as it detects its own test file but
>not some of the others that I would expect it to.
>
>Regards
>
>Gavin
>
>

From vanhorn at whidbey.com Wed Nov 6 19:25:37 2002
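The policy discussed in the "iframe dilemma" messages above, sketched as an added Python example (not part of any post and not MailScanner's own code, which is Perl): a body counts as "dangerous" if it contains an IFrame tag or an Object tag with a Codebase attribute, and conversion removes every tag instead of rewriting selected ones. The function and parameter names are hypothetical, the sample bodies are constructed, and blocking when Allow IFrame Tags is off is an assumption about the existing behaviour.

```python
import re
from html.parser import HTMLParser

# Tags whose content is never shown as text, and tags that start a new line.
HIDDEN = {"script", "style"}
BREAKS = {"p", "div", "br", "tr", "li", "h1", "h2", "h3", "table", "blockquote"}


class _Scanner(HTMLParser):
    """Single pass: record dangerous constructs and collect visible text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.reasons = []   # e.g. ["iframe", "object-codebase"]
        self.chunks = []    # visible text fragments
        self._hidden = 0    # >0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag and attribute names, so <IFRAME> and
        # <Object CodeBase=...> are matched without extra work.
        if tag == "iframe":
            self.reasons.append("iframe")
        elif tag == "object" and any(name == "codebase" for name, _ in attrs):
            self.reasons.append("object-codebase")
        if tag in HIDDEN:
            self._hidden += 1
        elif tag in BREAKS:
            self.chunks.append("\n")

    def handle_endtag(self, tag):
        if tag in HIDDEN and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden:
            self.chunks.append(data)


def scan(html):
    """Return (reasons, plain_text) for one HTML body."""
    scanner = _Scanner()
    scanner.feed(html)
    scanner.close()
    lines = (re.sub(r"\s+", " ", ln).strip()
             for ln in "".join(scanner.chunks).split("\n"))
    return scanner.reasons, "\n".join(ln for ln in lines if ln)


def process(html, allow_iframe_tags, convert_dangerous_html_to_text):
    """Apply the two options named in the thread to one HTML body.

    Returns (action, body); action is "blocked", "converted" or "unchanged".
    """
    reasons, text = scan(html)
    if "iframe" in reasons and not allow_iframe_tags:
        return "blocked", None       # assumption: a disallowed tag stops the message
    if reasons and convert_dangerous_html_to_text:
        return "converted", text     # every tag removed, not only the flagged one
    return "unchanged", html


# Constructed sample bodies (not taken from any real message).
IFRAME_MAIL = (
    '<html><body><p>Invoice attached.</p>'
    '<IFRAME SRC="http://example.invalid/page"></IFRAME>'
    '<p>Regards &amp; thanks</p></body></html>'
)
OBJECT_MAIL = '<div>Hello</div><object CodeBase="viewer.cab"></object>'
PLAIN_HTML_MAIL = '<p>Lunch at <b>noon</b>?</p>'

if __name__ == "__main__":
    for body in (IFRAME_MAIL, OBJECT_MAIL, PLAIN_HTML_MAIL):
        print(process(body, allow_iframe_tags=True,
                      convert_dangerous_html_to_text=True))
```

Because conversion discards all markup, the result does not depend on knowing which other tags might be exploitable, which is the "brutal but safe" property described in the message above.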
From: vanhorn at whidbey.com (G. Armour Van Horn)
Date: Thu Jan 12 21:16:18 2006
Subject: Upgrade problems to 4.05
References: <0b0c01c27118$eda6f190$1c0a0a0a@pugmarks34team> <5.1.0.14.2.20021011135424.04352c00@imap.ecs.soton.ac.uk>
Message-ID: <3DC96CB1.2FE7B832@whidbey.com>

Julian,

I've been running with 4.00.0a13 ever since that frantic weekend when you were spitting out a new alpha every few hours. (You released them all, I installed them all, did either of us get any sleep?) At that time I couldn't get the ./install.sh to ever work, and you had me uninstalling each package, in reverse order, and then installing each package in order.

It's been a while, so I decided to catch up again and just grabbed 4.05 to try. With that many other installs behind you, I thought I'd give the installer another shot. After congratulating me for having the patch command and /usr/src/redhat, it gave me this:

You appear to have 2 versions of Perl installed,
the normal one in /usr/bin and one in /usr/local.
This often happens if you have used CPAN to install modules.
I strongly advise you remove all traces of perl from
within /usr/local and then run this script again.

If you do not want to do that, and really want to continue,
then you will need to run this script as
 ./install.sh ignore-perl

That neatly illustrates the most frustrating thing about my Linux/Unix experience. If anyone on earth should know where Perl modules should be, it has to be CPAN, right? And if anyone on earth should know where files belong on a RedHat system, it would be rpm, right? So how come every machine I have ever run more than a week has at least two sets of several Perl directories? (Never mind that I have to have two versions of Python now.)

I know, you didn't make this mess. But I certainly don't feel confident removing all traces of Perl from /usr/local, and the only trace I see there is
 mod_perl.pm -> /usr/lib/perl5/site_perl/5.6.0/i386-linux/mod_perl.pm
which is a link to yet a third location. Is there a risk in running more than one copy of Perl things? Is it greater than the risk of running less than one? Or, as seems more likely to me, having seven copies of Perl things but none of them is in the place that something else wants it to be? As much as I despise Microsoft, I at least know where everything goes in a Windows system!

So, I'm thinking about going back to the familiar routine of removing each RPM in turn and reinstalling them one at a time. That way the only thing I have to worry about is to restore my MailScanner.conf. (Which reminds me, why can't RPM note if a valid conf file is in place and leave it alone?)

Also, I have noticed a major difference in the messages I get when a virus is found. When I was running 3.23 I got the headers of the offending message, now I get a short summary. Is this a change from MailScanner 3 to 4, or a change from Kaspersky to f-prot which I made at the same time for economic reasons?

This can wait a bit, viruses are being stopped and the mail is getting delivered.

Van

--
----------------------------------------------------------
Sign up now for Quotes of the Day, a handful of quotations on a theme delivered every morning. Enlightenment! Daily, for free!
mailto:twisted@whidbey.com?subject=Subscribe_QOTD

For web hosting and maintenance, visit Van's home page:
http://www.domainvanhorn.com/van/
----------------------------------------------------------

From brian at PORTSMOUTH-COLLEGE.AC.UK Wed Nov 6 19:33:02 2002
From: brian at PORTSMOUTH-COLLEGE.AC.UK (Brian Chivers)
Date: Thu Jan 12 21:16:18 2006
Subject: mailscanner.conf.rpmnew
Message-ID: <003501c285cb$5258c5c0$69c8a8c0@tpc.ac.uk>

I've just upgraded from 3.13 to 3.25-1 via the RPM and everything seems to be ok except !!!

When I look in the etc directory in Mailscanner directory I see a new file called mailscanner.conf.rpmnew.

Should I merge the old setting from my existing conf file into the rpmnew file then rename this to mailscanner.conf ??

Thanks in advance

Brian Chivers

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From ivan at NUCCI.COM.BR Wed Nov 6 19:34:45 2002
From: ivan at NUCCI.COM.BR (Ivan Mirisola)
Date: Thu Jan 12 21:16:18 2006
Subject: ClamAV - New Test Results
References: <3DC96706.2060006@nucci.com.br>
Message-ID: <3DC96ED5.5000007@nucci.com.br>

Hi All,

I have performed new tests with some famous viruses found on vx.netlux.org. Only Melissa failed to be discovered by clamAV. I don't know why. The virus is found on a "visual basic for ms-word" format and had to be included in a document. Maybe clamAV is trying to find the original file that contained the virus but this must be a wrong doing. My AVG Free Edition does check the document generated and is able to see that there is a virus within.

Any thoughts, I'll be glad to hear.

Sincerely,
Ivan

------------------------------Love Letter Test------------------------------------
Nov 6 17:27:36 nucci sendmail[17092]: gA6KRZp17092: from=, size=11995, class=0, nrcpts=1, msgid=<002d01c285d3$77256bd0$0502a8c0@C5>, proto=SMTP,
Nov 6 17:27:37 nucci MailScanner[10818]: New Batch: Scanning 1 messages, 12402 bytes
Nov 6 17:27:37 nucci MailScanner[10818]: Virus and Content Scanning: Starting
Nov 6 17:27:38 nucci MailScanner[10818]: Virus Scanning: clamav found 1 infections
Nov 6 17:27:38 nucci MailScanner[10818]: Virus Scanning: Found 1 viruses
Nov 6 17:27:38 nucci MailScanner[10818]: Filename Checks: Possible Microsoft Visual Basic script attack (I-Worm.LoveLetter.vbs)
Nov 6 17:27:38 nucci MailScanner[10818]: Other Checks: Found 1 problems
Nov 6 17:27:38 nucci MailScanner[10818]: Saved infected "I-Worm.LoveLetter.vbs" to /var/spool/MailScanner/quarantine/20021106/gA6KRZp17092
Nov 6 17:27:38 nucci MailScanner[10818]: Cleaned: Delivered 1 cleaned messages
------------------------------Love Letter Test------------------------------------

------------------------------Pretty Park Test-------------------------------------
Nov 6 17:25:37 nucci sendmail[15773]: gA6KPap15773: from=, size=52034, class=0, nrcpts=1, msgid=<002301c285d3$30265f50$0502a8c0@C5>, proto=SMTP
Nov 6 17:25:40 nucci MailScanner[4547]: New Batch: Scanning 1 messages, 52441 bytes
Nov 6 17:25:40 nucci MailScanner[4547]: Virus and Content Scanning: Starting
Nov 6 17:25:41 nucci MailScanner[4547]: Filename Checks: Possible virus hidden in a screensaver (I-Worm.PrettyPark.scr)
Nov 6 17:25:41 nucci MailScanner[4547]: Other Checks: Found 1 problems
Nov 6 17:25:41 nucci MailScanner[4547]: Saved infected "I-Worm.PrettyPark.scr" to /var/spool/MailScanner/quarantine/20021106/gA6KPap15773
Nov 6 17:25:41 nucci MailScanner[4547]: Cleaned: Delivered 1 cleaned messages
------------------------------Pretty Park Test-------------------------------------

--------------------------------Magister Test-------------------------------------
Nov 6 17:23:34 nucci sendmail[15225]: gA6KNXp15225: from=, size=85924, class=0, nrcpts=1, msgid=<001901c285d2$e6e5ee50$0502a8c0@C5>, proto=SMTP
Nov 6 17:23:35 nucci MailScanner[4152]: New Batch: Scanning 1 messages, 86332 bytes
Nov 6 17:23:35 nucci MailScanner[4152]: Virus and Content Scanning: Starting
Nov 6 17:23:37 nucci MailScanner[4152]: Virus Scanning: clamav found 1 infections
Nov 6 17:23:37 nucci MailScanner[4152]: Virus Scanning: Found 1 viruses
Nov 6 17:23:37 nucci MailScanner[4152]: Filename Checks: Possible virus hidden in a screensaver (I-Worm.Magistr.b.scr)
Nov 6 17:23:37 nucci MailScanner[4152]: Other Checks: Found 1 problems
Nov 6 17:23:37 nucci MailScanner[4152]: Saved infected "I-Worm.Magistr.b.scr" to /var/spool/MailScanner/quarantine/20021106/gA6KNXp15225
Nov 6 17:23:37 nucci MailScanner[4152]: Cleaned: Delivered 1 cleaned messages
--------------------------------Magister Test-------------------------------------

------------------------------Nimda Test------------------------------------------
Nov 6 17:21:07 nucci sendmail[14736]: gA6KL7p14736: from=, size=2947, class=0, nrcpts=1, msgid=<000d01c285d2$8f8f1320$0502a8c0@C5>, proto=SMTP
Nov 6 17:21:07 nucci MailScanner[4152]: New Batch: Scanning 1 messages, 3354 bytes
Nov 6 17:21:07 nucci MailScanner[4152]: Virus and Content Scanning: Starting
Nov 6 17:21:08 nucci MailScanner[4152]: Virus Scanning: clamav found 1 infections
Nov 6 17:21:08 nucci MailScanner[4152]: Virus Scanning: Found 1 viruses
Nov 6 17:21:08 nucci MailScanner[4152]: Saved infected "I-Worm.Nimda.html" to /var/spool/MailScanner/quarantine/20021106/gA6KL7p14736
Nov 6 17:21:08 nucci MailScanner[4152]: Cleaned: Delivered 1 cleaned messages
------------------------------Nimda Test------------------------------------------

Ivan Mirisola wrote:

> Dear Mr. Gavin,
>
> I tested the same virus on vx.netlux.org with clamAV 0.51 and it also
> failed to discover it. I have reported this issue to clamAV's site and hope
> to see some fix very soon.
>
> -----------------------------------------------------------------------------------
> Nov 6 16:55:48 nucci sendmail[9060]: gA6Jtlp09060: from=, size=44395, class=0, nrcpts=1, msgid=<000d01c285cf$05c31270$0502a8c0@C5>, proto=SMTP, daemon=MTA,
> Nov 6 16:55:48 nucci MailScanner[9358]: New Batch: Scanning 1 messages, 44802 bytes
> Nov 6 16:55:50 nucci MailScanner[9358]: Virus and Content Scanning: Starting
> Nov 6 16:55:50 nucci MailScanner[9358]: Uninfected: Delivered 1 messages
> -----------------------------------------------------------------------------------
>
> Thanks again,
> Ivan
>
> Gavin Nelmes-Crocker wrote:
>
>> I know it's currently unsupported in code status by mailscanner and this
>> doesn't technically alter that but beware if you are planning to use it on a
>> production box with no other scanners.
>>
>> My findings so far with regard to virus detecting is poor we have pushed
>> several real virii through it and it hasn't detected them when f-prot, sophos
>> and kaspersky all have and I'm not talking new ones here one of the ones we
>> are playing with is Melissa which is 2 years old. We have up to date virus
>> definitions for Clamav and it is working as it detects its own test file but
>> not some of the others that I would expect it to.
>>
>> Regards
>>
>> Gavin
>>
>>

From mike at CAMAROSS.NET Wed Nov 6 19:37:11 2002
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:16:18 2006
Subject: mailscanner.conf.rpmnew
In-Reply-To: <003501c285cb$5258c5c0$69c8a8c0@tpc.ac.uk>
Message-ID:

I would if the time/date stamp on the .rpmnew is more recent. Chances are, there are more options to be set in the .rpmnew that you'll need/want.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Brian Chivers
Sent: Wednesday, November 06, 2002 1:33 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: mailscanner.conf.rpmnew

I've just upgraded from 3.13 to 3.25-1 via the RPM and everything seems to be ok except !!!

When I look in the etc directory in Mailscanner directory I see a new file called mailscanner.conf.rpmnew.

Should I merge the old setting from my existing conf file into the rpmnew file then rename this to mailscanner.conf ??

Thanks in advance

Brian Chivers

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From mailscanner at ecs.soton.ac.uk Wed Nov 6 19:37:52 2002
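The logs in the "Clam AV - Beware" and "ClamAV - New Test Results" posts above record which check stopped each test message. As an added example (not part of any post and not MailScanner code), the Python below groups the MailScanner entries into batches and reports whether a signature scanner, a filename rule, or neither flagged each one. The function names are hypothetical; the input is the posted log text restored to one entry per line, with all but one sendmail line left out.

```python
import re

# MailScanner entries from the logs posted in this thread, one per line.
# The first batch is the message logged as "Uninfected" in the earlier post.
SAMPLE_LOG = """\
Nov 6 16:55:48 nucci MailScanner[9358]: New Batch: Scanning 1 messages, 44802 bytes
Nov 6 16:55:50 nucci MailScanner[9358]: Virus and Content Scanning: Starting
Nov 6 16:55:50 nucci MailScanner[9358]: Uninfected: Delivered 1 messages
Nov 6 17:27:37 nucci MailScanner[10818]: New Batch: Scanning 1 messages, 12402 bytes
Nov 6 17:27:37 nucci MailScanner[10818]: Virus and Content Scanning: Starting
Nov 6 17:27:38 nucci MailScanner[10818]: Virus Scanning: clamav found 1 infections
Nov 6 17:27:38 nucci MailScanner[10818]: Virus Scanning: Found 1 viruses
Nov 6 17:27:38 nucci MailScanner[10818]: Filename Checks: Possible Microsoft Visual Basic script attack (I-Worm.LoveLetter.vbs)
Nov 6 17:27:38 nucci MailScanner[10818]: Other Checks: Found 1 problems
Nov 6 17:27:38 nucci MailScanner[10818]: Saved infected "I-Worm.LoveLetter.vbs" to /var/spool/MailScanner/quarantine/20021106/gA6KRZp17092
Nov 6 17:27:38 nucci MailScanner[10818]: Cleaned: Delivered 1 cleaned messages
Nov 6 17:25:40 nucci MailScanner[4547]: New Batch: Scanning 1 messages, 52441 bytes
Nov 6 17:25:40 nucci MailScanner[4547]: Virus and Content Scanning: Starting
Nov 6 17:25:41 nucci MailScanner[4547]: Filename Checks: Possible virus hidden in a screensaver (I-Worm.PrettyPark.scr)
Nov 6 17:25:41 nucci MailScanner[4547]: Other Checks: Found 1 problems
Nov 6 17:25:41 nucci MailScanner[4547]: Saved infected "I-Worm.PrettyPark.scr" to /var/spool/MailScanner/quarantine/20021106/gA6KPap15773
Nov 6 17:25:41 nucci MailScanner[4547]: Cleaned: Delivered 1 cleaned messages
Nov 6 17:23:35 nucci MailScanner[4152]: New Batch: Scanning 1 messages, 86332 bytes
Nov 6 17:23:35 nucci MailScanner[4152]: Virus and Content Scanning: Starting
Nov 6 17:23:37 nucci MailScanner[4152]: Virus Scanning: clamav found 1 infections
Nov 6 17:23:37 nucci MailScanner[4152]: Virus Scanning: Found 1 viruses
Nov 6 17:23:37 nucci MailScanner[4152]: Filename Checks: Possible virus hidden in a screensaver (I-Worm.Magistr.b.scr)
Nov 6 17:23:37 nucci MailScanner[4152]: Other Checks: Found 1 problems
Nov 6 17:23:37 nucci MailScanner[4152]: Saved infected "I-Worm.Magistr.b.scr" to /var/spool/MailScanner/quarantine/20021106/gA6KNXp15225
Nov 6 17:23:37 nucci MailScanner[4152]: Cleaned: Delivered 1 cleaned messages
Nov 6 17:21:07 nucci sendmail[14736]: gA6KL7p14736: from=, size=2947, class=0, nrcpts=1, msgid=<000d01c285d2$8f8f1320$0502a8c0@C5>, proto=SMTP
Nov 6 17:21:07 nucci MailScanner[4152]: New Batch: Scanning 1 messages, 3354 bytes
Nov 6 17:21:07 nucci MailScanner[4152]: Virus and Content Scanning: Starting
Nov 6 17:21:08 nucci MailScanner[4152]: Virus Scanning: clamav found 1 infections
Nov 6 17:21:08 nucci MailScanner[4152]: Virus Scanning: Found 1 viruses
Nov 6 17:21:08 nucci MailScanner[4152]: Saved infected "I-Worm.Nimda.html" to /var/spool/MailScanner/quarantine/20021106/gA6KL7p14736
Nov 6 17:21:08 nucci MailScanner[4152]: Cleaned: Delivered 1 cleaned messages
"""

ENTRY = re.compile(r"^\w{3}\s+\d+\s+[\d:]{8}\s+\S+\s+MailScanner\[(\d+)\]:\s+(.*)$")
SCANNER_HIT = re.compile(r"^Virus Scanning: (\S+) found (\d+) infections")
FILENAME_HIT = re.compile(r"^Filename Checks: (.+) \(([^()]+)\)$")
SAVED = re.compile(r'^Saved infected "([^"]+)"')
DELIVERED = re.compile(r"^(Cleaned|Uninfected): Delivered")


def parse_batches(log_text):
    """Group MailScanner entries into batches (New Batch ... Delivered) per PID."""
    open_by_pid, finished = {}, []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue                     # sendmail and other daemons
        pid, msg = m.groups()
        if msg.startswith("New Batch:"):
            open_by_pid[pid] = {"pid": pid, "scanners": {}, "filename_rules": [],
                                "saved": [], "outcome": None}
            continue
        batch = open_by_pid.get(pid)
        if batch is None:
            continue                     # entry whose batch start is not in the excerpt
        if (hit := SCANNER_HIT.match(msg)):
            batch["scanners"][hit.group(1)] = int(hit.group(2))
        elif (hit := FILENAME_HIT.match(msg)):
            batch["filename_rules"].append((hit.group(2), hit.group(1)))
        elif (hit := SAVED.match(msg)):
            batch["saved"].append(hit.group(1))
        elif (hit := DELIVERED.match(msg)):
            batch["outcome"] = hit.group(1).lower()
            finished.append(open_by_pid.pop(pid))
    return finished


def layers(batch):
    """Checks that flagged this batch: scanner names first, then the filename rule."""
    found = [f"scanner:{name}" for name, n in sorted(batch["scanners"].items()) if n > 0]
    if batch["filename_rules"]:
        found.append("filename-rule")
    return found


def report(batches):
    """(sample, outcome, layers) per batch; sample is None if nothing was quarantined."""
    return [(b["saved"][0] if b["saved"] else None, b["outcome"], layers(b))
            for b in batches]


def filename_rule_only(batches):
    """Samples stopped by a filename rule while no scanner reported an infection."""
    return [b["saved"][0] for b in batches
            if b["saved"] and b["filename_rules"] and not any(b["scanners"].values())]


if __name__ == "__main__":
    for row in report(parse_batches(SAMPLE_LOG)):
        print(row)
```

A message passed as uninfected leaves no sample name in the log, so the first row can only be tied to a particular test file through the text of the post that quoted it.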
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:19 2006
Subject: Upgrade problems to 4.05
In-Reply-To: <3DC96CB1.2FE7B832@whidbey.com>
References: <0b0c01c27118$eda6f190$1c0a0a0a@pugmarks34team> <5.1.0.14.2.20021011135424.04352c00@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021106193025.02370e20@imap.ecs.soton.ac.uk>

At 19:25 06/11/2002, you wrote:
>I've been running with 4.00.0a13 ever since that frantic weekend when you
>were spitting out a new alpha every few hours. (You released them all, I
>installed them all, did either of us get any sleep?) At that time I
>couldn't get the ./install.sh to ever work, and you had me uninstalling
>each package, in reverse order, and then installing each package in order.

I have hazy memories of that weekend...
Given more hardware, I could build test systems for other OS's. VMWare helps a lot (my main desktop pc can run 3 different OS's at the same time) but it's not a complete solution to the problem.

>It's been a while, so I decided to catch up again and just grabbed 4.05 to
>try. With that many other installs behind you, I thought I'd give the
>installer another shot. After congratulating me for having the patch
>command and /usr/src/redhat, it gave me this:
>You appear to have 2 versions of Perl installed,
>the normal one in /usr/bin and one in /usr/local.
>This often happens if you have used CPAN to install modules.
>I strongly advise you remove all traces of perl from
>within /usr/local and then run this script again.
>
>If you do not want to do that, and really want to continue,
>then you will need to run this script as
> ./install.sh ignore-perl
>
>That neatly illustrates the most frustrating thing about my Linux/Unix
>experience. If anyone on earth should know where Perl modules should be,
>it has to be CPAN, right? And if anyone on earth should know where files
>belong on a RedHat system, it would be rpm, right? So how come every
>machine I have ever run more than a week has at least two sets of several
>Perl directories? (Never mind that I have to have two versions of Python now.)
>
>I know, you didn't make this mess. But I certainly don't feel confident
>removing all traces of Perl from /usr/local, and the only trace I see there is
> mod_perl.pm -> /usr/lib/perl5/site_perl/5.6.0/i386-linux/mod_perl.pm
>which is a link to yet a third location. Is there a risk in running more
>than one copy of Perl things?

It can affect where cpan tries to install things, which may not be where /usr/bin/perl finds things. The test in my script looks for /usr/bin/perl and /usr/local/bin/perl, and complains if they both exist.
Try
    cd /usr/local
    find . -name '*perl*' -print
to find potential targets,

> Is it greater than the risk of running less than one? Or, as seems more
> likely to me, having seven copies of Perl things but none of them is in
> the place that something else wants it to be? As much as I despise
> Microsoft, I at least know where everything goes in a Windows system!
>
>So, I'm thinking about going back to the familiar routine of removing each
>RPM in turn and reinstalling them one at a time. That way the only thing
>I have to worry about is to restore my MailScanner.conf. (Which reminds
>me, why can't RPM note if a valid conf file is in place and leave it alone?)

RPM does do this, and will leave you with both the new one and your old one, so you can sort out your customisations.

>Also, I have noticed a major difference in the messages I get when a virus
>is found. When I was running 3.23 I got the headers of the offending
>message, now I get a short summary. Is this a change from MailScanner 3 to
>4, or a change from Kaspersky to f-prot which I made at the same time for
>economic reasons?

This is a configuration option, called something containing "Full Headers" if I remember rightly.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mike at CAMAROSS.NET Wed Nov 6 19:45:11 2002
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:16:19 2006
Subject: Hardware Woes
In-Reply-To: <5.1.0.14.2.20021106193025.02370e20@imap.ecs.soton.ac.uk>
Message-ID:

I know out of all the people on this list and users of MailScanner which Julian provides for FREE, we should be able to come up with some spare hardware to get him the tools he needs. I know I have RAM, some drives, a couple of older processors, etc that I will gladly donate to the cause. If international shipping is a problem, I know Julian accepts donations via Paypal. Come on folks...let's show some appreciation and help Julian help US!

Mike

From gavin at NETERGY.COM Wed Nov 6 20:02:16 2002
From: gavin at NETERGY.COM (Gavin Nelmes-Crocker)
Date: Thu Jan 12 21:16:19 2006
Subject: Hardware Woes
In-Reply-To:
Message-ID:

What are the hardware woes?

I'm happy to contribute some equipment to the cause as well, I have some at least 1 spare motherboard with low end cpu and a large 1u unit again low cpu but fully working and redhat compatible.

We are looking to benefit commercially it's the least I can do.

Regards

Gavin

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Mike Kercher Sent: 06 November 2002 19:45 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Hardware Woes I know out of all the people on this list and users of MailScanner which Julian provides for FREE, we should be able to come up with some spare hardware to get him the tools he needs. I know I have RAM, some drives, a couple of older processors, etc that I will gladly donate to the cause. If international shipping is a problem, I know Julian accepts donations via Paypal. Come on folks...let's show some appreciation and help Julian help US! Mike From mike at CAMAROSS.NET Wed Nov 6 20:03:55 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:16:19 2006 Subject: Hardware Woes In-Reply-To: Message-ID: I'll let Julian tell us what his needs/requirements are :) Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Gavin Nelmes-Crocker Sent: Wednesday, November 06, 2002 2:02 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Hardware Woes what are the hardware woes? I'm happy to contribute some equipment to the cause as well, I have some at least 1 spare motherboard with low end cpu and a large 1u unit again low cpu but fully working and redhat compatible. We are looking to benefit commercially its the least I can do. Regards Gavin -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Mike Kercher Sent: 06 November 2002 19:45 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Hardware Woes I know out of all the people on this list and users of MailScanner which Julian provides for FREE, we should be able to come up with some spare hardware to get him the tools he needs. I know I have RAM, some drives, a couple of older processors, etc that I will gladly donate to the cause. If international shipping is a problem, I know Julian accepts donations via Paypal. Come on folks...let's show some appreciation and help Julian help US! Mike From mailscanner at ecs.soton.ac.uk Wed Nov 6 20:49:36 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:19 2006 Subject: Hardware Woes In-Reply-To: References: Message-ID: <5.1.0.14.2.20021106203843.02c13eb8@imap.ecs.soton.ac.uk> At 20:03 06/11/2002, you wrote: >I'll let Julian tell us what his needs/requirements are :) My ideal list is this at the moment: PC to run SuSE / Ensim / RedHat Cobalt raq Cobalt cube (or is it qube these days) and a Sun workgroup server for various Solaris versions. I need them for not only development, but also performance testing so that potential users know what hardware they need for their mail load for the current version. I know that lot is asking a bit much of any of you, I'm trying to get some sponsorship/donations locally too. If anyone needs ammunition for their financial directors, get a quote from MessageLabs or Trend for a nasty surprise! We did this and nearly fainted. >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Gavin Nelmes-Crocker >Sent: Wednesday, November 06, 2002 2:02 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Hardware Woes > > >what are the hardware woes? > >I'm happy to contribute some equipment to the cause as well, I have some at >least 1 spare motherboard with low end cpu and a large 1u unit again low cpu >but fully working and redhat compatible. > >We are looking to benefit commercially its the least I can do. > >Regards > >Gavin > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Mike Kercher >Sent: 06 November 2002 19:45 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Hardware Woes > > >I know out of all the people on this list and users of MailScanner which >Julian provides for FREE, we should be able to come up with >some spare hardware to get him the tools he needs. I know I have RAM, some >drives, a couple of older processors, etc that I will >gladly donate to the cause. If international shipping is a problem, I know >Julian accepts donations via Paypal. Come on >folks...let's show some appreciation and help Julian help US! > >Mike -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From richard.siddall at elirion.net Wed Nov 6 21:07:09 2002 
From: richard.siddall at elirion.net (Richard Siddall) Date: Thu Jan 12 21:16:19 2006 Subject: Hardware Woes References: <5.1.0.14.2.20021106203843.02c13eb8@imap.ecs.soton.ac.uk> Message-ID: <3DC9847D.B8C9D8D4@elirion.net> Julian Field wrote: > > At 20:03 06/11/2002, you wrote: > >I'll let Julian tell us what his needs/requirements are :) > > My ideal list is this at the moment: > > PC to run SuSE / Ensim / RedHat > Cobalt raq > Cobalt cube (or is it qube these days) > and a Sun workgroup server for various Solaris versions. > All 240V / 50 Hz or auto-switching, I assume. Julian, have you looked at the Sun Cobalt RaQ Hotel? http://developer.cobalt.com/resources/hotel.php (You may have to register first at: http://developer.cobalt.com/sol/dev.maintenance.php) I haven't used it. Apparently they have the Qube 3, but not the RaQ XTR or 550. Regards, Richard Siddall From mailscanner at ecs.soton.ac.uk Wed Nov 6 21:28:21 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:19 2006 Subject: Hardware Woes In-Reply-To: <3DC9847D.B8C9D8D4@elirion.net> References: <5.1.0.14.2.20021106203843.02c13eb8@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20021106212429.02bc17d8@imap.ecs.soton.ac.uk> At 21:07 06/11/2002, you wrote: >Julian Field wrote: > > At 20:03 06/11/2002, you wrote: > > >I'll let Julian tell us what his needs/requirements are :) > > > > My ideal list is this at the moment: > > > > PC to run SuSE / Ensim / RedHat > > Cobalt raq > > Cobalt cube (or is it qube these days) > > and a Sun workgroup server for various Solaris versions. > > > >All 240V / 50 Hz or auto-switching, I assume. Yes please. Fortunately PC power supplies are cheap. >Julian, have you looked at the Sun Cobalt RaQ Hotel? >http://developer.cobalt.com/resources/hotel.php >(You may have to register first at: >http://developer.cobalt.com/sol/dev.maintenance.php) >I haven't used it. Apparently they have the Qube 3, but not the RaQ >XTR or 550. That looks like a possibility for testing builds. Unfortunately I can't guarantee being able to spend lots of hours at some specific dates, so this would be less suitable for development use. Occasionally my real job gets in the way :-) The other development docs there definitely look very useful though. And as I didn't know they existed, a Sun LX50 would be very handy too. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From gavin at NETERGY.COM Wed Nov 6 21:58:46 2002 
From: gavin at NETERGY.COM (Gavin Nelmes-Crocker) Date: Thu Jan 12 21:16:19 2006 Subject: Hardware Woes In-Reply-To: <5.1.0.14.2.20021106212429.02bc17d8@imap.ecs.soton.ac.uk> Message-ID: ok this hardware list is getting longer by the minute :-) Ok I'm committing a 1U 700Mhz 20Gb 128Mb unit to the cause - does anyone have a DHL or similar account who would like to donate shipping we're only talking about £15 as I'm based in the UK, otherwise I will drop it in but it may take me some time to be in Southampton again (before Christmas is the best at the moment) The unit runs redhat but will need to be wiped as I don't have the password anymore, the box has only been set-up and not used (previous company I worked for went belly up) As for the Cobalt stuff I can probably lend something for a reasonable period for testing sorry no LX50 or RaQ550 but I have some friends in Southampton who customize a lot of RaQ550's so I will ask if they can help. I used to work for Cobalt so maybe there are some strings to be pulled sadly with Sun it's not as easy as it was. In my Cobalt days I would have been driving down with one of each of our products in sponsorship sadly Sun don't always view it like that. That's the best I can do at the moment - Mailscanner is awesome and I have to say Julian is one of the hardest working maintainer/programmers I've dealt with recently. Regards Gavin ps the box is boxed and ready to ship if anyone is quick with courier details!!!!!! don't be shy. -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: 06 November 2002 21:28 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Hardware Woes At 21:07 06/11/2002, you wrote: >Julian Field wrote: > > At 20:03 06/11/2002, you wrote: > > >I'll let Julian tell us what his needs/requirements are :) > > > > My ideal list is this at the moment: > > > > PC to run SuSE / Ensim / RedHat > > Cobalt raq > > Cobalt cube (or is it qube these days) > > and a Sun workgroup server for various Solaris versions. > > > >All 240V / 50 Hz or auto-switching, I assume. Yes please. Fortunately PC power supplies are cheap. >Julian, have you looked at the Sun Cobalt RaQ Hotel? >http://developer.cobalt.com/resources/hotel.php >(You may have to register first at: >http://developer.cobalt.com/sol/dev.maintenance.php) >I haven't used it. Apparently they have the Qube 3, but not the RaQ >XTR or 550. That looks like a possibility for testing builds. Unfortunately I can't guarantee being able to spend lots of hours at some specific dates, so this would be less suitable for development use. Occasionally my real job gets in the way :-) The other development docs there definitely look very useful though. And as I didn't know they existed, a Sun LX50 would be very handy too. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From novirus at CARLO65.DE Wed Nov 6 22:40:02 2002 
From: novirus at CARLO65.DE (Roland Ehle) Date: Thu Jan 12 21:16:19 2006 Subject: Hardware Woes In-Reply-To: References: Message-ID: <1036622402.23579.21.camel@linroute> Hi Gavin, On Wed, 2002-11-06 at 22.58, Gavin Nelmes-Crocker wrote: > ok this hardware list is getting longer by the minute :-) > > Ok I'm committing a 1U 700Mhz 20Gb 128Mb unit to the cause - does anyone > have a DHL or similar account who would like to donate shipping we're only > talking about £15 as I'm based in the UK, otherwise I will drop it in but it > may take me some time to be in Southampton again (before Christmas is the > best at the moment) I do not have a DHL account, but I think, I can call the German branch of DHL and have them pick up the box at your address to deliver it to Julian. Let me just sort this out tomorrow morning. Otherwise I will send you the money. Regards, Roland From gavin at NETERGY.COM Wed Nov 6 23:50:57 2002 From: gavin at NETERGY.COM (Gavin Nelmes-Crocker) Date: Thu Jan 12 21:16:19 2006 Subject: Hardware Woes In-Reply-To: <1036622402.23579.21.camel@linroute> Message-ID: Roland you are most kind let me know and I will let you have all the details for collection, I'm sure Julian will also forward you the delivery address. Regards Gavin -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Roland Ehle Sent: 06 November 2002 22:40 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Hardware Woes Hi Gavin, On Wed, 2002-11-06 at 22.58, Gavin Nelmes-Crocker wrote: > ok this hardware list is getting longer by the minute :-) > > Ok I'm committing a 1U 700Mhz 20Gb 128Mb unit to the cause - does anyone > have a DHL or similar account who would like to donate shipping we're only > talking about £15 as I'm based in the UK, otherwise I will drop it in but it > may take me some time to be in Southampton again (before Christmas is the > best at the moment) I do not have a DHL account, but I think, I can call the German branch of DHL and have them pick up the box at your address to deliver it to Julian. Let me just sort this out tomorrow morning. Otherwise I will send you the money. Regards, Roland From vguerrero at minar.com Wed Nov 6 23:56:53 2002 
From: vguerrero at minar.com (Vicente Guerrero M.) Date: Thu Jan 12 21:16:19 2006 Subject: F-PROT problem? Message-ID: <00d901c285f0$2eb3b650$620aaa82@ADMINISTRATOR> I have RedHat 7.1, Sendmail8.9.3, MailScanner 4.04-1 and f-prot 3.12b. Everything seems to be working ok, but if I send a message from an external account (hotmail) with a virus attached, I have no warning about an infected message. I tried the EICAR_test file too, but nothing happened, I just get these lines in maillog:
Nov 6 17:34:11 ns0 sendmail[5914]: RAA05914: from=<user@hotmail.com>, size=96715, class=0, pri=126715, nrcpts=1, msgid=<OE17Bt3J3JCj2fBUA510000094e@hotmail.com>, proto=ESMTP, relay=oe17.law7.hotmail.com [216.33.236.121]
Nov 6 17:34:11 ns0 MailScanner[5190]: New Batch: Found 2 messages waiting
Nov 6 17:34:11 ns0 MailScanner[5190]: New Batch: Scanning 1 messages, 97125 bytes
Nov 6 17:34:12 ns0 MailScanner[5190]: Virus and Content Scanning: Starting
Nov 6 17:34:12 ns0 MailScanner[5190]: Uninfected: Delivered 1 messages
Nov 6 17:34:12 ns0 sendmail[5919]: RAA05914: to=<mail_user@minar.com>, delay=00:00:09, xdelay=00:00:00, mailer=local, stat=Sent
I tested f-prot manually and it says the infection is there (EICAR_test and an infected file (Magistr)). I really appreciate your help to solve this issue. BTW, I got warned about some infected messages, but they are the ones with IFrame tags in it. Thanks in advance (Sorry about my poor English) vgm From devin at JETDATA.CA Wed Nov 6 23:58:44 2002 
From: devin at JETDATA.CA (Devin Smith) Date: Thu Jan 12 21:16:19 2006 Subject: Hardware Woes In-Reply-To: <5.1.0.14.2.20021106212429.02bc17d8@imap.ecs.soton.ac.uk> Message-ID: <006501c285f0$7538d7e0$a384e5c6@rd.csandall.com> Hi Julian, while I can't offer to send it to the UK, I will certainly set up a RaQ4 or Qube 3 online for your use. Just email me and I will take the steps to get it online for you, as I'd really love to see you have your mailscanner package easily integrated with the RaQ/Qube! Steve Bassi took an older version and made a .pkg file for the RaQ4, but it is getting outdated and I'd love to have the v4 code available. :-) > -----Original Message----- 
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field > Sent: Wednesday, November 06, 2002 2:28 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Hardware Woes > > > At 21:07 06/11/2002, you wrote: > >Julian Field wrote: > > > At 20:03 06/11/2002, you wrote: > > > >I'll let Julian tell us what his needs/requirements are :) > > > > > > My ideal list is this at the moment: > > > > > > PC to run SuSE / Ensim / RedHat > > > Cobalt raq > > > Cobalt cube (or is it qube these days) > > > and a Sun workgroup server for various Solaris versions. > > > > > > >All 240V / 50 Hz or auto-switching, I assume. > > Yes please. Fortunately PC power supplies are cheap. > > >Julian, have you looked at the Sun Cobalt RaQ Hotel? > >http://developer.cobalt.com/resources/hotel.php > >(You may have to register first at: > >http://developer.cobalt.com/sol/dev.maintenance.php) > >I haven't used it. Apparently they have the Qube 3, but not the RaQ > >XTR or 550. > > That looks like a possibility for testing builds. > Unfortunately I can't > guarantee being able to spend lots of hours at some specific > dates, so this > would be less suitable for development use. Occasionally my > real job gets > in the way :-) The other development docs there definitely > look very useful > though. > > And as I didn't know they existed, a Sun LX50 would be very handy too. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > > From fong at SHUNKAM.COM Thu Nov 7 02:50:07 2002 
From: fong at SHUNKAM.COM (fong) Date: Thu Jan 12 21:16:19 2006 Subject: Relay by other network Message-ID: <001d01c28608$62b45140$57046898@shunkam.com> Did anyone configure mailscanner+sendmail+sophos? I had try to use sendmail on redhat 7.3 and only relay on my network, that is ok. After I installed mailscanner and sophos on the same pc, I make the following configuration: Sendmail port no: 8888 Sophos port no: 25 (redirect to sendmail after scanned) So that all mail will be scanned before send to sendmail. It also make relay by other network. How can I control the relay domain? Is it the problem of sophos, sendmail or mailscanner? I hope you understand my bad english. Appreciate for any help.... Fong Cheang -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021107/201353ed/attachment.html From mike at CAMAROSS.NET Thu Nov 7 02:49:06 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:16:19 2006 Subject: Relay by other network In-Reply-To: <001d01c28608$62b45140$57046898@shunkam.com> Message-ID: Sounds like sendmail since neither MailScanner nor Sophos have anything to do with relaying of mail. Did you install Sophos using the script supplied with MailScanner? -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of fong Sent: Wednesday, November 06, 2002 8:50 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Relay by other network Did anyone configure mailscanner+sendmail+sophos? I had try to use sendmail on redhat 7.3 and only relay on my network, that is ok. After I installed mailscanner and sophos on the same pc, I make the following configuration: Sendmail port no: 8888 Sophos port no: 25 (redirect to sendmail after scanned) So that all mail will be scanned before send to sendmail. It also make relay by other network. How can I control the relay domain? Is it the problem of sophos, sendmail or mailscanner? I hope you understand my bad english. Appreciate for any help.... Fong Cheang From fong at SHUNKAM.COM Thu Nov 7 03:12:33 2002 From: fong at SHUNKAM.COM (fong) Date: Thu Jan 12 21:16:19 2006 Subject: Relay by other network References: Message-ID: <003c01c2860b$83ad4c50$57046898@shunkam.com> Thanks.. Yes, I was install Sophos using the script supplied with MailScanner. ----- Original Message ----- From: "Mike Kercher" To: Sent: Thursday, November 07, 2002 10:49 AM Subject: Re: Relay by other network > Sounds like sendmail since neither MailScanner nor Sophos have anything to do with relaying of mail. Did you install Sophos using > the script supplied with MailScanner? > > > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of fong > Sent: Wednesday, November 06, 2002 8:50 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Relay by other network > > > Did anyone configure mailscanner+sendmail+sophos? > > I had try to use sendmail on redhat 7.3 and only relay on my network, that is ok. > > After I installed mailscanner and sophos on the same pc, I make the following configuration: > > Sendmail port no: 8888 > Sophos port no: 25 (redirect to sendmail after scanned) > > So that all mail will be scanned before send to sendmail. It also make relay by other network. > > How can I control the relay domain? Is it the problem of sophos, sendmail or mailscanner? > > I hope you understand my bad english. > > Appreciate for any help.... > > Fong Cheang From smohan at VSNL.COM Thu Nov 7 08:45:11 2002 From: smohan at VSNL.COM (S Mohan) Date: Thu Jan 12 21:16:19 2006 Subject: Relay by other network In-Reply-To: <001d01c28608$62b45140$57046898@shunkam.com> Message-ID: I've used this combination for 1 year now on 4 machines. Why are you changing sendmail port? Mailscanner starts two instances of sendmail - one in queued delivery mode accepting incoming connections and one just flushing out the queue. There is no need to change. If you are attaching port 25 to Sophos, then I guess you are using their mail gateway and not mailscanner. MailScanner uses the sweep commandline program and is a replacement for the Sophos Mail Gateway. Relaying in sendmail is controlled thro' /etc/mail/access file which has entries that look like
IP/domainname/email id OK/RELAY/REJECT
e.g.
192.168.0 RELAY
will relay for your local Class C subnet assuming it is 192.168.0 subnet. Restart MailScanner after this. sendmail start up converts this file to an access.db file. Also take care that sendmail MTA listens to your actual IP and not 127.0.0.1. HTH Mohan -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of fong Sent: 07 November 2002 08:20 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Relay by other network Did anyone configure mailscanner+sendmail+sophos? After I installed mailscanner and sophos on the same pc, I make the following configuration: Sendmail port no: 8888 Sophos port no: 25 (redirect to sendmail after scanned) So that all mail will be scanned before send to sendmail. It also make relay by other network. How can I control the relay domain? Is it the problem of sophos, sendmail or mailscanner? I hope you understand my bad english. Appreciate for any help.... Fong Cheang -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021107/55053cae/attachment.html From fong at SHUNKAM.COM Thu Nov 7 10:03:14 2002 From: fong at SHUNKAM.COM (fong) Date: Thu Jan 12 21:16:19 2006 Subject: Relay by other network References: Message-ID: <015a01c28644$e38e5810$57046898@shunkam.com> Thanks Mohan Since someone told me that if you install both software on same machine, you should change the port of sendmail. Do I change any configure in sophos's config(mmsmtp.cfg) file? Should I start the sophos daemon(mmsmtpd) and mailscanner daemon or instead of start mailscanner daemon only? Fong Cheang ----- Original Message ----- 
From: S Mohan To: MAILSCANNER@JISCMAIL.AC.UK Sent: Thursday, November 07, 2002 4:45 PM Subject: Re: Relay by other network I've used this combination for 1 year now on 4 machines. Why are you changing sendmail port? Mailscanner starts two instances of sendmail - one in queued delivery mode accepting incoming connections and one just flushing out the queue. There is no need to change. If you are attaching port 25 to Sophos, then I guess you are using their mail gateway and not mailscanner. MailScanner user the sweep commandline program and is a replacement for the Sophos Mail Gateway. Relaying in sendmail is controlled thro' /etc/mail/access file which has entries that look like IP/domainname/email id OK/RELAY?REJECT e.g. 192.168.0 RELAY will relay for your local Class C subnet assuming it is 192.168.0 subnet. Restart MailScanner after this. sendmail start up converts this file to a access.db file. Also take care that sendmail MTA listen to your actual IP and not 127.0.0.1. HTH Mohan -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of fong Sent: 07 November 2002 08:20 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Relay by other network Did anyone configure mailscanner+sendmail+sophos? After I installed mailscanner and sophos on the same pc, I make the following configuration: Sendmail port no: 8888 Sophos port no: 25 (redirect to sendmail after scanned) So that all mail will be scanned before send to sendmail. It also make relay by other network. How can I control the relay domain? Is it the problem of sophos, sendmail or mailscanner? I hope you understand my bad english. Appreciate for any help.... Fong Cheang -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021107/8c0c5568/attachment.html From mailscanner at ecs.soton.ac.uk Thu Nov 7 10:51:14 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:19 2006 Subject: Relay by other network In-Reply-To: <015a01c28644$e38e5810$57046898@shunkam.com> References: Message-ID: <5.1.0.14.2.20021107104933.01e19a28@imap.ecs.soton.ac.uk> At 10:03 07/11/2002, you wrote: >Since someone told me that if you install both software on same machine, >you should change the port of sendmail. >Do I change any configure in sophos's config(mmsmtp.cfg) file? >Should I start the sophos daemon(mmsmtpd) and mailscanner daemon or >instead of start mailscanner daemon only? There is no point running the Sophos MailMonitor email gateway package as well as MailScanner on the same system. MailScanner does not use Sophos' MailMonitor at all, it uses their "sweep" command-line utility. If you want to use MailScanner, then uninstall MailMonitor completely. > >Fong Cheang >----- Original Message ----- >From: S Mohan >To: MAILSCANNER@JISCMAIL.AC.UK >Sent: Thursday, November 07, 2002 4:45 PM >Subject: Re: Relay by other network > >I've used this combination for 1 year now on 4 machines. Why are you >changing sendmail port? Mailscanner starts two instances of sendmail - one >in queued delivery mode accepting incoming connections and one just >flushing out the queue. There is no need to change. If you are attaching >port 25 to Sophos, then I guess you are using their mail gateway and not >mailscanner. MailScanner user the sweep commandline program and is a >replacement for the Sophos Mail Gateway. Relaying in sendmail is >controlled thro' /etc/mail/access file which has entries that look like > >IP/domainname/email id OK/RELAY?REJECT > >e.g. >192.168.0 RELAY will relay for your local Class C subnet assuming it is >192.168.0 subnet. > >Restart MailScanner after this. sendmail start up converts this file to a >access.db file. Also take care that sendmail MTA listen to your actual IP >and not 127.0.0.1. > >HTH >Mohan >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of fong >Sent: 07 November 2002 08:20 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Relay by other network > >Did anyone configure mailscanner+sendmail+sophos? > >After I installed mailscanner and sophos on the same pc, I make the >following configuration: > >Sendmail port no: 8888 >Sophos port no: 25 (redirect to sendmail after scanned) > >So that all mail will be scanned before send to sendmail. It also make >relay by other network. > >How can I control the relay domain? Is it the problem of sophos, sendmail >or mailscanner? > >I hope you understand my bad english. > >Appreciate for any help.... > >Fong Cheang > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021107/71b1a768/attachment.html From mailscanner at ecs.soton.ac.uk Thu Nov 7 11:02:10 2002 
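The relay rule discussed in the "Relay by other network" thread above, as an added example (not part of any poster's message and not MailScanner or sendmail code): a Python check that reads access-file text in the `key OK/RELAY/REJECT` format, answers whether a client address would be allowed to relay, and lists RELAY prefixes that reach beyond private address space. The sample entries and all function names are constructed; the most-specific-prefix lookup order and the rule that only RELAY (not OK) permits relaying are assumptions based on standard sendmail access-map behaviour.

```python
import ipaddress

# Constructed sample in the format described in the thread:
#   IP / domain name / e-mail address   <whitespace>   OK | RELAY | REJECT
SAMPLE_ACCESS = """\
# constructed example entries, not taken from any real server
localhost.localdomain   RELAY
127.0.0.1               RELAY
192.168.0               RELAY
203.0.113               RELAY
198.51.100.7            OK
spammer.example         REJECT
"""

# Address space that is normally safe to relay for (loopback and RFC 1918).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_access(text):
    """Return {key: ACTION} from access-file text, skipping comments and blanks."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # a key with no action is ignored
        key, action = parts
        table[key.lower()] = action.strip().upper()
    return table


def lookup_ip(table, ip):
    """Most specific match first: a.b.c.d, then a.b.c, then a.b, then a."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    for n in range(4, 0, -1):
        key = ".".join(octets[:n])
        if key in table:
            return key, table[key]
    return None, None


def may_relay(table, ip):
    """Only RELAY grants relaying; OK merely accepts mail from the client."""
    _, action = lookup_ip(table, ip)
    return action == "RELAY"


def prefix_to_network(key):
    """Turn an IP prefix key such as '192.168.0' into a network, else None."""
    octets = key.split(".")
    if not 1 <= len(octets) <= 4:
        return None
    if not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None  # domain names and e-mail addresses end up here
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network("%s/%d" % (".".join(padded), 8 * len(octets)))


def risky_relay_entries(table):
    """RELAY entries on IP prefixes that are not inside private/loopback space."""
    findings = []
    for key, action in table.items():
        net = prefix_to_network(key)
        if action == "RELAY" and net is not None:
            if not any(net.subnet_of(p) for p in PRIVATE_NETS):
                findings.append((key, str(net), net.num_addresses))
    return sorted(findings)


if __name__ == "__main__":
    table = parse_access(SAMPLE_ACCESS)
    for client in ("192.168.0.25", "192.168.1.25", "198.51.100.7", "203.0.113.9"):
        print(client, "relay allowed" if may_relay(table, client) else "relay denied")
    for key, net, size in risky_relay_entries(table):
        print("review: %s RELAY covers %s (%d addresses)" % (key, net, size))
```
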
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:19 2006 Subject: F-PROT problem? In-Reply-To: <00d901c285f0$2eb3b650$620aaa82@ADMINISTRATOR> Message-ID: <5.1.0.14.2.20021107105839.032b2e80@imap.ecs.soton.ac.uk> Something is going wrong in how MailScanner is calling your copy of F-Prot. If you do these 2 commands, it should output some sort of summary showing how many files it scanned, at the very least.
cd /tmp
/usr/lib/MailScanner/f-prot-wrapper -old -archive -dumb .
(don't forget the dot on the end) If you get some sort of "command not found" error, then you have installed your copy of F-Prot somewhere different than the standard location, and you will need to alter the f-prot-wrapper script so it calls it in the right place. That script is very simple, you'll soon work out what you need to change in it. Let us know how you get on. At 23:56 06/11/2002, you wrote: >I have RedHat 7.1, Sendmail8.9.3, MailScanner 4.04-1 and f-prot 3.12b. > >Everything its seems to be working ok, but if I send a message from an >external account (hotmail) with a virus attached, I have no warning about >an infected message. 
I tried the EICAR_test file too, but nothing >happened, I just get these lines in maillog: > >Nov 6 17:34:11 ns0 sendmail[5914]: RAA05914: >from=<user@hotmail.com>, size=96715, class=0, >pri=126715, nrcpts=1, >msgid=<OE17Bt3J3JCj2fBUA510000094e@hotmail.com>, >proto=ESMTP, relay=oe17.law7.hotmail.com [216.33.236.121] >Nov 6 17:34:11 ns0 MailScanner[5190]: New Batch: Found 2 messages waiting >Nov 6 17:34:11 ns0 MailScanner[5190]: New Batch: Scanning 1 messages, >97125 bytes >Nov 6 17:34:12 ns0 MailScanner[5190]: Virus and Content Scanning: Starting >Nov 6 17:34:12 ns0 MailScanner[5190]: Uninfected: Delivered 1 messages >Nov 6 17:34:12 ns0 sendmail[5919]: RAA05914: >to=<mail_user@minar.com>, delay=00:00:09, >xdelay=00:00:00, mailer=local, stat=Sent >I tested f-prot manually and it says the infection is there (EICAR_test >and an infected file (Magistr). I really apreciate your help to solve this >issue. > > >BTW, I got warned about some infected messages, but they are the ones with >IFrame tags in it. > > >Thanks in advance > > >(Sorry about my poor English) > > >vgm -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021107/e3ac850f/attachment.html From andersan at LTKALMAR.SE Thu Nov 7 12:08:17 2002 
From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:16:19 2006 Subject: SV: F-PROT problem? Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EC53@lkl22.ltkalmar.se> Just a little thought, I'm not a big fan of hotmail but I know they use mcafee to scan for viruses. I don't have a clue if they scan outgoing mail but I would hope they do /Anders -----Original Message----- From: Vicente Guerrero M. [mailto:vguerrero@MINAR.COM] Sent: 7 November 2002 00:57 To: MAILSCANNER@JISCMAIL.AC.UK Subject: F-PROT problem? I have RedHat 7.1, Sendmail8.9.3, MailScanner 4.04-1 and f-prot 3.12b. Everything its seems to be working ok, but if I send a message from an external account (hotmail) with a virus attached, I have no warning about an infected message. I tried the EICAR_test file too, but nothing happened, I just get these lines in maillog: Nov 6 17:34:11 ns0 sendmail[5914]: RAA05914: from=< user@hotmail.com >, size=96715, class=0, pri=126715, nrcpts=1, msgid=< OE17Bt3J3JCj2fBUA510000094e@hotmail.com >, proto=ESMTP, relay=oe17.law7.hotmail.com [216.33.236.121] Nov 6 17:34:11 ns0 MailScanner[5190]: New Batch: Found 2 messages waiting Nov 6 17:34:11 ns0 MailScanner[5190]: New Batch: Scanning 1 messages, 97125 bytes Nov 6 17:34:12 ns0 MailScanner[5190]: Virus and Content Scanning: Starting Nov 6 17:34:12 ns0 MailScanner[5190]: Uninfected: Delivered 1 messages Nov 6 17:34:12 ns0 sendmail[5919]: RAA05914: to=< mail_user@minar.com >, delay=00:00:09, xdelay=00:00:00, mailer=local, stat=Sent I tested f-prot manually and it says the infection is there (EICAR_test and an infected file (Magistr). I really apreciate your help to solve this issue. BTW, I got warned about some infected messages, but they are the ones with IFrame tags in it. Thanks in advance (Sorry about my poor English) vgm 
From iah at DMU.AC.UK Thu Nov 7 12:47:19 2002 From: iah at DMU.AC.UK (Andy Humberston) Date: Thu Jan 12 21:16:20 2006 Subject: Help - mqueue.in filling up Message-ID: I just attempted an upgrade on one of my mail gateways from version 3.23-6 to 4.05-3. Things seemed to be working fine for a little while and then mailscanner appeared to stop processing mqueue.in. I reverted back to 3.23-6 but the problem still exists has anybody got any ideas...? Thanks in advance Andy From novirus at CARLO65.DE Thu Nov 7 12:53:48 2002 From: novirus at CARLO65.DE (Roland Ehle) Date: Thu Jan 12 21:16:20 2006 Subject: Hardware Woes In-Reply-To: References: Message-ID: <1036673628.23579.35.camel@linroute> Hi Gavin, On Thu, 2002-11-07 at 00.50, Gavin Nelmes-Crocker wrote: > Roland you are most kind let me know and I will let you have all the details > for collection, I'm sure Julian will also forward you the delivery address. I just called DHL in Germany, to see what they can do. They told me, that I need an international Customer number to have your parcel shipped to Julian. It doesn't make sense for me, to apply for such a number, I never need it. So my suggestion: if you could provide your address details and the amount you need for shipping, I send you an international money order. This seems to be the easiest way. Regards, Roland From novirus at CARLO65.DE Thu Nov 7 12:57:21 2002 
From: novirus at CARLO65.DE (Roland Ehle) Date: Thu Jan 12 21:16:20 2006 Subject: Help - mqueue.in filling up In-Reply-To: References: Message-ID: <1036673841.23579.41.camel@linroute> Hi Andy, On Thu, 2002-11-07 at 13.47, Andy Humberston wrote: > I just attempted an upgrade on one of my mail gateways from > version 3.23-6 to 4.05-3. Things seemed to be working fine for > a little while and then mailscanner appeared to stop processing > mqueue.in. I reverted back to 3.23-6 but the problem still exists > has anybody got any ideas...? did you check your configuration files? Did you check, if MailScanner is running? (ps -ax |grep MailScanner or with version 4.x check_Mailscanner) Regards, Roland From kevin.steil at jmfamily.com Thu Nov 7 13:56:50 2002 
From: kevin.steil at jmfamily.com (Kevin J. Steil) Date: Thu Jan 12 21:16:20 2006 Subject: *.pl Message-ID: <03E83F2E1D95D311870600A02461F55A05963D9A@drfsxchp3.corp.jmfamily.com> I am looking at doing some debugging of MailScanner and SpamAssassin, but I can not find the sendmail.pl or for that matter another .pl(s). I am using the Current Version of MailScanner and SpamAssassin, Can someone please point me in the right direction? Also, it is running on RedHat 7.3 with sendmail. Thank you, Kevin Steil Sr. Enterprise Architect, ITS JM Family Enterprises, Inc. Our Mission: "To Deliver Technology Solutions Through Teamwork That Enhance Business Value Every Day!" -------------------------------------------------- This e-mail transmission contains information intended only for the use of the recipient(s) named above. Further, it contains information that may be privileged and confidential. If you are not the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this message (including any attachments) is strictly prohibited. If you have received this e-mail in error, please notify the sender by reply e-mail and then delete this message from your mail system. Thank you for your compliance. From mailscanner at ecs.soton.ac.uk Thu Nov 7 14:20:31 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:20 2006 Subject: *.pl In-Reply-To: <03E83F2E1D95D311870600A02461F55A05963D9A@drfsxchp3.corp.jmfamily.com> Message-ID: <5.1.0.14.2.20021107141921.05929e18@imap.ecs.soton.ac.uk> If you are running version 3, then they are in /usr/local/MailScanner/bin. If you are running version 4, they don't exist but it is all *.pm files in /usr/lib/MailScanner. You can always find out the files that are contained in a package with a command like this: rpm -ql mailscanner At 13:56 07/11/2002, you wrote: >I am looking at doing some debugging of MailScanner and SpamAssassin, >but I can not find the sendmail.pl or for that matter another .pl(s). >I am using the Current Version of MailScanner and SpamAssassin, Can someone >please point me in the right direction? Also, it is running on RedHat >7.3 with sendmail. > >Thank you, > >Kevin Steil >Sr. Enterprise Architect, ITS >JM Family Enterprises, Inc. > >Our Mission: >"To Deliver Technology Solutions >Through Teamwork >That Enhance Business Value >Every Day!" -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jaearick at COLBY.EDU Thu Nov 7 14:19:12 2002 
From: jaearick at COLBY.EDU (Jeff A. Earickson (by way of Julian Field )) Date: Thu Jan 12 21:16:20 2006 Subject: promote Braid/A to "viruses.to.delete.conf" Message-ID: <5.1.0.14.2.20021107141856.058f0678@imap.ecs.soton.ac.uk> Y'all, I suggest that you add "Braid/A" to your silently-delete list in viruses.to.delete.conf. I got the warning below from my own mailscanner and I don't use a PC for email. I saw someplace the other day that Braid/A uses the same tricks as Klez/H to forge the sender. ----------------------------------- Jeff A. Earickson, Ph.D Senior UNIX Sysadmin and Email Guru Information Technology Services Colby College, 4214 Mayflower Hill, Waterville ME, 04901-8842 phone: 207-872-3659 (fax = 3076) ----------------------------------- ---------- Forwarded message ---------- Return-Path: Received: from emerald.colby.edu (localhost [127.0.0.1]) by emerald.colby.edu (8.12.6/8.12.6/1.13') with ESMTP id gA7827uf022629 for ; Thu, 7 Nov 2002 03:02:07 -0500 (EST) Received: (from root@localhost) by emerald.colby.edu (8.12.6/8.12.5/Submit) id gA7827ZA022628; Thu, 7 Nov 2002 03:02:07 -0500 (EST) Date: Thu, 7 Nov 2002 03:02:07 -0500 (EST) Message-Id: <200211070802.gA7827ZA022628@emerald.colby.edu> 
From: "MailScanner" To: jaearick@colby.edu Subject: Warning: E-mail viruses detected X-MailScanner: ftbc Our virus detector has just been triggered by a message you sent:- To: jaearick@colby.edu Subject: ???? Date: Thu Nov 7 03:02:07 2002 Any infected parts of the message have not been delivered. This message is simply to warn you that your computer system may have a virus present and should be checked. The virus detector said this about the message: Report: >>> Virus 'W32/Braid-A' found in file ./gA7820uf022539/README.EXE -- MailScanner Email Virus Scanner www.mailscanner.info -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From ispmgr at CLAS.NET Thu Nov 7 14:21:16 2002 From: ispmgr at CLAS.NET (Youn Gonzales) Date: Thu Jan 12 21:16:20 2006 Subject: Relay by other network References: <001d01c28608$62b45140$57046898@shunkam.com> Message-ID: <00af01c28668$efe15d00$813112d0@ISPMGR> i believe you need to use mailertable in sendmail. Youn Gonzales System Administrator Comptia A+, Network+, INET+, Cisco CCNA/CCDA Certified Technician Microsoft Certified Professional The basic tool for the manipulation of reality is the manipulation of words. If you can control the meaning of words, you can control the people who must use the words. Philip K. Dick ----- Original Message ----- 
From: fong To: MAILSCANNER@JISCMAIL.AC.UK Sent: Wednesday, November 06, 2002 8:50 PM Subject: Relay by other network Did anyone configure mailscanner+sendmail+sophos? I had tried to use sendmail on redhat 7.3 and only relay on my network, that is ok. After I installed mailscanner and sophos on the same pc, I made the following configuration: Sendmail port no: 8888 Sophos port no: 25 (redirect to sendmail after scanned) So that all mail will be scanned before being sent to sendmail. It also makes relay by other network. How can I control the relay domain? Is it the problem of sophos, sendmail or mailscanner? I hope you understand my bad English. Appreciate any help.... Fong Cheang From Denis.Beauchemin at USHERBROOKE.CA Thu Nov 7 14:35:52 2002 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:16:20 2006 Subject: promote Braid/A to "viruses.to.delete.conf" In-Reply-To: <5.1.0.14.2.20021107141856.058f0678@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20021107141856.058f0678@imap.ecs.soton.ac.uk> Message-ID: <1036679752.8141.4.camel@dbeauchemin.si.usherb.ca> If you use McAfee, use W32/Braid@MM. BTW in the last 2 days we trapped 9 Braid-infected attachments because we don't let .EXE files through. McAfee just issued their DAT file yesterday afternoon and now they flag the files as virus-infected. Had it not been of our .EXE rule we would have let 9 virus-infected files through! Better safe than sorry! Denis On Thu, 2002-11-07 at 09:19, Jeff A. Earickson (by way of Julian Field ) wrote: > Y'all, > > I suggest that you add "Braid/A" to your silently-delete list in > viruses.to.delete.conf. I got the warning below from my own mailscanner > and I don't use a PC for email. I saw someplace the other day that > Braid/A uses the same tricks as Klez/H to forge the sender. > > ----------------------------------- > Jeff A. Earickson, Ph.D > Senior UNIX Sysadmin and Email Guru > Information Technology Services > Colby College, 4214 Mayflower Hill, > Waterville ME, 04901-8842 > phone: 207-872-3659 (fax = 3076) > ----------------------------------- > > ---------- Forwarded message ---------- > Return-Path: > Received: from emerald.colby.edu (localhost [127.0.0.1]) > by emerald.colby.edu (8.12.6/8.12.6/1.13') with ESMTP id > gA7827uf022629 > for ; Thu, 7 Nov 2002 03:02:07 -0500 (EST) > Received: (from root@localhost) > by emerald.colby.edu (8.12.6/8.12.5/Submit) id gA7827ZA022628; > Thu, 7 Nov 2002 03:02:07 -0500 (EST) > Date: Thu, 7 Nov 2002 03:02:07 -0500 (EST) > Message-Id: <200211070802.gA7827ZA022628@emerald.colby.edu> 
> From: "MailScanner" > To: jaearick@colby.edu > Subject: Warning: E-mail viruses detected > X-MailScanner: ftbc > > Our virus detector has just been triggered by a message you sent:- > To: jaearick@colby.edu > Subject: ???? > Date: Thu Nov 7 03:02:07 2002 > Any infected parts of the message have not been delivered. > > This message is simply to warn you that your computer system may have a > virus present and should be checked. > > The virus detector said this about the message: > Report: >>> Virus 'W32/Braid-A' found in file ./gA7820uf022539/README.EXE > > -- > MailScanner > Email Virus Scanner > www.mailscanner.info -- Denis Beauchemin, analyst Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From dustin.baer at IHS.COM Thu Nov 7 14:38:11 2002 From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:16:20 2006 Subject: promote Braid/A to "viruses.to.delete.conf" References: <5.1.0.14.2.20021107141856.058f0678@imap.ecs.soton.ac.uk> <1036679752.8141.4.camel@dbeauchemin.si.usherb.ca> Message-ID: <3DCA7AD3.181C4375@ihs.com> Denis Beauchemin wrote: > > If you use McAfee, use W32/Braid@MM. Just use "Braid" since it looks for anything in the output. Dustin -- Dustin Baer Unix Administrator/Postmaster Information Handling Services 15 Inverness Way East Englewood, CO 80112 303-397-2836 From vguerrero at minar.com Thu Nov 7 14:40:37 2002 From: vguerrero at minar.com (Vicente Guerrero M.) Date: Thu Jan 12 21:16:20 2006 Subject: F-PROT problem? References: <5.1.0.14.2.20021107105839.032b2e80@imap.ecs.soton.ac.uk> Message-ID: <014d01c2866b$a2ebf2f0$620aaa82@ADMINISTRATOR> I've tried the command you told me and it seems to be working ok since I got a summary of files being scanned. I checked the script and it seems to be right too. Some other clue? Thanks ----- Original Message ----- 
From: Julian Field To: MAILSCANNER@JISCMAIL.AC.UK Sent: Thursday, November 07, 2002 5:02 AM Subject: Re: F-PROT problem? Something is going wrong in how MailScanner is calling your copy of F-Prot. If you do these 2 commands, it should output some sort of summary showing how many files it scanned, at the very least. cd /tmp /usr/lib/MailScanner/f-prot-wrapper -old -archive -dumb . (don't forget the dot on the end) If you get some sort of "command not found" error, then you have installed your copy of F-Prot somewhere different than the standard location, and you will need to alter the f-prot-wrapper script so it calls it in the right place. That script is very simple, you'll soon work out what you need to change in it. Let us know how you get on. At 23:56 06/11/2002, you wrote: I have RedHat 7.1, Sendmail8.9.3, MailScanner 4.04-1 and f-prot 3.12b. Everything seems to be working ok, but if I send a message from an external account (hotmail) with a virus attached, I have no warning about an infected message. I tried the EICAR_test file too, but nothing happened, I just get these lines in maillog: Nov 6 17:34:11 ns0 sendmail[5914]: RAA05914: from=, size=96715, class=0, pri=126715, nrcpts=1, msgid=, proto=ESMTP, relay=oe17.law7.hotmail.com [216.33.236.121] Nov 6 17:34:11 ns0 MailScanner[5190]: New Batch: Found 2 messages waiting Nov 6 17:34:11 ns0 MailScanner[5190]: New Batch: Scanning 1 messages, 97125 bytes Nov 6 17:34:12 ns0 MailScanner[5190]: Virus and Content Scanning: Starting Nov 6 17:34:12 ns0 MailScanner[5190]: Uninfected: Delivered 1 messages Nov 6 17:34:12 ns0 sendmail[5919]: RAA05914: to=, delay=00:00:09, xdelay=00:00:00, mailer=local, stat=Sent I tested f-prot manually and it says the infection is there (EICAR_test and an infected file (Magistr)). I really appreciate your help to solve this issue. BTW, I got warned about some infected messages, but they are the ones with IFrame tags in it. 
Thanks in advance (Sorry about my poor English) vgm -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From novirus at CARLO65.DE Thu Nov 7 14:43:27 2002 From: novirus at CARLO65.DE (Roland Ehle) Date: Thu Jan 12 21:16:20 2006 Subject: Help - mqueue.in filling up In-Reply-To: References: Message-ID: <1036680207.23577.51.camel@linroute> Hi Andy, oki. I have reposted this message to the mailing list, because I have no further idea. Just to repeat: messages seem to be delivered, but a copy remains in mqueue.in. Sorry, but I don't know how to help you. Regards, Roland On Thu, 2002-11-07 at 14.11, Andy Humberston wrote: > > Roland > > I have stopped the daemon process, to reduce the > number of mails entering the mqueue.in directory. > But I have left the -q15m one running in order to > process the output from mailscanner. > > Andy > > > -----Original Message----- > > From: Roland Ehle [mailto:novirus@carlo65.de] > > Sent: 07 November 2002 13:10 > > To: Andy Humberston > > Subject: RE: Help - mqueue.in filling up > > > > > > Just one other important thing to remember: you need to have > > 2 sendmail processes, in order to have MailScanner working. > > > > On Thu, 2002-11-07 at 13.58, Andy Humberston wrote: > > > > > > Roland, > > > > > > I checked these and also checked the permissions > > > on the directories, but I am unable to locate the > > > problem. > > > > > > Now entering panic mode :) > > > > > > Andy > > > > > > > -----Original Message----- 
> > > > From: Roland Ehle [mailto:novirus@CARLO65.DE] > > > > Sent: 07 November 2002 12:57 > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > Subject: Re: Help - mqueue.in filling up > > > > > > > > > > > > Hi Andy, > > > > > > > > On Thu, 2002-11-07 at 13.47, Andy Humberston wrote: > > > > > I just attempted an upgrade on one of my mail gateways from > > > > > version > > > > > 3.23-6 to 4.05-3. Things seemed to be working fine for a > > > > little while > > > > > and then mailscanner appeared to stop processing mqueue.in. I > > > > > reverted back to 3.23-6 but the problem still exists has > > > > anybody got > > > > > any ideas...? > > > > > > > > did you check your configuration files? Did you check, if > > > > MailScanner is running? (ps -ax |grep MailScanner or with > > version 4.x > > > > check_Mailscanner) > > > > > > > > Regards, > > > > Roland > > > > > > > > > > > > > > From iah at DMU.AC.UK Thu Nov 7 14:45:14 2002 From: iah at DMU.AC.UK (Andy Humberston) Date: Thu Jan 12 21:16:20 2006 Subject: Help - mqueue.in filling up Message-ID: Thanks to Roland and Youn, I shut down the incoming sendmail process and allowed version 3 of mailscanner to clear the backlog. Everything seems to be operating correctly now. I will reattempt the upgrade later :) Andy > oki. I have reposted this message to the mailing list, > because I have no further idea. Just to repeat: messages seem > to be delivered, but a copy remains in mqueue.in. > From gavin at NETERGY.COM Thu Nov 7 15:00:28 2002 
From: gavin at NETERGY.COM (Gavin Nelmes-Crocker) Date: Thu Jan 12 21:16:20 2006 Subject: Rule set problems Message-ID: okay decided today to play with rule sets. the domain one went fine only scanning the domains I allow but when I come to do the outgoing mail signing I run into problems I have my rules files -rw-r--r-- 1 root root 82 Nov 7 14:39 sig.html.rules -rw-r--r-- 1 root root 81 Nov 7 14:39 sig.text.rules and in my conf file I have Inline HTML Signature = /etc/MailScanner/reports/en/inline.sig.html Inline Text Signature = /etc/MailScanner/rules/sig.txt.rules I had a problem with html so I thought I would only test txt but I get this error in the maillog Nov 7 14:52:45 nvsd MailScanner[16564]: MailScanner E-Mail Virus Scanner version 4.05-3 starting... Nov 7 14:52:45 nvsd MailScanner[16564]: Cannot open ruleset file /etc/MailScanner/rules/sig.txt.rules, No such file or directory Nov 7 14:52:54 nvsd MailScanner[16568]: MailScanner am I missing something stupid here? Gavin From dustin.baer at IHS.COM Thu Nov 7 15:04:11 2002 From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:16:20 2006 Subject: Rule set problems References: Message-ID: <3DCA80EB.428743DA@ihs.com> Gavin Nelmes-Crocker wrote: > > okay decided today to play with rule sets. > > the domain one went fine only scanning the domains I allow > > but when I come to do the outgoing mail signing I run into problems > > I have my rules files > > -rw-r--r-- 1 root root 81 Nov 7 14:39 sig.text.rules > > and in my conf file I have > > Inline Text Signature = /etc/MailScanner/rules/sig.txt.rules sig.text.rules != sig.txt.rules Dustin -- Dustin Baer Unix Administrator/Postmaster Information Handling Services 15 Inverness Way East Englewood, CO 80112 303-397-2836 From gavin at NETERGY.COM Thu Nov 7 15:14:06 2002 
From: gavin at NETERGY.COM (Gavin Nelmes-Crocker) Date: Thu Jan 12 21:16:20 2006 Subject: Rule set problems In-Reply-To: <3DCA80EB.428743DA@ihs.com> Message-ID: thanks for that Dustin - I just couldn't see it - now that works but I get a problem with the html one (and I have checked the filenames on this one) Nov 7 15:09:00 nvsd MailScanner[17700]: Syntax error in line 1 of ruleset file /etc/MailScanner/rules/sig.html.rules for keyword inlinehtmlsig this is the rule file From: *@choclatier.co.uk /etc/MailScanner/reports/en/choclatier.html.txt which I copied from the example - by the looks of the error it looks as though its looking for inlinehtmlsig somewhere on that line any ideas? Gavin > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Dustin Baer > Sent: 07 November 2002 15:04 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Rule set problems > > > Gavin Nelmes-Crocker wrote: > > > > okay decided today to play with rule sets. > > > > the domain one went fine only scanning the domains I allow > > > > but when I come to do the outgoing mail signing I run into problems > > > > I have my rules files > > > > -rw-r--r-- 1 root root 81 Nov 7 14:39 sig.text.rules > > > > and in my conf file I have > > > > Inline Text Signature = /etc/MailScanner/rules/sig.txt.rules > > > sig.text.rules != sig.txt.rules > > Dustin > > -- > Dustin Baer > Unix Administrator/Postmaster > Information Handling Services > 15 Inverness Way East > Englewood, CO 80112 > 303-397-2836 > From andy.wright at BARDSEY.DEMON.CO.UK Thu Nov 7 15:15:00 2002 From: andy.wright at BARDSEY.DEMON.CO.UK (Andy Wright) Date: Thu Jan 12 21:16:20 2006 Subject: Hardware Woes References: <1036673628.23579.35.camel@linroute> Message-ID: <002401c28670$c5f14de0$70f286d9@vaio> I have a UK account with Amtrak - I'd be happy to arrange shipping to/from UK addresses. Andy. ----- Original Message ----- 
From: "Roland Ehle" To: Sent: Thursday, November 07, 2002 12:53 PM Subject: Re: Hardware Woes > Hi Gavin, > > On Thu, 2002-11-07 at 00.50, Gavin Nelmes-Crocker wrote: > > Roland you are most kind let me know and I will let you have all the details > > for collection, I'm sure Julian will also forward you the delivery address. > > I just called DHL in Germany, to see what they can do. They told me, > that I need an international Customer number to have your parcel shipped > to Julian. It doesn't make sense for me, to apply for such a number, I > never need it. So my suggestion: if you could provide your address > details and the amount you need for shipping, I send you an > international money order. This seems to be the easiest way. > > Regards, > Roland From kevin.steil at jmfamily.com Thu Nov 7 16:03:49 2002 From: kevin.steil at jmfamily.com (Kevin J. Steil) Date: Thu Jan 12 21:16:20 2006 Subject: *.pl In-Reply-To: <03E83F2E1D95D311870600A02461F55A05DB7755@drfsxchp3.corp.jmfamily.com> Message-ID: <03E83F2E1D95D311870600A02461F55A05963D9D@drfsxchp3.corp.jmfamily.com> I don't seem to have the sendmail.pl.. the only .pl is the configdefs.pl.....help...I need to debug SpamAssassin and MailScanner Thank you, Kevin Steil Sr. Enterprise Architect, ITS JM Family Enterprises, Inc. Our Mission: "To Deliver Technology Solutions Through Teamwork That Enhance Business Value Every Day!" -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] Sent: Thursday, November 07, 2002 9:21 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: *.pl If you are running version 3, then they are in /usr/local/MailScanner/bin. If you are running version 4, they don't exist but it is all *.pm files in /usr/lib/MailScanner. You can always find out the files that are contained in a package with a command like this: rpm -ql mailscanner At 13:56 07/11/2002, you wrote: >I am looking at doing some debugging of MailScanner and SpamAssassin, >but I can not find the sendmail.pl or for that matter another .pl(s). >I am using the Current Version of MailScanner and SpamAssassin, Can someone >please point me in the right direction? Also, it is running on RedHat >7.3 with sendmail. > >Thank you, > >Kevin Steil >Sr. Enterprise Architect, ITS >JM Family Enterprises, Inc. > >Our Mission: >"To Deliver Technology Solutions >Through Teamwork >That Enhance Business Value >Every Day!" -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ
From mailscanner at ecs.soton.ac.uk Thu Nov 7 16:46:59 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:20 2006 Subject: Rule set problems In-Reply-To: References: <3DCA80EB.428743DA@ihs.com> Message-ID: <5.1.0.14.2.20021107164635.04a4c148@imap.ecs.soton.ac.uk> At 15:14 07/11/2002, you wrote: >thanks for that Dustin - I just couldn't see it - now that works but I get a >problem with the html one (and I have checked the filenames on this one) > >Nov 7 15:09:00 nvsd MailScanner[17700]: Syntax error in line 1 of ruleset >file /etc/MailScanner/rules/sig.html.rules for keyword inlinehtmlsig > >this is the rule file > >From: *@choclatier.co.uk >/etc/MailScanner/reports/en/choclatier.html.txt Are you sure it hasn't really word-wrapped that onto 2 lines? >which I copied from the example - by the looks of the error it looks as >though its looking for inlinehtmlsig somewhere on that line > >any ideas? > >Gavin > > > -----Original Message----- 
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Dustin Baer > > Sent: 07 November 2002 15:04 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Rule set problems > > > > > > Gavin Nelmes-Crocker wrote: > > > > > > okay decided today to play with rule sets. > > > > > > the domain one went fine only scanning the domains I allow > > > > > > but when I come to do the outgoing mail signing I run into problems > > > > > > I have my rules files > > > > > > -rw-r--r-- 1 root root 81 Nov 7 14:39 sig.text.rules > > > > > > and in my conf file I have > > > > > > Inline Text Signature = /etc/MailScanner/rules/sig.txt.rules > > > > > > sig.text.rules != sig.txt.rules > > > > Dustin > > > > -- > > Dustin Baer > > Unix Administrator/Postmaster > > Information Handling Services > > 15 Inverness Way East > > Englewood, CO 80112 > > 303-397-2836 > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From gavin at NETERGY.COM Thu Nov 7 16:53:16 2002 From: gavin at NETERGY.COM (Gavin Nelmes-Crocker) Date: Thu Jan 12 21:16:20 2006 Subject: Rule set problems In-Reply-To: <5.1.0.14.2.20021107164635.04a4c148@imap.ecs.soton.ac.uk> Message-ID: > >Nov 7 15:09:00 nvsd MailScanner[17700]: Syntax error in line 1 > of ruleset > >file /etc/MailScanner/rules/sig.html.rules for keyword inlinehtmlsig > > > >this is the rule file > > > >From: *@choclatier.co.uk > >/etc/MailScanner/reports/en/choclatier.html.txt > > Are you sure it hasn't really word-wrapped that onto 2 lines? > > no in the file it is on one line - just Outlook munging the mails Gavin From mailscanner at ecs.soton.ac.uk Thu Nov 7 16:53:13 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:20 2006 Subject: Rule set problems In-Reply-To: References: <5.1.0.14.2.20021107164635.04a4c148@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20021107165210.049758f8@imap.ecs.soton.ac.uk> At 16:53 07/11/2002, you wrote: > > >Nov 7 15:09:00 nvsd MailScanner[17700]: Syntax error in line 1 > > of ruleset > > >file /etc/MailScanner/rules/sig.html.rules for keyword inlinehtmlsig > > > > > >this is the rule file > > > > > >From: *@choclatier.co.uk > > >/etc/MailScanner/reports/en/choclatier.html.txt > > > > Are you sure it hasn't really word-wrapped that onto 2 lines? >no in the file it is on one line - just Outlook munging the mails Does the file /etc/MailScanner/reports/en/choclatier.html.txt exist? Other than that, I can't really see what it is complaining about. Add a blank line after that line, just in case the line is actually incomplete. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From t.d.lee at DURHAM.AC.UK Thu Nov 7 17:18:10 2002 
From: t.d.lee at DURHAM.AC.UK (David Lee) Date: Thu Jan 12 21:16:20 2006 Subject: MS4.x config/runtime issues Message-ID: We have been using MailScanner v3.x on Solaris for a long time. In the last couple of weeks I have begun installing a test v4.x. See, for example, yesterday's discussion about "iframe dilemma", following which I am now trying Julian's latest pre-release 4.x (although none of the issues below relate to this "pre-release": I had already uncovered them all a week or so ago under 4.04-1). What follows are issues that 4.x/Solaris/our-site has exposed, and I am wondering what is the most appropriate way forward. 1. bin/MailScanner/Log.pm : MS gave a message: Your vendor has not defined the Sys::Syslog macro _PATH_LOG at [...] By commenting out the line: eval { Sys::Syslog::setlogsock('unix'); }; # Doesn't need syslogd -r this then worked, apparently with no ill effect. Seems to be sort of Perl/Solaris interaction (Perl 5.6.0; Solaris 8). Does the MS code need to be more tolerant, and/or autoconf'd? 2. lib/mcafee-wrapper: has pathname "/usr/local/uvscan/uvscan" hardcoded. At our site the pathname is different. OK, I can tweak things to make it work. But in v3 this had been configurable in etc/mailscanner.conf and v4.x seems to have gone backwards: no longer configurable. (Or is it your intention that this should ultimately be a site-driven autoconf thing. In which case, can I urge you to begin to include the "configure" and autoconf stuff please!) 3. With v3, I had had the default (and sensible!): Outgoing Queue Dir = /var/spool/mqueue To ensure co-residency on the same physical partition of the other directories, they had been subdirectories of this: Incoming Queue Dir = /var/spool/mqueue/mq.in Incoming Work Dir = /var/spool/mqueue/incoming Quarantine Dir = /var/spool/mqueue/quarantine Solid and safe. Further, the standard "/var/spool/mqueue" (i.e. 
"Outgoing Queue Dir") was also a separate partition for ease of system maintenance (including possible OS replacement). So it also contained a "lost+found". But under v4 this gives errors: Queue directory /var/spool/mqueue cannot contain sub-directories, currently contains dir lost+found at /opt/MailScanner/bin/MailScanner/Sendmail.pm line 839 (Presumably each of the other directories could also have given an analogous message, had it got that far.) Is there any reason why v4.x forbids such subdirectory use? (Note that the apparently simple solution of making the partition "/var/spool" instead of "/var/spool/mqueue" makes OS replacement potentially more tricky, as "/var/spool" contains "system" things other than mqueue.) Does MailScanner really require this restriction? Can it be removed? If this is necessary, "bin/MailScanner/Sendmail.pm" would then require changing so that "sub KickMessage {}" could pass an argument "-oQ" as it invokes sendmail. What is the best way for us (our site, and Julian as MS author) to proceed on these issues? By the way, Julian, did you get those autoconf-isms I sent you from the MS 4 you had privately sent me a couple of weeks ago? Hope this helps make MS even better! -- : David Lee I.T. Service : : Systems Programmer Computer Centre : : University of Durham : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham : : Phone: +44 191 374 2882 U.K. : From gavin at NETERGY.COM Thu Nov 7 17:29:28 2002 From: gavin at NETERGY.COM (Gavin Nelmes-Crocker) Date: Thu Jan 12 21:16:20 2006 Subject: Rule set problems In-Reply-To: <5.1.0.14.2.20021107165210.049758f8@imap.ecs.soton.ac.uk> Message-ID: > At 16:53 07/11/2002, you wrote: > > > >Nov 7 15:09:00 nvsd MailScanner[17700]: Syntax error in line 1 > > > of ruleset > > > >file /etc/MailScanner/rules/sig.html.rules for keyword inlinehtmlsig > > > > > > > >this is the rule file 
> > > > > > > >From: *@choclatier.co.uk > > > >/etc/MailScanner/reports/en/choclatier.html.txt > > > > > > Are you sure it hasn't really word-wrapped that onto 2 lines? > >no in the file it is on one line - just Outlook munging the mails > > Does the file /etc/MailScanner/reports/en/choclatier.html.txt exist? > Other than that, I can't really see what it is complaining about. > Add a blank line after that line, just in case the line is > actually incomplete. thank you I think I need to go to bed and start the day again tomorrow the file is in fact choclatier.sig.html humble apologies it now appears to be happy and working again Gavin From lele at PROFIM.FLORIDA.IT Thu Nov 7 17:40:46 2002 From: lele at PROFIM.FLORIDA.IT (Emanuele Salvador) Date: Thu Jan 12 21:16:20 2006 Subject: Stuffit files (Macintosh specific) Message-ID: <0C0F25DF-F278-11D6-90AF-003065B74B5E@profim.florida.it> Is there a way to make unpack and process .sit (StuffIt files), very common in macintosh world? I compressed eicar.com and it flew freely thru MailScanner nets. Regards, Emanuele Salvador A carrot is as close as a rabbit gets to a diamond. - Don Van Vliet - From mailscanner at ecs.soton.ac.uk Thu Nov 7 19:04:56 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:20 2006
Subject: MS4.x config/runtime issues
In-Reply-To:
Message-ID: <5.1.0.14.2.20021107182018.031e7ec0@imap.ecs.soton.ac.uk>

At 17:18 07/11/2002, you wrote:
>1. bin/MailScanner/Log.pm : MS gave a message:
>      Your vendor has not defined the Sys::Syslog macro _PATH_LOG at [...]
>   By commenting out the line:
>      eval { Sys::Syslog::setlogsock('unix'); }; # Doesn't need syslogd -r
>   this then worked, apparently with no ill effect.
>   Seems to be sort of Perl/Solaris interaction (Perl 5.6.0; Solaris 8).
>   Does the MS code need to be more tolerant, and/or autoconf'd?

The failure message doesn't actually cause any harm. Basically it tries to
use a domain socket instead of a UDP socket, so you don't have to open up
your syslogd to accept UDP logging requests from other machines (which
might be used as a DoS attack on your server by forcing gigabytes of
syslog traffic).

Please can you try the attached patch to Log.pm to see if it removes the
error message on your system.

>2. lib/mcafee-wrapper: has pathname "/usr/local/uvscan/uvscan" hardcoded.
>   At our site the pathname is different. OK, I can tweak things to make
>   it work. But in v3 this had been configurable in etc/mailscanner.conf
>   and v4.x seems to have gone backwards: no longer configurable.

You just edit the wrapper. The setting in mailscanner.conf in V3 set the
location of the wrapper, not the location of uvscan itself. So this isn't
actually any different. If you moved uvscan to somewhere else, you would
have edited the wrapper to point to the correct location. In V4 you can
find the wrapper script more easily as they are all in the same place.

>   (Or is it your intention that this should ultimately be a site-driven
>   autoconf thing. In which case, can I urge you to begin to include
>   the "configure" and autoconf stuff please!)

All the autoconf stuff is still in development. Sorry I haven't got this
out the door yet.

>3. With v3, I had had the default (and sensible!):
>      Outgoing Queue Dir = /var/spool/mqueue
>
>   To ensure co-residency on the same physical partition of the other
>   directories, they had been subdirectories of this:
>      Incoming Queue Dir = /var/spool/mqueue/mq.in
>      Incoming Work Dir = /var/spool/mqueue/incoming
>      Quarantine Dir = /var/spool/mqueue/quarantine
>   Solid and safe.

Interesting setup, hadn't occurred to me that people might do that.

>   Further, the standard "/var/spool/mqueue" (i.e. "Outgoing Queue Dir")
>   was also a separate partition for ease of system maintenance (including
>   possible OS replacement). So it also contained a "lost+found".
>
>   But under v4 this gives errors:
>      Queue directory /var/spool/mqueue cannot contain sub-directories,
>      currently contains dir lost+found at
>      /opt/MailScanner/bin/MailScanner/Sendmail.pm line 839
>
>   (Presumably each of the other directories could also have given an
>   analogous message, had it got that far.)
>
>   Is there any reason why v4.x forbids such subdirectory use?
>   (Note that the apparently simple solution of making the partition
>   "/var/spool" instead of "/var/spool/mqueue" makes OS replacement
>   potentially more tricky, as "/var/spool" contains "system" things other
>   than mqueue.
>
>   Does MailScanner really require this restriction? Can it be removed?

I thought it was a good idea at the time, but setups such as yours hadn't
occurred to me. On reflection it may be better to remove the check. I will
still look for a q1 or qf directory though, in an attempt to find split
queue directories which sendmail will use if it finds them.

So you can get it going now, the minimal patch to Sendmail.pm is attached
to this message. There is actually just 1 extra line of code.

>By the way, Julian, did you get those autoconf-isms I sent you from the
>MS 4 you had privately sent me a couple of weeks ago?

Yes thanks. Just need to find time to do some more work on autoconf.

>Hope this helps make MS even better!

I hope my responses above answer most of the issues you have raised. All
constructive comments are always appreciated :-)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Sendmail.pm.patch
Type: application/octet-stream
Size: 778 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021107/c8ead941/Sendmail.pm.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Log.pm.patch
Type: application/octet-stream
Size: 604 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021107/c8ead941/Log.pm.obj
-------------- next part --------------
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From Denis.Beauchemin at USHERBROOKE.CA Thu Nov 7 19:18:29 2002
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:16:20 2006
Subject: Stuffit files (Macintosh specific)
In-Reply-To: <0C0F25DF-F278-11D6-90AF-003065B74B5E@profim.florida.it>
References: <0C0F25DF-F278-11D6-90AF-003065B74B5E@profim.florida.it>
Message-ID: <1036696709.8142.28.camel@dbeauchemin.si.usherb.ca>

On Thu, 2002-11-07 at 12:40, Emanuele Salvador wrote:
> Is there a way to make unpack and process .sit (StuffIt files), very
> common in macintosh world?
> I compressed eicar.com and it flew freely thru MailScanner nets.

I don't know of any virus that compresses its infected file before
sending it to someone else. If that were to happen we would have to
rethink our strategy that encourages people to use zip files to send
.exe and other file types that we quarantine on our gateway.

Denis
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From mailscanner at ecs.soton.ac.uk Thu Nov 7 19:13:21 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:20 2006
Subject: Stuffit files (Macintosh specific)
In-Reply-To: <0C0F25DF-F278-11D6-90AF-003065B74B5E@profim.florida.it>
Message-ID: <5.1.0.14.2.20021107191228.03235018@imap.ecs.soton.ac.uk>

At 17:40 07/11/2002, you wrote:
>Is there a way to make unpack and process .sit (StuffIt files), very
>common in macintosh world?
>I compressed eicar.com and it flew freely thru MailScanner nets.

It's down to the virus scanners to scan inside archives. I suggest you ask
the virus scanner vendor(s) if they can search inside Stuffit files,
ideally they should do it.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Thu Nov 7 19:23:36 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:20 2006
Subject: Stuffit files (Macintosh specific)
In-Reply-To: <1036696709.8142.28.camel@dbeauchemin.si.usherb.ca>
References: <0C0F25DF-F278-11D6-90AF-003065B74B5E@profim.florida.it>
 <0C0F25DF-F278-11D6-90AF-003065B74B5E@profim.florida.it>
Message-ID: <5.1.0.14.2.20021107192053.023925b8@imap.ecs.soton.ac.uk>

At 19:18 07/11/2002, you wrote:
>I don't know of any virus that compresses its infected file before
>sending it to someone else.

If it did, it wouldn't be very "successful" as it would require a whole
series of actions by the user, not just a single click. The really dumb
users, who are most susceptible to the Social Engineering attack
mechanisms used by current viruses, wouldn't even know what to do with a
zip file anyway.

The time you do need to be able to scan inside compressed archives is for
finding macro viruses.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From scouty at BROMBERG.DEMON.NL Thu Nov 7 20:04:03 2002
From: scouty at BROMBERG.DEMON.NL (Matthijs Althoff)
Date: Thu Jan 12 21:16:20 2006
Subject: Redhat 8.0 / command: service MailScanner status
Message-ID: <200211072004.gA7K43X23101@ori.rl.ac.uk>

On Wed, 6 Nov 2002 09:50:42 +0100, Florus Both wrote:

>Hi, do a
>
>Chkconfig sendmail off
>And try again, I guess sendmail was already running before you started
>mailscanner (this happens automagically after an install)

Not working, still having a failure on sendmail outgoing. When I
did a reboot I noticed an error "/etc/rc6.d/K30MailScanner" and
at some times the error "We haven't got any child processes,
which isn't right!, No child processes at /usr/sbin/MailScanner
line 191. We have just tried to reap a process which wasn't one
of ours!, No child processes at /usr/sbin/MailScanner line 194."

From mailscanner at ecs.soton.ac.uk Thu Nov 7 20:09:22 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:20 2006
Subject: Redhat 8.0 / command: service MailScanner status
In-Reply-To: <200211072004.gA7K43X23101@ori.rl.ac.uk>
Message-ID: <5.1.0.14.2.20021107200828.031e4560@imap.ecs.soton.ac.uk>

At 20:04 07/11/2002, you wrote:
>On Wed, 6 Nov 2002 09:50:42 +0100, Florus Both wrote:
>
> >Hi, do a
> >
> >Chkconfig sendmail off
> >And try again, I guess sendmail was already running before you started
> >mailscanner (this happens automagically after an install)
>
>Not working still having a failure on sendmail outgoing. When I
>did a reboot I noticed a error "/etc/rc6.d/K30MailScanner" and
>at some times the error "We haven't got any child processes,
>which isn't right!, No child processes at /usr/sbin/MailScanner
>line 191. We have just tried to reap a process which wasn't one
>of ours!, No child processes at /usr/sbin/MailScanner line 194."

Check your maillog to see if MailScanner output something useful in there.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From vanhorn at whidbey.com Thu Nov 7 20:46:46 2002
From: vanhorn at whidbey.com (G. Armour Van Horn)
Date: Thu Jan 12 21:16:20 2006
Subject: Upgrade problems to 4.05
References: <0b0c01c27118$eda6f190$1c0a0a0a@pugmarks34team>
 <5.1.0.14.2.20021011135424.04352c00@imap.ecs.soton.ac.uk>
 <5.1.0.14.2.20021106193025.02370e20@imap.ecs.soton.ac.uk>
Message-ID: <3DCAD136.E8D3D025@whidbey.com>

Julian Field wrote:

> At 19:25 06/11/2002, you wrote:
>
>> Also, I have noticed a major difference in the messages I get when a
>> virus is found. When I was running 3.23 I got the headers of the
>> offending message, now I get a short summary. Is this a change from
>> MailScanner 3 to 4, or a change from Kaspersky to f-prot which I
>> made at the same time for economic reasons?
>
> This is a configuration option, called something containing "Full
> Headers" if I remember rightly.

Indeed, at line 359 in my MailScanner.conf:

Notices Include Full Headers = yes

I built and supervise five firewalls for my largest client, and I keep a
crib-sheet of those addresses close at hand. With Full Headers I was able
to quickly note when the first address in a blocked message was one of
those five, and catch our own problems quickly. After restoring this
setting yesterday I was able to identify the largest single source of
virus messages in the last month, and it turned out to be the general
manager of the company! Fortunately, she's out of town today and I've
arranged for her ethernet to be unplugged. I'll quietly run FixKlez.com on
her machine this afternoon.

I just wish I'd raised this question sooner.

Van

--
----------------------------------------------------------
Sign up now for Quotes of the Day, a handful of quotations
on a theme delivered every morning.
Enlightenment! Daily, for free!
mailto:twisted@whidbey.com?subject=Subscribe_QOTD

For web hosting and maintenance,
visit Van's home page: http://www.domainvanhorn.com/van/
----------------------------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021107/323c77f0/attachment.html

From mailscanner at ecs.soton.ac.uk Thu Nov 7 20:25:01 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:20 2006
Subject: Redhat 8.0 / command: service MailScanner status
In-Reply-To: <5.1.0.14.2.20021107200828.031e4560@imap.ecs.soton.ac.uk>
References: <200211072004.gA7K43X23101@ori.rl.ac.uk>
Message-ID: <5.1.0.14.2.20021107202409.024a7ea8@imap.ecs.soton.ac.uk>

At 20:09 07/11/2002, you wrote:
>At 20:04 07/11/2002, you wrote:
>>On Wed, 6 Nov 2002 09:50:42 +0100, Florus Both wrote:
>>
>> >Hi, do a
>> >
>> >Chkconfig sendmail off
>> >And try again, I guess sendmail was already running before you started
>> >mailscanner (this happens automagically after an install)
>>
>>Not working still having a failure on sendmail outgoing. When I
>>did a reboot I noticed a error "/etc/rc6.d/K30MailScanner" and
>>at some times the error "We haven't got any child processes,
>>which isn't right!, No child processes at /usr/sbin/MailScanner
>>line 191. We have just tried to reap a process which wasn't one
>>of ours!, No child processes at /usr/sbin/MailScanner line 194."

I have modified the code to remove these errors, they aren't anywhere near
as serious as they sound :-)
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From scouty at BROMBERG.DEMON.NL Thu Nov 7 21:07:52 2002
From: scouty at BROMBERG.DEMON.NL (Matthijs Althoff)
Date: Thu Jan 12 21:16:20 2006
Subject: Redhat 8.0 / command: service MailScanner status
Message-ID: <200211072107.gA7L7qX29078@ori.rl.ac.uk>

On Thu, 7 Nov 2002 20:09:22 +0000, Julian Field wrote:

>>Not working still having a failure on sendmail outgoing. When I
>>did a reboot I noticed a error "/etc/rc6.d/K30MailScanner" and
>>at some times the error "We haven't got any child processes,
>>which isn't right!, No child processes at /usr/sbin/MailScanner
>>line 191. We have just tried to reap a process which wasn't one
>>of ours!, No child processes at /usr/sbin/MailScanner line 194."

>Check your maillog to see if MailScanner output something useful in there.

from /var/log/messages

# service sendmail stop
Nov 7 21:52:41 bromberg2 sendmail: sendmail shutdown succeeded

# service MailScanner stop
Nov 7 21:52:53 bromberg2 MailScanner: MailScanner shutdown succeeded
Nov 7 21:52:53 bromberg2 MailScanner: sendmail shutdown succeeded
Nov 7 21:52:53 bromberg2 MailScanner: sendmail shutdown failed

# service MailScanner start
Nov 7 21:53:25 bromberg2 MailScanner: succeeded

After a clean boot from /var/log/maillog, MailScanner output
5 times this for each process started from mailscanner.conf (?)

bromberg2 sendmail[516]: alias database /etc/aliases rebuilt by root
bromberg2 sendmail[516]: /etc/aliases: 62 aliases, longest 10 bytes, 599 bytes total
bromberg2 sendmail[525]: starting daemon (8.12.5): SMTP
bromberg2 sendmail[530]: starting daemon (8.12.5): queueing@00:15:00
bromberg2 MailScanner[546]: MailScanner
bromberg2 MailScanner[546]: MailScanner E-Mail Virus Scanner version 4.05-3 starting...
bromberg2 MailScanner[546]: Using locktype = flock

None of the above service commands produces logs
in maillog, even the reap errors etc are not logged just
sent to console.. I'm a bit lost is it my sendmail or
mailscanner messing up? Is there anyone on the list who
had a successful redhat 8.0 and latest MailScanner
combination running?

From scouty at BROMBERG.DEMON.NL Thu Nov 7 21:14:45 2002
From: scouty at BROMBERG.DEMON.NL (Matthijs Althoff)
Date: Thu Jan 12 21:16:20 2006
Subject: mailscanner.conf.rpmnew
Message-ID: <200211072114.gA7LEkX29611@ori.rl.ac.uk>

On Wed, 6 Nov 2002 19:33:02 -0000, Brian Chivers wrote:

> I've just upgraded from 3.13 to 3.25-1 via the RPM and
> everything seems to be ok except !!! When I look in the
> etc directory in Mailscanner directory I see a new file
> called mailscanner.conf.rpmnew

> Should I merge the old setting from my existing conf file
> into the rpmnew file then rename this to mailscanner.conf ??

Yes

It might contain some new options put in by Julian.
Edit the mailscanner.conf.rpmnew this is the new configuration
file, then delete the mailscanner.conf and rename the rpmnew
to mailscanner.conf and issue the command
"/etc/rc.d/init.d/mailscanner restart"

From mailscanner at ecs.soton.ac.uk Thu Nov 7 21:17:59 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:20 2006
Subject: Redhat 8.0 / command: service MailScanner status
In-Reply-To: <200211072107.gA7L7qX29078@ori.rl.ac.uk>
Message-ID: <5.1.0.14.2.20021107210902.03241c70@imap.ecs.soton.ac.uk>

At 21:07 07/11/2002, you wrote:
>On Thu, 7 Nov 2002 20:09:22 +0000, Julian Field wrote:
>
> >>Not working still having a failure on sendmail outgoing. When I
> >>did a reboot I noticed a error "/etc/rc6.d/K30MailScanner" and
> >>at some times the error "We haven't got any child processes,
> >>which isn't right!, No child processes at /usr/sbin/MailScanner
> >>line 191. We have just tried to reap a process which wasn't one
> >>of ours!, No child processes at /usr/sbin/MailScanner line 194."
>
> >Check your maillog to see if MailScanner output something useful in there.
>
>from /var/log/messages
>
># service sendmail stop
>Nov 7 21:52:41 bromberg2 sendmail: sendmail shutdown succeeded

That stopped the sendmail process which your next command also tried to
stop, so there's little wonder why it complained.
Once using MailScanner, don't start up or shut down sendmail using the
sendmail init script. MailScanner handles all that for you.

># service MailScanner stop
>Nov 7 21:52:53 bromberg2 MailScanner: MailScanner shutdown succeeded
>Nov 7 21:52:53 bromberg2 MailScanner: sendmail shutdown succeeded
>Nov 7 21:52:53 bromberg2 MailScanner: sendmail shutdown failed
>
># service MailScanner start
>Nov 7 21:53:25 bromberg2 MailScanner: succeeded
>
>After a clean boot from /var/log/maillog, MailScanner output
>5 times this for each process started from mailscanner.conf (?)

This is because you have "Max Children = 5" in your /etc/MailScanner.conf
file, and the log entries are produced as each of the 5 parallel processes
start.

>bromberg2 sendmail[516]: alias database /etc/aliases rebuilt by root
>bromberg2 sendmail[516]: /etc/aliases: 62 aliases, longest 10 bytes,
> 599 bytes total
>bromberg2 sendmail[525]: starting daemon (8.12.5): SMTP
>bromberg2 sendmail[530]: starting daemon (8.12.5): queueing@00:15:00
>bromberg2 MailScanner[546]: MailScanner
>bromberg2 MailScanner[546]: MailScanner E-Mail Virus Scanner
> version 4.05-3 starting...
>bromberg2 MailScanner[546]: Using locktype = flock
>
>None of the above service commands produces logs
>in maillog, even the reap errors etc are not logged just
>send to console..

The reap errors should stop in the next release. It is just down to the
exact order in which the "stop" actually kills off the processes.

> I'm a bit lost is it my sendmail or
>mailscanner messing up?

Neither. I hope I have explained it well enough for you to understand.

> Is there anyone on the list who
>had a successful redhat 8.0 and latest MailScanner
>combination running?

Yes, lots of sites are happily running RH8 and MS4. Including me of course :-)
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From novirus at CARLO65.DE Thu Nov 7 21:35:35 2002
From: novirus at CARLO65.DE (Roland Ehle)
Date: Thu Jan 12 21:16:20 2006
Subject: Virus
Message-ID: <1036704935.23578.76.camel@linroute>

Hi,

this is probably a strange question in your eyes, but I would like to
have a virus or better a virus infected mail, to check different
scanners. Unfortunately the only thing I find is the EICAR test virus,
but that's not enough.

Anybody a hint?

Regards,
Roland

From raymond at PROLOCATION.NET Thu Nov 7 21:36:39 2002
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:16:20 2006
Subject: Virus
In-Reply-To: <1036704935.23578.76.camel@linroute>
Message-ID:

Hi!

> this is probably a strange question in your eyes, but I would like to
> have a virus or better a virus infected mail, to check different
> scanners. Unfortunately the only thing I find is the EICAR test virus,
> but thats not enough.

Give me an address and I'll send you a nice .zip to test your scanner setup
with.

Bye,
Raymond.

From novirus at CARLO65.DE Thu Nov 7 21:39:19 2002
From: novirus at CARLO65.DE (Roland Ehle)
Date: Thu Jan 12 21:16:20 2006
Subject: Virus
In-Reply-To:
References:
Message-ID: <1036705159.23579.78.camel@linroute>

Hi Raymond,

thanks very much. Please use roland@inbox4u.de.

Roland

On Thu, 2002-11-07 at 22:36, Raymond Dijkxhoorn wrote:
> Hi!
>
> > this is probably a strange question in your eyes, but I would like to
> > have a virus or better a virus infected mail, to check different
> > scanners. Unfortunately the only thing I find is the EICAR test virus,
> > but thats not enough.
>
> Give me a address and i'll send you a nice .zip to test your scanner setup
> with.
>
> Bye,
> Raymond.
>
>

From vguerrero at minar.com Thu Nov 7 22:10:50 2002
From: vguerrero at minar.com (Vicente Guerrero M.)
Date: Thu Jan 12 21:16:21 2006
Subject: F-PROT problem?
References: <5.1.0.14.2.20021107105839.032b2e80@imap.ecs.soton.ac.uk>
 <014d01c2866b$a2ebf2f0$620aaa82@ADMINISTRATOR>
Message-ID: <036301c286aa$88441240$620aaa82@ADMINISTRATOR>

Hi all, I just wanted to tell you I finally solved the problem with
f-prot. I'm happy right now, and I'm getting ready to check some other
features in MailScanner.

Thanks to Julian and the people that helped me to solve the "f-prot
mystery" :)

vgm

----- Original Message -----
From: Vicente Guerrero M.
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: Thursday, November 07, 2002 8:40 AM
Subject: Re: F-PROT problem?

I've tried the command you told me and it seems to be working ok since I
got a summary of files being scanned. I checked the script and it seems to
be right too. Some other clue?

Thanks

----- Original Message -----
From: Julian Field
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: Thursday, November 07, 2002 5:02 AM
Subject: Re: F-PROT problem?

Something is going wrong in how MailScanner is calling your copy of F-Prot.
If you do these 2 commands, it should output some sort of summary showing
how many files it scanned, at the very least.

        cd /tmp
        /usr/lib/MailScaner/f-prot-wrapper -old -archive -dumb .

(don't forget the dot on the end)

If you get some sort of "command not found" error, then you have installed
your copy of F-Prot somewhere different than the standard location, and
you will need to alter the f-prot-wrapper script so it calls it in the
right place. That script is very simple, you'll soon work out what you
need to change in it.

Let us know how you get on.

At 23:56 06/11/2002, you wrote:

I have RedHat 7.1, Sendmail8.9.3, MailScanner 4.04-1 and f-prot 3.12b.

Everything seems to be working ok, but if I send a message from an
external account (hotmail) with a virus attached, I have no warning about
an infected message. I tried the EICAR_test file too, but nothing
happened, I just get these lines in maillog:

Nov 6 17:34:11 ns0 sendmail[5914]: RAA05914: from=, size=96715, class=0, pri=126715, nrcpts=1, msgid=, proto=ESMTP, relay=oe17.law7.hotmail.com [216.33.236.121]
Nov 6 17:34:11 ns0 MailScanner[5190]: New Batch: Found 2 messages waiting
Nov 6 17:34:11 ns0 MailScanner[5190]: New Batch: Scanning 1 messages, 97125 bytes
Nov 6 17:34:12 ns0 MailScanner[5190]: Virus and Content Scanning: Starting
Nov 6 17:34:12 ns0 MailScanner[5190]: Uninfected: Delivered 1 messages
Nov 6 17:34:12 ns0 sendmail[5919]: RAA05914: to=, delay=00:00:09, xdelay=00:00:00, mailer=local, stat=Sent

I tested f-prot manually and it says the infection is there (EICAR_test
and an infected file (Magistr). I really appreciate your help to solve
this issue.

BTW, I got warned about some infected messages, but they are the ones
with IFrame tags in it.

Thanks in advance

(Sorry about my poor English)

vgm

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021107/b91214e0/attachment.html

From mailscanner at ecs.soton.ac.uk Thu Nov 7 22:14:37 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:21 2006
Subject: F-PROT problem?
In-Reply-To: <036301c286aa$88441240$620aaa82@ADMINISTRATOR>
References: <5.1.0.14.2.20021107105839.032b2e80@imap.ecs.soton.ac.uk>
 <014d01c2866b$a2ebf2f0$620aaa82@ADMINISTRATOR>
Message-ID: <5.1.0.14.2.20021107221317.03314498@imap.ecs.soton.ac.uk>

At 22:10 07/11/2002, you wrote:
>Hi all, I just wanted to tell you I finally solved the problem whit
>f-prot. Im happy right now, and Im getting ready to check some other
>features in MailScanner.

What was the solution? It's useful to get solutions into the mailing list
archive for everyone else's benefit.

>----- Original Message -----
>From: Vicente Guerrero M.
>To: MAILSCANNER@JISCMAIL.AC.UK
>Sent: Thursday, November 07, 2002 8:40 AM
>Subject: Re: F-PROT problem?
>
>I've tried the command you told me and it seems to be working ok since I
>got a summary of files been scanned. I checked the script and it seems to
>be right too. Some other clue?
>
>
>Thanks
>----- Original Message -----
>From: Julian Field
>To: MAILSCANNER@JISCMAIL.AC.UK
>Sent: Thursday, November 07, 2002 5:02 AM
>Subject: Re: F-PROT problem?
>
>Something is going wrong in how MailScanner is calling your copy of F-Prot.
>If you do these 2 commands, it should output some sort of summary showing
>how many files it scanned, at the very least.
>         cd /tmp
>         /usr/lib/MailScaner/f-prot-wrapper -old -archive -dumb .
>(don't forget the dot on the end)
>
>If you get some sort of "command not found" error, then you have installed
>your copy of F-Prot somewhere different than the standard location, and
>you will need to alter the f-prot-wrapper script so it calls it in the
>right place. That script is very simple, you'll soon work out what you
>need to change in it.
>
>Let us know how you get on.
>
>At 23:56 06/11/2002, you wrote:
>>I have RedHat 7.1, Sendmail8.9.3, MailScanner 4.04-1 and f-prot 3.12b.
>>
>>Everything seems to be working ok, but if I send a message from an
>>external account (hotmail) with a virus attached, I have no warning about
>>an infected message. I tried the EICAR_test file too, but nothing
>>happened, I just get these lines in maillog:
>>
>>Nov 6 17:34:11 ns0 sendmail[5914]: RAA05914:
>>from=<user@hotmail.com>, size=96715, class=0,
>>pri=126715, nrcpts=1,
>>msgid=<OE17Bt3J3JCj2fBUA510000094e@hotmail.com>,
>>proto=ESMTP, relay=oe17.law7.hotmail.com [216.33.236.121]
>>Nov 6 17:34:11 ns0 MailScanner[5190]: New Batch: Found 2 messages waiting
>>Nov 6 17:34:11 ns0 MailScanner[5190]: New Batch: Scanning 1 messages,
>>97125 bytes
>>Nov 6 17:34:12 ns0 MailScanner[5190]: Virus and Content Scanning: Starting
>>Nov 6 17:34:12 ns0 MailScanner[5190]: Uninfected: Delivered 1 messages
>>Nov 6 17:34:12 ns0 sendmail[5919]: RAA05914:
>>to=<mail_user@minar.com>, delay=00:00:09,
>>xdelay=00:00:00, mailer=local, stat=Sent
>>I tested f-prot manually and it says the infection is there (EICAR_test
>>and an infected file (Magistr). I really appreciate your help to solve
>>this issue.
>>
>>
>>BTW, I got warned about some infected messages, but they are the ones
>>with IFrame tags in it.
>>
>>
>>Thanks in advance
>>
>>
>>(Sorry about my poor English)
>>
>>
>>vgm
>--
>Julian Field                Teaching Systems Manager
>jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
>Tel. 023 8059 2817          University of Southampton
>                            Southampton SO17 1BJ

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021107/a60a80a9/attachment.html

From vguerrero at minar.com Thu Nov 7 22:28:39 2002
From: vguerrero at minar.com (Vicente Guerrero M.)
Date: Thu Jan 12 21:16:21 2006
Subject: F-PROT problem?
References: <5.1.0.14.2.20021107105839.032b2e80@imap.ecs.soton.ac.uk>
 <014d01c2866b$a2ebf2f0$620aaa82@ADMINISTRATOR>
 <5.1.0.14.2.20021107221317.03314498@imap.ecs.soton.ac.uk>
Message-ID: <038b01c286ad$0569f710$620aaa82@ADMINISTRATOR>

I'm sorry. Well, I know this is gonna sound kinda stupid, but the fact is
I was making changes in /opt/Mailscanner/etc/MailScanner.conf instead of
/etc/Mailscanner/MailScanner.conf. That's it. I'm ashamed, but I can tell
you I learned a lot of things these days.

Thanks again for your patience and understanding (I'm relatively new to
linux stuff)

Best Regards

vgm

P.S. Have I told you about my bad English?

----- Original Message -----
From: Julian Field
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: Thursday, November 07, 2002 4:14 PM
Subject: Re: F-PROT problem?

At 22:10 07/11/2002, you wrote:

Hi all, I just wanted to tell you I finally solved the problem whit
f-prot. Im happy right now, and Im getting ready to check some other
features in MailScanner.

What was the solution? It's useful to get solutions into the mailing list
archive for everyone else's benefit.

----- Original Message -----
From: Vicente Guerrero M.
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: Thursday, November 07, 2002 8:40 AM
Subject: Re: F-PROT problem?

I've tried the command you told me and it seems to be working ok since I
got a summary of files being scanned. I checked the script and it seems to
be right too. Some other clue?

Thanks

----- Original Message -----
From: Julian Field
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: Thursday, November 07, 2002 5:02 AM
Subject: Re: F-PROT problem?

Something is going wrong in how MailScanner is calling your copy of F-Prot.
If you do these 2 commands, it should output some sort of summary showing
how many files it scanned, at the very least.

        cd /tmp
        /usr/lib/MailScaner/f-prot-wrapper -old -archive -dumb .

(don't forget the dot on the end)

If you get some sort of "command not found" error, then you have installed
your copy of F-Prot somewhere different than the standard location, and
you will need to alter the f-prot-wrapper script so it calls it in the
right place. That script is very simple, you'll soon work out what you
need to change in it.

Let us know how you get on.

At 23:56 06/11/2002, you wrote:

I have RedHat 7.1, Sendmail8.9.3, MailScanner 4.04-1 and f-prot 3.12b.

Everything seems to be working ok, but if I send a message from an
external account (hotmail) with a virus attached, I have no warning about
an infected message. I tried the EICAR_test file too, but nothing
happened, I just get these lines in maillog:

Nov 6 17:34:11 ns0 sendmail[5914]: RAA05914: from=, size=96715, class=0, pri=126715, nrcpts=1, msgid=, proto=ESMTP, relay=oe17.law7.hotmail.com [216.33.236.121]
Nov 6 17:34:11 ns0 MailScanner[5190]: New Batch: Found 2 messages waiting
Nov 6 17:34:11 ns0 MailScanner[5190]: New Batch: Scanning 1 messages, 97125 bytes
Nov 6 17:34:12 ns0 MailScanner[5190]: Virus and Content Scanning: Starting
Nov 6 17:34:12 ns0 MailScanner[5190]: Uninfected: Delivered 1 messages
Nov 6 17:34:12 ns0 sendmail[5919]: RAA05914: to=, delay=00:00:09, xdelay=00:00:00, mailer=local, stat=Sent

I tested f-prot manually and it says the infection is there (EICAR_test
and an infected file (Magistr). I really appreciate your help to solve
this issue.

BTW, I got warned about some infected messages, but they are the ones
with IFrame tags in it.

Thanks in advance

(Sorry about my poor English)

vgm

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021107/d3298124/attachment.html

From alex at IALEX.NET Thu Nov 7 22:03:40 2002
From: alex at IALEX.NET (Alex Short)
Date: Thu Jan 12 21:16:21 2006
Subject: Archiving Mail
Message-ID:

For the archiving of mail feature, how can you archive some users and not
others. The only option I have seen is *where* to save the archived email.

Alex

From mike at CAMAROSS.NET Thu Nov 7 22:58:21 2002
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:16:21 2006
Subject: Archiving Mail
In-Reply-To:
Message-ID: <000d01c286b1$2d381a20$6501a8c0@mikedesk>

With v.4, use a ruleset

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Alex Short
Sent: Thursday, November 07, 2002 4:04 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Archiving Mail

For the archiving of mail feature, how can you archive some users and not
others. The only option i have seen is *where* to save the archived email.

Alex

From email at ace.net.au Fri Nov 8 00:14:00 2002
From: email at ace.net.au (Peter Nitschke)
Date: Thu Jan 12 21:16:21 2006
Subject: Stuffit files (Macintosh specific)
In-Reply-To: <5.1.0.14.2.20021107191228.03235018@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20021107191228.03235018@imap.ecs.soton.ac.uk>
Message-ID: <200211081044000134.4D9F2414@smtp1.ace.net.au>

On W2k mail server that I also have, I run a mime decoder before running the virus scanner, would that be possible with MS?

Peter

*********** REPLY SEPARATOR ***********

On 7/11/2002 at 7:13 PM Julian Field wrote:

>At 17:40 07/11/2002, you wrote:
>>Is there a way to make unpack and process .sit (StuffIt files), very
>>common in macintosh world?
>>I compressed eicar.com and it flew freely thru MailScanner nets.
>
>It's down to the virus scanners to scan inside archives. I suggest you ask
>the virus scanner vendor(s) if they can search inside Stuffit files,
>ideally they should do it.
>--
>Julian Field                Teaching Systems Manager
>jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
>Tel. 023 8059 2817          University of Southampton
>                            Southampton SO17 1BJ

From gavin at NETERGY.COM Fri Nov 8 00:13:30 2002
From: gavin at NETERGY.COM (Gavin Nelmes-Crocker)
Date: Thu Jan 12 21:16:21 2006
Subject: possible bug or me up to late again
Message-ID:

ok after a couple of abortive attempts earlier today where typos and mis-naming of files gave me problems I am now finding something odd happening

Nov 7 23:59:32 nvsd sendmail[7507]: gA7NxSd07503: to=gavin@web-hoster.co.uk, delay=00:00:04, xdelay=00:00:01, mailer=esmtp, pri=124206, relay=mail.web-hoster.co.uk. [213.165.143.4], dsn=2.0.0, stat=Sent (gA7NsV006079 Message accepted for delivery)
Nov 8 00:00:03 nvsd sendmail[7530]: gA7Nxxd07530: from=, size=4220, class=0, nrcpts=1, msgid=, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=anchor-post-32.mail.demon.net [194.217.242.90]
Nov 8 00:00:03 nvsd MailScanner[7477]: New Batch: Scanning 1 messages, 4759 bytes
Nov 8 00:00:03 nvsd MailScanner[7477]: Spam Checks: Starting
Nov 8 00:00:06 nvsd MailScanner[7477]: Virus and Content Scanning: Starting
Nov 8 00:00:07 nvsd MailScanner[7477]: Could not open inline file /opt/MailScanner/etc/reports/en/inline.sig.txt, No such file or directory
Nov 8 00:00:07 nvsd MailScanner[7477]: Uninfected: Delivered 1 messages

the second line up is the problem, I don't have /opt/MailScanner specified anywhere in my config or any of my rules files even doing an egrep -r /opt/MailScanner only returns this from the MailScanner directory in /etc

[root MailScanner]# egrep -r /opt/MailScanner/ *
rules/EXAMPLES: Set "Is Definitely Not Spam = /opt/MailScanner/etc/rules/whitelist.rules".
rules/EXAMPLES: Set "Is Definitely Spam = /opt/MailScanner/etc/rules/blacklist.rules".
rules/EXAMPLES: Set "Sign Clean Messages = /opt/MailScanner/etc/rules/signing.rules".
rules/EXAMPLES: Set "Inline Text Signature = /opt/MailScanner/etc/rules/sig.text.rules" &
rules/EXAMPLES: set "Inline HTML Signature = /opt/MailScanner/etc/rules/sig.html.rules".
rules/EXAMPLES: From: *@domain1.com /opt/MailScanner/etc/reports/domain1.sig.txt
rules/EXAMPLES: From: *@domain2.com /opt/MailScanner/etc/reports/domain2.sig.txt
rules/EXAMPLES: Set "Virus Scanning = /opt/MailScanner/etc/rules/virus.scanning.rules".
rules/EXAMPLES: Set "Sign Clean Messages = /opt/MailScanner/etc/rules/signing.rules".

only the example file.

however if do the same in /usr/lib/MailScanner, I get this suggesting there is some throwback to an earlier version hiding somewhere? the end result is no inline sig

[root MailScanner]# egrep -r /opt/MailScanner/ *
MailScanner/ConfigDefs.pl:piddir /opt/MailScanner/var
MailScanner/ConfigDefs.pl:spamassassinprefsfile /opt/MailScanner/etc/spam.assassin.prefs.conf
MailScanner/ConfigDefs.pl:SpamListDefinitions /opt/MailScanner/etc/spam.lists.conf
MailScanner/ConfigDefs.pl:VirusScannerDefinitions /opt/MailScanner/etc/virus.scanners.conf
MailScanner/ConfigDefs.pl:TNEFExpander /opt/MailScanner/bin/tnef --maxsize=100000000
MailScanner/ConfigDefs.pl:DeletedFilenameMessage /opt/MailScanner/etc/reports/en/deleted.filename.message.txt
MailScanner/ConfigDefs.pl:DeletedVirusMessage /opt/MailScanner/etc/reports/en/deleted.virus.message.txt
MailScanner/ConfigDefs.pl:DisinfectedReportText /opt/MailScanner/etc/reports/en/disinfected.report.txt
MailScanner/ConfigDefs.pl:inlinehtmlsig /opt/MailScanner/etc/reports/en/inline.sig.html
MailScanner/ConfigDefs.pl:inlinehtmlwarning /opt/MailScanner/etc/reports/en/inline.warning.html
MailScanner/ConfigDefs.pl:inlinetextsig /opt/MailScanner/etc/reports/en/inline.sig.txt
MailScanner/ConfigDefs.pl:inlinetextwarning /opt/MailScanner/etc/reports/en/inline.warning.txt
MailScanner/ConfigDefs.pl:sendererrorreport /opt/MailScanner/etc/reports/en/sender.error.report.txt
MailScanner/ConfigDefs.pl:senderfilenamereport /opt/MailScanner/etc/reports/en/sender.filename.report.txt
MailScanner/ConfigDefs.pl:SenderRBLSpamReport /opt/MailScanner/etc/reports/en/sender.spam.rbl.report.txt
MailScanner/ConfigDefs.pl:SenderSASpamReport /opt/MailScanner/etc/reports/en/sender.spam.sa.report.txt
MailScanner/ConfigDefs.pl:SenderBothSpamReport /opt/MailScanner/etc/reports/en/sender.spam.report.txt
MailScanner/ConfigDefs.pl:sendervirusreport /opt/MailScanner/etc/reports/en/sender.virus.report.txt
MailScanner/ConfigDefs.pl:StoredFilenameMessage /opt/MailScanner/etc/reports/en/stored.filename.message.txt
MailScanner/ConfigDefs.pl:StoredVirusMessage /opt/MailScanner/etc/reports/en/stored.virus.message.txt
MailScanner/ConfigDefs.pl:#FilenameRules /opt/MailScanner/etc/filename.rules.conf

From mike at CAMAROSS.NET Fri Nov 8 00:16:04 2002
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:16:21 2006
Subject: possible bug or me up to late again
In-Reply-To:
Message-ID: <001701c286bc$074ebed0$6501a8c0@mikedesk>

What OS are you running...and is this the RPM version or the tarball?

From gavin at NETERGY.COM Fri Nov 8 00:17:30 2002
From: gavin at NETERGY.COM (Gavin Nelmes-Crocker)
Date: Thu Jan 12 21:16:21 2006
Subject: possible bug or me up to late again
In-Reply-To: <001701c286bc$074ebed0$6501a8c0@mikedesk>
Message-ID:

this is on a Cobalt RaQ running Redhatish for those that don't know Cobalts, I'm running the rpm version 4.05-3

From mike at CAMAROSS.NET Fri Nov 8 00:41:58 2002
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:16:21 2006
Subject: possible bug or me up to late again
In-Reply-To:
Message-ID:

I have v4.x running on a RAQ. None of my paths point to /opt anymore though. If you are not using /opt/MailScanner anymore, you might consider renaming it or moving it elsewhere and see if your problem clears up.

Mike

From smohan at vsnl.com Fri Nov 8 02:28:53 2002
From: smohan at vsnl.com (S Mohan)
Date: Thu Jan 12 21:16:21 2006
Subject: Relay by other network
In-Reply-To: <015a01c28644$e38e5810$57046898@shunkam.com>
Message-ID: <004101c286ce$95fe4850$28405bca@18yamuna>

No. Do not install mmsmtp. Just install sweep or savi. Ideally, you must just get the tar file of Sophos SAVI/Sweep. Install MailScanner and run Sophos.install from the same directory where the tar file exists. This script will do all the installation and command line options of sendmail. If you have installed mmsmtp, uninstall it first.

The configuration you have done is what mmsmtp proposes for running the gateway and MTA on the same machine. Julian has taken a different and IMHO a much better route. In case we feel mailscanner is misbehaving, simply stop mailscanner and start sendmail. We need not tinker with sendmail configuration every time this switch is made.

Julian - I think your scheme is by far the best I've seen.

Mohan

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of fong
Sent: Thursday, November 07, 2002 3:33 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Relay by other network

Thanks Mohan

Since someone told me that if you install both software on same machine, you should change the port of sendmail. Do I change any configure in sophos's config(mmsmtp.cfg) file? Should I start the sophos daemon(mmsmtpd) and mailscanner daemon or instead of start mailscanner daemon only?

Fong Cheang

----- Original Message -----
From: S Mohan
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: Thursday, November 07, 2002 4:45 PM
Subject: Re: Relay by other network

I've used this combination for 1 year now on 4 machines. Why are you changing sendmail port? Mailscanner starts two instances of sendmail - one in queued delivery mode accepting incoming connections and one just flushing out the queue. There is no need to change. If you are attaching port 25 to Sophos, then I guess you are using their mail gateway and not mailscanner. MailScanner uses the sweep commandline program and is a replacement for the Sophos Mail Gateway.

Relaying in sendmail is controlled thro' /etc/mail/access file which has entries that look like

IP/domainname/email id OK/RELAY/REJECT

e.g.

192.168.0 RELAY

will relay for your local Class C subnet assuming it is 192.168.0 subnet. Restart MailScanner after this. sendmail start up converts this file to a access.db file. Also take care that sendmail MTA listen to your actual IP and not 127.0.0.1.

HTH
Mohan

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of fong
Sent: 07 November 2002 08:20
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Relay by other network

Did anyone configure mailscanner+sendmail+sophos?

After I installed mailscanner and sophos on the same pc, I make the following configuration:

Sendmail port no: 8888
Sophos port no: 25 (redirect to sendmail after scanned)

So that all mail will be scanned before send to sendmail. It also make relay by other network. How can I control the relay domain? Is it the problem of sophos, sendmail or mailscanner?

I hope you understand my bad english. Appreciate for any help....

Fong Cheang

From smohan at vsnl.com Fri Nov 8 02:54:52 2002
From: smohan at vsnl.com (S Mohan)
Date: Thu Jan 12 21:16:21 2006
Subject: Archiving Mail
In-Reply-To:
Message-ID: <004a01c286d2$36f5ae80$28405bca@18yamuna>

In the archiving mail option, give a ruleset name. Say /etc/MailScanner/rules/archive.rules. This file must have the following entries.

To: emailid or directory.
From: similar as above.

In this manner, you can copy incoming and out going mails for each user or domain to email ids. If directory name is given, MailScanner stores in qf+df format. If email id is given, the mail gets delivered to the mailbox. You can use which ever is useful.

Mohan

From alex at IALEX.NET Fri Nov 8 04:01:03 2002
From: alex at IALEX.NET (Alex Short)
Date: Thu Jan 12 21:16:21 2006
Subject: Archiving Mail
References: <004a01c286d2$36f5ae80$28405bca@18yamuna>
Message-ID: <06dc01c286db$78356440$6400000a@clerks>

Ah yes, now i see it :)

Two questions-- any way to save it in one file/message, (ie not qf+df)
Also, is there a way to do *@domain.com /var/archive but not for notme@domain.com ?

Alex

From sevans at FOUNDATION.SDSU.EDU Fri Nov 8 04:22:34 2002
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans)
Date: Thu Jan 12 21:16:21 2006
Subject: Archiving Mail
Message-ID: <6214C3F9233D764C9E7029396C355015331640@mail.foundation.sdsu.edu>

There is an option in MailScanner.conf after version 4.02-1. Can't remember the name of the option though.

Rulesets are configured top to bottom. So put a line that says

notme@domain.com no
@domain.com /var/archive

Or however something along those lines.

Steve Evans
SDSU Foundation
(619) 594-0653

From smohan at VSNL.COM Fri Nov 8 06:23:34 2002
From: smohan at VSNL.COM (S Mohan)
Date: Thu Jan 12 21:16:21 2006
Subject: Archiving Mail
In-Reply-To: <06dc01c286db$78356440$6400000a@clerks>
Message-ID:

I've not tried it but I've seen Julian's mail that says it is supported.

Mohan

From Heinz.Knutzen at DZSH.DE Fri Nov 8 08:52:01 2002
From: Heinz.Knutzen at DZSH.DE (Knutzen, Heinz)
Date: Thu Jan 12 21:16:21 2006
Subject: setlogsock('unix') in *-autoupdate scripts
Message-ID: <096F8FA588BAD211844C0090272F2307017FBB16@DZSHMAILSRV2>

I would like to have Sys::Syslog::setlogsock('unix') be added to f-prot-autoupdate and possibly the other *-autoupdate scripts.

This should be similar to
MailScanner/Log.pm: eval { Sys::Syslog::setlogsock('unix'); }; # Doesn't need syslogd -r

Best regards
--
Heinz Knutzen
Datenzentrale Schleswig-Holstein
Altenholzer Str. 10-14, 24161 Altenholz, Germany
http://www.dzsh.de/
mailto:heinz.knutzen@dzsh.de
Tel: +49.431.3295.581
Fax: +49.431.3295.410

From mailscanner at ecs.soton.ac.uk Fri Nov 8 09:11:17 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:21 2006 Subject: Archiving Mail In-Reply-To: <6214C3F9233D764C9E7029396C355015331640@mail.foundation.sds u.edu> Message-ID: <5.1.0.14.2.20021108090542.06fbdeb0@imap.ecs.soton.ac.uk> At 04:22 08/11/2002, you wrote: >There is an option in MailScanner.conf after version 4.02-1. Can't >remember the name of the option though. # When you quarantine an entire message, do you want to store it as # raw mail queue files (so you can easily send them onto users) or # as human-readable files (header then body in 1 file)? Quarantine Whole Messages As Queue Files = no >Rulesets are configured top to bottom. So put a line that says > >notme@domain.com no >@domain.com /var/archive > >Or however something along those lines. Very nearly, you just forgot the direction off the front. So possibly you want FromTo: notme@domain.com no FromTo: *@domain.com /var/archive FromTo: default no "FromTo:" will match any message coming from the address or going to it. You will have to restart MailScanner (or kill -HUP all the processes) to force it to re-read the configuration files and recompile the rulesets. >-----Original Message----- >From: Alex Short [mailto:alex@IALEX.NET] >Sent: Thursday, November 07, 2002 8:01 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Archiving Mail > > >Ah yes, now i see it :) > >Two questions-- any way to save it in one file/message, (ie not qf+df) >Also, is there a way to do *@domain.com /var/archive but not for >notme@domain.com > >? > >Alex >----- Original Message ----- >From: "S Mohan" >To: >Sent: Thursday, November 07, 2002 9:54 PM >Subject: Re: Archiving Mail > > > > In the archiving mail option, give a ruleset name. Say > > /etc/MailScanner/rules/archive.rules. This file must have the > > following entries. > > > > To: emailid or directory. 
> > From: similar as above. > > > > In this manner, you can copy incoming and out going mails for each > > user or domain to email ids. If directory name is given, MailScanner > > stores in qf+df format. If email id is given, the mail gets delivered > > to the mailbox. You can use which ever is useful. > > > > Mohan > > > > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > Behalf Of Alex Short > > Sent: Friday, November 08, 2002 3:34 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Archiving Mail > > > > > > For the archiving of mail feature, how can you archive some users and > > not others. The only option i have seen is *where* to save the > > archived email. > > > > Alex > > > > > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Nov 8 09:13:30 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:21 2006 Subject: setlogsock('unix') in *-autoupdate scripts In-Reply-To: <096F8FA588BAD211844C0090272F2307017FBB16@DZSHMAILSRV2> Message-ID: <5.1.0.14.2.20021108091232.06fadeb0@imap.ecs.soton.ac.uk> At 08:52 08/11/2002, you wrote: >I would like to have Sys::Syslog::setlogsock('unix') >be added to f-prot-autoupdate and possibly the other *-autoupdate scripts. > >This should be similar to >MailScanner/Log.pm: eval { Sys::Syslog::setlogsock('unix'); }; # Doesn't >need syslogd -r Once someone has confirmed that my Log.pm.patch posted here last night ("Re: MS4.x config/runtime issues") works and removes the error message. Then I'll include it. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Nov 8 09:17:01 2002 
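The archive ruleset from the "Archiving Mail" reply above, worked through as an added Python example (not MailScanner's own code, which is Perl): a simplified first-match model of "rulesets are configured top to bottom", showing what happens when the exemption is placed after the wildcard. The function names, glob matching via fnmatch, the treatment of `default` as a fallback, and the example.org/example.net addresses are assumptions made for illustration.

```python
"""First-match evaluation of a MailScanner-style ruleset (simplified model)."""
from fnmatch import fnmatchcase

# The ruleset exactly as given in the reply above.
ARCHIVE_RULES = """\
FromTo: notme@domain.com no
FromTo: *@domain.com /var/archive
FromTo: default no
"""

# Same rules with the exemption placed after the wildcard (constructed).
MISORDERED_RULES = """\
FromTo: *@domain.com /var/archive
FromTo: notme@domain.com no
FromTo: default no
"""

DIRECTIONS = {"from", "to", "fromto"}  # only the directions named in the thread


def parse_ruleset(text):
    """Return (rules, default); rules is a list of (direction, pattern, value)."""
    rules, default = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        fields = line.split(None, 2)
        direction = fields[0].rstrip(":").lower()
        # A rule without its direction ("notme@domain.com no") is rejected here.
        if len(fields) != 3 or direction not in DIRECTIONS:
            raise ValueError(
                f"line {lineno}: expected 'Direction: pattern value', got {raw!r}")
        pattern, value = fields[1].lower(), fields[2]
        if pattern == "default":
            default = value  # assumption: used when no other rule matches
        else:
            rules.append((direction, pattern, value))
    return rules, default


def lookup(ruleset_text, sender, recipients):
    """Return the value of the first rule matching the message's addresses."""
    rules, default = parse_ruleset(ruleset_text)
    sender = sender.lower()
    recipients = [r.lower() for r in recipients]
    for direction, pattern, value in rules:
        from_hit = direction in ("from", "fromto") and fnmatchcase(sender, pattern)
        to_hit = direction in ("to", "fromto") and any(
            fnmatchcase(r, pattern) for r in recipients)
        if from_hit or to_hit:
            return value  # first match wins; later rules are never reached
    return default


if __name__ == "__main__":
    cases = [
        ("alice@domain.com", ["bob@example.org"]),
        ("carol@example.org", ["notme@domain.com"]),
        ("carol@example.org", ["dave@example.net"]),
    ]
    for name, rules in (("as posted", ARCHIVE_RULES), ("misordered", MISORDERED_RULES)):
        for sender, rcpts in cases:
            print(f"{name:10} {sender:20} -> {rcpts[0]:18} {lookup(rules, sender, rcpts)}")
```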
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:21 2006 Subject: possible bug or me up to late again In-Reply-To: Message-ID: <5.1.0.14.2.20021108091459.04aa61d0@imap.ecs.soton.ac.uk> At 00:13 08/11/2002, you wrote: >ok after a couple of abortive attempts earlier today where typos and >miss-naming of files gave me problems I am now finding something odd >happening > >Nov 7 23:59:32 nvsd sendmail[7507]: gA7NxSd07503: >to=gavin@web-hoster.co.uk, delay=00:00:04, xdelay=00:00:01, mailer=esmtp, >pri=124206, relay=mail.web-hoster.co.uk. [213.165.143.4], dsn=2.0.0, >stat=Sent (gA7NsV006079 Message accepted for delivery) >Nov 8 00:00:03 nvsd sendmail[7530]: gA7Nxxd07530: >from=, size=4220, class=0, nrcpts=1, >msgid=, >bodytype=8BITMIME, proto=ESMTP, daemon=MTA, >relay=anchor-post-32.mail.demon.net [194.217.242.90] >Nov 8 00:00:03 nvsd MailScanner[7477]: New Batch: Scanning 1 messages, 4759 >bytes >Nov 8 00:00:03 nvsd MailScanner[7477]: Spam Checks: Starting >Nov 8 00:00:06 nvsd MailScanner[7477]: Virus and Content Scanning: Starting >Nov 8 00:00:07 nvsd MailScanner[7477]: Could not open inline file >/opt/MailScanner/etc/reports/en/inline.sig.txt, No such file or directory >Nov 8 00:00:07 nvsd MailScanner[7477]: Uninfected: Delivered 1 messages > >the second line up is the problem, I don't have /opt/MailScanner specified >anywhere in my config or any of my rules files even doing an egrep -r >/opt/MailScanner >only returns this from the MailScanner directory in /etc It thinks you haven't specified a value for the configuration option Inline Text Signature and is therefore using its internal default value (which doesn't happen to exist on your system). -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Nov 8 09:14:04 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:21 2006 Subject: Stuffit files (Macintosh specific) In-Reply-To: <200211081044000134.4D9F2414@smtp1.ace.net.au> References: <5.1.0.14.2.20021107191228.03235018@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021107191228.03235018@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20021108091347.04862378@imap.ecs.soton.ac.uk> At 00:14 08/11/2002, you wrote: >On W2k mail server that I also have, I run a mime decoder before running >the virus scanner, would that be possible with MS? MS decodes all the MIME messages anyway, it has to. >Peter > > >*********** REPLY SEPARATOR *********** > >On 7/11/2002 at 7:13 PM Julian Field wrote: > > >At 17:40 07/11/2002, you wrote: > >>Is there a way to make unpack and process .sit (StuffIt files), very > >>common in macintosh world? > >>I compressed eicar.com and it flew freely thru MailScanner nets. > > > >It's down to the virus scanners to scan inside archives. I suggest you ask > >the virus scanner vendor(s) if they can search inside Stuffit files, > >ideally they should do it. > >-- > >Julian Field Teaching Systems Manager > >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > >Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From Richard.Lush at HP.COM Fri Nov 8 09:33:19 2002 
From: Richard.Lush at HP.COM (Lush, Richard) Date: Thu Jan 12 21:16:21 2006 Subject: Fetchmail and MailScanner question Message-ID: Hi All, I'm using fetchmail to collect emails from my ISPs and then MailScanner to scan them and send them on to my exchange server. The question I have is on the IP headers. You can see here the information I am getting on the spam messages. I'm getting 127.0.0.1 and in brackets the real domain name of the sender. Message gA7KiTLN013054 from 127.0.0.1 (ns1.sexycity.com) is spam according to SpamAssassin (score=14, required 7, FROM_NAME_NO_SPACES, BUGGY_CGI, CLICK_BELOW, GUARANTEE, UPPERCASE_25_50, NORMAL_HTTP_TO_IP, CLICK_HERE_LINK, SUBJ_ALL_CAPS, NO_MX_FOR_FROM) Does anyone know how I can get the real IP address back in? I'm using Dave Whiles MRTG script and at the moment only see the 127.0.0.1. (I had the access list turned on and blocked myself - oops!) Any ideas are gratefully received. Richard -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021108/5ceb2ac0/attachment.html From gavin at NETERGY.COM Fri Nov 8 10:07:10 2002 From: gavin at NETERGY.COM (Gavin Nelmes-Crocker) Date: Thu Jan 12 21:16:21 2006 Subject: possible bug or me up to late again In-Reply-To: <5.1.0.14.2.20021108091459.04aa61d0@imap.ecs.soton.ac.uk> Message-ID: thanks, it came to me this morning shaving - I hadn't put a default rule in my rules file so if defaulted to the ConfigDef file which as you say looks at somewhere I don't have - sorted now Thanks Gavin > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: 08 November 2002 09:17 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: possible bug or me up to late again > > > At 00:13 08/11/2002, you wrote: > >ok after a couple of abortive attempts earlier today where typos and > >miss-naming of files gave me problems I am now finding something odd > >happening > > > >Nov 7 23:59:32 nvsd sendmail[7507]: gA7NxSd07503: > >to=gavin@web-hoster.co.uk, delay=00:00:04, xdelay=00:00:01, mailer=esmtp, > >pri=124206, relay=mail.web-hoster.co.uk. [213.165.143.4], dsn=2.0.0, > >stat=Sent (gA7NsV006079 Message accepted for delivery) > >Nov 8 00:00:03 nvsd sendmail[7530]: gA7Nxxd07530: > >from=, size=4220, class=0, nrcpts=1, > >msgid=, > >bodytype=8BITMIME, proto=ESMTP, daemon=MTA, > >relay=anchor-post-32.mail.demon.net [194.217.242.90] > >Nov 8 00:00:03 nvsd MailScanner[7477]: New Batch: Scanning 1 > messages, 4759 > >bytes > >Nov 8 00:00:03 nvsd MailScanner[7477]: Spam Checks: Starting > >Nov 8 00:00:06 nvsd MailScanner[7477]: Virus and Content > Scanning: Starting > >Nov 8 00:00:07 nvsd MailScanner[7477]: Could not open inline file > >/opt/MailScanner/etc/reports/en/inline.sig.txt, No such file or directory > >Nov 8 00:00:07 nvsd MailScanner[7477]: Uninfected: Delivered 1 messages > > > >the second line up is the problem, I don't have /opt/MailScanner > specified > >anywhere in my config or any of my rules files even doing an egrep -r > >/opt/MailScanner > >only returns this from the MailScanner directory in /etc > > It thinks you haven't specified a value for the configuration option > Inline Text Signature > and is therefore using its internal default value (which doesn't happen to > exist on your system). > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From ant at DVERE.NET Fri Nov 8 10:07:06 2002 
From: ant at DVERE.NET (Ant La Porte) Date: Thu Jan 12 21:16:21 2006 Subject: ClamAV - New Test Results In-Reply-To: <3DC96ED5.5000007@nucci.com.br> References: <3DC96706.2060006@nucci.com.br> <3DC96ED5.5000007@nucci.com.br> Message-ID: <48567.10.0.0.5.1036750026.squirrel@webmail.dvere.dyndns.org> Ivan Mirisola said: > Hi All, > > I have performed new tests with some famous viruses found on > vx.netlux.org. Only Melissa failed to be discovered by clamAV. I don't > know why. The virus is found on a "visual basic for ms-word" format and > had to be included in a document. Maybe clamAV is trying to find the > original file that contaned the virus but this must be a wrong doing. My > AVG Free Edition does check the document generated and is able to see > that there is a virus within. > > Any thoughts, I'll be glad to hear. > > Sincerely, > Ivan > This thread on the openativirus-discuss list may be related: http://marc.theaimsgroup.com/?l=openantivirus-discuss&m=103590759412100&w=2 -- Ant La Porte - Dvere Network Services From scouty at BROMBERG.DEMON.NL Fri Nov 8 10:09:38 2002 
From: scouty at BROMBERG.DEMON.NL (Matthijs Althoff) Date: Thu Jan 12 21:16:21 2006 Subject: MRTG etc Message-ID: <200211081009.gA8A9cX19729@ori.rl.ac.uk> On Mon, 4 Nov 2002 19:53:53 +0000, David While wrote: >Currently the virus analysis will only work for ClamAV and inoculan since I >don't have access to any other scanners, however it is easy for me to add >them in - all I need are some sample mail log file entries from the >relevant scanners when they have detected a virus. $ uvscan --version (mcafee) Virus Scan for Linux v4.14.0 Scan engine v4.1.60 for Linux. Virus data file v4232 created Nov 06 2002 OS : RedHat 6.2 Sendmail : 8.11.6/8.11.6 MailScanner : 3.24-1 Scanning for 62223 viruses, trojans and variants. mailscanner[13551]: Scanning 1 messages, 70605 bytes mailscanner[13551]: /g9NJdEl14740/wedding.imp.scr Found the W32/Bugbear@MM virus !!! mailscanner[13551]: Detected Microsoft-specific exploits in g9NJdEl14740 mailscanner[13551]: Possible virus hidden in a screensaver (wedding.imp.scr) mailscanner[13551]: Found 3 viruses in messages g9NJdEl14740 mailscanner[13551]: Scanned 1 messages, 70605 bytes in 4 seconds mailscanner[13551]: Saved entire message to /var/spool/MailScanner/quarantine/20021023/g9NJdEl14740 mailscanner[13551]: Deleted infected messages g9NJdEl14740 sendmail[14747]: g9NJdPR14747: from=virus-admin@bromberg.demon.nl, size=1779, class=0, nrcpts=1, msgi mailscanner[13551]: Notified virus-admin@bromberg.demon.nl about 1 infections From t.d.lee at DURHAM.AC.UK Fri Nov 8 10:08:23 2002 
From: t.d.lee at DURHAM.AC.UK (David Lee) Date: Thu Jan 12 21:16:21 2006 Subject: MS4.x config/runtime issues In-Reply-To: <5.1.0.14.2.20021107182018.031e7ec0@imap.ecs.soton.ac.uk> Message-ID: On Thu, 7 Nov 2002, Julian Field wrote: > At 17:18 07/11/2002, you wrote: > >1. bin/MailScanner/Log.pm : MS gave a message: > > Your vendor has not defined the Sys::Syslog macro _PATH_LOG at [...] > > By commenting out the line: > > eval { Sys::Syslog::setlogsock('unix'); }; # Doesn't need syslogd -r > > this then worked, apparently with no ill effect. > > Seems to be sort of Perl/Solaris interaction (Perl 5.6.0; Solaris 8). > > Does the MS code need to be more tolerant, and/or autoconf'd? > > The failure message doesn't actually cause any harm. Basically it tries to > use a domain socket instead of a UDP socket, so you don't have to open up > your syslogd to accept UDP logging requests from other machines (which > might be used as a DoS attack on your server by forcing gigabytes of syslog > traffic). Thanks, Julian. Overall: Good News, No News (yet) and Bad News. So, in reverse order... > Please can you try the attached patch to Log.pm to see if it removes the > error message on your system. The Log.pm patch doesn't seem to remove the message; the versions seem indistinguishable in behaviour. Note also that both versions have a further problem. This only comes to light after five of the previous messages had been issued. (Because of that previous behaviour, my trials had never got as far as revealing the further problem.) After about five of the: Your vendor has not defined the Sys::Syslog macro _PATH_LOG at [...] it then gives: We haven't got any child processes, which isn't right!, No child processes at /opt/MailScanner/bin/mailscanner line 191. We have just tried to reap a process which wasn't one of ours!, No child processes at /opt/MailScanner/bin/mailscanner line 194. Basically MS doesn't ever really get started: the messages just sit in the inbound queue. > >2. 
lib/mcafee-wrapper: has pathname "/usr/local/uvscan/uvscan" hardcoded. > > At our site the pathname is different. OK, I can tweak things to make > > it work. But in v3 this had been configurable in etc/mailscanner.conf > > and v4.x seems to have gone backwards: no longer configurable. > > You just edit the wrapper. The setting in mailscanner.conf in V3 set the > location of the wrapper, not the location of uvscan itself. So this isn't > actually any different. If you moved uvscan to somewhere else, you would > have edited the wrapper to point to the correct location. In V4 you can > find the wrapper script more easily as they are all in the same place. OK, I'll look deeper, and get back to you if I still think there might be an issue. > >3. With v3, I had had the default (and sensible!): > > Outgoing Queue Dir = /var/spool/mqueue > > > > To ensure co-residency on the same physical partition of the other > > directories, they had been subdirectories of this: > > Incoming Queue Dir = /var/spool/mqueue/mq.in > > Incoming Work Dir = /var/spool/mqueue/incoming > > Quarantine Dir = /var/spool/mqueue/quarantine > > Solid and safe. > >[...] > > Is there any reason why v4.x forbids such subdirectory use? > >[...] > > Does MailScanner really require this restriction? Can it be removed? > > I thought it was a good idea at the time, but setups such as yours hadn't > occurred to me. On reflection it may be better to remove the check. I will > still look for a q1 or qf directory though, in an attempt to find split > queue directories which sendmail will use if it finds them. So you can get > it going now, the minimal patch to Sendmail.pm is attached to this message. > There is actually just 1 extra line of code. Good News: That seems fine. Many thanks. -- : David Lee I.T. Service : : Systems Programmer Computer Centre : : University of Durham : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham : : Phone: +44 191 374 2882 U.K. 
: From mailscanner at ecs.soton.ac.uk Fri Nov 8 10:42:26 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:21 2006
Subject: MS4.x config/runtime issues
In-Reply-To:
References: <5.1.0.14.2.20021107182018.031e7ec0@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021108104101.07142e20@imap.ecs.soton.ac.uk>

At 10:08 08/11/2002, you wrote:
>On Thu, 7 Nov 2002, Julian Field wrote:
> > At 17:18 07/11/2002, you wrote:
> > >1. bin/MailScanner/Log.pm : MS gave a message:
> > >   Your vendor has not defined the Sys::Syslog macro _PATH_LOG at [...]
> > >   By commenting out the line:
> > >   eval { Sys::Syslog::setlogsock('unix'); }; # Doesn't need syslogd -r
> > >   this then worked, apparently with no ill effect.
> > >   Seems to be sort of Perl/Solaris interaction (Perl 5.6.0; Solaris 8).
> > >   Does the MS code need to be more tolerant, and/or autoconf'd?
> >
> > The failure message doesn't actually cause any harm. Basically it tries to
> > use a domain socket instead of a UDP socket, so you don't have to open up
> > your syslogd to accept UDP logging requests from other machines (which
> > might be used as a DoS attack on your server by forcing gigabytes of syslog
> > traffic).
>
>Thanks, Julian. Overall: Good News, No News (yet) and Bad News.
>
>So, in reverse order...
>
> > Please can you try the attached patch to Log.pm to see if it removes the
> > error message on your system.
>
>The Log.pm patch doesn't seem to remove the message; the versions seem
>indistinguishable in behaviour.

Can you try this:

use Sys::Syslog;
use Carp;

eval { $SIG{'__DIE__'} = 'IGNORE';
       croak "Bye bye";
};
$SIG{'__DIE__'} = 'DEFAULT';
print "Hello there\n";

and tell me what it outputs. On my system I just get "Hello there". If the
"__DIE__" handler isn't working as expected, it will stop with an error.

>Note also that both versions have a further problem. This only comes to
>light after five of the previous messages had been issued. (Because of
>that previous behaviour, my trials had never got as far as revealing the
>further problem.) After about five of the:
>   Your vendor has not defined the Sys::Syslog macro _PATH_LOG at [...]
>it then gives:
>   We haven't got any child processes, which isn't right!, No child
>   processes at /opt/MailScanner/bin/mailscanner line 191.
>   We have just tried to reap a process which wasn't one of ours!, No
>   child processes at /opt/MailScanner/bin/mailscanner line 194.

For now, you can comment out the setlogsock line.

> > I thought it was a good idea at the time, but setups such as yours hadn't
> > occurred to me. On reflection it may be better to remove the check. I will
> > still look for a q1 or qf directory though, in an attempt to find split
> > queue directories which sendmail will use if it finds them. So you can get
> > it going now, the minimal patch to Sendmail.pm is attached to this message.
> > There is actually just 1 extra line of code.
>
>Good News: That seems fine. Many thanks.

Goodo!
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From novirus at CARLO65.DE Fri Nov 8 11:41:15 2002
From: novirus at CARLO65.DE (Roland Ehle)
Date: Thu Jan 12 21:16:21 2006
Subject: Fetchmail and MailScanner question
In-Reply-To:
References:
Message-ID: <1036755675.23579.105.camel@linroute>

Hi Richard,

On Fri, 2002-11-08 at 10.33, Lush, Richard wrote:
> Hi All,
>
> I'm using fetchmail to collect emails from my ISPs and then MailScanner
> to scan them and send them on to my exchange server. The question I
> have is on the IP headers.
>
> You can see here the information I am getting on the spam messages. I'm
> getting 127.0.0.1 and in brackets the real domain name of the sender.

afaik there is no solution for this. When you use fetchmail, the sender
is always localhost. Explanation: fetchmail picks up the mail and sends
it via smtp to the local recipient.

But, concerning Dave While's MRTG script, I have a proposal: in my eyes it
seems to be better to have the sender's address instead of the sending
SMTP-Server in the log and access-list. I have customers, who forward
their mails from their free-mail accounts, such as yahoo, web.de, gmx, to
their accounts on my server. When I first used the script I had suddenly
yahoo Mailservers on my access list.

Regards,
Roland

From Richard.Lush at HP.COM Fri Nov 8 11:53:16 2002
From: Richard.Lush at HP.COM (Lush, Richard)
Date: Thu Jan 12 21:16:21 2006
Subject: Fetchmail and MailScanner question
Message-ID:

Thanks Roland, I guessed that might have been the answer but am pretty
new to fetchmail and mailscanner.

-----Original Message-----
From: Roland Ehle [mailto:novirus@CARLO65.DE]
Sent: 08 November 2002 11:41
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Fetchmail and MailScanner question

Hi Richard,

On Fri, 2002-11-08 at 10.33, Lush, Richard wrote:
> Hi All,
>
> I'm using fetchmail to collect emails from my ISPs and then
> MailScanner to scan them and send them on to my exchange server. The
> question I have is on the IP headers.
>
> You can see here the information I am getting on the spam messages.
> I'm getting 127.0.0.1 and in brackets the real domain name of the
> sender.

afaik there is no solution for this. When you use fetchmail, the sender
is always localhost. Explanation: fetchmail picks up the mail and sends
it via smtp to the local recipient.

But, concerning Dave While's MRTG script, I have a proposal: in my eyes it
seems to be better to have the sender's address instead of the sending
SMTP-Server in the log and access-list. I have customers, who forward
their mails from their free-mail accounts, such as yahoo, web.de, gmx, to
their accounts on my server. When I first used the script I had suddenly
yahoo Mailservers on my access list.

Regards,
Roland

From carl.boberg at NRM.SE Fri Nov 8 11:56:15 2002
From: carl.boberg at NRM.SE (Carl Boberg)
Date: Thu Jan 12 21:16:21 2006
Subject: Log issue
In-Reply-To: <5.1.0.14.2.20021108104101.07142e20@imap.ecs.soton.ac.uk>
Message-ID:

Hi,

I noticed that MS does a rescan on every virus infected message.
That is all well and good but I have a little problem with this...
I'm using David While's perlscript to scan the maillog to find viruses
which does this with a regular exp. to find the line with the virus name
and the infected filename.
Since MS does the rescan I get the double amount of viruses in my output...

Question is:
Is the rescan really necessary? (Probably is a good idea)
If so, can I modify the rescan log entries somehow?
If not, how do I turn it off?

From my log:

First scan:
...
MailScanner[1281]: New Batch: Scanning 1 messages, 2491 bytes
MailScanner[1281]: Spam Checks: Starting
MailScanner[1281]: [./gA8BPSU01371/eicar.zip] eicar.com^Iinfection: EICAR_Test_File
MailScanner[1281]: [./gA8BPSU01371/eicar-1.zip] eicar.com^Iinfection: EICAR_Test_File
MailScanner[1281]: Virus Scanning: f-secure found 2 infections
MailScanner[1281]: Virus Scanning: Found 2 viruses
MailScanner[1281]: Saved infected "eicar-1.zip" to /.../20021108/gA8BPSU01371
MailScanner[1281]: Saved infected "eicar.zip" to /.../quarantine/20021108/gA8BPSU01371
MailScanner[1281]: Cleaned: Delivered 1 cleaned messages
....
Then Rescan:
....
MailScanner[1281]: Notices: Warned about 1 messages
MailScanner[1281]: Disinfection: Attempting to disinfect 1 messages
MailScanner[1281]: [./gA8BPSU01371/eicar.zip] eicar.com^Iinfection: EICAR_Test_File
MailScanner[1281]: [./gA8BPSU01371/eicar-1.zip] eicar.com^Iinfection: EICAR_Test_File
MailScanner[1281]: Virus Scanning: f-secure found 2 infections
MailScanner[1281]: Disinfection: Rescan found only 2 viruses
....

BTW. Julian Field ROCKS!

Best regards
---------------------------------
Carl Boberg
System & Network Administrator
Dept. of Information Technology
Swedish Museum of Natural History
Frescativ. 40
104 05 Stockholm
carl.boberg@nrm.se
Phone: 08-519 551 16
Mobile: 0701-82 40 55
---------------------------------

From David.While at UCE.AC.UK Fri Nov 8 12:01:50 2002
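An added example (not part of the original post, and not David While's script): one way a log-scanning script can avoid the double count described above, by tracking the "Disinfection: Attempting to disinfect" marker per MailScanner process and skipping infection lines until the rescan ends. The sample log is constructed from the lines quoted in the post plus one batch that uses the renamed "Virus Re-scanning:" summary line announced in the reply later in this thread; PID 1290 and message ID gA8EXAMPLE001 are made up, and the regular expressions cover only the f-secure line format shown here.

```python
"""Count MailScanner virus hits once, ignoring the disinfection rescan."""
import re
from collections import Counter

# Constructed sample modelled on the log lines quoted in the post.
SAMPLE_LOG = """\
MailScanner[1281]: New Batch: Scanning 1 messages, 2491 bytes
MailScanner[1281]: Spam Checks: Starting
MailScanner[1281]: [./gA8BPSU01371/eicar.zip] eicar.com^Iinfection: EICAR_Test_File
MailScanner[1281]: [./gA8BPSU01371/eicar-1.zip] eicar.com^Iinfection: EICAR_Test_File
MailScanner[1281]: Virus Scanning: f-secure found 2 infections
MailScanner[1281]: Virus Scanning: Found 2 viruses
MailScanner[1281]: Notices: Warned about 1 messages
MailScanner[1281]: Disinfection: Attempting to disinfect 1 messages
MailScanner[1281]: [./gA8BPSU01371/eicar.zip] eicar.com^Iinfection: EICAR_Test_File
MailScanner[1281]: [./gA8BPSU01371/eicar-1.zip] eicar.com^Iinfection: EICAR_Test_File
MailScanner[1281]: Virus Scanning: f-secure found 2 infections
MailScanner[1281]: Disinfection: Rescan found only 2 viruses
MailScanner[1290]: New Batch: Scanning 1 messages, 1800 bytes
MailScanner[1290]: [./gA8EXAMPLE001/test.zip] eicar.com^Iinfection: EICAR_Test_File
MailScanner[1290]: Virus Scanning: f-secure found 1 infections
MailScanner[1290]: Disinfection: Attempting to disinfect 1 messages
MailScanner[1290]: [./gA8EXAMPLE001/test.zip] eicar.com^Iinfection: EICAR_Test_File
MailScanner[1290]: Virus Re-scanning: f-secure found 1 infections
MailScanner[1290]: Disinfection: Rescan found only 1 viruses
"""

# Any syslog prefix (timestamp, host) before "MailScanner[pid]:" is tolerated.
ENTRY = re.compile(r"MailScanner\[(?P<pid>\d+)\]:\s+(?P<msg>.*)")
# syslog renders the scanner's tab as the two characters "^I"; accept both forms.
INFECTION = re.compile(
    r"\[\./(?P<msgid>[^/\]]+)/(?P<file>[^\]]+)\]\s+(?P<member>.+?)"
    r"(?:\^I|\t)infection:\s*(?P<virus>\S+)")
SUMMARY = re.compile(
    r"Virus (?P<re>Re-)?[Ss]canning: (?P<scanner>\S+) found (?P<count>\d+) infections")


def naive_count(log_text):
    """What a single regular expression over the whole log reports."""
    return sum(1 for line in log_text.splitlines()
               if (e := ENTRY.search(line)) and INFECTION.match(e.group("msg")))


def count_infections(log_text):
    """Count infection lines from the first scan only, per MailScanner PID."""
    phase = {}                      # pid -> "scan" or "rescan"
    by_virus = Counter()
    rescan_skipped = reported = 0
    for line in log_text.splitlines():
        entry = ENTRY.search(line)
        if entry is None:
            continue
        pid, msg = entry.group("pid"), entry.group("msg")
        if msg.startswith(("New Batch:", "Disinfection: Rescan found")):
            phase[pid] = "scan"
            continue
        if msg.startswith("Disinfection: Attempting to disinfect"):
            phase[pid] = "rescan"
            continue
        in_rescan = phase.get(pid, "scan") == "rescan"
        hit = INFECTION.match(msg)
        if hit:
            if in_rescan:
                rescan_skipped += 1
            else:
                by_virus[hit.group("virus")] += 1
            continue
        # Cross-check against the scanner's own summary, first scan only.
        summary = SUMMARY.match(msg)
        if summary and not summary.group("re") and not in_rescan:
            reported += int(summary.group("count"))
    return {"by_virus": dict(by_virus), "first_scan": sum(by_virus.values()),
            "rescan_skipped": rescan_skipped, "reported": reported}


if __name__ == "__main__":
    print("naive:", naive_count(SAMPLE_LOG))
    print("deduplicated:", count_infections(SAMPLE_LOG))
```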
From: David.While at UCE.AC.UK (David While)
Date: Thu Jan 12 21:16:21 2006
Subject: Fetchmail and MailScanner question
Message-ID:

I did originally have the sender's address (as reported in the brackets in
the log entry), however the address reported by MailScanner in the log
file is the address from the envelope of the original email which in most
cases of Spam is forged. I started to do reverse DNS lookups on the IP
address but the majority of senders of Spam don't have the reverse DNS
entries set up.

The sending SMTP server is the only reliable information - it is the
server that sent the spam to you - that is all you can tell.

To do what you are suggesting would require MailScanner to analyse the
email and look at the headers to try and determine the originator of the
spam which I suspect would be a fairly complex task (perhaps Julian would
like to comment!).

Hotmail does do Spam checking (according to their website) by activating
the junk mail filter so maybe the users should turn this on so that the
mail isn't forwarded.

-----------------------------------------------------------------
David While
Technical Development Manager
Faculty of Computing, Information & English
University of Central England
Tel: 0121 331 6211

Roland Ehle
Sent by: MailScanner mailing list
08/11/2002 11:41
Please respond to MailScanner mailing list

To: MAILSCANNER@JISCMAIL.AC.UK
cc:
Subject: Re: Fetchmail and MailScanner question

Hi Richard,

On Fri, 2002-11-08 at 10.33, Lush, Richard wrote:
> Hi All,
>
> I'm using fetchmail to collect emails from my ISPs and then MailScanner
> to scan them and send them on to my exchange server. The question I
> have is on the IP headers.
>
> You can see here the information I am getting on the spam messages. I'm
> getting 127.0.0.1 and in brackets the real domain name of the sender.

afaik there is no solution for this. When you use fetchmail, the sender
is always localhost. Explanation: fetchmail picks up the mail and sends
it via smtp to the local recipient.

But, concerning Dave While's MRTG script, I have a proposal: in my eyes it
seems to be better to have the sender's address instead of the sending
SMTP-Server in the log and access-list. I have customers, who forward
their mails from their free-mail accounts, such as yahoo, web.de, gmx, to
their accounts on my server. When I first used the script I had suddenly
yahoo Mailservers on my access list.

Regards,
Roland

From t.d.lee at durham.ac.uk Fri Nov 8 12:04:17 2002
From: t.d.lee at durham.ac.uk (David Lee)
Date: Thu Jan 12 21:16:21 2006
Subject: MS4.x config/runtime issues
In-Reply-To: <5.1.0.14.2.20021108104101.07142e20@imap.ecs.soton.ac.uk>
Message-ID:

On Fri, 8 Nov 2002, Julian Field wrote:

> Can you try this:
>
> use Sys::Syslog;
> use Carp;
>
> eval { $SIG{'__DIE__'} = 'IGNORE';
>        croak "Bye bye";
> };
> $SIG{'__DIE__'} = 'DEFAULT';
> print "Hello there\n";
>
> and tell me what it outputs. On my system I just get "Hello there". If the
> "__DIE__" handler isn't working as expected, it will stop with an error.

Get "Hello there".

In the interim I had also tried further adjustments in that area of
Log.pm, namely simply printing a message before and after the:
   eval { Sys::Syslog::setlogsock('unix'); };
(in its various incarnations). This confirmed that it was successfully
getting past this point. In that sense all would *appear* to be well. (So I
fully expected the "Hello there" from your test, anyway.)

Another of my trials had been:
   eval { Sys::Syslog::setlogsock('unix') || Sys::Syslog::setlogsock('inet'); };
Again, that had successfully passed this point, but still produced all the
messages, including my test "{before|after} setlogsock()", and including
the:
   We haven't got any child processes [...]
   We have just tried to reap a process which wasn't one of ours!

So I'm reasonably happy that our signal/DIE/eval stuff is OK. Rather, it
looks as though the mere attempt to do "setlogsock('unix')" is itself
having a longer-term side-effect which causes later problems.

Am I hitting something odd in perl 5.6.0, I wonder? Given that we have a
shared (from NetApp filers) perl installation across our Solaris/UNIX
service we're not in a position simply to upgrade it at the drop of a hat.
I'd have to find some other workaround, at least in the short-term.

> For now, you can comment out the setlogsock line.

Sure, that's a fine temporary hack, for us, for the moment.

Looking to the wider community, is there some way that "Log.pm" could
itself do the &_PATH_LOG check before committing to the apparently trojan
"setlogsock('unix')"? (It seems ironic that our virus-scanner's
innocent-looking "setlogsock('unix')" seems to have an infection-like result
within itself!)

Thanks again, Julian, for your attention to this.

--

:  David Lee                                I.T. Service          :
:  Systems Programmer                       Computer Centre       :
:                                           University of Durham  :
:  http://www.dur.ac.uk/t.d.lee/            South Road            :
:                                           Durham                :
:  Phone: +44 191 374 2882                  U.K.                  :

From novirus at CARLO65.DE Fri Nov 8 12:11:58 2002
From: novirus at CARLO65.DE (Roland Ehle)
Date: Thu Jan 12 21:16:21 2006
Subject: Fetchmail and MailScanner question
In-Reply-To:
References:
Message-ID: <1036757518.23514.112.camel@linroute>

Hi David,

On Fri, 2002-11-08 at 13.01, David While wrote:
> I did originally have the senders address (as reported in the brackets in
> the log entry), however the address reported by MailScanner in the log
> file is the address from the envelope of the original email which in most
> cases of Spam is forged. I started to do reverse DNS lookups on the IP
> address but the majority of senders of Spam don't have the reverse DNS
> entries set up.
>
> The sending SMTP server is the only reliable information - it is the
> server that sent the spam to you - that is all you can tell.

Fully ACK.

> To do what you are suggesting would require MailScanner to analyse the
> email and look at the headers to try and determine the originator of the
> spam which I suspect would be a fairly complex task (perhaps Julian would
> like to comment!).

I think, this is too much work, for statistical purposes only. But thank
you for this information.

> Hotmail does do Spam checking (according to their website) by activating
> the junk mail filter so maybe the users should turn this on so that the
> mail isn't forwarded.

I know, Yahoo does it too, meanwhile, but others don't as you may see on
my statistics page (http://www.is-on-stream.de/mrtg). The top spammer IPs
are those from the German Freemailers GMX and WEB.de.

Regards,
Roland

From Richard.Lush at HP.COM Fri Nov 8 12:39:32 2002
From: Richard.Lush at HP.COM (Lush, Richard) Date: Thu Jan 12 21:16:21 2006 Subject: MailScanner not virus scanning Message-ID: Hi All, I have Sophos and f-prot both configured within MailScanner.conf but it would appear the virus scanners are not running. I am not getting any error messages they are just not running. (i.e. no messages showing the maillog, in fact I haven't seen anything since upgrading) This sounds similar to a problem report earlier by someone else I think, I am running Redhat 8.0 with MailScanner 4.05-3. The wrappers run ok (tested manually). The only change I have made is upgrade. (Julian, I upgraded after you added the Sophos changes I tested to the rpm). I've been sending some test viruses from VX Heavens, Mcafee is picking them up on Exchange but MailScanner is not. Any ideas? Richard -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021108/7d4bfe74/attachment.html From Richard.Lush at HP.COM Fri Nov 8 12:49:43 2002 From: Richard.Lush at HP.COM (Lush, Richard) Date: Thu Jan 12 21:16:21 2006 Subject: MailScanner not virus scanning Message-ID: OK, the plot thickens. It seems that it is running but the virus engines are not picking up some older viruses (that's nice!). Just sent Nimda through and it picked it up but some old word viruses are not being picked up. Interestingly enough, I scanned the older files that are not being picked up with Norton on my client and it didn't detect them either. I guess MacAfee is going something extra checking. Richard -----Original Message----- 
From: Lush, Richard Sent: 08 November 2002 12:40 To: MAILSCANNER@JISCMAIL.AC.UK Subject: MailScanner not virus scanning Hi All, I have Sophos and f-prot both configured within MailScanner.conf but it would appear the virus scanners are not running. I am not getting any error messages they are just not running. (i.e. no messages showing the maillog, in fact I haven't seen anything since upgrading) This sounds similar to a problem report earlier by someone else I think, I am running Redhat 8.0 with MailScanner 4.05-3. The wrappers run ok (tested manually). The only change I have made is upgrade. (Julian, I upgraded after you added the Sophos changes I tested to the rpm). I've been sending some test viruses from VX Heavens, Mcafee is picking them up on Exchange but MailScanner is not. Any ideas? Richard -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021108/64ce5811/attachment.html From novirus at CARLO65.DE Fri Nov 8 13:45:08 2002 From: novirus at CARLO65.DE (Roland Ehle) Date: Thu Jan 12 21:16:21 2006 Subject: Virus In-Reply-To: References: Message-ID: <1036763108.23514.133.camel@linroute> Hi Raymond, it was a serious request from my side and don't worry I will not blame you or so. Regards, Roland Am Don, 2002-11-07 um 22.36 schrieb Raymond Dijkxhoorn: > Hi! > > > this is probably a strange question in your eyes, but I would like to > > have a virus or better a virus infected mail, to check different > > scanners. Unfortunately the only thing I find is the EICAR test virus, > > but thats not enough. > > Give me a address and i'll send you a nice .zip to test your scanner setup > with. > > Bye, > Raymond. > > From mailscanner at ecs.soton.ac.uk Fri Nov 8 12:22:12 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:21 2006 Subject: Fetchmail and MailScanner question In-Reply-To: Message-ID: <5.1.0.14.2.20021108122157.042ba8c0@imap.ecs.soton.ac.uk> At 12:01 08/11/2002, you wrote: >To do what you are suggesting would require MailScanner to analyse the >email and look at the headers to try and determine the originator of the >spam which I suspect would be a fairly complex task (perhaps Julian would >like to comment!). Nightmare. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Nov 8 12:21:07 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:21 2006 Subject: Log issue In-Reply-To: References: <5.1.0.14.2.20021108104101.07142e20@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20021108121921.03ef6e98@imap.ecs.soton.ac.uk> At 11:56 08/11/2002, you wrote: >Question is: >Is the rescan really neccessary? (Probably is a good idea) Yes. Vital. >If so, can I modify the rescan log entries somehow? >If not, how do I turn it off? I have changed the logging so that you will get Virus Scanning: f-secure found 2 infections but then Virus Re-scanning: f-secure found 2 infections so you don't get identical log entries for different things. I hope that doesn't break too many people's scripts! >First scan: >... >MailScanner[1281]: New Batch: Scanning 1 messages, 2491 bytes >MailScanner[1281]: Spam Checks: Starting >MailScanner[1281]: [./gA8BPSU01371/eicar.zip] eicar.com^Iinfection: >EICAR_Test_File >MailScanner[1281]: [./gA8BPSU01371/eicar-1.zip] eicar.com^Iinfection: >EICAR_Test_File >MailScanner[1281]: Virus Scanning: f-secure found 2 infections >MailScanner[1281]: Virus Scanning: Found 2 viruses >MailScanner[1281]: Saved infected "eicar-1.zip" to >/.../20021108/gA8BPSU01371 >MailScanner[1281]: Saved infected "eicar.zip" to >/.../quarantine/20021108/gA8BPSU01371 >MailScanner[1281]: Cleaned: Delivered 1 cleaned messages >.... >Then Rescan: >.... >MailScanner[1281]: Notices: Warned about 1 messages >MailScanner[1281]: Disinfection: Attempting to disinfect 1 messages >MailScanner[1281]: [./gA8BPSU01371/eicar.zip] eicar.com^Iinfection: >EICAR_Test_File >MailScanner[1281]: [./gA8BPSU01371/eicar-1.zip] eicar.com^Iinfection: >EICAR_Test_File >MailScanner[1281]: Virus Scanning: f-secure found 2 infections >MailScanner[1281]: Disinfection: Rescan found only 2 viruses >.... > >BTW. Julian Field ROCKS! :-) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 
023 8059 2817 University of Southampton Southampton SO17 1BJ From alex at IALEX.NET Fri Nov 8 13:49:28 2002 From: alex at IALEX.NET (Alex Short) Date: Thu Jan 12 21:16:21 2006 Subject: Archiving Mail In-Reply-To: <5.1.0.14.2.20021108090542.06fbdeb0@imap.ecs.soton.ac.uk> Message-ID: Julian, When putting these parameters in the ruleset the email is still getting forwarded because it matches. ie. FromTo: alex@domain.com no FromTo: *@domain.com archive@domain.com email to alex@domain.com is still getting forwarded. Alex > At 04:22 08/11/2002, you wrote: > >There is an option in MailScanner.conf after version 4.02-1. Can't > >remember the name of the option though. > > # When you quarantine an entire message, do you want to store it as > # raw mail queue files (so you can easily send them onto users) or > # as human-readable files (header then body in 1 file)? > Quarantine Whole Messages As Queue Files = no > > >Rulesets are configured top to bottom. So put a line that says > > > >notme@domain.com no > >@domain.com /var/archive > > > >Or however something along those lines. > > Very nearly, you just forgot the direction off the front. So possibly you want > FromTo: notme@domain.com no > FromTo: *@domain.com /var/archive > FromTo: default no > > "FromTo:" will match any message coming from the address or going to it. > You will have to restart MailScanner (or kill -HUP all the processes) to > force it to re-read the configuration files and recompile the rulesets. > > >-----Original Message----- > >From: Alex Short [mailto:alex@IALEX.NET] > >Sent: Thursday, November 07, 2002 8:01 PM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: Archiving Mail > > > > > >Ah yes, now i see it :) > > > >Two questions-- any way to save it in one file/message, (ie not qf+df) > >Also, is there a way to do *@domain.com /var/archive but not for > >notme@domain.com > > > >? > > > >Alex > >----- Original Message ----- 
> >From: "S Mohan" > >To: > >Sent: Thursday, November 07, 2002 9:54 PM > >Subject: Re: Archiving Mail > > > > > > > In the archiving mail option, give a ruleset name. Say > > > /etc/MailScanner/rules/archive.rules. This file must have the > > > following entries. > > > > > > To: emailid or directory. > > > From: similar as above. > > > > > > In this manner, you can copy incoming and out going mails for each > > > user or domain to email ids. If directory name is given, MailScanner > > > stores in qf+df format. If email id is given, the mail gets delivered > > > to the mailbox. You can use which ever is useful. > > > > > > Mohan > > > > > > > > > -----Original Message----- > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > > Behalf Of Alex Short > > > Sent: Friday, November 08, 2002 3:34 AM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Archiving Mail > > > > > > > > > For the archiving of mail feature, how can you archive some users and > > > not others. The only option i have seen is *where* to save the > > > archived email. > > > > > > Alex > > > > > > > > > > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > > > From gavin at NETERGY.COM Fri Nov 8 15:17:32 2002 
From: gavin at NETERGY.COM (Gavin Nelmes-Crocker) Date: Thu Jan 12 21:16:21 2006 Subject: unusual question Message-ID: Ok this is an odd one - I want to test the Spam capabilities harder now. Presently we forward Spam that arrives with us, but that only checks content with SpamAssassin and is not really checking any RBL etc., as it looks as though it comes from me, not the spammer. So the question - I am going to set up a domain especially for this and then I want to register (if you can call it that) for as much Spam and porn rubbish as I can. Does anyone know any sure fire places to put your email address that will result in being spammed? I am fairly broad minded but please nothing illegal. Regards Gavin From j.cormie at ABERTAY.AC.UK Fri Nov 8 15:19:47 2002 From: j.cormie at ABERTAY.AC.UK (Jason Cormie) Date: Thu Jan 12 21:16:21 2006 Subject: unusual question Message-ID: <6F7DF531DBB3D41197B600508B55D4020404AAC6@mail3.tay.ac.uk> > Does anyone know any sure fire places to put your email > address that will result in being spammed? Just use the email address to "unsubscribe" from some emails, that should get some attention From mailscanner at ecs.soton.ac.uk Fri Nov 8 15:20:23 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:21 2006 Subject: Archiving Mail In-Reply-To: References: <5.1.0.14.2.20021108090542.06fbdeb0@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20021108150819.040fbe90@imap.ecs.soton.ac.uk> At 13:49 08/11/2002, you wrote: >Julian, > >When putting these parameters in the ruleset the email is still getting >forwarded because it matches. > >ie. > >FromTo: alex@domain.com no >FromTo: *@domain.com archive@domain.com > >email to alex@domain.com is still getting forwarded. Unfortunately the Archive Mail parameter collects all the addresses+directories from matching rules. The *@domain.com will cause alex@domain.com to be archived to archive@domain.com. I envisioned people potentially wanting some addresses to be archived in more than 1 place, not specific users not being archived at all. Add having "not" as part of the address to match wouldn't help either, as "not alex@domain.com" would be true for "jim@otherdomain.com", so you would end up archiving *all* your mail. You really need some way to specify a "nowhere" result which over-rides all the other results. Perhaps some "magic value" such as "none", which would cause it to immediately make the whole result blank. But then if we get a virus called "none" we might be in trouble making up the "Viruses To Delete" list. Guess I could use something wacky like "*none*" but it doesn't exactly sound like a good solution, does it? Looks like a right hack to me :-( > > At 04:22 08/11/2002, you wrote: > > >There is an option in MailScanner.conf after version 4.02-1. Can't > > >remember the name of the option though. > > > > # When you quarantine an entire message, do you want to store it as > > # raw mail queue files (so you can easily send them onto users) or > > # as human-readable files (header then body in 1 file)? > > Quarantine Whole Messages As Queue Files = no > > > > >Rulesets are configured top to bottom. 
So put a line that says > > > > > >notme@domain.com no > > >@domain.com /var/archive > > > > > >Or however something along those lines. > > > > Very nearly, you just forgot the direction off the front. So possibly > you want > > FromTo: notme@domain.com no > > FromTo: *@domain.com /var/archive > > FromTo: default no > > > > "FromTo:" will match any message coming from the address or going to it. > > You will have to restart MailScanner (or kill -HUP all the processes) to > > force it to re-read the configuration files and recompile the rulesets. > > > > >-----Original Message----- > > >From: Alex Short [mailto:alex@IALEX.NET] > > >Sent: Thursday, November 07, 2002 8:01 PM > > >To: MAILSCANNER@JISCMAIL.AC.UK > > >Subject: Re: Archiving Mail > > > > > > > > >Ah yes, now i see it :) > > > > > >Two questions-- any way to save it in one file/message, (ie not qf+df) > > >Also, is there a way to do *@domain.com /var/archive but not for > > >notme@domain.com > > > > > >? > > > > > >Alex > > >----- Original Message ----- > > >From: "S Mohan" > > >To: > > >Sent: Thursday, November 07, 2002 9:54 PM > > >Subject: Re: Archiving Mail > > > > > > > > > > In the archiving mail option, give a ruleset name. Say > > > > /etc/MailScanner/rules/archive.rules. This file must have the > > > > following entries. > > > > > > > > To: emailid or directory. > > > > From: similar as above. > > > > > > > > In this manner, you can copy incoming and out going mails for each > > > > user or domain to email ids. If directory name is given, MailScanner > > > > stores in qf+df format. If email id is given, the mail gets delivered > > > > to the mailbox. You can use which ever is useful. > > > > > > > > Mohan > > > > > > > > > > > > -----Original Message----- 
> > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > > > Behalf Of Alex Short > > > > Sent: Friday, November 08, 2002 3:34 AM > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > Subject: Archiving Mail > > > > > > > > > > > > For the archiving of mail feature, how can you archive some users and > > > > not others. The only option i have seen is *where* to save the > > > > archived email. > > > > > > > > Alex > > > > > > > > > > > > > > > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > > > > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Nov 8 15:06:04 2002 
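The behaviour described in the reply above, modelled as an added example that is not MailScanner's own code: the rule matcher, the treatment of "no" as contributing nothing, and the probe sender address are assumptions. It contrasts the first-match reading the ruleset was written for with the collect-all evaluation, and audits which addresses meant to be excluded still end up archived.

```python
from fnmatch import fnmatchcase

# Ruleset from the thread, as (direction, pattern, result) tuples.
RULES = [
    ("FromTo:", "alex@domain.com", "no"),
    ("FromTo:", "*@domain.com", "archive@domain.com"),
    ("FromTo:", "default", "no"),
]


def rule_matches(direction, pattern, sender, recipient):
    """Simplified matcher (assumption): case-insensitive glob on addresses."""
    candidates = {
        "From:": [sender],
        "To:": [recipient],
        "FromTo:": [sender, recipient],
    }[direction]
    return any(fnmatchcase(a.lower(), pattern.lower()) for a in candidates)


def first_match(rules, sender, recipient):
    """The reading the poster expected: top to bottom, first hit wins."""
    default = []
    for direction, pattern, result in rules:
        if pattern == "default":
            default = [] if result == "no" else [result]
        elif rule_matches(direction, pattern, sender, recipient):
            return [] if result == "no" else [result]
    return default


def collect_all(rules, sender, recipient):
    """The reading given in the reply: every matching rule adds its result."""
    hits, default, matched = [], [], False
    for direction, pattern, result in rules:
        if pattern == "default":
            default = [] if result == "no" else [result]
        elif rule_matches(direction, pattern, sender, recipient):
            matched = True
            # Assumption: a "no" result adds nothing and cancels nothing.
            if result != "no" and result not in hits:
                hits.append(result)
    return hits if matched else default


def audit_exclusions(rules, must_not_archive, probe_sender="outside@example.net"):
    """Return {address: destinations} for excluded addresses still archived."""
    leaks = {}
    for addr in must_not_archive:
        dests = collect_all(rules, probe_sender, addr)
        if dests:
            leaks[addr] = dests
    return leaks


if __name__ == "__main__":
    for rcpt in ("alex@domain.com", "jim@domain.com", "bob@example.org"):
        print(rcpt,
              "first-match:", first_match(RULES, "outside@example.net", rcpt),
              "collect-all:", collect_all(RULES, "outside@example.net", rcpt))
    print("still archived:", audit_exclusions(RULES, ["alex@domain.com"]))
```

Running the audit against a copy of the ruleset before reloading it shows whether an address that was meant to be exempt still has its mail copied to the archive.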
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:21 2006 Subject: MS4.x config/runtime issues In-Reply-To: References: <5.1.0.14.2.20021108104101.07142e20@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20021108144327.040dad78@imap.ecs.soton.ac.uk> At 12:04 08/11/2002, you wrote: >On Fri, 8 Nov 2002, Julian Field wrote: > > > Can you try this: > > > > use Sys::Syslog; > > use Carp; > > > > eval { $SIG{'__DIE__'} = 'IGNORE'; > > croak "Bye bye"; > > }; > > $SIG{'__DIE__'} = 'DEFAULT'; > > print "Hello there\n"; > > > > and tell me what it outputs. On my system I just get "Hello there". If the > > "__DIE__" handler isn't working as expected, it will stop with an error. > >Get "Hello there". > >In the interim I had also tried further adjustments in that area of >Log.pm, namely simply printing a message before and after the: > eval { Sys::Syslog::setlogsock('unix'); }; >(in its various incarnations). > >This confirmed that it was successfully getting past this point. In that >sense all would *appear* to well. (So I fully expected the "Hello there" >from your test, anyway.) > >Another of my trials had been: > eval { Sys::Syslog::setlogsock('unix') || > Sys::Syslog::setlogsock('inet'); }; > >Again, that had successfully passed this point, but still produced all the >messages, including my test "{before|after} setlogsock()", and including >the: > We haven't got any child processes [...] > We have just tried to reap a process which wasn't one of ours! > >So I'm reasonably happy that our signal/DIE/eval stuff is OK. > >Rather, it looks as though the mere attempt to do "setlogsock('unix')" is >itself having a longer-term side-effect which causes later problems. Am I >hitting something odd in perl 5.6.0, I wonder? > >Given that we have a shared (from NetApp filers) perl installation across >our Solaris/UNIX service we're not in a position simply to upgrade it at >the drop of a hat. I'd have to find some other workaround, at least in >the short-term. 
> > > For now, you can comment out the setlogsock line. > >Sure, that's a fine temporary hack, for us, for the moment. > >Looking to the wider community, is there some way that "Log.pm" could >itself do the &_PATH_LOG check before committing to the apparently trojan >"setlogsock('unix')"? (It seems ironic that our virus-scanner's >innocent-looking "setlogsock('unix')" seems to have a infection-like >result within itself!) This is weird. The __DIE__ handler apparently works fine, and swallows "croak" messages. Inside Sys::Syslog it does a croak if the macro _PATH_LOG is not defined (which is actually a bug in Sys::Syslog). So how come with the __DIE__ handler you still get the croak message? And it certainly shouldn't cause it to stop completely. That bit of code will have to back how it was (and you'll have to just comment out the setlogsock line), until I understand DynaLoader a lot better than I do now. I can't figure it at the moment. The bug is in AUTOLOAD itself (in Sys::Syslog) which makes it very hard to over-ride. I can't make it work, anyway. If someone else can, then let me know. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mkettler at EVI-INC.COM Fri Nov 8 15:52:14 2002 
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:16:22 2006 Subject: unusual question In-Reply-To: Message-ID: <5.1.1.6.0.20021108103614.01a2b380@192.168.50.2> Here's the best places I know of to get spam without soliciting it, these are places that spammers tend to "troll" for addresses: 1) usenet. make a few (legitimate please) posts to usenet groups with an unobscured address. 2) whois. Make sure you've got an email address in your whois database entries of your domain registration. 3) postmaster/webmaster. Many spammers just add these on. Some add on "mail@" as well since this is the default user that sendmail runs as on most linux boxes. 4) website. Put a mailto link on your website. Also create a geocities or other popular "free website" service with a mailto link. 5) mailing lists with public web archives. 6) as soon as you get a "millions of emails CD" or "millions of fax numbers on CD" message, be sure to unsubscribe. As far as I can tell those guys in particular never honor such removes and this will promote your status to being a "verified" address. Most spammer's don't honor removes, but these guys are in the business of selling lists, and the bigger the better. If you want to get more commercial/porn junk mail, even if it means you'll get some mail you did legitimately "opt-in" for (along with some you may not have): 1) go to some porn sites and many of them have "enter your email address for access" type deals. Eventually you'll hit one that also submits their database to a "millions of emails CD" database. 2) become a registered user at http://www.SomeoneLikesYou.com. Their privacy policy state that they don't sell all the email addresses they get, but that they DO sell the emails and mailing addresses of the users that do fully register. 
At 03:17 PM 11/8/2002 +0000, you wrote: >Ok this is an odd one - I want to test the Spam capabilities harder now >presently we forward Spam that arrives with us but that only checks content >with spamassasin and not really checking any RBL etc as it looks as though >it comes from me not the spammer. > >So the question - I am going to setup a domain especially for this and then >I want to register (if you can call it that) for as much Spam and porn >rubbish as I can. Does anyone know any sure fire places to put your email >address that will result in being spammed? > >I am fairly broad minded but please nothing illegal. > >Regards > >Gavin From mkettler at EVI-INC.COM Fri Nov 8 16:02:58 2002 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:16:22 2006 Subject: unusual question In-Reply-To: <5.1.1.6.0.20021108103614.01a2b380@192.168.50.2> References: Message-ID: <5.1.1.6.0.20021108110148.01a0be80@192.168.50.2> Ack, that wasn't supposed to be a link to the orignal HTML of the spammish mail I got referencing them. It was supposed to be just a plain link to www.someonelikesyou.com. I guess that's what I get for copy-pasting :( >2) become a registered user at >http://www.SomeoneLikesYou.com. From raymond at PROLOCATION.NET Fri Nov 8 16:18:09 2002 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:16:22 2006 Subject: Virus In-Reply-To: <1036763108.23514.133.camel@linroute> Message-ID: Hi! > it was a serious request from my side and don't worry I will not blame > you or so. > > Give me a address and i'll send you a nice .zip to test your scanner setup > > with. I will make a nice collection tonight. Bye, Raymond. From carl.boberg at NRM.SE Fri Nov 8 16:21:33 2002 
From: carl.boberg at NRM.SE (Carl Boberg) Date: Thu Jan 12 21:16:22 2006 Subject: Log issue In-Reply-To: <5.1.0.14.2.20021108121921.03ef6e98@imap.ecs.soton.ac.uk> Message-ID: Thanks, that's great! But that wasn't really what I meant... I'm sorry but I wasn't clear enough. What I meant was that the lines with: MailScanner[1281]: [./gA8BPSU01371/eicar.zip] eicar.com^Iinfection: EICAR_Test_File I get one line per virus and the virus name on the same line (which is perfect). But the exact same lines show up again when it does the rescan. Do you see what I'm getting at? Thing is that I would love to fix the log line so that it looked something like this: MailScanner[1281]: f-secure found [./gA8BPSU01371/eicar.zip] eicar.com Infection: EICAR_Test_File and the rescan line: MailScanner[1281]: f-secure rescan found [./gA8BPSU01371/eicar.zip] eicar.com Infection: EICAR_Test_File or something similar... Is this asking too much? If so can you point me to where I can fiddle around with this myself? Best regards The Very Grateful Carl > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: Friday, November 08, 2002 13:21 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Log issue > > > At 11:56 08/11/2002, you wrote: > >Question is: > >Is the rescan really neccessary? (Probably is a good idea) > > Yes. Vital. > > >If so, can I modify the rescan log entries somehow? > >If not, how do I turn it off? > > I have changed the logging so that you will get > Virus Scanning: f-secure found 2 infections > but then > Virus Re-scanning: f-secure found 2 infections > so you don't get identical log entries for different things. > > I hope that doesn't break too many people's scripts! > > >First scan: > >... > >MailScanner[1281]: New Batch: Scanning 1 messages, 2491 bytes > >MailScanner[1281]: Spam Checks: Starting > >MailScanner[1281]: [./gA8BPSU01371/eicar.zip] eicar.com^Iinfection: > >EICAR_Test_File > >MailScanner[1281]: [./gA8BPSU01371/eicar-1.zip] eicar.com^Iinfection: > >EICAR_Test_File > >MailScanner[1281]: Virus Scanning: f-secure found 2 infections > >MailScanner[1281]: Virus Scanning: Found 2 viruses > >MailScanner[1281]: Saved infected "eicar-1.zip" to > >/.../20021108/gA8BPSU01371 > >MailScanner[1281]: Saved infected "eicar.zip" to > >/.../quarantine/20021108/gA8BPSU01371 > >MailScanner[1281]: Cleaned: Delivered 1 cleaned messages > >.... > >Then Rescan: > >.... > >MailScanner[1281]: Notices: Warned about 1 messages > >MailScanner[1281]: Disinfection: Attempting to disinfect 1 messages > >MailScanner[1281]: [./gA8BPSU01371/eicar.zip] eicar.com^Iinfection: > >EICAR_Test_File > >MailScanner[1281]: [./gA8BPSU01371/eicar-1.zip] eicar.com^Iinfection: > >EICAR_Test_File > >MailScanner[1281]: Virus Scanning: f-secure found 2 infections > >MailScanner[1281]: Disinfection: Rescan found only 2 viruses > >.... > > > >BTW. Julian Field ROCKS! > > :-) > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 
023 8059 2817 University of Southampton > Southampton SO17 1BJ > From novirus at CARLO65.DE Fri Nov 8 16:25:21 2002 From: novirus at CARLO65.DE (Roland Ehle) Date: Thu Jan 12 21:16:22 2006 Subject: Virus In-Reply-To: References: Message-ID: <1036772721.23579.145.camel@linroute> That's great. If you want to prevent the bounces arriving at your account, just take testi@inbox4u.de as sender/reply-to address. On Fri, 2002-11-08 at 17:18, Raymond Dijkxhoorn wrote: > Hi! > > > it was a serious request from my side and don't worry I will not blame > > you or so. > > > > Give me a address and i'll send you a nice .zip to test your scanner setup > > > with. > > I will make a nice collection tonight. > > Bye, > Raymond. > > From LISTSERV at JISCMAIL.AC.UK Fri Nov 8 16:59:37 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:16:22 2006 Subject: MAILSCANNER: royce.williams@ACSALASKA.NET left the list Message-ID: <200211081659.QAA29342@magpie.ecs.soton.ac.uk> Fri, 8 Nov 2002 16:59:37 Royce Williams has just signed off the MAILSCANNER list (MailScanner mailing list). ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From LISTSERV at JISCMAIL.AC.UK Fri Nov 8 17:13:26 2002 
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:16:22 2006 Subject: MAILSCANNER: brahn@WOH.RR.COM requested to join Message-ID: <200211081713.RAA01604@magpie.ecs.soton.ac.uk> Fri, 8 Nov 2002 17:13:26 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Bruce Rahn . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER brahn@WOH.RR.COM Bruce Rahn The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+brahn%40WOH.RR.COM+Bruce+Rahn&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From ivan at NUCCI.COM.BR Fri Nov 8 17:29:40 2002 
From: ivan at NUCCI.COM.BR (Ivan Mirisola) Date: Thu Jan 12 21:16:22 2006 Subject: ClamAV - New Test Results References: <3DC96706.2060006@nucci.com.br> <3DC96ED5.5000007@nucci.com.br> <48567.10.0.0.5.1036750026.squirrel@webmail.dvere.dyndns.org> Message-ID: <3DCBF484.3000803@nucci.com.br> Thanks Ant La Porte, I think you're right. Perhaps clamAV's virus database is searching for some wrong pattern on this particular case. Maybe a few virus patterns are wrongly made. That was my first thought when I came up with this problem. Maybe when the project started out, the developers didn't thought this could be an issue and fixed the pattern searching when dealing with the new viruses - since Melissa is an old one. I hope the people from OpenAntiVirus Project can fix this problem in future releases. Sorry people. I don't think this issue is related to this list. Maybe I'll post something on to the TheAimsGroup. Right now I am just glad my server is not delivering BugBear to other users. Thanks anyway, Ivan Ant La Porte wrote: >Ivan Mirisola said: > > >>Hi All, >> >>I have performed new tests with some famous viruses found on >>vx.netlux.org. Only Melissa failed to be discovered by clamAV. I don't >>know why. The virus is found on a "visual basic for ms-word" format and >>had to be included in a document. Maybe clamAV is trying to find the >>original file that contaned the virus but this must be a wrong doing. My >>AVG Free Edition does check the document generated and is able to see >>that there is a virus within. >> >>Any thoughts, I'll be glad to hear. >> >>Sincerely, >>Ivan >> >> >> > >This thread on the openativirus-discuss list may be related: >http://marc.theaimsgroup.com/?l=openantivirus-discuss&m=103590759412100&w=2 > >-- >Ant La Porte - Dvere Network Services > > From t.d.lee at DURHAM.AC.UK Fri Nov 8 18:39:24 2002 
From: t.d.lee at DURHAM.AC.UK (David Lee) Date: Thu Jan 12 21:16:23 2006 Subject: MS v3->v4 issue/observation Message-ID: Earlier this afternoon, I changed our main site relay (Solaris 8) from MS 3.25-1 to 4.06-1 (i.e. from 3 to 4). [For the curious: 4.06-1 is a version Julian had given me to test the "iframe-conversion" option.] Neither our 3.x nor 4.x has used SpamAssassin. Under 3.x, our log files used to get entries of the form: Message [...] is spam according to ORDB-RBL and these were later detected via our "sendmail.logs.pl" to extract the daily spam-count. But these entries no longer appear with 4.x. Which means our daily spam count (derived from "sendmail.logs.pl") will apparently reduce to zero. But I'm reasonably sure SPAM is being detected because I see: RBL checks: [...] found in ORDB-RBL Looking deeper, I see that the code (which seems to have migrated from 3.x "bin/sendmail.pl" to 4.x "bin/MailScanner/Message.pm") has changed its structure. With 4.x, if the config file says "Use SpamAssassin = no", the code in "bin/MailScanner/Message.pm" seems to return (line ~315), so it never gets never the code that produces the "according to" message (line ~390). 1. Is this observation correct (or have I somehow mis-configured)? 2. Is this change in behaviour (version 3 -> 4) intentional or accidental? 3. Where do we go from here? (My config problem, or Julian's coding problem?) (Off at a tangent, re: iframe: The good news (I presume) is that the log files have "Content Checks: Detected Microsoft-specific exploits [...]" entries.) -- : David Lee I.T. Service : : Systems Programmer Computer Centre : : University of Durham : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham : : Phone: +44 191 374 2882 U.K. : From lbergman at wtxs.net Fri Nov 8 18:49:11 2002 
From: lbergman at wtxs.net (Lewis Bergman) Date: Thu Jan 12 21:16:23 2006 Subject: The Challenge Message-ID: <200211081249.11611.lbergman@wtxs.net> All the talk and offers of donating hardware to Julian to further improve MS are great. I just don't think they go far enough. We are a commercial entity. We charge people money as a result of Julian's efforts. I think it is only fair that Julian be awarded at least some paltry sum as a result. I believe this should be the case if you are a large educational institution or a business. If you gain economic benefit by either costs saved or profits produced you should consider rewarding Julian's hard work out of gratitude. He hasn't asked for anything but I think version 4 proves it is high time to step up and reward him without him asking. My company has done this already. We wanted certain features which were either not on the radar screen or way down the list. Julian did not ask but I offered to "bump" these features up the list in exchange for paying him since he would obviously forgo some other pleasurable pursuits. As a direct result you have the old "domains.to.scan.conf" and its version 4 equivalent "Spam Checks". The improved F-Prot logging is also a result as well as some other minor things. We only did this when we thought that the features we requested were of use to the general population of MailScanner. I now challenge the rest of you to do the same. To date we have paid Julian $350.00 USD and there is no other software available that could do what MS does for even ten times that amount. When you ask for something that benefits you and causes Julian (or Nick) to do some work, seriously consider paying them. I think you could all let your conscience guide you as to when this is appropriate. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From lbergman at wtxs.net Fri Nov 8 18:57:16 2002 
From: lbergman at wtxs.net (Lewis Bergman) Date: Thu Jan 12 21:16:23 2006 Subject: MS v3->v4 issue/observation In-Reply-To: References: Message-ID: <200211081257.16440.lbergman@wtxs.net> > Under 3.x, our log files used to get entries of the form: > Message [...] is spam according to ORDB-RBL > But these entries no longer appear with 4.x. Which means our daily spam > count (derived from "sendmail.logs.pl") will apparently reduce to zero. > But I'm reasonably sure SPAM is being detected because I see: > RBL checks: [...] found in ORDB-RBL Before I migrated all of my rbl's to SA I used to get messages logged about the rbl lists but I don't remember the form. If the RBL checks: [...] found in ORDB-RBL is being spit out why can't you use that? -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From t.d.lee at DURHAM.AC.UK Fri Nov 8 19:02:52 2002 
From: t.d.lee at DURHAM.AC.UK (David Lee) Date: Thu Jan 12 21:16:23 2006 Subject: MS v3->v4 issue/observation In-Reply-To: <200211081257.16440.lbergman@wtxs.net> Message-ID: On Fri, 8 Nov 2002, Lewis Bergman wrote: > > Under 3.x, our log files used to get entries of the form: > > Message [...] is spam according to ORDB-RBL > > > But these entries no longer appear with 4.x. Which means our daily spam > > count (derived from "sendmail.logs.pl") will apparently reduce to zero. > > But I'm reasonably sure SPAM is being detected because I see: > > RBL checks: [...] found in ORDB-RBL > Before I migrated all of my rbl's to SA I used to get messages logged about > the rbl lists but I don't remember the form. If the RBL checks: [...] found > in ORDB-RBL is being spit out why can't you use that? Certainly I could use that. But I thought it worth mentioning "for the greater good of all" because it seems to be a change, possibly accidental, between v3 and v4, and because it has a knock-on effect with the widely used "sendmail.logs.pl". Thanks. Best wishes. -- : David Lee I.T. Service : : Systems Programmer Computer Centre : : University of Durham : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham : : Phone: +44 191 374 2882 U.K. : From mailscanner at ecs.soton.ac.uk Fri Nov 8 19:41:33 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:23 2006 Subject: MS v3->v4 issue/observation In-Reply-To: Message-ID: <5.1.0.14.2.20021108193934.03267630@imap.ecs.soton.ac.uk> At 18:39 08/11/2002, you wrote: >Earlier this afternnon, I changed our main site relay (Solaris 8) from MS >3.25-1 to 4.06-1 (i.e. from 3 to 4). [For the curious: 4.06-1 is a >version Julian had given me to test the "iframe-conversion" option.] > >Neither our 3.x nor 4.x has used SpamAssassin. >Under 3.x, our log files used to get entries of the form: > Message [...] is spam according to ORDB-RBL >and these were later detected via our "sendmail.logs.pl" to extract the >daily spam-count. >But these entries no longer appear with 4.x. Which means our daily spam >count (derived from "sendmail.logs.pl") will apparently reduce to zero. >But I'm reasonably sure SPAM is being detected because I see: > RBL checks: [...] found in ORDB-RBL >Looking deeper, I see that the code (which seems to have migrated from 3.x >"bin/sendmail.pl" to 4.x "bin/MailScanner/Message.pm") has changed its >structure. That's because V4 is a complete re-write from the ground up. The only bits of code that stayed were the virus scanner parsers. >With 4.x, if the config file says "Use SpamAssassin = no", the code in >"bin/MailScanner/Message.pm" seems to return (line ~315), so it never gets >never the code that produces the "according to" message (line ~390). >1. Is this observation correct (or have I somehow mis-configured)? Correct. >2. Is this change in behaviour (version 3 -> 4)intentional or accidental? Accidental. >3. Where do we go from here? (My config problem, or Julian's coding > problem?) I'll mail you a new Message.pm to try. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Nov 8 19:45:45 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:23 2006 Subject: MS v3->v4 issue/observation In-Reply-To: References: <200211081257.16440.lbergman@wtxs.net> Message-ID: <5.1.0.14.2.20021108194328.03267e08@imap.ecs.soton.ac.uk> At 19:02 08/11/2002, you wrote: >it has a knock-on effect with the widely >used "sendmail.logs.pl". sendmail.logs.pl was a really dirty hack I knocked up in a hurry at work one day. Never thought anyone might actually use it! One of these fine days, when I'm sitting at work with nothing to do, I'll get around to rewriting it rather better. :-) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jaearick at COLBY.EDU Fri Nov 8 19:50:22 2002 
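[Added example, not part of any post in this thread and not MailScanner's or sendmail.logs.pl's own code.] A spam counter that accepts both log wordings quoted above, so the daily count does not drop to zero after a 3.x to 4.x upgrade. It assumes the elided "[...]" is a single message id without spaces and that several lists may be comma-separated; the sample log lines and ids are constructed.

```perl
#!/usr/bin/perl
# Count RBL spam hits from MailScanner log lines, accepting both the 3.x
# and the 4.x wording quoted in the thread.
use strict;
use warnings;

# The two message forms. The "[...]" part is elided in the posts; this
# sketch assumes it is one whitespace-free message id.
my @FORMS = (
    qr/Message (\S+) is spam according to (.+)$/,   # 3.x wording
    qr/RBL checks: (\S+) found in (.+)$/,           # 4.x wording
);

# Return a hash ref { list name => hits }. Each (message id, list) pair is
# counted once, so a repeated or doubly-worded log entry is not inflated.
sub count_rbl_hits {
    my ($lines, $forms) = @_;
    my (%seen, %count);
    for my $line (@$lines) {
        for my $re (@$forms) {
            next unless $line =~ $re;
            my ($id, $lists) = ($1, $2);
            # Assumption: several lists may appear comma-separated
            for my $list (split /\s*,\s*/, $lists) {
                $list =~ s/\s+$//;
                next if $list eq '';
                $count{$list}++ unless $seen{"$id\0$list"}++;
            }
            last;    # one wording per line is enough
        }
    }
    return \%count;
}

# Constructed sample lines (not from a real server): one 3.x entry, three
# 4.x entries of which one is a duplicate, and one unrelated sendmail line.
my @log = (
    'Nov  8 11:58:02 relay mailscanner[411]: Message gA8BvX001111 is spam according to ORDB-RBL',
    'Nov  8 14:02:11 relay MailScanner[902]: RBL checks: gA8E2A002222 found in ORDB-RBL',
    'Nov  8 14:02:11 relay MailScanner[902]: RBL checks: gA8E2A002222 found in ORDB-RBL',
    'Nov  8 14:07:40 relay MailScanner[902]: RBL checks: gA8E7b003333 found in ORDB-RBL',
    'Nov  8 14:09:05 relay sendmail[950]: gA8E95004444: to=<user@example.org>, stat=Sent',
);

my $old_only = count_rbl_hits(\@log, [ $FORMS[0] ]);   # what a 3.x-era parser sees
my $both     = count_rbl_hits(\@log, \@FORMS);         # both wordings

printf "3.x wording only: %d hit(s) in ORDB-RBL\n", $old_only->{'ORDB-RBL'} || 0;
printf "both wordings:    %d hit(s) in ORDB-RBL\n", $both->{'ORDB-RBL'}     || 0;
```

A count that falls to zero right after an upgrade is more likely a parser that no longer matches the log format than a real change in spam volume, so compare the two numbers before trusting the report.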
From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:16:23 2006 Subject: The Challenge -- The Invoice In-Reply-To: <200211081249.11611.lbergman@wtxs.net> Message-ID: Y'all, I well agree that Julian deserves remuneration for his fine work with MailScanner. Colby College has benefited tremendously from his work. The problem in a business bureaucracy is the beancounters. They want to see an invoice for a product/service, a legal description of what they are paying for, etc -- ye olde paper trail. The managers also want accountability and budget control. I can't just get purchasing to send somebody a check because I say he's a good guy. I have the same headache with other valuable "free but please contribute" software like SpamCop. We use their blocklist; same issue with $$$. We do pay for RBL+ ($125/year, I think) because they have a means of billing us. But that means RBL+ suddenly has to have a support staff, a billing office, paperwork, file tax forms -- be a business. Frankly, RBL+ isn't a tenth as useful as SpamCop. The sad thing here is that while MailScanner is "free", Sophos sweep is not. We pay good money to use sweep within MailScanner on our mail server. We would have paid Sophos even more to use their inferior MailMonitor software -- if their sales person hadn't recommended MailScanner to me instead. IMHO, Sophos and the other anti-virus vendors should be paying Julian for promoting sales of their products. The problem, for me at least, is not the money. It is the paperwork needed to issue the check/cheque. Maybe Julian needs to start sending out bills... ----------------------------------- Jeff A. Earickson, Ph.D Senior UNIX Sysadmin and Email Guru Information Technology Services Colby College, 4214 Mayflower Hill, Waterville ME, 04901-8842 phone: 207-872-3659 (fax = 3076) ----------------------------------- On Fri, 8 Nov 2002, Lewis Bergman wrote: > Date: Fri, 8 Nov 2002 12:49:11 -0600 
> From: Lewis Bergman > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: The Challenge > > All the talk and offers of donating hardware to Julian to further improve MS > are great. I just don't think they go far enough. We are a commercial entity. > We charge people money as a result of Julian's efforts. I think it is only > fair that Julian be awarded at least some paltry sum as a result. > > I believe this should be the case if you are a large educational institution > or a business. If you gain economic benefit by either costs saved or profits > produced you should consider rewarding Julian's hard work out of gratitude. > He hasn't asked for anything but I think version 4 proves it is high time to > step up and reward him without him asking. > > My company has done this already. We wanted certain features which were either > not on the radar screen or way down the list. Julian did not ask but I > offered to "bump" these features up the list in exchange for paying him since > he would obviously forgo some other pleasurable pursuits. As a direct > result you have the old "domains.to.scan.conf" and its version 4 equivalent > "Spam Checks". The improved F-Prot logging is also a result as well as some > other minor things. We only did this when we thought that the features we > requested were of use to the general population of MailScanner. > > I now challenge the rest of you to do the same. To date we have paid Julian > $350.00 USD and there is no other software available that could do what MS > does for even ten times that amount. When you ask for something that benefits > you and causes Julian (or Nick) to do some work, seriously consider paying > them. I think you could all let your conscience guide you as to when this is > appropriate. > -- > Lewis Bergman > Texas Communications > 4309 Maple St. > Abilene, TX 79602-8044 > 915-695-6962 ext 115 > From mailscanner at ecs.soton.ac.uk Fri Nov 8 19:57:29 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:23 2006 Subject: The Challenge -- The Invoice In-Reply-To: References: <200211081249.11611.lbergman@wtxs.net> Message-ID: <5.1.0.14.2.20021108195401.0330df50@imap.ecs.soton.ac.uk> At 19:50 08/11/2002, you wrote: >Y'all, > I well agree that Julian deserves remuneration for his fine work with >MailScanner. Colby College has benefited tremendously from his work. >The problem in a business bureaucracy is the beancounters. They want to >see an invoice for a product/service, a legal description of what they >are paying for, etc -- ye olde paper trail. The managers also want >accountability and budget control. I can't just get purchasing >to send somebody a check because I say he's a good guy. > > I have the same headache with other valuable "free but please contribute" >software like SpamCop. We use their blocklist; same issue with $$$. >We do pay for RBL+ ($125/year, I think) because they have a means of >billing us. But that means RBL+ suddenly has to have a support staff, >a billing office, paperwork, file tax forms -- be a business. Frankly, >RBL+ isn't a tenth as useful as SpamCop. > > The sad thing here is that while MailScanner is "free", Sophos sweep >is not. We pay good money to use sweep within MailScanner on our mail >server. We would have paid Sophos even more to use their inferior >MailMonitor software -- if their sales person hadn't recommended >MailScanner to me instead. IMHO, Sophos and the other anti-virus >vendors should be paying Julian for promoting sales of their products. > > The problem, for me at least, is not the money. It is the paperwork >needed to issue the check/cheque. Maybe Julian needs to start sending >out bills... I have a consulting company run by a friend of mine (with all the necessary "official" paperwork) in the UK. I can always issue invoices through his company if that helps. That way the taxman gets 50% of it, but it's very official. 
If you would like paper invoices issued by a UK registered company, that's no problem at all. And I am already personally registered in the US for tax purposes as well as in the UK. >----------------------------------- >Jeff A. Earickson, Ph.D >Senior UNIX Sysadmin and Email Guru >Information Technology Services >Colby College, 4214 Mayflower Hill, >Waterville ME, 04901-8842 >phone: 207-872-3659 (fax = 3076) >----------------------------------- > >On Fri, 8 Nov 2002, Lewis Bergman wrote: > > > Date: Fri, 8 Nov 2002 12:49:11 -0600 
> > From: Lewis Bergman > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: The Challenge > > > > All the talk and offers of donating hardware to Julian to further > improve MS > > are great. I just don't think they go far enough. We are a commercial > entity. > > We charge people money as a result of Julian's efforts. I think it is only > > fair that Julian be awarded at least some paltry sum as a result. > > > > I believe this should be the case if you are a large educational > institution > > or a business. If you gain economic benefit by either costs saved or > profits > > produced you should consider rewarding Julian's hard work out of gratitude. > > He hasn't asked for anything but I think version 4 proves it is high > time to > > step up and reward him without him asking. > > > > My company has done this already. We wanted certain features which were > either > > not on the radar screen or way down the list. Julian did not ask but I > > offered to "bump" these features up the list in exchange for paying him > since > > he would obviously forgo some other pleasurable pursuits. As a direct > > result you have the old "domains.to.scan.conf" and its version 4 equivalent > > "Spam Checks". The improved F-Prot logging is also a result as well as some > > other minor things. We only did this when we thought that the features we > > requested were of use to the general population of MailScanner. > > > > I now challenge the rest of you to do the same. To date we have paid Julian > > $350.00 USD and there is no other software available that could do what MS > > does for even ten times that amount. When you ask for something that > benefits > > you and causes Julian (or Nick) to do some work, seriously consider paying > > them. I think you could all let your conscience guide you as to when > this is > > appropriate. > > -- > > Lewis Bergman > > Texas Communications > > 4309 Maple St. 
> > Abilene, TX 79602-8044 > > 915-695-6962 ext 115 > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mike at CAMAROSS.NET Fri Nov 8 20:23:48 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:16:23 2006 Subject: unusual question In-Reply-To: Message-ID: <004001c28764$befe6e60$6501a8c0@mikedesk> Yeah...go post some messages in the newsgroups. You can also look for messages with a title like "Spambot Bait" and the like. They are filled with hundreds of email addresses :) Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Gavin Nelmes-Crocker Sent: Friday, November 08, 2002 9:18 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: unusual question Ok this is an odd one - I want to test the Spam capabilities harder now. Presently we forward Spam that arrives with us, but that only checks content with SpamAssassin and is not really checking any RBL etc. as it looks as though it comes from me, not the spammer. So the question - I am going to set up a domain especially for this and then I want to register (if you can call it that) for as much Spam and porn rubbish as I can. Does anyone know any sure-fire places to put your email address that will result in being spammed? I am fairly broad minded but please nothing illegal. Regards Gavin From alex at IALEX.NET Fri Nov 8 20:38:09 2002 
From: alex at IALEX.NET (Alex Short) Date: Thu Jan 12 21:16:23 2006 Subject: Friend-Greetings.com Message-ID: I had blocked for friendgreetings.com and 'you have an e-card from' from last month, but just a heads up that one of my users received a: 'you have a Greeting card from' And a link to www.friend-greetings.com Just a warning, the second I saw it I added friend-greeting.com to my deny list and am now changing the spamassassin rule to toss it into the high score spam list. Weee.. Alex From sysadmin at DMS.UMONTREAL.CA Fri Nov 8 22:13:10 2002 From: sysadmin at DMS.UMONTREAL.CA (Chris Albert) Date: Thu Jan 12 21:16:23 2006 Subject: Cannot open ruleset file 7.5.... Message-ID: <3DCC36F6.103@dms.umontreal.ca> Greetings, Trying to upgrade to version 4 (MailScanner-4.05-3, on Solaris 7, perl 5.6.1, sophos,SA 2.43..) and I get the following error messages, resulting from setting # required_hits value can be set to different values for different messages. Required SpamAssassin Score = 7.5 An intermediate value that seemed useful in the past, but now gets interpreted as a file name: Cannot open ruleset file 7.5, \ No such file or directory at /opt/MailScanner/bin/MailScanner/Config.pm line 891 But seems to work okay if I give an integer value for the required minimum spam score. Chris -- -------------------------------------------------------------------- Christopher Albert Responsable des services informatiques Departement de mathematiques et de statistique Universite de Montreal bureau 6188, Pavillon Andre-Aisenstadt Tel: (514) 343-2281 Fax: (514) 343-5700 -------------------------------------------------------------------- From mike at CAMAROSS.NET Fri Nov 8 22:20:51 2002 
From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:16:23 2006 Subject: Cannot open ruleset file 7.5.... In-Reply-To: <3DCC36F6.103@dms.umontreal.ca> Message-ID: <004601c28775$18e37b40$6501a8c0@mikedesk> Try either 7 or 8 Seems like I had a similar problem where it wouldn't accept the decimal point. Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Chris Albert Sent: Friday, November 08, 2002 4:13 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Cannot open ruleset file 7.5.... Greetings, Trying to upgrade to version 4 (MailScanner-4.05-3, on Solaris 7, perl 5.6.1, sophos,SA 2.43..) and I get the following error messages, resulting from setting # required_hits value can be set to different values for different messages. Required SpamAssassin Score = 7.5 An intermediate value that seemed useful in the past, but now gets interpreted as a file name: Cannot open ruleset file 7.5, \ No such file or directory at /opt/MailScanner/bin/MailScanner/Config.pm line 891 But seems to work okay if I give an integer value for the required minimum spam score. Chris -- -------------------------------------------------------------------- Christopher Albert Responsable des services informatiques Departement de mathematiques et de statistique Universite de Montreal bureau 6188, Pavillon Andre-Aisenstadt Tel: (514) 343-2281 Fax: (514) 343-5700 -------------------------------------------------------------------- From mailscanner at ecs.soton.ac.uk Fri Nov 8 22:22:40 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:23 2006 Subject: Cannot open ruleset file 7.5.... In-Reply-To: <3DCC36F6.103@dms.umontreal.ca> Message-ID: <5.1.0.14.2.20021108222056.033de1f8@imap.ecs.soton.ac.uk> Many thanks for the bug report. I thought I had fixed this before, but I only half-fixed it :-( If you edit Config.pm, and change line 1343 to say $isrules = 1 if $first !~ /^[\d.]*$/; # Rules aren't all digits or . then the problem should disappear. This will be included in the next release. At 22:13 08/11/2002, you wrote: >Greetings, > >Trying to upgrade to version 4 >(MailScanner-4.05-3, on Solaris 7, perl 5.6.1, >sophos,SA 2.43..) and I get the following error >messages, resulting from setting ># required_hits value can be set to different values for different >messages. >Required SpamAssassin Score = 7.5 > >An intermediate value that seemed useful in the past, >but now gets interpreted as a file name: > > >Cannot open ruleset file 7.5, \ >No such file or directory at /opt/MailScanner/bin/MailScanner/Config.pm >line 891 > >But seems to work okay if I give an integer value >for the required minimum spam score. > >Chris > >-- >-------------------------------------------------------------------- > Christopher Albert > Responsable des services informatiques > Departement de mathematiques et de statistique > Universite de Montreal > > bureau 6188, Pavillon Andre-Aisenstadt > Tel: (514) 343-2281 Fax: (514) 343-5700 >-------------------------------------------------------------------- > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mrlynx at LAING.E-TARLAC.COM Sat Nov 9 00:35:57 2002 
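[Added example, not part of any post in this thread and not MailScanner's own code.] The number-or-ruleset-file decision behind the "Cannot open ruleset file 7.5" report, run over sample values. Only the pattern /^[\d.]*$/ comes from the Config.pm line posted above; the digits-only pattern is an assumption chosen because it reproduces the reported symptom, and the stricter pattern, the helper names and the sample path are hypothetical.

```perl
#!/usr/bin/perl
# Decide whether a setting's value is a literal number or the name of a
# ruleset file, comparing three tests on the same sample values.
use strict;
use warnings;

my $DIGITS_ONLY = qr/^\d*$/;                  # assumed earlier check (not from the thread)
my $POSTED_FIX  = qr/^[\d.]*$/;               # pattern from the posted Config.pm line
my $STRICT_NUM  = qr/\A\d+(?:\.\d+)?\z/;      # added: exactly one well-formed decimal

# Classify the way the posted line does: whatever does not match the
# "literal" pattern is treated as a ruleset file name and later opened.
sub classify {
    my ($value, $literal_re) = @_;
    return $value =~ $literal_re ? 'number' : 'ruleset file';
}

# Stricter variant (hypothetical helper): strings made only of digits and
# dots that are not a valid decimal are reported instead of being passed
# on as a score.
sub classify_strict {
    my ($value) = @_;
    return 'number'  if $value =~ $STRICT_NUM;
    return 'invalid' if $value =~ $POSTED_FIX;    # "", ".", "1.2.3"
    return 'ruleset file';
}

# Constructed sample values; the path is a placeholder, not a real file.
my @samples = ('7', '7.5', '', '.', '1.2.3', '/path/to/spam.score.rules');

printf "%-30s %-14s %-14s %s\n", 'value', 'digits only', 'posted fix', 'strict';
for my $v (@samples) {
    printf "%-30s %-14s %-14s %s\n",
        "'$v'",
        classify($v, $DIGITS_ONLY),
        classify($v, $POSTED_FIX),
        classify_strict($v);
}
```

With the digits-only test '7.5' is classified as a ruleset file, which matches the reported error; with the posted pattern it is a number, while '', '.' and '1.2.3' are also accepted as numbers, which is what the strict variant flags.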
From: mrlynx at LAING.E-TARLAC.COM (Joseph C. Bautista -mrlynx-) Date: Thu Jan 12 21:16:23 2006 Subject: MS v3->v4 issue/observation In-Reply-To: <5.1.0.14.2.20021108194328.03267e08@imap.ecs.soton.ac.uk> Message-ID: On Fri, 8 Nov 2002, Julian Field wrote: > At 19:02 08/11/2002, you wrote: > >it has a knock-on effect with the widely > >used "sendmail.logs.pl". > > sendmail.logs.pl was a really dirty hack I knocked up in a hurry at work > one day. > Never thought anyone might actually use it! > > One of these fine days, when I'm sitting at work with nothing to do, I'll > get around to rewriting it rather better. That ROCKS!!! Just wondering, with all the MS stuff, when is the last time you're sitting and nothing to do? Awesome! > :-) > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > > -- +-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=- _ _ _ - o' \,=./ `o - (o o) - +--------------ooO--(_)-----Ooo------------+ | Mr. Joseph C. Bautista | | NOC, e-Tarlac.com | | email add: mrlynx@e-tarlac.com | | URL: http://www.e-tarlac.com | +--------------------------(_)-------------+ - |__|__| - - | | | | - - ooO Ooo - -- This message has been scanned for viruses and dangerous content by e-Tarlac e-Mail Virus Scanner, and is believed to be clean. From mike at CAMAROSS.NET Sat Nov 9 03:06:56 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:16:23 2006 Subject: [Virus Detected] {VIRUS?} HMIME-Version: 1.0 In-Reply-To: <200211090241.gA92faam027527@mail.atcnet.net> Message-ID: Now THAT'S ironic! :) -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of mailscanner Sent: Friday, November 08, 2002 8:42 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: [Virus Detected] {VIRUS?} HMIME-Version: 1.0 Warning: This message has had one or more attachments removed. Warning: Please read the "VirusWarning.txt" attachment(s) for more information. Warning: This message has had one or more attachments removed. Please read the "VirusWarning.txt" attachment(s) for more information. From LISTSERV at JISCMAIL.AC.UK Sat Nov 9 03:22:08 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:16:23 2006 Subject: MAILSCANNER: m-list@PUGMARKS.COM left the list Message-ID: <200211090322.DAA14529@magpie.ecs.soton.ac.uk> Sat, 9 Nov 2002 03:22:08 Arminder Singh has just signed off the MAILSCANNER list (MailScanner mailing list). ------------------------- Original mail header -------------------------- [WWW request received from 203.129.220.98] From LISTSERV at JISCMAIL.AC.UK Sat Nov 9 10:58:51 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:16:23 2006 Subject: MAILSCANNER: paul@ESPMAIL.CO.UK requested to join Message-ID: <200211091058.KAA24530@magpie.ecs.soton.ac.uk> Sat, 9 Nov 2002 10:58:51 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Paul Welsh . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER paul@ESPMAIL.CO.UK Paul Welsh The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+paul%40ESPMAIL.CO.UK+Paul+Welsh&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From mailscanner at ecs.soton.ac.uk Sat Nov 9 11:42:59 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:23 2006 Subject: MS v3->v4 issue/observation In-Reply-To: References: <5.1.0.14.2.20021108194328.03267e08@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20021109114122.03058e98@imap.ecs.soton.ac.uk> At 00:35 09/11/2002, you wrote: >On Fri, 8 Nov 2002, Julian Field wrote: > > At 19:02 08/11/2002, you wrote: > > >it has a knock-on effect with the widely > > >used "sendmail.logs.pl". > > > > sendmail.logs.pl was a really dirty hack I knocked up in a hurry at work > > one day. > > Never thought anyone might actually use it! > > > > One of these fine days, when I'm sitting at work with nothing to do, I'll > > get around to rewriting it rather better. > >That ROCKS!!! Just wondering, with all the MS stuff, when is the last time >you're sitting and nothing to do? Errr.... Christmas Day last year during the inevitable showing of an old James Bond film on the TV possibly? :-) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mark at TIPPINGMAR.COM Sat Nov 9 20:07:31 2002 
From: mark at TIPPINGMAR.COM (Mark Nienberg) Date: Thu Jan 12 21:16:23 2006 Subject: {VIRUS?} {VIRUS?} HMIME-Version: 1.0 In-Reply-To: <200211090241.gA92faam027527@mail.atcnet.net> Message-ID: Hmm, what happened here? That was my mail server that identified the message from the list as a virus and sent the notification back to the list. 1. Why did the list accept a post from my mail server (obviously not a list member). 2. Why aren't there notifications here from everyone else? Mark On Friday, November 8, 2002, at 06:41 PM, mailscanner wrote: > Warning: This message has had one or more attachments removed. > Warning: Please read the "VirusWarning.txt" attachment(s) for more > information. > > This is a message from the MailScanner E-Mail Virus Protection Service > ---------------------------------------------------------------------- > The original e-mail attachment "the entire message" > was found to be infected by a virus and has been > replaced by this warning message. > > The attachment is being stored on the mail server and > it is possible for mark to retrieve it using the info > in this message. > > At Fri Nov 8 18:53:31 2002 the virus scanner said: > Possible Microsoft security vulnerability attack > > Note: Look on the MailScanner in /var/spool/MailScanner/quarantine > (message gA92rIZ09681). > -- > Postmaster From novirus at CARLO65.DE Sat Nov 9 20:11:29 2002 
From: novirus at CARLO65.DE (Roland Ehle) Date: Thu Jan 12 21:16:23 2006 Subject: {VIRUS?} {VIRUS?} HMIME-Version: 1.0 In-Reply-To: References: Message-ID: <1036872689.20798.25.camel@linroute> Hi Mark, it would be interesting to have the original message header, such as sender and subject, to identify. As far, as I can see, I did not receive this message. Regards, Roland Am Sam, 2002-11-09 um 21.07 schrieb Mark Nienberg: > Hmm, what happened here? That was my mail server that identified the > message from the list as a virus and sent the notification back to the > list. > > 1. Why did the list accept a post from my mail server (obviously not a > list member). > > 2. Why aren't there notifications here from everyone else? > > Mark > > On Friday, November 8, 2002, at 06:41 PM, mailscanner wrote: > > > Warning: This message has had one or more attachments removed. > > Warning: Please read the "VirusWarning.txt" attachment(s) for more > > information. > > > > This is a message from the MailScanner E-Mail Virus Protection Service > > ---------------------------------------------------------------------- > > The original e-mail attachment "the entire message" > > was found to be infected by a virus and has been > > replaced by this warning message. > > > > The attachment is being stored on the mail server and > > it is possible for mark to retrieve it using the info > > in this message. > > > > At Fri Nov 8 18:53:31 2002 the virus scanner said: > > Possible Microsoft security vulnerability attack > > > > Note: Look on the MailScanner in /var/spool/MailScanner/quarantine > > (message gA92rIZ09681). > > -- > > Postmaster > > From novirus at CARLO65.DE Sat Nov 9 20:28:11 2002 
From: novirus at CARLO65.DE (Roland Ehle) Date: Thu Jan 12 21:16:23 2006 Subject: {VIRUS?} {VIRUS?} HMIME-Version: 1.0 In-Reply-To: References: Message-ID: <1036873691.20796.32.camel@linroute> Oki sorry, I did receive the message and it contained an IFrame tag. Just found the warning message in my postmasters mailbox. Very strange thing that. Am Sam, 2002-11-09 um 21.07 schrieb Mark Nienberg: > Hmm, what happened here? That was my mail server that identified the > message from the list as a virus and sent the notification back to the > list. > > 1. Why did the list accept a post from my mail server (obviously not a > list member). > > 2. Why aren't there notifications here from everyone else? > > Mark > > On Friday, November 8, 2002, at 06:41 PM, mailscanner wrote: > > > Warning: This message has had one or more attachments removed. > > Warning: Please read the "VirusWarning.txt" attachment(s) for more > > information. > > > > This is a message from the MailScanner E-Mail Virus Protection Service > > ---------------------------------------------------------------------- > > The original e-mail attachment "the entire message" > > was found to be infected by a virus and has been > > replaced by this warning message. > > > > The attachment is being stored on the mail server and > > it is possible for mark to retrieve it using the info > > in this message. > > > > At Fri Nov 8 18:53:31 2002 the virus scanner said: > > Possible Microsoft security vulnerability attack > > > > Note: Look on the MailScanner in /var/spool/MailScanner/quarantine > > (message gA92rIZ09681). > > -- > > Postmaster > > From novirus at CARLO65.DE Sat Nov 9 20:32:42 2002 
From: novirus at CARLO65.DE (Roland Ehle) Date: Thu Jan 12 21:16:23 2006 Subject: {VIRUS?} {VIRUS?} HMIME-Version: 1.0 In-Reply-To: References: Message-ID: <1036873962.20797.35.camel@linroute> Mark, just for your information. Your mailscanner did not send a notification back to the list, nobody did at all. But your mailscanner replaced the original message by the warning text. Regards, Roland (a little bit confused about all that :-)) Am Sam, 2002-11-09 um 21.07 schrieb Mark Nienberg: > Hmm, what happened here? That was my mail server that identified the > message from the list as a virus and sent the notification back to the > list. > > 1. Why did the list accept a post from my mail server (obviously not a > list member). > > 2. Why aren't there notifications here from everyone else? > > Mark > > On Friday, November 8, 2002, at 06:41 PM, mailscanner wrote: > > > Warning: This message has had one or more attachments removed. > > Warning: Please read the "VirusWarning.txt" attachment(s) for more > > information. > > > > This is a message from the MailScanner E-Mail Virus Protection Service > > ---------------------------------------------------------------------- > > The original e-mail attachment "the entire message" > > was found to be infected by a virus and has been > > replaced by this warning message. > > > > The attachment is being stored on the mail server and > > it is possible for mark to retrieve it using the info > > in this message. > > > > At Fri Nov 8 18:53:31 2002 the virus scanner said: > > Possible Microsoft security vulnerability attack > > > > Note: Look on the MailScanner in /var/spool/MailScanner/quarantine > > (message gA92rIZ09681). > > -- > > Postmaster > > From novirus at CARLO65.DE Sat Nov 9 20:35:39 2002 
From: novirus at CARLO65.DE (Roland Ehle) Date: Thu Jan 12 21:16:23 2006 Subject: {Virus?} [MAILSCANNER] {VIRUS?} HMIME-Version: 1.0 In-Reply-To: <200211090241.gA92faam027527@mail.atcnet.net> References: <200211090241.gA92faam027527@mail.atcnet.net> Message-ID: <1036874139.20796.38.camel@linroute> Can somebody explain please, why I do have a replaced html-message part, but the base64-encoded part of the message is still in there and not decoded. Regards, Roland Am Sam, 2002-11-09 um 03.41 schrieb mailscanner: > Warnung: Diese Nachricht enthielt einen oder mehrere Dateianhaenge, die entfernt wurden > Warnung: (msg-7015-1.html) > Warnung: Bitte lesen Sie den oder die "VirusWarning.txt" Dateianhaenge fuer genauere Informationen. > > > ---- > > Dies ist eine Nachricht vom MailScanner (E-Mail Virus Protection Service) > ------------------------------------------------------------------------- > Der Dateianhang "msg-7015-1.html" > ist von einem Virus verseucht und wurde durch diese Nachricht ersetzt. > > Wenn Sie eine Kopie der Original Nachricht wuenschen, wenden Sie sich bitte > per Mail oder Telefon an Ihren Systemadministrator. Bitte halten Sie diese > Meldung bereit. > > Am Sat Nov 9 03:53:28 2002 meldete der Virenscanner folgendes: > Found dangerous IFrame tag in HTML message > > > Hinweis an den Administrator: > Datei ist auf Rechner: the MailScanner im Verzeichnis /var/spool/MailScanner/quarantine/20021109 (NachrichtenID gA92rQ307820) abgespeichert. > > -- > Postmaster > ---- > > This is a message from the MailScanner E-Mail Virus Protection Service > ---------------------------------------------------------------------- > The original e-mail attachment ".exe" > was believed to be infected by a virus and has been replaced by this warning > message. > > If you wish to receive a copy of the *infected* attachment, please > e-mail helpdesk and include the whole of this message > in your request. 
Alternatively, you can call them, with > the contents of this message to hand when you call. > > At Fri Nov 8 19:42:26 2002 the virus scanner said: > >>> Virus 'W32/Klez-H' found in file ./gA92faam027527/.exe > > Note to Help Desk: Look on the MailScanner in /var/spool/MailScanner/quarantine (message gA92faam027527). > -- > Postmaster > ---- > > Content-Type: application/octet-stream; > name=I256022-4[1].jpg > Content-Transfer-Encoding: base64 > Content-ID: > > /9j/4AAQSkZJRgABAgEASABIAAD/7Q2mUGhvdG9zaG9wIDMuMAA4QklNA+0AAAAAABAASAAA > AAEAAQBIAAAAAQABOEJJTQQNAAAAAAAEAAAAeDhCSU0D8wAAAAAACAAAAAAAAAAAOEJJTQQK > AAAAAAABAAA4QklNJxAAAAAAAAoAAQAAAAAAAAACOEJJTQP1AAAAAABIAC9mZgABAGxmZgAG From mark at TIPPINGMAR.COM Sat Nov 9 20:41:34 2002 From: mark at TIPPINGMAR.COM (Mark Nienberg) Date: Thu Jan 12 21:16:23 2006 Subject: {VIRUS?} {VIRUS?} HMIME-Version: 1.0 In-Reply-To: <1036873962.20797.35.camel@linroute> Message-ID: Ah! Thanks for that. I grok it now. On Saturday, November 9, 2002, at 12:32 PM, Roland Ehle wrote: > Mark, > > just for your information. Your mailscanner did not send a notification > back to the list, nobody did at all. But your mailscanner replaced the > original message by the warning text. > > Regards, > Roland (a little bit confused about all that :-)) From sysadmin at DMS.UMONTREAL.CA Sat Nov 9 22:24:51 2002 
From: sysadmin at DMS.UMONTREAL.CA (Chris Albert) Date: Thu Jan 12 21:16:23 2006 Subject: Mailscanner-4.05-3 Message-ID: <3DCD8B33.2000705@dms.umontreal.ca> Greetings, I've recently installed version 4 from a tarball on a Solaris U10, and I just wanted to point out that 1. The script Sophos.install uses Linux names for the compressed tarball and tarball variables. 2. Given the changes in the filesystem hierarchy under the quarantine directory and the new naming convention for spam files saved there, the script df2mbox no longer works correctly. I saw on the mailing list that Julian had considered including df2mbox in the distribution. I personally have found this little tool quite useful if you save high ranked spam to make periodic checks, especially after SA upgrades, or to show users that you have only quarantined junk. In fact, other contributors have put other scripts up on the mailing list that have been useful too (e.g. Peter Peters), and I think it would be nice if the 'contributed tools' portion of the website contained some of these tools as well. I realize these are trivial issues, but I get the impression that the designers of this tool are perfectionists. As for version 4, even in my little shop, there is a noticeable increase in speed and memory efficiency. Bravo gentlemen. Chris -- -------------------------------------------------------------------- Christopher Albert Responsable des services informatiques Departement de mathematiques et de statistique Universite de Montreal bureau 6188, Pavillon Andre-Aisenstadt Tel: (514) 343-2281 Fax: (514) 343-5700 -------------------------------------------------------------------- From LISTSERV at JISCMAIL.AC.UK Sat Nov 9 12:48:36 2002 
From mailscanner at ecs.soton.ac.uk Sun Nov 10 15:04:43 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:24 2006
Subject: Mailscanner-4.05-3
In-Reply-To: <3DCD8B33.2000705@dms.umontreal.ca>
Message-ID: <5.1.0.14.2.20021110142857.0244add0@imap.ecs.soton.ac.uk>

At 22:24 09/11/2002, you wrote:
>I've recently installed version 4 from a tarball on a Solaris U10,
>and I just wanted to point out that
>
>1. The script Sophos.install uses linux names for
>the compressed tarball and tarball variables.

I should probably just put in Linux and non-Linux versions of it. I'll take a look.

>2. Given the changes in the filesystem hierarchy
>under the quarantine directory and the new naming
>convention for spam files saved there, the script df2mbox
>no longer works correctly.

Please try the attached one and let me know if it works okay or not. None of my servers here quarantine spam (for legal reasons).

>I saw on the mailing list that Julian had considered including
>df2mbox in the distribution. I personally have found this little
>tool quite useful if you save high ranked spam to make periodic
>checks, especially after SA upgrades, or to show users that
>you have only quarantined junk.

Done.

>In fact, other contributors have put other scripts up on the mailing
>list that have been useful too (e.g. Peter Peters), and I think it
>would be nice if the 'contributed tools' portion of the website
>contained some of these tools as well.

Good idea. What would people like to see in it? And where can I get the latest versions of the contributed scripts?

>I realize these are trivial issues, but I get the impression
>that the designers of this tool are perfectionists.

Me, perfectionist, never :-)

>As for version 4, even in my little shop, there is a noticeable increase
>in speed and memory efficiency. Bravo gentlemen.

Thank you!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: df2mbox
Type: application/octet-stream
Size: 1559 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021110/5bc78a73/df2mbox.obj
-------------- next part --------------
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From email at ace.net.au Sun Nov 10 15:04:42 2002
From: email at ace.net.au (Peter Nitschke)
Date: Thu Jan 12 21:16:24 2006
Subject: OT Sendmail
In-Reply-To: <5.1.1.6.0.20021108110148.01a0be80@192.168.50.2>
References: <5.1.1.6.0.20021108110148.01a0be80@192.168.50.2>
Message-ID: <200211110134420878.0C4E9EF3@smtp1.ace.net.au>

Slightly off-topic.

Some twonk has started using randomly generated email addresses based on a domain that I host as the return address for a massive spamming session.

I am getting hammered with rejection notices from msn, yahoo etc.

Is there a way for sendmail to block these rejection notices outright?

I tried adding

mailer-daemon@* REJECT

to the /etc/mail/access to no avail.

I can kill them with MS, but would prefer to block them before they even get that far to save bandwidth and CPU on the mail server.

Thanks in advance for any help on this one.

Peter

From sysadmin at DMS.UMONTREAL.CA Sun Nov 10 15:32:19 2002
From: sysadmin at DMS.UMONTREAL.CA (Chris Albert)
Date: Thu Jan 12 21:16:24 2006
Subject: Mailscanner-4.05-3
References: <5.1.0.14.2.20021110142857.0244add0@imap.ecs.soton.ac.uk>
Message-ID: <3DCE7C03.8020909@dms.umontreal.ca>

Julian Field wrote:

> At 22:24 09/11/2002, you wrote:
>
>> I've recently installed version 4 from a tarball on a Solaris U10,
>> and I just wanted to point out that
>>
>> 1. The script Sophos.install uses linux names for
>> the compressed tarball and tarball variables.
>
>
> I should probably just put in Linux and non-Linux versions of it. I'll
> take
> a look.
>
>> 2. Given the changes in the filesystem hierarchy
>> under the quarantine directory and the new naming
>> convention for spam files saved there, the script df2mbox
>> no longer works correctly.
>
>
> Please try the attached one and let me know if it works okay or not. None
> of my servers here quarantine spam (for legal reasons).

Well the directory part seems right, but since I moved to v4 all the messages under spam begin with gA... . If I replace all occurrences of qf with gA and change the occurrence of df$id to cat gA$id, the script seems to work, except the output file is not readable by mutt -f in the same way as before. However if I look at the file with less, it seems correct; though I don't exactly understand why you eliminate the S from Subject, for example.

Chris

--
--------------------------------------------------------------------
Christopher Albert
Responsable des services informatiques
Departement de mathematiques et de statistique
Universite de Montreal
bureau 6188, Pavillon Andre-Aisenstadt
Tel: (514) 343-2281  Fax: (514) 343-5700
--------------------------------------------------------------------

From mailscanner at ecs.soton.ac.uk Sun Nov 10 15:39:31 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:24 2006
Subject: Mailscanner-4.05-3
In-Reply-To: <3DCE7C03.8020909@dms.umontreal.ca>
References: <5.1.0.14.2.20021110142857.0244add0@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021110153720.02431970@imap.ecs.soton.ac.uk>

At 15:32 10/11/2002, you wrote:
>Julian Field wrote:
>
>>At 22:24 09/11/2002, you wrote:
>>
>>>I've recently installed version 4 from a tarball on a Solaris U10,
>>>and I just wanted to point out that
>>>
>>>1. The script Sophos.install uses linux names for
>>>the compressed tarball and tarball variables.
>>
>>
>>I should probably just put in Linux and non-Linux versions of it. I'll
>>take
>>a look.
>>
>>>2. Given the changes in the filesystem hierarchy
>>>under the quarantine directory and the new naming
>>>convention for spam files saved there, the script df2mbox
>>>no longer works correctly.
>>
>>
>>Please try the attached one and let me know if it works okay or not. None
>>of my servers here quarantine spam (for legal reasons).
>
>Well the directory part seems right, but since I moved to v4
>all the messages under spam begin with gA... .

You need to be storing the quarantine files in "raw queue files" format

# When you quarantine an entire message, do you want to store it as
# raw mail queue files (so you can easily send them onto users) or
# as human-readable files (header then body in 1 file)?
Quarantine Whole Messages As Queue Files = yes

Otherwise there is no need to use the df2mbox script at all, as the quarantined files are already readable whole messages.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From henrik at CHELLE.NU Mon Nov 11 09:42:25 2002
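The conversion discussed in the df2mbox exchange above, as an added example that is not part of the original thread and is not the scrubbed df2mbox attachment: it pairs sendmail qf/df queue files by queue id and joins each pair into one mbox entry. The qf line codes it reads (T, S, H and the closing "."), the decision to drop Return-Path, and all queue ids and message data are assumptions or constructed for illustration.

```python
import re
import time

FROM_LINE = re.compile(r"^>*From ")        # body lines that look like a new mbox entry
HEADER_FLAGS = re.compile(r"^\?[^?]*\?")   # the "?flags?" prefix on qf header lines


def pair_queue_files(names):
    """Group qf<id>/df<id> names by queue id; return (complete ids, orphan ids)."""
    kinds = {}
    for name in names:
        prefix, queue_id = name[:2], name[2:]
        if prefix in ("qf", "df") and queue_id:
            kinds.setdefault(queue_id, set()).add(prefix)
    complete = sorted(q for q, k in kinds.items() if k == {"qf", "df"})
    orphans = sorted(q for q, k in kinds.items() if k != {"qf", "df"})
    return complete, orphans


def parse_qf(qf_text):
    """Return (envelope sender, creation time, header lines) from a qf control file."""
    sender, created, headers = "MAILER-DAEMON", 0, []
    keep = False  # True while inside a header that is being kept
    for line in qf_text.splitlines():
        if line == ".":                      # end-of-file marker
            break
        if line[:1] in (" ", "\t"):          # folded continuation of the previous header
            if keep:
                headers.append(line)
            continue
        keep = False
        code, rest = line[:1], line[1:]
        if code == "S":                      # envelope sender; "<>" marks a bounce
            sender = rest.strip().strip("<>") or "MAILER-DAEMON"
        elif code == "T":                    # creation time, seconds since the epoch
            created = int(rest)
        elif code == "H":
            rest = HEADER_FLAGS.sub("", rest)
            # Assumption: Return-Path holds a macro that sendmail expands at
            # delivery time, so it is dropped; the mbox "From " line carries
            # the envelope sender instead.
            if rest.lower().startswith("return-path:"):
                continue
            headers.append(rest)
            keep = True
    return sender, created, headers


def queue_pair_to_mbox(qf_text, df_text):
    """Join one qf (envelope + headers) and df (body) pair into a single mbox entry."""
    sender, created, headers = parse_qf(qf_text)
    stamp = time.asctime(time.gmtime(created))
    # Escape body lines starting with "From " so a mail reader does not treat
    # them as the start of another message.
    body = [(">" + l) if FROM_LINE.match(l) else l for l in df_text.splitlines()]
    return "\n".join([f"From {sender} {stamp}", *headers, "", *body, ""]) + "\n"


# Constructed sample pair (not taken from any real queue).
SAMPLE_QF = "\n".join([
    "V6",
    "T1036940683",
    "S<spammer@example.net>",
    "RPFD:<user@example.org>",
    "H?P?Return-Path: <g>",
    "H??Received: from relay.example.net (relay.example.net [192.0.2.10])",
    "\tby mx.example.org with ESMTP id gAAF4hX01234",
    "H??Subject: Constructed sample",
    ".",
])
SAMPLE_DF = "Hello,\nFrom now on this line must be escaped.\n"

if __name__ == "__main__":
    listing = ["qfgAAF4hX01234", "dfgAAF4hX01234", "dfgAAF5aX09999"]
    print(pair_queue_files(listing))
    print(queue_pair_to_mbox(SAMPLE_QF, SAMPLE_DF), end="")
```
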
From: henrik at CHELLE.NU (Henrik Kjellsson)
Date: Thu Jan 12 21:16:24 2006
Subject: Licensing
Message-ID: <3DCF7B81.7000906@chelle.nu>

Hi!

This might be a bit Off Topic.

A customer of the company that I work for has asked for a new mail security solution and of course I thought of Mailscanner. However the company is a bit cost-sensitive and can not afford an expensive solution. So I'm wondering what kind of licenses for the antivirus software do you use on your sites?

/Chelle

From tony.johansson at SVENSKAKYRKAN.SE Mon Nov 11 09:58:50 2002
From: tony.johansson at SVENSKAKYRKAN.SE (Tony Johansson)
Date: Thu Jan 12 21:16:24 2006
Subject: SV: Licensing
Message-ID: <3C4F5084EF16D4119CE700508B6B8B10058D07C2@nt.svenskakyrkan.se>

Hello,

I would recommend F-Prot

We protect 11.000 users with Mailscanner and F-Prot at a total licensing cost of $450 for two servers

Trend wanted $130.000 so I would hesitate to recommend them to anyone cost-sensitive...

regards,
tony

-----Original Message-----
From: Henrik Kjellsson [mailto:henrik@CHELLE.NU]
Sent: Monday, November 11, 2002 10:42 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Licensing

Hi!

This might be a bit Off Topic.

A customer of the company that I work for has asked for a new mail security solution and of course I thought of Mailscanner. However the company is a bit cost-sensitive and can not afford an expensive solution. So I'm wondering what kind of licenses for the antivirus software do you use on your sites?

/Chelle

From mailscanner at ecs.soton.ac.uk Mon Nov 11 10:42:02 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:24 2006
Subject: Licensing
In-Reply-To: <3DCF7B81.7000906@chelle.nu>
Message-ID: <5.1.0.14.2.20021111104108.01fb1648@imap.ecs.soton.ac.uk>

At 09:42 11/11/2002, you wrote:
>A customer of the company that I work for has asked for a new
>mail security solution and of course I thought of Mailscanner. However the
>company is a bit cost-sensitive and can not afford an expensive solution.
>So I'm wondering what kind of licenses for the antivirus software do you
>use on your sites?

The cheapest solutions are usually F-Prot (www.f-prot.com) and RAV (www.ravantivirus.com) as I *believe* they both charge per server rather than per user.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From andersan at LTKALMAR.SE Mon Nov 11 10:52:39 2002
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:16:24 2006
Subject: Installation questions..
Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EC60@lkl22.ltkalmar.se>

Hi

I've finally received my new servers and wanna make the best out of it. But there are a few questions I would like some input on.

Server config:
2x 1,4 GHz
1256 Mb
2x 18G scsi/raid1
RH 8.0
The servers will also work as DNS and DNS-caching servers

Since I really don't have a clue how MS/SA works regarding language is there any point installing support for other language ie. swedish then english?

What is the most busy dir for mailscanner so I can put that in the beginning of hard drive (mqueue/mqueue.in or the /urs/lib/MailScanner)?

Thinking of making separate partitions for mqueue in case I need to reinstall?

Anything else I should consider or should not do?

Kind regards

/Anders

From mailscanner at ecs.soton.ac.uk Mon Nov 11 11:40:24 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:24 2006
Subject: Installation questions..
In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263EC60@lkl22.ltkalmar.se >
Message-ID: <5.1.0.14.2.20021111113240.036e4440@imap.ecs.soton.ac.uk>

At 10:52 11/11/2002, you wrote:
>Server config:
>2x 1,4 GHz
>1256 Mb
>2x 18G scsi/raid1
>RH 8.0
>The servers will also work as DNS and DNS-caching servers
>
>Since I really don't have a clue how MS/SA works regarding language
>is there any point installing support for other language ie. swedish
>then english?

MS/SA won't make much use of other languages. You can set the character encoding you want to use (probably ISO-8859-15 in your case) in MailScanner.conf, and then just translate the reports into Swedish. (Please can you send me the translation results if you do this so I can add them to the distribution!)

>What is the most busy dir for mailscanner so I can put that in the
>beginning of hard drive (mqueue/mqueue.in or the /urs/lib/MailScanner)?

Doesn't make any difference these days as the "cylinder/head/sector" address is totally artificial now as they are translated from the real position on the disks.

>Thinking of making separate partitions for mqueue in case I need
>to reinstall?

I would advise putting /var/spool into a partition on its own. That way mqueue+mqueue.in are on the same partition, and sendmail will handle gracefully odd things happening like your quarantine filling up.

You might want to put /var/log on its own too, so rampant logs don't knock your server out.

>Anything else I should consider or should not do?
>
>Kind regards
>
>/Anders

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From andersan at LTKALMAR.SE Mon Nov 11 11:44:52 2002
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:16:24 2006
Subject: SV: Installation questions..
Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EC62@lkl22.ltkalmar.se>

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: 11 November 2002 12:40
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Installation questions..
>
>
> At 10:52 11/11/2002, you wrote:
> >Server config:
> >2x 1,4 GHz
> >1256 Mb
> >2x 18G scsi/raid1
> >RH 8.0
> >The servers will also work as DNS and DNS-caching servers
> >
> >Since I really don't have a clue how MS/SA works regarding language
> >is there any point installing support for other language ie. swedish
> >then english?
>
> MS/SA won't make much use of other languages. You can set the
> character
> encoding you want to use (probably ISO-8859-15 in your case) in
> MailScanner.conf, and then just translate the reports into
> Swedish. (Please
> can you send me the translation results if you do this so I
> can add them to
> the distribution!)

I sure will do that as soon as it's done....thanks Julian

>
> >What is the most busy dir for mailscanner so I can put that in the
> >beginning of hard drive (mqueue/mqueue.in or the /urs/lib/MailScanner)?
>
> Doesn't make any difference these days as the "cylinder/head/sector"
> address is totally artificial now as they are translated from the real
> position on the disks.
>
> >Thinking of making separate partitions for mqueue in case I need
> >to reinstall?
>
> I would advise putting /var/spool into a partition on its
> own. That way
> mqueue+mqueue.in are on the same partition, and sendmail will handle
> gracefully odd things happening like your quarantine filling up.
>
> You might want to put /var/log on its own too, so rampant
> logs don't knock
> your server out.
>
> >Anything else I should consider or should not do?
> >
> >Kind regards
> >
> >/Anders
>
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ
>

From andersan at LTKALMAR.SE Mon Nov 11 11:55:27 2002
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:16:24 2006
Subject: SV: Installation questions..
Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EC63@lkl22.ltkalmar.se>

Just thought of one more question, how to handle the time set. Can't figure out what is best, to put bios clock to GMT and then tell RH to use UTC+1 or use local time.

/Anders

> -----Original Message-----
> From: Anders Andersson, IT [mailto:andersan@LTKALMAR.SE]
> Sent: 11 November 2002 12:45
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: SV: Installation questions..
>
>
> > -----Original Message-----
> > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> > Sent: 11 November 2002 12:40
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Installation questions..
> >
> >
> > At 10:52 11/11/2002, you wrote:
> > >Server config:
> > >2x 1,4 GHz
> > >1256 Mb
> > >2x 18G scsi/raid1
> > >RH 8.0
> > >The servers will also work as DNS and DNS-caching servers
> > >
> > >Since I really don't have a clue how MS/SA works regarding language
> > >is there any point installing support for other language
> ie. swedish
> > >then english?
> >
> > MS/SA won't make much use of other languages. You can set the
> > character
> > encoding you want to use (probably ISO-8859-15 in your case) in
> > MailScanner.conf, and then just translate the reports into
> > Swedish. (Please
> > can you send me the translation results if you do this so I
> > can add them to
> > the distribution!)
>
> I sure will do that as soon as it's done....thanks Julian
>
> >
> > >What is the most busy dir for mailscanner so I can put that in the
> > >beginning of hard drive (mqueue/mqueue.in or the
> /urs/lib/MailScanner)?
> >
> > Doesn't make any difference these days as the "cylinder/head/sector"
> > address is totally artificial now as they are translated
> from the real
> > position on the disks.
> >
> > >Thinking of making separate partitions for mqueue in case I need
> > >to reinstall?
> >
> > I would advise putting /var/spool into a partition on its
> > own. That way
> > mqueue+mqueue.in are on the same partition, and sendmail will handle
> > gracefully odd things happening like your quarantine filling up.
> >
> > You might want to put /var/log on its own too, so rampant
> > logs don't knock
> > your server out.
> >
> > >Anything else I should consider or should not do?
> > >
> > >Kind regards
> > >
> > >/Anders
> >
> > --
> > Julian Field                Teaching Systems Manager
> > jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> > Tel. 023 8059 2817          University of Southampton
> >                             Southampton SO17 1BJ
> >
>

From andersan at LTKALMAR.SE Mon Nov 11 13:17:15 2002
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:16:24 2006
Subject: SV: Installation questions..
Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EC67@lkl22.ltkalmar.se>

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>
> At 10:52 11/11/2002, you wrote:
> >Server config:
> >2x 1,4 GHz
> >1256 Mb
> >2x 18G scsi/raid1
> >RH 8.0
> >The servers will also work as DNS and DNS-caching servers
> >
> >Since I really don't have a clue how MS/SA works regarding language
> >is there any point installing support for other language ie. swedish
> >then english?
>
> MS/SA won't make much use of other languages. You can set the
> character
> encoding you want to use (probably ISO-8859-15 in your case) in
> MailScanner.conf, and then just translate the reports into
> Swedish. (Please
> can you send me the translation results if you do this so I
> can add them to
> the distribution!)
>
> >What is the most busy dir for mailscanner so I can put that in the
> >beginning of hard drive (mqueue/mqueue.in or the /urs/lib/MailScanner)?
>
> Doesn't make any difference these days as the "cylinder/head/sector"
> address is totally artificial now as they are translated from the real
> position on the disks.
>
> >Thinking of making separate partitions for mqueue in case I need
> >to reinstall?
>
> I would advise putting /var/spool into a partition on its
> own. That way
> mqueue+mqueue.in are on the same partition, and sendmail will handle
> gracefully odd things happening like your quarantine filling up.

Is there any idea of making /var/spool/MailScanner or.../quarantine a separate partition or just make /var/spool big enough to handle both quarantine etc... say like 10 G's

>
> You might want to put /var/log on its own too, so rampant
> logs don't knock
> your server out.
>
> >Anything else I should consider or should not do?
> >
> >Kind regards
> >
> >/Anders
>
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ
>

From x.mailscanner.mail at MELLONI.COM Mon Nov 11 14:09:50 2002
From: x.mailscanner.mail at MELLONI.COM (Bruno)
Date: Thu Jan 12 21:16:24 2006
Subject: Virus-carrying spam
Message-ID: <200211111409.gABE9nX20397@ori.rl.ac.uk>

In case nobody noticed yet, I'd like to bring to your attention that spam and viruses are no longer separate issues. One of my accounts has been consistently receiving spam that carries the Klez virus for the last week. Mailscanner seems to stop it fine, but it is a disturbing new development and I thought it should be mentioned.

From mailscanner at ecs.soton.ac.uk Mon Nov 11 14:44:05 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:24 2006
Subject: SV: Installation questions..
In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263EC67@lkl22.ltkalmar.se >
Message-ID: <5.1.0.14.2.20021111144118.044eff80@imap.ecs.soton.ac.uk>

At 13:17 11/11/2002, you wrote:
> > -----Original Message-----
> > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> >
> > At 10:52 11/11/2002, you wrote:
> > >Server config:
> > >2x 1,4 GHz
> > >1256 Mb
> > >2x 18G scsi/raid1
> > >RH 8.0
> > >The servers will also work as DNS and DNS-caching servers
> > >
> > >Since I really don't have a clue how MS/SA works regarding language
> > >is there any point installing support for other language ie. swedish
> > >then english?
> >
> > MS/SA won't make much use of other languages. You can set the
> > character
> > encoding you want to use (probably ISO-8859-15 in your case) in
> > MailScanner.conf, and then just translate the reports into
> > Swedish. (Please
> > can you send me the translation results if you do this so I
> > can add them to
> > the distribution!)
> >
> > >What is the most busy dir for mailscanner so I can put that in the
> > >beginning of hard drive (mqueue/mqueue.in or the /urs/lib/MailScanner)?
> >
> > Doesn't make any difference these days as the "cylinder/head/sector"
> > address is totally artificial now as they are translated from the real
> > position on the disks.
> >
> > >Thinking of making separate partitions for mqueue in case I need
> > >to reinstall?
> >
> > I would advise putting /var/spool into a partition on its
> > own. That way
> > mqueue+mqueue.in are on the same partition, and sendmail will handle
> > gracefully odd things happening like your quarantine filling up.
>
>Is there any idea of making /var/spool/MailScanner or.../quarantine
>a separate partition or just make /var/spool big enough to handle
>both quarantine etc... say like 10 G's

If you put incoming and quarantine on the same partition as the mqueue.in and mqueue, then just before you run out of disk space sendmail will stop accepting incoming connections until you give it more space. So you don't
a) risk message corruption caused by not having enough space to extract the attachments
b) risk data loss by not having a full quarantine

In MailScanner I intentionally do not watch for disk full errors because
1) it's very hard to do portably
2) sendmail is very good at it already

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From Richard.Lush at HP.COM Mon Nov 11 14:55:59 2002
From: Richard.Lush at HP.COM (Lush, Richard)
Date: Thu Jan 12 21:16:24 2006
Subject: Virus-carrying spam
Message-ID:

I don't agree that they are the same issue. Viruses are starting to use spam techniques but they are still separate issues. A spam message won't delete files but a virus will.

That account that is receiving a klez it is not receiving spam, it is receiving a virus.

Just my two pence worth.

Richard

-----Original Message-----
From: Bruno [mailto:x.mailscanner.mail@MELLONI.COM]
Sent: 11 November 2002 14:10
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Virus-carrying spam

In case nobody noticed yet, I'd like to bring to your attention that spam and viruses are no longer separate issues. One of my accounts has been consistently receiving spam that carries the Klez virus for the last week. Mailscanner seems to stop it fine, but it is a disturbing new development and I thought it should be mentioned.

From gavin at NETERGY.COM Mon Nov 11 15:04:56 2002
From: gavin at NETERGY.COM (Gavin Nelmes-Crocker)
Date: Thu Jan 12 21:16:24 2006
Subject: Bogofilter
Message-ID:

Hi

Is it possible to use this http://bogofilter.sourceforge.net/bogofilter-faq.html in place of or as well as SpamAssassin - what are people's thoughts on how this works good/bad etc.

Thanks

Gavin

From mailscanner at ecs.soton.ac.uk Mon Nov 11 15:24:35 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:24 2006
Subject: Bogofilter
In-Reply-To:
Message-ID: <5.1.0.14.2.20021111152327.062a0ec0@imap.ecs.soton.ac.uk>

At 15:04 11/11/2002, you wrote:
>Is it possible to use this
>http://bogofilter.sourceforge.net/bogofilter-faq.html in place of or as well
>as SpamAssassin - what are people's thoughts on how this works good/bad etc.

The SpamAssassin folks have plans to include Bayesian techniques in their filtering engine at some point, so I didn't really investigate this any further.

If lots of people want it and can confirm that it is worth all the effort required, then I'll take a look.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From ipswitch at APK.NET Mon Nov 11 15:39:04 2002
From: ipswitch at APK.NET (Stuart Krivis)
Date: Thu Jan 12 21:16:24 2006
Subject: Bogofilter
In-Reply-To:
References:
Message-ID: <333845968.1037011144@[10.1.3.2]>

--On Monday, November 11, 2002 3:04 PM +0000 Gavin Nelmes-Crocker wrote:

>
> Is it possible to use this
> http://bogofilter.sourceforge.net/bogofilter-faq.html in place of or as
> well as SpamAssassin - what are people's thoughts on how this works
> good/bad etc.

bogofilter won't run anywhere other than Linux so that limits things a bit. It also doesn't really fit very well into a standard mail setup. It certainly can't really be used as you would use MailScanner and/or SpamAssassin within the MTA. It fits in much better at the MUA level, but then you have to worry about how to integrate it with the myriad e-mail clients in use....

--
Stuart Krivis                  Hostmaster and Purchasing Manager
APK Net, Inc.                  216-241-7166 Voice
1621 Euclid Ave., Suite 1230   216-241-7522 FAX
Cleveland, OH 44115

From ipswitch at APK.NET Mon Nov 11 15:42:23 2002
From: ipswitch at APK.NET (Stuart Krivis)
Date: Thu Jan 12 21:16:24 2006
Subject: Bogofilter
In-Reply-To: <5.1.0.14.2.20021111152327.062a0ec0@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20021111152327.062a0ec0@imap.ecs.soton.ac.uk>
Message-ID: <334045296.1037011343@[10.1.3.2]>

--On Monday, November 11, 2002 3:24 PM +0000 Julian Field wrote:

> At 15:04 11/11/2002, you wrote:
>> Is it possible to use this
>> http://bogofilter.sourceforge.net/bogofilter-faq.html in place of or as
>> well as SpamAssassin - what are people's thoughts on how this works
>> good/bad etc.
>
> The SpamAssassin folks have plans to include Bayesian techniques in their
> filtering engine at some point, so I didn't really investigate this any
> further.

I don't see how they're going to work that, unless they plan to apply it to an entire server, in which case you lose much of the benefit.

--
Stuart Krivis                  Hostmaster and Purchasing Manager
APK Net, Inc.                  216-241-7166 Voice
1621 Euclid Ave., Suite 1230   216-241-7522 FAX
Cleveland, OH 44115

From lbergman at wtxs.net Mon Nov 11 16:33:42 2002
From: lbergman at wtxs.net (Lewis Bergman)
Date: Thu Jan 12 21:16:24 2006
Subject: Bogofilter
In-Reply-To:
References:
Message-ID: <200211111033.42360.lbergman@wtxs.net>

On Monday 11 November 2002 09:04 am, Gavin Nelmes-Crocker wrote:
> Hi
>
> Is it possible to use this
> http://bogofilter.sourceforge.net/bogofilter-faq.html in place of or as
> well as SpamAssassin - what are people's thoughts on how this works good/bad
> etc.

There doesn't seem to be enough info available on the site to say one way or the other.

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
915-695-6962 ext 115

From mrl at GENSTEAM.COM Mon Nov 11 19:55:18 2002
From: mrl at GENSTEAM.COM (Mary Ross Lynch)
Date: Thu Jan 12 21:16:24 2006
Subject: how to install vipul's razor
Message-ID: <007701c289bc$42ebc5c0$370410ac@ns.uu.net>

I am running the latest versions of MailScanner/Sophos/Spamassassin on RedHat 7.0 with sendmail to scan email messages as they pass the mail gateway. Everything working great.

However, I would like to add Vipul's Razor to the mix. And wonder what I should install to do this. I have looked around the various sites, but can't quite figure out what should be installed...

I did find this quote on a spamassassin site:

"Spamassassin will detect whether Razor is available and, by default, use it if so."

Would appreciate any help,

Thanks,

Mary R. Lynch
Systems Administrator
General Steamship Corp.

From mkettler at EVI-INC.COM Mon Nov 11 20:55:17 2002
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:16:24 2006
Subject: how to install vipul's razor
In-Reply-To: <007701c289bc$42ebc5c0$370410ac@ns.uu.net>
Message-ID: <5.1.1.6.0.20021111154609.01fa5138@192.168.50.2>

Just download the razor-agents tarball from razor.sf.net and install it as per the directions in the INSTALL file. Done.

The perl modules needed by razor can be installed from CPAN like the documentation says, but they leave out that the command to get into cpan is:

perl -MCPAN -e shell

you can then do:

install Net::Ping
install Net::DNS

etc. (the full list is in the INSTALL file).

SpamAssassin will automatically use razor if it's installed, just like they say. No additional configuration is necessary, although if you want to tweak your razor settings you'll have to edit the razor-agent.conf file, but it's not really necessary.

If you want to test if SpamAssassin is using razor run:

spamassassin -tD

>I am running the latest versions of MailScanner/Sophos/Spamassassin on
>RedHat 7.0 with
>sendmail to scan email messages as they pass the mail gateway. Everything
>working great.
>
>However, I would like to add Vipul's Razor to the mix. And wonder what I
>should install
>to do this. I have looked around the various sites, but can't quite figure
>out what
>should be installed...
>
>I did find this quote on a spamassassin site:
>
>"Spamassassin will detect whether Razor is available and, by default, use
>it if so."
>
>Would appreciate any help,
>
>Thanks,
>
>Mary R. Lynch
>Systems Administrator
>General Steamship Corp.

From srusin at ICONTECH.COM Mon Nov 11 21:08:49 2002
From: srusin at ICONTECH.COM (Steve Rusin) Date: Thu Jan 12 21:16:24 2006 Subject: white/black list question... Message-ID: <5.1.1.6.0.20021111160329.02ce5118@elvis.icontech.com> Does the latest version of MailScanner allow me to scan or not scan mail not only from a specific user, but to a specific user? I want to implement a "This mail is/is not spam" option, and I'd like to do something like this in the white list file: toandfrom: myemail@mydomain.com not_a_spammer@other_domain.com yes so that any mail coming to myemail@mydomain from not_a_spammer@other_domain.com will not be scanned, however if the mail was coming from not_a_spammer@other_domain.com to another_email@mydomain.com, it would be scanned. My apologies if this has already been covered, I searched the archives to no avail. Thanks, STeve ------------------------------- Stephen Rusin srusin@icontech.com Programmer Icon Technologies, Inc. http://www.icontech.com p: 570.876.6908 f: 570.876.8538 ------------------------------- 09.11.2001 - Remember. From mailscanner at ecs.soton.ac.uk Mon Nov 11 21:48:10 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:24 2006 Subject: white/black list question... In-Reply-To: <5.1.1.6.0.20021111160329.02ce5118@elvis.icontech.com> Message-ID: <5.1.0.14.2.20021111214450.03db0e80@imap.ecs.soton.ac.uk> At 21:08 11/11/2002, you wrote: >Does the latest version of MailScanner allow me to scan or not scan mail >not only from a specific user, but to a specific user? I want to implement >a "This mail is/is not spam" option, and I'd like to do something like this >in the white list file: > >toandfrom: myemail@mydomain.com not_a_spammer@other_domain.com yes > >so that any mail coming to myemail@mydomain from >not_a_spammer@other_domain.com will not be scanned, however if the mail was >coming from not_a_spammer@other_domain.com to another_email@mydomain.com, >it would be scanned. The rules only currently allow 1 address to match, not combinations of addresses (the whole system could get absurdly complex!). However, if you are up to writing a teeny bit of Perl code, you can do this with a custom function in CustomConfig.pm. This could even read the relevant matching email addresses from a database if you wanted. How many different combinations of this sort of rule are you trying to handle? 1, 5, 5000? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mrl at GENSTEAM.COM Mon Nov 11 23:02:47 2002 From: mrl at GENSTEAM.COM (Mary Ross Lynch) Date: Thu Jan 12 21:16:24 2006 Subject: how to install vipul's razor In-Reply-To: <5.1.1.6.0.20021111154609.01fa5138@192.168.50.2> Message-ID: <003d01c289d6$73774c40$370410ac@ns.uu.net> Thanks very much, Matt. Will try it now. Mary -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Matt Kettler Sent: Monday, November 11, 2002 12:55 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: how to install vipul's razor Just download the razor-agents tarball from razor.sf.net and install it as per the directions in the INSTALL file. Done. The perl modules needed by razor can be installed from CPAN like the documentation says, but they leave out that the command to get into cpan is: perl -MCPAN -e shell you can then do: install Net::Ping install Net::DNS etc. (the full list is in the INSTALL file). SpamAssassin will automatically use razor if it's installed, just like they say. No additional configuration is necessary, although if you want to tweak your razor settings you'll have to edit the razor-agent.conf file, but it's not really necessary. If you want to test if SpamAssassin is using razor run: spamassassin -tD I am running the latest versions of MailScanner/Sophos/Spamassassin on >RedHat 7.0 with >sendmail to scan email messages as they pass the mail gateway. Everything >working great. > >However, I would like to add Vipul's Razor to the mix. And wonder what I >should install >to do this. I have looked around the various sites, but can't quite figure >out what >should be installed... > >I did find this quote on a spamassassin site: > >"Spamassassin will detect whether Razor is available and, by default, use >it if so." > >Would appreciate any help, > >Thanks, > >Mary R. Lynch >Systems Administrator >General Steamship Corp. From robert at VCT.SI Tue Nov 12 11:53:37 2002 
From: robert at VCT.SI (Robert) Date: Thu Jan 12 21:16:24 2006 Subject: IFrame tags Message-ID: <3DD0F9D1.14025.5608232@localhost> Hi Recently there was a discussion on IFrame tags in e-mails, but I still don't get it. If you allow IFrame tags in MailScanner, and the incoming mail with IFrame tag is infected, the virus scanner should intercept it, right? As far as I can see, the only time the "Allow IFrame Tags" option is useful is when there is a quickly spreading new virus (exploiting this vulnerability) and my virus scanner is not yet updated with new definitions. Am I missing something here? -- Robert Manfreda VCT d.o.o., Idrija From brian at PORTSMOUTH-COLLEGE.AC.UK Tue Nov 12 13:40:06 2002 From: brian at PORTSMOUTH-COLLEGE.AC.UK (Brian Chivers - ICT Support Officer Portsmouth College) Date: Thu Jan 12 21:16:24 2006 Subject: Licensing References: <3DCF7B81.7000906@chelle.nu> Message-ID: <006501c28a51$02d51be0$65c8a8c0@portsmouthcollege.ac.uk> We run Sophos. As an educational establishment we get very good pricing. Brian Chivers ----- Original Message ----- From: "Henrik Kjellsson" To: Sent: Monday, November 11, 2002 9:42 AM Subject: Licensing Hi! This might be a bit Off Topic. A customer of the company that I work for has asked for a new mail security solution and of course I thought of Mailscanner. However the company is a bit cost-sensitive and can not afford an expensive solution. So I'm wondering what kind of licenses for the antivirus software do you use on your sites? /Chelle -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From brose at MED.WAYNE.EDU Tue Nov 12 13:47:42 2002 
From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:16:24 2006 Subject: IFrame tags Message-ID: Someone can correct me if I'm wrong, but I believe the problem is that IFRAME can be used to reference a URL to a remote system and doesn't need to contain executable code. The IFRAME can cause the email client to download and execute the code from that remote system so a virus scanner on a mail gateway is ineffective because the message doesn't include the code. -----Original Message----- From: Robert [mailto:robert@VCT.SI] Sent: Tuesday, November 12, 2002 6:54 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: IFrame tags Hi Recently there was a discussion on IFrame tags in e-mails, but I still don't get it. If you allow IFrame tags in MailScanner, and the incoming mail with IFrame tag is infected, the virus scanner should intercept it, right? As far as I can see, the only time the "Allow IFrame Tags" option is useful is when there is a quickly spreading new virus (exploiting this vulnerability) and my virus scanner is not yet updated with new definitions. Am I missing something here? -- Robert Manfreda VCT d.o.o., Idrija From novirus at CARLO65.DE Tue Nov 12 14:02:10 2002 
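Added example, not part of the original posts and not MailScanner's own code: a small gateway-side check for the case described in the message above, where an HTML part carries an IFRAME pointing at a remote URL while the message has no attachment for a virus scanner to inspect. The sample message, the addresses, and the names scan_message and violates_policy are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: no attachments, one HTML part with a remote IFRAME.
SAMPLE = b"""\
From: sender@example.net
To: user@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Plain text part.
--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Hello</p>
<IFRAME SRC="http://remote.example/page" width=0 height=0></IFRAME>
</body></html>
--b1--
"""

REMOTE_SCHEMES = ("http", "https", "ftp")


class IframeFinder(HTMLParser):
    """Collects the src attribute of every <iframe> start tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so <IFRAME SRC=...> matches.
        if tag == "iframe":
            self.sources.append(dict(attrs).get("src") or "")


def scan_message(raw):
    """Return the attachment names and IFRAME references found in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"attachments": [], "iframes": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            # This is the material a file-based virus scanner would be handed.
            report["attachments"].append(name)
        if part.get_content_type() == "text/html":
            finder = IframeFinder()
            finder.feed(part.get_content())
            finder.close()
            for src in finder.sources:
                scheme = urlparse(src).scheme.lower()
                remote = scheme in REMOTE_SCHEMES or src.startswith("//")
                report["iframes"].append({"src": src, "remote": remote})
    return report


def violates_policy(report, allow_iframe=False):
    """Hypothetical policy switch modelled on the "Allow IFrame Tags" idea."""
    return bool(report["iframes"]) and not allow_iframe


if __name__ == "__main__":
    result = scan_message(SAMPLE)
    print("attachments for the virus scanner:", result["attachments"])
    print("iframe references:", result["iframes"])
    print("blocked when IFrame tags are not allowed:", violates_policy(result))
```

The report for the sample lists no attachments and one remote IFRAME, which is the situation where only a tag-level rule at the gateway can act on the message.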
From: novirus at CARLO65.DE (Roland Ehle) Date: Thu Jan 12 21:16:24 2006 Subject: IFrame tags In-Reply-To: References: Message-ID: <1037109730.6484.33.camel@linroute> Hi, On Tue, 2002-11-12 at 14:47, Rose, Bobby wrote: > Someone can correct me if I'm wrong, but I believe the problem is that > IFRAME can be used to reference a URL to a remote system and doesn't need > to contain executable code. The IFRAME can cause the email client to > download and execute the code from that remote system so a virus > scanner on a mail gateway is ineffective because the message doesn't > include the code. Exactly, this is the problem. The infected code will not be found during the download with the MUA, only in a full system scan. I decided not to allow IFrame and my customers are happy with it. You just need a good explanation for the reason. Regards, Roland From Jan-Peter.Koopmann at SECEIDOS.DE Tue Nov 12 13:59:25 2002 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:16:24 2006 Subject: reporting to Razor/Pyzor Message-ID: <4E7026FF8A422749B1553FE508E0068004ABA3@message.intern.akctech.de> Hi, is there a way to tell MailScanner to report Spam to Razor/Pyzor e.g. via SpamAssassin? Thanks, JP -- ------------------------------------------------------------------------ ------- Seceidos GmbH | Jan-Peter Koopmann | Senior Engineer Wilhelminenstr. 2 | Tel.: +49 (6151) 66843-43 64283 Darmstadt | +49 (6151) 9511-252 (24H VoiceCenter) Germany | Fax: +49 (6151) 66843-52 ------------------------------------------------------------------------ ------- From LISTSERV at JISCMAIL.AC.UK Tue Nov 12 14:18:26 2002 
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:16:24 2006 Subject: MAILSCANNER: srusin@ICONTECH.COM left the list Message-ID: <200211121419.OAA16407@magpie.ecs.soton.ac.uk> Tue, 12 Nov 2002 14:18:26 Stephen Rusin has just signed off the MAILSCANNER list (MailScanner mailing list). ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From lsu at DC.LUTH.SE Tue Nov 12 15:11:38 2002 
From: lsu at DC.LUTH.SE (Lennart Sundström) Date: Thu Jan 12 21:16:24 2006 Subject: F-secure logging In-Reply-To: Your message of Tue, 05 Nov 2002 14:53:06 GMT. <5.1.0.14.2.20021105145207.03ff3b50@imap.ecs.soton.ac.uk> Message-ID: <200211121511.gACFBenG018970@samson.dc.luth.se> Do you have a patch for that? -- Lennart Sundstrom, Incident Response Team, Luleå University of Technology, S-971 87 Luleå, Sweden Tel: +46 920 492 528 Email: lsu@dc.luth.se On Tue, 05 Nov 2002 14:53:06 GMT, Julian Field wrote: > I have just added virus name logging for F-Secure. > Please don't all ask for the others, some of them are almost impossible due > to badly-designed virus scanner output by the manufacturers. > > At 12:57 05/11/2002, you wrote: > >On Tuesday 05 November 2002 03:01 am, Carl Boberg wrote: > > > Hi, > > > > > > Im trying really hard to make my F-secure log to the maillog as other > > > scanners do, like: > > > > > > Nov 4 17:15:31 host-2 MailScanner[1163]: >>> Virus 'W32/Klez-H' found in > > > file ./gA4HFT803745/coords.scr > > > > > > (this is a Sophos log entry) > > > > > > Has anyone any knowledge about how this could be done? > >Well, The code that does the following should be in the next release I would > >guess. > > > >Nov 5 06:52:41 ns2 MailScanner[8374]: Virus and Content Scanning: Starting > >Nov 5 06:52:41 ns2 MailScanner[8374]: > >/var/spool/MailScanner/incoming/8374/gA5Cqch11332/eicar_com.zip->eicar.com > >Infection: EICAR_Test_File > >Nov 5 06:52:41 ns2 MailScanner[8374]: Virus Scanning: F-Prot found virus > >EICAR_Test_File > >Nov 5 06:52:41 ns2 MailScanner[8374]: Virus Scanning: f-prot found 1 > >infections > >Nov 5 06:52:41 ns2 MailScanner[8374]: Virus Scanning: Found 1 viruses > >Nov 5 06:52:41 ns2 MailScanner[8374]: Saved infected "eicar_com.zip" to > >/var/spool/MailScanner/quarantine/20021105/gA5Cqch11332 > > > >This is with f-prot but my output from the wrapper looks identical to yours so > >I would guess you might get the same output. 
> >-- > >Lewis Bergman > >Texas Communications > >4309 Maple St. > >Abilene, TX 79602-8044 > >915-695-6962 ext 115 > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From lbergman at wtxs.net Tue Nov 12 16:23:03 2002 From: lbergman at wtxs.net (Lewis Bergman) Date: Thu Jan 12 21:16:24 2006 Subject: F-secure logging In-Reply-To: <200211121511.gACFBenG018970@samson.dc.luth.se> References: <200211121511.gACFBenG018970@samson.dc.luth.se> Message-ID: <200211121023.03653.lbergman@wtxs.net> On Tuesday 12 November 2002 09:11 am, Lennart Sundström wrote: > Do you have a patch for that? As I said I am sure it will be in the next release. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From mk at quadstone.com Tue Nov 12 16:37:17 2002 From: mk at quadstone.com (Michael Keightley) Date: Thu Jan 12 21:16:25 2006 Subject: Bad attachments not being removed in V4.05-3 Message-ID: <20021112163717.GA17388@quadstone.com> We are currently using MailScanner V3.24-1 and have just tried out V4.05-3. We don't have a Virus scanner on our mail gateway, but do want to quarantine attachments specified in filename.rules.conf. In V3.24 this works, in V4.05-3 the bad attachments are not quarantined. We have "Virus Scanning = no" set in both versions. What's changed? Michael -- Michael Keightley Tel: +44 131 220 4491 Systems Manager, Quadstone Limited, Fax: +44 131 220 4492 16 Chester Street, Edinburgh EH3 7RA, Scotland http://www.quadstone.com From mailscanner at ecs.soton.ac.uk Tue Nov 12 16:55:03 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:25 2006 Subject: Bad attachments not being removed in V4.05-3 In-Reply-To: <20021112163717.GA17388@quadstone.com> Message-ID: <5.1.0.14.2.20021112165354.05003308@imap.ecs.soton.ac.uk> At 16:37 12/11/2002, you wrote: >We are currently using MailScanner V3.24-1 and have just tried out V4.05-3. >We don't have a Virus scanner on our mail gateway, but do want to quarantine >attachments specified in filename.rules.conf. >In V3.24 this works, in V4.05-3 the bad attachments are not quarantined. > >We have "Virus Scanning = no" set in both versions. > >What's changed? Pretty much everything :-) I re-wrote it from scratch. You won't get far trying to use a mailscanner.conf from version 3 on version 4. I suggest you go through the version 4 conf file carefully. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Nov 12 16:53:26 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:25 2006 Subject: reporting to Razor/Pyzor In-Reply-To: <4E7026FF8A422749B1553FE508E0068004ABA3@message.intern.akct ech.de> Message-ID: <5.1.0.14.2.20021112165248.0500afa0@imap.ecs.soton.ac.uk> At 13:59 12/11/2002, you wrote: >is there a way to tell MailScanner to report Spam to Razor/Pyzor e.g. via >SpamAssassin? *Please* search the list archives before you post questions to the list. This subject was discussed less than 24 hours ago! -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From billa at STERLING.NET Tue Nov 12 17:48:51 2002 
From: billa at STERLING.NET (Bill Anderson) Date: Thu Jan 12 21:16:25 2006 Subject: F-prot Enterprise Message-ID: Will mailscanner work with the enterprise (daemonized) version of F-prot? Is anyone running this with any success? Thanks. From mailscanner at ecs.soton.ac.uk Tue Nov 12 17:58:12 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:25 2006 Subject: F-prot Enterprise In-Reply-To: Message-ID: <5.1.0.14.2.20021112175345.02e27fb8@imap.ecs.soton.ac.uk> At 17:48 12/11/2002, you wrote: >Will mailscanner work with the enterprise (daemonized) version of F-prot? >Is anyone running this with any success? Thanks. I wrote some support for the Enterprise (daemon) version. Then I speed-tested it. Then I removed support again :-) At low loads it doesn't matter which of the daemon or the command-line scanner is faster. All that happens is your message batch size is a bit bigger. At high loads, you have large message batches (up to the maximum configured in your MailScanner.conf). MailScanner handles large batches more efficiently than small batches (it only calls the scanner once for each batch) so its efficiency actually improves as the load gets bigger. With large message batches, it is faster to call the command-line scanner than the daemon, as you have to squirt all the file locations into a socket to talk to the daemon, which is actually quite slow. So the summary is that I don't support it because you don't want to be using it. Just buy the Small Business Edition and save your money. A winner all round, methinks :-) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From combslm at APPSTATE.EDU Tue Nov 12 18:35:32 2002 
From: combslm at APPSTATE.EDU (Laramie Combs) Date: Thu Jan 12 21:16:25 2006 Subject: virus name in postmaster report Message-ID: <002601c28a7a$4baa4b50$160c0a98@maverick> Hello all, I am from Appalachian State University in Boone, NC (USA) and we are currently using the latest 3.x version of Mailscanner. We love the product, and are impressed with the time and effort that Julian (and others) have obviously put into this. I was wondering if there is a way to get the virus name into the subject of the email that gets sent to "postmaster" when a virus is detected. I searched the list archives, and didn't really find anything on it. We are using Sophos for anti-virus if this helps. Thanks for all your hard work Julian. -Laramie Combs Network Analyst From Jan-Peter.Koopmann at SECEIDOS.DE Tue Nov 12 18:52:23 2002 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:16:25 2006 Subject: AW: reporting to Razor/Pyzor Message-ID: <4E7026FF8A422749B1553FE508E00680053D25@message.intern.akctech.de> > *Please* search the list archives before you post questions to the list. > This subject was discussed less than 24 hours ago! I am too blind then. *Please* tell me the ID or what to search for? If I search for Razor or Pyzor the next things I find are from June... From mk at QUADSTONE.COM Tue Nov 12 18:57:34 2002 
From: mk at QUADSTONE.COM (Michael Keightley) Date: Thu Jan 12 21:16:25 2006 Subject: Bad attachments not being removed in V4.05-3 In-Reply-To: <5.1.0.14.2.20021112165354.05003308@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20021112165354.05003308@imap.ecs.soton.ac.uk> Message-ID: <1037127454.3dd14f1ef1cee@edinmail.quadstone.com> Quoting Julian Field : > At 16:37 12/11/2002, you wrote: > >We are currently using MailScanner V3.24-1 and have just tried out V4.05-3. > >We don't have a Virus scanner on our mail gateway, but do want to > quarantine > >attachments specified in filename.rules.conf. > >In V3.24 this works, in V4.05-3 the bad attachments are not quarantined. > > > >We have "Virus Scanning = no" set in both versions. > > > >What's changed? > > Pretty much everything :-) > I re-wrote it from scratch. > > You won't get far trying to use a mailscanner.conf from version 3 on version > 4. > I suggest you go through the version 4 conf file carefully. I did use the version 4 config files with version 4. Michael > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > -- Michael Keightley Tel: +44 131 240 3137 Systems Manager, Quadstone Limited, Fax: +44 131 220 4492 16 Chester Street, Edinburgh EH3 7RA, Scotland http://www.quadstone.com From mailscanner at ecs.soton.ac.uk Tue Nov 12 19:15:26 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:25 2006 Subject: virus name in postmaster report In-Reply-To: <002601c28a7a$4baa4b50$160c0a98@maverick> Message-ID: <5.1.0.14.2.20021112191041.01fb2740@imap.ecs.soton.ac.uk> At 18:35 12/11/2002, you wrote: >I am from Appalachian State University in Boone, NC (USA) and we are >currently using the latest 3.x version of Mailscanner. > >We love the product, and are impressed with the time and effort that >Julian (and others) have obviously put into this. Thank you. >I was wondering if there is a way to get the virus name into the subject >of the email that gets sent to "postmaster" when a virus is detected. If you send all the postmaster notifications to 1 mailbox, then it's dead easy to extract them anyway. To get a list of viruses with the number of each that has been caught, sorted with most common at the top, just use a script like this:

    #!/bin/sh
    # Pick the ">>> Virus '...' found" lines out of the notification mailbox,
    # keep the text between the first pair of single quotes (the virus name),
    # then count each name and list the most common first.
    fgrep '>>>' Mail/Archive/Viruses | \
      cut -d\' -f2 | \
      sort | \
      uniq -c | \
      sort -nr

This should work fine for Sophos. > Thanks for all your hard work Julian. No worries. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Nov 12 19:16:51 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:25 2006 Subject: AW: reporting to Razor/Pyzor In-Reply-To: <4E7026FF8A422749B1553FE508E00680053D25@message.intern.akct ech.de> Message-ID: <5.1.0.14.2.20021112191626.03777f50@imap.ecs.soton.ac.uk> At 18:52 12/11/2002, you wrote: > > *Please* search the list archives before you post questions to the >list. > > This subject was discussed less than 24 hours ago! > >I am too blind then. *Please* tell me the ID or what to search for? If I >search for Razor or Pyzor the next things I find are from June... The thread from last night had the subject Re: how to install vipul's razor -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Nov 12 19:17:42 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:25 2006 Subject: Bad attachments not being removed in V4.05-3 In-Reply-To: <1037127454.3dd14f1ef1cee@edinmail.quadstone.com> References: <5.1.0.14.2.20021112165354.05003308@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021112165354.05003308@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20021112191702.01fe6810@imap.ecs.soton.ac.uk> At 18:57 12/11/2002, you wrote: >Quoting Julian Field : > > At 16:37 12/11/2002, you wrote: > > >We are currently using MailScanner V3.24-1 and have just tried out > V4.05-3. > > >We don't have a Virus scanner on our mail gateway, but do want to > > quarantine > > >attachments specified in filename.rules.conf. > > >In V3.24 this works, in V4.05-3 the bad attachments are not quarantined. > > > > > >We have "Virus Scanning = no" set in both versions. > > > > > >What's changed? > > > > Pretty much everything :-) > > I re-wrote it from scratch. > > > > You won't get far trying to use a mailscanner.conf from version 3 on > version > > 4. > > I suggest you go through the version 4 conf file carefully. >I did use the version 4 config files with version 4. In which case mail me your conf file(s) and I'll take a look for you. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From todd.williams at TFCCI.COM Tue Nov 12 19:24:21 2002 
From: todd.williams at TFCCI.COM (Todd Williams) Date: Thu Jan 12 21:16:25 2006 Subject: Question regarding 4.05-3 and virus scanner lock files Message-ID: <01b901c28a81$1ae9cf20$c802a8c0@toddntbox.tfcc.com> Hi, I have a few questions about the antivirus locking file mechanisms. I'm running 4.05-3 on a Redhat test/development box with McAfee uvscan and found that the last time I sent a message, it made this lock file in /tmp/McAfeeBusy.lock : # ls -alrt /tmp ... -rw------- 1 root root 50 Nov 11 17:33 McAfeeBusy.lock ... # cat /tmp/McAfeeBusy.lock Virus checker locked for scanning by mcafee 27087 Process 27087 is still running (a MailScanner child), but there have been no messages coming into this machine (test box). The last message received was around the same time the lock file was created. The issue (I think?) is, whenever the last test message was sent through, the MailScanner checked the message for viruses, and left the lock file laying around. Is this normal behaviour? Should it not unlock/unlink the file when it's completed? Are the MailScanner processes limited to running one copy of the virus scanner at a time? Also, what happens when the mcafee-autoupdate script attempts to run -- will it bail and fail to run properly because the lockfile exists? I'm also considering changing the default lock file directory to /var/lock - there should not be any issues there, right? Thanks in advance, Todd P.S. MailScanner is a wonderful thing!! From mailscanner at ecs.soton.ac.uk Tue Nov 12 19:36:58 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:25 2006 Subject: Question regarding 4.05-3 and virus scanner lock files In-Reply-To: <01b901c28a81$1ae9cf20$c802a8c0@toddntbox.tfcc.com> Message-ID: <5.1.0.14.2.20021112193128.0390a138@imap.ecs.soton.ac.uk> At 19:24 12/11/2002, you wrote: >I have a few questions about the antivirus locking file mechanisms. I'm >running 4.05-3 on a Redhat test/development box with McAfee uvscan and found >that the last time I sent a message, it made this lock file in >/tmp/McAfeeBusy.lock : > ># ls -alrt /tmp >... >-rw------- 1 root root 50 Nov 11 17:33 McAfeeBusy.lock >... ># cat /tmp/McAfeeBusy.lock >Virus checker locked for scanning by mcafee 27087 > >Process 27087 is still running (a MailScanner child), but there have been no >messages coming into this machine (test box). The last message received was >around the same time the lock file was created. The issue (I think?) is, >whenever the last test message was sent through, the MailScanner checked the >message for viruses, and left the lock file laying around. Is this normal >behaviour? Yes. It doesn't bother deleting the lockfile as there is no need to. > Should it not unlock/unlink the file when it's completed? It unlocks it, but does not delete it. > Are >the MailScanner processes limited to running one copy of the virus scanner >at a time? No. MailScanner gets a "shared" lock on the file. Many shared locks can exist at once. You can't have any shared locks while someone has an "exclusive" lock on the file. The autoupdate scripts get an exclusive lock, thereby excluding all the MailScanner processes while they update the virus scanner. > Also, what happens when the mcafee-autoupdate script attempts to >run -- will it bail and fail to run properly because the lockfile exists? >I'm also considering changing the default lock file directory to /var/lock - >there should not be any issues there, right? 
You will need to set the location in the autoupdate script if you change it in MailScanner.conf. >P.S. MailScanner is a wonderful thing!! Thanks! Have you added a comment to the "guest book" on the web site yet? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From billa at STERLING.NET Tue Nov 12 20:05:14 2002 From: billa at STERLING.NET (Bill Anderson) Date: Thu Jan 12 21:16:25 2006 Subject: Mismarked mail - AWL Message-ID: How is scoring determined for AWL? I can find the scores for SMTPD_IN_RCVD, SPAM_PHRASE_00_01, USER_AGENT_OUTLOOK, however can't see what score is given to AWL. Why is it being triggered? This should be a valid email, which it is in version 3, however with version 4 it is being triggered. X-MailScanner-SpamCheck: SpamAssassin (score=7.7, required 5, AWL, SMTPD_IN_RCVD, SPAM_PHRASE_00_01, USER_AGENT_OUTLOOK) From mike at CAMAROSS.NET Tue Nov 12 20:07:08 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:16:25 2006 Subject: Mismarked mail - AWL In-Reply-To: Message-ID: AWL is AutoWhiteList -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Bill Anderson Sent: Tuesday, November 12, 2002 2:05 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Mismarked mail - AWL How is scoring determined for AWL? I can find the scores for SMTPD_IN_RCVD, SPAM_PHRASE_00_01, USER_AGENT_OUTLOOK, however can't see what score is given to AWL. Why is it being triggered? This should be a valid email, which it is in version 3, however with version 4 it is being triggered. X-MailScanner-SpamCheck: SpamAssassin (score=7.7, required 5, AWL, SMTPD_IN_RCVD, SPAM_PHRASE_00_01, USER_AGENT_OUTLOOK) From Jan-Peter.Koopmann at SECEIDOS.DE Tue Nov 12 20:14:56 2002 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:16:25 2006 Subject: AW: AW: reporting to Razor/Pyzor Message-ID: <4E7026FF8A422749B1553FE508E00680053D26@message.intern.akctech.de> > The thread from last night had the subject > Re: how to install vipul's razor I am aware of this thread but it does not answer my question: Is there a way to automatically report spam to razor/pyzor? I would love to automatically report high scoring spam. I know there once was an auto_report_threshold in SpamAssassin but it does not seem to be documented anymore. Moreover it said it only reported to razor. Thanks, JP From mike at CAMAROSS.NET Tue Nov 12 20:19:49 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:16:25 2006 Subject: AW: reporting to Razor/Pyzor In-Reply-To: <4E7026FF8A422749B1553FE508E00680053D26@message.intern.akctech.de> Message-ID: That would probably be the high score action...set your action in a ruleset. Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Jan-Peter Koopmann Sent: Tuesday, November 12, 2002 2:15 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: AW: AW: reporting to Razor/Pyzor > The thread from last night had the subject > Re: how to install vipul's razor I am aware of this thread but it does not answer my question: Is there a way to automatically report spam to razor/pyzor? I would love to automatically report high scoring spam. I know there once was an auto_report_threshold in SpamAssassin but it does not seem to be documented anymore. Moreover it said it only reported to razor. Thanks, JP From mkettler at EVI-INC.COM Tue Nov 12 20:48:37 2002 
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:16:25 2006 Subject: Mismarked mail - AWL In-Reply-To: References: Message-ID: <5.1.1.6.0.20021112153041.0192efa8@192.168.50.2> Well, the question wasn't "what is the AWL" it's "how is the AWL scored". Quite frankly it's my opinion that using the AWL with MailScanner is nothing short of broken. You can see my post under the subject "Re: [SAtalk] AWL broken in 2.43?" over on the SATalk list about one strong example of how the SA AWL breaks if you have a global AWL database, something which happens by necessity with MailScanner. I'd strongly recommend editing your MailScanner configs to disable the auto-whitelist. This is particularly catastrophic if you try to use any of SA's manual whitelisting features at the same time. As far as the AWL scoring method itself, the AWL is a system that tracks the average score of emails from a given sender/server IP combination. Each time an email arrives it is scored, and the AWL "pushes" the score of the individual email towards the average by a configurable factor. By default this "factor" is 0.5. So the final score of the email winds up being:

    (normal_score * (1-factor)) + (average_score * factor)

so in the case of .5 it splits the difference between the current email and the average. This causes users that consistently send spam to have their scores raised, and those that consistently send nonspam to have their scores lowered. Of course, you can see how if you have manual whitelists and a global AWL, in particular to: type whitelists, the AWL winds up averaging the effects of those settings to all users on the system. i.e.: if I ALL_SPAM_TO my postmaster account and a spammer spams postmaster, then 10 other users, he'll have a roughly -100 score average when he sends to the other 10. I've effectively created a way for spammers to site-wide whitelist themselves by spamming a particular account first. 
At 02:07 PM 11/12/2002 -0600, Mike Kercher wrote:
>AWL is AutoWhiteList
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
>Behalf Of Bill Anderson
>Sent: Tuesday, November 12, 2002 2:05 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Mismarked mail - AWL
>
>
>How is scoring determined for AWL? I can find the scores for SMTPD_IN_RCVD,
>SPAM_PHRASE_00_01, USER_AGENT_OUTLOOK, however can't see what score is given
>to AWL. Why is it being triggered? This should be a valid email, which it
>is in version 3, however with version 4 it is being triggered.
>
>X-MailScanner-SpamCheck: SpamAssassin (score=7.7, required 5, AWL,
>        SMTPD_IN_RCVD, SPAM_PHRASE_00_01, USER_AGENT_OUTLOOK)

From mailscanner at ecs.soton.ac.uk Tue Nov 12 21:02:08 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:25 2006
Subject: Mismarked mail - AWL
In-Reply-To: <5.1.1.6.0.20021112153041.0192efa8@192.168.50.2>
References:
Message-ID: <5.1.0.14.2.20021112210036.03782168@imap.ecs.soton.ac.uk>

Methinks I might want to change the default value in the distribution.
Thanks for doing the thorough analysis.

At 20:48 12/11/2002, you wrote:
>Well, the question wasn't "what is the AWL" it's "how is the AWL scored".
>
>Quite frankly it's my opinion that using the AWL with MailScanner is
>nothing short of broken. You can see my post under the subject "Re:
>[SAtalk] AWL broken in 2.43?" over on the SATalk list about one strong
>example of how the SA AWL breaks if you have a global AWL database,
>something which happens by necessity with MailScanner.
>
>I'd strongly recommend editing your MailScanner configs to disable the
>auto-whitelist.
>
>This is particularly catastrophic if you try to use any of SA's manual
>whitelisting features at the same time.
>
>As far as the AWL scoring method itself, the AWL is a system that tracks
>the average score of emails from a given sender/server IP combination. Each
>time an email arrives it is scored, and the AWL "pushes" the score of the
>individual email towards the average by a configurable factor. By default
>this "factor" is 0.5.
>
>So the final score of the email winds up being:
>
>(normal_score * (1-factor)) + (average_score * factor)
>
>so in the case of .5 it splits the difference between the current email and
>the average. This causes users that consistently send spam to have their
>scores raised, and those that consistently send nonspam to have their
>scores lowered.
>
>Of course, you can see how if you have manual whitelists and a global AWL,
>in particular to: type whitelists, the AWL winds up averaging the effects
>of those settings to all users on the system.
>
>i.e.: if I ALL_SPAM_TO my postmaster account and a spammer spams
>postmaster, then 10 other users, he'll have a roughly -100 score average
>when he sends to the other 10. I've effectively created a way for spammers
>to site-wide whitelist themselves by spamming a particular account first.
>
>
>
>
>
>At 02:07 PM 11/12/2002 -0600, Mike Kercher wrote:
>>AWL is AutoWhiteList
>>
>>-----Original Message-----
>>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
>>Behalf Of Bill Anderson
>>Sent: Tuesday, November 12, 2002 2:05 PM
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: Mismarked mail - AWL
>>
>>
>>How is scoring determined for AWL? I can find the scores for SMTPD_IN_RCVD,
>>SPAM_PHRASE_00_01, USER_AGENT_OUTLOOK, however can't see what score is given
>>to AWL. Why is it being triggered? This should be a valid email, which it
>>is in version 3, however with version 4 it is being triggered.
>>
>>X-MailScanner-SpamCheck: SpamAssassin (score=7.7, required 5, AWL,
>>        SMTPD_IN_RCVD, SPAM_PHRASE_00_01, USER_AGENT_OUTLOOK)

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mkettler at EVI-INC.COM Tue Nov 12 21:20:20 2002
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:16:25 2006
Subject: Mismarked mail - AWL
In-Reply-To: <5.1.0.14.2.20021112210036.03782168@imap.ecs.soton.ac.uk>
References: <5.1.1.6.0.20021112153041.0192efa8@192.168.50.2>
Message-ID: <5.1.1.6.0.20021112160916.01892478@192.168.50.2>

It's unfortunate that having a single global AWL is such a double-edged
sword. The biggest benefits of the AWL show up when you use it globally,
unfortunately the problems with it increase by a few orders of magnitude
making it a trouble-causing nightmare. It *can* work, but it has some
seriously unexpected side effects that most people aren't aware of.

I'm also not a big fan of the AWL in general as I fear it will eventually
encourage spammers to send you "bursts" of messages. 1 low scoring nonspam
message to get themselves a whitelist entry followed by a spam message. If
the first message scores zero, the second will need to score a 10 to get
tagged with the default settings. I've not seen that sort of behavior yet,
but it's not something I'd like to encourage.

I'm a strong proponent of the "let the merits of each email stand upon its
own" approach, with manual whitelist_from_rcvd entries to allow in spamish
newsletters of your choosing. Of course, that's a lot more work than just
turning on the AWL, but it's by far less prone to error too.

At 09:02 PM 11/12/2002 +0000, Julian Field wrote:
>Methinks I might want to change the default value in the distribution.
>Thanks for doing the thorough analysis.

From gavin at NETERGY.COM Tue Nov 12 22:32:40 2002
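Added example, not part of any message in this archive and not SpamAssassin or MailScanner code: a small model of the AWL formula quoted in the two posts above, replaying the postmaster scenario against one global database and against a per-recipient one, plus the "score a 10" arithmetic from the second post. The sender address, relay IP, raw spam score of 12 and the per_recipient switch are constructed for illustration, and it is an assumption that the stored average covers only earlier messages and uses their scores before AWL adjustment.

```python
"""Model of the AWL averaging described in the thread (added example)."""
from collections import defaultdict

REQUIRED = 5.0   # "required 5" in the X-MailScanner-SpamCheck header quoted in the thread
FACTOR = 0.5     # default factor stated in the post


class AutoWhitelist:
    """Tracks the average score per sender/relay-IP pair.

    Assumption: the average is taken over earlier messages only, using
    their scores before the AWL adjustment was applied.
    """

    def __init__(self, factor=FACTOR, per_recipient=False):
        self.factor = factor
        self.per_recipient = per_recipient            # False models one global database
        self.history = defaultdict(lambda: [0.0, 0])  # key -> [score total, message count]

    def adjust(self, sender, relay_ip, recipient, normal_score):
        """Return the final score and then record normal_score in the history."""
        key = (sender, relay_ip, recipient) if self.per_recipient else (sender, relay_ip)
        entry = self.history[key]
        final = normal_score                          # no history yet: score is unchanged
        if entry[1]:
            average = entry[0] / entry[1]
            # (normal_score * (1-factor)) + (average_score * factor)
            final = normal_score * (1 - self.factor) + average * self.factor
        entry[0] += normal_score
        entry[1] += 1
        return final


def replay(awl, spam_score=12.0, whitelist_bonus=-100.0, others=10):
    """One message to the ALL_SPAM_TO postmaster, then the same spam to other users."""
    sender, relay_ip = "bulk@sender.example", "192.0.2.10"   # constructed values
    awl.adjust(sender, relay_ip, "postmaster", spam_score + whitelist_bonus)
    return [awl.adjust(sender, relay_ip, "user%d" % i, spam_score)
            for i in range(1, others + 1)]


def tagged(final_scores, required=REQUIRED):
    """Count messages whose final score reaches the tagging threshold."""
    return sum(1 for score in final_scores if score >= required)


def score_needed_to_tag(average, required=REQUIRED, factor=FACTOR):
    """Raw score a message needs so that its AWL-adjusted score reaches required."""
    return (required - average * factor) / (1 - factor)


if __name__ == "__main__":
    shared = replay(AutoWhitelist())
    split = replay(AutoWhitelist(per_recipient=True))
    print("global AWL        :", [round(s, 2) for s in shared], "tagged:", tagged(shared))
    print("per-recipient AWL :", [round(s, 2) for s in split], "tagged:", tagged(split))
    print("raw score needed after a zero-scoring first message:", score_needed_to_tag(0.0))
```

With these constructed numbers the shared database leaves most of the ten follow-up messages under the threshold until the whitelisted entry has been averaged away, while the per-recipient model tags all ten.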
From: gavin at NETERGY.COM (Gavin Nelmes-Crocker)
Date: Thu Jan 12 21:16:25 2006
Subject: dealing with the quarantine
Message-ID:

I know this was touched on a while ago but I don't think I saw a definitive
answer, also now that we can quarantine Spam as well.

2 things in the quarantine I notice the directories are in a date format
such as year/month/day is this our server or is it in the code somewhere
that I can tweak to be European date format i.e. year at the end.

next and most important thing which is probably more of a sendmail issue if
you have a Spam or a virus mail that a customer needs/wants (why I'm not
sure) how do you get it processed - I suppose you need to do it from
localhost and have a rule that won't block it or scan it from localhost but
how do you get sendmail to process that raw file?

Thanks

Gavin

From ivan at NUCCI.COM.BR Tue Nov 12 22:48:58 2002
From: ivan at NUCCI.COM.BR (Ivan Mirisola)
Date: Thu Jan 12 21:16:25 2006
Subject: Flash (SWF) in e-mail
References: <1037109730.6484.33.camel@linroute>
Message-ID: <3DD1855A.9080102@nucci.com.br>

Hi All,

Is there a way to prevent all email containing object tags to go through
except when dealing with flash.
I would like to deliver such messages but not the really dangerous ones.

If it's not possible, is there a way to deliver the SWF files as
attachments and remove the HTML code that calls it?

TIA,

---
Ivan

From novirus at CARLO65.DE Tue Nov 12 23:00:05 2002
From: novirus at CARLO65.DE (Roland Ehle)
Date: Thu Jan 12 21:16:25 2006
Subject: Flash (SWF) in e-mail
In-Reply-To: <3DD1855A.9080102@nucci.com.br>
References: <1037109730.6484.33.camel@linroute> <3DD1855A.9080102@nucci.com.br>
Message-ID: <1037142005.6484.61.camel@linroute>

Hi Ivan,


On Tue, 2002-11-12 at 23.48, Ivan Mirisola wrote:

> Is there a way to prevent all email containing object tags to go through
> except when dealing with flash.
> I would like to deliver such messages but not the really dangerous ones.

No this is not possible.

> If it's not possible, is there a way to deliver the SWF files as
> attachments and remove the HTML code that calls it?

As the swf files are not attached to the mail, but remain on the
website, which is called in the IFrame-tag, there is no possibility.

Regards,
Roland

From ivan at NUCCI.COM.BR Tue Nov 12 23:21:38 2002
From: ivan at NUCCI.COM.BR (Ivan Mirisola)
Date: Thu Jan 12 21:16:25 2006
Subject: Flash (SWF) in e-mail
References: <1037109730.6484.33.camel@linroute> <3DD1855A.9080102@nucci.com.br> <1037142005.6484.61.camel@linroute>
Message-ID: <3DD18D02.5020801@nucci.com.br>

Hi Roland,

I have seen many e-mails that have SWF attachments and the HTML tag
calls the filename on the mime part. It would be just like a
hidden attachment in an e-mail but you would see the SWF within the email.
I know that there is a virus that could be hidden in a SWF, that's why I
wanted to remove just the HTML part that refers to the SWF and make the
SWF visible as an attachment.
Is it possible?

Thanks again

Roland Ehle wrote:

>Hi Ivan,
>
>
>On Tue, 2002-11-12 at 23.48, Ivan Mirisola wrote:
>
>
>>Is there a way to prevent all email containing object tags to go through
>>except when dealing with flash.
>>I would like to deliver such messages but not the really dangerous ones.
>>
>>
>
>No this is not possible.
>
>
>
>>If it's not possible, is there a way to deliver the SWF files as
>>attachments and remove the HTML code that calls it?
>>
>>
>
>As the swf files are not attached to the mail, but remain on the
>website, which is called in the IFrame-tag, there is no possibility.
>
>Regards,
>Roland
>
>

From vanhorn at whidbey.com Wed Nov 13 00:12:38 2002
From: vanhorn at whidbey.com (G. Armour Van Horn)
Date: Thu Jan 12 21:16:25 2006
Subject: Problem with autoupdate.f-prot
References: <0fae50400001ca2PCOW024M@blueyonder.co.uk> <004201c27e6a$b48678e0$6a0110ac@sbsplc.com> <5.1.0.14.2.20021030145144.07dbe040@imap.ecs.soton.ac.uk>
Message-ID: <3DD198F6.895BC5@whidbey.com>

I switched to using
cd /usr/lib/MailScanner; ./f-prot-autoupdate -cron
and didn't see any change in behaviour. I dropped the " -cron" and still saw no
behaviour. After one of the files is updated at f-prot, four times a day I get a
message like the one below.

Just like with the script from f-prot, the command works just fine from the command
line. In fact, I normally copy the command out of the Subject line of the error
message and paste it into the shell. I am generally logged on as root, and the cron
script is set to run as root, so that's not the difference.

Any ideas?

Van


Date: Tue, 12 Nov 2002 13:00:03 -0800
From: root@verbose.twistedhistory.com (Cron Daemon)
To: root@verbose.twistedhistory.com
Subject: Cron cd /usr/lib/MailScanner;./f-prot-autoupdate
X-Cron-Env:
X-Cron-Env:
X-Cron-Env:
X-Cron-Env:
X-MailScanner: Found to be clean

FTP address for retrieving files is ftp://eu-1.updates.f-prot.com/pub/
F-Prot signature file update script
There is a new version of SIGN.DEF, starting download.
Download completed.
Fatal error while unzipping file., Bad file descriptor at ./f-prot-autoupdate line
294, line 2.

Julian Field wrote:

> At 06:09 30/10/2002, you wrote:
> >I'm running the updater /usr/local/f-prot_3.12b/check-updates.sh with the cron
> >suffix, and I've never seen it work. But I go to the command line and it works
> >just fine. So I end up using the failure message as a trigger to manually run
> >it.
> >
> >Reading your message, it looks like you are running a different script, but I
> >don't have an autoupdate.f-prot on my system. Should this have been part of
> >the install? Or is this something I should go hunting for? I would welcome a
> >script that normally works with the occasional failure instead of the script
> >that never runs.
>
> You will have /usr/lib/MailScanner/f-prot-autoupdate. Use that.
>
> >I'm running 4.00.0a13-1, in case that explains why I don't have the script you
> >are using.
> >
> >Van
> >
> >
> >
> >Paul Welsh wrote:
> >
> > > I'm using Julian's f-prot autoupdate script:
> > >
> > > # $Id: autoupdate,v 1.3.2.5 2002/07/15 00:47:26 nwp Exp $
> > >
> > > and today I got the following error in my logs:
> > >
> > > FTP address for retrieving files is ftp://eu-1.updates.f-prot.com/pub/
> > > F-Prot signature file update script
> > > There is a new version of SIGN.DEF, starting download.
> > > Download completed.
> > > Updated SIGN.DEF.
> > > There is a new version of SIGN2.DEF, starting download.
> > > Updated SIGN2.DEF.
> > > There is a new version of MACRO.DEF, starting download.
> > > Download completed.
> > > Download completed.
> > > Could not find correct version of MACRO.DEF, exiting., Bad file descriptor
> > > at /etc/cron.daily/autoupdate.f-prot line 294, chunk 4.
> > >
> > > I ran the script again from the command line and no error messages -
> > > everything was up to date apparently.
> > >
> > > I'm on MailScanner 3.22 with F-Prot 3.12a.
> >
> >--
> >----------------------------------------------------------
> >Sign up now for Quotes of the Day, a handful of quotations
> >on a theme delivered every morning.
> >Enlightenment! Daily, for free!
> >mailto:twisted@whidbey.com?subject=Subscribe_QOTD
> >
> >For web hosting and maintenance,
> >visit Van's home page: http://www.domainvanhorn.com/van/
> >----------------------------------------------------------
>
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ

--
----------------------------------------------------------
Sign up now for Quotes of the Day, a handful of quotations
on a theme delivered every morning.
Enlightenment! Daily, for free!
mailto:twisted@whidbey.com?subject=Subscribe_QOTD

For web hosting and maintenance,
visit Van's home page: http://www.domainvanhorn.com/van/
----------------------------------------------------------

From novirus at CARLO65.DE Wed Nov 13 00:10:58 2002
From: novirus at CARLO65.DE (Roland Ehle)
Date: Thu Jan 12 21:16:25 2006
Subject: Flash (SWF) in e-mail
In-Reply-To: <3DD18D02.5020801@nucci.com.br>
References: <1037109730.6484.33.camel@linroute> <3DD1855A.9080102@nucci.com.br> <1037142005.6484.61.camel@linroute> <3DD18D02.5020801@nucci.com.br>
Message-ID: <1037146258.6484.75.camel@linroute>

Hi Ivan,

AFAIK there are only 2 possibilities: Allow Object Codebase = no or yes.
So far there is no option, to use rulesets or allow only certain
objects. The only thing you can do, is to use a ruleset to allow object
Codebase from certain senders only.

Regards,
Roland

On Wed, 2002-11-13 at 00.21, Ivan Mirisola wrote:
> Hi Roland,
>
> I have seen many e-mails that have SWF attachments and the HTML tag
> calls the filename on the mime part. It would be just like a
> hidden attachment in an e-mail but you would see the SWF within the email.
> I know that there is a virus that could be hidden in a SWF, that's why I
> wanted to remove just the HTML part that refers to the SWF and make the
> SWF visible as an attachment.
> Is it possible?
>
> Thanks again
>
> Roland Ehle wrote:
>
> >Hi Ivan,
> >
> >
> >On Tue, 2002-11-12 at 23.48, Ivan Mirisola wrote:
> >
> >
> >>Is there a way to prevent all email containing object tags to go through
> >>except when dealing with flash.
> >>I would like to deliver such messages but not the really dangerous ones.
> >>
> >>
> >
> >No this is not possible.
> >
> >
> >
> >>If it's not possible, is there a way to deliver the SWF files as
> >>attachments and remove the HTML code that calls it?
> >>
> >>
> >
> >As the swf files are not attached to the mail, but remain on the
> >website, which is called in the IFrame-tag, there is no possibility.
> >
> >Regards,
> >Roland

From gerry at DORFAM.CA Wed Nov 13 02:11:18 2002
From: gerry at DORFAM.CA (Gerry Doris)
Date: Thu Jan 12 21:16:25 2006
Subject: AW: AW: reporting to Razor/Pyzor
In-Reply-To: <4E7026FF8A422749B1553FE508E00680053D26@message.intern.akctech.de>
Message-ID:

On Tue, 12 Nov 2002, Jan-Peter Koopmann wrote:

> > The thread from last night had the subject
> > Re: how to install vipul's razor
>
> I am aware of this thread but it does not answer my question:
>
> Is there a way to automatically report spam to razor/pyzor? I would love
> to automatically report high scoring spam. I know there once was an
> auto_report_threshold in SpamAssassin but it does not seem to be
> documented anymore. Moreover it said it only reported to razor.
>
> Thanks,
> JP
>

I'm going from memory here but I thought that the spamassassin folks were
no longer trying to auto update razor. I believe people thought it was too
open to abuse???

--
Gerry

"The lyfe so short, the craft so long to learne" Chaucer

From Jan-Peter.Koopmann at SECEIDOS.DE Wed Nov 13 08:38:19 2002
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:16:25 2006
Subject: AW: reporting to Razor/Pyzor
Message-ID: <4E7026FF8A422749B1553FE508E0068004ABAB@message.intern.akctech.de>

Hi Mike,

> That would probably be the high score action...set your action
> in a ruleset.

How? I do not really know what you mean. Can you give me a few more
hints? Do I do this within the SpamAssassin config?

Regards,
JP

From P.G.M.Peters at civ.utwente.nl Wed Nov 13 10:56:03 2002
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:16:25 2006
Subject: dealing with the quarantine
In-Reply-To:
References:
Message-ID: <8qb4tuglluvfefo1sroqpeh12vtholcd8m@4ax.com>

On Tue, 12 Nov 2002 22:32:40 -0000, you wrote:

>2 things in the quarantine I notice the directories are in a date format
>such as year/month/day is this our server or is it in the code somewhere
>that I can tweak to be European date format i.e. year at the end.

I would advise against using "our" format. The way it is coded now is
very easy to sort. When you want to remove a month worth of quarantined
files you just rm -rf yearmonth*. Or if you want to remove the first ten
days of this month: rm -rf 2002111*.

--
Peter Peters
senior netwerkbeheerder, Centrum voor Informatievoorziening,
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ

From mailscanner at ecs.soton.ac.uk Wed Nov 13 10:56:26 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:25 2006
Subject: dealing with the quarantine
In-Reply-To:
Message-ID: <5.1.0.14.2.20021113105000.0300a628@imap.ecs.soton.ac.uk>

At 22:32 12/11/2002, you wrote:
>2 things in the quarantine I notice the directories are in a date format
>such as year/month/day is this our server or is it in the code somewhere
>that I can tweak to be European date format i.e. year at the end.

The date format is yyyymmdd intentionally. If you alphabetically or
numerically sort the directory names (like "ls" does) then you get the
dates in chronological order. So a simple "ls" command will sort them with
oldest first, newest last.

>next and most important thing which is probably more of a sendmail issue if
>you have a Spam or a virus mail that a customer needs/wants (why I'm not
>sure) how do you get it processed - I suppose you need to do it from
>localhost and have a rule that won't block it or scan it from localhost but
>how do you get sendmail to process that raw file?

If you store the messages as raw queue files (i.e. the qf+df pair) then you
can just drop the files into /var/spool/mqueue. If you want to trigger
immediate delivery of it, then do
         /usr/sbin/sendmail -qIxxxxxxxxx -v
where xxxxxxxxx is the raw queue filename excluding the qf or df off the
front of it. That way it won't get scanned at all.

If you are using an old version of sendmail, and you have the whole message
stored as 1 file, then you can do
         sendmail -t < blahblah
where blahblah is the filename of the quarantined message.

If you are using a newer sendmail (8.11 and beyond I believe) and you have
the whole message stored as 1 file, then it's harder as invoking sendmail
directly will still cause the message to be scanned. At that point you will
need rulesets which stop MailScanner scanning messages coming from 127.0.0.1.

>Thanks
>
>Gavin

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Wed Nov 13 11:04:25 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:25 2006
Subject: Problem with autoupdate.f-prot
In-Reply-To: <3DD198F6.895BC5@whidbey.com>
References: <0fae50400001ca2PCOW024M@blueyonder.co.uk> <004201c27e6a$b48678e0$6a0110ac@sbsplc.com> <5.1.0.14.2.20021030145144.07dbe040@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021113110136.030110a8@imap.ecs.soton.ac.uk>

At 00:12 13/11/2002, you wrote:
>I switched to using
>cd /usr/lib/MailScanner; ./f-prot-autoupdate -cron
>and didn't see any change in behaviour. I dropped the " -cron" and still saw no
>behaviour. After one of the files is updated at f-prot, four times a day I
>get a
>message like the one below.
>
>Just like with the script from f-prot, the command works just fine from
>the command
>line. In fact, I normally copy the command out of the Subject line of the
>error
>message and paste it into the shell. I am generally logged on as root, and
>the cron
>script is set to run as root, so that's not the difference.

Can you try the attached f-prot-autoupdate from your cron job and see if it
works any better? The "unzip" command is bailing out for no very good reason.

>Any ideas?
>
>Van
>
>
>
>
>
>Date: Tue, 12 Nov 2002 13:00:03 -0800
>From: root@verbose.twistedhistory.com (Cron Daemon)
>To: root@verbose.twistedhistory.com
>Subject: Cron cd /usr/lib/MailScanner;./f-prot-autoupdate
>X-Cron-Env:
>X-Cron-Env:
>X-Cron-Env:
>X-Cron-Env:
>X-MailScanner: Found to be clean
>
>
>FTP address for retrieving files is ftp://eu-1.updates.f-prot.com/pub/
>F-Prot signature file update script
>There is a new version of SIGN.DEF, starting download.
>Download completed.
>Fatal error while unzipping file., Bad file descriptor at
>./f-prot-autoupdate line
>294, line 2.
>
>
>
>Julian Field wrote:
>
> > At 06:09 30/10/2002, you wrote:
> > >I'm running the updater /usr/local/f-prot_3.12b/check-updates.sh with
> the cron
> > >suffix, and I've never seen it work. But I go to the command line and
> it works
> > >just fine. So I end up using the failure message as a trigger to
> manually run
> > >it.
> > >
> > >Reading your message, it looks like you are running a different
> script, but I
> > >don't have an autoupdate.f-prot on my system. Should this have been
> part of
> > >the install? Or is this something I should go hunting for? I would
> welcome a
> > >script that normally works with the occasional failure instead of the
> script
> > >that never runs.
> >
> > You will have /usr/lib/MailScanner/f-prot-autoupdate. Use that.
> >
> > >I'm running 4.00.0a13-1, in case that explains why I don't have the
> script you
> > >are using.
> > >
> > >Van
> > >
> > >
> > >
> > >Paul Welsh wrote:
> > >
> > > > I'm using Julian's f-prot autoupdate script:
> > > >
> > > > # $Id: autoupdate,v 1.3.2.5 2002/07/15 00:47:26 nwp Exp $
> > > >
> > > > and today I got the following error in my logs:
> > > >
> > > > FTP address for retrieving files is ftp://eu-1.updates.f-prot.com/pub/
> > > > F-Prot signature file update script
> > > > There is a new version of SIGN.DEF, starting download.
> > > > Download completed.
> > > > Updated SIGN.DEF.
> > > > There is a new version of SIGN2.DEF, starting download.
> > > > Updated SIGN2.DEF.
> > > > There is a new version of MACRO.DEF, starting download.
> > > > Download completed.
> > > > Download completed.
> > > > Could not find correct version of MACRO.DEF, exiting., Bad file
> descriptor
> > > > at /etc/cron.daily/autoupdate.f-prot line 294, chunk 4.
> > > >
> > > > I ran the script again from the command line and no error messages -
> > > > everything was up to date apparently.
> > > >
> > > > I'm on MailScanner 3.22 with F-Prot 3.12a.
> > >
> > >--
> > >----------------------------------------------------------
> > >Sign up now for Quotes of the Day, a handful of quotations
> > >on a theme delivered every morning.
> > >Enlightenment! Daily, for free!
> > >mailto:twisted@whidbey.com?subject=Subscribe_QOTD
> > >
> > >For web hosting and maintenance,
> > >visit Van's home page: http://www.domainvanhorn.com/van/
> > >----------------------------------------------------------
> >
> > --
> > Julian Field                Teaching Systems Manager
> > jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> > Tel. 023 8059 2817          University of Southampton
> >                             Southampton SO17 1BJ
>
>--
>----------------------------------------------------------
>Sign up now for Quotes of the Day, a handful of quotations
>on a theme delivered every morning.
>Enlightenment! Daily, for free!
>mailto:twisted@whidbey.com?subject=Subscribe_QOTD
>
>For web hosting and maintenance,
>visit Van's home page: http://www.domainvanhorn.com/van/
>----------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: f-prot-autoupdate
Type: application/octet-stream
Size: 9104 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021113/00cbee35/f-prot-autoupdate.obj
-------------- next part --------------
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From ivan at NUCCI.COM.BR Wed Nov 13 13:36:52 2002
From: ivan at NUCCI.COM.BR (Ivan Mirisola)
Date: Thu Jan 12 21:16:25 2006
Subject: Flash (SWF) in e-mail
References: <1037109730.6484.33.camel@linroute> <3DD1855A.9080102@nucci.com.br> <1037142005.6484.61.camel@linroute> <3DD18D02.5020801@nucci.com.br> <1037146258.6484.75.camel@linroute>
Message-ID: <3DD25574.5030609@nucci.com.br>

Perhaps this could be a new feature request.
I think this would make MailScanner more flexible

Thanks anyway,

---
Ivan

Roland Ehle wrote:

>Hi Ivan,
>
>AFAIK there are only 2 possibilities: Allow Object Codebase = no or yes.
>So far there is no option, to use rulesets or allow only certain
>objects. The only thing you can do, is to use a ruleset to allow object
>Codebase from certain senders only.
>
>Regards,
>Roland
>On Wed, 2002-11-13 at 00.21, Ivan Mirisola wrote:
>
>
>>Hi Roland,
>>
>>I have seen many e-mails that have SWF attachments and the HTML tag
>> calls the filename on the mime part. It would be just like a
>>hidden attachment in an e-mail but you would see the SWF within the email.
>>I know that there is a virus that could be hidden in a SWF, that's why I
>>wanted to remove just the HTML part that refers to the SWF and make the
>>SWF visible as an attachment.
>>Is it possible?
>>
>>Thanks again
>>
>>Roland Ehle wrote:
>>
>>
>>
>>>Hi Ivan,
>>>
>>>
>>>On Tue, 2002-11-12 at 23.48, Ivan Mirisola wrote:
>>>
>>>
>>>
>>>
>>>>Is there a way to prevent all email containing object tags to go through
>>>>except when dealing with flash.
>>>>I would like to deliver such messages but not the really dangerous ones.
>>>>
>>>>
>>>>
>>>>
>>>No this is not possible.
>>>
>>>
>>>
>>>
>>>
>>>>If it's not possible, is there a way to deliver the SWF files as
>>>>attachments and remove the HTML code that calls it?
>>>>
>>>>
>>>>
>>>>
>>>As the swf files are not attached to the mail, but remain on the
>>>website, which is called in the IFrame-tag, there is no possibility.
>>>
>>>Regards,
>>>Roland
>>>
>>>

From mike at CAMAROSS.NET Wed Nov 13 13:37:59 2002
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:16:25 2006
Subject: AW: reporting to Razor/Pyzor
In-Reply-To: <4E7026FF8A422749B1553FE508E0068004ABAB@message.intern.akctech.de>
Message-ID: <006901c28b19$e1ba9560$6501a8c0@mikedesk>

I don't run razor here anymore but when I used to, I had an alias setup on
my local machine (/etc/aliases) to forward messages sent to razor@ to a
specified email address. Now it's just a list of email addresses that have
spammed me...so they get all of my high scoring spam.

In my MailScanner.conf, I have this:

# This is just like the "Spam Actions" option above, except that it applies
# then the score from SpamAssassin is higher than the "High SpamAssassin Score"
# value.
#    deliver                 - deliver the message as normal
#    delete                  - delete the message
#    store                   - store the message in the quarantine
#    bounce                  - send a rejection message back to the sender
#    forward user@domain.com - forward a copy of the message to user@domain.com
#    striphtml               - convert all in-line HTML content to plain text
#
# Note that the bounce message is created in such a way as to stop it
# bouncing back to your site.
#
# This can also be the filename of a ruleset.
High Scoring Spam Actions = forward razor@localhost

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
Behalf Of Jan-Peter Koopmann
Sent: Wednesday, November 13, 2002 2:38 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: AW: reporting to Razor/Pyzor

Hi Mike,

> That would probably be the high score action...set your action
> in a ruleset.

How? I do not really know what you mean. Can you give me a few more
hints? Do I do this within the SpamAssassin config?

Regards,
JP

From mk at quadstone.com Wed Nov 13 14:10:12 2002
From: mk at quadstone.com (Michael Keightley)
Date: Thu Jan 12 21:16:25 2006
Subject: Whitelist for IFrame Tags?
Message-ID: <20021113141012.GA1629@quadstone.com>

Can the whitelist be used for messages containing IFrame Tags in version 4?
The problem is if we set "Allow IFrame Tags = no" then people's Daily Dilbert
cartoon gets quarantined!!

Michael
--
Michael Keightley                       Tel: +44 131 220 4491
Systems Manager, Quadstone Limited,     Fax: +44 131 220 4492
16 Chester Street, Edinburgh EH3 7RA, Scotland
http://www.quadstone.com

From mailscanner at ecs.soton.ac.uk Wed Nov 13 14:21:02 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:25 2006
Subject: Whitelist for IFrame Tags?
In-Reply-To: <20021113141012.GA1629@quadstone.com>
Message-ID: <5.1.0.14.2.20021113141910.0739da30@imap.ecs.soton.ac.uk>

At 14:10 13/11/2002, you wrote:
>Can the whitelist be used for messages containing IFrame Tags in version 4?

Yes.

>The problem is if we set "Allow IFrame Tags = no" then people's Daily Dilbert
>cartoon gets quarantined!!

You just use a ruleset for it.

Allow IFrame Tags = /opt/MailScanner/etc/rules/allow.iframe.tags.rules

Then in that file put

From:           *@*.dilbert.com         yes
From:           other@mailinglist.com   yes
FromOrTo:       default                 no

(FromOrTo will work just as well as FromTo, it's just a bit clearer what it
means)
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From dustin.baer at IHS.COM Wed Nov 13 14:19:04 2002
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:16:25 2006
Subject: Whitelist for IFrame Tags?
References: <20021113141012.GA1629@quadstone.com>
Message-ID: <3DD25F58.1EB68F52@ihs.com>

Michael Keightley wrote:
>
> Can the whitelist be used for messages containing IFrame Tags in version 4?
> The problem is if we set "Allow IFrame Tags = no" then people's Daily Dilbert
> cartoon gets quarantined!!

mailscanner.conf:
Allow IFrame Tags = /opt/MailScanner/etc/rules/AllowIFrameTags.rules

/opt/MailScanner/etc/rules/AllowIFrameTags.rules:
From:   *@comicsmail.unitedmedia.com    yes

Dustin

--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From p.vanbrouwershaven at NETWORKING4ALL.COM Wed Nov 13 14:49:21 2002
From: p.vanbrouwershaven at NETWORKING4ALL.COM (Paul van Brouwershaven - Networking4all)
Date: Thu Jan 12 21:16:25 2006
Subject: Multiple Reports
Message-ID:

Hi,

I want to send a combined report to my client one in EN and one in NL
can I do this with a command or must I change the reports??

Regards,

Paul

From mailscanner at ecs.soton.ac.uk Wed Nov 13 14:51:50 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:25 2006
Subject: Multiple Reports
In-Reply-To:
Message-ID: <5.1.0.14.2.20021113145106.0738cfa8@imap.ecs.soton.ac.uk>

At 14:49 13/11/2002, you wrote:
>I want to send a combined report to my client one in EN and one in NL
>can I do this with a command or must I change the reports??

You will have to change the reports so that they say exactly what you want
them to say.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mk at quadstone.com Wed Nov 13 15:27:37 2002
From: mk at quadstone.com (Michael Keightley)
Date: Thu Jan 12 21:16:25 2006
Subject: Problems with version 4
Message-ID: <20021113152737.GB1629@quadstone.com>

After starting up version 4, I am getting lots of these messages in the mail
log:

Nov 13 15:20:29 postie.quadstone.co.uk MailScanner[26958]: Failed to link message body between queues (/var/spool/mqueue/dfgADFKNXH026972 --> /var/spool/mqueue.in/dfgADFKNXH026972)

I am running Sendmail version 8.12.3 on Solaris 8.

Michael
--
Michael Keightley                        Tel: +44 131 220 4491
Systems Manager, Quadstone Limited,      Fax: +44 131 220 4492
16 Chester Street, Edinburgh EH3 7RA, Scotland  http://www.quadstone.com

From mailscanner at ecs.soton.ac.uk Wed Nov 13 15:32:35 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:25 2006
Subject: Problems with version 4
In-Reply-To: <20021113152737.GB1629@quadstone.com>
Message-ID: <5.1.0.14.2.20021113153116.07420ec0@imap.ecs.soton.ac.uk>

At 15:27 13/11/2002, you wrote:
>After starting up version 4, I am getting lots of these messages in the mail
>log:
>
>Nov 13 15:20:29 postie.quadstone.co.uk MailScanner[26958]: Failed to link
>message body between queues (/var/spool/mqueue/dfgADFKNXH026972 -->
>/var/spool/mqueue.in/dfgADFKNXH026972)

Either the file already exists in the outgoing queue, or the 2 queues
aren't on the same partition, or you are running V3 and V4 simultaneously.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mk at quadstone.com Wed Nov 13 15:45:43 2002
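The causes listed in Julian's reply above map onto distinct error codes from the hard-link call, shown here as an added Python example (not MailScanner's code). The scratch directories and file names are constructed, and reading a missing source file as a sign of a second scanner instance is an assumption.

```python
import errno
import os
import tempfile

# Error codes a failed hard link can return, named after the causes in the reply.
CAUSES = {
    errno.EEXIST: "destination-exists",    # file already present in the target queue
    errno.EXDEV: "different-filesystem",   # the two queues are on separate partitions
    errno.ENOENT: "source-missing",        # assumption: another scanner took the file
}


def same_filesystem(dir_a, dir_b):
    """Hard links only work inside one filesystem, so compare device numbers."""
    return os.stat(dir_a).st_dev == os.stat(dir_b).st_dev


def link_message(src_dir, dst_dir, name):
    """Attempt the hard link and name the reason if it fails."""
    try:
        os.link(os.path.join(src_dir, name), os.path.join(dst_dir, name))
        return "linked"
    except OSError as exc:
        return CAUSES.get(exc.errno, os.strerror(exc.errno))


def demo():
    """Reproduce the outcomes that can be shown in a scratch directory."""
    with tempfile.TemporaryDirectory() as root:
        src_queue = os.path.join(root, "mqueue.in")   # constructed queue dirs
        dst_queue = os.path.join(root, "mqueue")
        os.mkdir(src_queue)
        os.mkdir(dst_queue)
        name = "dfEXAMPLE000001"                      # constructed queue file
        with open(os.path.join(src_queue, name), "w") as handle:
            handle.write("constructed message body\n")
        return {
            "same_fs": same_filesystem(src_queue, dst_queue),
            "first": link_message(src_queue, dst_queue, name),
            "second": link_message(src_queue, dst_queue, name),
            "missing": link_message(src_queue, dst_queue, "dfEXAMPLE000002"),
        }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:8} {outcome}")
```

On a live system, `same_filesystem()` pointed at the two real queue directories answers the partition question without touching any queue file.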
From: mk at quadstone.com (Michael Keightley)
Date: Thu Jan 12 21:16:25 2006
Subject: Problems with version 4
In-Reply-To: <5.1.0.14.2.20021113153116.07420ec0@imap.ecs.soton.ac.uk>
References: <20021113152737.GB1629@quadstone.com> <5.1.0.14.2.20021113153116.07420ec0@imap.ecs.soton.ac.uk>
Message-ID: <20021113154543.GD1629@quadstone.com>

When I start version 4 up, lots of mailscanner processes are started, not
just one!! I guess this is causing the error message. Version 3 isn't
running. Why would so many processes be started up?

% pkill -9 mailscanner
% ps -ef | grep mailscanner | grep -v grep
% /var/opt/MailScanner/bin/check_mailscanner
Starting virus scanner...
# Wait 10 secs....
% ps -ef | grep mailscanner | grep -v grep
    root 27398 27389  0 15:38:04 ?        0:06 /usr/bin/perl -I/var/opt/MailScanner/bin /var/opt/MailScanner/bin/mailscanner /
    root 27410 27389  0 15:38:14 ?        0:07 /usr/bin/perl -I/var/opt/MailScanner/bin /var/opt/MailScanner/bin/mailscanner /
    root 27390 27389  0 15:37:44 ?        0:06 /usr/bin/perl -I/var/opt/MailScanner/bin /var/opt/MailScanner/bin/mailscanner /
    root 27411 27389  0 15:38:24 ?        0:05 /usr/bin/perl -I/var/opt/MailScanner/bin /var/opt/MailScanner/bin/mailscanner /
    root 27389     1  0 15:37:44 ?        0:00 /usr/bin/perl -I/var/opt/MailScanner/bin /var/opt/MailScanner/bin/mailscanner /
    root 27445     1  6 15:40:03 ?        0:05 /usr/bin/perl /var/opt/mailscanner/bin/mailscanner /var/opt/mailscanner/etc/mai
    root 27393 27389  0 15:37:54 ?        0:05 /usr/bin/perl -I/var/opt/MailScanner/bin /var/opt/MailScanner/bin/mailscanner /

On Wed, Nov 13, 2002 at 03:32:35PM +0000, Julian Field wrote:
> At 15:27 13/11/2002, you wrote:
> >After starting up version 4, I am getting lots of these messages in the
> >mail
> >log:
> >
> >Nov 13 15:20:29 postie.quadstone.co.uk MailScanner[26958]: Failed to link
> >message body between queues (/var/spool/mqueue/dfgADFKNXH026972 -->
> >/var/spool/mqueue.in/dfgADFKNXH026972)
>
> Either the file already exists in the outgoing queue, or the 2 queues
> aren't on the same partition, or you are running V3 and V4 simultaneously.
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ

--
Michael Keightley                        Tel: +44 131 220 4491
Systems Manager, Quadstone Limited,      Fax: +44 131 220 4492
16 Chester Street, Edinburgh EH3 7RA, Scotland  http://www.quadstone.com

From info at pro-invest.ca Wed Nov 13 15:51:23 2002
From: info at pro-invest.ca (Investor Services)
Date: Thu Jan 12 21:16:25 2006
Subject: MRTG
Message-ID:

Hi Julian,

Could you please tell me how you do this..

"Every night the day's mail logs are collected and put in 1 directory,
which is where the script gets them from"

Thanks,

>>>>>>>>>>>>>>>>>>>>>
Mark Tavares
IS Tech Support
Professional Investments Inc.
(613)384-7511 ext. 221
1-888-548-8868
<<<<<<<<<<<<<<<<<<<<<

From Antony at SOFT-SOLUTIONS.CO.UK Wed Nov 13 15:50:12 2002
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:16:25 2006
Subject: Problems with version 4
In-Reply-To: <20021113154543.GD1629@quadstone.com>
References: <20021113152737.GB1629@quadstone.com> <5.1.0.14.2.20021113153116.07420ec0@imap.ecs.soton.ac.uk> <20021113154543.GD1629@quadstone.com>
Message-ID: <200211131550.gADFoJe32216@vulcan.rissington.net>

On Wednesday 13 November 2002 3:45 pm, Michael Keightley wrote:

> When I start version 4 up, lots of mailscanner processes are started, not
> just one!! I guess this is causing the error message. Version 3 isn't
> running. Why would so many processes be started up?

What value do you have for "Max Children" in your config file ?

Antony.

--

Behind the counter a boy with a shaven head stared vacantly into space,
a dozen spikes of microsoft protruding from the socket behind his ear.

 - William Gibson, Neuromancer (1984)

From mk at quadstone.com Wed Nov 13 16:11:56 2002
From: mk at quadstone.com (Michael Keightley)
Date: Thu Jan 12 21:16:25 2006
Subject: Problems with version 4
In-Reply-To: <200211131550.gADFoJe32216@vulcan.rissington.net>
References: <20021113152737.GB1629@quadstone.com> <5.1.0.14.2.20021113153116.07420ec0@imap.ecs.soton.ac.uk> <20021113154543.GD1629@quadstone.com> <200211131550.gADFoJe32216@vulcan.rissington.net>
Message-ID: <20021113161156.GE1629@quadstone.com>

On Wed, Nov 13, 2002 at 03:50:12PM +0000, Antony Stone wrote:
> On Wednesday 13 November 2002 3:45 pm, Michael Keightley wrote:
>
> > When I start version 4 up, lots of mailscanner processes are started, not
> > just one!! I guess this is causing the error message. Version 3 isn't
> > running. Why would so many processes be started up?
>
> What value do you have for "Max Children" in your config file ?

The default (5).

Michael

>
> Antony.
>
> --
>
> Behind the counter a boy with a shaven head stared vacantly into space,
> a dozen spikes of microsoft protruding from the socket behind his ear.
>
>  - William Gibson, Neuromancer (1984)

--
Michael Keightley                        Tel: +44 131 220 4491
Systems Manager, Quadstone Limited,      Fax: +44 131 220 4492
16 Chester Street, Edinburgh EH3 7RA, Scotland  http://www.quadstone.com

From Antony at SOFT-SOLUTIONS.CO.UK Wed Nov 13 16:19:58 2002
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:16:25 2006
Subject: Problems with version 4
In-Reply-To: <20021113161156.GE1629@quadstone.com>
References: <20021113152737.GB1629@quadstone.com> <200211131550.gADFoJe32216@vulcan.rissington.net> <20021113161156.GE1629@quadstone.com>
Message-ID: <200211131620.gADGK7e32267@vulcan.rissington.net>

On Wednesday 13 November 2002 4:11 pm, Michael Keightley wrote:

> On Wed, Nov 13, 2002 at 03:50:12PM +0000, Antony Stone wrote:
> > On Wednesday 13 November 2002 3:45 pm, Michael Keightley wrote:
> > > When I start version 4 up, lots of mailscanner processes are started,
> > > not just one!! I guess this is causing the error message. Version 3
> > > isn't running. Why would so many processes be started up?
> >
> > What value do you have for "Max Children" in your config file ?
>
> The default (5).

So that explains the six instances in your previous posting - one parent plus
five child processes.

Antony.

--

Anyone that's normal doesn't really achieve much.

 - Mark Blair, Australian rocket engineer

From sevans at FOUNDATION.SDSU.EDU Wed Nov 13 16:28:27 2002
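An added Python example (not from any poster and not MailScanner code) that groups the `ps -ef` rows posted earlier in this thread by parent process and script path. The rows are copied from that post; treating a process whose parent is not in the listing as a separately started scanner is an assumption of this example.

```python
# The `ps -ef` rows from the post above (ps truncated the command column).
PS_LISTING = """\
root 27398 27389 0 15:38:04 ? 0:06 /usr/bin/perl -I/var/opt/MailScanner/bin /var/opt/MailScanner/bin/mailscanner /
root 27410 27389 0 15:38:14 ? 0:07 /usr/bin/perl -I/var/opt/MailScanner/bin /var/opt/MailScanner/bin/mailscanner /
root 27390 27389 0 15:37:44 ? 0:06 /usr/bin/perl -I/var/opt/MailScanner/bin /var/opt/MailScanner/bin/mailscanner /
root 27411 27389 0 15:38:24 ? 0:05 /usr/bin/perl -I/var/opt/MailScanner/bin /var/opt/MailScanner/bin/mailscanner /
root 27389 1 0 15:37:44 ? 0:00 /usr/bin/perl -I/var/opt/MailScanner/bin /var/opt/MailScanner/bin/mailscanner /
root 27445 1 6 15:40:03 ? 0:05 /usr/bin/perl /var/opt/mailscanner/bin/mailscanner /var/opt/mailscanner/etc/mai
root 27393 27389 0 15:37:54 ? 0:05 /usr/bin/perl -I/var/opt/MailScanner/bin /var/opt/MailScanner/bin/mailscanner /
"""


def parse_ps(text):
    """Parse `ps -ef` rows: UID PID PPID C STIME TTY TIME CMD."""
    procs = []
    for line in text.splitlines():
        fields = line.split(None, 7)
        if len(fields) < 8:
            continue
        _uid, pid, ppid, _c, stime, _tty, _time, cmd = fields
        argv = cmd.split()
        # The first argument after the interpreter that is not an option
        # (such as -I...) is the script being run.
        script = next((a for a in argv[1:] if not a.startswith("-")), argv[0])
        procs.append({"pid": int(pid), "ppid": int(ppid),
                      "started": stime, "script": script})
    return procs


def group_by_parent(procs):
    """Map each top-level scanner process to its script path and children."""
    listed = {p["pid"] for p in procs}
    trees = {}
    for p in procs:
        if p["ppid"] not in listed:          # parent is init, not a scanner
            trees[p["pid"]] = {"script": p["script"],
                               "started": p["started"], "children": []}
    for p in procs:
        if p["ppid"] in trees:
            trees[p["ppid"]]["children"].append(p["pid"])
    for tree in trees.values():
        tree["children"].sort()
    return trees


def findings(trees):
    """Flag what would point to two scanner instances sharing the queues."""
    notes = []
    if len(trees) > 1:
        notes.append(f"{len(trees)} independent top-level scanner processes")
    scripts = sorted({t["script"] for t in trees.values()})
    if len(scripts) > 1:
        notes.append("started from different paths: " + ", ".join(scripts))
    return notes


if __name__ == "__main__":
    trees = group_by_parent(parse_ps(PS_LISTING))
    for pid, tree in sorted(trees.items()):
        print(pid, tree["started"], tree["script"], "children:", tree["children"])
    for note in findings(trees):
        print("NOTE:", note)
```

On this listing it returns PID 27389 with five children under /var/opt/MailScanner, plus a separate top-level PID 27445 started at 15:40:03 from /var/opt/mailscanner, which is worth checking against the "V3 and V4 simultaneously" cause in Julian's reply.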
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans)
Date: Thu Jan 12 21:16:25 2006
Subject: FriendlyGreeting is Expanding
Message-ID: <6214C3F9233D764C9E7029396C355015331665@mail.foundation.sdsu.edu>

I am ready to just block all e-mail.

I attached the two possibilities now according to Mcafee. Does anybody
have a long term solution for these guys. I believe the rule that
Julian suggested adding to spam.assassin.prefs.conf only covers the
first one.

Steve Evans
SDSU Foundation
(619) 594-0653

-------------- next part --------------
Subject: %Recipient% you have an E-Card from %Sender%.

Body:

Greetings!

%sender% has sent you an E-Card -- a virtual postcard from FriendGreetings.com. You can pickup your E-Card at the FriendGreetings.com by clicking on the link below.

http://www.friendgreetings.com/pickup/pickup.aspx?code=%recipient%&id=%code%

Message:
------------------------------------------------------------------------
%Recipient%,
I sent you a greeting card. Please pick it up.
%Sender%
------------------------------------------------------------------------

-------------- next part --------------
Subject: %Recipient% you have a greeting card from %Sender%.

Body:

%Recipient%,

%sender% has sent you an greeting card -- a postcard from Friend-Greetings.com. You can pickup your greeting card at Friend-Greetings.com by clicking on the link below.

http://www.friend-greeting.com/%number%/pickup.html?code=%name%&id=%number%

Message:
------------------------------------------------------------------------
%Recipient%,
I sent you a greeting card - please pick it up.
%Sender%
------------------------------------------------------------------------

From David.While at UCE.AC.UK Wed Nov 13 16:58:50 2002
From: David.While at UCE.AC.UK (David While)
Date: Thu Jan 12 21:16:25 2006
Subject: Teeny problem?
Message-ID:

Does the Silent Viruses setting use a case sensitive lookup ?

I suspect it doesn't which causes a problem with some scanners which produce
the bugbear virus as BugBear and others that produce Bugbear.

-----------------------------------------------------------------
David While
Technical Development Manager
Faculty of Computing, Information & English
University of Central England
Tel: 0121 331 6211

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021113/45f9320d/attachment.html

From krice at SERVERSANDSOLUTIONS.COM Wed Nov 13 17:10:51 2002
From: krice at SERVERSANDSOLUTIONS.COM (Ken Rice)
Date: Thu Jan 12 21:16:25 2006
Subject: FriendlyGreeting is Expanding
In-Reply-To: <6214C3F9233D764C9E7029396C355015331665@mail.foundation.sdsu.edu>
References: <6214C3F9233D764C9E7029396C355015331665@mail.foundation.sdsu.edu>
Message-ID: <20021113121051.04bdec1d.krice@serversandsolutions.com>

On Wed, 13 Nov 2002 08:28:27 -0800
Steve Evans wrote:

> I am ready to just block all e-mail.

how about yahoo, hotmail, web2mail, msn.com... 8-)

> I attached the two possibilities now according to Mcafee. Does anybody
> have a long term solution for these guys. I believe the rule that
> Julian suggested adding to spam.assassin.prefs.conf only covers the
> first one.

I have the "luxury" of running servers for our corporation, including lists
for our customers, so we have no "public" users. (We're a liberal
corporation, but with no 'Net policies). Since email passing through our
email server(s) are supposedly only business-related, I use 2 approaches.

One is sendmail based, in my sendmail.mc I have:

LOCAL_RULESETS
F{JunkSubs} /etc/mail/junksubs.txt
F{SSJunk} /etc/mail/ssjunk.txt

HSubject: $>Check_Subject

SCheck_Subject
R$={JunkSubs}$*	$: NMJUNKSUB
R$* $={SSJunk} $*	$#error $: NMJUNKSUB
R$* NMJUNKSUB $*	$#error $: "553 Rejected"

my ssjunk.txt includes:
e-card
greeting.card
greeting.cardyou.have.an.e-card
you.have.a.greeting.card.from
along with many other phrases/words from v*agra on, including some sick
stuff.

In my spam.assassin.prefs.conf (mailscanner-3.26-1):
blacklist_from *@*.friendgreetings.com
blacklist_from *@friendgreetings.com
blacklist_from *@*.friend-greetings.com
blacklist_from *@friend-greetings.com
and many others. I believe the above format to be correct, but, anyone,
pls critique, 'cause it appears to work for me.

(Is a TAB really necessary after the "blacklist_from" ?

But, as I mentioned this is corporate, so if an employee does complain that
they aren't getting some "legit" email like an e-card, I try to nicely explain
why they're blocked. (or am I really being a "nice" BOFH??)

Anyway, MANY THANKS to Julian Field, as with Mailscanner, SpamAssassin and the
expensive Sophos, upper-level here is QUITE impressed with how we can tweak
our email flow. And, it's just one more example of a great, reliable
open-source software, running on Linux here, so much that I'm within an inch
of convincing them that our primary *nix platform for Oracle should now be
Linux.

Sorry for the ramble,

Ken Rice
The Library Corporation
(first commercial CD-ROM made (with Hitachi back then) in the world)
http://www.tlcdelivers.com

Yeah, serversANDsolutions.com is my domain, but they let me work from home a
lot for many reasons.

opensource, of course!

From brian at PORTSMOUTH-COLLEGE.AC.UK Wed Nov 13 17:26:51 2002
From: brian at PORTSMOUTH-COLLEGE.AC.UK (Brian Chivers)
Date: Thu Jan 12 21:16:25 2006
Subject: FriendlyGreeting is Expanding
References: <6214C3F9233D764C9E7029396C355015331665@mail.foundation.sdsu.edu>
Message-ID: <001601c28b39$da60aa00$f0c8a8c0@brianhome>

Couldn't you just block these sites? That way they won't be able to visit the
site and download the nasty bits.

I realise this is not ideal but better than nothing.

Brian Chivers

----- Original Message -----
From: "Steve Evans"
To:
Sent: Wednesday, November 13, 2002 4:28 PM
Subject: FriendlyGreeting is Expanding


I am ready to just block all e-mail.

I attached the two possibilities now according to Mcafee. Does anybody
have a long term solution for these guys. I believe the rule that
Julian suggested adding to spam.assassin.prefs.conf only covers the
first one.

Steve Evans
SDSU Foundation
(619) 594-0653

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From sean at NISD.NET Wed Nov 13 17:26:12 2002
From: sean at NISD.NET (Sean Embry)
Date: Thu Jan 12 21:16:25 2006
Subject: FriendlyGreeting is Expanding
Message-ID:

A clue by four applied vigorously to the user's head that clicks on this
works wonders.

>>> krice@SERVERSANDSOLUTIONS.COM 11/13/02 11:10AM >>>
On Wed, 13 Nov 2002 08:28:27 -0800
Steve Evans wrote:

> I am ready to just block all e-mail.

how about yahoo, hotmail, web2mail, msn.com... 8-)

> I attached the two possibilities now according to Mcafee. Does anybody
> have a long term solution for these guys. I believe the rule that
> Julian suggested adding to spam.assassin.prefs.conf only covers the
> first one.

I have the "luxury" of running servers for our corporation, including lists
for our customers, so we have no "public" users. (We're a liberal
corporation, but with no 'Net policies). Since email passing through our
email server(s) are supposedly only business-related, I use 2 approaches.

One is sendmail based, in my sendmail.mc I have:

LOCAL_RULESETS
F{JunkSubs} /etc/mail/junksubs.txt
F{SSJunk} /etc/mail/ssjunk.txt

HSubject: $>Check_Subject

SCheck_Subject
R$={JunkSubs}$* $: NMJUNKSUB
R$* $={SSJunk} $* $#error $: NMJUNKSUB
R$* NMJUNKSUB $* $#error $: "553 Rejected"

my ssjunk.txt includes:
e-card
greeting.card
greeting.cardyou.have.an.e-card
you.have.a.greeting.card.from
along with many other phrases/words from v*agra on, including some sick
stuff.

In my spam.assassin.prefs.conf (mailscanner-3.26-1):
blacklist_from *@*.friendgreetings.com
blacklist_from *@friendgreetings.com
blacklist_from *@*.friend-greetings.com
blacklist_from *@friend-greetings.com
and many others. I believe the above format to be correct, but, anyone,
pls critique, 'cause it appears to work for me.

(Is a TAB really necessary after the "blacklist_from" ?

But, as I mentioned this is corporate, so if an employee does complain that
they aren't getting some "legit" email like an e-card, I try to nicely explain
why they're blocked. (or am I really being a "nice" BOFH??)

Anyway, MANY THANKS to Julian Field, as with Mailscanner, SpamAssassin and the
expensive Sophos, upper-level here is QUITE impressed with how we can tweak
our email flow. And, it's just one more example of a great, reliable
open-source software, running on Linux here, so much that I'm within an inch
of convincing them that our primary *nix platform for Oracle should now be
Linux.

Sorry for the ramble,

Ken Rice
The Library Corporation
(first commercial CD-ROM made (with Hitachi back then) in the world)
http://www.tlcdelivers.com

Yeah, serversANDsolutions.com is my domain, but they let me work from home a
lot for many reasons.

opensource, of course!

From sevans at FOUNDATION.SDSU.EDU Wed Nov 13 17:51:53 2002
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans)
Date: Thu Jan 12 21:16:25 2006
Subject: FriendlyGreeting is Expanding
Message-ID: <6214C3F9233D764C9E7029396C35501533166A@mail.foundation.sdsu.edu>

Let me clarify, we provide e-mail for about 85% of our e-mail users, and
they connect to the internet however they want.

Steve Evans
SDSU Foundation
(619) 594-0653

-----Original Message-----
From: Brian Chivers [mailto:brian@PORTSMOUTH-COLLEGE.AC.UK]
Sent: Wednesday, November 13, 2002 9:27 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: FriendlyGreeting is Expanding


Couldn't you just block these sites? That way they won't be able to visit the
site and download the nasty bits.

I realise this is not ideal but better than nothing.

Brian Chivers

----- Original Message -----
From: "Steve Evans"
To:
Sent: Wednesday, November 13, 2002 4:28 PM
Subject: FriendlyGreeting is Expanding


I am ready to just block all e-mail.

I attached the two possibilities now according to Mcafee. Does anybody
have a long term solution for these guys. I believe the rule that
Julian suggested adding to spam.assassin.prefs.conf only covers the
first one.

Steve Evans
SDSU Foundation
(619) 594-0653

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From sevans at FOUNDATION.SDSU.EDU Wed Nov 13 17:51:31 2002
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans)
Date: Thu Jan 12 21:16:25 2006
Subject: FriendlyGreeting is Expanding
Message-ID: <6214C3F9233D764C9E7029396C355015331669@mail.foundation.sdsu.edu>

We have. But we have home users, and we act as an ISP for about 85% of our
mail users.

Steve Evans
SDSU Foundation
(619) 594-0653

-----Original Message-----
From: Brian Chivers [mailto:brian@PORTSMOUTH-COLLEGE.AC.UK]
Sent: Wednesday, November 13, 2002 9:27 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: FriendlyGreeting is Expanding


Couldn't you just block these sites? That way they won't be able to visit the
site and download the nasty bits.

I realise this is not ideal but better than nothing.

Brian Chivers

----- Original Message -----
From: "Steve Evans"
To:
Sent: Wednesday, November 13, 2002 4:28 PM
Subject: FriendlyGreeting is Expanding


I am ready to just block all e-mail.

I attached the two possibilities now according to Mcafee. Does anybody
have a long term solution for these guys. I believe the rule that
Julian suggested adding to spam.assassin.prefs.conf only covers the
first one.

Steve Evans
SDSU Foundation
(619) 594-0653

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From sevans at FOUNDATION.SDSU.EDU Wed Nov 13 17:54:34 2002
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans)
Date: Thu Jan 12 21:16:25 2006
Subject: FriendlyGreeting is Expanding
Message-ID: <6214C3F9233D764C9E7029396C35501533166B@mail.foundation.sdsu.edu>

Blocking the friendlygreeting domains won't work because the "Virus"
comes from a user.

Steve Evans
SDSU Foundation
(619) 594-0653

-----Original Message-----
From: Ken Rice [mailto:krice@SERVERSANDSOLUTIONS.COM]
Sent: Wednesday, November 13, 2002 9:11 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: FriendlyGreeting is Expanding


On Wed, 13 Nov 2002 08:28:27 -0800
Steve Evans wrote:

> I am ready to just block all e-mail.

how about yahoo, hotmail, web2mail, msn.com... 8-)

> I attached the two possibilities now according to Mcafee. Does anybody
> have a long term solution for these guys. I believe the rule that
> Julian suggested adding to spam.assassin.prefs.conf only covers the
> first one.

I have the "luxury" of running servers for our corporation, including lists
for our customers, so we have no "public" users. (We're a liberal
corporation, but with no 'Net policies). Since email passing through our
email server(s) are supposedly only business-related, I use 2 approaches.

One is sendmail based, in my sendmail.mc I have:

LOCAL_RULESETS
F{JunkSubs} /etc/mail/junksubs.txt
F{SSJunk} /etc/mail/ssjunk.txt

HSubject: $>Check_Subject

SCheck_Subject
R$={JunkSubs}$* $: NMJUNKSUB
R$* $={SSJunk} $* $#error $: NMJUNKSUB
R$* NMJUNKSUB $* $#error $: "553 Rejected"

my ssjunk.txt includes:
e-card
greeting.card
greeting.cardyou.have.an.e-card
you.have.a.greeting.card.from
along with many other phrases/words from v*agra on, including some sick
stuff.

In my spam.assassin.prefs.conf (mailscanner-3.26-1):
blacklist_from *@*.friendgreetings.com
blacklist_from *@friendgreetings.com
blacklist_from *@*.friend-greetings.com
blacklist_from *@friend-greetings.com
and many others. I believe the above format to be correct, but, anyone,
pls critique, 'cause it appears to work for me.

(Is a TAB really necessary after the "blacklist_from" ?

But, as I mentioned this is corporate, so if an employee does complain that
they aren't getting some "legit" email like an e-card, I try to nicely explain
why they're blocked. (or am I really being a "nice" BOFH??)

Anyway, MANY THANKS to Julian Field, as with Mailscanner, SpamAssassin and the
expensive Sophos, upper-level here is QUITE impressed with how we can tweak
our email flow. And, it's just one more example of a great, reliable
open-source software, running on Linux here, so much that I'm within an inch
of convincing them that our primary *nix platform for Oracle should now be
Linux.

Sorry for the ramble,

Ken Rice
The Library Corporation
(first commercial CD-ROM made (with Hitachi back then) in the world)
http://www.tlcdelivers.com

Yeah, serversANDsolutions.com is my domain, but they let me work from home a
lot for many reasons.

opensource, of course!

From brian at PORTSMOUTH-COLLEGE.AC.UK Wed Nov 13 18:01:18 2002
From: brian at PORTSMOUTH-COLLEGE.AC.UK (Brian Chivers)
Date: Thu Jan 12 21:16:25 2006
Subject: FriendlyGreeting is Expanding
References: <6214C3F9233D764C9E7029396C35501533166B@mail.foundation.sdsu.edu>
Message-ID: <000e01c28b3e$aa86f640$f0c8a8c0@brianhome>

Yah but surely if they can't get to the website to download the program it
doesn't pose a threat.

Am I misunderstanding this ??

Brian Chivers

----- Original Message -----
From: "Steve Evans"
To:
Sent: Wednesday, November 13, 2002 5:54 PM
Subject: Re: FriendlyGreeting is Expanding


> Blocking the friendlygreeting domains won't work because the "Virus"
> comes from a user.
>
> Steve Evans
> SDSU Foundation
> (619) 594-0653
>
> -----Original Message-----
> From: Ken Rice [mailto:krice@SERVERSANDSOLUTIONS.COM]
> Sent: Wednesday, November 13, 2002 9:11 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: FriendlyGreeting is Expanding
>
>
> On Wed, 13 Nov 2002 08:28:27 -0800
> Steve Evans wrote:
>
> > I am ready to just block all e-mail.
>
> how about yahoo, hotmail, web2mail, msn.com... 8-)
>
> > I attached the two possibilities now according to Mcafee. Does anybody
> > have a long term solution for these guys. I believe the rule that
> > Julian suggested adding to spam.assassin.prefs.conf only covers the
> > first one.
>
> I have the "luxury" of running servers for our corporation, including
> lists for our customers,
> so we have no "public" users. (We're a liberal corporation, but with no
> 'Net policies).
> Since email passing through our email server(s) are supposedly only
> business-related, I use 2 approaches.
>
> One is sendmail based, in my sendmail.mc I have:
>
> LOCAL_RULESETS
> F{JunkSubs} /etc/mail/junksubs.txt
> F{SSJunk} /etc/mail/ssjunk.txt
>
> HSubject: $>Check_Subject
>
> SCheck_Subject
> R$={JunkSubs}$* $: NMJUNKSUB
> R$* $={SSJunk} $* $#error $: NMJUNKSUB
> R$* NMJUNKSUB $* $#error $: "553 Rejected"
>
> my ssjunk.txt includes:
> e-card
> greeting.card
> greeting.cardyou.have.an.e-card
> you.have.a.greeting.card.from
> along with many other phrases/words from v*agra on, including some sick
> stuff.
>
> In my spam.assassin.prefs.conf (mailscanner-3.26-1):
> blacklist_from *@*.friendgreetings.com
> blacklist_from *@friendgreetings.com
> blacklist_from *@*.friend-greetings.com
> blacklist_from *@friend-greetings.com
> and many others. I believe the above format to be correct, but, anyone,
> pls critique, 'cause it appears to work for me.
>
> (Is a TAB really necessary after the "blacklist_from" ?
>
> But, as I mentioned this is corporate, so if an employee does complain
> that
> they aren't getting some "legit" email like an e-card, I try to nicely
> explain
> why they're blocked. (or am I really being a "nice" BOFH??)
>
> Anyway, MANY THANKS to Julian Field, as with Mailscanner, SpamAssassin
> and the
> expensive Sophos, upper-level here is QUITE impressed with how we can
> tweak our email flow.
> And, it's just one more example of a great, reliable open-source
> software, running on Linux here,
> so much that I'm within an inch of convincing them that our primary *nix
> platform for Oracle
> should now be Linux.
>
> Sorry for the ramble,
>
> Ken Rice
> The Library Corporation
> (first commercial CD-ROM made (with Hitachi back then) in the world)
> http://www.tlcdelivers.com
>
> Yeah, serversANDsolutions.com is my domain, but they let me work from
> home a lot for many reasons.
>
> opensource, of course!
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From sevans at FOUNDATION.SDSU.EDU Wed Nov 13 18:04:29 2002
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans)
Date: Thu Jan 12 21:16:25 2006
Subject: FriendlyGreeting is Expanding
Message-ID: <6214C3F9233D764C9E7029396C35501533166C@mail.foundation.sdsu.edu>

We can't block all our users from getting to their site. Most of our
e-mail users are on different networks. And even the ones that do
physically reside on our network work from home sometimes.

Steve Evans
SDSU Foundation
(619) 594-0653

-----Original Message-----
From: Brian Chivers [mailto:brian@PORTSMOUTH-COLLEGE.AC.UK]
Sent: Wednesday, November 13, 2002 10:01 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: FriendlyGreeting is Expanding


Yah but surely if they can't get to the website to download the program
it doesn't pose a threat.

Am I misunderstanding this ??

Brian Chivers
----- Original Message -----
From: "Steve Evans"
To:
Sent: Wednesday, November 13, 2002 5:54 PM
Subject: Re: FriendlyGreeting is Expanding


> Blocking the friendlygreeting domains won't work because the "Virus"
> comes from a user.
>
> Steve Evans
> SDSU Foundation
> (619) 594-0653
>
> -----Original Message-----
> From: Ken Rice [mailto:krice@SERVERSANDSOLUTIONS.COM]
> Sent: Wednesday, November 13, 2002 9:11 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: FriendlyGreeting is Expanding
>
>
> On Wed, 13 Nov 2002 08:28:27 -0800
> Steve Evans wrote:
>
> > I am ready to just block all e-mail.
>
> how about yahoo, hotmail, web2mail, msn.com... 8-)
>
> > I attached the two possibilities now according to Mcafee. Does
> > anybody have a long term solution for these guys. I believe the
> > rule that Julian suggested adding to spam.assassin.prefs.conf only
> > covers the first one.
>
> I have the "luxury" of running servers for our corporation, including
> lists for our customers, so we have no "public" users. (We're a
> liberal corporation, but with no 'Net policies).
> Since email passing through our email server(s) are supposedly only
> business-related, I use 2 approaches.
>
> One is sendmail based, in my sendmail.mc I have:
>
> LOCAL_RULESETS
> F{JunkSubs} /etc/mail/junksubs.txt
> F{SSJunk} /etc/mail/ssjunk.txt
>
> HSubject: $>Check_Subject
>
> SCheck_Subject
> R$={JunkSubs}$* $: NMJUNKSUB
> R$* $={SSJunk} $* $#error $: NMJUNKSUB
> R$* NMJUNKSUB $* $#error $: "553 Rejected"
>
> my ssjunk.txt includes:
> e-card
> greeting.card
> greeting.cardyou.have.an.e-card
> you.have.a.greeting.card.from
> along with many other phrases/words from v*agra on, including some
> sick stuff.
>
> In my spam.assassin.prefs.conf (mailscanner-3.26-1): blacklist_from
> *@*.friendgreetings.com blacklist_from *@friendgreetings.com
> blacklist_from *@*.friend-greetings.com
> blacklist_from *@friend-greetings.com
> and many others. I believe the above format to be correct, but, anyone,
> pls critique, 'cause it appears to work for me.
>
> (Is a TAB really necessary after the "blacklist_from" ?
>
> But, as I mentioned this is corporate, so if an employee does complain
> that they aren't getting some "legit" email like an e-card, I try to
> nicely explain
> why they're blocked. (or am I really being a "nice" BOFH??)
>
> Anyway, MANY THANKS to Julian Field, as with Mailscanner, SpamAssassin
> and the expensive Sophos, upper-level here is QUITE impressed with how
> we can tweak our email flow.
> And, it's just one more example of a great, reliable open-source
> software, running on Linux here,
> so much that I'm within an inch of convincing them that our primary *nix
> platform for Oracle
> should now be Linux.
>
> Sorry for the ramble,
>
> Ken Rice
> The Library Corporation
> (first commercial CD-ROM made (with Hitachi back then) in the world)
> http://www.tlcdelivers.com
>
> Yeah, serversANDsolutions.com is my domain, but they let me work from
> home a lot for many reasons.
>
> opensource, of course!
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From brian at PORTSMOUTH-COLLEGE.AC.UK Wed Nov 13 18:07:43 2002
From: brian at PORTSMOUTH-COLLEGE.AC.UK (Brian Chivers)
Date: Thu Jan 12 21:16:25 2006
Subject: FriendlyGreeting is Expanding
References: <6214C3F9233D764C9E7029396C35501533166C@mail.foundation.sdsu.edu>
Message-ID: <001301c28b3f$900d33a0$f0c8a8c0@brianhome>

Ah, OK. Luckily I don't have to deal with this type of environment so I'm able
to take a simpler way out. All our machines connect via proxies so we can
just block the site.

If the users moan I can just say that it isn't for college use and to do it at
home.

Brian

----- Original Message -----
From: "Steve Evans"
To:
Sent: Wednesday, November 13, 2002 6:04 PM
Subject: Re: FriendlyGreeting is Expanding


> We can't block all our users from getting to their site. Most of our
> e-mail users are on different networks. And even the ones that do
> physically reside on our network work from home sometimes.
>
> Steve Evans
> SDSU Foundation
> (619) 594-0653
>
> -----Original Message-----
> From: Brian Chivers [mailto:brian@PORTSMOUTH-COLLEGE.AC.UK]
> Sent: Wednesday, November 13, 2002 10:01 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: FriendlyGreeting is Expanding
>
>
> Yah but surely if they can't get to the website to download the program
> it doesn't pose a threat.
>
> Am I misunderstanding this ??
>
> Brian Chivers
> ----- Original Message -----
> From: "Steve Evans"
> To:
> Sent: Wednesday, November 13, 2002 5:54 PM
> Subject: Re: FriendlyGreeting is Expanding
>
>
> > Blocking the friendlygreeting domains won't work because the "Virus"
> > comes from a user.
> >
> > Steve Evans
> > SDSU Foundation
> > (619) 594-0653
> >
> > -----Original Message-----
> > From: Ken Rice [mailto:krice@SERVERSANDSOLUTIONS.COM]
> > Sent: Wednesday, November 13, 2002 9:11 AM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: FriendlyGreeting is Expanding
> >
> >
> > On Wed, 13 Nov 2002 08:28:27 -0800
> > Steve Evans wrote:
> >
> > > I am ready to just block all e-mail.
> >
> > how about yahoo, hotmail, web2mail, msn.com... 8-)
> >
> > > I attached the two possibilities now according to Mcafee. Does
> > > anybody have a long term solution for these guys. I believe the
> > > rule that Julian suggested adding to spam.assassin.prefs.conf only
> > > covers the first one.
> >
> > I have the "luxury" of running servers for our corporation, including
> > lists for our customers, so we have no "public" users. (We're a
> > liberal corporation, but with no 'Net policies).
> > Since email passing through our email server(s) are supposedly only
> > business-related, I use 2 approaches.
> >
> > One is sendmail based, in my sendmail.mc I have:
> >
> > LOCAL_RULESETS
> > F{JunkSubs} /etc/mail/junksubs.txt
> > F{SSJunk} /etc/mail/ssjunk.txt
> >
> > HSubject: $>Check_Subject
> >
> > SCheck_Subject
> > R$={JunkSubs}$* $: NMJUNKSUB
> > R$* $={SSJunk} $* $#error $: NMJUNKSUB
> > R$* NMJUNKSUB $* $#error $: "553 Rejected"
> >
> > my ssjunk.txt includes:
> > e-card
> > greeting.card
> > greeting.cardyou.have.an.e-card
> > you.have.a.greeting.card.from
> > along with many other phrases/words from v*agra on, including some
> > sick stuff.
> >
> > In my spam.assassin.prefs.conf (mailscanner-3.26-1): blacklist_from
> > *@*.friendgreetings.com blacklist_from *@friendgreetings.com
> > blacklist_from *@*.friend-greetings.com
> > blacklist_from *@friend-greetings.com
> > and many others. I believe the above format to be correct, but,
> anyone,
> > pls critique, 'cause it appears to work for me.
> >
> > (Is a TAB really necessary after the "blacklist_from" ?
> > > > But, as I mentioned this is corporate, so if an employee does complain > > > that they aren't getting some "legit" email like an e-card, I try to > > nicely explain > > why they're blocked. (or am I really being a "nice" BOFH??) > > > > Anyway, MANY THANKS to Julian Field, as with Mailscanner, SpamAssassin > > > and the expensive Sophos, upper-level here is QUITE impressed with how > > > we can tweak our email flow. > > And, it's just one more example of a great, reliable open-source > > software, running on Linux here, > > so much that I'm within an inch of convincing them that our primary > *nix > > platform for Oracle > > should now be Linux. > > > > Sorry for the ramble, > > > > Ken Rice > > The Library Corporation > > (first commercial CD-ROM made (with Hitachi back then) in the world) > > http://www.tlcdelivers.com > > > > Yeah, serversANDsolutions.com is my domain, but they let me work from > > home a lot for many reasons. > > > > opensource, of course! > > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From krice at SERVERSANDSOLUTIONS.COM Wed Nov 13 18:14:52 2002 
From: krice at SERVERSANDSOLUTIONS.COM (Ken Rice)
Date: Thu Jan 12 21:16:25 2006
Subject: FriendlyGreeting is Expanding
In-Reply-To: <6214C3F9233D764C9E7029396C35501533166B@mail.foundation.sdsu.edu>
References: <6214C3F9233D764C9E7029396C35501533166B@mail.foundation.sdsu.edu>
Message-ID: <20021113131452.498503d5.krice@serversandsolutions.com>

On Wed, 13 Nov 2002 09:54:34 -0800 Steve Evans wrote:

> Blocking the friendlygreeting domains won't work because the "Virus"
> comes from a user.

Yes, thx, I just grepped my maillogs. The local_ruleset is the one...

> One is sendmail based, in my sendmail.mc I have:
>
> LOCAL_RULESETS
> F{JunkSubs} /etc/mail/junksubs.txt
> F{SSJunk} /etc/mail/ssjunk.txt
>
> HSubject: $>Check_Subject
>
> SCheck_Subject
> R$={JunkSubs}$* $: NMJUNKSUB
> R$* $={SSJunk} $* $#error $: NMJUNKSUB
> R$* NMJUNKSUB $* $#error $: "553 Rejected"
>
> my ssjunk.txt includes:
> e-card
> greeting.card
> greeting.cardyou.have.an.e-card
> you.have.a.greeting.card.from

Ken Rice
The Library Corporation

From mailscannerlist at TNJINFL.COM Wed Nov 13 18:35:50 2002
From: mailscannerlist at TNJINFL.COM (James Pifer)
Date: Thu Jan 12 21:16:25 2006
Subject: [Fwd: Rejected posting to MAILSCANNER@JISCMAIL.AC.UK]
Message-ID: <1037212550.13361.41.camel@tweety.tnjinfl.com>

I looked at the FAQ before posting, and didn't find my answer.

I've installed Redhat 8 (with Sendmail of course) and then added MailScanner, SpamAssassin, and F-Prot. My mail is being delivered, but I'm not sure that it's going through the spam and virus filters. I received 6 spam messages last evening.

-How can I tell if it's working correctly or not?
-Are there any log files? I checked maillog and it looked like only sendmail activity.
-It also looks like Redhat 8 install Procmail by default. Do I need to do anything with this, like shut it off or configure it?

Any help is appreciated.

Thanks,
James

From lbergman at wtxs.net Wed Nov 13 18:49:45 2002
From: lbergman at wtxs.net (Lewis Bergman)
Date: Thu Jan 12 21:16:25 2006
Subject: [Fwd: Rejected posting to MAILSCANNER@JISCMAIL.AC.UK]
In-Reply-To: <1037212550.13361.41.camel@tweety.tnjinfl.com>
References: <1037212550.13361.41.camel@tweety.tnjinfl.com>
Message-ID: <200211131249.45784.lbergman@wtxs.net>

On Wednesday 13 November 2002 12:35 pm, James Pifer wrote:
> I looked at the FAQ before posting, and didn't find my answer.
>
> I've installed Redhat 8 (with Sendmail of course) and then added
> MailScanner, SpamAssassin, and F-Prot. My mail is being delivered, but I'm
> not sure that it's going through the spam and virus filters. I received 6
> spam messages last evening.
>
You should go to the web site and look at some info there.

> -How can I tell if it's working correctly or not?
ps aux | grep MailScanner, look at the headers...

> -Are there any log files? I checked maillog and it looked like only
> sendmail activity.
Did you start it per the instructions?

> -It also looks like Redhat 8 install Procmail by default. Do I need to
> do anything with this, like shut it off or configure it?
No, MailScanner has nothing to do with Procmail

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
915-695-6962 ext 115

From mailscanner at ecs.soton.ac.uk Wed Nov 13 18:43:32 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:25 2006
Subject: MRTG
In-Reply-To:
Message-ID: <5.1.0.14.2.20021113184229.03859f68@imap.ecs.soton.ac.uk>

At 15:51 13/11/2002, you wrote:
>Hi Julian,
>
>Could you please tell me how you do this..
>
>"Every night the day's mail logs are collected and put in 1 directory, which
>is where the script gets them from"

I just have cron jobs on my mail servers that use rcp or scp to copy the day's maillog over to the host that runs MRTG.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Wed Nov 13 18:52:44 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:25 2006
Subject: FriendlyGreeting is Expanding
In-Reply-To: <6214C3F9233D764C9E7029396C355015331665@mail.foundation.sds u.edu>
Message-ID: <5.1.0.14.2.20021113184837.0385cf30@imap.ecs.soton.ac.uk>

At 16:28 13/11/2002, you wrote:
>I am ready to just block all e-mail.

Do that and I'll have to go back to collecting things (glasses, clocks, bottles of brandy...)
:-)

>I attached the two possibilitys now according to Mcafee. Does anybody
>have a long term solution for these guys. I believe the rule that
>Julian suggested adding to spam.assassin.prefs.conf only covers the
>first one.

I have only seen these two. The second one appeared last week. Updates for sendmail.cf or spam.assassin.prefs.conf are included here for everyone's benefit. If I hear any more news in this I'll let you all know.

Stop them in sendmail:

HSubject: $>Check_Subject
D{FriendPat1}you have an E-Card from
D{FriendPat2}you have a greeting card from
D{FriendMsg}This message is probably a nasty E-Card.
SCheck_Subject
R$* ${FriendPat1} $* $#error $@ 5.7.1 $: ${FriendMsg}
R$* ${FriendPat2} $* $#error $@ 5.7.1 $: ${FriendMsg}

Or stop them in SpamAssassin:

header FRIEND_GREETINGS Subject =~ /you have an E-Card from/i
describe FRIEND_GREETINGS Nasty E-card from FriendGreetings.com
score FRIEND_GREETINGS 100.0
header FRIEND_GREETINGS2 Subject =~ /you have a greeting card from/i
describe FRIEND_GREETINGS2 Nasty E-card from FriendGreetings.com
score FRIEND_GREETINGS2 100.0

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Wed Nov 13 19:03:20 2002
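
[Added example, not part of any list message and not MailScanner or SpamAssassin code.] A small Python check of the point made in this thread: the blacklist_from entries miss a card relayed from an ordinary user's address, while the two Subject rules catch it. The rule lines are copied from the messages above; the parser, the "blacklist_from" hit label and the four sample messages are constructed for illustration, and Python's re and fnmatch stand in for SpamAssassin's own matching (an assumption).

```python
import fnmatch
import re
from email import message_from_string
from email.utils import parseaddr

# Rule lines as posted in the thread (Ken Rice's blacklist, Julian Field's rules).
RULES_TEXT = """
blacklist_from *@*.friendgreetings.com
blacklist_from *@friendgreetings.com
blacklist_from *@*.friend-greetings.com
blacklist_from *@friend-greetings.com
header FRIEND_GREETINGS Subject =~ /you have an E-Card from/i
describe FRIEND_GREETINGS Nasty E-card from FriendGreetings.com
score FRIEND_GREETINGS 100.0
header FRIEND_GREETINGS2 Subject =~ /you have a greeting card from/i
describe FRIEND_GREETINGS2 Nasty E-card from FriendGreetings.com
score FRIEND_GREETINGS2 100.0
"""

HEADER_RULE = re.compile(r"^header\s+(\S+)\s+(\S+)\s+=~\s+/(.*)/([a-z]*)$")


def parse_rules(text):
    """Return (sender globs, {rule: (header, regex)}, {rule: score})."""
    blacklist, headers, scores = [], {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        word, _, rest = line.partition(" ")
        if word == "blacklist_from":
            blacklist.append(rest.strip().lower())
        elif word == "header":
            match = HEADER_RULE.match(line)
            if match is None:
                raise ValueError("unsupported header rule: " + line)
            name, header, pattern, flags = match.groups()
            headers[name] = (header, re.compile(pattern, re.I if "i" in flags else 0))
        elif word == "score":
            name, value = rest.split()
            scores[name] = float(value)
        # "describe" lines carry no matching logic and are skipped.
    return blacklist, headers, scores


def evaluate(raw_message, rules):
    """List the rules a message hits, sender blacklist first."""
    blacklist, headers, _ = rules
    msg = message_from_string(raw_message)
    hits = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if any(fnmatch.fnmatchcase(sender, glob) for glob in blacklist):
        hits.append("blacklist_from")  # label used by this script only
    for name, (header, regex) in headers.items():
        value = " ".join((msg.get(header) or "").split())  # unfold whitespace
        if regex.search(value):
            hits.append(name)
    return hits


def total_score(hits, rules):
    """Sum the explicit scores of the header rules that fired."""
    return sum(rules[2].get(name, 0.0) for name in hits)


RULES = parse_rules(RULES_TEXT)

# Constructed sample messages (addresses and subjects are made up).
MSG_FROM_USER = "From: pat@example.edu\nSubject: Pat, you have an E-Card from Chris\n\nbody\n"
MSG_FROM_SITE = ("From: Cards <cards@www.friend-greetings.com>\n"
                 "Subject: YOU HAVE A GREETING CARD FROM Sam\n\nbody\n")
MSG_CLEAN = "From: boss@example.com\nSubject: Budget meeting moved to Friday\n\nbody\n"
MSG_REPLY = ("From: colleague@example.com\n"
             "Subject: Re: Did you have an e-card from the vendor?\n\nbody\n")

if __name__ == "__main__":
    for label, raw in [("user relay", MSG_FROM_USER), ("card site", MSG_FROM_SITE),
                       ("clean", MSG_CLEAN), ("reply", MSG_REPLY)]:
        hits = evaluate(raw, RULES)
        print(f"{label:10} hits={hits} score={total_score(hits, RULES)}")
```

The fourth sample shows the cost of a 100-point substring rule: an ordinary reply whose subject happens to contain the phrase is flagged as well.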
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:25 2006
Subject: Teeny problem?
In-Reply-To:
Message-ID: <5.1.0.14.2.20021113185735.03841da8@imap.ecs.soton.ac.uk>

At 16:58 13/11/2002, you wrote:
>Does the Silent Viruses setting use a case sensitive lookup ? I suspect it
>doesn't which causes a problem with some scanners which produce the
>bugbear virus as BugBear and others that produce Bugbear.

It is case sensitive, You really should customise this list to the exact output from your virus scanner.

But on the assumption that most people don't, I'll change to case-insensitive so the default list does something sensible on more systems.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Wed Nov 13 18:55:45 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:25 2006
Subject: [Fwd: Rejected posting to MAILSCANNER@JISCMAIL.AC.UK]
In-Reply-To: <200211131249.45784.lbergman@wtxs.net>
References: <1037212550.13361.41.camel@tweety.tnjinfl.com> <1037212550.13361.41.camel@tweety.tnjinfl.com>
Message-ID: <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk>

At 18:49 13/11/2002, you wrote:
>On Wednesday 13 November 2002 12:35 pm, James Pifer wrote:
> > I looked at the FAQ before posting, and didn't find my answer.
> >
> > I've installed Redhat 8 (with Sendmail of course) and then added
> > MailScanner, SpamAssassin, and F-Prot. My mail is being delivered, but I'm
> > not sure that it's going through the spam and virus filters. I received 6
> > spam messages last evening.
> >
>You should go to the web site and look at some info there.
> > -How can I tell if it's working correctly or not?
>ps aux | grep MailScanner, look at the headers...
>
> > -Are there any log files? I checked maillog and it looked like only
> > sendmail activity.
>Did you start it per the instructions?

If you aren't sure, then do this:

service sendmail stop
chkconfig sendmail off
chkconfig MailScanner on
service MailScanner start

And as Lewis said, look at the mail headers, you should see signs of MailScanner there.

Note that by default, SpamAssassin is not enabled. If you have installed it, you need to enable it in MailScanner.conf.

> > -It also looks like Redhat 8 install Procmail by default. Do I need to
> > do anything with this, like shut it off or configure it?
>No, MailScanner has nothing to do with Procmail
>
>--
>Lewis Bergman
>Texas Communications
>4309 Maple St.
>Abilene, TX 79602-8044
>915-695-6962 ext 115

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From David.While at UCE.AC.UK Wed Nov 13 19:16:10 2002
From: David.While at UCE.AC.UK (David While) Date: Thu Jan 12 21:16:25 2006 Subject: Teeny problem? Message-ID: Customising is OK if you only use one scanner but if you use multiple scanners then you end up having to put in potentially as many entries as you have scanners for each virus. ----------------------------------------------------------------- David While Technical Development Manager Faculty of Computing, Information & English University of Central England Tel: 0121 331 6211 Julian Field cc: Sent by: Subject: Re: Teeny problem? MailScanner mailing list 13/11/2002 19:03 Please respond to MailScanner mailing list At 16:58 13/11/2002, you wrote: >Does the Silent Viruses setting use a case sensitive lookup ? I suspect it >doesn't which causes a problem with some scanners which produce the >bugbear virus as BugBear and others that produce Bugbear. It is case sensitive, You really should customise this list to the exact output from your virus scanner. But on the assumption that most people don't, I'll change to case-insensitive so the default list does something sensible on more systems. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From sevans at FOUNDATION.SDSU.EDU Wed Nov 13 19:24:54 2002 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:16:25 2006 Subject: FriendlyGreeting is Expanding Message-ID: <6214C3F9233D764C9E7029396C355015682708@mail.foundation.sdsu.edu> Basically the difference between blocking them in Sendmail or SpamAssassin is the amount of work the server does, and if you want more control on what happens to the message. So SpamAssassin allows you to re-direct for example, sendmail just bounces. Steve Evans SDSU Foundation (619) 594-0653 -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Wednesday, November 13, 2002 10:53 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: FriendlyGreeting is Expanding At 16:28 13/11/2002, you wrote: >I am ready to just block all e-mail. Do that and I'll have to go back to collecting things (glasses, clocks, bottles of brandy...) :-) >I attached the two possibilitys now according to Mcafee. Does anybody >have a long term solution for these guys. I believe the rule that >Julian suggested adding to spam.assassin.prefs.conf only covers the >first one. I have only seen these two. The second one appeared last week. Updates for sendmail.cf or spam.assassin.prefs.conf are included here for everyone's benefit. If I hear any more news in this I'll let you all know. Stop them in sendmail: HSubject: $>Check_Subject D{FriendPat1}you have an E-Card from D{FriendPat2}you have a greeting card from D{FriendMsg}This message is probably a nasty E-Card. SCheck_Subject R$* ${FriendPat1} $* $#error $@ 5.7.1 $: ${FriendMsg} R$* ${FriendPat2} $* $#error $@ 5.7.1 $: ${FriendMsg} Or stop them in SpamAssassin: header FRIEND_GREETINGS Subject =~ /you have an E-Card from/i describe FRIEND_GREETINGS Nasty E-card from FriendGreetings.com score FRIEND_GREETINGS 100.0 header FRIEND_GREETINGS2 Subject =~ /you have a greeting card from/i describe FRIEND_GREETINGS2 Nasty E-card from FriendGreetings.com score FRIEND_GREETINGS2 100.0 -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From brose at MED.WAYNE.EDU Wed Nov 13 19:31:53 2002 
From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:16:25 2006 Subject: FriendlyGreeting is Expanding Message-ID: Since the second one came out, I just updated the SA rule plus added the addresses to our firewall to keep users from even getting to those sites. Also, I think there is probably more to these guys that's not being talked about. Is it possible that they are also stealing the email addresses for sale to spammers? -----Original Message----- From: Steve Evans [mailto:sevans@FOUNDATION.SDSU.EDU] Sent: Wednesday, November 13, 2002 11:28 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: FriendlyGreeting is Expanding I am ready to just block all e-mail. I attached the two possibilitys now according to Mcafee. Does anybody have a long term solution for these guys. I believe the rule that Julian suggested adding to spam.assassin.prefs.conf only covers the first one. Steve Evans SDSU Foundation (619) 594-0653 From mailscanner at ecs.soton.ac.uk Wed Nov 13 20:14:47 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:26 2006 Subject: Teeny problem? In-Reply-To: Message-ID: <5.1.0.14.2.20021113201331.02451eb8@imap.ecs.soton.ac.uk> At 19:16 13/11/2002, you wrote: >Customising is OK if you only use one scanner but if you use multiple >scanners then you end up having to put in potentially as many entries as >you have scanners for each virus. Good point. This is a very small change and will be included in the next release. > 13/11/2002 19:03 > Please respond to > MailScanner > mailing list > >At 16:58 13/11/2002, you wrote: > >Does the Silent Viruses setting use a case sensitive lookup ? I suspect it > >doesn't which causes a problem with some scanners which produce the > >bugbear virus as BugBear and others that produce Bugbear. > >It is case sensitive, You really should customise this list to the exact >output from your virus scanner. > >But on the assumption that most people don't, I'll change to >case-insensitive so the default list does something sensible on more >systems. >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From lbergman at wtxs.net Wed Nov 13 21:18:01 2002 
From: lbergman at wtxs.net (Lewis Bergman)
Date: Thu Jan 12 21:16:26 2006
Subject: sender.virus.report.txt
Message-ID: <200211131518.01902.lbergman@wtxs.net>

I don't seem to be getting any sender virus reports sent out. I am using the eicar.com zip file to test. I was trying to make sure that all email is getting scanned on its way out (for some reason the ip's were not doing that). Using the domain wildcard seems to work as expected. Along the way I noticed that when a rule like "From: *.wtxs.net yes" was employed I never received the sender.virus.report.txt.

What I think is all the relevant info is below. Any ideas? Have I overlooked something as usual?

My virus.check rules contains this kind of stuff:
---------------------------------------------------------
# Default rules here
FromOrTo: default no
#From: 192.168.1. yes
#From: 208.29.17. yes
#From: 65.170.187. yes
#From: 65.170.190. yes
From: *.wtxs.net yes
From: *.abi.tconline.net yes
# Address for someone to send to if they
# got a bounce
To: noreject@wtxs.net no
# Put whole domains up here
FromTo: hansoncattle.com yes
# Put employees here
FromTo: jevans@wtxs.net yes
FromTo: jthompson@wtxs.net yes
------------------------------------------------------

MailScanner.conf has this:
Notify Senders = yes
Sender Virus Report = /etc/MailScanner/reports/en/sender.virus.report.txt

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
915-695-6962 ext 115

From jrudd at UCSC.EDU Wed Nov 13 22:44:43 2002
From: jrudd at UCSC.EDU (John Rudd)
Date: Thu Jan 12 21:16:26 2006
Subject: incoming directory
Message-ID: <3DD2D5DB.FF65F8FF@ucsc.edu>

Has anyone explored the benefits or problems with putting the incoming directory onto a ramdisk? I know mailscanner prefers to have it on the same partition as the mail queue directories, but I'm wondering if it might be faster (for the scanning part of the process).

Anyone have thoughts about that?

John

From mailscanner at BARENDSE.TO Thu Nov 14 09:10:42 2002
From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:16:26 2006 Subject: FriendlyGreeting is Expanding In-Reply-To: <5.1.0.14.2.20021113184837.0385cf30@imap.ecs.soton.ac.uk> Message-ID: Should or shouldn't that include LOCAL_RULESETS before the lines below that you put in sendmail.mc (they can be put in sendmail.mc right, I have never been able to figure out how the .cf files work) Also where do I put it in sendmail.mc? I just added at the bottom of the file, replaced the whitespaces with tabs after the last few lines starting from $* up until the $#error bit. Then my mail server simply stopped accepting any mail whatsoever.... May I suggest a 'complete morons guide to stopping FriendlyGreeting cards' for people like me? :) Remco On Wed, 13 Nov 2002, Julian Field wrote: > At 16:28 13/11/2002, you wrote: > >I am ready to just block all e-mail. > > Do that and I'll have to go back to collecting things (glasses, clocks, > bottles of brandy...) > :-) > > >I attached the two possibilitys now according to Mcafee. Does anybody > >have a long term solution for these guys. I believe the rule that > >Julian suggested adding to spam.assassin.prefs.conf only covers the > >first one. > > I have only seen these two. The second one appeared last week. Updates for > sendmail.cf or spam.assassin.prefs.conf are included here for everyone's > benefit. If I hear any more news in this I'll let you all know. > > Stop them in sendmail: > > HSubject: $>Check_Subject > D{FriendPat1}you have an E-Card from > D{FriendPat2}you have a greeting card from > D{FriendMsg}This message is probably a nasty E-Card. 
> SCheck_Subject > R$* ${FriendPat1} $* $#error $@ 5.7.1 $: ${FriendMsg} > R$* ${FriendPat2} $* $#error $@ 5.7.1 $: ${FriendMsg} > > Or stop them in SpamAssassin: > > header FRIEND_GREETINGS Subject =~ /you have an E-Card from/i > describe FRIEND_GREETINGS Nasty E-card from FriendGreetings.com > score FRIEND_GREETINGS 100.0 > header FRIEND_GREETINGS2 Subject =~ /you have a greeting card from/i > describe FRIEND_GREETINGS2 Nasty E-card from FriendGreetings.com > score FRIEND_GREETINGS2 100.0 > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at BARENDSE.TO Thu Nov 14 09:25:28 2002 
From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:16:26 2006 Subject: FriendlyGreeting is Expanding In-Reply-To: <20021113121051.04bdec1d.krice@serversandsolutions.com> Message-ID: Hi Ken! This is *very* interesting as it indeeds opens up some possibilities to block nasty stuff. Just wondering though, you have included what is in your ssjunk.txt file but what do you have in the junksubs.txt file? Also are the dots between the words really necessary, and will sendmail treat the subjects and texts in the e-mails case insensitive? Would be really great if you could send your sendmail.mc and the ssjunk.txt and junksubs.txt attached :) Thanks for any info! On Wed, 13 Nov 2002, Ken Rice wrote: > > I have the "luxury" of running servers for our corporation, including lists for our customers, > so we have no "public" users. (We're a liberal corporation, but with no 'Net policies). > Since email passing through our email server(s) are supposedly only business-related, I use 2 approaches. > > One is sendmail based, in my sendmail.mc I have: > > LOCAL_RULESETS > F{JunkSubs} /etc/mail/junksubs.txt > F{SSJunk} /etc/mail/ssjunk.txt > > HSubject: $>Check_Subject > > SCheck_Subject > R$={JunkSubs}$* $: NMJUNKSUB > R$* $={SSJunk} $* $#error $: NMJUNKSUB > R$* NMJUNKSUB $* $#error $: "553 Rejected" > > my ssjunk.txt includes: > e-card > greeting.card > greeting.cardyou.have.an.e-card > you.have.a.greeting.card.from > along with many other phrases/words from v*agra on, including some sick stuff. > > In my spam.assassin.prefs.conf (mailscanner-3.26-1): > blacklist_from *@*.friendgreetings.com > blacklist_from *@friendgreetings.com > blacklist_from *@*.friend-greetings.com > blacklist_from *@friend-greetings.com > and many others. I believe the above format to be correct, but, anyone, > pls critique, 'cause it appears to work for me. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From robert at VCT.SI Thu Nov 14 11:09:36 2002 From: robert at VCT.SI (Robert) Date: Thu Jan 12 21:16:26 2006 Subject: IFrame tags In-Reply-To: <1037109730.6484.33.camel@linroute> References: Message-ID: <3DD39280.32660.F84ECD5@localhost> Hi I understand this now, but I have one more question - how does IFrame tag get in normal (virus-free) e-mails? I receive many mails, sent from OE or Outlook, but very few of them have IFrame tags in them. What should a user do, to get rid of them? Sending plain-text messages is one of them, any other solution maybe? Robert > exactly this is the problem. The infected code will not found, during > the download with the MUA, only in a full system scan. I decided not to > allow IFrame and my customers are happy with it, You just need a good > explanation for the reason. > > Regards, > Roland -- Robert Manfreda VCT d.o.o., Idrija From mailscanner at ecs.soton.ac.uk Thu Nov 14 11:08:25 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:26 2006 Subject: incoming directory In-Reply-To: <3DD2D5DB.FF65F8FF@ucsc.edu> Message-ID: <5.1.0.14.2.20021114110620.039a7a88@imap.ecs.soton.ac.uk> At 22:44 13/11/2002, you wrote: >Has anyone explored the bennefits or problems with putting the incoming >directory onto a ramdisk? I know mailscanner preferes to have it on the >same partition as the mail queue directories, but I'm wondering if it >might be faster (for the scanning part of the process). If you have got loads of RAM, then it should at least work. Though weigh it up against potentially increasing speed by running more child processes (which will require more RAM). -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Thu Nov 14 11:11:21 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:26 2006 Subject: FriendlyGreeting is Expanding In-Reply-To: References: <5.1.0.14.2.20021113184837.0385cf30@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20021114110952.024b0fa0@imap.ecs.soton.ac.uk> At 09:10 14/11/2002, you wrote: >Should or shouldn't that include LOCAL_RULESETS before the lines below >that you put in sendmail.mc (they can be put in sendmail.mc right, I >have never been able to figure out how the .cf files work) It should come after the LOCAL_RULESETS line in the sendmail.mc file. >Also where do I put it in sendmail.mc? Anywhere are LOCAL_RULESETS should work. >I just added at the bottom of the file, replaced the whitespaces with >tabs after the last few lines starting from $* up until the $#error bit. >Then my mail server simply stopped accepting any mail whatsoever.... > >May I suggest a 'complete morons guide to stopping FriendlyGreeting cards' >for people like me? :) > >Remco > >On Wed, 13 Nov 2002, Julian Field wrote: > > > At 16:28 13/11/2002, you wrote: > > >I am ready to just block all e-mail. > > > > Do that and I'll have to go back to collecting things (glasses, clocks, > > bottles of brandy...) > > :-) > > > > >I attached the two possibilitys now according to Mcafee. Does anybody > > >have a long term solution for these guys. I believe the rule that > > >Julian suggested adding to spam.assassin.prefs.conf only covers the > > >first one. > > > > I have only seen these two. The second one appeared last week. Updates for > > sendmail.cf or spam.assassin.prefs.conf are included here for everyone's > > benefit. If I hear any more news in this I'll let you all know. > > > > Stop them in sendmail: > > > > HSubject: $>Check_Subject > > D{FriendPat1}you have an E-Card from > > D{FriendPat2}you have a greeting card from > > D{FriendMsg}This message is probably a nasty E-Card. 
> > SCheck_Subject > > R$* ${FriendPat1} $* $#error $@ 5.7.1 $: ${FriendMsg} > > R$* ${FriendPat2} $* $#error $@ 5.7.1 $: ${FriendMsg} > > > > Or stop them in SpamAssassin: > > > > header FRIEND_GREETINGS Subject =~ /you have an E-Card from/i > > describe FRIEND_GREETINGS Nasty E-card from FriendGreetings.com > > score FRIEND_GREETINGS 100.0 > > header FRIEND_GREETINGS2 Subject =~ /you have a greeting card from/i > > describe FRIEND_GREETINGS2 Nasty E-card from FriendGreetings.com > > score FRIEND_GREETINGS2 100.0 > > > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > > > > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at BARENDSE.TO Thu Nov 14 11:21:07 2002 
From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:16:26 2006 Subject: FriendlyGreeting is Expanding In-Reply-To: <5.1.0.14.2.20021114110952.024b0fa0@imap.ecs.soton.ac.uk> Message-ID: Great, thanks! Last question, what is the format of the following line? HSubject: $>Check_Subject HSubject: $>Check_Subject On Thu, 14 Nov 2002, Julian Field wrote: > At 09:10 14/11/2002, you wrote: > >Should or shouldn't that include LOCAL_RULESETS before the lines below > >that you put in sendmail.mc (they can be put in sendmail.mc right, I > >have never been able to figure out how the .cf files work) > > It should come after the LOCAL_RULESETS line in the sendmail.mc file. > > >Also where do I put it in sendmail.mc? > > Anywhere are LOCAL_RULESETS should work. > > >I just added at the bottom of the file, replaced the whitespaces with > >tabs after the last few lines starting from $* up until the $#error bit. > >Then my mail server simply stopped accepting any mail whatsoever.... > > > >May I suggest a 'complete morons guide to stopping FriendlyGreeting cards' > >for people like me? :) > > > >Remco > > > >On Wed, 13 Nov 2002, Julian Field wrote: > > > > > At 16:28 13/11/2002, you wrote: > > > >I am ready to just block all e-mail. > > > > > > Do that and I'll have to go back to collecting things (glasses, clocks, > > > bottles of brandy...) > > > :-) > > > > > > >I attached the two possibilitys now according to Mcafee. Does anybody > > > >have a long term solution for these guys. I believe the rule that > > > >Julian suggested adding to spam.assassin.prefs.conf only covers the > > > >first one. > > > > > > I have only seen these two. The second one appeared last week. Updates for > > > sendmail.cf or spam.assassin.prefs.conf are included here for everyone's > > > benefit. If I hear any more news in this I'll let you all know. 
> > > > > > Stop them in sendmail: > > > > > > HSubject: $>Check_Subject > > > D{FriendPat1}you have an E-Card from > > > D{FriendPat2}you have a greeting card from > > > D{FriendMsg}This message is probably a nasty E-Card. > > > SCheck_Subject > > > R$* ${FriendPat1} $* $#error $@ 5.7.1 $: ${FriendMsg} > > > R$* ${FriendPat2} $* $#error $@ 5.7.1 $: ${FriendMsg} > > > > > > Or stop them in SpamAssassin: > > > > > > header FRIEND_GREETINGS Subject =~ /you have an E-Card from/i > > > describe FRIEND_GREETINGS Nasty E-card from FriendGreetings.com > > > score FRIEND_GREETINGS 100.0 > > > header FRIEND_GREETINGS2 Subject =~ /you have a greeting card from/i > > > describe FRIEND_GREETINGS2 Nasty E-card from FriendGreetings.com > > > score FRIEND_GREETINGS2 100.0 > > > > > > -- > > > Julian Field Teaching Systems Manager > > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > > Tel. 023 8059 2817 University of Southampton > > > Southampton SO17 1BJ > > > > > > > > > > > >-- > >This message has been scanned for viruses and > >dangerous content by MailScanner, and is > >believed to be clean. > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at ecs.soton.ac.uk Thu Nov 14 11:28:10 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:26 2006 Subject: FriendlyGreeting is Expanding In-Reply-To: References: <5.1.0.14.2.20021114110952.024b0fa0@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20021114112743.039e3ed8@imap.ecs.soton.ac.uk> At 11:21 14/11/2002, you wrote: >Last question, what is the format of the following line? >HSubject: $>Check_Subject >HSubject: $>Check_Subject One space, not a tab. >On Thu, 14 Nov 2002, Julian Field wrote: > > > At 09:10 14/11/2002, you wrote: > > >Should or shouldn't that include LOCAL_RULESETS before the lines below > > >that you put in sendmail.mc (they can be put in sendmail.mc right, I > > >have never been able to figure out how the .cf files work) > > > > It should come after the LOCAL_RULESETS line in the sendmail.mc file. > > > > >Also where do I put it in sendmail.mc? > > > > Anywhere are LOCAL_RULESETS should work. > > > > >I just added at the bottom of the file, replaced the whitespaces with > > >tabs after the last few lines starting from $* up until the $#error bit. > > >Then my mail server simply stopped accepting any mail whatsoever.... > > > > > >May I suggest a 'complete morons guide to stopping FriendlyGreeting cards' > > >for people like me? :) > > > > > >Remco > > > > > >On Wed, 13 Nov 2002, Julian Field wrote: > > > > > > > At 16:28 13/11/2002, you wrote: > > > > >I am ready to just block all e-mail. > > > > > > > > Do that and I'll have to go back to collecting things (glasses, clocks, > > > > bottles of brandy...) > > > > :-) > > > > > > > > >I attached the two possibilitys now according to Mcafee. Does anybody > > > > >have a long term solution for these guys. I believe the rule that > > > > >Julian suggested adding to spam.assassin.prefs.conf only covers the > > > > >first one. > > > > > > > > I have only seen these two. The second one appeared last week. > Updates for > > > > sendmail.cf or spam.assassin.prefs.conf are included here for > everyone's > > > > benefit. 
If I hear any more news in this I'll let you all know. > > > > > > > > Stop them in sendmail: > > > > > > > > HSubject: $>Check_Subject > > > > D{FriendPat1}you have an E-Card from > > > > D{FriendPat2}you have a greeting card from > > > > D{FriendMsg}This message is probably a nasty E-Card. > > > > SCheck_Subject > > > > R$* ${FriendPat1} $* $#error $@ 5.7.1 $: ${FriendMsg} > > > > R$* ${FriendPat2} $* $#error $@ 5.7.1 $: ${FriendMsg} > > > > > > > > Or stop them in SpamAssassin: > > > > > > > > header FRIEND_GREETINGS Subject =~ /you have an E-Card from/i > > > > describe FRIEND_GREETINGS Nasty E-card from FriendGreetings.com > > > > score FRIEND_GREETINGS 100.0 > > > > header FRIEND_GREETINGS2 Subject =~ /you have a greeting > card from/i > > > > describe FRIEND_GREETINGS2 Nasty E-card from FriendGreetings.com > > > > score FRIEND_GREETINGS2 100.0 > > > > > > > > -- > > > > Julian Field Teaching Systems Manager > > > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > > > Tel. 023 8059 2817 University of Southampton > > > > Southampton SO17 1BJ > > > > > > > > > > > > > > > > >-- > > >This message has been scanned for viruses and > > >dangerous content by MailScanner, and is > > >believed to be clean. > > > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > > > > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscannerlist at TNJINFL.COM Thu Nov 14 14:44:55 2002 
From: mailscannerlist at TNJINFL.COM (James Pifer) Date: Thu Jan 12 21:16:26 2006 Subject: Forward to specified mailbox In-Reply-To: <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk> References: <1037212550.13361.41.camel@tweety.tnjinfl.com> <1037212550.13361.41.camel@tweety.tnjinfl.com> <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk> Message-ID: <1037285096.12383.148.camel@tweety.tnjinfl.com> Is it possible to forward a message marked as Spam to a specific mailbox? In the conf I see that you can forward a copy, but what if a company doesn't want to user to get a copy unless it is verified as real mail? (I know, legal implications, but the company can make that determination) Can MailScanner do that or would I need to use Procmail for that? If so, how do I make Procmail get called after all the MailScanner stuff? Thanks for any help! Regards, James From lbergman at wtxs.net Thu Nov 14 14:47:57 2002 
From: lbergman at wtxs.net (Lewis Bergman)
Date: Thu Jan 12 21:16:26 2006
Subject: Forward to specified mailbox
In-Reply-To: <1037285096.12383.148.camel@tweety.tnjinfl.com>
References: <1037212550.13361.41.camel@tweety.tnjinfl.com> <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk> <1037285096.12383.148.camel@tweety.tnjinfl.com>
Message-ID: <200211140847.57685.lbergman@wtxs.net>

On Thursday 14 November 2002 08:44 am, James Pifer wrote:
> Is it possible to forward a message marked as Spam to a specific
> mailbox? In the conf I see that you can forward a copy, but what if a
> company doesn't want to user to get a copy unless it is verified as real
> mail? (I know, legal implications, but the company can make that
> determination)
>
> Can MailScanner do that or would I need to use Procmail for that? If so,
> how do I make Procmail get called after all the MailScanner stuff?
>

It is already called. Just use the /etc/procmailrc file and specify the header you used along with the value for spam characters you set up. I am no procmail wizard but I am sure someone here already does that since the feature was added for that purpose.

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
915-695-6962 ext 115

From mailscanner at ecs.soton.ac.uk Thu Nov 14 14:57:43 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:26 2006 Subject: Forward to specified mailbox In-Reply-To: <1037285096.12383.148.camel@tweety.tnjinfl.com> References: <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk> <1037212550.13361.41.camel@tweety.tnjinfl.com> <1037212550.13361.41.camel@tweety.tnjinfl.com> <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20021114145654.04543220@imap.ecs.soton.ac.uk> At 14:44 14/11/2002, you wrote: >Is it possible to forward a message marked as Spam to a specific >mailbox? In the conf I see that you can forward a copy, but what if a >company doesn't want to user to get a copy unless it is verified as real >mail? (I know, legal implications, but the company can make that >determination) If you specify the spam actions as just "forward other@mailbox.com" then it won't deliver it to the original recipient. It only delivers it to the original recipient if you specify "deliver" as well. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From novirus at CARLO65.DE Thu Nov 14 15:17:25 2002 From: novirus at CARLO65.DE (Roland Ehle) Date: Thu Jan 12 21:16:26 2006 Subject: German version of David While's mailstat script Message-ID: <1037287045.6516.108.camel@linroute> Hi, I finally managed to get a german version of Davids mailstat.pl script, to have the output in my favourite language :-) Anybody who is interested can download it at http://www.inbox4u.de/mailstats_ge.pl Comments can be adressed to my standard address roland@inbox4u.de Important: to have a complete german output, you have to edit the mrtg.cfg file. Add the line Language: german. This works fine with mrtg version 2.9.25 Regards, Roland From tim at PHALANSTERY.CO.UK Thu Nov 14 15:31:21 2002 
From: tim at PHALANSTERY.CO.UK (Tim Sellar)
Date: Thu Jan 12 21:16:26 2006
Subject: Bogofilter
Message-ID: <200211141531.gAEFVLX32654@ori.rl.ac.uk>

There is a relevant article showing Bogofilter vs. SpamAssassin here: http://lwn.net/Articles/9460/.

Given bogofilter's huge performance advantage I am considering implementing it as a primary spam filter. Mail which gets past it would then be passed to Spam Assassin acting as a secondary filter. I would hope this gives the best of both worlds. As a system wide filter I cannot guarantee the effectiveness of any initial training I apply to bogofilter to reflect an individual's particular email but can hopefully rely on Spam Assassin to catch most of what bogofilter misses. Over time, spam trapped by SA will be fed back (automatically?) to improve bogofilter's effectiveness and reduce reliance on SA - hopefully giving better system performance...

Anyone see any flaws with this two-pronged approach?

What this does mean is I need to look at getting Mailscanner working with both Exim and bogofilter...

Tim

From sysadmin at DMS.UMONTREAL.CA Thu Nov 14 15:45:31 2002
From: sysadmin at DMS.UMONTREAL.CA (Administrateur Systeme) Date: Thu Jan 12 21:16:26 2006 Subject: Bogofilter References: <200211141531.gAEFVLX32654@ori.rl.ac.uk> Message-ID: <3DD3C51B.8010209@DMS.UMontreal.CA> Tim Sellar wrote: >There is a relevant artivle showing Bogofilter vs. SpamAssassin here: >http://lwn.net/Articles/9460/. > >Given bogofilters huge performance advantage I am considering implementing >it as a primary spam filter. Mail which gets past it would then be passed to >Spam Assassin acting as a secondary filter. I would hope this gives the best >of both worlds. As a system wide filter I cannot guarantee the effectiveness >of any initial training I apply to bogofilter to reflect an individuals >particular email but can hopefully rely on Spam Assassin to catch most of >what bogofilter misses. Over time, spam trapped by SA will be fed back >(automatically?) to improve bogofilter's effectiveness and reduce reliance >on SA - hopefully giving better system performance... > >Anyone see any flaws with this two-pronged approach? > >What this does mean is I need to look at getting Mailscanner working with >both Exim and bogofilter... > >Tim > > Doesn't the SA 2.50 incorporate a bayesian filter along the lines of P. Graham's paper ? Chris -- -------------------------------------------------------------------- Christopher Albert Responsable des services informatiques Departement de mathematiques et de statistique Universite de Montreal bureau 6188, Pavillon Andre-Aisenstadt Tel: (514) 343-2281 Fax: (514) 343-5700 -------------------------------------------------------------------- From brose at MED.WAYNE.EDU Thu Nov 14 16:04:58 2002 
From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:16:26 2006 Subject: W32/Braid-A or W32/Brid-A Message-ID: Does anyone know if this guys is like Klez and forges? I read the description Symantec but it doesn't say. I've been getting those stupid replies from users proclaiming that "I didn't send this" or "I don't know this person" Just wondering if it's one to add to the virus drop list. From mailscanner at BARENDSE.TO Thu Nov 14 16:20:07 2002 From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:16:26 2006 Subject: MailScanner restart fails? In-Reply-To: <200211141531.gAEFVLX32654@ori.rl.ac.uk> Message-ID: Hi! I just upgraded my RedHat 7.3 box from Mailscanner 3 to Mailscanner 4. When installing I got an error message: package perl-MIME-Base64-2.12-14 (which is newer than perl-MIME-Base64-2.12-1) Which version is better? And when I try to restart MailScanner it gives this output: [root@linuxgw rules]# /etc/rc.d/init.d/MailScanner restart Shutting down MailScanner daemons: MailScanner: We haven't got any child processes, which isn't right!, No child processes at /usr/sbin/MailScanner line 191. We have just tried to reap a process which wasn't one of ours!, No child processes at /usr/sbin/MailScanner line 194. [ OK ] incoming sendmail: [ OK ] outgoing sendmail: [ OK ] A simple MailScanner stop and then start does work correctly without any errors?!? Cheers! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at ecs.soton.ac.uk Thu Nov 14 16:18:43 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:26 2006 Subject: W32/Braid-A or W32/Brid-A In-Reply-To: Message-ID: <5.1.0.14.2.20021114161811.0794b860@imap.ecs.soton.ac.uk> At 16:04 14/11/2002, you wrote: >Does anyone know if this guys is like Klez and forges? Yes it does. > I read the >description Symantec but it doesn't say. I've been getting those stupid >replies from users proclaiming that "I didn't send this" or "I don't >know this person" > >Just wondering if it's one to add to the virus drop list. You should, yes. It is included in the defaults of the next release. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Thu Nov 14 16:34:08 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:26 2006 Subject: MailScanner restart fails? In-Reply-To: References: <200211141531.gAEFVLX32654@ori.rl.ac.uk> Message-ID: <5.1.0.14.2.20021114163212.079d05d8@imap.ecs.soton.ac.uk> At 16:20 14/11/2002, you wrote: >Hi! > >I just upgraded my RedHat 7.3 box from Mailscanner 3 to Mailscanner 4. > >When installing I got an error message: >package perl-MIME-Base64-2.12-14 (which is newer than perl-MIME-Base64-2.12-1) >Which version is better? It's probably just differences in build numbers between me and RedHat. The version already installed should work just fine. >And when I try to restart MailScanner it gives this output: > >[root@linuxgw rules]# /etc/rc.d/init.d/MailScanner restart >Shutting down MailScanner daemons: > MailScanner: We haven't got any child processes, which >isn't right!, No child processes at /usr/sbin/MailScanner line 191. >We have just tried to reap a process which wasn't one of ours!, No child >processes at /usr/sbin/MailScanner line 194. This is down to the exact order in which the processes are shut down. I have removed this error message from the next release as it causes confusion. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From Denis.Beauchemin at USHERBROOKE.CA Thu Nov 14 16:53:49 2002 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:16:26 2006
Subject: MailScanner restart fails?
In-Reply-To: <5.1.0.14.2.20021114163212.079d05d8@imap.ecs.soton.ac.uk>
References: <200211141531.gAEFVLX32654@ori.rl.ac.uk> <5.1.0.14.2.20021114163212.079d05d8@imap.ecs.soton.ac.uk>
Message-ID: <1037292829.4324.101.camel@dbeauchemin.si.usherbrooke.ca>

On Thu 14/11/2002 at 11:34, Julian Field wrote:
> >And when I try to restart MailScanner it gives this output:
> >
> >[root@linuxgw rules]# /etc/rc.d/init.d/MailScanner restart
> >Shutting down MailScanner daemons:
> >         MailScanner: We haven't got any child processes, which
> >isn't right!, No child processes at /usr/sbin/MailScanner line 191.
> >We have just tried to reap a process which wasn't one of ours!, No child
> >processes at /usr/sbin/MailScanner line 194.
>
> This is down to the exact order in which the processes are shut down. I
> have removed this error message from the next release as it causes confusion.

Julian,

I don't believe that not printing the error message will make things OK since a restart does a stop followed by a start and the start can't succeed unless the stop has stopped all processes (which it doesn't).

Denis

PS: The versions I run (mailscanner-4.04-1 and mailscanner-4.05-3) still exhibit this problem.

--
Denis Beauchemin
Université de Sherbrooke

From mailscanner at ecs.soton.ac.uk Thu Nov 14 17:07:02 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:26 2006 Subject: MailScanner restart fails? In-Reply-To: <1037292829.4324.101.camel@dbeauchemin.si.usherbrooke.ca> References: <5.1.0.14.2.20021114163212.079d05d8@imap.ecs.soton.ac.uk> <200211141531.gAEFVLX32654@ori.rl.ac.uk> <5.1.0.14.2.20021114163212.079d05d8@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20021114170515.04aa7478@imap.ecs.soton.ac.uk> At 16:53 14/11/2002, you wrote: >Le jeu 14/11/2002 ? 11:34, Julian Field a ?crit : > > > >And when I try to restart MailScanner it gives this output: > > > > > >[root@linuxgw rules]# /etc/rc.d/init.d/MailScanner restart > > >Shutting down MailScanner daemons: > > > MailScanner: We haven't got any child processes, which > > >isn't right!, No child processes at /usr/sbin/MailScanner line 191. > > >We have just tried to reap a process which wasn't one of ours!, No child > > >processes at /usr/sbin/MailScanner line 194. > > > > This is down to the exact order in which the processes are shut down. I > > have removed this error message from the next release as it causes > confusion. > >Julian, > >I don't believe that not printing the error message will make things OK >since a restart does a stop followed by a start and the start can't >succeed unless the stop has stopped all processes (which it doesn't). The error messages you included didn't imply that the stop didn't stop everything. I know there are problems with the init.d script, it's far from perfect. I need to build a whole range of machines with different versions of different distributions installed, to sort this out. That takes time... (and requires me to be in my office). -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From brose at MED.WAYNE.EDU Thu Nov 14 18:42:57 2002 
From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:16:26 2006 Subject: W32/Braid-A or W32/Brid-A Message-ID: I'm seeing something odd.... Some virus message reports don't have the virus part mentioned but sometimes it does? Any ideas why this would happen? A timeout that needs adjusted or something? If it's not tagging it with the virus then it will still send the report back to the wrong user. Sender: IP Address: 141.217.202.31 Recipient: vheil@med.wayne.edu Subject: Undelivered Mail Returned to Sender MessageID: gAEGvLUZ010962 Report: Found dangerous IFrame tag in HTML message Report: Executables are very dangerous in email and must be zipped. (README.EXE) -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Thursday, November 14, 2002 11:19 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: W32/Braid-A or W32/Brid-A At 16:04 14/11/2002, you wrote: >Does anyone know if this guys is like Klez and forges? Yes it does. > I read the >description Symantec but it doesn't say. I've been getting those >stupid replies from users proclaiming that "I didn't send this" or "I >don't know this person" > >Just wondering if it's one to add to the virus drop list. You should, yes. It is included in the defaults of the next release. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Thu Nov 14 18:49:36 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:26 2006 Subject: W32/Braid-A or W32/Brid-A In-Reply-To: Message-ID: <5.1.0.14.2.20021114184831.03183e08@imap.ecs.soton.ac.uk> Can you send me a couple of example messages please? Password-protected zip is the best way. At 18:42 14/11/2002, you wrote: >I'm seeing something odd.... > >Some virus message reports don't have the virus part mentioned but >sometimes it does? Any ideas why this would happen? A timeout that >needs adjusted or something? If it's not tagging it with the virus then >it will still send the report back to the wrong user. > > Sender: >IP Address: 141.217.202.31 > Recipient: vheil@med.wayne.edu > Subject: Undelivered Mail Returned to Sender > MessageID: gAEGvLUZ010962 > Report: Found dangerous IFrame tag in HTML message > Report: Executables are very dangerous in email and must be zipped. >(README.EXE) > > > > > >-----Original Message----- >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Thursday, November 14, 2002 11:19 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: W32/Braid-A or W32/Brid-A > > >At 16:04 14/11/2002, you wrote: > >Does anyone know if this guys is like Klez and forges? > >Yes it does. > > > I read the > >description Symantec but it doesn't say. I've been getting those > >stupid replies from users proclaiming that "I didn't send this" or "I > >don't know this person" > > > >Just wondering if it's one to add to the virus drop list. > >You should, yes. It is included in the defaults of the next release. >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From lyons at digitalvoodoo.org Thu Nov 14 18:50:02 2002 
From: lyons at digitalvoodoo.org (Timothy M. Lyons) Date: Thu Jan 12 21:16:26 2006 Subject: Mailscanner 4.05-3 build fails Message-ID: <008e01c28c0e$a406b910$6401a8c0@seeker> Hello. I'm trying to install Mailscanner on a Sun Ultra5 running Auroralinux 0.42 (based on RedHat 7.3) The build goes well until the very end when I get the following: Preparing... ########################################### [100%] 1:perl-Convert-TNEF ########################################### [100%] Installing tnef decoder Preparing... ########################################### [100%] package tnef-1.1.2-sizelimit1 is for a different architecture Now to install MailScanner itself. error: failed dependencies: tnef >= 1.1.1 is needed by mailscanner-4.05-3 Please do not forget to kill your MailScanner version 3 processes before starting version 4. # Is there a version of tnef-1.1.2-sizelimit1 for linux on sparc64? From jrudd at UCSC.EDU Thu Nov 14 18:59:52 2002 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:16:26 2006 Subject: incoming directory Message-ID: <3DD3F2A8.D6F22EBA@ucsc.edu> 
> From: Julian Field
>
> At 22:44 13/11/2002, you wrote:
> >Has anyone explored the benefits or problems with putting the incoming
> >directory onto a ramdisk? I know mailscanner prefers to have it on the
> >same partition as the mail queue directories, but I'm wondering if it
> >might be faster (for the scanning part of the process).
>
> If you have got loads of RAM, then it should at least work. Though weigh it
> up against potentially increasing speed by running more child processes
> (which will require more RAM).

Well, the machines in question will shortly have a gig of memory, and I was thinking about giving them 200mb of ram disk (they're currently running on 128mb memory). The incoming directory never seems to be terribly large.

As for child processes ... I'm still running 3.x. And, no, upgrading to 4.x isn't something I can do in the near future (production machines; change = bad ... 4.x is scheduled to be in the machines that will replace these, about 2 or so months from now).

John

From Denis.Beauchemin at USHERBROOKE.CA Thu Nov 14 19:03:26 2002
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:16:26 2006
Subject: MailScanner restart fails?
In-Reply-To: <5.1.0.14.2.20021114170515.04aa7478@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20021114163212.079d05d8@imap.ecs.soton.ac.uk> <200211141531.gAEFVLX32654@ori.rl.ac.uk> <5.1.0.14.2.20021114163212.079d05d8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021114170515.04aa7478@imap.ecs.soton.ac.uk>
Message-ID: <1037300606.4324.131.camel@dbeauchemin.si.usherbrooke.ca>

Julian,

I know you do a tremendous job with MS and I am thankful for it. This is a minor problem and you can take all the time you need to fix it.

If the init.d script fails to kill all processes with the killproc function, why don't you try something different such as:

kill $(for i in $(awk '/^ *PID dir =/{print $NF}' /etc/MailScanner/MailScanner.conf)/*; do echo ${i##*.}; done)
if [[ $? == 0 ]]; then
    echo_success
else
    echo_failure
fi

You already have the process IDs, why not use them?

I've replaced the killproc by my suggestion and it works fine here.

Denis

On Thu 14/11/2002 at 12:07, Julian Field wrote:
> At 16:53 14/11/2002, you wrote:
> >On Thu 14/11/2002 at 11:34, Julian Field wrote:
> >
> > > >And when I try to restart MailScanner it gives this output:
> > > >
> > > >[root@linuxgw rules]# /etc/rc.d/init.d/MailScanner restart
> > > >Shutting down MailScanner daemons:
> > > >         MailScanner: We haven't got any child processes, which
> > > >isn't right!, No child processes at /usr/sbin/MailScanner line 191.
> > > >We have just tried to reap a process which wasn't one of ours!, No child
> > > >processes at /usr/sbin/MailScanner line 194.
> > >
> > > This is down to the exact order in which the processes are shut down. I
> > > have removed this error message from the next release as it causes
> > confusion.
> >
> >Julian,
> >
> >I don't believe that not printing the error message will make things OK
> >since a restart does a stop followed by a start and the start can't
> >succeed unless the stop has stopped all processes (which it doesn't).
>
> The error messages you included didn't imply that the stop didn't stop
> everything.
> I know there are problems with the init.d script, it's far from perfect. I
> need to build a whole range of machines with different versions of
> different distributions installed, to sort this out. That takes time...
> (and requires me to be in my office).

--
Denis Beauchemin
Université de Sherbrooke

From mailscanner at ecs.soton.ac.uk Thu Nov 14 19:22:59 2002
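The stop-by-PID-file one-liner in the message above signals whatever PID each file name carries, so a stale file left by a crashed daemon can name a PID that has since been reused by an unrelated process. The following is an added example, not code from the thread or from MailScanner's init script, that vets each PID before signalling it; the function names, the `<name>.<pid>` file naming (inferred from `${i##*.}`) and the command-line pattern argument are assumptions.

```bash
#!/bin/bash
# Added example: vet each PID taken from a PID-file name before signalling it.
# Assumption: files in the PID directory are named <name>.<pid>, as implied
# by the ${i##*.} expansion in the one-liner from the thread.

# cmdline_of PID: print the command line of PID (nothing if unavailable).
cmdline_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -p "$1" -o args= 2>/dev/null
    fi
}

# pid_is_expected PID PATTERN
# Succeeds only if PID is numeric, greater than 1, refers to a live process
# we are allowed to signal, and that process's command line contains PATTERN.
pid_is_expected() {
    local pid=$1 pattern=$2 args
    case $pid in
        ''|*[!0-9]*) return 1 ;;                    # malformed file name
    esac
    [ "$pid" -gt 1 ] 2>/dev/null || return 1        # never signal PID 0 or 1
    kill -0 "$pid" 2>/dev/null || return 1          # stale: no such process
    args=$(cmdline_of "$pid") || return 1
    case $args in
        *"$pattern"*) return 0 ;;                   # still the expected daemon
        *) return 1 ;;                              # PID reused by something else
    esac
}

# trusted_pids DIR PATTERN
# Prints one vetted PID per line; rejected PID files are reported on stderr.
trusted_pids() {
    local dir=$1 pattern=$2 f base pid
    for f in "$dir"/*; do
        [ -f "$f" ] || continue                     # empty dir or non-file entry
        base=${f##*/}
        case $base in
            *.*) pid=${base##*.} ;;                 # suffix after the last dot
            *)   pid= ;;                            # no dot: not a PID file
        esac
        if pid_is_expected "$pid" "$pattern"; then
            printf '%s\n' "$pid"
        else
            printf 'ignoring stale or foreign PID file: %s\n' "$f" >&2
        fi
    done
}

# stop_from_pid_dir DIR PATTERN
# Sends SIGTERM to vetted PIDs only; returns 1 if none were found.
stop_from_pid_dir() {
    local pids
    pids=$(trusted_pids "$1" "$2")
    [ -n "$pids" ] || return 1
    # Word splitting is intended: one argument per PID.
    kill $pids
}
```

In an init script this would be called as `stop_from_pid_dir "$piddir" MailScanner`, with `$piddir` taken from the `PID dir` setting the one-liner already reads.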
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:26 2006 Subject: Mailscanner 4.05-3 build fails In-Reply-To: <008e01c28c0e$a406b910$6401a8c0@seeker> Message-ID: <5.1.0.14.2.20021114192222.03014520@imap.ecs.soton.ac.uk> You need the srpm. I have mailed this to you separately. At 18:50 14/11/2002, you wrote: >Hello. > >I'm trying to install Mailscanner on a Sun Ultra5 running Auroralinux >0.42 (based on RedHat 7.3) > >The build goes well until the very end when I get the following: > >Preparing... ########################################### >[100%] > 1:perl-Convert-TNEF ########################################### >[100%] > >Installing tnef decoder > >Preparing... ########################################### >[100%] >package tnef-1.1.2-sizelimit1 is for a different architecture > >Now to install MailScanner itself. > >error: failed dependencies: > tnef >= 1.1.1 is needed by mailscanner-4.05-3 >Please do not forget to kill your MailScanner version 3 processes before >starting version 4. ># > >Is there a version of tnef-1.1.2-sizelimit1 for linux on sparc64? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Thu Nov 14 19:27:42 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:26 2006 Subject: MailScanner restart fails? In-Reply-To: <1037300606.4324.131.camel@dbeauchemin.si.usherbrooke.ca> References: <5.1.0.14.2.20021114170515.04aa7478@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021114163212.079d05d8@imap.ecs.soton.ac.uk> <200211141531.gAEFVLX32654@ori.rl.ac.uk> <5.1.0.14.2.20021114163212.079d05d8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021114170515.04aa7478@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20021114192430.01edb008@imap.ecs.soton.ac.uk> At 19:03 14/11/2002, you wrote: >Julian, > >I know you do a tremendous job with MS and I am thankful for it. This >is a minor problem and you can take all the time you need to fix it. :-) >If the init.d script fails to kill all processes with the killproc >function, why don't you try something different such as: >kill $(for i in $(awk '/^ *PID dir =/{print $NF}' >/etc/MailScanner/MailScanner.conf)/*; do echo ${i##*.}; done) >if [[ $? == 0 ]]; then > echo_success >else > echo_failure >fi Just need to ensure that there aren't pid files there that shouldn't be. But otherwise looks good. The init.d script is on my list of things to work on. >You already have the process IDs, why not use them? So long as they are trustworthy... >I've replaced the killproc by my suggestion and it works fine here. > >Denis >Le jeu 14/11/2002 ? 12:07, Julian Field a ?crit : > > At 16:53 14/11/2002, you wrote: > > >Le jeu 14/11/2002 ? 11:34, Julian Field a ?crit : > > > > > > > >And when I try to restart MailScanner it gives this output: > > > > > > > > > >[root@linuxgw rules]# /etc/rc.d/init.d/MailScanner restart > > > > >Shutting down MailScanner daemons: > > > > > MailScanner: We haven't got any child processes, which > > > > >isn't right!, No child processes at /usr/sbin/MailScanner line 191. > > > > >We have just tried to reap a process which wasn't one of ours!, No > child > > > > >processes at /usr/sbin/MailScanner line 194. 
> > > > > > > > This is down to the exact order in which the processes are shut down. I > > > > have removed this error message from the next release as it causes > > > confusion. > > > > > >Julian, > > > > > >I don't believe that not printing the error message will make things OK > > >since a restart does a stop followed by a start and the start can't > > >succeed unless the stop has stopped all processes (which it doesn't). > > > > The error messages you included didn't imply that the stop didn't stop > > everything. > > I know there are problems with the init.d script, it's far from perfect. I > > need to build a whole range of machines with different versions of > > different distributions installed, to sort this out. That takes time... > > (and requires me to be in my office). >-- >Denis Beauchemin >Universit? de Sherbrooke -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From lyons at digitalvoodoo.org Thu Nov 14 19:31:14 2002 From: lyons at digitalvoodoo.org (Timothy M. Lyons) Date: Thu Jan 12 21:16:26 2006 Subject: Mailscanner 4.05-3 build fails In-Reply-To: <5.1.0.14.2.20021114192222.03014520@imap.ecs.soton.ac.uk> Message-ID: <000301c28c14$650e3660$6401a8c0@seeker> I'll keep my eye out for it. Thanks Julian! --Tim -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Thursday, November 14, 2002 14:23 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Mailscanner 4.05-3 build fails You need the srpm. I have mailed this to you separately. At 18:50 14/11/2002, you wrote: >Hello. > >I'm trying to install Mailscanner on a Sun Ultra5 running Auroralinux >0.42 (based on RedHat 7.3) > >The build goes well until the very end when I get the following: > >Preparing... ########################################### >[100%] > 1:perl-Convert-TNEF ########################################### >[100%] > >Installing tnef decoder > >Preparing... ########################################### >[100%] >package tnef-1.1.2-sizelimit1 is for a different architecture > >Now to install MailScanner itself. > >error: failed dependencies: > tnef >= 1.1.1 is needed by mailscanner-4.05-3 >Please do not forget to kill your MailScanner version 3 processes >before starting version 4. # > >Is there a version of tnef-1.1.2-sizelimit1 for linux on sparc64? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscannerlist at TNJINFL.COM Thu Nov 14 20:28:45 2002 
From: mailscannerlist at TNJINFL.COM (James Pifer)
Date: Thu Jan 12 21:16:26 2006
Subject: Almost there....
In-Reply-To: <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk>
References: <1037212550.13361.41.camel@tweety.tnjinfl.com> <1037212550.13361.41.camel@tweety.tnjinfl.com> <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk>
Message-ID: <1037305726.12383.158.camel@tweety.tnjinfl.com>

What's the proper way to restart everything after making a config change to any of the conf files with MailScanner? For example, MailScanner.conf, spam.mailassassin.prefs.conf, etc.

I've tried the following:

service sendmail off
chkconfig sendmail off
chkconfig MailScanner on
service MailScanner start

These seem to run ok, but the changes don't seem to take effect. Seems like I have to reboot once or twice before it starts working. Is it timing or am I missing something?

Also, I have the Delivery Method set to queue instead of batch, since this will be running in high volume eventually. The MTA is Sendmail and the messages seem to sit in the outgoing queue for a while. I haven't figured out how long they sit there yet, but how does the MTA choose how long to wait before sending them? If I flush them (using Webmin) they are sent right away. I assume this is a Sendmail issue, but since I'm not sure I thought I'd ask here.

Thanks,
James

From mike at CAMAROSS.NET Thu Nov 14 20:29:51 2002
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:16:26 2006
Subject: Almost there....
In-Reply-To: <1037305726.12383.158.camel@tweety.tnjinfl.com>
Message-ID: <00f701c28c1c$95e23cc0$6501a8c0@mikedesk>

/etc/rc.d/init.d/MailScanner reload

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of James Pifer Sent: Thursday, November 14, 2002 2:29 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Almost there.... What's the proper way to restart everything after making a config change to any of the conf files with MailScanner? For example, MailScanner.conf, spam.mailassassin.prefs.conf, etc. I've tried the following: service sendmail off chkconfig sendmail off chkconfig MailScanner on service MailScanner start These seem to run ok, but the changes don't seem to take affect. Seems like I have to reboot once or twice before it starts working. Is it timing or am I missing something? Also, I have the Delivery Method set to queue instead of batch, since this will be running in high volume eventually. The MTA is Sendmail and the messages seem to sit in the outgoing queue for a while. I haven't figured out how long they sit there yet, but how does the MTA choose how long to wait before sending them? If I flush them (using Webmin) they are sent right away. I assume this is a Sendmail issue, but since I'm not sure I thought I'd ask here. Thanks, James From brent at TECHFORPEOPLE.NET Fri Nov 15 08:32:20 2002 
From: brent at TECHFORPEOPLE.NET (Brent Emerson) Date: Thu Jan 12 21:16:26 2006 Subject: spam action to deliver messages pre-scanned Message-ID: (Sorry if this has already been suggested/discussed - couldn't find it in the archives.) I'm wondering how difficult it would be to add yet another Spam Action to MS allowing admins to forward (to an arbitrary address) copies of the messages identified as spam, but in their prescanned state (exactly as the message was received by MS) rather than with the MS/SA/etc markup. This would be especially nice when using SpamAssassin, which can remove its markup but doesn't promise to return a message that's identical to the original. This would be useful to stockpile messages that could be checked over by a human and, once verified as spam, submitted in their untouched state to systems like razor, which seem to be distrustful of submissions from automata. Otherwise we could all go to the trouble of creating troll accounts and seeding them all over the place and hoping spammers will find them, but that seems like a lot of work for a slow gradual payoff--and we already have so many active accounts (our real users) getting so much spam. I'd just love to get my hands on a mailbox full of untouched versions of the many messages MS/SA is identifying so accurately! brent emerson ----techforpeople: hosting for nonprofits and the arts--------------- nposhield: protection from email viruses/spam/abuse | web hosting -------------member of the tech underground (techunderground.org)---- From mkettler at EVI-INC.COM Thu Nov 14 22:04:26 2002 
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:16:26 2006 Subject: Almost there.... In-Reply-To: <1037305726.12383.158.camel@tweety.tnjinfl.com> References: <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk> <1037212550.13361.41.camel@tweety.tnjinfl.com> <1037212550.13361.41.camel@tweety.tnjinfl.com> <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk> Message-ID: <5.1.1.6.0.20021114170206.025cc978@192.168.50.2> I can answer the time-interval part of your question... If you're going to do queue only processing change the delay time for the queue only copy of sendmail started by MailScanner. To do this edit /etc/sysconfig/mailscanner # # Put in here the time between runs for the outgoing sendmail mqueue # if you don't want the default of 15 minutes (15m). # QUEUETIME=5m Note that emails will only be processed at the interval specified, or when you manually run sendmail -q At 03:28 PM 11/14/2002 -0500, you wrote: >Also, I have the Delivery Method set to queue instead of batch, since >this will be running in high volume eventually. The MTA is Sendmail and >the messages seem to sit in the outgoing queue for a while. I haven't >figured out how long they sit there yet, but how does the MTA choose how >long to wait before sending them? If I flush them (using Webmin) they >are sent right away. I assume this is a Sendmail issue, but since I'm >not sure I thought I'd ask here. > >Thanks, >James From mailscanner at BARENDSE.TO Fri Nov 15 08:59:11 2002 
From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:16:26 2006 Subject: html2text output not really clean? In-Reply-To: <1037287045.6516.108.camel@linroute> Message-ID: Hi! I am using Mailscanner 4.05-3 and have a mobile user collecting mail on his laptop. I want to use the html2text feature to prevent expensive phonecalls to collect e-mail in HTML format that keep the connection open for hours. MS is running on a RedHat 7.3 box. I have this line in my /etc/MailScanner/MailScanner.conf : Convert HTML To Text = /etc/MailScanner/rules/html2text.rules The html2text.rules contains: To r.barendse@somedomain.com yes To remco@somedomain.com yes Fromorto default no The output in maillog seems correct: Nov 15 09:44:19 linuxgw MailScanner[7367]: Content Checks: Need to convert HTML to plain text in 1 messages Nov 15 09:44:20 linuxgw MailScanner[7367]: Content Checks: Detected and will convert HTML message to plain text in gAF8iAN07366 When I start pine and look in the inbox, I still see small messages being huge in size (13-40 Kb). The top of the e-mail contains stuff like : @font-face { font-family: Tahoma; } @font-face { font-family: Verdana; } @page Section1 {size:595.35pt 842.0pt; margin: 26.95pt 70.9pt 1.0in 70.9pt; mso-header-margin: and similar rubble throughout the e-mail : ….Whaaat ?? ? You gotta be kidding me….?! Now if I retrieve the contents of the mailbox using Outlook Express the e-mail *appears* to be stripped of html rubble because the formatting has changed (colors and font sizes are different). The size of the e-mail is slightly reduced (the original HTML mail was 21 Kb, the end result is 13 Kb (still too much for only 80 lines of text). Why is there still all this font and other rubble in the e-mails and how can I strip them completely? Thanks!! Remco -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From novirus at CARLO65.DE Fri Nov 15 09:03:13 2002 
From: novirus at CARLO65.DE (Roland Ehle) Date: Thu Jan 12 21:16:26 2006 Subject: spam action to deliver messages pre-scanned In-Reply-To: References: Message-ID: <1037350993.7296.3.camel@linroute> Hi Brent, On Fri, 2002-11-15 at 09:32, Brent Emerson wrote: > (Sorry if this has already been suggested/discussed - couldn't find it in > the archives.) > > I'm wondering how difficult it would be to add yet another Spam Action to > MS allowing admins to forward (to an arbitrary address) copies of the > messages identified as spam, but in their prescanned state (exactly as the > message was received by MS) rather than with the MS/SA/etc markup. This > would be especially nice when using SpamAssassin, which can remove its > markup but doesn't promise to return a message that's identical to the > original. In MailScanner version 4.x you can combine several actions, one of which is forward. I cannot tell you if the forwarded message is untouched concerning its X-MailScanner headers, but I don't think so. As the message has passed all MailScanner checks prior to the forwarding action, it probably has the MailScanner additions to the header. I don't see a problem with forwarding mails like these to razor. Regards, Roland From mailscanner at ecs.soton.ac.uk Fri Nov 15 09:15:16 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:26 2006 Subject: spam action to deliver messages pre-scanned In-Reply-To: Message-ID: <5.1.0.14.2.20021115091403.045ea3b8@imap.ecs.soton.ac.uk> At 08:32 15/11/2002, you wrote: >I'm wondering how difficult it would be to add yet another Spam Action to >MS allowing admins to forward (to an arbitrary address) copies of the >messages identified as spam, but in their prescanned state (exactly as the >message was received by MS) rather than with the MS/SA/etc markup. This >would be especially nice when using SpamAssassin, which can remove its >markup but doesn't promise to return a message that's identical to the >original. MailScanner doesn't use SpamAssassin's own message markup code, it strictly limits it to an obvious header. So if Razor really objects to MailScanner-processed messages, you could easily remove this header from the message automatically before it goes to Razor. >This would be useful to stockpile messages that could be checked over by a >human and, once verified as spam, submitted in their untouched state to >systems like razor, which seem to be distrustful of submissions from >automata. Otherwise we could all go to the trouble of creating troll >accounts and seeding them all over the place and hoping spammers will find >them, but that seems like a lot of work for a slow gradual payoff--and we >already have so many active accounts (our real users) getting so much >spam. I'd just love to get my hands on a mailbox full of untouched >versions of the many messages MS/SA is identifying so accurately! > >brent emerson > > >----techforpeople: hosting for nonprofits and the arts--------------- > nposhield: protection from email viruses/spam/abuse | web hosting >-------------member of the tech underground (techunderground.org)---- -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 
023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Nov 15 09:16:19 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:26 2006 Subject: html2text output not really clean? In-Reply-To: References: <1037287045.6516.108.camel@linroute> Message-ID: <5.1.0.14.2.20021115091606.04487e68@imap.ecs.soton.ac.uk> Can you send me 1 of the messages for me to experiment with please? At 08:59 15/11/2002, you wrote: >Hi! > >I am using Mailscanner 4.05-3 and have a mobile user collecting mail on >his laptop. I want to use the html2text feature to prevent expensive >phonecalls to collect e-mail in HTML format that keep the connection open >for hours. MS is running on a RedHat 7.3 box. > >I have this line in my /etc/MailScanner/MailScanner.conf : >Convert HTML To Text = /etc/MailScanner/rules/html2text.rules > >The html2text.rules contains: >To r.barendse@somedomain.com yes >To remco@somedomain.com yes >Fromorto default no > >The output in maillog seems correct: >Nov 15 09:44:19 linuxgw MailScanner[7367]: Content Checks: Need to convert >HTML to plain text in 1 messages >Nov 15 09:44:20 linuxgw MailScanner[7367]: Content Checks: Detected and >will convert HTML message to plain text in gAF8iAN07366 > >When I start pine and look in the inbox, I still see small messages >being huge in size (13-40 Kb). The top of the e-mail contains stuff like : >@font-face { font-family: Tahoma; } @font-face { font-family: Verdana; } >@page Section1 {size:595.35pt 842.0pt; margin: 26.95pt 70.9pt 1.0in >70.9pt; mso-header-margin: > >and similar rubble throughout the e-mail : >….Whaaat ?? > >You gotta be kidding me….?! > >Now if I retrieve the contents of the mailbox using Outlook Express the >e-mail *appears* to be stripped of html rubble because the formatting has >changed (colors and font sizes are different). The size of the e-mail is >slightly reduced (the original HTML mail was 21 Kb, the end result is 13 >Kb (still too much for only 80 lines of text). 
> >Why is there still all this font and other rubble in the e-mails and how >can I strip them completely? > >Thanks!! > >Remco > > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Nov 15 09:12:45 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:26 2006 Subject: Almost there.... In-Reply-To: <1037305726.12383.158.camel@tweety.tnjinfl.com> References: <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk> <1037212550.13361.41.camel@tweety.tnjinfl.com> <1037212550.13361.41.camel@tweety.tnjinfl.com> <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20021115091056.0475ece0@imap.ecs.soton.ac.uk> At 20:28 14/11/2002, you wrote: >What's the proper way to restart everything after making a config change >to any of the conf files with MailScanner? For example, >MailScanner.conf, spam.mailassassin.prefs.conf, etc. > >I've tried the following: >service sendmail off >chkconfig sendmail off >chkconfig MailScanner on >service MailScanner start That's installation-time stuff. You just want service MailScanner reload >Also, I have the Delivery Method set to queue instead of batch, since >this will be running in high volume eventually. I still use batch even with a high volume. As MailScanner V4 runs lots of processes in parallel, you don't really need "queue" much any more. I do my speed tests with "batch" and my development PC (about the equivalent of a modern £700 (or $1000 US) pc) can do over 250,000 messages per day. > The MTA is Sendmail and >the messages seem to sit in the outgoing queue for a while. I haven't >figured out how long they sit there yet, but how does the MTA choose how >long to wait before sending them? If I flush them (using Webmin) they >are sent right away. I assume this is a Sendmail issue, but since I'm >not sure I thought I'd ask here. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at BARENDSE.TO Fri Nov 15 09:48:03 2002 
From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:16:26 2006 Subject: html2text output not really clean? In-Reply-To: <5.1.0.14.2.20021115091606.04487e68@imap.ecs.soton.ac.uk> Message-ID: Ok, I will bounce you two messages, can I send them to a non-public address? One thing that might matter : the e-mail I will send will be generated by M$ Word as e-mail editor. I have noticed that the html output of Outlook itself is a lot cleaner and doesn't contain anywhere near the amount of rubble that Word throws in.... Maybe it is only the Word specific rubble that isn't cleaned? Also I have found something else. If html2text is enabled for one specific user (smith@somedomain.com) but the message is cc'ed to another user on the same domain/box (chris@somedomain.com) then both users will get the message in `plain' text. This is logical because the one df/qf message is converted but may be undesirable. Maybe a thing to add at the bottom of the todo list if it's possible at all? Remco On Fri, 15 Nov 2002, Julian Field wrote: > Can you send me 1 of the messages for me to experiment with please? > > At 08:59 15/11/2002, you wrote: > >Hi! > > > >I am using Mailscanner 4.05-3 and have a mobile user collecting mail on > >his laptop. I want to use the html2text feature to prevent expensive > >phonecalls to collect e-mail in HTML format that keep the connection open > >for hours. MS is running on a RedHat 7.3 box. 
> > > >I have this line in my /etc/MailScanner/MailScanner.conf : > >Convert HTML To Text = /etc/MailScanner/rules/html2text.rules > > > >The html2text.rules contains: > >To r.barendse@somedomain.com yes > >To remco@somedomain.com yes > >Fromorto default no > > > >The output in maillog seems correct: > >Nov 15 09:44:19 linuxgw MailScanner[7367]: Content Checks: Need to convert > >HTML to plain text in 1 messages > >Nov 15 09:44:20 linuxgw MailScanner[7367]: Content Checks: Detected and > >will convert HTML message to plain text in gAF8iAN07366 > > > >When I start pine and look in the inbox, I still see small messages > >being huge in size (13-40 Kb). The top of the e-mail contains stuff like : > >@font-face { font-family: Tahoma; } @font-face { font-family: Verdana; } > >@page Section1 {size:595.35pt 842.0pt; margin: 26.95pt 70.9pt 1.0in > >70.9pt; mso-header-margin: > > > >and similar rubble throughout the e-mail : > >….Whaaat ?? > > > >You gotta be kidding me….?! > > > >Now if I retrieve the contents of the mailbox using Outlook Express the > >e-mail *appears* to be stripped of html rubble because the formatting has > >changed (colors and font sizes are different). The size of the e-mail is > >slightly reduced (the original HTML mail was 21 Kb, the end result is 13 > >Kb (still too much for only 80 lines of text). > > > >Why is there still all this font and other rubble in the e-mails and how > >can I strip them completely? > > > >Thanks!! > > > >Remco > > > > > > > >-- > >This message has been scanned for viruses and > >dangerous content by MailScanner, and is > >believed to be clean. > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From viers at UNILIM.FR Fri Nov 15 09:38:26 2002 
From: viers at UNILIM.FR (Nicolas Viers - SCI Limoges) Date: Thu Jan 12 21:16:26 2006 Subject: Virus test Message-ID: <5.0.2.1.2.20021115102833.022d6368@pop.unilim.fr> Hello, with mailscanner 2.60 when I test virus with eicar I had the warning message sent to the recipient, sender and postmaster. It was useful to test. With the 4.05-3 mailscanner only sends message with "non infection" to the recipient. How to test with the same effect as a real virus? Thanks a lot ____________________________________________________________ Nicolas Viers | Service Commun Informatique Mél: viers@unilim.fr | 123, avenue Albert Thomas | 87060 Limoges cedex Tel: 05-55-45-77-09 | Fax: 05-55-45-75-95 http://www.unilim.fr/sci ____________________________________________________________ From paul at ESPMAIL.CO.UK Fri Nov 15 09:45:47 2002 From: paul at ESPMAIL.CO.UK (Paul Welsh) Date: Thu Jan 12 21:16:26 2006 Subject: IFrame tags References: <200211150003.AAA32156@www.espmail.co.uk> Message-ID: <005e01c28c8b$c6e081a0$6a0110ac@sbsplc.com> A fair number of innocent messages, eg, the daily Dilbert comic strip, get stopped by the IFrame blocking. Excuse my ignorance, but is there any way to allow messages from specific addresses to get through the IFrame scanning? From raymond at PROLOCATION.NET Fri Nov 15 09:56:26 2002 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:16:26 2006 Subject: Virus test In-Reply-To: <5.0.2.1.2.20021115102833.022d6368@pop.unilim.fr> Message-ID: Hi! > With the 4.05-3 mailscanner only send message with "non infection" > to the recipient. > How to test with the same effect of a real virus ? If you really want I can send a zip with some variants so you can test your setup... Bye, Raymond. From klon at NYBRO.DK Fri Nov 15 12:10:06 2002 
From: klon at NYBRO.DK (Thomas Hanson) Date: Thu Jan 12 21:16:26 2006 Subject: How to notify only certain senders of virus in thier email? Message-ID: <013f01c28c9f$efa91700$52df26c0@r58> Hi I would like to only notify senders of a certain domain or subset of ip addresses if they have a virus in the email they sent. Is there a way to do this in MailScanner 4.05 ? It says you can put a file with rules instead of just yes and no. But how should that file look like say if I only wanted to notify senders belonging to the domain mydomain.com Thanks, Thomas From mike at CAMAROSS.NET Fri Nov 15 13:00:24 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:16:26 2006 Subject: How to notify only certain senders of virus in thier email? In-Reply-To: <013f01c28c9f$efa91700$52df26c0@r58> Message-ID: <000601c28ca6$f6fb7690$6501a8c0@mikedesk> FromTo: default no FromTo: *@yourdomain.com yes FromTo: *@yourotherdomian.com no Julian has made the rule construction very flexible and forgiving :) -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Thomas Hanson Sent: Friday, November 15, 2002 6:10 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: How to notify only certain senders of virus in thier email? Hi I would like to only notify senders of a certain domain or subset of ip addresses if they have a virus in the email they sent. Is there a way to do this in MailScanner 4.05 ? It says you can put a file with rules instead of just yes and no. But how should that file look like say if I only wanted to notify senders belonging to the domain mydomain.com Thanks, Thomas From novirus at CARLO65.DE Fri Nov 15 13:15:40 2002 
From: novirus at CARLO65.DE (Roland Ehle) Date: Thu Jan 12 21:16:26 2006 Subject: German version of David's mailstats Message-ID: <1037366140.7296.10.camel@linroute> Hi, big sorry to everybody who tried to download the script. I forgot, that my server has suexec restrictions, so download was impossible. New link to a tar-file: http://www.inbox4u.de/mailstats_ge.tar Regards, Roland From viers at UNILIM.FR Fri Nov 15 13:47:25 2002 
From: viers at UNILIM.FR (Nicolas Viers - SCI Limoges) Date: Thu Jan 12 21:16:26 2006 Subject: Mailscanner 4.05-3 and virus infection Message-ID: <5.0.2.1.2.20021115143922.02332bd8@pop.unilim.fr> Hello, I had a problem with my mailscanner config (4.05-3). When I test with a virus file, the mail log file said: Nov 15 14:26:33 limdns-new MailScanner[13585]: /usr/local/MailScanner-4.05-3/var/incoming/13585/gAFDQQAl014953/test.zip/URFRIEND.SCR Found virus or variant W32/Yaha !!! Nov 15 14:26:33 limdns-new MailScanner[13585]: /usr/local/MailScanner-4.05-3/var/incoming/13585/gAFDQQAl014953/test.zip/VALUE.EXE Found virus or variant W32/Klez !!! Nov 15 14:26:33 limdns-new MailScanner[13585]: Virus Scanning: mcafee found 8 infections Nov 15 14:26:33 limdns-new MailScanner[13585]: Virus Scanning: Found 8 viruses Nov 15 14:26:33 limdns-new MailScanner[13585]: Uninfected: Delivered 1 messages Nov 15 14:26:33 limdns-new MailScanner[15008]: MailScanner Nov 15 14:26:33 limdns-new MailScanner[15008]: MailScanner E-Mail Virus Scanner version 4.05-3 starting... Nov 15 14:26:33 limdns-new MailScanner[15008]: Using locktype = flock 8 viruses are found, but the attached file was delivered with the message "no infection was found". Mcafee said viruses found and mailscanner Uninfected: deliver 1 message. Why does mailscanner not put the infected file in the quarantine directory? I had another mailscanner 2.60 version and it works fine with this zip infected file ____________________________________________________________ Nicolas Viers | Service Commun Informatique Mél: viers@unilim.fr | 123, avenue Albert Thomas | 87060 Limoges cedex Tel: 05-55-45-77-09 | Fax: 05-55-45-75-95 http://www.unilim.fr/sci ____________________________________________________________ From Denis.Beauchemin at USHERBROOKE.CA Fri Nov 15 14:24:46 2002 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:16:26 2006 Subject: Filename rules and virus Message-ID: <1037370286.6238.23.camel@dbeauchemin.si.usherbrooke.ca> Hello, I just discovered something strange: an email with an infected .EXE got trapped by MS and quarantined (as per the filename rules) but McAfee was able to disinfect it so MS decided to send it to the recipient, disregarding the filename rules! Nov 15 06:36:08 smtp3 MailScanner[29982]: New Batch: Scanning 1 messages, 207433 bytes Nov 15 06:36:08 smtp3 MailScanner[29982]: Spam Checks: Starting Nov 15 06:36:08 smtp3 MailScanner[29982]: Virus and Content Scanning: Starting Nov 15 06:36:08 smtp3 MailScanner[29982]: /gAFBa4w14876/Server.exe contient le virus W32/Magistr.b@MM !!! Nov 15 06:36:08 smtp3 MailScanner[29982]: Virus Scanning: mcafee found 1 infections Nov 15 06:36:08 smtp3 MailScanner[29982]: Virus Scanning: Found 1 viruses Nov 15 06:36:08 smtp3 MailScanner[29982]: Filename Checks: Fichiers EXE dangereux (Server.exe) Nov 15 06:36:08 smtp3 MailScanner[29982]: Other Checks: Found 1 problems Nov 15 06:36:08 smtp3 MailScanner[29982]: Saved infected "Server.exe" to /quarantaine/usherbrooke/20021115/gAFBa4w14876 Nov 15 06:36:08 smtp3 MailScanner[29982]: Cleaned: Delivered 1 cleaned messages Nov 15 06:36:09 smtp3 MailScanner[29982]: Sender Warnings: Delivered 1 warnings to virus senders Nov 15 06:36:09 smtp3 MailScanner[29982]: Disinfection: Attempting to disinfect 1 messages Nov 15 06:36:09 smtp3 sendmail[14887]: gAFBa8L14883: to=source@sympatico.ca, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30868, relay=smtp12.sy mpatico.ca. 
[209.226.175.80], dsn=5.1.1, stat=User unknown Nov 15 06:36:09 smtp3 MailScanner[29982]: Disinfection: Rescan found only 0 viruses Nov 15 06:36:09 smtp3 sendmail[14887]: gAFBa8L14883: gAFBa9K14887: postmaster notify: User unknown Nov 15 06:36:09 smtp3 sendmail[14890]: gAFBa9D14890: from=quarantaine@usherbrooke.ca, size=157267, class=0, nrcpts=1, msgid=<200211151136.gAFBa9D14890@smtp3.ush erbrooke.ca>, bodytype=8BITMIME, relay=root@localhost Nov 15 06:36:22 smtp3 sendmail[14893]: gAFBa9D14890: to=destination@usherbrooke.ca, ctladdr=quarantaine@usherbrooke.ca (0/0), delay=00:00:13, xdelay=00:00: 13, mailer=relay, pri=187267, relay=c-s.usherbrooke.ca. [132.210.x.y], dsn=2.0.0, stat=Sent (GAA150818 Message accepted for delivery) Can someone figure out what is going on? Denis -- Denis Beauchemin, analyste Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From tony.johansson at SVENSKAKYRKAN.SE Fri Nov 15 14:41:51 2002 From: tony.johansson at SVENSKAKYRKAN.SE (Tony Johansson) Date: Thu Jan 12 21:16:26 2006 Subject: Double file extensions Message-ID: <3C4F5084EF16D4119CE700508B6B8B10058D07F6@nt.svenskakyrkan.se> I allow .pdf documents via mail but deny any double file extensions As a result, files such as "Important meeting.q4.nov.pdf" gets denied How do I write a rule which basically allows *.pdf no matter how many extensions? regards, Tony From bigdog at DOGPOUND.VNET.NET Fri Nov 15 14:52:46 2002 
From: bigdog at DOGPOUND.VNET.NET (Matthew Davis) Date: Thu Jan 12 21:16:26 2006 Subject: Filename rules and virus In-Reply-To: <1037370286.6238.23.camel@dbeauchemin.si.usherbrooke.ca>; from Denis.Beauchemin@USHERBROOKE.CA on Fri, Nov 15, 2002 at 09:24:46AM -0500 References: <1037370286.6238.23.camel@dbeauchemin.si.usherbrooke.ca> Message-ID: <20021115095246.A308@dogpound.vnet.net> * Denis Beauchemin (Denis.Beauchemin@USHERBROOKE.CA) wrote: > Hello, > > I just discovered something strange: an email with an infected .EXE got > trapped by MS and quarantined (as per the filename rules) but McAfee was > able to disinfect it so MS decided to send it to the recipient, > disregarding the filename rules! > > Can someone figure out what is going on? Check your MailScanner.conf # Should I attempt to disinfect infected attachments and then deliver # the clean ones. "Disinfection" involves removing viruses from files # (such as removing macro viruses from documents). "Cleaning" is the # replacement of infected attachments with "VirusWarning.txt" text # attachments. # This can also be the filename of a ruleset. Deliver Disinfected Files = yes -- Matthew Davis http://dogpound.vnet.net/ ---------------------------------------------------------------- Borg spreadsheet: Locutus 1-2-3 ---------------------------------------------------------------- Friday, November 15, 2002 / 09:51AM From mailscanner at ecs.soton.ac.uk Fri Nov 15 15:01:28 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:26 2006 Subject: Double file extensions In-Reply-To: <3C4F5084EF16D4119CE700508B6B8B10058D07F6@nt.svenskakyrkan. se> Message-ID: <5.2.0.9.2.20021115150101.047b2e20@imap.ecs.soton.ac.uk> At 14:41 15/11/2002, you wrote: >I allow .pdf documents via mail but deny any double file extensions >As a result, files such as "Important meeting.q4.nov.pdf" gets denied > >How do I write a rule which basically allows *.pdf no matter how many >extensions? allow \.pdf$ - - above the "deny double extensions" rule. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Nov 15 14:38:27 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:26 2006 Subject: IFrame tags In-Reply-To: <005e01c28c8b$c6e081a0$6a0110ac@sbsplc.com> References: <200211150003.AAA32156@www.espmail.co.uk> Message-ID: <5.2.0.9.2.20021115143705.04660800@imap.ecs.soton.ac.uk> At 09:45 15/11/2002, you wrote: >A fair number of innocent messages, eg, the daily Dilbert comic strip, get >stopped by the IFrame blocking. > >Excuse my ignorance, but is there any way to allow messages from specific >addresses to get through the IFrame scanning? In version 4, you can make a ruleset that allows iframes from some places but not others. A ruleset file such as From: *@dilbert.com yes From: *@newsletters.microsoft.com yes FromOrTo: default no would do the trick. Obviously you need to get the "dilbert.com" domain name correct from looking at a real Dilbert daily comic strip. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Nov 15 14:59:32 2002 
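The rule ordering from the "Double file extensions" reply above, as an added example that is not MailScanner's own code: a small first-match evaluator for filename rules showing what placing "allow \.pdf$" above the double-extension deny lets through and what it still blocks. Assumptions (not from the thread): fields are tab-separated, matching is case-insensitive, names that match no rule are allowed, and the deny pattern and all filenames except "Important meeting.q4.nov.pdf" are constructed.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    action: str            # "allow" or "deny"
    pattern: "re.Pattern"  # compiled filename regex
    log_text: str
    report_text: str


def rule_line(action: str, regex: str, log_text: str, report_text: str) -> str:
    """Build one tab-separated rule line (field layout is an assumption)."""
    return "\t".join([action, regex, log_text, report_text])


def parse_rules(text: str) -> List[Rule]:
    """Parse rule lines, skipping blanks and # comments, rejecting bad lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"\t+", line)
        if len(fields) != 4 or fields[0].lower() not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: want allow|deny, regex, log, report")
        try:
            pattern = re.compile(fields[1], re.IGNORECASE)
        except re.error as exc:
            raise ValueError(f"line {lineno}: bad regex: {exc}") from exc
        rules.append(Rule(fields[0].lower(), pattern, fields[2], fields[3]))
    return rules


def decide(rules: List[Rule], filename: str) -> Tuple[str, Optional[Rule]]:
    """First matching rule wins; with no match the file is allowed."""
    for rule in rules:
        if rule.pattern.search(filename):
            return rule.action, rule
    return "allow", None


def overridden_denies(rules: List[Rule], filename: str) -> List[Rule]:
    """Deny rules that would have matched but sit below the winning allow."""
    action, winner = decide(rules, filename)
    if action != "allow" or winner is None:
        return []
    later = rules[rules.index(winner) + 1:]
    return [r for r in later if r.action == "deny" and r.pattern.search(filename)]


# Constructed rules: the allow line is the one from the reply, the deny
# pattern is a stand-in for the "deny double extensions" rule.
ALLOW_PDF = rule_line("allow", r"\.pdf$", "-", "-")
DENY_DOUBLE = rule_line("deny", r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$",
                        "Possible filename hiding", "Double file extension")

PDF_ABOVE = parse_rules("\n".join([ALLOW_PDF, DENY_DOUBLE]))  # order advised
PDF_BELOW = parse_rules("\n".join([DENY_DOUBLE, ALLOW_PDF]))  # allow is too late

# Constructed filenames, apart from the first, which is quoted in the thread.
SAMPLES = ["Important meeting.q4.nov.pdf", "notes.pdf", "invoice.exe.pdf",
           "report.pdf.exe", "photo.jpg"]

if __name__ == "__main__":
    for name in SAMPLES:
        above, _ = decide(PDF_ABOVE, name)
        below, _ = decide(PDF_BELOW, name)
        hidden = [r.log_text for r in overridden_denies(PDF_ABOVE, name)]
        print(f"{name!r:32} allow-first={above:5} deny-first={below:5} "
              f"overridden={hidden}")
```

The overridden list is the review aid: it names every deny that the earlier allow silences, so the cost of the exception is visible before the rules file is reloaded.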
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:26 2006 Subject: Filename rules and virus In-Reply-To: <1037370286.6238.23.camel@dbeauchemin.si.usherbrooke.ca> Message-ID: <5.2.0.9.2.20021115145840.04421150@imap.ecs.soton.ac.uk> That's a subtle one. Fixed for the next release. In the mean time the patch is a 1-line change if you need this functionality in a hurry: --- /root/unstable/mailscanner/mailscanner/bin/MailScanner/MessageBatch.pm Fri Nov 8 16:13:58 2002 +++ MessageBatch.pm Fri Nov 15 15:12:15 2002 
@@ -607,6 +607,7 @@ if ($message->{deleted} || $message->{cantparse} || $message->{badtnef} || + $message->{nameinfected} || ($message->{allreports} && $message->{allreports}{""}) || !MailScanner::Config::Value('deliverdisinfected',$message)) { $message->DeleteMessage(); At 14:24 15/11/2002, you wrote: >Hello, > >I just discovered something strange: an email with an infected .EXE got >trapped by MS and quarantined (as per the filename rules) but McAfee was >able to disinfect it so MS decided to send it to the recipient, >disregarding the filename rules! > >Nov 15 06:36:08 smtp3 MailScanner[29982]: New Batch: Scanning 1 messages, >207433 bytes >Nov 15 06:36:08 smtp3 MailScanner[29982]: Spam Checks: Starting >Nov 15 06:36:08 smtp3 MailScanner[29982]: Virus and Content Scanning: Starting >Nov 15 06:36:08 smtp3 MailScanner[29982]: >/gAFBa4w14876/Server.exe contient le virus W32/Magistr.b@MM !!! >Nov 15 06:36:08 smtp3 MailScanner[29982]: Virus Scanning: mcafee found 1 >infections >Nov 15 06:36:08 smtp3 MailScanner[29982]: Virus Scanning: Found 1 viruses >Nov 15 06:36:08 smtp3 MailScanner[29982]: Filename Checks: Fichiers EXE >dangereux (Server.exe) >Nov 15 06:36:08 smtp3 MailScanner[29982]: Other Checks: Found 1 problems >Nov 15 06:36:08 smtp3 MailScanner[29982]: Saved infected "Server.exe" to >/quarantaine/usherbrooke/20021115/gAFBa4w14876 >Nov 15 06:36:08 smtp3 MailScanner[29982]: Cleaned: Delivered 1 cleaned >messages >Nov 15 06:36:09 smtp3 MailScanner[29982]: Sender Warnings: Delivered 1 >warnings to virus senders >Nov 15 06:36:09 smtp3 MailScanner[29982]: Disinfection: Attempting to >disinfect 1 messages >Nov 15 06:36:09 smtp3 sendmail[14887]: gAFBa8L14883: >to=source@sympatico.ca, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, >pri=30868, relay=smtp12.sy >mpatico.ca. 
[209.226.175.80], dsn=5.1.1, stat=User unknown >Nov 15 06:36:09 smtp3 MailScanner[29982]: Disinfection: Rescan found only >0 viruses >Nov 15 06:36:09 smtp3 sendmail[14887]: gAFBa8L14883: gAFBa9K14887: >postmaster notify: User unknown >Nov 15 06:36:09 smtp3 sendmail[14890]: gAFBa9D14890: >from=quarantaine@usherbrooke.ca, size=157267, class=0, nrcpts=1, >msgid=<200211151136.gAFBa9D14890@smtp3.ush >erbrooke.ca>, bodytype=8BITMIME, relay=root@localhost >Nov 15 06:36:22 smtp3 sendmail[14893]: gAFBa9D14890: >to=destination@usherbrooke.ca, ctladdr=quarantaine@usherbrooke.ca (0/0), >delay=00:00:13, xdelay=00:00: >13, mailer=relay, pri=187267, relay=c-s.usherbrooke.ca. [132.210.x.y], >dsn=2.0.0, stat=Sent (GAA150818 Message accepted for delivery) > >Can someone figure out what is going on? > >Denis >-- >Denis Beauchemin, analyste >Université de Sherbrooke, S.T.I. >T: 819.821.8000x2252 F: 819.821.8045 -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Nov 15 14:36:25 2002 
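Review bot: the added "$message->{nameinfected} ||" test in the condition ahead of "$message->DeleteMessage();" has no comment, so nothing in the code records that a filename-rule hit has to stop the disinfected copy from being delivered even when the rescan reports 0 viruses; a one-line comment above the condition would keep a later tidy-up from dropping the test. The "---" and "+++" headers also name different paths (the full /root/unstable/mailscanner/mailscanner/bin/MailScanner/MessageBatch.pm against a bare MessageBatch.pm), so the message should say which directory the patch is meant to be applied from.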
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:27 2006 Subject: html2text output not really clean? In-Reply-To: References: <5.1.0.14.2.20021115091606.04487e68@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20021115135340.04655008@imap.ecs.soton.ac.uk> At 09:48 15/11/2002, you wrote: >Ok, I will bounce you two messages, can I send them to a non-public >address? Even better, can you put the queue files into a password-protected zip and mail that to me please? >One thing that might matter : the e-mail I will send will >be generated by M$ Word as e-mail editor. I have noticed that the html output >of Outlook itself is a lot cleaner and doesn't contain anywhere near the >amount of rubble that Word throws in.... >Maybe it is only the Word specific rubble that isn't cleaned? Maybe so. >Also I have found something else. If html2text is enabled for one specific >user (smith@somedomain.com) but the message is cc'ed to another user >on the same domain/box (chris@somedomain.com) then both users will get the >message in `plain' text. This is logical because the one df/qf message is >converted but may be undesirable. Maybe a thing to add at the bottom of >the todo list if it's possible at all? I have never done any splitting of messages. What applies to 1 recipient applies to all recipients. I'm unwilling to change that unless there is a very good reason to. >Remco > >On Fri, 15 Nov 2002, Julian Field wrote: > > > Can you send me 1 of the messages for me to experiment with please? > > > > At 08:59 15/11/2002, you wrote: > > >Hi! > > > > > >I am using Mailscanner 4.05-3 and have a mobile user collecting mail on > > >his laptop. I want to use the html2text feature to prevent expensive > > >phonecalls to collect e-mail in HTML format that keep the connection open > > >for hours. MS is running on a RedHat 7.3 box. 
> > > > > >I have this line in my /etc/MailScanner/MailScanner.conf : > > >Convert HTML To Text = /etc/MailScanner/rules/html2text.rules > > > > > >The html2text.rules contains: > > >To r.barendse@somedomain.com yes > > >To remco@somedomain.com yes > > >Fromorto default no > > > > > >The output in maillog seems correct: > > >Nov 15 09:44:19 linuxgw MailScanner[7367]: Content Checks: Need to convert > > >HTML to plain text in 1 messages > > >Nov 15 09:44:20 linuxgw MailScanner[7367]: Content Checks: Detected and > > >will convert HTML message to plain text in gAF8iAN07366 > > > > > >When I start pine and look in the inbox, I still see small messages > > >being huge in size (13-40 Kb). The top of the e-mail contains stuff like : > > >@font-face { font-family: Tahoma; } @font-face { font-family: Verdana; } > > >@page Section1 {size:595.35pt 842.0pt; margin: 26.95pt 70.9pt 1.0in > > >70.9pt; mso-header-margin: > > > > > >and similar rubble throughout the e-mail : > > >….Whaaat ?? > > > > > >You gotta be kidding me….?! > > > > > >Now if I retrieve the contents of the mailbox using Outlook Express the > > >e-mail *appears* to be stripped of html rubble because the formatting has > > >changed (colors and font sizes are different). The size of the e-mail is > > >slightly reduced (the original HTML mail was 21 Kb, the end result is 13 > > >Kb (still too much for only 80 lines of text). > > > > > >Why is there still all this font and other rubble in the e-mails and how > > >can I strip them completely? > > > > > >Thanks!! > > > > > >Remco > > > > > > > > > > > >-- > > >This message has been scanned for viruses and > > >dangerous content by MailScanner, and is > > >believed to be clean. > > > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 
023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > > > > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From Denis.Beauchemin at USHERBROOKE.CA Fri Nov 15 15:33:37 2002 From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:16:27 2006 Subject: Filename rules and virus In-Reply-To: <5.2.0.9.2.20021115145840.04421150@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20021115145840.04421150@imap.ecs.soton.ac.uk> Message-ID: <1037374417.7307.1.camel@dbeauchemin.si.usherbrooke.ca> Thanks! Patch applied. BTW the mod I submitted yesterday for the init.d script is not working better than your original code today. Denis On Fri 15/11/2002 at 09:59, Julian Field wrote: > That's a subtle one. Fixed for the next release. In the mean time the patch > is a 1-line change if you need this functionality in a hurry: > > --- > /root/unstable/mailscanner/mailscanner/bin/MailScanner/MessageBatch.pm > Fri Nov 8 16:13:58 2002 > +++ MessageBatch.pm Fri Nov 15 15:12:15 2002 > @@ -607,6 +607,7 @@ > if ($message->{deleted} || > $message->{cantparse} || > $message->{badtnef} || > + $message->{nameinfected} || > ($message->{allreports} && $message->{allreports}{""}) || > !MailScanner::Config::Value('deliverdisinfected',$message)) { > $message->DeleteMessage(); > > > At 14:24 15/11/2002, you wrote: -- Denis Beauchemin, analyste Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From mailscanner at ecs.soton.ac.uk Fri Nov 15 15:46:22 2002 
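Review bot: in the MessageBatch.pm hunk at line 607 quoted in the "Filename rules and virus" message above, the new `$message->{nameinfected} ||` test joins the chain that ends in `$message->DeleteMessage()` and is evaluated before the `deliverdisinfected` lookup, so a message with `nameinfected` set is deleted whatever that setting says. If that is the intent, a short comment above the condition listing the flags that force deletion regardless of configuration would make the rule easier to audit, and a test message whose only finding is a filename match would pin the behaviour down for the next release.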
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:27 2006 Subject: SuSE? Message-ID: <5.2.0.9.2.20021115154020.0463e750@imap.ecs.soton.ac.uk> Guess what, I'm on the scrounge again :-) Just a little request this time: Anyone fancy buying me a copy of the latest release of SuSE Linux please? I can't download ISO's from them :-( I would like to sort out the SuSE installation and init.d problems once and for all, and I have a machine to run it on now (by very kind donation from Gavin Nelmes-Crocker ). -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From brian at PORTSMOUTH-COLLEGE.AC.UK Fri Nov 15 15:57:38 2002 From: brian at PORTSMOUTH-COLLEGE.AC.UK (Brian Chivers - ICT Support Officer Portsmouth College) Date: Thu Jan 12 21:16:27 2006 Subject: SuSE? References: <5.2.0.9.2.20021115154020.0463e750@imap.ecs.soton.ac.uk> Message-ID: <009201c28cbf$b8841020$65c8a8c0@portsmouthcollege.ac.uk> What version of Suse are you after. I'm off to a HantsLug meeting tomorrow so I might be able to get a copy from someone there ?? Brian Chivers ----- Original Message ----- 
From: "Julian Field" To: Sent: Friday, November 15, 2002 3:46 PM Subject: SuSE? Guess what, I'm on the scrounge again :-) Just a little request this time: Anyone fancy buying me a copy of the latest release of SuSE Linux please? I can't download ISO's from them :-( I would like to sort out the SuSE installation and init.d problems once and for all, and I have a machine to run it on now (by very kind donation from Gavin Nelmes-Crocker ). -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Chris.Campbell at FAC.COM Fri Nov 15 16:00:41 2002 From: Chris.Campbell at FAC.COM (Chris Campbell) Date: Thu Jan 12 21:16:27 2006 Subject: SuSE? Message-ID: Julian, I have the dvd and 8 cds if you want. contact me personally if you wish. ..................................... Christopher S. Campbell UNIX Admin First Albany Corp 518.447.8544 chris.campbell@fac.com Brian Chivers - ICT Support Officer Portsmouth College Sent by: MailScanner mailing list 11/15/2002 10:57 AM Please respond to MailScanner mailing list To: MAILSCANNER@JISCMAIL.AC.UK cc: Subject: Re: SuSE? What version of Suse are you after. I'm off to a HantsLug meeting tomorrow so I might be able to get a copy from someone there ?? Brian Chivers ----- Original Message ----- 
From: "Julian Field" To: Sent: Friday, November 15, 2002 3:46 PM Subject: SuSE? Guess what, I'm on the scrounge again :-) Just a little request this time: Anyone fancy buying me a copy of the latest release of SuSE Linux please? I can't download ISO's from them :-( I would like to sort out the SuSE installation and init.d problems once and for all, and I have a machine to run it on now (by very kind donation from Gavin Nelmes-Crocker ). -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021115/7194f483/attachment.html From krice at SERVERSANDSOLUTIONS.COM Fri Nov 15 16:06:20 2002 
From: krice at SERVERSANDSOLUTIONS.COM (Ken Rice) Date: Thu Jan 12 21:16:27 2006 Subject: FriendlyGreeting is Expanding In-Reply-To: References: <20021113121051.04bdec1d.krice@serversandsolutions.com> Message-ID: <20021115110620.388ad0b6.krice@serversandsolutions.com> On Thu, 14 Nov 2002 10:25:28 +0100 Remco Barendse wrote: > Just wondering though, you have included what is in your ssjunk.txt > file but what do you have in the junksubs.txt file? ssjunk.txt is for a word or phrase appearing anywhere in the Subject: junksubs.txt is for word or phrase or characters that begins (MUST begin) the Subject: My junksubs.txt only includes this: ADV > Also are the dots between the words really necessary, and will > sendmail treat the subjects and texts in the e-mails case insensitive? case-insensitive dots = spaces in the phrase a portion of ssjunk.txt: add.inches chance.of.a.lifetime don't.just.dream fu*k *enis p*rn The stars are literal, I didn't edit the above. I have 351 entries in that file, can't catch all, but many. I only have 200 users but about 100 mailing lists, and it helps. (Just couldn't block "cash" when the CFO tries to email the CEO "Cash Statements"...) The tail of our sendmail.mc: MAILER(smtp)dnl MAILER(procmail)dnl LOCAL_RULESETS F{JunkSubs} /etc/mail/junksubs.txt F{SSJunk} /etc/mail/ssjunk.txt HSubject: $>Check_Subject SCheck_Subject R$={JunkSubs}$* $: NMJUNKSUB R$* $={SSJunk} $* $#error $: NMJUNKSUB R$* NMJUNKSUB $* $#error $: "5.7.1 Rejected" Rather than bounce all these back, I'll probably let our people see the ssjunk.txt list, although some will be offended, and then change the above to DISCARD. But we're then taking a chance of throwing away and not notifying a sender that we won't accept their email based on what they type into the Subject:. 
And that would not be polite nor proper (or maybe too bright on our part) to someone who isn't that familiar with English phrasing/grammar, including the native West Virginians, Marylanders and Pennsylvanians here, and myself some days of course. Apologies to the list if this is off-topic. Ken Rice SysAdmin The Library Corporation From mailscanner at ecs.soton.ac.uk Fri Nov 15 16:15:20 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:27 2006 Subject: SuSE? In-Reply-To: <009201c28cbf$b8841020$65c8a8c0@portsmouthcollege.ac.uk> References: <5.2.0.9.2.20021115154020.0463e750@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20021115161505.086bc190@imap.ecs.soton.ac.uk> At 15:57 15/11/2002, you wrote: >What version of Suse are you after. I'm off to a HantsLug meeting tomorrow >so I might be able to get a copy from someone there ?? 8.1 appears to be the latest. >Brian Chivers >----- Original Message ----- 
>From: "Julian Field" >To: >Sent: Friday, November 15, 2002 3:46 PM >Subject: SuSE? > > >Guess what, I'm on the scrounge again :-) >Just a little request this time: > >Anyone fancy buying me a copy of the latest release of SuSE Linux please? >I can't download ISO's from them :-( > >I would like to sort out the SuSE installation and init.d problems once and >for all, and I have a machine to run it on now (by very kind donation from >Gavin Nelmes-Crocker ). >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. > > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Nov 15 16:41:42 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:27 2006 Subject: Mailscanner 4.05-3 and virus infection In-Reply-To: <5.0.2.1.2.20021115143922.02332bd8@pop.unilim.fr> Message-ID: <5.2.0.9.2.20021115164108.042881f8@imap.ecs.soton.ac.uk> Just an update for the benefit of the list. This problem is apparently resolved now (I just don't quite know how :-) At 13:47 15/11/2002, you wrote: > Hello, >i had pb with my mailscanner config (4.05-3) >When i test with virus file, the mail log file said: >Nov 15 14:26:33 limdns-new MailScanner[13585]: >/usr/local/MailScanner-4.05-3/var/incoming/13585/gAFDQQAl014953/test.zip/URFRIEND.SCR >Found virus or variant W32/Yaha !!! > >Nov 15 14:26:33 limdns-new MailScanner[13585]: >/usr/local/MailScanner-4.05-3/var/incoming/13585/gAFDQQAl014953/test.zip/VALUE.EXE >Found virus or variant W32/Klez !!! > >Nov 15 14:26:33 limdns-new MailScanner[13585]: Virus Scanning: mcafee >found 8 infections >Nov 15 14:26:33 limdns-new MailScanner[13585]: Virus Scanning: Found 8 viruses >Nov 15 14:26:33 limdns-new MailScanner[13585]: Uninfected: Delivered 1 >messages >Nov 15 14:26:33 limdns-new MailScanner[15008]: MailScanner >Nov 15 14:26:33 limdns-new MailScanner[15008]: MailScanner E-Mail Virus >Scanner version 4.05-3 starting... > >Nov 15 14:26:33 limdns-new MailScanner[15008]: Using locktype = flock > >8 virus are found, but the attach file was delivered with the message >"no infection was found" >Mcafee said viruses found and mailscanner Unifected: deliver 1 message > >Why mailscanner does not put infected file in quarantine directory ? > >I had another mailscanner 2.60 version and it works fine with this zip >infected file -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From lbergman at wtxs.net Fri Nov 15 17:36:17 2002 
From: lbergman at wtxs.net (Lewis Bergman) Date: Thu Jan 12 21:16:27 2006 Subject: stupid responses list Message-ID: <200211151136.17086.lbergman@wtxs.net> After I installed version 4 I started bouncing spam instead of just deleting it. I include in the report an address the sender may use to contact me that will not be blocked. Some of the responses I get are quite comical. Maybe there should be a place to post these for all to enjoy. A small excerpt follows: I sent two e-mail messages to jessekossman@wtxs.net this morning that were rejected by your "SpamAssassin". They WERE NOT SPAM. You have destroyed said messages, so I (and Jesse) have ALREADY been inconvenienced by you. If you were to carry out your threat to contact my ISP and request that my "account be removed" would most certainly anger me greatly. Thus contact my ISP at your peril. I suggest that you go yell at the programmers that designed the SpamAssassin, and beat them about the head and shoulders. (You should learn how to spell "behavior".) -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From mailscannerlist at TNJINFL.COM Fri Nov 15 19:09:22 2002 
From: mailscannerlist at TNJINFL.COM (James Pifer) Date: Thu Jan 12 21:16:27 2006 Subject: Almost there.... In-Reply-To: <5.1.0.14.2.20021115091056.0475ece0@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk> <1037212550.13361.41.camel@tweety.tnjinfl.com> <1037212550.13361.41.camel@tweety.tnjinfl.com> <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021115091056.0475ece0@imap.ecs.soton.ac.uk> Message-ID: <1037387363.13470.199.camel@tweety.tnjinfl.com> Julian, I did the service MailScanner reload and it responded ok, yet it's still marking all emails from hotmail.com as Spam. I did a text search of every file under /etc/MailScanner and there is no reference to hotmail.com. Unless it stored somewhere else. Any idea how to get this thing to refresh and not have that domain blacklisted any more? Thanks, James On Fri, 2002-11-15 at 04:12, Julian Field wrote: > At 20:28 14/11/2002, you wrote: > >What's the proper way to restart everything after making a config change > >to any of the conf files with MailScanner? For example, > >MailScanner.conf, spam.mailassassin.prefs.conf, etc. > > > >I've tried the following: > >service sendmail off > >chkconfig sendmail off > >chkconfig MailScanner on > >service MailScanner start > > That's installation-time stuff. > > You just want > service MailScanner reload > > >Also, I have the Delivery Method set to queue instead of batch, since > >this will be running in high volume eventually. > > I still use batch even with a high volume. As MailScanner V4 runs lots of > processes in parallel, you don't really need "queue" much any more. I do my > speed tests with "batch" and my development PC (about the equivalent of a > modern £700 (or $1000 US) pc) can do over 250,000 messages per day. > > > The MTA is Sendmail and > >the messages seem to sit in the outgoing queue for a while. 
I haven't > >figured out how long they sit there yet, but how does the MTA choose how > >long to wait before sending them? If I flush them (using Webmin) they > >are sent right away. I assume this is a Sendmail issue, but since I'm > >not sure I thought I'd ask here. > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ From mkettler at EVI-INC.COM Fri Nov 15 19:38:49 2002 
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:16:27 2006 Subject: Almost there.... In-Reply-To: <1037387363.13470.199.camel@tweety.tnjinfl.com> References: <5.1.0.14.2.20021115091056.0475ece0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk> <1037212550.13361.41.camel@tweety.tnjinfl.com> <1037212550.13361.41.camel@tweety.tnjinfl.com> <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021115091056.0475ece0@imap.ecs.soton.ac.uk> Message-ID: <5.1.1.6.0.20021115143424.01ab6e88@192.168.50.2> Are you using SpamAssassin with MailScanner? If so, make sure you are running 2.43 or 2.42 (2.43 preferred for AWL bugfix reasons but not critical). If not, which spam lists are you using? Try turning some off to see which one is listing hotmail.com's MX as a spam source. Or you could check the marked email to see what MX it came from and pump that into: http://relays.osirusoft.com/cgi-bin/rbcheck.cgi for a report of a very large number of blacklists to see which, if any, list that mailserver. At 02:09 PM 11/15/2002 -0500, you wrote: >Julian, > >I did the service MailScanner reload and it responded ok, yet it's still >marking all emails from hotmail.com as Spam. I did a text search of >every file under /etc/MailScanner and there is no reference to >hotmail.com. Unless it stored somewhere else. > >Any idea how to get this thing to refresh and not have that domain >blacklisted any more? > >Thanks, >James From mailscannerlist at TNJINFL.COM Fri Nov 15 19:50:53 2002 
From: mailscannerlist at TNJINFL.COM (James Pifer) Date: Thu Jan 12 21:16:27 2006 Subject: Almost there.... In-Reply-To: <5.1.1.6.0.20021115143424.01ab6e88@192.168.50.2> References: <5.1.0.14.2.20021115091056.0475ece0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk> <1037212550.13361.41.camel@tweety.tnjinfl.com> <1037212550.13361.41.camel@tweety.tnjinfl.com> <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021115091056.0475ece0@imap.ecs.soton.ac.uk> <5.1.1.6.0.20021115143424.01ab6e88@192.168.50.2> Message-ID: <1037389854.12383.208.camel@tweety.tnjinfl.com> Yes, I installed 2.43-2. hotmail.com was not being blocked before I added it to the spam.assassin.prefs.conf files, so I don't think running the rbcheck.cgi is the answer do you? Once I added hotmail.com to that conf file, and then somehow got it to apply, then the mail from hotmail started getting marked as spam. Thanks, James On Fri, 2002-11-15 at 14:38, Matt Kettler wrote: > Are you using SpamAssassin with MailScanner? If so, make sure you are > running 2.43 or 2.42 (2.43 preferred for AWL bugfix reasons but not critical). > > If not, which spam lists are you using? Try turning some off to see which > one is listing hotmail.com's MX as a spam source. Or you could check the > marked email to see what MX it came from and pump that into: > > http://relays.osirusoft.com/cgi-bin/rbcheck.cgi > > for a report of a very large number of blacklists to see which, if any, > list that mailserver. > > > At 02:09 PM 11/15/2002 -0500, you wrote: > >Julian, > > > >I did the service MailScanner reload and it responded ok, yet it's still > >marking all emails from hotmail.com as Spam. I did a text search of > >every file under /etc/MailScanner and there is no reference to > >hotmail.com. Unless it stored somewhere else. > > > >Any idea how to get this thing to refresh and not have that domain > >blacklisted any more? 
> > >Thanks, > >James From Denis.Beauchemin at USHERBROOKE.CA Fri Nov 15 20:03:53 2002 From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:16:27 2006 Subject: Internationalization Message-ID: <1037390633.7395.47.camel@dbeauchemin.si.usherbrooke.ca> Julian, MailScanner is almost perfect in terms of internationalization but there are some hard coded strings in some modules. I for one had to modify the following modules for French: Message.pm SweepContent.pm SweepViruses.pm and a fast scan seems to indicate that MessageBatch.pm and SweepOther.pm also contain such strings. Could it be possible to implement an internationalization file that would contain localized versions of those messages? Something in the lines of "localization.rules": Could not analyze = "Could not analyze message\n" Dangerous Codebase Object = "Found dangerous Object Codebase tag in HTML message\n" # Could not analyze = "Impossible d'analyser le courriel\n" # Dangerous Codebase Object = "Une balise «Object Codebase» non sécuritaire a été trouvée dans le message HTML\n" that would be loaded into variables and then used in your Perl modules? All you would have to do initially would be to extract your hard coded strings from your modules and put them in a file that you would have to parse and load on startup; your modules would then use the values loaded in the variables. We would do the translations and send them back to you to be included in the MS package. That would greatly simplify upgrades! Thanks again for all the time you spend supporting MS. Denis -- Denis Beauchemin, analyste Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From bidwell at ANDREWS.EDU Fri Nov 15 20:00:15 2002 
From: bidwell at ANDREWS.EDU (Daniel Bidwell) Date: Thu Jan 12 21:16:27 2006 Subject: Directory ownership under debian Message-ID: <1037390416.1163.11.camel@samwise> I have installed mailscanner 3.24.1 with sendmail on a Debian intel machine and the directory permissions are giving me trouble. mailscanner will not run unless /var/spool/mqueue is owned by the user smmsp and sendmail will not accept incoming mail unless /var/spool/mqueue is owned by root. I would like to upgrade to version 4.x but would like to get this working first unless it will be easier to run version 4.x. -- Daniel R. Bidwell | bidwell@andrews.edu Andrews University Computer Science & Information Systems Department If two always agree, one of them is unnecessary "Friends don't let friends do DOS" "In theory, theory and practice are the same. In practice, however, they are not." From mailscanner at ecs.soton.ac.uk Fri Nov 15 20:26:28 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:27 2006 Subject: Internationalization In-Reply-To: <1037390633.7395.47.camel@dbeauchemin.si.usherbrooke.ca> Message-ID: <5.1.0.14.2.20021115202500.0243ebd8@imap.ecs.soton.ac.uk> At 20:03 15/11/2002, you wrote: >MailScanner is almost perfect in terms of internationalization but there >are some hard coded strings in some modules. I for one had to modify >the following modules for French: >Message.pm >SweepContent.pm >SweepViruses.pm > >and a fast scan seems to indicate that MessageBatch.pm and SweepOther.pm >also contain such strings. > >Could it be possible to implement an internationalization file that >would contain localized versions of those messages? Something in the >lines of "localization.rules": >Could not analyze = "Could not analyze message\n" >Dangerous Codebase Object = "Found dangerous Object Codebase tag in HTML >message\n" ># Could not analyze = "Impossible d'analyser le courriel\n" ># Dangerous Codebase Object = "Une balise «Object Codebase» non >sécuritaire a été trouvée dans le message HTML\n" > >that would be loaded into variables and then used in your Perl modules? > >All you would have to do initially would be to extract your hard coded >strings from your modules and put them in a file that you would have to >parse and load on startup; your modules would then use the values loaded >in the variables. We would do the translations and send them back to >you to be included in the MS package. > >That would greatly simplify upgrades! Okay, that sounds like a good idea. Not sure whether to allow rulesets for the files or not yet. Will have a think about it this weekend and come up with something which will do the job, but not add more complexity than necessary. >Thanks again for all the time you spend supporting MS. No problem. Thanks for the suggestion. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 
023 8059 2817 University of Southampton Southampton SO17 1BJ From Denis.Beauchemin at USHERBROOKE.CA Fri Nov 15 20:35:06 2002 From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:16:27 2006 Subject: Error message on console Message-ID: <1037392506.7395.54.camel@dbeauchemin.si.usherbrooke.ca> Hello again Julian, The following error message pops up on my console now and then: Premature padding of base64 data at /usr/lib/perl5/site_perl/5.6.1/MIME/Decoder/Base64.pm line 109. This sounds like something external to MS... Is this something to worry about? Denis -- Denis Beauchemin, analyste Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From combslm at APPSTATE.EDU Fri Nov 15 20:40:26 2002 From: combslm at APPSTATE.EDU (Laramie Combs) Date: Thu Jan 12 21:16:27 2006 Subject: virus name in postmaster report References: <5.1.0.14.2.20021112191041.01fb2740@imap.ecs.soton.ac.uk> Message-ID: <025e01c28ce7$3a6bc2f0$160c0a98@maverick> That works great - thanks. -Laramie ----- Original Message ----- 
From: "Julian Field" To: Sent: Tuesday, November 12, 2002 2:15 PM Subject: Re: virus name in postmaster report > At 18:35 12/11/2002, you wrote: > >I am from Appalachian State University in Boone, NC (USA) and we are > >currently using the latest 3.x version of Mailscanner. > > > >We love the product, and are impressed with the time and effort that > >Julian (and others) have obviously put into this. > > Thankyou. > > >I was wondering if there is a way to get the virus name into the subject > >of the email that gets sent to "postmaster" when a virus is detected. > > If you send all the postmaster notifications to 1 mailbox, then it's dead > easy to extract them anyway. To get a list of viruses with the number of > each that has been caught, sorted with most common at the top, just use a > script like this: > > #!/bin/sh > > fgrep '>>>' Mail/Archive/Viruses | \ > cut -d\' -f2 | \ > sort | \ > uniq -c | \ > sort -nr > > This should work fine for Sophos. > > > Thanks for all your hard work Julian. > > No worries. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From mailscanner at ecs.soton.ac.uk Fri Nov 15 20:40:29 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:27 2006 Subject: Error message on console In-Reply-To: <1037392506.7395.54.camel@dbeauchemin.si.usherbrooke.ca> Message-ID: <5.1.0.14.2.20021115203703.02438dd0@imap.ecs.soton.ac.uk> It's the Base64 decoder module complaining about a message it doesn't like. There's not much that can be done about it at present. I have the biggest set of the most horrible test messages you'll ever see, and I need to work through them all and get MailScanner to handle them all correctly. That's a pretty big job which I am going to start on soon. So hopefully messages like this will become a thing of the past... I wouldn't worry about it for now, it's extremely rare. At 20:35 15/11/2002, you wrote: >Hello again Julian, > >The following error message pops up on my console now and then: >Premature padding of base64 data at >/usr/lib/perl5/site_perl/5.6.1/MIME/Decoder/Base64.pm line 109. > >This sounds like something external to MS... Is this something to worry >about? > >Denis >-- >Denis Beauchemin, analyste >Université de Sherbrooke, S.T.I. >T: 819.821.8000x2252 F: 819.821.8045 -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From brian at PORTSMOUTH-COLLEGE.AC.UK Fri Nov 15 20:45:52 2002 From: brian at PORTSMOUTH-COLLEGE.AC.UK (Brian Chivers) Date: Thu Jan 12 21:16:27 2006 Subject: SuSE? References: <5.2.0.9.2.20021115154020.0463e750@imap.ecs.soton.ac.uk> <5.2.0.9.2.20021115161505.086bc190@imap.ecs.soton.ac.uk> Message-ID: <001d01c28ce7$fd020fe0$69c8a8c0@tpc.ac.uk> OK I'll ask about Brian ----- Original Message ----- 
From: "Julian Field" To: Sent: Friday, November 15, 2002 4:15 PM Subject: Re: SuSE? > At 15:57 15/11/2002, you wrote: > >What version of Suse are you after. I'm off to a HantsLug meeting tomorrow > >so I might be able to get a copy from someone there ?? > > 8.1 appears to be the latest. > > > >Brian Chivers > >----- Original Message ----- > >From: "Julian Field" > >To: > >Sent: Friday, November 15, 2002 3:46 PM > >Subject: SuSE? > > > > > >Guess what, I'm on the scrounge again :-) > >Just a little request this time: > > > >Anyone fancy buying me a copy of the latest release of SuSE Linux please? > >I can't download ISO's from them :-( > > > >I would like to sort out the SuSE installation and init.d problems once and > >for all, and I have a machine to run it on now (by very kind donation from > >Gavin Nelmes-Crocker ). > >-- > >Julian Field Teaching Systems Manager > >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > >Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > > >-- > >This message has been scanned for viruses and > >dangerous content by MailScanner, and is > >believed to be clean. > > > > > > > >-- > >This message has been scanned for viruses and > >dangerous content by MailScanner, and is > >believed to be clean. > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From richard.siddall at ELIRION.NET Fri Nov 15 21:07:49 2002 
From: richard.siddall at ELIRION.NET (Richard Siddall) Date: Thu Jan 12 21:16:27 2006 Subject: Internationalization References: <5.1.0.14.2.20021115202500.0243ebd8@imap.ecs.soton.ac.uk> Message-ID: <3DD56225.A87528B5@elirion.net> Julian Field wrote: > [snip] > > > >All you would have to do initially would be to extract your hard coded > >strings from your modules and put them in a file that you would have to > >parse and load on startup; your modules would then use the values loaded > >in the variables. We would do the translations and send them back to > >you to be included in the MS package. > > > >That would greatly simplify upgrades! > > Okay, that sounds like a good idea. Not sure whether to allow rulesets for > the files or not yet. Will have a think about it this weekend and come up > with something which will do the job, but not add more complexity than > necessary. > Let me put in a plug for GNU Gettext. There are several modules on CPAN that support it or emulate it. Essentially you wrap all the UK English strings in subroutine calls. The subroutine uses the string as a key to look up the equivalent in a locale-specific language. All you have to do is set the locale when the program starts (and supply translations in a text file). (No point in reinventing the wheel.) Regards, Richard Siddall http://www.gnu.org/directory/localization/gettext.html http://search.cpan.org/search?query=gettext&mode=all From mkettler at EVI-INC.COM Fri Nov 15 21:11:51 2002 
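The "Internationalization" messages above propose a `localization.rules` file of `Key = "text\n"` lines that is parsed at startup and looked up by key. The following is an added example, not MailScanner code and not GNU gettext: a loader for that proposed format that treats the translation file as data only, accepting known keys and a fixed set of escapes and falling back to the built-in English string otherwise. The function names, the escape set and the sample file are assumptions made for the illustration.

```python
"""Loader for the proposed `Key = "text\\n"` message file (illustrative only).

Assumptions, not taken from MailScanner: the set of valid keys is the set of
built-in English defaults, '#' starts a comment line, and only the escapes
\\n, \\" and \\\\ are allowed inside a value. Nothing in the file is evaluated
or interpolated, so a bad translation can never run code or remove a message.
"""
import re

# Built-in English strings quoted from the proposal; they are also the key list.
DEFAULTS = {
    "Could not analyze": "Could not analyze message\n",
    "Dangerous Codebase Object":
        "Found dangerous Object Codebase tag in HTML message\n",
}

LINE_RE = re.compile(r'^\s*([^=#"]+?)\s*=\s*"(.*)"\s*$')
ESCAPES = {"n": "\n", '"': '"', "\\": "\\"}


def unescape(raw):
    """Expand the allowed backslash escapes; reject everything else."""
    out, i = [], 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\":
            if i + 1 >= len(raw) or raw[i + 1] not in ESCAPES:
                raise ValueError("unsupported escape at column %d" % (i + 1))
            out.append(ESCAPES[raw[i + 1]])
            i += 2
        elif ch == '"':
            raise ValueError("unescaped quote at column %d" % (i + 1))
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def load_messages(text):
    """Return (messages, problems); messages always has every default key."""
    messages = dict(DEFAULTS)
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match:
            problems.append((lineno, 'not of the form Key = "text"'))
            continue
        key, raw = match.group(1), match.group(2)
        if key not in DEFAULTS:
            problems.append((lineno, "unknown key %r" % key))
            continue
        try:
            messages[key] = unescape(raw)
        except ValueError as exc:
            # Keep the English default rather than a half-parsed translation.
            problems.append((lineno, str(exc)))
    return messages, problems


# Constructed sample file: one good translation, one line with a disallowed
# escape, one unknown key and one malformed line.
SAMPLE = r'''
# Constructed sample in the proposed format.
# Could not analyze = "Could not analyze message\n"
Could not analyze = "Impossible d'analyser le courriel\n"
Dangerous Codebase Object = "Balise Object Codebase\t dangereuse\n"
Unknown Thing = "x\n"
no equals sign here
'''

if __name__ == "__main__":
    loaded, issues = load_messages(SAMPLE)
    for name, value in loaded.items():
        print("%-26s %r" % (name, value))
    for lineno, reason in issues:
        print("line %d skipped: %s" % (lineno, reason))
```
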
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:16:27 2006 Subject: Almost there.... In-Reply-To: <1037389854.12383.208.camel@tweety.tnjinfl.com> References: <5.1.1.6.0.20021115143424.01ab6e88@192.168.50.2> <5.1.0.14.2.20021115091056.0475ece0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk> <1037212550.13361.41.camel@tweety.tnjinfl.com> <1037212550.13361.41.camel@tweety.tnjinfl.com> <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021115091056.0475ece0@imap.ecs.soton.ac.uk> <5.1.1.6.0.20021115143424.01ab6e88@192.168.50.2> Message-ID: <5.1.1.6.0.20021115155958.02361a10@192.168.50.2> Ahh.. you're probably suffering from the AWL. I'd recommend that you go to your mailscanner.conf and change this line: SpamAssassin Auto Whitelist = yes to SpamAssassin Auto Whitelist = no Basically when you hand-blacklisted hotmail.com, everyone with a hotmail address that sent you mail during that time got a HUGE penalty score in their auto-whitelist entry. Now that the manual blacklisting is gone, those senders still have a past history of high scores. If you like the AWL feature, you can leave it on, but shut down MailScanner, delete your auto_whitelist.db (probably /root/.spamassassin/auto_whitelist.db) and restart it. Personally, I'd advise against using the AWL when used as a global DB like MailScanner uses it, but that's really your choice to make. (note: this problem is not one of the problems of using the AWL with a global database, that's a separate issue. This is just the nature of the AWL. It tries to make past spammers pay for their mistakes in future emails, just as it tries to give credit to past non-spam senders to prevent their mail from being tagged) At 02:50 PM 11/15/2002 -0500, James Pifer wrote: >Yes, I installed 2.43-2. > >hotmail.com was not being blocked before I added it to the >spam.assassin.prefs.conf files, so I don't think running the rbcheck.cgi >is the answer do you? 
Once I added hotmail.com to that conf file, and >then somehow got it to apply, then the mail from hotmail started getting >marked as spam. > >Thanks, >James From mailscanner at BARENDSE.TO Fri Nov 15 21:23:02 2002 
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:16:27 2006
Subject: FriendlyGreeting is Expanding
In-Reply-To: <20021115110620.388ad0b6.krice@serversandsolutions.com>
Message-ID:

It works perfectly now, all those buggers get rejected :)

What doesn't work however are the * expressions. I added fu*k like in the
example but if I send a message with fuck in the header it doesn't get
rejected?

Furthermore I want to kill off any message with quote :
Delivery Status Notification (Success)
unquote as a subject. I don't want to block the failed ones, just the
success version. I tried several versions for a line but it never gets
blocked. How do I make sendmail recognize the () ??

I tried
delivery.status.notification.*success
delivery.status.notification.(success)
delivery.status.notification.\(success\)

Even better, could I make another ruleset but copying the first one to
create a second rule so I can reject some messages and discard others?

Would this be the correct addition to sendmail.mc in that case (sendmail
has never been a friend of mine)??

LOCAL_RULESETS
F{JunkSubs} /etc/mail/junksubs.txt
F{SSJunk} /etc/mail/ssjunk.txt
F{DiscardSubs} /etc/mail/discardsubs.txt

HSubject: $>Check_Subject

SCheck_Subject
R$={JunkSubs}$* $: NMJUNKSUB
R$* $={SSJunk} $* $#error $: NMJUNKSUB
R$* NMJUNKSUB $* $#error $: "553 Rejected"
R$* $={DiscardSubs} $* $#discard

Thanks!!

On Fri, 15 Nov 2002, Ken Rice wrote:

> On Thu, 14 Nov 2002 10:25:28 +0100
> Remco Barendse wrote:
>
> > Just wondering though, you have included what is in your ssjunk.txt
> > file but what do you have in the junksubs.txt file?
>
> ssjunk.txt is for a word or phrase appearing anywhere in the Subject:
> junksubs.txt is for word or phrase or characters that begins (MUST begin) the Subject:
>
> My junksubs.txt only includes this:
> ADV
>
> > Also are the dots between the words really necessary, and will
> > sendmail treat the subjects and texts in the e-mails case insensitive?
>
> case-insensitive
> dots = spaces in the phrase
>
> a portion of ssjunk.txt:
> add.inches
> chance.of.a.lifetime
> don't.just.dream
> fu*k
> *enis
> p*rn
>
> The stars are literal, I didn't edit the above. I have 351 entries in that file,
> can't catch all, but many. I only have 200 users but about 100 mailing lists, and it helps.
> (Just couldn't block "cash" when the CFO tries to email the CEO "Cash Statements"...)
>
> The tail of our sendmail.mc:
>
> MAILER(smtp)dnl
> MAILER(procmail)dnl
> LOCAL_RULESETS
> F{JunkSubs} /etc/mail/junksubs.txt
> F{SSJunk} /etc/mail/ssjunk.txt
>
> HSubject: $>Check_Subject
>
> SCheck_Subject
> R$={JunkSubs}$* $: NMJUNKSUB
> R$* $={SSJunk} $* $#error $: NMJUNKSUB
> R$* NMJUNKSUB $* $#error $: "5.7.1 Rejected"
>
> Rather than bounce all these back, I'll probably let our people see the ssjunk.txt list, although
> some will be offended, and then change the above to DISCARD. But we're then taking a chance
> of throwing away and not notifying a sender that we won't accept their email based on what they
> type into the Subject:. And that would not be polite nor proper (or maybe too bright on our part)
> to someone who isn't that familiar with English phrasing/grammar,
> including the native West Virginians, Marylanders and Pennsylvanians here,
> and myself somedays of course.
>
> Apologies to the list if this is off-topic.
>
> Ken Rice
> SysAdmin
> The Library Corporation
>
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mailscanner at ecs.soton.ac.uk Fri Nov 15 21:28:20 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:27 2006
Subject: Internationalization
In-Reply-To: <3DD56225.A87528B5@elirion.net>
References: <5.1.0.14.2.20021115202500.0243ebd8@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021115212540.03596008@imap.ecs.soton.ac.uk>

At 21:07 15/11/2002, you wrote:
>Let me put in a plug for GNU Gettext. There are several modules on
>CPAN that support it or emulate it.
>
>Essentially you wrap all the UK English strings in subroutine calls.
>The subroutine uses the string as a key to look up the
>equivalent in a locale-specific language. All you have to do is
>set the locale when the program starts (and supply translations in
>a text file).
>
>(No point in reinventing the wheel.)

At first glance that doesn't sound like noticeably less work than what I
was thinking of doing anyway, and it adds another dependency. But I'll take
a look and see if it looks useful.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From WPS.MFRIEDEL at WPSIC.COM Fri Nov 15 21:39:00 2002
From: WPS.MFRIEDEL at WPSIC.COM (FRIEDEL, MARK)
Date: Thu Jan 12 21:16:27 2006
Subject: SuSE?
Message-ID: <200211152139.GNUY@wpsic.com>

--- Received from WPS.MFRIEDEL 224-2255 11-15-02 339p

Julian,

I could arrange for you to have your own personal instance on our
mainframe. We're running SLES 7.0 64-bit for zSeries.

Mark Friedel, RHCE
WPS Health Insurance
(608)224-2255

----------------------------------------------------------------------------
From: brian@PORTSMOUTH-COLLEGE.AC.UK
To: MAILSCANNER@JISCMAIL.AC.UK
Date: Fri, 15 Nov 2002 20:45:52 -0000
Subject: Re: SuSE?

OK I'll ask about

Brian

----- Original Message -----
From: "Julian Field" To: Sent: Friday, November 15, 2002 4:15 PM Subject: Re: SuSE? > At 15:57 15/11/2002, you wrote: > >What version of Suse are you after. I'm off to a HantsLug meeting tomorrow > >so I might be able to get a copy from someone there ?? > 8.1 appears to be the latest. > >Brian Chivers > >----- Original Message ----- > >From: "Julian Field" > >To: > >Sent: Friday, November 15, 2002 3:46 PM > >Subject: SuSE? > > > > > >Guess what, I'm on the scrounge again :-) > >Just a little request this time: > > > >Anyone fancy buying me a copy of the latest release of SuSE Linux please? > >I can't download ISO's from them :-( > > > >I would like to sort out the SuSE installation and init.d problems once and > >for all, and I have a machine to run it on now (by very kind donation from > >Gavin Nelmes-Crocker ). > >-- > >Julian Field Teaching Systems Manager > >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > >Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > > >-- > >This message has been scanned for viruses and > >dangerous content by MailScanner, and is > >believed to be clean. > > > > > > > >-- > >This message has been scanned for viruses and > >dangerous content by MailScanner, and is > >believed to be clean. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. ---- 11-15-02 339p ---- Sent to ------------------------------------- -> MAILSCANNER@JISCMAIL.AC.UK From mailscannerlist at TNJINFL.COM Sat Nov 16 01:36:03 2002 
From: mailscannerlist at TNJINFL.COM (James Pifer) Date: Thu Jan 12 21:16:27 2006 Subject: Almost there.... In-Reply-To: <5.1.1.6.0.20021115155958.02361a10@192.168.50.2> References: <5.1.1.6.0.20021115143424.01ab6e88@192.168.50.2> <5.1.0.14.2.20021115091056.0475ece0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk> <1037212550.13361.41.camel@tweety.tnjinfl.com> <1037212550.13361.41.camel@tweety.tnjinfl.com> <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021115091056.0475ece0@imap.ecs.soton.ac.uk> <5.1.1.6.0.20021115143424.01ab6e88@192.168.50.2> <5.1.1.6.0.20021115155958.02361a10@192.168.50.2> Message-ID: <1037410564.26372.6.camel@tweety.tnjinfl.com> That was it. Thanks for the info. I have to say, this stuff is pretty cool. It has been catching 100% of my spam. Regards, James On Fri, 2002-11-15 at 16:11, Matt Kettler wrote: > Ahh.. you're probably suffering from the AWL. > > I'd recommend that you go to your mailscanner.conf and change this line: > > SpamAssassin Auto Whitelist = yes > > to > > SpamAssassin Auto Whitelist = no > > > Basically when you hand-blacklisted hotmail.com, everyone with a hotmail > address that sent you mail during that time got a HUGE penalty score in > their auto-whitelist entry. Now that the manual blacklisting is gone, those > senders still have a past history of high scores. > > If you like the AWL feature, you can leave it on, but shut down > MailScanner, delete your auto_whitelist.db (probably > /root/.spamassassin/auto_whitelist.db) and restart it. Personally, I'd > advise against using the AWL when used as a global DB like MailScanner uses > it, but that's really your choice to make. > > (note: this problem is not one of the problems of using the AWL with a > global database, that's a separate issue. This is just the nature of the > AWL. 
It tries to make past spammers pay for their mistakes in future > emails, just as it tries to give credit to past non-spam senders to prevent > their mail from being tagged) > > > > At 02:50 PM 11/15/2002 -0500, James Pifer wrote: > >Yes, I installed 2.43-2. > > > >hotmail.com was not being blocked before I added it to the > >spam.assassin.prefs.conf files, so I don't think running the rbcheck.cgi > >is the answer do you? Once I added hotmail.com to that conf file, and > >then somehow got it to apply, then the mail from hotmail started getting > >marked as spam. > > > >Thanks, > >James From sevans at FOUNDATION.SDSU.EDU Sat Nov 16 03:19:42 2002 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:16:27 2006 Subject: Log Entry Explanation Message-ID: <6214C3F9233D764C9E7029396C355015682733@mail.foundation.sdsu.edu> Could someone tell me what this is about. Thanks. Nov 15 16:47:36 mx MailScanner[22916]: Content Checks: Detected and rejected external message body in gAG0lYl26644 Steve Evans SDSU Foundation (619) 594-0653 From dpowell at LSSI.NET Sat Nov 16 15:50:27 2002 From: dpowell at LSSI.NET (Darrin Powell) Date: Thu Jan 12 21:16:27 2006 Subject: How to install patch command on RH 7.3 Message-ID: <004701c28d87$e29b11b0$0100a8c0@hightower1> I get the following when I try to install MailScanner. [root@www:/home/dpowell/MailScanner/MailScanner-4.05-3]# ./install.sh You need to install the patch command from your Linux distribution. Once you have done that, please try running this script again. [root@www:/home/dpowell/MailScanner/MailScanner-4.05-3]# Can some one tell me how to install the patch command? Thanks Darrin -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021116/459ca75e/attachment.html From dpowell at LSSI.NET Sat Nov 16 15:52:23 2002 
From: dpowell at LSSI.NET (Darrin Powell)
Date: Thu Jan 12 21:16:27 2006
Subject: How to install patch command on RH 7.3
References: <004701c28d87$e29b11b0$0100a8c0@hightower1>
Message-ID: <005101c28d88$2770d590$0100a8c0@hightower1>

Disregard, I found an RPM for the patch command.

----- Original Message -----
From: Darrin Powell
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: Saturday, November 16, 2002 10:50 AM
Subject: How to install patch command on RH 7.3

I get the following when I try to install MailScanner.

[root@www:/home/dpowell/MailScanner/MailScanner-4.05-3]# ./install.sh
You need to install the patch command from your Linux distribution.
Once you have done that, please try running this script again.
[root@www:/home/dpowell/MailScanner/MailScanner-4.05-3]#

Can some one tell me how to install the patch command?

Thanks
Darrin

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021116/3d18ef7c/attachment.html

From mailscanner at ecs.soton.ac.uk Sat Nov 16 17:58:54 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:27 2006
Subject: Log Entry Explanation
In-Reply-To: <6214C3F9233D764C9E7029396C355015682733@mail.foundation.sdsu.edu>
Message-ID: <5.1.0.14.2.20021116175429.03d4ec48@imap.ecs.soton.ac.uk>

At 03:19 16/11/2002, you wrote:
>Could someone tell me what this is about. Thanks.
>
>Nov 15 16:47:36 mx MailScanner[22916]: Content Checks: Detected and
>rejected external message body in gAG0lYl26644

There is a very odd RFC that allows the body of the message to be stored on
an external server and fetched by various methods (including mail and ftp)
by the email client application. Netscape is about the only application
that supports this, and the IETF drafts are the only messages that ever use
it.

Because the contents of the message body aren't actually in the message,
they are banned by MailScanner. And having MailScanner fetch the contents
of the body from the remote server won't help either, as it's trivial for
the server holding the body to give the mail server a nice harmless one and
the final client machine a malicious one. There really is just about no
reasonable way of scanning the message contents.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From sevans at FOUNDATION.SDSU.EDU Sat Nov 16 18:21:37 2002
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans)
Date: Thu Jan 12 21:16:27 2006
Subject: Log Entry Explanation
Message-ID: <6214C3F9233D764C9E7029396C355015682734@mail.foundation.sdsu.edu>

Just curious. Thanks a lot.

Steve Evans
SDSU Foundation
(619) 594-0653

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Saturday, November 16, 2002 9:59 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Log Entry Explanation

At 03:19 16/11/2002, you wrote:
>Could someone tell me what this is about. Thanks.
>
>Nov 15 16:47:36 mx MailScanner[22916]: Content Checks: Detected and
>rejected external message body in gAG0lYl26644

There is a very odd RFC that allows the body of the message to be stored on
an external server and fetched by various methods (including mail and ftp)
by the email client application. Netscape is about the only application
that supports this, and the IETF drafts are the only messages that ever use
it.

Because the contents of the message body aren't actually in the message,
they are banned by MailScanner. And having MailScanner fetch the contents
of the body from the remote server won't help either, as it's trivial for
the server holding the body to give the mail server a nice harmless one and
the final client machine a malicious one. There really is just about no
reasonable way of scanning the message contents.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Sun Nov 17 14:51:35 2002
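[Added example, not part of any list message and not MailScanner's own Perl code.] The check behind the "external message body" log entry discussed in the Log Entry Explanation thread above can be sketched in Python: walk the MIME tree and refuse any part typed message/external-body (the subtype defined in RFC 2046) without dereferencing it. The function names and both sample messages are constructed for illustration.

```python
import email
from email.utils import collapse_rfc2231_value

# Constructed sample: the second part carries no content of its own, only a
# pointer (access-type, site, directory, name) that the mail client would
# follow to fetch the real body.
CONSTRUCTED_EXTERNAL = """\
From: announce@example.org
To: user@example.com
Subject: New draft available
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

The draft can be retrieved by your mail client.
--b1
Content-Type: Message/External-Body; access-type="anon-ftp";
 site="ftp.example.org"; directory="drafts";
 name="draft-example-00.txt"

Content-Type: text/plain
Content-ID: <draft-example-00@example.org>

--b1--
"""

# Constructed sample: an ordinary message with everything inline.
CONSTRUCTED_PLAIN = """\
From: colleague@example.com
To: user@example.com
Subject: Minutes
MIME-Version: 1.0
Content-Type: text/plain

Minutes are inline, nothing external.
"""


def find_external_bodies(raw_message):
    """Return one dict per message/external-body part in the MIME tree."""
    msg = email.message_from_string(raw_message)
    findings = []
    for part in msg.walk():
        # get_content_type() lower-cases, so "Message/External-Body" matches.
        if part.get_content_type() != "message/external-body":
            continue
        params = {}
        # The first tuple is the content type itself; the rest are parameters.
        for key, value in part.get_params(failobj=[])[1:]:
            params[key.lower()] = collapse_rfc2231_value(value)
        findings.append({
            "access_type": params.get("access-type", "").lower(),
            "params": params,
        })
    return findings


def scan_verdict(raw_message):
    """Reject on any external body; the referenced content is never fetched."""
    findings = find_external_bodies(raw_message)
    if findings:
        kinds = ", ".join(sorted({f["access_type"] or "unknown" for f in findings}))
        return ("reject", "external message body (access-type: %s)" % kinds)
    return ("deliver", "")


if __name__ == "__main__":
    for label, raw in (("external", CONSTRUCTED_EXTERNAL),
                       ("plain", CONSTRUCTED_PLAIN)):
        print(label, scan_verdict(raw))
```

The scanner deliberately does not retrieve the referenced file: as the reply above explains, the server holding the body can hand the mail server one version and the recipient's client another, so a fetched copy proves nothing about what the user will open.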
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:27 2006 Subject: Calling all translators Message-ID: <5.2.0.9.2.20021117144946.032627a0@imap.ecs.soton.ac.uk> I have moved all the output strings into a configuration file so they can be translated into different languages, so MailScanner hopefully doesn't output much to a user that has to be in English. I have attached the file, and would be grateful if people could translate it into other languages for me. Thanks folks! Jules. -------------- next part -------------- A non-text attachment was scrubbed... Name: languages.conf Type: application/octet-stream Size: 2049 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021117/4d2d8b1b/languages.obj -------------- next part -------------- -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From andersan at LTKALMAR.SE Sun Nov 17 15:51:36 2002 
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:16:28 2006
Subject: SV: Calling all translators
Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EC8C@lkl22.ltkalmar.se>

Just did a fast look at the file.. will this file
complement or replace the normal msg files or
is it just for the log file and conf file?
Just curious.... as usual

/Anders

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: 17 November 2002 15:52
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Calling all translators
>
>
> I have moved all the output strings into a configuration file
> so they can
> be translated into different languages, so MailScanner
> hopefully doesn't
> output much to a user that has to be in English.
>
> I have attached the file, and would be grateful if people
> could translate
> it into other languages for me.
>
> Thanks folks!
> Jules.
>

From mailscanner at ecs.soton.ac.uk Sun Nov 17 15:58:45 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:28 2006
Subject: SV: Calling all translators
In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263EC8C@lkl22.ltkalmar.se>
Message-ID: <5.2.0.9.2.20021117155716.03297c18@imap.ecs.soton.ac.uk>

At 15:51 17/11/2002, you wrote:
>Just did a fast look at the file.. will this file
>complement or replace the normal msg files or
>is it just for the log file and conf file?
>Just curious.... as usual

It's all the output strings that aren't already in the msg files. The log
file and conf files will remain in English.

> > -----Original Message-----
> > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> > Sent: 17 November 2002 15:52
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Calling all translators
> >
> >
> > I have moved all the output strings into a configuration file
> > so they can
> > be translated into different languages, so MailScanner
> > hopefully doesn't
> > output much to a user that has to be in English.
> >
> > I have attached the file, and would be grateful if people
> > could translate
> > it into other languages for me.
> >
> > Thanks folks!
> > Jules.
> >

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Sun Nov 17 16:09:13 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:28 2006 Subject: Internationalization In-Reply-To: <3DD56225.A87528B5@elirion.net> References: <5.1.0.14.2.20021115202500.0243ebd8@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20021117160716.03296d40@imap.ecs.soton.ac.uk> At 21:07 15/11/2002, you wrote: >Let me put in a plug for GNU Gettext. There are several modules on >CPAN that support it or emulate it. > >Essentially you wrap all the UK English strings in subroutine calls. >The subroutine uses the string as a key to look up the >equivalent in a locale-specific language. All you have to do is >set the locale when the program starts (and supply translations in >a text file). That only appears to easily allow for 1 language at a time. I allow you to choose different languages for different messages, like you can already with the message report files. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From nerijus at USERS.SOURCEFORGE.NET Mon Nov 18 02:01:07 2002 From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas) Date: Thu Jan 12 21:16:28 2006 Subject: Internationalization In-Reply-To: <5.2.0.9.2.20021117160716.03296d40@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20021115202500.0243ebd8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20021117160716.03296d40@imap.ecs.soton.ac.uk> Message-ID: <200211180210.gAI2A2vR004128@mx.ktv.lt> On Sun, 17 Nov 2002 16:09:13 +0000 Julian Field wrote: > That only appears to easily allow for 1 language at a time. > I allow you to choose different languages for different messages, like you > can already with the message report files. Is it possible to use 2 (both) languages in a message at the same time? Regards, Nerijus From rbremer at FUTURE-GATE.COM Mon Nov 18 08:14:44 2002 
From: rbremer at FUTURE-GATE.COM (Ronny Bremer) Date: Thu Jan 12 21:16:28 2006 Subject: Calling all translators Message-ID: Jules, ok, find a German translation attached to this email. Please note, that some of the message might be changed as it is hard to translate out of context. I do not know, whether some of the string are used within a larger sentence, for instance. Also, I would not recommend translating the headers (NotSpam, Black- Whitelisted), as they are not directly shown to end users (unless they want to and then they should know a little bit of english ) Ronny >>> mailscanner@ECS.SOTON.AC.UK 11/17/02 03:51pm >>> I have moved all the output strings into a configuration file so they can be translated into different languages, so MailScanner hopefully doesn't output much to a user that has to be in English. I have attached the file, and would be grateful if people could translate it into other languages for me. Thanks folks! Jules. -------------- next part -------------- A non-text attachment was scrubbed... Name: languages.conf Type: application/octet-stream Size: 2340 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021118/88004979/languages.obj From SJCJonker at SJC.NL Mon Nov 18 09:59:07 2002 
From: SJCJonker at SJC.NL (Stijn Jonker)
Date: Thu Jan 12 21:16:28 2006
Subject: Calling all translators
In-Reply-To: <5.2.0.9.2.20021117144946.032627a0@imap.ecs.soton.ac.uk>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello all,

Here is my attempt at translating this file. I must admit it's harder than
it looks. But I think it is reasonable. But if you are Dutch also don't
hesitate to check this, because i D0n,t meka mistakeS. ;-)

P.S. If somebody knows a translation in Dutch for timeout in the context
as mentioned in the file....

On Sun, 17 Nov 2002, Julian Field wrote:

> I have moved all the output strings into a configuration file so they can
> be translated into different languages, so MailScanner hopefully doesn't
> output much to a user that has to be in English.
>
> I have attached the file, and would be grateful if people could translate
> it into other languages for me.
>
> Thanks folks!
> Jules.

- --
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker

- --
Outlook Express is actually an incredibly effective virus distribution
system which only pretends to be an email program. [by Eric Lee]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE92LntH0P/oLuWBrcRAvJPAKCRx5XiGayDJH3UTH1hmEeIqGz/xACfbnjJ
Iv/SRanWqCX4EH4dUr49Qgo=
=38OR
-----END PGP SIGNATURE-----
-------------- next part --------------
#
# This file contains all the word, phrases and sentences that are output
# to a user by MailScanner. They are all here so that you can translate
# them into your language.
# You should only edit what is on the right of each "=".
# If you set the "Language Strings" option in MailScanner.conf to be a
# ruleset (or even a function!) then you can output responses in different
# languages to different users and customers.
#

# Used in spam header
Blacklisted = blacklisted
Whitelisted = whitelisted
NotSpam = not spam

# used when creating VirusWarning.txt
TheEntireMessage = het gehele bericht
NotNamed = niet benoemd

# used for sysadmin notifications
NoticeSubject = Waarschuwing: E-mail virussen gedetecteerd
FullHeadersAre = De volledige headers zijn

# used for delivering truly disinfected attachments
Disinfected = Gedesinfecteerd

# used for virus report in unparsable messages
CantAnalyze = Kon het bericht niet analyseren

# used for virus report in unparsable TNEF messages
BadTNEF = Kon de Outlook Rich Text bijlage niet verwerken

# used for creating sysadmin notifications
NoticeHeading = De volgende e-mail berichten zijn gedetecteerd als besmet met een virus

# used when SpamAssassin has timed out too often
SADisabled = Uitgeschakeld vanwege %d opeenvolgende timeouts

# used when message size exceeds configured SpamAssassin max message size
SATooLarge = Bericht groter dan maximale grote voor spam test

# used when trying to use SpamAssassin on a bad message with no headers
SANoHeaders = Bericht bevatte geen headers

# used when creating SpamAssassin results header
score = score
required = vereist
SATimedOut = timed out

# used when creating reports for messages with dangerous content
PartialMessage = Gefragmenteerde berichten kunnen niet worden geanalyseerd en zijn daarom verwijderd
FoundIFrame = Gevaarlijke IFrame tag in HTML bericht gevonden
FoundObject = Gevaarlijke Object Codebase tag in HTML bericht gevonden
ExternalBody = Externe bericht inhoud kan niet worden gescaned en zijn daarom verwijderd
EudoraLongMIME = Eudora long-MIME-boundary aanval

# used when detecting denial-of-service attacks
DOSAttack = Denial of Service aanval in bericht!

From Heinz.Knutzen at DZSH.DE Mon Nov 18 10:03:23 2002
From: Heinz.Knutzen at DZSH.DE (Knutzen, Heinz (DZ-SH))
Date: Thu Jan 12 21:16:28 2006
Subject: AW: Calling all translators
Message-ID: <6C645222B0A8BC4FBFACD7606D4306A822FD98@dzrz-ex-1.dzsh.landsh.de>

One minor correction for the German translation from Ronny:

# used for virus report in unparsable TNEF messages
BadTNEF = Fehler beim verarbeiten des Outlook Rich Text Anhangs

-->

# used for virus report in unparsable TNEF messages
BadTNEF = Fehler beim Verarbeiten des Outlook Rich Text Anhangs

Best regards
--
Heinz

> -----Original Message-----
> From: Ronny Bremer [mailto:rbremer@FUTURE-GATE.COM]
> Sent: Monday, 18 November 2002 09:15
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Calling all translators
>
> Jules,
>
> ok, find a German translation attached to this email.
>
> Please note, that some of the message might be changed as it
> is hard to translate out of context. I do not know, whether
> some of the string are used within a larger sentence, for instance.
>
> Also, I would not recommend translating the headers (NotSpam,
> Black- Whitelisted), as they are not directly shown to end
> users (unless they want to and then they should know a little
> bit of english )
>
> Ronny
>
> >>> mailscanner@ECS.SOTON.AC.UK 11/17/02 03:51pm >>>
> I have moved all the output strings into a configuration file
> so they can
> be translated into different languages, so MailScanner
> hopefully doesn't
> output much to a user that has to be in English.
>
> I have attached the file, and would be grateful if people
> could translate
> it into other languages for me.
>
> Thanks folks!
> Jules.
>
>

From mailscanner at ecs.soton.ac.uk Mon Nov 18 10:36:37 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:28 2006 Subject: Internationalization In-Reply-To: <200211180210.gAI2A2vR004128@mx.ktv.lt> References: <5.2.0.9.2.20021117160716.03296d40@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021115202500.0243ebd8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20021117160716.03296d40@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20021118103608.02c557a8@imap.ecs.soton.ac.uk> At 02:01 18/11/2002, you wrote: >On Sun, 17 Nov 2002 16:09:13 +0000 Julian Field > wrote: > > > That only appears to easily allow for 1 language at a time. > > I allow you to choose different languages for different messages, like you > > can already with the message report files. > >Is it possible to use 2 (both) languages in a message at the same time? Just set up your own custom languages.conf file containing both languages. You are free to change what I provide... -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From viers at UNILIM.FR Mon Nov 18 10:55:13 2002 
From: viers at UNILIM.FR (Nicolas Viers - SCI Limoges)
Date: Thu Jan 12 21:16:28 2006
Subject: Mailscanner 4.05-3 and virus infection (end)
Message-ID: <5.0.2.1.2.20021118114850.0231ff58@pop.unilim.fr>

Hello,
I post this mail to give the response to my pb
It was:
----------------------------------------------------------
I had pb with my mailscanner config (4.05-3)
When I test with virus file, the mail log file said:

Nov 15 14:26:33 limdns-new MailScanner[13585]: /usr/local/MailScanner-4.05-3/var/incoming/13585/gAFDQQAl014953/test.zip/URFRIEND.SCR Found virus or variant W32/Yaha !!!
Nov 15 14:26:33 limdns-new MailScanner[13585]: /usr/local/MailScanner-4.05-3/var/incoming/13585/gAFDQQAl014953/test.zip/VALUE.EXE Found virus or variant W32/Klez !!!
Nov 15 14:26:33 limdns-new MailScanner[13585]: Virus Scanning: mcafee found 8 infections
Nov 15 14:26:33 limdns-new MailScanner[13585]: Virus Scanning: Found 8 viruses
Nov 15 14:26:33 limdns-new MailScanner[13585]: Uninfected: Delivered 1 messages
Nov 15 14:26:33 limdns-new MailScanner[15008]: MailScanner
Nov 15 14:26:33 limdns-new MailScanner[15008]: MailScanner E-Mail Virus Scanner version 4.05-3 starting...
Nov 15 14:26:33 limdns-new MailScanner[15008]: Using locktype = flock

8 virus are found, but the attach file was delivered with the message
"no infection was found"
Mcafee said viruses found and mailscanner Uninfected: deliver 1 message

Why mailscanner does not put infected file in quarantine directory ?

I had another mailscanner 2.60 version and it works fine with this zip
infected file

Maybe it was due to a bad version of my perl modules
And I don't had install first the rpm version.
When I do this (rpm version) mailscanner works fine.

I want to give a precision:
in the mailscanner.conf file there is a directive
"Deliver Cleaned Messages"
When I put No to this no message were sent to the sender of the virus.
With "yes" it's ok
For me this directive apply to virus cleaned by mailscanner and not detected.

____________________________________________________________
Nicolas Viers           | Service Commun Informatique
E-mail: viers@unilim.fr | 123, avenue Albert Thomas
                        | 87060 Limoges cedex
Tel: 05-55-45-77-09     | Fax: 05-55-45-75-95
http://www.unilim.fr/sci
____________________________________________________________

From mailscanner at ecs.soton.ac.uk Mon Nov 18 11:07:42 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:28 2006
Subject: Mailscanner 4.05-3 and virus infection (end)
In-Reply-To: <5.0.2.1.2.20021118114850.0231ff58@pop.unilim.fr>
Message-ID: <5.2.0.9.2.20021118110451.02232ab8@imap.ecs.soton.ac.uk>

I suspect that your path to the incoming directory that you have in your
mailscanner.conf file has some links in it. You must put the *real* path to
the incoming directory in your mailscanner.conf file, like this:

Incoming Work Dir = /usr/local/MailScanner-4.05-3/var/incoming

At 10:55 18/11/2002, you wrote:
> Hello,
>I post this mail to give the response to my pb
>It was:
>----------------------------------------------------------
>i had pb with my mailscanner config (4.05-3)
>When i test with virus file, the mail log file said:
>Nov 15 14:26:33 limdns-new MailScanner[13585]:
>/usr/local/MailScanner-4.05-3/var/incoming/13585/gAFDQQAl014953/test.zip/URFRIEND.SCR
>Found virus or variant W32/Yaha !!!
>
>Nov 15 14:26:33 limdns-new MailScanner[13585]:
>/usr/local/MailScanner-4.05-3/var/incoming/13585/gAFDQQAl014953/test.zip/VALUE.EXE
>Found virus or variant W32/Klez !!!
>
>Nov 15 14:26:33 limdns-new MailScanner[13585]: Virus Scanning: mcafee
>found 8 infections
>Nov 15 14:26:33 limdns-new MailScanner[13585]: Virus Scanning: Found 8 viruses
>Nov 15 14:26:33 limdns-new MailScanner[13585]: Uninfected: Delivered 1
>messages
>Nov 15 14:26:33 limdns-new MailScanner[15008]: MailScanner
>Nov 15 14:26:33 limdns-new MailScanner[15008]: MailScanner E-Mail Virus
>Scanner version 4.05-3 starting...
>
>Nov 15 14:26:33 limdns-new MailScanner[15008]: Using locktype = flock
>
>8 virus are found, but the attach file was delivered with the message
>"no infection was found"
>Mcafee said viruses found and mailscanner Unifected: deliver 1 message
>
>Why mailscanner does not put infected file in quarantine directory ?
>
>I had another mailscanner 2.60 version and it works fine with this zip
>infected file
>
>
>
>Maybe it was due to a bad version of my perl modules
>And i don't had install first the rpm version.
>
>when i do this (rpm version) mailscanner works fine.
>
>I want to give a precision:
>in the mailscanner.conf file there is a directive "Deliver Cleaned Messages"
>When i put No to this no message were sent to the sender of the virus.
>With "yes"
>it's ok
>For me this directive apply to virus cleaned by mailscanner and not detected.
>
>
>____________________________________________________________
>
>Nicolas Viers               | Service Commun Informatique
>Mél: viers@unilim.fr        | 123, avenue Albert Thomas
>                            | 87060 Limoges cedex
>Tel: 05-55-45-77-09         | Fax: 05-55-45-75-95
>                 http://www.unilim.fr/sci
>____________________________________________________________
>
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mlo at UNI2.DK Mon Nov 18 12:13:18 2002
From: mlo at UNI2.DK (Martin Lorensen)
Date: Thu Jan 12 21:16:28 2006
Subject: Internationalization
In-Reply-To: <5.2.0.9.2.20021118103608.02c557a8@imap.ecs.soton.ac.uk>
Message-ID:

On Mon, 18 Nov 2002, Julian Field wrote:

> > > That only appears to easily allow for 1 language at a time.
> > > I allow you to choose different languages for different messages, like you
> > > can already with the message report files.
> >
> >Is it possible to use 2 (both) languages in a message at the same time?
>
> Just set up your own custom languages.conf file containing both languages.
> You are free to change what I provide...

What I would like was some way of having MailScanner merging 2 reports and
2 language sets. Today some of the translated reports include both the
national and the English version - that's kind of silly and adds complexity
when something should be changed.

Another thing would be to have all the configuration options for reports
replaced by a "language-base-path" and a report-filename. That way you only
need to change one line when changing the language.

My "dream" is to have a single config-file option "Language" which could be
"en", "de", "nl" etc. - or "de-en", "nl-en" etc. Where the last case would
have MailScanner merging the two reports.

This would require some more work on the reports, e.g. having a way to say
"English version below", not having 2 headers and 2 footers etc.

Just my thoughts....

--
A happy MailScanner user,
Martin Lorensen

From Heinz.Knutzen at DZSH.DE Mon Nov 18 13:08:00 2002
From: Heinz.Knutzen at DZSH.DE (Knutzen, Heinz (DZ-SH))
Date: Thu Jan 12 21:16:28 2006
Subject: Again: Inline Text Signature and attachment-only mail
Message-ID: <6C645222B0A8BC4FBFACD7606D4306A822FD9A@dzrz-ex-1.dzsh.landsh.de>

Hi,

one month ago I sent this bug report:

> One user received a mail with an empty body and two text/plain attachments.
> Mailscanner inserted the "Inline Text Signature" into the first attachment.
> The user got some trouble from this, because the attachment
> was used as input for some program which disliked the signature.
...
> MailScanner uses SignCleanMessage to insert the signature
> into the first part of a multipart message.
>
> MailScanner shouldn't insert a signature into an attachment
> which is marked with
> Content-Disposition: attachment; filename="something.txt"

When releasing 3.24-1, Julian wrote
  I have also fixed 1 minor bug affecting the warning message added to
  infected messages containing no main message body at all.

This didn't solve the original problem,
since my problem was with inline signatures,
but Julian fixed inline warnings.

In mailscanner-4.05-3, file Message.pm, function "SignWarningMessage"
there is a line
  # Won't sign attachments.
  return 0 if $top->head->mime_attr('content-disposition') =~ /attachment/i;

Please add similar code to function "SignCleanEntity" in the same file.

Best regards

-- Heinz Knutzen

Datenzentrale Schleswig-Holstein
Altenholzer Str. 10-14, 24161 Altenholz, Germany
http://www.dzsh.de/
mailto:heinz.knutzen@dzsh.de
Tel: +49.431.3295.581 Fax: +49.431.3295.410

From mailscannerlist at TNJINFL.COM Mon Nov 18 13:12:34 2002
From: mailscannerlist at TNJINFL.COM (James Pifer)
Date: Thu Jan 12 21:16:28 2006
Subject: Working well
Message-ID: <1037625154.2330.11.camel@tweety.tnjinfl.com>

With the help of the last two responses I received on my posts
everything appears to be working well. I have this installed on my home
mail server as a testing for possibly using the setup
(MailScanner/SpamAssassin/Sendmail/F-Prot) where I work. It will be much
higher volume, but that doesn't worry me.

If we do try to use this we will forward any message that is marked as
spam to a specific mailbox that will have to be monitored, probably by
our HR department, to make sure all legitimate mail is forwarded to the
recipient.

One question I still have is, how do you handle a situation where
messages are marked as spam but really aren't? Let's assume it's not
because of DNS Blacklist, but because of content. I can't give an
example since it hasn't happened to me yet, so this is hypothetically
speaking. I assume if it's content that SpamAssassin is what is marking
it as spam.

Are the config files (content filters) for SpamAssassin configurable?
Where would this be done at? If it's not SpamAssassin, what would it be?
If there's a FAQ or Doc I should be looking at let me know.

Thanks.
James

From nerijus at USERS.SOURCEFORGE.NET Mon Nov 18 13:34:32 2002
From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas)
Date: Thu Jan 12 21:16:28 2006
Subject: Working well
In-Reply-To: <1037625154.2330.11.camel@tweety.tnjinfl.com>
References: <1037625154.2330.11.camel@tweety.tnjinfl.com>
Message-ID: <200211181340.gAIDe4vR000436@mx.ktv.lt>

On Mon, 18 Nov 2002 08:12:34 -0500 James Pifer wrote:

> Are the config files(content filters) for SpamAssasin configurable?
> Where would this be done at?

Yes - why don't you just read SpamAssassin documentation?

Regards,
Nerijus

From mike at CAMAROSS.NET Mon Nov 18 13:43:47 2002
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:16:28 2006
Subject: Working well
In-Reply-To: <1037625154.2330.11.camel@tweety.tnjinfl.com>
Message-ID: <000101c28f08$85416140$6501a8c0@mikedesk>

There is a score file for SpamAssassin that you can change...I wouldn't
advise tweaking it too much. I leave that to the SA guys :) You might
start off with your threshold set a little higher for messages to be
marked as spam. I currently have mine set at 9 (I think) and see very few
false positives.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of James Pifer
Sent: Monday, November 18, 2002 7:13 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Working well

With the help of the last two responses I received on my posts
everything appears to be working well. I have this installed on my home
mail server as a testing for possibly using the setup
(MailScanner/SpamAssassin/Sendmail/F-Prot) where I work. It will be much
higher volume, but that doesn't worry me.

If we do try to use this we will forward any message that is marked as
spam to s specific mailbox that will have to be monitored, probably by
our HR department, to make sure all legitimate mail is forwarded to the
recipient.

One question I still have is, how do you handle a situation where
messages are marked as spam but really aren't? Let's assume it's not
because of DNS Blacklist, but because of content. I can't give an
example since it hasn't happened to me yet, so this is hypathetically
speaking. I assume if it's content that SpamAssassin is what is marking
it as spam.

Are the config files(content filters) for SpamAssasin configurable?
Where would this be done at? If it's not SpamAssassin, what would it be?
If there's a FAQ or Doc I should be looking at let me know.

Thanks.
James

From wkuiters at FREE.FR Mon Nov 18 14:18:05 2002
From: wkuiters at FREE.FR (Willem Kuiters)
Date: Thu Jan 12 21:16:28 2006
Subject: Calling all translators
In-Reply-To:
References: <5.2.0.9.2.20021117144946.032627a0@imap.ecs.soton.ac.uk>
Message-ID: <20021118141805.GA1495@bragann>

Hi,

On Mon, Nov 18, 2002 at 10:59:07AM +0100, Stijn Jonker wrote:
> Hello all,
>
> Here is my attempt at translating this file. I must admit it's harder then
> it looks. But i think it is reasonable.
>
> But if you are dutch also don't hesitate to check this, because i D0n,t
> meka mistakeS. ;-)

I added a few corrections and suggestions to the good work of Stijn.
The concerned lines are singled out.

--
 |\ /|     Willem G.J. Kuiters
 |0 0|
 (/"\)     --- "The malicious have a dark happiness" ---
 /   \     ---                        -- Victor Hugo ---
(( U U ))  ---                                       ---
 " " " "   --(Htag.pl 0.0.19)--
-------------- next part --------------
#
# This file contains all the word, phrases and sentences that are output
# to a user by MailScanner. They are all here so that you can translate
# them into your language.
# You should only edit what is on the right of each "=".
# If you set the "Language Strings" option in MailScanner.conf to be a
# ruleset (or even a function!) then you can output responses in different
# languages to different users and customers.
#

# Used in spam header
Blacklisted = blacklisted
Whitelisted = whitelisted
NotSpam = not spam

# used when creating VirusWarning.txt
TheEntireMessage = het gehele bericht
NotNamed = niet benoemd

# used for sysadmin notifications
NoticeSubject = Waarschuwing: E-mail virussen gevonden
FullHeadersAre = De volledige headers zijn

# used for delivering truly disinfected attachments
Disinfected = Gedesinfecteerd

# used for virus report in unparsable messages
CantAnalyze = Kon het bericht niet analyseren

# used for virus report in unparsable TNEF messages
BadTNEF = Kon de Outlook Rich Text bijlage niet verwerken

# used for creating sysadmin notifications
NoticeHeading = De volgende e-mail berichten blijken besmet met een virus

# used when SpamAssassin has timed out too often
SADisabled = Uitgeschakeld vanwege %d opeenvolgende timeouts

# used when message size exceeds configured SpamAssassin max message size
SATooLarge = Bericht groter dan maximale grootte voor spam test

# used when trying to use SpamAssassin on a bad message with no headers
SANoHeaders = Bericht bevatte geen headers

# used when creating SpamAssassin results header
score = score
required = vereist
SATimedOut = timed out

# used when creating reports for messages with dangerous content
PartialMessage = Gefragmenteerde berichten kunnen niet worden geanalyseerd en zijn daarom verwijderd
FoundIFrame = Gevaarlijke IFrame tag in HTML bericht gevonden
FoundObject = Gevaarlijke Object Codebase tag in HTML bericht gevonden
ExternalBody = Externe bericht inhoud kan niet worden gescanned en is daarom verwijderd
EudoraLongMIME = Eudora long-MIME-boundary aanval

# used when detecting denial-of-service attacks
DOSAttack = Denial of Service aanval in bericht!

From mailscanner at ecs.soton.ac.uk Mon Nov 18 14:24:39 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:28 2006
Subject: Again: Inline Text Signature and attachment-only mail
In-Reply-To: <6C645222B0A8BC4FBFACD7606D4306A822FD9A@dzrz-ex-1.dzsh.land
 sh.de>
Message-ID: <5.2.0.9.2.20021118142300.033bace0@imap.ecs.soton.ac.uk>

Sorry about that, must have missed it.
I have just added it to the code for 4.06 (the next release).

At 13:08 18/11/2002, you wrote:
>Hi,
>
>one month ago I sent this bug report:
>
> > One user received a mail with an empty body and two text/plain attachments.
> > Mailscanner inserted the "Inline Text Signature" into the first attachment.
> > The user got some trouble from this, because the attachment
> > was used as input for some program which disliked the signature.
>...
> > MailScanner uses SignCleanMessage to insert the signature
> > into the first part of a multipart message.
> >
> > MailScanner shouldn't insert a signature into an attachment
> > which is marked with
> > Content-Disposition: attachment; filename="something.txt"
>
>When releasing 3.24-1, Julian wrote
> I have also fixed 1 minor bug affecting the warning message added to
> infected messages containing no main message body at all.
>
>This didn't solve the original problem,
>since my problem was with inline signatures,
>but Julian fixed inline warnings.
>
>In mailscanner-4.05-3, file Message.pm, function "SignWarningMessage"
>there is a line
> # Won't sign attachments.
> return 0 if $top->head->mime_attr('content-disposition') =~
> /attachment/i;
>
>Please add similar code to function "SignCleanEntity" in the same file.
>
>Best regards
>
>-- Heinz Knutzen
>
>Datenzentrale Schleswig-Holstein
>Altenholzer Str. 10-14, 24161 Altenholz, Germany
>http://www.dzsh.de/
>mailto:heinz.knutzen@dzsh.de
>Tel: +49.431.3295.581 Fax: +49.431.3295.410
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mkettler at EVI-INC.COM Mon Nov 18 17:02:12 2002
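
Added example, not MailScanner's Perl code and not part of either message: the check Heinz Knutzen asks for in SignCleanEntity, sketched in Python with the standard email package. The function names, the signature text and both sample messages are constructed for illustration; skip_attachments=False reproduces the behaviour from the bug report.

```python
import email
from email import policy

# Constructed signature text, standing in for the "Inline Text Signature".
SIGNATURE = "-- This message has been scanned and is believed to be clean. --"

# Constructed message matching the bug report: no body, two text/plain attachments.
RAW_ATTACHMENTS_ONLY = """\
From: sender@example.org
To: user@example.org
Subject: input files
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: attachment; filename="input1.txt"

10;20;30

--b1
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: attachment; filename="input2.txt"

40;50;60

--b1--
"""

# Constructed message with a real body part followed by one attachment.
RAW_WITH_BODY = """\
From: sender@example.org
To: user@example.org
Subject: input files
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Please find the data attached.

--b2
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: attachment; filename="input1.txt"

10;20;30

--b2--
"""


def parse(raw):
    """Parse a raw RFC 822 message into an EmailMessage tree."""
    return email.message_from_string(raw, policy=policy.default)


def first_signable_part(msg, skip_attachments=True):
    """Return the first text/plain part that may carry an inline signature."""
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        # Same intent as the Perl line quoted in the report: a part whose
        # Content-Disposition is "attachment" is data, not message text.
        if skip_attachments and part.get_content_disposition() == "attachment":
            continue
        return part
    return None


def sign_clean(msg, signature=SIGNATURE, skip_attachments=True):
    """Append the signature to the chosen part; return False if none qualifies."""
    part = first_signable_part(msg, skip_attachments)
    if part is None:
        return False  # choice made in this sketch: leave the message untouched
    # The sample parts are unencoded 7-bit text, so the payload can be
    # replaced directly without touching the part's headers.
    part.set_payload(part.get_content().rstrip("\n") + "\n\n" + signature + "\n")
    return True


def part_texts(msg):
    """Decoded text of every text/plain part, in message order."""
    return [p.get_content() for p in msg.walk() if p.get_content_type() == "text/plain"]


if __name__ == "__main__":
    for label, raw, skip in (("reported behaviour", RAW_ATTACHMENTS_ONLY, False),
                             ("with the check", RAW_ATTACHMENTS_ONLY, True),
                             ("normal message", RAW_WITH_BODY, True)):
        message = parse(raw)
        print(label, "signed:", sign_clean(message, skip_attachments=skip))
        print(part_texts(message))
```
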
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:16:28 2006
Subject: Working well (SA customization tips)
In-Reply-To: <1037625154.2330.11.camel@tweety.tnjinfl.com>
Message-ID: <5.1.1.6.0.20021118103352.015eb2e8@192.168.50.2>

Ok, I'll admit upfront that I do a bit more "rule tinkering" than most end users do, and I sometimes do a small contribution to the SA Development effort. So I confess up front that I probably customize SA more than most users will.

That said, I don't think that writing a few simple custom rules is beyond the scope of what a "normal" user might want to do.

Before you go off tuning your ruleset, first make sure you're running a reasonable version of SA. If you're getting an unreasonable number of false positives/negatives, and are running something older than 2.42, upgrade. 2.40 and 2.41 had absolutely horrid scores (due to a combination of a few bad rules, a minor issue in the GA, and some mis-placed emails in the corpus). Older versions aren't likely to be very effective against current spam.

Other "general" tweaks you can apply are to increase the threshold, and to (lightly) bump down the scores of rules which are false-positive prone on your email. You can apply these to your spam.assassin.prefs and the SpamAssassin man page mentioned below should be sufficient to show you the format for these options. Note that any score line in your prefs file will supersede anything in 50_scores.cf, so to adjust a score, just create a new score in your prefs file like this one (these are adjustments from my config, with scores changed a little from what I really use)

# How many hits before a mail is considered spam.
required_hits 5.2
#X_OSIRU_SPAM_SRC is high collateral damage, trim score down a little
score X_OSIRU_SPAM_SRC 1.5

SA is tuned for a more or less "general purpose" variety of email. Depending on what industry you work in, you might get more "spam-alike" marketing than most. Fortunately you also know there are certain "catch phrases" for your industry that aren't likely to appear in spam mail.

I tend to have a small handful of "correction" rules that decrease the score of emails pertaining to the industry my company works in. This makes it a bit less likely that newsletters and marketing information that people here have requested will be tagged as spam.

Note: you should not need to make a whole lot of these rules, in general I'd think hard before making more than 10 of them.

What follows is a quickie guide to simple SA rule writing, targeted towards MailScanner users
---------------------------

The first thing you'll want to do is skim through man Mail::SpamAssassin::Conf. Then go to your /usr/share/spamassassin and look at some of the rules in 20_head_tests.cf and 20_body_tests.cf. (note: it is strongly advised that you NOT edit the files in /usr/share/spamassassin)

Since you're running MailScanner the best place to put your rules is in MailScanner's spam.assassin.prefs.conf, but I'd recommend writing and testing them using the command-line tools while editing /root/.spamassassin/user_prefs.

The simplest rules look for a basic text string, and assign a score, like this one (this is one of mine):

body BUGTRAQ_MENTIONED /\bbugtraq\b/i
describe BUGTRAQ_MENTIONED mentions bugtraq in body
score BUGTRAQ_MENTIONED -1.0

The describe line is optional, and not very relevant to MailScanner setups. I put it in there for my own reference.

The body rule itself is just a regex string match which is started and terminated with forward slash characters (/).

The \b's are used inside the string to indicate "any kind of word break" including spaces, tabs, newlines, etc and are generally a good idea at the beginning and end of most rules (unless you want it to match even if there is no word break). A string match ending with "not" will match not, note, notice, etc but one ending with "not\b" will only match not.

The /i at the end makes the entire text match case insensitive. Some rules you might want to leave this off, others you might want it on.

The regex's can be a lot more complicated, but most things you'll want to do yourself should be simple enough with rules like this one.

After you write a rule, you need to test it. Every time you add a rule you risk a typo causing SpamAssassin to skip large chunks of your rules. If you followed my advice about trying them on root's user_prefs first, test the rules using SpamAssassin's command line:

spamassassin --lint

This will make SA complain about rule syntax. Note that if MailScanner calls SpamAssassin and there's a typo it will SILENTLY skip rules until it can start parsing the config file again.

You can also test your rules against emails that are in raw text format (note: this must be a complete SMTP formatted email, with headers, with an empty blank line after the headers before the body begins, as per RFC requirements)

spamassassin -tD

One question I still have is, how do you handle a situation where
>messages are marked as spam but really aren't? Let's assume it's not
>because of DNS Blacklist, but because of content. I can't give an
>example since it hasn't happened to me yet, so this is hypathetically
>speaking. I assume if it's content that SpamAssassin is what is marking
>it as spam.
>
>Are the config files(content filters) for SpamAssasin configurable?
>Where would this be done at? If it's not SpamAssassin, what would it be?
>If there's a FAQ or Doc I should be looking at let me know.

Note: Emails authored under this address do not reflect the opinions of my employer unless otherwise stated. Facts contained are also prone to human error. If either of these statements are not humanly obvious to you, I suggest careful thought before leaping to any other conclusions. :)

From sean at NISD.NET Mon Nov 18 17:33:10 2002
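
Added example, not part of Matt Kettler's post and not SpamAssassin code: a Python stand-in that reads only the directives shown in the post (required_hits, body, describe, score), reports the kind of typo the post says is otherwise skipped silently, and shows the difference between /not/ and /not\b/. The prefs fragment, the STOCK_RULES set and the rule names NOT_LOOSE, NOT_STRICT and BROKEN_RULE are constructed; Python's re module is assumed to treat \b and the i flag the way the Perl regexes in the post do.

```python
import re

# Constructed prefs fragment in the style of the post. Line 8 is missing its
# closing slash and line 9 misspells a rule name: both are deliberate typos.
SAMPLE_PREFS = r"""
required_hits 5.2
score X_OSIRU_SPAM_SRC 1.5
body BUGTRAQ_MENTIONED /\bbugtraq\b/i
describe BUGTRAQ_MENTIONED mentions bugtraq in body
score BUGTRAQ_MENTIONED -1.0
body NOT_LOOSE /not/
body NOT_STRICT /not\b/
body BROKEN_RULE /\bnewsletter\b
score BUGTRAQ_MENTIOND -1.0
"""

# Assumption: names of stock rules that local score lines may legitimately adjust.
STOCK_RULES = {"X_OSIRU_SPAM_SRC"}

# A rule pattern must be written as /regex/ optionally followed by flag letters.
DELIMITED = re.compile(r"^/(?P<pattern>.*)/(?P<flags>[a-z]*)$")


def parse_prefs(text, stock_rules=STOCK_RULES):
    """Parse the directives used in the post; return rules, scores, threshold, problems."""
    rules, scores, problems = {}, {}, []
    required = None
    for lineno, raw in enumerate(text.strip().splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)
        keyword = fields[0]
        if keyword == "required_hits" and len(fields) == 2:
            try:
                required = float(fields[1])
            except ValueError:
                problems.append((lineno, "required_hits is not a number"))
        elif keyword == "body" and len(fields) == 3:
            match = DELIMITED.match(fields[2])
            if match is None:
                problems.append((lineno, fields[1] + ": pattern not closed with /"))
                continue
            flags = re.IGNORECASE if "i" in match.group("flags") else 0
            try:
                rules[fields[1]] = re.compile(match.group("pattern"), flags)
            except re.error as exc:
                problems.append((lineno, fields[1] + ": bad regex: " + str(exc)))
        elif keyword == "describe" and len(fields) == 3:
            continue  # documentation only, nothing to check
        elif keyword == "score" and len(fields) == 3:
            try:
                scores[fields[1]] = (lineno, float(fields[2]))
            except ValueError:
                problems.append((lineno, fields[1] + ": score is not a number"))
        else:
            problems.append((lineno, "unrecognised or incomplete line"))
    # A score for a name that nothing defines never fires: usually a typo.
    for name, (lineno, _value) in scores.items():
        if name not in rules and name not in stock_rules:
            problems.append((lineno, name + ": score for an undefined rule"))
    return rules, scores, required, sorted(problems)


def evaluate(rules, scores, body):
    """Return (sorted names of rules that hit, sum of their configured scores)."""
    hits = sorted(name for name, regex in rules.items() if regex.search(body))
    # Simplification of this sketch: a rule without a score line adds 0.
    total = sum(scores[name][1] for name in hits if name in scores)
    return hits, total


if __name__ == "__main__":
    rules, scores, required, problems = parse_prefs(SAMPLE_PREFS)
    for lineno, message in problems:
        print("line %d: %s" % (lineno, message))
    for body in ("Saw this on BugTraq, please take note.", "Do not reply."):
        print(body, "->", evaluate(rules, scores, body))
```
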
From: sean at NISD.NET (Sean Embry)
Date: Thu Jan 12 21:16:28 2006
Subject: Working well (SA customization tips)
Message-ID:

This is great! Just the kind of info I've been looking for.

>>> mkettler@EVI-INC.COM 11/18/02 11:02AM >>>
Ok, I'll admit upfront that I do a bit more "rule tinkering" than most end

From mailscannerlist at TNJINFL.COM Mon Nov 18 17:36:05 2002
From: mailscannerlist at TNJINFL.COM (James Pifer)
Date: Thu Jan 12 21:16:28 2006
Subject: Working well (SA customization tips)
In-Reply-To: <5.1.1.6.0.20021118103352.015eb2e8@192.168.50.2>
References: <5.1.1.6.0.20021118103352.015eb2e8@192.168.50.2>
Message-ID: <1037640965.2332.19.camel@tweety.tnjinfl.com>

Matt,

Thank you very much for the response. That's exactly what I was looking
for, real world examples and experience! (thanks to Mike for his earlier
response too)

I am running 2.43 so I should be up to date. Like I said, on my server
at home it has been 100% successful, but I only have two or three email
accounts that receive any spam. I'm assuming if we use this at our company
we'll come across some that get tagged that really aren't.

Best regards,
James

On Mon, 2002-11-18 at 12:02, Matt Kettler wrote:
> Ok, I'll admit upfront that I do a bit more "rule tinkering" than most end
> users do, and I sometimes do a small contribution to the SA Development
> effort. So I confess up front that I probably customize SA more than most
> users will.
>
> That said, I don't think that writing a few simple custom rules are beyond
> the scope of what a "normal" user might want to do.
>
> Before you go off tuning your ruleset, first make sure you're running a
> reasonable version of SA. If you're getting an unreasonable number false
> positives/negatives, and are running something older than 2.42, upgrade.
> 2.40 and 2.41 had absolutely horrid scores (due to a combination of a few
> bad rules, a minor issue in the GA, and some mis-placed emails in the
> corpus). Older versions aren't likely to be very effective against current
> spam.
>
> Other "general" tweaks you can apply are to increase the threshold, and to
> (lightly) bump down the scores of rules which are false-positive prone on
> your email. You can apply these to your spam.assassin.prefs and the
> SpamAssassin man page mentioned below should be sufficient to show you the
> format for these options. Note that any score line in your prefs file will
> supercede anything in 50_scores.cf, so to adjust a score, just create a new
> score in your prefs file like this one (these are adjustments from my
> config, with scores changed a little from what I really use)
>
> # How many hits before a mail is considered spam.
> required_hits 5.2
> #X_OSIRU_SPAM_SRC is high collateral damage, trim score down a little
> score X_OSIRU_SPAM_SRC 1.5
>
>
> SA is tuned for a more or less "general purpose" variety of email.
> Depending on what industry you work in, you might get more "spam-alike"
> marketing than most. Fortunately you also know there are certain "catch
> phrases" for your industry that aren't likely to appear in spam mail.
>
> I tend to have a small handful of "correction" rules that decrease the
> score of emails pertaining to the industry my company works in. This makes
> it a bit less likely that newsletters and marketing information that people
> here have requested will be tagged as spam.
>
> Note: you should not need to make a whole lot of these rules, in general
> I'd think hard before making more than 10 of them.
>
> What follows is a quickie guide to simple SA rule writing, targeted towards
> MailScanner users
> ---------------------------
>
> The first thing you'll want to do is skim through man
> Mail::SpamAssassin::Conf. Then go to your /usr/share/spamassassin and look
> at some of the rules in 20_head_tests.cf and 20_body_tests.cf. (note: it is
> strongly advised that you NOT edit the files in /usr/share/spamassassin)
>
> Since you're running MailScanner the best place to put your rules is in
> MailScanner's spam.assassin.prefs.conf, but I'd recommend writing and
> testing them using the command-line tools while editing
> /root/.spamassassin/user_prefs.
>
> The simplest rules look for a basic text string, and assign a score, like
> this one (this is one mine):
>
> body BUGTRAQ_MENTIONED /\bbugtraq\b/i
> describe BUGTRAQ_MENTIONED mentions bugtraq in body
> score BUGTRAQ_MENTIONED -1.0
>
> The describe line is optional, and not very relevant to MailScanner setups.
> I put it in there for my own reference.
>
> The body rule itself is just a regex string match which is started and
> terminated with forward slash characters (/).
>
> The \b's are used inside the string to indicate "any kind of word break"
> including spaces, tabs, newlines, etc and are generally a good idea at the
> beginning and end of most rules (unless you want it to match even if there
> is no word break). A string match ending with "not" will match not, note,
> notice, etc but one ending with "not\b" will only match not.
>
> the /i at the end makes the entire text match case insensitive. Some rules
> you might want to leave this off, others you might want it on.
>
> The regex's can be a lot more complicated, but most things you'll want to
> do yourself should be simple enough with rules like this one.
>
> After you write a rule, you need to test it. Every time you add a rule you
> risk a typo causing SpamAssassin to skip large chunks of your rules. If you
> followed my advice about trying them on root's user_prefs first, test the
> rules using SpamAssassin's command line:
>
> spamassassin --lint
>
> This will make SA complain about rule syntax. Note that if MailScanner
> calls SpamAssassin and there's a typo it will SILENTLY skip rules until it
> can start parsing the config file again.
>
> You can also test your rules against emails that are in raw text format
> (note: this must be a complete SMTP formatted email, with headers, with a
> empty blank line after the headers before the body begins, as per RFC
> requirements)
>
> spamassassin -tD
> Once you've got rules that don't error, and suit your needs put them into
> your spam.assassin.prefs.conf
>
>
>
>
> At 08:12 AM 11/18/2002 -0500, you wrote:
> >One question I still have is, how do you handle a situation where
> >messages are marked as spam but really aren't? Let's assume it's not
> >because of DNS Blacklist, but because of content. I can't give an
> >example since it hasn't happened to me yet, so this is hypathetically
> >speaking. I assume if it's content that SpamAssassin is what is marking
> >it as spam.
> >
> >Are the config files(content filters) for SpamAssasin configurable?
> >Where would this be done at? If it's not SpamAssassin, what would it be?
> >If there's a FAQ or Doc I should be looking at let me know.
>
> Note: Emails authored under this address do not reflect the opinions of my
> employer unless otherwise stated. Facts contained are also prone to human
> error. If either of these statements are not humanly obvious to you, I
> suggest careful thought before leaping to any other conclusions. :)

From sevans at FOUNDATION.SDSU.EDU Mon Nov 18 17:39:41 2002
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans)
Date: Thu Jan 12 21:16:28 2006
Subject: Working well (SA customization tips)
Message-ID: <6214C3F9233D764C9E7029396C355015682737@mail.foundation.sdsu.edu>

Great info. One question on the SA versions. I upgraded to 2.42 (might
have been 2.43) and had huge problems with false negatives. They probably
tripled. Have you heard of that happening before? I run SA without any
RBL's, and without Razor. (though I'm thinking about going down the razor
path soon.)

Steve Evans
SDSU Foundation
(619) 594-0653

-----Original Message-----
From: Matt Kettler [mailto:mkettler@EVI-INC.COM] Sent: Monday, November 18, 2002 9:02 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Working well (SA customization tips) Ok, I'll admit upfront that I do a bit more "rule tinkering" than most end users do, and I sometimes do a small contribution to the SA Development effort. So I confess up front that I probably customize SA more than most users will. That said, I don't think that writing a few simple custom rules are beyond the scope of what a "normal" user might want to do. Before you go off tuning your ruleset, first make sure you're running a reasonable version of SA. If you're getting an unreasonable number false positives/negatives, and are running something older than 2.42, upgrade. 2.40 and 2.41 had absolutely horrid scores (due to a combination of a few bad rules, a minor issue in the GA, and some mis-placed emails in the corpus). Older versions aren't likely to be very effective against current spam. Other "general" tweaks you can apply are to increase the threshold, and to (lightly) bump down the scores of rules which are false-positive prone on your email. You can apply these to your spam.assassin.prefs and the SpamAssassin man page mentioned below should be sufficient to show you the format for these options. Note that any score line in your prefs file will supercede anything in 50_scores.cf, so to adjust a score, just create a new score in your prefs file like this one (these are adjustments from my config, with scores changed a little from what I really use) # How many hits before a mail is considered spam. required_hits 5.2 #X_OSIRU_SPAM_SRC is high collateral damage, trim score down a little score X_OSIRU_SPAM_SRC 1.5 SA is tuned for a more or less "general purpose" variety of email. Depending on what industry you work in, you might get more "spam-alike" marketing than most. Fortunately you also know there are certain "catch phrases" for your industry that aren't likely to appear in spam mail. 
I tend to have a small handful of "correction" rules that decrease the score of emails pertaining to the industry my company works in. This makes it a bit less likely that newsletters and marketing information that people here have requested will be tagged as spam. Note: you should not need to make a whole lot of these rules, in general I'd think hard before making more than 10 of them. What follows is a quickie guide to simple SA rule writing, targeted towards MailScanner users --------------------------- The first thing you'll want to do is skim through man Mail::SpamAssassin::Conf. Then go to your /usr/share/spamassassin and look at some of the rules in 20_head_tests.cf and 20_body_tests.cf. (note: it is strongly advised that you NOT edit the files in /usr/share/spamassassin) Since you're running MailScanner the best place to put your rules is in MailScanner's spam.assassin.prefs.conf, but I'd recommend writing and testing them using the command-line tools while editing /root/.spamassassin/user_prefs. The simplest rules look for a basic text string, and assign a score, like this one (this is one mine): body BUGTRAQ_MENTIONED /\bbugtraq\b/i describe BUGTRAQ_MENTIONED mentions bugtraq in body score BUGTRAQ_MENTIONED -1.0 The describe line is optional, and not very relevant to MailScanner setups. I put it in there for my own reference. The body rule itself is just a regex string match which is started and terminated with forward slash characters (/). The \b's are used inside the string to indicate "any kind of word break" including spaces, tabs, newlines, etc and are generally a good idea at the beginning and end of most rules (unless you want it to match even if there is no word break). A string match ending with "not" will match not, note, notice, etc but one ending with "not\b" will only match not. the /i at the end makes the entire text match case insensitive. Some rules you might want to leave this off, others you might want it on. 
The regex's can be a lot more complicated, but most things you'll want to do yourself should be simple enough with rules like this one.

After you write a rule, you need to test it. Every time you add a rule you risk a typo causing SpamAssassin to skip large chunks of your rules. If you followed my advice about trying them on root's user_prefs first, test the rules using SpamAssassin's command line:

spamassassin --lint

This will make SA complain about rule syntax. Note that if MailScanner calls SpamAssassin and there's a typo it will SILENTLY skip rules until it can start parsing the config file again.

You can also test your rules against emails that are in raw text format (note: this must be a complete SMTP formatted email, with headers, with an empty blank line after the headers before the body begins, as per RFC requirements)

spamassassin -tD

One question I still have is, how do you handle a situation where
>messages are marked as spam but really aren't? Let's assume it's not
>because of DNS Blacklist, but because of content. I can't give an
>example since it hasn't happened to me yet, so this is hypothetically
>speaking. I assume if it's content that SpamAssassin is what is marking
>it as spam.
>
>Are the config files(content filters) for SpamAssassin configurable?
>Where would this be done at? If it's not SpamAssassin, what would it
>be? If there's a FAQ or Doc I should be looking at let me know.

Note: Emails authored under this address do not reflect the opinions of my employer unless otherwise stated. Facts contained are also prone to human error. If either of these statements are not humanly obvious to you, I suggest careful thought before leaping to any other conclusions. :)

From billa at STERLING.NET Mon Nov 18 20:17:38 2002
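An added sketch for the rule-writing guide in the message above (not SpamAssassin code and not from the post): a small Python checker for the directives the guide uses (required_hits, score, body, describe) that reports a malformed line instead of skipping it, then shows what \b and /i change about a match. The sample prefs, the rule names NOT_LOOSE, NOT_STRICT and BROKEN_RULE, and the function names are constructed; simple Perl patterns are assumed to behave the same under Python's re, and spamassassin --lint remains the real check.

```python
import re

# Constructed prefs: the post's own lines plus two deliberate typos
# (an unterminated regex and a score written with the letter O).
SAMPLE_PREFS = r"""
# How many hits before a mail is considered spam.
required_hits 5.2
score X_OSIRU_SPAM_SRC 1.5
body BUGTRAQ_MENTIONED /\bbugtraq\b/i
describe BUGTRAQ_MENTIONED mentions bugtraq in body
score BUGTRAQ_MENTIONED -1.0
body NOT_LOOSE /not/
body NOT_STRICT /not\b/
body BROKEN_RULE /\bunterminated
score NOT_STRICT O.5
"""

# A body pattern must open and close with "/" and may carry trailing flags.
BODY_PATTERN = re.compile(r"^/(.*)/([a-z]*)$")


def parse_prefs(text):
    """Parse the handled directives; return (rules, scores, required_hits, errors)."""
    rules, scores, errors = {}, {}, []
    required_hits = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        try:
            if parts[0] == "required_hits":
                required_hits = float(parts[1])
            elif parts[0] == "score":
                scores[parts[1]] = float(parts[2])
            elif parts[0] == "describe":
                pass  # optional and informational only
            elif parts[0] == "body":
                m = BODY_PATTERN.match(parts[2])
                if not m:
                    raise ValueError("regex must start and end with /")
                if m.group(2) not in ("", "i"):
                    raise ValueError("flag not handled by this sketch")
                flags = re.IGNORECASE if m.group(2) == "i" else 0
                rules[parts[1]] = re.compile(m.group(1), flags)
            else:
                raise ValueError("directive not handled by this sketch")
        except (IndexError, ValueError, re.error) as exc:
            # Report the line and keep going, so one typo cannot hide the rest.
            errors.append((lineno, f"{line!r}: {exc}"))
    return rules, scores, required_hits, errors


def stock_overrides(rules, scores):
    """Score lines for rules not defined in this file (assumed to be stock rules)."""
    return sorted(name for name in scores if name not in rules)


def evaluate(body, rules, scores):
    """Return (rules that hit, sum of their scores set in this file).

    Simplification: the whole body is matched as one string. Rules with no
    score line in this file are listed as hits but left out of the sum.
    """
    hits = sorted(name for name, rx in rules.items() if rx.search(body))
    adjustment = sum(scores[name] for name in hits if name in scores)
    return hits, adjustment


if __name__ == "__main__":
    rules, scores, required, errors = parse_prefs(SAMPLE_PREFS)
    for lineno, message in errors:
        print(f"line {lineno}: {message}")
    print("stock overrides:", stock_overrides(rules, scores))
    print(evaluate("Please take note: posted to Bugtraq yesterday", rules, scores))
```
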
From: billa at STERLING.NET (Bill Anderson)
Date: Thu Jan 12 21:16:28 2006
Subject: Best way to use blacklists?
Message-ID:

I notice there are several ways to utilize blacklists. Looks like you can do it in mailscanner, sendmail, and the other option is to let Spamassassin do it. Any ideas on the best way to implement with pros and cons would be greatly appreciated? Thanks.

From mlo at UNI2.DK Mon Nov 18 20:32:15 2002
From: mlo at UNI2.DK (Martin Lorensen)
Date: Thu Jan 12 21:16:28 2006
Subject: Best way to use blacklists?
In-Reply-To:
Message-ID:

On Mon, 18 Nov 2002, Bill Anderson wrote:

> I notice there are several ways to utilize blacklists. Looks like you
> can do it in mailscanner, sendmail, and the other option is to let
> Spamassassin do it. Any ideas on the best way to implement with pros
> and cons would be greatly appreciated? Thanks.

Sendmail is IMHO always preferred if you can do it there - the simple reason is that you don't have to do bounces to often faked sender addresses. Only catch in doing it in sendmail would be that you might not have enough information or you might want to get more information (e.g. content of mail to be able to deliver with a changed subject) before you have to reject the message.

If you blacklist in mailscanner you don't have to call SpamAssassin, on the negative side is then that SA's AWL doesn't get more clever - but I guess that is of little use if the origin is a blacklisted site or address.

--
Martin Lorensen

From richard.siddall at ELIRION.NET Mon Nov 18 20:39:12 2002
From: richard.siddall at ELIRION.NET (Richard Siddall) Date: Thu Jan 12 21:16:28 2006 Subject: Best way to use blacklists? References: Message-ID: <3DD94FF0.DC29A338@elirion.net> Bill Anderson wrote: > > I notice there are several ways to utilize blacklists. Looks like you can > do it in mailscanner, sendmail, and the other option is to let Spamassassin > do it. Any ideas on the best way to implement with pros and cons would be > greatly appreciated? Thanks. !!!FAQ Alert!!! I guess my view is that it depends on your confidence in the blacklist: 1/ If you absolutely trust the blacklist and want to reject the mail, false positives and all, use it in sendmail. That will result in the least processing load too. 2/ If you absolutely trust the blacklist, but want only to flag the message as spam, use it in MailScanner. 3/ If you have mixed feelings about the blacklist, but consider it useful in detecting spam, use it in SpamAssassin (and consider tuning the score SA assigns). I hope this helps. Bear in mind that the more blacklists you use, the longer it takes to process each message. If you're rejecting mail in sendmail, the sender can time out while waiting for you to check all the blacklists. Regards, Richard Siddall. From support at INVICTANET.CO.UK Mon Nov 18 20:40:10 2002 From: support at INVICTANET.CO.UK (InvictaNet Customer Support) Date: Thu Jan 12 21:16:28 2006 Subject: Yuk! Message-ID: Hi I think this is from a de-IFRAMEd message. Can anyone suggest why it looks so 'orrible? Also, why have I got "irusWarning.txt" (I'm using v3.26-2) Martyn -----Original Message----- 
From: FT.com News by email [mailto:ymnl+672583.125202216.2@newsbyemail.ft.com] Sent: 18 November 2002 15:03 To: martynr@invictanet.co.uk Subject: {VIRUS?} Your Money update Content-Type: text/plain; charset=s-ascii"; name=irusWarning.txt" Content-Disposition: inline; filename=irusWarning.txt" Content-Transfer-Encoding: quoted-printable This is a message from the MailScanner E-Mail Virus Protection Service -------------------------------------------------------------------- -- The original e-mail attachment "the entire message" was believed to be infected by a virus and has been replaced by this warning message. If you wish to receive a copy of the *infected* attachment, please e-mail helpdesk and include the whole of this message in your request. Alternatively, you can call them, with the contents of this message to hand when you call. At Mon Nov 18 15:05:45 2002 the virus scanner said: Possible Microsoft security vulnerability attack Note to Help Desk: Look on the MailScanner in /var/spool/MailScanner/quarantine (message gAIF5bjK050146). -- Postmaster From lyons at digitalvoodoo.org Mon Nov 18 20:48:05 2002 From: lyons at digitalvoodoo.org (Timothy M. Lyons) Date: Thu Jan 12 21:16:28 2006 Subject: Best way to use blacklists? In-Reply-To: <3DD94FF0.DC29A338@elirion.net> Message-ID: <000201c28f43$cbadeff0$6401a8c0@seeker> I personally use multiple blacklists - however I only use one of them with sendmail (relays.ordb.org), I then implement spamcop.net and Infinite-Monkeys within MailScanner. I find that ordb is quick and gives me a pretty good coverage, plus I have had very few problems with false positives - those that I have noticed, have been resubmitted and cleaned out quickly. Spamcop however tends to be a bit too aggressive and has inadvertently blocked out numerous valid senders so I wont use it on my server other than with MailScanner/SA to indicate the possibility. Just my .02 --Tim -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Richard Siddall Sent: Monday, November 18, 2002 15:39 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Best way to use blacklists? Bill Anderson wrote: > > I notice there are several ways to utilize blacklists. Looks like you > can do it in mailscanner, sendmail, and the other option is to let > Spamassassin do it. Any ideas on the best way to implement with pros > and cons would be greatly appreciated? Thanks. !!!FAQ Alert!!! I guess my view is that it depends on your confidence in the blacklist: 1/ If you absolutely trust the blacklist and want to reject the mail, false positives and all, use it in sendmail. That will result in the least processing load too. 2/ If you absolutely trust the blacklist, but want only to flag the message as spam, use it in MailScanner. 3/ If you have mixed feelings about the blacklist, but consider it useful in detecting spam, use it in SpamAssassin (and consider tuning the score SA assigns). I hope this helps. Bear in mind that the more blacklists you use, the longer it takes to process each message. If you're rejecting mail in sendmail, the sender can time out while waiting for you to check all the blacklists. Regards, Richard Siddall. From MailScanner at LISTS.COM.AR Mon Nov 18 21:01:44 2002 
From: MailScanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:16:28 2006
Subject: Calling all translators
In-Reply-To: <3DFD0E385303F649AB7C31D651DEDD00071779@mafalda.pert.com.ar>
Message-ID: <3DD92B08.1826.19BB0673@localhost>

Mmhhhh... I wasn't reading the list lately... but browsed thru the subjects and got this one...

I quickly browsed the 'languages.conf' file and it scares me a bit...

It has too many too short phrases that I fear you intend to glue together at message generation time... the point is that Spanish (and all latin languages, including at least French and Italian) have quite a different sentence order than English... I'm so worried that the results look like those automatic translations you see in the web...

Regretfully I'm stuck with lots of work and couldn't yet put my hands on MS (I have a pending ZMailer implementation)... Maybe if you could put the complete phrases in context in a comment before the config line, I could be more brave in translating... I also hope that Luis Peromarta is still around, 'cause he did a great job reviewing my previous translation and making it much better overall..

El 17 Nov 2002 a las 11:51, Julian Field escribió:

> I have moved all the output strings into a configuration file so they
> can
> be translated into different languages, so MailScanner hopefully doesn't
> output much to a user that has to be in English.
>
> I have attached the file, and would be grateful if people could
> translate
> it into other languages for me.
>
> Thanks folks!
> Jules.
>
>

--
Mariano Absatz
El Baby
----------------------------------------------------------
What is a "free" gift ? Aren't all gifts free?

From devin at JETDATA.CA Mon Nov 18 21:31:33 2002
From: devin at JETDATA.CA (Devin Smith) Date: Thu Jan 12 21:16:28 2006 Subject: Unsubscribe Message-ID: <002701c28f49$e1f1a5d0$f184e5c6@rd.csandall.com> -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021118/626aa6b0/attachment.html From P.G.M.Peters at civ.utwente.nl Tue Nov 19 08:10:28 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:16:28 2006 Subject: Best way to use blacklists? In-Reply-To: <3DD94FF0.DC29A338@elirion.net> References: <3DD94FF0.DC29A338@elirion.net> Message-ID: On Mon, 18 Nov 2002 15:39:12 -0500, you wrote: >I hope this helps. Bear in mind that the more blacklists you use, >the longer it takes to process each message. If you're rejecting >mail in sendmail, the sender can time out while waiting for you >to check all the blacklists. I use 10 blacklists (in MS) and i keep processing several messages within seconds. Only when one of the blacklists times out (currently occasionally infinite monkeys) it takes up to 20 seconds to process a batch. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From Jan-Peter.Koopmann at SECEIDOS.DE Tue Nov 19 10:34:54 2002 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:16:28 2006 Subject: Header change format Message-ID: <4E7026FF8A422749B1553FE508E00680053D84@message.intern.akctech.de> Hi Julian, I just discovered something that makes my life a bit more difficult. I would love to have a header that tells me whether or not something is spam or not. Currently I see things like this: X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=7, required 6, AWL, BAD_HELO_WARNING, BIG_FONT, CTYPE_JUST_HTML, EXCUSE_1, HTML_50_70, HTML_COMMENT_UNIQUE_ID, HTML_FONT_COLOR_BLUE, HTML_FONT_COLOR_NOHASH, HTML_FONT_COLOR_RED, HTML_FONT_COLOR_YELLOW, MSG_ID_ADDED_BY_MTA_3, NO_REAL_NAME, SPAM_PHRASE_02_03, SUBJECT_HAS_DATE, WEB_BUGS, X_AUTH_WARNING) X-MailScanner-SpamScore: sssssss or X-MailScanner-SpamCheck: SpamAssassin X-MailScanner-SpamCheck: spamcop.net There is no simple rule for Outlook etc. that would allow me to put all Spam-Mail in some folder. Currently I would have to put all possible X-MailScanner-SpamCheck Messages in the word list. Proposal: X-MailScanner-SpamCheck: spam, whatever (e.g. SpamAssassin or spamcop.net etc.) and X-MailScanner-SpamCheck: not spam, whatever (e.g. whitelisted) Moreover: The X-MailScanner-SpamScore should not be in the header if for some reason MailScanner determines that the message is not spam. I used to have a rule in Outlook that put all messages with X-MailScanner-SpamScore: ssssss in the junk mailfolder. As you can see in the first example this is not helpful. Thanks, JP -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021119/20435f09/attachment.html From info at blacknight-solutions.com Tue Nov 19 11:21:23 2002 
From: info at blacknight-solutions.com (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:16:28 2006 Subject: Header change format In-Reply-To: <4E7026FF8A422749B1553FE508E00680053D84@message.intern.akctech.de> References: <4E7026FF8A422749B1553FE508E00680053D84@message.intern.akctech.de> Message-ID: <24897.213.136.131.214.1037704883.squirrel@www.blacknightsolutions.com> In MailScanner.conf check your settings. I have it set to change the subject line for Spam and Virus, so I can easily filter messages in Eudora. From Jan-Peter.Koopmann at SECEIDOS.DE Tue Nov 19 12:59:44 2002 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:16:28 2006 Subject: Header change format Message-ID: <4E7026FF8A422749B1553FE508E00680053D87@message.intern.akctech.de> Hi, > In MailScanner.conf check your settings. I have it set to > change the subject line for Spam and Virus, so I can easily > filter messages in Eudora. I know but you should not change the subject if you report spam to the corresponding abuse centers (or spamcop etc.). Regards, JP From mk at quadstone.com Tue Nov 19 15:53:48 2002 
From: mk at quadstone.com (Michael Keightley)
Date: Thu Jan 12 21:16:28 2006
Subject: Problems with version 4
In-Reply-To: <5.1.0.14.2.20021113153116.07420ec0@imap.ecs.soton.ac.uk>
References: <20021113152737.GB1629@quadstone.com> <5.1.0.14.2.20021113153116.07420ec0@imap.ecs.soton.ac.uk>
Message-ID: <20021119155348.GA3968@quadstone.com>

This problem was caused by me forgetting to change "mailscanner" to "MailScanner" in the cron job that runs check_mailscanner. So it was starting up the old version.

0,20,40 * * * * [ -x /var/opt/MailScanner/bin/check_mailscanner ] && /var/opt/MailScanner/bin/check_mailscanner >/dev/null 2>&1

Michael

On Wed, Nov 13, 2002 at 03:32:35PM +0000, Julian Field wrote:
> At 15:27 13/11/2002, you wrote:
> >After starting up version 4, I am getting lots of these messages in the
> >mail
> >log:
> >
> >Nov 13 15:20:29 postie.quadstone.co.uk MailScanner[26958]: Failed to link
> >message body between queues (/var/spool/mqueue/dfgADFKNXH026972 -->
> >/var/spool/mqueue.in/dfgADFKNXH026972)
>
> Either the file already exists in the outgoing queue, or the 2 queues
> aren't on the same partition, or you are running V3 and V4 simultaneously.
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ

--
Michael Keightley                    Tel: +44 131 220 4491
Systems Manager, Quadstone Limited,  Fax: +44 131 220 4492
16 Chester Street, Edinburgh EH3 7RA, Scotland  http://www.quadstone.com

From jim at ENTROPHY-FREE.NET Tue Nov 19 15:59:17 2002
From: jim at ENTROPHY-FREE.NET (Jim Levie)
Date: Thu Jan 12 21:16:28 2006
Subject: Header change format
In-Reply-To: <4E7026FF8A422749B1553FE508E00680053D84@message.intern.akctech.de>
References: <4E7026FF8A422749B1553FE508E00680053D84@message.intern.akctech.de>
Message-ID: <1037721557.16055.37.camel@chaos.entrophy-free.net>

On Tue, 2002-11-19 at 04:34, Jan-Peter Koopmann wrote:
> Hi Julian,
>
> I just discovered something that makes my life a bit more difficult. I
> would love to have a header that tells me whether or not something is
> spam or not. Currently I see things like this:
>
> X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=7,
> required 6, AWL, BAD_HELO_WARNING, BIG_FONT, CTYPE_JUST_HTML,
> EXCUSE_1, HTML_50_70, HTML_COMMENT_UNIQUE_ID, HTML_FONT_COLOR_BLUE,
> HTML_FONT_COLOR_NOHASH, HTML_FONT_COLOR_RED, HTML_FONT_COLOR_YELLOW,
> MSG_ID_ADDED_BY_MTA_3, NO_REAL_NAME, SPAM_PHRASE_02_03,
> SUBJECT_HAS_DATE, WEB_BUGS, X_AUTH_WARNING)
> X-MailScanner-SpamScore: sssssss
>
> or
>
> X-MailScanner-SpamCheck: SpamAssassin
> X-MailScanner-SpamCheck: spamcop.net
>
> There is no simple rule for Outlook etc. that would allow me to put all
> Spam-Mail in some folder. Currently I would have to put all possible
> X-MailScanner-SpamCheck Messages in the word list. Proposal:

Easy enough to do. You decide what spam score would be spam and filter on the X-MailScanner-SpamScore header. For example if you decided that anything with a spam score of 5 was spam you'd tell Outlook that any message whose X-MailScanner-SpamCheck: header contained sssss should go into a Spam folder.

>
> X-MailScanner-SpamCheck: spam, whatever (e.g. SpamAssassin or
> spamcop.net etc.) and
> X-MailScanner-SpamCheck: not spam, whatever (e.g. whitelisted)
>
> Moreover: The X-MailScanner-SpamScore should not be in the header if for
> some reason MailScanner determines that the message is not spam.
I used
> to have a rule in Outlook that put all messages with
> X-MailScanner-SpamScore: ssssss in the junk mailfolder. As you can see
> in the first example this is not helpful.
>

The MailScanner configuration sets the lower threshold that triggers the inclusion of the SpamCheck/SpamScore headers. Messages that garner a SpamAssassin score below that threshold won't trigger the inclusion of those headers, and thus "aren't spam".

Because of the nature of the beast, it is quite possible to see messages with a spam score of 10-12 or less that aren't really spam, depending on who you get legitimate mail from. Most of the time, in my experience, anything with a spam score of 8 or more is spam, but I do get some mailings from legitimate sources that garner a score of 5-7. So you have to be careful when setting the lower and upper thresholds in MailScanner.

Personally I find it best to set the lower threshold in the 3-5 range and sort out what isn't really spam at the mail client. Along the same lines I set the high threshold, where we drop messages, in the 12-15 range to reduce the likelihood of discarding legitimate mail. That setting gets rid of a large amount of the objectionable and blatant spam and users can sort through the rest.

--
The instructions said to use Windows 98 or better, so I installed RedHat.

From billa at STERLING.NET Tue Nov 19 16:06:14 2002
From: billa at STERLING.NET (Bill Anderson)
Date: Thu Jan 12 21:16:28 2006
Subject: Best way to use blacklists?
In-Reply-To: <000201c28f43$cbadeff0$6401a8c0@seeker>
Message-ID:

If you use MailScanner first for blacklists, does it always call spamassassin, or does it just flag the email as spam and bypass SA? Where in SA do you select what blacklists to use? Thanks again for all the GREAT help.

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Timothy M. Lyons > Sent: Monday, November 18, 2002 12:48 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Best way to use blacklists? > > > I personally use multiple blacklists - however I only use one of them > with sendmail (relays.ordb.org), I then implement spamcop.net and > Infinite-Monkeys within MailScanner. > > I find that ordb is quick and gives me a pretty good coverage, plus I > have had very few problems with false positives - those that I have > noticed, have been resubmitted and cleaned out quickly. Spamcop however > tends to be a bit too aggressive and has inadvertently blocked out > numerous valid senders so I wont use it on my server other than with > MailScanner/SA to indicate the possibility. > > Just my .02 > > --Tim > > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Richard Siddall > Sent: Monday, November 18, 2002 15:39 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Best way to use blacklists? > > > Bill Anderson wrote: > > > > I notice there are several ways to utilize blacklists. Looks like you > > > can do it in mailscanner, sendmail, and the other option is to let > > Spamassassin do it. Any ideas on the best way to implement with pros > > and cons would be greatly appreciated? Thanks. > > !!!FAQ Alert!!! > > I guess my view is that it depends on your confidence in the blacklist: > > 1/ If you absolutely trust the blacklist and want to reject the mail, > false positives and all, use it in sendmail. That will result in the > least processing load too. > > 2/ If you absolutely trust the blacklist, but want only to flag the > message as spam, use it in MailScanner. > > 3/ If you have mixed feelings about the blacklist, but consider it > useful in detecting spam, use it in SpamAssassin (and consider tuning > the score SA assigns). > > I hope this helps. Bear in mind that the more blacklists you use, the > longer it takes to process each message. If you're rejecting mail in > sendmail, the sender can time out while waiting for you to check all the > blacklists. > > Regards, > > Richard Siddall. > From Jan-Peter.Koopmann at SECEIDOS.DE Tue Nov 19 16:31:56 2002 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:16:28 2006
Subject: Header change format
Message-ID: <4E7026FF8A422749B1553FE508E00680053D88@message.intern.akctech.de>

Hi,

> > There is no simple rule for Outlook etc. that would allow me to put
> > all Spam-Mail in some folder. Currently I would have to put all
> > possible X-MailScanner-SpamCheck Messages in the word list.
> Proposal:
>
> Easy enough to do. You decide what spam score would be spam
> and filter on the X-MailScanner-SpamScore header. For example
> if you decided that anything with a spam score of 5 was spam
> you'd tell Outlook that any message whose
> X-MailScanner-SpamCheck: header contained sssss should go
> into a Spam folder.

Yet if you use this even messages that are not spam (due to whitelist) but have a high SpamAssassin score are sorted out by the rule. Unfortunately Outlook cannot create rules like "Move message if X-MailScanner-Spamscore: sssss unless X-MailScanner-SpamCheck: not spam"...

> The MailScanner configuration sets the lower threshold that
> triggers the inclusion of the SpamCheck/SpamScore headers.
> Messages that garner a SpamAssassin score below that
> threshold won't trigger the inclusion of those headers, and
> thus "aren't spam".

So? Again think of whitelists. If a message is in the whitelist I do not care about the SpamScore from SpamAssassin. The whole point of the whitelist is to overrule SpamAssassin.

> Because of the nature of the beast, it is quite possible to
> see messages with a spam score of 10-12 or less that aren't
> really spam, depending on who you get legitimate mail from.

That is quite correct and the first example showed just that. But if I put something in the whitelist explicitly I do not want the message to be moved by my Outlook rule due to a SpamScore of 10 or so.

The headers are very informational telling me that the message is not spam due to the whitelist but would have had a SpamAssassin score of 10.
This is nice and informational but impossible for Outlook to use for rules. That is why I would love to see the simple extension to the X-MailScanner-SpamCheck header. It should be very easy to implement a (spam, not spam) message.

Regards,
JP

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Nov 19 16:35:00 2002
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:16:28 2006
Subject: Best way to use blacklists?
Message-ID: <4E7026FF8A422749B1553FE508E00680053D89@message.intern.akctech.de>

Hi,

> If you use MailScanner first for blacklists, does it always
> call spamassassin, or does it just flag the email as spam and
> bypass SA? Where in SA do you select what blacklists to use?
> Thanks again for all the GREAT help.

Have you tried this setting in mailscanner.conf:

# If the message sender is on any of the Spam Lists, do you still want
# to do the SpamAssassin checks? Setting this to "no" will reduce the load
# on your server, but will stop the High Scoring Spam Actions from ever
# happening.
# This can also be the filename of a ruleset.
Check SpamAssassin If On Spam List = yes

This might (!) also work for blacklist. I would have to look at the sources first but try it.

Regards,
JP

From billa at STERLING.NET Tue Nov 19 16:44:25 2002
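An added example for the "Header change format" thread above (not MailScanner code and not from any poster): the two-header decision Jan-Peter describes, "sssss unless not spam", beside the single-condition star rule, which misfiles the whitelisted message. The three messages are constructed, with the SpamCheck value shortened from the one quoted in the thread; the function names, and treating any SpamCheck header that does not begin with "not spam" as a spam verdict, are assumptions drawn from the thread's examples.

```python
import re
from email import message_from_string

# Constructed messages. The first reuses a shortened form of the whitelisted
# header quoted in the thread, folded across two lines as a real header may be.
WHITELISTED = """\
From: newsletter@example.com
Subject: constructed sample (whitelisted sender)
X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=7,
 required 6, AWL, BAD_HELO_WARNING, BIG_FONT)
X-MailScanner-SpamScore: sssssss

body text
"""

LISTED = """\
From: bulk@example.net
Subject: constructed sample (flagged by two checks)
X-MailScanner-SpamCheck: SpamAssassin
X-MailScanner-SpamCheck: spamcop.net
X-MailScanner-SpamScore: ssssss

body text
"""

UNSCANNED = """\
From: colleague@example.org
Subject: constructed sample (no MailScanner headers)

body text
"""

SCORE_RE = re.compile(r"score=(-?[\d.]+), required (-?[\d.]+)")


def header_values(msg, name):
    """All values of a header, with folded lines collapsed onto one line."""
    return [" ".join(value.split()) for value in msg.get_all(name, [])]


def star_rule(raw, stars=5):
    """Single-condition client rule: SpamScore contains N 's' characters."""
    msg = message_from_string(raw)
    return any("s" * stars in v
               for v in header_values(msg, "X-MailScanner-SpamScore"))


def classify(raw, stars=5):
    """Return (verdict, sa_score, sa_required) using both headers."""
    msg = message_from_string(raw)
    checks = header_values(msg, "X-MailScanner-SpamCheck")
    score = required = None
    for value in checks:
        found = SCORE_RE.search(value)
        if found:
            score, required = float(found.group(1)), float(found.group(2))
    if any(v.lower().startswith("not spam") for v in checks):
        verdict = "not spam"   # the whitelist verdict overrides the stars
    elif checks or star_rule(raw, stars):
        verdict = "spam"       # assumption: SpamCheck without "not spam" means spam
    else:
        verdict = "unscored"
    return verdict, score, required


if __name__ == "__main__":
    for label, raw in (("whitelisted", WHITELISTED), ("listed", LISTED),
                       ("unscanned", UNSCANNED)):
        print(label, "star rule:", star_rule(raw), "classify:", classify(raw))
```
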
From: billa at STERLING.NET (Bill Anderson)
Date: Thu Jan 12 21:16:28 2006
Subject: Best way to use blacklists?
In-Reply-To: <4E7026FF8A422749B1553FE508E00680053D89@message.intern.akctech.de>
Message-ID:

Thanks. I read it, but it did not register. I guess I still want the mail to be checked by SpamAssassin for the high score. I have a custom list that elevates the score to 100 if it is a porno spam. Anything over 50 will be deleted. My guess is the best thing to do is to turn on blacklist in Mailscanner and turn off blacklist checking in SA and set Check SpamAssassin If On Spam List = yes. This way the email will be marked as spam, then passed off to SA to see if it might be porn.

Is it fairly simple to turn off all blacklist checking in SA? If so how? I want to avoid checking the blacklists twice.

Thanks again.

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Jan-Peter Koopmann
> Sent: Tuesday, November 19, 2002 8:35 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Best way to use blacklists?
>
>
> Hi,
>
> > If you use MailScanner first for blacklists, does it always
> > call spamassassin, or does it just flag the email as spam and
> > bypass SA? Where in SA do you select what blacklists to use?
> > Thanks again for all the GREAT help.
>
> Have you tried this setting in mailscanner.conf:
>
> # If the message sender is on any of the Spam Lists, do you still want
> # to do the SpamAssassin checks? Setting this to "no" will reduce the
> load
> # on your server, but will stop the High Scoring Spam Actions from ever
> # happening.
> # This can also be the filename of a ruleset.
> Check SpamAssassin If On Spam List = yes
>
> This might (!) also work for blacklist. I would have to look at the
> sources first but try it.
>
> Regards,
> JP
>

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Nov 19 16:52:10 2002
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:16:28 2006 Subject: Best way to use blacklists? Message-ID: <4E7026FF8A422749B1553FE508E00680053D8A@message.intern.akctech.de> > Is it fairly simple to turn off all blacklist checking in SA? > If so how? I want to avoid checking the blacklists twice. I would say simply give SA no blacklist entry/filename in the spam.assassing.prefs file. Just a wild guess. But if SpamAssassin has no blacklist associated, what list does it use? :-) Regards, JP From mailscanner at ecs.soton.ac.uk Tue Nov 19 16:52:21 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:28 2006 Subject: Header change format In-Reply-To: <4E7026FF8A422749B1553FE508E00680053D88@message.intern.akct ech.de> Message-ID: <5.2.0.9.2.20021119165112.090bcce0@imap.ecs.soton.ac.uk> Is the outcome of all this that you would like the "SpamScore" header to be empty (or maybe not even exist?) when the message is whitelisted? Empty? Or not exist? Any contributions or thoughts most welcome... Jules. At 16:31 19/11/2002, you wrote: >Hi, > > > > There is no simple rule for Outlook etc. that would allow me to put > > > all Spam-Mail in some folder. Currently I would have to put all > > > possible X-MailScanner-SpamCheck Messages in the word list. > > Proposal: > > > > Easy enough to do. You decide what spam score would be spam > > and filter on the X-MailScanner-SpamScore header. For example > > if you decided that anything wih a spam score of 5 was spam > > you'd tell Outlook that any message whose > > X-MailScanner-SpamCheck: header contained sssss should go > > into a Spam folder. > >Yet if you use this even messages that are not spam (due to whitelist) >but have a high SpamAssassin score are sorted out by the rule. >Unfortunately Outlook cannot create rules like "Move message if >X-MailScanner-Spamscore: sssss unless X-MailScanner-SpamCheck: not >spam"... > > > The MailScanner configuration sets the lower threshold that > > triggers the inclusion of the SpamCheck/SpamScore headers. > > Messages that garner a SpamAssassin score below that > > threshold won't trigger the inclusion of those headers, and > > thus "aren't spam'. > >So? Again think of whitelists. If a message is in the whitelist I do not >care about the SpamScore from SpamAssassin. The whole point of the >whitelist is to overrule SpamAssassin. 
> > > Because of the nature of the beast, it is quite possible to > > see messages with a spam score of 10-12 or less that aren't > > really spam, depending on who you get legitimate mail from. > >That is quite correct and the first exampled showed just that. But if I >put something in the whitelist explicitely I do not what the message to >be moved by my Outlook rule due to a SpamScore of 10 or so. > >The headers are very informational telling me that the message is not >spam due to the whitelist but would have had a SpamAssassin score of 10. >This is nice and informational but impossible for Outlook to use for >rules. That is why I would love to see the simple extention to the >X-MailScanner-SpamCheck header. It should be very easy to implement a >(spam, not spam) message. > >Regards, > JP -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Nov 19 16:45:53 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:28 2006 Subject: Calling all translators In-Reply-To: <3DD92B08.1826.19BB0673@localhost> References: <3DFD0E385303F649AB7C31D651DEDD00071779@mafalda.pert.com.ar> Message-ID: <5.2.0.9.2.20021119164345.04802e68@imap.ecs.soton.ac.uk> At 21:01 18/11/2002, you wrote: >It has too many too short phrases that I fear you intend to glue together at >message generation time... the point is that Spanish (and all latin >languages, including at least French and Italian) have quite a different >sentence order than English... I'm so worried that the results look like >those automatic translations you see in the web... They are phrases and words that are just used as they are given, they are not glued together at all. They are just for things such as the SpamCheck header which can contain "not spam" at the start of the report when it has been told to always include the header even when the message isn't spam. That's why I included a line of explanation above each one that tells you where it is used. I agree that sticking these phrases together would be a very bad idea. >Regretfully I'm stuck with lots of work and couldn't yet put my hands on MS >(I have a pending ZMailer implementation)... Maybe if you could put the >complete phrases in context in a comment before the config line, I could be >more brave in translating... I also hope that Luis Peromarta is still around, >'cause he did a great job reviewing my previous translation and making it >much better overall.. > >El 17 Nov 2002 a las 11:51, Julian Field escribi?: > > > I have moved all the output strings into a configuration file so they > > can > > be translated into different languages, so MailScanner hopefully doesn't > > output much to a user that has to be in English. > > > > I have attached the file, and would be grateful if people could > > translate > > it into other languages for me. > > > > Thanks folks! > > Jules. 
> > > > > > >-- >Mariano Absatz >El Baby >---------------------------------------------------------- >What is a "free" gift ? Aren't all gifts free? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From Jan-Peter.Koopmann at SECEIDOS.DE Tue Nov 19 17:01:48 2002 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:16:29 2006 Subject: Header change format Message-ID: <4E7026FF8A422749B1553FE508E00680053D8B@message.intern.akctech.de> Hi Julian, > Is the outcome of all this that you would like the > "SpamScore" header to be empty (or maybe not even exist?) > when the message is whitelisted? This would be one solution. > Empty? Or not exist? I do not care to be honest. > Any contributions or thoughts most welcome... The most simple and most flexible solution though would be to generate a definate SPAM or NOT SPAM within the header. Examples for "real" spam: X-MailScanner-SpamCheck: spam, SpamAssasin (SCORE=....) X-MailScanner-SpamCheck: spam, spamcop.net, SpamAssasin (SCORE=....) Example for a whitelisted which triggers SpamAssassin: X-MailScanner-SpamCheck: not spam, whitelisted, SpamAssasin (SCORE=....) If you implement this you could tell the mail client to only handle mails with "X-MailScanner-SpamCheck: spam" in the header. If possible one should be able to configure whether or not "not spam" messages should show the SpamAssassin score with "X-MailScanner-Spamscore: sssss" or not. Regards, JP From billa at STERLING.NET Tue Nov 19 17:10:45 2002 From: billa at STERLING.NET (Bill Anderson) Date: Thu Jan 12 21:16:29 2006 Subject: Best way to use blacklists? In-Reply-To: <4E7026FF8A422749B1553FE508E00680053D8A@message.intern.akctech.de> Message-ID: Thanks for the pointer. I found the following entry in the spam.assassin.prefs.conf file: skip_rbl_checks 1 > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Jan-Peter Koopmann > Sent: Tuesday, November 19, 2002 8:52 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Best way to use blacklists? > > > > Is it fairly simple to turn off all blacklist checking in SA? > > If so how? I want to avoid checking the blacklists twice. > > I would say simply give SA no blacklist entry/filename in the > spam.assassing.prefs file. Just a wild guess. But if SpamAssassin has no > blacklist associated, what list does it use? :-) > > Regards, > JP > From mailscanner at ecs.soton.ac.uk Tue Nov 19 17:14:09 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:29 2006 Subject: Best way to use blacklists? In-Reply-To: <4E7026FF8A422749B1553FE508E00680053D8A@message.intern.akct ech.de> Message-ID: <5.2.0.9.2.20021119171340.01eae790@imap.ecs.soton.ac.uk> At 16:52 19/11/2002, you wrote: > > Is it fairly simple to turn off all blacklist checking in SA? > > If so how? I want to avoid checking the blacklists twice. > >I would say simply give SA no blacklist entry/filename in the >spam.assassing.prefs file. Just a wild guess. But if SpamAssassin has no >blacklist associated, what list does it use? :-) In your spam.assassin.prefs.conf file, there is a line that says # ignore_rbl_checks 1 Just un-comment it. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Nov 19 17:17:48 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:29 2006 Subject: Header change format In-Reply-To: <4E7026FF8A422749B1553FE508E00680053D8B@message.intern.akct ech.de> Message-ID: <5.2.0.9.2.20021119171526.08dad878@imap.ecs.soton.ac.uk> At 17:01 19/11/2002, you wrote: >Hi Julian, > > > Is the outcome of all this that you would like the > > "SpamScore" header to be empty (or maybe not even exist?) > > when the message is whitelisted? > >This would be one solution. > > > Empty? Or not exist? > >I do not care to be honest. > > > Any contributions or thoughts most welcome... > >The most simple and most flexible solution though would be to generate a >definate SPAM or NOT SPAM within the header. But I should only add "spam" when they have requested to always add the header, as people can currently do spam filtering based on just the presence of the SpamCheck header. It all gets a bit murky, unfortunately, as I need to retain backward compatibility for all the previous users, while providing a whizzy neat solution that is simple for you. The SpamScore proposal above is simple and doesn't create compatibility problems. But does it do enough of what you want? If not, I don't want to do it. But if yes, then that will probably be my chosen solution. >Examples for "real" spam: >X-MailScanner-SpamCheck: spam, SpamAssasin (SCORE=....) >X-MailScanner-SpamCheck: spam, spamcop.net, SpamAssasin (SCORE=....) > >Example for a whitelisted which triggers SpamAssassin: > >X-MailScanner-SpamCheck: not spam, whitelisted, SpamAssasin (SCORE=....) > >If you implement this you could tell the mail client to only handle >mails with "X-MailScanner-SpamCheck: spam" in the header. If possible >one should be able to configure whether or not "not spam" messages >should show the SpamAssassin score with "X-MailScanner-Spamscore: sssss" >or not. > >Regards, > JP -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 
023 8059 2817 University of Southampton
Southampton SO17 1BJ

From ts247 at CORNELL.EDU Tue Nov 19 17:24:37 2002
From: ts247 at CORNELL.EDU (Tom Shannon)
Date: Thu Jan 12 21:16:29 2006
Subject: RBL error
Message-ID: <200211191724.gAJHOdX30327@ori.rl.ac.uk>

Hello all, I'm running a solaris 7 email server with sendmail 8.12.4.

I'm using most of the default mailscanner settings. Spamassassin is ON.

Everything works fine for several hours then the following message appears in my maillog...

Nov 16 17:09:06 astrosun.astro.cornell.edu MailScanner[4800]: RBL Checks failed with real error: Can't use an undefined value as a symbol reference at /opt/MailScanner/bin/MailScanner/RBLs.pm line 159, line 27.

At this point mailscanner stops processing the mail in the mqueue.in.

Looking thru the logs I don't see any particular incident that causes this error.

Any ideas?

Thanks!

From mailscanner at ecs.soton.ac.uk Tue Nov 19 18:41:44 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:29 2006
Subject: RBL error
In-Reply-To: <200211191724.gAJHOdX30327@ori.rl.ac.uk>
Message-ID: <5.2.0.9.2.20021119184030.02353308@imap.ecs.soton.ac.uk>

At 17:24 19/11/2002, you wrote:
>Hello all, I'm running a solaris 7 email server with sendmail 8.12.4.
>
>I'm using most of the default mailscanner settings. Spamassassin is ON.
>
>Everything works fine for several hours then the following message appears
>in my maillog...
>
>Nov 16 17:09:06 astrosun.astro.cornell.edu MailScanner[4800]: RBL Checks
>failed with real error: Can't use an undefined value as a symbol reference
>at /opt/MailScanner/bin/MailScanner/RBLs.pm line 159, line 27.
>
>At this point mailscanner stops processing the mail in the mqueue.in.
>
>Looking thru the logs I don't see any particular incident that causes this
>error.

I have re-written the pipe code in RBLs.pm and SA.pm as 1 other user was having the same problem but in a different place. I can't reproduce the problem myself, but I hope my tweaks will help. If you want a copy of the new code to try out, drop me a line privately and I'll send it to you.
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From dlovelace at HOTELS.COM Tue Nov 19 18:46:03 2002
From: dlovelace at HOTELS.COM (Dale Lovelace) Date: Thu Jan 12 21:16:29 2006 Subject: Logging mailed marked as spam by RBL Message-ID: <95DD6F026D9C5C459E262B9C385C478E59819D@h-file04.180096hotel.com> Hello, I have MailScanner configured to use the RBL's ORDB-RBL and Infinite-Monkeys, and SpamAssassin configure to skip_rbl_checks. When MailScanner marks a message as spam because it is in the RBL, does it log this? If so, what does the log entry look like? Is there a way to test to make sure MailScanner is marking mail that is from an RBL'ed site as spam? Thanks, Dale Lovelace -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021119/a1c93419/attachment.html From mbowman at UDCOM.COM Tue Nov 19 18:47:08 2002 From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:16:29 2006 Subject: Logging mailed marked as spam by RBL Message-ID: Check your /var/spool/maillog it should indicate which RBL was mentioned in the detection Regards, Matthew K Bowman, Systems Administrator; Hostmaster; Miva Administrator Universal Digital Communications, Mansfield Ohio. Dale Lovelace cc: Sent by: Subject: Logging mailed marked as spam by RBL MailScanner mailing list 11/19/2002 01:46 PM Please respond to MailScanner mailing list Hello, I have MailScanner configured to use the RBL's ORDB-RBL and Infinite-Monkeys, and SpamAssassin configure to skip_rbl_checks. When MailScanner marks a message as spam because it is in the RBL, does it log this? If so, what does the log entry look like? Is there a way to test to make sure MailScanner is marking mail that is from an RBL'ed site as spam? Thanks, Dale Lovelace From dlovelace at HOTELS.COM Tue Nov 19 19:06:53 2002 
From: dlovelace at HOTELS.COM (Dale Lovelace) Date: Thu Jan 12 21:16:29 2006 Subject: Logging mailed marked as spam by RBL Message-ID: <95DD6F026D9C5C459E262B9C385C478E327DB7@h-file04.180096hotel.com> I don't have any entries in /var/log/maillog that would lead me to believe that MailScanner has blocked any messages from an RBL'ed site... That's why I wanted to make sure that MailScanner logged this, and to find out what the log entry would look like when it did. Perhaps I should have been a bit more clear :-) Could you copy one of your RBL'ed log entries into an email so I would know what they were supposed to look like if I were getting them? Thanks! Dale Lovelace -----Original Message----- From: Matthew Bowman [mailto:mbowman@UDCOM.COM] Sent: Tuesday, November 19, 2002 12:47 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Logging mailed marked as spam by RBL Check your /var/spool/maillog it should indicate which RBL was mentioned in the detection Regards, Matthew K Bowman, Systems Administrator; Hostmaster; Miva Administrator Universal Digital Communications, Mansfield Ohio. Dale Lovelace cc: Sent by: Subject: Logging mailed marked as spam by RBL MailScanner mailing list 11/19/2002 01:46 PM Please respond to MailScanner mailing list Hello, I have MailScanner configured to use the RBL's ORDB-RBL and Infinite-Monkeys, and SpamAssassin configure to skip_rbl_checks. When MailScanner marks a message as spam because it is in the RBL, does it log this? If so, what does the log entry look like? Is there a way to test to make sure MailScanner is marking mail that is from an RBL'ed site as spam? Thanks, Dale Lovelace From mailscanner at ecs.soton.ac.uk Tue Nov 19 18:54:39 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:29 2006
Subject: Logging mailed marked as spam by RBL
In-Reply-To: <95DD6F026D9C5C459E262B9C385C478E59819D@h-file04.180096hote l.com>
Message-ID: <5.2.0.9.2.20021119185239.02e60270@imap.ecs.soton.ac.uk>

At 18:46 19/11/2002, you wrote:
> When MailScanner marks a message as spam because it is in the RBL, does
> it log this? If so, what does the log entry look like?

Set
Log Spam = yes
and you'll see.

> Is there a way to test to make sure MailScanner is marking mail that is
> from an RBLed site as spam?

Relay a message through it, i.e. send yourself some mail using the open relay as your smtp server.
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From Harish.Amin at DEG.STATE.WI.US Tue Nov 19 19:45:21 2002
From: Harish.Amin at DEG.STATE.WI.US (Amin, Harish)
Date: Thu Jan 12 21:16:29 2006
Subject: Logging mailed marked as spam by RBL
Message-ID: <47F3EDACE4BC3A4594D0D7B504062BBD019C66FE@doamail04>

Dale

Check /var/log/syslog if you don't have maillog

# grep RBL /var/log/syslog
Nov 18 04:14:46 badger MailScanner[8264]: RBL checks: gAIAEdQ09660 found in ORDB-RBL
Nov 18 04:14:47 badger MailScanner[8264]: Message gAIAEdQ09660 from 218.44.224.250 (tm-net.co.jp) is spam according to ORDB-RBL
Nov 18 15:59:56 badger MailScanner[15941]: RBL checks: gAILxqQ19320 found in ORDB-RBL
Nov 18 15:59:57 badger MailScanner[15941]: Message gAILxqQ19320 from 204.86.126.102 () is spam according to ORDB-RBL

-----Original Message-----
From: Dale Lovelace [mailto:dlovelace@HOTELS.COM]
Sent: Tuesday, November 19, 2002 1:07 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Logging mailed marked as spam by RBL

I don't have any entries in /var/log/maillog that would lead me to believe that MailScanner has blocked any messages from an RBL'ed site... That's why I wanted to make sure that MailScanner logged this, and to find out what the log entry would look like when it did. Perhaps I should have been a bit more clear :-) Could you copy one of your RBL'ed log entries into an email so I would know what they were supposed to look like if I were getting them?

Thanks!

Dale Lovelace

-----Original Message-----
From: Matthew Bowman [mailto:mbowman@UDCOM.COM]
Sent: Tuesday, November 19, 2002 12:47 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Logging mailed marked as spam by RBL

Check your /var/spool/maillog it should indicate which RBL was mentioned in the detection

Regards,

Matthew K Bowman, Systems Administrator; Hostmaster; Miva Administrator
Universal Digital Communications, Mansfield Ohio.

Dale Lovelace cc: Sent by: Subject: Logging mailed marked as spam by RBL MailScanner mailing list 11/19/2002 01:46 PM Please respond to MailScanner mailing list

Hello,

I have MailScanner configured to use the RBL's ORDB-RBL and Infinite-Monkeys, and SpamAssassin configure to skip_rbl_checks.

When MailScanner marks a message as spam because it is in the RBL, does it log this? If so, what does the log entry look like?

Is there a way to test to make sure MailScanner is marking mail that is from an RBL'ed site as spam?

Thanks,

Dale Lovelace

From dlovelace at HOTELS.COM Tue Nov 19 19:53:55 2002
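As an added example (not part of the original posts, and not MailScanner code): a small Python parser for the two RBL log line shapes quoted above, which pairs them by queue id so an administrator can confirm that list hits are being logged and marked as spam. The sample lines are constructed, and treating several list names as comma-separated is an assumption.

```python
import re
from collections import Counter

# Syslog prefix as quoted in the thread: "Nov 18 04:14:46 badger MailScanner[8264]: ..."
PREFIX = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"MailScanner\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# The two message shapes shown in the thread.
RBL_FOUND = re.compile(r"^RBL checks: (?P<id>\S+) found in (?P<lists>.+)$")
VERDICT = re.compile(
    r"^Message (?P<id>\S+) from (?P<ip>\S+) \((?P<rdns>[^)]*)\) "
    r"is spam according to (?P<lists>.+)$"
)

# Constructed sample input: documentation addresses and made-up queue ids.
SAMPLE_LOG = """\
Nov 18 04:14:46 mx1 MailScanner[8264]: RBL checks: gAJ0001Q00001 found in ORDB-RBL
Nov 18 04:14:47 mx1 MailScanner[8264]: Message gAJ0001Q00001 from 192.0.2.25 (relay.example.net) is spam according to ORDB-RBL
Nov 18 15:59:56 mx1 MailScanner[15941]: RBL checks: gAJ0002Q00002 found in ORDB-RBL
Nov 18 15:59:57 mx1 MailScanner[15941]: Message gAJ0002Q00002 from 198.51.100.7 () is spam according to ORDB-RBL
Nov 18 16:02:10 mx1 MailScanner[15941]: RBL checks: gAJ0003Q00003 found in Infinite-Monkeys
Nov 18 16:05:00 mx1 sendmail[1409]: starting daemon (8.12.5): SMTP
Nov 18 16:05:01 mx1 MailScanner[15941]: Using locktype = flock
Nov 19 13:13:25 mx1 MailScanner[24780]: RBL checks: gAJ0004Q00004 found in ORDB-RBL
Nov 19 13:13:25 mx1 MailScanner[24780]: Message gAJ0004Q00004 from 192.0.2.25 (relay.example.net) is spam according to ORDB-RBL
Nov 19 13:13:25 mx1 MailScanner[24780]: Spam Actions: (RBL) Bounce To
"""


def _list_names(text):
    # Assumption: several list names would be comma-separated; the thread shows one.
    return {name.strip() for name in text.split(",") if name.strip()}


def parse_rbl_hits(lines):
    """Correlate both line shapes by queue id and return {queue_id: record}."""
    hits = {}
    for raw in lines:
        prefix = PREFIX.match(raw.strip())
        if not prefix:
            continue  # other daemons, e.g. sendmail
        hit = RBL_FOUND.match(prefix["msg"]) or VERDICT.match(prefix["msg"])
        if not hit:
            continue  # startup banners, "Spam Actions" lines, and so on
        rec = hits.setdefault(hit["id"], {
            "first_seen": prefix["ts"], "lists": set(),
            "ip": None, "host": None, "verdict": False,
        })
        rec["lists"] |= _list_names(hit["lists"])
        if hit.re is VERDICT:
            rec["ip"] = hit["ip"]
            rec["host"] = hit["rdns"] or None  # "()" in the log is stored as None
            rec["verdict"] = True
    return hits


def summarise(hits):
    """Counts per list and per relay, plus ids listed without a spam verdict line."""
    return {
        "per_list": Counter(n for r in hits.values() for n in r["lists"]),
        "per_ip": Counter(r["ip"] for r in hits.values() if r["ip"]),
        "unconfirmed": sorted(q for q, r in hits.items() if not r["verdict"]),
    }


if __name__ == "__main__":
    report = summarise(parse_rbl_hits(SAMPLE_LOG.splitlines()))
    for name, count in report["per_list"].most_common():
        print(f"{name}: {count} message(s)")
    for ip, count in report["per_ip"].most_common():
        print(f"relay {ip}: {count} message(s) marked as spam")
    for queue_id in report["unconfirmed"]:
        print(f"{queue_id}: listed, but no 'is spam according to' line in this excerpt")
```

An empty result on a busy server is itself a finding: either spam logging is off or no listed relay has connected yet.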
From: dlovelace at HOTELS.COM (Dale Lovelace)
Date: Thu Jan 12 21:16:29 2006
Subject: Logging mailed marked as spam by RBL
Message-ID: <95DD6F026D9C5C459E262B9C385C478E59819E@h-file04.180096hotel.com>

Ok, I finally got some spam from a RBL'ed site so I could see the log entry. I noticed a strange entry:

Nov 19 13:13:25 relay-01 MailScanner[24780]: Spam Actions: (RBL) Bounce To

And that's it. Shouldn't the $from be at the end of the line? I noticed that SpamAssassin bounce lines were similar in that they left off the $from.

Bug?

Thanks,

Dale Lovelace

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Tuesday, November 19, 2002 12:55 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Logging mailed marked as spam by RBL

At 18:46 19/11/2002, you wrote:
> When MailScanner marks a message as spam because it is in the RBL, does
> it log this? If so, what does the log entry look like?

Set
Log Spam = yes
and you'll see.

> Is there a way to test to make sure MailScanner is marking mail that is
> from an RBLed site as spam?

Relay a message through it, i.e. send yourself some mail using the open relay as your smtp server.
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From mbest at JET2.NET Tue Nov 19 19:42:26 2002
From: mbest at JET2.NET (Matt)
Date: Thu Jan 12 21:16:29 2006
Subject: red hat 8 weirdness
Message-ID: <036301c29003$c9ca1180$0201a8c0@RADIUS>

Hello,

Just a couple problems I am having here with Red Hat 8.0 and MailScanner 4.05-3:

Mailscanner is restarting itself every 10 seconds, regardless of what I have set in the /etc/MailScanner.conf.

Is there a way in the new mailscanner to turn off the Virus Scanning but still use the attachment scanning? I was able to do this in previous versions. I am having some problems getting it to read the sophos IDE files, and just wanted to test it out without using the virus scanner.

Can anyone steer me in the right direction here?

Thanks..

Regards,
Matt

From mailscanner at ecs.soton.ac.uk Tue Nov 19 20:16:23 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:29 2006
Subject: Logging mailed marked as spam by RBL
In-Reply-To: <95DD6F026D9C5C459E262B9C385C478E59819E@h-file04.180096hote l.com>
Message-ID: <5.2.0.9.2.20021119201539.022a9b28@imap.ecs.soton.ac.uk>

At 19:53 19/11/2002, you wrote:
> Ok, I finally got some spam from a RBL'ed site so I could see the log
>entry. I noticed a strange entry:
>
>Nov 19 13:13:25 relay-01 MailScanner[24780]: Spam Actions: (RBL) Bounce
>To
>
> And that's it. Shouldn't the $from be at the end of the line? I
>noticed that SpamAssassin bounce lines were similar in that they left
>off the $from.
>
> Bug?

Indeed. Fixed.
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Tue Nov 19 20:18:17 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:29 2006
Subject: red hat 8 weirdness
In-Reply-To: <036301c29003$c9ca1180$0201a8c0@RADIUS>
Message-ID: <5.2.0.9.2.20021119201719.022efce8@imap.ecs.soton.ac.uk>

At 19:42 19/11/2002, you wrote:
>Just a couple problems I am having here with Red Hat 8.0 and MailScanner
>4.05-3:
>
>Mailscanner is restarting itself every 10 seconds, regardless of what I have
>set in the /etc/MailScanner.conf.

What does the maillog say?

>Is there a way in the new mailscanner to turn off the Virus Scanning but
>still use the attachment scanning? I was able to do this in previous
>versions. I am having some problems getting it to read the sophos IDE
>files, and just wanted to test it out without using the virus scanner.

Set
Virus Scanners = none
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From mbest at JET2.NET Tue Nov 19 20:08:32 2002
From: mbest at JET2.NET (Matt)
Date: Thu Jan 12 21:16:29 2006
Subject: red hat 8 weirdness
References: <5.2.0.9.2.20021119201719.022efce8@imap.ecs.soton.ac.uk>
Message-ID: <039801c29007$6f7c67b0$0201a8c0@RADIUS>

----- Original Message -----
From: "Julian Field"
To:
Sent: November 19, 2002 3:18 PM
Subject: Re: red hat 8 weirdness

> At 19:42 19/11/2002, you wrote:
> >Just a couple problems I am having here with Red Hat 8.0 and MailScanner
> >4.05-3:
> >
> >Mailscanner is restarting itself every 10 seconds, regardless of what I have
> >set in the /etc/MailScanner.conf.
>
> What does the maillog say?

Hi Julian,

Great program btw, I use it on a handful of linux servers and got my colleague in Toronto to use it on his Cobalt RaQ. We both love it.

Here's my maillog:

--- snip ---
Nov 19 14:39:13 worm sendmail[1400]: alias database /etc/aliases rebuilt by mbest
Nov 19 14:39:13 worm sendmail[1400]: /etc/aliases: 64 aliases, longest 10 bytes, 636 bytes total
Nov 19 14:39:13 worm sendmail[1409]: starting daemon (8.12.5): SMTP
Nov 19 14:39:13 worm sendmail[1414]: starting daemon (8.12.5): queueing@00:15:00
Nov 19 14:39:14 worm MailScanner[1426]: MailScanner
Nov 19 14:39:14 worm MailScanner[1426]: MailScanner E-Mail Virus Scanner version 4.05-3 starting...
Nov 19 14:39:14 worm MailScanner[1426]: Using locktype = flock
Nov 19 14:39:24 worm MailScanner[1428]: MailScanner
Nov 19 14:39:24 worm MailScanner[1428]: MailScanner E-Mail Virus Scanner version 4.05-3 starting...
Nov 19 14:39:24 worm MailScanner[1428]: Using locktype = flock
Nov 19 14:39:34 worm MailScanner[1430]: MailScanner
Nov 19 14:39:34 worm MailScanner[1430]: MailScanner E-Mail Virus Scanner version 4.05-3 starting...
Nov 19 14:39:34 worm MailScanner[1430]: Using locktype = flock
--- snip ---

> Set
> Virus Scanners = none
>

Doh, should have seen that one. Thanks!

--Matt

> --
> Julian Field Teaching Systems Manager
> jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
> Tel. 023 8059 2817 University of Southampton
> Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Tue Nov 19 20:33:48 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:29 2006
Subject: red hat 8 weirdness
In-Reply-To: <039801c29007$6f7c67b0$0201a8c0@RADIUS>
References: <5.2.0.9.2.20021119201719.022efce8@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20021119203018.022eae78@imap.ecs.soton.ac.uk>

At 20:08 19/11/2002, you wrote:
> > At 19:42 19/11/2002, you wrote:
> > >Just a couple problems I am having here with Red Hat 8.0 and MailScanner
> > >4.05-3:
> > >
> > >Mailscanner is restarting itself every 10 seconds, regardless of what I
>have
> > >set in the /etc/MailScanner.conf.
> >
> > What does the maillog say?
>
>Hi Julian,
>
>Great program btw, I use it on a handful of linux servers and got my
>colleague in Toronto to use it on his Cobalt RaQ. We both love it.

Glad you like it! Have you added a comment in the "guest book" on the website yet?

>Here's my maillog:
>
>--- snip ---
>Nov 19 14:39:13 worm sendmail[1400]: alias database /etc/aliases rebuilt by
>mbest
>Nov 19 14:39:13 worm sendmail[1400]: /etc/aliases: 64 aliases, longest 10
>bytes, 636 bytes total
>Nov 19 14:39:13 worm sendmail[1409]: starting daemon (8.12.5): SMTP
>Nov 19 14:39:13 worm sendmail[1414]: starting daemon (8.12.5):
>queueing@00:15:00
>Nov 19 14:39:14 worm MailScanner[1426]: MailScanner
>Nov 19 14:39:14 worm MailScanner[1426]: MailScanner E-Mail Virus Scanner
>version 4.05-3 starting...
>Nov 19 14:39:14 worm MailScanner[1426]: Using locktype = flock
>Nov 19 14:39:24 worm MailScanner[1428]: MailScanner
>Nov 19 14:39:24 worm MailScanner[1428]: MailScanner E-Mail Virus Scanner
>version 4.05-3 starting...
>Nov 19 14:39:24 worm MailScanner[1428]: Using locktype = flock
>Nov 19 14:39:34 worm MailScanner[1430]: MailScanner
>Nov 19 14:39:34 worm MailScanner[1430]: MailScanner E-Mail Virus Scanner
>version 4.05-3 starting...
>Nov 19 14:39:34 worm MailScanner[1430]: Using locktype = flock
>--- snip ---

That's normal.
It will start up the parent plus as many child processes as you've got configured in Max Children in MailScanner.conf. By default this is 5. There is a 10 second skew between starting up each MailScanner in order to avoid the "herd of elephants" problem that can plague parallel-processing systems.
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From dlovelace at HOTELS.COM Tue Nov 19 20:53:34 2002
From: dlovelace at HOTELS.COM (Dale Lovelace)
Date: Thu Jan 12 21:16:29 2006
Subject: Logging mailed marked as spam by RBL
Message-ID: <95DD6F026D9C5C459E262B9C385C478E327DBA@h-file04.180096hotel.com>

Thanks! Would you mind if I asked a stupid perl question? In the file /usr/lib/MailScanner/MailScanner/Config.pm you use "new FileHandle" quite a few times. Where does the object "FileHandle" come from?

I am trying to steal from your Config.pm to read in the config file for the MailScanner log analyzer I am writing :-)

Thanks,

Dale

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Tuesday, November 19, 2002 2:16 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Logging mailed marked as spam by RBL

At 19:53 19/11/2002, you wrote:
> Ok, I finally got some spam from a RBL'ed site so I could see the log
>entry. I noticed a strange entry:
>
>Nov 19 13:13:25 relay-01 MailScanner[24780]: Spam Actions: (RBL) Bounce
>To
>
> And that's it. Shouldn't the $from be at the end of the line? I
>noticed that SpamAssassin bounce lines were similar in that they left
>off the $from.
>
> Bug?

Indeed. Fixed.
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Tue Nov 19 20:58:01 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:29 2006
Subject: Logging mailed marked as spam by RBL
In-Reply-To: <95DD6F026D9C5C459E262B9C385C478E327DBA@h-file04.180096hote l.com>
Message-ID: <5.2.0.9.2.20021119205656.02293ea8@imap.ecs.soton.ac.uk>

At 20:53 19/11/2002, you wrote:
> Thanks! Would you mind if I asked a stupid perl question? In the file
>/usr/lib/MailScanner/MailScanner/Config.pm you use "new FileHandle"
>quite a few times. Where does the object "FileHandle" come from?

There should be a
use FileHandle;
somewhere in there.

> I am trying to steal from your Config.pm to read in the config file
>for the MailScanner log analyzer I am writing :-)

Sounds like a good idea. A decent conf-file-checker would be useful too.
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From bidwell at ANDREWS.EDU Tue Nov 19 21:58:14 2002
From: bidwell at ANDREWS.EDU (Daniel Bidwell)
Date: Thu Jan 12 21:16:29 2006
Subject: Connecting mailscanner to sendmail
Message-ID: <1037743097.744.7.camel@samwise>

I am running MailScanner 4.05-3 with sendmail 8.12.6 on a Debian system and am having trouble getting sendmail to leave the message in the queue for MailScanner to see and process. If I stop sendmail and drop some q/df files into the queue MailScanner immediately grabs them and processes them and sends them on appropriately. If sendmail is running and receives a message it immediately processes it and sends it along with giving MailScanner a chance to look at it.

Everything else works great, but how do I get sendmail to put it in the queue and leave it there long enough for MailScanner to see it?

I have tried commenting out the ControlSocketName=... in the sendmail.cf file, but still no luck.

Any suggestions?
--
Daniel R. Bidwell | bidwell@andrews.edu
Andrews University
Computer Science & Information Systems Department
If two always agree, one of them is unnecessary
"Friends don't let friends do DOS"
"In theory, theory and practice are the same. In practice, however, they are not."

From sean at NISD.NET Tue Nov 19 22:11:47 2002
From: sean at NISD.NET (Sean Embry)
Date: Thu Jan 12 21:16:29 2006
Subject: GroupWise considerations
Message-ID:

The GroupWise MUA does not allow users to apply rulesets to X-header information, making filtering on X-spam-score impossible. Is there an option to put the spam score in the subject line or the body of the message?

Thanks!

From jrudd at UCSC.EDU Tue Nov 19 22:51:48 2002
From: jrudd at UCSC.EDU (John Rudd)
Date: Thu Jan 12 21:16:29 2006
Subject: [Fwd: Rejected posting to MAILSCANNER@JISCMAIL.AC.UK]
Message-ID: <3DDAC084.72DE19FE@ucsc.edu>
> From: Jan-Peter Koopmann
>
> > > There is no simple rule for Outlook etc. that would allow me to put
> > > all Spam-Mail in some folder. Currently I would have to put all
> > > possible X-MailScanner-SpamCheck Messages in the word list.
> > Proposal:
> >
> > Easy enough to do. You decide what spam score would be spam
> > and filter on the X-MailScanner-SpamScore header. For example
> > if you decided that anything with a spam score of 5 was spam
> > you'd tell Outlook that any message whose
> > X-MailScanner-SpamCheck: header contained sssss should go
> > into a Spam folder.
>
> Yet if you use this even messages that are not spam (due to whitelist)
> but have a high SpamAssassin score are sorted out by the rule.
> Unfortunately Outlook cannot create rules like "Move message if
> X-MailScanner-Spamscore: sssss unless X-MailScanner-SpamCheck: not
> spam"...

What I do is have 2 rules that look for lines that start with:

(rule 1) X-MailScanner-SpamCheck: SpamAssassin
(rule 2) X-MailScanner-SpamCheck: ORDB-RBL

And both of them have the same action (put it in my spam folder). These two only happen if the message is spam.

Though, I do agree that I would prefer a positive "is spam" to parallel the negative "not spam".

The downside of my technique is that you have to have one rule for each of your spam types (SpamAssassin, each RBL, etc.), and you have to know what those various responses will look like. For me it's easy because we only use SpamAssassin and ORDB (and we'll probably stop using ORDB). But, it does work in things like procmail, netscape's sorting rules, etc. I have no idea if it works in outlook though; I don't know what outlook's sorting/filtering rules look like.

I would also like to see an option for the SpamScore header to _always_ appear, even if it's empty (because the spam score was less than zero).

-------------- next part --------------
An embedded message was scrubbed...
From: John Rudd Subject: Re: Header change format Date: Tue, 19 Nov 2002 11:00:39 -0800 Size: 2615 Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021119/4367bcf6/nsmail3DDAC058B2A1C17.mht From chicks at CHICKS.NET Tue Nov 19 23:31:18 2002 From: chicks at CHICKS.NET (Christopher Hicks) Date: Thu Jan 12 21:16:29 2006 Subject: Logging mailed marked as spam by RBL In-Reply-To: <5.2.0.9.2.20021119205656.02293ea8@imap.ecs.soton.ac.uk> Message-ID: On Tue, 19 Nov 2002, Julian Field wrote: > > I am trying to steal from your Config.pm to read in the config file > >for the MailScanner log analyzer I am writing :-) > > Sounds like a good idea. A decent conf-file-checker would be useful too. Have you ever looked at AppConfig? It's very slick IMHO. -- Programming is a Dark Art, and it will always be. The programmer is fighting against the two most destructive forces in the universe: entropy and human stupidity. They're not things you can always overcome with a "methodology" or on a schedule. -Damian Conway, Perl God From nathan at TCPNETWORKS.NET Tue Nov 19 23:51:30 2002 From: nathan at TCPNETWORKS.NET (Nathan Johanson) Date: Thu Jan 12 21:16:29 2006 Subject: f-prot 3.12b Message-ID: I just noticed that a new version of f-prot 3.12b was released. I'm currently using version 3.12a. I remember that f-prot made some changes in output for version 3.12a that precipitated some changes to MailScanner. Before I move to this new version, I want to make sure there aren't any potential issues this time around. Is it safe to install version 3.12b? Has anyone else been using this with the recent flavors of MailScanner 3.x and 4.x? Sincerely, Nathan Johanson Email: nathan@tcpnetworks.net From nathan at TCPNETWORKS.NET Wed Nov 20 00:04:49 2002 
From: nathan at TCPNETWORKS.NET (Nathan Johanson) Date: Thu Jan 12 21:16:29 2006 Subject: Upgrading SpamAssassin (and Perl Modules) Message-ID: This may be a little OT, but you guys are so helpful... An easy question. If I have already installed the SpamAssasin 2.31 via tar ball. And I want to upgrade to version 2.43, is it a simple matter of downloading the tar ball, running make, make test, make install, and installing over the top of older version? The same goes for updating perl modules (it appears to just install over the top, but I'm curious what's going on behind the scenes). During make install of a new version, does it remove the old files first before writing the new ones? Or does it simply overwrite them? And if so, is there any danger of leaving older, defunct files behind that could bite me in the ass down the road? Should I try to clean out the old version first? Thanks in advance! Sincerely, Nathan Johanson Email: nathan@tcpnetworks.net From richard.siddall at ELIRION.NET Wed Nov 20 00:11:20 2002 
From: richard.siddall at ELIRION.NET (Richard Siddall) Date: Thu Jan 12 21:16:29 2006 Subject: f-prot 3.12b References: Message-ID: <3DDAD328.9B755268@elirion.net> Nathan Johanson wrote: > > I just noticed that a new version of f-prot 3.12b was released. I'm currently using version 3.12a. > I remember that f-prot made some changes in output for version 3.12a that precipitated some changes to MailScanner. Before I move to this new version, I want to make sure there aren't any potential issues this time around. > > Is it safe to install version 3.12b? Has anyone else been using this with the recent flavors of MailScanner 3.x and 4.x? > > Sincerely, > > Nathan Johanson > Email: nathan@tcpnetworks.net Apparently we've been using 3.12b for about a month with MailScanner 3.2x, with no problems so far. (We haven't upgraded to 4.x as I don't look forward to having to install a second copy of Perl on the RaQ.) Regards, Richard Siddall. From mkettler at EVI-INC.COM Wed Nov 20 00:43:05 2002 
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:16:29 2006 Subject: Upgrading SpamAssassin (and Perl Modules) In-Reply-To: Message-ID: <5.1.1.6.0.20021119193551.01ef33f8@192.168.50.2> I recently did this upgrade myself. It was more-or-less trouble free. I think I had one extra perl module I needed to add. One thing to be aware of is that if you've added any subdirectories to /usr/share/spamassasin remove them or the install fails. Also be aware that all of /usr/share/spamassasin/* will be obliterated and the directory will be rmdir'ed during the upgrade. A new directory with new rules will be created. I'm not sure if it uses the same approach to removing the old perl module files, but it does work if installed over an old version. You shouldn't need to clean anything out, but be sure to specify the same PREFIX if you installed it somewhere other than the default. (ie: at one point I wound up with two copies on my test box, one in /usr/ and one in /usr/local) At 04:04 PM 11/19/2002 -0800, Nathan Johanson wrote: >This may be a little OT, but you guys are so helpful... > >An easy question. If I have already installed the SpamAssassin 2.31 via tar >ball. And I want to upgrade to version 2.43, is it a simple matter of >downloading the tar ball, running make, make test, make install, and >installing over the top of older version? The same goes for updating perl >modules (it appears to just install over the top, but I'm curious what's >going on behind the scenes). > >During make install of a new version, does it remove the old files first >before writing the new ones? Or does it simply overwrite them? And if so, >is there any danger of leaving older, defunct files behind that could bite >me in the ass down the road? Should I try to clean out the old version first? > >Thanks in advance! > >Sincerely, > >Nathan Johanson >Email: nathan@tcpnetworks.net From mailscanner at ecs.soton.ac.uk Wed Nov 20 03:55:55 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:29 2006 Subject: GroupWise considerations In-Reply-To: Message-ID: <5.2.0.9.2.20021120035442.03129a90@imap.ecs.soton.ac.uk> At 22:11 19/11/2002, you wrote: >The GroupWise MUA does not allow users to apply >rulesets to X-header information, making filtering >on X-spam-score impossible. > >Is there an option to put the spam score in the >subject line or the body of the message? Not at the moment, no. They can still filter on whatever spam tag you put in the subject line. You could set a different tag for low-scoring vs. high-scoring spam, which would be better than nothing. There is no way to run a decent MUA, I guess? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Wed Nov 20 03:54:26 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:29 2006 Subject: Connecting mailscanner to sendmail In-Reply-To: <1037743097.744.7.camel@samwise> Message-ID: <5.2.0.9.2.20021120035300.023939e0@imap.ecs.soton.ac.uk> Sounds like you have the normal sendmail process running as well as MailScanner. You should have 1) 2 sendmail processes, both of which are started by the MailScanner init.d script. Neither one is started by the sendmail init.d script (and this script should be disabled). 2) 1 or more MailScanner processes (you will get 6 by default) started by the MailScanner init.d script. At 21:58 19/11/2002, you wrote: >I am running MailScanner 4.05-3 with sendmail 8.12.6 on a Debian system >and am having trouble getting sendmail to leave the message in the queue >for MailScanner to see and process. > >If I stop sendmail and drop some q/df files into the queue MailScanner >immediately grabs them and processes them and sends them on >appropriately. If sendmail is running and receives a message it >immediately processes it and sends it along with giving MailScanner a >chance to look at it. > >Everything else works great, but how do I get sendmail to put it in the >queue and leave it there long enough for MailScanner to see it? > >I have tried commenting out the ControlSocketName=... in the sendmail.cf >file, but still no luck. Any suggestions? >-- >Daniel R. Bidwell | bidwell@andrews.edu >Andrews University Computer Science & Information Systems Department >If two always agree, one of them is unnecessary >"Friends don't let friends do DOS" >"In theory, theory and practice are the same. >In practice, however, they are not." -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From Jan-Peter.Koopmann at SECEIDOS.DE Wed Nov 20 08:11:14 2002 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:16:29 2006 Subject: Header change format Message-ID: <4E7026FF8A422749B1553FE508E00680053D92@message.intern.akctech.de> Hi Julian, > The SpamScore proposal above is simple and doesn't create > compatibility problems. > > But does it do enough of what you want? If not, I don't want > to do it. But if yes, then that will probably be my chosen solution. As far as I can see: Yes that solution would suffice. As long as X-MailScanner-SpamScore only appears when the message is not whitelisted etc. that would do it. I cannot see though, why backwards compatibility should be a problem. You could still write the X-MailScanner-SpamCheck header at exactly the same points under the same conditions and people would not have to change their rules. Frankly I do not know how these guys do their filtering as they should have the same problems. Regards, JP From Jan-Peter.Koopmann at SECEIDOS.DE Wed Nov 20 08:14:55 2002 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:16:29 2006 Subject: [Fwd: Rejected posting to MAILSCANNER@JISCMAIL.AC.UK] Message-ID: <4E7026FF8A422749B1553FE508E00680053D93@message.intern.akctech.de> Hi John, > What I do is have 2 rules that look for lines that start with: I am using the same config. > The downside of my technique is that you have to have one > rule for each of your spam types (SpamAssassin, each RBL, > etc.), and you have to know what those various responses will > look like. For me it's easy because we only use SpamAssassin My point exactly. Regards, JP From Jan-Peter.Koopmann at SECEIDOS.DE Wed Nov 20 08:20:38 2002 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:16:29 2006 Subject: syslog logging stops Message-ID: <4E7026FF8A422749B1553FE508E00680053D94@message.intern.akctech.de> Hi, does anybody have the same problem? After a few hours of operation MailScanner stops to log its messages to my /var/log/maillog. After its regular restart everything is back to normal. I am using FreeBSD 4.7 and syslog-ng. Thanks, JP -- ----------------------------------------------------------------------- Seceidos GmbH | Jan-Peter Koopmann | Senior Engineer Wilhelminenstr. 2 | Tel.: +49 (6151) 66843-43 64283 Darmstadt | +49 (6151) 9511-252 (24H VoiceCenter) Germany | Fax: +49 (6151) 66843-52 ----------------------------------------------------------------------- From Jan-Peter.Koopmann at SECEIDOS.DE Wed Nov 20 08:24:51 2002 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:16:29 2006 Subject: RBL checks in MailScanner Message-ID: <4E7026FF8A422749B1553FE508E00680053D95@message.intern.akctech.de> Hi, one small question: What exactly is checked by MailScanner? All IPs in the received lines or just the latest? If all participating servers are checked I can safely remove RBL-Checks in SpamAssassin. Thanks, JP -- ----------------------------------------------------------------------- Seceidos GmbH | Jan-Peter Koopmann | Senior Engineer Wilhelminenstr. 2 | Tel.: +49 (6151) 66843-43 64283 Darmstadt | +49 (6151) 9511-252 (24H VoiceCenter) Germany | Fax: +49 (6151) 66843-52 ----------------------------------------------------------------------- From bigdog at DOGPOUND.VNET.NET Wed Nov 20 14:55:46 2002 
From: bigdog at DOGPOUND.VNET.NET (Matthew Davis) Date: Thu Jan 12 21:16:29 2006 Subject: Header change format In-Reply-To: <5.2.0.9.2.20021119171526.08dad878@imap.ecs.soton.ac.uk>; from mailscanner@ECS.SOTON.AC.UK on Tue, Nov 19, 2002 at 05:17:48PM +0000 References: <4E7026FF8A422749B1553FE508E00680053D8B@message.intern.akct ech.de> <5.2.0.9.2.20021119171526.08dad878@imap.ecs.soton.ac.uk> Message-ID: <20021120095546.A24291@dogpound.vnet.net> * Julian Field (mailscanner@ECS.SOTON.AC.UK) wrote: > But I should only add "spam" when they have requested to always add the > header, as people can currently do spam filtering based on just the > presence of the SpamCheck header. One issue I ran into when I setup my system was the fact mailscanner strips out some spamassassin headers. From http://spamassassin.org/doc/spamassassin.html X-Spam-Flag: header Set to YES. or X-Spam-Status: header A string, Yes, hits=nn required=nn is set in this header to reflect the filter status. I started using spamassassin by itself then added mailscanner later, but I was filtering using the X-Spam-Flag if it was present or not. And I noticed mailscanner didn't pass that flag thru. -- Matthew Davis http://dogpound.vnet.net/ ---------------------------------------------------------------- In /dev/null no one can hear you scream... ---------------------------------------------------------------- Wednesday, November 20, 2002 / 09:46AM From mailscanner at ecs.soton.ac.uk Wed Nov 20 15:22:45 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:29 2006 Subject: RBL checks in MailScanner In-Reply-To: <4E7026FF8A422749B1553FE508E00680053D95@message.intern.akct ech.de> Message-ID: <5.2.0.9.2.20021120152222.07175e28@imap.ecs.soton.ac.uk> At 08:24 20/11/2002, you wrote: >one small question: What exactly is checked by MailScanner? All IPs in the >received lines or just the latest? If all participating servers are >checked I can safely remove RBL-Checks in SpamAssassin. Just the last one, as it's the only one you can even vaguely trust. And even that could be fake. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Wed Nov 20 15:23:38 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:29 2006 Subject: Header change format In-Reply-To: <20021120095546.A24291@dogpound.vnet.net> References: <5.2.0.9.2.20021119171526.08dad878@imap.ecs.soton.ac.uk> <4E7026FF8A422749B1553FE508E00680053D8B@message.intern.akct ech.de> <5.2.0.9.2.20021119171526.08dad878@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20021120152308.070a1e70@imap.ecs.soton.ac.uk> At 14:55 20/11/2002, you wrote: >* Julian Field (mailscanner@ECS.SOTON.AC.UK) wrote: > > But I should only add "spam" when they have requested to always add the > > header, as people can currently do spam filtering based on just the > > presence of the SpamCheck header. > >One issue I ran into when I setup my system was the fact mailscanner >strips out some spamassassin headers. It doesn't strip them out, it never creates them in the first place. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Wed Nov 20 15:28:37 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:29 2006 Subject: Header change format In-Reply-To: <4E7026FF8A422749B1553FE508E00680053D92@message.intern.akct ech.de> Message-ID: <5.2.0.9.2.20021120152356.07123c10@imap.ecs.soton.ac.uk> At 08:11 20/11/2002, you wrote: >Hi Julian, > > > The SpamScore proposal above is simple and doesn't create > > compatibility problems. > > > > But does it do enough of what you want? If not, I don't want > > to do it. But if yes, then that will probably be my chosen solution. > >As far as I can see: Yes that solution would suffice. As long as >X-MailScanner-SpamScore only appears when the message is not whitelisted >etc. that would do it. I cannot see though, why backwards compatibility >should be a problem. You could still write the X-MailScanner-SpamCheck >header at exactly the same points under the same conditions and people >would not have to change their rules. Okay, 1) Message is not spam. SpamCheck header only appears if "Always Include SpamAssassin Report = yes". Header starts with "not spam". SpamScore header appears unless message is whitelisted. 2) Message is spam. SpamCheck header appears, and starts with "spam". SpamScore header appears. The only drawback of that is a change in the use of "Always Include SpamAssassin Report", it now really means "Always Include Spam Report". -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From billa at STERLING.NET Wed Nov 20 15:30:20 2002 From: billa at STERLING.NET (Bill Anderson) Date: Thu Jan 12 21:16:29 2006 Subject: f-prot 3.12b In-Reply-To: Message-ID: I have been running 3.12b with no problems on 4.x. > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Nathan Johanson > Sent: Tuesday, November 19, 2002 3:52 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: f-prot 3.12b > > > I just noticed that a new version of f-prot 3.12b was released. > I'm currently using version 3.12a. > I remember that f-prot made some changes in output for version > 3.12a that precipitated some changes to MailScanner. Before I > move to this new version, I want to make sure there aren't any > potential issues this time around. > > Is it safe to install version 3.12b? Has anyone else been using > this with the recent flavors of MailScanner 3.x and 4.x? > > Sincerely, > > Nathan Johanson > Email: nathan@tcpnetworks.net > From lbergman at wtxs.net Wed Nov 20 16:02:03 2002 From: lbergman at wtxs.net (Lewis Bergman) Date: Thu Jan 12 21:16:29 2006 Subject: f-prot 3.12b In-Reply-To: References: Message-ID: <200211201002.03725.lbergman@wtxs.net> On Tuesday 19 November 2002 05:51 pm, Nathan Johanson wrote: > I just noticed that a new version of f-prot 3.12b was released. I'm > currently using version 3.12a. I remember that f-prot made some changes in > output for version 3.12a that precipitated some changes to MailScanner. > Before I move to this new version, I want to make sure there aren't any > potential issues this time around. > > Is it safe to install version 3.12b? Has anyone else been using this with > the recent flavors of MailScanner 3.x and 4.x? We use it with 4 and used it with 3. No problems. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From Jan-Peter.Koopmann at SECEIDOS.DE Wed Nov 20 16:03:25 2002 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:16:29 2006 Subject: Header change format Message-ID: <4E7026FF8A422749B1553FE508E00680053D9D@message.intern.akctech.de> > Okay, PERFECT! Thanks a lot! What version will that be in? JP From mailscanner at ecs.soton.ac.uk Wed Nov 20 17:12:52 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:29 2006 Subject: Header change format In-Reply-To: <4E7026FF8A422749B1553FE508E00680053D9D@message.intern.akct ech.de> Message-ID: <5.2.0.9.2.20021120170650.01fea8a0@imap.ecs.soton.ac.uk> At 16:03 20/11/2002, you wrote: > > Okay, > >PERFECT! Thanks a lot! Consider it done :-) >What version will that be in? 4.06, which is still brewing. I might release it this weekend, but I've got a few things to check up on first. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From Stephen.Dawes at GOV.CALGARY.AB.CA Wed Nov 20 17:19:02 2002 
From: Stephen.Dawes at GOV.CALGARY.AB.CA (Dawes, Stephen) Date: Thu Jan 12 21:16:29 2006 Subject: Sendmail configuration: Message-ID: New to MailScanner, I have a few questions about configuring sendmail to work the way that I would like it to. However, before I ask the questions, I would like to let you know that I think that I have done my homework first. To outline what I have done so far before posting my questions is: 1. Read the on-line installation documentation. 2. Read through the on-line FAQs. 3. Did a number of searches on the list archives for answers to my questions. 4. Went to and read the information available at www.sendmail.org . 5. Searched the internet in general for what I was looking for. So, now it is to the list that I am turning to see if I have found the right answers, and furthermore, to share what I found in hopes that it will one day help someone else. Scenario: I would like to have MailScanner running on one computer with the mail server located on a second box. From mailscanner at ecs.soton.ac.uk Wed Nov 20 18:48:22 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:29 2006 Subject: Sendmail configuration: In-Reply-To: Message-ID: <5.2.0.9.2.20021120184021.01c8dcf8@imap.ecs.soton.ac.uk> I don't quite see why you need to run MailScanner on a different box from your mail server, if you are using sendmail or Exim on the mail server. It just adds extra complication and really doesn't gain you very much. You need to set up your mail server to accept mail from your "MailScanner" box, and you need to set up your MailScanner box so that it receives mail from the outside world and relays it onto the mail server for you. You should do *all* of that before you think about installing MailScanner itself. Test it. Make sure it all works. Only once you are happy that the mail is going to and from the right places, with all the right addresses and headers, should you install MailScanner on the box that faces the outside world. MailScanner does not get involved with the SMTP service, nor the delivery or addressing of any email that passes through it. So installing MailScanner won't affect the path that mail takes through your systems, which is why you should get them all working first. You might want to ask this list if there is someone who could privately help you set up your mail system the way you want it, but otherwise that is OT (off-topic) for this list. Get back to us when you install MailScanner itself. I'm not being rude or anything, I hope you won't take offence, none is intended. But I do like to keep this list reasonably "on topic" and general mail setup information discussions aren't really relevant to MailScanner itself. Jules. At 17:19 20/11/2002, you wrote: >New to MailScanner, I have a few questions about configuring sendmail to >work the way that I would like it too. However, before I ask the >questions, I would like to let you know that I think that I have done my >homework first. >To outline what I have done so far before posting my questions is: >1. 
Read the on-line installation documentation. >2. Read through the on-line FAQs. >3. Did a number of searches on the list archives for answers to my questions. >4. Went to and read the information available at www.sendmail.org . >5. Searched the internet in general for what I was looking for. >So, now it is to the list that I am turning to see if I have found the >right answers, and furthermore, to share what I found in hopes that it >will one day help someone else. > >Scenario: >I would like to have MailScanner running on one computer with the mail >server located on a second box. > From the link, Deploying MailScanner with Microsoft Exchange Server or > Postfix >(or any other unsupported mail server), which points the reader to Q16 of >the Installation FAQ, I gather that this is not out of the ordinary >and that it indeed can be done. In fact, I observed that there are some >instructions on how to do it. However, as a home linux user, I did not >quite understand all that was being explained. So I went looking for more >information to hopefully help me out. After a few days of digging around, >I uncovered the following information. > > >From the Web site: >http://www.tropicseas.net/reference/sysadmin/html/v09/i02/a6.htm >I read the article "A Linux Email Server" by Marcel Gagné. In this article >he talks about "Setting up Sendmail". (see below for excerpts) >My questions are, would a configuration like that discussed in Marcel's >article: >1. work with MailScanner. >2. fit my scenario for my home linux network? > > >From the article: >"Depending on how your account is set up with your ISP, the domain name of >your server may be something like dhch3-ip1.theirdomain.com , which is not the >best name for setting up the email gateway. For a return address, user >"fred" would wind up as fred@dhcp3-ip.theirdomain.com, when sending mail >from the >local system. 
You can have the Sendmail program put in your domain name by >making the one modification that I recommend in the Sendmail configuration >file. >I mentioned that this email server is not going to be connected to the >Internet, but if you make this easy change now, you won't need to do it later. > >Using your editor, open /etc/sendmail.cf and look for the lines shown in >Listing 1. Notice the part that talks about my official domain name. The >line that >reads Dj$w.Foo.COM has been copied and rewritten with the domain name to >define the "Dj" macro. A macro in Sendmail parlance is very much like an >environment >variable in your Bourne, Korn, or C shell. The Dj macro references your >canonical hostname. For this article, I'll call the domain mycompany.com. > >That is the only change needed in the /etc/sendmail.cf file. The next file >to modify is /etc/sendmail.cw. This file contains a list of all the domains and >systems for which the server will accept mail. For instance, if you edit >the file with your editor, and add the domain name (mycompany.com) and the >localhost >name (localhost), you end up with this simple file: > ># sendmail.cw - include all aliases for your machine here. >mailserv >mailserv.mycompany.com >mycompany.com >localhost > >This tells the Sendmail daemon to accept mail messages addressed to either >user@localhost, or user@mycompany.com, or any of the aliases you have set up. >Next, you need to edit /etc/mail/relay-domains. > >One of the great annoyances of modern email is SPAM (those unwanted bits >of advertising that seem to rain down in your email box). Particularly galling >are the spammers who use other people's email servers to route their mail >traffic. Fortunately, the modern incarnations of Sendmail make it difficult for >spammers to use your machine as a relay. In fact, unless otherwise >specified, Sendmail will refuse to deliver messages from unfamiliar >machines or domains. >That is where the relay-domains file comes into play. 
Edit the file and >add the following: > >localhost >127. >mycompany.com >192.168.1. > >This should cover all hosts in your small, networked office, including any >need you have for using Sendmail to relay messages on the server. Be sure to >include the dot at the end of your localhost domain address (127.) and at >the end of your private network and domain (192.168.1.)." > >AND > >"That's all you really need to do with Sendmail and IMAP in order to send >and receive mail on this small network. > >To DNS or Not to DNS > >For Sendmail to route mail properly, it must be able to resolve domain >names to IP addresses. An email server operating on the Internet uses DNS >servers >for name resolution. > >Simply put, a DNS, or Domain Name Server, takes a system's IP address and >converts it to a more "human" name (like mailserv.mycompany.com). It will also >convert that name back to its numeric IP address. On the server, >mailserv.mycompany.com would become 192.168.1.100, or vice-versa. This >requires the setup >of "zone" files and domain tables and can be quite complex. For the small >network here, it is easier to list host-to-name-to-IP-address mappings in the >/etc/hosts file: > >127.0.0.1 localhost >192.168.1.100 mailserv.mycompany.com mailserv mycompany.com >192.168.1.31 john >192.168.1.32 myrtle >192.168.1.33 bonnie >192.168.1.34 gilbert >192.168.1.35 elvis >192.168.1.36 tux > >Usually, the standard Linux install fires up with a DNS already present. >This is a simple version called a "caching nameserver". For this example, >you need >to get rid of it or it will try to use the DNS to resolve the address of >the local machine. The mail client will usually time out waiting for the system >to return with a failed DNS lookup, which is not a good idea. 
The easiest >way is to rename the /etc/resolv.conf file: > ># mv /etc/resolv.conf /etc/resolv.conf.orig > >Next, stop the DNS by shutting down the named daemon: > ># /etc/rc.d/init.d/named stop > >To make sure named does not restart on boot, use this command: > ># chkconfig --del named > >Of course, if your network has been set up for a while and you have a >fully configured DNS, you should simply continue using it." > >For the full article: >http://www.tropicseas.net/reference/sysadmin/html/v09/i02/a6.htm > > >Thanks! > > >Steve Dawes >PH: (403) 268-5527. >Mailto: sdawes@calgary.ca > > > >NOTICE:: >This communication is intended ONLY for the use of the person or entity >named above and may contain information that is confidential or legally >privileged. If you are not the intended recipient named above or a person >responsible for delivering messages or communications to the intended >recipient, YOU ARE HEREBY NOTIFIED that any use, distribution, or copying >of this communication or any of the information contained in it is >strictly prohibited. If you have received this communication in error, >please notify us immediately by telephone and then destroy or delete this >communication, or return it to us by mail if requested by us. The City of >Calgary thanks you for your attention and cooperation. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From Harish.Amin at DEG.STATE.WI.US Wed Nov 20 18:56:03 2002 From: Harish.Amin at DEG.STATE.WI.US (Amin, Harish) Date: Thu Jan 12 21:16:29 2006 Subject: Connecting mailscanner to sendmail Message-ID: <47F3EDACE4BC3A4594D0D7B504062BBD019C6707@doamail04> Do we have MailScanner init.d script?? Sorry for being ignorant -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Tuesday, November 19, 2002 9:54 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Connecting mailscanner to sendmail Sounds like you have the normal sendmail process running as well as MailScanner. You should have 1) 2 sendmail processes, both of which are started by the MailScanner init.d script. Neither one is started by the sendmail init.d script (and this script should be disabled). 2) 1 or more MailScanner processes (you will get 6 by default) started by the MailScanner init.d script. At 21:58 19/11/2002, you wrote: >I am running MailScanner 4.05-3 with sendmail 8.12.6 on a Debian system >and am having trouble getting sendmail to leave the message in the queue >for MailScanner to see and process. > >If I stop sendmail and drop some q/df files into the queue MailScanner >immediately grabs them and processes them and sends them on >appropriately. If sendmail is running and receives a message it >immediately processes it and sends it along with giving MailScanner a >chance to look at it. > >Everything else works great, but how do I get sendmail to put it in the >queue and leave it there long enough for MailScanner to see it? > >I have tried commenting out the ControlSocketName=... in the sendmail.cf >file, but still no luck. Any suggestions? >-- >Daniel R. Bidwell | bidwell@andrews.edu >Andrews University Computer Science & Information Systems Department >If two always agree, one of them is unnecessary >"Friends don't let friends do DOS" >"In theory, theory and practice are the same. >In practice, however, they are not." -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Wed Nov 20 19:08:49 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:29 2006 Subject: Connecting mailscanner to sendmail In-Reply-To: <47F3EDACE4BC3A4594D0D7B504062BBD019C6707@doamail04> Message-ID: <5.2.0.9.2.20021120190821.0378bf50@imap.ecs.soton.ac.uk> At 18:56 20/11/2002, you wrote: >Do we have MailScanner init.d script?? Sorry for being ignorant Yes. Take a look in /etc/rc.d/init.d >-----Original Message----- 
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Tuesday, November 19, 2002 9:54 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Connecting mailscanner to sendmail > > >Sounds like you have the normal sendmail process running as well as >MailScanner. You should have >1) 2 sendmail processes, both of which are started by the MailScanner >init.d script. Neither one is started by the sendmail init.d script (and >this script should be disabled). >2) 1 or more MailScanner processes (you will get 6 by default) started by >the MailScanner init.d script. > >At 21:58 19/11/2002, you wrote: > >I am running MailScanner 4.05-3 with sendmail 8.12.6 on a Debian system > >and am having trouble getting sendmail to leave the message in the queue > >for MailScanner to see and process. > > > >If I stop sendmail and drop some q/df files into the queue MailScanner > >immediately grabs them and processes them and sends them on > >appropriately. If sendmail is running and receives a message it > >immediately processes it and sends it along with giving MailScanner a > >chance to look at it. > > > >Everything else works great, but how do I get sendmail to put it in the > >queue and leave it there long enough for MailScanner to see it? > > > >I have tried commenting out the ControlSocketName=... in the sendmail.cf > >file, but still no luck. Any suggestions? > >-- > >Daniel R. Bidwell | bidwell@andrews.edu > >Andrews University Computer Science & Information Systems Department > >If two always agree, one of them is unnecessary > >"Friends don't let friends do DOS" > >"In theory, theory and practice are the same. > >In practice, however, they are not." > >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 
023 8059 2817 University of Southampton Southampton SO17 1BJ From Stephen.Dawes at GOV.CALGARY.AB.CA Wed Nov 20 19:06:40 2002 From: Stephen.Dawes at GOV.CALGARY.AB.CA (Dawes, Stephen) Date: Thu Jan 12 21:16:30 2006 Subject: Sendmail configuration: Message-ID: Thanks, you have given me some ideas as to what I am doing wrong in my approach. So I am going to undo some of what I have already done and attack the problem with your approach. I am looking to getting all up and running, and when I do so, I will drop you a line as to the final outcome. (off line if you prefer) I do appreciate the need to stay on topic, so no offence taken by your response. Stephen Dawes The City of Calgary | Phone: (403) 268-5527 Web Business Office #8300 | Fax: (403) 268-6423 PO Box 2100 Postal Station M. | Email: Stephen.Dawes@calgary.ca Calgary, Alberta, Canada. T2P 2M5 | Web: http://www.calgary.ca FOIPP NOTIFICATION This communication is intended ONLY for the use of the person or entity named above and may contain information that is confidential or legally privileged. If you are not the intended recipient named above or a person responsible for delivering messages or communications to the intended recipient, YOU ARE HEREBY NOTIFIED that any use, distribution, or copying of this communication or any of the information contained in it is strictly prohibited. If you have received this communication in error, please notify us immediately by telephone and then destroy or delete this communication, or return it to us by mail if requested by us. Thank you for your attention and co-operation. > -----Original Message----- 
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: 2002 November 20 11:48 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Sendmail configuration: > > > I don't quite see why you need to run MailScanner on a > different box from > your mail server, if you are using sendmail or Exim on the > mail server. It > just adds extra complication and really doesn't gain you very much. > > You need to set up your mail server to accept mail from your > "MailScanner" > box, and you need to set up your MailScanner box so that it > receives mail > from the outside world and relays it onto the mail server for you. > > You should do *all* of that before you think about installing > MailScanner > itself. > Test it. > Make sure it all works. > > Only once you are happy that the mail is going to and from the right > places, with all the right addresses and headers, should you install > MailScanner on the box that faces the outside world. > > MailScanner does not get involved with the SMTP service, nor > the delivery > or addressing of any email that passes through it. > > So installing MailScanner won't affect the path that mail > takes through > your systems, which is why you should get them all working first. > > You might want to ask this list if there is someone who could > privately > help you set up your mail system the way you want it, but > otherwise that is > OT (off-topic) for this list. Get back to us when you install > MailScanner > itself. I'm not being rude or anything, I hope you won't take > offence, none > is intended. But I do like to keep this list reasonably "on > topic" and > general mail setup information discussions aren't really relevant to > MailScanner itself. > > Jules. > > At 17:19 20/11/2002, you wrote: > >New to MailScanner, I have a few questions about configuring > sendmail to > >work the way that I would like it too. 
However, before I ask the > >questions, I would like to let you know that I think that I > have done my > >homework first. > >To outline what I have done so far before posting my questions is: > >1. Read the on-line installation documentation. > >2. read through the on-line FAQs. > >3. Did a number of searches on the list archives for answers > to my questions. > >4. Went to and read the information available at www.sendmail.org . > >5. Searched the internet in general for what I was looking for. > >So, now it is to the list that I am turning to see if I have > found the > >right answers, and further more, to share what I found in > hopes that it > >will one day help someone else. > > > >Scenario: > >I would like to have MailScanner running on one computer > with the mail > >server located on a second box. > > From the link, Deploying MailScanner with Microsoft > Exchange Server or > > Postfix > >(or any other unsupported mail server), which points the > reader to Q16 of > >the of the Installation FAQ, I gather that this is not out > of the ordinary > >and that it indeed can be done. In fact, I observed that > there are some > >instructions on how to do it. However, as a home linux user, > I did not > >quite understand all that was being explained. So I went > looking for more > >information to hopefully help me out. After a few days of > digging around, > >I uncovered the following information. > > > > >From the Web site: > >http://www.tropicseas.net/reference/sysadmin/html/v09/i02/a6.htm > >I read the article "A Linux Email Server" by Marcel Gagn?. > In this article > >he talks about "Setting up Sendmail". (see below for excerpts) > >My question are, would a configuration like that discussed > in Marcel's > >article: > >1. work with MailScanner. > >2. fit my scenario for my home linux network? 
> > > > >From the article: > >"Depending on how your account is set up with your ISP, the > domain name of > >your server may be something like dhch3-ip1.theirdomain.com > , which is not the > >best name for setting up the email gateway. For a return > address, user > >"fred" would wind up as fred@dhcp3-ip.theirdomain.com, when > sending mail > >from the > >local system. You can have the Sendmail program put in your > domain name by > >making the one modification that I recommend in the Sendmail > configuration > >file. > >I mentioned that this email server is not going to be > connected to the > >Internet, but if you make this easy change now, you won't > need to do it later. > > > >Using your editor, open /etc/sendmail.cf and look for the > lines shown in > >Listing 1. Notice the part that talks about my official > domain name. The > >line that > >reads Dj$w.Foo.COM has been copied and rewritten with the > domain name to > >define the "Dj" macro. A macro in Sendmail parlance is very > much like an > >environment > >variable in your Bourne, Korn, or C shell. The Dj macro > references your > >canonical hostname. For this article, I'll call the domain > mycompany.com. > > > >That is the only change needed in the /etc/sendmail.cf file. > The next file > >to modify is /etc/sendmail.cw. This file contains a list of > all the domains and > >systems for which the server will accept mail. For instance, > if you edit > >the file with your editor, and add the domain name > (mycompany.com) and the > >localhost > >name (localhost), you end up with this simple file: > > > ># sendmail.cw - include all aliases for your machine here. > >mailserv > >mailserv.mycompany.com > >mycompany.com > >localhost > > > >This tells the Sendmail daemon to accept mail messages > addressed to either > >user@localhost, or user@mycompany.com, or any of the aliases > you have set up. > >Next, you need to edit /etc/mail/relay-domains. 
> > > >One of the great annoyances of modern email is SPAM (those > unwanted bits > >of advertising that seem to rain down in your email box). > Particularly galling > >are the spammers who use other people's email servers to > route their mail > >traffic. Fortunately, the modern incarnations of Sendmail > make it difficult for > >spammers to use your machine as a relay. In fact, unless otherwise > >specified, Sendmail will refuse to deliver messages from unfamiliar > >machines or domains. > >That is where the relay-domains file comes into play. Edit > the file and > >add the following: > > > >localhost > >127. > >mycompany.com > >192.168.1. > > > >This should cover all hosts in your small, networked office, > including any > >need you have for using Sendmail to relay messages on the > server. Be sure to > >include the dot at the end of your localhost domain address > (127.) and at > >the end of your private network and domain (192.168.1.)." > > > >AND > > > >"That's all you really need to do with Sendmail and IMAP in > order to send > >and receive mail on this small network. > > > >To DNS or Not to DNS > > > >For Sendmail to route mail properly, it must be able to > resolve domain > >names to IP addresses. An email server operating on the > Internet uses DNS > >servers > >for name resolution. > > > >Simply put, a DNS, or Domain Name Server, takes a system's > IP address and > >converts it to a more "human" name (like > mailserv.mycompany.com). It will also > >convert that name back to its numeric IP address. On the server, > >mailserv.mycompany.com would become 192.168.1.100, or > vice-versa. This > >requires the setup > >of "zone" files and domain tables and can be quite complex. 
> For the small > >network here, it is easier to list > host-to-name-to-IP-address mappings in the > >/etc/hosts file: > > > >127.0.0.1 localhost > >192.168.1.100 mailserv.mycompany.com mailserv mycompany.com > >192.168.1.31 john > >192.168.1.32 myrtle > >192.168.1.33 bonnie > >192.168.1.34 gilbert > >192.168.1.35 elvis > >192.168.1.36 tux > > > >Usually, the standard Linux install fires up with a DNS > already present. > >This is a simple version called a "caching nameserver". For > this example, > >you need > >to get rid of it or it will try to use the DNS to resolve > the address of > >the local machine. The mail client will usually time out > waiting for the system > >to return with a failed DNS lookup, which is not a good > idea. The easiest > >way is to rename the /etc/resolv.conf file: > > > ># mv /etc/resolv.conf /etc/resolv.conf.orig > > > >Next, stop the DNS by shutting down the named daemon: > > > ># /etc/rc.d/init.d/named stop > > > >To make sure named does not restart on boot, use this command: > > > ># chkconfig --del named > > > >Of course, if your network has been set up for a while and > you have a > >fully configured DNS, you should simply continue using it." > > > >For the full article: > >http://www.tropicseas.net/reference/sysadmin/html/v09/i02/a6.htm > > > > > >Thanks! > > > > > >Steve Dawes > >PH: (403) 268-5527. > >Mailto: sdawes@calgary.ca > > > > > > > >NOTICE:: > >This communication is intended ONLY for the use of the > person or entity > >named above and may contain information that is confidential > or legally > >privileged. If you are not the intended recipient named > above or a person > >responsible for delivering messages or communications to the > intended > >recipient, YOU ARE HEREBY NOTIFIED that any use, > distribution, or copying > >of this communication or any of the information contained in it is > >strictly prohibited. 
If you have received this communication > in error, > >please notify us immediately by telephone and then destroy > or delete this > >communication, or return it to us by mail if requested by > us. The City of > >Calgary thanks you for your attention and cooperation. > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From mbowman at UDCOM.COM Wed Nov 20 21:10:25 2002 From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:16:30 2006 Subject: spam.actions.conf Message-ID: Greetings, So far I have Spam Action = deliver instead of using spam.actions.conf. However today a client of ours wants us to just delete SPAM email instead of delivering it to them. What is the best way to do this? In spam.actions.conf could I have @customer.com delete @*.* deliver i.e. spam directed to @customer.com will get deleted where as all other domains its delivered? TIA Regards, Matthew K Bowman, Systems Administrator; Hostmaster; Miva Administrator Universal Digital Communications, Mansfield Ohio. From gavin at NETERGY.COM Wed Nov 20 23:21:28 2002 
From: gavin at NETERGY.COM (Gavin Nelmes-Crocker)
Date: Thu Jan 12 21:16:30 2006
Subject: spam.actions.conf
In-Reply-To:
Message-ID:

here are some examples of what I have been doing on a test system

spamactions.low.rules

To: *@choclatier.co.uk forward spam@choclatier.co.uk delete
To: default deliver

spamactions.high.rules

To: *@choclatier.co.uk delete
To: *@spam-me.co.uk store
To: default deliver

and then we have the relevant info in the Mailscanner.conf file to tell it to use these rules.

Basically in the first one for anything with a low score it delivers unless it is going to someone@choclatier in which case it is forwarded to spam@choclatier and deleted from the user. In the case of a high score it is delivered by default except for choclatier where it is deleted and for spam-me.co.uk it is stored in the quarantine.

The rules files make this system incredibly powerful as you can take it even further by defining a rule for each user though what the impact would be in a large user base I don't know.

Hope this helps

Gavin

ps if anyone wants to register me for some spam please feel free to do so at gavin@spam-me.co.uk set up specially for testing - the biggest laugh I've had so far was 2 lists that sent me a mail refusing to add me to their databases - did they get the idea I wonder

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Matthew Bowman
> Sent: 20 November 2002 21:10
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: spam.actions.conf
>
>
> Greetings,
>
> So far I have Spam Action = deliver instead of using spam.actions.conf.
> However today a client of ours wants us to just delete SPAM email instead
> of delivering it to them. What is the best way to do this?
>
> In spam.actions.conf could I have
>
> @customer.com delete
> @*.* deliver
>
> i.e. spam directed to @customer.com will get deleted whereas all other
> domains it's delivered?
>
> TIA
>
> Regards,
>
> Matthew K Bowman,
> Systems Administrator; Hostmaster; Miva Administrator
> Universal Digital Communications, Mansfield Ohio.
>

From alex at IALEX.NET Wed Nov 20 23:56:34 2002
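Added example (not part of Gavin Nelmes-Crocker's message above, and not MailScanner's own code): a small Python checker for rule files like the two he quotes, showing which actions a recipient ends up with and flagging lines that would not behave as intended. It assumes the first matching rule wins, and handles only the "To:" direction, "*" wildcards, "default" and the four actions that appear on this page; parse_rules, actions_for and the sample strings are names made up for the example.

```python
from fnmatch import fnmatchcase

# Constructed samples: the two rule files quoted in the message above.
LOW_RULES = """\
To: *@choclatier.co.uk forward spam@choclatier.co.uk delete
To: default deliver
"""
HIGH_RULES = """\
To: *@choclatier.co.uk delete
To: *@spam-me.co.uk store
To: default deliver
"""
# The form proposed in the original question: no direction, no default.
PROPOSED = """\
@customer.com delete
@*.* deliver
"""
# Constructed: catch-all placed first, so the customer rule can never fire.
MISORDERED = """\
To: default deliver
To: *@customer.com delete
"""

# Assumption: only the actions that appear on this page are recognised.
KNOWN_ACTIONS = {"deliver", "delete", "store", "forward"}


def parse_actions(words, lineno, problems):
    """Turn the words after the pattern into (action, argument) pairs."""
    actions, i = [], 0
    while i < len(words):
        word = words[i].lower()
        if word not in KNOWN_ACTIONS:
            problems.append((lineno, f"unknown action {words[i]!r}"))
        elif word == "forward":
            # "forward" takes the next word as the address to forward to.
            if i + 1 < len(words) and "@" in words[i + 1]:
                actions.append(("forward", words[i + 1]))
                i += 1
            else:
                problems.append((lineno, "forward without an address"))
        else:
            actions.append((word, None))
        i += 1
    return actions


def parse_rules(text):
    """Return (rules, problems); problems are (line number, message) pairs.

    Line number 0 marks a problem with the file as a whole.
    """
    rules, problems, default_line = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if fields[0].lower() != "to:" or len(fields) < 3:
            problems.append((lineno, "not a 'To: pattern action' rule, skipped"))
            continue
        pattern = fields[1].lower()
        actions = parse_actions(fields[2:], lineno, problems)
        if not actions:
            continue
        if default_line is not None:
            problems.append(
                (lineno, f"unreachable: follows 'default' on line {default_line}"))
        elif pattern == "default":
            default_line = lineno
        rules.append((lineno, pattern, actions))
    if default_line is None:
        problems.append((0, "no 'default' rule: unmatched recipients get no explicit action"))
    return rules, problems


def actions_for(rules, recipient):
    """Actions of the first rule whose pattern matches, or None if none does."""
    addr = recipient.lower()
    for _lineno, pattern, actions in rules:
        if pattern == "default" or fnmatchcase(addr, pattern):
            return actions
    return None


if __name__ == "__main__":
    samples = [("low", LOW_RULES), ("high", HIGH_RULES),
               ("proposed", PROPOSED), ("misordered", MISORDERED)]
    for name, text in samples:
        rules, problems = parse_rules(text)
        print(name)
        for lineno, message in problems:
            print(f"  line {lineno}: {message}")
        for rcpt in ("fred@choclatier.co.uk", "gavin@spam-me.co.uk", "bob@customer.com"):
            print(f"  {rcpt}: {actions_for(rules, rcpt)}")
```

The misordered sample is the case worth checking for before a rule file goes live: with the catch-all first, spam for the customer domain is delivered even though a delete rule exists further down.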
From: alex at IALEX.NET (Alex Short)
Date: Thu Jan 12 21:16:30 2006
Subject: Sendmail configuration:
In-Reply-To:
Message-ID:

Part of what you are doing-- redirecting mail after a scan to another mailserver is what I implemented because we run notes.

in /etc/mail/mailertable

domain.com smtp:[second.mailserver.domain.com]

On this very list someone helped me out with that earlier in the month.

Alex

> New to MailScanner, I have a few questions about configuring sendmail to work the way that I would like it to. However, before I ask the questions, I would like to let you know that I think that I have done my homework first.

> Scenario:
> I would like to have MailScanner running on one computer with the mail server located on a second box.
> From the link, Deploying MailScanner with Microsoft Exchange Server or Postfix
> (or any other unsupported mail server), which points the reader to Q16 of the Installation FAQ, I gather that this is not out of the ordinary and that it indeed can be done. In fact, I observed that there are some instructions on how to do it. However, as a home linux user, I did not quite understand all that was being explained. So I went looking for more information to hopefully help me out. After a few days of digging around, I uncovered the following information.
>

From smohan at vsnl.com Thu Nov 21 02:51:25 2002
From: smohan at vsnl.com (S Mohan)
Date: Thu Jan 12 21:16:30 2006
Subject: spam.actions.conf
In-Reply-To:
Message-ID: <000101c29108$e3f44e80$2a405bca@18yamuna>

Why not simply redirect to /dev/null? Will do the job eminently.

Mohan

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Matthew Bowman
Sent: Thursday, November 21, 2002 2:40 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: spam.actions.conf

Greetings,

So far I have Spam Action = deliver instead of using spam.actions.conf. However today a client of ours wants us to just delete SPAM email instead of delivering it to them. What is the best way to do this?

In spam.actions.conf could I have

@customer.com delete
@*.* deliver

i.e. spam directed to @customer.com will get deleted whereas all other domains it's delivered?

TIA

Regards,

Matthew K Bowman,
Systems Administrator; Hostmaster; Miva Administrator
Universal Digital Communications, Mansfield Ohio.

From fong at SHUNKAM.COM Thu Nov 21 06:00:19 2002
From: fong at SHUNKAM.COM (fong)
Date: Thu Jan 12 21:16:30 2006
Subject: Upgrade problems
Message-ID: <00c901c29123$495fc050$57046898@shunkam.com>

Hi,

I am using sendmail + sophos + mailscanner-3.23-5 on redhat 7.3. What steps should I do if I want to upgrade mailscanner to version 4.05-3?

Much Thanks..

Fong Cheang

From mailscanner at ecs.soton.ac.uk Thu Nov 21 09:50:59 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:30 2006
Subject: Upgrade problems
In-Reply-To: <00c901c29123$495fc050$57046898@shunkam.com>
Message-ID: <5.2.0.9.2.20021121094936.057d4308@imap.ecs.soton.ac.uk>

At 06:00 21/11/2002, you wrote:
>Hi,
>
>I am using sendmail + sophos + mailscanner-3.23-5 on redhat 7.3. What steps
>should I do if I want to upgrade mailscanner to version 4.05-3?

Save a copy of the mailscanner.conf file so that you know what customisations you made to it.
Then upgrade to V4 (using the tar of rpm's).
Then go through the V4 configuration files (now in /etc/MailScanner) and configure it the way you want. It will probably take you a couple of hours or so to do completely, so plan for this.
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From alberto at CIED.RIMED.CU Thu Nov 21 14:24:48 2002
From: alberto at CIED.RIMED.CU (Alberto García Fumero)
Date: Thu Jan 12 21:16:30 2006
Subject: Help trying to install MailScanner 4.05-3 on SuSE 7.0
Message-ID: <200211211427.gALERaQ01022@cied.rimed.cu>

Hi all.
I need a helping hand...
I have already installed MailScanner on my SuSE 7.3 workstation and it works great, so I therefore copied all configuration files to the SuSE 7.0 server with the indicated permissions. It doesn't work. No way. It seems the first copy of sendmail simply does not push messages into mqueue.in, so they are not processed. If I change the O QueueDirectory in sendmail.cf to mqueue.in it indeed processes the messages, but they never will leave the mqueue directory. Great.
Here is my configuration:
(In crontab)

*/2 * * * * root [ -x /opt/MailScanner/bin/check_mailscanner ] &&\
/opt/MailScanner/bin/check_mailscanner > /dev/null 2>&1
*/6 * * * * root sendmail -q <----- In SuSE 7.0; in SuSE 7.3 I start sendmail by hand whenever I wish... testing, you know.

In the script that launches sendmail (/etc/rc.d/sendmail) there is the following: (only relevant part here and on one line)

if test -z "$SENDMAIL_ARGS" ; then
 SENDMAIL_ARGS="-bd -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in &&\ -q5m"
fi

In YAST I have the following (the arguments):
-bd -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in && \
sendmail -q5m all in one line.
What am I doing wrong?
---
MSc. Alberto García Fumero
Centro de Información para la Educación
Ministerio de Educación
Linux User No. 97 138
Windows? No, thanks! I do not approve of VAT (Virus Added Tax)

From t.d.lee at DURHAM.AC.UK Thu Nov 21 14:48:06 2002
From: t.d.lee at DURHAM.AC.UK (David Lee) Date: Thu Jan 12 21:16:30 2006 Subject: MS4.x config/runtime issues In-Reply-To: <5.1.0.14.2.20021107182018.031e7ec0@imap.ecs.soton.ac.uk> Message-ID: On Thu, 7 Nov 2002, Julian Field wrote: > At 17:18 07/11/2002, you wrote: > [...] > >3. With v3, I had had the default (and sensible!): > > Outgoing Queue Dir = /var/spool/mqueue > > > > To ensure co-residency on the same physical partition of the other > > directories, they had been subdirectories of this: > > Incoming Queue Dir = /var/spool/mqueue/mq.in > > Incoming Work Dir = /var/spool/mqueue/incoming > > Quarantine Dir = /var/spool/mqueue/quarantine > > Solid and safe. > > Interesting setup, hadn't occurred to me that people might do that. > > > Further, the standard "/var/spool/mqueue" (i.e. "Outgoing Queue Dir") > > was also a separate partition for ease of system maintenance (including > > possible OS replacement). So it also contained a "lost+found". > > > > But under v4 this gives errors: > > Queue directory /var/spool/mqueue cannot contain sub-directories, > > currently contains dir lost+found at > > /opt/MailScanner/bin/MailScanner/Sendmail.pm line 839 > > > > (Presumably each of the other directories could also have given an > > analogous message, had it got that far.) > > > > Is there any reason why v4.x forbids such subdirectory use? > > (Note that the apparently simple solution of making the partition > > "/var/spool" instead of "/var/spool/mqueue" makes OS replacement > > potentially more tricky, as "/var/spool" contians "system" things other > > than mqueue. > > > > Does MailScanner really require this restriction? Can it be removed? > > I thought it was a good idea at the time, but setups such as yours hadn't > occurred to me. On reflection it may be better to remove the check. I will > still look for a q1 or qf directory though, in an attempt to find split > queue directories which sendmail will use if it finds them. 
So you can get > it going now, the minimal patch to Sendmail.pm is attached to this message. > There is actually just 1 extra line of code. That was excellent. Thanks. We have had it running in production on our three Solaris servers (each of 60K-120K msgs/day) for nearly two weeks. Which leads me to... a patch to make this more flexible per-site. We are about to migrate this service from Solaris to Linux. (Upside: the hardware is cheaper; downside: I've got to learn Redhat.) It is going reasonably well. I find that everything is in a different location, but I'm trying to stay with the Redhat/RPM defaults as far as possible. But I would very much like to keep the above scheme: that is, all the MS directories (incoming, outgoing, work, quarantine) in a single partition and as subdirectories of "/var/spool/mqueue". Now these specifications appear not only in the MailScanner.conf file, but some also appear in the startup script "/etc/rc.d/init.d/MailScanner". And that script itself has possible overrides of its data values from "/etc/sysconfig/MailScanner". Editing a script to tweak its data variables feels wrong. Especially so when that script itself reads very similar data from a file. The patch below attempts to begin to rationalise this, to add per-site flexibility, whilst reducing the need to edit the script itself to achieve this. (Based on 4.05-3 RPM download.) ======================== snip ==================== *** /etc/rc.d/init.d/MailScanner.orig Sun Nov 3 22:45:18 2002 --- /etc/rc.d/init.d/MailScanner Thu Nov 21 14:02:01 2002 *************** *** 15,30 **** # Source networking configuration. . /etc/sysconfig/network ! # Source mailscanner configureation. if [ -f /etc/sysconfig/MailScanner ] ; then . /etc/sysconfig/MailScanner - else - QUEUETIME=15m - PIDDIR=/var/run/MailScanner - WORKDIR=/var/spool/MailScanner/incoming - export QUEUETIME - export PIDDIR - export WORKDIR fi # Check that networking is up. --- 15,35 ---- # Source networking configuration. . 
/etc/sysconfig/network ! # Some default values ! QUEUETIME=15m ! PIDDIR=/var/run/MailScanner ! INDIR=/var/spool/mqueue.in ! OUTDIR=/var/spool/mqueue ! WORKDIR=/var/spool/MailScanner/incoming ! export QUEUETIME ! export PIDDIR ! export INDIR ! export OUTDIR ! export WORKDIR ! ! # Source mailscanner configuration. if [ -f /etc/sysconfig/MailScanner ] ; then . /etc/sysconfig/MailScanner fi # Check that networking is up. *************** *** 54,65 **** done fi /usr/sbin/sendmail -bd -ODeliveryMode=queueonly \ ! -OQueueDirectory=/var/spool/mqueue.in success echo } StartOutSendmail() { ! /usr/sbin/sendmail $([ -n "$QUEUETIME" ] && echo -q$QUEUETIME) success echo } --- 59,70 ---- done fi /usr/sbin/sendmail -bd -ODeliveryMode=queueonly \ ! -OQueueDirectory=$INDIR success echo } StartOutSendmail() { ! /usr/sbin/sendmail -OQueueDirectory=$OUTDIR $([ -n "$QUEUETIME" ] && echo -q$QUEUETIME) success echo } ======================== snip ==================== First, it adds INDIR and OUTDIR to the list of variables. Second, it extracts them outside the "if ..." so that they are set, as defaults, regardless. Then "/etc/sysconfig/MailScanner" can override some or all of them, as the site wishes, without diddling with the script. Finally, it then employs the new INDIR and OUTDIR variables in the sendmail start-ups. So it enhances flexibility and reduces (eliminates?) the need to per-site tailor the script (only tailor data file "/etc/sysconfig/MailScanner"). [One possible additional step would be to extract (grep?) these variables (INDIR, OUTDIR, WORKDIR, PIDDIR) out of the MailScanner.conf file. But that would be a large technical change with relatively little payoff.] Seem OK? I like it (but I would say that, wouldn't I?) Incidentally, and changing subject, the "Convert Dangerous HTML To Text" in the pre-release 4.06 I've been running on Solaris is going very well. The local guinea-pig users are very grateful! Herewith their thanks, Julian! -- : David Lee I.T. 
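Review bot: the INDIR and OUTDIR defaults added in the first hunk (new lines 15-35) repeat paths that MailScanner.conf also sets as Incoming Queue Dir and Outgoing Queue Dir, and nothing in the script keeps the two in step. A site that overrides INDIR in /etc/sysconfig/MailScanner without changing MailScanner.conf gets a listening sendmail that queues mail into a directory MailScanner never reads, so messages sit there unscanned and undelivered. Add a comment beside the defaults saying each value must match its MailScanner.conf counterpart, or have the start functions refuse to run when the directories differ.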
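Review bot: in the second hunk (new lines 59-70) StartOutSendmail now always passes -OQueueDirectory=$OUTDIR, where the old line passed no queue directory and left the outgoing sendmail to use the QueueDirectory from sendmail.cf. With the /var/spool/mqueue default from the first hunk, a site that set a different outgoing queue in sendmail.cf is silently overridden after upgrading. Consider leaving OUTDIR without a default and adding the option only when it is set, the way the same line already treats QUEUETIME with `$([ -n "$QUEUETIME" ] && echo -q$QUEUETIME)`. Also quote both expansions ("$INDIR", "$OUTDIR") so that an empty value or one containing a space in /etc/sysconfig/MailScanner cannot become a bare -OQueueDirectory= or a stray extra argument.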
Service :
: Systems Programmer Computer Centre :
: University of Durham :
: http://www.dur.ac.uk/t.d.lee/ South Road :
: Durham :
: Phone: +44 191 374 2882 U.K. :

From info at pro-invest.ca Thu Nov 21 15:19:20 2002
From: info at pro-invest.ca (Investor Services)
Date: Thu Jan 12 21:16:30 2006
Subject: clean_quarantine
Message-ID:

Anyone know where this went? Searched the website to no avail. If someone could provide the latest version, that would be appreciated.

Thanks again,

>>>>>>>>>>>>>>>>>>>>>
Mark Tavares
Professional Investments Inc.
(613)384-7511 ext. 221
1-888-548-8868
<<<<<<<<<<<<<<<<<<<<<
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021121/ef7f9266/attachment.html

From mailscanner at ecs.soton.ac.uk Thu Nov 21 15:28:35 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:30 2006
Subject: clean_quarantine
In-Reply-To:
Message-ID: <5.2.0.9.2.20021121152757.058abed8@imap.ecs.soton.ac.uk>

At 15:19 21/11/2002, you wrote:
>Anyone know where this went? Searched the website to no avail. If someone
>could provide the latest version, that would be appreciated.

It's linked off
http://www.sng.ecs.soton.ac.uk/mailscanner/install/filesnscripts.shtml
which is the "useful files & scripts" link off the downloads page.
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Thu Nov 21 15:15:27 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:30 2006
Subject: Help trying to install MailScanner 4.05-3 on SuSE 7.0
In-Reply-To: <200211211427.gALERaQ01022@cied.rimed.cu>
Message-ID: <5.2.0.9.2.20021121151446.058c1180@imap.ecs.soton.ac.uk>

You don't want to be using the sendmail init.d script. The MailScanner init.d script will start up the 2 required sendmail processes as well as MailScanner itself. So disable the sendmail one and just use the MailScanner one.

At 14:24 21/11/2002, you wrote:
>Hi all.
>I need a helping hand...
>I have already installed MailScanner on my SuSE 7.3 workstation and it works
>great, so I therefore copied all configuration files to the SuSE 7.0 server
>with the indicated permissions. It doesn't work. No way. It seems the first
>copy of sendmail simply does not push messages into mqueue.in, so they are
>not processed. If I change the O QueueDirectory in sendmail.cf to mqueue.in
>it indeed processes the messages, but they never will leave the mqueue
>directory. Great.
>Here is my configuration:
>(In crontab)
>
>*/2 * * * * root [ -x /opt/MailScanner/bin/check_mailscanner ] &&\
>/opt/MailScanner/bin/check_mailscanner > /dev/null 2>&1
>*/6 * * * * root sendmail -q <----- In SuSE 7.0; in SuSE 7.3 I start
>sendmail by hand whenever I wish... testing, you know.
>
>In the script that launches sendmail (/etc/rc.d/sendmail) there is the
>following: (only relevant part here and on one line)
>
>if test -z "$SENDMAIL_ARGS" ; then
> SENDMAIL_ARGS="-bd -ODeliveryMode=queueonly
>-OQueueDirectory=/var/spool/mqueue.in &&\ -q5m"
>fi
>In YAST I have the following (the arguments):
>-bd -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in && \
>sendmail -q5m all in one line.
>What am I doing wrong?
>---
>MSc. Alberto García Fumero
>Centro de Información para la Educación
>Ministerio de Educación
>Linux User No. 97 138
>Windows? No, thanks! I do not approve of VAT (Virus Added Tax)

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Thu Nov 21 15:26:30 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:30 2006 Subject: MS4.x config/runtime issues In-Reply-To: References: <5.1.0.14.2.20021107182018.031e7ec0@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20021121151612.05904eb8@imap.ecs.soton.ac.uk> At 14:48 21/11/2002, you wrote: >On Thu, 7 Nov 2002, Julian Field wrote: > > > At 17:18 07/11/2002, you wrote: > > [...] > > >3. With v3, I had had the default (and sensible!): > > > Outgoing Queue Dir = /var/spool/mqueue > > > > > > To ensure co-residency on the same physical partition of the other > > > directories, they had been subdirectories of this: > > > Incoming Queue Dir = /var/spool/mqueue/mq.in > > > Incoming Work Dir = /var/spool/mqueue/incoming > > > Quarantine Dir = /var/spool/mqueue/quarantine > > > Solid and safe. > > > > Interesting setup, hadn't occurred to me that people might do that. > > > > > Further, the standard "/var/spool/mqueue" (i.e. "Outgoing Queue Dir") > > > was also a separate partition for ease of system maintenance > (including > > > possible OS replacement). So it also contained a "lost+found". > > > > > > But under v4 this gives errors: > > > Queue directory /var/spool/mqueue cannot contain sub-directories, > > > currently contains dir lost+found at > > > /opt/MailScanner/bin/MailScanner/Sendmail.pm line 839 > > > > > > (Presumably each of the other directories could also have given an > > > analogous message, had it got that far.) > > > > > > Is there any reason why v4.x forbids such subdirectory use? > > > (Note that the apparently simple solution of making the partition > > > "/var/spool" instead of "/var/spool/mqueue" makes OS replacement > > > potentially more tricky, as "/var/spool" contians "system" things > other > > > than mqueue. > > > > > > Does MailScanner really require this restriction? Can it be removed? > > > > I thought it was a good idea at the time, but setups such as yours hadn't > > occurred to me. 
On reflection it may be better to remove the check. I will > > still look for a q1 or qf directory though, in an attempt to find split > > queue directories which sendmail will use if it finds them. So you can get > > it going now, the minimal patch to Sendmail.pm is attached to this message. > > There is actually just 1 extra line of code. > >That was excellent. Thanks. We have had it running in production on our >three Solaris servers (each of 60K-120K msgs/day) for nearly two weeks. > >Which leads me to... a patch to make this more flexible per-site. > >We are about to migrate this service from Solaris to Linux. (Upside: the >hardware is cheaper; downside: I've got to learn Redhat.) It is going >reasonably well. I find that everything is in a different location, but >I'm trying to stay with the Redhat/RPM defaults as far as possible. > >But I would very much like to keep the above scheme: that is, all the MS >directories (incoming, outgoing, work, quarantine) in a single partition >and as subdirectories of "/var/spool/mqueue". > >Now these specifications appear not only in the MailScanner.conf file, but >some also appear in the startup script "/etc/rc.d/init.d/MailScanner". >And that script itself has possible overrides of its data values from >"/etc/sysconfig/MailScanner". /etc/sysconfig/MailScanner is where you should put the changes. That's where RedHat keeps localisations for init.d scripts. It will use values defined in there in preference to what is in the init.d script. The /etc/sysconfig file will not be over-written by an upgrade if you edit it. The only things I should have done differently are 1) allow the setting of the mqueue.in directory in the /etc/sysconfig file as well and 2) put the default values outside the "if" statement so it doesn't matter if they aren't mentioned in the /etc/sysconfig file. I have corrected these 2 problems for the next version. 
No insult intended, but personally I do not like the idea of keeping other MS dirs inside /var/spool/mqueue, as they aren't part of mqueue's logical purpose (i.e. a sendmail mail queue and nothing else). >Incidentally, and changing subject, the "Convert Dangerous HTML To Text" >in the pre-release 4.06 I've been running on Solaris is going very well. >The local guinea-pig users are very grateful! Herewith their thanks, >Julian! Glad to hear it is proving useful. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscannerlist at TNJINFL.COM Thu Nov 21 15:43:10 2002 
From: mailscannerlist at TNJINFL.COM (James Pifer)
Date: Thu Jan 12 21:16:30 2006
Subject: Port 25 not open
Message-ID: <1037893390.22464.84.camel@tweety.tnjinfl.com>

We're installing a new server to use in production. I wrote a short list
of steps to install it the exact same way my test servers were set up.
Everything went fine, except port 25 is not open. (it's open on the
firewall settings, just doesn't show up in a port scan and of course we
can't send any mail to it).

MailScanner is definitely running. If I do "service MailScanner reload"
it reloads fine, yet port 25 is still not open. Anyone have any ideas?

The steps we used for installing everything are below. No, I don't know if
sendmail was working before doing the install, so it could be a sendmail
problem. If you think it is, I'll take other avenues to fix the problem.

Any suggestions are appreciated.

Thanks,
James

Here are the steps we took to install everything:

-Fresh install of Redhat 7.3
-Make sure port 25 is open with ipchains -L
-Edit the /etc/mail/sendmail.mc file and comment the following lines:
    dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
    dnl FEATURE(`accept_unresolvable_domains')dnl
-Recreate the sendmail.cf file by doing the following at the command prompt:
    m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
-Install MailScanner using the provided install.sh and install instructions
-Install SpamAssassin using the provided RPM files
-Install F-Prot using the provided RPM file
-Configure MailScanner by modifying /etc/MailScanner/MailScanner.conf
 (look for these settings)
    MTA = sendmail (search for MTA =)
    Virus Scanners = f-prot
    Use SpamAssassin = yes
    SpamAssassin Auto Whitelist = no
    Delivery Method = queue
    Spam Actions = forward address_goes_here
    High Scoring Spam Actions = forward address_goes_here
-Comment out the following lines in /etc/MailScanner/spam.lists.conf
    #MAPS-RBL blackholes.mail-abuse.org.
    #MAPS-DUL dialups.mail-abuse.org.
    #MAPS-RSS relays.mail-abuse.org.
    #MAPS-RBL+ rbl-plus.mail-abuse.ja.net.
-Edit /etc/sysconfig/mailscanner and change queuetime:
    QUEUETIME=5m
-Run the following commands:
    service sendmail stop
    chkconfig sendmail off
    chkconfig MailScanner on
    service MailScanner start

From mbowman at UDCOM.COM Thu Nov 21 15:42:48 2002
From: mbowman at UDCOM.COM (Matthew Bowman)
Date: Thu Jan 12 21:16:30 2006
Subject: clean_quarantine
Message-ID:

This is also effective

find /var/spool/MailScanner/quarantine -mtime +8 -exec rm -fr {} \;

Regards,
Matthew K Bowman, Systems Administrator; Hostmaster; Miva Administrator
Universal Digital Communications, Mansfield Ohio.

Julian Field cc: Sent by: Subject: Re: clean_quarantine MailScanner mailing list 11/21/2002 10:28 AM Please respond to MailScanner mailing list

At 15:19 21/11/2002, you wrote:
>Anyone know where this went? Searched the website to no avail. If someone
>could provide the latest version, that would be appreciated.

It's linked off
http://www.sng.ecs.soton.ac.uk/mailscanner/install/filesnscripts.shtml
which is the "useful files & scripts" link off the downloads page.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From Antony at SOFT-SOLUTIONS.CO.UK Thu Nov 21 15:46:07 2002
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:16:30 2006 Subject: Port 25 not open In-Reply-To: <1037893390.22464.84.camel@tweety.tnjinfl.com> References: <1037893390.22464.84.camel@tweety.tnjinfl.com> Message-ID: <200211211546.gALFkEe08569@vulcan.rissington.net> On Thursday 21 November 2002 3:43 pm, James Pifer wrote: > We're installing a new server to use in production. I wrote a short list > of steps to install it the exact same way my test servers were setup. > Everything went fine, except port 25 is not open. > -Make sure port 25 is open with ipchains -L What does this command show ? What processes do you see running ? Can you connect to port 25 from the local machine, ie: telnet localhost 25 Antony. -- All matter in the Universe can be placed into one of two categories: 1. things which need to be fixed 2. things which will need to be fixed once you've had a few minutes to play with them From RHerban at GRAMTEL.NET Thu Nov 21 15:41:27 2002 From: RHerban at GRAMTEL.NET (Randy Herban) Date: Thu Jan 12 21:16:30 2006 Subject: Port 25 not open Message-ID: I have noticed this too and it bugged me many hours until I found the problem. There is a line in the sendmail.cf specifying which ip/port to bind to, for some reason it is only bound to 127.0.0.1 by default. I have just been changing that to the public IP of my server and killall -HUP sendmail and it is working then. -Randy -----Original Message----- 
From: James Pifer [mailto:mailscannerlist@TNJINFL.COM] Sent: Thursday, November 21, 2002 10:43 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Port 25 not open We're installing a new server to use in production. I wrote a short list of steps to install it the exact same way my test servers were setup. Everything went fine, except port 25 is not open. (it's open on the firewall settings, just doesn't show up in a port scan and of course we can't send any mail to it). MailScanner is definitely running. If I do "service MailScanner reload" it reloads fine, yet port 25 is still not open. Anyone have any ideas? The steps we used for installing everything is below. No, I don't know if sendmail was working before doing the install, so it could be a sendmail problem. If you think it is, I'll take other avenues to fix the problem. Any suggestion are appreciated. Thanks, James Here are the steps we took to install everything: -Fresh install of Redhat 7.3 -Make sure port 25 is open with ipchains -L -Edit the /etc/mail/sendmail.mc file and comment the following lines: dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA') dnl FEATURE(`accept_unresolvable_domains')dnl -Recreate the sendmail.cf file by doing the following at the command prompt: m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf -Install MailScanner using the provided install.sh and install instructions -Install SpamAssassin using the provided RPM files -Install F-Prot using the provided RPM file -Configure MailScanner by modifying /etc/MailScanner/MailScanner.conf (look for these settings) MTA = sendmail (search for MTA =) Virus Scanners = f-prot Use SpamAssassin = yes SpamAssassin Auto Whitelist = no Delivery Method = queue Spam Actions = forward address_goes_here High Scoring Spam Actions = forward address_goes_here -Comment out the following lines in /etc/MailScanner/spam.lists.conf #MAPS-RBL blackholes.mail-abuse.org. #MAPS-DUL dialups.mail-abuse.org. #MAPS-RSS relays.mail-abuse.org. 
#MAPS-RBL+ rbl-plus.mail-abuse.ja.net. -Edit /etc/sysconfig/mailscanner and change queuetime: QUEUETIME=5m -Run the following commands: service sendmail stop chkconfig sendmail off chkconfig MailScanner on service MailScanner start From billa at STERLING.NET Thu Nov 21 16:12:17 2002 From: billa at STERLING.NET (Bill Anderson) Date: Thu Jan 12 21:16:30 2006 Subject: filename extension (exe)? Message-ID: Is there a reason why .exe extension filenames are not denied? I notice the filenames file denies .bat, .cmd, .scr, etc... but not .exe. Is there a particular reason for this? Thanks. From t.d.lee at DURHAM.AC.UK Thu Nov 21 16:25:42 2002 
From: t.d.lee at DURHAM.AC.UK (David Lee) Date: Thu Jan 12 21:16:30 2006 Subject: MS4.x config/runtime issues In-Reply-To: <5.2.0.9.2.20021121151612.05904eb8@imap.ecs.soton.ac.uk> Message-ID: On Thu, 21 Nov 2002, Julian Field wrote: > /etc/sysconfig/MailScanner is where you should put the changes. That's > where RedHat keeps localisations for init.d scripts. It will use values > defined in there in preference to what is in the init.d script. The > /etc/sysconfig file will not be over-written by an upgrade if you edit it. > > The only things I should have done differently are > 1) allow the setting of the mqueue.in directory in the /etc/sysconfig file > as well and > 2) put the default values outside the "if" statement so it doesn't matter > if they aren't mentioned in the /etc/sysconfig file. > > I have corrected these 2 problems for the next version. Excellent. Thanks. (That's logically identical to my patch, I think.) > No insult intended, but personally I do not like the idea of keeping other > MS dirs inside /var/spool/mqueue, as they aren't part of mqueue's logical > purpose (i.e. a sendmail mail queue and nothing else). Indeed. That detail is our choice for our environment at our site. I, too, am not entirely comfortable with it! The patch was simply a clean way to separate the script (which should be invariant) from the data (which peculiar sites may wish to set in peculiar ways). The one major thing in the scheme's favour, for us, was that it maintains the technical requirement for the directories to be co-resident on the same partition, with the ability to separate the OS (including everything else in "/var/spool") from the email "data" in transit. So if there is a major system event, the OS can be adjusted or even replaced without affecting that email data. (We probably ought to reconsider: e.g. we could make "/var/spool/mqueue" simply contain each of the 4 MS data directories as a subdirectory. Then you and I would both be happy/happier!) Thanks again. 
Best wishes. -- : David Lee I.T. Service : : Systems Programmer Computer Centre : : University of Durham : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham : : Phone: +44 191 374 2882 U.K. : From mbowman at UDCOM.COM Thu Nov 21 16:27:12 2002 From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:16:30 2006 Subject: filename extension (exe)? Message-ID: Possibly due to people e-mailling legitimate self extracting archive files? Regards, Matthew K Bowman, Systems Administrator; Hostmaster; Miva Administrator Universal Digital Communications, Mansfield Ohio. Bill Anderson cc: Sent by: Subject: filename extension (exe)? MailScanner mailing list 11/21/2002 11:12 AM Please respond to MailScanner mailing list Is there a reason why .exe extension filenames are not denied? I notice the filenames file denies .bat, .cmd, .scr, etc... but not .exe. Is there a particular reason for this? Thanks. From mailscanner at ecs.soton.ac.uk Thu Nov 21 16:39:31 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:30 2006 Subject: Port 25 not open In-Reply-To: <1037893390.22464.84.camel@tweety.tnjinfl.com> Message-ID: <5.2.0.9.2.20021121163853.058020d0@imap.ecs.soton.ac.uk> At 15:43 21/11/2002, you wrote: >-Comment out the following lines in /etc/MailScanner/spam.lists.conf > #MAPS-RBL blackholes.mail-abuse.org. > #MAPS-DUL dialups.mail-abuse.org. > #MAPS-RSS relays.mail-abuse.org. > #MAPS-RBL+ rbl-plus.mail-abuse.ja.net. You don't need to do that. Just don't refer to them in the "Spam Lists" configuration option in MailScanner.conf. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Thu Nov 21 16:44:52 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:30 2006 Subject: filename extension (exe)? In-Reply-To: Message-ID: <5.2.0.9.2.20021121164401.03a98ce0@imap.ecs.soton.ac.uk> At 16:12 21/11/2002, you wrote: >Is there a reason why .exe extension filenames are not denied? I notice the >filenames file denies .bat, .cmd, .scr, etc... but not .exe. Is there a >particular reason for this? Thanks. Feel free to add it. I originally hoped that people would customise that file for their own site policy, it appears now that hardly anyone changes my defaults :-) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscannerlist at TNJINFL.COM Thu Nov 21 17:58:43 2002 From: mailscannerlist at TNJINFL.COM (James Pifer) Date: Thu Jan 12 21:16:30 2006 Subject: Port 25 not open In-Reply-To: <5.2.0.9.2.20021121163853.058020d0@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20021121163853.058020d0@imap.ecs.soton.ac.uk> Message-ID: <1037901523.32061.100.camel@tweety.tnjinfl.com> Ah, I see how that part works. Cool, thanks. James On Thu, 2002-11-21 at 11:39, Julian Field wrote: > At 15:43 21/11/2002, you wrote: > >-Comment out the following lines in /etc/MailScanner/spam.lists.conf > > #MAPS-RBL blackholes.mail-abuse.org. > > #MAPS-DUL dialups.mail-abuse.org. > > #MAPS-RSS relays.mail-abuse.org. > > #MAPS-RBL+ rbl-plus.mail-abuse.ja.net. > > You don't need to do that. Just don't refer to them in the "Spam Lists" > configuration option in MailScanner.conf. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ From mailscannerlist at TNJINFL.COM Thu Nov 21 18:06:20 2002 
From: mailscannerlist at TNJINFL.COM (James Pifer) Date: Thu Jan 12 21:16:30 2006 Subject: Port 25 not open In-Reply-To: <200211211546.gALFkEe08569@vulcan.rissington.net> References: <1037893390.22464.84.camel@tweety.tnjinfl.com> <200211211546.gALFkEe08569@vulcan.rissington.net> Message-ID: <1037901980.22463.109.camel@tweety.tnjinfl.com> Antony, ipchains -L shows me that ports 22 and 25 are open. Without giving you the exact verbage, let's just say both ports look the same in the output and I can connect through SSH. Basically, I'm sure port 25 is open. Processes running? Is this what you mean? 2108 root sendmail: accepting connections 2113 root /usr/sbin/sendmail -q5m 2122 root /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/Ma 2125 root /usr/bin/perl -I/usr/lib/MailScanner/usr/sbin/MailScanner /etc/Ma Yes, I can connect to port 25 on the local port. I've verified that I modified the sendmail.mc file and rebuilt the cf using M4. I've tried commenting it out: dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA') And I've tried using the real ip address in the line DAEMON_OPTIONS(`Port=smtp,Addr=192.168.1.25, Name=MTA') Still can't see the port open. Any other suggestions? Thanks, James On Thu, 2002-11-21 at 10:46, Antony Stone wrote: > On Thursday 21 November 2002 3:43 pm, James Pifer wrote: > > > We're installing a new server to use in production. I wrote a short list > > of steps to install it the exact same way my test servers were setup. > > Everything went fine, except port 25 is not open. > > > -Make sure port 25 is open with ipchains -L > > What does this command show ? > > What processes do you see running ? > > Can you connect to port 25 from the local machine, ie: > telnet localhost 25 > > Antony. > > -- > > All matter in the Universe can be placed into one of two categories: > > 1. things which need to be fixed > 2. 
things which will need to be fixed once you've had a few minutes to play > with them From Antony at SOFT-SOLUTIONS.CO.UK Thu Nov 21 18:14:14 2002 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:16:30 2006 Subject: Port 25 not open In-Reply-To: <1037901980.22463.109.camel@tweety.tnjinfl.com> References: <1037893390.22464.84.camel@tweety.tnjinfl.com> <200211211546.gALFkEe08569@vulcan.rissington.net> <1037901980.22463.109.camel@tweety.tnjinfl.com> Message-ID: <200211211814.gALIELe08787@vulcan.rissington.net> On Thursday 21 November 2002 6:06 pm, James Pifer wrote: > Antony, > > ipchains -L shows me that ports 22 and 25 are open. Without giving you > the exact verbage, let's just say both ports look the same in the output > and I can connect through SSH. Basically, I'm sure port 25 is open. Okay. > Processes running? Is this what you mean? > 2108 root sendmail: accepting connections > 2113 root /usr/sbin/sendmail -q5m > 2122 root /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner > /etc/Ma > 2125 root /usr/bin/perl -I/usr/lib/MailScanner/usr/sbin/MailScanner > /etc/Ma Yes - the "sendmail: accepting connections" is the one... > Yes, I can connect to port 25 on the local port. In that case it's a networking problem. Since you've verified that ipchains isn't blocking, I wonder whether you're trying to connect to port 25 from the same machine as you're able to ssh from? It could be that this machine doesn't know how to route back to the client ? Antony. -- Behind the counter a boy with a shaven head stared vacantly into space, a dozen spikes of microsoft protruding from the socket behind his ear. - William Gibson, Neuromancer (1984) From mailscanner at ecs.soton.ac.uk Thu Nov 21 18:17:54 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:30 2006 Subject: Port 25 not open In-Reply-To: <1037901980.22463.109.camel@tweety.tnjinfl.com> References: <200211211546.gALFkEe08569@vulcan.rissington.net> <1037893390.22464.84.camel@tweety.tnjinfl.com> <200211211546.gALFkEe08569@vulcan.rissington.net> Message-ID: <5.2.0.9.2.20021121181703.03251ed0@imap.ecs.soton.ac.uk> At 18:06 21/11/2002, you wrote: >2108 root sendmail: accepting connections That does rather imply that it is listening. The easiest way to check is netstat -an | grep 25 or netstat -a | grep smtp >2113 root /usr/sbin/sendmail -q5m >2122 root /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner >/etc/Ma >2125 root /usr/bin/perl -I/usr/lib/MailScanner/usr/sbin/MailScanner >/etc/Ma > >Yes, I can connect to port 25 on the local port. I've verified that I >modified the sendmail.mc file and rebuilt the cf using M4. >I've tried commenting it out: >dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA') >And I've tried using the real ip address in the line >DAEMON_OPTIONS(`Port=smtp,Addr=192.168.1.25, Name=MTA') > >Still can't see the port open. > >Any other suggestions? Thanks, >James > >On Thu, 2002-11-21 at 10:46, Antony Stone wrote: > > On Thursday 21 November 2002 3:43 pm, James Pifer wrote: > > > > > We're installing a new server to use in production. I wrote a short list > > > of steps to install it the exact same way my test servers were setup. > > > Everything went fine, except port 25 is not open. > > > > > -Make sure port 25 is open with ipchains -L > > > > What does this command show ? > > > > What processes do you see running ? > > > > Can you connect to port 25 from the local machine, ie: > > telnet localhost 25 > > > > Antony. > > > > -- > > > > All matter in the Universe can be placed into one of two categories: > > > > 1. things which need to be fixed > > 2. 
things which will need to be fixed once you've had a few minutes to play
> > with them

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From jim at ENTROPHY-FREE.NET Thu Nov 21 18:15:53 2002
From: jim at ENTROPHY-FREE.NET (Jim Levie)
Date: Thu Jan 12 21:16:30 2006
Subject: Port 25 not open
In-Reply-To: <1037893390.22464.84.camel@tweety.tnjinfl.com>
References: <1037893390.22464.84.camel@tweety.tnjinfl.com>
Message-ID: <1037902554.1120.2.camel@wilowisp.dynetics.com>

On Thu, 2002-11-21 at 09:43, James Pifer wrote:
> We're installing a new server to use in production. I wrote a short list
> of steps to install it the exact same way my test servers were set up.
> Everything went fine, except port 25 is not open. (it's open on the
> firewall settings, just doesn't show up in a port scan and of course we
> can't send any mail to it).
>

Go look at /etc/mail/sendmail.mc, towards the bottom of the file. It
clearly states there that sendmail will only listen on the localhost IP,
for security considerations on a workstation, unless the DAEMON_OPTIONS
line is commented out and a new sendmail.cf is built. This is also
documented in the Release Notes for RedHat 7.x & later.

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
The instructions said to use Windows 98 or better, so I installed RedHat
Jim Levie email: jim@entrophy-free.net

From chicks at CHICKS.NET Thu Nov 21 18:35:55 2002
From: chicks at CHICKS.NET (Christopher Hicks)
Date: Thu Jan 12 21:16:30 2006
Subject: Port 25 not open
In-Reply-To: <1037901980.22463.109.camel@tweety.tnjinfl.com>
Message-ID:

On Thu, 21 Nov 2002, James Pifer wrote:
> I've tried commenting it out:
> dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
> And I've tried using the real ip address in the line
> DAEMON_OPTIONS(`Port=smtp,Addr=192.168.1.25, Name=MTA')

You've got to get rid of the "Addr=xxxx, " part totally. I'm guessing
you're on Red Hat since they've been doing that garbage for a while. I
forget to do that occasionally when I'm setting up a totally new box.

(Hey Red Hat - If I don't want people connecting to my SMTP server I won't
open up that port in iptables. Grrr.)

At least RH8 supports iptables by default.

--
Programming is a Dark Art, and it will always be. The programmer is
fighting against the two most destructive forces in the universe:
entropy and human stupidity. They're not things you can always
overcome with a "methodology" or on a schedule.
-Damian Conway, Perl God

From bamcomp at YAHOO.COM Thu Nov 21 18:39:30 2002
From: bamcomp at YAHOO.COM (Brett) Date: Thu Jan 12 21:16:30 2006 Subject: Port 25 not open In-Reply-To: <1037901980.22463.109.camel@tweety.tnjinfl.com> Message-ID: <20021121183931.71291.qmail@web13805.mail.yahoo.com> hello, try to simply comment out (dnl) the line DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1,Name=MTA') there is no need to replace it. after this rebuild the sendmail.cf file, then restart MailScanner hth, brett --- James Pifer wrote: > Antony, > > ipchains -L shows me that ports 22 and 25 are open. > Without giving you > the exact verbage, let's just say both ports look > the same in the output > and I can connect through SSH. Basically, I'm sure > port 25 is open. > > Processes running? Is this what you mean? > 2108 root sendmail: accepting connections > 2113 root /usr/sbin/sendmail -q5m > 2122 root /usr/bin/perl -I/usr/lib/MailScanner > /usr/sbin/MailScanner > /etc/Ma > 2125 root /usr/bin/perl > -I/usr/lib/MailScanner/usr/sbin/MailScanner > /etc/Ma > > Yes, I can connect to port 25 on the local port. > I've verified that I > modified the sendmail.mc file and rebuilt the cf > using M4. > I've tried commenting it out: > dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, > Name=MTA') > And I've tried using the real ip address in the line > DAEMON_OPTIONS(`Port=smtp,Addr=192.168.1.25, > Name=MTA') > > Still can't see the port open. > > Any other suggestions? Thanks, > James > > On Thu, 2002-11-21 at 10:46, Antony Stone wrote: > > On Thursday 21 November 2002 3:43 pm, James Pifer > wrote: > > > > > We're installing a new server to use in > production. I wrote a short list > > > of steps to install it the exact same way my > test servers were setup. > > > Everything went fine, except port 25 is not > open. > > > > > -Make sure port 25 is open with ipchains -L > > > > What does this command show ? > > > > What processes do you see running ? > > > > Can you connect to port 25 from the local machine, > ie: > > telnet localhost 25 > > > > Antony. 
> >
> > --
> >
> > All matter in the Universe can be placed into one
> of two categories:
> >
> > 1. things which need to be fixed
> > 2. things which will need to be fixed once you've
> had a few minutes to play
> > with them

From alberto at CIED.RIMED.CU Thu Nov 21 18:57:31 2002
From: alberto at CIED.RIMED.CU (Alberto García Fumero)
Date: Thu Jan 12 21:16:30 2006
Subject: Help trying to install MailScanner 4.05-3 on SuSE 7.0
In-Reply-To: <5.2.0.9.2.20021121151446.058c1180@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20021121151446.058c1180@imap.ecs.soton.ac.uk>
Message-ID: <200211211900.gALJ0HK02407@cied.rimed.cu>

On Thursday 21 November 2002 10:15, you wrote:
> You don't want to be using the sendmail init.d script. The MailScanner
> init.d script will start up the 2 required sendmail processes as well as
> MailScanner itself. So disable the sendmail one and just use the
> MailScanner one.

Excuse me. I must be dumb! What is that init.d script? I don't seem to find
it here something by that name. Are you referring to the two lines invoking
sendmail you mention in the documents?

--
MSc. Alberto García Fumero
Centro de Información para la Educación
Ministerio de Educación
Linux User No. 97 138
Windows? No, thanks! I don't approve of the IVA ("Virus Added Tax")

From mailscannerlist at TNJINFL.COM Thu Nov 21 19:04:43 2002
From: mailscannerlist at TNJINFL.COM (James Pifer)
Date: Thu Jan 12 21:16:30 2006
Subject: Port 25 not open
In-Reply-To: <20021121183931.71291.qmail@web13805.mail.yahoo.com>
References: <20021121183931.71291.qmail@web13805.mail.yahoo.com>
Message-ID: <1037905483.22463.118.camel@tweety.tnjinfl.com>

Now I've also tried the following line:
DAEMON_OPTIONS(`Port=smtp, Name=MTA')

I started out by commenting the whole line and it didn't work.
Commenting it out was how I did it on all my test servers.

netstat -an | grep 25 gives me:
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
unix  2      [ ]         DGRAM                    1258

Maybe I'm not rebuilding it correctly. After modifying the sendmail.mc
file I rebuild it with:
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

Then I restart MailScanner with "service MailScanner reload"

I wrote and tested my steps from my original post using Redhat 8.0. The
server having the problem is 7.3, if that matters.

Thanks,
James
sorry to be using this list for an obvious sendmail/red hat problem....

On Thu, 2002-11-21 at 13:39, Brett wrote:
> hello,
> try to simply comment out (dnl) the line
> DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1,Name=MTA')
> there is no need to replace it. after this rebuild
> the sendmail.cf file, then restart MailScanner
>
> hth,
> brett
>
> --- James Pifer wrote:
> > Antony,
> >
> > ipchains -L shows me that ports 22 and 25 are open.
> > Without giving you
> > the exact verbiage, let's just say both ports look
> > the same in the output
> > and I can connect through SSH. Basically, I'm sure
> > port 25 is open.
> >
> > Processes running? Is this what you mean?
> > 2108 root sendmail: accepting connections
> > 2113 root /usr/sbin/sendmail -q5m
> > 2122 root /usr/bin/perl -I/usr/lib/MailScanner
> > /usr/sbin/MailScanner
> > /etc/Ma
> > 2125 root /usr/bin/perl
> > -I/usr/lib/MailScanner/usr/sbin/MailScanner
> > /etc/Ma
> >
> > Yes, I can connect to port 25 on the local port.
> > I've verified that I > > modified the sendmail.mc file and rebuilt the cf > > using M4. > > I've tried commenting it out: > > dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, > > Name=MTA') > > And I've tried using the real ip address in the line > > DAEMON_OPTIONS(`Port=smtp,Addr=192.168.1.25, > > Name=MTA') > > > > Still can't see the port open. > > > > Any other suggestions? Thanks, > > James > > > > On Thu, 2002-11-21 at 10:46, Antony Stone wrote: > > > On Thursday 21 November 2002 3:43 pm, James Pifer > > wrote: > > > > > > > We're installing a new server to use in > > production. I wrote a short list > > > > of steps to install it the exact same way my > > test servers were setup. > > > > Everything went fine, except port 25 is not > > open. > > > > > > > -Make sure port 25 is open with ipchains -L > > > > > > What does this command show ? > > > > > > What processes do you see running ? > > > > > > Can you connect to port 25 from the local machine, > > ie: > > > telnet localhost 25 > > > > > > Antony. > > > > > > -- > > > > > > All matter in the Universe can be placed into one > > of two categories: > > > > > > 1. things which need to be fixed > > > 2. things which will need to be fixed once you've > > had a few minutes to play > > > with them > > > __________________________________________________ > Do you Yahoo!? > Yahoo! Mail Plus ? Powerful. Affordable. Sign up now. > http://mailplus.yahoo.com From mailscanner at ecs.soton.ac.uk Thu Nov 21 19:10:35 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:30 2006
Subject: Port 25 not open
In-Reply-To: <1037905483.22463.118.camel@tweety.tnjinfl.com>
References: <20021121183931.71291.qmail@web13805.mail.yahoo.com> <20021121183931.71291.qmail@web13805.mail.yahoo.com>
Message-ID: <5.2.0.9.2.20021121190811.03226c80@imap.ecs.soton.ac.uk>

At 19:04 21/11/2002, you wrote:
>Now I've also tried the following line:
>DAEMON_OPTIONS(`Port=smtp, Name=MTA')
>
>I started out by commenting the whole line and it didn't work.
>Commenting it out was how I did it on all my test servers.
>
>netstat -an | grep 25 gives me:
>tcp 0 0 127.0.0.1:25 0.0.0.0:*
>LISTEN
>unix 2 [ ] DGRAM 1258
>
>Maybe I'm not rebuilding it correctly. After modifying the sendmail.mc
>file I rebuild it with:
>m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
>
>Then I restart MailScanner with "service MailScanner reload"

Do a restart rather than a reload. A reload just tells MailScanner to
re-read the config files, it doesn't restart either of the sendmail
processes.
Even better do a stop, then a ps ax | grep -i mail to check that
everything really did die, then a start.

>I wrote and tested my steps from my original post using Redhat 8.0. The
>server having the problem is 7.3, if that matters.
>
>Thanks,
>James
>sorry to be using this list for an obvious sendmail/red hat problem....

You're not the first, and probably won't be the last. I've managed to
collect a bunch of very experienced sysadmins in 1 place :-)

>On Thu, 2002-11-21 at 13:39, Brett wrote:
> > hello,
> > try to simply comment out (dnl) the line
> > DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1,Name=MTA')
> > there is no need to replace it. after this rebuild
> > the sendmail.cf file, then restart MailScanner
> >
> > hth,
> > brett
> >
> > --- James Pifer wrote:
> > > Antony,
> > >
> > > ipchains -L shows me that ports 22 and 25 are open.
> > > Without giving you > > > the exact verbage, let's just say both ports look > > > the same in the output > > > and I can connect through SSH. Basically, I'm sure > > > port 25 is open. > > > > > > Processes running? Is this what you mean? > > > 2108 root sendmail: accepting connections > > > 2113 root /usr/sbin/sendmail -q5m > > > 2122 root /usr/bin/perl -I/usr/lib/MailScanner > > > /usr/sbin/MailScanner > > > /etc/Ma > > > 2125 root /usr/bin/perl > > > -I/usr/lib/MailScanner/usr/sbin/MailScanner > > > /etc/Ma > > > > > > Yes, I can connect to port 25 on the local port. > > > I've verified that I > > > modified the sendmail.mc file and rebuilt the cf > > > using M4. > > > I've tried commenting it out: > > > dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, > > > Name=MTA') > > > And I've tried using the real ip address in the line > > > DAEMON_OPTIONS(`Port=smtp,Addr=192.168.1.25, > > > Name=MTA') > > > > > > Still can't see the port open. > > > > > > Any other suggestions? Thanks, > > > James > > > > > > On Thu, 2002-11-21 at 10:46, Antony Stone wrote: > > > > On Thursday 21 November 2002 3:43 pm, James Pifer > > > wrote: > > > > > > > > > We're installing a new server to use in > > > production. I wrote a short list > > > > > of steps to install it the exact same way my > > > test servers were setup. > > > > > Everything went fine, except port 25 is not > > > open. > > > > > > > > > -Make sure port 25 is open with ipchains -L > > > > > > > > What does this command show ? > > > > > > > > What processes do you see running ? > > > > > > > > Can you connect to port 25 from the local machine, > > > ie: > > > > telnet localhost 25 > > > > > > > > Antony. > > > > > > > > -- > > > > > > > > All matter in the Universe can be placed into one > > > of two categories: > > > > > > > > 1. things which need to be fixed > > > > 2. 
things which will need to be fixed once you've > > > had a few minutes to play > > > > with them > > > > > > __________________________________________________ > > Do you Yahoo!? > > Yahoo! Mail Plus – Powerful. Affordable. Sign up now. > > http://mailplus.yahoo.com -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Thu Nov 21 19:07:37 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:30 2006 Subject: Help trying to install MailScanner 4.05-3 on SuSE 7.0 In-Reply-To: <200211211900.gALJ0HK02407@cied.rimed.cu> References: <5.2.0.9.2.20021121151446.058c1180@imap.ecs.soton.ac.uk> <5.2.0.9.2.20021121151446.058c1180@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20021121190651.03394988@imap.ecs.soton.ac.uk> At 18:57 21/11/2002, you wrote: >On Thursday 21 November 2002 10:15, you wrote: > > You don't want to be using the sendmail init.d script. The MailScanner > > init.d script will start up the 2 required sendmail processes as well as > > MailScanner itself. So disable the sendmail one and just use the > > MailScanner one. >Excuse me. I must be dumb! What is that init.d script? /etc/rc.d/init.d/MailScanner or /etc/init.d/MailScanner. > I don't seem to find >it here something by that name. Are you referring to the two lines invoking >sendmail you mention in the documents? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From bamcomp at YAHOO.COM Thu Nov 21 19:12:51 2002 
From: bamcomp at YAHOO.COM (Brett) Date: Thu Jan 12 21:16:30 2006 Subject: Port 25 not open In-Reply-To: <1037905483.22463.118.camel@tweety.tnjinfl.com> Message-ID: <20021121191251.80476.qmail@web13805.mail.yahoo.com> hi, the version of RH does matter in this case try rebuilding sendmail using m4 /etc/mail/sendmail.mc > /etc/sendmail.cf it was RH8 that started putting sendmail.cf in /etc/mail , prior it is located in /etc brett --- James Pifer wrote: > Now I've also tried the following line: > DAEMON_OPTIONS(`Port=smtp, Name=MTA') > > I started out by commenting the whole line and it > didn't work. > Commenting it out was how I did it on all my test > servers. > > netstat -an | grep 25 gives me: > tcp 0 0 127.0.0.1:25 > 0.0.0.0:* > LISTEN > unix 2 [ ] DGRAM > 1258 > > Maybe I'm not rebuilding it correctly. After > modifying the sendmail.mc > file I rebuild it with: > m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf > > Then I restart MailScanner with "service MailScanner > reload" > > I wrote and tested my steps from my original post > using Redhat 8.0. The > server having the problem is 7.3, if that matters. > > Thanks, > James > sorry to be using this list for an obvious > sendmail/red hat problem.... > > On Thu, 2002-11-21 at 13:39, Brett wrote: > > hello, > > try to simply comment out (dnl) the line > > > DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1,Name=MTA') > > there is no need to replace it. after this > rebuild > > the sendmail.cf file, then restart MailScanner > > > > hth, > > brett > > > > --- James Pifer > wrote: > > > Antony, > > > > > > ipchains -L shows me that ports 22 and 25 are > open. > > > Without giving you > > > the exact verbage, let's just say both ports > look > > > the same in the output > > > and I can connect through SSH. Basically, I'm > sure > > > port 25 is open. > > > > > > Processes running? Is this what you mean? 
> > > 2108 root sendmail: accepting connections > > > 2113 root /usr/sbin/sendmail -q5m > > > 2122 root /usr/bin/perl -I/usr/lib/MailScanner > > > /usr/sbin/MailScanner > > > /etc/Ma > > > 2125 root /usr/bin/perl > > > -I/usr/lib/MailScanner/usr/sbin/MailScanner > > > /etc/Ma > > > > > > Yes, I can connect to port 25 on the local port. > > > I've verified that I > > > modified the sendmail.mc file and rebuilt the cf > > > using M4. > > > I've tried commenting it out: > > > dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, > > > Name=MTA') > > > And I've tried using the real ip address in the > line > > > DAEMON_OPTIONS(`Port=smtp,Addr=192.168.1.25, > > > Name=MTA') > > > > > > Still can't see the port open. > > > > > > Any other suggestions? Thanks, > > > James > > > > > > On Thu, 2002-11-21 at 10:46, Antony Stone wrote: > > > > On Thursday 21 November 2002 3:43 pm, James > Pifer > > > wrote: > > > > > > > > > We're installing a new server to use in > > > production. I wrote a short list > > > > > of steps to install it the exact same way my > > > test servers were setup. > > > > > Everything went fine, except port 25 is not > > > open. > > > > > > > > > -Make sure port 25 is open with ipchains -L > > > > > > > > What does this command show ? > > > > > > > > What processes do you see running ? > > > > > > > > Can you connect to port 25 from the local > machine, > > > ie: > > > > telnet localhost 25 > > > > > > > > Antony. > > > > > > > > -- > > > > > > > > All matter in the Universe can be placed into > one > > > of two categories: > > > > > > > > 1. things which need to be fixed > > > > 2. things which will need to be fixed once > you've > > > had a few minutes to play > > > > with them > > > > > > __________________________________________________ > > Do you Yahoo!? > > Yahoo! Mail Plus – Powerful. Affordable. Sign up > now. > > http://mailplus.yahoo.com __________________________________________________ Do you Yahoo!? Yahoo! Mail Plus – Powerful. Affordable. 
Sign up now. http://mailplus.yahoo.com From alberto at CIED.RIMED.CU Thu Nov 21 19:10:27 2002 From: alberto at CIED.RIMED.CU (Alberto García Fumero) Date: Thu Jan 12 21:16:30 2006 Subject: Help trying to install MailScanner 4.05-3 on SuSE 7.0 In-Reply-To: <5.2.0.9.2.20021121151446.058c1180@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20021121151446.058c1180@imap.ecs.soton.ac.uk> Message-ID: <200211211913.gALJDCQ02459@cied.rimed.cu> On Thursday 21 November 2002 10:15, you wrote: > You don't want to be using the sendmail init.d script. The MailScanner > init.d script will start up the 2 required sendmail processes as well as > MailScanner itself. So disable the sendmail one and just use the > MailScanner one. I forgot to say I install from sources. Is there any difference? I can't find that init.d file here. -- MSc. Alberto García Fumero Centro de Información para la Educación Ministerio de Educación Linux User No. 97 138 Windows? No, thanks! I don't approve of VAT (Virus Added Tax) From mailscannerlist at TNJINFL.COM Thu Nov 21 19:28:18 2002 
From: mailscannerlist at TNJINFL.COM (James Pifer) Date: Thu Jan 12 21:16:30 2006 Subject: Port 25 not open In-Reply-To: <20021121191251.80476.qmail@web13805.mail.yahoo.com> References: <20021121191251.80476.qmail@web13805.mail.yahoo.com> Message-ID: <1037906898.22464.126.camel@tweety.tnjinfl.com> Brett, Thanks, that was it. What a nightmare! Thanks to everyone, especially Julian and his list. You're right, a lot of experience on this list and it's great to see people willing to help those that are not experts. (at this rate I feel like the learning will never end....) James On Thu, 2002-11-21 at 14:12, Brett wrote: > hi, the version of RH does matter in this case > try rebuilding sendmail using > m4 /etc/mail/sendmail.mc > /etc/sendmail.cf > it was RH8 that started putting sendmail.cf in > /etc/mail , prior it is located in /etc > > brett > > --- James Pifer wrote: > > Now I've also tried the following line: > > DAEMON_OPTIONS(`Port=smtp, Name=MTA') > > > > I started out by commenting the whole line and it > > didn't work. > > Commenting it out was how I did it on all my test > > servers. > > > > netstat -an | grep 25 gives me: > > tcp 0 0 127.0.0.1:25 > > 0.0.0.0:* > > LISTEN > > unix 2 [ ] DGRAM > > 1258 > > > > Maybe I'm not rebuilding it correctly. After > > modifying the sendmail.mc > > file I rebuild it with: > > m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf > > > > Then I restart MailScanner with "service MailScanner > > reload" > > > > I wrote and tested my steps from my original post > > using Redhat 8.0. The > > server having the problem is 7.3, if that matters. > > > > Thanks, > > James > > sorry to be using this list for an obvious > > sendmail/red hat problem.... > > > > On Thu, 2002-11-21 at 13:39, Brett wrote: > > > hello, > > > try to simply comment out (dnl) the line > > > > > DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1,Name=MTA') > > > there is no need to replace it. 
after this > > rebuild > > > the sendmail.cf file, then restart MailScanner > > > > > > hth, > > > brett > > > > > > --- James Pifer > > wrote: > > > > Antony, > > > > > > > > ipchains -L shows me that ports 22 and 25 are > > open. > > > > Without giving you > > > > the exact verbage, let's just say both ports > > look > > > > the same in the output > > > > and I can connect through SSH. Basically, I'm > > sure > > > > port 25 is open. > > > > > > > > Processes running? Is this what you mean? > > > > 2108 root sendmail: accepting connections > > > > 2113 root /usr/sbin/sendmail -q5m > > > > 2122 root /usr/bin/perl -I/usr/lib/MailScanner > > > > /usr/sbin/MailScanner > > > > /etc/Ma > > > > 2125 root /usr/bin/perl > > > > -I/usr/lib/MailScanner/usr/sbin/MailScanner > > > > /etc/Ma > > > > > > > > Yes, I can connect to port 25 on the local port. > > > > I've verified that I > > > > modified the sendmail.mc file and rebuilt the cf > > > > using M4. > > > > I've tried commenting it out: > > > > dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, > > > > Name=MTA') > > > > And I've tried using the real ip address in the > > line > > > > DAEMON_OPTIONS(`Port=smtp,Addr=192.168.1.25, > > > > Name=MTA') > > > > > > > > Still can't see the port open. > > > > > > > > Any other suggestions? Thanks, > > > > James > > > > > > > > On Thu, 2002-11-21 at 10:46, Antony Stone wrote: > > > > > On Thursday 21 November 2002 3:43 pm, James > > Pifer > > > > wrote: > > > > > > > > > > > We're installing a new server to use in > > > > production. I wrote a short list > > > > > > of steps to install it the exact same way my > > > > test servers were setup. > > > > > > Everything went fine, except port 25 is not > > > > open. > > > > > > > > > > > -Make sure port 25 is open with ipchains -L > > > > > > > > > > What does this command show ? > > > > > > > > > > What processes do you see running ? 
> > > > > > > > > > Can you connect to port 25 from the local > > machine, > > > > ie: > > > > > telnet localhost 25 > > > > > > > > > > Antony. > > > > > > > > > > -- > > > > > > > > > > All matter in the Universe can be placed into > > one > > > > of two categories: > > > > > > > > > > 1. things which need to be fixed > > > > > 2. things which will need to be fixed once > > you've > > > > had a few minutes to play > > > > > with them > > > > > > > > > __________________________________________________ > > > Do you Yahoo!? > > > Yahoo! Mail Plus ? Powerful. Affordable. Sign up > > now. > > > http://mailplus.yahoo.com > > > __________________________________________________ > Do you Yahoo!? > Yahoo! Mail Plus ? Powerful. Affordable. Sign up now. > http://mailplus.yahoo.com From alberto at CIED.RIMED.CU Thu Nov 21 20:00:47 2002 
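The failure resolved in this thread (m4 output written to /etc/mail/sendmail.cf while the Red Hat 7.3 daemon still reads /etc/sendmail.cf with its loopback-only listener) can be checked by comparing the DaemonPortOptions lines of the two files. The script below is an added example, not code from any poster or from MailScanner; the function names and the two sample cf fragments are constructed for illustration.

```shell
#!/bin/sh
# Added example. The cf fragments below are constructed samples, not files
# taken from the thread; function names are hypothetical.

# field KEY "k1=v1, k2=v2": print the value of KEY, or nothing if absent.
field() {
    printf '%s\n' "$2" | tr ',' '\n' |
        sed -n "s/^[[:space:]]*$1=\([^[:space:]]*\).*/\1/p" | head -n 1
}

# Print "port addr" for every DaemonPortOptions line in a sendmail.cf.
# A listener without Port= uses smtp; one without Addr= binds every
# interface, reported here as "any".
listeners() {
    sed -n 's/^O[[:space:]]*DaemonPortOptions=//p' "$1" |
    while IFS= read -r opts; do
        port=$(field Port "$opts")
        addr=$(field Addr "$opts")
        printf '%s %s\n' "${port:-smtp}" "${addr:-any}"
    done
}

# Classify the port-25 listener(s) of one cf file.
smtp_scope() {
    addrs=$(listeners "$1" | awk '$1 == "smtp" || $1 == "25" { print $2 }')
    if [ -z "$addrs" ]; then
        echo "unspecified"      # no explicit smtp listener in this file
        return
    fi
    for a in $addrs; do
        case $a in
            127.*|localhost|::1) ;;                       # loopback
            *) echo "reachable-from-network"; return ;;
        esac
    done
    echo "loopback-only"
}

# diagnose REBUILT ACTIVE: compare the cf that m4 just wrote with the cf
# the running daemon reads. A difference means the edit never took effect.
diagnose() {
    rebuilt=$(smtp_scope "$1")
    active=$(smtp_scope "$2")
    if [ "$rebuilt" != "$active" ]; then
        echo "stale-active-cf: rebuilt=$rebuilt active=$active"
    else
        echo "consistent: $active"
    fi
}

# --- constructed demo tree mirroring the two paths named in the thread ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/etc/mail"

# What the daemon on the older release reads: still bound to loopback.
cat > "$demo/etc/sendmail.cf" <<'EOF'
O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA
EOF

# What m4 produced after the DAEMON_OPTIONS line was commented out with dnl.
cat > "$demo/etc/mail/sendmail.cf" <<'EOF'
O DaemonPortOptions=Name=MTA
O DaemonPortOptions=Port=587,Name=MSA,M=E
EOF

diagnose "$demo/etc/mail/sendmail.cf" "$demo/etc/sendmail.cf"
```

A "stale-active-cf" result with a loopback-only active file matches the netstat output quoted in the thread (127.0.0.1:25 only); once the listener is reachable from the network, relay restrictions are what keep the host from being an open relay.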
From: alberto at CIED.RIMED.CU (Alberto García Fumero) Date: Thu Jan 12 21:16:30 2006 Subject: Help trying to install MailScanner 4.05-3 on SuSE 7.0 In-Reply-To: <5.2.0.9.2.20021121190651.03394988@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20021121151446.058c1180@imap.ecs.soton.ac.uk> <5.2.0.9.2.20021121190651.03394988@imap.ecs.soton.ac.uk> Message-ID: <200211212003.gALK3Xh02820@cied.rimed.cu> On Thursday 21 November 2002 14:07, you wrote: > At 18:57 21/11/2002, you wrote: > >On Thursday 21 November 2002 10:15, you wrote: > > > You don't want to be using the sendmail init.d script. The MailScanner > > > init.d script will start up the 2 required sendmail processes as well > > > as MailScanner itself. So disable the sendmail one and just use the > > > MailScanner one. > > > >Excuse me. I must be dumb! What is that init.d script? > > /etc/rc.d/init.d/MailScanner or /etc/init.d/MailScanner. It isn't here. I downloaded the version marked "Other Linux" or so, not the rpm. Sometimes rpm's meant for Red Hat don't work properly in SuSE. I am trying to download the rpm, and to take a look at "useful scripts", but the download speed is, well, lousy (pardon my french!). I try to install from sources whenever possible. Are there significant differences between the source and the rpm? -- MSc. Alberto García Fumero Centro de Información para la Educación Ministerio de Educación Linux User No. 97 138 Windows? No, thanks! I don't approve of VAT (Virus Added Tax) From sean at NISD.NET Thu Nov 21 20:35:46 2002 
From: sean at NISD.NET (Sean Embry) Date: Thu Jan 12 21:16:30 2006 Subject: Sendmail problems Message-ID: It's a reaction to the Korean school open relay debacle if I had to guess. It's thought that if you know enough to change the sendmail.cf file, you'll be clueful enough to get sendmail running without being an open relay. Overall, I'm pretty happy RH chose to ship the base distro so that folks that are not paying attention won't have the possibility to act as an open relay. Sean >>> chicks@CHICKS.NET 11/21/02 12:35PM >>> On Thu, 21 Nov 2002, James Pifer wrote: > I've tried commenting it out: > dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA') > And I've tried using the real ip address in the line > DAEMON_OPTIONS(`Port=smtp,Addr=192.168.1.25, Name=MTA') You've got to get rid of the "Addr=xxxx, " part totally. I'm guessing you're on Red Hat since they've been doing that garbage for a while. I forget to do that occasionally when I'm setting up a totally new box. (Hey Red Hat - If I don't want people connecting to my SMTP server I won't open up that port in iptables. Grrr.) At least RH8 supports iptables by default. -- Programming is a Dark Art, and it will always be. The programmer is fighting against the two most destructive forces in the universe: entropy and human stupidity. They're not things you can always overcome with a "methodology" or on a schedule. -Damian Conway, Perl God From nerijus at USERS.SOURCEFORGE.NET Thu Nov 21 21:05:29 2002 
From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas) Date: Thu Jan 12 21:16:30 2006 Subject: filename extension (exe)? In-Reply-To: <5.2.0.9.2.20021121164401.03a98ce0@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20021121164401.03a98ce0@imap.ecs.soton.ac.uk> Message-ID: <200211212110.gALLA8L6009895@mx.ktv.lt> On Thu, 21 Nov 2002 16:44:52 +0000 Julian Field wrote: > At 16:12 21/11/2002, you wrote: > >Is there a reason why .exe extension filenames are not denied? I notice the > >filenames file denies .bat, .cmd, .scr, etc... but not .exe. Is there a > >particular reason for this? Thanks. > > Feel free to add it. I originally hoped that people would customise that > file for their own site policy, it appears now that hardly anyone changes > my defaults :-) I suggest including it into filename.rules.conf, but commented out by default, then someone will not forget about it. And please include .com (banned by default) also, as the same viruses which use .scr and .pif use .com also. Regards, Nerijus From thang at HAWAII.EDU Thu Nov 21 21:17:04 2002 From: thang at HAWAII.EDU (Thang M Nguyen) Date: Thu Jan 12 21:16:30 2006 Subject: Required SpamAssassin Score Message-ID: Can I set the "Required SpamAssassin Score" to a value with decimal number, i.e. 8.5? I get the following error when setting it to 8.5: Cannot open ruleset file 8.5, No such file or directory at /opt/MailScanner/bin/MailScanner/Config.pm line 891 Thanks for your advice. --thang ************************************************************************* Thang M Nguyen Email: thang@hawaii.edu Information Technology Services Phone: (808)-956-4449 Systems Engineering Fax: (808)-956-2412 ************************************************************************* From alberto at CIED.RIMED.CU Thu Nov 21 21:19:32 2002 
From: alberto at CIED.RIMED.CU (Alberto García Fumero) Date: Thu Jan 12 21:16:30 2006 Subject: Help trying to install MailScanner 4.05-3 on SuSE 7.0 In-Reply-To: <200211212003.gALK3Xh02820@cied.rimed.cu> References: <5.2.0.9.2.20021121151446.058c1180@imap.ecs.soton.ac.uk> <5.2.0.9.2.20021121190651.03394988@imap.ecs.soton.ac.uk> <200211212003.gALK3Xh02820@cied.rimed.cu> Message-ID: <200211212122.gALLMJB03871@cied.rimed.cu> I have just downloaded the 4.05-4 and 4.0.5-1 rpm's. The install.sh script complains about a missing rpm-build rpm file that is not in the 7 SuSE CDs, nor installed. No /usr/src/redhat or /usr/src/RPM tree here. So I am already on first square...:-(( Where is that MailScanner daemon? The only other solution I envision is a certainly *clumsy* one: a) maintain two copies of sendmail.cf, one pointing to mqueue.in and the other pointing to mqueue. b) Use the first for the first run of sendmail, and the other for the second run... -- MSc. Alberto García Fumero Centro de Información para la Educación Ministerio de Educación Linux User No. 97 138 Windows? No, thanks! I don't approve of VAT (Virus Added Tax) From steinkel at PA.NET Thu Nov 21 21:46:26 2002 From: steinkel at PA.NET (Leland J. Steinke) Date: Thu Jan 12 21:16:30 2006 Subject: EML/Fortnight Message-ID: <3DDD5432.1050606@pa.net> I haven't isolated one of these, but I received a report that it did get through MailScanner3.22/f-prot3.12a (with latest definitions). Has anybody seen EML/Fortnight before? How do we catch it? http://www.europe.f-secure.com/v-descs/fortnight.shtml Thanks, Leland From jaearick at COLBY.EDU Thu Nov 21 21:27:22 2002 
From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:16:30 2006 Subject: v4 boot script and other questions Message-ID: Hi, I'm experimenting with the upgrade from v3 to v4. First off, is there a boot-time /etc/init.d script for MailScanner v4 already? Or just invoke "/opt/MailScanner/bin/check_mailscanner" from my v3-era boot-script? Second, I'm wondering about weirdness when I run the sendmail queue by hand with v4. With v3, I used: Delivery Method = queue instead of batch. My boot-time script for sendmail looks like: #---delivery-only mode for mailscanner /usr/lib/sendmail -bd -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in #---process /var/spool/mqueue every 5 minutes for actual delivery /usr/lib/sendmail -q5m For v4, I commented out the "-q5m" line in my sendmail boot script, and used "Delivery Method = batch". If I process /var/spool/mqueue by hand, ie "/usr/lib/sendmail -v -q", then I get complaints in the window where I did "/opt/MailScanner/bin/check_mailscanner" from, which doesn't look good: Cannot create + lock headers file /var/spool/MailScanner/incoming/14521/gALLA6xo015767.header, at /opt/MailScanner/bin/MailScanner/Message.pm line 237 Cannot create + lock headers file /var/spool/MailScanner/incoming/14978/gALLA6xo015767.header, at /opt/MailScanner/bin/MailScanner/Message.pm line 237 Cannot create + lock headers file /var/spool/MailScanner/incoming/14616/gALLA6xo015771.header, at /opt/MailScanner/bin/MailScanner/Message.pm line 237 Cannot chdir for rules checking, No such file or directory at /opt/MailScanner/bin/MailScanner/SweepOther.pm line 83. 
Cannot create + lock headers file /var/spool/MailScanner/incoming/14811/gALL9sxo015709.header, at /opt/MailScanner/bin/MailScanner/Message.pm line 237 Cannot create + lock headers file /var/spool/MailScanner/incoming/14479/gALL9sxo015709.header, at /opt/MailScanner/bin/MailScanner/Message.pm line 237 Cannot create + lock headers file /var/spool/MailScanner/incoming/14908/gALL9sxo015709.header, at /opt/MailScanner/bin/MailScanner/Message.pm line 237 Cannot mkdir /var/spool/MailScanner/incoming/15112/gALLA7xo015773, No such file or directory at /opt/MailScanner/bin/MailScanner/WorkArea.pm line 90 Cannot create + lock headers file /var/spool/MailScanner/incoming/15045/gALLA6xo015767.header, at /opt/MailScanner/bin/MailScanner/Message.pm line 237 Cannot create + lock headers file /var/spool/MailScanner/incoming/14673/gALL9sxo015709.header, at /opt/MailScanner/bin/MailScanner/Message.pm line 237 We haven't got any child processes, which isn't right!, No child processes at /opt/MailScanner/bin/mailscanner line 191. We have just tried to reap a process which wasn't one of ours!, No child processes at /opt/MailScanner/bin/mailscanner line 194. Cannot mkdir /var/spool/MailScanner/incoming/15832/gALL9sxo015709, No such file or directory at /opt/MailScanner/bin/MailScanner/WorkArea.pm line 90 Cannot mkdir /var/spool/MailScanner/incoming/15902/gALLAOxo015899, No such file or directory at /opt/MailScanner/bin/MailScanner/WorkArea.pm line 90 Cannot create + lock headers file /var/spool/MailScanner/incoming/15967/gALLAfxo015958.header, at /opt/MailScanner/bin/MailScanner/Message.pm line 237 Cannot mkdir /var/spool/MailScanner/incoming/15995/gALLAkxp015979, No such file or directory at /opt/MailScanner/bin/MailScanner/WorkArea.pm line 90 ----------------------------------- Jeff A. 
Earickson, Ph.D Senior UNIX Sysadmin and Email Guru Information Technology Services Colby College, 4214 Mayflower Hill, Waterville ME, 04901-8842 phone: 207-872-3659 (fax = 3076) ----------------------------------- From derek at csolve.net Thu Nov 21 21:49:36 2002 From: derek at csolve.net (Derek Buttineau) Date: Thu Jan 12 21:16:30 2006 Subject: Odd Problem Message-ID: <027201c291a7$e2cd8180$8850a4cf@derek> Just moved 4.05-3 to one of our production servers as it was working amazingly great in our test environment.. I've encountered a bit of an issue.. it doesn't stop spawning children.. just reset it now so it's back to the configured 5.. but previous to that it was up to approx 72 children!! Not sure exactly what is causing it.. Anyone else encountered something similar? Thanks, Derek From Antony at SOFT-SOLUTIONS.CO.UK Thu Nov 21 22:44:04 2002 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:16:30 2006 Subject: Odd Problem In-Reply-To: <027201c291a7$e2cd8180$8850a4cf@derek> References: <027201c291a7$e2cd8180$8850a4cf@derek> Message-ID: <20021121224407.RMFD22505.mta07-svc.ntlworld.com@there> On Thursday 21 November 2002 9:49 pm, Derek Buttineau wrote: > Just moved 4.05-3 to one of our production servers as it was working > amazingly great in our test environment.. > > I've encountered a bit of an issue.. it doesn't stop spawning children.. > just reset it now so it's back to the configured 5.. but previous to that > it was up to approx 72 children!! > > Not sure exactly what is causing it.. > > Anyone else encountered something similar? Yes - I got the same thing. Every time the recommended cron job ran, it spawned another batch of processes. I took the simple route out and disabled the cron job. Antony. -- Perfection in design is achieved not when there is nothing left to add, but rather when there is nothing left to take away. - Antoine de Saint-Exupery From turveysp at NTLWORLD.COM Thu Nov 21 23:30:09 2002 
From: turveysp at NTLWORLD.COM (Simon Turvey) Date: Thu Jan 12 21:16:30 2006 Subject: Missing Spam List Definitions Message-ID: <002d01c291b5$eff84ad0$0b0ba8c0@mistral> Hi all, In the configuration options documentation the following is stated: "Spam List Definitions :- This file contains all the definitions of the "Spam Lists" (also known as RBL's or DNSBL's) which can be used to try to detect spam based on where each message came from. Many more spam lists can be added to this file, but it contains the most popular ones to get you started." Later, it is stated: "Spam List :- This provides a space-separated list of "Spam Lists" (or RBL's or DNSBL's) which are checked for each message. These lists are based on the numeric IP address of the server that sent the message to your MailScanner server. Every list used here must be defined in the "Spam List Definitions" file mentioned above." I cannot find however, the file that contains the spam list definitions, nor is a location defined in mailscanner.conf. I am using mailscanner 3.26.1-1 in Debian/testing. Can you advise if this is a) my fault, b) Debian package maintainer's fault, c) other. Many thanks for a great tool and any help you can provide, Simon Turvey From jim at ENTROPHY-FREE.NET Fri Nov 22 00:54:26 2002 
From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:16:30 2006 Subject: Missing Spam List Definitions In-Reply-To: <002d01c291b5$eff84ad0$0b0ba8c0@mistral> References: <002d01c291b5$eff84ad0$0b0ba8c0@mistral> Message-ID: <1037926467.18464.2.camel@chaos.entrophy-free.net> On Thu, 2002-11-21 at 17:30, Simon Turvey wrote: > Hi all, > In the configuration options documentation the following is stated: > > "Spam List Definitions :- This file contains all the definitions of the > "Spam Lists" (also known as RBL's or DNSBL's) which can be used to try to > detect spam based on where each message came from. Many more spam lists can > be added to this file, but it contains the most popular ones to get you > started." > > Later, it is stated: > > "Spam List :- This provides a space-separated list of "Spam Lists" (or > RBL's or DNSBL's) which are checked for each message. These lists are based > on the numeric IP address of the server that sent the message to your > MailScanner server. Every list used here must be defined in the "Spam List > Definitions" file mentioned above." > > I cannot find however, the file that contains the spam list definitions, nor > is a location defined in mailscanner.conf. I am using mailscanner 3.26.1-1 > in Debian/testing. > The documentation above applies to MailScanner 4.x, but you are running 3.26. In 3.x there is not an external file for defining DNS black lists. In that version all definitions of black lists are in the mailscanner.conf file (or done by SpamAssassin). -- The instructions said to use Windows 98 or better, so I installed RedHat. From turveysp at NTLWORLD.COM Fri Nov 22 07:42:04 2002 
From: turveysp at NTLWORLD.COM (Simon Turvey) Date: Thu Jan 12 21:16:30 2006 Subject: Missing Spam List Definitions References: <002d01c291b5$eff84ad0$0b0ba8c0@mistral> <1037926467.18464.2.camel@chaos.entrophy-free.net> Message-ID: <001801c291fa$a6ed0d40$0b0ba8c0@mistral> > The documentation above applies to MailScanner 4.x, but you are running > 3.26. In 3.x there is not an external file for defining DNS black lists. > In that version all definitions of black lists are in the > mailscanner.conf file (or done by SpamAssassin). Thank you, things are cleared now. I was clearly very tired when looking at this last night :) Simon From evertjan at VANRAMSELAAR.NL Fri Nov 22 08:19:55 2002 From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar) Date: Thu Jan 12 21:16:30 2006 Subject: f-prot-autoupdate error Message-ID: <000201c291ff$f0e89ea0$65000a0a@galaxy> Hi ppl, I recently installed the latest MS 4 RPM version. Everything works great, good work Julian! However, the f-prot-autoupdate scripts gives me this error: # ./f-prot-autoupdate FTP address for retrieving files is ftp://eu-3.updates.f-prot.com/pub/ Unknown fatal error calling "checksum", exiting., Bad file descriptor at ./f-prot-autoupdate line 295, line 2. F-prot lives in /usr/local/f-prot and the tmpdir /usr/local/f-prot/tmp does exist. Any idea on this one? -- Evert Jan van Ramselaar Van Ramselaar Info Tech From smohan at VSNL.COM Fri Nov 22 08:19:09 2002 From: smohan at VSNL.COM (S Mohan) Date: Thu Jan 12 21:16:30 2006 Subject: Port 25 not open In-Reply-To: <1037893390.22464.84.camel@tweety.tnjinfl.com> Message-ID: This is certainly only a sendmail issue as MailScanner does not listen to any ports. MailScanner only retrieves files from /var/spool/mqueue.in, scans them and puts them into /var/spool/mqueue. You must change the MTA line instead of commenting it out to carry the IP assigned to the ethernet interface. This is how I installed sendmail Mohan -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of James Pifer Sent: 21 November 2002 21:13 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Port 25 not open We're installing a new server to use in production. I wrote a short list of steps to install it the exact same way my test servers were setup. Everything went fine, except port 25 is not open. (it's open on the firewall settings, just doesn't show up in a port scan and of course we can't send any mail to it). MailScanner is definitely running. If I do "service MailScanner reload" it reloads fine, yet port 25 is still not open. Anyone have any ideas? The steps we used for installing everything is below. No, I don't know if sendmail was working before doing the install, so it could be a sendmail problem. If you think it is, I'll take other avenues to fix the problem. Any suggestion are appreciated. Thanks, James Here are the steps we took to install everything: -Fresh install of Redhat 7.3 -Make sure port 25 is open with ipchains -L -Edit the /etc/mail/sendmail.mc file and comment the following lines: dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA') dnl FEATURE(`accept_unresolvable_domains')dnl -Recreate the sendmail.cf file by doing the following at the command prompt: m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf -Install MailScanner using the provided install.sh and install instructions -Install SpamAssassin using the provided RPM files -Install F-Prot using the provided RPM file -Configure MailScanner by modifying /etc/MailScanner/MailScanner.conf (look for these settings) MTA = sendmail (search for MTA =) Virus Scanners = f-prot Use SpamAssassin = yes SpamAssassin Auto Whitelist = no Delivery Method = queue Spam Actions = forward address_goes_here High Scoring Spam Actions = forward address_goes_here -Comment out the following lines in /etc/MailScanner/spam.lists.conf #MAPS-RBL blackholes.mail-abuse.org. #MAPS-DUL dialups.mail-abuse.org. #MAPS-RSS relays.mail-abuse.org. 
#MAPS-RBL+ rbl-plus.mail-abuse.ja.net. -Edit /etc/sysconfig/mailscanner and change queuetime: QUEUETIME=5m -Run the following commands: service sendmail stop chkconfig sendmail off chkconfig MailScanner on service MailScanner start From Q.G.Campbell at NEWCASTLE.AC.UK Fri Nov 22 08:29:12 2002 From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell) Date: Thu Jan 12 21:16:30 2006 Subject: Working well (SA customization tips) Message-ID: > -----Original Message----- > From: Matt Kettler [mailto:mkettler@evi-inc.com] > Sent: 18 November 2002 17:02 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Working well (SA customization tips) > > [snip] > Since you're running MailScanner the best place to put your > rules is in MailScanner's spam.assassin.prefs.conf, but I'd > recommend writing and testing them using the command-line > tools while editing /root/.spamassassin/user_prefs. > Matt I would have thought doing your command line testing of new rules as "root" is not a good idea since at most sites the production SpamAssassin is normally running as root and so will look for a ~root/.spamassassin/user_prefs file. It will thus *always* find and use the rules you are developing/testing which is not a good idea! For this reason I always do my testing as an ordinary user. If the ordinary login ID I am using is "mylogin" then the rules I am testing will be in the file ~mylogon/.spamassassin/user_prefs. When I run "spamassassin -tD Hi, I had the same issue and simply used the 3.x script with some modifications. This is a bug in the check-mailscanner script. Regards, JP > -----Original Message----- 
> From: Derek Buttineau [mailto:derek@csolve.net] > Sent: Thursday, November 21, 2002 10:50 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Odd Problem > > > Just moved 4.05-3 to one of our production servers as it was > working amazingly great in our test environment.. > > I've encountered a bit of an issue.. it doesn't stop spawning > children.. just reset it now so it's back to the configured > 5.. but previous to that it was up to approx 72 children!! > > Not sure exactly what is causing it.. > > Anyone else encountered something similar? > > Thanks, > > Derek > From mailscanner at BARENDSE.TO Fri Nov 22 09:36:26 2002 From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:16:30 2006 Subject: EML/Fortnight In-Reply-To: <3DDD5432.1050606@pa.net> Message-ID: According to the McAfee website the link is contained in an IFRAME tag. If you kill the IFRAME stuff with MailScanner everything should be fine?? MailScanner rules! :) On Thu, 21 Nov 2002, Leland J. Steinke wrote: > I haven't isolated one of these, but I received a report that it did get > through MailScanner3.22/f-prot3.12a (with latest definitions). Has > anybody seen EML/Fortnight before? How do we catch it? > > http://www.europe.f-secure.com/v-descs/fortnight.shtml > > > Thanks, > Leland > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at ecs.soton.ac.uk Fri Nov 22 09:47:54 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:31 2006
Subject: filename extension (exe)?
In-Reply-To: <200211212110.gALLA8L6009895@mx.ktv.lt>
References: <5.2.0.9.2.20021121164401.03a98ce0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20021121164401.03a98ce0@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20021122094721.0436c398@imap.ecs.soton.ac.uk>

At 21:05 21/11/2002, you wrote:
>On Thu, 21 Nov 2002 16:44:52 +0000 Julian Field
> wrote:
>
> > At 16:12 21/11/2002, you wrote:
> > >Is there a reason why .exe extension filenames are not denied? I notice the
> > >filenames file denies .bat, .cmd, .scr, etc... but not .exe. Is there a
> > >particular reason for this? Thanks.
> >
> > Feel free to add it. I originally hoped that people would customise that
> > file for their own site policy, it appears now that hardly anyone changes
> > my defaults :-)
>
>I suggest including it into filename.rules.conf, but commented out by default,
>then someone will not forget about it. And please include .com (banned by
>default) also, as the same viruses which use .scr and .pif use .com also.

I have added rules to stop .com and .exe by default. If people want to
comment them out, they are welcome to do so, but it probably is better to
ban them on most sites.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Fri Nov 22 09:44:15 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:31 2006
Subject: Help trying to install MailScanner 4.05-3 on SuSE 7.0
In-Reply-To: <200211212122.gALLMJB03871@cied.rimed.cu>
References: <200211212003.gALK3Xh02820@cied.rimed.cu> <5.2.0.9.2.20021121151446.058c1180@imap.ecs.soton.ac.uk> <5.2.0.9.2.20021121190651.03394988@imap.ecs.soton.ac.uk> <200211212003.gALK3Xh02820@cied.rimed.cu>
Message-ID: <5.2.0.9.2.20021122094228.0436fe50@imap.ecs.soton.ac.uk>

Here is the RedHat init.d script. You will probably need to edit it a bit,
but it will show you most of what you need. I'm going to do some work on
the SuSE setup some time soon.

As for installing from source, MailScanner is written in Perl so you have
the source anyway.

At 21:19 21/11/2002, you wrote:
>I have just downloaded the 4.05-4 and 4.0.5-1 rpm's.
>The install.sh script complains about a missing rpm-build rpm file that is
>not in the 7 SuSE CDs, nor installed. No /usr/src/redhat or /usr/src/RPM tree
>here.
>So I am already on first square...:-((
>Where is that MailScanner daemon?
>The only other solution I envision is a certainly *clumsy* one:
>a) maintain two copies of sendmail.cf, one pointing to mqueue.in and the
>other pointing to mqueue.
>b) Use the first for the first run of sendmail, and the other for the second
>run...
>
>--
>MSc. Alberto García Fumero
>Centro de Información para la Educación
>Ministerio de Educación
>Linux User No. 97 138
>Windows? No, thanks! I do not approve of the IVA (Added Virus Tax)

-------------- next part --------------
#!/bin/sh
#
# mailscanner   This shell script takes care of starting and stopping
#               MailScanner, and its associated copies of sendmail.
#
# chkconfig: 2345 80 30
# description: MailScanner is an open-source E-Mail Gateway Virus Scanner.
# processname: MailScanner
# config: /etc/MailScanner/MailScanner.conf
# pidfile: /var/run/MailScanner/MailScanner.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

QUEUETIME=15m
PIDDIR=/var/run/MailScanner
WORKDIR=/var/spool/MailScanner/incoming
INQDIR=/var/spool/mqueue.in

# Source mailscanner configuration.
if [ -f /etc/sysconfig/MailScanner ] ; then
        . /etc/sysconfig/MailScanner
fi
export QUEUETIME
export PIDDIR
export WORKDIR
export INQDIR

# Check that networking is up.
# (quoted so that an unset NETWORKING does not break the test)
[ "${NETWORKING}" = "no" ] && exit 0

[ -f /usr/sbin/check_MailScanner ] || exit 0
[ -f /usr/sbin/sendmail ] || exit 0

# Get a string of all the PIDs of MailScanner
#MailScannerPids() {
#  cd $PIDDIR || return 1
#  PIDLIST=`ls | grep '^MailScanner.' | sed -e 's/MailScanner.//g'`
#  echo PIDLIST
#  return 0
#}

# Start both the sendmail processes
# Incoming sendmail: accepts SMTP but only queues into $INQDIR,
# where MailScanner picks the messages up.
StartInSendmail() {
        /usr/bin/newaliases > /dev/null 2>&1
        if test -x /usr/bin/make -a -f /etc/mail/Makefile ; then
          make -C /etc/mail -q
        else
          for i in virtusertable access domaintable mailertable ; do
            if [ -f /etc/mail/$i ] ; then
              makemap hash /etc/mail/$i < /etc/mail/$i
            fi
          done
        fi
        /usr/sbin/sendmail -bd -ODeliveryMode=queueonly \
                           -OQueueDirectory=$INQDIR
        success
        echo
}

# Outgoing sendmail: queue runner for the normal queue, run every $QUEUETIME.
StartOutSendmail() {
        /usr/sbin/sendmail $([ -n "$QUEUETIME" ] && echo -q$QUEUETIME)
        success
        echo
}

RETVAL=0

# See how we were called.
case "$1" in
  start)
        # Start daemons.
        echo 'Starting MailScanner daemons:'
        echo -n ' incoming sendmail: '
        StartInSendmail
        echo -n ' outgoing sendmail: '
        StartOutSendmail
        echo -n ' MailScanner: '
        /usr/sbin/check_MailScanner >/dev/null
        RETVAL=$?
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/MailScanner
        success
        echo
        ;;
  stop)
        # Stop daemons.
        echo 'Shutting down MailScanner daemons:'
        echo -n ' MailScanner: '
        killproc MailScanner
        echo
        echo -n ' incoming sendmail: '
        killproc sendmail 2>/dev/null
        echo
        echo -n ' outgoing sendmail: '
        killproc /usr/sbin/sendmail 2>/dev/null
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/MailScanner
        # Clear out all the old pid files
        #[ -f /var/run/MailScanner/MailScanner.* ] && \
        rm -f /var/run/MailScanner/MailScanner.*
        # Clear out the old incoming dirs
        # (only when WORKDIR is set, so the delete cannot run in another directory)
        [ -n "$WORKDIR" ] && cd "$WORKDIR" && ls | xargs /bin/rm -rf
        ;;
  status)
        # Work out if all of MailScanner is running
        echo 'Checking MailScanner daemons:'
        echo -n ' MailScanner: '
        pid=`pidofproc MailScanner`
        if [ -z "$pid" ] ; then failure; else success; fi
        echo
        # Now the incoming sendmail
        echo -n ' incoming sendmail: '
        pid=`ps ax | grep 'sendmai[l]: accepting connections'`
        if [ -z "$pid" ] ; then failure; else success; fi
        echo
        # Now the outgoing sendmail
        echo -n ' outgoing sendmail: '
        # More complex regexp to handle other RedHats
        pid=`ps ax | egrep '\[sendmail\]|sendmai[l] -q[0-9]*[mhd]'`
        if [ -z "$pid" ] ; then failure; else success; fi
        echo
        ;;
  restart)
        $0 stop
        sleep 2
        $0 start
        RETVAL=$?
        ;;
  reload)
        echo -n 'Reloading MailScanner: '
        pid=`pidofproc MailScanner`
        if [ -z "$pid" ] ; then
          failure; echo
        else
          success; echo; kill -HUP $pid;
        fi
        ;;
  *)
        echo "Usage: service MailScanner {start|stop|status|restart|reload}"
        exit 1
esac

exit $RETVAL
-------------- next part --------------
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Fri Nov 22 09:57:32 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:31 2006
Subject: v4 boot script and other questions
In-Reply-To:
Message-ID: <5.2.0.9.2.20021122095504.07e11948@imap.ecs.soton.ac.uk>

At 21:27 21/11/2002, you wrote:
> I'm experimenting with the upgrade from v3 to v4. First off,
>is there a boot-time /etc/init.d script for MailScanner v4 already?
>Or just invoke "/opt/MailScanner/bin/check_mailscanner" from my
>v3-era boot-script?

If you are using the "tar" distribution, then there isn't one, you should
be able to just re-use your v3-era boot script.

> Second, I'm wondering about weirdness when I run the sendmail
>queue by hand with v4. With v3, I used:
>
>Delivery Method = queue
>
>instead of batch.

I would always advise batch in v4 personally.

> My boot-time script for sendmail looks like:
>
>#---delivery-only mode for mailscanner
>/usr/lib/sendmail -bd -ODeliveryMode=queueonly
>-OQueueDirectory=/var/spool/mqueue.in
>
>#---process /var/spool/mqueue every 5 minutes for actual delivery
>/usr/lib/sendmail -q5m
>
>For v4, I commented out the "-q5m" line in my sendmail boot script,

If you comment out the -q5m then it will just try to send 1 message input
from stdin. Which isn't what you want at all. Try -q30m or something like that.

>and used "Delivery Method = batch". If I process /var/spool/mqueue
>by hand, ie "/usr/lib/sendmail -v -q", then I get complaints in
>the window where I did "/opt/MailScanner/bin/check_mailscanner" from,
>which doesn't look good:

Check you haven't still got v3 running while trying to run v4.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Fri Nov 22 09:48:17 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:31 2006
Subject: Required SpamAssassin Score
In-Reply-To:
Message-ID: <5.2.0.9.2.20021122094807.07e0f230@imap.ecs.soton.ac.uk>

At 21:17 21/11/2002, you wrote:
>Can I set the "Required SpamAssassin Score" to a value with decimal
>number, ie. 8.5?

You can in the next release, I fixed the bug.

>I get the following error when setting it to 8.5:
>Cannot open ruleset file 8.5, No such file or directory at
>/opt/MailScanner/bin/MailScanner/Config.pm line 891
>
>Thanks for your advice.
>
>--thang
>
>*************************************************************************
>Thang M Nguyen                        Email: thang@hawaii.edu
>Information Technology Services       Phone: (808)-956-4449
>Systems Engineering                   Fax: (808)-956-2412
>*************************************************************************

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Fri Nov 22 09:58:28 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:31 2006
Subject: Odd Problem
In-Reply-To: <4E7026FF8A422749B1553FE508E00680053DA9@message.intern.akctech.de>
Message-ID: <5.2.0.9.2.20021122095758.07e254b8@imap.ecs.soton.ac.uk>

At 09:11 22/11/2002, you wrote:
>I had the same issue and simply used the 3.x script with some
>modifications. This is a bug in the check-mailscanner script.

Exactly what version of what O/S are you using? The check_mailscanner
script isn't perfect (yet).

>Regards,
> JP
>
> > -----Original Message-----
> > From: Derek Buttineau [mailto:derek@csolve.net]
> > Sent: Thursday, November 21, 2002 10:50 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Odd Problem
> >
> >
> > Just moved 4.05-3 to one of our production servers as it was
> > working amazingly great in our test environment..
> >
> > I've encountered a bit of an issue.. it doesn't stop spawning
> > children.. just reset it now so it's back to the configured
> > 5.. but previous to that it was up to approx 72 children!!
> >
> > Not sure exactly what is causing it..
> >
> > Anyone else encountered something similar?
> >
> > Thanks,
> >
> > Derek
> >

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Fri Nov 22 09:59:35 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:31 2006
Subject: Missing Spam List Definitions
In-Reply-To: <001801c291fa$a6ed0d40$0b0ba8c0@mistral>
References: <002d01c291b5$eff84ad0$0b0ba8c0@mistral> <1037926467.18464.2.camel@chaos.entrophy-free.net>
Message-ID: <5.2.0.9.2.20021122095905.07e55008@imap.ecs.soton.ac.uk>

At 07:42 22/11/2002, you wrote:
> > The documentation above applies to MailScanner 4.x, but you are running
> > 3.26. In 3.x there is not an external file for defining DNS black lists.
> > In that version all definitions of black lists are in the
> > mailscanner.conf file (or done by SpamAssassin).
>
>Thank you, things are cleared now. I was clearly very tired when looking at
>this last night :)

The V3 docs should be included in all distributions of the V3 code.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mike at ZANKER.ORG Fri Nov 22 10:14:40 2002
From: mike at ZANKER.ORG (Mike Zanker)
Date: Thu Jan 12 21:16:31 2006
Subject: How many instances to spawn?
Message-ID: <87452550.1037960080@jemima.zanker.org>

I'm just wondering how many instances of MailScanner I need to run on a
mail server that, on average, receives about one e-mail every two or
three minutes but sometimes in bursts of two or three at the same time.
Five instances seems overkill in this situation!

Thanks,

Mike.

From mailscanner at ecs.soton.ac.uk Fri Nov 22 10:24:51 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:31 2006
Subject: How many instances to spawn?
In-Reply-To: <87452550.1037960080@jemima.zanker.org>
Message-ID: <5.2.0.9.2.20021122102444.07e74960@imap.ecs.soton.ac.uk>

At 10:14 22/11/2002, you wrote:
>I'm just wondering how many instances of MailScanner I need to run on a
>mail server that, on average, receives about one e-mail every two or
>three minutes but sometimes in bursts of two or three at the same time.
>Five instances seems overkill in this situation!

1 should be plenty.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From f.rotondo at TESEO.IT Fri Nov 22 10:31:06 2002
From: f.rotondo at TESEO.IT (Francesco Rotondo)
Date: Thu Jan 12 21:16:31 2006
Subject: How many instances to spawn?
References: <87452550.1037960080@jemima.zanker.org>
Message-ID: <002a01c29212$43f6a760$0464a8c0@teseo.net>

----- Original Message -----
From: "Mike Zanker"
To:
Sent: Friday, November 22, 2002 11:14 AM
Subject: How many instances to spawn?

> I'm just wondering how many instances of MailScanner I need to run on a
> mail server that, on average, receives about one e-mail every two or
> three minutes but sometimes in bursts of two or three at the same time.
> Five instances seems overkill in this situation!
>
> Thanks,
>
> Mike.
>

Hi,
I have quite the same situation on my mail server. I upgraded MailScanner
to version 4 about 2 weeks ago and realized that most of the time only one
of the instances is working. So, I think that this number can be safely
reduced to 2 or 3 instances.

+----------------------------------------------------------+
| Francesco Rotondo        E-mail: f.rotondo@teseo.it      |
+----------------------------------------------------------+
| Teseo Internet Provider, Srl                             |
| C.so A. De Gasperi, 344  Web: http://www.teseo.it        |
| 70125 - Bari             Tel: +39(080)5036970            |
| Italy                    Fax: +39(080)5008672            |
+----------------------------------------------------------+

From mailscanner at BARENDSE.TO Fri Nov 22 10:36:31 2002
From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:16:31 2006 Subject: Connecting mailscanner to sendmail Message-ID: Just a thought, would it be an idea to make the number of processes that will be started a MailScanner.conf option? Was thinking of something like Mail volume for this server = lo/med/high Would save some mem on low mem boxes and would have no negative result on mail processing speed if the number of processes is reduced but it is a low volume box. Maybe even make it a number to control how many processes will be running? On Wed, 20 Nov 2002, Julian Field wrote: > Sounds like you have the normal sendmail process running as well as > MailScanner. You should have > 1) 2 sendmail processes, both of which are started by the MailScanner > init.d script. Neither one is started by the sendmail init.d script (and > this script should be disabled). > 2) 1 or more MailScanner processes (you will get 6 by default) started by > the MailScanner init.d script. > > At 21:58 19/11/2002, you wrote: > >I am running MailScanner 4.05-3 with sendmail 8.12.6 on a Debian system > >and am having trouble getting sendmail to leave the message in the queue > >for MailScanner to see and process. > > > >If I stop sendmail and drop some q/df files into the queue MailScanenr > >immediately grabs them and processes them and sends them on > >appropriately. If sendmail is running and receives a message it > >immediately processes it and sends it along with giving MailScanner a > >chance to look at it. > > > >Everything else works great, but how do I get sendmail to put it in the > >queue and leave it there long enough for MailScanner to see it? > > > >I have tried commenting out the ControlSocketName=... in the sendmail.cf > >file, but still no luck. Any suggestions? > >-- > >Daniel R. 
Bidwell | bidwell@andrews.edu > >Andrews University Computer Science & Information Systems Department > >If two always agree, one of them is unnecessary > >"Friends don't let friends do DOS" > >"In theory, theory and practice are the same. > >In practice, however, they are not." > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mike at ZANKER.ORG Fri Nov 22 10:45:01 2002 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:16:31 2006 Subject: How many instances to spawn? In-Reply-To: <5.2.0.9.2.20021122102444.07e74960@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20021122102444.07e74960@imap.ecs.soton.ac.uk> Message-ID: <89274149.1037961901@jemima.zanker.org> On 22 November 2002 10:24 +0000 Julian Field wrote: > 1 should be plenty. Thanks, just trying this but have noticed something odd. See output below: [root@mallard root]# /etc/init.d/MailScanner stop Shutting down MailScanner daemons: MailScanner: We haven't got any child processes, which isn't right!, No child processes at /usr/sbin/MailScanner line 191. We have just tried to reap a process which wasn't one of ours!, No child processes at /usr/sbin/MailScanner line 194. [ OK ] incoming sendmail: [ OK ] outgoing sendmail: [ OK ] If I run this a second time: [root@mallard root]# /etc/init.d/MailScanner stop Shutting down MailScanner daemons: MailScanner: [ OK ] incoming sendmail: [FAILED] outgoing sendmail: [FAILED] So it needs to be run twice to get rid of what seems to be a remaining instance. This is with Max Children set to 1. Mike. From mailscanner at ecs.soton.ac.uk Fri Nov 22 10:51:47 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:31 2006 Subject: Connecting mailscanner to sendmail In-Reply-To: Message-ID: <5.2.0.9.2.20021122105125.03ffc138@imap.ecs.soton.ac.uk> Err... Do you mean "Max Children" ? At 10:36 22/11/2002, you wrote: >Just a thought, would it be an idea to make the number of processes that >will be started a MailScanner.conf option? >Was thinking of something like >Mail volume for this server = lo/med/high > >Would save some mem on low mem boxes and would have no negative result on >mail processing speed if the number of processes is reduced but it is a >low volume box. > >Maybe even make it a number to control how many processes will be running? > >On Wed, 20 Nov 2002, Julian Field wrote: > > > Sounds like you have the normal sendmail process running as well as > > MailScanner. You should have > > 1) 2 sendmail processes, both of which are started by the MailScanner > > init.d script. Neither one is started by the sendmail init.d script (and > > this script should be disabled). > > 2) 1 or more MailScanner processes (you will get 6 by default) started by > > the MailScanner init.d script. > > > > At 21:58 19/11/2002, you wrote: > > >I am running MailScanner 4.05-3 with sendmail 8.12.6 on a Debian system > > >and am having trouble getting sendmail to leave the message in the queue > > >for MailScanner to see and process. > > > > > >If I stop sendmail and drop some q/df files into the queue MailScanenr > > >immediately grabs them and processes them and sends them on > > >appropriately. If sendmail is running and receives a message it > > >immediately processes it and sends it along with giving MailScanner a > > >chance to look at it. > > > > > >Everything else works great, but how do I get sendmail to put it in the > > >queue and leave it there long enough for MailScanner to see it? > > > > > >I have tried commenting out the ControlSocketName=... in the sendmail.cf > > >file, but still no luck. 
Any suggestions? > > >-- > > >Daniel R. Bidwell | bidwell@andrews.edu > > >Andrews University Computer Science & Information Systems Department > > >If two always agree, one of them is unnecessary > > >"Friends don't let friends do DOS" > > >"In theory, theory and practice are the same. > > >In practice, however, they are not." > > > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > > > > > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Nov 22 10:50:59 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:31 2006
Subject: How many instances to spawn?
In-Reply-To: <89274149.1037961901@jemima.zanker.org>
References: <5.2.0.9.2.20021122102444.07e74960@imap.ecs.soton.ac.uk> <5.2.0.9.2.20021122102444.07e74960@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20021122105042.07efbfd8@imap.ecs.soton.ac.uk>

That's the init script being hopeless again :-(

At 10:45 22/11/2002, you wrote:
>On 22 November 2002 10:24 +0000 Julian Field
> wrote:
>
>>1 should be plenty.
>
>Thanks, just trying this but have noticed something odd. See output
>below:
>
>[root@mallard root]# /etc/init.d/MailScanner stop
>Shutting down MailScanner daemons:
> MailScanner: We haven't got any child processes, which
>isn't right!, No child processes at /usr/sbin/MailScanner line 191.
>We have just tried to reap a process which wasn't one of ours!, No
>child processes at /usr/sbin/MailScanner line 194.
> [ OK ]
> incoming sendmail: [ OK ]
> outgoing sendmail: [ OK ]
>
>If I run this a second time:
>
>[root@mallard root]# /etc/init.d/MailScanner stop
>Shutting down MailScanner daemons:
> MailScanner: [ OK ]
> incoming sendmail: [FAILED]
> outgoing sendmail: [FAILED]
>
>
>So it needs to be run twice to get rid of what seems to be a remaining
>instance. This is with Max Children set to 1.
>
>Mike.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at BARENDSE.TO Fri Nov 22 11:33:13 2002
From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:16:31 2006 Subject: Connecting mailscanner to sendmail In-Reply-To: <5.2.0.9.2.20021122105125.03ffc138@imap.ecs.soton.ac.uk> Message-ID: yes, sorry bout that On Fri, 22 Nov 2002, Julian Field wrote: > Err... > Do you mean > "Max Children" ? > > At 10:36 22/11/2002, you wrote: > >Just a thought, would it be an idea to make the number of processes that > >will be started a MailScanner.conf option? > >Was thinking of something like > >Mail volume for this server = lo/med/high > > > >Would save some mem on low mem boxes and would have no negative result on > >mail processing speed if the number of processes is reduced but it is a > >low volume box. > > > >Maybe even make it a number to control how many processes will be running? > > > >On Wed, 20 Nov 2002, Julian Field wrote: > > > > > Sounds like you have the normal sendmail process running as well as > > > MailScanner. You should have > > > 1) 2 sendmail processes, both of which are started by the MailScanner > > > init.d script. Neither one is started by the sendmail init.d script (and > > > this script should be disabled). > > > 2) 1 or more MailScanner processes (you will get 6 by default) started by > > > the MailScanner init.d script. > > > > > > At 21:58 19/11/2002, you wrote: > > > >I am running MailScanner 4.05-3 with sendmail 8.12.6 on a Debian system > > > >and am having trouble getting sendmail to leave the message in the queue > > > >for MailScanner to see and process. > > > > > > > >If I stop sendmail and drop some q/df files into the queue MailScanenr > > > >immediately grabs them and processes them and sends them on > > > >appropriately. If sendmail is running and receives a message it > > > >immediately processes it and sends it along with giving MailScanner a > > > >chance to look at it. 
> > > > > > > >Everything else works great, but how do I get sendmail to put it in the > > > >queue and leave it there long enough for MailScanner to see it? > > > > > > > >I have tried commenting out the ControlSocketName=... in the sendmail.cf > > > >file, but still no luck. Any suggestions? > > > >-- > > > >Daniel R. Bidwell | bidwell@andrews.edu > > > >Andrews University Computer Science & Information Systems Department > > > >If two always agree, one of them is unnecessary > > > >"Friends don't let friends do DOS" > > > >"In theory, theory and practice are the same. > > > >In practice, however, they are not." > > > > > > -- > > > Julian Field Teaching Systems Manager > > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > > Tel. 023 8059 2817 University of Southampton > > > Southampton SO17 1BJ > > > > > > > > > > > > > >-- > >This message has been scanned for viruses and > >dangerous content by MailScanner, and is > >believed to be clean. > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From D.M.Chapman at UKC.AC.UK Fri Nov 22 11:49:31 2002 
From: D.M.Chapman at UKC.AC.UK (D.M.Chapman)
Date: Thu Jan 12 21:16:31 2006
Subject: DOS attach with zip of death?
Message-ID: <20021122114931.E7559@apple.ukc.ac.uk>

Yesterday we got hit with a "zip of death" denial of service attack on
our mail hubs. Now I am not exactly up to speed on mailscanner yet and
didn't build these machines but I'm just fishing for clues in case I've
missed something obvious...

We have 3 hubs. All running exim 3, two are running MailScanner-3.15-3
on Solaris 8 with one running MailScanner-3.22-14 on Solaris 9. I know
both of these are out of date... AFAIK these are the versions on the
machines. All three run the same version of Sophos - they were all
upgraded to the latest release of sophos recently so are identical in
that respect.

The first two machines coped fine. They logged:

  Commercial scanner sophos timed out!
  Denial Of Service attack is in message 18Eq5q-0004o9-00

And then carried on.

The last machine (that is running the newer mailscanner release) failed.
It logged:

  Commercial scanner sophos timed out!
  Denial Of Service attack detected!

No message id was logged and it then died. No more scanning and it wouldn't
restart until I had removed the message containing the zip from the mailq :-(
Unfortunately this machine is our biggest so it is the one we can least
afford to be down. Also, as exim carried on receiving emails we rapidly
ended up with 7000 messages stuck on the machine awaiting virus checking...

Have I missed something here? From the docs it seems like DOS attack
protection was added in v2.50. Certainly it worked well on the two machines
that are running the older version. Was this "missed out" of the
3.22 release? Is this one machine misconfigured? Any clues?

Will upgrading the 3.22 machine to 3.26 fix this? I guess I could
downgrade to 3.15 but that doesn't sound like the correct answer!

Clues? This is the first problem we have had with mailscanner since
the person who set up the system left in June...I knew I should have
made sure I was up to speed before now!

Thanks,

Darren

From mailscanner at ecs.soton.ac.uk Fri Nov 22 12:31:38 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:31 2006
Subject: DOS attach with zip of death?
In-Reply-To: <20021122114931.E7559@apple.ukc.ac.uk>
Message-ID: <5.2.0.9.2.20021122122836.03fe3d98@imap.ecs.soton.ac.uk>

I've just tested this on RedHat 7.3 with the latest V3 code. I got this
(using a batch of 3 messages, with the ZipOfDeath in the middle)

Nov 22 12:31:55 sailor mailscanner[3364]: Startup: found 3 messages waiting
Nov 22 12:31:55 sailor mailscanner[3364]: Scanning 3 messages, 60217 bytes
Nov 22 12:37:00 sailor mailscanner[3364]: Commercial scanner sophos timed out!
Nov 22 12:37:00 sailor mailscanner[3364]: Denial Of Service attack detected!
Nov 22 12:42:05 sailor mailscanner[3364]: Commercial scanner sophos timed out!
Nov 22 12:42:05 sailor mailscanner[3364]: Denial Of Service attack is in message gAMCVGnf003351
Nov 22 12:42:11 sailor mailscanner[3364]: Scanned 3 messages, 60217 bytes in 616 seconds
Nov 22 12:42:11 sailor mailscanner[3364]: Saved entire message to /var/spool/MailScanner/quarantine/20021122/gAMCVGnf003351

which is what I would expect.

Note that you should get 1 DOS report without the message id, followed by
another DOS report with the message id, a few minutes later.

At 11:49 22/11/2002, you wrote:
>Yesterday we got hit with a "zip of death" denial of service attack on
>our mail hubs. Now I am not exactly up to speed on mailscanner yet and
>didn't build these machines but I'm just fishing for clues in case I've
>missed something obvious...
>
>We have 3 hubs. All running exim 3, two are running MailScanner-3.15-3
>on Solaris 8 with one running MailScanner-3.22-14 on Solaris 9. I know
>both of these are out of date... AFAIK these are the versions on the
>machines. All three run the same version of Sophos - they were all
>upgraded to the latest release of sophos recently so are identical in
>that respect.
>
>The first two machines coped fine. They logged:
>
> Commercial scanner sophos timed out!
> Denial Of Service attack is in message 18Eq5q-0004o9-00
>
>And then carried on.
>
>The last machine (that is running the newer mailscanner release) failed.
>It logged:
>
> Commercial scanner sophos timed out!
> Denial Of Service attack detected!
>
>No message id was logged and it then died. No more scanning and it wouldn't
>restart until I had removed the message containing the zip from the mailq :-(
>Unfortunately this machine is our biggest so it is the one we can least
>afford to be down. Also, as exim carried on receiving emails we rapidly
>ended up with 7000 messages stuck on the machine awaiting virus checking...
>
>Have I missed something here? From the docs it seems like DOS attack
>protection was added in v2.50. Certainly it worked well on the two machines
>that are running the older version. Was this "missed out" of the
>3.22 release? Is this one machine misconfigured? Any clues?
>
>Will upgrading the 3.22 machine to 3.26 fix this? I guess I could
>downgrade to 3.15 but that doesn't sound like the correct answer!
>
>Clues? This is the first problem we have had with mailscanner since
>the person who set up the system left in June...I knew I should have
>made sure I was up to speed before now!
>
>Thanks,
>
>Darren

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From info at blacknight-solutions.com Fri Nov 22 12:42:05 2002
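
The two-stage pattern described in the reply above (one DoS report without a message id, then a second one naming the message a few minutes later) can be checked mechanically. The following is an added example, not part of the original posts and not MailScanner code: it parses syslog lines in the format quoted above and flags any scanner process that logged the first report but never the second. The function names are illustrative and the second sample log is constructed.

```python
"""Check MailScanner syslog lines for the two-stage DoS report."""
import re
from datetime import datetime

# Log lines quoted in the reply above (RedHat 7.3, latest V3 code).
HEALTHY_LOG = """\
Nov 22 12:31:55 sailor mailscanner[3364]: Startup: found 3 messages waiting
Nov 22 12:31:55 sailor mailscanner[3364]: Scanning 3 messages, 60217 bytes
Nov 22 12:37:00 sailor mailscanner[3364]: Commercial scanner sophos timed out!
Nov 22 12:37:00 sailor mailscanner[3364]: Denial Of Service attack detected!
Nov 22 12:42:05 sailor mailscanner[3364]: Commercial scanner sophos timed out!
Nov 22 12:42:05 sailor mailscanner[3364]: Denial Of Service attack is in message gAMCVGnf003351
Nov 22 12:42:11 sailor mailscanner[3364]: Scanned 3 messages, 60217 bytes in 616 seconds
Nov 22 12:42:11 sailor mailscanner[3364]: Saved entire message to /var/spool/MailScanner/quarantine/20021122/gAMCVGnf003351
"""

# Constructed sample: host name, PID and times are invented; the two message
# texts are the ones reported from the hub that stopped scanning.
STALLED_LOG = """\
Nov 21 15:02:10 hub3 mailscanner[811]: Commercial scanner sophos timed out!
Nov 21 15:02:10 hub3 mailscanner[811]: Denial Of Service attack detected!
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"mailscanner\[(?P<pid>\d+)\]: (?P<msg>.*)$",
    re.IGNORECASE,
)
DETECTED = "Denial Of Service attack detected!"
ISOLATED = re.compile(r"Denial Of Service attack is in message (\S+)$")
SAVED = re.compile(r"Saved entire message to (\S+)$")


def _new_incident(host, pid, when):
    return {"host": host, "pid": pid, "detected_at": when,
            "isolated_at": None, "message_id": None, "quarantine": None}


def analyse(log_text, year=2002):
    """Return one dict per DoS incident found in log_text.

    syslog timestamps carry no year, so the caller supplies one
    (2002 matches the quoted sample).
    """
    incidents = []   # every incident, in order of first appearance
    pending = {}     # (host, pid) -> incident still waiting for a message id
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["host"], int(m["pid"]))
        msg = m["msg"].strip()
        if msg == DETECTED:
            # First report: the batch as a whole made the scanner time out.
            if key not in pending:
                pending[key] = _new_incident(*key, when)
                incidents.append(pending[key])
            continue
        hit = ISOLATED.match(msg)
        if hit:
            # Second report: the offending message has been singled out.
            inc = pending.pop(key, None)
            if inc is None:  # report seen without a preceding first stage
                inc = _new_incident(*key, when)
                incidents.append(inc)
            inc["message_id"] = hit.group(1)
            inc["isolated_at"] = when
            continue
        hit = SAVED.match(msg)
        if hit:
            # Attach the quarantine path to the incident it belongs to.
            for inc in incidents:
                same_proc = (inc["host"], inc["pid"]) == key
                if same_proc and inc["message_id"] and \
                        hit.group(1).endswith("/" + inc["message_id"]):
                    inc["quarantine"] = hit.group(1)
    return incidents


def unresolved(incidents):
    """Incidents where the scanner never named the offending message."""
    return [i for i in incidents if i["message_id"] is None]


def isolation_seconds(incident):
    """Seconds between the first report and the one naming the message."""
    if incident["isolated_at"] is None:
        return None
    delta = incident["isolated_at"] - incident["detected_at"]
    return int(delta.total_seconds())


if __name__ == "__main__":
    for name, text in (("healthy", HEALTHY_LOG), ("stalled", STALLED_LOG)):
        for inc in analyse(text):
            state = inc["message_id"] or "NOT ISOLATED: check the incoming queue"
            print(f"{name}: {inc['host']} pid {inc['pid']} -> {state}")
```

An incident returned by `unresolved()` corresponds to the situation reported from the third hub: the process logged the first report and nothing after it, so the message is still sitting in the incoming queue.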
From: info at blacknight-solutions.com (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:16:31 2006
Subject: DOS attach with zip of death?
In-Reply-To: <5.2.0.9.2.20021122122836.03fe3d98@imap.ecs.soton.ac.uk>
References: <20021122114931.E7559@apple.ukc.ac.uk> <5.2.0.9.2.20021122122836.03fe3d98@imap.ecs.soton.ac.uk>
Message-ID: <19592.213.136.131.214.1037968925.squirrel@www.blacknightsolutions.com>

An article on the 'zip of death':

http://www.mxsciences.com/artman/publish/article_2.shtml

From Jan-Peter.Koopmann at SECEIDOS.DE Fri Nov 22 12:46:54 2002
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:16:31 2006
Subject: Odd Problem
Message-ID: <4E7026FF8A422749B1553FE508E00680053DAC@message.intern.akctech.de>

> Exactly what version of what O/S are you using? The
> check_mailscanner script isn't perfect (yet).

FreeBSD 4.7

From derek at csolve.net Fri Nov 22 13:54:02 2002
From: derek at csolve.net (Derek Buttineau)
Date: Thu Jan 12 21:16:31 2006
Subject: Odd Problem
References: <5.2.0.9.2.20021122095758.07e254b8@imap.ecs.soton.ac.uk>
Message-ID: <007201c2922e$9dd81450$8850a4cf@derek>

Yeah turned out to be check_mailscanner script.. someone from the list sent
me a fix and works fine now :)

Thanks,

Derek

----- Original Message -----
From: "Julian Field"
To:
Sent: Friday, November 22, 2002 4:58 AM
Subject: Re: Odd Problem

> At 09:11 22/11/2002, you wrote:
> >I had the same issue and simply used the 3.x script with some
> >modifications. This is a bug in the check-mailscanner script.
>
> Exactly what version of what O/S are you using? The check_mailscanner
> script isn't perfect (yet).
>
>
> >Regards,
> > JP

From mailscanner at ecs.soton.ac.uk Fri Nov 22 13:54:54 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:31 2006
Subject: Odd Problem
In-Reply-To: <4E7026FF8A422749B1553FE508E00680053DAC@message.intern.akctech.de>
Message-ID: <5.2.0.9.2.20021122135437.0897f5d0@imap.ecs.soton.ac.uk>

At 12:46 22/11/2002, you wrote:
> > Exactly what version of what O/S are you using? The
> > check_mailscanner script isn't perfect (yet).
>
>FreeBSD 4.7

Try using pgrep if you've got it rather than ps and grep.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Fri Nov 22 13:54:24 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:31 2006
Subject: DOS attach with zip of death?
In-Reply-To: <19592.213.136.131.214.1037968925.squirrel@www.blacknightsolutions.com>
References: <5.2.0.9.2.20021122122836.03fe3d98@imap.ecs.soton.ac.uk> <20021122114931.E7559@apple.ukc.ac.uk> <5.2.0.9.2.20021122122836.03fe3d98@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20021122135329.0897fa88@imap.ecs.soton.ac.uk>

At 12:42 22/11/2002, you wrote:
>An article on the 'zip of death':
>
>http://www.mxsciences.com/artman/publish/article_2.shtml

I like the quote

>Paul Rogers, a network security analyst at MIS, has carried out tests that
>show that the exploit can be used to crash systems running MAILsweeper
>filtering software from Content Technologies and antivirus products from
>F-Secure.

MailScanner has been protected against dos attacks for a long time.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From lbergman at wtxs.net Fri Nov 22 14:02:14 2002
From: lbergman at wtxs.net (Lewis Bergman) Date: Thu Jan 12 21:16:31 2006 Subject: Connecting mailscanner to sendmail In-Reply-To: References: Message-ID: <200211220802.14167.lbergman@wtxs.net> On Friday 22 November 2002 04:36 am, Remco Barendse wrote: > Just a thought, would it be an idea to make the number of processes that > will be started a MailScanner.conf option? > Was thinking of something like > Mail volume for this server = lo/med/high > > Would save some mem on low mem boxes and would have no negative result on > mail processing speed if the number of processes is reduced but it is a > low volume box. > > Maybe even make it a number to control how many processes will be running? You mean maybe like the Max Children setting? # As a rough guide, try 5 children per CPU. Max Children = 10 -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From lbergman at wtxs.net Fri Nov 22 14:05:40 2002 
From: lbergman at wtxs.net (Lewis Bergman) Date: Thu Jan 12 21:16:31 2006 Subject: f-prot-autoupdate error In-Reply-To: <000201c291ff$f0e89ea0$65000a0a@galaxy> References: <000201c291ff$f0e89ea0$65000a0a@galaxy> Message-ID: <200211220805.40708.lbergman@wtxs.net> On Friday 22 November 2002 02:19 am, Evert Jan van Ramselaar wrote: > Hi ppl, > > I recently installed the latest MS 4 RPM version. Everything works > great, good work Julian! > > However, the f-prot-autoupdate scripts gives me this error: > > # ./f-prot-autoupdate > FTP address for retrieving files is ftp://eu-3.updates.f-prot.com/pub/ > Unknown fatal error calling "checksum", exiting., Bad file descriptor at > ./f-prot-autoupdate line 295, line 2. > > F-prot lives in /usr/local/f-prot and the tmpdir /usr/local/f-prot/tmp > does exist. > Any idea on this one? Are all the f-prot files there? Maybe try reinstalling f-prot and then run update again. If I remember correctly there is some kind of mismatch in the md5 sums. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From D.M.Chapman at UKC.AC.UK Fri Nov 22 14:28:27 2002 
From: D.M.Chapman at UKC.AC.UK (D.M.Chapman)
Date: Thu Jan 12 21:16:31 2006
Subject: DOS attach with zip of death?
In-Reply-To: <5.2.0.9.2.20021122122836.03fe3d98@imap.ecs.soton.ac.uk>; from mailscanner@ECS.SOTON.AC.UK on Fri, Nov 22, 2002 at 12:31:38PM +0000
References: <20021122114931.E7559@apple.ukc.ac.uk> <5.2.0.9.2.20021122122836.03fe3d98@imap.ecs.soton.ac.uk>
Message-ID: <20021122142827.A18689@apple.ukc.ac.uk>

On Fri, Nov 22, 2002 at 12:31:38PM +0000, Julian Field wrote:
> I've just tested this on RedHat 7.3 with the latest V3 code. I got this
> (using a batch of 3 messages, with the ZipOfDeath in the middle)
[snip]
> Nov 22 12:42:11 sailor mailscanner[3364]: Saved entire message to
> /var/spool/MailScanner/quarantine/20021122/gAMCVGnf003351
>
> which is what I would expect. Note that you should get 1 DOS report without
> the message id, followed by another DOS report with the message id, a few
> minutes later.

That's what I got on the two older machines. The 3.22 box never reported the message id (it had been stuck for a couple of hours by the time I got to it). Oh well, I guess it will be an upgrade to the latest v3 then.

One thing I notice from the above output is that you quarantine the message. We have a policy of not doing this at all and deleting any virus but on the two machines that coped with the ping of death it seems to have deleted the attack email (at least, I can't find it).

Is there any way to have it delete any virus but to keep the dos attack message/attachment so that it "can be used in evidence"? :-)

Thanks,

Darren

From mailscanner at ecs.soton.ac.uk Fri Nov 22 14:32:55 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:31 2006 Subject: DOS attach with zip of death? In-Reply-To: <20021122142827.A18689@apple.ukc.ac.uk> References: <5.2.0.9.2.20021122122836.03fe3d98@imap.ecs.soton.ac.uk> <20021122114931.E7559@apple.ukc.ac.uk> <5.2.0.9.2.20021122122836.03fe3d98@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20021122143126.08917ec0@imap.ecs.soton.ac.uk> At 14:28 22/11/2002, you wrote: >On Fri, Nov 22, 2002 at 12:31:38PM +0000, Julian Field wrote: > > I've just tested this on RedHat 7.3 with the latest V3 code. I got this > > (using a batch of 3 messages, with the ZipOfDeath in the middle) >[snip] > > Nov 22 12:42:11 sailor mailscanner[3364]: Saved entire message to > > /var/spool/MailScanner/quarantine/20021122/gAMCVGnf003351 > > > > which is what I would expect. Note that you should get 1 DOS report without > > the message id, followed by another DOS report with the message id, a few > > minutes later. > >One thing I notice from the above output is that you quarantine the >message. We have a policy of not doing this at all and deleting any >virus but on the two machines that coped with the ping of death it >seems to have deleted the attack email (at least, I can't find it). > >Is there anyway to have it delete any virus but to keep the dos attack >message/attachment so that it "can be used in evidence"? :-) Not easily, no. The quarantining is an "all or nothing" affair. In V4 you could use a Custom Function to decide whether to quarantine based on the reports in the message. But you can't in V3. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jaearick at COLBY.EDU Fri Nov 22 14:41:06 2002 
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:16:31 2006
Subject: v4: naming Sophos homedir
Message-ID:

Julian,

Can the homedir of sophos (and maybe other virus scanners) be specified in mailscanner.conf, and then have the scripts:

bin/Sophos.install
lib/sophos-autoupdate
lib/sophos-wrapper

get the homedir definition from there? I keep sophos in /opt/sophos because /usr/local is NFS mounted.

-----------------------------------
Jeff A. Earickson, Ph.D
Senior UNIX Sysadmin and Email Guru
Information Technology Services
Colby College, 4214 Mayflower Hill, Waterville ME, 04901-8842
phone: 207-872-3659 (fax = 3076)
-----------------------------------

From alberto at CIED.RIMED.CU Fri Nov 22 15:25:40 2002
From: alberto at CIED.RIMED.CU (Alberto García Fumero)
Date: Thu Jan 12 21:16:31 2006
Subject: Help trying to install MailScanner 4.05-3 on SuSE 7.0
In-Reply-To: <5.2.0.9.2.20021122094228.0436fe50@imap.ecs.soton.ac.uk>
References: <200211212003.gALK3Xh02820@cied.rimed.cu> <5.2.0.9.2.20021122094228.0436fe50@imap.ecs.soton.ac.uk>
Message-ID: <200211221528.gAMFSPV02677@cied.rimed.cu>

On Friday 22 November 2002 04:44, you wrote:
> Here is the RedHat init.d script. You will probably need to edit it a bit,
> but it will show you most of what you need.
> I'm going to do some work on the SuSE setup some time soon.
>
> As for installing from source, MailScanner is written in Perl so you have
> the source anyway.

Thanks a lot! I'll begin the study session in a few minutes ;-))

--
MSc. Alberto García Fumero
Centro de Información para la Educación
Ministerio de Educación
Linux User No. 97 138
Windows? No, thanks! I do not approve of the VAT (Virus Added Tax)

--
This message has been scanned by MailScanner at CIED for viruses and other dangerous content, and is believed to be clean.

From mailscannerlist at TNJINFL.COM Fri Nov 22 15:31:29 2002
From: mailscannerlist at TNJINFL.COM (James Pifer) Date: Thu Jan 12 21:16:31 2006 Subject: Testing content filtering? Message-ID: <1037979109.22464.133.camel@tweety.tnjinfl.com> My setup is Sendmail with MailScanner using SpamAssassin and f-prot. SpamAssassin does the content filtering right? I'm trying to test the server and make sure it's working before throwing it this weekend for a few hours as a pilot run. I've tried sending messages with a lot of offensive words in the subject and body that I won't repeat here, but they all get through without getting tagged. From the headers MailScanner is looking at it. Obviously I'm being naive and probably just assuming they should be getting caught. Can anyone suggest the best way to test this before trying it in production as our real mail gateway? Sorry if this is just a really stupid question.... Thanks, James From lbergman at wtxs.net Fri Nov 22 15:34:24 2002 
From: lbergman at wtxs.net (Lewis Bergman) Date: Thu Jan 12 21:16:31 2006 Subject: Testing content filtering? In-Reply-To: <1037979109.22464.133.camel@tweety.tnjinfl.com> References: <1037979109.22464.133.camel@tweety.tnjinfl.com> Message-ID: <200211220934.24120.lbergman@wtxs.net> On Friday 22 November 2002 09:31 am, James Pifer wrote: > My setup is Sendmail with MailScanner using SpamAssassin and f-prot. > SpamAssassin does the content filtering right? I'm trying to test the > server and make sure it's working before throwing it this weekend for a > few hours as a pilot run. > > I've tried sending messages with a lot of offensive words in the subject > and body that I won't repeat here, but they all get through without > getting tagged. From the headers MailScanner is looking at it. > > Obviously I'm being naive and probably just assuming they should be > getting caught. Can anyone suggest the best way to test this before > trying it in production as our real mail gateway? MailScanner is not a content filtering program. It can use SpamAssassin which can scan content but not filter (replace content) it. I am unaware of a program that does what you are asking for. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From dan at OXNARDSD.ORG Fri Nov 22 15:27:18 2002 
From: dan at OXNARDSD.ORG (Dan Kubilos) Date: Thu Jan 12 21:16:31 2006 Subject: Testing content filtering? In-Reply-To: <1037979109.22464.133.camel@tweety.tnjinfl.com> Message-ID: I do this for our school district by adding local rules to spamassassin. On Fri, 22 Nov 2002, James Pifer wrote: > My setup is Sendmail with MailScanner using SpamAssassin and f-prot. > SpamAssassin does the content filtering right? I'm trying to test the > server and make sure it's working before throwing it this weekend for a > few hours as a pilot run. > > I've tried sending messages with a lot of offensive words in the subject > and body that I won't repeat here, but they all get through without > getting tagged. From the headers MailScanner is looking at it. > > Obviously I'm being naive and probably just assuming they should be > getting caught. Can anyone suggest the best way to test this before > trying it in production as our real mail gateway? > > Sorry if this is just a really stupid question.... > > Thanks, > James > -- Dan Kubilos __\o_ ^ K-8 Tech Coord http://www.oxnardsd.org From Denis.Beauchemin at USHERBROOKE.CA Fri Nov 22 16:42:11 2002 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:16:31 2006
Subject: Friend Greetings expanding
Message-ID: <1037983331.7622.26.camel@dbeauchemin.si.usherbrooke.ca>

Hello,

The following domain names have all been registered by the nice company that brought the Friend Greeting to us:

cool-downloads.net
friend-card.com
friend-card.net
friend-cards.com
friend-cards.net
friendgreeting.com
friendgreeting.net
friend-greetings.com
friendgreetings.com
friend-greetings.net
friendgreetings.net
laugh-mail.com

I suggest we all add them to some high scoring SpamAssassin rules such as:

describe FRIEND_GREETINGS Nasty E-card from FriendGreetings.com
full FRIEND_GREETINGS /www\.friend-?greetings?\.com\./i
score FRIEND_GREETINGS 100.0

using the following regex:

/http:\/\/.*cool-downloads\.net/i
/http:\/\/.*friend-cards?\.(com|net)/i
/http:\/\/.*friend-?greetings?\.(com|net)/i
/http:\/\/.*laugh-mail\.com/i

Denis
--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From mailscanner at ecs.soton.ac.uk Fri Nov 22 16:38:48 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:31 2006 Subject: v4: naming Sophos homedir In-Reply-To: Message-ID: <5.2.0.9.2.20021122163756.089da4e8@imap.ecs.soton.ac.uk> At 14:41 22/11/2002, you wrote: >Julian, > > Can the homedir of sophos (and maybe other virus scanners) be >specified in mailscanner.conf, and then have the scripts: > >bin/Sophos.install >lib/sophos-autoupdate >lib/sophos-wrapper > >get the homedir definition from there? I keep sophos in >/opt/sophos because /usr/local is NFS mounted. All of those scripts now live inside MailScanner's dir structure rather than the virus scanner's dir, so they don't get lost when you upgrade your virus scanner or anything like that. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Nov 22 16:40:51 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:31 2006 Subject: Testing content filtering? In-Reply-To: <1037979109.22464.133.camel@tweety.tnjinfl.com> Message-ID: <5.2.0.9.2.20021122163941.089e68e0@imap.ecs.soton.ac.uk> There is a sample-spam.txt and sample-nonspam.txt supplied as part of SpamAssassin. They make a good pair of messages to test it with. You have enabled SpamAssassin use in MailScanner.conf haven't you? And remember that SpamAssassin is a *spam* filter, not an "offensive content" filter. At 15:31 22/11/2002, you wrote: >My setup is Sendmail with MailScanner using SpamAssassin and f-prot. >SpamAssassin does the content filtering right? I'm trying to test the >server and make sure it's working before throwing it this weekend for a >few hours as a pilot run. > >I've tried sending messages with a lot of offensive words in the subject >and body that I won't repeat here, but they all get through without >getting tagged. From the headers MailScanner is looking at it. > >Obviously I'm being naive and probably just assuming they should be >getting caught. Can anyone suggest the best way to test this before >trying it in production as our real mail gateway? > >Sorry if this is just a really stupid question.... > >Thanks, >James -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at BARENDSE.TO Fri Nov 22 16:48:37 2002 
From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:16:31 2006 Subject: Friend Greetings expanding In-Reply-To: <1037983331.7622.26.camel@dbeauchemin.si.usherbrooke.ca> Message-ID: wouldn't it be better to create a regexp that combines `e-card' of 'card' with any of the following 'laugh' and 'friend' and 'greeting'? Judging by the 'success' of their work method (every not all too clever user will install their crap) I think we will see loads of new domain names fairly soon. I found the same list on the mcafee site, and blocked all those sites in my web proxy as well combined with a regexp as described above. On Fri, 22 Nov 2002, Denis Beauchemin wrote: > Hello, > > The following domain names have all been registered by the nice company > that brought the Friend Greeting to us: > > cool-downloads.net > friend-card.com > friend-card.net > friend-cards.com > friend-cards.net > friendgreeting.com > friendgreeting.net > friend-greetings.com > friendgreetings.com > friend-greetings.net > friendgreetings.net > laugh-mail.com > > > I suggest we all add them to some high scoring SpamAssassin rules such > as: > > describe FRIEND_GREETINGS Nasty E-card from FriendGreetings.com > full FRIEND_GREETINGS /www\.friend-?greetings?\.com\./i > score FRIEND_GREETINGS 100.0 > > using the following regex: > /http:\/\/.*cool-downloads\.net/i > /http:\/\/.*friend-cards?\.(com|net|/i > /http:\/\/.*friend-?greetings?\.(com|net)/i > /http:\/\/.*laugh-mail\.com/i > > Denis > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From damian at WORKGROUPSOLUTIONS.COM Fri Nov 22 16:54:13 2002 From: damian at WORKGROUPSOLUTIONS.COM (Damian Mendoza) Date: Thu Jan 12 21:16:31 2006 Subject: Friend Greetings expanding Message-ID: What does your regexp expression look like? Thanks, Damian -----Original Message----- 
From: Remco Barendse [mailto:mailscanner@BARENDSE.TO] Sent: Friday, November 22, 2002 8:49 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Friend Greetings expanding wouldn't it be better to create a regexp that combines `e-card' of 'card' with any of the following 'laugh' and 'friend' and 'greeting'? Judging by the 'success' of their work method (every not all too clever user will install their crap) I think we will see loads of new domain names fairly soon. I found the same list on the mcafee site, and blocked all those sites in my web proxy as well combined with a regexp as described above. On Fri, 22 Nov 2002, Denis Beauchemin wrote: > Hello, > > The following domain names have all been registered by the nice company > that brought the Friend Greeting to us: > > cool-downloads.net > friend-card.com > friend-card.net > friend-cards.com > friend-cards.net > friendgreeting.com > friendgreeting.net > friend-greetings.com > friendgreetings.com > friend-greetings.net > friendgreetings.net > laugh-mail.com > > > I suggest we all add them to some high scoring SpamAssassin rules such > as: > > describe FRIEND_GREETINGS Nasty E-card from FriendGreetings.com > full FRIEND_GREETINGS /www\.friend-?greetings?\.com\./i > score FRIEND_GREETINGS 100.0 > > using the following regex: > /http:\/\/.*cool-downloads\.net/i > /http:\/\/.*friend-cards?\.(com|net|/i > /http:\/\/.*friend-?greetings?\.(com|net)/i > /http:\/\/.*laugh-mail\.com/i > > Denis > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From steveb at CME.NIST.GOV Fri Nov 22 17:10:18 2002 
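Added example, not part of any message in this thread: the four per-domain patterns and the broader keyword idea from the "Friend Greetings expanding" messages above, run against constructed message bodies to compare coverage and false positives. The patterns are transcribed from Perl to Python with the group in the second one closed as `(com|net)`; the broad rule is one assumed reading of the keyword suggestion, and every sample body and `.example` host is constructed.

```python
import re

# Domains exactly as listed in the first message of the thread.
LISTED_DOMAINS = [
    "cool-downloads.net", "friend-card.com", "friend-card.net",
    "friend-cards.com", "friend-cards.net", "friendgreeting.com",
    "friendgreeting.net", "friend-greetings.com", "friendgreetings.com",
    "friend-greetings.net", "friendgreetings.net", "laugh-mail.com",
]

# The four per-domain patterns from the thread, transcribed from Perl /.../i
# to Python. The group in the second one is closed as (com|net).
NARROW = [re.compile(p, re.I) for p in (
    r"http://.*cool-downloads\.net",
    r"http://.*friend-cards?\.(com|net)",
    r"http://.*friend-?greetings?\.(com|net)",
    r"http://.*laugh-mail\.com",
)]

# ASSUMPTION: one possible reading of the broader suggestion in the reply.
# The body mentions "card" or "e-card" AND contains a URL whose host part
# includes laugh, friend or greeting. Nobody in the thread posted this rule.
CARD_WORD = re.compile(r"\b(?:e-?)?cards?\b", re.I)
KEYWORD_HOST = re.compile(r"http://[a-z0-9.-]*(?:laugh|friend|greeting)", re.I)

# Constructed sample: a look-alike domain that is not on the list.
NEW_DOMAIN_SAMPLE = (
    "An e-card is waiting for you: http://www.greeting-friends.example/view"
)

# Constructed benign bodies that should ideally not be tagged.
BENIGN = [
    # A URL early on the line, then a plain-text mention of a listed domain.
    "List archive http://lists.example.org/2002-11 discusses blocking friend-cards.com",
    # An unrelated site whose host happens to contain a keyword.
    "Send Mum a birthday card via http://friendsofthelibrary.example/cards",
    # Nothing card-related at all.
    "Meeting notes are at http://intranet.example/notes",
]


def narrow_hit(body):
    """True if any of the four per-domain patterns matches the body."""
    return any(p.search(body) for p in NARROW)


def broad_hit(body):
    """True if the assumed keyword rule matches the body."""
    return bool(CARD_WORD.search(body) and KEYWORD_HOST.search(body))


def evaluate():
    """Compare both approaches on listed, unlisted and benign samples."""
    listed = {
        d: f"You have received an e-card! Pick it up at http://www.{d}/"
        for d in LISTED_DOMAINS
    }
    return {
        "narrow_missed_listed": [d for d, b in listed.items() if not narrow_hit(b)],
        "broad_missed_listed": [d for d, b in listed.items() if not broad_hit(b)],
        "narrow_on_new_domain": narrow_hit(NEW_DOMAIN_SAMPLE),
        "broad_on_new_domain": broad_hit(NEW_DOMAIN_SAMPLE),
        "narrow_false_positives": [b for b in BENIGN if narrow_hit(b)],
        "broad_false_positives": [b for b in BENIGN if broad_hit(b)],
    }


if __name__ == "__main__":
    for key, value in evaluate().items():
        print(f"{key}: {value}")
```

The unanchored `.*` lets a per-domain pattern match any line that has some `http://` before a plain mention of the domain, while the keyword rule catches the unlisted look-alike but misses `cool-downloads.net` and tags the unrelated library site.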
From: steveb at CME.NIST.GOV (Steve Barber) Date: Thu Jan 12 21:16:31 2006 Subject: v4: naming Sophos homedir In-Reply-To: <5.2.0.9.2.20021122163756.089da4e8@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20021122163756.089da4e8@imap.ecs.soton.ac.uk> Message-ID: <20021122171012.GB1791@cme.nist.gov> On Fri, Nov 22, 2002 at 04:38:48PM +0000, Julian Field wrote: > At 14:41 22/11/2002, you wrote: > >Julian, > > > > Can the homedir of sophos (and maybe other virus scanners) be > >specified in mailscanner.conf, and then have the scripts: > > > >bin/Sophos.install > >lib/sophos-autoupdate > >lib/sophos-wrapper > > > >get the homedir definition from there? I keep sophos in > >/opt/sophos because /usr/local is NFS mounted. > > All of those scripts now live inside MailScanner's dir structure rather > than the virus scanner's dir, so they don't get lost when you upgrade your > virus scanner or anything like that. Julian, I think his concern was more that upgrading mailscanner was a pain because all these scripts had to be re-edited to change the path to the virus scanners. He wanted to put the path prefixes in the mailscanner config file and make these scripts use that prefix so that he only had to worry about bringing over the config file with the new mailscanner install. I have the same problem and like his suggestion. Steve From mailscanner at ecs.soton.ac.uk Fri Nov 22 17:59:00 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:31 2006 Subject: SpamAssasin 2.43/Mailscanner 3.25-1/Razor 2.21 Issues In-Reply-To: References: <5.2.0.9.2.20021122090714.041f48a0@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20021122175700.01624668@imap.ecs.soton.ac.uk> At 17:28 22/11/2002, you wrote: >Not that I can tell. If I rm -rf the Razor2 perl directories and restart >mailscanner, everything works >just fine..... Very Weird! Hopefully Version 4 of mailscanner will work! How many installations of perl have you got? You seem to have 5.8 installed in /usr/local. Have you got 5.6 elsewhere? By default, MailScanner will use /usr/bin/perl, which might not be the version in which you have installed SpamAssassin. Do /usr/bin/perl -v /usr/local/bin/perl -v and see if they produce different version numbers. Having 2 sets of perl installed causes all sorts of problems, as CPAN may use one while /usr/bin/perl points to the other one. >If you have time, maybe youc an spot something with my set up: > >Thanks! > -Allan > >[root@mailman etc]# spamassassin -V >SpamAssassin version 2.43 > >razor-agents-2.21 (Which is currently uninstalled :). 
> >[root@mailman etc]# uname -a >Linux mailman.equat.com 2.4.19 #1 SMP Thu Sep 19 12:44:18 PDT 2002 i686 >unknown > >[root@mailman etc]# locate SpamAssassin|grep -i perl >/usr/local/lib/perl5/site_perl/5.8.0/i686-linux/auto/Mail/SpamAssassin >/usr/local/lib/perl5/site_perl/5.8.0/i686-linux/auto/Mail/SpamAssassin/.packlist >/usr/local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin.pm >/usr/local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin >/usr/local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Dns.pm >/usr/local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/AutoWhitelist.pm >/usr/local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/EncappedMIME.pm >/usr/local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/EncappedMessage.pm >/usr/local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/TextCat.pm >/usr/local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Conf.pm >/usr/local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/PerMsgStatus.pm >/usr/local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Message.pm >/usr/local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/MailingList.pm >/usr/local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/PhraseFreqs.pm >/usr/local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/SHA1.pm >/usr/local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/EvalTests.pm >/usr/local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Replier.pm >/usr/local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/AuditMessage.pm >/usr/local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Reporter.pm >/usr/local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/PersistentAddrList.pm >/usr/local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Locales.pm >/usr/local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/ConfSourceSQL.pm >/usr/local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/NoMailAudit.pm >/usr/local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/DBBasedAddrList.pm >/usr/local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/ExposedMessage.pm >/usr/local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/HTML.pm > > >On Fri, 22 Nov 
2002 09:07:48 +0000, Julian Field wrote: > > >At 22:35 21/11/2002, you wrote: > >>Excellent, thats what I was hoping. Just wondering, I've just installed > >>razor, and its working fine with > >> spamassassin -t < testemail > >> > >>it shows the RAZOR2 Check. But when I restart MailScanner, I always > >>get these headers: > >> > >>X-mailscanner: Found to be clean > >>X-mailscanner-SpamCheck: not spam, > >> SpamAssassin (Absolute Line Numbers: 3 7 10 15 18 23) > > > >I've never seen that before! You haven't inadvertently got 2 copies of > >SpamAssassin installed anywhere have you? > > > > > >>Any idea? > >> > >> -Allan > >> > >>On Thu, 21 Nov 2002 09:48:56 +0000, Julian Field wrote: > >> > >> >I have added a note to 3.xx about it. However, it's likely that there > will > >> >not be another release of 3.xx (apart from security fixes). > >> > > >> >But I discovered that 4.xx suffers the same problem! So I have fixed it > >> there. > >> >The Exim code for V4 should appear very soon, it's being tested at the > >> moment. > >> > > >> >Many thanks for reporting this. > >> > > >> >At 00:17 21/11/2002, you wrote: > >> >>I'm still using 3.25-1 because I'm using exim. > >> >> > >> >>I noticed when I set the config variable "Multiple Headers" in > >> >>mailscanner.conf to: > >> >> Multiple Headers = replace > >> >> > >> >>It's not checked for spamassassin reports; it always appends them. > >> >>I would rather have it be replaced. (Like I have it set). > >> >> > >> >>I changed the sendmail.pl to reflect my change. Perhaps you guys > >> >>might want to do some if/else statements to actually use that variable. > >> >> > >> >>Keep up the good work. 
> >> >> -Allan > >> >> > >> >>On line 989, 1159, > >> >>FROM > >> >>======== > >> >> $headers = MTA::AddHeader($headers, $Config::SpamHeader, > >> >> $SpamReport->{$id}) > >> >> if $Config::IncludeSpamHeader || defined($IsSpam->{$id}); > >> >> > >> >>TO > >> >>======= > >> >> $headers = MTA::ReplaceHeader($headers, $Config::SpamHeader, > >> >> $SpamReport->{$id}) > >> >> if $Config::IncludeSpamHeader || defined($IsSpam->{$id}); > >> >> > >> >> > >> >><- Allan Rafuse -> > >> >>Systems Administrator > >> >>Equat.com Technologies > >> >>email: arafuse@equat.com > >> >>web: http://www.equat.com > >> > > >> >-- > >> >Julian Field Teaching Systems Manager > >> >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > >> >Tel. 023 8059 2817 University of Southampton > >> > Southampton SO17 1BJ > >> > > >> > > >> > > >> > >> > >><- Allan Rafuse -> > >>Systems Administrator > >>Equat.com Technologies > >>email: arafuse@equat.com > >>web: http://www.equat.com > > > >-- > >Julian Field Teaching Systems Manager > >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > >Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > > > > > > > ><- Allan Rafuse -> >Systems Administrator >Equat.com Technologies >email: arafuse@equat.com >web: http://www.equat.com > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Nov 22 18:06:58 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:31 2006 Subject: v4: naming Sophos homedir In-Reply-To: <20021122171012.GB1791@cme.nist.gov> References: <5.2.0.9.2.20021122163756.089da4e8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20021122163756.089da4e8@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20021122180142.01641120@imap.ecs.soton.ac.uk> At 17:10 22/11/2002, you wrote: >On Fri, Nov 22, 2002 at 04:38:48PM +0000, Julian Field wrote: > > At 14:41 22/11/2002, you wrote: > > >Julian, > > > > > > Can the homedir of sophos (and maybe other virus scanners) be > > >specified in mailscanner.conf, and then have the scripts: > > > > > >bin/Sophos.install > > >lib/sophos-autoupdate > > >lib/sophos-wrapper > > > > > >get the homedir definition from there? I keep sophos in > > >/opt/sophos because /usr/local is NFS mounted. > > > > All of those scripts now live inside MailScanner's dir structure rather > > than the virus scanner's dir, so they don't get lost when you upgrade your > > virus scanner or anything like that. > >Julian, I think his concern was more that upgrading mailscanner >was a pain because all these scripts had to be re-edited to >change the path to the virus scanners. He wanted to put the >path prefixes in the mailscanner config file and make these >scripts use that prefix so that he only had to worry about bringing >over the config file with the new mailscanner install. I have >the same problem and like his suggestion. So I could add a parameter to each of the wrapper scripts that is the directory in which the virus scanner was installed (in virus.scanners.conf). This is passed to each wrapper script. Should be pretty easy, except where I don't supply a wrapper script (not all of them need them). I would need to know exactly what the command should be for every scanner, which I don't have for all of them. 
I need the commands for: # command from www.command.co.uk, or # inoculate from www.cai.com/products/inoculateit.htm, or # inoculan from ftp.ca.com/getbbs/linux.eng/inoctar.LINUX.Z, or # nod32 from www.nod32.com, or # antivir from www.antivir.de, or Once I know the exact commands for all of these, I can add a simple wrapper script for them which will enable me to do the virus.scanners.conf change described above. I can't do anything until I have the info for all of these. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From evertjan at VANRAMSELAAR.NL Fri Nov 22 18:20:55 2002 From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar) Date: Thu Jan 12 21:16:31 2006 Subject: f-prot-autoupdate error In-Reply-To: <200211220805.40708.lbergman@wtxs.net> Message-ID: <001101c29253$e5ebc550$65000a0a@galaxy> > -----Original Message----- > From: Lewis Bergman > Sent: Friday, November 22, 2002 3:06 PM > Are all the f-prot files there? Maybe try reinstalling f-prot > and then run update again. If I remember correctly there is > some kind of mismatch in the md5 sums. I did a re-install of f-prot and all works fine now. Thanks for pointing this out to me. -- Evert Jan van Ramselaar Van Ramselaar Info Tech From jaearick at COLBY.EDU Fri Nov 22 18:39:01 2002 
From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:16:31 2006 Subject: v4: naming Sophos homedir In-Reply-To: <20021122171012.GB1791@cme.nist.gov> References: <5.2.0.9.2.20021122163756.089da4e8@imap.ecs.soton.ac.uk> <20021122171012.GB1791@cme.nist.gov> Message-ID: Julian, Steve is right; more configurable parameters in mailscanner.conf means less twinking with other files to get things to work when an upgrade happens. That's the idea. As for Sophos, are you saying that lib/sophos-autoupdate and lib/sophos-wrapper run the show, and the v3 era autoupdate and sophoswrapper that I had in /opt/sophos/bin can go away? I've tried lib/sophos-autoupdate; it got the new virus info, created a new directory, then didn't reset the ide link. I'm looking at why it failed. ----------------------------------- Jeff A. Earickson, Ph.D Senior UNIX Sysadmin and Email Guru Information Technology Services Colby College, 4214 Mayflower Hill, Waterville ME, 04901-8842 phone: 207-872-3659 (fax = 3076) ----------------------------------- On Fri, 22 Nov 2002, Steve Barber wrote: > Date: Fri, 22 Nov 2002 12:10:18 -0500 
> From: Steve Barber > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: v4: naming Sophos homedir > > On Fri, Nov 22, 2002 at 04:38:48PM +0000, Julian Field wrote: > > At 14:41 22/11/2002, you wrote: > > >Julian, > > > > > > Can the homedir of sophos (and maybe other virus scanners) be > > >specified in mailscanner.conf, and then have the scripts: > > > > > >bin/Sophos.install > > >lib/sophos-autoupdate > > >lib/sophos-wrapper > > > > > >get the homedir definition from there? I keep sophos in > > >/opt/sophos because /usr/local is NFS mounted. > > > > All of those scripts now live inside MailScanner's dir structure rather > > than the virus scanner's dir, so they don't get lost when you upgrade your > > virus scanner or anything like that. > > Julian, I think his concern was more that upgrading mailscanner > was a pain because all these scripts had to be re-edited to > change the path to the virus scanners. He wanted to put the > path prefixes in the mailscanner config file and make these > scripts use that prefix so that he only had to worry about bringing > over the config file with the new mailscanner install. I have > the same problem and like his suggestion. > > Steve > From mailscanner at ecs.soton.ac.uk Fri Nov 22 18:51:36 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:31 2006 Subject: v4: naming Sophos homedir In-Reply-To: References: <20021122171012.GB1791@cme.nist.gov> <5.2.0.9.2.20021122163756.089da4e8@imap.ecs.soton.ac.uk> <20021122171012.GB1791@cme.nist.gov> Message-ID: <5.2.0.9.2.20021122184754.0230f090@imap.ecs.soton.ac.uk> At 18:39 22/11/2002, you wrote: > Steve is right; more configurable parameters in mailscanner.conf >means less twinking with other files to get things to work when an >upgrade happens. That's the idea. The conf would have to go in virus.scanners.conf as it is set per scanner. One other thing: this breaks all the autoupdate scripts, as they would have to be passed the dir as well. This would mean a change to the cron job for all installed systems, which is clearly not a good idea. > As for Sophos, are you saying that lib/sophos-autoupdate and >lib/sophos-wrapper run the show, and the v3 era autoupdate and >sophoswrapper that I had in /opt/sophos/bin can go away? Yes. >I've >tried lib/sophos-autoupdate; it got the new virus info, created a >new directory, then didn't reset the ide link. I'm looking at >why it failed. It might have assumed a different installation dir. Let me know. >On Fri, 22 Nov 2002, Steve Barber wrote: > > > Date: Fri, 22 Nov 2002 12:10:18 -0500 
> > From: Steve Barber > > Reply-To: MailScanner mailing list > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: v4: naming Sophos homedir > > > > On Fri, Nov 22, 2002 at 04:38:48PM +0000, Julian Field wrote: > > > At 14:41 22/11/2002, you wrote: > > > >Julian, > > > > > > > > Can the homedir of sophos (and maybe other virus scanners) be > > > >specified in mailscanner.conf, and then have the scripts: > > > > > > > >bin/Sophos.install > > > >lib/sophos-autoupdate > > > >lib/sophos-wrapper > > > > > > > >get the homedir definition from there? I keep sophos in > > > >/opt/sophos because /usr/local is NFS mounted. > > > > > > All of those scripts now live inside MailScanner's dir structure rather > > > than the virus scanner's dir, so they don't get lost when you upgrade > your > > > virus scanner or anything like that. > > > > Julian, I think his concern was more that upgrading mailscanner > > was a pain because all these scripts had to be re-edited to > > change the path to the virus scanners. He wanted to put the > > path prefixes in the mailscanner config file and make these > > scripts use that prefix so that he only had to worry about bringing > > over the config file with the new mailscanner install. I have > > the same problem and like his suggestion. > > > > Steve > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jaearick at COLBY.EDU Fri Nov 22 18:54:32 2002 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:16:31 2006 Subject: v4 sophos-autoupdate tweak Message-ID: Julian, I would change the line in lib/sophos-autoupdate from: $IDELink = "/usr/local/Sophos/ide"; to $IDELink = "$SophosRoot/ide"; I had missed this change, which was why my symlink didn't appear. --- Jeff From mailscanner at ecs.soton.ac.uk Fri Nov 22 19:03:17 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:32 2006 Subject: v4 sophos-autoupdate tweak In-Reply-To: Message-ID: <5.2.0.9.2.20021122190259.0329cdf0@imap.ecs.soton.ac.uk> Good suggestion. Fixed in the next release. At 18:54 22/11/2002, you wrote: >Julian, > > I would change the line in lib/sophos-autoupdate from: > >$IDELink = "/usr/local/Sophos/ide"; > >to > >$IDELink = "$SophosRoot/ide"; > >I had missed this change, which was why my symlink didn't appear. > >--- Jeff -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From sean at NISD.NET Fri Nov 22 19:14:37 2002 
From: sean at NISD.NET (Sean Embry) Date: Thu Jan 12 21:16:32 2006 Subject: v4: naming Sophos homedir Message-ID:

I use this little ditty when I'm dealing with files that move around. Don't know how portable it is, and I'm sure I could use something other than awk to parse the return. Doesn't seem to be too slow.

===>8 8<====
#! /bin/sh
# gp: Get Path - gets the path name for various files to keep
# moving files around easy.

# Lookup table: one "name path" pair per line.
PATHDATA=/usr/local/lib/pathnames

if [ ! -r "$PATHDATA" ]
then
    echo "Error: Path database file $PATHDATA does not exist or cannot be read. I give up."
    exit 2
fi

if [ $# -ne 1 ]
then
    echo "Usage: gp "
    exit 1
else
    # Main loop: find the line that starts with the requested name
    gpno=`grep "^$1" "$PATHDATA"`
    gpng=$?
    if [ $gpng -ne 0 ]
    then
        # No entry for that name
        exit 1
    else
        # Second field of the matching line is the path
        echo $gpno | awk '{print $2}'
    fi
fi
====>8 8<====

>>> steveb@CME.NIST.GOV 11/22/02 11:10AM >>>
On Fri, Nov 22, 2002 at 04:38:48PM +0000, Julian Field wrote:
> At 14:41 22/11/2002, you wrote:
> >Julian,
> >
> > Can the homedir of sophos (and maybe other virus scanners) be
> >specified in mailscanner.conf, and then have the scripts:
> >
> >bin/Sophos.install
> >lib/sophos-autoupdate
> >lib/sophos-wrapper
> >
> >get the homedir definition from there? I keep sophos in
> >/opt/sophos because /usr/local is NFS mounted.
>
> All of those scripts now live inside MailScanner's dir structure rather
> than the virus scanner's dir, so they don't get lost when you upgrade your
> virus scanner or anything like that.

Julian, I think his concern was more that upgrading mailscanner was a pain because all these scripts had to be re-edited to change the path to the virus scanners. He wanted to put the path prefixes in the mailscanner config file and make these scripts use that prefix so that he only had to worry about bringing over the config file with the new mailscanner install. I have the same problem and like his suggestion.

Steve
From DEngstrom at CALAIR.COM Fri Nov 22 21:45:51 2002
From: DEngstrom at CALAIR.COM (Derek Engstrom) Date: Thu Jan 12 21:16:32 2006 Subject: configuring mailscanner/sendmail... Message-ID: <04C66F3C41502D4983B681440E7B41EC92A39A@cai_la.calair.com> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: image001.jpg Type: image/jpeg Size: 2950 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021122/c54dbaf6/image001.jpg From mailscanner at ecs.soton.ac.uk Fri Nov 22 22:32:52 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:32 2006 Subject: configuring mailscanner/sendmail... In-Reply-To: <04C66F3C41502D4983B681440E7B41EC92A39A@cai_la.calair.com> Message-ID: <5.2.0.9.2.20021122222518.030886d0@imap.ecs.soton.ac.uk> At 21:45 22/11/2002, you wrote: >I currently have a RedHat 8.0 server setup which I would like to do a >couple things... I want it to accept an email from ANY domain/user, check >to make sure its address to *@ourdomain.com, (if its not addressed to our >domain, the email is considered a spam relay and is not accepted) after it >passes that it is then scanned by anti virus scanners, and if it passes >that, its then scanned for spam, and if successfully passed those test it >is then forwarded off to our internal exchange server. > >I've already done the anti-relay portion of it, however when I telnet to >sendmail, and try to send an email through it, it says "invalid >user"... I think its still lookin on the linux box for the user rather >than just accepting it. What do I change in the config's to make it accept >email to any user at ourdomain.com?? > >Our smtp/redhat machine = 192.168.0.1 >Our exchange server = 192.168.0.2 This is a sendmail configuration question, and is not really relevant to MailScanner. MailScanner plays no part in the provision of SMTP service or deciding what addresses your server should accept and refuse, nor does it play any part in the delivery of messages to your Exchange server. A more normal setup is to not accept email for any domain/user who is not in your domain. Sendmail does this pretty much "out of the box" and you will just need to tell it to relay for your domain (/etc/mail/relay-domains on RedHat 7.1) and pass all mail to your Exchange server (a simple sendmail.mc or sendmail.cf tweak). Once you have all the mail being routed correctly, only then install MailScanner on it. 
If you have any problems installing MailScanner, feel free to contact this list (or me) for help. P.S. On a point of netiquette, you might want to consider the wisdom of including images in mail that is delivered (by this list) to a large number of recipients, when the image does not contain any content relevant to the subject of the message. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mrlynx at LAING.E-TARLAC.COM Sat Nov 23 00:44:41 2002 From: mrlynx at LAING.E-TARLAC.COM (Joseph C. Bautista -mrlynx-) Date: Thu Jan 12 21:16:32 2006 Subject: iDEFENSE Security Advisory 11.19.02b: Eudora Script Execution Vulnerability (fwd) Message-ID: Just thought of bringing this issue to everyone's attention... ---------- Forwarded message ---------- Date: Tue, 19 Nov 2002 18:07:24 -0500 
From: David Endler
To: bugtraq@securityfocus.com
Subject: iDEFENSE Security Advisory 11.19.02b: Eudora Script Execution Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 11.19.02b:
http://www.idefense.com/advisory/11.19.02b.txt
Eudora Script Execution Vulnerability
November 19, 2002

I. BACKGROUND

Qualcomm Inc.'s Eudora is a graphical e-mail client for Windows and Macintosh. More information about it is available at http://www.eudora.com .

II. DESCRIPTION

Remote exploitation of a weakness in Eudora could allow for the potential retrieval of sensitive information from a targeted Eudora user's computer. Eudora saves e-mail attachments in a predictable location. Exploitation works as such: an attacker sends an e-mail to a Eudora user that directs him to a specific URL; the e-mail also contains an HTML-enabled e-mail attachment that contains scripting code. If the user is socially engineered into clicking on the link, then a frames page can load the attachment in one of its frames. The attachment can then retrieve (within the security settings of the local zone) the content of any local file, and transmit it back to the attacker. The attack script, in turn, can retrieve the contents of any local file and transmit it back to the attacker. Since the issue is simple to exploit, and the issue has still not been addressed, a sample attack script is not included in this advisory.

III. ANALYSIS

Exploitation could lead to further compromise if the attacker is able to retrieve sensitive files such as the Windows SAM table. It is also possible for the attacker to obtain other confidential information. A secure implementation would involve using a random string within the directory structure to prevent this class of attacks (e.g. Mozilla e-mail client, etc.).

IV. DETECTION

Eudora 5.1.1 and 5.2 are confirmed to be vulnerable; other versions may be affected as well.
To determine susceptibility, send an e-mail with an attachment to a test Eudora user. Check if Eudora stores it in the C:\Program Files\Qualcomm\Eudora\attach\ directory (assuming a default installation).

V. WORKAROUND

Change the default location where Eudora stores e-mail attachments.

VI. VENDOR RESPONSE

A Eudora Tech Support Specialist provided the following response (from head Eudora developer): "In rare circumstances, certain ill-formatted MIME boundaries can cause Eudora to crash. It is exceedingly unlikely that this problem could be exploited to undermine security. The problem will be fixed in the next release of Eudora."

[iDEFENSE note: The response does not address the security implications of this advisory. Two attempts were made to change or clarify Qualcomm's response; all to no avail.]

VII. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project assigned the identification number CAN-2002-1210 to this issue.

VIII. DISCLOSURE TIMELINE

09/12/2002 Issue disclosed to iDEFENSE
10/14/2002 Qualcomm notified (eudora-custserv@eudora.com)
10/14/2002 iDEFENSE clients notified
10/15/2002 Autoresponse received
10/31/2002 Second attempt at contact
11/07/2002 Third attempt at contact
11/08/2002 Vendor response from J. Michael L. (mlreply@qualcomm.com)
11/10/2002 Clarification request of Vendor Response from iDEFENSE
11/11/2002 Same response from J. Michael L. (mlreply@qualcomm.com)
11/12/2002 Second clarification request of Vendor Response from iDEFENSE
11/19/2002 Still no reply for vendor clarification of response
11/19/2002 Public disclosure

IX. CREDIT

Bennett Haselton (bennett@peacefire.org) discovered this vulnerability.

Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories: send email to listserv@idefense.com, subject line: "subscribe"

About iDEFENSE: iDEFENSE is a global security intelligence company that proactively monitors sources throughout the world -
from technical vulnerabilities and hacker profiling to the global spread of viruses and other malicious code. Our security intelligence services provide decision-makers, frontline security professionals and network administrators with timely access to actionable intelligence and decision support on cyber-related threats. For more information, visit http://www.idefense.com. - -dave David Endler, CISSP Director, Technical Intelligence iDEFENSE, Inc. 14151 Newbrook Drive Suite 100 Chantilly, VA 20151 voice: 703-344-2632 fax: 703-961-1071 dendler@idefense.com www.idefense.com -----BEGIN PGP SIGNATURE----- Version: PGP 7.1.2 Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A iQA/AwUBPdrDkkrdNYRLCswqEQJc7QCfSGedu5O28cnm78OE1J1y9LBRwmsAoImw bNiGiW0ruhVfLb/5Ek3s8tIg =/ojw -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by e-Tarlac e-Mail Virus Scanner, and is believed to be clean. From josephl at NU-WORLD.COM Sat Nov 23 02:50:04 2002
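The remedy named in the advisory's analysis, a random string in the attachment directory path, sketched as an added example; it is not code from the advisory, iDEFENSE or Eudora. The function names, the `attach-<hex>` naming and the per-profile layout are assumptions made for illustration.

```python
import os
import re
import secrets
import tempfile

# Hypothetical naming scheme: "attach-" plus 128 random bits in hex.
_RANDOM_DIR = re.compile(r"attach-[0-9a-f]{32}\Z")


def predictable_attach_dir(install_root):
    """The layout the advisory describes: identical on every default install."""
    return os.path.join(install_root, "attach")


def randomized_attach_dir(profile_root):
    """Return this profile's attachment directory, creating it on first use.

    The directory name carries a random component, so a remote page cannot
    derive the local path of a saved attachment from the install location.
    """
    for entry in sorted(os.listdir(profile_root)):
        full = os.path.join(profile_root, entry)
        if _RANDOM_DIR.match(entry) and os.path.isdir(full):
            return full  # reuse the directory created earlier
    full = os.path.join(profile_root, "attach-" + secrets.token_hex(16))
    os.mkdir(full, 0o700)  # readable by the owning user only
    return full


def save_attachment(attach_dir, suggested_name, data):
    """Store an attachment under attach_dir and return the path written.

    Only the final path component of the sender-supplied name is kept, and
    the file is created exclusively so an existing file is never replaced.
    """
    name = suggested_name.replace("\\", "/").split("/")[-1]
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name).lstrip(".") or "attachment"
    stem, ext = os.path.splitext(name)
    for n in range(1000):
        candidate = name if n == 0 else "%s-%d%s" % (stem, n, ext)
        path = os.path.join(attach_dir, candidate)
        try:
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        except FileExistsError:
            continue  # name taken: try the next numbered variant
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return path
    raise RuntimeError("too many attachments named %r" % name)


if __name__ == "__main__":
    # Constructed demonstration in a throwaway directory.
    with tempfile.TemporaryDirectory() as profile:
        print("predictable:", predictable_attach_dir(profile))
        target = randomized_attach_dir(profile)
        print("randomized: ", save_attachment(target, "card.html", b"<html></html>"))
```

A random directory name protects only while it stays unknown to the sender, so it should not be exposed in anything a remote page can read.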
From: josephl at NU-WORLD.COM (Joseph Lundgren) Date: Thu Jan 12 21:16:32 2006 Subject: FW: String found where operator expected Message-ID: <056a01c2929b$06c90a20$1b05b642@blackhole> > Greetings! > > Recently, I've begun to have problems with MailScanner 4.05-3 running > on perl 5.005_03 built for i386-bsdos(BSD/OS 4.3) using > SpamAssassin-2.43. We're using ClamAV as our virus scanner. This > behavior happens on my existing installation of MailScanner 4.05(??) > and on a brand new fresh install of MailScanner 4.05-3 on a new, fresh > installation of BSD/OS 4.3. > > > Whenever I start up /opt/MailScanner/bin/check_mailscanner I get the > following output: > > Starting virus scanner... > String found where operator expected at (eval 65) line 1, near > "&__FILE__ ":"" > (Missing operator before ":"?) > > > I then get several (hundreds) of the following errors logged to the > terminal: > > RBL Checks failed with real error: Can't use an undefined value as a > symbol reference at /opt/MailScanner/bin/MailScanner/RBLs.pm line 159, > chunk 28. > at /opt/MailScanner/bin/MailScanner/RBLs.pm line 184 > Can't use an undefined value as a symbol reference at > /opt/MailScanner/bin/MailScanner/RBLs.pm line 98, chunk 28. > > RBL Checks failed with real error: Can't use an undefined value as a > symbol reference at /opt/MailScanner/bin/MailScanner/RBLs.pm line 159, > chunk 28. > at /opt/MailScanner/bin/MailScanner/RBLs.pm line 184 > Can't use an undefined value as a symbol reference at > /opt/MailScanner/bin/MailScanner/RBLs.pm line 98, chunk 28. > > RBL Checks failed with real error: Can't use an undefined value as a > symbol reference at /opt/MailScanner/bin/MailScanner/RBLs.pm line 159, > chunk 28. > at /opt/MailScanner/bin/MailScanner/RBLs.pm line 184 > Can't use an undefined value as a symbol reference at > /opt/MailScanner/bin/MailScanner/RBLs.pm line 98, chunk 28. 
> > > ######### Line 159 ######### > eval { > ---->>>> close($writerfh); <<<<---- line 159 > local $SIG{ALRM} = sub { die "Command Timed Out" }; > alarm MailScanner::Config::Value('spamlisttimeout'); > # Read the list of matching RBL's printed by the child > while(<$readerfh>) { > ######### Line 159 ######### > > > ######### Line 184 ######### > # Catch failures other than the alarm > ---->>>> MailScanner::Log::DieLog("RBL Checks failed with real error: > $@") <<<<---- line 184 > if $@ and $@ !~ /Command Timed Out/; > ######### Line 184 ######### > > > ######### Line 98 ######### > if ($pid == 0) { > # In the child > my($IsSpam, $RBLEntry); > ---->>>> close($readerfh); <<<<---- line 98 > POSIX::setsid(); > ######### Line 98 ######### > > > > Please help!! I have no idea what caused this problem. I have tried > to disable all RBL behavior, both in MailScanner, and in SpamAssassin, > but the errors persist. Do any of you have an idea what might be > causing such a thing? > > > > > Joseph Lundgren > System Administrator > josephl@nu-world.com > Nu-World Communications > http://www.nu-world.com > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021122/174c8e63/attachment.html From mailscanner at ecs.soton.ac.uk Sat Nov 23 10:15:50 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:32 2006 Subject: FW: String found where operator expected In-Reply-To: <056a01c2929b$06c90a20$1b05b642@blackhole> Message-ID: <5.2.0.9.2.20021123101109.022890b0@imap.ecs.soton.ac.uk> At 02:50 23/11/2002, you wrote: >Recently, I've begun to have problems with MailScanner 4.05-3 running on >perl 5.005_03 built for i386-bsdos(BSD/OS 4.3) using SpamAssassin-2.43. >We're using ClamAV as our virus scanner. This behavior happens on my >existing installation of MailScanner 4.05(??) and on a brand new fresh >install of MailScanner 4.05-3 on a new, fresh installation of BSD/OS 4.3. > >Whenever I start up /opt/MailScanner/bin/check_mailscanner I get the >following output: > >Starting virus scanner... >String found where operator expected at (eval 65) line 1, near "&__FILE__ >":"" > (Missing operator before ":"?) I think it is failing to compile your "FileHandle" module. Try fetching the latest version of FileHandle from http://search.cpan.org/author/JHI/perl-5.8.0/lib/FileHandle.pm and you may need to update your IO modules as well. I've re-written this for 4.06. I will mail you 4.06 to try out, I would be very interested to hear if it solves this problem for you. Perl 5.005_03 is the absolute earliest version of Perl I support, so if you can easily upgrade to 5.6.1 or 5.8.0 it would probably help too. >I then get several (hundreds) of the following errors logged to the terminal: > >RBL Checks failed with real error: Can't use an undefined value as a >symbol reference at /opt/MailScanner/bin/MailScanner/RBLs.pm line 159, > chunk 28. > > at /opt/MailScanner/bin/MailScanner/RBLs.pm line 184 >Can't use an undefined value as a symbol reference at >/opt/MailScanner/bin/MailScanner/RBLs.pm line 98, chunk 28. > >RBL Checks failed with real error: Can't use an undefined value as a >symbol reference at /opt/MailScanner/bin/MailScanner/RBLs.pm line 159, > chunk 28. 
> > at /opt/MailScanner/bin/MailScanner/RBLs.pm line 184 >Can't use an undefined value as a symbol reference at >/opt/MailScanner/bin/MailScanner/RBLs.pm line 98, chunk 28. > >RBL Checks failed with real error: Can't use an undefined value as a >symbol reference at /opt/MailScanner/bin/MailScanner/RBLs.pm line 159, > chunk 28. > > at /opt/MailScanner/bin/MailScanner/RBLs.pm line 184 >Can't use an undefined value as a symbol reference at >/opt/MailScanner/bin/MailScanner/RBLs.pm line 98, chunk 28. > >######### Line 159 ######### > eval { >---->>>> close($writerfh); <<<<---- line 159 > local $SIG{ALRM} = sub { die "Command Timed Out" }; > alarm MailScanner::Config::Value('spamlisttimeout'); > # Read the list of matching RBL's printed by the child > while(<$readerfh>) { >######### Line 159 ######### > >######### Line 184 ######### > # Catch failures other than the alarm >---->>>> MailScanner::Log::DieLog("RBL Checks failed with real error: >$@") <<<<---- line 184 > if $@ and $@ !~ /Command Timed Out/; >######### Line 184 ######### > >######### Line 98 ######### > if ($pid == 0) { > # In the child > my($IsSpam, $RBLEntry); >---->>>> close($readerfh); <<<<---- line 98 > POSIX::setsid(); >######### Line 98 ######### > > >Please help!! I have no idea what caused this problem. I have tried to >disable all RBL behavior, both in MailScanner, and in SpamAssassin, but >the errors persist. Do any of you have an idea what might be causing such >a thing? > > > >Joseph Lundgren >System Administrator >josephl@nu-world.com >Nu-World Communications >http://www.nu-world.com -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at BARENDSE.TO Sat Nov 23 16:37:17 2002 
From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:16:32 2006 Subject: Friend Greetings expanding In-Reply-To: Message-ID:

The regexp I use in my filtering proxy (DansGuardian) is this:

(^|[-\?+=/_])(laugh|greeting|friend)?(card|e-card|mail)s?([-\?+=/_]|$)

This would indeed also block any web or news pages that report about it, but then again my users don't need to know about it as it's blocked now anyways :)

And for the people that also use sendmail rules to block these buggers, I'd recommend that they add:

you.have.a.funny.card.from

also to the list, this is the subject line from the 'laugh' mail from the same makers (I'm not amused with their laugh mails :) )

It's great to see all those dropped and rejected messages in your logfiles :)

Remco

On Fri, 22 Nov 2002, Damian Mendoza wrote:

> What does your regexp expression look like?
>
> Thanks,
>
> Damian
>
> -----Original Message-----
> From: Remco Barendse [mailto:mailscanner@BARENDSE.TO]
> Sent: Friday, November 22, 2002 8:49 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Friend Greetings expanding
>
>
> wouldn't it be better to create a regexp that combines
> `e-card' or 'card' with any of the following 'laugh' and 'friend' and
> 'greeting'?
>
> Judging by the 'success' of their work method (every not all too clever
> user will install their crap) I think we will see loads of new domain
> names fairly soon.
>
> I found the same list on the mcafee site, and blocked all those sites in
> my web proxy as well combined with a regexp as described above.
>
>
> On Fri, 22 Nov 2002, Denis Beauchemin wrote:
>
> > Hello,
> >
> > The following domain names have all been registered by the nice company
> > that brought the Friend Greeting to us:
> >
> > cool-downloads.net
> > friend-card.com
> > friend-card.net
> > friend-cards.com
> > friend-cards.net
> > friendgreeting.com
> > friendgreeting.net
> > friend-greetings.com
> > friendgreetings.com
> > friend-greetings.net
> > friendgreetings.net
> > laugh-mail.com
> >
> >
> > I suggest we all add them to some high scoring SpamAssassin rules such
> > as:
> >
> > describe FRIEND_GREETINGS Nasty E-card from FriendGreetings.com
> > full FRIEND_GREETINGS /www\.friend-?greetings?\.com\./i
> > score FRIEND_GREETINGS 100.0
> >
> > using the following regex:
> > /http:\/\/.*cool-downloads\.net/i
> > /http:\/\/.*friend-cards?\.(com|net)/i
> > /http:\/\/.*friend-?greetings?\.(com|net)/i
> > /http:\/\/.*laugh-mail\.com/i
> >
> > Denis
> >
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
From andersan at LTKALMAR.SE Sat Nov 23 19:54:37 2002
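An added example, not part of any post in this thread: a small harness that checks the patterns quoted above against the domain list from the thread and a few constructed benign URLs. Each pattern is applied as a plain case-insensitive regex search over the whole URL, which is an assumption (the proxy's and SpamAssassin's own matching is not modelled), and the friend-card pattern is written with its group closed.

```python
import re

# Domains listed in the thread as registered by the Friend Greetings company.
DOMAINS = [
    "cool-downloads.net", "friend-card.com", "friend-card.net",
    "friend-cards.com", "friend-cards.net", "friendgreeting.com",
    "friendgreeting.net", "friend-greetings.com", "friendgreetings.com",
    "friend-greetings.net", "friendgreetings.net", "laugh-mail.com",
]

# The four URL patterns suggested for SpamAssassin rules.
URL_PATTERNS = [re.compile(p, re.I) for p in (
    r"http://.*cool-downloads\.net",
    r"http://.*friend-cards?\.(com|net)",
    r"http://.*friend-?greetings?\.(com|net)",
    r"http://.*laugh-mail\.com",
)]

# The word-combination pattern quoted for the filtering proxy.
PROXY_PATTERN = re.compile(
    r"(^|[-\?+=/_])(laugh|greeting|friend)?(card|e-card|mail)s?([-\?+=/_]|$)",
    re.I,
)

# Constructed benign URLs (not taken from the thread).
BENIGN = [
    "http://webmail.example.org/mail/inbox",
    "http://shop.example.org/gift-cards/",
    "http://news.example.org/story?id=42",
    "http://www.example.org/postcards.html",
]


def url_rules_hit(url):
    """True if any of the four URL patterns matches."""
    return any(p.search(url) for p in URL_PATTERNS)


def proxy_rule_hit(url):
    """True if the word-combination pattern matches."""
    return PROXY_PATTERN.search(url) is not None


def evaluate(matcher):
    """Return (listed domains the matcher misses, benign URLs it flags)."""
    missed = [d for d in DOMAINS if not matcher("http://www.%s/" % d)]
    flagged = [u for u in BENIGN if matcher(u)]
    return missed, flagged


if __name__ == "__main__":
    for label, matcher in (("URL patterns", url_rules_hit),
                           ("word pattern", proxy_rule_hit)):
        missed, flagged = evaluate(matcher)
        print("%s: %d of %d listed domains matched" %
              (label, len(DOMAINS) - len(missed), len(DOMAINS)))
        for d in missed:
            print("  missed :", d)
        for u in flagged:
            print("  flagged:", u)
```

Under these assumptions the four URL patterns match every listed host and none of the benign samples. The word-combination pattern matches none of the `http://www.<domain>/` forms, because `.` is not in its delimiter class, and it flags the `/mail/` and `gift-cards/` paths.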
From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:16:32 2006 Subject: SV: How do I get MailScanner to pass Spamassassin Headers through ? Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263ECC9@lkl22.ltkalmar.se> Anyone got this saved somewhere. Trying to figure out how to filter in outlook /Anders > -----Original Message----- > From: Peter Peters [mailto:P.G.M.Peters@CIV.UTWENTE.NL] > Sent: 7 August 2002 15:15 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: How do I get MailScanner to pass Spamassassin > Headers through > ? > > > On Wed, 7 Aug 2002 08:44:06 -0400, you wrote: > > > Outlook is not particularly good at parsing headers to make > >filtering decisions. > > I have made something to help our people install filters in > outlook. You > should be able to view it also on > http://home.student.utwente.nl/p.g.m.peters/outlookrule_viewlet.html > > -- > Peter Peters > senior network administrator, Centrum voor Informatievoorziening, > Universiteit Twente, Postbus 217, 7500 AE Enschede > telephone: +31 53 489 2301, fax:+31 53 489 2383, > http://www.utwente.nl/civ > From mailscanner at ecs.soton.ac.uk Sat Nov 23 20:58:49 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:32 2006 Subject: Virus magnet Message-ID: <5.2.0.9.2.20021123205659.037f7f50@imap.ecs.soton.ac.uk> The good news: Since we started using MailScanner in our department, it has blocked over 37,000 viruses. The bad news: 1 in 6 of those viruses were addressed to me. (There are 1,800 people in our dept) Hmmm..... -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jim at ENTROPHY-FREE.NET Sat Nov 23 21:27:18 2002
From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:16:32 2006 Subject: Virus magnet In-Reply-To: <5.2.0.9.2.20021123205659.037f7f50@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20021123205659.037f7f50@imap.ecs.soton.ac.uk> Message-ID: <1038086839.1138.1.camel@wilowisp.dynetics.com> On Sat, 2002-11-23 at 14:58, Julian Field wrote: > The good news: Since we started using MailScanner in our department, it has > blocked over 37,000 viruses. > > The bad news: 1 in 6 of those viruses were addressed to me. (There are > 1,800 people in our dept) > > Hmmm..... > -- I'll bet the majority are W32 variants, which probably just means that your address is in a lot of Out-of-Luck addressbooks. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= The instructions said to use Windows 98 or better, so I installed RedHat Jim Levie email: jim@entrophy-free.net From gavin at NETERGY.COM Sat Nov 23 22:43:52 2002 From: gavin at NETERGY.COM (Gavin Nelmes-Crocker) Date: Thu Jan 12 21:16:32 2006 Subject: How do I get MailScanner to pass Spamassassin Headers through ? In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263ECC9@lkl22.ltkalmar.se> Message-ID: Well, a quick play with Google brought this back from their cache - it looks as though there is a java applet loading or something. I'm on a very slow connection tonight so I haven't waited, but give it a try: http://216.239.51.100/search?q=cache:zpWroZFNVtUC:home.student.utwente.nl/p.g.m.peters/outlookrule_viewlet.html+outlookrule_viewlet.html&hl=en&ie=UTF-8 regards Gavin > -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Anders Andersson, IT > Sent: 23 November 2002 19:55 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: SV: How do I get MailScanner to pass Spamassassin Headers > through ? > > > Anyone got this saved somewhere. > Trying to figure out how to filter in outlook > > /Anders > > > -----Original Message----- > > From: Peter Peters [mailto:P.G.M.Peters@CIV.UTWENTE.NL] > > Sent: 7 August 2002 15:15 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: How do I get MailScanner to pass Spamassassin > > Headers through > > ? > > > > > > On Wed, 7 Aug 2002 08:44:06 -0400, you wrote: > > > > > Outlook is not particularly good at parsing headers to make > > >filtering decisions. > > > > I have made something to help our people install filters in > > outlook. You > > should be able to view it also on > > http://home.student.utwente.nl/p.g.m.peters/outlookrule_viewlet.html > > > > -- > > Peter Peters > > senior network administrator, Centrum voor Informatievoorziening, > > Universiteit Twente, Postbus 217, 7500 AE Enschede > > telephone: +31 53 489 2301, fax:+31 53 489 2383, > > http://www.utwente.nl/civ > > > From Jan-Peter.Koopmann at SECEIDOS.DE Sun Nov 24 11:47:37 2002 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:16:32 2006 Subject: How do I get MailScanner to pass Spamassassin Headers through ? Message-ID: <4E7026FF8A422749B1553FE508E00680053DC2@message.intern.akctech.de> Hi, Julian is implementing some changes to the headers that will make the life of all Outlook users quite a bit easier. Wait for the next version. Regards, JP > -----Original Message-----
> From: Anders Andersson, IT [mailto:andersan@LTKALMAR.SE] > Sent: Saturday, November 23, 2002 8:55 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: SV: How do I get MailScanner to pass Spamassassin > Headers through ? > > > Anyone got this saved somewhere. > Trying to figure out how to filter in outlook > > /Anders > > > -----Original Message----- > > From: Peter Peters [mailto:P.G.M.Peters@CIV.UTWENTE.NL] > > Sent: 7 August 2002 15:15 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: How do I get MailScanner to pass Spamassassin > > Headers through > > ? > > > > > > On Wed, 7 Aug 2002 08:44:06 -0400, you wrote: > > > > > Outlook is not particularly good at parsing headers to make > > >filtering decisions. > > > > I have made something to help our people install filters in > > outlook. You > > should be able to view it also on > > http://home.student.utwente.nl/p.g.m.peters/outlookrule_viewlet.html > > > > -- > > Peter Peters > > senior network administrator, Centrum voor Informatievoorziening, > > Universiteit Twente, Postbus 217, 7500 AE Enschede > > telephone: +31 53 489 2301, fax:+31 53 489 2383, > > http://www.utwente.nl/civ > > > From andersan at LTKALMAR.SE Sun Nov 24 12:34:09 2002
From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:16:32 2006 Subject: SV: How do I get MailScanner to pass Spamassassin Headers through ? Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263ECCC@lkl22.ltkalmar.se> > From: Jan-Peter Koopmann [mailto:Jan-Peter.Koopmann@SECEIDOS.DE] > Sent: 24 November 2002 12:48 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: How do I get MailScanner to pass Spamassassin > Headers through > ? > > > Hi, > > Julian is implementing some changes to the headers that will > make the life of all Outlook users quite a bit easier. Wait > for the next version. > > Regards, > JP Well, I guess I can do that but I really wanna figure this one out before. Mostly to be able to filter and make manuals for the users. I've done it once but I can't figure it out again.... maybe I'm getting old :) > > > -----Original Message-----
> > From: Anders Andersson, IT [mailto:andersan@LTKALMAR.SE] > > Sent: Saturday, November 23, 2002 8:55 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: SV: How do I get MailScanner to pass Spamassassin > > Headers through ? > > > > > > Anyone got this saved somewhere. > > Trying to figure out how to filter in outlook > > > > /Anders > > > > > -----Original Message----- > > > From: Peter Peters [mailto:P.G.M.Peters@CIV.UTWENTE.NL] > > > Sent: 7 August 2002 15:15 > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: How do I get MailScanner to pass Spamassassin > > > Headers through > > > ? > > > > > > > > > On Wed, 7 Aug 2002 08:44:06 -0400, you wrote: > > > > > > > Outlook is not particularly good at parsing headers to make > > > >filtering decisions. > > > > > > I have made something to help our people install filters in > > > outlook. You > > > should be able to view it also on > > > http://home.student.utwente.nl/p.g.m.peters/outlookrule_viewlet.html > > > > -- > > Peter Peters > > senior network administrator, Centrum voor Informatievoorziening, > > Universiteit Twente, Postbus 217, 7500 AE Enschede > > telephone: +31 53 489 2301, fax:+31 53 489 2383, > > http://www.utwente.nl/civ > > > From mailscanner at ecs.soton.ac.uk Sun Nov 24 13:10:12 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:32 2006 Subject: SV: How do I get MailScanner to pass Spamassassin Headers through ? In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263ECCC@lkl22.ltkalmar.se > Message-ID: <5.2.0.9.2.20021124130651.03215e38@imap.ecs.soton.ac.uk> At 12:34 24/11/2002, you wrote: > > Fr?n: Jan-Peter Koopmann [mailto:Jan-Peter.Koopmann@SECEIDOS.DE] > > Skickat: den 24 november 2002 12:48 > > Till: MAILSCANNER@JISCMAIL.AC.UK > > ?mne: Re: How do I get MailScanner to pass Spamassassin > > Headers through > > ? > > > > Julian is implementing some changes to the headers that will > > make the life of all Outlook users quite a bit easier. Wait > > for the next version. > > > > Regards, > > JP > >Well, I guess I can do that but I really wanna figure this one out >before. Mostly to be able to filter and make manuales for the users. >I done it once but I cant figure it out agin.... maybe Im getting old :) I hope the next version won't be long now, just some testing that's being done by a couple of people for me. The change you are talking about is that the "SpamCheck" header will always start with "spam" or "not spam". And can we have a 1 minute silence for all the poor sysadmins at utwente.nl. It's one of the worst nightmares for all of us. > > > -----Original Message----- 
> > > From: Anders Andersson, IT [mailto:andersan@LTKALMAR.SE] > > > Sent: Saturday, November 23, 2002 8:55 PM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: SV: How do I get MailScanner to pass Spamassassin > > > Headers through ? > > > > > > > > > Anyone got this saved somewhere. > > > Trying to figure out how to filter in outlook > > > > > > /Anders > > > > > > > -----Ursprungligt meddelande----- > > > > Fr?n: Peter Peters [mailto:P.G.M.Peters@CIV.UTWENTE.NL] > > > > Skickat: den 7 augusti 2002 15:15 > > > > Till: MAILSCANNER@JISCMAIL.AC.UK > > > > ?mne: Re: How do I get MailScanner to pass Spamassassin > > > > Headers through > > > > ? > > > > > > > > > > > > On Wed, 7 Aug 2002 08:44:06 -0400, you wrote: > > > > > > > > > Outlook is not particularly good at parsing headers to make > > > > >filtering decisions. > > > > > > > > I have made something to help our people install filters in > > > > outlook. You > > > > should be able to view it also on > > > > >http://home.student.utwente.nl/p.g.m.peters/outlookrule_viewlet.html > > > > > > -- > > > Peter Peters > > > senior netwerkbeheerder, Centrum voor Informatievoorziening, > > > Universiteit Twente, Postbus 217, 7500 AE Enschede > > > telefoon: +31 53 489 2301, fax:+31 53 489 2383, > > > http://www.utwente.nl/civ > > > > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From andersan at LTKALMAR.SE Sun Nov 24 13:28:00 2002 
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:16:32 2006
Subject: How to make rules work
Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263ECCE@lkl22.ltkalmar.se>

Hi

I can finally say I got my new servers up and running (thanks Julian & crew).
I still have small changes to make, like figure out what RBL to use etc.
Some are sendmail things but that's not for you to bother with... and yes Julian,
I will add myself to the list asap everything is finished :)

OK, this was my idea I can't figure out how to do.

I want all reports sent when mail comes from local network and of course with
my Swedish translation.
I also want to send certain report to off-site ppl if they come from *.se
The rest I will just send to /dev/null

Same goes for filetypes, certain domains could send us files and the rest not
or some ppl are allowed to accept *.exe i.e. technical workers.

I've looked at samples but I'm kinda lost what's the best way to get this to work.
Looking at mailscanner.conf lets me switch to rules instead but how to write
a rule to use different messages?

regards

/Anders

Thanks again to Julian and crew :)

From mailscanner at ecs.soton.ac.uk Sun Nov 24 14:01:05 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:32 2006
Subject: How to make rules work
In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263ECCE@lkl22.ltkalmar.se>
Message-ID: <5.2.0.9.2.20021124135028.01fcf700@imap.ecs.soton.ac.uk>

At 13:28 24/11/2002, you wrote:
>I want all reports sent when mail comes from local network and of course with
>my Swedish translation.
>I also want to send certain report to off-site ppl if they come from *.se
>The rest I will just send to /dev/null

There are 2 parts to this:
1) What report should be sent to who
2) Who should get a report at all

1) Make each of the report files in MailScanner.conf a *.rules file
instead, containing something along these lines:

    From:     lktalmar.se   /etc/MailScanner/reports/se/foobar.txt
    From:     *@*.se        /etc/MailScanner/reports/se/other.txt
    FromOrTo: default       /dev/null

For each one, it will use the file found by the first matching rule.

2) To actually control whether the senders are warned at all, use a ruleset
for the "Warn Senders" switch, that contains something like

    From:     lktalmar.se   yes
    FromOrTo: *@*.se        yes
    FromOrTo: default       no

>Same goes for filetypes, certain domains could send us files and the rest
>not
>or some ppl are allowed to accept *.exe i.e. technical workers.

    To:       sysadmin1@lktalmar.se   /etc/MailScanner/allowallfilename.rules.conf
    From:     friendlydomain.com      /etc/MailScanner/allowallfilename.rules.conf
    FromOrTo: default                 /etc/MailScanner/filename.rules.conf

then allowallfilename.rules.conf could just contain

    allow $ - -

The filename.rules.conf files "add together" so the result used for 1
message is the filename.rules.conf files that result from all matching
rules, strung together.

The "default" filename.rules.conf file is only used when none of the rules
match.

>Looking at mailscanner.conf lets me switch to rules instead but how to write
>
>a rule to use different messages?
>
>regards
>
>/Anders
>
>Thanks again to Julian and crew :)

Nick (the other bit of the crew) sends his gratitude :-)
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From andersan at LTKALMAR.SE Sun Nov 24 14:39:39 2002
From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:16:32 2006 Subject: SV: How to make rules work Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263ECCF@lkl22.ltkalmar.se> Exactly what I wanted, my thoughts where close but I wanted proof.... now I just need to make sure I get the text in letters the we sweds can read..... :) Thanks Julian > -----Ursprungligt meddelande----- > Fr?n: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Skickat: den 24 november 2002 15:01 > Till: MAILSCANNER@JISCMAIL.AC.UK > ?mne: Re: How to make rules work > > > At 13:28 24/11/2002, you wrote: > >I want all reports sent when mail come from local network > and of course with > >my swedish translation. > >I allso want to send certain report to of site ppl if they > come from *.se > >The rest I will just send to /dev/null > > There are 2 parts to this: > 1) What report should be sent to who > 2) Who should get a report at all > > 1) Make each of the report files in MailScanner.conf a *.rules file > instead, containing something along these lines: > From: lktalmar.se /etc/MailScanner/reports/se/foobar.txt > From: *@*.se /etc/MailScanner/reports/se/other.txt > FromOrTo: default /dev/null > > For each one, it will use the file found by the first matching rule. > > 2) To actually control whether the senders are warned at all, > use a ruleset > for the "Warn Senders" switch, that contains something like > From: lktalmar.se yes > FromOrTo: *@*.se yes > FromOrTo: default no > > >Same goes for filetypes, certain domains could send us files > and the rest > >not > >or some ppl are allowed to accept *.exe ie. technical workers. > > To: sysadmin1@lktalmar.se > /etc/MailScanner/allowallfilename.rules.conf 
> From: friendlydomain.com > /etc/MailScanner/allowallfilename.rules.conf > FromOrTo: default > /etc/MailScanner/filename.rules.conf > > then allowallfilename.rules.conf could just contain > allow $ - - > > The filename.rules.conf files "add together" so the result used for 1 > message is the filename.rules.conf files that result from all matching > rules, strung together. > > The "default" filename.rules.conf file is only used when none > of the rules > match. > > >Looking at mailscanner.conf lets me switch to rules instead > but how to write > > > >a rule to use different messages? > > > >regards > > > >/Anders > > > >Thanks again to Julian and crew :) > > Nick (the other bit of the crew) sends his gratitude :-) > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From andersan at LTKALMAR.SE Sun Nov 24 15:02:35 2002 From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:16:32 2006 Subject: SV: How to make rules work Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263ECD0@lkl22.ltkalmar.se> > -----Ursprungligt meddelande----- > Fr?n: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Skickat: den 24 november 2002 15:01 > Till: MAILSCANNER@JISCMAIL.AC.UK > ?mne: Re: How to make rules work > > > At 13:28 24/11/2002, you wrote: > >I want all reports sent when mail come from local network > and of course with > >my swedish translation. > >I allso want to send certain report to of site ppl if they > come from *.se > >The rest I will just send to /dev/null > > There are 2 parts to this: > 1) What report should be sent to who > 2) Who should get a report at all > > 1) Make each of the report files in MailScanner.conf a *.rules file > instead, containing something along these lines: > From: lktalmar.se /etc/MailScanner/reports/se/foobar.txt 
> From: *@*.se /etc/MailScanner/reports/se/other.txt > FromOrTo: default /dev/null > > For each one, it will use the file found by the first matching rule. > > 2) To actually control whether the senders are warned at all, > use a ruleset > for the "Warn Senders" switch, that contains something like > From: lktalmar.se yes > FromOrTo: *@*.se yes > FromOrTo: default no > > >Same goes for filetypes, certain domains could send us files > and the rest > >not > >or some ppl are allowed to accept *.exe ie. technical workers. Hmm, just a thought. Easier to maintain a separate file since this will only apply to technical person at work? Is it possible to use this kind of rule: To: /etc/MaiScanner/users.txt /etc/MailScanner/allow.filenames.rules.conf > > To: sysadmin1@lktalmar.se > /etc/MailScanner/allowallfilename.rules.conf > From: friendlydomain.com > /etc/MailScanner/allowallfilename.rules.conf > FromOrTo: default > /etc/MailScanner/filename.rules.conf > > then allowallfilename.rules.conf could just contain > allow $ - - > > The filename.rules.conf files "add together" so the result used for 1 > message is the filename.rules.conf files that result from all matching > rules, strung together. > > The "default" filename.rules.conf file is only used when none > of the rules > match. > > >Looking at mailscanner.conf lets me switch to rules instead > but how to write > > > >a rule to use different messages? > > > >regards > > > >/Anders > > > >Thanks again to Julian and crew :) > > Nick (the other bit of the crew) sends his gratitude :-) > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From mailscanner at ecs.soton.ac.uk Sun Nov 24 15:27:36 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:32 2006 Subject: SV: How to make rules work In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263ECD0@lkl22.ltkalmar.se > Message-ID: <5.2.0.9.2.20021124152623.032181b0@imap.ecs.soton.ac.uk> At 15:02 24/11/2002, you wrote: >Hmm, just a thought. Easier to maintain a separate file since this >will only apply to technical person at work? > >Is it possible to use this kind of rule: >To: /etc/MaiScanner/users.txt >/etc/MailScanner/allow.filenames.rules.conf That's not a bad idea. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From andersan at LTKALMAR.SE Sun Nov 24 15:45:35 2002 From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:16:32 2006 Subject: SV: SV: How to make rules work Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263ECD3@lkl22.ltkalmar.se> > -----Ursprungligt meddelande----- > Fr?n: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Skickat: den 24 november 2002 16:28 > Till: MAILSCANNER@JISCMAIL.AC.UK > ?mne: Re: SV: How to make rules work > > > At 15:02 24/11/2002, you wrote: > >Hmm, just a thought. Easier to maintain a separate file since this > >will only apply to technical person at work? > > > >Is it possible to use this kind of rule: > >To: /etc/MaiScanner/users.txt > >/etc/MailScanner/allow.filenames.rules.conf > > That's not a bad idea. Nope, even I got my bright days ;) but is it possible. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From mailscanner at ecs.soton.ac.uk Sun Nov 24 17:36:30 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:32 2006
Subject: MailScanner dying occasionally?
Message-ID: <5.2.0.9.2.20021124173023.032077a8@imap.ecs.soton.ac.uk>

2 or 3 people here have been having a few problems recently with
MailScanner occasionally dying, particularly in RBLs.pm or SA.pm.

This has turned out to be a resource limit problem, where you have a mail
server that
a) is heavily loaded, and
b) only actually scans a small fraction of the mail going through it, and
c) has a relatively low limit for the number of open files at once (e.g. 1024).

The default value for the Max Unscanned Messages Per Scan parameter has
always been supplied at 500, causing these systems to run out of open
files. (MailScanner needs 2 open files per message in a batch)

The solution is very simple, just set

    Max Unscanned Messages Per Scan = 100

and you will be fine. There should be no noticeable loss in performance or
speed.

I have adjusted the default value in the distribution to match.

Jules.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Sun Nov 24 17:44:19 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:32 2006 Subject: SV: SV: How to make rules work In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263ECD3@lkl22.ltkalmar.se > Message-ID: <5.2.0.9.2.20021124174308.01ed20f8@imap.ecs.soton.ac.uk> At 15:45 24/11/2002, you wrote: > > -----Ursprungligt meddelande----- > > Fr?n: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > Skickat: den 24 november 2002 16:28 > > Till: MAILSCANNER@JISCMAIL.AC.UK > > ?mne: Re: SV: How to make rules work > > > > > > At 15:02 24/11/2002, you wrote: > > >Hmm, just a thought. Easier to maintain a separate file since this > > >will only apply to technical person at work? > > > > > >Is it possible to use this kind of rule: > > >To: /etc/MaiScanner/users.txt > > >/etc/MailScanner/allow.filenames.rules.conf > > > > That's not a bad idea. > >Nope, even I got my bright days ;) >but is it possible. It's possible. Not guaranteeing I'm going to do it immediately though, the ChangeLog for the next version is very long already. We'll see how my week goes... -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From andersan at LTKALMAR.SE Sun Nov 24 18:16:29 2002 
From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:16:32 2006 Subject: SV: SV: SV: How to make rules work Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263ECD5@lkl22.ltkalmar.se> I was talking in the present state of mailscanner.... but hey if it cant be done now maybe in the future then :) /Anders > -----Ursprungligt meddelande----- > Fr?n: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Skickat: den 24 november 2002 18:44 > Till: MAILSCANNER@JISCMAIL.AC.UK > ?mne: Re: SV: SV: How to make rules work > > > At 15:45 24/11/2002, you wrote: > > > -----Ursprungligt meddelande----- > > > Fr?n: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > > Skickat: den 24 november 2002 16:28 > > > Till: MAILSCANNER@JISCMAIL.AC.UK > > > ?mne: Re: SV: How to make rules work > > > > > > > > > At 15:02 24/11/2002, you wrote: > > > >Hmm, just a thought. Easier to maintain a separate file > since this > > > >will only apply to technical person at work? > > > > > > > >Is it possible to use this kind of rule: > > > >To: /etc/MaiScanner/users.txt > > > >/etc/MailScanner/allow.filenames.rules.conf > > > > > > That's not a bad idea. > > > >Nope, even I got my bright days ;) > >but is it possible. > > It's possible. Not guaranteeing I'm going to do it > immediately though, the > ChangeLog for the next version is very long already. We'll > see how my week > goes... > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From mailscanner at ecs.soton.ac.uk Sun Nov 24 18:41:34 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:32 2006
Subject: SV: SV: SV: How to make rules work
In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263ECD5@lkl22.ltkalmar.se>
Message-ID: <5.2.0.9.2.20021124183947.01ff3010@imap.ecs.soton.ac.uk>

At 18:16 24/11/2002, you wrote:
>I was talking in the present state of
>mailscanner.... but hey if it can't be done now
>maybe in the future then :)

In the mean time, you could knock up a script that writes a rules file
given a list-of-addresses file.

>/Anders
>
> > -----Original Message-----
> > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> > Sent: 24 November 2002 18:44
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: SV: SV: How to make rules work
> >
> >
> > At 15:45 24/11/2002, you wrote:
> > > > -----Original Message-----
> > > > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> > > > Sent: 24 November 2002 16:28
> > > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > > Subject: Re: SV: How to make rules work
> > > >
> > > >
> > > > At 15:02 24/11/2002, you wrote:
> > > > >Hmm, just a thought. Easier to maintain a separate file since this
> > > > >will only apply to technical person at work?
> > > > >
> > > > >Is it possible to use this kind of rule:
> > > > >To: /etc/MaiScanner/users.txt
> > > > >/etc/MailScanner/allow.filenames.rules.conf
> > > >
> > > > That's not a bad idea.
> > >
> > >Nope, even I got my bright days ;)
> > >but is it possible.
> >
> > It's possible. Not guaranteeing I'm going to do it immediately though, the
> > ChangeLog for the next version is very long already. We'll see how my week
> > goes...
> > --
> > Julian Field                Teaching Systems Manager
> > jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> > Tel. 023 8059 2817          University of Southampton
> >                             Southampton SO17 1BJ
> >

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From andersan at LTKALMAR.SE Sun Nov 24 18:45:37 2002
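The script suggested in the message above, one that writes a rules file from a list-of-addresses file, sketched as an added example; it is not part of the thread and not MailScanner code. The function names and the sample list are made up, while the two file paths and the rule layout are the ones quoted in the thread. Entries are validated strictly because every accepted line exempts a mailbox from the filename checks.

```shell
#!/bin/sh
# Added example, not from the thread: turn a list of addresses (one per
# line) into a ruleset laid out like the "To: address file" lines above.
LC_ALL=C; export LC_ALL
ALLOW_RULES=/etc/MailScanner/allowallfilename.rules.conf
DEFAULT_RULES=/etc/MailScanner/filename.rules.conf

# valid_address ADDR: succeed only for one literal user@host.domain.
# Wildcards, "default", paths and odd characters all fail, so a list entry
# can never exempt more than the single mailbox it names.
valid_address() {
    case $1 in
        *[!A-Za-z0-9@._+-]*) return 1 ;;  # '*', '/', ':', quotes, ...
        *@*@*)               return 1 ;;  # more than one '@'
        @*|*@.*|*..*|*.)     return 1 ;;  # empty local part, malformed domain
        *@*.*)               return 0 ;;
        *)                   return 1 ;;  # no '@', or no dot after it
    esac
}

# write_rules LISTFILE: print the ruleset on stdout.
# Returns 1 if any entry was rejected (details on stderr), 2 if unreadable.
write_rules() {
    [ -r "$1" ] || return 2
    tr -d '\r' < "$1" | (
        bad=0 seen=' '
        while read -r addr rest || [ -n "$addr" ]; do
            case $addr in ''|'#'*) continue ;; esac        # blank or comment
            # A second field would be read as the rule's value: refuse it.
            if [ -n "$rest" ] || ! valid_address "$addr"; then
                printf 'rejected entry: %s %s\n' "$addr" "$rest" >&2
                bad=1
                continue
            fi
            case $seen in *" $addr "*) continue ;; esac    # duplicate
            seen="$seen$addr "
            printf 'To: %s %s\n' "$addr" "$ALLOW_RULES"
        done
        # Everyone not listed keeps the normal filename rules.
        printf 'FromOrTo: default %s\n' "$DEFAULT_RULES"
        exit "$bad"
    )
}

# install_rules LISTFILE OUTFILE: replace OUTFILE only when every entry
# passed validation, so a bad list leaves the existing ruleset untouched.
install_rules() {
    tmp=$2.new.$$
    if write_rules "$1" > "$tmp"; then
        mv -f "$tmp" "$2"      # same directory, so the swap is one rename
    else
        rm -f "$tmp"
        return 1
    fi
}

# Constructed sample list: two good entries, a duplicate, three bad ones.
sample_list() {
    cat <<'EOF'
# technical staff allowed to receive executables (constructed sample)
tech1@example.org
tech2@example.org
tech1@example.org
*@*.se
default
tech3@example.org /etc/MailScanner/other.rules.conf
EOF
}

# Demo: print what would be generated from the sample list.
demo_dir=$(mktemp -d) && sample_list > "$demo_dir/users.txt"
write_rules "$demo_dir/users.txt" ||
    printf 'list has rejected entries; ruleset would not be installed\n' >&2
rm -rf "$demo_dir"
```
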
From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:16:32 2006 Subject: SV: SV: SV: SV: How to make rules work Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263ECD7@lkl22.ltkalmar.se> > -----Ursprungligt meddelande----- > Fr?n: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Skickat: den 24 november 2002 19:42 > Till: MAILSCANNER@JISCMAIL.AC.UK > ?mne: Re: SV: SV: SV: How to make rules work > > > At 18:16 24/11/2002, you wrote: > >I was talking in the present state of > >mailscanner.... but hey if it cant be done now > >maybe in the future then :) > > In the mean time, you could knock up a script that writes a > rules file > given a list-of-addresses file. If I knew how to do those things I wouldn't sitting here asking stupid questions :) I'll wait until you included that in another release > > > >/Anders > > > > > -----Ursprungligt meddelande----- > > > Fr?n: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > > Skickat: den 24 november 2002 18:44 > > > Till: MAILSCANNER@JISCMAIL.AC.UK > > > ?mne: Re: SV: SV: How to make rules work > > > > > > > > > At 15:45 24/11/2002, you wrote: > > > > > -----Ursprungligt meddelande----- > > > > > Fr?n: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > > > > Skickat: den 24 november 2002 16:28 > > > > > Till: MAILSCANNER@JISCMAIL.AC.UK > > > > > ?mne: Re: SV: How to make rules work > > > > > > > > > > > > > > > At 15:02 24/11/2002, you wrote: > > > > > >Hmm, just a thought. Easier to maintain a separate file > > > since this > > > > > >will only apply to technical person at work? > > > > > > > > > > > >Is it possible to use this kind of rule: > > > > > >To: /etc/MaiScanner/users.txt > > > > > >/etc/MailScanner/allow.filenames.rules.conf > > > > > > > > > > That's not a bad idea. > > > > > > > >Nope, even I got my bright days ;) > > > >but is it possible. > > > > > > It's possible. 
Not guaranteeing I'm going to do it > > > immediately though, the > > > ChangeLog for the next version is very long already. We'll > > > see how my week > > > goes... > > > -- > > > Julian Field Teaching Systems Manager > > > jkf@ecs.soton.ac.uk Dept. of Electronics & > Computer Science > > > Tel. 023 8059 2817 University of Southampton > > > Southampton SO17 1BJ > > > > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From sskulpone at METRIKA.COM Mon Nov 25 10:35:00 2002 From: sskulpone at METRIKA.COM (Sakorn Skulpone) Date: Thu Jan 12 21:16:32 2006 Subject: Specific From-To pairing rules Message-ID: My apologies if this has been covered, but I couldn't find anything in the archives or FAQ. Is there a way to write rules based on specific From and To pairings? In other words, a particular To address wants to receive from a certain From address, but another To address wants mail from that envelope treated as spam. Neither the FromTo nor the FromandTo seem to do this. I would procmail, but unfortunately MailScanner is front-ending for Exchange. And, yes, it is possible to get the person to unsubscribe, but this will keep me from having to explain how to the person! Or the person could write an Outlook rule, but that also means a visit :-) Sakorn Skulpone MIS Manager Metrika, Inc. From mailscanner at ecs.soton.ac.uk Mon Nov 25 11:00:40 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:32 2006
Subject: Specific From-To pairing rules
In-Reply-To:
Message-ID: <5.2.0.9.2.20021125105342.01fbcc40@imap.ecs.soton.ac.uk>

At 10:35 25/11/2002, you wrote:
>Is there a way to write rules based on specific From and To pairings? In
>other words, a particular To address wants to receive from a certain From
>address, but another To address wants mail from that envelope treated as
>spam. Neither the FromTo nor the FromandTo seem to do this.

The current config compiler can't do this. However, if you are up to
writing a bit of perl then you can implement it yourself as a Custom
Function. I didn't want to make the config compiler more complex than
necessary. It doesn't handle arbitrary expressions I'm afraid.

Furthermore, in your specific situation, you will hit the fact that a
message is not split up for different recipients. MailScanner doesn't
create duplicate messages for different recipients. It will happily edit
the recipient list of a message, but it won't create 2 completely separate
output messages for 1 input message. For example, if the subject line is
modified for 1 recipient, all the recipients will get the modified subject
line.

Unfortunately my config system doesn't allow totally general rules to be
defined, that would have added a lot of complexity for a gain only seen by
a few users. However, you can implement any scheme you wish using the
Custom Function facility.

>I would procmail, but unfortunately MailScanner is front-ending for
>Exchange. And, yes, it is possible to get the person to unsubscribe, but
>this will keep me from having to explain how to the person! Or the person
>could write an Outlook rule, but that also means a visit :-)

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From info at blacknight-solutions.com Mon Nov 25 12:51:52 2002
From: info at blacknight-solutions.com (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:16:32 2006 Subject: Virus magnet In-Reply-To: <5.2.0.9.2.20021123205659.037f7f50@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20021123205659.037f7f50@imap.ecs.soton.ac.uk> Message-ID: <14698.213.136.131.214.1038228712.squirrel@www.blacknightsolutions.com> > The bad news: 1 in 6 of those viruses were addressed to me. (There are > 1,800 people in our dept) > > Hmmm..... I know the feeling! Most of the spam and viruses through our mailservers are addressed to me too... It's great to feel loved :-) From mailscannerlist at TNJINFL.COM Mon Nov 25 15:57:50 2002 
From: mailscannerlist at TNJINFL.COM (James Pifer) Date: Thu Jan 12 21:16:32 2006 Subject: Testing content filtering? In-Reply-To: References: Message-ID: <1038239870.23752.33.camel@tweety.tnjinfl.com> Dan, I've been looking at this since these responses came in. From what I've found you put custom rules in /etc/mail/spamassassin/local.cf. Is this correct? Would you be willing to give me an example of one of your custom rules? Also, after modifying this file, do you just restart spamassassin? Thanks, James On Fri, 2002-11-22 at 10:27, Dan Kubilos wrote: > I do this for our school district by adding local rules to spamassassin. > > On Fri, 22 Nov 2002, James Pifer wrote: > > > My setup is Sendmail with MailScanner using SpamAssassin and f-prot. > > SpamAssassin does the content filtering right? I'm trying to test the > > server and make sure it's working before throwing it this weekend for a > > few hours as a pilot run. > > > > I've tried sending messages with a lot of offensive words in the subject > > and body that I won't repeat here, but they all get through without > > getting tagged. From the headers MailScanner is looking at it. > > > > Obviously I'm being naive and probably just assuming they should be > > getting caught. Can anyone suggest the best way to test this before > > trying it in production as our real mail gateway? > > > > Sorry if this is just a really stupid question.... > > > > Thanks, > > James > > > > -- > Dan Kubilos __\o_ ^ > K-8 Tech Coord > http://www.oxnardsd.org From mailscanner at ecs.soton.ac.uk Mon Nov 25 16:58:54 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:32 2006 Subject: Testing content filtering? In-Reply-To: <1038239870.23752.33.camel@tweety.tnjinfl.com> References: Message-ID: <5.2.0.9.2.20021125165809.03a1c910@imap.ecs.soton.ac.uk> At 15:57 25/11/2002, you wrote: >Also, after modifying this file, do you just restart spamassassin? There isn't anything in SpamAssassin to restart. You want to restart MailScanner. >On Fri, 2002-11-22 at 10:27, Dan Kubilos wrote: > > I do this for our school district by adding local rules to spamassassin. > > > > On Fri, 22 Nov 2002, James Pifer wrote: > > > > > My setup is Sendmail with MailScanner using SpamAssassin and f-prot. > > > SpamAssassin does the content filtering right? I'm trying to test the > > > server and make sure it's working before throwing it this weekend for a > > > few hours as a pilot run. > > > > > > I've tried sending messages with a lot of offensive words in the subject > > > and body that I won't repeat here, but they all get through without > > > getting tagged. From the headers MailScanner is looking at it. > > > > > > Obviously I'm being naive and probably just assuming they should be > > > getting caught. Can anyone suggest the best way to test this before > > > trying it in production as our real mail gateway? > > > > > > Sorry if this is just a really stupid question.... -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From rc at ITSS.NERC.AC.UK Mon Nov 25 17:02:55 2002 
From: rc at ITSS.NERC.AC.UK (Ron Campbell)
Date: Thu Jan 12 21:16:32 2006
Subject: "too many open files"
Message-ID: <3DE257BF.7050603@itss.nerc.ac.uk>

We had rather more spam than usual over the weekend and mailscanner
had problems keeping up. What stopped it eventually was "Too many
open files" from MailScanner. This seemed to be down to a large
no of messages in /var/spool/mqueue.in.

I added "/usr/bin/ulimit -Sn 4096" to the start script but that
was not altogether successful. - I had to feed a few hundred mail
messages to mailscanner at a time, until it got the backlog down.

Has anyone else had to do this ?

This is MailScanner 4.05-3 running on Solaris 9.

Would be grateful for any suggestions ...

Ron

--
--------------------
Ron Campbell                       Email: rc@itss.nerc.ac.uk  Fax: 01491 692446
IT Solutions & Services, NERC.     Phone: 01491 692346
Maclean Building, Crowmarsh Gifford, Wallingford, Oxon OX10 8BB

From mailscanner at ecs.soton.ac.uk Mon Nov 25 17:23:09 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:32 2006
Subject: "too many open files"
In-Reply-To: <3DE257BF.7050603@itss.nerc.ac.uk>
Message-ID: <5.2.0.9.2.20021125171651.05a7ada8@imap.ecs.soton.ac.uk>

At 17:02 25/11/2002, you wrote:
>We had rather more spam than usual over the weekend and mailscanner
>had problems keeping up. What stopped it eventually was "Too many
>open files" from MailScanner. This seemed to be down to a large
>no of messages in /var/spool/mqueue.in.
>
>I added "/usr/bin/ulimit -Sn 4096" to the start script but that
>was not altogether successful. - I had to feed a few hundred mail
>messages to mailscanner at a time, until it got the backlog down.
>
>Has anyone else had to do this ?

In your MailScanner.conf (or mailscanner.conf), set

    Max Unscanned Messages Per Scan = 100
    Max Unsafe Messages Per Scan = 100

You will find one of these values is probably set at 500 at the moment. It
shouldn't cause any noticeable performance hit but will drastically reduce
the number of file handles needed.

For more info on this, see my "MailScanner dying occasionally?" posting
from Sunday afternoon.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From Miguel.Montoya at CALIDAD.TELETULUA.COM.CO Mon Nov 25 17:28:19 2002
From: Miguel.Montoya at CALIDAD.TELETULUA.COM.CO (Miguel Fernando Montoya Martinez)
Date: Thu Jan 12 21:16:32 2006
Subject: Send Web pages
Message-ID: <35D9989521E9D5118F6700065B38718E0F0EEF@CALIDAD>

Hi, I can't send web pages from Outlook Express because my e-mail server
returns: Warning: E-mail viruses detected. I have mailscanner + sendmail, and
the same page can be sent from another e-mail server (mailscan (mcfee) +
exchange) with the same dat version.

How do I fix my problem?

I need help, thanks.

Sincerely,
_________________________________________
Ing. MIGUEL FERNANDO MONTOYA MARTINEZ
Head of Telematics Services
Miguel.Montoya@teletulua.com.co
TELETULUA S.A. E.S.P.
Calle 28 No. 25-61
Tuluá, (Valle del Cauca), Colombia
Tel: 57+2+2242033 (235)
Fax: 57+2+2242984
MSN mimontoy
Linux registration 159945

From m.sapsed at BANGOR.AC.UK Mon Nov 25 18:41:27 2002
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:16:32 2006
Subject: incoming directory
References: <3DD2D5DB.FF65F8FF@ucsc.edu>
Message-ID: <3DE26ED7.3080008@bangor.ac.uk>

John Rudd wrote:
> Has anyone explored the benefits or problems with putting the incoming
> directory onto a ramdisk? I know mailscanner prefers to have it on the
> same partition as the mail queue directories, but I'm wondering if it
> might be faster (for the scanning part of the process).

Isn't the scary thought that if the power goes you lose all the incoming
mail that hasn't been processed yet? (or do you have a truly UPS?)

Cheers,

Martin

--
Martin Sapsed                      Information Services
"Who do you say I am?"             University of Wales, Bangor
     Jesus of Nazareth

From mailscanner at ecs.soton.ac.uk Mon Nov 25 18:39:31 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:32 2006
Subject: "too many open files"
In-Reply-To: <5.2.0.9.2.20021125171651.05a7ada8@imap.ecs.soton.ac.uk>
References: <3DE257BF.7050603@itss.nerc.ac.uk>
Message-ID: <5.2.0.9.2.20021125183345.01ed41e8@imap.ecs.soton.ac.uk>

At 17:23 25/11/2002, you wrote:
>At 17:02 25/11/2002, you wrote:
>>We had rather more spam than usual over the weekend and mailscanner
>>had problems keeping up. What stopped it eventually was "Too many
>>open files" from MailScanner. This seemed to be down to a large
>>no of messages in /var/spool/mqueue.in.
>>
>>I added "/usr/bin/ulimit -Sn 4096" to the start script but that
>>was not altogether successful.

ulimit is a command built into the shell (and has to be). It exists in
bash. I have added "ulimit -n 2000" to the Linux RPM version of the
check_MailScanner script, and changed it from being a /bin/sh script to a
/bin/bash script. Its effect appears to propagate into the code perfectly
well.

>> - I had to feed a few hundred mail
>>messages to mailscanner at a time, until it got the backlog down.
>>
>>Has anyone else had to do this ?
>
>In your MailScanner.conf (or mailscanner.conf), set
>
>Max Unscanned Messages Per Scan = 100
>Max Unsafe Messages Per Scan = 100
>
>You will find one of these values is probably set at 500 at the moment. It
>shouldn't cause any noticeable performance hit but will drastically reduce
>the number of file handles needed.
>
>For more info on this, see my "MailScanner dying occasionally?" posting
>from Sunday afternoon.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Mon Nov 25 19:10:33 2002
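[Added example, not part of the list posts or of MailScanner's own scripts: the "too many open files" reply above says ulimit has to be a shell builtin. This sketch shows that a limit set by a separate process never reaches programs started afterwards, while the builtin followed by exec does. The function names and the value 64 are assumptions made for the demo, and the external ulimit program is simulated with "sh -c".]

```shell
#!/bin/sh
# Added illustration: why the open-file limit has to be set with the shell
# builtin inside the script that starts the daemon. Function names are made
# up for this demo; they are not part of MailScanner or check_MailScanner.

# Soft open-file limit that a freshly started child process inherits.
child_nofile() {
    sh -c 'ulimit -n'
}

# What calling an external ulimit program amounts to (simulated here with a
# separate "sh -c"): the limit changes inside that process only, the process
# exits, and the calling script and everything it starts later are unaffected.
# Prints the limit that a later child sees.
limit_after_external() {
    sh -c "ulimit -S -n $1" || return 1
    child_nofile
}

# The working pattern: set the limit with the builtin, then exec the program
# in the same process so that it inherits the new limit. A subshell keeps the
# caller's own limit untouched. A soft limit above the hard limit is rejected,
# so the result is checked instead of being silently ignored.
run_with_nofile() {
    (
        n=$1
        shift
        if ! ulimit -S -n "$n"; then
            echo "cannot set open-file limit to $n (hard limit: $(ulimit -H -n))" >&2
            exit 1
        fi
        exec "$@"
    )
}

# Demo with a constructed value: lowering the soft limit to 64 is always allowed.
demo() {
    echo "inherited limit before:      $(child_nofile)"
    echo "after external-style ulimit: $(limit_after_external 64)"
    echo "inside run_with_nofile 64:   $(run_with_nofile 64 sh -c 'ulimit -n')"
}

demo
```
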
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:32 2006
Subject: incoming directory
In-Reply-To: <3DE26ED7.3080008@bangor.ac.uk>
References: <3DD2D5DB.FF65F8FF@ucsc.edu>
Message-ID: <5.2.0.9.2.20021125190458.030e3e80@imap.ecs.soton.ac.uk>

At 18:41 25/11/2002, you wrote:
>John Rudd wrote:
>>Has anyone explored the benefits or problems with putting the incoming
>>directory onto a ramdisk? I know mailscanner prefers to have it on the
>>same partition as the mail queue directories, but I'm wondering if it
>>might be faster (for the scanning part of the process).
>
>Isn't the scary thought that if the power goes you lose all the incoming
>mail that hasn't been processed yet? (or do you have a truly UPS?)

On another point about this, I asked around some people who know a lot more
about the internals of operating system design than I do.

By putting the directories into a ramdisk, you are forcing the OS to use a
fixed amount of ram for this. In general, it is better to leave the OS to
manage system resources itself, as it's usually better at it than the
"fixed" value you give by having it in a ram disk.

Running off real disk, the only things that will be immediately written to
the disk are the inode updates (e.g. creating a new file). Everything else
(including the contents of the files) is cached in RAM. As MailScanner
creates and then deletes quite a few files (the "incoming" directory
contents) many of these will never actually hit the disk at all, apart from
a few inode updates.

So my advice would be to not use a ram disk and let the OS manage your ram
usage.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From henker at SHCOM.US Mon Nov 25 20:30:46 2002
From: henker at SHCOM.US (Steffan Henke)
Date: Thu Jan 12 21:16:32 2006
Subject: Startup script
In-Reply-To: <5.1.0.14.2.20021104185355.023572b0@imap.ecs.soton.ac.uk>
Message-ID:

On Mon, 4 Nov 2002, Julian Field wrote:

> Write a very short script that sets these variables and then calls
> sendmail, something like this
>
> #!/bin/sh
> export LD_PRELOAD=/lib/libensimvwhbw.so
> export ENSIMVWH_BWSVCID=1
> /usr/sbin/sendmail "$@"
>
> and then call this script in MailScanner instead of directly invoking

Hiya,

quite an old thread, but nonetheless I would like to ask if anybody has had
success so far using the bandwidth monitoring of ensim together with
MailScanner. I have used MailScanner happily for a couple of months now,
but still don't see any smtp traffic which has been somewhat of a problem
lately and I don't want to remove MailScanner...

Regards,

Steffan

From mailscannerlist at TNJINFL.COM Mon Nov 25 20:43:20 2002
From: mailscannerlist at TNJINFL.COM (James Pifer)
Date: Thu Jan 12 21:16:32 2006
Subject: Send mail immediately
Message-ID: <1038257000.23712.41.camel@tweety.tnjinfl.com>

Is there any way to have mail delivered immediately instead of sitting
in a queue? I've got the QUEUETIME set to 1m right now. Since mine is
not high volume and I'm not very patient, just wondering if it can be
even faster. If not, I can live with a minute....

Thanks,
James

From jrudd at UCSC.EDU Mon Nov 25 20:43:33 2002
From: jrudd at UCSC.EDU (John Rudd)
Date: Thu Jan 12 21:16:32 2006
Subject: incoming directory
In-Reply-To: <3DE26ED7.3080008@bangor.ac.uk>
Message-ID: <904D3D74-00B6-11D7-A5F6-003065F939FE@ucsc.edu>

On Monday, Nov 25, 2002, at 10:41 US/Pacific, Martin Sapsed wrote:

> John Rudd wrote:
>> Has anyone explored the benefits or problems with putting the incoming
>> directory onto a ramdisk? I know mailscanner prefers to have it on the
>> same partition as the mail queue directories, but I'm wondering if it
>> might be faster (for the scanning part of the process).
>
> Isn't the scary thought that if the power goes you lose all the incoming
> mail that hasn't been processed yet? (or do you have a truly UPS?)
>

Just to clarify, I didn't mean the mqueue.in directory, I meant the
directory where mailscanner does its scratch work, "Incoming Work Dir"
in the 3.x config file. I could be wrong, but I assume from the usage
patterns in my mqueue.in directory that it keeps the message in there
until it's done doing the "work". So, if the power were to go out, I'd
lose the "work", but not the message. I'm ok with that.

(but if that's not a correct assumption on my part, I'd be happy to
hear it)

From mailscanner at ecs.soton.ac.uk Mon Nov 25 20:52:33 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:32 2006
Subject: Send mail immediately
In-Reply-To: <1038257000.23712.41.camel@tweety.tnjinfl.com>
Message-ID: <5.2.0.9.2.20021125205020.01f63e50@imap.ecs.soton.ac.uk>

At 20:43 25/11/2002, you wrote:
>Is there any way to have mail delivered immediately instead of sitting
>in a queue? I've got the QUEUETIME set to 1m right now. Since mine is
>not high volume and I'm not very patient, just wondering if it can be
>even faster. If not, I can live with a minute....

Set the queuetime back to something reasonable (15m at least), and then set
Delivery Method = batch
in MailScanner.conf. That will trigger an immediate delivery attempt. In V4
I don't see any need for Delivery Method = queue at all.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Mon Nov 25 20:54:51 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:32 2006
Subject: incoming directory
In-Reply-To: <904D3D74-00B6-11D7-A5F6-003065F939FE@ucsc.edu>
References: <3DE26ED7.3080008@bangor.ac.uk>
Message-ID: <5.2.0.9.2.20021125205256.03116e98@imap.ecs.soton.ac.uk>

At 20:43 25/11/2002, you wrote:
>Just to clarify, I didn't mean the mqueue.in directory, I meant the
>directory where mailscanner does its scratch work, "Incoming Work Dir"
>in the 3.x config file. I could be wrong, but I assume from the usage
>patterns in my mqueue.in directory that it keeps the message in there
>until it's done doing the "work". So, if the power were to go out, I'd
>lose the "work", but not the message. I'm ok with that.
>
>(but if that's not a correct assumption on my part, I'd be happy to
>hear it)

You're right, it doesn't remove anything from the incoming queue until the
output message is safely in the output queue. So no power out can lose any
messages.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From Stephen.Dawes at GOV.CALGARY.AB.CA Mon Nov 25 20:50:41 2002
From: Stephen.Dawes at GOV.CALGARY.AB.CA (Dawes, Stephen)
Date: Thu Jan 12 21:16:32 2006
Subject: Send mail immediately
Message-ID:

It is my understanding from reading the sendmail documentation that the "m"
in 1m stands for minutes, and that you can use (h)ours, (m)inutes or
(s)econds. However, I do not know if MailScanner allows this to be anything
other than (m)inutes. I too would be interested. Worst case scenario is, it
is worth a try.

Stephen Dawes
The City of Calgary               | Phone: (403) 268-5527
Web Business Office #8300         | Fax: (403) 268-6423
PO Box 2100 Postal Station M.     | Email: Stephen.Dawes@calgary.ca
Calgary, Alberta, Canada. T2P 2M5 | Web: http://www.calgary.ca

FOIPP NOTIFICATION
This communication is intended ONLY for the use of the person or entity
named above and may contain information that is confidential or legally
privileged. If you are not the intended recipient named above or a person
responsible for delivering messages or communications to the intended
recipient, YOU ARE HEREBY NOTIFIED that any use, distribution, or copying
of this communication or any of the information contained in it is strictly
prohibited. If you have received this communication in error, please notify
us immediately by telephone and then destroy or delete this communication,
or return it to us by mail if requested by us. Thank you for your attention
and co-operation.

> -----Original Message-----
> From: James Pifer [mailto:mailscannerlist@TNJINFL.COM]
> Sent: 2002 November 25 1:43 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Send mail immediately
>
>
> Is there any way to have mail delivered immediately instead of sitting
> in a queue? I've got the QUEUETIME set to 1m right now. Since mine is
> not high volume and I'm not very patient, just wondering if it can be
> even faster. If not, I can live with a minute....
>
> Thanks,
> James
>

From kwang at UCALGARY.CA Mon Nov 25 21:01:28 2002
From: kwang at UCALGARY.CA (Kai Wang)
Date: Thu Jan 12 21:16:32 2006
Subject: errors when installing MailScanner-4.05-3
Message-ID: <3DE28FA8.C4D3309E@ucalgary.ca>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021125/1beb042d/attachment.html

From rc at ITSS.NERC.AC.UK Mon Nov 25 21:01:07 2002
From: rc at ITSS.NERC.AC.UK (Ron Campbell)
Date: Thu Jan 12 21:16:32 2006
Subject: closing down mailscanner
Message-ID: <1038258071.1614.22.camel@deli.nerc-wallingford.ac.uk>

What is the preferred way to close down mailscanner?

I have a "pkill mailscanner" in the init script which appears to do the
job but I am accumulating files /opt/MailScanner/var/MailScanner.XXXXX
and corresponding directories /var/spool/MailScanner/incoming/XXXXX.
These seem to be left-overs and don't get cleaned up when I restart it.
This does not look correct ???

Or maybe I am not starting mailscanner correctly? [I am using the
check_mailscanner script.]

This is 4.05-3. Must say it looks pretty good so far - these are just
minor niggles (which I can probably figure out myself ?) but if someone
else has already figured out what to do I would be grateful.

Cheers ... Ron

From nerijus at USERS.SOURCEFORGE.NET Mon Nov 25 21:06:58 2002
From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas)
Date: Thu Jan 12 21:16:32 2006
Subject: incoming directory
In-Reply-To: <5.2.0.9.2.20021125190458.030e3e80@imap.ecs.soton.ac.uk>
References: <3DD2D5DB.FF65F8FF@ucsc.edu> <5.2.0.9.2.20021125190458.030e3e80@imap.ecs.soton.ac.uk>
Message-ID: <200211252110.gAPLA1L6016018@mx.ktv.lt>

On Mon, 25 Nov 2002 19:10:33 +0000 Julian Field wrote:

> By putting the directories into a ramdisk, you are forcing the OS to use a
> fixed amount of ram for this. In general, it is better to leave the OS to
> manage system resources itself, as it's usually better at it than the
> "fixed" value you give by having it in a ram disk.

Linux 2.4 has tmpfs filesystem, which does not have ramdisk problems. For
example, User-mode Linux can place virtual memory files in tmpfs:

Instead, we can use 'tmpfs' which is a dynamic RAM based file system.
tmpfs only uses the memory it needs, so unlike ramfs, we don't have to
set aside a whole chunk of RAM from the word go. Of course, as with any
other memory allocated on a system, if it's unused it will be swapped out
to disk. Assuming the host has plenty of memory, from a combination of
real RAM and swap space, we can create a large /tmp file system using
tmpfs, which is used by the UML kernels. On a host with 1Gb of RAM, we can
quite happily create a 4Gb /tmp file system, as long as it has enough swap
space to swap out the extra 3Gb of memory.

Regards,
Nerijus

From mailscanner at ecs.soton.ac.uk Mon Nov 25 21:14:38 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:32 2006
Subject: errors when installing MailScanner-4.05-3
In-Reply-To: <3DE28FA8.C4D3309E@ucalgary.ca>
Message-ID: <5.2.0.9.2.20021125211205.01fec9f0@imap.ecs.soton.ac.uk>

What happened when you (or install.sh) tried to install MIME::Base64?

Try doing
        rpmbuild --rebuild perl-MIME-Base64*src.rpm
to rebuild it, and then install the rpm it produces (if the rebuild worked).

At 21:01 25/11/2002, you wrote:
>
>I have the following errors when installing MailScanner-4.05-3. It seems that
>perl-MIME-Base64-2.12-1 was not installed properly. Can anyone tell me
>how to fix it?

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Mon Nov 25 21:10:25 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:32 2006
Subject: closing down mailscanner
In-Reply-To: <1038258071.1614.22.camel@deli.nerc-wallingford.ac.uk>
Message-ID: <5.2.0.9.2.20021125210641.030effb8@imap.ecs.soton.ac.uk>

At 21:01 25/11/2002, you wrote:
>What is the preferred way to close down mailscanner?

I have changed this for 4.06 to try and sort this out. Currently it is
not very good. Running the init script with a "stop" parameter is best.

>I have a "pkill mailscanner" in the init script which appears to do the
>job but I am accumulating files /opt/MailScanner/var/MailScanner.XXXXX
>and corresponding directories /var/spool/MailScanner/incoming/XXXXX.
>These seem to be left-overs and don't get cleaned up when I restart it.
>This does not look correct ???
>
>Or maybe I am not starting mailscanner correctly? [I am using the
>check_mailscanner script.]

check_mailscanner (or check_MailScanner) is the best way, apart from using
the init script with "start".

>This is 4.05-3. Must say it looks pretty good so far - these are just
>minor niggles (which I can probably figure out myself ?) but if someone
>else has already figured out what to do I would be grateful.

As I say, 4.06 should be better at this.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From kwang at UCALGARY.CA Mon Nov 25 21:39:15 2002
From: kwang at UCALGARY.CA (Kai Wang)
Date: Thu Jan 12 21:16:32 2006
Subject: errors when installing MailScanner-4.05-3
References: <5.2.0.9.2.20021125211205.01fec9f0@imap.ecs.soton.ac.uk>
Message-ID: <3DE29883.CE069884@ucalgary.ca>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021125/ed08cf8d/attachment.html

From jrudd at UCSC.EDU Mon Nov 25 21:47:42 2002
From: jrudd at UCSC.EDU (John Rudd)
Date: Thu Jan 12 21:16:32 2006
Subject: incoming directory
In-Reply-To: <200211252110.gAPLA1L6016018@mx.ktv.lt>
Message-ID: <868708F3-00BF-11D7-A5F6-003065F939FE@ucsc.edu>

On Monday, Nov 25, 2002, at 13:06 US/Pacific, Nerijus Baliunas wrote:

> On Mon, 25 Nov 2002 19:10:33 +0000 Julian Field wrote:
>
>> By putting the directories into a ramdisk, you are forcing the OS to use a
>> fixed amount of ram for this. In general, it is better to leave the OS to
>> manage system resources itself, as it's usually better at it than the
>> "fixed" value you give by having it in a ram disk.
>
> Linux 2.4 has tmpfs filesystem, which does not have ramdisk problems. For
> example, User-mode Linux can place virtual memory files in tmpfs:
>
> Instead, we can use 'tmpfs' which is a dynamic RAM based file system.
> tmpfs only uses the memory it needs, so unlike ramfs, we don't have to
> set aside a whole chunk of RAM from the word go.
[snip]

That's largely how it works in Solaris as well (the platform I'm using).
Some people use tmpfs and ramdisk interchangeably.

In my case, I have 1GB of RAM on those machines. I was thinking of
having the incoming work dir set mounted in tmpfs, and limit the size
of that tmpfs to 400ish mb.

From mailscanner at ecs.soton.ac.uk Mon Nov 25 22:08:27 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:32 2006
Subject: errors when installing MailScanner-4.05-3
In-Reply-To: <3DE29883.CE069884@ucalgary.ca>
References: <5.2.0.9.2.20021125211205.01fec9f0@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20021125220716.030cda20@imap.ecs.soton.ac.uk>

At 21:39 25/11/2002, you wrote:
>Here is the output when building MIME-Base64-2.12.

Okay, so it built the rpm okay.
Now try installing it with

        rpm -Uvh /usr/src/redhat/RPMS/i386/perl-MIME-Base64-2.12-1.i386.rpm

and let's see what that produces.

>Julian Field wrote:
>>What happened when you (or install.sh) tried to install MIME::Base64?
>>
>>Try doing
>>        rpmbuild --rebuild perl-MIME-Base64*src.rpm
>>to rebuild it, and then install the rpm it produces (if the rebuild worked).
>>
>>At 21:01 25/11/2002, you wrote:
>> >
>> >I have the following errors when installing MailScanner-4.05-3. It seems that
>> >perl-MIME-Base64-2.12-1 was not installed properly. Can anyone tell me
>> >how to fix it?
>>
>>--
>>Julian Field                Teaching Systems Manager
>>jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
>>Tel. 023 8059 2817          University of Southampton
>>                            Southampton SO17 1BJ

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mkettler at EVI-INC.COM Mon Nov 25 22:17:02 2002
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:16:32 2006
Subject: Send Web pages
In-Reply-To: <35D9989521E9D5118F6700065B38718E0F0EEF@CALIDAD>
Message-ID: <5.1.1.6.0.20021125164925.0209c710@192.168.50.2>

Could you be more specific? There are three possible sources of message
rejection, so the report contained in the body of the message would be
required to determine which part of mailscanner is killing your message.

Do you get:
Report: Possible Microsoft security vulnerability attack

if so, configure your mailscanner.conf with:
Allow IFrame Tags = yes

Otherwise it could be a filename rule, or a virus detection from mcafee,
but the report will tell what/why.

At 12:28 PM 11/25/2002 -0500, you wrote:
>Hi, I can't send web pages from Outlook express because my e-mail server
>returns: Warning: E-mail viruses detected, I have mailscanner + sendmail,
>and the same page can be sent from another e-mail server (mailscan (mcfee) +
>exchange) with the same dat version.
>
>
>
>How fix my problem.
>
>
>
>I need help, thanks.
>
>
>
>Sincerely,
>_________________________________________
>Ing. MIGUEL FERNANDO MONTOYA MARTINEZ
>Head of Telematics Services
>Miguel.Montoya@teletulua.com.co
>TELETULUA S.A. E.S.P.
>Calle 28 No. 25-61
>Tuluá, (Valle del Cauca), Colombia
>Tel: 57+2+2242033 (235)
>Fax: 57+2+2242984
>MSN mimontoy
>Linux registration 159945
>
>

From kwang at UCALGARY.CA Mon Nov 25 22:33:38 2002
From: kwang at UCALGARY.CA (Kai Wang)
Date: Thu Jan 12 21:16:32 2006
Subject: errors when installing MailScanner-4.05-3
References: <5.2.0.9.2.20021125211205.01fec9f0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20021125220716.030cda20@imap.ecs.soton.ac.uk>
Message-ID: <3DE2A542.F1C52BAE@ucalgary.ca>

Still exactly the same.

Thanks
Kai

Julian Field wrote:

> At 21:39 25/11/2002, you wrote:
> >Here is the output when building MIME-Base64-2.12.
>
> Okay, so it built the rpm okay.
> Now try installing it with
>
>         rpm -Uvh /usr/src/redhat/RPMS/i386/perl-MIME-Base64-2.12-1.i386.rpm
>
> and let's see what that produces.
>
> >Julian Field wrote:
> >>What happened when you (or install.sh) tried to install MIME::Base64?
> >>
> >>Try doing
> >>        rpmbuild --rebuild perl-MIME-Base64*src.rpm
> >>to rebuild it, and then install the rpm it produces (if the rebuild worked).
> >>
> >>At 21:01 25/11/2002, you wrote:
> >> >
> >> >I have the following errors when installing MailScanner-4.05-3. It seems that
> >> >perl-MIME-Base64-2.12-1 was not installed properly. Can anyone tell me
> >> >how to fix it?
> >>
> >>--
> >>Julian Field                Teaching Systems Manager
> >>jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> >>Tel. 023 8059 2817          University of Southampton
> >>                            Southampton SO17 1BJ
>
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ

From jim at ENTROPHY-FREE.NET Mon Nov 25 22:32:09 2002
From: jim at ENTROPHY-FREE.NET (Jim Levie)
Date: Thu Jan 12 21:16:32 2006
Subject: Send Web pages
In-Reply-To: <35D9989521E9D5118F6700065B38718E0F0EEF@CALIDAD>
References: <35D9989521E9D5118F6700065B38718E0F0EEF@CALIDAD>
Message-ID: <1038263530.2579.2.camel@chaos.entrophy-free.net>

On Mon, 2002-11-25 at 11:28, Miguel Fernando Montoya Martinez wrote:
> Hi, I can't send web pages from Outlook express because my e-mail server
> returns: Warning: E-mail viruses detected, I have mailscanner + sendmail, and
> the same page can be sent from another e-mail server (mailscan (mcfee) +
> exchange) with the same dat version.
>
MailScanner is objecting to OutLook is "sending the webpage" as a .lnk
file. You can allow that by editing the filename rules.
--
The instructions said to use Windows 98 or better, so I installed RedHat.

From P.G.M.Peters at civ.utwente.nl Tue Nov 26 08:03:56 2002
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:16:32 2006
Subject: SV: How do I get MailScanner to pass Spamassassin Headers through ?
In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263ECC6@lkl22.ltkalmar.se>
References: <7B475DC5E9502B4D91EA73C283AE48D70263ECC6@lkl22.ltkalmar.se>
Message-ID:

On Sat, 23 Nov 2002 20:34:38 +0100, you wrote:

>Anyone got this saved somewhere, can't find it and need to
>figure out how to filter our mail in outlook.
>Both new server are up and running.... :)

We have a lot more NEW server up and running.

>> I have made something to help our people install filters in outlook. You
>> should be able to view it also on
>> http://home.student.utwente.nl/p.g.m.peters/outlookrule_viewlet.html

What happened to this URL can be found on www.utwente.nl. The English
version is on www.utwente.nl/en.

--
Peter Peters
senior network administrator, Centrum voor Informatievoorziening,
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: +31 53 489 2301, fax: +31 53 489 2383, http://www.utwente.nl/civ

From mailscanner at ecs.soton.ac.uk Tue Nov 26 09:38:30 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:32 2006
Subject: errors when installing MailScanner-4.05-3
In-Reply-To: <3DE2A542.F1C52BAE@ucalgary.ca>
References: <5.2.0.9.2.20021125211205.01fec9f0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20021125220716.030cda20@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20021126093758.0550da08@imap.ecs.soton.ac.uk>

At 22:33 25/11/2002, you wrote:
>Still exactly the same.

Please can you include the output of the "rpm -Uvh" command, so I can see
what it did. We might want to take this discussion off the list, too...

>Thanks
>Kai
>
>Julian Field wrote:
>
> > At 21:39 25/11/2002, you wrote:
> > >Here is the output when building MIME-Base64-2.12.
> >
> > Okay, so it built the rpm okay.
> > Now try installing it with
> >
> >         rpm -Uvh /usr/src/redhat/RPMS/i386/perl-MIME-Base64-2.12-1.i386.rpm
> >
> > and let's see what that produces.
> >
> > >Julian Field wrote:
> > >>What happened when you (or install.sh) tried to install MIME::Base64?
> > >>
> > >>Try doing
> > >>        rpmbuild --rebuild perl-MIME-Base64*src.rpm
> > >>to rebuild it, and then install the rpm it produces (if the rebuild worked).
> > >>
> > >>At 21:01 25/11/2002, you wrote:
> > >> >
> > >> >I have the following errors when installing MailScanner-4.05-3. It seems that
> > >> >perl-MIME-Base64-2.12-1 was not installed properly. Can anyone tell me
> > >> >how to fix it?
> > >>
> > >>--
> > >>Julian Field                Teaching Systems Manager
> > >>jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> > >>Tel. 023 8059 2817          University of Southampton
> > >>                            Southampton SO17 1BJ
> >
> > --
> > Julian Field                Teaching Systems Manager
> > jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> > Tel. 023 8059 2817          University of Southampton
> >                             Southampton SO17 1BJ

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From p.vanbrouwershaven at NETWORKING4ALL.COM Tue Nov 26 09:29:27 2002
From: p.vanbrouwershaven at NETWORKING4ALL.COM (Paul van Brouwershaven - Networking4all)
Date: Thu Jan 12 21:16:32 2006
Subject: /var/spool/mqueue.in
Message-ID:

Hi,

I have many e-mail in the /var/spool/mqueue.in directory after we had a
disk space problem on one of our servers. When I do the mailq command I
get a message that there is no mail in the queue /var/spool/mqueue ????

I have:

restarted mailscanner
loaded sendmail with /usr/sbin/sendmail -q1m and with /usr/sbin/sendmail -q1m -OQueueDirectory=/var/spool/mqueue.in

New e-mail is normally processed

Can someone help me ???
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021126/543d2687/attachment.html

From p.vanbrouwershaven at NETWORKING4ALL.COM Tue Nov 26 09:58:08 2002
From: p.vanbrouwershaven at NETWORKING4ALL.COM (Paul van Brouwershaven - Networking4all)
Date: Thu Jan 12 21:16:32 2006
Subject: /var/spool/mqueue.in
Message-ID:

Hi,

I have many e-mail in the /var/spool/mqueue.in directory after we had a
disk space problem on one of our servers. When I do the mailq command I
get a message that there is no mail in the queue /var/spool/mqueue ????

I have:

restarted mailscanner
loaded sendmail with /usr/sbin/sendmail -q1m and with /usr/sbin/sendmail -q1m -OQueueDirectory=/var/spool/mqueue.in

New e-mail is normally processed

Can someone help me ???
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021126/b5ce094c/attachment.html

From p.vanbrouwershaven at NETWORKING4ALL.COM Tue Nov 26 10:30:54 2002
From: p.vanbrouwershaven at NETWORKING4ALL.COM (Paul van Brouwershaven - Networking4all)
Date: Thu Jan 12 21:16:32 2006
Subject: /var/spool/mqueue.in
In-Reply-To:
Message-ID:

Problem solved itself

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Paul van Brouwershaven - Networking4all
Sent: Tuesday, November 26, 2002 10:58 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: /var/spool/mqueue.in

Hi,

I have many e-mail in the /var/spool/mqueue.in directory after we had a
disk space problem on one of our servers. When I do the mailq command I
get a message that there is no mail in the queue /var/spool/mqueue ????

I have:

restarted mailscanner
loaded sendmail with /usr/sbin/sendmail -q1m and with /usr/sbin/sendmail -q1m -OQueueDirectory=/var/spool/mqueue.in

New e-mail is normally processed

Can someone help me ???
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021126/427ab157/attachment.html

From mailscanner at ecs.soton.ac.uk Tue Nov 26 10:28:06 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:33 2006
Subject: /var/spool/mqueue.in
In-Reply-To:
Message-ID: <5.2.0.9.2.20021126102551.054fa490@imap.ecs.soton.ac.uk>

At 09:58 26/11/2002, you wrote:
>I have many e-mail in the /var/spool/mqueue.in directory after we had a
>disk space problem on one of our servers. When I do the mailq command I
>get a message that there is no mail in the queue /var/spool/mqueue

That's because, as you have just said yourself, the "mailq" command looks
at "/var/spool/mqueue" and you have lots of messages in
"/var/spool/mqueue.in".

>restarted mailscanner
>loaded sendmail with /usr/sbin/sendmail -q1m and with /usr/sbin/sendmail
>-q1m -OQueueDirectory=/var/spool/mqueue.in

Why the "-1m", sounds far too small a time gap to me. But anyway...
You are running both sendmails with "-q1m". The one that has the mqueue.in
mentioned should have "-bd" and not "-q1m".

Are the files in mqueue.in quite old? Do any of them start with capital Q
or capital D? If so, they are just old message fragments left behind when
you kill sendmail.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From P.G.M.Peters at civ.utwente.nl Tue Nov 26 11:10:28 2002
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:16:33 2006
Subject: incoming directory
In-Reply-To: <3DE26ED7.3080008@bangor.ac.uk>
References: <3DD2D5DB.FF65F8FF@ucsc.edu> <3DE26ED7.3080008@bangor.ac.uk>
Message-ID:

On Mon, 25 Nov 2002 18:41:27 +0000, you wrote:

>John Rudd wrote:
>> Has anyone explored the benefits or problems with putting the incoming
>> directory onto a ramdisk? I know mailscanner prefers to have it on the
>> same partition as the mail queue directories, but I'm wondering if it
>> might be faster (for the scanning part of the process).
>
>Isn't the scary thought that if the power goes you lose all the incoming
>mail that hasn't been processed yet? (or do you have a truly UPS?)

That doesn't always work. Our no-break system was still operating when
our servers were nothing more than molten steel and some smoke in the
wind.

--
Peter Peters
senior network administrator, Centrum voor Informatievoorziening,
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: +31 53 489 2301, fax: +31 53 489 2383, http://www.utwente.nl/civ

From Denis.Beauchemin at USHERBROOKE.CA Tue Nov 26 13:54:17 2002
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:16:33 2006
Subject: Send Web pages
In-Reply-To: <1038263530.2579.2.camel@chaos.entrophy-free.net>
References: <35D9989521E9D5118F6700065B38718E0F0EEF@CALIDAD> <1038263530.2579.2.camel@chaos.entrophy-free.net>
Message-ID: <1038318857.7622.134.camel@dbeauchemin.si.usherbrooke.ca>

Jim,

No it isn't. If you send the page (not a link to one) you receive HTML
code. I have just tested it (send page and send link) and the link came
OK but the page was rejected because of an "Object Codebase" in it.

That was fine except for the sending of an email saying that my PC was
probably infected and should be checked. People shouldn't receive
notifications if they send HTML attachments with "Object Codebase" in
them (this is not a virus).

Julian, how could we add them to the "Silent Viruses" rule?

Denis

On Mon 25/11/2002 at 17:32, Jim Levie wrote:
> On Mon, 2002-11-25 at 11:28, Miguel Fernando Montoya Martinez wrote:
> > Hi, I can't send web pages from Outlook express because my e-mail server
> > returns: Warning: E-mail viruses detected, I have mailscanner + sendmail, and
> > the same page can be sent from another e-mail server (mailscan (mcfee) +
> > exchange) with the same dat version.
> >
> MailScanner is objecting to OutLook is "sending the webpage" as a .lnk
> file. You can allow that by editing the filename rules.
--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From brose at MED.WAYNE.EDU Tue Nov 26 15:00:52 2002
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:16:33 2006
Subject: W32/WinEvar
Message-ID:

This looks like another one for the Silent Virus line, correct?

-=B
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021126/a0e083ab/attachment.html

From tony.johansson at SVENSKAKYRKAN.SE Tue Nov 26 14:46:37 2002
From: tony.johansson at SVENSKAKYRKAN.SE (Tony Johansson) Date: Thu Jan 12 21:16:33 2006 Subject: Webmin Message-ID: <3C4F5084EF16D4119CE700508B6B8B10058D0848@nt.svenskakyrkan.se> Does anyone know what the present state of the mailscanner webmin module is? I searched the archives and found some posts dated June about people working on a module and that it "might" be in the next webmin release. regards, Tony From P.G.M.Peters at civ.utwente.nl Tue Nov 26 15:08:27 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:16:33 2006 Subject: URL for mailscanner Message-ID: Is the mailscanner website down? I get timeout and connections refused from www.mailscanner.info. Last week we had our mailservers running on MS 3 on SuSe but I've got a RedHat system now. So I will need the new rpms to install mailscanner. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From matt at kaminer.com Tue Nov 26 14:06:14 2002 From: matt at kaminer.com (Matt Kaminer) Date: Thu Jan 12 21:16:33 2006 Subject: BlackList question In-Reply-To: <3C4F5084EF16D4119CE700508B6B8B10058D0848@nt.svenskakyrkan.se> References: <3C4F5084EF16D4119CE700508B6B8B10058D0848@nt.svenskakyrkan.se> Message-ID: <36659.65.205.80.66.1038319574.squirrel@webmail.mmc.net> Has anyone compiled any benchmarks for the speed of processing domain names listed in the blacklist file? I find that each time I get a SPAM message that went undetected by SpamAssassin, I block out the entire domain. Im worried that if I have too many domains in the blacklist file, MailScanner will slow down. For example, I included opti9.net and opti10.net and specialdealsonline.net (these are known notorious spammers that for some reason fall below the SpamAssassin radar). -Matt From mailscanner at ecs.soton.ac.uk Tue Nov 26 15:26:26 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:33 2006 Subject: URL for mailscanner In-Reply-To: Message-ID: <5.2.0.9.2.20021126152551.055f35a8@imap.ecs.soton.ac.uk> At 15:08 26/11/2002, you wrote: >Is the mailscanner website down? I get timeout and connections refused >from www.mailscanner.info. > >Last week we had our mailservers running on MS 3 on SuSe but I've got a >RedHat system now. So I will need the new rpms to install mailscanner. Our web server rebooted for some (as yet unknown) reason. It's back up now. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Nov 26 15:25:28 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:33 2006 Subject: W32/WinEvar In-Reply-To: Message-ID: <5.2.0.9.2.20021126152517.0586cdf0@imap.ecs.soton.ac.uk> Indeed. Added to the default list for the next release. At 15:00 26/11/2002, you wrote: >This looks like another one for the Silent Virus line, correct? > >-=B -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Nov 26 15:15:03 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:33 2006 Subject: Send Web pages In-Reply-To: <1038318857.7622.134.camel@dbeauchemin.si.usherbrooke.ca> References: <1038263530.2579.2.camel@chaos.entrophy-free.net> <35D9989521E9D5118F6700065B38718E0F0EEF@CALIDAD> <1038263530.2579.2.camel@chaos.entrophy-free.net> Message-ID: <5.2.0.9.2.20021126151252.0587eec0@imap.ecs.soton.ac.uk> What I have done is stop the iframe and codebase checks from being done to attachments. After all, it is only in inline content that they are dangerous. (Unless someone has thoughts to the contrary?) The fix will be in the next release. But if you need it now, it's a dead simple patch to SweepContent.pm: --- /root/unstable/mailscanner/mailscanner/bin/MailScanner/SweepContent.pm Sun Nov 24 12:40:17 2002 +++ SweepContent.pm Tue Nov 26 15:27:15 2002 
@@ -223,7 +223,10 @@ # Look for text/html sections my $type = $entity->head->mime_attr('content-type'); + my $disposition = $entity->head->mime_attr('content-disposition'); + $disposition = 'inline' unless $disposition; if ($type && $type =~ /text\/html/i && + $disposition !~ /attachment/i && defined($entity->body) && defined($entity->bodyhandle->path)) { $counter += SearchHTMLBody($message, $id, $entity->bodyhandle->path, $allowiframes, $allowobjects, At 13:54 26/11/2002, you wrote: >Jim, > >No it isn't. If you send the page (not a link to one) you receive HTML >code. > >I have just tested it (send page and send link) and the link came OK but >the page was rejected because of an "Object Codebase" in it. > >That was fine except for the sending of an email saying that my PC was >probably infected and should be checked. > >People shouldn't receive notifications if they send HTML attachments >with "Object Codebase" in them (this is not a virus). > >Julian, how could we add them to the "Silent Viruses" rule? > >Denis > >Le lun 25/11/2002 ? 17:32, Jim Levie a ?crit : > > On Mon, 2002-11-25 at 11:28, Miguel Fernando Montoya Martinez wrote: > > > Hi, i can?t send web pages from Outlook express because my e-mail server > > > return: Warning: E-mail viruses detected, I have mailscanner + > sendmail, and > > > the same page can to send from other e-mail server (mailscan (mcfee) + > > > exchange) with the same dat version. > > > > > MailScanner is objecting to OutLook is "sending the webpage" as a .lnk > > file. You can allow that by editing the filename rules. >-- >Denis Beauchemin, analyste >Universit? de Sherbrooke, S.T.I. >T: 819.821.8000x2252 F: 819.821.8045 -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From sean at NISD.NET Tue Nov 26 15:55:45 2002 
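Review bot: the added condition "$disposition !~ /attachment/i" skips SearchHTMLBody based on a Content-Disposition value that comes from the message header, which the sender writes, so any text/html part labelled as an attachment now bypasses the iframe and object codebase checks. Consider putting the skip behind a configuration setting and logging each part that is skipped, so sites that want attachments checked can keep the old behaviour. The match is also unanchored and will accept any disposition value that merely contains the substring "attachment"; /^attachment$/i on the value returned by mime_attr would be tighter. The default of 'inline' when the header is missing keeps the check on for parts with no disposition, which is the safe direction and worth a comment in the code.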
From: sean at NISD.NET (Sean Embry) Date: Thu Jan 12 21:16:33 2006 Subject: Silent viruses Message-ID: If a virus is marked as silent, does the admin still get notices on it? The klez notices are driving me nutz, and I have Klez as a silent virus. So I did it wrong, or I'm being dumb. Thanks >>> mailscanner@ECS.SOTON.AC.UK 11/26/02 09:25AM >>> Indeed. Added to the default list for the next release. At 15:00 26/11/2002, you wrote: >This looks like another one for the Silent Virus line, correct? > >-=B -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Nov 26 16:35:51 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:33 2006 Subject: Silent viruses In-Reply-To: Message-ID: <5.2.0.9.2.20021126163437.0371f0d8@imap.ecs.soton.ac.uk> At 15:55 26/11/2002, you wrote: >If a virus is marked as silent, does the admin still get notices on it? Yes. >The klez notices are driving me nutz, and I have Klez as a silent virus. >So I did it wrong, or I'm being dumb. Why not just set up a filter so that the notices all get written to their own mail folder? The notices are most useful for calculating statistics, I can't imagine anyone actually reads them all do they? > >>> mailscanner@ECS.SOTON.AC.UK 11/26/02 09:25AM >>> >Indeed. Added to the default list for the next release. > >At 15:00 26/11/2002, you wrote: > >This looks like another one for the Silent Virus line, correct? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From Denis.Beauchemin at USHERBROOKE.CA Tue Nov 26 16:43:01 2002 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:16:33 2006 Subject: Send Web pages In-Reply-To: <5.2.0.9.2.20021126151252.0587eec0@imap.ecs.soton.ac.uk> References: <1038263530.2579.2.camel@chaos.entrophy-free.net> <35D9989521E9D5118F6700065B38718E0F0EEF@CALIDAD> <1038263530.2579.2.camel@chaos.entrophy-free.net> <5.2.0.9.2.20021126151252.0587eec0@imap.ecs.soton.ac.uk> Message-ID: <1038328980.7644.158.camel@dbeauchemin.si.usherbrooke.ca> Julian, The code I have is quite different than the one being patched: # Look for text/html sections if ($entity->head->mime_attr('content-type') =~ /text\/html/i && defined($entity->body) && defined($entity->bodyhandle->path)) { $counter += SearchHTMLBody($message, $id, $entity->bodyhandle->path, $allowiframes, $allowobjects); } I'm running mailscanner-4.05-3. How should I patch it? Denis Le mar 26/11/2002 ? 10:15, Julian Field a ?crit : > What I have done is stop the iframe and codebase checks from being done to > attachments. After all, it is only in inline content that they are dangerous. > (Unless someone has thoughts to the contrary?) > > The fix will be in the next release. But if you need it now, it's a dead > simple patch to SweepContent.pm: > > --- > /root/unstable/mailscanner/mailscanner/bin/MailScanner/SweepContent.pm > Sun Nov 24 12:40:17 2002 > +++ SweepContent.pm Tue Nov 26 15:27:15 2002 
> @@ -223,7 +223,10 @@ > > # Look for text/html sections > my $type = $entity->head->mime_attr('content-type'); > + my $disposition = $entity->head->mime_attr('content-disposition'); > + $disposition = 'inline' unless $disposition; > if ($type && $type =~ /text\/html/i && > + $disposition !~ /attachment/i && > defined($entity->body) && defined($entity->bodyhandle->path)) { > $counter += SearchHTMLBody($message, $id, $entity->bodyhandle->path, > $allowiframes, $allowobjects, > > > At 13:54 26/11/2002, you wrote: > >Jim, > > > >No it isn't. If you send the page (not a link to one) you receive HTML > >code. > > > >I have just tested it (send page and send link) and the link came OK but > >the page was rejected because of an "Object Codebase" in it. > > > >That was fine except for the sending of an email saying that my PC was > >probably infected and should be checked. > > > >People shouldn't receive notifications if they send HTML attachments > >with "Object Codebase" in them (this is not a virus). > > > >Julian, how could we add them to the "Silent Viruses" rule? > > > >Denis > > > >Le lun 25/11/2002 ? 17:32, Jim Levie a ?crit : > > > On Mon, 2002-11-25 at 11:28, Miguel Fernando Montoya Martinez wrote: > > > > Hi, i can?t send web pages from Outlook express because my e-mail server > > > > return: Warning: E-mail viruses detected, I have mailscanner + > > sendmail, and > > > > the same page can to send from other e-mail server (mailscan (mcfee) + > > > > exchange) with the same dat version. > > > > > > > MailScanner is objecting to OutLook is "sending the webpage" as a .lnk > > > file. You can allow that by editing the filename rules. > >-- > >Denis Beauchemin, analyste > >Universit? de Sherbrooke, S.T.I. > >T: 819.821.8000x2252 F: 819.821.8045 -- Denis Beauchemin, analyste Universit? de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From andersan at LTKALMAR.SE Tue Nov 26 16:45:42 2002 
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:16:33 2006
Subject: SV: SV: How do I get MailScanner to pass Spamassassin Headers through ?
Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263ECF1@lkl22.ltkalmar.se>

> -----Original message-----
> From: Peter Peters [mailto:P.G.M.Peters@civ.utwente.nl]
> Sent: 26 November 2002 09:04
> To: Anders Andersson, IT
> Cc: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: SV: How do I get MailScanner to pass Spamassassin Headers
> through ?
>
>
> On Sat, 23 Nov 2002 20:34:38 +0100, you wrote:
>
> >Anyone got this saved somewhere, can't find it and need to
> >figure out how to filter our mail in outlook.
> >Both new server are up and running.... :)
>
> We have a lot more NEW server up and running.

It turned out to be an amazing translation stupidity in outlook.
So I can only blame outlook-translators since they didn't use the same
names for internet-headers as they did in rules-wizard.
Now I can filter and it works like it should.
Swedish description is on my list of to-do things :)

>
> >> I have made something to help our people install filters in
> >> outlook. You
> >> should be able to view it also on
> >> http://home.student.utwente.nl/p.g.m.peters/outlookrule_viewlet.html
>
> What happened to this URL can be found on www.utwente.nl. The english
> version is on www.utwente.nl/en.
>
> --
> Peter Peters
> senior netwerkbeheerder, Centrum voor Informatievoorziening,
> Universiteit Twente, Postbus 217, 7500 AE Enschede
> telefoon: +31 53 489 2301, fax:+31 53 489 2383,
> http://www.utwente.nl/civ
>

From gavin at NETERGY.COM Tue Nov 26 16:59:17 2002
From: gavin at NETERGY.COM (Gavin Nelmes-Crocker) Date: Thu Jan 12 21:16:33 2006 Subject: Question Message-ID: I want to do some tracking on Spam and virii going to specific domains. I notice in the logs that the domain doesn't seem to show until the Spam is delivered - if the rules are that it should be deleted does the domain name that it was intended to go to get displayed in the log - if not can it? Thanks Gavin From jkf at ecs.soton.ac.uk Tue Nov 26 16:58:39 2002 
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:33 2006
Subject: Send Web pages
In-Reply-To: <1038328980.7644.158.camel@dbeauchemin.si.usherbrooke.ca>
References: <5.2.0.9.2.20021126151252.0587eec0@imap.ecs.soton.ac.uk> <1038263530.2579.2.camel@chaos.entrophy-free.net> <35D9989521E9D5118F6700065B38718E0F0EEF@CALIDAD> <1038263530.2579.2.camel@chaos.entrophy-free.net> <5.2.0.9.2.20021126151252.0587eec0@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20021126165710.03a1a7e0@imap.ecs.soton.ac.uk>

      # Look for text/html sections
      my $type = $entity->head->mime_attr('content-type');
      my $disposition = $entity->head->mime_attr('content-disposition');
      $disposition = 'inline' unless $disposition;
      if ($type && $type =~ /text\/html/i &&
          $disposition !~ /attachment/i &&
          defined($entity->body) && defined($entity->bodyhandle->path)) {
        $counter += SearchHTMLBody($message, $id, $entity->bodyhandle->path,
                                   $allowiframes, $allowobjects);
      }

At 16:43 26/11/2002, you wrote:
>Julian,
>
>The code I have is quite different than the one being patched:
>      # Look for text/html sections
>      if ($entity->head->mime_attr('content-type') =~ /text\/html/i &&
>          defined($entity->body) && defined($entity->bodyhandle->path)) {
>        $counter += SearchHTMLBody($message, $id, $entity->bodyhandle->path,
>                                   $allowiframes, $allowobjects);
>      }
>
>I'm running mailscanner-4.05-3. How should I patch it?
>
>Denis
>
>On Tue 26/11/2002 at 10:15, Julian Field wrote:
> > What I have done is stop the iframe and codebase checks from being done to
> > attachments. After all, it is only in inline content that they are dangerous.
> > (Unless someone has thoughts to the contrary?)
> >
> > The fix will be in the next release. But if you need it now, it's a dead
> > simple patch to SweepContent.pm:
> >
> > --- > > /root/unstable/mailscanner/mailscanner/bin/MailScanner/SweepContent.pm > > Sun Nov 24 12:40:17 2002 > > +++ SweepContent.pm Tue Nov 26 15:27:15 2002 
> > @@ -223,7 +223,10 @@ > > > > # Look for text/html sections > > my $type = $entity->head->mime_attr('content-type'); > > + my $disposition = $entity->head->mime_attr('content-disposition'); > > + $disposition = 'inline' unless $disposition; > > if ($type && $type =~ /text\/html/i && > > + $disposition !~ /attachment/i && > > defined($entity->body) && defined($entity->bodyhandle->path)) { > > $counter += SearchHTMLBody($message, $id, $entity->bodyhandle->path, > > $allowiframes, $allowobjects, > > > > > > At 13:54 26/11/2002, you wrote: > > >Jim, > > > > > >No it isn't. If you send the page (not a link to one) you receive HTML > > >code. > > > > > >I have just tested it (send page and send link) and the link came OK but > > >the page was rejected because of an "Object Codebase" in it. > > > > > >That was fine except for the sending of an email saying that my PC was > > >probably infected and should be checked. > > > > > >People shouldn't receive notifications if they send HTML attachments > > >with "Object Codebase" in them (this is not a virus). > > > > > >Julian, how could we add them to the "Silent Viruses" rule? > > > > > >Denis > > > > > >Le lun 25/11/2002 ? 17:32, Jim Levie a ?crit : > > > > On Mon, 2002-11-25 at 11:28, Miguel Fernando Montoya Martinez wrote: > > > > > Hi, i can?t send web pages from Outlook express because my e-mail > server > > > > > return: Warning: E-mail viruses detected, I have mailscanner + > > > sendmail, and > > > > > the same page can to send from other e-mail server (mailscan > (mcfee) + > > > > > exchange) with the same dat version. > > > > > > > > > MailScanner is objecting to OutLook is "sending the webpage" as a .lnk > > > > file. You can allow that by editing the filename rules. > > >-- > > >Denis Beauchemin, analyste > > >Universit? de Sherbrooke, S.T.I. > > >T: 819.821.8000x2252 F: 819.821.8045 >-- >Denis Beauchemin, analyste >Universit? de Sherbrooke, S.T.I. 
>T: 819.821.8000x2252 F: 819.821.8045 -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Nov 26 17:01:46 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:33 2006 Subject: Question In-Reply-To: Message-ID: <5.2.0.9.2.20021126170132.0596af80@imap.ecs.soton.ac.uk> At 16:59 26/11/2002, you wrote: >I want to do some tracking on Spam and virii going to specific domains. > >I notice in the logs that the domain doesn't seem to show until the Spam is >delivered - if the rules are that it should be deleted does the domain name >that it was intended to go to get displayed in the log - if not can it? As a first check, do you have "Log Spam = yes" in your MailScanner.conf? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From Chris.Campbell at FAC.COM Tue Nov 26 17:48:51 2002 
From: Chris.Campbell at FAC.COM (Chris Campbell)
Date: Thu Jan 12 21:16:33 2006
Subject: mcafeewrapper
Message-ID:

I am getting weird timeouts and pages can't be displayed on the searchable
archive, so forgive me if this was already answered.

I finally have the chance to upgrade to v4, and i thought it went smooth.
I now see errors in my logs :

MailScanner[23602]: Could not open file >/var/spool/MailScanner/incoming/23602/gAQHYcD2023680.header: No such file or directory

mailscanner[23638]: Commercial virus checker failed with real error: Can't run commercial checker mcafee ("/usr/local/uvscan/mcafeewrapper"): No such file or directory at /usr/local/MailScanner/bin/sweep.pl line 404.

.....................................
Christopher S. Campbell
UNIX Admin
First Albany Corp
518.447.8544
chris.campbell@fac.com

From jaearick at COLBY.EDU Tue Nov 26 17:54:34 2002
From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:16:33 2006 Subject: v4: Max Children, sendmail QueueLA, RefuseLA Message-ID: Y'all, I upgraded from v3 to v4 last week with no major issues, until our admissions office fired up their mass-mailer program for prospective applicants. It is one of these PC-based programs that sends out one "customized" message per recipient, for 3K recipients. Suffice to say that it bombs our mail server with messages. With a 2 CPU box (Sun E220R), I had "Max Children" set to 10. With the incoming mass-mail, the system load quickly leveled off at 14 to 16 with oodles of MS and sendmail processes, plus the usual POP connections. Then I noticed that email was backing up, and that I was getting "connection refused" on SMTP connections. I remembered that my sendmail QueueLA setting was 14 and my RefuseLA was 16. So, my "Max Children" setting was high enough to bump up against my sendmail load-average settings when MailScanner was maxxed out, thus causing a degradation in mail service. I lowered "Max Children" to 4, reducing the total load to about 10 during the mass-mailing run, and things ran smoothly. Moral: take a look at your QueueLA and RefuseLA settings in sendmail. Make sure that "Max Children" times the number of CPUS is less than either of these two numbers, plus some breathing room. ----------------------------------- Jeff A. Earickson, Ph.D Senior UNIX Sysadmin and Email Guru Information Technology Services Colby College, 4214 Mayflower Hill, Waterville ME, 04901-8842 phone: 207-872-3659 (fax = 3076) ----------------------------------- From brose at MED.WAYNE.EDU Tue Nov 26 18:26:36 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:16:33 2006 Subject: Silent viruses Message-ID: All I do is filter at my client so that it deletes all of them as they come in except for ones generated from hosts on my subnets since those are the only ones that I can do anything about. -----Original Message----- 
From: Sean Embry [mailto:sean@NISD.NET] Sent: Tuesday, November 26, 2002 10:56 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Silent viruses If a virus is marked as silent, does the admin still get notices on it? The klez notices are driving me nutz, and I have Klez as a silent virus. So I did it wrong, or I'm being dumb. Thanks >>> mailscanner@ECS.SOTON.AC.UK 11/26/02 09:25AM >>> Indeed. Added to the default list for the next release. At 15:00 26/11/2002, you wrote: >This looks like another one for the Silent Virus line, correct? > >-=B -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From billa at STERLING.NET Tue Nov 26 18:31:19 2002 From: billa at STERLING.NET (Bill Anderson) Date: Thu Jan 12 21:16:33 2006 Subject: RBL checks Message-ID: Can MailScanner be configured to ignore the final sending address for blacklist checking and check the address previous to the last? The reason for this is that I have a backup mail store and forward server in the event that the pimary one goes down (secondary MX record). What I am finding is that mail is being delivered to the secondary which get's forwarded to the primary MailScanners server. This then bypasses the BlackList RBL test since the final server is a known good one. I still want to check the sender for an RBL entry, but if it is my backup mail server, I would like to check the previous address. Thanks. Hopefully I havent made this too confusing. From mailscanner at ecs.soton.ac.uk Tue Nov 26 18:30:03 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:33 2006 Subject: mcafeewrapper In-Reply-To: Message-ID: <5.2.0.9.2.20021126182844.02b2ce50@imap.ecs.soton.ac.uk> At 17:48 26/11/2002, you wrote: >I am getting weird timeouts and pages can't be displayed on the searchable >archive, so forgive me if this was already answered. > >I finally have the chance to upgrade to v4, and i thought it went >smooth. I now see errors in my logs : > > MailScanner[23602]: Could not open > file >/var/spool/MailScanner/incoming/23602/gAQHYcD2023680.header: No > such file or directory That error is from version 4 of MailScanner. >mailscanner[23638]: Commercial virus checker failed with real error: Can't >run commercial checker mcafee ("/usr/local/uvscan/mcafeewrapper"): No such >file or directory at /usr/local/MailScanner/bin/sweep.pl line 404. That error is from version 3 of MailScanner. See the problem? Things work rather better if you only run 1 version at a time :) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Nov 26 18:34:03 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:33 2006 Subject: v4: Max Children, sendmail QueueLA, RefuseLA In-Reply-To: Message-ID: <5.2.0.9.2.20021126183103.01f32c68@imap.ecs.soton.ac.uk> At 17:54 26/11/2002, you wrote: >Y'all, > > I upgraded from v3 to v4 last week with no major issues, until >our admissions office fired up their mass-mailer program for >prospective applicants. It is one of these PC-based programs that >sends out one "customized" message per recipient, for 3K recipients. >Suffice to say that it bombs our mail server with messages. > > With a 2 CPU box (Sun E220R), I had "Max Children" set to 10. >With the incoming mass-mail, the system load quickly leveled off >at 14 to 16 with oodles of MS and sendmail processes, plus the usual >POP connections. Then I noticed that email was backing up, and that >I was getting "connection refused" on SMTP connections. I remembered >that my sendmail QueueLA setting was 14 and my RefuseLA was 16. > > So, my "Max Children" setting was high enough to bump up against >my sendmail load-average settings when MailScanner was maxxed out, >thus causing a degradation in mail service. > > I lowered "Max Children" to 4, reducing the total load to about 10 >during the mass-mailing run, and things ran smoothly. > > Moral: take a look at your QueueLA and RefuseLA settings in sendmail. >Make sure that "Max Children" times the number of CPUS is less than >either of these two numbers, plus some breathing room. As many of the MailScanner processes will be sitting in "network waits" the high load figure you see is nothing to be afraid of. On my test server I jacked up the QueueLA and RefuseLA figures to 20 or 30. Lots of MailScanner children will create a high load average if hit hard, make sure your system is correctly configured to handle it. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 
023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Nov 26 18:37:25 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:33 2006 Subject: RBL checks In-Reply-To: Message-ID: <5.2.0.9.2.20021126183427.01f37ec0@imap.ecs.soton.ac.uk> At 18:31 26/11/2002, you wrote: >Can MailScanner be configured to ignore the final sending address for >blacklist checking and check the address previous to the last? No. The only way to do that is to try and parse it out of the headers, and it is trivial for spammers to fake (I'm surprised how few do at the moment). All they need do is directly attack your mail server making the mail appear to come from somewhere safe and you will let it all in. > The reason >for this is that I have a backup mail store and forward server in the event >that the pimary one goes down (secondary MX record). Run MailScanner on all MX hosts and it isn't a problem. Having MX hosts configured differently is a classic way of leaving yourself open to attack. There is usually no good reason for your externally-visible MX hosts to have different configurations. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mkettler at EVI-INC.COM Tue Nov 26 19:13:10 2002 
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:16:33 2006 Subject: RBL checks In-Reply-To: <5.2.0.9.2.20021126183427.01f37ec0@imap.ecs.soton.ac.uk> References: Message-ID: <5.1.1.6.0.20021126140832.01590cc8@192.168.50.2> Julian, you do realize this is about blacklists right? Checking blacklists (ie: orbs, SBL, etc) back to arbitrary depth (excluding the originating IP if the blacklist contains a DUL) is not a risk. All the spammer can gain by forging an IP is getting themselves blacklisted... and as far as I'm concerned, they can help themselves to all the blacklisting they want. Now whitelist checking, ie: bondedsender, etc, needs to only be done on trusted headers.. because there the spammer can do what you suggest. At 06:37 PM 11/26/2002 +0000, Julian Field wrote: >No. The only way to do that is to try and parse it out of the headers, and >it is trivial for spammers to fake (I'm surprised how few do at the >moment). All they need do is directly attack your mail server making the >mail appear to come from somewhere safe and you will let it all in. From mailscanner at ecs.soton.ac.uk Tue Nov 26 19:20:31 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:33 2006
Subject: RBL checks
In-Reply-To: <5.1.1.6.0.20021126140832.01590cc8@192.168.50.2>
References: <5.2.0.9.2.20021126183427.01f37ec0@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20021126191356.02c7fe88@imap.ecs.soton.ac.uk>

At 19:13 26/11/2002, you wrote:
>Julian, you do realize this is about blacklists right?

Yes thank you.

>Checking blacklists (ie: orbs, SBL, etc) back to arbitrary depth (excluding
>the originating IP if the blacklist contains a DUL) is not a risk. All the
>spammer can gain by forging an IP is getting themselves blacklisted... and
>as far as I'm concerned, they can help themselves to all the blacklisting
>they want.

Headers say
         Received: From your-first-server@you.com by your-second-server@you.com
         Received: Nice-safe-domain@other.com by your-first-server@you.com
         Received: Another-nice-safe@other2.com by nice-safe-domain@other.com

The 2nd and 3rd lines are fake. And so you receive the message not marking
it as spam (as it came from nice safe domains). You report the spam to the
blacklists and other.com and other2.com get blacklisted. That's going to
make them real happy. And the spammer changes to another couple of
"other.com" and "other2.com" domains that aren't in the blacklists. And
they get blacklisted too, and so on.

The spammers don't get blacklisted, "other.com" and "other2.com" do.

>Now whitelist checking, ie: bondedsender, etc, needs to only be done on
>trusted headers.. because there the spammer can do what you suggest.
>
>At 06:37 PM 11/26/2002 +0000, Julian Field wrote:
>>No. The only way to do that is to try and parse it out of the headers, and
>>it is trivial for spammers to fake (I'm surprised how few do at the
>>moment). All they need do is directly attack your mail server making the
>>mail appear to come from somewhere safe and you will let it all in.

--
Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept.
of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From gavin at NETERGY.COM Tue Nov 26 19:51:58 2002 From: gavin at NETERGY.COM (Gavin Nelmes-Crocker) Date: Thu Jan 12 21:16:33 2006 Subject: Question In-Reply-To: <5.2.0.9.2.20021126170132.0596af80@imap.ecs.soton.ac.uk> Message-ID: oh yes we can see it being logged - but I don't think it logs anything to do with the delivery address which is what I need to extract info. I need to run some tests and then I'll ask again with some more details from the log > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: 26 November 2002 17:02 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Question > > > At 16:59 26/11/2002, you wrote: > >I want to do some tracking on Spam and virii going to specific domains. > > > >I notice in the logs that the domain doesn't seem to show until > the Spam is > >delivered - if the rules are that it should be deleted does the > domain name > >that it was intended to go to get displayed in the log - if not can it? > > As a first check, do you have "Log Spam = yes" in your MailScanner.conf? > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From mkettler at EVI-INC.COM Tue Nov 26 19:51:50 2002 
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:16:33 2006
Subject: RBL checks
In-Reply-To: <5.2.0.9.2.20021126191356.02c7fe88@imap.ecs.soton.ac.uk>
References: <5.1.1.6.0.20021126140832.01590cc8@192.168.50.2> <5.2.0.9.2.20021126183427.01f37ec0@imap.ecs.soton.ac.uk>
Message-ID: <5.1.1.6.0.20021126144642.01f09eb0@192.168.50.2>

Ahem, let me clarify

1) line one is invariant in this case, always the same.
2) lines 2 and 3, or any other header other than 1 MUST NOT be used for
   whitelists.
3) lines 2 and 3 are used for blacklists and DNS blacklists, but NOT
   whitelists.

So unless the mail admin is an idiot and whitelists "your-second-server",
in which case he's whitelisted all of his email, what you describe will not
happen.

So, if I check only line 1 against my whitelists, and check 2 and 3 against
ORBS... how does this get the spam a free ride past the spamfilter based on
"nice-safe-domain@other.com"?

Yes, that is in fact impossible Julian because of criteria #2... think about
it a bit....

At 07:20 PM 11/26/2002 +0000, you wrote:
>Headers say
>         Received: From your-first-server@you.com by your-second-server@you.com
>         Received: Nice-safe-domain@other.com by your-first-server@you.com
>         Received: Another-nice-safe@other2.com by nice-safe-domain@other.com
>
>The 2nd and 3rd lines are fake. And so you receive the message not marking
>it as spam (as it came from nice safe domains). You report the spam to the
>blacklists and other.com and other2.com get blacklisted. That's going to
>make them real happy. And the spammer changes to another couple of
>"other.com" and "other2.com" domains that aren't in the blacklists. And
>they get blacklisted too, and so on.
>
>The spammers don't get blacklisted, "other.com" and "other2.com" do.

From jim at ENTROPHY-FREE.NET Tue Nov 26 19:44:58 2002
From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:16:33 2006 Subject: RBL checks In-Reply-To: <5.2.0.9.2.20021126183427.01f37ec0@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20021126183427.01f37ec0@imap.ecs.soton.ac.uk> Message-ID: <1038339899.1455.45.camel@wilowisp.dynetics.com> On Tue, 2002-11-26 at 12:37, Julian Field wrote: > At 18:31 26/11/2002, you wrote: > >Can MailScanner be configured to ignore the final sending address for > >blacklist checking and check the address previous to the last? > > No. The only way to do that is to try and parse it out of the headers, and > it is trivial for spammers to fake (I'm surprised how few do at the > moment). All they need do is directly attack your mail server making the > mail appear to come from somewhere safe and you will let it all in. > If done properly I don't see there being a problem with spammers forging addresses. You don't arbitrarily skip the first header, but instead you compare that MTA's IP to one that MailScanner expects as one of your relay servers. Only if the first MTA is one of your relay servers do you skip that and run the DNS BL checks against the second MTA. So, the check winds up happening as if the relay server wasn't in the message path. I'm running a patched (sendmail only) version of 3.x that does this right now. I haven't fielded 4.x on any production servers yet, partly because I have to have that functionality for most of the sites where I use MailScanner. > > The reason > >for this is that I have a backup mail store and forward server in the event > >that the primary one goes down (secondary MX record). > > Run MailScanner on all MX hosts and it isn't a problem. Having MX hosts > configured differently is a classic way of leaving yourself open to attack. > There is usually no good reason for your externally-visible MX hosts to > have different configurations. > -- That isn't always a possibility.
There are cases where the mail relay systems aren't owned or operated by the organization running MailScanner. And even when you do own the relay servers it may not be desirable to run MailScanner on those systems. A relay server doesn't generally need a lot of CPU power. All it has to do is to be able to keep up with the max inbound message rate and have enough disk space for whatever volume of messages it will need to temporarily store, which for most folks is going to be something on the order of what a T1 or two can do. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= The instructions said to use Windows 98 or better, so I installed RedHat Jim Levie email: jim@entrophy-free.net From jim at ENTROPHY-FREE.NET Tue Nov 26 20:09:51 2002
From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:16:33 2006 Subject: RBL checks In-Reply-To: <5.2.0.9.2.20021126191356.02c7fe88@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20021126183427.01f37ec0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20021126191356.02c7fe88@imap.ecs.soton.ac.uk> Message-ID: <1038341391.1455.52.camel@wilowisp.dynetics.com> On Tue, 2002-11-26 at 13:20, Julian Field wrote: > At 19:13 26/11/2002, you wrote: > >Julian, you do realize this is about blacklists right? > > Yes thank you. > > >Checking blacklists (ie: orbs, SBL, etc) back to arbitrary depth (excluding > >the originating IP if the blacklist contains a DUL) is not a risk. All the > >spammer can gain by forging an IP is getting themselves blacklisted... and > >as far as I'm concerned, they can help themselves to all the blacklisting > >they want. > > Headers say > Received: From your-first-server@you.com by your-second-server@you.com > Received: Nice-safe-domain@other.com by your-first-server@you.com > Received: Another-nice-safe@other2.com by nice-safe-domain@other.com > > The 2nd and 3rd lines are fake. And so you receive the message not marking > it as spam (as it came from nice safe domains). You report the spam to the > blacklists and other.com and other2.com get blacklisted. That's going to > make them real happy. And the spammer changes to another couple of > "other.com" and "other2.com" domains that aren't in the blacklists. And > they get blacklisted too, and so on. > Maybe I'm missing something, but if you were running a DNS BL on "your-first-server" it would see "Nice-safe-domain@other.com" as the sending MTA. You don't use the professed name for a BL check, instead it needs to be done against the IP the MTA connected to. So I don't see why it is a problem to skip "your-first-server" and do a BL check against the MTA for line two (above). The same logic applies to white listed MTA's.
If you ran the white list on the relay server that is the same as skipping the relay server on an interior MailScanner using a white list. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= The instructions said to use Windows 98 or better, so I installed RedHat Jim Levie email: jim@entrophy-free.net From mailscanner at ecs.soton.ac.uk Tue Nov 26 20:35:24 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:33 2006 Subject: RBL checks In-Reply-To: <1038341391.1455.52.camel@wilowisp.dynetics.com> References: <5.2.0.9.2.20021126191356.02c7fe88@imap.ecs.soton.ac.uk> <5.2.0.9.2.20021126183427.01f37ec0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20021126191356.02c7fe88@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20021126203205.02d99158@imap.ecs.soton.ac.uk> At 20:09 26/11/2002, you wrote: >On Tue, 2002-11-26 at 13:20, Julian Field wrote: > > At 19:13 26/11/2002, you wrote: > > >Julian, you do realize this is about blacklists right? > > > > Yes thank you. > > > > >Checking blacklists (ie: orbs, SBL, etc) back to arbitrary depth > (excluding > > >the originating IP if the blacklist contains a DUL) is not a risk. All the > > >spammer can gain by forging an IP is getting themselves blacklisted... and > > >as far as I'm concerned, they can help themselves to all the blacklisting > > >they want. > > > > Headers say > > Received: From your-first-server@you.com by > your-second-server@you.com > > Received: Nice-safe-domain@other.com by your-first-server@you.com > > Received: Another-nice-safe@other2.com by > nice-safe-domain@other.com > > > > The 2nd and 3rd lines are fake. And so you receive the message not marking > > it as spam (as it came from nice safe domains). You report the spam to the > > blacklists and other.com and other2.com get blacklisted. That's going to > > make them real happy. And the spammer changes to another couple of > > "other.com" and "other2.com" domains that aren't in the blacklists. And > > they get blacklisted too, and so on. > > >Maybe I'm missing something, but if you were running a DNS BL on >"your-first-server" it would see "Nice-safe-domain@other.com" as the >sending MTA. The difference is that the first connection to the MTA can be extracted (fairly reliably) from the envelope, without using the headers.
All further ones have to be read from the headers, and are hence liable to be faked. There's a big difference between using the first one and using any of the others. Which is why I only consider the first. I don't intend changing that. > You don't use the professed name for a BL check, instead it >need to be done against the IP the MTA connected to. So I don't see why >it is a problem to skip "your-first-server" and do a BL check against >the MTA for line two (above) > >The same logic applies to white listed MTA's. If you ran the white list >on the relay server that is the same as skipping the relay server on an >interior MailScanner using a white list. >-- >=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= >The instructions said to use Windows 98 or better, so I installed RedHat > Jim Levie email: >jim@entrophy-free.net -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jim at ENTROPHY-FREE.NET Tue Nov 26 21:02:20 2002 
From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:16:33 2006 Subject: RBL checks In-Reply-To: <5.2.0.9.2.20021126203205.02d99158@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20021126191356.02c7fe88@imap.ecs.soton.ac.uk> <5.2.0.9.2.20021126183427.01f37ec0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20021126191356.02c7fe88@imap.ecs.soton.ac.uk> <5.2.0.9.2.20021126203205.02d99158@imap.ecs.soton.ac.uk> Message-ID: <1038344543.1455.80.camel@wilowisp.dynetics.com> On Tue, 2002-11-26 at 14:35, Julian Field wrote: > The difference is that the first connection to the MTA can be extracted > (fairly reliably) from the envelope, without using the headers. All further > ones have to be read from the headers, and are hence liable to be faked. > There's a big difference between using the first one and using any of the > others. Which is why I only consider the first. I don't intend changing that. > I agree that you can't trust anything below the second Received header in a relay environment. But, you can trust the first two since they were added by your MTA's, provided that the immediate upstream MTA is your relay. As long as you verify that the message was received from one of your relays I don't see a way for a spammer to fake the second Received header and so it should be as safe as the envelope MTA's IP. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= The instructions said to use Windows 98 or better, so I installed RedHat Jim Levie email: jim@entrophy-free.net From sevans at FOUNDATION.SDSU.EDU Tue Nov 26 21:28:09 2002
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:16:33 2006 Subject: W32/WinEvar Message-ID: <6214C3F9233D764C9E7029396C355015682771@mail.foundation.sdsu.edu> Suggestion: Make the silent virus line point to a file, then have a way to update that file, either automatically, or manually. Similar to dat updates for virus engines. I see the number of files on the Silent Virus line starting to grow faster and faster. Steve Evans SDSU Foundation (619) 594-0653 -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Tuesday, November 26, 2002 7:25 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: W32/WinEvar Indeed. Added to the default list for the next release. At 15:00 26/11/2002, you wrote: >This looks like another one for the Silent Virus line, correct? > >-=B -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mkettler at EVI-INC.COM Tue Nov 26 21:35:10 2002 
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:16:33 2006 Subject: RBL checks In-Reply-To: <5.2.0.9.2.20021126203205.02d99158@imap.ecs.soton.ac.uk> References: <1038341391.1455.52.camel@wilowisp.dynetics.com> <5.2.0.9.2.20021126191356.02c7fe88@imap.ecs.soton.ac.uk> <5.2.0.9.2.20021126183427.01f37ec0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20021126191356.02c7fe88@imap.ecs.soton.ac.uk> Message-ID: <5.1.1.6.0.20021126161942.015d9450@192.168.50.2> /shrug My net suggestion is to disable MailScanner's use of DNSBL's and use SpamAssassin to do it until MailScanner figures out how to do DNSBL's correctly. SA does DNSBL's the correct way (you don't need to trust the input to a blacklist) and allow you to configure the depth of scan. Of course, SA also does DNSWL's (ie: bondedsender) the wrong way because adding bondedsender was an afterthought and re-used the code which is designed to properly support blacklists. My suggestion there is to just zero that rule until a proper whitelist_check function is implemented in SA. Check out SA's num_check_received option, which only affects RBL checks. Eventually SA's going to have to get separate code paths for handling blacklists and whitelists, since trust is critical in the case of white, but does not matter in the case of black. At 08:35 PM 11/26/2002 +0000, you wrote: >The difference is that the first connection to the MTA can be extracted >(fairly reliably) from the envelope, without using the headers. All further >ones have to be read from the headers, and are hence liable to be faked. >There's a big difference between using the first one and using any of the >others. Which is why I only consider the first. I don't intend changing that. From rich at MAIL.WVNET.EDU Tue Nov 26 22:28:33 2002 
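The relay-aware hop selection Jim Levie describes and the blacklist/whitelist trust split Matt Kettler describes in the RBL checks thread above, as an added Python example (not MailScanner or SpamAssassin code). The relay address, host names, header lines and the zone `dnsbl.example` are constructed, and the code assumes the newest Received header is the one the scanning host's own MTA wrote for the connection.

```python
import ipaddress
import re

# Constructed configuration: relays we operate or explicitly trust (assumption).
TRUSTED_RELAYS = [ipaddress.ip_network("192.0.2.10/32")]

_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_trusted(ip, trusted=TRUSTED_RELAYS):
    return any(ip in net for net in trusted)


def client_ip(received_value):
    """IP that the stamping MTA recorded for its SMTP client, or None."""
    from_clause = received_value.split(" by ", 1)[0]  # ignore IPs in the "by" part
    match = _BRACKETED_IP.search(from_clause)
    if not match:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:  # four numbers that are not an address, e.g. [999.1.1.1]
        return None


def verified_sender(peer_ip, received, trusted=TRUSTED_RELAYS):
    """Return (ip, index) of the last hop whose address we can believe.

    peer_ip comes from the SMTP connection, not from headers. received is
    the list of Received values, newest first. A header is only believed
    when the MTA that wrote it is the scanner itself or a trusted relay
    that really handed us the message.
    """
    current = ipaddress.ip_address(peer_ip)
    if not received or client_ip(received[0]) != current:
        return current, 0  # headers do not match the connection: ignore them
    index = 0
    while is_trusted(current, trusted) and index + 1 < len(received):
        next_hop = client_ip(received[index + 1])  # written by a trusted relay
        if next_hop is None:
            break
        current, index = next_hop, index + 1
    return current, index


def blacklist_candidates(peer_ip, received, depth=0, trusted=TRUSTED_RELAYS):
    """Verified sender first, then up to `depth` unverified older hops.

    Only the first entry is fit for a whitelist decision. The rest come
    from headers anyone could have written, so use them for blacklist
    lookups only.
    """
    sender, index = verified_sender(peer_ip, received, trusted)
    candidates = [sender]
    for value in received[index + 1:index + 1 + depth]:
        ip = client_ip(value)
        if ip is not None and ip not in candidates and not is_trusted(ip, trusted):
            candidates.append(ip)
    return candidates


def dnsbl_query_name(ip, zone):
    """DNS name to look up for an IPv4 address: reversed octets plus the zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


# Constructed sample 1: mail that arrived through our backup MX.
RELAYED_PEER = "192.0.2.10"
RELAYED_HEADERS = [
    "from mx2.example.net ([192.0.2.10]) by scanner.example.net; Tue, 26 Nov 2002 19:20:03 +0000",
    "from mail.sender.example ([198.51.100.7]) by mx2.example.net; Tue, 26 Nov 2002 19:20:01 +0000",
    "from unknown ([203.0.113.99]) by mail.sender.example; Tue, 26 Nov 2002 19:19:58 +0000",
]

# Constructed sample 2: a direct connection carrying forged relay headers.
DIRECT_PEER = "203.0.113.50"
DIRECT_HEADERS = [
    "from nice-safe.example ([203.0.113.50]) by scanner.example.net; Tue, 26 Nov 2002 19:21:10 +0000",
    "from partner.example ([192.0.2.10]) by nice-safe.example; Tue, 26 Nov 2002 19:21:08 +0000",
    "from clean.example ([198.51.100.200]) by mx2.example.net; Tue, 26 Nov 2002 19:21:05 +0000",
]

if __name__ == "__main__":
    for peer, headers in ((RELAYED_PEER, RELAYED_HEADERS), (DIRECT_PEER, DIRECT_HEADERS)):
        sender, _ = verified_sender(peer, headers)
        print(peer, "->", sender, dnsbl_query_name(sender, "dnsbl.example"))
```

In the second sample the forged lines never move the verified sender off the connecting address, so a whitelist keyed on that value cannot be satisfied by header text alone.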
From: rich at MAIL.WVNET.EDU (Richard Lynch) Date: Thu Jan 12 21:16:33 2006 Subject: Big problem.. help... Message-ID: <1038349713.4378.4.camel@localhost> I just restarted MailScanner and am getting the following error. > Can't use an undefined value as an ARRAY reference at > /usr/lib/MailScanner/MailScanner/Sendmail.pm line 805, > line 15. I was updating the config to change the number of child processes from 5 to 10. I've changed it back to 5 but it still won't start up correctly. I have no idea how to correct this. I'm getting many of these over and over again. -- Richard Lynch From paul at ESPMAIL.CO.UK Tue Nov 26 22:50:03 2002
From: paul at ESPMAIL.CO.UK (Paul Welsh) Date: Thu Jan 12 21:16:33 2006 Subject: RBL checks and Spamcop References: <1038341391.1455.52.camel@wilowisp.dynetics.com> <5.2.0.9.2.20021126191356.02c7fe88@imap.ecs.soton.ac.uk> <5.2.0.9.2.20021126183427.01f37ec0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20021126191356.02c7fe88@imap.ecs.soton.ac.uk> <5.1.1.6.0.20021126161942.015d9450@192.168.50.2> Message-ID: <002601c2959e$2d31b940$48e030d5@espmail00053> I'm no expert on this, but I recently upgraded SpamAssassin to 2.43 from 2.30. I found 2.30 didn't correctly identify hosts listed in ordb.org but 2.43 does. In fact, it flagged a message tonight as "RCVD_IN_RELAYS_ORDB_ORG" when the headers said: Received: from vhost.cngb.com ([203.93.194.1]) Received: from hgqFnx4N0 ([210.12.225.67]) 203.93.194.1 isn't in ordb.org, it is 210.12.225.67 that is. I see both sides of the argument that says you should only check the host that sends to your server. Anyhow, I'll stick with SpamAssassin for RBL checking rather than MailScanner. I've commented out the RBLs in mailscanner.conf and in spam.assassin.prefs.conf I have these settings: #skip_rbl_checks 1 #score RCVD_IN_BL_SPAMCOP_NET 4 # These next 3 will cost you money, see mailscanner.conf. #score RCVD_IN_RBL 10 #score RCVD_IN_RSS 1 #score RCVD_IN_DUL 1 Do I take it that I need to uncomment the spamcop line to have SpamAssassin check spamcop's blocking list? At http://spamcop.net/bl.shtml they say "This blocking list is somewhat experimental and should not be used in a production environment where legitimate email must be delivered. It is growing more stable and is used by many large sites now ... Many mailservers can operate with blacklists in a "tag only" mode, which is preferable in many situations." What's the general opinion on SpamCop? Given I deliver spam but tag it, it seems useful. From mkettler at EVI-INC.COM Tue Nov 26 23:05:40 2002 
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:16:33 2006 Subject: RBL checks and Spamcop In-Reply-To: <002601c2959e$2d31b940$48e030d5@espmail00053> References: <1038341391.1455.52.camel@wilowisp.dynetics.com> <5.2.0.9.2.20021126191356.02c7fe88@imap.ecs.soton.ac.uk> <5.2.0.9.2.20021126183427.01f37ec0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20021126191356.02c7fe88@imap.ecs.soton.ac.uk> <5.1.1.6.0.20021126161942.015d9450@192.168.50.2> Message-ID: <5.1.1.6.0.20021126180031.016938f8@192.168.50.2> By default SA has no score assigned to spamcop due to the fact that it is not free, it's donation-ware. You'll have to uncomment the score to enable checking of spamcop, but make sure you donate to them. Suggested donations are listed here: http://spamcop.net/fom-serve/cache/299.html See the following SA bug for a discussion of why it's not on by default and some recommendations of this list from some SADevs: http://www.hughes-family.org/bugzilla/show_bug.cgi?id=1155 At 10:50 PM 11/26/2002 +0000, you wrote: >Do I take it that I need to uncomment the spamcop line to have >SpamAssassin check spamcop's blocking list? From rich at MAIL.WVNET.EDU Tue Nov 26 23:25:39 2002 
From: rich at MAIL.WVNET.EDU (Richard Lynch) Date: Thu Jan 12 21:16:33 2006 Subject: Big problem.. help... In-Reply-To: <1038349713.4378.4.camel@localhost> References: <1038349713.4378.4.camel@localhost> Message-ID: <1038353139.4378.19.camel@localhost> On Tue, 2002-11-26 at 17:28, Richard Lynch wrote: > I just restarted MailScanner and am getting the following error. > > > > Can't use an undefined value as an ARRAY reference at > > /usr/lib/MailScanner/MailScanner/Sendmail.pm line 805, > > line 15. > > I was updating the config to change the number of child processes from 5 > to 10. I've changed it back to 5 but it still won't start up correctly. > I have no idea how to correct this. I'm getting many of these over and > over again. Follow up... Whatever is causing this is related to some file in the mqueue.in directory. I renamed that directory and re-created an empty one and MailScanner started up fine. I had noticed that the directory had a couple thousand files in it which is what prompted me to up the child process count in the first place. This is a K12 gateway machine and they were being flooded with some k12 announcements. I haven't yet figured out which particular file(s) was causing this but at least the crisis is over. It gives one a disconcerting feeling when the gateway mail scanner won't start and mail is pouring in. -- Richard Lynch From paul at ESPMAIL.CO.UK Wed Nov 27 08:56:00 2002 From: paul at ESPMAIL.CO.UK (Paul Welsh) Date: Thu Jan 12 21:16:33 2006 Subject: RBL checks and Spamcop References: <1038341391.1455.52.camel@wilowisp.dynetics.com> <5.2.0.9.2.20021126191356.02c7fe88@imap.ecs.soton.ac.uk> <5.2.0.9.2.20021126183427.01f37ec0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20021126191356.02c7fe88@imap.ecs.soton.ac.uk> <5.1.1.6.0.20021126161942.015d9450@192.168.50.2> <5.1.1.6.0.20021126180031.016938f8@192.168.50.2> Message-ID: <002a01c295f2$cedc6610$6a0110ac@sbsplc.com> ----- Original Message -----
From: "Matt Kettler" To: Sent: Tuesday, November 26, 2002 11:05 PM Subject: Re: RBL checks and Spamcop > By default SA has no score assigned to spamcop due to the fact that it is > not free, it's donation-ware. > > You'll have to uncomment the score to enable checking of spamcop, but make > sure you donate to them. Thanks for pointing this out. This level of donation seems fine. Is anyone here using SpamCop's blocking list? If so, is it reasonable to assume that I could quarantine all mail that gets into SpamCop's list, rather than accepting MailScanner's default of prefixing the Subject with {SPAM?}? If so, it would be helpful to my users and worth donating. From mailscanner at ecs.soton.ac.uk Wed Nov 27 11:18:57 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:33 2006 Subject: Big problem.. help... In-Reply-To: <1038353139.4378.19.camel@localhost> References: <1038349713.4378.4.camel@localhost> <1038349713.4378.4.camel@localhost> Message-ID: <5.2.0.9.2.20021127111615.01fbbcd8@imap.ecs.soton.ac.uk> These sorts of strange failures with big queues are often caused by you running out of filehandles. See what "ulimit -a" says (if "ulimit -a" fails then try "limit" as it varies between different shells), and try reducing the maximum size of a batch to 50 or 100 and see if the same problem occurs then. At 23:25 26/11/2002, you wrote: >On Tue, 2002-11-26 at 17:28, Richard Lynch wrote: > > I just restarted MailScanner and am getting the following error. > > > > > > > Can't use an undefined value as an ARRAY reference at > > > /usr/lib/MailScanner/MailScanner/Sendmail.pm line 805, > > > line 15. > > > > I was updating the config to change the number of child processes from 5 > > to 10. I've changed it back to 5 but it still won't start up correctly. > > I have no idea how to correct this. I'm getting many of these over and > > over again. > >Follow up... > >Whatever is causing this is related to some file in the mqueue.in >directory. I renamed that directory and re-created an empty one and >MailScanner started up fine. I had noticed that the directory had a >couple thousand files in it which is what prompted me to up the child >process count in the first place. This is a K12 gateway machine and they >were being flooded with some k12 announcements. I haven't yet figured >out which particular file(s) was causing this but at least the crisis is >over. > >It gives one a disconcerting feeling when the gateway mail scanner won't >start and mail is pouring in. > > >-- >Richard Lynch -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel.
023 8059 2817 University of Southampton Southampton SO17 1BJ From Heinz.Knutzen at DZSH.DE Wed Nov 27 12:23:44 2002 From: Heinz.Knutzen at DZSH.DE (Knutzen, Heinz (DZ-SH)) Date: Thu Jan 12 21:16:33 2006 Subject: Download from http://updates.f-prot.com/files/ failed Message-ID: <6C645222B0A8BC4FBFACD7606D4306A822FDA2@dzrz-ex-1.dzsh.landsh.de> Hi, since yesterday I get error messages from the f-prot-autoupdate script: F-Prot signature file update script There is a new version of SIGN.DEF, starting download. Download from http://updates.f-prot.com/files/ failed, exiting., Bad file descriptor at /usr/lib/MailScanner/f-prot-autoupdate line 297, line 2. There are 3 problems: 1. The download server in the output of http://updates.f-prot.com/cgi-bin/check-updates?protocol=1&run_as=check_updates is S:ftp://eu-2.updates.f-prot.com/pub/ Presumably, this has changed recently from a http:// to a ftp:// server. Our server reaches the internet via a squid proxy server. Hence, we have a line $HttpProxy = 'x.x.x.x:3128'; in our f-prot-autoupdate. But this isn't used for ftp:// downloads. I have solved this by adding a similar $FtpProxy variable which is used to set the appropriate environment variable: $ENV{'ftp_proxy'} = $FtpProxy if $FtpProxy; 2. f-prot-autoupdate uses a $FallbackServer = 'http://updates.f-prot.com/files/'; This doesn't work either. 3. The error message is bad: Bad file descriptor ... This script should simply exit and shouldn't try to read from a non existing file. Even better, the script should give some hint, for what reason the get command failed. Best regards -- Heinz Knutzen Datenzentrale Schleswig-Holstein Altenholzer Str. 10-14, 24161 Altenholz, Germany http://www.dzsh.de/ mailto:heinz.knutzen@dzsh.de Tel: +49.431.3295.581 Fax: +49.431.3295.410 From rich at MAIL.WVNET.EDU Wed Nov 27 13:35:56 2002
From: rich at MAIL.WVNET.EDU (Richard Lynch) Date: Thu Jan 12 21:16:33 2006 Subject: Big problem.. help... In-Reply-To: <5.2.0.9.2.20021127111615.01fbbcd8@imap.ecs.soton.ac.uk> References: <1038349713.4378.4.camel@localhost> <1038349713.4378.4.camel@localhost> <5.2.0.9.2.20021127111615.01fbbcd8@imap.ecs.soton.ac.uk> Message-ID: <1038404156.1754.23.camel@localhost> On Wed, 2002-11-27 at 06:18, Julian Field wrote: > These sorts of strange failures with big queues are often caused by you > running out of filehandles. See what "ulimit -a" says (if "ulimit -a" fails > then try "limit" as it varies between different shells), and try reducing > the maximum size of a batch to 50 or 100 and see if the same problem occurs > then. > I had already lowered the batch size to 100 based on your previous posts. I could try lower I guess. > Max Unscanned Bytes Per Scan = 100000000 > Max Unsafe Bytes Per Scan = 50000000 > Max Unscanned Messages Per Scan = 100 > Max Unsafe Messages Per Scan = 100 ulimit -a > core file size (blocks, -c) 0 > data seg size (kbytes, -d) unlimited > file size (blocks, -f) unlimited > max locked memory (kbytes, -l) unlimited > max memory size (kbytes, -m) unlimited > open files (-n) 1024 > pipe size (512 bytes, -p) 8 > stack size (kbytes, -s) 8192 > cpu time (seconds, -t) unlimited > max user processes (-u) 7168 > virtual memory (kbytes, -v) unlimited My whole setup is basically vanilla everything. It's a dual PIII with 1 gig of memory. The number of files in the queue is not all that big at this point. There are 924 total files (462 pairs) in the queue that won't allow MS to start up. When I rename that directory back to mqueue.in, MailScanner won't start. I'm becoming convinced that some particular mail file is causing the problem. But, I'm no expert and could be wrong about that. K12 is out for their thanksgiving break until next Monday so I'm not too concerned at the moment. 
I intend to investigate in more detail this weekend to see if I can determine which file (or files) is causing the problem. For now I'm going to have to put it on the shelf until then. I'll post a followup if I come up with anything more definitive. -- Richard Lynch From mailscanner at ecs.soton.ac.uk Wed Nov 27 14:36:57 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:33 2006 Subject: Download from http://updates.f-prot.com/files/ failed In-Reply-To: <6C645222B0A8BC4FBFACD7606D4306A822FDA2@dzrz-ex-1.dzsh.land sh.de> Message-ID: <5.2.0.9.2.20021127143614.06663418@imap.ecs.soton.ac.uk> Can you mail me the latest version of their check-updates.sh (or whatever their script is called that does the updates) so that I can get my autoupdate script to match please? At 12:23 27/11/2002, you wrote: >Hi, > >since yesterday I get error messages from the f-prot-autoupdate script: > F-Prot signature file update script > There is a new version of SIGN.DEF, starting download. > Download from http://updates.f-prot.com/files/ failed, exiting., > Bad file descriptor at /usr/lib/MailScanner/f-prot-autoupdate line 297, > line 2. > >There are 3 problems: > >1. >The download server in the output of >http://updates.f-prot.com/cgi-bin/check-updates?protocol=1&run_as=check_updates >is >S:ftp://eu-2.updates.f-prot.com/pub/ > >Presumably, this has changed recently from a http:// to a ftp:// server. >Our server reaches the internet via a squid proxy server. >Hence, we have a line > $HttpProxy = 'x.x.x.x:3128'; >in our f-prot-autoupdate. >But this isn't used for ftp:// downloads. >I have solved this by adding a similar $FtpProxy variable >which is used to set the appropriate environment variable: > $ENV{'ftp_proxy'} = $FtpProxy if $FtpProxy; > >2. >f-prot-autoupdate uses a > $FallbackServer = 'http://updates.f-prot.com/files/'; >This doesn't work either. > >3. >The error message is bad: > Bad file descriptor ... >This script should simply exit and shouldn't try to read from a non >existing file. >Even better, the script should give some hint, for what reason the get >command failed. > >Best regards > >-- Heinz Knutzen > >Datenzentrale Schleswig-Holstein >Altenholzer Str.
10-14, 24161 Altenholz, Germany >http://www.dzsh.de/ >mailto:heinz.knutzen@dzsh.de >Tel: +49.431.3295.581 Fax: +49.431.3295.410 -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Wed Nov 27 14:38:36 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:33 2006 Subject: Big problem.. help... In-Reply-To: <1038404156.1754.23.camel@localhost> References: <5.2.0.9.2.20021127111615.01fbbcd8@imap.ecs.soton.ac.uk> <1038349713.4378.4.camel@localhost> <1038349713.4378.4.camel@localhost> <5.2.0.9.2.20021127111615.01fbbcd8@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20021127143735.0386efe8@imap.ecs.soton.ac.uk> At 13:35 27/11/2002, you wrote: >On Wed, 2002-11-27 at 06:18, Julian Field wrote: > > These sorts of strange failures with big queues are often caused by you > > running out of filehandles. See what "ulimit -a" says (if "ulimit -a" fails > > then try "limit" as it varies between different shells), and try reducing > > the maximum size of a batch to 50 or 100 and see if the same problem occurs > > then. > > > >I had already lowered the batch size to 100 based on your previous >posts. I could try lower I guess. > > > Max Unscanned Bytes Per Scan = 100000000 > > Max Unsafe Bytes Per Scan = 50000000 > > Max Unscanned Messages Per Scan = 100 > > Max Unsafe Messages Per Scan = 100 > >ulimit -a > > > core file size (blocks, -c) 0 > > data seg size (kbytes, -d) unlimited > > file size (blocks, -f) unlimited > > max locked memory (kbytes, -l) unlimited > > max memory size (kbytes, -m) unlimited > > open files (-n) 1024 > > pipe size (512 bytes, -p) 8 > > stack size (kbytes, -s) 8192 > > cpu time (seconds, -t) unlimited > > max user processes (-u) 7168 > > virtual memory (kbytes, -v) unlimited > >My whole setup is basically vanilla everything. It's a dual PIII with 1 >gig of memory. The number of files in the queue is not all that big at >this point. There are 924 total files (462 pairs) in the queue that >won't allow MS to start up. When I rename that directory back to >mqueue.in, MailScanner won't start. I'm becoming convinced that some >particular mail file is causing the problem. But, I'm no expert and >could be wrong about that. 
K12 is out for their thanksgiving break >until next Monday so I'm not too concerned at the moment. I intend to >investigate in more detail this weekend to see if I can determine which >file (or files) is causing the problem. For now I'm going to have to >put it on the shelf until then. I'll post a followup if I come up with >anything more definitive. Try moving the qf+df pairs back in to the mqueue.in about 50 at a time, and see if it stands that or whether there is 1 message that kills it. That way you can get all but the troublesome message delivered. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From Heinz.Knutzen at DZSH.DE Wed Nov 27 15:36:15 2002 
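Julian Field's suggestion above (move the qf+df pairs back about 50 at a time and see whether one message kills the scanner), as an added Python example that is not part of MailScanner. The directory names, queue IDs and files are constructed, and moving each df file before its qf file assumes the scanner picks up messages by their qf control file.

```python
import os
import shutil
import tempfile


def complete_pairs(directory):
    """Queue IDs that have both a qf (control) and a df (data) file."""
    names = set(os.listdir(directory))
    return sorted(n[2:] for n in names
                  if n.startswith("qf") and "df" + n[2:] in names)


def move_batch(held_dir, incoming_dir, batch_size=50):
    """Move up to batch_size complete pairs into the incoming queue.

    The data file goes first and the control file last, so the incoming
    queue never shows a control file without its data. Orphaned files
    stay in held_dir for manual inspection.
    """
    moved = []
    for qid in complete_pairs(held_dir)[:batch_size]:
        for prefix in ("df", "qf"):
            shutil.move(os.path.join(held_dir, prefix + qid),
                        os.path.join(incoming_dir, prefix + qid))
        moved.append(qid)
    return moved


def pull_back(queue_ids, incoming_dir, held_dir):
    """Return whatever is left of a failed batch to the held directory.

    The control file is removed first so the message disappears from the
    scanner's view before its data file moves. Messages that were already
    processed and delivered are simply no longer there.
    """
    returned = []
    for qid in queue_ids:
        present = [p for p in ("qf", "df")
                   if os.path.exists(os.path.join(incoming_dir, p + qid))]
        for prefix in present:
            shutil.move(os.path.join(incoming_dir, prefix + qid),
                        os.path.join(held_dir, prefix + qid))
        if present:
            returned.append(qid)
    return returned


def build_constructed_queue(count):
    """Create a throwaway held/ and mqueue.in/ pair with sample files."""
    root = tempfile.mkdtemp(prefix="queue-demo-")
    held = os.path.join(root, "held")
    incoming = os.path.join(root, "mqueue.in")
    os.mkdir(held)
    os.mkdir(incoming)
    for i in range(count):
        for prefix in ("qf", "df"):
            with open(os.path.join(held, "%sgAR%04d" % (prefix, i)), "w") as fh:
                fh.write("constructed sample\n")
    # One control file whose data file is missing: never re-queued.
    with open(os.path.join(held, "qfgARORPHAN"), "w") as fh:
        fh.write("constructed orphan\n")
    return held, incoming


if __name__ == "__main__":
    held, incoming = build_constructed_queue(120)
    batch = move_batch(held, incoming, 50)
    print("moved", len(batch), "pairs;", len(complete_pairs(held)), "still held")
```

Between batches, wait for the scanner to drain the incoming directory; if it dies, `pull_back` the batch that was in flight and retry it with a smaller `batch_size` until the single offending pair is isolated.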
From: Heinz.Knutzen at DZSH.DE (Knutzen, Heinz (DZ-SH)) Date: Thu Jan 12 21:16:33 2006 Subject: Download from http://updates.f-prot.com/files/ failed Message-ID: <6C645222B0A8BC4FBFACD7606D4306A8429CED@dzrz-ex-1.dzsh.landsh.de> See attached check-updates.sh from fp-linux_sb-3.12a.rpm FALLBACKSERVER is still defined as "http://updates.f-prot.com/files/" Still no proxy support there. Best regards -- Heinz > -----Original Message----- > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: Wednesday, 27 November 2002 15:37 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Download from http://updates.f-prot.com/files/ failed > > Can you mail me the latest version of their check-updates.sh > (or whatever > their script is called that does the updates) so that I can get my > autoupdate script to match please? > > At 12:23 27/11/2002, you wrote: > >Hi, > > > >since yesterday I get error messages from the > f-prot-autoupdate script: > > F-Prot signature file update script > > There is a new version of SIGN.DEF, starting download. > > Download from http://updates.f-prot.com/files/ > failed, exiting., > > Bad file descriptor at > /usr/lib/MailScanner/f-prot-autoupdate line 297, > > line 2. > > > >There are 3 problems: > > > >1. > >The download server in the output of > >http://updates.f-prot.com/cgi-bin/check-updates?protocol=1&ru > n_as=check_updates > >is > >S:ftp://eu-2.updates.f-prot.com/pub/ > > > >Presumably, this has changed recently from a http:// to a ftp:// server. >Our server reaches the internet via a squid proxy server. >Hence, we have a line > $HttpProxy = 'x.x.x.x:3128'; >in our f-prot-autoupdate. >But this isn't used for ftp:// downloads. >I have solved this by adding a similar $FtpProxy variable >which is used to set the appropriate environment variable: > $ENV{'ftp_proxy'} = $FtpProxy if $FtpProxy; > >2. >f-prot-autoupdate uses a > $FallbackServer = 'http://updates.f-prot.com/files/'; >This doesn't work either. > >3.
>The error message is bad: > Bad file descriptor ... >This script should simply exit and shouldn't try to read from a non >existing file. >Even better, the script should give some hint, for what reason the get >command failed. > >Best regards > >-- Heinz Knutzen > >Datenzentrale Schleswig-Holstein >Altenholzer Str. 10-14, 24161 Altenholz, Germany >http://www.dzsh.de/ >mailto:heinz.knutzen@dzsh.de >Tel: +49.431.3295.581 Fax: +49.431.3295.410 -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -- This mail was automatically scanned for viruses and dangerous content by Datenzentrale Schleswig-Holstein. -------------- next part -------------- A non-text attachment was scrubbed... Name: check-updates.sh Type: application/octet-stream Size: 12647 bytes Desc: check-updates.sh Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021127/ef784dd4/check-updates.obj From dwinkler at ALGORITHMICS.COM Wed Nov 27 16:17:13 2002 From: dwinkler at ALGORITHMICS.COM (Derek Winkler) Date: Thu Jan 12 21:16:33 2006 Subject: Multiple Addresses in Notices To Message-ID: <06EE2C86D3DAD5119A6C0060943F3C970402C000@tormail1.algorithmics.com> An easy one to start... I tried a bunch of things and looked in the FAQ and archive but how do you specify multiple recipients in the Notices To config option? I tried spaces commas semi-colons. Thanks, Derek Winkler Security Administrator Algorithmics From mailscanner at ecs.soton.ac.uk Wed Nov 27 16:34:41 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:33 2006 Subject: Multiple Addresses in Notices To In-Reply-To: <06EE2C86D3DAD5119A6C0060943F3C970402C000@tormail1.algorith mics.com> Message-ID: <5.2.0.9.2.20021127163314.0676d290@imap.ecs.soton.ac.uk> At 16:17 27/11/2002, you wrote: >I tried a bunch of things and looked in the FAQ and archive but how do you >specify multiple recipients in the Noticies To config option? > >I tried spaces commas semi-colons. It currently only supports a single address per message for the notice recipient (you can of course use a ruleset to change the recipient depending on the message). If you need to send the notices to more than 1 recipient at a time, you can just create an alias in sendmail (or Exim) and send the notices to that alias. I never figured anyone would need this :-) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From dwinkler at ALGORITHMICS.COM Wed Nov 27 16:39:03 2002 From: dwinkler at ALGORITHMICS.COM (Derek Winkler) Date: Thu Jan 12 21:16:33 2006 Subject: Multiple Addresses in Notices To Message-ID: <06EE2C86D3DAD5119A6C0060943F3C970402C001@tormail1.algorithmics.com> Not a problem now that I know, the way the config file was worded led me to believe it would accept multiple. -----Original Message----- 
From: Julian Field [mailto:mailscanner@ecs.soton.ac.uk] Sent: Wednesday, November 27, 2002 11:35 AM To: MAILSCANNER@jiscmail.ac.uk Subject: Re: Multiple Addresses in Notices To At 16:17 27/11/2002, you wrote: >I tried a bunch of things and looked in the FAQ and archive but how do you >specify multiple recipients in the Noticies To config option? > >I tried spaces commas semi-colons. It currently only supports a single address per message for the notice recipient (you can of course use a ruleset to change the recipient depending on the message). If you need to send the notices to more than 1 recipient at a time, you can just create an alias in sendmail (or Exim) and send the notices to that alias. I never figured anyone would need this :-) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021127/ff19f49a/attachment.html From mailscanner at ecs.soton.ac.uk Wed Nov 27 16:41:44 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:33 2006 Subject: Multiple Addresses in Notices To In-Reply-To: <5.2.0.9.2.20021127163314.0676d290@imap.ecs.soton.ac.uk> References: <06EE2C86D3DAD5119A6C0060943F3C970402C000@tormail1.algorith mics.com> Message-ID: <5.2.0.9.2.20021127164005.06759818@imap.ecs.soton.ac.uk> At 16:34 27/11/2002, you wrote: >At 16:17 27/11/2002, you wrote: >>I tried a bunch of things and looked in the FAQ and archive but how do you >>specify multiple recipients in the Noticies To config option? >> >>I tried spaces commas semi-colons. > >It currently only supports a single address per message for the notice >recipient (you can of course use a ruleset to change the recipient >depending on the message). > >If you need to send the notices to more than 1 recipient at a time, you can >just create an alias in sendmail (or Exim) and send the notices to that alias. > >I never figured anyone would need this :-) The next release will support multiple recipients (space-separated list of addresses). If you want this feature now (I would welcome someone testing it for me), here's the patch to MessageBatch.pm. If you try it, please can you confirm that it works (or doesn't): --- /root/unstable/mailscanner/mailscanner/bin/MailScanner/MessageBatch.pm Sun Nov 24 12:40:17 2002 +++ MessageBatch.pm Wed Nov 27 16:53:57 2002 @@ -563,7 +563,8 @@ my $this = shift; my($id, $message, $counter); - my(%notices, $postie, $notice, %headers, $email); + my(%notices, $notice, %headers, $email); + my(@posties, $posties, $postie); # Create all the email messages $counter = 0; 
@@ -571,10 +572,13 @@ next if !$message->{infected}; next if $message->{deleted} && !$message->{stillwarn}; next unless MailScanner::Config::Value('sendnotices', $message); - $postie = MailScanner::Config::Value('noticerecipient', $message); - $headers{$postie} = $message->CreatePostmasterHeaders() - unless $headers{$postie}; - $notices{$postie} .= $message->CreatePostmasterNotice(); + $posties = MailScanner::Config::Value('noticerecipient', $message); + @posties = split(" ", $posties); + foreach $postie (@posties) { + $headers{$postie} = $message->CreatePostmasterHeaders() + unless $headers{$postie}; + $notices{$postie} .= $message->CreatePostmasterNotice(); + } $counter++; } while(($postie,$notice) = each %notices) { -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscannerlist at TNJINFL.COM Wed Nov 27 17:37:20 2002 From: mailscannerlist at TNJINFL.COM (James Pifer) Date: Thu Jan 12 21:16:33 2006 Subject: Turn off Procmail? Message-ID: <1038418641.18289.14.camel@tweety.tnjinfl.com> I have MailScanner running on Redhat 8 using Sendmail. I'm getting a lot of these messages in the maillog: Warning: program /usr/bin/procmail unsafe: Group writable directory Should I turn off procmail? Should I "dnl" the following lines and m4 sendmail then restart MailScanner? define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl MAILER(procmail)dnl Any other suggestions? Thanks, James From HancockS at MORGANCO.COM Wed Nov 27 18:01:40 2002 
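Review bot: In the first hunk of the MessageBatch.pm patch above, the new declaration line "my(@posties, $posties, $postie);" introduces a scalar and an array that differ only by sigil, next to the existing $postie. This is easy to misread in the loop that follows; a distinct name for the raw config string (for example $recipientlist) would make the second hunk clearer. A short comment that 'noticerecipient' is now a space-separated list would also help, since nothing in the visible lines documents the new format.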
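Review bot: In the second hunk of the MessageBatch.pm patch above, "$counter++" stays outside the new "foreach $postie (@posties)" loop, so a message is still counted when split(" ", $posties) returns no addresses (an empty or whitespace-only 'noticerecipient' value) and no notice has been built for it; a "next unless @posties;" before the loop would keep the count and the notices in step. The loop also appends CreatePostmasterNotice() once per list entry, so an address that appears twice in the list gets the same notice text twice in one mail; removing duplicates from @posties before the loop avoids that.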
From: HancockS at MORGANCO.COM (Hancock, Scott) Date: Thu Jan 12 21:16:33 2006 Subject: Download from http://updates.f-prot.com/files/ failed Message-ID: <02Nov27.125128est.119053@gateway.morganco.com> I changed it to $FallbackServer = 'ftp://ftp.f-prot.com/pub/'; And I was back in business. I looked on the f-prot sight for the "manual download of signatures" option. Scott Hancock From mailscanner at ecs.soton.ac.uk Wed Nov 27 18:29:09 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:33 2006 Subject: Turn off Procmail? In-Reply-To: <1038418641.18289.14.camel@tweety.tnjinfl.com> Message-ID: <5.2.0.9.2.20021127182747.0203c198@imap.ecs.soton.ac.uk> MailScanner is not involved with the delivery of mail at all, so this isn't directly relevant to MailScanner. I suggest you check that /usr/bin isn't group-writable. At 17:37 27/11/2002, you wrote: >I have MailScanner running on Redhat 8 using Sendmail. I'm getting a lot >of these messages in the maillog: >Warning: program /usr/bin/procmail unsafe: Group writable directory > >Should I turn off procmail? Should I "dnl" the following lines and m4 >sendmail then restart MailScanner? >define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl >FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl >MAILER(procmail)dnl > >Any other suggestions? > >Thanks, >James -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Wed Nov 27 18:46:18 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:33 2006 Subject: Download from http://updates.f-prot.com/files/ failed In-Reply-To: <6C645222B0A8BC4FBFACD7606D4306A822FDA2@dzrz-ex-1.dzsh.land sh.de> Message-ID: <5.2.0.9.2.20021127184441.02031728@imap.ecs.soton.ac.uk> At 12:23 27/11/2002, you wrote: >Presumably, this has changed recently from a http:// to a ftp:// server. >Our server reaches the internet via a squid proxy server. >Hence, we have a line > $HttpProxy = 'x.x.x.x:3128'; >in our f-prot-autoupdate. >But this isn't used for ftp:// downloads. >I have solved this by adding a similar $FtpProxy variable >which is used to set the appropriate environment variable: > $ENV{'ftp_proxy'} = $FtpProxy if $FtpProxy; I have added this to the script. >The error message is bad: > Bad file descriptor ... >This script should simply exit and shouldn't try to read from a non >existing file. >Even better, the script should give some hint, for what reason the get >command failed. The error message now includes what it was trying to download, and where from, so its output should be clearer. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Wed Nov 27 18:47:02 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:33 2006 Subject: Download from http://updates.f-prot.com/files/ failed In-Reply-To: <02Nov27.125128est.119053@gateway.morganco.com> Message-ID: <5.2.0.9.2.20021127184630.02031868@imap.ecs.soton.ac.uk> At 18:01 27/11/2002, you wrote: >I changed it to > >$FallbackServer = 'ftp://ftp.f-prot.com/pub/'; I have changed the autoupdate script to use this instead of the previous fallback server. >And I was back in business. I looked on the f-prot sight for the "manual >download of signatures" option. > >Scott Hancock -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From hciss at HCIWS.COM Wed Nov 27 19:26:51 2002 
From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:16:33 2006 Subject: Download from http://updates.f-prot.com/files/ failed References: <5.2.0.9.2.20021127184630.02031868@imap.ecs.soton.ac.uk> Message-ID: <04e301c2964a$f3104030$6501a8c0@matthew> I don't suppose you could make it so it only sends a message to the admin account if the definitions were actually updated? Right now I think there is a quiet option but I would like to receive a message when it actually updates so I know its working but a message every day gets old. Thanks Matt > >I changed it to > > > >$FallbackServer = 'ftp://ftp.f-prot.com/pub/'; > > I have changed the autoupdate script to use this instead of the previous > fallback server. > > >And I was back in business. I looked on the f-prot sight for the "manual > >download of signatures" option. From HancockS at MORGANCO.COM Wed Nov 27 19:44:03 2002 
From: HancockS at MORGANCO.COM (Hancock, Scott) Date: Thu Jan 12 21:16:33 2006 Subject: Exim configuration confusion. Message-ID: <02Nov27.143349est.119087@gateway.morganco.com> Hello all, I'll get right to it because this is a long one. Count 5 paragraphs after this one, if you want to cut this short. The goal: Use Exim and mailscanner for a mail hub for two untrusted W2k domains with two different internet domains. @domA.com and @domB.com. The extra bit of complexity is only certain users from @domB.com should be allowed to send and receive mail to / from the internet but all @domB.com user should be able to send email to @domA.com. @domA.com users are unrestricted. Reference: O'Reilly Exim book page 326-331. Specifically figure 13-1. Or online at www.exim.org 3.2.x spec Heading 46.4 Control of relaying. I understand this figure as it pertains to one Exim mailing process. but experimentation has not yielded expected results with the two Exim processes used with mailscanner. Further, I've not verified my setup against one Exim process but I think that is the next step. I expect to employ the options sender_address_relay, and maybe sender_address_relay_hosts. But the sender in the second exim process seems to be the mailscanner process. I'm hoping the original sender is maintained in the header "post mailscanner" and the problem is user error on my part. I'd like to know where to use sender_address_relay option as it applies to exim and mailscanner. I've tried both config files with no luck. Any insight would be appreciated. I've tried searching Exim specific resources but thought the mailscanner piece was non-standard enough to post here first. Below is reference from www.exim.org. I'm running: Debian: testing Mailscanner 3.24.1 Exim 3.36 Thanks in advance. I'll be back on Wednesday next week. 
-Scott Hancock In addition to the tests on the host, if sender_address_relay is set, the sender's address from the MAIL command must match one of its patterns to allow outgoing relaying to an arbitrary domain. Also, if there are any rewriting rules with the `X' flag set, such an address is rewritten using those rules, and the result (if different) must verify successfully. See section 34.9 for an example of how this can be used. Normally, therefore, both the host and the sender must be acceptable before an outgoing relay is allowed to proceed. However, if relay_match_host_or_sender is set, an address is accepted for outgoing relaying if either the host or the sender is acceptable. Of course, sender addresses can easily be forged, but the sender check does mean you can prevent some kinds of unwanted mail from going through your host. All three options, relay_domains, host_accept_relay, and host_auth_accept_relay, are unset by default, which means that no relaying of any kind is enabled. This does not prevent a local user from setting up forwarding to some external system, but it does prevent the `percent hack' from relaying to arbitrary domains even when percent_hack_domains is set. As all the relay checking is done at RCPT time on incoming messages, the directors and routers are not involved. Depending on the configuration of these drivers, an address that appears to be remote to the relay checking code (that is, its domain does not match local_domains) may nevertheless end up being delivered locally, and similarly an apparently local address may end up being delivered to some other host. From mailscanner at ecs.soton.ac.uk Wed Nov 27 20:01:53 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:33 2006 Subject: Download from http://updates.f-prot.com/files/ failed In-Reply-To: <04e301c2964a$f3104030$6501a8c0@matthew> References: <5.2.0.9.2.20021127184630.02031868@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20021127200120.02063b18@imap.ecs.soton.ac.uk> At 19:26 27/11/2002, you wrote: >I don't suppose you could make it so it only sends a message to the admin >account if the definitions were actually updated? What output do you get if you specify "-cron -quiet" on the command-line? >Right now I think there is a quiet option but I would like to receive a >message when it actually updates so I know its working but a message every >day gets old. > >Thanks > >Matt > > > >I changed it to > > > > > >$FallbackServer = 'ftp://ftp.f-prot.com/pub/'; > > > > I have changed the autoupdate script to use this instead of the previous > > fallback server. > > > > >And I was back in business. I looked on the f-prot sight for the "manual > > >download of signatures" option. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From paul at ESPMAIL.CO.UK Wed Nov 27 22:48:36 2002 From: paul at ESPMAIL.CO.UK (Paul Welsh) Date: Thu Jan 12 21:16:33 2006 Subject: Download from http://updates.f-prot.com/files/ failed References: <5.2.0.9.2.20021127184441.02031728@imap.ecs.soton.ac.uk> Message-ID: <004201c29667$43684520$70e030d5@espmail00053> ----- Original Message ----- From: "Julian Field" To: Sent: 27 November 2002 18:46 Subject: Re: Download from http://updates.f-prot.com/files/ failed > > The error message now includes what it was trying to download, and where > from, so its output should be clearer. Hi Julian. Sorry if I'm jumping the gun. Just had a quick look on the web site. Where is the new script? From mailscanner at ecs.soton.ac.uk Thu Nov 28 02:09:10 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:33 2006 Subject: Download from http://updates.f-prot.com/files/ failed In-Reply-To: <004201c29667$43684520$70e030d5@espmail00053> References: <5.2.0.9.2.20021127184441.02031728@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20021128020807.0205fd20@imap.ecs.soton.ac.uk> At 22:48 27/11/2002, you wrote: > > The error message now includes what it was trying to download, and >where > > from, so its output should be clearer. > >Hi Julian. Sorry if I'm jumping the gun. Just had a quick look on the >web site. Where is the new script? I have mailed it to you separately. If anyone else wants a copy to test for me (need results before the weekend) then please mail me off-list and I'll give it to you. The script will be included in the next release. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From P.G.M.Peters at civ.utwente.nl Thu Nov 28 08:53:52 2002 
From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:16:33 2006 Subject: location of rpm-files Message-ID: Where does the installation of rpm-version of MS expect its src.rpm files? I have a directory with install.sh and all the src.rpm files. When I run ./install.sh I get messages like: |Good. You have the patch command. | |Good, you have /usr/src/redhat in place. | |Writing a .rpmmacros file in your home directory to stop |unpackaged files breaking the build process. |You can delete it once MailScanner is installed if you want to. | | |Good, you appear to only have 1 copy of Perl installed. | |You appear to have pod2man but not pod2text. |Creating pod2text for you. | |Good, your version of ExtUtils::MakeMaker is up to date | |This script will pause for a few seconds after each major step, |so do not worry if it appears to stop for a while. |If you want it to stop so you can scroll back through the output |then press Ctrl-S to stop the output and Ctrl-Q to start it again. So everything looks OK. But then: |Rebuilding all the Perl RPMs for your version of Perl | |Attempting to build and install perl-IO-stringy-2.108-1 |perl-IO-stringy-2.108-1.src.rpm: No such file or directory | | | |Missing file /usr/src/redhat/RPMS/noarch/perl-IO-stringy-2.108-1.noarch.rpm. |Maybe it did not build correctly? When I check I find: |# ls -l perl-IO-stringy-2.108-1.src.rpm |-rw-r--r-- 1 mail mail 70157 Nov 3 21:45 perl-IO-stringy-2.108-1.src.rpm -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From D.M.Chapman at UKC.AC.UK Thu Nov 28 10:33:51 2002 
From: D.M.Chapman at UKC.AC.UK (D.M.Chapman)
Date: Thu Jan 12 21:16:33 2006
Subject: Mailscanner on Solaris 9 *not* protected from "zip of death"
Message-ID: <20021128103351.R12542@apple.ukc.ac.uk>

Ok, I have been doing some digging following my recent email about
mailscanner failing to detect a Denial of Service attack and I may have
turned up a fairly serious issue with solaris 9. Be warned, this is long :-)

Executive Summary:

If you are running mailscanner on Solaris 9 and you are using the Sun
supplied version of perl then you are probably *not* protected against a
"zip of death" denial of service attack. We certainly were not :-(

Gory details:

After we were attacked I (wrongly :-) assumed that the version of
mailscanner we were running had a bug that failed to timeout a virus scan
that was taking forever. Following confirmation that the latest version
(I'm talking v3 here - we use Exim) had protection built in I upgraded the
problematic machine yesterday. No problems with the upgrade all looked
good. Sent it a zip of death and it died :-(

Symptoms are that it detects the first timeout but then when it tests each
message separately it never returns. You will see:

  Commercial scanner sophos timed out!
  Denial Of Service attack detected!

logged (I suspect that this is an issue with all virus scanners - not just
sophos) but you never get the:

  Commercial scanner sophos timed out!
  Denial Of Service attack is in message

bit.

Looking at the processes mailscanner is stuck in a read waiting for the
scanner to return something while the scanner is stuck trying to unzip a
file that is ununzippable (is that a word?:-). Checking the code suggests
that for some reason mailscanner is never getting the second SIGALRM
signal for some reason. A truss on the running process suggests the
same...

Test code (test.pl):

---------8<--------8<--------
sub test {
  eval {
    # Leave the eval block when the alarm fires
    local $SIG{ALRM} = sub { die "Timed Out" };
    alarm 2;
    # Block reading STDIN until SIGALRM interrupts the read
    while(<STDIN>) {
    }
  }
};

print "going once...\n";
&test;
print "going twice...\n";
&test;
print "gone.\n"
---------8<--------8<--------

As I understand it (correct me if not!) this should run and stick in the
read from STDIN until the ALRM signal causes it to drop out of the eval
block. If I'm correct then I would expect this to output three lines of
text with a 2 second delay between them.

Running it on the machine that failed to detect the DOS and it hangs after
the second message. Running it on a machine that did detect the DOS and it
works as I would expect.

Much trussing and head scratching later it appears that the issue is the
version of perl that is installed on solaris 9 as standard. It isn't the
actual version that is the issue (I happened to have the same release on a
sol9 box) but the particular binary that is /usr/bin/perl.

This morning I have installed another version of perl onto my sol9 machine
and my test program works. Testing mailscanner shows that it now detects a
DOS correctly...

If you are running Mailscanner on Solaris 9 (maybe other releases as well
I guess) then you might want to check this out!

Truss output from the sun version:

truss /usr/bin/perl test.pl
[snip]
read(3, " s u b t e s t {\n ".., 8192) = 215
brk(0x00030438) = 0
brk(0x00032438) = 0
brk(0x00032438) = 0
brk(0x00034438) = 0
read(3, 0x0002DFBC, 8192) = 0
llseek(3, 0, SEEK_CUR) = 215
close(3) = 0
ioctl(1, TCGETA, 0xFFBFF7F4) = 0
fstat64(1, 0xFFBFF710) = 0
going once...
write(1, " g o i n g o n c e . .".., 14) = 14
sigaction(SIGALRM, 0x00000000, 0xFFBFF948) = 0
sigaction(SIGALRM, 0xFFBFF8A0, 0xFFBFF920) = 0
sigaction(SIGALRM, 0xFFBFF908, 0xFFBFF988) = 0
alarm(2) = 0
ioctl(0, TCGETA, 0xFFBFF8BC) = 0
fstat64(0, 0xFFBFF7D8) = 0
read(0, 0xFF0C144C, 1024) (sleeping...)
Received signal #14, SIGALRM, in read() [caught]
read(0, 0xFF0C144C, 1024) Err#91 ERESTART
sigaction(SIGALRM, 0xFFBFF088, 0xFFBFF108) = 0
going twice...
write(1, " g o i n g t w i c e .".., 15) = 15
sigaction(SIGALRM, 0xFFBFF8A0, 0xFFBFF920) = 0
sigaction(SIGALRM, 0xFFBFF908, 0xFFBFF988) = 0
alarm(2) = 0
read(0, 0xFF0C144C, 1024) (sleeping...)

A read that carries on for ever...

Truss output from a new version (from sunfreeware.com):

truss /usr/local/bin/perl test.pl
[snip]
read(3, " s u b t e s t {\n ".., 8192) = 215
brk(0x00122C40) = 0
brk(0x00124C40) = 0
brk(0x00124C40) = 0
brk(0x00126C40) = 0
read(3, 0x001200CC, 8192) = 0
llseek(3, 0, SEEK_CUR) = 215
close(3) = 0
getcontext(0xFFBFF9C8)
ioctl(1, TCGETA, 0xFFBFF6BC) = 0
fstat64(1, 0xFFBFF5D8) = 0
going once...
write(1, " g o i n g o n c e . .".., 14) = 14
sigaction(SIGALRM, 0x00000000, 0xFFBFF840) = 0
sigaction(SIGALRM, 0xFFBFF7A0, 0xFFBFF820) = 0
sigaction(SIGALRM, 0xFFBFF888, 0xFFBFF908) = 0
alarm(2) = 0
ioctl(0, TCGETA, 0xFFBFD62C) = 0
fstat64(0, 0xFFBFD548) = 0
read(0, 0xFF24144C, 1024) (sleeping...)
Received signal #14, SIGALRM, in read() [caught]
read(0, 0xFF24144C, 1024) Err#4 EINTR
setcontext(0xFFBFD480)
getcontext(0xFFBFF6C8)
getcontext(0xFFBFF478)
setcontext(0xFFBFF478)
sigfillset(0xFF240708) = 0
sigprocmask(SIG_UNBLOCK, 0xFFBFFA20, 0x00000000) = 0
sigaction(SIGALRM, 0xFFBFF5A8, 0xFFBFF628) = 0
getcontext(0xFFBFF6F0)
setcontext(0xFFBFF6F0)
going twice...
write(1, " g o i n g t w i c e .".., 15) = 15
sigaction(SIGALRM, 0xFFBFF7A0, 0xFFBFF820) = 0
sigaction(SIGALRM, 0xFFBFF888, 0xFFBFF908) = 0
alarm(2) = 0
read(0, 0xFF24144C, 1024) (sleeping...)
Received signal #14, SIGALRM, in read() [caught]
read(0, 0xFF24144C, 1024) Err#4 EINTR
setcontext(0xFFBFD480)
getcontext(0xFFBFF6C8)
getcontext(0xFFBFF478)
setcontext(0xFFBFF478)
sigprocmask(SIG_UNBLOCK, 0xFFBFFA20, 0x00000000) = 0
sigaction(SIGALRM, 0xFFBFF5A8, 0xFFBFF628) = 0
getcontext(0xFFBFF6F0)
setcontext(0xFFBFF6F0)
gone.
write(1, " g o n e .\n", 6) = 6
getcontext(0xFFBFF878)
setcontext(0xFFBFF878)
getcontext(0xFFBFF9C8)
_exit(0)

The broken version of perl doesn't seem to bother with any of the
{set,get}context calls. Dunno if this is Sun's fault, perl's fault or
something more subtle.

Anyway, hope this helps someone avoid the frustrating afternoon that I
had yesterday!

Cheers,

Darren - needs a coffee now!

From dave at ESI.COM.AU Thu Nov 28 10:36:26 2002
From: dave at ESI.COM.AU (Dave at ESI)
Date: Thu Jan 12 21:16:33 2006
Subject: RBL checks and Spamcop
In-Reply-To: <002a01c295f2$cedc6610$6a0110ac@sbsplc.com>
Message-ID:

On Wed, 27 Nov 2002, Paul Welsh wrote:

> Is anyone here using SpamCop's blocking list? If so, is it reasonable to
> assume that I could quarantine all mail that gets into SpamCop's list,
> rather than accepting MailScanner's default of prefixing the Subject with
> {SPAM?}? If so, it would be helpful to my users and worth donating.

I reject any mail that Spamcop deems unacceptable. There is nothing sacred
about email whatsoever; it is merely one more medium. There is always the
telephone, fax, courier, letter, eyeball, DX, telex, pigeon, encrypted
broadcast/multicast etc, and that was without even thinking hard.

Serious question: why the hell is email regarded as being sacred on this
mailing list, and not upon other anti-spam related lists? I mean, would
you entrust your business-critical life-saving ultra-important missive to
someone who will try and pass it on to someone else, who might in turn
think about passing it on to someone else etc? And all of whom have had
the opportunity to intercept and inspect said message? No?

What, exactly, is so bloody special about email, that it *must* arrive?

Exasperated, I remain,

-- Dave

From P.Holzleitner at UNIDO.ORG Thu Nov 28 10:44:28 2002
From: P.Holzleitner at UNIDO.ORG (Peter HOLZLEITNER) Date: Thu Jan 12 21:16:34 2006 Subject: RBL checks and Spamcop Message-ID: Dave, there's nothing wrong with your definition. Many of us however work in places where management follows a different definition. --Peter -----Original Message----- From: dave@ESI.COM.AU [mailto:dave@ESI.COM.AU] Sent: Thursday, November 28, 2002 11:36 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: RBL checks and Spamcop On Wed, 27 Nov 2002, Paul Welsh wrote: > Is anyone here using SpamCop's blocking list? If so, is it reasonable to > assume that I could quarantine all mail that gets into SpamCop's list, > rather than accepting MailScanner's default of prefixing the Subject with > {SPAM?}? If so, it would be helpful to my users and worth donating. I reject any mail that Spamcop deems unacceptable. There is nothing sacred about email whatsoever; it is merely one more medium. There is always the telephone, fax, courier, letter, eyeball, DX, telex, pigeon, encrypted broadcast/multicast etc, and that was without even thinking hard. Serious question: why the hell is email regarded as being sacred on this mailing list, and not upon other anti-spam related lists? I mean, would you entrust your business-critical life-saving ultra-important missive to someone who will try and pass it on to someone else, who might in turn think about passing it on to someone else etc? And all of whom have had the opportunity to intercept and inspect said message? No? What, exactly, is so bloody special about email, that it *must* arrive? Exasperated, I remain, -- Dave From dave at ESI.COM.AU Thu Nov 28 11:50:46 2002 
From: dave at ESI.COM.AU (Dave Horsfall)
Date: Thu Jan 12 21:16:34 2006
Subject: RBL checks and Spamcop
In-Reply-To:
Message-ID:

On Thu, 28 Nov 2002, Peter HOLZLEITNER wrote:
> there's nothing wrong with your definition. Many of us however
> work in places where management follows a different definition.

Then find a different PHB? For this and other reasons, I now work in a 100% M$-free environment.

-- Dave

From mailscanner at ecs.soton.ac.uk Thu Nov 28 12:11:44 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:34 2006
Subject: Mailscanner on Solaris 9 *not* protected from "zip of death"
In-Reply-To: <20021128103351.R12542@apple.ukc.ac.uk>
Message-ID: <5.2.0.9.2.20021128120706.03933fc8@imap.ecs.soton.ac.uk>

Can you try this instead:

At 10:33 28/11/2002, you wrote:
>Test code (test.pl):

use POSIX qw(:signal_h);

# Signal set holding only SIGALRM, unblocked again after every timeout.
my $unblockset = POSIX::SigSet->new(SIGALRM);

sub test {
  eval {
    local $SIG{ALRM} = sub { die "Timed Out" };
    alarm 2;
    while (<STDIN>) {   # block reading stdin until the alarm fires
    }
  };
  # Unblock SIGALRM in case the die from the handler left it blocked.
  sigprocmask(SIG_UNBLOCK, $unblockset) or die "Could not unblock alarm: $!\n";
}

print "going once...\n";
&test;
print "going twice...\n";
&test;
print "gone.\n";

It looks like Sun botched the compilation of Perl so they didn't get all the correct signal handler code.

--
Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ

From Jan-Peter.Koopmann at SECEIDOS.DE Thu Nov 28 12:31:34 2002
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:16:34 2006 Subject: RBL checks and Spamcop Message-ID: <4E7026FF8A422749B1553FE508E0068007EB8E@message.intern.akctech.de> Dave, > Then find a different PHB? PHB? > For this and other reasons, I now work in a 100% M$-free environment. And the problem is connected to MS... why? How? Let's not start a pro/con MS here in this mailing list. And by the way: If you reject mail for some reason and the sender notices, your definition may apply to many companies. If however you accept the mail, the sender must assume that the mail reached you. And in that case you have to make sure that it WILL reach the recipient. Otherwise people would stop using e-mail for important messages. Would not make sense now, would it? Regards, JP From mailscanner at ecs.soton.ac.uk Thu Nov 28 12:36:46 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:34 2006 Subject: RBL checks and Spamcop In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EB8E@message.intern.akct ech.de> Message-ID: <5.2.0.9.2.20021128123012.05689198@imap.ecs.soton.ac.uk> Please can we move all religious debates to alt.religion. It is accepted premise of me (and hence of this list) that a) email is an important means of communication b) email is often the preferred means of communication c) email systems should do their best to get manually-created messages with useful content from the sender to the intended recipient(s) d) no operating system or application is totally free of bugs in either their design or implementation e) no operating system or application is totally free of potential security vulnerabilities f) "religious" debates don't achieve anything -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From chicks at CHICKS.NET Thu Nov 28 13:10:04 2002 
From: chicks at CHICKS.NET (Christopher Hicks) Date: Thu Jan 12 21:16:34 2006 Subject: RBL checks and Spamcop In-Reply-To: <5.2.0.9.2.20021128123012.05689198@imap.ecs.soton.ac.uk> Message-ID: On Thu, 28 Nov 2002, Julian Field wrote: > f) "religious" debates don't achieve anything MTA load testing? :) -- The truth is rarely pure, and never simple. -Oscar Wilde, writer (1854-1900) From riemer at PALSTRA.COM Thu Nov 28 14:48:38 2002 From: riemer at PALSTRA.COM (Riemer Palstra) Date: Thu Jan 12 21:16:34 2006 Subject: location of rpm-files In-Reply-To: References: Message-ID: On Thu, 28 Nov 2002, Peter Peters wrote: > |Missing file /usr/src/redhat/RPMS/noarch/perl-IO-stringy-2.108-1.noarch.rpm. > |Maybe it did not build correctly? > > When I check I find: > > |# ls -l perl-IO-stringy-2.108-1.src.rpm |-rw-r--r-- 1 mail mail 70157 > Nov 3 21:45 perl-IO-stringy-2.108-1.src.rpm Which is the .src.rpm, not the noarch.rpm. Probably it did not build the noarch binary... -- Riemer Palstra // riemer@palstra.com // http://palstra.com/ A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? From D.M.Chapman at UKC.AC.UK Thu Nov 28 14:50:33 2002 
From: D.M.Chapman at UKC.AC.UK (D.M.Chapman)
Date: Thu Jan 12 21:16:34 2006
Subject: Mailscanner on Solaris 9 *not* protected from "zip of death"
In-Reply-To: <5.2.0.9.2.20021128120706.03933fc8@imap.ecs.soton.ac.uk>; from mailscanner@ECS.SOTON.AC.UK on Thu, Nov 28, 2002 at 12:11:44PM +0000
References: <20021128103351.R12542@apple.ukc.ac.uk> <5.2.0.9.2.20021128120706.03933fc8@imap.ecs.soton.ac.uk>
Message-ID: <20021128145033.C10890@apple.ukc.ac.uk>

On Thu, Nov 28, 2002 at 12:11:44PM +0000, Julian Field wrote:
> Can you try this instead:
>
>[snip code]
>
> It looks like Sun botched the compilation of Perl so they didn't get all
> the correct signal handler code.

Yep. That works with both versions of perl... That will teach me to save time by using the perl supplied instead of building my own :-(

So, as I suspected, it is Sun's fault...

Cheers,
Darren

From mailscanner at ecs.soton.ac.uk Thu Nov 28 15:05:25 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:34 2006 Subject: Mailscanner on Solaris 9 *not* protected from "zip of death" In-Reply-To: <20021128145033.C10890@apple.ukc.ac.uk> References: <5.2.0.9.2.20021128120706.03933fc8@imap.ecs.soton.ac.uk> <20021128103351.R12542@apple.ukc.ac.uk> <5.2.0.9.2.20021128120706.03933fc8@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20021128150335.05703b68@imap.ecs.soton.ac.uk> At 14:50 28/11/2002, you wrote: >On Thu, Nov 28, 2002 at 12:11:44PM +0000, Julian Field wrote: > > Can you try this instead: > > > >[snip code] > > > > It looks like Sun botched the compilation of Perl so they didn't get all > > the correct signal handler code. > > >Yep. That works with both versions of perl....That will teach me to save >time by using the perl supplied instead of building my own :-( > >So, as I suspected it is suns fault..... Just like their own "special" versions of ssh and sendmail. Their sendmail is already notorious and their ssh only supports some of the encryption mechanisms, not all of them like everyone else's ssh implementations. I have added the extra code to all the fork handlers in the next release (wrapped inside an "eval" in case it blows up on some OS's). -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From dwinkler at ALGORITHMICS.COM Thu Nov 28 15:49:16 2002 
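The alarm-and-unblock pattern from this thread, generalised from the stdin test to a timeout around a child process such as an external unpacker. This is an added example, not part of the thread and not MailScanner's own code: `run_with_timeout`, `alarm_blocked` and the stand-in child commands are hypothetical names constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not MailScanner code. run_with_timeout() and alarm_blocked()
# are hypothetical helper names; the child commands are constructed stand-ins.
use strict;
use warnings;
use POSIX qw(:signal_h);

# Report whether SIGALRM is in this process's blocked-signal mask.
# Blocking an empty set changes nothing and hands back the current mask.
sub alarm_blocked {
    my $none = POSIX::SigSet->new();
    my $old  = POSIX::SigSet->new();
    sigprocmask(SIG_BLOCK, $none, $old) or die "sigprocmask: $!\n";
    return $old->ismember(SIGALRM) ? 1 : 0;
}

# Run @cmd without a shell for at most $seconds of wall-clock time.
# Returns ('ok', $exit_code), ('timeout', $seconds) or ('error', $message).
sub run_with_timeout {
    my ($seconds, @cmd) = @_;
    my $pid;
    my $exit = eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        $pid = fork();
        die "fork failed: $!\n" unless defined $pid;
        if ($pid == 0) {
            { exec { $cmd[0] } @cmd; }   # child: become the command
            POSIX::_exit(127);           # only reached if exec failed
        }
        alarm $seconds;
        waitpid($pid, 0);                # abandoned when the handler dies
        alarm 0;
        $? >> 8;
    };
    my $err = $@;
    alarm 0;

    # The step from the thread: leaving the handler via die can leave SIGALRM
    # blocked, so the next alarm is never delivered. Check the mask, then
    # unblock unconditionally, inside eval in case a platform objects.
    my $was_blocked = eval { alarm_blocked() } || 0;
    eval {
        sigprocmask(SIG_UNBLOCK, POSIX::SigSet->new(SIGALRM))
            or warn "could not unblock SIGALRM: $!\n";
    };
    warn "SIGALRM was left blocked; this perl needs the explicit unblock\n"
        if $was_blocked;

    return ('ok', $exit) if $err eq '';

    # Timed out or failed: do not leave a runaway child consuming resources.
    if ($pid) {
        kill 'KILL', $pid;
        waitpid($pid, 0);
    }
    chomp $err;
    return $err eq 'timeout' ? ('timeout', $seconds) : ('error', $err);
}

# Constructed demo: perl itself stands in for an unpacker that never finishes.
# Two rounds matter, because the failure in the thread only shows on the second.
my @stuck = ($^X, '-e', 'sleep 30');
for my $round (1 .. 2) {
    my ($status, $detail) = run_with_timeout(2, @stuck);
    print "round $round: $status ($detail)\n";
}
my ($status, $detail) = run_with_timeout(2, $^X, '-e', 'exit 3');
print "quick child: $status ($detail)\n";
```

On a perl that restores the signal mask itself, the check stays silent and the unblock is a no-op; the warning only appears on a build that behaves like the one traced in this thread.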
From: dwinkler at ALGORITHMICS.COM (Derek Winkler) Date: Thu Jan 12 21:16:34 2006 Subject: Archive only header Message-ID: <06EE2C86D3DAD5119A6C0060943F3C970402C00C@tormail1.algorithmics.com> Is it possible to use the Archive Mail config parameter to archive header only? OR If I'm using sendmail can I run a script to delete body and keep header, not sure of queue file naming conventions but looks like q* files contains header and d* files contain body or data? Thanks in advance, Derek Winkler -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021128/89c68d42/attachment.html From jim at ENTROPHY-FREE.NET Thu Nov 28 16:08:01 2002 From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:16:34 2006 Subject: Mailscanner on Solaris 9 *not* protected from "zip of death" In-Reply-To: <20021128103351.R12542@apple.ukc.ac.uk> References: <20021128103351.R12542@apple.ukc.ac.uk> Message-ID: <1038499682.3162.8.camel@wilowisp.entrophy-free.net> On Thu, 2002-11-28 at 04:33, D.M.Chapman wrote: > Ok, I have been doing some digging following my recent email about > mailscanner failing to detect a Denial of Service attack and I may have > turned up a fairly serious issue with solaris 9. Bewarned, this is long :-) > > Executive Summary: > > If you are running mailscanner on Solaris 9 and you are using the Sun > supplied version of perl then you are probably *not* protected against > a "zip of death" denial of service attack. We certainly were not :-( > You are filing a bug report with Sun on this, right? -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= The instructions said to use Windows 98 or better, so I installed RedHat Jim Levie email: jim@entrophy-free.net From alex at IALEX.NET Thu Nov 28 16:52:32 2002 
From: alex at IALEX.NET (Alex Short)
Date: Thu Jan 12 21:16:34 2006
Subject: Subject Line Changes
Message-ID:

Just wondering what people's opinion would be for more information to the admin of the server in the subject line than currently given.

Right now I think it's 'Warning: Possible Virus send blah blah'

The guy that handles this gets like 250 emails like this a day. It would be kinda nice if it would be divided up a little nicer with rules. If this was at home, I'd use procmail and filter by the body, but I was thinking something like:

'Warning: Virus blah blah (Klez)'

Also, different subject lines for iframe messages and different ones for blocked file types.

Again this is just to the admin, the messages to the user are fine.

Thanks

From mailscanner at ecs.soton.ac.uk Thu Nov 28 16:45:22 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:34 2006 Subject: Subject Line Changes In-Reply-To: Message-ID: <5.2.0.9.2.20021128164358.0597d010@imap.ecs.soton.ac.uk> At 16:52 28/11/2002, you wrote: >Just wondering what people's opinion would be for more information to the >admin of the server in the subject line then currently given. > >Right now i think its 'Warning: Possible Virus send blah blah' > >The guy that handles this gets like 250 emails like this a day. It would >be kinda nice if it would be divided up a little nicer with rules. If >this was at home, i'd use procmail and filter by the body, but i was >thinking something like. > >'Warning: Virus blah blah (Klez)' > >Also, different subject lines for iframe messages and different ones for >blocked file types. > >Again this is just to the admin, the messages to the user are fine. That's a whole lot harder to write. Currently I don't make any real attempt to reliably extract the virus name from the virus scanner output. It would be a lot of work to do this, when you can easily just filter or process the body. Remember this would have to work for 14 different scanning engines :-( -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Thu Nov 28 16:42:49 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:34 2006 Subject: Archive only header In-Reply-To: <06EE2C86D3DAD5119A6C0060943F3C970402C00C@tormail1.algorith mics.com> Message-ID: <5.2.0.9.2.20021128164204.03a377c0@imap.ecs.soton.ac.uk> At 15:49 28/11/2002, you wrote: >Is it possible to use the Archive Mail config parameter to archive header >only? > >OR > >If I'm using sendmail can I run a script to delete body and keep header, >not sure of queue file naming conventions but looks like q* files contains >header and d* files contain body or data? qf files contain envelope and header data (header lines all start with "H"). df files contain message body. So just delete all the df's and keep the qf's and you should be fine. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Thu Nov 28 16:43:29 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:34 2006 Subject: Mailscanner on Solaris 9 *not* protected from "zip of death" In-Reply-To: <1038499682.3162.8.camel@wilowisp.entrophy-free.net> References: <20021128103351.R12542@apple.ukc.ac.uk> <20021128103351.R12542@apple.ukc.ac.uk> Message-ID: <5.2.0.9.2.20021128164315.056cef30@imap.ecs.soton.ac.uk> At 16:08 28/11/2002, you wrote: >On Thu, 2002-11-28 at 04:33, D.M.Chapman wrote: > > Ok, I have been doing some digging following my recent email about > > mailscanner failing to detect a Denial of Service attack and I may have > > turned up a fairly serious issue with solaris 9. Bewarned, this is long :-) > > > > Executive Summary: > > > > If you are running mailscanner on Solaris 9 and you are using the Sun > > supplied version of perl then you are probably *not* protected against > > a "zip of death" denial of service attack. We certainly were not :-( > > >You are filing a bug report with Sun on this, right? Darren --- Can I leave you to do that please? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From alex at IALEX.NET Thu Nov 28 18:16:11 2002 
From: alex at IALEX.NET (Alex Short) Date: Thu Jan 12 21:16:34 2006 Subject: Subject Line Changes In-Reply-To: <5.2.0.9.2.20021128164358.0597d010@imap.ecs.soton.ac.uk> Message-ID: > > > >Also, different subject lines for iframe messages and different ones for > >blocked file types. > > > >Again this is just to the admin, the messages to the user are fine. > > That's a whole lot harder to write. Currently I don't make any real attempt > to reliably extract the virus name from the virus scanner output. It would > be a lot of work to do this, when you can easily just filter or process the > body. Remember this would have to work for 14 different scanning engines :-( Well, currently there is some logic to enable the 'silent virus' feature. How about subject line for file attachment rejections, a subject line for iframes, a subject line for silent virii and another for non silent virii :) Alex From mailscanner at ecs.soton.ac.uk Thu Nov 28 18:27:12 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:34 2006 Subject: Subject Line Changes In-Reply-To: References: <5.2.0.9.2.20021128164358.0597d010@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20021128182531.02e75f20@imap.ecs.soton.ac.uk> At 18:16 28/11/2002, you wrote: > > > > > >Also, different subject lines for iframe messages and different ones for > > >blocked file types. > > > > > >Again this is just to the admin, the messages to the user are fine. > > > > That's a whole lot harder to write. Currently I don't make any real attempt > > to reliably extract the virus name from the virus scanner output. It would > > be a lot of work to do this, when you can easily just filter or process the > > body. Remember this would have to work for 14 different scanning > engines :-( > >Well, currently there is some logic to enable the 'silent virus' feature. And it's very simple, too. Not half as clever as most people think it is, but if/when it fails it cannot fail in a dangerous way. >How about subject line for file attachment rejections, a subject line for >iframes, a subject line for silent virii and another for non silent virii I guess I could do that. What would it do when there is more than 1 reason for the generation of the notice? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From alex at IALEX.NET Thu Nov 28 22:05:31 2002 From: alex at IALEX.NET (Alex Short) Date: Thu Jan 12 21:16:34 2006 Subject: Subject Line Changes In-Reply-To: <5.2.0.9.2.20021128182531.02e75f20@imap.ecs.soton.ac.uk> Message-ID: > I guess I could do that. What would it do when there is more than 1 reason > for the generation of the notice? One for only iframe One for only filename If iframe&silent, silent If iframe&non silent, virus notice I think :) From glynn at makati.techsquare.com Fri Nov 29 04:47:03 2002 
From: glynn at makati.techsquare.com (Glynn S. Condez)
Date: Thu Jan 12 21:16:34 2006
Subject: Mailscanner sendmail support
Message-ID: <00c201c29762$5cb28df0$8201a8c0@proaccessph.com>

Hi all,

I would like to know if mailscanner 4-x supports sendmail release 8-12-6. It seems that sendmail.cf resides in /etc/mail while mailscanner looks for sendmail.cf in /etc? I have a lower version of sendmail and mailscanner-3.22.7 and it works fine. Any idea how to make this release of sendmail and mailscanner4 work, in case I need to create a symlink to tell sendmail to use sendmail.cf in /etc?

TIA

--- Glynn ---

From jadams at GATEKEEPER.NO-IP.COM Fri Nov 29 07:26:02 2002
From: jadams at GATEKEEPER.NO-IP.COM (Jeff Adams)
Date: Thu Jan 12 21:16:34 2006
Subject: SpamAssassin not running
Message-ID: <3DE7168A.3050200@gatekeeper.no-ip.com>

Hello gang,

First off, thanks Julian for all of your hard work writing and maintaining this package. I think it's the best option out there for what I'm trying to do and I appreciate the hard work. --- so on to the problem:

I'm trying to set up an anti-spam mail gateway for my company and I'm having trouble getting spamassassin to run from mailscanner. The incoming messages are getting processed by mailscanner and delivered by Sendmail, but my spam email tests aren't getting flagged by SA as spam. I think that SA isn't being called from MailScanner, but other than looking in the headers, I can't tell how to determine if SA was run or how to troubleshoot the problem further. Has anyone run into this problem before?

Here are my stats:

Sparc Solaris 7 / perl 5.8.0 / MailScanner 4.05-3 / SpamAssassin 2.43 / all the appropriate perl modules.
/opt/MailScanner/etc/spam-assassin-prefs.cf (comments removed for brevity)

header FRIEND_GREETINGS Subject =~ /you have an E-Card from/i
describe FRIEND_GREETINGS Nasty E-card from FriendGreetings.com
score FRIEND_GREETINGS 100.0
required_hits 5
auto_report_threshold 30
whitelist_from monty@roscom.com
ok_locales en
rewrite_subject 1
report_header 0
use_terse_report 0
defang_mime 1
skip_rbl_checks 1
score DCC_CHECK 0.0

/opt/MailScaner/etc/mailscanner.conf (comments removed for brevity)

Max Children = 5
Incoming Queue Dir = /var/spool/mqueue.in
Outgoing Queue Dir = /var/spool/mqueue
Incoming Work Dir = /var/spool/MailScanner/incoming
Quarantine Dir = /var/spool/MailScanner/quarantine
PID dir = /opt/MailScanner/var
Restart Every = 14400
MTA = sendmail
Sendmail = /usr/lib/sendmail
Sendmail2 = /usr/lib/sendmail
Max Unscanned Bytes Per Scan = 100000000
Max Unsafe Bytes Per Scan = 50000000
Max Unscanned Messages Per Scan = 500
Max Unsafe Messages Per Scan = 100
Expand TNEF = yes
Deliver Unparsable TNEF = yes
TNEF Expander = /opt/MailScanner/bin/tnef --maxsize=100000000
TNEF Timeout = 120
Virus Scanning = no
Virus Scanners = none
Virus Scanner Timeout = 300
Deliver Disinfected Files = yes
Silent Viruses = Klez Yaha-E Bugbear
Still Deliver Silent Viruses = yes
Allow IFrame Tags = yes
Log IFrame Tags = yes
Allow Object Codebase Tags = yes
Convert HTML To Text = no
Filename Rules = /opt/MailScanner/etc/filename.rules.conf
Quarantine Infections = yes
Quarantine Whole Message = no
Quarantine Whole Messages As Queue Files = no
Deleted Bad Filename Message Report = /opt/MailScanner/etc/reports/en/deleted.filename.message.txt
Deleted Virus Message Report = /opt/MailScanner/etc/reports/en/deleted.virus.message.txt
Stored Bad Filename Message Report = /opt/MailScanner/etc/reports/en/stored.filename.message.txt
Stored Virus Message Report = /opt/MailScanner/etc/reports/en/stored.virus.message.txt
Disinfected Report = /opt/MailScanner/etc/reports/en/disinfected.report.txt
Inline HTML Signature = /opt/MailScanner/etc/reports/en/inline.sig.html
Inline Text Signature = /opt/MailScanner/etc/reports/en/inline.sig.txt
Inline HTML Warning = /opt/MailScanner/etc/reports/en/inline.warning.html
Inline Text Warning = /opt/MailScanner/etc/reports/en/inline.warning.txt
Sender Error Report = /opt/MailScanner/etc/reports/en/sender.error.report.txt
Sender Bad Filename Report = /opt/MailScanner/etc/reports/en/sender.filename.report.txt
Sender Virus Report = /opt/MailScanner/etc/reports/en/sender.virus.report.txt
Hide Incoming Work Dir = yes
Mail Header = X-MailScanner:
Spam Header = X-MailScanner-SpamCheck:
Spam Score Header = X-MailScanner-SpamScore:
Spam Score Character = +
Clean Header Value = Found to be clean
Infected Header Value = Found to be infected
Disinfected Header Value = Disinfected
Multiple Headers = append
Hostname = the MailScanner
Sign Messages Already Processed = no
Sign Clean Messages = no
Mark Infected Messages = yes
Mark Unscanned Messages = yes
Unscanned Header Value = Not scanned: please contact your Internet E-Mail Service Provider for details
Deliver Cleaned Messages = yes
Notify Senders = yes
Virus Modify Subject = yes
Virus Subject Text = {Virus?}
Filename Modify Subject = yes
Filename Subject Text = {Virus?}
Spam Modify Subject = yes
Spam Subject Text = {Spam?}
High Scoring Spam Modify Subject = yes
High Scoring Spam Subject Text = {Spam?}
Warning Is Attachment = yes
Attachment Warning Filename = VirusWarning.txt
Attachment Encoding Charset = us-ascii
Send Notices = yes
Notices Include Full Headers = no
Notices To = removed
Local Postmaster = removed
Spam List Definitions = /opt/MailScanner/etc/spam.lists.conf
Virus Scanner Definitions = /opt/MailScanner/etc/virus.scanners.conf
Spam Checks = yes
Spam List Timeout = 30
Max Spam List Timeouts = 7
Is Definitely Not Spam = /opt/MailScanner/etc/rules/spam.whitelist.rules
Is Definitely Spam = no
Use SpamAssassin = yes
Max SpamAssassin Size = 50000
Required SpamAssassin Score = 5
High SpamAssassin Score = 20
SpamAssassin Auto Whitelist = no
SpamAssassin Prefs File = /opt/MailScanner/etc/spam.assassin.prefs.conf
SpamAssassin Timeout = 60
Max SpamAssassin Timeouts = 20
Check SpamAssassin If On Spam List = yes
Always Include SpamAssassin Report = yes
Spam Score = yes
Spam Actions = deliver
High Scoring Spam Actions = deliver
Sender Spam Report = /opt/MailScanner/etc/reports/en/sender.spam.report.txt
Sender Spam List Report = /opt/MailScanner/etc/reports/en/sender.spam.rbl.report.txt
Sender SpamAssassin Report = /opt/MailScanner/etc/reports/en/sender.spam.sa.report.txt
Syslog Facility = mail
Log Spam = yes
Log Permitted Filenames = no
Debug = no
Deliver In Background = yes
Delivery Method = batch
Lockfile Dir = /tmp
Minimum Code Status = supported

PS: I'm not using any virus protection because that's being done ahead of this mail gateway. So I've disabled it in my config above.

Thanks!
-jeff

From mailscanner at ecs.soton.ac.uk Fri Nov 29 09:39:33 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:34 2006 Subject: SpamAssassin not running In-Reply-To: <3DE7168A.3050200@gatekeeper.no-ip.com> Message-ID: <5.2.0.9.2.20021129093748.03c3cfa0@imap.ecs.soton.ac.uk> At 07:26 29/11/2002, you wrote: >First off, Thanks Julian for all of your hard work writing and >maintaining this package. I think it's the best option out there for >what I'm trying to do and I appreciate the hard work. No problem :-) >I'm trying to setup an anti-spam mail gateway for my company and I'm >having trouble getting spamassassin to run from mailscanner. The >incoming messages are getting procesed by mailscanner and delivered by >Sendmail, but my spam email tests aren't getting flagged by SA as spam. >I think that SA isn't being called from MailScanner, but other than >looking in the headers, I can't tell how to determine if SA was run or >how to troubleshoot the problem further. Has anyone ran into this >problem before? Are you getting no X-MailScanner-SpamCheck: headers at all? If you are getting them, what do they say? Another way of skipping the virus scanning, while still doing all the other checks, is to set Virus Scanning = yes Virus Scanners = none >Here are my stats: > >Sparc Solaris 7 / perl 5.8.0 / MailScanner 4.05-3 / SpamAssassin 2.43 >/ all the appropriate perl modules. 
> >/opt/MailScanner/etc/spam-assassin-prefs.cf (comments removed for brevity) > >header FRIEND_GREETINGS Subject =~ /you have an E-Card from/i >describe FRIEND_GREETINGS Nasty E-card from FriendGreetings.com >score FRIEND_GREETINGS 100.0 >required_hits 5 >auto_report_threshold 30 >whitelist_from monty@roscom.com >ok_locales en >rewrite_subject 1 >report_header 0 >use_terse_report 0 >defang_mime 1 >skip_rbl_checks 1 >score DCC_CHECK 0.0 > >/opt/MailScaner/etc/mailscanner.conf (comments removed for brevity) > >Max Children = 5 >Incoming Queue Dir = /var/spool/mqueue.in >Outgoing Queue Dir = /var/spool/mqueue >Incoming Work Dir = /var/spool/MailScanner/incoming >Quarantine Dir = /var/spool/MailScanner/quarantine >PID dir = /opt/MailScanner/var >Restart Every = 14400 >MTA = sendmail >Sendmail = /usr/lib/sendmail >Sendmail2 = /usr/lib/sendmail >Max Unscanned Bytes Per Scan = 100000000 >Max Unsafe Bytes Per Scan = 50000000 >Max Unscanned Messages Per Scan = 500 >Max Unsafe Messages Per Scan = 100 >Expand TNEF = yes >Deliver Unparsable TNEF = yes >TNEF Expander = /opt/MailScanner/bin/tnef --maxsize=100000000 >TNEF Timeout = 120 >Virus Scanning = no >Virus Scanners = none >Virus Scanner Timeout = 300 >Deliver Disinfected Files = yes >Silent Viruses = Klez Yaha-E Bugbear >Still Deliver Silent Viruses = yes >Allow IFrame Tags = yes >Log IFrame Tags = yes >Allow Object Codebase Tags = yes >Convert HTML To Text = no >Filename Rules = /opt/MailScanner/etc/filename.rules.conf >Quarantine Infections = yes >Quarantine Whole Message = no >Quarantine Whole Messages As Queue Files = no >Deleted Bad Filename Message Report = >/opt/MailScanner/etc/reports/en/deleted.filename.message.txt >Deleted Virus Message Report = >/opt/MailScanner/etc/reports/en/deleted.virus.message.txt >Stored Bad Filename Message Report = >/opt/MailScanner/etc/reports/en/stored.filename.message.txt >Stored Virus Message Report = >/opt/MailScanner/etc/reports/en/stored.virus.message.txt >Disinfected Report = 
/opt/MailScanner/etc/reports/en/disinfected.report.txt >Inline HTML Signature = /opt/MailScanner/etc/reports/en/inline.sig.html >Inline Text Signature = /opt/MailScanner/etc/reports/en/inline.sig.txt >Inline HTML Warning = /opt/MailScanner/etc/reports/en/inline.warning.html >Inline Text Warning = /opt/MailScanner/etc/reports/en/inline.warning.txt >Sender Error Report = >/opt/MailScanner/etc/reports/en/sender.error.report.txt >Sender Bad Filename Report = >/opt/MailScanner/etc/reports/en/sender.filename.report.txt >Sender Virus Report = >/opt/MailScanner/etc/reports/en/sender.virus.report.txt >Hide Incoming Work Dir = yes >Mail Header = X-MailScanner: >Spam Header = X-MailScanner-SpamCheck: >Spam Score Header = X-MailScanner-SpamScore: >Spam Score Character = + >Clean Header Value = Found to be clean >Infected Header Value = Found to be infected >Disinfected Header Value = Disinfected >Multiple Headers = append >Hostname = the MailScanner >Sign Messages Already Processed = no >Sign Clean Messages = no >Mark Infected Messages = yes >Mark Unscanned Messages = yes >Unscanned Header Value = Not scanned: please contact your Internet >E-Mail Service Provider for details >Deliver Cleaned Messages = yes >Notify Senders = yes >Virus Modify Subject = yes >Virus Subject Text = {Virus?} >Filename Modify Subject = yes >Filename Subject Text = {Virus?} >Spam Modify Subject = yes >Spam Subject Text = {Spam?} >High Scoring Spam Modify Subject = yes >High Scoring Spam Subject Text = {Spam?} >Warning Is Attachment = yes >Attachment Warning Filename = VirusWarning.txt >Attachment Encoding Charset = us-ascii >Send Notices = yes >Notices Include Full Headers = no >Notices To = removed >Local Postmaster = removed >Spam List Definitions = /opt/MailScanner/etc/spam.lists.conf >Virus Scanner Definitions = /opt/MailScanner/etc/virus.scanners.conf >Spam Checks = yes >Spam List Timeout = 30 >Max Spam List Timeouts = 7 >Is Definitely Not Spam = /opt/MailScanner/etc/rules/spam.whitelist.rules 
>Is Definitely Spam = no
>Use SpamAssassin = yes
>Max SpamAssassin Size = 50000
>Required SpamAssassin Score = 5
>High SpamAssassin Score = 20
>SpamAssassin Auto Whitelist = no
>SpamAssassin Prefs File = /opt/MailScanner/etc/spam.assassin.prefs.conf
>SpamAssassin Timeout = 60
>Max SpamAssassin Timeouts = 20
>Check SpamAssassin If On Spam List = yes
>Always Include SpamAssassin Report = yes
>Spam Score = yes
>Spam Actions = deliver
>High Scoring Spam Actions = deliver
>Sender Spam Report = /opt/MailScanner/etc/reports/en/sender.spam.report.txt
>Sender Spam List Report =
>/opt/MailScanner/etc/reports/en/sender.spam.rbl.report.txt
>Sender SpamAssassin Report =
>/opt/MailScanner/etc/reports/en/sender.spam.sa.report.txt
>Syslog Facility = mail
>Log Spam = yes
>Log Permitted Filenames = no
>Debug = no
>Deliver In Background = yes
>Delivery Method = batch
>Lockfile Dir = /tmp
>Minimum Code Status = supported
>
>PS: I'm not using any virus protection because that's being done ahead
>of this mail gateway. So I've disabled it in my config above.
>
>Thanks!
>-jeff

--
Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ

From gavin at NETERGY.COM Fri Nov 29 09:46:29 2002
From: gavin at NETERGY.COM (Gavin Nelmes-Crocker)
Date: Thu Jan 12 21:16:34 2006
Subject: SpamAssassin not running
In-Reply-To: <3DE7168A.3050200@gatekeeper.no-ip.com>
Message-ID:

Jeff

Can you copy and paste an email header or a log file entry of an email going through. You should see in the header a spam score (usually in the number of s, i.e. Spam Score ssss)

Gavin

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Jeff Adams > Sent: 29 November 2002 07:26 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: SpamAssassin not running > > > Hello gang, > > First off, Thanks Julian for all of your hard work writing and > maintaining this package. I think it's the best option out there for > what I'm trying to do and I appreciate the hard work. --- so on to the > problem: > > I'm trying to setup an anti-spam mail gateway for my company and I'm > having trouble getting spamassassin to run from mailscanner. The > incoming messages are getting procesed by mailscanner and delivered by > Sendmail, but my spam email tests aren't getting flagged by SA as spam. > I think that SA isn't being called from MailScanner, but other than > looking in the headers, I can't tell how to determine if SA was run or > how to troubleshoot the problem further. Has anyone ran into this > problem before? > > Here are my stats: > > Sparc Solaris 7 / perl 5.8.0 / MailScanner 4.05-3 / SpamAssassin 2.43 > / all the appropriate perl modules. 
> > /opt/MailScanner/etc/spam-assassin-prefs.cf (comments removed > for brevity) > > header FRIEND_GREETINGS Subject =~ /you have an E-Card from/i > describe FRIEND_GREETINGS Nasty E-card from FriendGreetings.com > score FRIEND_GREETINGS 100.0 > required_hits 5 > auto_report_threshold 30 > whitelist_from monty@roscom.com > ok_locales en > rewrite_subject 1 > report_header 0 > use_terse_report 0 > defang_mime 1 > skip_rbl_checks 1 > score DCC_CHECK 0.0 > > /opt/MailScaner/etc/mailscanner.conf (comments removed for brevity) > > Max Children = 5 > Incoming Queue Dir = /var/spool/mqueue.in > Outgoing Queue Dir = /var/spool/mqueue > Incoming Work Dir = /var/spool/MailScanner/incoming > Quarantine Dir = /var/spool/MailScanner/quarantine > PID dir = /opt/MailScanner/var > Restart Every = 14400 > MTA = sendmail > Sendmail = /usr/lib/sendmail > Sendmail2 = /usr/lib/sendmail > Max Unscanned Bytes Per Scan = 100000000 > Max Unsafe Bytes Per Scan = 50000000 > Max Unscanned Messages Per Scan = 500 > Max Unsafe Messages Per Scan = 100 > Expand TNEF = yes > Deliver Unparsable TNEF = yes > TNEF Expander = /opt/MailScanner/bin/tnef --maxsize=100000000 > TNEF Timeout = 120 > Virus Scanning = no > Virus Scanners = none > Virus Scanner Timeout = 300 > Deliver Disinfected Files = yes > Silent Viruses = Klez Yaha-E Bugbear > Still Deliver Silent Viruses = yes > Allow IFrame Tags = yes > Log IFrame Tags = yes > Allow Object Codebase Tags = yes > Convert HTML To Text = no > Filename Rules = /opt/MailScanner/etc/filename.rules.conf > Quarantine Infections = yes > Quarantine Whole Message = no > Quarantine Whole Messages As Queue Files = no > Deleted Bad Filename Message Report = > /opt/MailScanner/etc/reports/en/deleted.filename.message.txt > Deleted Virus Message Report = > /opt/MailScanner/etc/reports/en/deleted.virus.message.txt > Stored Bad Filename Message Report = > /opt/MailScanner/etc/reports/en/stored.filename.message.txt > Stored Virus Message Report = > 
/opt/MailScanner/etc/reports/en/stored.virus.message.txt > Disinfected Report = > /opt/MailScanner/etc/reports/en/disinfected.report.txt > Inline HTML Signature = /opt/MailScanner/etc/reports/en/inline.sig.html > Inline Text Signature = /opt/MailScanner/etc/reports/en/inline.sig.txt > Inline HTML Warning = /opt/MailScanner/etc/reports/en/inline.warning.html > Inline Text Warning = /opt/MailScanner/etc/reports/en/inline.warning.txt > Sender Error Report = > /opt/MailScanner/etc/reports/en/sender.error.report.txt > Sender Bad Filename Report = > /opt/MailScanner/etc/reports/en/sender.filename.report.txt > Sender Virus Report = > /opt/MailScanner/etc/reports/en/sender.virus.report.txt > Hide Incoming Work Dir = yes > Mail Header = X-MailScanner: > Spam Header = X-MailScanner-SpamCheck: > Spam Score Header = X-MailScanner-SpamScore: > Spam Score Character = + > Clean Header Value = Found to be clean > Infected Header Value = Found to be infected > Disinfected Header Value = Disinfected > Multiple Headers = append > Hostname = the MailScanner > Sign Messages Already Processed = no > Sign Clean Messages = no > Mark Infected Messages = yes > Mark Unscanned Messages = yes > Unscanned Header Value = Not scanned: please contact your Internet > E-Mail Service Provider for details > Deliver Cleaned Messages = yes > Notify Senders = yes > Virus Modify Subject = yes > Virus Subject Text = {Virus?} > Filename Modify Subject = yes > Filename Subject Text = {Virus?} > Spam Modify Subject = yes > Spam Subject Text = {Spam?} > High Scoring Spam Modify Subject = yes > High Scoring Spam Subject Text = {Spam?} > Warning Is Attachment = yes > Attachment Warning Filename = VirusWarning.txt > Attachment Encoding Charset = us-ascii > Send Notices = yes > Notices Include Full Headers = no > Notices To = removed > Local Postmaster = removed > Spam List Definitions = /opt/MailScanner/etc/spam.lists.conf > Virus Scanner Definitions = /opt/MailScanner/etc/virus.scanners.conf > Spam Checks = yes 
> Spam List Timeout = 30 > Max Spam List Timeouts = 7 > Is Definitely Not Spam = /opt/MailScanner/etc/rules/spam.whitelist.rules > Is Definitely Spam = no > Use SpamAssassin = yes > Max SpamAssassin Size = 50000 > Required SpamAssassin Score = 5 > High SpamAssassin Score = 20 > SpamAssassin Auto Whitelist = no > SpamAssassin Prefs File = /opt/MailScanner/etc/spam.assassin.prefs.conf > SpamAssassin Timeout = 60 > Max SpamAssassin Timeouts = 20 > Check SpamAssassin If On Spam List = yes > Always Include SpamAssassin Report = yes > Spam Score = yes > Spam Actions = deliver > High Scoring Spam Actions = deliver > Sender Spam Report = > /opt/MailScanner/etc/reports/en/sender.spam.report.txt > Sender Spam List Report = > /opt/MailScanner/etc/reports/en/sender.spam.rbl.report.txt > Sender SpamAssassin Report = > /opt/MailScanner/etc/reports/en/sender.spam.sa.report.txt > Syslog Facility = mail > Log Spam = yes > Log Permitted Filenames = no > Debug = no > Deliver In Background = yes > Delivery Method = batch > Lockfile Dir = /tmp > Minimum Code Status = supported > > PS: I'm not using any virus protection because that's being done ahead > of this mail gateway. So I've disabled it in my config above. > > Thanks! > -jeff > From nerijus at USERS.SOURCEFORGE.NET Fri Nov 29 13:37:10 2002 From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas) Date: Thu Jan 12 21:16:34 2006 Subject: External message bodies cannot be scanned Message-ID: <200211291340.gATDdx6i022356@mx.ktv.lt> Hello, I don't use any commercial virus scanners (I have "Virus Scanning = yes" and "Virus Scanners = none"), only Attachment Filename Checking is used. How can I allow zip attachments to go through? 
From: MailScanner
Date: Fri, 29 Nov 2002 15:26:21 +0200
Subject: Warning: E-mail viruses detected

The following e-mail messages were found to have viruses in them:

Sender: xxx
IP Address: xxx
Recipient: xxx
Subject: pianinas piano[1][2].zip [1/2]
MessageID: gATDJGq9022006
Report: External message bodies cannot be scanned and are removed

Regards,
Nerijus

From vilma at tel.etecsa.cu Fri Nov 29 14:10:52 2002
From: vilma at tel.etecsa.cu (Vilma Alvarez)
Date: Thu Jan 12 21:16:34 2006
Subject: External message bodies cannot be scanned
References: <200211291340.gATDdx6i022356@mx.ktv.lt>
Message-ID: <003201c297b1$202caec0$775ba8c0@ci.tel.etecsa.cu>

Hi:

I have the same problem! But it is not the zip attachment, the problem is
that the message is on pieces.
In my case all the MS Outlook users use to do that.

Vilma Alvarez

----- Original Message -----
From: "Nerijus Baliunas"
To:
Sent: Friday, November 29, 2002 8:37 AM
Subject: External message bodies cannot be scanned

> Hello,
>
> I don't use any commercial virus scanners (I have "Virus Scanning = yes"
> and "Virus Scanners = none"), only Attachment Filename Checking is used.
> How can I allow zip attachments to go through?
>
> From: MailScanner
> Date: Fri, 29 Nov 2002 15:26:21 +0200
> Subject: Warning: E-mail viruses detected
>
> The following e-mail messages were found to have viruses in them:
>
> Sender: xxx
> IP Address: xxx
> Recipient: xxx
> Subject: pianinas piano[1][2].zip [1/2]
> MessageID: gATDJGq9022006
> Report: External message bodies cannot be scanned and are removed
>
>
> Regards,
> Nerijus
>

From mailscanner at ecs.soton.ac.uk Fri Nov 29 14:52:48 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:34 2006
Subject: External message bodies cannot be scanned
In-Reply-To: <200211291340.gATDdx6i022356@mx.ktv.lt>
Message-ID: <5.2.0.9.2.20021129145147.03942c50@imap.ecs.soton.ac.uk>

At 13:37 29/11/2002, you wrote:
>Hello,
>
>I don't use any commercial virus scanners (I have "Virus Scanning = yes"
>and "Virus Scanners = none"), only Attachment Filename Checking is used.
>How can I allow zip attachments to go through?
>
>From: MailScanner
>Date: Fri, 29 Nov 2002 15:26:21 +0200
>Subject: Warning: E-mail viruses detected
>
>The following e-mail messages were found to have viruses in them:
>
> Sender: xxx
>IP Address: xxx
> Recipient: xxx
> Subject: pianinas piano[1][2].zip [1/2]
> MessageID: gATDJGq9022006
> Report: External message bodies cannot be scanned and are removed

The problem is not zip attachments, the problem is that the zip attachment
is not held within the message itself (it normally is in the message), but
is retrieved from some external source by the recipient's mail application,
if it happens to implement that (which very few do).

If you just send the attachment normally, this won't be a problem.

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Fri Nov 29 14:54:59 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:34 2006 Subject: External message bodies cannot be scanned In-Reply-To: <003201c297b1$202caec0$775ba8c0@ci.tel.etecsa.cu> References: <200211291340.gATDdx6i022356@mx.ktv.lt> Message-ID: <5.2.0.9.2.20021129145250.03951090@imap.ecs.soton.ac.uk> At 14:10 29/11/2002, you wrote: >I have the same problem! But it is not the zip attachment, the problem is >that the message is on pieces. >In my case all the MS Outlook users use to do that. If they send mail attachments in pieces, then there is no way to virus scan the file. At the moment the "Virus Scanning = yes" switch covers all the content scanning, i.e. the virus scanning, the attachment filename scanning and the other content checks. It's a bit late for me to rename "Virus Scanning", so I'm not sure what I could call the 3 or 4 options that would be needed to cover all these cases. >Vilma Alvarez > >----- Original Message ----- >From: "Nerijus Baliunas" >To: >Sent: Friday, November 29, 2002 8:37 AM >Subject: External message bodies cannot be scanned > > > > Hello, > > > > I don't use any commercial virus scanners (I have "Virus Scanning = yes" > > and "Virus Scanners = none"), only Attachment Filename Checking is used. > > How can I allow zip attachments to go through? > > > > From: MailScanner > > Date: Fri, 29 Nov 2002 15:26:21 +0200 > > Subject: Warning: E-mail viruses detected > > > > The following e-mail messages were found to have viruses in them: > > > > Sender: xxx > > IP Address: xxx > > Recipient: xxx > > Subject: pianinas piano[1][2].zip [1/2] > > MessageID: gATDJGq9022006 > > Report: External message bodies cannot be scanned and are removed > > > > > > Regards, > > Nerijus > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From D.M.Chapman at UKC.AC.UK Fri Nov 29 16:33:26 2002 
From: D.M.Chapman at UKC.AC.UK (D.M.Chapman)
Date: Thu Jan 12 21:16:34 2006
Subject: Mailscanner on Solaris 9 *not* protected from "zip of death"
In-Reply-To: <1038499682.3162.8.camel@wilowisp.entrophy-free.net>; from jim@ENTROPHY-FREE.NET on Thu, Nov 28, 2002 at 10:08:01AM -0600
References: <20021128103351.R12542@apple.ukc.ac.uk> <1038499682.3162.8.camel@wilowisp.entrophy-free.net>
Message-ID: <20021129163326.K19999@apple.ukc.ac.uk>

On Thu, Nov 28, 2002 at 10:08:01AM -0600, Jim Levie wrote:
> > If you are running mailscanner on Solaris 9 and you are using the Sun
> > supplied version of perl then you are probably *not* protected against
> > a "zip of death" denial of service attack. We certainly were not :-(
> >
> You are filing a bug report with Sun on this, right?

Done. They will "get back to me".

Darren

From mailscannerlist at TNJINFL.COM Fri Nov 29 23:02:46 2002
From: mailscannerlist at TNJINFL.COM (James Pifer)
Date: Thu Jan 12 21:16:34 2006
Subject: mailertable being ignored - offTopic
Message-ID: <1038610966.1888.22.camel@tweety.tnjinfl.com>

Sorry to the list for asking about a definite Sendmail problem, but I've
posted to Redhat's list and no one there was able to help. I
successfully tested our configuration using Redhat 8 in my home
environment, but now I'm having a problem trying to pilot it on a new
server in production. I can't get Sendmail to forward the mail to the
mail server specified in the mailertable.

When a message comes in MailScanner does its thing, but then Sendmail
sends the message back through the MX record instead of the server I
have specified. (Once this server replaces the one at MX record, I would
then get a mail loop problem: MX record points to itself). Here is what
I have:
Redhat 8, Sendmail(8.12.5-7)

/etc/mail/relay-domains has one line:
mydomain.com

/etc/mail/mailertable has one line:
.mydomain.com esmtp:[192.168.1.5]

/etc/mail/local-host-names has no entries

I ran "make" while in /etc/mail and it returned me to a prompt so I
think it ran ok. I restarted Sendmail. The damn thing is still relaying
the mail to the mail server at the MX record instead of forwarding it
directly to the server specified in the mailertable.

Can anyone tell me what I'm missing?
Thanks,
James

From G.Welter at ROCLEIDEN.NL Fri Nov 29 23:08:13 2002
From: G.Welter at ROCLEIDEN.NL (G Welter)
Date: Thu Jan 12 21:16:34 2006
Subject: mailertable being ignored - offTopic
Message-ID:

>>> mailscannerlist@TNJINFL.COM 11/30/02 12:02AM >>>
/etc/mail/mailertable has one line:
.mydomain.com esmtp:[192.168.1.5]
>>>

I think the following is the correct syntax:

mydomain.com smtp:[192.168.1.5]

I'm not sure esmtp is a valid option.

Gerben.

From jadams at GATEKEEPER.NO-IP.COM Sat Nov 30 00:10:20 2002
From: jadams at GATEKEEPER.NO-IP.COM (Jeff Adams)
Date: Thu Jan 12 21:16:34 2006
Subject: SpamAssassin not running
References: <5.2.0.9.2.20021129093748.03c3cfa0@imap.ecs.soton.ac.uk>
Message-ID: <3DE801EC.9010804@gatekeeper.no-ip.com>

> Are you getting no X-MailScanner-SpamCheck: headers at all? If you are
> getting them, what do they say?
>
> Another way of skipping the virus scanning, while still doing all the
> other checks, is to set
> Virus Scanning = yes
> Virus Scanners = none

I'm not seeing any header modifications at all. And I tried the virus
scanning = yes option to no avail. I'm stumped. Here's a header sample
from one of my emails:

Received: from gatekeeper.tw.l-3com.com ([128.170.53.21])
        by exserversd.tw.l-3com.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
        id XHVSPBQR; Fri, 29 Nov 2002 15:36:48 -0800
Received: from orngca-mls01.socal.rr.com (orngca-mls01.socal.rr.com [66.75.160.16])
        by gatekeeper.tw.l-3com.com (8.12.6/8.12.6) with ESMTP id gATNaoci005146
        for ; Fri, 29 Nov 2002 15:36:50 -0800 (PST)
Received: from com (2x-x-x-x.san.rr.com [24.x.x.x])
        by orngca-mls01.socal.rr.com (8.11.4/8.11.3) with ESMTP id gATNZmQ19835
        for ; Fri, 29 Nov 2002 15:35:49 -0800 (PST)
Message-ID: <3DE7FAE0.7010603@tw.l-3com.com>
Date: Fri, 29 Nov 2002 23:40:16 +0000
From: Ack
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: jadams@gatekeeper.no-ip.com
Subject: [Fwd: Sample]
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

From jadams at GATEKEEPER.NO-IP.COM Sat Nov 30 00:36:08 2002
From: jadams at GATEKEEPER.NO-IP.COM (Jeff Adams)
Date: Thu Jan 12 21:16:34 2006
Subject: mailertable being ignored - offTopic
References: <1038610966.1888.22.camel@tweety.tnjinfl.com>
Message-ID: <3DE807F8.70407@gatekeeper.no-ip.com>

James,

Your config looks fine, but you might want to add something to your
mailertable file to look like this:

.mydomain.com esmtp:[192.168.1.5]
mydomain.com esmtp:[192.168.1.5]

Check this info to be sure, but I think the dot in front of your domain
might be meant to translate user@host.mydomain.com and without the dot
translates user@domain.com.

Other mailertable tips:
Make sure that you are creating your mailertable file with the proper
database hash and check your logs for any errors. Be sure that you are
adding this feature to your sendmail.mc file, making the sendmail.cf
file and installing that one. Don't try to add the feature to
sendmail.cf file by hand (I've known people who've tried this).

Oh, and make sure that your relay system (192.168.1.5) speaks esmtp.
Older mail servers like MS Exchange 5.5 don't speak esmtp.

Good luck,
-jeff

PS: here's a URL that outlines the steps needed for getting mailertable
to work. (it's for freebsd, but it worked on my solaris system)

http://freebsd.peon.net/tutorials/16/

James Pifer wrote:

>Sorry to the list for asking about a definite Sendmail problem, but I've
>posted to Redhat's list and no one there was able to help. I
>successfully tested our configuration using Redhat 8 in my home
>environment, but now I'm having a problem trying to pilot it on a new
>server in production. I can't get Sendmail to forward the mail to the
>mail server specified in the mailertable.
>
>When a message comes in MailScanner does its thing, but then Sendmail
>sends the message back through the MX record instead of the server I
>have specified. (Once this server replaces the one at MX record, I would
>then get a mail loop problem: MX record points to itself).
Here is what >I have: >Redhat 8, Sendmail(8.12.5-7) > >/etc/mail/relay-domains has one line: >mydomain.com > >/etc/mail/mailertable has one line: >.mydomain.com esmtp:[192.168.1.5] > >/etc/mail/local-host-names has no entries > >I ran "make" while in /etc/mail and it returned me to a prompt so I >think it ran ok. I restarted Sendmail. The damn thing is still relaying >the mail to the mail server at the MX record instead of forwarding it >directly to the server specified in the mailertable. > >Can anyone tell me what I'm missing? >Thanks, >James > > From jadams at GATEKEEPER.NO-IP.COM Sat Nov 30 01:46:23 2002 From: jadams at GATEKEEPER.NO-IP.COM (Jeff Adams) Date: Thu Jan 12 21:16:34 2006 Subject: SpamAssassin not running (solved) References: <5.2.0.9.2.20021129093748.03c3cfa0@imap.ecs.soton.ac.uk> <3DE801EC.9010804@gatekeeper.no-ip.com> Message-ID: <3DE8186F.6070604@gatekeeper.no-ip.com> Yup, it was my fault all along. I killed the "sendmail -q15m" process to aid in debugging and I noticed that the email was still being delivered! That was my ah-ha! moment... Further investigating showed that I fat-fingered the sendmail startup script and left out the dash in "-ODeliveryMode=queueonly". Obviously that was my problem all along and now it seems to be working. Thanks to all for the help. Another happy MailScanner user! -jeff From mailscannerlist at TNJINFL.COM Sat Nov 30 02:43:32 2002 
From: mailscannerlist at TNJINFL.COM (James Pifer) Date: Thu Jan 12 21:16:34 2006 Subject: mailertable being ignored - offTopic In-Reply-To: <3DE807F8.70407@gatekeeper.no-ip.com> References: <1038610966.1888.22.camel@tweety.tnjinfl.com> <3DE807F8.70407@gatekeeper.no-ip.com> Message-ID: <1038624213.1887.25.camel@tweety.tnjinfl.com> Jeff, Thanks, it was the leading "." causing the problem. Removed it, reran make, and restarted MailScanner. It delivered my test message properly. Thanks to all who responded. James On Fri, 2002-11-29 at 19:36, Jeff Adams wrote: > James, > > Your config looks fine, but my might want to add something to your > mailertable file look like this: > > .mydomain.com esmtp:[192.168.1.5] > mydomain.com esmtp:[192.168.1.5] > > Check this info to be sure, but I think the dot in front of your domain > might be ment to translate user@host.mydomain.com and without the dot > translates user@domain.com. > > Other mailertable tips: > Make sure that you are creating your mailertable file with the proper > database hash and check your logs for any errors. Be sure that you are > adding this feature to your sendmail.mc file, making the sendmail.cf > file and installing that one. Don't try to add the feature to > sendmail.cf file by hand (I've known people who've tried this). > > Oh, and make sure that your relay system (192.168.1.5) speaks esmtp. > Older mail servers like MS Exchange 5.5 don't speak esmtp. > > Good luck, > -jeff > > PS: here's a URL that outlines the steps needed for getting mailertable > to work. (it's for freebsd, but it worked on my solaris system) > > http://freebsd.peon.net/tutorials/16/ > > James Pifer wrote: > > >Sorry to the list for asking about a definite Sendmail problem, but I've > >posted to Redhat's list and no one there was able to help. I > >successfully tested our configuration using Redhat 8 in my home > >environment, but now I'm having a problem trying to pilot it on a new > >server in production. 
I can't get Sendmail to forward the mail to the > >mail server specified in the mailertable. > > > >When a message comes in MailScanner does it's thing, but then Sendmail > >sends the message back through the MX record instead of the server I > >have specified. (Once this server replaces the one at MX record, I would > >then get a mail loop problem: MX record points to itself). Here is what > >I have: > >Redhat 8, Sendmail(8.12.5-7) > > > >/etc/mail/relay-domains has one line: > >mydomain.com > > > >/etc/mail/mailertable has one line: > >.mydomain.com esmtp:[192.168.1.5] > > > >/etc/mail/local-host-names has no entries > > > >I ran "make" while in /etc/mail and it returned me to a prompt so I > >think it ran ok. I restarted Sendmail. The damn thing is still relaying > >the mail to the mail server at the MX record instead of forwarding it > >directly to the server specified in the mailertable. > > > >Can anyone tell me what I'm missing? > >Thanks, > >James > > > > From mailscannerlist at TNJINFL.COM Sat Nov 30 02:54:39 2002 
From: mailscannerlist at TNJINFL.COM (James Pifer)
Date: Thu Jan 12 21:16:34 2006
Subject: Shutdown errors
Message-ID: <1038624879.1888.33.camel@tweety.tnjinfl.com>

I'll be honest, I got lazy and didn't search the archive first. Should I
be concerned about these errors when shutting down MailScanner? It's
MailScanner version 4.05-3. Everything seems to run ok when it's
running.

Thanks,
James
(I'm not really talking about the "FAILED" on the second stop. I assume
that's because the Sendmail processes were already stopped the first
time...)

[root@chiadmin2 mail]# service MailScanner stop
Shutting down MailScanner daemons:
 MailScanner: We haven't got any child processes, which isn't right!
, No child processes at /usr/sbin/MailScanner line 191.
We have just tried to reap a process which wasn't one of ours!, No child processes
 at /usr/sbin/MailScanner line 194.
 [ OK ]
 incoming sendmail: [ OK ]
 outgoing sendmail: [ OK ]
[root@chiadmin2 mail]# service MailScanner stop
Shutting down MailScanner daemons:
 MailScanner: [ OK ]
 incoming sendmail: [FAILED]
 outgoing sendmail: [FAILED]

From rich at MAIL.WVNET.EDU Sat Nov 30 15:11:16 2002
From: rich at MAIL.WVNET.EDU (Richard Lynch) Date: Thu Jan 12 21:16:34 2006 Subject: Big problem.. help... In-Reply-To: <5.2.0.9.2.20021127143735.0386efe8@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20021127111615.01fbbcd8@imap.ecs.soton.ac.uk> <1038349713.4378.4.camel@localhost> <1038349713.4378.4.camel@localhost> <5.2.0.9.2.20021127111615.01fbbcd8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20021127143735.0386efe8@imap.ecs.soton.ac.uk> Message-ID: <1038669075.1710.11.camel@localhost> On Wed, 2002-11-27 at 09:38, Julian Field wrote: > Try moving the qf+df pairs back in to the mqueue.in about 50 at a time, and > see if it stands that or whether there is 1 message that kills it. That way > you can get all but the troublesome message delivered. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ Yes, there is one queue file pair that causes the problem. As you suggested I moved 50 at a time until I found the group with the problem file. I then further narrowed it down to a single mail file pair. If I move those two files into the mqueue.in directory I get the error message... > Can't use an undefined value as an ARRAY reference at > /usr/lib/MailScanner/MailScanner/Sendmail.pm line 805, > line 15. The GENnnn part of the message changes as the message is issued over and over again. I also get the messages... > We haven't got any child processes, which isn't right!, No child > processes at /usr/sbin/MailScanner line 191. > We have just tried to reap a process which wasn't one of ours!, No > child processes at /usr/sbin/MailScanner line 194. Ultimately I have to stop mailscanner with "service MailScanner stop", remove the problem file pair and restart it. Clearly there's something wrong with that mail file. I don't understand the format enough to know what it is though. If you would like I can send them to you. Otherwise I'll just delete them. 
-- Richard Lynch From mailscanner at ecs.soton.ac.uk Sat Nov 30 15:22:09 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:34 2006 Subject: SuSE users? Message-ID: <5.2.0.9.2.20021130152112.02e91d20@imap.ecs.soton.ac.uk> Would anyone like to help test the SuSE package of MailScanner please? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Sat Nov 30 15:19:59 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:34 2006 Subject: Shutdown errors In-Reply-To: <1038624879.1888.33.camel@tweety.tnjinfl.com> Message-ID: <5.2.0.9.2.20021130151912.02ce7eb8@imap.ecs.soton.ac.uk> At 02:54 30/11/2002, you wrote: >I'll be honest, I got lazy and didn't search the archive first. Should I >be concerned about these errors when shutting down MailScanner? It's >MailScanner version 4.05-3. Everything seems to run ok when it's >running. Don't worry about this, it's just some very paranoid coding on my part. I've sorted out the error messages in the next release (which is very soon, promise!). >Thanks, >James >(I'm not really talking about the "FAILED" on the second stop. I assume >that's because the Sendmail processes were already stopped the first >time...) > >[root@chiadmin2 mail]# service MailScanner stop >Shutting down MailScanner daemons: > MailScanner: We haven't got any child processes, which >isn't right! >, No child processes at /usr/sbin/MailScanner line 191. >We have just tried to reap a process which wasn't one of ours!, No child >processes > at /usr/sbin/MailScanner line 194. > [ OK ] > incoming sendmail: [ OK ] > outgoing sendmail: [ OK ] >[root@chiadmin2 mail]# service MailScanner stop >Shutting down MailScanner daemons: > MailScanner: [ OK ] > incoming sendmail: [FAILED] > outgoing sendmail: [FAILED] -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Sat Nov 30 15:21:11 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:34 2006 Subject: Big problem.. help... In-Reply-To: <1038669075.1710.11.camel@localhost> References: <5.2.0.9.2.20021127143735.0386efe8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20021127111615.01fbbcd8@imap.ecs.soton.ac.uk> <1038349713.4378.4.camel@localhost> <1038349713.4378.4.camel@localhost> <5.2.0.9.2.20021127111615.01fbbcd8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20021127143735.0386efe8@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20021130152034.02e7cf50@imap.ecs.soton.ac.uk> At 15:11 30/11/2002, you wrote: >On Wed, 2002-11-27 at 09:38, Julian Field wrote: > > Try moving the qf+df pairs back in to the mqueue.in about 50 at a time, and > > see if it stands that or whether there is 1 message that kills it. That way > > you can get all but the troublesome message delivered. > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > >Yes, there is one queue file pair that causes the problem. As you >suggested I moved 50 at a time until I found the group with the problem >file. I then further narrowed it down to a single mail file pair. If I >move those two files into the mqueue.in directory I get the error >message... > > > Can't use an undefined value as an ARRAY reference at > > /usr/lib/MailScanner/MailScanner/Sendmail.pm line 805, > > line 15. > >The GENnnn part of the message changes as the message is issued over and >over again. I also get the messages... > > > We haven't got any child processes, which isn't right!, No child > > processes at /usr/sbin/MailScanner line 191. > > We have just tried to reap a process which wasn't one of ours!, No > > child processes at /usr/sbin/MailScanner line 194. > >Ultimately I have to stop mailscanner with "service MailScanner stop", >remove the problem file pair and restart it. Clearly there's something >wrong with that mail file. 
I don't understand the format enough to know
>what it is though. If you would like I can send them to you. Otherwise
>I'll just delete them.

Yes, please can you send me the qf+df files. I would like to fix this.

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From nerijus at USERS.SOURCEFORGE.NET Sat Nov 30 15:57:57 2002
From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas)
Date: Thu Jan 12 21:16:34 2006
Subject: double extensions
Message-ID: <200211301558.gAUFw36i023874@mx.ktv.lt>

Hello,

IMHO xxx.yyy.doc should be allowed, while xxx.txt.scr and similar not.

Regards,
Nerijus

From Antony at SOFT-SOLUTIONS.CO.UK Sat Nov 30 16:09:56 2002
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:16:34 2006
Subject: double extensions
In-Reply-To: <200211301558.gAUFw36i023874@mx.ktv.lt>
References: <200211301558.gAUFw36i023874@mx.ktv.lt>
Message-ID: <20021130160959.RMUK29196.mta01-svc.ntlworld.com@there>

On Saturday 30 November 2002 3:57 pm, Nerijus Baliunas wrote:

> Hello,
>
> IMHO xxx.yyy.doc should be allowed, while xxx.txt.scr and similar not.

Same here, and also for filename.xxx.xls

Antony

--
The truth is rarely pure, and never simple.
 - Oscar Wilde

From mailscanner at ecs.soton.ac.uk Sat Nov 30 16:18:15 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:34 2006
Subject: double extensions
In-Reply-To: <20021130160959.RMUK29196.mta01-svc.ntlworld.com@there>
References: <200211301558.gAUFw36i023874@mx.ktv.lt> <200211301558.gAUFw36i023874@mx.ktv.lt>
Message-ID: <5.2.0.9.2.20021130161703.02e709c8@imap.ecs.soton.ac.uk>

At 16:09 30/11/2002, you wrote:
>On Saturday 30 November 2002 3:57 pm, Nerijus Baliunas wrote:
>
> > Hello,
> >
> > IMHO xxx.yyy.doc should be allowed, while xxx.txt.scr and similar not.
>
>Same here, and also for filename.xxx.xls

In which case edit filename.rules.conf. That's why the config file is there
:-) None of the files are "sacred", change what you like.

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Sat Nov 30 16:15:27 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:34 2006
Subject: Big problem.. help...
In-Reply-To: <5.2.0.9.2.20021130152034.02e7cf50@imap.ecs.soton.ac.uk>
References: <1038669075.1710.11.camel@localhost> <5.2.0.9.2.20021127143735.0386efe8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20021127111615.01fbbcd8@imap.ecs.soton.ac.uk> <1038349713.4378.4.camel@localhost> <1038349713.4378.4.camel@localhost> <5.2.0.9.2.20021127111615.01fbbcd8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20021127143735.0386efe8@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20021130161427.02e90470@imap.ecs.soton.ac.uk>

Turned out this was caused by a message with no headers at all. I didn't
think this was even possible, I tried pretty hard to create one myself and
couldn't do it.
Bug fixed for the next release.

At 15:21 30/11/2002, you wrote:
>At 15:11 30/11/2002, you wrote:
>>On Wed, 2002-11-27 at 09:38, Julian Field wrote:
>> > Try moving the qf+df pairs back in to the mqueue.in about 50 at a
>> time, and
>> > see if it stands that or whether there is 1 message that kills it.
>> That way
>> > you can get all but the troublesome message delivered.
>> > --
>> > Julian Field                Teaching Systems Manager
>> > jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
>> > Tel. 023 8059 2817          University of Southampton
>> >                             Southampton SO17 1BJ
>>
>>Yes, there is one queue file pair that causes the problem. As you
>>suggested I moved 50 at a time until I found the group with the problem
>>file. I then further narrowed it down to a single mail file pair. If I
>>move those two files into the mqueue.in directory I get the error
>>message...
>>
>> > Can't use an undefined value as an ARRAY reference at
>> > /usr/lib/MailScanner/MailScanner/Sendmail.pm line 805,
>> > line 15.
>>
>>The GENnnn part of the message changes as the message is issued over and
>>over again. I also get the messages...
>>
>> > We haven't got any child processes, which isn't right!, No child
>> > processes at /usr/sbin/MailScanner line 191.
>> > We have just tried to reap a process which wasn't one of ours!, No
>> > child processes at /usr/sbin/MailScanner line 194.
>>
>>Ultimately I have to stop mailscanner with "service MailScanner stop",
>>remove the problem file pair and restart it. Clearly there's something
>>wrong with that mail file. I don't understand the format enough to know
>>what it is though. If you would like I can send them to you. Otherwise
>>I'll just delete them.
>
>Yes, please can you send me the qf+df files. I would like to fix this.
>--
>Julian Field                Teaching Systems Manager
>jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
>Tel. 023 8059 2817          University of Southampton
>                            Southampton SO17 1BJ

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mime at GMX.DE Sat Nov 30 16:25:57 2002
From: mime at GMX.DE (Michael Meyer)
Date: Thu Jan 12 21:16:34 2006
Subject: SuSE users?
In-Reply-To: <5.2.0.9.2.20021130152112.02e91d20@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20021130152112.02e91d20@imap.ecs.soton.ac.uk>
Message-ID: <20021130162557.GA16945@mime.dyndns.org>

Julian Field wrote:
> Would anyone like to help test the SuSE package of MailScanner please?

yes. of course. but i only use it in my private LAN. i can test it with
SuSE 7.1 or SuSE 8.0. i use Mailscanner v3 on my SuSE 7.1 since a few
months.

micha

From Antony at SOFT-SOLUTIONS.CO.UK Sat Nov 30 16:29:03 2002
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:16:34 2006
Subject: double extensions
In-Reply-To: <5.2.0.9.2.20021130161703.02e709c8@imap.ecs.soton.ac.uk>
References: <200211301558.gAUFw36i023874@mx.ktv.lt> <5.2.0.9.2.20021130161703.02e709c8@imap.ecs.soton.ac.uk>
Message-ID: <20021130162906.CWXO6732.mta06-svc.ntlworld.com@there>

On Saturday 30 November 2002 4:18 pm, Julian Field wrote:

> At 16:09 30/11/2002, you wrote:
>
> > > Hello,
> > >
> > > IMHO xxx.yyy.doc should be allowed, while xxx.txt.scr and similar not.
> >
> >Same here, and also for filename.xxx.xls
>
> In which case edit filename.rules.conf. That's why the config file is there
> :-) None of the files are "sacred", change what you like.

Oh, indeed - I have. I was just suggesting a useful change to the defaults.

Antony.

--
Windows: just another pane in the glass.
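
[Added example, not part of the thread and not MailScanner's shipped rules or code: a small Python model of the policy discussed above, showing how an allow rule for a final .doc/.xls extension has to sit before a blanket double-extension deny. The rule lists, the first-match-wins evaluation, the regexes and the sample filenames are all constructed assumptions for illustration.]

```python
import re

# Constructed pattern: any name ending in two extension-like parts.
DOUBLE_EXT = r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$"

# Assumed semantics: rules are checked top to bottom, the first matching
# regex decides, and a name that matches nothing is allowed.
BLANKET = [
    ("deny", DOUBLE_EXT, "possible filename hiding"),
]

# The change suggested in the thread: pass names whose *final* extension is
# .doc or .xls, keep denying every other double extension.
PROPOSED = [
    ("allow", r"\.(doc|xls)$", "document type is the final extension"),
    ("deny", DOUBLE_EXT, "possible filename hiding"),
]


def normalise(filename):
    # Win32 file APIs strip trailing dots and spaces, so judge the name the
    # recipient's machine would actually end up with.
    return filename.rstrip(". \t").lower()


def evaluate(filename, rules):
    """Return (action, reason) from the first rule whose regex matches."""
    name = normalise(filename)
    for action, pattern, reason in rules:
        if re.search(pattern, name):
            return action, reason
    return "allow", "no rule matched"


# Constructed sample attachment names.
SAMPLES = ["xxx.yyy.doc", "filename.xxx.xls", "xxx.txt.scr",
           "Report.DOC   .scr", "budget.xls.pif. ", "notes.txt"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:22} blanket={evaluate(sample, BLANKET)[0]:5} "
              f"proposed={evaluate(sample, PROPOSED)[0]}")
```

[Reversing the order of PROPOSED makes the blanket deny win again for xxx.yyy.doc, which is why rule order matters under first-match evaluation.]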