From isp-list at TULSACONNECT.COM Fri Nov 1 00:58:06 2002
From: isp-list at TULSACONNECT.COM (ISP List)
Date: Thu Jan 12 21:16:16 2006
Subject: Rules via SQL queries?
In-Reply-To: <5.1.0.14.2.20021026142015.045baed8@imap.ecs.soton.ac.uk>
References: <5.1.1.6.2.20021026081012.03adeff8@securemail.tulsaconnect.com>
Message-ID: <5.1.1.6.2.20021031185507.04526d30@securemail.tulsaconnect.com>

At 02:25 PM 10/26/2002 +0100, you wrote:
>What I have been thinking about is a slightly more general system than
>that. You set a parameter to be the name of a Perl function. You write the
>function, which is passed a message and returns a result for that rule.
>Then you can easily write plugins that do things like this. You also write
>an initialisation function that is called at startup for you to setup any
>global state such as database connections.
>
>And you can develop them entirely independent of the MS distribution so
>upgrading is simple.

Question on that.. in exim, if I specify something like this in the config
file:

domainlist relay_to_domains = mysql;SELECT DISTINCT domain from domains
WHERE mx1='mx10.tulsaconnect.com' AND domain='${domain}';

..it executes that sql statement for *every* message that passes through -
it does not just pull the list of domains once and cache it. In the system
you describe above for MailScanner, does it execute the Rule for each
message that is processed? (I think it does, but I just want to make sure)

--Mike

From isp-list at TULSACONNECT.COM Fri Nov 1 01:00:55 2002
From: isp-list at TULSACONNECT.COM (ISP List)
Date: Thu Jan 12 21:16:16 2006
Subject: Rules via SQL queries?
In-Reply-To: <5.1.1.6.2.20021031185507.04526d30@securemail.tulsaconnect.com>
References: <5.1.0.14.2.20021026142015.045baed8@imap.ecs.soton.ac.uk>
 <5.1.1.6.2.20021026081012.03adeff8@securemail.tulsaconnect.com>
Message-ID: <5.1.1.6.2.20021031185844.04519c48@securemail.tulsaconnect.com>

>..it executes that sql statement for *every* message that passes through -
>it does not just pull the list of domains once and cache it. In the system
>you describe above for MailScanner, does it execute the Rule for each
>message that is processed? (I think it does, but I just want to make sure)

Oh - one more question, relating to SpamAssassin. If I were to use a Rule
that set the SpamAssassin score on a *per domain* basis, will that work in
"real-time" with the way that MailScanner loads the SpamAssassin Perl stuff
into memory at initialization time? That is, would MS pass SA the score
required on each message iteration or ?

--Mike

From hs at UKPS.GWDG.DE Fri Nov 1 07:47:53 2002
From: hs at UKPS.GWDG.DE (Howard Schultens)
Date: Thu Jan 12 21:16:16 2006
Subject: sophoswrapper not found
Message-ID: <3DC231A9.5000408@ukps.gwdg.de>

Andy Wright wrote:

> ...
>
> sophoswrapper is a script that comes with Mailscanner - not with Sophos
> Sweep. Looks like you may have accidentally deleted it when you did your
> Sophos upgrade.
>
> Andy.
>

Sophos has apparently changed some things starting with the 3.62
distribution. The previous version that I used, 3.59,
had a sophoswrapper and autoupdate in /usr/local/Sophos/bin

Mailscanner has its own files sophos-wrapper and sophos-autoupdate
in /opt/Mailscanner/lib. That is what has got me confused.

I also can't find what module is asking for sophoswrapper (without
the hyphen) as a configuration file (sic!), unless it is
/usr/local/Sophos/bin/sweep.

I can't verify if sophoswrapper in version 3.59 came from Sophos
since I deleted the original tar file.

This is what I love about systems administration and programming.
Sometimes your whole world hangs on a hyphen.

..Howard
hs@ukps.gwdg.de

From richard at SARA.NL Fri Nov 1 07:55:20 2002
From: richard at SARA.NL (Richard van Drimmelen)
Date: Thu Jan 12 21:16:16 2006
Subject: Rejected posting to MAILSCANNER@JISCMAIL.AC.UK
References: <200211010746.gA17k8K20513@mta.sara.nl>
Message-ID: <3DC23368.6040609@sara.nl>

Dear mailscanner owner,

I subscribed at jiscmail, but when I want to subscribe to the mailscanner
list, I can't see it when clicking on 'Show all lists' and 'Submit'. I see
that there are 50 lists available, but no 'mailscanner' list.

I seem to misunderstand something......

L-Soft list server at JISCMAIL (1.8e) wrote:

> You are not authorized to send mail to the MAILSCANNER list from your
> richard@SARA.NL account. You might be authorized to send to the list from
> another of your accounts, or perhaps when using another mail program which
> generates slightly different addresses, but LISTSERV has no way to associate
> this other account or address with yours. If you need assistance or if you have
> any question regarding the policy of the MAILSCANNER list, please contact the
> list owners: MAILSCANNER-request@JISCMAIL.AC.UK.
>
>
> ------------------------------------------------------------------------
>
> Subject:
> incoming subdirectories
> From:
> Richard van Drimmelen
> Date:
> Fri, 01 Nov 2002 08:48:17 +0100
>
>
> Running mailscanner v4-01-8 (on Solaris 8):
>
> In /var/spool/MailScanner/incoming, there are loads of subdirectories.
> All directories are numbers: the numbers of the processes that
> mailscanner uses, or used.
> When mailscanner spawns a new child, the old process dies, but the old
> directories are not removed.
>
> Is this fixed in a newer version ?
>
>
>

kind regards,

--
Richard van Drimmelen    | email: richard@sara.nl
System Services          | phone: +31 20 5928080
SARA Computing Services  | fax:   +31 20 6683167

From mailscanner at BARENDSE.TO Fri Nov 1 08:26:48 2002
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:16:16 2006
Subject: small hole in SpamAssassin check?
In-Reply-To: <5.1.0.14.2.20021031224037.02360f18@imap.ecs.soton.ac.uk>
Message-ID:

Indeed, the option was set to no. Strange though because it is just a porn
spam mail which should have triggered some of SA options.

Anyways, will keep looking!

On Thu, 31 Oct 2002, Julian Field wrote:

> Compliments to Matt, I hadn't thought of that! :-)
>
> At 22:05 31/10/2002, you wrote:
> >Ok, do you have the following things set in your mailscanner.conf?
> >
> >Use SpamAssassin = yes
> >Always Include SpamAssassin Report = yes
> >
> >Note that a spamcheck header will not be included for nonspam mails unless
> >the always include option is set.
> >
> >At 09:20 PM 10/31/2002 +0100, Remco Barendse wrote:
> >>No, no exceptions made :)
> >>
> >>The mail is being bounced by a regular isp to my box, neither the ISP
> >>domain nor the sender's domain are on any list.
>
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ
>
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mailscanner at BARENDSE.TO Fri Nov 1 08:35:10 2002
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:16:16 2006
Subject: "Greetings" -- sendmail block
In-Reply-To: <5.1.0.14.2.20021030151402.07eacea8@imap.ecs.soton.ac.uk>
Message-ID:

Cool!

Unfortunately the only way for me to try it would be on a production
server because I don't use M$ Exchange at home :)

Could several of these rules be used in the sendmail conf file because
Exchange will send out unwanted messages with the following subjects:

Delivery Status Notification (Success)
Read:
Not read:
Gelezen:
Niet gelezen:

I wouldn't want to silently drop any regular mail that must go through the
server.

Is blocking these kinds of messages on the todo list of features to come
:) :) ????

Remco

On Wed, 30 Oct 2002, Julian Field wrote:

> At 08:43 30/10/2002, you wrote:
> >Would this also work for blocking the Delivery Status Notifications like
> >Read Receipt and similar messages?
>
> Probably, yes.
>
> >Or would this start a war between the linux mail gateway and the exchange
> >server resulting in tons of messages bouncing back and forth?
>
> You can send them to $#discard rather than $#error which, if I remember
> rightly, will silently throw them away.
>
>
> >On Fri, 25 Oct 2002, Julian Field wrote:
> >
> > > In case you want to block this with sendmail, so that it never gets in to
> > > your site in the first place, this will do the job in your sendmail.cf
> > file:
> > >
> > > HSubject: $>Check_Subject
> > > D{FriendPat}you have an E-Card from
> > > D{FriendMsg}This message is probably a nasty E-Card.
> > > SCheck_Subject
> > > R$* ${FriendPat} $*	$#error $@ 5.7.1 $: ${FriendMsg}
> > >
> > > Remember that the whitespace before "$#error" has to be tabs and not
> > spaces.
> > >
> > > If you want to expand the list of subjects, just make more pairs of "D"
> > > lines to set the patterns and messages, and add a new R line for each one.
> > >
> > > At 17:18 25/10/2002, you wrote:
> > > >At 17:06 25/10/2002, you wrote:
> > > >>On Fri, 25 Oct 2002, Julian Field wrote:
> > > >> > Would people prefer
> > > >> > 1) Replace the content of messages containing "nasty" headers such as
> > > >> this,
> > > >> > as if it was a virus
> > > >> > 2) Just flag it as spam and handle according to the normal "Spam
> > Actions"
> > > >> > ?
> > > >> >
> > > >> > I'm writing (1) at the moment, but it just occurred to me that (2)
> > > >> might be
> > > >> > better.
> > > >> >
> > > >> > Your votes please...
> > > >>
> > > >>This is mere speculation and may be impractical, but...
> > > >>
> > > >>How about making the behaviour (currently a proposed two-list of
> > > >>"virus-like" or "spam-like") somehow selectable by the sys.admin.??
> > > >
> > > >How did I know that someone was about to say that...
> > > >:-)
> > > >
> > > >I'm going to go with the SpamAssassin solution for now, it means less work
> > > >for me and I've had a long week. More brandy needed....
> > > >--
> > > >Julian Field                Teaching Systems Manager
> > > >jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> > > >Tel. 023 8059 2817          University of Southampton
> > > >                            Southampton SO17 1BJ
> > >
> > > --
> > > Julian Field                Teaching Systems Manager
> > > jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> > > Tel. 023 8059 2817          University of Southampton
> > >                             Southampton SO17 1BJ
> > >
> > >
> >
> >
> >--
> >This message has been scanned for viruses and
> >dangerous content by MailScanner, and is
> >believed to be clean.
>
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ
>
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mailscanner at ecs.soton.ac.uk Fri Nov 1 09:08:54 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:16 2006
Subject: sophoswrapper not found
In-Reply-To: <3DC231A9.5000408@ukps.gwdg.de>
Message-ID: <5.1.0.14.2.20021101090703.04a8e450@imap.ecs.soton.ac.uk>

At 07:47 01/11/2002, you wrote:
>Andy Wright wrote:
>>sophoswrapper is a script that comes with Mailscanner - not with Sophos
>>Sweep. Looks like you may have accidentally deleted it when you did your
>>Sophos upgrade.
>
>Sophos has apparently changed some things starting with the 3.62
>distribution. The previous version that I used, 3.59,
>had a sophoswrapper and autoupdate in /usr/local/Sophos/bin

Those scripts were never a part of Sophos (I wrote them!), they were
provided as part of the MailScanner version 3 distribution.

>Mailscanner has its own files sophos-wrapper and sophos-autoupdate
>in /opt/Mailscanner/lib. That is what has got me confused.

With the release of MailScanner 4, they have been moved to
/opt/MailScanner/lib and renamed slightly.

>I also can't find what module is asking for sophoswrapper (without
>the hyphen) as a configuration file (sic!), unless it is
>/usr/local/Sophos/bin/sweep.

Take a look in /opt/MailScanner/etc. There's a file "virus.scanners.conf"
in there.

>I can't verify if sophoswrapper in version 3.59 came from Sophos
>since I deleted the original tar file.

No it didn't.

>This is what I love about systems administration and programming.
>Sometimes your whole world hangs on a hyphen.

:-)
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Fri Nov 1 09:05:17 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:16 2006
Subject: Rules via SQL queries?
In-Reply-To: <5.1.1.6.2.20021031185507.04526d30@securemail.tulsaconnect.com>
References: <5.1.0.14.2.20021026142015.045baed8@imap.ecs.soton.ac.uk>
 <5.1.1.6.2.20021026081012.03adeff8@securemail.tulsaconnect.com>
Message-ID: <5.1.0.14.2.20021101090204.04871a20@imap.ecs.soton.ac.uk>

At 00:58 01/11/2002, you wrote:
>At 02:25 PM 10/26/2002 +0100, you wrote:
>>What I have been thinking about is a slightly more general system than
>>that. You set a parameter to be the name of a Perl function. You write the
>>function, which is passed a message and returns a result for that rule.
>>Then you can easily write plugins that do things like this. You also write
>>an initialisation function that is called at startup for you to setup any
>>global state such as database connections.
>>
>>And you can develop them entirely independent of the MS distribution so
>>upgrading is simple.
>
>Question on that.. in exim, if I specify something like this in the config
>file:
>
>domainlist relay_to_domains = mysql;SELECT DISTINCT domain from domains
>WHERE mx1='mx10.tulsaconnect.com' AND domain='${domain}';
>
>..it executes that sql statement for *every* message that passes through -
>it does not just pull the list of domains once and cache it. In the system
>you describe above for MailScanner, does it execute the Rule for each
>message that is processed? (I think it does, but I just want to make sure)

It can do both :-)
You get to write an "InitYourFunction" function which is called once at
startup (or re-start, so it gets run once every 4 hours by default). This
function can create database connections, do SQL queries and cache the
results in a global variable, whatever you like.
You also write the "YourFunction" function which is called for every message.
Whether you make this do an SQL query to a database whose connection you
cached, or whether you just look up the results in a global variable that
was set by "InitYourFunction" is entirely up to you. One way gets you more
speed, the other way picks up any data changes immediately.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Fri Nov 1 09:06:32 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:16 2006
Subject: Rules via SQL queries?
In-Reply-To: <5.1.1.6.2.20021031185844.04519c48@securemail.tulsaconnect.com>
References: <5.1.1.6.2.20021031185507.04526d30@securemail.tulsaconnect.com>
 <5.1.0.14.2.20021026142015.045baed8@imap.ecs.soton.ac.uk>
 <5.1.1.6.2.20021026081012.03adeff8@securemail.tulsaconnect.com>
Message-ID: <5.1.0.14.2.20021101090524.04869268@imap.ecs.soton.ac.uk>

At 01:00 01/11/2002, you wrote:
>>..it executes that sql statement for *every* message that passes through -
>>it does not just pull the list of domains once and cache it. In the system
>>you describe above for MailScanner, does it execute the Rule for each
>>message that is processed? (I think it does, but I just want to make sure)
>
>Oh - one more question, relating to SpamAssassin. If I were to use a Rule
>that set the SpamAssassin score on a *per domain* basis, will that work in
>"real-time" with the way that MailScanner loads the SpamAssassin Perl stuff
>into memory at initialization time? That is, would MS pass SA the score
>required on each message iteration or ?

It will work in "real-time". MS passes SA the required score for each
message individually.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Fri Nov 1 09:12:47 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:16 2006
Subject: "Greetings" -- sendmail block
In-Reply-To:
References: <5.1.0.14.2.20021030151402.07eacea8@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021101091154.04861c80@imap.ecs.soton.ac.uk>

At 08:35 01/11/2002, you wrote:
>Is blocking these kinds of messages on the todo list of features to come

Yes, eventually. I still need some more examples of all the status messages
Exchange can produce (in English) so I can work out a robust way of
spotting which ones I want to delete.

>On Wed, 30 Oct 2002, Julian Field wrote:
>
> > At 08:43 30/10/2002, you wrote:
> > >Would this also work for blocking the Delivery Status Notifications like
> > >Read Receipt and similar messages?
> >
> > Probably, yes.
> >
> > >Or would this start a war between the linux mail gateway and the exchange
> > >server resulting in tons of messages bouncing back and forth?
> >
> > You can send them to $#discard rather than $#error which, if I remember
> > rightly, will silently throw them away.
> >
> >
> > >On Fri, 25 Oct 2002, Julian Field wrote:
> > >
> > > > In case you want to block this with sendmail, so that it never gets
> in to
> > > > your site in the first place, this will do the job in your sendmail.cf
> > > file:
> > > >
> > > > HSubject: $>Check_Subject
> > > > D{FriendPat}you have an E-Card from
> > > > D{FriendMsg}This message is probably a nasty E-Card.
> > > > SCheck_Subject
> > > > R$* ${FriendPat} $*	$#error $@ 5.7.1 $: ${FriendMsg}
> > > >
> > > > Remember that the whitespace before "$#error" has to be tabs and not
> > > spaces.
> > > >
> > > > If you want to expand the list of subjects, just make more pairs of "D"
> > > > lines to set the patterns and messages, and add a new R line for
> each one.
> > > >
> > > > At 17:18 25/10/2002, you wrote:
> > > > >At 17:06 25/10/2002, you wrote:
> > > > >>On Fri, 25 Oct 2002, Julian Field wrote:
> > > > >> > Would people prefer
> > > > >> > 1) Replace the content of messages containing "nasty" headers
> such as
> > > > >> this,
> > > > >> > as if it was a virus
> > > > >> > 2) Just flag it as spam and handle according to the normal "Spam
> > > Actions"
> > > > >> > ?
> > > > >> >
> > > > >> > I'm writing (1) at the moment, but it just occurred to me that (2)
> > > > >> might be
> > > > >> > better.
> > > > >> >
> > > > >> > Your votes please...
> > > > >>
> > > > >>This is mere speculation and may be impractical, but...
> > > > >>
> > > > >>How about making the behaviour (currently a proposed two-list of
> > > > >>"virus-like" or "spam-like") somehow selectable by the sys.admin.??
> > > > >
> > > > >How did I know that someone was about to say that...
> > > > >:-)
> > > > >
> > > > >I'm going to go with the SpamAssassin solution for now, it means
> less work
> > > > >for me and I've had a long week. More brandy needed....
> > > > >--
> > > > >Julian Field                Teaching Systems Manager
> > > > >jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> > > > >Tel. 023 8059 2817          University of Southampton
> > > > >                            Southampton SO17 1BJ
> > > >
> > > > --
> > > > Julian Field                Teaching Systems Manager
> > > > jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> > > > Tel. 023 8059 2817          University of Southampton
> > > >                             Southampton SO17 1BJ
> > > >
> > > >
> > >
> > >
> > >--
> > >This message has been scanned for viruses and
> > >dangerous content by MailScanner, and is
> > >believed to be clean.
> >
> > --
> > Julian Field                Teaching Systems Manager
> > jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> > Tel. 023 8059 2817          University of Southampton
> >                             Southampton SO17 1BJ
> >
> >
> >
>--
>This message has been scanned for viruses and
>dangerous content by MailScanner, and is
>believed to be clean.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From P.G.M.Peters at civ.utwente.nl Fri Nov 1 09:22:23 2002
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:16:16 2006
Subject: version 4 config
In-Reply-To: <5.1.0.14.2.20021031174151.061ac238@imap.ecs.soton.ac.uk>
References: <200210311131.24989.lbergman@wtxs.net>
 <5.1.0.14.2.20021031174151.061ac238@imap.ecs.soton.ac.uk>
Message-ID:

Julian,

On Thu, 31 Oct 2002 17:49:11 +0000, you wrote:

>>The other question is on the "Spam List = " ruleset. What would be the general
>>form of this?
>
>Space-separated list of blocklists, which are defined in
>/etc/MailScanner/spam.lists.conf.

I notice you have a number of domain-related RFC-IGNORANT blacklists in
that file but you don't have RFC-IGNORANT-IPWHOIS in there with the
IP-based blacklists.

I have added the following blacklists:
|WIREHUB-DNSBL          blackholes.wirehub.net.
|SPEWS                  spews.relays.osirusoft.com.
|RFC-IGNORANT-IPWHOIS   ipwhois.rfc-ignorant.org.

--
Peter Peters
senior network administrator, Centrum voor Informatievoorziening,
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: +31 53 489 2301, fax: +31 53 489 2383, http://www.utwente.nl/civ

From raymond at PROLOCATION.NET Fri Nov 1 09:25:50 2002
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:16:16 2006
Subject: sophoswrapper not found
In-Reply-To: <5.1.0.14.2.20021101090703.04a8e450@imap.ecs.soton.ac.uk>
Message-ID:

Hi Julian,

> >Sophos has apparently changed some things starting with the 3.62
> >distribution. The previous version that I used, 3.59,
> >had a sophoswrapper and autoupdate in /usr/local/Sophos/bin
>
> Those scripts were never a part of Sophos (I wrote them!), they were
> provided as part of the MailScanner version 3 distribution.

Could you do a simple check with the RPM upgrade? I am using f-prot but
have to delete the Sophos update script from the cron.daily every time i
do a RPM upgrade.

Thanks,
Raymond.

From mailscanner at ecs.soton.ac.uk Fri Nov 1 09:34:31 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:16 2006
Subject: sophoswrapper not found
In-Reply-To:
References: <5.1.0.14.2.20021101090703.04a8e450@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021101093358.065a4c28@imap.ecs.soton.ac.uk>

At 09:25 01/11/2002, you wrote:
>Hi Julian,
>
> > >Sophos has apparently changed some things starting with the 3.62
> > >distribution. The previous version that I used, 3.59,
> > >had a sophoswrapper and autoupdate in /usr/local/Sophos/bin
> >
> > Those scripts were never a part of Sophos (I wrote them!), they were
> > provided as part of the MailScanner version 3 distribution.
>
>Could you do a simple check with the RPM upgrade? I am using f-prot but
>have to delete the Sophos update script from the cron.daily every time i
>do a RPM upgrade.

No need. The Sophos update cron job checks to see if you have Sophos
installed before doing anything. If you haven't got it installed it just
quietly exits.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From raymond at PROLOCATION.NET Fri Nov 1 09:52:26 2002
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:16:16 2006
Subject: sophoswrapper not found
In-Reply-To: <5.1.0.14.2.20021101093358.065a4c28@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> >Could you do a simple check with the RPM upgrade? I am using f-prot but
> >have to delete the Sophos update script from the cron.daily every time i
> >do a RPM upgrade.

> No need. The Sophos update cron job checks to see if you have Sophos
> installed before doing anything. If you haven't got it installed it just
> quietly exits.

Sure, that works, but i'd rather not see it there :)

Bye,
Raymond.

From mailscanner at ecs.soton.ac.uk Fri Nov 1 10:10:55 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:16 2006
Subject: sophoswrapper not found
In-Reply-To:
References: <5.1.0.14.2.20021101093358.065a4c28@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021101101008.04a84340@imap.ecs.soton.ac.uk>

At 09:52 01/11/2002, you wrote:
>Hi!
>
> > >Could you do a simple check with the RPM upgrade? I am using f-prot but
> > >have to delete the Sophos update script from the cron.daily every time i
> > >do a RPM upgrade.
>
> > No need. The Sophos update cron job checks to see if you have Sophos
> > installed before doing anything. If you haven't got it installed it just
> > quietly exits.
>
>Sure, that works, but i'd rather not see it there :)

And if you were to install Sophos after MailScanner?
You would have to create the cron job yourself, which is more difficult
than copying+editing one that is already there.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From raymond at PROLOCATION.NET Fri Nov 1 10:28:27 2002
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:16:16 2006
Subject: sophoswrapper not found
In-Reply-To: <5.1.0.14.2.20021101101008.04a84340@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> >Sure, that works, but i'd rather not see it there :)

> And if you were to install Sophos after MailScanner?
> You would have to create the cron job yourself, which is more difficult
> than copying+editing one that is already there.

Normally, when someone used 'upgrade' that's not the case. =)
But i'll delete it manually now :)

Bye,
Raymond.

From P.G.M.Peters at civ.utwente.nl Fri Nov 1 10:31:04 2002
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:16:16 2006
Subject: Rules via SQL queries?
In-Reply-To: <5.1.0.14.2.20021026155413.01dbc960@imap.ecs.soton.ac.uk>
References: <5.1.1.6.2.20021026081012.03adeff8@securemail.tulsaconnect.com>
 <5.1.0.14.2.20021026142015.045baed8@imap.ecs.soton.ac.uk>
 <5.1.0.14.2.20021026155413.01dbc960@imap.ecs.soton.ac.uk>
Message-ID: <3el4su4tnmqqeo2c4jbq7l6j6qg7q667sm@4ax.com>

On Sat, 26 Oct 2002 15:59:19 +0100, you wrote:

>If you want to give it a try, you'll find a new set of "mailscanner",
>"Config.pm" and "CustomConfig.pm" files attached. Have a read of
>CustomConfig.pm and see if it explains enough so you can see what you need
>to do.

I had problems finding the files inside the .zip file. It turned out I
had to change it to a .gz file and the resulting file seemed to be a
tar-file.

And with that comes my question:
There are two functions Initmyfunction and myfunction. But what if I
open a database and would like to close it when it is time for MS to
restart. Shouldn't there be a function like Endmyfunction?

--
Peter Peters
senior network administrator, Centrum voor Informatievoorziening,
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: +31 53 489 2301, fax: +31 53 489 2383, http://www.utwente.nl/civ

From mailscanner at ecs.soton.ac.uk Fri Nov 1 11:04:41 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:16 2006
Subject: Rules via SQL queries?
In-Reply-To: <3el4su4tnmqqeo2c4jbq7l6j6qg7q667sm@4ax.com>
References: <5.1.0.14.2.20021026155413.01dbc960@imap.ecs.soton.ac.uk>
 <5.1.1.6.2.20021026081012.03adeff8@securemail.tulsaconnect.com>
 <5.1.0.14.2.20021026142015.045baed8@imap.ecs.soton.ac.uk>
 <5.1.0.14.2.20021026155413.01dbc960@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021101105645.05f7e978@imap.ecs.soton.ac.uk>

At 10:31 01/11/2002, you wrote:
>On Sat, 26 Oct 2002 15:59:19 +0100, you wrote:
>
> >If you want to give it a try, you'll find a new set of "mailscanner",
> >"Config.pm" and "CustomConfig.pm" files attached. Have a read of
> >CustomConfig.pm and see if it explains enough so you can see what you need
> >to do.
>
>I had problems finding the files inside the .zip file. It turned out I
>had to change it to a .gz file and the resulting file seemed to be a
>tar-file.
>
>And with that comes my question:
>There are two functions Initmyfunction and myfunction. But what if I
>open a database and would like to close it when it is time for MS to
>restart. Shouldn't there be a function like Endmyfunction?

Yes, that did occur to me. But the database should notice that the process
on the client end of the function has exited and clear up anyway.

Okay, I've added an "End" function to them. It will get called whenever the
MailScanner processes die of old age or receive a "SIGHUP" (which forces
them to be respawned).

Hopefully this is the last change I will have to make, as changing this
stuff requires people to change their CustomConfig.pm functions to match
the new structure.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From carl.boberg at NRM.SE Fri Nov 1 12:24:58 2002
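
[Added example, not part of any posting in this archive and not MailScanner's own code: the Init / per-message / End hook pattern from the "Rules via SQL queries?" thread, modelled in Python, comparing a rule that caches the domain list at Init with one that queries for every message. The class and method names are hypothetical, SQLite stands in for the MySQL server, and the sample rows are constructed; the message-supplied domain is bound as a query parameter rather than pasted into the SQL text.]

```python
import os
import sqlite3
import tempfile

MX = "mx10.tulsaconnect.com"           # value from the query quoted in the thread
SAMPLE_ROWS = [                         # constructed sample data
    ("example.org", MX),
    ("example.net", MX),
    ("elsewhere.example", "mx20.example.com"),
]


class RelayDomainRule:
    """Hypothetical rule with the Init / per-message / End hooks from the thread."""

    def __init__(self, connect, mx, cached):
        self._connect = connect    # callable returning a DB-API connection
        self.mx = mx
        self.cached = cached       # True: answer from memory; False: query per message
        self.db = None
        self.cache = None
        self.queries = 0           # SQL statements issued, to show the cost

    def init(self):
        """Runs once at startup and again after every restart."""
        self.db = self._connect()
        if self.cached:
            rows = self.db.execute(
                "SELECT DISTINCT domain FROM domains WHERE mx1 = ?", (self.mx,)
            ).fetchall()
            self.queries += 1
            self.cache = frozenset(d.lower() for (d,) in rows)

    def check(self, domain):
        """Runs for every message; `domain` is untrusted message data."""
        domain = domain.lower()
        if self.cached:
            return domain in self.cache
        self.queries += 1
        # The domain is bound as a parameter, never spliced into the SQL text.
        rows = self.db.execute(
            "SELECT 1 FROM domains WHERE mx1 = ? AND domain = ? LIMIT 1",
            (self.mx, domain),
        ).fetchall()
        return bool(rows)

    def end(self):
        """Runs when the worker is retired: release the connection."""
        if self.db is not None:
            self.db.close()
        self.db = None
        self.cache = None


def demo():
    """Run both strategies against one database and return what each saw."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        admin = sqlite3.connect(path)
        admin.execute("CREATE TABLE domains (domain TEXT, mx1 TEXT)")
        admin.executemany("INSERT INTO domains VALUES (?, ?)", SAMPLE_ROWS)
        admin.commit()

        def connect():
            return sqlite3.connect(path)

        cached = RelayDomainRule(connect, MX, cached=True)
        live = RelayDomainRule(connect, MX, cached=False)
        cached.init()
        live.init()
        out = {"before": (cached.check("Example.ORG"), live.check("Example.ORG"))}

        # A domain is added while the workers are running.
        admin.execute("INSERT INTO domains VALUES (?, ?)", ("new.example", MX))
        admin.commit()
        out["after_insert"] = (cached.check("new.example"), live.check("new.example"))

        # Quote characters in the message-supplied value match nothing.
        odd = "x' OR '1'='1"
        out["odd_domain"] = (cached.check(odd), live.check(odd))

        # Restart: End then Init; the cached rule now sees the new row.
        cached.end()
        cached.init()
        out["after_restart"] = cached.check("new.example")
        out["queries"] = (cached.queries, live.queries)

        cached.end()
        live.end()
        admin.close()
        return out
    finally:
        os.remove(path)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The cached rule keeps rejecting the newly added domain until its next End/Init cycle, while the live rule accepts it at once at the cost of one query per message.
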
From: carl.boberg at NRM.SE (Carl Boberg)
Date: Thu Jan 12 21:16:16 2006
Subject: Mime problem?
Message-ID:

Hi all,
This logs to my console every now and then since I upgraded to MS 4 (from
3.x)

ignoring text in character set `WINDOWS-1252'
 at /usr/lib/perl5/site_perl/5.6.1/MIME/Parser/Filer.pm line 646

Just wondering if this is something to be concerned about?
If it is ignoring text can it still check it for Spam?
Maybe this really should be a question for SA?

Tnx in advance.

Regards
---------------------------------
Carl Boberg
System & Network Administrator
Dept. of Information Technology
Swedish Museum of Natural History
Frescativ. 40
104 05 Stockholm
carl.boberg@nrm.se
Phone: 08-519 551 16
Mobile: 0701-82 40 55
---------------------------------

From hs at UKPS.GWDG.DE Fri Nov 1 12:38:59 2002
From: hs at UKPS.GWDG.DE (Howard Schultens)
Date: Thu Jan 12 21:16:16 2006
Subject: sophoswrapper not found
References: <5.1.0.14.2.20021101090703.04a8e450@imap.ecs.soton.ac.uk>
Message-ID: <3DC275E3.6010600@ukps.gwdg.de>

Julian Field wrote, in part:

>>
>
> With the release of MailScanner 4, they have been moved to
> /opt/MailScanner/lib and renamed slightly.
>
>> I also can't find what module is asking for sophoswrapper (without
>> the hyphen) as a configuration file (sic!), unless it is
>> /usr/local/Sophos/bin/sweep.
>
>
> Take a look in /opt/MailScanner/etc. There's a file "virus.scanners.conf"
> in there.
>
>

OK, I see

# This is a list of the names of the virus scanning engines, along with the
# filename of the command or script to run to invoke each one.
sophos          /opt/MailScanner/lib/sophos-wrapper

in there, but still some part of MailScanner is unhappy and says

Nov 1 13:00:02 tonne mailscanner[18621]: Configuration file
/usr/local/Sophos/bin/sophoswrapper could not be opened for reading!

And the count of viruses found is ALWAYS zero since I updated (to MS
401-8).
I don't believe we're THAT clean!

...Howard

From mike at CAMAROSS.NET Fri Nov 1 12:43:13 2002
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:16:16 2006
Subject: sophoswrapper not found
In-Reply-To: <3DC275E3.6010600@ukps.gwdg.de>
Message-ID: <00b901c281a4$58d88640$6501a8c0@mikedesk>

Have you tried reinstalling Sophos with Julian's script?

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
Behalf Of Howard Schultens
Sent: Friday, November 01, 2002 6:39 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: sophoswrapper not found

Julian Field wrote, in part:

>>
>
> With the release of MailScanner 4, they have been moved to
> /opt/MailScanner/lib and renamed slightly.
>
>> I also can't find what module is asking for sophoswrapper (without
>> the hyphen) as a configuration file (sic!), unless it is
>> /usr/local/Sophos/bin/sweep.
>
>
> Take a look in /opt/MailScanner/etc. There's a file
> "virus.scanners.conf" in there.
>
>

OK, I see

# This is a list of the names of the virus scanning engines, along with the
# filename of the command or script to run to invoke each one.
sophos          /opt/MailScanner/lib/sophos-wrapper

in there, but still some part of MailScanner is unhappy and says

Nov 1 13:00:02 tonne mailscanner[18621]: Configuration file
/usr/local/Sophos/bin/sophoswrapper could not be opened for reading!

And the count of viruses found is ALWAYS zero since I updated (to MS
401-8). I don't believe we're THAT clean!

...Howard

From mailscanner at ecs.soton.ac.uk Fri Nov 1 12:34:03 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:16 2006 Subject: Mime problem? In-Reply-To: Message-ID: <5.1.0.14.2.20021101123150.05f9d690@imap.ecs.soton.ac.uk> At 12:24 01/11/2002, you wrote: >Hi all, >This logs to my console every now and then since I upgraded to MS 4 (from >3.x) > >ignoring text in character set `WINDOWS-1252' > at /usr/lib/perl5/site_perl/5.6.1/MIME/Parser/Filer.pm line 646 > >Just wondering if this is something to be concerned about? >If it is ignoring text kan it still check it for Spam? >Maybe this really should be a question for SA? I have already fixed this (couple of days ago) and this will be included in the security release of MailScanner 3 and 4 that I will be doing in a day or two. It's not actually very important at all, it doesn't affect the virus scanning. It only affects the attachment filenames, it does not affect the contents of the attachments. It's a MIME-tools problem, which fortunately I have worked around without anyone needing to patch the MIME-tools modules themselves. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Nov 1 12:39:32 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:16 2006 Subject: sophoswrapper not found In-Reply-To: <3DC275E3.6010600@ukps.gwdg.de> References: <5.1.0.14.2.20021101090703.04a8e450@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20021101123806.044fc230@imap.ecs.soton.ac.uk> At 12:38 01/11/2002, you wrote: >Julian Field wrote, in part: > >> >>With the release of MailScanner 4, they have been moved to >>/opt/MailScanner/lib and renamed slightly. >> >>>I also can't find what module is asking for sophoswrapper (without >>>the hyphen) as a configuration file (sic!), unless it is >>>/usr/local/Sophos/bin/sweep. >> >> >>Take a look in /opt/MailScanner/etc. There's a file "virus.scanners.conf" >>in there. >> > >OK, I see > ># This is a list of the names of the virus scanning engines, along with the ># filename of the command or script to run to invoke each one. >sophos /opt/MailScanner/lib/sophos-wrapper > >in there, but still some part of MailScanner is unhappy and says > >Nov 1 13:00:02 tonne mailscanner[18621]: Configuration file >/usr/local/Sophos/bin/sophoswrapper could not be opened for reading! From the fact that it happened at 2 seconds past the hour points to an old cron job. >And the count of viruses found is ALWAYS zero since I updated (to MS >401-8). >I don't believe we're THAT clean! Test out running /opt/MailScanner/lib/sophos-wrapper /tmp and check it outputs something sensible. Also run the autoupdate script by hand and check it leaves a working "sophos-wrapper". -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From hs at UKPS.GWDG.DE Fri Nov 1 13:36:26 2002 
From: hs at UKPS.GWDG.DE (Howard Schultens) Date: Thu Jan 12 21:16:16 2006 Subject: sophoswrapper not found References: <5.1.0.14.2.20021101090703.04a8e450@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021101123806.044fc230@imap.ecs.soton.ac.uk> Message-ID: <3DC2835A.8080301@ukps.gwdg.de> You really respond quickly! Julian Field wrote: > Test out running > /opt/MailScanner/lib/sophos-wrapper /tmp > and check it outputs something sensible. Also run the autoupdate > script by > hand and check it leaves a working "sophos-wrapper". I just installed MS 4.04-1, and this seems to have fixed the problem. I also did the test with sophos-autoupdate, and it seems to work fine. My crontab for root has the line: 01 08 * * * /opt/MailScanner/lib/sophos-autoupdate >> /var/log/sophos 2>&1 Should be OK(?). .. Howard Schultens hs@ukps.gwdg.de From LISTSERV at JISCMAIL.AC.UK Fri Nov 1 13:49:51 2002
From lbergman at wtxs.net Fri Nov 1 14:50:29 2002
From: lbergman at wtxs.net (Lewis Bergman)
Date: Thu Jan 12 21:16:16 2006
Subject: relay hits not triggering automatic spam tag
Message-ID: <200211010850.29220.lbergman@wtxs.net>

I have noticed that if a message has a hit from an RBL that it is not
automatically designated high scoring. I am sure this is by design. My
questions are these:

1. I have MS doing the rbls not SA so where are the scores for the rbl's
coming from?
3. If scores are gained from SA then I can use spam.assassin.prefs.conf to
tune the score for the lists I trust for this to always reach the high score
as mentioned in the conf file right?
2. If not 1 | 2 then should I change my setup to do all rbl lookups in SA so
that I can use spam.assassin.prefs.conf to assign a higher score so that I am
sure it is acted on?
--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
915-695-6962 ext 115

From mailscanner at ecs.soton.ac.uk Fri Nov 1 15:03:21 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:16 2006 Subject: relay hits not triggering automatic spam tag In-Reply-To: <200211010850.29220.lbergman@wtxs.net> Message-ID: <5.1.0.14.2.20021101150209.044dc3f8@imap.ecs.soton.ac.uk> At 14:50 01/11/2002, you wrote: >I have noticed that if a message has a hit from an RBL that it is not >automatically designated high scoring. I am sure this is by design. My >questions are these: > >1. I have MS doing the rbls not SA so where are the scores for the rbl's >coming from? There is no "score" associated with an RBL hit found by MailScanner. >3. If scores are gained from SA then I can use spam.assassin.prefs.conf to >tune the score for the lists I trust for this to always reach the high score >as mentioned in the conf file right? You will need to make SA do the RBL lookups in this case, not MS. >2. If not 1 | 2 the should I change my setup to do all rbl lookups in SA so >that I can use spam.assassin.prefs.conf to assign a higher score so that I am >sure it is acted on? Yes. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From lbergman at wtxs.net Fri Nov 1 15:19:04 2002 
From: lbergman at wtxs.net (Lewis Bergman) Date: Thu Jan 12 21:16:16 2006 Subject: relay hits not triggering automatic spam tag In-Reply-To: <5.1.0.14.2.20021101150209.044dc3f8@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20021101150209.044dc3f8@imap.ecs.soton.ac.uk> Message-ID: <200211010919.04292.lbergman@wtxs.net> > >1. I have MS doing the rbls not SA so where are the scores for the rbl's > >coming from? > > There is no "score" associated with an RBL hit found by MailScanner. With this being the case I am wondering: What does the rbl check in MS do or what is it used for? I am sure I am missing something here I just don't know what. Time to hit the SA docs I guess. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From james at PCXPERIENCE.COM Fri Nov 1 15:33:35 2002 
From: james at PCXPERIENCE.COM (James A. Pattie) Date: Thu Jan 12 21:16:16 2006 Subject: Rules via SQL queries? References: <5.1.0.14.2.20021026155413.01dbc960@imap.ecs.soton.ac.uk> <5.1.1.6.2.20021026081012.03adeff8@securemail.tulsaconnect. com> <5.1.0.14.2.20021026142015.045baed8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021026155413.01dbc960@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021101105645.05f7e978@imap.ecs.soton.ac.uk> Message-ID: <3DC29ECF.7070700@pcxperience.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Julian Field wrote: > At 10:31 01/11/2002, you wrote: > >> On Sat, 26 Oct 2002 15:59:19 +0100, you wrote: >> >> >If you want to give it a try, you'll find a new set of "mailscanner", >> >"Config.pm" and "CustomConfig.pm" files attached. Have a read of >> >CustomConfig.pm and see if it explains enough so you can see what you >> need >> >to do. >> >> I had problems finding the files inside the .zip file. It turned out I >> had to change it to a .gz file and the resulting file seemed to be a >> tar-file. >> >> And with that comes my question: >> There are two functions Initmyfunction and myfunction. But what if I >> open a database and would like to close it when it is time for MS to >> restart. Shouldn't there be function like Endmyfunction? > > > Yes, that did occur to me. But the database should notice that the process > on the client end of the function has exited and clear up anyway. > > Okay, I've added an "End" function to them. It will get called whenever the > MailScanner processes die of old age or receive a "SIGHUP" (which forces > them to be respawned). > > Hopefully this is the last change I will have to make, as changing this > stuff requires people to change their CustomConfig.pm functions to match > the new structure. Alternatively you could use the DBIWrapper module I maintain (http://dbiwrapper.sf.net/) to make your connection to the database. 
When the object you instantiated goes out of scope I automatically close the connection to the database and cleanup. It currently only supports MySQL, PostgreSQL and ODBC DBI modules. - -- James A. Pattie james@pcxperience.com Linux -- SysAdmin / Programmer Xperience, Inc. http://www.pcxperience.com/ http://www.xperienceinc.com/ GPG Key Available at http://www.pcxperience.com/gpgkeys/james.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE9wp7PtUXjwPIRLVERAvRXAKC1ayB5JeQtmUhKCL5vpUYd6i2SVACgxWVs FSbctA3u5hYiJJaKYep+PyQ= =TXDp -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at ecs.soton.ac.uk Fri Nov 1 15:32:47 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:16 2006 Subject: relay hits not triggering automatic spam tag In-Reply-To: <200211010919.04292.lbergman@wtxs.net> References: <5.1.0.14.2.20021101150209.044dc3f8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021101150209.044dc3f8@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20021101153214.04636c88@imap.ecs.soton.ac.uk> At 15:19 01/11/2002, you wrote: > > >1. I have MS doing the rbls not SA so where are the scores for the rbl's > > >coming from? > > > > There is no "score" associated with an RBL hit found by MailScanner. >With this being the case I am wondering: >What does the rbl check in MS do or what is it used for? Presence in an RBL implies spam tag. > I am sure I am >missing something here I just don't know what. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From alex at IALEX.NET Fri Nov 1 15:31:30 2002 
From: alex at IALEX.NET (Alex Short) Date: Thu Jan 12 21:16:16 2006 Subject: Mail Relay to Lotus Message-ID: Here's my problem, mail comes into the company via a web-proxy running on the firewall, that will be proxy'ing to the "mailscanner" machine. Call it mail-gw. My wish is it to scan the email and pass it on to the domino server. We run internal and external dns for this hostname, so how i had invisioned it is this. externally mx is ip of the firewall with the proxy internally mx is the ip of the domino server (5) and mail-gw (10) The problem is this, using that setup, any internal systems that require to email internally will try hitting the domino server. Perfect you think, wrong! the domino server (which isn't mine to administer) is setup to only accept connections from the mail-gw ip. Basically i'm trying to get rid of the mcafee scanner that currently sits on a winbox and replace it, but i'm finding it difficult telling mailscanner to scan and forward without relying on DNS. I suppose i could run a seperate dns server on the mailgw and mx is only the domino server, but i think that would be tremendous pain in the ass to have two independent dns servers. Any ideas.. at my old workplace i used amavis and just set DH in sendmail config file to the destination for all mail. Trying this with MailScanner basically got ignored ;) Alex From LISTSERV at JISCMAIL.AC.UK Fri Nov 1 16:55:25 2002 
From mailscanner at ecs.soton.ac.uk Fri Nov 1 17:05:36 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:16 2006 Subject: Mail Relay to Lotus In-Reply-To: Message-ID: <5.1.0.14.2.20021101170405.06062130@imap.ecs.soton.ac.uk> You should be able to use the same DNS/sendmail setup you used before. MailScanner does not get involved in the delivery process in any way whatsoever. Set sendmail+dns so it is doing the forwarding you want to happen, then just drop in MailScanner. At 15:31 01/11/2002, you wrote: >Here's my problem, mail comes into the company via a web-proxy running on >the firewall, that will be proxy'ing to the "mailscanner" machine. Call >it mail-gw. My wish is it to scan the email and pass it on to the domino >server. We run internal and external dns for this hostname, so how i had >invisioned it is this. > >externally mx is ip of the firewall with the proxy >internally mx is the ip of the domino server (5) and mail-gw (10) > >The problem is this, using that setup, any internal systems that require >to email internally will try hitting the domino server. Perfect you >think, wrong! the domino server (which isn't mine to administer) is setup >to only accept connections from the mail-gw ip. > >Basically i'm trying to get rid of the mcafee scanner that currently sits >on a winbox and replace it, but i'm finding it difficult telling >mailscanner to scan and forward without relying on DNS. I suppose i could >run a seperate dns server on the mailgw and mx is only the domino server, >but i think that would be tremendous pain in the ass to have two >independent dns servers. > >Any ideas.. at my old workplace i used amavis and just set DH in sendmail >config file to the destination for all mail. Trying this with MailScanner >basically got ignored ;) > >Alex -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at BARENDSE.TO Fri Nov 1 17:15:33 2002 
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:16:16 2006
Subject: Mail Relay to Lotus
In-Reply-To: <5.1.0.14.2.20021101170405.06062130@imap.ecs.soton.ac.uk>
Message-ID:

or even simpler make an entry in your /etc/mail/mailertable file like this

yourdomain.com esmtp:[10.1.0.20]

That's what I do to feed M$ Exchange on a local ip

the []'s make sure that sendmail doesn't do a lookup for the ip

Remco

On Fri, 1 Nov 2002, Julian Field wrote:

> You should be able to use the same DNS/sendmail setup you used before.
> MailScanner does not get involved in the delivery process in any way
> whatsoever.
>
> Set sendmail+dns so it is doing the forwarding you want to happen, then
> just drop in MailScanner.
>
> At 15:31 01/11/2002, you wrote:
> >Here's my problem, mail comes into the company via a web-proxy running on
> >the firewall, that will be proxy'ing to the "mailscanner" machine. Call
> >it mail-gw. My wish is it to scan the email and pass it on to the domino
> >server. We run internal and external dns for this hostname, so how i had
> >envisioned it is this.
> >
> >externally mx is ip of the firewall with the proxy
> >internally mx is the ip of the domino server (5) and mail-gw (10)
> >
> >The problem is this, using that setup, any internal systems that require
> >to email internally will try hitting the domino server. Perfect you
> >think, wrong! the domino server (which isn't mine to administer) is setup
> >to only accept connections from the mail-gw ip.
> >
> >Basically i'm trying to get rid of the mcafee scanner that currently sits
> >on a winbox and replace it, but i'm finding it difficult telling
> >mailscanner to scan and forward without relying on DNS. I suppose i could
> >run a separate dns server on the mailgw and mx is only the domino server,
> >but i think that would be tremendous pain in the ass to have two
> >independent dns servers.
> >
> >Any ideas..
at my old workplace i used amavis and just set DH in sendmail > >config file to the destination for all mail. Trying this with MailScanner > >basically got ignored ;) > > > >Alex > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From lbergman at wtxs.net Fri Nov 1 17:17:36 2002 From: lbergman at wtxs.net (Lewis Bergman) Date: Thu Jan 12 21:16:16 2006 Subject: good version of SpamAssassin? Message-ID: <200211011117.36962.lbergman@wtxs.net> I vaguely remember there being some problem with a certain version of SA. Was I imagining this? I am about to go from 2.31 to 2.43 and wanted to ensure I wasn't buggering something up. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From mailscanner at ecs.soton.ac.uk Fri Nov 1 17:20:19 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:16 2006
Subject: good version of SpamAssassin?
In-Reply-To: <200211011117.36962.lbergman@wtxs.net>
Message-ID: <5.1.0.14.2.20021101171949.060ad8d0@imap.ecs.soton.ac.uk>

At 17:17 01/11/2002, you wrote:
>I vaguely remember there being some problem with a certain version of SA. Was
>I imagining this? I am about to go from 2.31 to 2.43 and wanted to ensure I
>wasn't buggering something up.

2.40, 2.41 and 2.42 were trouble. 2.43 is fine.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From joelc at CTCHOUSTON.COM Fri Nov 1 17:27:32 2002
From: joelc at CTCHOUSTON.COM (Joel Colvin)
Date: Thu Jan 12 21:16:16 2006
Subject: Mail Relay to Lotus
In-Reply-To:
Message-ID: <000e01c281cb$f909fa00$c300a8c0@hewlett9por0s0>

If I understand correctly your request, I would do this with mailertable
in sendmail. You can get sendmail to bypass DNS lookup and go to a specific
host for a domain.

For example, in mailertable:

Boffo.com smtp:[nextserver.boffo.com]

This would tell sendmail to ignore DNS and MX rules and send all boffo.com
mail to the specified host. Now internal systems can use DNS to find the
way to mail out which may be completely different than the way in.

I use this for testing all the time and don't have to mess with the cf file
or dns to get my system to route mail to specific hosts. I also have clients
that need to receive mail over a specific VPN route and this is how I make
sure that mail goes out the proper link to the Internet.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Alex Short Sent: Friday, November 01, 2002 9:32 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Mail Relay to Lotus Here's my problem, mail comes into the company via a web-proxy running on the firewall, that will be proxy'ing to the "mailscanner" machine. Call it mail-gw. My wish is it to scan the email and pass it on to the domino server. We run internal and external dns for this hostname, so how i had invisioned it is this. externally mx is ip of the firewall with the proxy internally mx is the ip of the domino server (5) and mail-gw (10) The problem is this, using that setup, any internal systems that require to email internally will try hitting the domino server. Perfect you think, wrong! the domino server (which isn't mine to administer) is setup to only accept connections from the mail-gw ip. Basically i'm trying to get rid of the mcafee scanner that currently sits on a winbox and replace it, but i'm finding it difficult telling mailscanner to scan and forward without relying on DNS. I suppose i could run a seperate dns server on the mailgw and mx is only the domino server, but i think that would be tremendous pain in the ass to have two independent dns servers. Any ideas.. at my old workplace i used amavis and just set DH in sendmail config file to the destination for all mail. Trying this with MailScanner basically got ignored ;) Alex From derek at csolve.net Fri Nov 1 17:46:12 2002 
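The mailertable advice in the two replies above (square brackets stop sendmail doing an MX lookup on the relay host) can be checked mechanically. This is an added example, not code from any poster or from sendmail: a Python lint that classifies each next hop. The sample table is constructed; only its first two entries come from the thread, and the function names are hypothetical.

```python
"""Classify how each sendmail mailertable entry finds its next hop."""
import ipaddress
import re

# Mailers whose host part sendmail resolves over the network.
SMTP_MAILERS = {"smtp", "esmtp", "smtp8", "dsmtp", "relay"}
# A host is either a bracketed token or a run without ':' or whitespace.
HOST_RE = re.compile(r"\[[^\]]*\]|[^:\s]+")

# Constructed sample table; the first two entries are the ones in the thread.
SAMPLE = """\
# domain            mailer:host
yourdomain.com      esmtp:[10.1.0.20]
Boffo.com           smtp:[nextserver.boffo.com]
example.org         esmtp:mail.example.org
.example.net        smtp:[10.1.0.21]:backup.example.net
postmaster.example.org  local:postmaster
"""


def classify_host(host):
    """Return how sendmail will locate this host."""
    if not (host.startswith("[") and host.endswith("]")):
        return "mx-lookup"          # unbracketed: MX records are consulted
    inner = host[1:-1]
    if inner.lower().startswith("ipv6:"):
        inner = inner[5:]
    try:
        ipaddress.ip_address(inner)
        return "ip-literal"         # no name resolution needed at all
    except ValueError:
        return "name-no-mx"         # MX skipped, name must still resolve


def lint(text):
    """Return (domain, mailer, host, kind) for every SMTP-family next hop."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        domain, rhs = parts
        mailer, sep, hosts = rhs.partition(":")
        if not sep or mailer.lower() not in SMTP_MAILERS:
            continue                # local:, error: and friends are not relays
        for host in HOST_RE.findall(hosts):
            findings.append((domain, mailer, host, classify_host(host)))
    return findings


def domains_using_mx(text):
    """Domains with at least one next hop that is still subject to MX lookup."""
    seen = []
    for domain, _mailer, _host, kind in lint(text):
        if kind == "mx-lookup" and domain not in seen:
            seen.append(domain)
    return seen


def domains_needing_resolver(text):
    """Domains whose delivery depends on any name resolution (MX or address)."""
    seen = []
    for domain, _mailer, _host, kind in lint(text):
        if kind != "ip-literal" and domain not in seen:
            seen.append(domain)
    return seen


if __name__ == "__main__":
    for row in lint(SAMPLE):
        print("%-16s %-6s %-28s %s" % row)
```

Only the `ip-literal` entries deliver with no resolver at all; a bracketed host name skips MX but still has to resolve to an address.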
From: derek at csolve.net (Derek Buttineau)
Date: Thu Jan 12 21:16:16 2006
Subject: Little Bug in V4
References: <5.1.0.14.2.20021026142015.045baed8@imap.ecs.soton.ac.uk> <5.1.1.6.2.20021026081012.03adeff8@securemail.tulsaconnect. com> <5.1.0.14.2.20021101090204.04871a20@imap.ecs.soton.ac.uk>
Message-ID: <07f401c281ce$91fe3f80$8850a4cf@derek>

In the address2userdomain routine, $user and $domain seem to be reversed..

Was trying to write a custom function and after a little head scratching,
and some debugging found that $message->{todomain} contained the username
not the domain :) Reversed the two in the function and all worked well :)

Anyway, just FYI

Derek

From mark at TIPPINGMAR.COM Fri Nov 1 17:50:58 2002
From: mark at TIPPINGMAR.COM (Mark Nienberg)
Date: Thu Jan 12 21:16:16 2006
Subject: relay hits not triggering automatic spam tag
In-Reply-To: <200211010919.04292.lbergman@wtxs.net>
References: <5.1.0.14.2.20021101150209.044dc3f8@imap.ecs.soton.ac.uk>
Message-ID: <3DC24E82.18366.14990061@localhost>

On 1 Nov 2002 at 9:19, Lewis Bergman wrote:

> With this being the case I am wondering:
> What does the rbl check in MS do or what is it used for? I am sure I am
> missing something here I just don't know what.

It's for the folks who are using Mailscanner without Spam Assassin. If you
are using Spam Assassin in addition to MS, you probably want to let SA do
the rbl checks instead of MS.

--
Mark W. Nienberg, SE
Tipping Mar + associates
1906 Shattuck Ave, Berkeley, CA 94704
visit our website at http://www.tippingmar.com

From sevans at FOUNDATION.SDSU.EDU Fri Nov 1 18:19:50 2002
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans)
Date: Thu Jan 12 21:16:16 2006
Subject: good version of SpamAssassin?
Message-ID: <6214C3F9233D764C9E7029396C355015331604@mail.foundation.sdsu.edu>

Although my false negative rate is through the roof. Something to pay
attention to.

Steve Evans
SDSU Foundation
(619) 594-0653

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Friday, November 01, 2002 9:20 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: good version of SpamAssassin? At 17:17 01/11/2002, you wrote: >I vaguely remember there being some problem with a certain version of >SA. Was I imagining this? I am about to go from 2.31 to 2.43 and wanted >to ensure I wasn't buggering something up. 2.40, 2.41 and 2.42 were trouble. 2.43 is fine. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From lbergman at wtxs.net Fri Nov 1 18:28:00 2002 
From: lbergman at wtxs.net (Lewis Bergman)
Date: Thu Jan 12 21:16:16 2006
Subject: spam.assassin.conf
Message-ID: <200211011228.00533.lbergman@wtxs.net>

I know I am now testing everyone's patience but here I go again. In
spam.assassin.conf at the end is this:

# Added for MailScanner 14/6/2002
# If you specify these scores, SpamAssassin will do RBL checks as well as
# MailScanner, which just wastes CPU power and network bandwidth. Either
# do them here by uncommenting the rules below (if you have paid for them)
# or else uncomment the "skip_rbl_checks" line above and let MailScanner
# do the checks instead.
#
#score RCVD_IN_BL_SPAMCOP_NET 4
# These next 3 will cost you money, see mailscanner.conf.
#score RCVD_IN_RBL 10
#score RCVD_IN_RSS 1
#score RCVD_IN_DUL 1

Which implies to me that only those rules will be invoked unless I add more
or do the "score SOME_RULE 1" deal. But in
/usr/local/share/spamassassin/20_head_tests.cf there are many more rules
listed there like the following:

RCVD_IN_OSIRUSOFT_COM
X_OSIRU_OPEN_RELAY
X_OSIRU_DUL
X_OSIRU_SPAM_SRC
X_OSIRU_SPAMWARE_SITE
X_OSIRU_DUL_FH
RCVD_IN_RELAYS_ORDB_ORG
RCVD_IN_VISI
RCVD_IN_SBL
RCVD_IN_ORBS
RCVD_IN_DSBL
RCVD_IN_BONDEDSENDER
RCVD_IN_DUL_FH

So my question is do I need to go through and explicitly add a score for each
one to make it take effect? It seems that the rest of the rules don't need
this so I am a little confused(again).
--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
915-695-6962 ext 115

From mkettler at EVI-INC.COM Fri Nov 1 18:49:43 2002
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:16:16 2006
Subject: good version of SpamAssassin?
In-Reply-To: <5.1.0.14.2.20021101171949.060ad8d0@imap.ecs.soton.ac.uk>
References: <200211011117.36962.lbergman@wtxs.net>
Message-ID: <5.1.1.6.0.20021101134510.019d69c0@192.168.50.2>

Agreed, aside from adjusting the SpamAssassin timeouts (look for my prior
posting on that in this list just yesterday or the day before) I'm running
SpamAssassin 2.43 under MailScanner 3.24-1 without any problems.

I personally also have the AWL disabled, but the 2.43 version doesn't have
any significant AWL issues I'm aware of. I just feel that the AWL is a Bad
Idea when applied as a single global database like MailScanner winds up
doing. Lots of people use it this way without issues, but I see it as a
serious minefield fraught with dangers.

At 05:20 PM 11/1/2002 +0000, Julian Field wrote:
>At 17:17 01/11/2002, you wrote:
>>I vaguely remember there being some problem with a certain version of SA. Was
>>I imagining this? I am about to go from 2.31 to 2.43 and wanted to ensure I
>>wasn't buggering something up.
>
>2.40, 2.41 and 2.42 were trouble. 2.43 is fine.
>--
>Julian Field                Teaching Systems Manager
>jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
>Tel. 023 8059 2817          University of Southampton
>                            Southampton SO17 1BJ

From mkettler at EVI-INC.COM Fri Nov 1 18:56:29 2002
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:16:16 2006
Subject: spam.assassin.conf
In-Reply-To: <200211011228.00533.lbergman@wtxs.net>
Message-ID: <5.1.1.6.0.20021101135022.0187d640@192.168.50.2>

The SpamAssassin user configuration over-rides the default scores present
in 50_scores.cf. The "for pay" DNSbl's have default score values of 0, but
if you re-define them as nonzero it turns them on.

The zero-point score is explicitly specified in SpamAssassin's
50_scores.cf. All rules with a score of zero are disabled and do not run.
Any rule with a nonzero score, no matter how small, runs. Hence that score
disables these blacklists by default, unless later over-ridden by a user or
site preferences file.

Since lists like OSIRUSOFT are free to use without paying, SpamAssassin has
nonzero default scores for those rules. You can over-ride those scores to
be zero (effectively disabling the list) or to reduce or increase the score
vs the default one.

So by default you do NOT need to specify a score for the default set of
free DNSBL's to be used by SpamAssassin. You do need Net::DNS installed in
your version of Perl however.

At 12:28 PM 11/1/2002 -0600, Lewis Bergman wrote:
>So my question is do I need to go through and explicitly add a score for each
>one to make it take effect? It seems that the rest of the rules don't need
>this so I am a little confused(again).

From derek at csolve.net Fri Nov 1 19:43:30 2002
From: derek at csolve.net (Derek Buttineau)
Date: Thu Jan 12 21:16:16 2006
Subject: Fw: Little Bug in V4
Message-ID: <08a101c281de$f52a2d20$8850a4cf@derek>

Scratch that, the error isn't in the address2userdomain function but in the
one that calls it to populate the variables :)

162 push @{$this->{touser}}, $user;
163 push @{$this->{todomain}}, $user;

It's just pushing the user variable into both arrays :)

Derek

----- Original Message -----
From: "Derek Buttineau"
To:
Sent: Friday, November 01, 2002 12:46 PM
Subject: Little Bug in V4

> In the address2userdomain routine, $user and $domain seem to be reversed..
>
> Was trying to write a custom function and after a little head scratching,
> and some debugging found that $message->{todomain} contained the username
> not the domain :) Reversed the two in the function and all worked well :)
>
> Anyway, just FYI
>
> Derek
>
>

From rhicks at MINES.EDU Fri Nov 1 19:54:01 2002
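The effect of the bug Derek describes, as an added example that is not MailScanner's code: a message object fills `touser` and `todomain` from each recipient, and a per-domain lookup keyed on `todomain` then silently falls through to the default. The names `split_address`, `populate_buggy`, `populate_fixed`, `lookup_scores` and `%required_score`, and the sample addresses, are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: split "user@domain" at the last "@".
# The domain is lower-cased so later lookups are case-insensitive.
sub split_address {
    my ($addr) = @_;
    my $at = rindex($addr, '@');
    return ($addr, '') if $at < 0;    # bare local user, no domain part
    return (substr($addr, 0, $at), lc substr($addr, $at + 1));
}

# Caller with the defect from the post: both arrays receive $user.
sub populate_buggy {
    my ($this) = @_;
    foreach my $addr (@{ $this->{to} }) {
        my ($user, $domain) = split_address($addr);
        push @{ $this->{touser} },   $user;
        push @{ $this->{todomain} }, $user;      # should be $domain
    }
    return $this;
}

# Corrected caller: each array receives its own half of the address.
sub populate_fixed {
    my ($this) = @_;
    foreach my $addr (@{ $this->{to} }) {
        my ($user, $domain) = split_address($addr);
        push @{ $this->{touser} },   $user;
        push @{ $this->{todomain} }, $domain;
    }
    return $this;
}

# Constructed per-domain policy, standing in for any rule keyed on the
# recipient domain.
my %required_score = ('example.com' => 4, 'example.org' => 8);

# One "key=score" string per recipient; "default" when no entry matches.
sub lookup_scores {
    my ($this) = @_;
    return map {
        my $score = exists $required_score{$_} ? $required_score{$_} : 'default';
        "$_=$score";
    } @{ $this->{todomain} };
}

my @recipients = ('alice@Example.COM', 'bob@example.org');    # constructed
for my $case ([buggy => \&populate_buggy], [fixed => \&populate_fixed]) {
    my ($name, $populate) = @$case;
    my $msg = $populate->({ to => [@recipients], touser => [], todomain => [] });
    printf "%-5s %s\n", $name, join(', ', lookup_scores($msg));
}
```

With the buggy caller the lookup keys are usernames, so every recipient gets the default and nothing is logged; a per-domain rule appears to run while never matching.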
From: rhicks at MINES.EDU (Robert Hicks)
Date: Thu Jan 12 21:16:16 2006
Subject: email tagged as Denial of Service but not being saved
Message-ID:

I upgraded from Mailscanner 1.x to 4.03-1 three days ago. The new version (4.03-1) is working great as far as I can tell with the exception of one thing.

The issue is that over the past three days I have seen four "Denial of Service" messages logged to syslog but no attachments or body messages are being saved. The user does get an email that says "look here" with the correct message ID as I would expect but the message (and message ID directory) are never created in the quarantine area. Postmaster also does not get any email regarding the DoS message. Syslog normally would show "Saved entire message" or "Saved infected "filename"" but nothing shows in syslog other than "Denial of Service attack in in message gXXXXXXXXXXX." I need to allow the end user the option of at least seeing the quarantined data even if it is broken or does not contain a properly attached document.

Has anyone seen this problem before? From what I can tell, all virus infected files ARE being saved and logged properly. I have increased the TNEF timeout in hope that it will help in some fashion even though it has nothing to do with creating quarantined directories and email postmaster of a DoS message.

I just put 4.04-1 earlier today. I haven't seen any new DoS messages be tagged yet.

Also.....
Is there any way to prevent MailScanner from catching "external body" messages and tagging them? I have seen a couple of other posts on the subject but nothing concrete on being a future release option.

AIX 5.1-002, Perl 5.6.0, TNEF=internal, Mcafee, TNEF Timeout = 120, Scanner Timeout=300, Quarantine Infections = yes, Quarantine Whole Message = yes

Thanks in advance,

Robert

From LISTSERV at JISCMAIL.AC.UK Fri Nov 1 19:17:35 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e))
Date: Thu Jan 12 21:16:16 2006
Subject: MAILSCANNER: thang1.nguyen@MAILTEST.HAWAII.EDU left the list
Message-ID: <200211011917.TAA25608@magpie.ecs.soton.ac.uk>

Fri, 1 Nov 2002 19:17:35

Thang1 Nguyen has just signed off the MAILSCANNER list (MailScanner mailing list).

From alex at IALEX.NET Fri Nov 1 20:06:38 2002
From: alex at IALEX.NET (Alex Short)
Date: Thu Jan 12 21:16:16 2006
Subject: Mail Relay to Lotus
In-Reply-To: <000e01c281cb$f909fa00$c300a8c0@hewlett9por0s0>
Message-ID:

Joel, you rock, this is exactly the cluepon i needed.

Thanks

> If I understand correctly your request, I would do this with mailertable
> in sendmail. You can get sendmail to bypass DNS lookup and go to a
> specific host for a domain. For example, in mailertable:
>
> Boffo.com smtp:[nextserver.boffo.com]
>
> This would tell sendmail to ignore DNS and MX rules and send all
> boffo.com mail to the specified host.
>
> Now internal systems can use DNS to find the way to mail out which may
> be completely different than the way in. I use this for testing all the
> time and don't have to mess with the cf file or dns to get my system to
> route mail to specific hosts. I also have clients that need to receive
> mail over a specific VPN route and this is how I make sure that mail
> goes out the proper link to the Internet.
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Alex Short
> Sent: Friday, November 01, 2002 9:32 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Mail Relay to Lotus
>
> Here's my problem, mail comes into the company via a web-proxy running
> on the firewall, that will be proxy'ing to the "mailscanner" machine.
> Call it mail-gw. My wish is it to scan the email and pass it on to the
> domino server. We run internal and external dns for this hostname, so
> how i had envisioned it is this.
>
> externally mx is ip of the firewall with the proxy
> internally mx is the ip of the domino server (5) and mail-gw (10)
>
> The problem is this, using that setup, any internal systems that require
> to email internally will try hitting the domino server. Perfect you
> think, wrong! the domino server (which isn't mine to administer) is
> setup to only accept connections from the mail-gw ip.
>
> Basically i'm trying to get rid of the mcafee scanner that currently
> sits on a winbox and replace it, but i'm finding it difficult telling
> mailscanner to scan and forward without relying on DNS. I suppose i
> could run a separate dns server on the mailgw and mx is only the domino
> server, but i think that would be tremendous pain in the ass to have two
> independent dns servers.
>
> Any ideas.. at my old workplace i used amavis and just set DH in
> sendmail config file to the destination for all mail. Trying this with
> MailScanner basically got ignored ;)
>
> Alex
>
>

From mailscanner at ecs.soton.ac.uk Fri Nov 1 20:56:55 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:16 2006 Subject: email tagged as Denial of Service but not being saved In-Reply-To: Message-ID: <5.1.0.14.2.20021101205550.0389bea0@imap.ecs.soton.ac.uk> Thanks for reporting that. It is now detecting and handling this correctly. At 19:54 01/11/2002, you wrote: >I upgraded from Mailscanner 1.x to 4.03-1 three days ago. >The new version(4.03-1) is working great as far as I can >tell with the exception of one thing. > >The issue is that over the past three days I have seen four "Denial of >Service" messages logged to syslog but no attachments or body messages are >being saved. >The user does get an email that says "look here" with the correct message >ID as I would expect but the message(and message ID >directory) are never created in the quarantine area. Postmaster also >does not get any email regarding the DoS message. Syslog normally would >show "Saved entire message" or "Saved infected "filename"" but nothing >shows in syslog >other than "Denial of Service attack in in message gXXXXXXXXXXX." >I need to allow the end user the option of at least seeing the >quarantined data even if it is a broken or does not contain a properly >attached document. > >Has anyone seen this problem before? From what I can tell, all virus >infected files ARE being saved and logged properly. I have increased the >timeout TNEF timeout in hope that it will help in some fashion >even though it has nothing to do with creating quarantined directories >and email postmaster of a DoS message. > >I just put 4.04-1 earlier today. I haven't seen any new DoS messages >be tagged yet. > >Also..... >Is there any way to prevent MailScanner from catching "external body" >messages and tagging them? I have seen a couple of other posts on >the subject but nothing concrete on being a future release option. 
> > >AIX 5.1-002, Perl 5.6.0, TNEF=internal, Mcafee, TNEF Timeout = 120, >Scanner Timeout=300,Quarantine Infections = yes, Quarantine Whole Message >= yes > > >Thanks in advance, > >Robert -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From rhicks at MINES.EDU Fri Nov 1 21:35:45 2002 
From: rhicks at MINES.EDU (Robert Hicks) Date: Thu Jan 12 21:16:16 2006 Subject: email tagged as Denial of Service but not being saved In-Reply-To: <5.1.0.14.2.20021101205550.0389bea0@imap.ecs.soton.ac.uk> Message-ID: Julian, Thanks for the quick response! Do I need to update anything or did my upgrade to 4.04-1 take care of it? Robert On Fri, 1 Nov 2002, Julian Field wrote: > Thanks for reporting that. It is now detecting and handling this correctly. > > At 19:54 01/11/2002, you wrote: > >I upgraded from Mailscanner 1.x to 4.03-1 three days ago. > >The new version(4.03-1) is working great as far as I can > >tell with the exception of one thing. > > > >The issue is that over the past three days I have seen four "Denial of > >Service" messages logged to syslog but no attachments or body messages are > >being saved. > >The user does get an email that says "look here" with the correct message > >ID as I would expect but the message(and message ID > >directory) are never created in the quarantine area. Postmaster also > >does not get any email regarding the DoS message. Syslog normally would > >show "Saved entire message" or "Saved infected "filename"" but nothing > >shows in syslog > >other than "Denial of Service attack in in message gXXXXXXXXXXX." > >I need to allow the end user the option of at least seeing the > >quarantined data even if it is a broken or does not contain a properly > >attached document. > > > >Has anyone seen this problem before? From what I can tell, all virus > >infected files ARE being saved and logged properly. I have increased the > >timeout TNEF timeout in hope that it will help in some fashion > >even though it has nothing to do with creating quarantined directories > >and email postmaster of a DoS message. > > > >I just put 4.04-1 earlier today. I haven't seen any new DoS messages > >be tagged yet. > > > >Also..... > >Is there any way to prevent MailScanner from catching "external body" > >messages and tagging them? 
I have seen a couple of other posts on > >the subject but nothing concrete on being a future release option. > > > > > >AIX 5.1-002, Perl 5.6.0, TNEF=internal, Mcafee, TNEF Timeout = 120, > >Scanner Timeout=300,Quarantine Infections = yes, Quarantine Whole Message > >= yes > > > > > >Thanks in advance, > > > >Robert > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From mailscanner at ecs.soton.ac.uk Fri Nov 1 21:43:20 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:16 2006 Subject: email tagged as Denial of Service but not being saved In-Reply-To: References: <5.1.0.14.2.20021101205550.0389bea0@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20021101213754.038c6000@imap.ecs.soton.ac.uk> At 21:35 01/11/2002, you wrote: >Thanks for the quick response! Do I need to update anything or >did my upgrade to 4.04-1 take care of it? I'll be releasing an update for v3 and v4 in the next couple of days or so, as I've got a couple of minor security fixes to publish which I have back-ported to v3. The security issues have never been exploited by anyone, so I would prefer to get them fixed before anyone else finds them. I leave the commercial guys to delay fixing holes until they have been found and exploited :-) If it's really urgent, I can release earlier, but I would rather do some more testing first. >On Fri, 1 Nov 2002, Julian Field wrote: > > Thanks for reporting that. It is now detecting and handling this correctly. > > > > At 19:54 01/11/2002, you wrote: > > >I upgraded from Mailscanner 1.x to 4.03-1 three days ago. > > >The new version(4.03-1) is working great as far as I can > > >tell with the exception of one thing. > > > > > >The issue is that over the past three days I have seen four "Denial of > > >Service" messages logged to syslog but no attachments or body messages are > > >being saved. > > >The user does get an email that says "look here" with the correct message > > >ID as I would expect but the message(and message ID > > >directory) are never created in the quarantine area. Postmaster also > > >does not get any email regarding the DoS message. Syslog normally would > > >show "Saved entire message" or "Saved infected "filename"" but nothing > > >shows in syslog > > >other than "Denial of Service attack in in message gXXXXXXXXXXX." 
> > >I need to allow the end user the option of at least seeing the > > >quarantined data even if it is a broken or does not contain a properly > > >attached document. > > > > > >Has anyone seen this problem before? From what I can tell, all virus > > >infected files ARE being saved and logged properly. I have increased the > > >timeout TNEF timeout in hope that it will help in some fashion > > >even though it has nothing to do with creating quarantined directories > > >and email postmaster of a DoS message. > > > > > >I just put 4.04-1 earlier today. I haven't seen any new DoS messages > > >be tagged yet. > > > > > >Also..... > > >Is there any way to prevent MailScanner from catching "external body" > > >messages and tagging them? I have seen a couple of other posts on > > >the subject but nothing concrete on being a future release option. > > > > > > > > >AIX 5.1-002, Perl 5.6.0, TNEF=internal, Mcafee, TNEF Timeout = 120, > > >Scanner Timeout=300,Quarantine Infections = yes, Quarantine Whole Message > > >= yes > > > > > > > > >Thanks in advance, > > > > > >Robert > > > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From rhicks at MINES.EDU Sat Nov 2 02:40:07 2002 
From: rhicks at MINES.EDU (Robert Hicks) Date: Thu Jan 12 21:16:16 2006 Subject: email tagged as Denial of Service but not being saved In-Reply-To: <5.1.0.14.2.20021101213754.038c6000@imap.ecs.soton.ac.uk> Message-ID: <666ACD05-EE0C-11D6-A381-0003939CD990@Mines.edu> It isn't urgent enough to bypass testing. Thanks again... On Friday, November 1, 2002, at 02:43 PM, Julian Field wrote: > At 21:35 01/11/2002, you wrote: >> Thanks for the quick response! Do I need to update anything or >> did my upgrade to 4.04-1 take care of it? > > I'll be releasing an update for v3 and v4 in the next couple of days > or so, > as I've got a couple of minor security fixes to publish which I have > back-ported to v3. The security issues have never been exploited by > anyone, > so I would prefer to get them fixed before anyone else finds them. > > I leave the commercial guys to delay fixing holes until they have been > found and exploited :-) > > If it's really urgent, I can release earlier, but I would rather do > some > more testing first. > >> On Fri, 1 Nov 2002, Julian Field wrote: >> > Thanks for reporting that. It is now detecting and handling this >> correctly. >> > >> > At 19:54 01/11/2002, you wrote: >> > >I upgraded from Mailscanner 1.x to 4.03-1 three days ago. >> > >The new version(4.03-1) is working great as far as I can >> > >tell with the exception of one thing. >> > > >> > >The issue is that over the past three days I have seen four >> "Denial of >> > >Service" messages logged to syslog but no attachments or body >> messages are >> > >being saved. >> > >The user does get an email that says "look here" with the correct >> message >> > >ID as I would expect but the message(and message ID >> > >directory) are never created in the quarantine area. Postmaster >> also >> > >does not get any email regarding the DoS message. 
Syslog normally >> would >> > >show "Saved entire message" or "Saved infected "filename"" but >> nothing >> > >shows in syslog >> > >other than "Denial of Service attack in in message gXXXXXXXXXXX." >> > >I need to allow the end user the option of at least seeing the >> > >quarantined data even if it is a broken or does not contain a >> properly >> > >attached document. >> > > >> > >Has anyone seen this problem before? From what I can tell, all >> virus >> > >infected files ARE being saved and logged properly. I have >> increased the >> > >timeout TNEF timeout in hope that it will help in some fashion >> > >even though it has nothing to do with creating quarantined >> directories >> > >and email postmaster of a DoS message. >> > > >> > >I just put 4.04-1 earlier today. I haven't seen any new DoS >> messages >> > >be tagged yet. >> > > >> > >Also..... >> > >Is there any way to prevent MailScanner from catching "external >> body" >> > >messages and tagging them? I have seen a couple of other posts on >> > >the subject but nothing concrete on being a future release option. >> > > >> > > >> > >AIX 5.1-002, Perl 5.6.0, TNEF=internal, Mcafee, TNEF Timeout = 120, >> > >Scanner Timeout=300,Quarantine Infections = yes, Quarantine Whole >> Message >> > >= yes >> > > >> > > >> > >Thanks in advance, >> > > >> > >Robert >> > >> > -- >> > Julian Field Teaching Systems Manager >> > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >> > Tel. 023 8059 2817 University of Southampton >> > Southampton SO17 1BJ >> > > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Sat Nov 2 16:25:08 2002 
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:16:16 2006 Subject: MAILSCANNER: moeeni@SHARIF.EDU requested to join Message-ID: <200211021625.QAA21192@magpie.ecs.soton.ac.uk> Sat, 2 Nov 2002 16:25:08 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Mohsen Moeeni . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER moeeni@SHARIF.EDU Mohsen Moeeni The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+moeeni%40SHARIF.EDU+Mohsen+Moeeni&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From David.While at UCE.AC.UK Sun Nov 3 11:47:08 2002 From: David.While at UCE.AC.UK (David While) Date: Thu Jan 12 21:16:16 2006 Subject: ClamAV problem Message-ID: I have just started to use ClamAV with MS and have found an error: The following appears in the log file: ProcessClamAVOutput: unrecognised line "Autodetected 2 CPUs . Starting 2 threads.". Please contact the authors! I am running on a 2 CPU system and I believe ClamAV detects this hence the line in the log file. ----------------------------------------------------------------- David While Technical Development Manager Faculty of Computing, Information & English University of Central England Tel: 0121 331 6211 From mailscanner at ecs.soton.ac.uk Sun Nov 3 12:30:57 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:17 2006 Subject: ClamAV problem In-Reply-To: Message-ID: <5.1.0.14.2.20021103123032.02492e88@imap.ecs.soton.ac.uk> Fixed in 4.05-1. Thanks for reporting that one. At 11:47 03/11/2002, you wrote: >I have just started to use ClamAV with MS and have found an error: > >The following appears in the log file: > >ProcessClamAVOutput: unrecognised line "Autodetected 2 CPUs . Starting 2 >threads.". Please contact the authors! > >I am running on a 2 CPU system and I believe ClamAV detects this hence the >line in the log file. > > > >----------------------------------------------------------------- >David While >Technical Development Manager >Faculty of Computing, Information & English >University of Central England >Tel: 0121 331 6211 -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Sun Nov 3 12:52:03 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:17 2006
Subject: ANNOUNCE: Versions 3.26 and 4.05 released
Message-ID: <5.1.0.14.2.20021103124356.02401078@imap.ecs.soton.ac.uk>

I have just released versions 4.05 and 3.26.

These improve the handling of attachments whose filenames are in unknown character encodings, and improve the handling of attachments whose filenames look malicious, removing a potential security problem before anyone else finds it or exploits it.

Neither of these have ever been intentionally exploited. I leave it to the commercial outfits to only fix security vulnerabilities after they have been exploited!

New features and changes for Version 4 only:
- Can now put "$filename" in inline warning messages to give a comma-separated list of the infected attachment filenames.
- Improvement to Trend parser when scanning archives.
- Improvement to ClamAV parser for multi-CPU servers.
- Added Dutch and Brazilian Portuguese reports.
- Added an "End" function to the Custom Functions usable in the main conf file.

NOTE: If you have added your own Custom Functions to CustomConfig.pl, you will need to add an "End" function for each of them.

Download it, as usual, from www.mailscanner.info

Jules.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From p.vanbrouwershaven at NETWORKING4ALL.COM Sun Nov 3 20:31:03 2002
From: p.vanbrouwershaven at NETWORKING4ALL.COM (Paul van Brouwershaven - Networking4ALL)
Date: Thu Jan 12 21:16:17 2006
Subject: Console Messages (MailScanner-4.05-1)
Message-ID:

Hi,

I installed MailScanner-4.05-1 and I went crazy now from the "Adding mailheader...(cleanheader)" and "Adding spamheader..." messages on my system console.

Can you please remove these messages by default or make some configuration settings in the mailscanner.conf !!!

Is this a message that must be reported with MailScanner::Log::WarnLog???
    Adding mailheader...(cleanheader)

Regards,

Paul

From mailscanner at ecs.soton.ac.uk Sun Nov 3 20:44:22 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:17 2006
Subject: Console Messages (MailScanner-4.05-1)
In-Reply-To:
Message-ID: <5.1.0.14.2.20021103204337.01e99cb8@imap.ecs.soton.ac.uk>

Sorry about that. Some debug output from the new Exim code sneaked in.

Fixed and released 4.05-2.

At 20:31 03/11/2002, you wrote:
>Hi,
>
>I installed MailScanner-4.05-1 and I went crazy now from the "Adding
>mailheader...(cleanheader)" and "Adding spamheader..." messages on my
>system console.
>
>Can you please remove these messages by default or make some
>configuration settings in the mailscanner.conf !!!
>
>Is this a message that must be reported with
>MailScanner::Log::WarnLog???
>    Adding mailheader...(cleanheader)
>
>Regards,
>
>Paul

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From LISTSERV at JISCMAIL.AC.UK Sun Nov 3 20:35:16 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e))
Date: Thu Jan 12 21:16:17 2006
Subject: MAILSCANNER: r.spyker@HCCNET.NL left the list
Message-ID: <200211032035.UAA25246@magpie.ecs.soton.ac.uk>

Sun, 3 Nov 2002 20:35:16

Roel Spijker has just signed off the MAILSCANNER list (MailScanner mailing list).

From mail at projectandrew.com Sun Nov 3 21:31:02 2002
From: mail at projectandrew.com (Andrew G Allen) Date: Thu Jan 12 21:16:17 2006 Subject: Small errors Message-ID: <3775.217.155.81.26.1036359062.squirrel@www.projectandrew.com> I just installed 4.05-2 and noticed this in the logs: MailScanner E-Mail Virus Scanner version 4.05-1 starting... Also, when I issue 'service MailScanner stop', I get: MailScanner: We haven't got any child processes, which isn't right!, No child processes at /usr/sbin/MailScanner line 191. We have just tried to reap a process which wasn't one of ours!, No child processes at /usr/sbin/MailScanner line 194. And when I issue it again, MailScanner stops correctly. Otherwise everything is working ok :) Andrew G Allen email: mail@projectandrew.com | voice: +44 (0) 7958 540596 --- Disclaimer --- This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify the system manager. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at ecs.soton.ac.uk Sun Nov 3 21:38:06 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:17 2006 Subject: Small errors In-Reply-To: <3775.217.155.81.26.1036359062.squirrel@www.projectandrew.c om> Message-ID: <5.1.0.14.2.20021103213611.01e65618@imap.ecs.soton.ac.uk> At 21:31 03/11/2002, you wrote: >MailScanner E-Mail Virus Scanner version 4.05-1 starting... Fixed. >Also, when I issue 'service MailScanner stop', I get: > >MailScanner: We haven't got any child processes, which isn't right!, >No child processes at /usr/sbin/MailScanner line 191. >We have just tried to reap a process which wasn't one of ours!, No child >processes at /usr/sbin/MailScanner line 194. > >And when I issue it again, MailScanner stops correctly. Otherwise >everything is working ok :) What system are you running it on? I am vaguely hoping to get some more development kit, which will mean I can start to get this problem solved in a portable way. The Apache folks solved it by having a separate program (apachectl) to do the job, I'll probably have to go the same way. Jules. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mail at projectandrew.com Sun Nov 3 22:28:26 2002 
From: mail at projectandrew.com (Andrew G Allen) Date: Thu Jan 12 21:16:17 2006 Subject: Small errors In-Reply-To: <5.1.0.14.2.20021103213611.01e65618@imap.ecs.soton.ac.uk> References: <3775.217.155.81.26.1036359062.squirrel@www.projectandrew.c om> <5.1.0.14.2.20021103213611.01e65618@imap.ecs.soton.ac.uk> Message-ID: <3862.217.155.81.26.1036362506.squirrel@www.projectandrew.com> > What system are you running it on? > I am vaguely hoping to get some more development kit, which will mean I > can start to get this problem solved in a portable way. The Apache folks > solved it by having a separate program (apachectl) to do the job, I'll > probably have to go the same way. I am running Red Hat 7.2. Andrew G Allen email: mail@projectandrew.com | voice: +44 (0) 7958 540596 --- Disclaimer --- This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify the system manager. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From andersan at LTKALMAR.SE Sun Nov 3 22:33:56 2002 
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:16:17 2006
Subject: SV: Small errors
Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EC3A@lkl22.ltkalmar.se>

Had the same problem, running v4 on RH8.
Everything seems to run ok but I get the same errors.
Have to check what version I'm running but I'll have to do that tomorrow. Anything else you need to know?

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: 3 November 2002 22:38
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Small errors
>
>
> At 21:31 03/11/2002, you wrote:
> >MailScanner E-Mail Virus Scanner version 4.05-1 starting...
>
> Fixed.
>
> >Also, when I issue 'service MailScanner stop', I get:
> >
> >MailScanner: We haven't got any child processes, which isn't right!,
> >No child processes at /usr/sbin/MailScanner line 191.
> >We have just tried to reap a process which wasn't one of ours!, No child
> >processes at /usr/sbin/MailScanner line 194.
> >
> >And when I issue it again, MailScanner stops correctly. Otherwise
> >everything is working ok :)
>
> What system are you running it on?
> I am vaguely hoping to get some more development kit, which will mean I
> can start to get this problem solved in a portable way. The Apache folks
> solved it by having a separate program (apachectl) to do the job, I'll
> probably have to go the same way.
>
> Jules.
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ
>

From mailscanner at ecs.soton.ac.uk Sun Nov 3 22:38:49 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:17 2006 Subject: Fwd: Mailscanner kaspersky output parsing patch Message-ID: <5.1.0.14.2.20021103223718.01ee0ec8@imap.ecs.soton.ac.uk> I have just added a patch to the Kaspersky output parser, contributed by Martin Lillepuu. I have added it to the 4.05 and 3.26 versions. >Date: Mon, 4 Nov 2002 02:05:05 +0200 (EET) >To: mailscanner@ecs.soton.ac.uk >Subject: Mailscanner kaspersky output parsing patch > >Here's a little patch to make mailscanner 4.05 work again with >latest Kaspersky Antivirus for linux workstations v4.0.2.2. It looks like >the scanner output is different when you specify one file with full path >or just the directory. When current directory '.' was specified, regexps >failed to parse message id correctly which caused infected messages >passing untouched. According syslog output is also included. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Sun Nov 3 22:41:07 2002 
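A scanner-output parser that covers the two failures reported in this thread (an unrecognised ClamAV start-up line, and a path form that stopped the message id being extracted so that infected mail passed untouched), as an added example that is not MailScanner's code. The `file: NAME FOUND` and `file: OK` line shapes follow clamscan; the batch directory layout, message ids, virus name, the third batch's line format and all function names are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed layout: the scanner is pointed at a batch directory holding one
# subdirectory per message id, so a report path is <id>/<attachment>,
# written either relative ("./id/file") or absolute ("/base/id/file").
sub split_report_path {
    my ($path, $basedir) = @_;
    $path =~ s{^\Q$basedir\E/+}{};    # absolute form
    $path =~ s{^(?:\./+)+}{};         # relative form, scanner was given "."
    my ($id, $file) = $path =~ m{^([^/]+)/(.+)$} or return;
    return if $id eq '.' || $id eq '..';    # never accept a parent reference
    return ($id, $file);
}

# Turn raw scanner output into a report. Lines that are understood are
# either recorded (infected) or skipped (clean, banner). Anything else is
# kept in {unparsed} so the caller can refuse to treat the batch as clean.
sub parse_scanner_output {
    my ($basedir, @lines) = @_;
    my %report = (infected => {}, unparsed => []);
    foreach my $line (@lines) {
        $line =~ s/\s+\z//;
        next if $line eq '';
        next if $line =~ /^Autodetected \d+ CPUs/;    # banner quoted in the thread
        if ($line =~ m{^(.+): (\S+) FOUND$}) {
            my ($path, $virus) = ($1, $2);
            my ($id, $file) = split_report_path($path, $basedir);
            if (defined $id) {
                push @{ $report{infected}{$id} }, "$file ($virus)";
                next;
            }
        }
        elsif ($line =~ m{^.+: OK$}) {
            next;
        }
        push @{ $report{unparsed} }, $line;    # includes FOUND lines with no id
    }
    return \%report;
}

# Fail closed: a message is delivered only when the whole batch parsed.
sub disposition {
    my ($report, $id) = @_;
    return 'quarantine' if $report->{infected}{$id};
    return 'hold'       if @{ $report->{unparsed} };
    return 'deliver';
}

# Constructed sample output for one batch of two messages, in three forms.
my $base = '/var/spool/scan/incoming';
my @batches = (
    [ 'absolute paths',
      'Autodetected 2 CPUs . Starting 2 threads.',
      "$base/gA3TEST00001/invoice.exe: Example.Test.Virus FOUND",
      "$base/gA3TEST00002/notes.txt: OK" ],
    [ 'relative paths',
      './gA3TEST00001/invoice.exe: Example.Test.Virus FOUND',
      './gA3TEST00002/notes.txt: OK' ],
    [ 'unknown format',
      'gA3TEST00001/invoice.exe infected: Example.Test.Virus',
      './gA3TEST00002/notes.txt: OK' ],
);

foreach my $batch (@batches) {
    my ($name, @lines) = @$batch;
    my $report = parse_scanner_output($base, @lines);
    foreach my $id (qw(gA3TEST00001 gA3TEST00002)) {
        printf "%-15s %s => %s\n", $name, $id, disposition($report, $id);
    }
}
```

In the third batch the infected line is in a shape the parser does not know, so both messages are held instead of delivered; a parser that ignored the line would have passed the infected message as clean.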
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:17 2006
Subject: SV: Small errors
In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263EC3A@lkl22.ltkalmar.se >
Message-ID: <5.1.0.14.2.20021103223936.039c2928@imap.ecs.soton.ac.uk>

At 22:33 03/11/2002, you wrote:
>Had the same problem, running v4 on RH8.
>Everything seems to run ok but I get the same errors.
>Have to check what version I'm running but I'll have to
>do that tomorrow. Anything else you need to know?

No. I haven't touched the init script for a while now. I'm going to have to see precisely what Apache does to solve this problem, as otherwise the init script will have to have loads of OS-specific switches in it.

> > -----Original Message-----
> > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> > Sent: 3 November 2002 22:38
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Small errors
> >
> >
> > At 21:31 03/11/2002, you wrote:
> > >MailScanner E-Mail Virus Scanner version 4.05-1 starting...
> >
> > Fixed.
> >
> > >Also, when I issue 'service MailScanner stop', I get:
> > >
> > >MailScanner: We haven't got any child processes, which isn't right!,
> > >No child processes at /usr/sbin/MailScanner line 191.
> > >We have just tried to reap a process which wasn't one of ours!, No child
> > >processes at /usr/sbin/MailScanner line 194.
> > >
> > >And when I issue it again, MailScanner stops correctly. Otherwise
> > >everything is working ok :)
> >
> > What system are you running it on?
> > I am vaguely hoping to get some more development kit, which will mean I
> > can start to get this problem solved in a portable way. The Apache folks
> > solved it by having a separate program (apachectl) to do the job, I'll
> > probably have to go the same way.
> >
> > Jules.
> > --
> > Julian Field                Teaching Systems Manager
> > jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> > Tel. 023 8059 2817          University of Southampton
> >                             Southampton SO17 1BJ
> >

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mike at ZANKER.ORG Mon Nov 4 06:06:16 2002
From: mike at ZANKER.ORG (Mike Zanker)
Date: Thu Jan 12 21:16:17 2006
Subject: Fwd: Mailscanner kaspersky output parsing patch
In-Reply-To: <5.1.0.14.2.20021103223718.01ee0ec8@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20021103223718.01ee0ec8@imap.ecs.soton.ac.uk>
Message-ID: <162057786.1036389976@jemima.zanker.org>

On 03 November 2002 22:38 +0000 Julian Field wrote:

> I have just added a patch to the Kaspersky output parser, contributed
> by Martin Lillepuu.
> I have added it to the 4.05 and 3.26 versions.

Presumably only the mailscanner rpm has changed between 4.05-1 and 4.05-3 so that is all that needs to be installed?

Thanks,

Mike.

From mailscanner at ecs.soton.ac.uk Mon Nov 4 09:22:23 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:17 2006
Subject: Fwd: Mailscanner kaspersky output parsing patch
In-Reply-To: <162057786.1036389976@jemima.zanker.org>
References: <5.1.0.14.2.20021103223718.01ee0ec8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021103223718.01ee0ec8@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021104092206.04685ea0@imap.ecs.soton.ac.uk>

At 06:06 04/11/2002, you wrote:
>On 03 November 2002 22:38 +0000 Julian Field wrote:
>
>>I have just added a patch to the Kaspersky output parser, contributed
>>by Martin Lillepuu.
>>I have added it to the 4.05 and 3.26 versions.
>
>Presumably only the mailscanner rpm has changed between 4.05-1 and
>4.05-3 so that is all that needs to be installed?

Yes.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Mon Nov 4 10:25:20 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:17 2006 Subject: Fwd: Mailscanner on OSDir.com (new O'Reilly site) Message-ID: <5.1.0.14.2.20021104102226.04515ec0@imap.ecs.soton.ac.uk> O'Reilly have created a new website containing a directory of Open Source projects, including MailScanner. If some of you could take 5 minutes adding some comments / votes to the site, I would really appreciate it. The MailScanner project page is at http://osdir.com/modules.php?op=modload&name=Downloads&file=index&req=viewdownloaddetails&lid=114&ttitle=MailScanner And the home page of their new site is of course http://osdir.com/ >Subject: Mailscanner on OSDir.com (new O'Reilly site) > >Hi Julian, > >I've just added Mailscanner to http://OSDir.com (new O'Reilly site). We'll >likely be building a book partly based from the votes and comments there so >I invite our users to talk Mailscanner up a bit there: >http://osdir.com/modules.php?op=modload&name=Downloads&file=index&req=viewdownloaddetails&lid=114&ttitle=MailScanner > >There's a link at the bottom of that page if you or any of them want >visitors to vote/comment on Mailscanner remotely from a website such as >your own. We'll likely be building a book partly based on comments and >votes so adding it to the Mailscanner site probably wouldn't hurt. > >Thanks and Cheers, >-- >Steve Mallett | steve@osdir.com >http://OSDir.com on the O'Reilly Network >http://opensource.org | webmaster@opensource.org >http://open5ource.net -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Mon Nov 4 10:43:27 2002 
From P.G.M.Peters at civ.utwente.nl Mon Nov 4 12:41:57 2002 
From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:16:17 2006 Subject: relay hits not triggering automatic spam tag In-Reply-To: <3DC24E82.18366.14990061@localhost> References: <5.1.0.14.2.20021101150209.044dc3f8@imap.ecs.soton.ac.uk> <200211010919.04292.lbergman@wtxs.net> <3DC24E82.18366.14990061@localhost> Message-ID: <4mqcsust6nllh3jba4a9uo5hqvbdasao5l@4ax.com> On Fri, 1 Nov 2002 09:50:58 -0800, you wrote: >On 1 Nov 2002 at 9:19, Lewis Bergman wrote: >> With this being the case I am wondering: >> What does the rbl check in MS do or what is it used for? I am sure I am >> missing something here I just don't know what. > >It's for the folks who are using Mailscanner without Spam Assassin. If you >are using Spam Assassin in addition to MS, you probably want to let SA >do the rbl checks instead of MS. We use MS with SA but handle BL's in MS. We want to offer our users the possibility to decide for themselves what criteria they want to impose on the e-mail they receive. By having as many tags as possible we offer our users the most possibilities. -- Peter Peters senior network administrator, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telephone: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From LISTSERV at JISCMAIL.AC.UK Mon Nov 4 12:48:52 2002 
From thomas_duvally at BROWN.EDU Mon Nov 4 10:32:25 2002 
From: thomas_duvally at BROWN.EDU (Thomas DuVally) Date: Thu Jan 12 21:16:17 2006 Subject: good version of SpamAssassin? In-Reply-To: <5.1.0.14.2.20021101171949.060ad8d0@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20021101171949.060ad8d0@imap.ecs.soton.ac.uk> Message-ID: <1036405945.2065.5.camel@toms> What were some of the issues? I attempted to use 2.41 and had to abandon it. If the issues were solved in 2.43, I may be able to re-enable it. On Fri, 2002-11-01 at 12:20, Julian Field wrote: > At 17:17 01/11/2002, you wrote: > >I vaguely remember there being some problem with a certain version of SA. Was > >I imagining this? I am about to go from 2.31 to 2.43 and wanted to ensure I > >wasn't buggering something up. > > 2.40, 2.41 and 2.42 were trouble. 2.43 is fine. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Thomas DuVally Brown University From security at MCGUINNESS.DE Mon Nov 4 14:24:47 2002 
From: security at MCGUINNESS.DE (Marc Mc Guinness) Date: Thu Jan 12 21:16:17 2006 Subject: could not notify senders and postmaster Message-ID: <200211041424.PAA19297@post.webmailer.de>

Hello,

I've activated sending messages to the senders and to the postmaster, but it doesn't work:
I'm using sendmail 8.12.6-6 on Debian 3.0. My entries in mailscanner.conf are:
---------------------------------------------------------------------------
Deliver To Recipients = yes
Deliver From Local Domains = yes
Notify Senders = yes
//the following 3 files are in the path
Sender Virus Report =/etc/mailscanner/sender.virus.report.txt
Sender Bad Filename Report = /etc/mailscanner/sender.filename.report.txt
Sender Error Report = /etc/mailscanner/sender.error.report.txt
Notify Local Postmaster = yes
Local Postmaster = postmaster //also tried postmaster@mydomain.com -didn't work
MTA = sendmail
Sendmail = /usr/sbin/sendmail //Tried calling /usr/sbin/sendmail from command line and it worked
---------------------------------------------------------------------------
The error message in /var/log/mail/mail.info says:
---------------------------------------------------------------------------
Nov 4 13:27:55 spointmail1 mailscanner[10733]: Scanning 2 messages, 652868 bytes
Nov 4 13:27:56 spointmail1 mailscanner[10733]: Found 1 viruses in messages gA4CRYC8010761
Nov 4 13:27:56 spointmail1 mailscanner[10733]: Scanned 2 messages, 652868 bytes in 1 seconds
Nov 4 13:27:56 spointmail1 mailscanner[10733]: Saved infections to /var/spool/mailscanner/quarantine/20021104/gA4CRYC8010761
Nov 4 13:27:56 spointmail1 mailscanner[10733]: Could not notify senders
Nov 4 13:27:56 spointmail1 mailscanner[10733]: Could not notify local postmaster
Nov 4 13:27:56 spointmail1 mailscanner[10733]: Commercial disinfector f-secure returned 768
---------------------------------------------------------------------------
Can you please help me?
Best regards, Marc Mc Guinness From security at MCGUINNESS.DE Mon Nov 4 14:25:13 2002 From: security at MCGUINNESS.DE (Marc Mc Guinness) Date: Thu Jan 12 21:16:17 2006 Subject: Creating mail copies for backup Message-ID: <200211041425.PAA19966@post.webmailer.de> Hello, I don't know who I could ask. Probably you could help me... I'm using sendmail 8.12.6-6 on Debian 3.0 and want to create a copy of every email delivered to the user mailboxes under /var/mail/. This copy shall be saved in user mailboxes under /var/backup/mail/. How can I tell sendmail to write its mails to two directories? Best regards, Marc Mc Guinness From mailscanner at ecs.soton.ac.uk Mon Nov 4 14:38:48 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:17 2006 Subject: good version of SpamAssassin? In-Reply-To: <1036405945.2065.5.camel@toms> References: <5.1.0.14.2.20021101171949.060ad8d0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021101171949.060ad8d0@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20021104143809.04575040@imap.ecs.soton.ac.uk> At 10:32 04/11/2002, you wrote: >What were some of the issues? I attempted to use 2.41 and had to >abandon it. If the issues were solved in 2.43, I may be able to >re-enable it. Corruption of auto-whitelist. Upgrade to 2.43 and delete the auto-whitelist (which will be in ~root/.spamassassin). >On Fri, 2002-11-01 at 12:20, Julian Field wrote: > > At 17:17 01/11/2002, you wrote: > > >I vaguely remember there being some problem with a certain version of > SA. Was > > >I imagining this? I am about to go from 2.31 to 2.43 and wanted to > ensure I > > >wasn't buggering something up. > > > > 2.40, 2.41 and 2.42 were trouble. 2.43 is fine. > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ >-- >Thomas DuVally >Brown University -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Mon Nov 4 14:40:54 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:17 2006 Subject: Creating mail copies for backup In-Reply-To: <200211041425.PAA19966@post.webmailer.de> Message-ID: <5.1.0.14.2.20021104143947.044d0700@imap.ecs.soton.ac.uk> At 14:25 04/11/2002, you wrote: >Hello, > >I don't know who I could ask. Probably you could help me... >I'm using sendmail 8.12.6-6 on Debian 3.0 and want to create a copy >of every email delivered to the user mailboxes under /var/mail/. >This copy shall be saved in user mailboxes under /var/backup/mail/. > >How can I tell sendmail to write its mails to two directories? That's tricky in sendmail (I may be wrong, quite a few people on this list know more about sendmail than I do!). However, MailScanner 4 will do it for you. The "Archive Mail" feature can save mail messages to a directory or even to another email address, without the recipient noticing anything is happening. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From security at MCGUINNESS.DE Mon Nov 4 15:05:00 2002 
From: security at MCGUINNESS.DE (Marc Mc Guinness) Date: Thu Jan 12 21:16:17 2006 Subject: Creating mail copies for backup In-Reply-To: <5.1.0.14.2.20021104143947.044d0700@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20021104143947.044d0700@imap.ecs.soton.ac.uk> Message-ID: <200211041505.QAA05059@post.webmailer.de> Hello, On Monday, 4 November 2002 15:40, Julian Field wrote: > At 14:25 04/11/2002, you wrote: > >Hello, > > > >I don't know who I could ask. Probably you could help me... > >I'm using sendmail 8.12.6-6 on Debian 3.0 and want to create a > > copy of every email delivered to the user mailboxes under > > /var/mail/. This copy shall be saved in user mailboxes under > > /var/backup/mail/. > > > >How can I tell sendmail to write its mails to two directories? > > That's tricky in sendmail (I may be wrong, quite a few people on > this list know more about sendmail than I do!). > > However, MailScanner 4 will do it for you. The "Archive Mail" > feature can save mail messages to a directory or even to another > email address, without the recipient noticing anything is > happening. I can't use version 4 at the moment (political reason). I've got the mailscanner 3.13.2-4 from debian stable. Probably someone else can help me with telling sendmail to do the backup? Best regards, Marc From Harish.Amin at DEG.STATE.WI.US Mon Nov 4 16:32:27 2002 
From: Harish.Amin at DEG.STATE.WI.US (Amin, Harish) Date: Thu Jan 12 21:16:17 2006 Subject: Majordomo sending messages as list-owner to a moderated list Message-ID: <47F3EDACE4BC3A4594D0D7B504062BBD019C6680@doamail04>

Julian,

I am running Majordomo on Sun Solaris and sendmail as MTA. I have noticed after a message is cleaned it sends/posts messages to the lists, which is a moderated list only one person can post. Can I prevent this in Mailscanner or should I have to tweak something on sendmail?

Your replies are greatly appreciated.

Thanx
Harish

Here's the log on /var/log/syslog

Nov 4 09:32:11 badger sendmail[28681]: [ID 801593 mail.info] gA4FWBw28681: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 09:32:11 badger sendmail[28682]: [ID 801593 mail.info] gA4FWBc28682: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 09:32:57 badger sendmail[28713]: [ID 801593 mail.info] gA4FWvn28713: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 09:32:58 badger sendmail[28715]: [ID 801593 mail.info] gA4FWw128715: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 09:34:26 badger sendmail[28755]: [ID 801593 mail.info] gA4FYQR28755: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 09:34:30 badger sendmail[28768]: [ID 801593 mail.info] gA4FYU128768: Authentication-Warning: badger.state.wi.us.: majordom set sender to owner-wiscatl@Badger.state.wi.us using -f
Nov 4 09:35:18 badger sendmail[28791]: [ID 801593 mail.info] gA4FZI628791: Authentication-Warning: badger.state.wi.us.: majordom set sender to owner-wiagedffa@Badger.state.wi.us using -f
Nov 4 09:43:12 badger sendmail[28985]: [ID 801593 mail.info] gA4FhC228985: Authentication-Warning: badger.state.wi.us.: majordom set sender to owner-weccp@Badger.state.wi.us using -f
Nov 4 09:45:43 badger sendmail[29051]: [ID 801593 mail.info] gA4Fjh129051: Authentication-Warning: badger.state.wi.us.: majordom set sender to owner-ysandsn@Badger.state.wi.us using -f
Nov 4 10:00:42 badger sendmail[29313]: [ID 801593 mail.info] gA4G0gc29313: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 10:00:43 badger sendmail[29314]: [ID 801593 mail.info] gA4G0hJ29314: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 10:03:19 badger sendmail[29374]: [ID 801593 mail.info] gA4G3JC29374: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 10:07:31 badger sendmail[29441]: [ID 801593 mail.info] gA4G7Vu29441: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 10:07:31 badger sendmail[29442]: [ID 801593 mail.info] gA4G7Vv29442: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 10:08:20 badger sendmail[29461]: [ID 801593 mail.info] gA4G8Kg29461: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 10:08:20 badger sendmail[29462]: [ID 801593 mail.info] gA4G8Kk29462: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 10:09:08 badger sendmail[29484]: [ID 801593 mail.info] gA4G98N29484: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 10:09:08 badger sendmail[29485]: [ID 801593 mail.info] gA4G98G29485: Authentication-Warning: badger.state.wi.us.: majordom set sender to owner-web-alerts@Badger.state.wi.us using -f
Nov 4 10:09:08 badger sendmail[29488]: [ID 801593 mail.info] gA4G98629488: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 10:10:01 badger sendmail[29514]: [ID 801593 mail.info] gA4GA1d29514: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 10:10:01 badger sendmail[29515]: [ID 801593 mail.info] gA4GA1B29515: Authentication-Warning: badger.state.wi.us.: majordom set sender to owner-microsoft-alerts@Badger.state.wi.us using -f
Nov 4 10:10:01 badger sendmail[29518]: [ID 801593 mail.info] gA4GA1829518: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 10:12:24 badger sendmail[29599]: [ID 801593 mail.info] gA4GCOj29599: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 10:12:43 badger sendmail[29615]: [ID 801593 mail.info] gA4GChE29615: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 10:16:16 badger sendmail[29699]: [ID 801593 mail.info] gA4GGGp29699: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f
Nov 4 10:16:16 badger sendmail[29700]: [ID 801593 mail.info] gA4GGGK29700: Authentication-Warning: badger.state.wi.us.: majordom set sender to owner-wiruralsch@Badger.state.wi.us using -f
Nov 4 10:16:16 badger sendmail[29703]: [ID 801593 mail.info] gA4GGGv29703: Authentication-Warning: badger.state.wi.us.: majordom set sender to Majordomo-Owner@Badger.state.wi.us using -f

From mailscanner at ecs.soton.ac.uk Mon Nov 4 16:56:19 2002 
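The Authentication-Warning entries in the log above are what sendmail writes when a local account outside its trusted-user class (the T lines in sendmail.cf) sets the envelope sender with -f. As an added example, not part of any message in this thread, the Python below tallies which accounts and sender addresses appear in such warnings and compares them with the T lines of a sendmail.cf; the log lines, the cf fragment, the host names and the `EXPECTED` policy are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sendmail.cf fragment holding the three trusted users quoted in the thread.
SAMPLE_CF = """\
# Trusted users
Troot
Tdaemon
Tuucp
"""

# Constructed syslog lines in the Solaris layout seen in the thread
# (host names, queue ids and addresses are made up).
SAMPLE_LOG = """\
Nov  4 09:32:11 mx1 sendmail[28681]: [ID 801593 mail.info] gA4FWBw28681: Authentication-Warning: mx1.example.org.: majordom set sender to Majordomo-Owner@mx1.example.org using -f
Nov  4 09:34:30 mx1 sendmail[28768]: [ID 801593 mail.info] gA4FYU128768: Authentication-Warning: mx1.example.org.: majordom set sender to owner-announce@mx1.example.org using -f
Nov  4 09:40:02 mx1 sendmail[28801]: [ID 801593 mail.info] gA4Fe2x28801: from=<alice@example.org>, size=1204, nrcpts=1
Nov  4 09:41:15 mx1 sendmail[28820]: [ID 801593 mail.info] gA4FfFq28820: Authentication-Warning: mx1.example.org.: webuser set sender to billing@example.org using -f
Nov  4 09:45:43 mx1 sendmail[29051]: [ID 801593 mail.info] gA4Fjh129051: Authentication-Warning: mx1.example.org.: majordom set sender to Majordomo-Owner@mx1.example.org using -f
"""

# Hypothetical policy: the sender addresses each account is expected to set.
EXPECTED = {"majordom": r"(majordomo-owner|owner-[\w.-]+)@mx1\.example\.org"}

WARNING = re.compile(
    r"Authentication-Warning: \S+: (?P<user>\S+) set sender to (?P<sender>\S+) using -f"
)


def trusted_users(cf_text):
    """Collect trusted users from 'Tname ...' lines and the equivalent 'Ct name ...' form."""
    users = set()
    for line in cf_text.splitlines():
        if line.startswith("Ct"):
            users.update(line[2:].split())
        elif line.startswith("T"):
            users.update(line[1:].split())
    return users  # names loaded from a file with an Ft line are not resolved here


def audit(log_text, cf_text):
    """Per account: number of -f warnings, senders it set, and whether it is in class T."""
    trusted = trusted_users(cf_text)
    seen = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = WARNING.search(line)
        if m:  # ordinary delivery lines are skipped
            seen[m["user"]][m["sender"].lower()] += 1
    return {
        user: {
            "warnings": sum(senders.values()),
            "senders": dict(senders),
            "trusted": user in trusted,
        }
        for user, senders in seen.items()
    }


def unexpected(report, expected):
    """(account, sender) pairs that fall outside the expected-sender policy."""
    flagged = []
    for user, info in sorted(report.items()):
        pattern = expected.get(user)
        for sender in sorted(info["senders"]):
            if pattern is None or not re.fullmatch(pattern, sender):
                flagged.append((user, sender))
    return flagged


if __name__ == "__main__":
    report = audit(SAMPLE_LOG, SAMPLE_CF)
    for user, info in sorted(report.items()):
        state = "trusted" if info["trusted"] else "NOT in class T"
        print(f"{user}: {info['warnings']} warning(s), {state}")
        for sender, count in sorted(info["senders"].items()):
            print(f"    {count:3d}  {sender}")
    for user, sender in unexpected(report, EXPECTED):
        print(f"review before trusting: {user} set sender to {sender}")
```

Running the tally before adding an account to class T shows exactly which sender addresses that account sets, since trusting it silences the warning for all of them.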
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:17 2006 Subject: Majordomo sending messages as list-owner to a moderated list In-Reply-To: <47F3EDACE4BC3A4594D0D7B504062BBD019C6680@doamail04> Message-ID: <5.1.0.14.2.20021104165326.046e1ec0@imap.ecs.soton.ac.uk>

At 16:32 04/11/2002, you wrote:
>Julian,

Hey, I'm not the *only* person who fixes problems on this list :-)

>I am running Majordomo on Sun Solaris and sendmail as MTA.
>I have noticed after a message is cleaned it sends/posts messages to the
>lists, which is a moderated list
>only one person can post.

The errors are nothing to do with MailScanner (which does not get involved with message delivery at all anyway).

>Can I prevent this in Mailscanner or should I have to tweak something on
>sendmail

You need to add "majordom" to the class T in your sendmail.cf file so that sendmail "trusts" majordom and allows it to change the "From" address in mail it creates. You probably already have lines in your sendmail.cf that say
Troot
Tdaemon
Tuucp
Just add
Tmajordom
to that list and restart both sendmail processes.
>Here's the log on /var/log/syslog -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From Harish.Amin at DEG.STATE.WI.US Mon Nov 4 17:13:28 2002 From: Harish.Amin at DEG.STATE.WI.US (Amin, Harish) Date: Thu Jan 12 21:16:17 2006 Subject: Majordomo sending messages as list-owner to a moderated list Message-ID: <47F3EDACE4BC3A4594D0D7B504062BBD019C6683@doamail04> Julian, Thanks for responding so quickly. I think this will fix the problem. Is there anything for weekly or monthly reporting on the activity of MailScanner , so that I can show it my higher ups about how much scanning and cleaning , Mailscanner does or the period like MailStats or Mailog statistics etc Thanx again -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Monday, November 04, 2002 10:56 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Majordomo sending messages as list-owner to a moderated list At 16:32 04/11/2002, you wrote: >Julian, Hey, I'm not the *only* person who fixes problems on this list :-) >I running Majordomo on Sun Solaris and sendmail as MTA. >I have noticed after a messages is cleaned it sends/posts messages to the >lists, which is a moderated list >only one person can post. The errors are nothing to do with MailScanner (which does not get involved with message delivery at all anyway). >Can I prevent this in Mailscanner or should I have to tweak something on >sendmail You need to add "majordom" to the class T in your sendmail.cf file so that sendmail "trusts" majordom and allows it to change the "From" address in mail it creates. You probably already have lines in your sendmail.cf that say Troot Tdaemon Tuucp Just add Tmajordom to that list and restart both sendmail processes. 
>Here's the log on /var/log/syslog

-- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ
From mailscanner at ecs.soton.ac.uk Mon Nov 4 17:31:15 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:17 2006
Subject: Majordomo sending messages as list-owner to a moderated list
In-Reply-To: <47F3EDACE4BC3A4594D0D7B504062BBD019C6683@doamail04>
Message-ID: <5.1.0.14.2.20021104173025.0482ab00@imap.ecs.soton.ac.uk>

At 17:13 04/11/2002, you wrote:
>Julian,
>
>Thanks for responding so quickly.
>I think this will fix the problem.
>Is there anything for weekly or monthly reporting on the
>activity of MailScanner , so that I can show it my higher ups about
>how much scanning and cleaning , Mailscanner does or the period

Search in the mailing list archives for any mention of MRTG and you will find the (many) conversations that have taken place on this topic before. Someone out there is already doing what you want to do...

>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>Sent: Monday, November 04, 2002 10:56 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Majordomo sending messages as list-owner to a moderated
>list
>
>
>At 16:32 04/11/2002, you wrote:
> >Julian,
>
>Hey, I'm not the *only* person who fixes problems on this list
>:-)
>
> >I running Majordomo on Sun Solaris and sendmail as MTA.
> >I have noticed after a messages is cleaned it sends/posts messages to the
> >lists, which is a moderated list
> >only one person can post.
>
>The errors are nothing to do with MailScanner (which does not get involved
>with message delivery at all anyway).
>
> >Can I prevent this in Mailscanner or should I have to tweak something on
> >sendmail
>
>You need to add "majordom" to the class T in your sendmail.cf file so that
>sendmail "trusts" majordom and allows it to change the "From" address in
>mail it creates. You probably already have lines in your sendmail.cf that
>say
>         Troot
>         Tdaemon
>         Tuucp
>Just add
>         Tmajordom
>to that list and restart both sendmail processes.
>
> >Here's the log on /var/log/syslog
>
>--
>Julian Field Teaching Systems Manager
>jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
>Tel. 023 8059 2817 University of Southampton
> Southampton SO17 1BJ

-- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ
From t.d.lee at DURHAM.AC.UK Mon Nov 4 18:06:00 2002
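An added example (not code from the thread or from sendmail): a Python check to run before following the class T advice above, since a trusted account can set the envelope sender with -f without sendmail recording an Authentication-Warning. The cf excerpt, log lines, host names and the `local_domains` parameter are constructed assumptions, and `Ft` trusted-user files are not read.

```python
import re

# Shape of the sendmail syslog entries discussed in the thread. The "[ID ...]"
# field is added by Solaris syslogd, so it is optional in the pattern.
WARNING_RE = re.compile(
    r"sendmail\[\d+\]: (?:\[ID [^\]]*\] )?(?P<qid>\w+): "
    r"Authentication-Warning: \S+ (?P<user>\S+) set sender to "
    r"(?P<sender>\S+) using -f"
)

# Constructed sample data (not taken from the thread).
SAMPLE_CF = """\
# trusted users
Troot
Tdaemon
Tuucp
"""

SAMPLE_LOG = """\
Nov  4 09:32:11 mx1 sendmail[2001]: [ID 801593 mail.info] gA4EXAMPLE0001: Authentication-Warning: mx1.example.org.: majordom set sender to Majordomo-Owner@lists.example.org using -f
Nov  4 09:32:57 mx1 sendmail[2002]: [ID 801593 mail.info] gA4EXAMPLE0002: Authentication-Warning: mx1.example.org.: majordom set sender to Majordomo-Owner@lists.example.org using -f
Nov  4 09:34:30 mx1 sendmail[2003]: [ID 801593 mail.info] gA4EXAMPLE0003: Authentication-Warning: mx1.example.org.: majordom set sender to owner-announce@lists.example.org using -f
Nov  4 09:40:00 mx1 sendmail[2004]: gA4EXAMPLE0004: Authentication-Warning: mx1.example.org.: webform set sender to ceo@other.example using -f
Nov  4 09:41:00 mx1 sendmail[2005]: gA4EXAMPLE0005: from=<a@example.org>, size=1200, class=0
"""


def trusted_users(cf_text):
    """Return class t members defined inline in sendmail.cf ("T" or "Ct" lines)."""
    users = set()
    for line in cf_text.splitlines():
        if line.startswith("Ct"):
            users.update(line[2:].split())
        elif line.startswith("T"):
            users.update(line[1:].split())
    return users


def audit(log_text, cf_text, local_domains):
    """Group -f warnings by local account and attach a triage verdict.

    already-trusted: the account is in class t but warnings are still logged,
                     so the log predates the change or sendmail was not restarted.
    candidate:       untrusted, and every sender it set is in a local domain.
    investigate:     untrusted, and it set a sender outside the local domains
                     (unqualified senders are also treated as non-local).
    """
    trusted = trusted_users(cf_text)
    local = {d.lower() for d in local_domains}
    report = {}
    for line in log_text.splitlines():
        m = WARNING_RE.search(line)
        if m is None:
            continue
        entry = report.setdefault(
            m.group("user"), {"count": 0, "senders": set(), "foreign": set()}
        )
        entry["count"] += 1
        sender = m.group("sender")
        entry["senders"].add(sender)
        if sender.rpartition("@")[2].lower() not in local:
            entry["foreign"].add(sender)
    for user, entry in report.items():
        if user in trusted:
            entry["verdict"] = "already-trusted"
        elif entry["foreign"]:
            entry["verdict"] = "investigate"
        else:
            entry["verdict"] = "candidate"
    return report


if __name__ == "__main__":
    for user, entry in sorted(audit(SAMPLE_LOG, SAMPLE_CF, ["lists.example.org"]).items()):
        print(user, entry["count"], entry["verdict"], sorted(entry["senders"]))
```
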
From: t.d.lee at DURHAM.AC.UK (David Lee)
Date: Thu Jan 12 21:16:17 2006
Subject: iframe dilemma: a compromise?
Message-ID:

Having lagged behind in 3.x, we recently jumped to 3.25-1. (Next step is 4.x, but that was a leap too far at this point.)

One of the things that caught us was the new "Allow IFrame Tags" option.

Now I'll immediately confess to knowing absolutely nothing about the dark, inner workings of anything vaguely iframe-ish. And I'll also confess to having failed to pay attention to its discussion here during recent weeks.

It seems the choice is currently a stark one: either permit iframe (and risk its possible dangers) or forbid iframe (and risk the dangers of unhappy users with big sticks).

Might there be the possibility of a compromise? An option something like "convert iframe to text"? (Or was this discussed and deemed unworkable?)

--
:  David Lee                        I.T. Service          :
:  Systems Programmer               Computer Centre       :
:                                   University of Durham  :
:  http://www.dur.ac.uk/t.d.lee/    South Road            :
:                                   Durham                :
:  Phone: +44 191 374 2882          U.K.                  :

From LISTSERV at JISCMAIL.AC.UK Mon Nov 4 17:38:36 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:16:17 2006 Subject: MAILSCANNER: joe_honnold@STARKEY.COM requested to join Message-ID: <200211041738.RAA21394@magpie.ecs.soton.ac.uk> Mon, 4 Nov 2002 17:38:36 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Joe Honnold . The following subscription options have been requested: NOMIME DIGEST ACK NOREPRO. You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER joe_honnold@STARKEY.COM Joe Honnold The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+joe_honnold%40STARKEY.COM+Joe+Honnold&L=MAILSCANNER This first link will add the subscriber to the list. You can then set the subscription options with this link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=SET+MAILSCANNER+NOMIME+DIGEST+ACK+NOREPRO+FOR+joe_honnold%40STARKEY.COM&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From LISTSERV at JISCMAIL.AC.UK Mon Nov 4 17:38:53 2002 
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:16:17 2006 Subject: MAILSCANNER: joe_honnold@STARKEY.COM requested to join Message-ID: <200211041738.RAA21469@magpie.ecs.soton.ac.uk> Mon, 4 Nov 2002 17:38:53 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Joe Honnold . The following subscription options have been requested: NOMIME DIGEST CONCEAL. You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER joe_honnold@STARKEY.COM Joe Honnold The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+joe_honnold%40STARKEY.COM+Joe+Honnold&L=MAILSCANNER This first link will add the subscriber to the list. You can then set the subscription options with this link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=SET+MAILSCANNER+NOMIME+DIGEST+CONCEAL+FOR+joe_honnold%40STARKEY.COM&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From LISTSERV at JISCMAIL.AC.UK Mon Nov 4 18:06:15 2002 
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:16:17 2006 Subject: MAILSCANNER: P.Holzleitner@UNIDO.ORG requested to join Message-ID: <200211041806.SAA24842@magpie.ecs.soton.ac.uk> Mon, 4 Nov 2002 18:06:15 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Peter Holzleitner . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER P.Holzleitner@UNIDO.ORG Peter Holzleitner The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+P.Holzleitner%40UNIDO.ORG+Peter+Holzleitner&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From vguerrero at minar.com Mon Nov 4 18:25:05 2002 From: vguerrero at minar.com (Vicente Guerrero M.) Date: Thu Jan 12 21:16:17 2006 Subject: Creating mail copies for backup References: <5.1.0.14.2.20021104143947.044d0700@imap.ecs.soton.ac.uk> <200211041505.QAA05059@post.webmailer.de> Message-ID: <004701c2842f$82046290$620aaa82@ADMINISTRATOR> maybe procmail can help, there is no major problem to install and configure. Hope this helps. vgm ----- Original Message ----- 
From: "Marc Mc Guinness"
To:
Sent: Monday, November 04, 2002 9:05 AM
Subject: Re: Creating mail copies for backup

> Hello,
>
> On Monday, 4 November 2002 15:40, Julian Field wrote:
> > At 14:25 04/11/2002, you wrote:
> > >Hello,
> > >
> > >I don't know who I could ask. Probably you could help me...
> > >I'm using sendmail 8.12.6-6 on Debian 3.0 and want to create a
> > > copy of every email delivered to the user mailboxes under
> > > /var/mail/. This copy shall be saved in user mailboxes under
> > > /var/backup/mail/.
> > >
> > >How can I tell sendmail to write its mails to two directories?
> >
> > That's tricky in sendmail (I may be wrong, quite a few people on
> > this list know more about sendmail than I do!).
> >
> > However, MailScanner 4 will do it for you. The "Archive Mail"
> > feature can save mail messages to a directory or even to another
> > email address, without the recipient noticing anything is
> > happening.
>
> I can't use version 4 at the moment (political reason). I've got
> the mailscanner 3.13.2-4 from debian stable. Probably someone else
> can help me with telling sendmail to do the backup?
>
> Best regards,
>
> Marc
>
From mailscanner at ecs.soton.ac.uk Mon Nov 4 18:31:01 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:17 2006
Subject: iframe dilemma: a compromise?
In-Reply-To:
Message-ID: <5.1.0.14.2.20021104182526.023b4238@imap.ecs.soton.ac.uk>

At 18:06 04/11/2002, you wrote:
>Having lagged behind in 3.x, we recently jumped to 3.25-1. (Next step is
>4.x, but that was a leap too far at this point.)

One for Christmas, perhaps? If you start experimenting with V4 now, you may be in a position to go "live" over Christmas or thereabouts, as you still have 6 weeks or so to experiment and agree on the configuration. Feel free to recruit me if you want some help or advice with the implications of the various settings. I can remember why I wrote most of them :-)

>One of the things that caught us was the new "Allow IFrame Tags" option.
>
>Now I'll immediately confess to knowing absolutely nothing about the dark,
>inner workings of anything vaguely iframe-ish. And I'll also confess to
>having failed to pay attention to its discussion here during recent weeks.
>
>It seems the choice is currently a stark one: either permit iframe (and
>risk its possible dangers) or forbid iframe (and risk the dangers of
>unhappy users with big sticks).
>
>Might there be the possibility of a compromise? An option something like
>"convert iframe to text"? (Or was this discussed and deemed unworkable?)

In version 4, you can allow IFrame tags from any given "trusted" address, which solves the problem. I am loath to spend the time required to implement all the "domains file" code in version 3, it would be quite a bit of work.

If you keep your Outlook and OE users well up to date with patches, then you probably won't have much problem as most of the current viruses that exploit this rely on you not having installed patches that were issued a year ago.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mail at projectandrew.com Mon Nov 4 18:42:42 2002
From: mail at projectandrew.com (Andrew G Allen)
Date: Thu Jan 12 21:16:17 2006
Subject: Startup script
Message-ID: <1158.217.155.81.25.1036435362.squirrel@www.projectandrew.com>

I am still trying to get MailScanner fully working with Ensim WEBppliance - the only part that is not working is a piece of custom ensim code that is normally called from the sendmail startup script. The two lines are:

        export LD_PRELOAD=/lib/libensimvwhbw.so
        export ENSIMVWH_BWSVCID=1

If I add these to the MailScanner startup script, MailScanner will accept mail, but will not deliver it to any chrooted site. I also get file not found errors thrown to the console. It seems to me then, to be something that must be passed from the sendmail config for this module to work, which is not passed by MailScanner - it is supposed to track the size of each mail passed through sendmail, so a monthly 'bandwidth allowance' can be applied to each virtual site within Ensim. I don't really know where to go next, and wondered if anybody who knows sendmail in more detail might have any ideas where to look?

Does MailScanner refer to all the same sendmail config files that sendmail would if it was called using its own startup script?

Andrew G Allen
email: mail@projectandrew.com | voice: +44 (0) 7958 540596

--- Disclaimer ---
This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify the system manager.

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From mailscanner at ecs.soton.ac.uk Mon Nov 4 18:57:43 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:17 2006
Subject: Startup script
In-Reply-To: <1158.217.155.81.25.1036435362.squirrel@www.projectandrew.com>
Message-ID: <5.1.0.14.2.20021104185355.023572b0@imap.ecs.soton.ac.uk>

I'm not at all convinced this will work, but give it a try:

Write a very short script that sets these variables and then calls sendmail, something like this

        #!/bin/sh
        export LD_PRELOAD=/lib/libensimvwhbw.so
        export ENSIMVWH_BWSVCID=1
        /usr/sbin/sendmail "$@"

and then call this script in MailScanner instead of directly invoking sendmail. You should just edit the "Sendmail =" setting in MailScanner.conf to refer to your script instead of sendmail itself.

See what happens with this setup.

At 18:42 04/11/2002, you wrote:
>I am still trying to get MailScanner fully working with Ensim WEBppliance
>- the only part that is not working is a piece of custom ensim code that
>is normally called from the sendmail startup script. The two lines are:
>
>         export LD_PRELOAD=/lib/libensimvwhbw.so
>         export ENSIMVWH_BWSVCID=1
>
>If I add these to the MailScanner startup script, MailScanner will accept
>mail, but will not deliver it to any chrooted site. I also get file not
>found errors thrown to the console. It seems to me then, to be something
>that must be passed from the sendmail config for this module to work,
>which is not passed by MailScanner - it is supposed to track the size of
>each mail passed through sendmail, so a monthly 'bandwidth allowance' can
>be applied to each virtual site within Ensim. I don't really know where to
>go next, and wondered if anybody who knows sendmail in more detail might
>have any ideas where to look?
>
>Does MailScanner refer to all the same sendmail config files that sendmail
>would if it was called using its own startup script?
>
>Andrew G Allen
>email: mail@projectandrew.com | voice: +44 (0) 7958 540596
>
>--- Disclaimer ---
>This e-mail and any files transmitted with it are confidential and
>intended solely for the use of the individual or entity to whom they are
>addressed. If you have received this email in error, please notify the
>system manager.
>
>--
>This message has been scanned for viruses and dangerous
>content by MailScanner, and is believed to be clean.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mkettler at EVI-INC.COM Mon Nov 4 19:23:01 2002
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:16:17 2006
Subject: Creating mail copies for backup
In-Reply-To: <200211041425.PAA19966@post.webmailer.de>
Message-ID: <5.1.1.6.0.20021104142138.01618a18@192.168.50.2>

If you're using mailscanner, read your mailscanner.conf. It can do this for you. Also be aware that it might be illegal to do what you ask in some jurisdictions, consult your local lawyer :)

From a Mailscanner 3.x conf file:

# Do you want to archive all mail in a directory for later inspection?
# Be warned if you are in the UK: this may well be illegal due to RIPA
# and DPA restrictions!
# This can be "yes", "no" or a filename. If it is a filename, the file
# may contain complete addresses, domain names or wildcard domains names.
# See the sample file for examples.
#Archive Mail = /usr/local/MailScanner/etc/domains.to.archive.conf
Archive Mail = no

At 03:25 PM 11/4/2002 +0100, Marc Mc Guinness wrote:
>Hello,
>
>I don't know who I could ask. Probably you could help me...
>I'm using sendmail 8.12.6-6 on Debian 3.0 and want to create a copy
>of every email delivered to the user mailboxes under /var/mail/.
>This copy shall be saved in user mailboxes under /var/backup/mail/.
>
>How can I tell sendmail to write its mails to two directories?
>
>Best regards,
>
>Marc Mc Guinness

From lbergman at wtxs.net Mon Nov 4 19:36:25 2002
From: lbergman at wtxs.net (Lewis Bergman)
Date: Thu Jan 12 21:16:17 2006
Subject: No virus loggings?
Message-ID: <200211041336.25634.lbergman@wtxs.net>

I am getting verbose spam logging as noted below.

Nov 3 03:41:46 ns2 MailScanner[1437]: Message gA39fd302216 from 209.47.251.47
(bounce.rapid-e.net) is spam according to SpamAssassin (score=8.9, required
5, APPLY_ONLINE, BIG_FONT, CLICK_BELOW, CLICK_BELOW_CAPS,
DATE_IN_FUTURE_06_12, DEAR_SOMEBODY, EXCUSE_1, EXCUSE_16, EXCUSE_7,
HTML_FONT_FACE_ODD, HTTP_WITH_EMAIL_IN_URL, JAVASCRIPT, JAVASCRIPT_UNSAFE,
LINES_OF_YELLING, LINES_OF_YELLING_2, LINES_OF_YELLING_3, MARKETING_PARTNERS,
SPAM_PHRASE_08_13, UNSECURED_CREDIT, WEB_BUGS)

But all I get about virus scanning is on this order:
Nov 3 03:41:46 ns2 MailScanner[1437]: Virus and Content Scanning: Starting
Nov 3 03:41:46 ns2 MailScanner[1437]: Uninfected: Delivered 1 messages

I know the virus engine is doing its job because virus notices are sent out as configured.
This is on MailScanner 4.04.-1 and f-prot 3.12b
The -r is added to syslogd startup. What else am I missing here?

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
915-695-6962 ext 115

From mailscanner at ecs.soton.ac.uk Mon Nov 4 19:40:32 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:17 2006
Subject: No virus loggings?
In-Reply-To: <200211041336.25634.lbergman@wtxs.net>
Message-ID: <5.1.0.14.2.20021104193854.02357cf0@imap.ecs.soton.ac.uk>

At 19:36 04/11/2002, you wrote:
>I am getting verbose spam logging as noted below.
>
>Nov 3 03:41:46 ns2 MailScanner[1437]: Message gA39fd302216 from 209.47.251.47
>(bounce.rapid-e.net) is spam according to SpamAssassin (score=8.9, required
>5, APPLY_ONLINE, BIG_FONT, CLICK_BELOW, CLICK_BELOW_CAPS,
>DATE_IN_FUTURE_06_12, DEAR_SOMEBODY, EXCUSE_1, EXCUSE_16, EXCUSE_7,
>HTML_FONT_FACE_ODD, HTTP_WITH_EMAIL_IN_URL, JAVASCRIPT, JAVASCRIPT_UNSAFE,
>LINES_OF_YELLING, LINES_OF_YELLING_2, LINES_OF_YELLING_3, MARKETING_PARTNERS,
>SPAM_PHRASE_08_13, UNSECURED_CREDIT, WEB_BUGS)
>
>
>But all I get about virus scanning is on this order:
>Nov 3 03:41:46 ns2 MailScanner[1437]: Virus and Content Scanning: Starting
>Nov 3 03:41:46 ns2 MailScanner[1437]: Uninfected: Delivered 1 messages
>
>I know the virus engine is doing its job because virus notices are sent out as
>configured.
>This is on MailScanner 4.04.-1 and f-prot 3.12b
>The -r is added to syslogd startup. What else am I missing here?

It doesn't produce any "nothing interesting happened" log entries, after another user claimed it was logging too much. If it finds anything of interest, it will still log it.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From gerry at dorfam.ca Mon Nov 4 19:41:47 2002
From: gerry at dorfam.ca (Gerry Doris)
Date: Thu Jan 12 21:16:17 2006
Subject: V4 Upgrade Experience
Message-ID: <49210.129.80.22.133.1036438907.squirrel@tiger.dorfam.ca>

I finally got around to upgrading from V3 last Saturday. I've been waiting until the dust settled before I did the deed.

BTW, I'm running a Redhat 7.3 server with RH's sendmail/perl, and the latest version of spamassassin. V3 was working without problems before starting.

After noticing that Julian had released a new version I grabbed it, untar'd the file, and ran the ./install script. It happily reported that most of the required perl files were already installed, updated a few, and added a couple of others.

I modified the new mailscanner.conf file, added the MailScanner service per the doc's and, as I had the luxury, rebooted the server. I know the reboot wasn't necessary if I had shutdown the old daemons but I also wanted to be sure that the server would come back in case of power outages etc.

Everything came up running without errors! I've only noticed a couple of minor things that needed tweaking. Small stuff like the f-prot-autoupdate script location had to be changed in my crontab file (it was still pointing to the old location).

The bottom line is that this was a totally painless upgrade. Thank you Julian.

Gerry

From mailscanner at ecs.soton.ac.uk Mon Nov 4 19:43:52 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:17 2006
Subject: V4 Upgrade Experience
In-Reply-To: <49210.129.80.22.133.1036438907.squirrel@tiger.dorfam.ca>
Message-ID: <5.1.0.14.2.20021104194257.024218c0@imap.ecs.soton.ac.uk>

At 19:41 04/11/2002, you wrote:
>The bottom line is that this was a totally painless upgrade. Thank you
>Julian.

Yay! Thank you.

Jules.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From todd.williams at TFCCI.COM Mon Nov 4 19:39:47 2002
From: todd.williams at TFCCI.COM (Todd Williams)
Date: Thu Jan 12 21:16:17 2006
Subject: Sendmail question with regards to MailScanner
Message-ID: <00b801c28439$efbf5010$c802a8c0@toddntbox.tfcc.com>

Hello,

I've searched and not turned up a whole lot of useful help regarding this question, but perhaps someone else has seen what I'm seeing.

If an internal user (accidentally?) writes an e-mail to a bogus or unreachable domain name (or in the case an internet connection is down), when sendmail 8.11.6 (with the appropriate command line options for queueonly and a queue directory of /var/spool/mqueue.inbox) takes the message, it attempts to munge on the message (seemingly ignoring the queueonly option), and because it sees the message as a "deferred" message, dumps the message directly into the /var/spool/mqueue directory, which effectively bypasses the MailScanner altogether. While this may be a non-issue, I just wanted to see if others have seen this same behaviour.

I thought it odd that even when handed the "-ODeliveryMode=q -OQueueDirectory=/var/spool/mqueue.inbox" options, in the case of a deferred message, sendmail bypasses its command line parameters and follows the sendmail.cf directive (?) to send it to the default queue directory. I even tried playing with the "-OErrorMode=q" option as well, setting it to "queue only" and the deferred messages still end up in the default /var/spool/mqueue directory the same as before. Everything else under normal conditions works fine.

I suspect we could change the queueonly sendmail process to use a different sendmail.cf configuration file which specifies the QueueDirectory as the incoming MailScanner queue directory to force it through the MailScanner irregardless, but I was trying to avoid convoluting things more than necessary.

Any thoughts?

Thanks,
Todd

From David.While at UCE.AC.UK Mon Nov 4 19:53:53 2002
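An added example (not from the thread): one way to confirm the bypass described in the post above is to list control files in the outgoing queue that lack the header MailScanner adds to mail it has processed. The header name `X-MailScanner`, the sample qf files and their queue ids are constructed assumptions; adjust the header to match the "Mail Header" setting in use.

```python
import os
import re
import tempfile

# Header MailScanner adds to processed mail. The name is configurable in
# MailScanner.conf, so this value is an assumption.
SCAN_HEADER = "X-MailScanner:"

# A qf header line is "H", optional "?flags?", then "Name: value".
HEADER_RE = re.compile(r"^H(?:\?[^?]*\?)?(?P<name>[^:\s]+):")

# Constructed qf (queue control) files, not taken from the thread.
SCANNED_QF = """\
V4
T1036438000
P30000
S<alice@example.org>
RPFD:<bob@example.net>
H?P?Return-Path: <alice@example.org>
H??Received: from localhost (localhost [127.0.0.1])
\tby mx1.example.org with ESMTP id gA4EXAMPLE0001
H??Subject: went through the inbound queue
H??X-MailScanner: Found to be clean
.
"""

BYPASSED_QF = """\
V4
T1036438100
P30000
MDeferred: Name server: unreachable.example: host name lookup failure
S<carol@example.org>
RPFD:<dave@unreachable.example>
H?P?Return-Path: <carol@example.org>
H??Received: from localhost (localhost [127.0.0.1])
\tby mx1.example.org with ESMTP id gA4EXAMPLE0002
H??Subject: queued straight to the outgoing directory
.
"""


def parse_qf(text):
    """Extract header names, envelope sender (S) and deferral reason (M)."""
    info = {"headers": [], "sender": None, "reason": None}
    for line in text.splitlines():
        if not line or line[0] in " \t":
            continue  # blank line or continuation of the previous record
        code, rest = line[0], line[1:]
        if code == "H":
            m = HEADER_RE.match(line)
            if m:
                info["headers"].append(m.group("name").lower())
        elif code == "S":
            info["sender"] = rest
        elif code == "M":
            info["reason"] = rest
    return info


def find_unscanned(queue_dir, header=SCAN_HEADER):
    """Return (queue id, sender, deferral reason) for qf files lacking the header."""
    wanted = header.rstrip(":").lower()
    hits = []
    for name in sorted(os.listdir(queue_dir)):
        if not name.startswith("qf"):
            continue  # df* bodies and other files are not control files
        try:
            with open(os.path.join(queue_dir, name), errors="replace") as fh:
                info = parse_qf(fh.read())
        except FileNotFoundError:
            continue  # delivered and removed by a queue runner meanwhile
        if wanted not in info["headers"]:
            hits.append((name[2:], info["sender"], info["reason"]))
    return hits


def build_sample_queue(queue_dir):
    """Write the two constructed control files into queue_dir."""
    for qid, text in (("gA4EXAMPLE0001", SCANNED_QF), ("gA4EXAMPLE0002", BYPASSED_QF)):
        with open(os.path.join(queue_dir, "qf" + qid), "w") as fh:
            fh.write(text)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample_dir:
        build_sample_queue(sample_dir)
        for qid, sender, reason in find_unscanned(sample_dir):
            print(qid, sender, reason)
```

On a live host the directory to pass is the outgoing queue (/var/spool/mqueue in the post), read with sufficient privilege; a hit with a "Deferred" reason matches the behaviour the poster reports.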
From: David.While at UCE.AC.UK (David While) Date: Thu Jan 12 21:16:17 2006 Subject: MRTG etc Message-ID: A number of people have been asking about getting statistic output for MailScanner (quite often for the higher ups!) well I have produced a script that analyses the mail log file and produces the necessary output including MRTG. The first time you run the script it will produce the necessary MRTG config file. It has a number of configurable variables (at the top of the script) and can also use the sendmail access file to automatically ban those IP addresses that consistently send you spam. There have been a number of discussions about SpamCop etc - well this is one solution - turn off your spamcop settings in MailScanner and sendmail and let this script decide to put them into your own access file. After a period of time they are automatically removed again. Currently the virus analysis will only work for ClamAV and inoculan since I don't have access to any other scanners, however it is easy for me to add them in - all I need are some sample mail log file entries from the relevant scanners when they have detected a virus. For a sample of what it produces see http://www.boys-brigade.org.uk/mrtg and to get the script go to http://staff.cie.uce.ac.uk/~dwhile/mailstats/ It isn't a perfect script and if you have any problems please let me know - also if you find it useful let me know. ----------------------------------------------------------------- David While Technical Development Manager Faculty of Computing, Information & English University of Central England Tel: 0121 331 6211 From mailscanner at ecs.soton.ac.uk Mon Nov 4 19:55:32 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:17 2006 Subject: Sendmail question with regards to MailScanner In-Reply-To: <00b801c28439$efbf5010$c802a8c0@toddntbox.tfcc.com> Message-ID: <5.1.0.14.2.20021104195442.024199f8@imap.ecs.soton.ac.uk> I would report that as a sendmail bug if that really happens. It shouldn't over-ride its command-line options. At 19:39 04/11/2002, you wrote: >Hello, > >I've searched and not turned up a whole lot of useful help regarding this >question, but perhaps someone else has seen what I'm seeing. > >If an internal user (accidentally?) writes an e-mail to a bogus or >unreachable domain name (or in the case an internet connection is down), >when sendmail 8.11.6 (with the appropriate command line options for >queueonly and a queue directory of /var/spool/mqueue.inbox) takes the >message, it attempts to munge on the message (seemingly ignoring the >queueonly option), and because it sees the message as a "deferred" message, >dumps the message directly into the /var/spool/mqueue directory, which >effectively bypasses the MailScanner altogether. While this may be a >non-issue, I just wanted to see if others have seen this same behaviour. > >I thought it odd that even when handed the >"-ODeliveryMode=q -OQueueDirectory=/var/spool/mqueue.inbox" options, in the >case of a deferred message, sendmail bypasses it's command line parameters >and follows the sendmail.cf directive (?) to send it to the default queue >directory. I even tried playing with the "-OErrorMode=q" option as well, >setting it to "queue only" and the deferred messages still end up in the >default /var/spool/mqueue directory the same as before. Everything else >under normal conditions works fine. 
I suspect we could change the queueonly >sendmail process to use a different sendmail.cf configuration file which >specifies the QueueDirectory as the incoming MailScanner queue directory to >force it through the MailScanner irregardless, but I was trying to avoid >convoluting things more than necessary. > >Any thoughts? > >Thanks, > >Todd -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From gerry at dorfam.ca Mon Nov 4 19:59:36 2002 
From: gerry at dorfam.ca (Gerry Doris) Date: Thu Jan 12 21:16:17 2006 Subject: Fwd: Mailscanner on OSDir.com (new O'Reilly site) In-Reply-To: <5.1.0.14.2.20021104102226.04515ec0@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20021104102226.04515ec0@imap.ecs.soton.ac.uk> Message-ID: <37450.129.80.22.133.1036439976.squirrel@tiger.dorfam.ca> > O'Reilly have created a new website containing a directory of Open > Source projects, including MailScanner. If some of you could take 5 > minutes adding some comments / votes to the site, I would really > appreciate it. > > The MailScanner project page is at > http://osdir.com/modules.php?op=modload&name=Downloads&file=index&req=viewdownloaddetails&lid=114&ttitle=MailScanner > > And the home page of their new site is of course http://osdir.com/ > >>Subject: Mailscanner on OSDir.com (new O'Reilly site) >> >>Hi Julian, >> >>I've just added Mailscanner to http://OSDir.com (new O'Reilly site). >> We'll likely be building a book partly baed from the votes and comments >> there so I invite our users to talk Mailscanner up a bit there: >>http://osdir.com/modules.php?op=modload&name=Downloads&file=index&req=viewdownloaddetails&lid=114&ttitle=MailScanner >> >>There's a link at the bottom of that page if you or any of them want >> visitors to vote/comment on Mailscanner remotely from a website such as >> your own. We'll likely be building a book partly based on comments and >> votes so adding it to the Mailscanner site probably wouldn't hurt. >> >>Thanks and Cheers, >>-- >>Steve Mallett | steve@osdir.com >>http://OSDir.com on the O'Reilly Network >>http://opensource.org | webmaster@opensource.org >>http://open5ource.net > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. > 023 8059 2817 University of Southampton > Southampton SO17 1BJ I don't understand this site. MailScanner has a total of 44 votes and an overall rating of 9.43 yet it doesn't appear in the top/popular app's?? 
Am I missing something? Gerry From mailscanner at ecs.soton.ac.uk Mon Nov 4 20:04:35 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:17 2006 Subject: 4.05-3 update In-Reply-To: <5.1.1.6.2.20021104115351.00a65db0@mail.okanagan.net> References: <5.1.0.14.2.20021101084729.0487aaa0@imap.ecs.soton.ac.uk> <5.1.1.6.2.20021031151431.00a63890@mail.okanagan.net> Message-ID: <5.1.0.14.2.20021104200225.0309ddd0@imap.ecs.soton.ac.uk> At 20:00 04/11/2002, you wrote: >i see u added SCO Openserver into the startup script, yes, it works fine!! Good. >new issue.. :) > >if you put 500 pieces of mail in the input directory (1000 files), >mailscanner croaks and complains about too many files. Of course, you >then get a spiral of death, more mail comes in... more files etc... > >example: > >Cannot build message from /var/spool/MailScanner/incoming/3964/g >/var/spool/mqueue.in/dfgA4I73L00650, Too many open files > >Commercial virus checker failed with real error: > Can't fork: Too many open files at > /opt/MailScanner/bin/MailScanner/SweepViruses.pm line 412. That's a fault in your OS. Find out how to increase the number of file handles you are allowed to open. Should be a configurable OS parameter. Some other OS has a low limit on the number of file locks allowed at once. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Mon Nov 4 20:06:47 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:17 2006 Subject: Fwd: Mailscanner on OSDir.com (new O'Reilly site) In-Reply-To: <37450.129.80.22.133.1036439976.squirrel@tiger.dorfam.ca> References: <5.1.0.14.2.20021104102226.04515ec0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021104102226.04515ec0@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20021104200516.030b9f00@imap.ecs.soton.ac.uk> At 19:59 04/11/2002, you wrote: > > O'Reilly have created a new website containing a directory of Open > > Source projects, including MailScanner. If some of you could take 5 > > minutes adding some comments / votes to the site, I would really > > appreciate it. > > > > The MailScanner project page is at > > > http://osdir.com/modules.php?op=modload&name=Downloads&file=index&req=viewdownloaddetails&lid=114&ttitle=MailScanner > > > > And the home page of their new site is of course http://osdir.com/ > > > >>Subject: Mailscanner on OSDir.com (new O'Reilly site) > >> > >>Hi Julian, > >> > >>I've just added Mailscanner to http://OSDir.com (new O'Reilly site). > >> We'll likely be building a book partly baed from the votes and comments > >> there so I invite our users to talk Mailscanner up a bit there: > >>http://osdir.com/modules.php?op=modload&name=Downloads&file=index&req=vi > ewdownloaddetails&lid=114&ttitle=MailScanner > >> > >>There's a link at the bottom of that page if you or any of them want > >> visitors to vote/comment on Mailscanner remotely from a website such as > >> your own. We'll likely be building a book partly based on comments and > >> votes so adding it to the Mailscanner site probably wouldn't hurt. > >> > >>Thanks and Cheers, > >>-- > >>Steve Mallett | steve@osdir.com > >>http://OSDir.com on the O'Reilly Network > >>http://opensource.org | webmaster@opensource.org > >>http://open5ource.net > > > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 
> > 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > >I don't understand this site. MailScanner has a total of 44 votes and an >overall rating of 9.43 yet it doesn't appear in the top/popular app's?? >Am I missing something? I saw that too. I hope it's just due to them not updating the popular apps list very often. If it's still that way tomorrow then I'll ask them what's happening. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From lbergman at wtxs.net Mon Nov 4 20:09:16 2002 From: lbergman at wtxs.net (Lewis Bergman) Date: Thu Jan 12 21:16:17 2006 Subject: No virus loggings? In-Reply-To: <5.1.0.14.2.20021104193854.02357cf0@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20021104193854.02357cf0@imap.ecs.soton.ac.uk> Message-ID: <200211041409.16997.lbergman@wtxs.net> > It doesn't produce any "nothing interesting happened" log entries, after > another user claimed it was logging too much. If it finds anything of > interest, it will still log it. Ooops. You're right. After further review I found one such as:
Nov 4 10:16:33 ns2 MailScanner[19348]: Virus Scanning: f-prot found 1 infections
Nov 4 10:16:33 ns2 MailScanner[19348]: Virus Scanning: Found 1 viruses
I vaguely remember something about differing virus scanners producing widely different output being the reason virus names are not output in the logs. Is this correct? -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From mailscanner at ecs.soton.ac.uk Mon Nov 4 20:14:36 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:17 2006 Subject: No virus loggings? In-Reply-To: <200211041409.16997.lbergman@wtxs.net> References: <5.1.0.14.2.20021104193854.02357cf0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021104193854.02357cf0@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20021104201412.0237f398@imap.ecs.soton.ac.uk> At 20:09 04/11/2002, you wrote: > > It doesn't produce any "nothing interesting happened" log entries, after > > another user claimed it was logging too much. If it finds anything of > > interest, it will still log it. >ooops. Your right. After further reveiw I found one such as: >Nov 4 10:16:33 ns2 MailScanner[19348]: Virus Scanning: f-prot found 1 >infections >Nov 4 10:16:33 ns2 MailScanner[19348]: Virus Scanning: Found 1 viruses > >I vaguely remember something about differing virus scanners producing widely >different output being the reason virus names are not output in the logs. Is >this correct? Yes. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From novirus at CARLO65.DE Mon Nov 4 20:25:42 2002 From: novirus at CARLO65.DE (Roland Ehle) Date: Thu Jan 12 21:16:17 2006 Subject: MRTG etc In-Reply-To: References: Message-ID: <1036441542.5743.96.camel@linroute> Hi David, Am Mon, 2002-11-04 um 20.53 schrieb David While: > A number of people have been asking about getting statistic output for > MailScanner (quite often for the higher ups!) well I have produced a script > that analyses the mail log file and produces the necessary output including > MRTG. The first time you run the script it will produce the necessary MRTG > config file. [...] thanks very much! Regards, Roland From novirus at CARLO65.DE Mon Nov 4 20:35:02 2002 
From: novirus at CARLO65.DE (Roland Ehle) Date: Thu Jan 12 21:16:17 2006 Subject: MailScanner 4.x installation on SuSE 7.3 Message-ID: <1036442102.5743.107.camel@linroute> Hi, I realized a few difficulties when installing the recent version of MailScanner 4.x on my SuSE Linux 7.3 box from the rpm-Distribution. Just to share my experiences with you, perhaps it may help, some hints: Before starting the install.sh script, you need to make a link, because neither /usr/src/redhat nor /usr/src/RPM exists - "ln -s /usr/src/packages RPM" helps. If you have the sendmail-tls package, provided by SuSE, you need to add --nodeps to the line "rpm -Uhv mailscanner*..." in the install.sh script. Standard installation of SuSE with sendmail, has a subdirectory .hoststat in /var/spool/mqueue. You need to move this subdirectory to /var/spool (or wherever you want), then change the referring line in your /etc/sendmail.cf file. Regards, Roland From mailscanner at ecs.soton.ac.uk Mon Nov 4 20:44:54 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:17 2006 Subject: MailScanner 4.x installation on SuSE 7.3 In-Reply-To: <1036442102.5743.107.camel@linroute> Message-ID: <5.1.0.14.2.20021104204242.030cef78@imap.ecs.soton.ac.uk> At 20:35 04/11/2002, you wrote: >Before starting the install.sh script, you need to make a link, because >neither /usr/src/redhat nor /usr/src/RPM exists - "ln -s >/usr/src/packages RPM" helps. If you have the sendmail-tls package, >provided by SuSE, you need to add --nodeps to the line "rpm -Uhv >mailscanner*..." in the install.sh script. Fixed in the next release. >Standard installation of SuSE with sendmail, has a subdirectory >.hoststat in /var/spool/mqueue. You need to move this subdirectory to >/var/spool (or wherever you want), than change the refering line in your >/etc/sendmail.cf file. Already fixed in the latest release. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mail at projectandrew.com Tue Nov 5 01:03:39 2002 
From: mail at projectandrew.com (Andrew G Allen) Date: Thu Jan 12 21:16:17 2006 Subject: MRTG etc In-Reply-To: References: Message-ID: <1163.217.155.81.25.1036458219.squirrel@www.projectandrew.com> Some entries from my log file:

Nov 4 17:15:30 host-2 MailScanner[1163]: New Batch: Scanning 1 messages, 140270 bytes
Nov 4 17:15:30 host-2 MailScanner[1163]: Spam Checks: Starting
Nov 4 17:15:30 host-2 MailScanner[1163]: Virus and Content Scanning: Starting
Nov 4 17:15:31 host-2 MailScanner[1163]: >>> Virus 'W32/Klez-H' found in file ./gA4HFT803745/coords.scr
Nov 4 17:15:31 host-2 MailScanner[1163]: Virus Scanning: sophos found 1 infections
Nov 4 17:15:31 host-2 MailScanner[1163]: /var/spool/MailScanner/incoming/1163/gA4HFT803745/coords.scr Infection: W32/Klez.H@mm
Nov 4 17:15:31 host-2 MailScanner[1163]: Virus Scanning: f-prot found 1 infections
Nov 4 17:15:31 host-2 MailScanner[1163]: /var/spool/MailScanner/incoming/1163/./gA4HFT803745/coords.scr: Worm/Klez.H FOUND
Nov 4 17:15:31 host-2 MailScanner[1163]: Virus Scanning: clamav found 1 infections
Nov 4 17:15:31 host-2 MailScanner[1163]: Virus Scanning: Found 1 viruses
Nov 4 17:15:31 host-2 MailScanner[1163]: Filename Checks: Possible virus hidden in a screensaver (coords.scr)
Nov 4 17:15:31 host-2 MailScanner[1163]: Other Checks: Found 1 problems
Nov 4 17:15:31 host-2 MailScanner[1163]: Saved infected "coords.scr" to /var/spool/MailScanner/quarantine/20021104/gA4HFT803745
Nov 4 17:15:31 host-2 MailScanner[1163]: Silent: Delivered 1 messages containing silent viruses

I am currently using f-prot, sophos & clamav. Hope this helps... :) Andrew G Allen email: mail@projectandrew.com | voice: +44 (0) 7958 540596 --- Disclaimer --- This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify the system manager.
> A number of people have been asking about getting statistic output for > MailScanner (quite often for the higher ups!) well I have produced a > script that analyses the mail log file and produces the necessary output > including MRTG. The first time you run the script it will produce the > necessary MRTG config file. > > It has a number of configurable variables (at the top of the script) and > can also use the sendmail access file to automatically ban those IP > addresses that consistently send you spam. There have been a number of > discussions about SpamCop etc - well this is one solution - turn off > your spamcop settings in MailScanner and sendmail and let this script > decide to put them into your own access file. After a period of time > they are automatically removed again. > > Currently the virus analysis will only work for ClamAV and inoculan > since I don't have access to any other scanners, however it is easy for > me to add them in - all I need are some sample mail log file entries > from the relevant scanners when they have detected a virus. > > For a sample of what it produces see http://www.boys-brigade.org.uk/mrtg > and to get the script go to > http://staff.cie.uce.ac.uk/~dwhile/mailstats/ > > It isn't a perfect script and if you have any problems please let me > know - also if you find it useful let me know. > > ----------------------------------------------------------------- > David While > Technical Development Manager > Faculty of Computing, Information & English > University of Central England > Tel: 0121 331 6211 > > -- > This message has been scanned for viruses and dangerous > content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From smohan at vsnl.com Tue Nov 5 02:10:39 2002 
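The log excerpt in Andrew G Allen's message above shows three scanners reporting the same attachment in three different line formats, and the earlier "No virus loggings?" post shows a summary line with no virus name at all. The following is an added example, not David While's script and not MailScanner code: it normalises those formats into one record per queue ID and flags scanner summaries that have no matching detail line. The format-to-scanner mapping is an assumption inferred from which summary line follows each detail line in the excerpt, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Log lines copied from the thread: the host-2 batch from the message above and
# the two ns2 summary lines from the earlier "No virus loggings?" post.
SAMPLE_LOG = """\
Nov 4 17:15:30 host-2 MailScanner[1163]: New Batch: Scanning 1 messages, 140270 bytes
Nov 4 17:15:30 host-2 MailScanner[1163]: Virus and Content Scanning: Starting
Nov 4 17:15:31 host-2 MailScanner[1163]: >>> Virus 'W32/Klez-H' found in file ./gA4HFT803745/coords.scr
Nov 4 17:15:31 host-2 MailScanner[1163]: Virus Scanning: sophos found 1 infections
Nov 4 17:15:31 host-2 MailScanner[1163]: /var/spool/MailScanner/incoming/1163/gA4HFT803745/coords.scr Infection: W32/Klez.H@mm
Nov 4 17:15:31 host-2 MailScanner[1163]: Virus Scanning: f-prot found 1 infections
Nov 4 17:15:31 host-2 MailScanner[1163]: /var/spool/MailScanner/incoming/1163/./gA4HFT803745/coords.scr: Worm/Klez.H FOUND
Nov 4 17:15:31 host-2 MailScanner[1163]: Virus Scanning: clamav found 1 infections
Nov 4 17:15:31 host-2 MailScanner[1163]: Virus Scanning: Found 1 viruses
Nov 4 17:15:31 host-2 MailScanner[1163]: Saved infected "coords.scr" to /var/spool/MailScanner/quarantine/20021104/gA4HFT803745
Nov 4 10:16:33 ns2 MailScanner[19348]: Virus Scanning: f-prot found 1 infections
Nov 4 10:16:33 ns2 MailScanner[19348]: Virus Scanning: Found 1 viruses
"""

SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+"
    r"MailScanner\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)

# Per-scanner detail-line formats, as seen in the excerpt (assumed mapping).
# Paths containing spaces are not handled by these patterns.
DETAIL = [
    ("sophos", re.compile(r"^>>> Virus '(?P<virus>[^']+)' found in file (?P<path>\S+)$")),
    ("f-prot", re.compile(r"^(?P<path>\S+)\s+[Ii]nfection: (?P<virus>\S+)$")),
    ("clamav", re.compile(r"^(?P<path>\S+): (?P<virus>\S+) FOUND$")),
]
SUMMARY = re.compile(r"^Virus Scanning: (?P<scanner>\S+) found (?P<count>\d+) infections$")


def queue_id(path, pid):
    """Return the sendmail queue ID embedded in a scanner-reported path.

    In the excerpt the work directory is named after the MailScanner PID, so
    the queue ID is the component after it; relative paths start with the ID.
    """
    parts = [p for p in path.split("/") if p not in ("", ".")]
    if pid in parts and parts.index(pid) + 1 < len(parts):
        return parts[parts.index(pid) + 1]
    return parts[0] if parts else None


def parse_log(text):
    """Return (detections, mismatches).

    detections: {queue_id: {scanner: [virus names]}}
    mismatches: {(host, pid, scanner): (detail_lines_seen, infections_claimed)}
                for scanners whose summary count has no matching detail lines.
    """
    detections = defaultdict(lambda: defaultdict(set))
    seen = defaultdict(int)
    claimed = defaultdict(int)
    for line in text.splitlines():
        m = SYSLOG.match(line.strip())
        if not m:
            continue
        host, pid, msg = m["host"], m["pid"], m["msg"]
        s = SUMMARY.match(msg)
        if s:
            claimed[(host, pid, s["scanner"])] += int(s["count"])
            continue
        for scanner, rx in DETAIL:
            d = rx.match(msg)
            if d:
                detections[queue_id(d["path"], pid)][scanner].add(d["virus"])
                seen[(host, pid, scanner)] += 1
                break
    keys = set(seen) | set(claimed)
    mismatches = {
        k: (seen.get(k, 0), claimed.get(k, 0))
        for k in keys
        if seen.get(k, 0) != claimed.get(k, 0)
    }
    by_queue = {q: {s: sorted(v) for s, v in sc.items()} for q, sc in detections.items()}
    return by_queue, mismatches


if __name__ == "__main__":
    found, gaps = parse_log(SAMPLE_LOG)
    for qid, scanners in found.items():
        print(qid, scanners)
    for key, (n_seen, n_claimed) in gaps.items():
        print("no virus name logged for", key, "seen", n_seen, "claimed", n_claimed)
```

A non-empty `mismatches` result is the signal that a scanner's output parser is not logging names, which is the situation raised in the "No virus loggings?" and "F-secure logging" posts.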
From: smohan at vsnl.com (S Mohan) Date: Thu Jan 12 21:16:17 2006 Subject: Creating mail copies for backup In-Reply-To: <004701c2842f$82046290$620aaa82@ADMINISTRATOR> Message-ID: <000001c28470$8aa92660$25405bca@18yamuna> Use .procmailrc in etc which is systemwide. Let the rule be as under :0 c Will copy all mails to a file. You can get the header values and based on that copy it to different files. Another alternative is to have a .procmailrc in each user's home directory. Then file name can be hardcoded for each user. Mohan -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Vicente Guerrero M. Sent: Monday, November 04, 2002 11:55 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Creating mail copies for backup maybe procmail can help, there is no major problem to install and configure. Hope this helps. vgm ----- Original Message ----- 
From: "Marc Mc Guinness" To: Sent: Monday, November 04, 2002 9:05 AM Subject: Re: Creating mail copies for backup > Hello, > > Am Montag, 4. November 2002 15:40 schrieb Julian Field: > > At 14:25 04/11/2002, you wrote: > > >Hello, > > > > > >I don't know who I could ask. Probably you could help me... I'm > > >using sendmail 8.12.6-6 on Debian 3.0 and want to create a copy of > > >every email delivered to the user mailboxes under /var/mail/. This > > >copy shall be saved in user mailboxes under /var/backup/mail/. > > > > > >How can I tell sendmail to write it's mails to two directories? > > > > That's tricky in sendmail (I may be wrong, quite a few people on > > this list know more about sendmail than I do!). > > > > However, MailScanner 4 will do it for you. The "Archive Mail" > > feature can save mail messages to a directory or even to another > > email address, without the recipient noticing anything is happening. > > I can't use version 4 at the moment (political reason). I've got the > mailscanner 3.13.2-4 from debian stable. Probably someone else can > help me with telling sendmail to do the backup? > > Best regards, > > Marc > From brett at BRABYS.CO.ZA Tue Nov 5 06:28:26 2002 
From: brett at BRABYS.CO.ZA (Brett Geer) Date: Thu Jan 12 21:16:17 2006 Subject: Creating mail copies for backup In-Reply-To: <200211041425.PAA19966@post.webmailer.de> References: <200211041425.PAA19966@post.webmailer.de> Message-ID: <1036477706.12618.18.camel@brett> procmail can do it as mentioned by others, MailScanner is quite happy to copy in the qf and df files, only issue with this idea is on a busy mail server you get directories with thousands and thousands of files in there real fast. My solution there was to shove the files at a database, I can ship you a copy of my scripts and schema's if you like brett > I don't know who I could ask. Probably you could help me... > I'm using sendmail 8.12.6-6 on Debian 3.0 and want to create a copy > of every email delivered to the user mailboxes under /var/mail/. > This copy shall be saved in user mailboxes under /var/backup/mail/. > > How can I tell sendmail to write it's mails to two directories? -- ------------------------------------------------------------------- This is UNIX country, on a quiet night you can hear Windows reboot From LISTSERV at JISCMAIL.AC.UK Tue Nov 5 00:13:55 2002 
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:16:17 2006 Subject: MAILSCANNER: wmullis@ESHCOM.COM requested to join Message-ID: <200211050013.AAA06617@magpie.ecs.soton.ac.uk> Tue, 5 Nov 2002 00:13:55 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Wesley Mullis . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER wmullis@ESHCOM.COM Wesley Mullis The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+wmullis%40ESHCOM.COM+Wesley+Mullis&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From mailscanner at ecs.soton.ac.uk Tue Nov 5 08:43:39 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:17 2006 Subject: Creating mail copies for backup In-Reply-To: <1036477706.12618.18.camel@brett> References: <200211041425.PAA19966@post.webmailer.de> <200211041425.PAA19966@post.webmailer.de> Message-ID: <5.1.0.14.2.20021105084203.04610de8@imap.ecs.soton.ac.uk> At 06:28 05/11/2002, you wrote: >procmail can do it as mentioned by others, MailScanner is quite happy to >copy in the qf and df files MailScanner can now either copy the qf+df pair for each message, or a more readable headers+body file of the message. >, only issue with this idea is on a busy mail >server you get directories with thousands and thousands of files in >there real fast. Do it very selectively, and it's only a problem on naff OS's that can't handle big directories very quickly. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From carl.boberg at NRM.SE Tue Nov 5 09:01:35 2002 
From: carl.boberg at NRM.SE (Carl Boberg) Date: Thu Jan 12 21:16:17 2006 Subject: F-secure logging Message-ID: Hi, I'm trying really hard to make my F-secure log to the maillog as other scanners do, like:

Nov 4 17:15:31 host-2 MailScanner[1163]: >>> Virus 'W32/Klez-H' found in file ./gA4HFT803745/coords.scr

(this is a Sophos log entry)

Has anyone any knowledge about how this could be done? I know it logs the virus type to std out when I run it manually on a virus infected file;
.....
[root@pop 20021104]# /usr/lib/MailScanner/f-secure-wrapper *
F-Secure Anti-Virus for i386-linux Release 4.15 build 4370
Frisk Software International F-PROT engine version 3.11 build 802
sign.def version 2002-11-04
fssign2.def version 2002-11-04
fsmacro.def version 2002-11-04

gA48ARS02843/.scr infection: W32/Klez.H@mm
gA4BbfS11505/love.scr infection: W32/Lentin.F@mm
gA4K6kS27585/friends.scr infection: W32/Lentin.F@mm

 3 files scanned
 3 infections found
.....

So why doesn't it do the same in MS? Any ideas? Regards --------------------------------- Carl Boberg System & Network Administrator Dept. of Information Technology Swedish Museum of Natural History Frescativ. 40 104 05 Stockholm carl.boberg@nrm.se Phone: 08-519 551 16 Mobile: 0701-82 40 55 ---------------------------------
From mailscanner at ecs.soton.ac.uk Tue Nov 5 09:07:36 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:17 2006 Subject: F-secure logging In-Reply-To: Message-ID: <5.1.0.14.2.20021105090447.04aa5ec0@imap.ecs.soton.ac.uk> At 09:01 05/11/2002, you wrote: >Im trying really hard to make my F-secure log to the maillog as other >scanners do, like: > >Nov 4 17:15:31 host-2 MailScanner[1163]: >>> Virus 'W32/Klez-H' found in >file ./gA4HFT803745/coords.scr > >(this is a Sophos log entry) > >Has anyone any knowledge about how this could be done? >I know it logs the virus type to std out when I run it manually on a virus >infected file; >..... >[root@pop 20021104]# /usr/lib/MailScanner/f-secure-wrapper * >F-Secure Anti-Virus for i386-linux Release 4.15 build 4370 >Frisk Software International F-PROT engine version 3.11 build 802 >sign.def version 2002-11-04 >fssign2.def version 2002-11-04 >fsmacro.def version 2002-11-04 > >gA48ARS02843/.scr infection: W32/Klez.H@mm >gA4BbfS11505/love.scr infection: W32/Lentin.F@mm >gA4K6kS27585/friends.scr infection: W32/Lentin.F@mm > > 3 files scanned > 3 infections found >..... > >So why doesnt it do the same in MS? >Any ideas? Are you saying you would like a log entry for F-Secure that included the name of the virus found? The latest code already logs the whole of the line that includes the name of the virus (the latest version does, anyway), so you should get a log entry that says things like gA4K6kS27585/friends.scr infection: W32/Lentin.F@mm -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From lbergman at wtxs.net Tue Nov 5 12:57:27 2002 
From: lbergman at wtxs.net (Lewis Bergman) Date: Thu Jan 12 21:16:17 2006 Subject: F-secure logging In-Reply-To: References: Message-ID: <200211050657.27425.lbergman@wtxs.net> On Tuesday 05 November 2002 03:01 am, Carl Boberg wrote:
> Hi,
>
> Im trying really hard to make my F-secure log to the maillog as other
> scanners do, like:
>
> Nov 4 17:15:31 host-2 MailScanner[1163]: >>> Virus 'W32/Klez-H' found in
> file ./gA4HFT803745/coords.scr
>
> (this is a Sophos log entry)
>
> Has anyone any knowledge about how this could be done?

Well, The code that does the following should be in the next release I would guess.

Nov 5 06:52:41 ns2 MailScanner[8374]: Virus and Content Scanning: Starting
Nov 5 06:52:41 ns2 MailScanner[8374]: /var/spool/MailScanner/incoming/8374/gA5Cqch11332/eicar_com.zip->eicar.com Infection: EICAR_Test_File
Nov 5 06:52:41 ns2 MailScanner[8374]: Virus Scanning: F-Prot found virus EICAR_Test_File
Nov 5 06:52:41 ns2 MailScanner[8374]: Virus Scanning: f-prot found 1 infections
Nov 5 06:52:41 ns2 MailScanner[8374]: Virus Scanning: Found 1 viruses
Nov 5 06:52:41 ns2 MailScanner[8374]: Saved infected "eicar_com.zip" to /var/spool/MailScanner/quarantine/20021105/gA5Cqch11332

This is with f-prot but my output from the wrapper looks identical to yours so I would guess you might get the same output. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115
From mail at projectandrew.com Tue Nov 5 13:35:01 2002
From: mail at projectandrew.com (Andrew G Allen) Date: Thu Jan 12 21:16:17 2006 Subject: Startup script In-Reply-To: <5.1.0.14.2.20021104185355.023572b0@imap.ecs.soton.ac.uk> References: <1158.217.155.81.25.1036435362.squirrel@www.projectandrew.c <5.1.0.14.2.20021104185355.023572b0@imap.ecs.soton.ac.uk> Message-ID: <48436.213.123.176.242.1036503301.squirrel@www.projectandrew.com>

No luck :( I've tried doing this in the MailScanner.conf and in the MailScanner startup script. There are no errors produced this time, but no bandwidth is recorded. Is there any way to decompile the shared library (/lib/libensimvwhbw.so)? I've attached the whole sendmail init script in case you can see something that can be copied/added to the MailScanner script. Is there some way of running MailScanner, but call sendmail using its own init script? Just looking for ideas...

Andrew G Allen email: mail@projectandrew.com | voice: +44 (0) 7958 540596 --- Disclaimer --- This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify the system manager.

> I'm not at all convinced this will work, but give it a try:
> Write a very short script that sets these variables and then calls
> sendmail, something like this
>
> #!/bin/sh
> export LD_PRELOAD=/lib/libensimvwhbw.so
> export ENSIMVWH_BWSVCID=1
> /usr/sbin/sendmail "$@"
>
> and then call this script in MailScanner instead of directly invoking
> sendmail. You should just edit the "Sendmail =" setting in
> MailScanner.conf to refer to your script instead of sendmail itself.
>
> See what happens with this setup.
>
> At 18:42 04/11/2002, you wrote:
>>I am still trying to get MailScanner fully working with Ensim
>> WEBppliance - the only part that is not working is a piece of custom
>> ensim code that is normally called from the sendmail startup script.
>> The two lines are:
>>
>> export LD_PRELOAD=/lib/libensimvwhbw.so
>> export ENSIMVWH_BWSVCID=1
>>
>>If I add these to the MailScanner startup script, MailScanner will
>> accept mail, but will not deliver it to any chrooted site. I also get
>> file not found errors thrown to the console. It seems to me then, to be
>> something that must be passed from the sendmail config for this module
>> to work, which is not passed by MailScanner - it is supposed to track
>> the size of each mail passed through sendmail, so a monthly 'bandwidth
>> allowance' can be applied to each virtual site within Ensim. I don't
>> really know where to go next, and wondered if anybody who knows
>> sendmail in more detail might have any ideas where to look?
>>
>>Does MailScanner refer to all the same sendmail config files that
>> sendmail would if it was called using its own startup script?
>>
>>Andrew G Allen
>>email: mail@projectandrew.com | voice: +44 (0) 7958 540596
>>
>>--- Disclaimer ---
>>This e-mail and any files transmitted with it are confidential and
>> intended solely for the use of the individual or entity to whom they
>> are addressed. If you have received this email in error, please notify
>> the system manager.
>>
>>
>>--
>>This message has been scanned for viruses and dangerous
>>content by MailScanner, and is believed to be clean.
>
> --
> Julian Field Teaching Systems Manager
> jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel.
> 023 8059 2817 University of Southampton
> Southampton SO17 1BJ
>
>
> --
> This message has been scanned for viruses and dangerous
> content by MailScanner, and is believed to be clean.

--
This message has been scanned for viruses and dangerous
content by MailScanner, and is believed to be clean.
-------------- next part --------------
#!/bin/bash
#
# sendmail      This shell script takes care of starting and stopping
#               sendmail.
#
# chkconfig: 2345 80 30
# description: Sendmail is a Mail Transport Agent, which is the program \
#              that moves mail from one machine to another.
# processname: sendmail
# config: /etc/sendmail.cf
# pidfile: /var/run/sendmail.pid

# Source function library.
. /etc/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Source sendmail configuration.
if [ -f /etc/sysconfig/sendmail ] ; then
        . /etc/sysconfig/sendmail
else
        DAEMON=no
        QUEUE=1h
fi

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

[ -f /usr/sbin/sendmail ] || exit 0

RETVAL=0
prog="sendmail"

start() {
        # Start daemons.
        echo -n $"Starting $prog: "
        /usr/bin/newaliases > /dev/null 2>&1
        for i in virtusertable access domaintable ; do
            if [ -f /etc/mail/$i ] ; then
                makemap hash /etc/mail/$i < /etc/mail/$i
            fi
        done
        mailertables=
        if [ -f /etc/mail/mailertable.virtual_domains ]; then
            mailertables="/etc/mail/mailertable.virtual_domains"
        fi
        if [ -f /etc/mail/mailertable ]; then
            mailertables="$mailertables /etc/mail/mailertable"
        fi
        if [ -n "$mailertables" ]; then
            cat $mailertables | makemap hash /etc/mail/mailertable.db
        fi
        genericstables=
        if [ -f /etc/mail/genericstable.siteadmins ]; then
            genericstables="/etc/mail/genericstable.siteadmins"
        fi
        if [ -f /etc/mail/genericstable ]; then
            genericstables="$genericstables /etc/mail/genericstable"
        fi
        if [ -n "$genericstables" ]; then
            cat $genericstables | makemap hash /etc/mail/genericstable.db
        fi
        export LD_PRELOAD=/lib/libensimvwhbw.so
        export ENSIMVWH_BWSVCID=1
        daemon /usr/sbin/sendmail $([ "$DAEMON" = yes ] && echo -bd) \
                                  $([ -n "$QUEUE" ] && echo -q$QUEUE)
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sendmail
        return $RETVAL
}

start-fast() {
        # Start daemons.
        echo -n $"Starting $prog: "
        /usr/bin/newaliases > /dev/null 2>&1
        for i in virtusertable access domaintable ; do
            if [ -f /etc/mail/$i ] ; then
                makemap hash /etc/mail/$i < /etc/mail/$i
            fi
        done
        export LD_PRELOAD=/lib/libensimvwhbw.so
        export ENSIMVWH_BWSVCID=1
        daemon /usr/sbin/sendmail $([ "$DAEMON" = yes ] && echo -bd) \
                                  $([ -n "$QUEUE" ] && echo -q$QUEUE)
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sendmail
        return $RETVAL
}

stop() {
        # Stop daemons.
        echo -n $"Shutting down $prog: "
        killproc sendmail
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sendmail
        return $RETVAL
}

# See how we were called.
case "$1" in
  start)
        start
        ;;
  start-fast)
        start-fast
        ;;
  stop)
        stop
        ;;
  restart|reload)
        stop
        start
        RETVAL=$?
        ;;
  condrestart)
        if [ -f /var/lock/subsys/sendmail ]; then
            stop
            start
            RETVAL=$?
        fi
        ;;
  status)
        status sendmail
        RETVAL=$?
        ;;
  restart-fast)
        stop
        start-fast
        RETVAL=$?
        ;;
  *)
        echo $"Usage: $0 {start|stop|restart|condrestart|status|start-fast|restart-fast}"
        exit 1
esac

exit $RETVAL
From LISTSERV at JISCMAIL.AC.UK Tue Nov 5 13:15:52 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e))
Date: Thu Jan 12 21:16:17 2006
Subject: MAILSCANNER: m-list@PUGMARKS.COM requested to join
Message-ID: <200211051315.NAA21988@magpie.ecs.soton.ac.uk>

Tue, 5 Nov 2002 13:15:52

A request for subscription to the MAILSCANNER list (MailScanner mailing
list) has been received from Arminder Singh .

The following subscription options have been requested: CONCEAL.

You can, at your discretion, send the following command to
LISTSERV@JISCMAIL.AC.UK to add this person to the list:

ADD MAILSCANNER m-list@PUGMARKS.COM Arminder Singh

The simplest way to do this is to click on the following link:

http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+m-list%40PUGMARKS.COM+Arminder+Singh&L=MAILSCANNER

This first link will add the subscriber to the list. You can then set the
subscription options with this link:

http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=SET+MAILSCANNER+CONCEAL+FOR+m-list%40PUGMARKS.COM&L=MAILSCANNER

------------------------- Original mail header --------------------------
[Request submitted through anonymous TCP/IP interface from 127.0.0.1]
From email at ace.net.au Tue Nov 5 14:28:32 2002
From: email at ace.net.au (Peter Nitschke)
Date: Thu Jan 12 21:16:17 2006
Subject: Fwd: Mailscanner on OSDir.com (new O'Reilly site)
In-Reply-To: <5.1.0.14.2.20021104102226.04515ec0@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20021104102226.04515ec0@imap.ecs.soton.ac.uk>
Message-ID: <200211060058320569.413A6B08@smtp1.ace.net.au>

Where are we supposed to add comments?

*********** REPLY SEPARATOR ***********

On 4/11/2002 at 10:25 AM Julian Field wrote:

>O'Reilly have created a new website containing a directory of Open Source
>projects, including MailScanner. If some of you could take 5 minutes adding
>some comments / votes to the site, I would really appreciate it.
>
>The MailScanner project page is at
>http://osdir.com/modules.php?op=modload&name=Downloads&file=index&req=viewdownloaddetails&lid=114&ttitle=MailScanner
>
>--
>Julian Field                Teaching Systems Manager
>jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
>Tel. 023 8059 2817          University of Southampton
>                            Southampton SO17 1BJ
From fred at NEVER-MIND.CH Tue Nov 5 14:20:50 2002
From: fred at NEVER-MIND.CH (Frederic Badel)
Date: Thu Jan 12 21:16:18 2006
Subject: Startup script
In-Reply-To: <48436.213.123.176.242.1036503301.squirrel@www.projectandrew.com>
References: <1158.217.155.81.25.1036435362.squirrel@www.projectandrew.c <5.1.0.14.2.20021104185355.023572b0@imap.ecs.soton.ac.uk> <48436.213.123.176.242.1036503301.squirrel@www.projectandrew.com>
Message-ID: <1036506054.2350.41.camel@bonzai>

hi,

I modified the sendmail init script to use the "queue delivery mode":

daemon /usr/sbin/sendmail -bd -OQueueDirectory=/var/spool/mqueue.in -ODeliveryMode=queueonly

and modified the mailscanner init script and commented out everything
about sendmail ...

i found some very useful explanation on the rackshack forum
(http://forum.rackshack.net), you should give it a look...

if you want, i can send my modified startup scripts ...

hth

fred

PS sorry for my poor english :(

On Tue, 2002-11-05 at 14:35, Andrew G Allen wrote:
> No luck :( I've tried doing this in the MailScanner.conf and in the
> MailScanner startup script. There are no errors produced this time, but no
> bandwidth is recorded.
>
> Is there any way to decompile the shared library (/lib/libensimvwhbw.so)?
> I've attached the whole sendmail init script in case you can see something
> that can be copied/added to the MailScanner script. Is there some way of
> running MailScanner, but call sendmail using its own init script? Just
> looking for ideas...
>
> Andrew G Allen
> email: mail@projectandrew.com | voice: +44 (0) 7958 540596
>
> --- Disclaimer ---
> This e-mail and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they are
> addressed. If you have received this email in error, please notify the
> system manager.
From mailscanner at ecs.soton.ac.uk Tue Nov 5 14:53:06 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:18 2006
Subject: F-secure logging
In-Reply-To: <200211050657.27425.lbergman@wtxs.net>
References:
Message-ID: <5.1.0.14.2.20021105145207.03ff3b50@imap.ecs.soton.ac.uk>

I have just added virus name logging for F-Secure.
Please don't all ask for the others, some of them are almost impossible due
to badly-designed virus scanner output by the manufacturers.

At 12:57 05/11/2002, you wrote:
>On Tuesday 05 November 2002 03:01 am, Carl Boberg wrote:
> > Hi,
> >
> > I'm trying really hard to make my F-secure log to the maillog as other
> > scanners do, like:
> >
> > Nov 4 17:15:31 host-2 MailScanner[1163]: >>> Virus 'W32/Klez-H' found in
> > file ./gA4HFT803745/coords.scr
> >
> > (this is a Sophos log entry)
> >
> > Has anyone any knowledge about how this could be done?
>Well, The code that does the following should be in the next release I would
>guess.
>
>Nov 5 06:52:41 ns2 MailScanner[8374]: Virus and Content Scanning: Starting
>Nov 5 06:52:41 ns2 MailScanner[8374]:
>/var/spool/MailScanner/incoming/8374/gA5Cqch11332/eicar_com.zip->eicar.com
>Infection: EICAR_Test_File
>Nov 5 06:52:41 ns2 MailScanner[8374]: Virus Scanning: F-Prot found virus
>EICAR_Test_File
>Nov 5 06:52:41 ns2 MailScanner[8374]: Virus Scanning: f-prot found 1
>infections
>Nov 5 06:52:41 ns2 MailScanner[8374]: Virus Scanning: Found 1 viruses
>Nov 5 06:52:41 ns2 MailScanner[8374]: Saved infected "eicar_com.zip" to
>/var/spool/MailScanner/quarantine/20021105/gA5Cqch11332
>
>This is with f-prot but my output from the wrapper looks identical to yours so
>I would guess you might get the same output.
>--
>Lewis Bergman
>Texas Communications
>4309 Maple St.
>Abilene, TX 79602-8044
>915-695-6962 ext 115

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ
From mailscanner at ecs.soton.ac.uk Tue Nov 5 14:56:01 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:18 2006
Subject: Fwd: Mailscanner on OSDir.com (new O'Reilly site)
In-Reply-To: <200211060058320569.413A6B08@smtp1.ace.net.au>
References: <5.1.0.14.2.20021104102226.04515ec0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021104102226.04515ec0@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021105145523.03fea8e8@imap.ecs.soton.ac.uk>

At 14:28 05/11/2002, you wrote:
>Where are we supposed to add comments?

On the left-hand side, there is a "Submit" sub-heading. The first entry
under this is "App Review".

But I agree, it's hardly clear is it?

>*********** REPLY SEPARATOR ***********
>
>On 4/11/2002 at 10:25 AM Julian Field wrote:
>
> >O'Reilly have created a new website containing a directory of Open Source
> >projects, including MailScanner. If some of you could take 5 minutes adding
> >some comments / votes to the site, I would really appreciate it.
> >
> >The MailScanner project page is at
> >http://osdir.com/modules.php?op=modload&name=Downloads&file=index&req=viewdownloaddetails&lid=114&ttitle=MailScanner
> >
> >--
> >Julian Field                Teaching Systems Manager
> >jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> >Tel. 023 8059 2817          University of Southampton
> >                            Southampton SO17 1BJ

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ
From tom at TILMANT.COM Tue Nov 5 15:23:46 2002
From: tom at TILMANT.COM (Tom Tilmant)
Date: Thu Jan 12 21:16:18 2006
Subject: Stored Mail
In-Reply-To: <5.1.0.14.2.20021105145523.03fea8e8@imap.ecs.soton.ac.uk>
Message-ID: <001b01c284df$58f77120$6eeb14ac@doublet>

When SPAM messages are stored in human "readable format (gA)", is there an
easy way to send the message on to the person it was intended for without
sending it as an attachment from the mail admin? The users are not local on
the machine. Not being an expert in sendmail, I thought I would ask those
who are :-).

Thanks
Tom
From mail at projectandrew.com Tue Nov 5 15:44:39 2002
From: mail at projectandrew.com (Andrew G Allen)
Date: Thu Jan 12 21:16:18 2006
Subject: Startup script
In-Reply-To: <1036506054.2350.41.camel@bonzai>
References: <5.1.0.14.2.20021104185355.023572b0@imap.ecs.soton.ac.uk> <48436.213.123.176.242.1036503301.squirrel@www.projectandrew.com> <1036506054.2350.41.camel@bonzai>
Message-ID: <51866.213.123.176.242.1036511079.squirrel@www.projectandrew.com>

Does your installation therefore require that the MailScanner & sendmail
init scripts both have to be started? If this is the case, the only
problem is that on reboot, only MailScanner will start, since when it was
installed, sendmail was 'switched off' with chkconfig.

Does bandwidth monitoring work ok? I'd still find it useful to see your
modified init scripts :)

Thanks.

Andrew G Allen
email: mail@projectandrew.com | voice: +44 (0) 7958 540596

--- Disclaimer ---
This e-mail and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error, please notify the
system manager.

> hi,
>
> I modified the sendmail init script to use the "queue delivery mode":
> daemon /usr/sbin/sendmail -bd -OQueueDirectory=/var/spool/mqueue.in
> -ODeliveryMode=queueonly
>
> and modified the mailscanner init script and commented out everything
> about sendmail ...
>
> i found some very useful explanation on the rackshack forum
> (http://forum.rackshack.net), you should give it a look...
>
> if you want, i can send my modified startup scripts ...
>
> hth
>
> fred
>
> PS sorry for my poor english :(
>
> On Tue, 2002-11-05 at 14:35, Andrew G Allen wrote:
>> No luck :( I've tried doing this in the MailScanner.conf and in the
>> MailScanner startup script. There are no errors produced this time,
>> but no bandwidth is recorded.
>>
>> Is there any way to decompile the shared library
>> (/lib/libensimvwhbw.so)?
--
This message has been scanned for viruses and dangerous
content by MailScanner, and is believed to be clean.
From mike at CAMAROSS.NET Tue Nov 5 16:03:20 2002
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:16:18 2006
Subject: Stored Mail
In-Reply-To: <001b01c284df$58f77120$6eeb14ac@doublet>
Message-ID: <006a01c284e4$dceaf1f0$6501a8c0@mikedesk>

formail -Y -s /usr/sbin/sendmail user@new.address < /path/to/filename

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Tom Tilmant
Sent: Tuesday, November 05, 2002 9:24 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Stored Mail

When SPAM messages are stored in human "readable format (gA)", is there an
easy way to send the message on to the person it was intended for without
sending it as an attachment from the mail admin? The users are not local on
the machine. Not being an expert in sendmail, I thought I would ask those
who are :-).

Thanks
Tom
From fred at NEVER-MIND.CH Tue Nov 5 16:31:59 2002
From: fred at NEVER-MIND.CH (Frederic Badel)
Date: Thu Jan 12 21:16:18 2006
Subject: Startup script
In-Reply-To: <51866.213.123.176.242.1036511079.squirrel@www.projectandrew.com>
References: <5.1.0.14.2.20021104185355.023572b0@imap.ecs.soton.ac.uk> <48436.213.123.176.242.1036503301.squirrel@www.projectandrew.com> <1036506054.2350.41.camel@bonzai> <51866.213.123.176.242.1036511079.squirrel@www.projectandrew.com>
Message-ID: <1036513920.2841.70.camel@bonzai>

On Tue, 2002-11-05 at 16:44, Andrew G Allen wrote:
> Does your installation therefore require that the MailScanner & sendmail
> init scripts both have to be started? If this is the case, the only
> problem is that on reboot, only MailScanner will start, since when it was
> installed, sendmail was 'switched off' with chkconfig.

Yes, both need to be run at startup, do a
'chkconfig --level 345 sendmail on'

>
> Does bandwidth monitoring work ok? I'd still find it useful to see your
> modified init scripts :)

The bandwidth monitoring is working fine thks ;)
i've attached the scripts... i've added some comments to let you see where
my modifications are (they are in CAPS)

todo (there's only 24h in a day ;)) :
i haven't added the last modification to the MailScanner init script to
delete the dir under /var/spool/MailScanner/incoming

hope this helps

cheers

fred

>
> Thanks.
>
> Andrew G Allen
> email: mail@projectandrew.com | voice: +44 (0) 7958 540596
>
> --- Disclaimer ---
> This e-mail and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they are
> addressed. If you have received this email in error, please notify the
> system manager.
>
> > hi,
> >
> > I modified the sendmail init script to use the "queue delivery mode":
> > daemon /usr/sbin/sendmail -bd -OQueueDirectory=/var/spool/mqueue.in
> > -ODeliveryMode=queueonly
> >
> > and modified the mailscanner init script and commented out everything
> > about sendmail ...
> > > > i found some very usefull explanation on the rackshack forum > > (http://forum.rackshack.net), you should give look... > > > > i you want, i can send my modified startup scripts ... > > > > hth > > > > fred > > > > PS sorry for my poor english :( > > > > On Tue, 2002-11-05 at 14:35, Andrew G Allen wrote: > >> No luck :( I've tried doing this in the MailScanner.conf and in the > >> MailScanner startup script. There are no errors produced this time, > >> but no bandwidth is recorded. > >> > >> Is there anyway to decompile the shared library > >> (/lib/libensimvwhbw.so)? I've attached the whole sendmail init script > >> incase you can see something that can be copied/added to the > >> MailScanner script. Is there someway of running MailScanner, but call > >> sendmail using it's own init script? Just looking for ideas... > >> > >> Andrew G Allen > >> email: mail@projectandrew.com | voice: +44 (0) 7958 540596 > >> > >> --- Disclaimer --- > >> This e-mail and any files transmitted with it are confidential and > >> intended solely for the use of the individual or entity to whom they > >> are addressed. If you have received this email in error, please notify > >> the system manager. > >> > >> > I'm not at all convinced this will work, but give it a try: > >> > Write a very short script that sets these variables and then calls > >> sendmail, something like this > >> > > >> > #!/bin/sh > >> > export LD_PRELOAD=/lib/libensimvwhbw.so > >> > export ENSIMVWH_BWSVCID=1 > >> > /usr/sbin/sendmail "$@" > >> > > >> > and then call this script in MailScanner instead of directly > >> invoking sendmail. You should just edit the "Sendmail =" setting in > >> > MailScanner.conf to refer to your script instead of sendmail > >> itself. > >> > > >> > See what happens with this setup. 
> >> > > >> > At 18:42 04/11/2002, you wrote: > >> >>I am still trying to get MailScanner fully working with Ensim > >> >> WEBppliance - the only part that is not working is a piece of > >> custom ensim code that is normally called from the sendmail startup > >> script. The two lines are: > >> >> > >> >> export LD_PRELOAD=/lib/libensimvwhbw.so > >> >> export ENSIMVWH_BWSVCID=1 > >> >> > >> >>If I add these to the MailScanner startup script, MailScanner will > >> >> accept mail, but will not deliver it to any chrooted site. I also > >> get file not found errors thrown to the console. It seems to me > >> then, to be something that must be passed from the sendmail config > >> for this module to work, which is not passed by MailScanner - it is > >> supposed to track the size of each mail passed through sendmail, so > >> a monthly 'bandwidth allowance' can be applied to each virtual site > >> within Ensim. I don't really know where to go next, and wondered if > >> anybody who knows sendmail in more detail might have any ideas > >> where to look? > >> >> > >> >>Does MailScanner refer to all the same sendmail config files that > >> >> sendmail would if it was called using its own startup script? > >> >> > >> >>Andrew G Allen > >> >>email: mail@projectandrew.com | voice: +44 (0) 7958 540596 > >> >> > >> >>--- Disclaimer --- > >> >>This e-mail and any files transmitted with it are confidential and > >> >> intended solely for the use of the individual or entity to whom > >> they are addressed. If you have received this email in error, > >> please notify the system manager. > >> >> > >> >> > >> >> > >> >> > >> >> > >> >>-- > >> >>This message has been scanned for viruses and dangerous > >> >>content by MailScanner, and is believed to be clean. > >> > > >> > -- > >> > Julian Field Teaching Systems Manager > >> > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > >> Tel. 
023 8059 2817 University of Southampton
> >> > Southampton SO17 1BJ
> >> >
> >> >
> >> > --
> >> > This message has been scanned for viruses and dangerous
> >> > content by MailScanner, and is believed to be clean.
> >>
> >>
> >>
> >> --
> >> This message has been scanned for viruses and dangerous
> >> content by MailScanner, and is believed to be clean.
> >>
> >> ----
> >>
> >
> >> #!/bin/bash
> >> #
> >> # sendmail      This shell script takes care of starting and stopping
> >> #               sendmail.
> >> #
> >> # chkconfig: 2345 80 30
> >> # description: Sendmail is a Mail Transport Agent, which is the program \
> >> #              that moves mail from one machine to another.
> >> # processname: sendmail
> >> # config: /etc/sendmail.cf
> >> # pidfile: /var/run/sendmail.pid
> >>
> >> # Source function library.
> >> . /etc/init.d/functions
> >>
> >> # Source networking configuration.
> >> . /etc/sysconfig/network
> >>
> >> # Source sendmail configuration.
> >> if [ -f /etc/sysconfig/sendmail ] ; then
> >>     . /etc/sysconfig/sendmail
> >> else
> >>     DAEMON=no
> >>     QUEUE=1h
> >> fi
> >>
> >> # Check that networking is up.
> >> [ "${NETWORKING}" = "no" ] && exit 0
> >>
> >> [ -f /usr/sbin/sendmail ] || exit 0
> >>
> >> RETVAL=0
> >> prog="sendmail"
> >>
> >> start() {
> >>     # Start daemons.
> >>
> >>     echo -n $"Starting $prog: "
> >>     /usr/bin/newaliases > /dev/null 2>&1
> >>     for i in virtusertable access domaintable ; do
> >>         if [ -f /etc/mail/$i ] ; then
> >>             makemap hash /etc/mail/$i < /etc/mail/$i
> >>         fi
> >>     done
> >>     mailertables=
> >>     if [ -f /etc/mail/mailertable.virtual_domains ]; then
> >>         mailertables="/etc/mail/mailertable.virtual_domains"
> >>     fi
> >>     if [ -f /etc/mail/mailertable ]; then
> >>         mailertables="$mailertables /etc/mail/mailertable"
> >>     fi
> >>     if [ -n "$mailertables" ]; then
> >>         cat $mailertables | makemap hash /etc/mail/mailertable.db
> >>     fi
> >>     genericstables=
> >>     if [ -f /etc/mail/genericstable.siteadmins ]; then
> >>         genericstables="/etc/mail/genericstable.siteadmins"
> >>     fi
> >>     if [ -f /etc/mail/genericstable ]; then
> >>         # Add the main genericstable after any site-admin entries.
> >>         genericstables="$genericstables /etc/mail/genericstable"
> >>     fi
> >>     if [ -n "$genericstables" ]; then
> >>         cat $genericstables | makemap hash /etc/mail/genericstable.db
> >>     fi
> >>     export LD_PRELOAD=/lib/libensimvwhbw.so
> >>     export ENSIMVWH_BWSVCID=1
> >>     daemon /usr/sbin/sendmail $([ "$DAEMON" = yes ] && echo -bd) \
> >>         $([ -n "$QUEUE" ] && echo -q$QUEUE)
> >>     RETVAL=$?
> >>     echo
> >>     [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sendmail
> >>     return $RETVAL
> >> }
> >>
> >> start-fast() {
> >>     # Start daemons.
> >>
> >>     echo -n $"Starting $prog: "
> >>     /usr/bin/newaliases > /dev/null 2>&1
> >>     for i in virtusertable access domaintable ; do
> >>         if [ -f /etc/mail/$i ] ; then
> >>             makemap hash /etc/mail/$i < /etc/mail/$i
> >>         fi
> >>     done
> >>     export LD_PRELOAD=/lib/libensimvwhbw.so
> >>     export ENSIMVWH_BWSVCID=1
> >>     daemon /usr/sbin/sendmail $([ "$DAEMON" = yes ] && echo -bd) \
> >>         $([ -n "$QUEUE" ] && echo -q$QUEUE)
> >>     RETVAL=$?
> >>     echo
> >>     [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sendmail
> >>     return $RETVAL
> >> }
> >>
> >> stop() {
> >>     # Stop daemons.
> >>     echo -n $"Shutting down $prog: "
> >>     killproc sendmail
> >>     RETVAL=$?
> >>     echo
> >>     [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sendmail
> >>     return $RETVAL
> >> }
> >>
> >> # See how we were called.
> >> case "$1" in
> >>     start)
> >>         start
> >>         ;;
> >>     start-fast)
> >>         start-fast
> >>         ;;
> >>     stop)
> >>         stop
> >>         ;;
> >>     restart|reload)
> >>         stop
> >>         start
> >>         RETVAL=$?
> >>         ;;
> >>     condrestart)
> >>         if [ -f /var/lock/subsys/sendmail ]; then
> >>             stop
> >>             start
> >>             RETVAL=$?
> >>         fi
> >>         ;;
> >>     status)
> >>         status sendmail
> >>         RETVAL=$?
> >>         ;;
> >>     restart-fast)
> >>         stop
> >>         start-fast
> >>         RETVAL=$?
> >>         ;;
> >>     *)
> >>         echo $"Usage: $0 {start|stop|restart|condrestart|status|start-fast|restart-fast}"
> >>         exit 1
> >> esac
> >>
> >> exit $RETVAL
> >>
> >>
> >
> > --
> > This message has been scanned for viruses and dangerous
> > content by MailScanner, and is believed to be clean.
> >
> >
> --
> This message has been scanned for viruses and dangerous
> content by MailScanner, and is believed to be clean.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sendmail.txt
Type: text/x-sh
Size: 3897 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021105/90ec85de/sendmail.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mailscanner.txt
Type: text/x-sh
Size: 4359 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021105/90ec85de/mailscanner.bin

From mailscanner at ecs.soton.ac.uk Tue Nov 5 16:44:08 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:18 2006
Subject: Stored Mail
In-Reply-To: <001b01c284df$58f77120$6eeb14ac@doublet>
References: <5.1.0.14.2.20021105145523.03fea8e8@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021105164348.0415e978@imap.ecs.soton.ac.uk>

At 15:23 05/11/2002, you wrote:
>When SPAM messages are stored in human "readable format (gA)", is there
>an easy way to send the message onto the person it was attended for
>without sending it as an attachment from the mail admin. The users are
>not local on the machine.
>
>Not being an expert in sendmail, I thought I would ask those who are
>:-).

sendmail -t < /var/spool/MailScanner........
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From raymond at PROLOCATION.NET Tue Nov 5 16:47:46 2002
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:16:18 2006
Subject: SuSE Security Announcement: perl-MailTools (SuSE-SA:2002:041) (fwd)
Message-ID:

Hi!

Perhaps interesting for some of you...

---------- Forwarded message ----------
Date: Tue, 5 Nov 2002 12:14:35 +0100 (MET)
From: Sebastian Krahmer To: bugtraq@securityfocus.com Subject: SuSE Security Announcement: perl-MailTools (SuSE-SA:2002:041) -----BEGIN PGP SIGNED MESSAGE----- ______________________________________________________________________________ SuSE Security Announcement Package: perl-MailTools Announcement-ID: SuSE-SA:2002:041 Date: Tue Nov 5 11:30:00 CET 2002 Affected products: 7.1, 7.2, 7.3, 8.0, 8.1 SuSE eMail Server III, 3.1 Vulnerability Type: remote command execution Severity (1-10): 6 SuSE default package: no Cross References: - Content of this advisory: 1) security vulnerability resolved: Remote command execution via Mail::Mailer package. problem description, discussion, solution and upgrade information 2) pending vulnerabilities, solutions, workarounds: - 3) standard appendix (further information) ______________________________________________________________________________ 1) problem description, brief discussion, solution, upgrade information The SuSE Security Team reviewed critical Perl modules, including the Mail::Mailer package. This package contains a security hole which allows remote attackers to execute arbitrary commands in certain circumstances. This is due to the usage of mailx as default mailer which allows commands to be embedded in the mail body. Vulnerable to this attack are custom auto reply programs or spam filters which use Mail::Mailer directly or indirectly. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update. Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web. 
i386 Intel Platform: SuSE-8.1 ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/perl-MailTools-1.47-29.i586.rpm d41d8cd98f00b204e9800998ecf8427e source rpm: ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/perl-MailTools-1.47-29.src.rpm d41d8cd98f00b204e9800998ecf8427e SuSE-8.0 ftp://ftp.suse.com/pub/suse/i386/update/8.0/perl3/perl-MailTools-1.42-120.i386.rpm d41d8cd98f00b204e9800998ecf8427e source rpm: ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/perl-MailTools-1.42-120.src.rpm d41d8cd98f00b204e9800998ecf8427e SuSE-7.3 ftp://ftp.suse.com/pub/suse/i386/update/7.3/perl2/perl-MailTools-1.1401-187.i386.rpm d41d8cd98f00b204e9800998ecf8427e source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/perl-MailTools-1.1401-187.src.rpm d41d8cd98f00b204e9800998ecf8427e SuSE-7.2 ftp://ftp.suse.com/pub/suse/i386/update/7.2/perl2/perl-MailTools-1.1401-187.i386.rpm d41d8cd98f00b204e9800998ecf8427e source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/perl-MailTools-1.1401-187.src.rpm d41d8cd98f00b204e9800998ecf8427e SuSE-7.1 ftp://ftp.suse.com/pub/suse/i386/update/7.1/perl2/perl-MailTools-1.1401-188.i386.rpm d41d8cd98f00b204e9800998ecf8427e source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/perl-MailTools-1.1401-188.src.rpm d41d8cd98f00b204e9800998ecf8427e Sparc Platform: SuSE-7.3 ftp://ftp.suse.com/pub/suse/sparc/update/7.3/perl2/perl-MailTools-1.1401-65.sparc.rpm d41d8cd98f00b204e9800998ecf8427e source rpm: ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/perl-MailTools-1.1401-65.src.rpm d41d8cd98f00b204e9800998ecf8427e AXP Alpha Platform: SuSE-7.1 ftp://ftp.suse.com/pub/suse/axp/update/7.1/perl2/perl-MailTools-1.1401-69.alpha.rpm d41d8cd98f00b204e9800998ecf8427e source rpm: ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/perl-MailTools-1.1401-69.src.rpm d41d8cd98f00b204e9800998ecf8427e PPC Power PC Platform: SuSE-7.3 ftp://ftp.suse.com/pub/suse/ppc/update/7.3/perl2/perl-MailTools-1.1401-110.ppc.rpm d41d8cd98f00b204e9800998ecf8427e source rpm: 
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/perl-MailTools-1.1401-110.src.rpm d41d8cd98f00b204e9800998ecf8427e SuSE-7.1 ftp://ftp.suse.com/pub/suse/ppc/update/7.1/perl2/perl-MailTools-1.1401-111.ppc.rpm d41d8cd98f00b204e9800998ecf8427e source rpm: ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/perl-MailTools-1.1401-111.src.rpm d41d8cd98f00b204e9800998ecf8427e ______________________________________________________________________________ 2) Pending vulnerabilities in SuSE Distributions and Workarounds: There is no additional information this time. ______________________________________________________________________________ 3) standard appendix: authenticity verification, additional information - Package authenticity verification: SuSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package: 1) md5sums as provided in the (cryptographically signed) announcement. 2) using the internal gpg signatures of the rpm package. 1) execute the command md5sum after you downloaded the file from a SuSE ftp server or its mirrors. Then, compare the resulting md5sum with the one that is listed in the announcement. Since the announcement containing the checksums is cryptographically signed (usually using the key security@suse.de), the checksums show proof of the authenticity of the package. We disrecommend to subscribe to security lists which cause the email message containing the announcement to be modified so that the signature does not match after transport through the mailing list software. Downsides: You must be able to verify the authenticity of the announcement in the first place. 
If RPM packages are being rebuilt and a new version of a package is published on the ftp server, all md5 sums for the files are useless. 2) rpm package signatures provide an easy way to verify the authenticity of an rpm package. Use the command rpm -v --checksig to verify the signature of the package, where is the filename of the rpm package that you have downloaded. Of course, package authenticity verification can only target an un-installed rpm package file. Prerequisites: a) gpg is installed b) The package is signed using a certain key. The public part of this key must be installed by the gpg program in the directory ~/.gnupg/ under the user's home directory who performs the signature verification (usually root). You can import the key that is used by SuSE in rpm packages for SuSE Linux by saving this announcement to a file ("announcement.txt") and running the command (do "su -" to be root): gpg --batch; gpg < announcement.txt | gpg --import SuSE Linux distributions version 7.1 and thereafter install the key "build@suse.de" upon installation or upgrade, provided that the package gpg is installed. The file containing the public key is placed at the top-level directory of the first CD (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de . - SuSE runs two security mailing lists to which any interested party may subscribe: suse-security@suse.com - general/linux/SuSE security discussion. All SuSE security announcements are sent to this list. To subscribe, send an email to . suse-security-announce@suse.com - SuSE's announce-only mailing list. Only SuSE's security announcements are sent to this list. To subscribe, send an email to . For general information or the frequently asked questions (faq) send mail to: or respectively. ===================================================================== SuSE's security contact is or . The public key is listed below. 
===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, it is desired that the clear-text signature shows proof of the authenticity of the text. SuSE Linux AG makes no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key
-- ~ ~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~ krahmer@suse.de - SuSE Security Team ~ From mailscanner at ecs.soton.ac.uk Tue Nov 5 17:01:37 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:18 2006 Subject: SuSE Security Announcement: perl-MailTools (SuSE-SA:2002:041) (fwd) In-Reply-To: Message-ID: <5.1.0.14.2.20021105170041.07447ec0@imap.ecs.soton.ac.uk> MailScanner does not use the Mail::Mailer mechanism to send mail. It always does that by calling sendmail directly. Therefore there is no reason to suspect that MailScanner might be vulnerable to this problem. At 16:47 05/11/2002, you wrote: >Hi! > >Perhaps interesting for some of you... > >---------- Forwarded message ---------- >Date: Tue, 5 Nov 2002 12:14:35 +0100 (MET)
>From: Sebastian Krahmer >To: bugtraq@securityfocus.com >Subject: SuSE Security Announcement: perl-MailTools (SuSE-SA:2002:041) > > >-----BEGIN PGP SIGNED MESSAGE----- > >______________________________________________________________________________ > > SuSE Security Announcement > > Package: perl-MailTools > Announcement-ID: SuSE-SA:2002:041 > Date: Tue Nov 5 11:30:00 CET 2002 > Affected products: 7.1, 7.2, 7.3, 8.0, 8.1 > SuSE eMail Server III, 3.1 > Vulnerability Type: remote command execution > Severity (1-10): 6 > SuSE default package: no > Cross References: - > > Content of this advisory: > 1) security vulnerability resolved: Remote command execution via > Mail::Mailer package. > problem description, discussion, solution and upgrade information > 2) pending vulnerabilities, solutions, workarounds: - > 3) standard appendix (further information) > >______________________________________________________________________________ > >1) problem description, brief discussion, solution, upgrade information > > The SuSE Security Team reviewed critical Perl modules, including the > Mail::Mailer package. This package contains a security hole which allows > remote attackers to execute arbitrary commands in certain circumstances. > This is due to the usage of mailx as default mailer which allows commands > to be embedded in the mail body. > Vulnerable to this attack are custom auto reply programs or spam > filters > which use Mail::Mailer directly or indirectly. > > Please download the update package for your distribution and verify its > integrity by the methods listed in section 3) of this announcement. > Then, install the package using the command "rpm -Fhv file.rpm" to apply > the update. > Our maintenance customers are being notified individually. The packages > are being offered to install from the maintenance web. 
> > > i386 Intel Platform: > > SuSE-8.1 > >ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/perl-MailTools-1.47-29.i586.rpm > d41d8cd98f00b204e9800998ecf8427e > source rpm: > >ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/perl-MailTools-1.47-29.src.rpm > d41d8cd98f00b204e9800998ecf8427e > > SuSE-8.0 > >ftp://ftp.suse.com/pub/suse/i386/update/8.0/perl3/perl-MailTools-1.42-120.i386.rpm > d41d8cd98f00b204e9800998ecf8427e > source rpm: > >ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/perl-MailTools-1.42-120.src.rpm > d41d8cd98f00b204e9800998ecf8427e > > SuSE-7.3 > >ftp://ftp.suse.com/pub/suse/i386/update/7.3/perl2/perl-MailTools-1.1401-187.i386.rpm > d41d8cd98f00b204e9800998ecf8427e > source rpm: > >ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/perl-MailTools-1.1401-187.src.rpm > d41d8cd98f00b204e9800998ecf8427e > > SuSE-7.2 > >ftp://ftp.suse.com/pub/suse/i386/update/7.2/perl2/perl-MailTools-1.1401-187.i386.rpm > d41d8cd98f00b204e9800998ecf8427e > source rpm: > >ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/perl-MailTools-1.1401-187.src.rpm > d41d8cd98f00b204e9800998ecf8427e > > SuSE-7.1 > >ftp://ftp.suse.com/pub/suse/i386/update/7.1/perl2/perl-MailTools-1.1401-188.i386.rpm > d41d8cd98f00b204e9800998ecf8427e > source rpm: > >ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/perl-MailTools-1.1401-188.src.rpm > d41d8cd98f00b204e9800998ecf8427e > > > Sparc Platform: > > SuSE-7.3 > >ftp://ftp.suse.com/pub/suse/sparc/update/7.3/perl2/perl-MailTools-1.1401-65.sparc.rpm > d41d8cd98f00b204e9800998ecf8427e > source rpm: > >ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/perl-MailTools-1.1401-65.src.rpm > d41d8cd98f00b204e9800998ecf8427e > > > AXP Alpha Platform: > > SuSE-7.1 > >ftp://ftp.suse.com/pub/suse/axp/update/7.1/perl2/perl-MailTools-1.1401-69.alpha.rpm > d41d8cd98f00b204e9800998ecf8427e > source rpm: > >ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/perl-MailTools-1.1401-69.src.rpm > d41d8cd98f00b204e9800998ecf8427e > > > PPC Power PC Platform: > > 
SuSE-7.3 > >ftp://ftp.suse.com/pub/suse/ppc/update/7.3/perl2/perl-MailTools-1.1401-110.ppc.rpm > d41d8cd98f00b204e9800998ecf8427e > source rpm: > >ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/perl-MailTools-1.1401-110.src.rpm > d41d8cd98f00b204e9800998ecf8427e > > SuSE-7.1 > >ftp://ftp.suse.com/pub/suse/ppc/update/7.1/perl2/perl-MailTools-1.1401-111.ppc.rpm > d41d8cd98f00b204e9800998ecf8427e > source rpm: > >ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/perl-MailTools-1.1401-111.src.rpm > d41d8cd98f00b204e9800998ecf8427e > >______________________________________________________________________________ > >2) Pending vulnerabilities in SuSE Distributions and Workarounds: > > There is no additional information this time. > >______________________________________________________________________________ > >3) standard appendix: authenticity verification, additional information > > - Package authenticity verification: > > SuSE update packages are available on many mirror ftp servers all over > the world. While this service is being considered valuable and important > to the free and open source software community, many users wish to be > sure about the origin of the package and its content before installing > the package. There are two verification methods that can be used > independently from each other to prove the authenticity of a downloaded > file or rpm package: > 1) md5sums as provided in the (cryptographically signed) announcement. > 2) using the internal gpg signatures of the rpm package. > > 1) execute the command > md5sum > after you downloaded the file from a SuSE ftp server or its mirrors. > Then, compare the resulting md5sum with the one that is listed in the > announcement. Since the announcement containing the checksums is > cryptographically signed (usually using the key security@suse.de), > the checksums show proof of the authenticity of the package. 
> We disrecommend to subscribe to security lists which cause the > email message containing the announcement to be modified so that > the signature does not match after transport through the mailing > list software. > Downsides: You must be able to verify the authenticity of the > announcement in the first place. If RPM packages are being rebuilt > and a new version of a package is published on the ftp server, all > md5 sums for the files are useless. > > 2) rpm package signatures provide an easy way to verify the authenticity > of an rpm package. Use the command > rpm -v --checksig > to verify the signature of the package, where is the > filename of the rpm package that you have downloaded. Of course, > package authenticity verification can only target an un-installed rpm > package file. > Prerequisites: > a) gpg is installed > b) The package is signed using a certain key. The public part of this > key must be installed by the gpg program in the directory > ~/.gnupg/ under the user's home directory who performs the > signature verification (usually root). You can import the key > that is used by SuSE in rpm packages for SuSE Linux by saving > this announcement to a file ("announcement.txt") and > running the command (do "su -" to be root): > gpg --batch; gpg < announcement.txt | gpg --import > SuSE Linux distributions version 7.1 and thereafter install the > key "build@suse.de" upon installation or upgrade, provided that > the package gpg is installed. The file containing the public key > is placed at the top-level directory of the first CD (pubring.gpg) > and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de . > > > - SuSE runs two security mailing lists to which any interested party may > subscribe: > > suse-security@suse.com > - general/linux/SuSE security discussion. > All SuSE security announcements are sent to this list. > To subscribe, send an email to > . > > suse-security-announce@suse.com > - SuSE's announce-only mailing list. 
> Only SuSE's security announcements are sent to this list. > To subscribe, send an email to > . > > For general information or the frequently asked questions (faq) > send mail to: > or > respectively. > > ===================================================================== > SuSE's security contact is or . > The public key is listed below. > ===================================================================== >______________________________________________________________________________ > > The information in this advisory may be distributed or reproduced, > provided that the advisory is not modified in any way. In particular, > it is desired that the clear-text signature shows proof of the > authenticity of the text. > SuSE Linux AG makes no warranties of any kind whatsoever with respect > to the information contained in this security advisory. > >Type Bits/KeyID Date User ID >pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team >pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key >
>-- >~ >~ perl self.pl >~ $_='print"\$_=\47$_\47;eval"';eval >~ krahmer@suse.de - SuSE Security Team >~ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Nov 5 17:02:33 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:18 2006
Subject: Startup script
In-Reply-To: <51866.213.123.176.242.1036511079.squirrel@www.projectandrew.com>
References: <1036506054.2350.41.camel@bonzai> <5.1.0.14.2.20021104185355.023572b0@imap.ecs.soton.ac.uk> <48436.213.123.176.242.1036503301.squirrel@www.projectandrew.com> <1036506054.2350.41.camel@bonzai>
Message-ID: <5.1.0.14.2.20021105170153.073edb10@imap.ecs.soton.ac.uk>

At 15:44 05/11/2002, you wrote:
>Does your installation therefore require that the MailScanner & sendmail
>init scripts both have to be started?

No. The 2 sendmail processes required by MailScanner are both started by
the MailScanner startup script.

> If this is the case, the only
>problem is that on reboot, only MailScanner will start, since when it was
>installed, sendmail was 'switched off' with chkconfig.

That's correct.

> > hi,
> >
> > I modified the sendmail init script to use the "queue delivery mode" :
> > daemon /usr/sbin/sendmail -bd -OQueueDirectory=/var/spool/mqueue.in -ODeliveryMode=queueonly
> >
> > and modified the mailscanner init script and commented out every thing
> > about sendmail ...
> >
> > i found some very useful explanation on the rackshack forum
> > (http://forum.rackshack.net), you should give look...
> >
> > if you want, i can send my modified startup scripts ...
> >
> > hth
> >
> > fred
> >
> > PS sorry for my poor english :(
> >
> > On Tue, 2002-11-05 at 14:35, Andrew G Allen wrote:
> >> No luck :( I've tried doing this in the MailScanner.conf and in the
> >> MailScanner startup script. There are no errors produced this time,
> >> but no bandwidth is recorded.
> >>
> >> Is there any way to decompile the shared library
> >> (/lib/libensimvwhbw.so)? I've attached the whole sendmail init script
> >> in case you can see something that can be copied/added to the
> >> MailScanner script. Is there some way of running MailScanner, but call
> >> sendmail using its own init script? Just looking for ideas...
> >>
> >> Andrew G Allen
> >> email: mail@projectandrew.com | voice: +44 (0) 7958 540596
> >>
> >> --- Disclaimer ---
> >> This e-mail and any files transmitted with it are confidential and
> >> intended solely for the use of the individual or entity to whom they
> >> are addressed. If you have received this email in error, please notify
> >> the system manager.
> >>
> >> > I'm not at all convinced this will work, but give it a try:
> >> > Write a very short script that sets these variables and then calls
> >> sendmail, something like this
> >> >
> >> > #!/bin/sh
> >> > export LD_PRELOAD=/lib/libensimvwhbw.so
> >> > export ENSIMVWH_BWSVCID=1
> >> > /usr/sbin/sendmail "$@"
> >> >
> >> > and then call this script in MailScanner instead of directly
> >> invoking sendmail. You should just edit the "Sendmail =" setting in
> >> > MailScanner.conf to refer to your script instead of sendmail
> >> itself.
> >> >
> >> > See what happens with this setup.
> >> >
> >> > At 18:42 04/11/2002, you wrote:
> >> >>I am still trying to get MailScanner fully working with Ensim
> >> >> WEBppliance - the only part that is not working is a piece of
> >> custom ensim code that is normally called from the sendmail startup
> >> script. The two lines are:
> >> >>
> >> >> export LD_PRELOAD=/lib/libensimvwhbw.so
> >> >> export ENSIMVWH_BWSVCID=1
> >> >>
> >> >>If I add these to the MailScanner startup script, MailScanner will
> >> >> accept mail, but will not deliver it to any chrooted site. I also
> >> get file not found errors thrown to the console. It seems to me
> >> then, to be something that must be passed from the sendmail config
> >> for this module to work, which is not passed by MailScanner - it is
> >> supposed to track the size of each mail passed through sendmail, so
> >> a monthly 'bandwidth allowance' can be applied to each virtual site
> >> within Ensim. I don't really know where to go next, and wondered if
> >> anybody who knows sendmail in more detail might have any ideas
> >> where to look?
> >> >>
> >> >>Does MailScanner refer to all the same sendmail config files that
> >> >> sendmail would if it was called using its own startup script?
> >> >>
> >> >>Andrew G Allen
> >> >>email: mail@projectandrew.com | voice: +44 (0) 7958 540596
> >> >>
> >> >>--- Disclaimer ---
> >> >>This e-mail and any files transmitted with it are confidential and
> >> >> intended solely for the use of the individual or entity to whom
> >> they are addressed. If you have received this email in error,
> >> please notify the system manager.
> >> >>
> >> >>--
> >> >>This message has been scanned for viruses and dangerous
> >> >>content by MailScanner, and is believed to be clean.
> >> >
> >> > --
> >> > Julian Field                Teaching Systems Manager
> >> > jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> >> Tel. 023 8059 2817          University of Southampton
> >> >                             Southampton SO17 1BJ
> >> >
> >> > --
> >> > This message has been scanned for viruses and dangerous
> >> > content by MailScanner, and is believed to be clean.
> >>
> >> --
> >> This message has been scanned for viruses and dangerous
> >> content by MailScanner, and is believed to be clean.
> >>
> >> ----
> >>
> >> #!/bin/bash
> >> #
> >> # sendmail      This shell script takes care of starting and stopping
> >> #               sendmail.
> >> #
> >> # chkconfig: 2345 80 30
> >> # description: Sendmail is a Mail Transport Agent, which is the program \
> >> #              that moves mail from one machine to another.
> >> # processname: sendmail
> >> # config: /etc/sendmail.cf
> >> # pidfile: /var/run/sendmail.pid
> >>
> >> # Source function library.
> >> . /etc/init.d/functions
> >>
> >> # Source networking configuration.
> >> . /etc/sysconfig/network
> >>
> >> # Source sendmail configuration.
> >> if [ -f /etc/sysconfig/sendmail ] ; then
> >>     . /etc/sysconfig/sendmail
> >> else
> >>     DAEMON=no
> >>     QUEUE=1h
> >> fi
> >>
> >> # Check that networking is up.
> >> [ ${NETWORKING} = "no" ] && exit 0
> >>
> >> [ -f /usr/sbin/sendmail ] || exit 0
> >>
> >> RETVAL=0
> >> prog="sendmail"
> >>
> >> start() {
> >>     # Start daemons.
> >>
> >>     echo -n $"Starting $prog: "
> >>     /usr/bin/newaliases > /dev/null 2>&1
> >>     for i in virtusertable access domaintable ; do
> >>         if [ -f /etc/mail/$i ] ; then
> >>             makemap hash /etc/mail/$i < /etc/mail/$i
> >>         fi
> >>     done
> >>     mailertables=
> >>     if [ -f /etc/mail/mailertable.virtual_domains ]; then
> >>         mailertables="/etc/mail/mailertable.virtual_domains"
> >>     fi
> >>     if [ -f /etc/mail/mailertable ]; then
> >>         mailertables="$mailertables /etc/mail/mailertable"
> >>     fi
> >>     if [ -n "$mailertables" ]; then
> >>         cat $mailertables | makemap hash /etc/mail/mailertable.db
> >>     fi
> >>     genericstables=
> >>     if [ -f /etc/mail/genericstable.siteadmins ]; then
> >>         genericstables="/etc/mail/genericstable.siteadmins"
> >>     fi
> >>     if [ -f /etc/mail/genericstable ]; then
> >>         genericstables="$genericstables /etc/mail/genericstable"
> >>     fi
> >>     if [ -n "$genericstables" ]; then
> >>         cat $genericstables | makemap hash /etc/mail/genericstable.db
> >>     fi
> >>     export LD_PRELOAD=/lib/libensimvwhbw.so
> >>     export ENSIMVWH_BWSVCID=1
> >>     daemon /usr/sbin/sendmail $([ "$DAEMON" = yes ] && echo -bd) \
> >>                               $([ -n "$QUEUE" ] && echo -q$QUEUE)
> >>     RETVAL=$?
> >>     echo
> >>     [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sendmail
> >>     return $RETVAL
> >> }
> >>
> >> start-fast() {
> >>     # Start daemons.
> >>
> >>     echo -n $"Starting $prog: "
> >>     /usr/bin/newaliases > /dev/null 2>&1
> >>     for i in virtusertable access domaintable ; do
> >>         if [ -f /etc/mail/$i ] ; then
> >>             makemap hash /etc/mail/$i < /etc/mail/$i
> >>         fi
> >>     done
> >>     export LD_PRELOAD=/lib/libensimvwhbw.so
> >>     export ENSIMVWH_BWSVCID=1
> >>     daemon /usr/sbin/sendmail $([ "$DAEMON" = yes ] && echo -bd) \
> >>                               $([ -n "$QUEUE" ] && echo -q$QUEUE)
> >>     RETVAL=$?
> >>     echo
> >>     [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sendmail
> >>     return $RETVAL
> >> }
> >>
> >> stop() {
> >>     # Stop daemons.
> >>     echo -n $"Shutting down $prog: "
> >>     killproc sendmail
> >>     RETVAL=$?
> >>     echo
> >>     [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sendmail
> >>     return $RETVAL
> >> }
> >>
> >> # See how we were called.
> >> case "$1" in
> >>   start)
> >>     start
> >>     ;;
> >>   start-fast)
> >>     start-fast
> >>     ;;
> >>   stop)
> >>     stop
> >>     ;;
> >>   restart|reload)
> >>     stop
> >>     start
> >>     RETVAL=$?
> >>     ;;
> >>   condrestart)
> >>     if [ -f /var/lock/subsys/sendmail ]; then
> >>         stop
> >>         start
> >>         RETVAL=$?
> >>     fi
> >>     ;;
> >>   status)
> >>     status sendmail
> >>     RETVAL=$?
> >>     ;;
> >>   restart-fast)
> >>     stop
> >>     start-fast
> >>     RETVAL=$?
> >>     ;;
> >>   *)
> >>     echo $"Usage: $0 {start|stop|restart|condrestart|status|start-fast|restart-fast}"
> >>     exit 1
> >> esac
> >>
> >> exit $RETVAL
> >>
> >
> > --
> > This message has been scanned for viruses and dangerous
> > content by MailScanner, and is believed to be clean.
> >
>
>--
>This message has been scanned for viruses and dangerous
>content by MailScanner, and is believed to be clean.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Tue Nov 5 17:03:50 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:18 2006
Subject: Startup script
In-Reply-To: <1036513920.2841.70.camel@bonzai>
References: <51866.213.123.176.242.1036511079.squirrel@www.projectandrew.com> <5.1.0.14.2.20021104185355.023572b0@imap.ecs.soton.ac.uk> <48436.213.123.176.242.1036503301.squirrel@www.projectandrew.com> <1036506054.2350.41.camel@bonzai> <51866.213.123.176.242.1036511079.squirrel@www.projectandrew.com>
Message-ID: <5.1.0.14.2.20021105170250.0746cd80@imap.ecs.soton.ac.uk>

At 16:31 05/11/2002, you wrote:
>On Tue, 2002-11-05 at 16:44, Andrew G Allen wrote:
> > Does your installation therefore require that the MailScanner & sendmail
> > init scripts both have to be started? If this is the case, the only
> > problem is that on reboot, only MailScanner will start, since when it was
> > installed, sendmail was 'switched off' with chkconfig.
>
>Yes, both need to be run at startup,
>do a 'chkconfig --level 345 sendmail on'

NO THEY DON'T (it's my list, and I'll shout if I want to :-)
Please see my posting of a minute ago.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mail at projectandrew.com Tue Nov 5 17:22:39 2002
From: mail at projectandrew.com (Andrew G Allen)
Date: Thu Jan 12 21:16:18 2006
Subject: Startup script
In-Reply-To: <5.1.0.14.2.20021105170153.073edb10@imap.ecs.soton.ac.uk>
References: <1036506054.2350.41.camel@bonzai> <5.1.0.14.2.20021104185355.023572b0@imap.ecs.soton.ac.uk> <48436.213.123.176.242.1036503301.squirrel@www.projectandrew.com> <1036506054.2350.41.camel@bonzai> <5.1.0.14.2.20021105170153.073edb10@imap.ecs.soton.ac.uk>
Message-ID: <55720.213.120.149.3.1036516959.squirrel@www.projectandrew.com>

Sorry, I was referring to Frederic Badel's modified scripts for Ensim,
rather than the default MailScanner init script. :)

Andrew G Allen
email: mail@projectandrew.com | voice: +44 (0) 7958 540596

--- Disclaimer ---
This e-mail and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error, please notify the
system manager.

> At 15:44 05/11/2002, you wrote:
>>Does your installation therefore require that the MailScanner &
>> sendmail init scripts both have to be started?
>
> No. The 2 sendmail processes required by MailScanner are both started by
> the MailScanner startup script.
>
>> If this is the case, the only
>>problem is that on reboot, only MailScanner will start, since when it
>> was installed, sendmail was 'switched off' with chkconfig.
>
> That's correct.

--
This message has been scanned for viruses and dangerous
content by MailScanner, and is believed to be clean.

From fred at NEVER-MIND.CH Tue Nov 5 17:33:01 2002
From: fred at NEVER-MIND.CH (Frederic Badel)
Date: Thu Jan 12 21:16:18 2006
Subject: Startup script
In-Reply-To: <5.1.0.14.2.20021105170250.0746cd80@imap.ecs.soton.ac.uk>
References: <51866.213.123.176.242.1036511079.squirrel@www.projectandrew.com> <5.1.0.14.2.20021104185355.023572b0@imap.ecs.soton.ac.uk> <48436.213.123.176.242.1036503301.squirrel@www.projectandrew.com> <1036506054.2350.41.camel@bonzai> <51866.213.123.176.242.1036511079.squirrel@www.projectandrew.com> <5.1.0.14.2.20021105170250.0746cd80@imap.ecs.soton.ac.uk>
Message-ID: <1036517582.2350.90.camel@bonzai>

On Tue, 2002-11-05 at 18:03, Julian Field wrote:
> At 16:31 05/11/2002, you wrote:
> >On Tue, 2002-11-05 at 16:44, Andrew G Allen wrote:
> > > Does your installation therefore require that the MailScanner & sendmail
> > > init scripts both have to be started? If this is the case, the only
> > > problem is that on reboot, only MailScanner will start, since when it was
> > > installed, sendmail was 'switched off' with chkconfig.
> >
> >Yes, both need to be run at startup,
> >do a 'chkconfig --level 345 sendmail on'
>
> NO THEY DON'T (it's my list, and I'll shout if I want to :-)
> Please see my posting of a minute ago.
>

please !! don't shout :(
i didn't mean to drive you mad ! ;)

i was just reporting a workaround i found on rackshack.net ... which
works fine on my rh/ensim server ...

if someone can find another way of making every thing work together
(without breaking all that ensim stuff !), i'd be very happy :) and would
use it immediately ...

sorry for the mess on your list ;)) and thanks a lot for your job with MS !

fred

From LISTSERV at JISCMAIL.AC.UK Tue Nov 5 18:42:51 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e))
Date: Thu Jan 12 21:16:18 2006
Subject: MAILSCANNER: ycayer@3WEBMEDIA.COM requested to join
Message-ID: <200211051842.SAA11233@magpie.ecs.soton.ac.uk>

Tue, 5 Nov 2002 18:42:51

A request for subscription to the MAILSCANNER list (MailScanner mailing
list) has been received from Yannick Cayer .

You can, at your discretion, send the following command to
LISTSERV@JISCMAIL.AC.UK to add this person to the list:

    ADD MAILSCANNER ycayer@3WEBMEDIA.COM Yannick Cayer

The simplest way to do this is to click on the following link:

http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+ycayer%403WEBMEDIA.COM+Yannick+Cayer&L=MAILSCANNER

------------------------- Original mail header --------------------------
[Request submitted through anonymous TCP/IP interface from 127.0.0.1]

From ycayer at 3WEBMEDIA.COM Tue Nov 5 19:00:51 2002
From: ycayer at 3WEBMEDIA.COM (Yannick Cayer)
Date: Thu Jan 12 21:16:18 2006
Subject: MailScanner v 4.05-3 with Mcafee uvscan
Message-ID: <200211051900.gA5J0nX10361@ori.rl.ac.uk>

Greetings,

I have been trying to setup MailScanner with Mcafee, but whenever I test
it, mcafee lets viruses through, only warning me about them in the log
file.

It does not send me (the admin) a notice.
It sends the email with the infected attachment(s) to the recipient,
which is not the way I configured MailScanner.

If I use Sophos instead of mcafee, it behaves properly: it notifies me
(the admin) of a virus and does NOT send the message to the recipient.
Like I want it.

Am I missing something here, or are there any special parameters I must
pass on in the mcafee-wrapper file? I know I did not change anything
special in the sophos-wrapper file and it behaves properly. (weird)

Any help would be greatly appreciated.

Thank you in advance.

From gavin at NETERGY.COM Tue Nov 5 19:52:46 2002
From: gavin at NETERGY.COM (Gavin Nelmes-Crocker) Date: Thu Jan 12 21:16:18 2006 Subject: Kaspersky Message-ID:

Hi

Has anyone got kaspersky to work with mailscanner? anything special to do - I have got it installed and running on a file by file basis but don't seem to get any response with mailscanner.

thanks
Gavin

From mailscanner at ecs.soton.ac.uk Tue Nov 5 20:17:02 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:18 2006 Subject: Kaspersky In-Reply-To: Message-ID: <5.1.0.14.2.20021105201516.0236b7f8@imap.ecs.soton.ac.uk>

At 19:52 05/11/2002, you wrote:
>Has anyone got kaspersky to work with mailscanner?
>anything special to do - I have got it installed and running on a file by
>file basis but don't seem to get any response with mailscanner.

What happens when you run
    cd /tmp
    /usr/lib/kaspersky-wrapper .
with a couple of viruses in /tmp?
You may need to alter the path to kaspersky in the wrapper script, depending on where you have installed it.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From gavin at NETERGY.COM Tue Nov 5 20:46:19 2002
From: gavin at NETERGY.COM (Gavin Nelmes-Crocker) Date: Thu Jan 12 21:16:18 2006 Subject: Kaspersky In-Reply-To: <5.1.0.14.2.20021105201516.0236b7f8@imap.ecs.soton.ac.uk> Message-ID:

I get an error

Nothing to scan.
You should select at least one directory to scan.

and the command I put in was /usr/lib/MailScanner/kaspersky-wrapper . with the . at the end

Gavin

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: 05 November 2002 20:17 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Kaspersky At 19:52 05/11/2002, you wrote: >Has anyone got kaspersky to work with mailscanner? >anything special to do - I have got it installed and running on a file by >file basis but don't seems to get any response with mailscanner. What happens when you run cd /tmp /usr/lib/kaspersky-wrapper . with a couple of viruses in /tmp? You may need to alter the path to kaspersky in the wrapper script, depending on where you have installed it. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Nov 5 21:37:39 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:18 2006 Subject: Kaspersky In-Reply-To: References: <5.1.0.14.2.20021105201516.0236b7f8@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20021105213713.0251f638@imap.ecs.soton.ac.uk> Anyone any experience with Kaspersky that might be able to help? I haven't got a copy of it to test with :( At 20:46 05/11/2002, you wrote: >I get an error > >Nothing to scan. >You should select at least one directory to scan. > >and the command I put in was /usr/lib/MailScanner/kaspersky-wrapper . with >the . at the end > >Gavin > >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Julian Field >Sent: 05 November 2002 20:17 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Kaspersky > > >At 19:52 05/11/2002, you wrote: > >Has anyone got kaspersky to work with mailscanner? > >anything special to do - I have got it installed and running on a file by > >file basis but don't seems to get any response with mailscanner. > >What happens when you run > cd /tmp > /usr/lib/kaspersky-wrapper . >with a couple of viruses in /tmp? >You may need to alter the path to kaspersky in the wrapper script, >depending on where you have installed it. >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From gavin at netergy.com Tue Nov 5 22:29:42 2002 From: gavin at netergy.com (Gavin Nelmes-Crocker) Date: Thu Jan 12 21:16:18 2006 Subject: Kaspersky In-Reply-To: <5.1.0.14.2.20021105213713.0251f638@imap.ecs.soton.ac.uk> Message-ID: its on its way to you - 30 day demo :-) so all legal and legit -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: 05 November 2002 21:38 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Kaspersky Anyone any experience with Kaspersky that might be able to help? I haven't got a copy of it to test with :( At 20:46 05/11/2002, you wrote: >I get an error > >Nothing to scan. >You should select at least one directory to scan. > >and the command I put in was /usr/lib/MailScanner/kaspersky-wrapper . with >the . at the end > >Gavin > >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Julian Field >Sent: 05 November 2002 20:17 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Kaspersky > > >At 19:52 05/11/2002, you wrote: > >Has anyone got kaspersky to work with mailscanner? > >anything special to do - I have got it installed and running on a file by > >file basis but don't seems to get any response with mailscanner. > >What happens when you run > cd /tmp > /usr/lib/kaspersky-wrapper . >with a couple of viruses in /tmp? >You may need to alter the path to kaspersky in the wrapper script, >depending on where you have installed it. >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From scouty at BROMBERG.DEMON.NL Tue Nov 5 22:31:46 2002 
From: scouty at BROMBERG.DEMON.NL (Matthijs Althoff) Date: Thu Jan 12 21:16:18 2006 Subject: Redhat 8.0 / command: service MailScanner status Message-ID: <200211052231.gA5MVlX32628@ori.rl.ac.uk> Got my new server hardware and have started to build the new server soon to get rid of the old 6.2 box with the fab. 3.x Mail-Scanner... :-) OS : RedHat 8.0 Sendmail : 8.12.5-7 Mail-Scanner : 4.05-3 Everything installed and compiled just fine and messages send from another computer to a user on the new system gets signed ok in the header (found to be clean), A eicar test file was stopped, send to /var/spool/MailScanner/quarantine and a virus warning is send to the user and a copy to me at my postmaster address so far so good... but.... When I issue the command "service MailScanner status" I'm receiving a error on the outgoing sendmail. Checking MailScanner daemons: MailScanner: [ OK ] incoming sendmail: [ OK ] outgoing sendmail: [FAILED] And a snip from /var/log/messages Nov 5 23:28:35 bromberg2 MailScanner: succeeded Nov 5 23:28:35 bromberg2 MailScanner: succeeded Nov 5 23:28:35 bromberg2 MailScanner: failed Since this server is not yet in production I can not send a message from a outlook client over the new MailScanner to the outside but when I issue a command "sendmail email@adres.com" fill in some blabla and hit "." it sends out fine to anyone anywhere... From didier.belhomme at FUNDP.AC.BE Wed Nov 6 08:34:48 2002 
From: didier.belhomme at FUNDP.AC.BE (Didier Belhomme) Date: Thu Jan 12 21:16:18 2006 Subject: Redhat 8.0 / command: service MailScanner status In-Reply-To: <200211052231.gA5MVlX32628@ori.rl.ac.uk> Message-ID: <5.1.0.14.0.20021106093247.01ffcef8@pop.fundp.ac.be> At 22:31 5/11/2002 +0000, you wrote: >Everything installed and compiled just fine and messages >send from another computer to a user on the new system gets >signed ok in the header (found to be clean), A eicar test >file was stopped, send to /var/spool/MailScanner/quarantine >and a virus warning is send to the user and a copy to me at >my postmaster address so far so good... but.... > >When I issue the command "service MailScanner status" I'm >receiving a error on the outgoing sendmail. > >Checking MailScanner daemons: > MailScanner: [ OK ] > incoming sendmail: [ OK ] > outgoing sendmail: [FAILED] > >And a snip from /var/log/messages > >Nov 5 23:28:35 bromberg2 MailScanner: succeeded >Nov 5 23:28:35 bromberg2 MailScanner: succeeded >Nov 5 23:28:35 bromberg2 MailScanner: failed

Check that another sendmail process is not already running. When the "normal" sendmail service is running, Mailscanner is unable to start the outgoing sendmail process.

# service sendmail stop
# service MailScanner stop
# service MailScanner start

should work.

Didier Belhomme FUNDP - Service informatique universitaire - UNIX Systems Support Rue Grandgagnage, 21 B-5000 Namur Tel : +32 81 725025 Fax: +32 81 725023 E-mail : didier.belhomme@fundp.ac.be

From florusb at ASCIO.COM Wed Nov 6 08:50:42 2002
From: florusb at ASCIO.COM (Florus Both) Date: Thu Jan 12 21:16:18 2006 Subject: Redhat 8.0 / command: service MailScanner status Message-ID: <2F15A97500CFA0469C9BACC2041F8AC7032E7E00@aries.dk.speednames.com>

Hi,

do a

chkconfig sendmail off

And try again, I guess sendmail was already running before you started mailscanner (this happens automagically after an install)

Florus Both

-----Original Message-----
From: Matthijs Althoff [mailto:scouty@BROMBERG.DEMON.NL] Sent: 5. november 2002 23:32 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Redhat 8.0 / command: service MailScanner status Got my new server hardware and have started to build the new server soon to get rid of the old 6.2 box with the fab. 3.x Mail-Scanner... :-) OS : RedHat 8.0 Sendmail : 8.12.5-7 Mail-Scanner : 4.05-3 Everything installed and compiled just fine and messages send from another computer to a user on the new system gets signed ok in the header (found to be clean), A eicar test file was stopped, send to /var/spool/MailScanner/quarantine and a virus warning is send to the user and a copy to me at my postmaster address so far so good... but.... When I issue the command "service MailScanner status" I'm receiving a error on the outgoing sendmail. Checking MailScanner daemons: MailScanner: [ OK ] incoming sendmail: [ OK ] outgoing sendmail: [FAILED] And a snip from /var/log/messages Nov 5 23:28:35 bromberg2 MailScanner: succeeded Nov 5 23:28:35 bromberg2 MailScanner: succeeded Nov 5 23:28:35 bromberg2 MailScanner: failed Since this server is not yet in production I can not send a message from a outlook client over the new MailScanner to the outside but when I issue a command "sendmail email@adres.com" fill in some blabla and hit "." it sends out fine to anyone anywhere... From gavin at NETERGY.COM Wed Nov 6 09:34:13 2002 
From: gavin at NETERGY.COM (Gavin Nelmes-Crocker) Date: Thu Jan 12 21:16:18 2006 Subject: Clam AV - Beware Message-ID: I know it's currently unsupported in code status by mailscanner and this doesn't technically alter that, but beware if you are planning to use it on a production box with no other scanners. My findings so far with regard to virus detecting are poor: we have pushed several real virii through it and it hasn't detected them when f-prot, sophos and kaspersky all have, and I'm not talking new ones here; one of the ones we are playing with is Melissa, which is 2 years old. We have up to date virus definitions for Clamav and it is working as it detects its own test file but not some of the others that I would expect it to. Regards Gavin From t.d.lee at DURHAM.AC.UK Wed Nov 6 09:52:17 2002
From: t.d.lee at DURHAM.AC.UK (David Lee) Date: Thu Jan 12 21:16:18 2006 Subject: iframe dilemma: a compromise? In-Reply-To: <5.1.0.14.2.20021104182526.023b4238@imap.ecs.soton.ac.uk> Message-ID: On Mon, 4 Nov 2002, Julian Field wrote: > At 18:06 04/11/2002, you wrote: > >[...] > >It seems the choice is currently a stark one: either permit iframe (and > >risk its possible dangers) or forbid iframe (and risk the dangers of > >unhappy users with big sticks). > > > >Might there be the possibility of a compromise? An option something like > >"convert iframe to text"? (Or was this discussed and deemed unworkable?) > > In version 4, you can allow IFrame tags from any given "trusted" address, > which solves the problem. Thanks. But that doesn't really solve the problem, does it? It merely replaces it with another: a never-ending problem of maintaining a list of such trusted addresses submitted by our 15K-20K users. Even if that were feasible (doubtful!), how would we (the service provider in the university) judge what really is to be "trusted"? Further, one of the purposes of MailScanner is to help to protect the site, not just the individual PC. If a trusted address turns out itself to be troublesome, then doesn't that open the floodgates? (Analogy: suppose one had the facility "trust Bugbear from this address"?) (Perhaps I've misunderstood something?) What I am suggesting is something complementary, to augment your "trusted iframe address" facility, which could still be in place. Namely, an option (for non-trusted addresses) to convert the iframe to text. Thus the basic message will still get through, and still be vaguely human readable. > I am loathed to spend the time required to implement all the "domains file" > code in version 3, it would be quite a bit of work. That's fine. I wasn't even hinting at any such back-port! 
> If you keep your Outlook and OE users well up to date with patches, then > you probably won't have much problem as most of the current viruses that > exploit this rely on you not having installed patches that were issued a > year ago. But one of the very reasons for MailScanner in the first place is that the users often don't keep themselves up-to-date with patches, and thus they (and other non-up-to-date users) remain vulnerable. (Suppose one user gets caught with such an iframe problem: what might then be the effect on other users whose own virus-scanning is, say, a few weeks behind?) Thanks again for a great product! -- : David Lee I.T. Service : : Systems Programmer Computer Centre : : University of Durham : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham : : Phone: +44 191 374 2882 U.K. : From novirus at CARLO65.DE Wed Nov 6 10:11:42 2002 
From: novirus at CARLO65.DE (Roland Ehle) Date: Thu Jan 12 21:16:18 2006 Subject: iframe dilemma: a compromise? In-Reply-To: References: Message-ID: <1036577502.23578.14.camel@linroute> Hi David, On Wed, 2002-11-06 at 10:52, David Lee wrote: [..] > > In version 4, you can allow IFrame tags from any given "trusted" address, > > which solves the problem. > But that doesn't really solve the problem, does it? It merely replaces > it with another: a never-ending problem of maintaining a list of such > trusted addresses submitted by our 15K-20K users. finally it is your decision, which one is the petty evil to you. > Even if that were feasible (doubtful!), how would we (the service provider > in the university) judge what really is to be "trusted"? You can't! Never, that is my opinion. I run a site with several domains and I decided not to allow IFrame tags. My customers understand it and there were no problems so far. Julian did a very good job with MailScanner 4.x and of course it is not his task to solve anybody's organisational problems. I am sure, if you convert HTML-mails containing IFrame tags to text-only, you are going to have a whole bunch of user complaints on your desk. Maybe, I did not understand you correctly, but it seems to me, that your favourite decision should be "Allow IFrame tags = no", because you will not find a 100 percent secure solution. Regards, Roland Sorry for my poor English From mailscanner at ecs.soton.ac.uk Wed Nov 6 12:38:50 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:18 2006 Subject: iframe dilemma: a compromise? In-Reply-To: References: <5.1.0.14.2.20021104182526.023b4238@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20021106122341.046952f8@imap.ecs.soton.ac.uk> At 09:52 06/11/2002, you wrote: >On Mon, 4 Nov 2002, Julian Field wrote: > > > At 18:06 04/11/2002, you wrote: > > >[...] > > >It seems the choice is currently a stark one: either permit iframe (and > > >risk its possible dangers) or forbid iframe (and risk the dangers of > > >unhappy users with big sticks). > > > > > >Might there be the possibility of a compromise? An option something like > > >"convert iframe to text"? (Or was this discussed and deemed unworkable?) > > > > In version 4, you can allow IFrame tags from any given "trusted" address, > > which solves the problem. > >Further, one of the purposes of MailScanner is to help to protect the >site, not just the individual PC. If a trusted address turns out itself >to be troublesome, then doesn't that open the floodgates? (Analogy: >suppose one had the facility "trust Bugbear from this address"?) Agreed. >What I am suggesting is something complementary, to augment your "trusted >iframe address" facility, which could still be in place. Namely, an >option (for non-trusted addresses) to convert the iframe to text. Thus >the basic message will still get through, and still be vaguely human >readable. > >But one of the very reasons for MailScanner in the first place is that the >users often don't keep themselves up-to-date with patches, and thus they >(and other non-up-to-date users) remain vulnerable. (Suppose one user >gets caught with such an iframe problem: what might then be the effect on >other users whose own virus-scanning is, say, a few weeks behind?) Yes, I understand your point of view much better now. 
I can see there are certain situations, or certain addresses, where you still want the readable content to get through even if the message contains untrusted IFrames or "Object Codebase" tags. So, say you have Allow IFrame Tags = yes but you also have a new option Convert Dangerous HTML to Text = yes then the message contents would be allowed through (by the 1st option) but it would be stripped down to plain text (by the 2nd option). The definition of "Dangerous" in this context is HTML containing either IFrame tags or Object Codebase tags. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From t.d.lee at DURHAM.AC.UK Wed Nov 6 14:17:02 2002 From: t.d.lee at DURHAM.AC.UK (David Lee) Date: Thu Jan 12 21:16:18 2006 Subject: iframe dilemma: a compromise? In-Reply-To: <5.1.0.14.2.20021106122341.046952f8@imap.ecs.soton.ac.uk> Message-ID: On Wed, 6 Nov 2002, Julian Field wrote: > So, say you have > Allow IFrame Tags = yes > but you also have a new option > Convert Dangerous HTML to Text = yes > then the message contents would be allowed through (by the 1st option) but > it would be stripped down to plain text (by the 2nd option). The definition > of "Dangerous" in this context is HTML containing either IFrame tags or > Object Codebase tags. That sounds like the sort of thing I had envisaged. Thanks. Naturally, if a back-port to 3.x were also reasonable, that, too, would be nice. And, of course, I would volunteer to help verify its working. -- : David Lee I.T. Service : : Systems Programmer Computer Centre : : University of Durham : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham : : Phone: +44 191 374 2882 U.K. : From tal at MUSICGENOME.COM Wed Nov 6 14:28:04 2002 
From: tal at MUSICGENOME.COM (Tal Kelrich) Date: Thu Jan 12 21:16:18 2006 Subject: iframe dilemma: a compromise? In-Reply-To: <5.1.0.14.2.20021106122341.046952f8@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20021104182526.023b4238@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021106122341.046952f8@imap.ecs.soton.ac.uk> Message-ID: <1036592892.17268.14.camel@johnny5> On Wed, 2002-11-06 at 14:38, Julian Field wrote: > So, say you have > Allow IFrame Tags = yes > but you also have a new option > Convert Dangerous HTML to Text = yes > then the message contents would be allowed through (by the 1st option) but > it would be stripped down to plain text (by the 2nd option). The definition > of "Dangerous" in this context is HTML containing either IFrame tags or > Object Codebase tags. how about converting it into slightly less dangerous HTML? (assuming users still want their HTML mail intact, which I think will mostly be the case) ie, turn IFRAME into DIV or something similar. btw, I'm wondering if an IFRAME without a src attribute is still as dangerous -- Tal Kelrich PGP fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69 Key Available at: http://www.hasturkun.com/pub.txt
From mailscanner at ecs.soton.ac.uk Wed Nov 6 15:04:55 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:18 2006 Subject: iframe dilemma: a compromise? In-Reply-To: <1036592892.17268.14.camel@johnny5> References: <5.1.0.14.2.20021106122341.046952f8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021104182526.023b4238@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021106122341.046952f8@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20021106150350.04544328@imap.ecs.soton.ac.uk> At 14:28 06/11/2002, you wrote: >On Wed, 2002-11-06 at 14:38, Julian Field wrote: > > So, say you have > > Allow IFrame Tags = yes > > but you also have a new option > > Convert Dangerous HTML to Text = yes > > then the message contents would be allowed through (by the 1st option) but > > it would be stripped down to plain text (by the 2nd option). The definition > > of "Dangerous" in this context is HTML containing either IFrame tags or > > Object Codebase tags. >how about converting it into slightly less dangerous HTML? (assuming >users still want their HTML mail intact, which I think will mostly be >the case) >ie, turn IFRAME into DIV or something similar. > >btw, I'm wondering if an IFRAME without a src attribute is still as >dangerous You want to guarantee there is no src attribute within a particular iframe? Very nasty parsing problem, that! -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From Heinz.Knutzen at DZSH.DE Wed Nov 6 15:52:08 2002 
From: Heinz.Knutzen at DZSH.DE (Knutzen, Heinz) Date: Thu Jan 12 21:16:18 2006 Subject: MailScanner-4.05-3 and SuSE 8.0 Message-ID: <096F8FA588BAD211844C0090272F2307017FBAFF@DZSHMAILSRV2>

Hi,

today I installed MailScanner-4.05-3 from rpm on a system running SuSE 8.0.
I will summarize my changes to get it to work:

1. add a link /usr/src/RPM to /usr/src/packages (this has been reported before)

2. The postinstall script doesn't work.
chkconfig from SuSE seems to be a bit different
"chkconfig --level 2 sendmail off # To fix bug in some RedHat dist's"
gives an error message:
Unknown option: level
usage:
        chkconfig -t|--terse [names] (shows the links)
        chkconfig -e|--edit [names] (configure services)
        chkconfig -s|--set [name state]... (configure services)
        chkconfig -l|--list [--deps] [names] (shows the links)
        chkconfig -a|--add [names] (runs insserv)
        chkconfig -d|--del [names] (runs insserv -r)
        chkconfig -h|--help (print usage)

        chkconfig [name] same as chkconfig -t
        chkconfig name state... same as chkconfig -s name state

3. The preuninstall and postuninstall won't work, since SuSE 8.0 doesn't have a "service" command.

4. The init script is placed in /etc/rc.d/init.d/MailScanner
This doesn't work for SuSE.
SuSE uses /etc/init.d/ for init scripts. /etc/rc.d is simply a link to /etc/init.d
Installing from rpm results in a file /etc/init.d/init.d/MailScanner

5. The init script init.d/MailScanner doesn't work anyhow:
- there is no /etc/rc.d/init.d/functions but a /etc/rc.status instead
- there is no file /etc/sysconfig/network, but a directory /etc/sysconfig/network
- the outgoing sendmail process is named "sendmail: Queue runner.*" for SuSE
- there is a different mechanism for failure / success reporting
- I don't know if /var/lock/subsys/MailScanner is useful for a SuSE system
See my modified init script for SuSE 8.0 attached to this mail.

Best regards

-- Heinz Knutzen

Datenzentrale Schleswig-Holstein
Altenholzer Str. 10-14, 24161 Altenholz, Germany
http://www.dzsh.de/
mailto:heinz.knutzen@dzsh.de
Tel: +49.431.3295.581 Fax: +49.431.3295.410

-------------- next part --------------
A non-text attachment was scrubbed...
Name: MailScanner.init
Type: application/octet-stream
Size: 4808 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021106/105e0860/MailScanner.obj

From t.d.lee at DURHAM.AC.UK Wed Nov 6 16:06:18 2002
From: t.d.lee at DURHAM.AC.UK (David Lee) Date: Thu Jan 12 21:16:18 2006 Subject: iframe dilemma: a compromise? In-Reply-To: <1036592892.17268.14.camel@johnny5> Message-ID: On Wed, 6 Nov 2002, Tal Kelrich wrote: > On Wed, 2002-11-06 at 14:38, Julian Field wrote: > > So, say you have > > Allow IFrame Tags = yes > > but you also have a new option > > Convert Dangerous HTML to Text = yes > > then the message contents would be allowed through (by the 1st option) but > > it would be stripped down to plain text (by the 2nd option). The definition > > of "Dangerous" in this context is HTML containing either IFrame tags or > > Object Codebase tags. > how about converting it into slightly less dangerous HTML? (assuming > users still want their HTML mail intact, which I think will mostly be > the case) > ie, turn IFRAME into DIV or something similar. So, to generalise, Julian's suggested binary switch: Convert Dangerous HTML to Text = yes this could become something vaguely like: Convert Dangerous HTML = {text|div|\&perl_routine|...} Note the "vaguely like": this is simply exploration of ideas. The "text" would strip out the iframe (result is a text message containing HTML tags: not spectacularly user-friendly, but simple and vaguely readable). The "div" would convert the "iframe": presumably the result would be modified HTML, still viewed in a WWW-browser-like window. The "\&perl_routine" would allow a site to have its own code. (Analogy: I recall some discussion about some sort of "Custom" facility.) For instance, that "perl_routine" might somehow invoke a custom, safer browser (perhaps lynx?). All very hand-wavy! -- : David Lee I.T. Service : : Systems Programmer Computer Centre : : University of Durham : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham : : Phone: +44 191 374 2882 U.K. : From Heinz.Knutzen at DZSH.DE Wed Nov 6 16:28:02 2002 
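The following Python example is added here and is neither MailScanner code nor part of any list message. It implements the two conversions floated in this thread, "text" and "div", for HTML containing IFrame tags or Object Codebase tags, using an HTML tokeniser instead of pattern matching; the function name, the mode names and the sample body are assumptions.

```python
from html import escape
from html.parser import HTMLParser

MODES = ("text", "div")  # hypothetical values, after the thread's {text|div|...}


def is_dangerous_tag(tag, attrs):
    """The thread's definition: IFrame tags, or Object tags with a Codebase."""
    if tag == "iframe":
        return True
    return tag == "object" and any(name == "codebase" for name, _ in attrs)


class _Converter(HTMLParser):
    """Tokenises the body once; emits plain text or rewritten HTML."""

    def __init__(self, mode):
        # In text mode let the parser decode &amp; etc.; in div mode keep
        # character references as written so safe markup passes unchanged.
        super().__init__(convert_charrefs=(mode == "text"))
        self.mode, self.out, self.found = mode, [], 0
        # Per element: was each still-open start tag rewritten to <div>?
        self.rewritten = {"iframe": [], "object": []}
        self.skip = 0  # depth inside <script>/<style> (not readable text)

    def handle_starttag(self, tag, attrs):
        bad = is_dangerous_tag(tag, attrs)
        self.found += bad
        if tag in self.rewritten:
            self.rewritten[tag].append(bad)
        if tag in ("script", "style"):
            self.skip += 1
        if self.mode == "div":
            # Dropping every attribute is what guarantees there is no src.
            self.out.append("<div>" if bad else self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):  # <iframe .../>, <br/>
        bad = is_dangerous_tag(tag, attrs)
        self.found += bad
        if self.mode == "div":
            self.out.append("<div></div>" if bad else self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.skip:
            self.skip -= 1
        stack = self.rewritten.get(tag)
        bad = stack.pop() if stack else False
        if self.mode == "div":
            self.out.append("</div>" if bad else "</%s>" % tag)

    def handle_data(self, data):
        if self.mode == "text":
            if not self.skip:
                self.out.append(data)
        elif self.rewritten["iframe"]:
            # Some parser versions hand iframe content over as raw text;
            # escape it so it cannot turn back into markup inside the <div>.
            self.out.append(escape(data, quote=False))
        else:
            self.out.append(data)

    def handle_entityref(self, name):  # only called in div mode
        self.out.append("&%s;" % name)

    def handle_charref(self, name):  # only called in div mode
        self.out.append("&#%s;" % name)

    def handle_decl(self, decl):
        if self.mode == "div":
            self.out.append("<!%s>" % decl)
    # Comments are not re-emitted: handle_comment is left as a no-op.


def convert_dangerous_html(body, mode):
    """Return (new_body, dangerous_tag_count); body is unchanged if count is 0."""
    if mode not in MODES:
        raise ValueError("mode must be one of %r" % (MODES,))
    parser = _Converter(mode)
    parser.feed(body)
    parser.close()
    if parser.found == 0:
        return body, 0
    result = "".join(parser.out)
    if mode == "text":
        result = " ".join(result.split())  # collapse layout whitespace
    return result, parser.found


# Constructed sample body, not taken from any real message. The iframe tag is
# split across lines, upper-cased, and has a ">" inside a quoted attribute.
SAMPLE = (
    '<html><body><p>Quarterly figures &amp; notes attached.</p>\n'
    '<IFRAME\n  title="a>b" SRC="http://example.invalid/frame"></IFRAME>\n'
    '<object classid="clsid:0" codebase="http://example.invalid/x.cab"></object>\n'
    '<object data="chart.svg" type="image/svg+xml"></object>\n'
    '<p>Regards</p></body></html>'
)

if __name__ == "__main__":
    for m in MODES:
        print(m, convert_dangerous_html(SAMPLE, m))
```

In "div" mode the object without a codebase passes through untouched, while the iframe and the codebase object each become an empty, attribute-free div.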
From: Heinz.Knutzen at DZSH.DE (Knutzen, Heinz) Date: Thu Jan 12 21:16:18 2006 Subject: AW: MailScanner-4.05-3 and SuSE 8.0 Message-ID: <096F8FA588BAD211844C0090272F2307017FBB01@DZSHMAILSRV2>

Another issue I forgot to mention:

the ./install-sh script tried to upgrade perl-MIME-tools, but this was refused with the following message:
"package perl-MIME-tools-5.411a-56 (which is newer than perl-MIME-tools-5.411-pl4.2) is already installed"

I don't understand how RPM knows which package is "newer".
The installed package doesn't have the recent patches applied.
Presumably I have to upgrade using --force ?

Best regards

-- Heinz

> -----Original Message-----
> From: Knutzen, Heinz [mailto:Heinz.Knutzen@DZSH.DE]
> Sent: Wednesday, 6 November 2002 16:52
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: MailScanner-4.05-3 and SuSE 8.0
>
> Hi,
>
> today I installed MailScanner-4.05-3 from rpm on a system running SuSE 8.0.
> I will summarize my changes to get it to work:
>
> 1. add a link /usr/src/RPM to /usr/src/packages (this has been reported before)
>
> 2. The postinstall script doesn't work.
> chkconfig from SuSE seems to be a bit different
> "chkconfig --level 2 sendmail off # To fix bug in some RedHat dist's"
> gives an error message:
> Unknown option: level
> usage:
>         chkconfig -t|--terse [names] (shows the links)
>         chkconfig -e|--edit [names] (configure services)
>         chkconfig -s|--set [name state]... (configure services)
>         chkconfig -l|--list [--deps] [names] (shows the links)
>         chkconfig -a|--add [names] (runs insserv)
>         chkconfig -d|--del [names] (runs insserv -r)
>         chkconfig -h|--help (print usage)
>
>         chkconfig [name] same as chkconfig -t
>         chkconfig name state... same as chkconfig -s name state
>
> 3. The preuninstall and postuninstall won't work, since SuSE 8.0 doesn't have a "service" command.
>
> 4. The init script is placed in /etc/rc.d/init.d/MailScanner
> This doesn't work for SuSE.
> SuSE uses /etc/init.d/ for init scripts. /etc/rc.d is simply a link to /etc/init.d
> Installing from rpm results in a file /etc/init.d/init.d/MailScanner
>
> 5. The init script init.d/MailScanner doesn't work anyhow:
> - there is no /etc/rc.d/init.d/functions but a /etc/rc.status instead
> - there is no file /etc/sysconfig/network, but a directory /etc/sysconfig/network
> - the outgoing sendmail process is named "sendmail: Queue runner.*" for SuSE
> - there is a different mechanism for failure / success reporting
> - I don't know if /var/lock/subsys/MailScanner is useful for a SuSE system
> See my modified init script for SuSE 8.0 attached to this mail.
>
> Best regards
>
> -- Heinz Knutzen
>
> Datenzentrale Schleswig-Holstein
> Altenholzer Str. 10-14, 24161 Altenholz, Germany
> http://www.dzsh.de/
> mailto:heinz.knutzen@dzsh.de
> Tel: +49.431.3295.581 Fax: +49.431.3295.410

From ivan at NUCCI.COM.BR Wed Nov 6 17:05:38 2002
From: ivan at NUCCI.COM.BR (Ivan Mirisola)
Date: Thu Jan 12 21:16:18 2006
Subject: Clam AV - Beware
References:
Message-ID: <3DC94BE2.4060109@nucci.com.br>

Hi Mr. Gavin Nelmes,

What version of clamAV are you using? Perhaps this security bug has been corrected in the latest version (0.53).

If I can be of any assistance in testing this software, I'll be glad to help. I think the OpenSource community will certainly appreciate it if clamAV is promoted to a "supported" status.

BTW: Does anyone know of a website where I can download viruses as a test platform?

Best regards,
Ivan

Gavin Nelmes-Crocker wrote:

>I know it's currently unsupported in code status by mailscanner and this
>doesn't technically alter that but beware if you are planning to use it on a
>production box with no other scanners.
>
>My findings so far with regard to virus detecting is poor we have pushed
>several real virii through it and it hasn't detected them when f-prot,sophos
>and kaspersky all have and I'm not talking new ones here one of the ones we
>are playing with is Melissa which is 2 years old. We have up to date virus
>definitions for Clamav and it is working as it detects its own test file but
>not some of the others that I would expect it to.
>
>Regards
>
>Gavin

From mailscanner at ecs.soton.ac.uk Wed Nov 6 17:08:32 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:18 2006
Subject: iframe dilemma: a compromise?
In-Reply-To:
References: <1036592892.17268.14.camel@johnny5>
Message-ID: <5.1.0.14.2.20021106170426.06ad7aa0@imap.ecs.soton.ac.uk>

At 16:06 06/11/2002, you wrote:
>On Wed, 6 Nov 2002, Tal Kelrich wrote:
>
> > On Wed, 2002-11-06 at 14:38, Julian Field wrote:
> > > So, say you have
> > > Allow IFrame Tags = yes
> > > but you also have a new option
> > > Convert Dangerous HTML to Text = yes
> > > then the message contents would be allowed through (by the 1st option) but
> > > it would be stripped down to plain text (by the 2nd option). The definition
> > > of "Dangerous" in this context is HTML containing either IFrame tags or
> > > Object Codebase tags.
> > how about converting it into slightly less dangerous HTML? (assuming
> > users still want their HTML mail intact, which I think will mostly be
> > the case)
> > ie, turn IFRAME into DIV or something similar.
>
>So, to generalise, Julian's suggested binary switch:
> Convert Dangerous HTML to Text = yes
>
>this could become something vaguely like:
> Convert Dangerous HTML = {text|div|\&perl_routine|...}
>
>Note the "vaguely like": this is simply exploration of ideas.
>
>The "text" would strip out the iframe (result is a text message containing
>HTML tags: not spectacularly user-friendly, but simple and vaguely
>readable).
>
>The "div" would convert the "iframe": presumably the result would be
>modified HTML, still viewed in a WWW-browser-like window.
>
>The "\&perl_routine" would allow a site to have its own code. (Analogy: I
>recall some discussion about some sort of "Custom" facility.) For
>instance, that "perl_routine" might somehow invoke a custom, safer
>browser (perhaps lynx?). All very hand-wavy!

Eek, that sounds like far too much hard work for me. Don't forget that my proposed "Convert Dangerous HTML to Text" option can be a ruleset or a custom function for working out which messages to massage.

Converting the IFrames to Divs is a bit harder for me (as I have to start parsing the HTML tag by tag and replacing certain tags while leaving others alone, and who's to say there aren't possible exploits in Divs too?). Allowing your own code to run at this point is awkward too, as you would have to know quite a lot about the internal structure of MailScanner to even start to be able to do something useful, and you may open yourself up to various attacks in the process.

I prefer to keep it simple, if that will satisfy most people. (I can't satisfy all the users all the time, and still get to sleep a few hours each night).

David, I'll mail you a URL in a moment so you can try out what I've done.
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From gavin at NETERGY.COM Wed Nov 6 17:42:36 2002
From: gavin at NETERGY.COM (Gavin Nelmes-Crocker)
Date: Thu Jan 12 21:16:18 2006
Subject: Clam AV - Beware
In-Reply-To: <3DC94BE2.4060109@nucci.com.br>
Message-ID:

The version I'm using is the latest version 0.53. I only installed it the other day to see what it was like.

The best site I have found for virii to use in testing is http://vx.netlux.org/

I have been using Melissa a lot as it's nice and old and therefore should be picked up by everything - that's what disappointed me when ClamAV missed it but I am happy to be corrected - I'm not on any of the clamav mailing lists so maybe you could test as well and bring it up there if you have the same findings.

Regards
Gavin

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Ivan Mirisola
Sent: 06 November 2002 17:06
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Clam AV - Beware

Hi Mr. Gavin Nelmes,

What version of clamAV are you using? Perhaps this security bug has been corrected in the latest version (0.53).

If I can be of any assistance in testing this software, I'll be glad to help. I think the OpenSource community will certainly appreciate it if clamAV is promoted to a "supported" status.

BTW: Does anyone know of a website where I can download viruses as a test platform?

Best regards,
Ivan

Gavin Nelmes-Crocker wrote:

>I know it's currently unsupported in code status by mailscanner and this
>doesn't technically alter that but beware if you are planning to use it on a
>production box with no other scanners.
>
>My findings so far with regard to virus detecting is poor we have pushed
>several real virii through it and it hasn't detected them when f-prot,sophos
>and kaspersky all have and I'm not talking new ones here one of the ones we
>are playing with is Melissa which is 2 years old. We have up to date virus
>definitions for Clamav and it is working as it detects its own test file but
>not some of the others that I would expect it to.
>
>Regards
>
>Gavin

From mailscanner at ecs.soton.ac.uk Wed Nov 6 18:11:45 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:18 2006
Subject: AW: MailScanner-4.05-3 and SuSE 8.0
In-Reply-To: <096F8FA588BAD211844C0090272F2307017FBB01@DZSHMAILSRV2>
Message-ID: <5.1.0.14.2.20021106181027.0238fbb0@imap.ecs.soton.ac.uk>

At 16:28 06/11/2002, you wrote:
>Another issue I forgot to mention:
>
>the ./install-sh script tried to upgrade perl-MIME-tools,
>but this was refused with the following message:
>"package perl-MIME-tools-5.411a-56 (which is newer than
>perl-MIME-tools-5.411-pl4.2) is already installed"
>
>I don't understand how RPM knows which package is "newer".
>The installed package doesn't have the recent patches applied.
>Presumably I have to upgrade using --force?

Yes, you will have to --force it.

Thanks for all the other comments, looks like I need to build a SuSE-specific version as there are too many differences from RedHat to be able to construct an RPM that will do both. Oh for some more hardware...

> > -----Original Message-----
> > From: Knutzen, Heinz [mailto:Heinz.Knutzen@DZSH.DE]
> > Sent: Wednesday, 6 November 2002 16:52
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: MailScanner-4.05-3 and SuSE 8.0
> >
> > Hi,
> >
> > today I installed MailScanner-4.05-3 from rpm on a system running SuSE 8.0.
> > I will summarize my changes to get it to work:
> >
> > 1. add a link /usr/src/RPM to /usr/src/packages (this has been reported before)
> >
> > 2. The postinstall script doesn't work.
> > chkconfig from SuSE seems to be a bit different
> > "chkconfig --level 2 sendmail off # To fix bug in some RedHat dist's"
> > gives an error message:
> > Unknown option: level
> > usage:
> > chkconfig -t|--terse [names] (shows the links)
> > chkconfig -e|--edit [names] (configure services)
> > chkconfig -s|--set [name state]... (configure services)
> > chkconfig -l|--list [--deps] [names] (shows the links)
> > chkconfig -a|--add [names] (runs insserv)
> > chkconfig -d|--del [names] (runs insserv -r)
> > chkconfig -h|--help (print usage)
> >
> > chkconfig [name] same as chkconfig -t
> > chkconfig name state... same as chkconfig -s name state
> >
> > 3. The preuninstall and postuninstall won't work, since SuSE 8.0 doesn't have a "service" command.
> >
> > 4. The init script is placed in /etc/rc.d/init.d/MailScanner
> > This doesn't work for SuSE.
> > SuSE uses /etc/init.d/ for init scripts. /etc/rc.d is simply a link to /etc/init.d
> > Installing from rpm results in a file /etc/init.d/init.d/MailScanner
> >
> > 5. The init script init.d/MailScanner doesn't work anyhow:
> > - there is no /etc/rc.d/init.d/functions but a /etc/rc.status instead
> > - there is no file /etc/sysconfig/network, but a directory /etc/sysconfig/network
> > - the outgoing sendmail process is named "sendmail: Queue runner.*" for SuSE
> > - there is a different mechanism for failure / success reporting
> > - I don't know if /var/lock/subsys/MailScanner is useful for a SuSE system
> > See my modified init script for SuSE 8.0 attached to this mail.
> >
> > Best regards
> >
> > -- Heinz Knutzen
> >
> > Datenzentrale Schleswig-Holstein
> > Altenholzer Str. 10-14, 24161 Altenholz, Germany
> > http://www.dzsh.de/
> > mailto:heinz.knutzen@dzsh.de
> > Tel: +49.431.3295.581 Fax: +49.431.3295.410

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From tal at MUSICGENOME.COM Wed Nov 6 18:20:32 2002
From: tal at MUSICGENOME.COM (Tal Kelrich)
Date: Thu Jan 12 21:16:18 2006
Subject: iframe dilemma: a compromise?
In-Reply-To: <5.1.0.14.2.20021106170426.06ad7aa0@imap.ecs.soton.ac.uk>
References: <1036592892.17268.14.camel@johnny5> <5.1.0.14.2.20021106170426.06ad7aa0@imap.ecs.soton.ac.uk>
Message-ID: <1036606832.17268.86.camel@johnny5>

On Wed, 2002-11-06 at 19:08, Julian Field wrote:
> Eek, that sounds like far too much hard work for me. Don't forget that my
> proposed "Convert Dangerous HTML to Text" option can be a ruleset or a
> custom function for working out which messages to massage.
>
> Converting the IFrames to Divs is a bit harder for me (as I have to start
> parsing the HTML tag by tag and replacing certain tags while leaving others
> alone, and who's to say there aren't possible exploits in Divs too?).
> Allowing your own code to run at this point is awkward too, as you would
> have to know quite a lot about the internal structure of MailScanner to
> even start to be able to do something useful, and you may open yourself up
> to various attacks in the process.

Couldn't you just use Anomy Sanitizer's Anomy::HTMLCleaner?
it seems to be pretty much well written, as well as maintained
(though some print STDERR and logging should be changed)
(http://mailtools.anomy.net/)

--
Tal Kelrich
PGP fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69
Key Available at: http://www.hasturkun.com/pub.txt

From mailscanner at ecs.soton.ac.uk Wed Nov 6 18:39:09 2002
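The option proposed in this thread (treat HTML containing IFrame tags or Object Codebase tags as "dangerous" and strip such a message down to plain text) can be sketched as follows. This is an added Python example built on the standard html.parser module, not MailScanner's Perl code or any list member's; the class names, the function name and the sample messages are constructed for illustration.

```python
from html.parser import HTMLParser


class DangerDetector(HTMLParser):
    """Records the two constructs the thread defines as "dangerous"."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.reasons = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so <IFRAME> and
        # CODEBASE= are caught as well as their lower-case spellings.
        if tag == "iframe":
            self.reasons.append("iframe")
        elif tag == "object" and any(name == "codebase" for name, _ in attrs):
            self.reasons.append("object-codebase")


class TextOnly(HTMLParser):
    """Keeps character data only: every tag is dropped, none is rewritten."""

    SKIP = {"script", "style"}  # their content is code, not message text
    BREAK = {"p", "br", "div", "tr", "li", "h1", "h2", "h3"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self._skipping = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skipping += 1
        elif tag in self.BREAK:
            self.parts.append("\n")

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skipping:
            self._skipping -= 1

    def handle_data(self, data):
        if not self._skipping:
            self.parts.append(data)


def convert_dangerous_html_to_text(html, enabled=True):
    """Return (body, content_type, reasons).

    `enabled` stands in for the proposed "Convert Dangerous HTML to Text"
    setting. A message with no dangerous construct is returned untouched; a
    dangerous one loses all markup and must then be sent as text/plain.
    """
    detector = DangerDetector()
    detector.feed(html)
    detector.close()
    if not enabled or not detector.reasons:
        return html, "text/html", detector.reasons

    stripper = TextOnly()
    stripper.feed(html)
    stripper.close()
    lines = (" ".join(line.split()) for line in "".join(stripper.parts).splitlines())
    return "\n".join(line for line in lines if line), "text/plain", detector.reasons


# Constructed sample messages (not taken from the thread).
SAFE = "<html><body><p>Hello <b>world</b></p></body></html>"
DANGEROUS = (
    "<html><body><p>Invoice attached</p>"
    '<IFRAME src="http://example.invalid/frame"></IFRAME>'
    "<script>x()</script><p>Regards &amp; thanks</p></body></html>"
)
OBJECT = (
    "<p>Update</p>"
    '<object classid="clsid:CONSTRUCTED" codebase="http://example.invalid/a.cab"></object>'
)

if __name__ == "__main__":
    for sample in (SAFE, DANGEROUS, OBJECT):
        print(convert_dangerous_html_to_text(sample))
```

Because nothing is rewritten and no tag survives, the result does not depend on deciding which remaining tags are harmless, which is the concern raised about converting IFrames to Divs.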
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:18 2006
Subject: iframe dilemma: a compromise?
In-Reply-To: <1036606832.17268.86.camel@johnny5>
References: <5.1.0.14.2.20021106170426.06ad7aa0@imap.ecs.soton.ac.uk> <1036592892.17268.14.camel@johnny5> <5.1.0.14.2.20021106170426.06ad7aa0@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021106183430.037bfe50@imap.ecs.soton.ac.uk>

At 18:20 06/11/2002, you wrote:
>On Wed, 2002-11-06 at 19:08, Julian Field wrote:
> > Eek, that sounds like far too much hard work for me. Don't forget that my
> > proposed "Convert Dangerous HTML to Text" option can be a ruleset or a
> > custom function for working out which messages to massage.
> >
> > Converting the IFrames to Divs is a bit harder for me (as I have to start
> > parsing the HTML tag by tag and replacing certain tags while leaving others
> > alone, and who's to say there aren't possible exploits in Divs too?).
> > Allowing your own code to run at this point is awkward too, as you would
> > have to know quite a lot about the internal structure of MailScanner to
> > even start to be able to do something useful, and you may open yourself up
> > to various attacks in the process.
>Couldn't you just use Anomy Sanitizer's Anomy::HTMLCleaner?
>it seems to be pretty much well written, as well as maintained
>(though some print STDERR and logging should be changed)
>(http://mailtools.anomy.net/)

That certainly sounds like a possibility, but I don't think it's a short term solution which is what people seem to want at the moment. When I get time, I will take a look at the HTMLCleaner as it may be better than the HTML-Parser module I use at the moment to do this.

One concern is what it considers to need "cleaning". At the moment, the HTML stripping I do removes all HTML tags, which is brutal but safe. I don't want to leave potential security holes due to any HTML that HTMLCleaner leaves intact. That may not be a problem, I haven't studied it yet.

But thanks for the pointer! I'll take a look when I get time.
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From ivan at NUCCI.COM.BR Wed Nov 6 19:01:26 2002
From: ivan at NUCCI.COM.BR (Ivan Mirisola)
Date: Thu Jan 12 21:16:18 2006
Subject: Clam AV - Beware
References:
Message-ID: <3DC96706.2060006@nucci.com.br>

Dear Mr. Gavin,

I tested the same virus on vx.netlux.org with clamAV 0.51 and it also failed to discover it. I have reported this issue to clamAV's site and hope to see some fix very soon.

-----------------------------------------------------------------------------------
Nov 6 16:55:48 nucci sendmail[9060]: gA6Jtlp09060: from=, size=44395, class=0, nrcpts=1, msgid=<000d01c285cf$05c31270$0502a8c0@C5>, proto=SMTP, daemon=MTA,
Nov 6 16:55:48 nucci MailScanner[9358]: New Batch: Scanning 1 messages, 44802 bytes
Nov 6 16:55:50 nucci MailScanner[9358]: Virus and Content Scanning: Starting
Nov 6 16:55:50 nucci MailScanner[9358]: Uninfected: Delivered 1 messages
-----------------------------------------------------------------------------------

Thanks again,
Ivan

Gavin Nelmes-Crocker wrote:

>I know it's currently unsupported in code status by mailscanner and this
>doesn't technically alter that but beware if you are planning to use it on a
>production box with no other scanners.
>
>My findings so far with regard to virus detecting is poor we have pushed
>several real virii through it and it hasn't detected them when f-prot,sophos
>and kaspersky all have and I'm not talking new ones here one of the ones we
>are playing with is Melissa which is 2 years old. We have up to date virus
>definitions for Clamav and it is working as it detects its own test file but
>not some of the others that I would expect it to.
>
>Regards
>
>Gavin

From vanhorn at whidbey.com Wed Nov 6 19:25:37 2002
From: vanhorn at whidbey.com (G. Armour Van Horn)
Date: Thu Jan 12 21:16:18 2006
Subject: Upgrade problems to 4.05
References: <0b0c01c27118$eda6f190$1c0a0a0a@pugmarks34team> <5.1.0.14.2.20021011135424.04352c00@imap.ecs.soton.ac.uk>
Message-ID: <3DC96CB1.2FE7B832@whidbey.com>

Julian,

I've been running with 4.00.0a13 ever since that frantic weekend when you were spitting out a new alpha every few hours. (You released them all, I installed them all, did either of us get any sleep?) At that time I couldn't get the ./install.sh to ever work, and you had me uninstalling each package, in reverse order, and then installing each package in order.

It's been a while, so I decided to catch up again and just grabbed 4.05 to try. With that many other installs behind you, I thought I'd give the installer another shot. After congratulating me for having the patch command and /usr/src/redhat, it gave me this:

You appear to have 2 versions of Perl installed,
the normal one in /usr/bin and one in /usr/local.
This often happens if you have used CPAN to install modules.
I strongly advise you remove all traces of perl from
within /usr/local and then run this script again.

If you do not want to do that, and really want to continue,
then you will need to run this script as
 ./install.sh ignore-perl

That neatly illustrates the most frustrating thing about my Linux/Unix experience. If anyone on earth should know where Perl modules should be, it has to be CPAN, right? And if anyone on earth should know where files belong on a RedHat system, it would be rpm, right? So how come every machine I have ever run more than a week has at least two sets of several Perl directories? (Never mind that I have to have two versions of Python now.)

I know, you didn't make this mess. But I certainly don't feel confident removing all traces of Perl from /usr/local, and the only trace I see there is
 mod_perl.pm -> /usr/lib/perl5/site_perl/5.6.0/i386-linux/mod_perl.pm
which is a link to yet a third location. Is there a risk in running more than one copy of Perl things? Is it greater than the risk of running less than one? Or, as seems more likely to me, having seven copies of Perl things but none of them is in the place that something else wants it to be? As much as I despise Microsoft, I at least know where everything goes in a Windows system!

So, I'm thinking about going back to the familiar routine of removing each RPM in turn and reinstalling them one at a time. That way the only thing I have to worry about is to restore my MailScanner.conf. (Which reminds me, why can't RPM note if a valid conf file is in place and leave it alone?)

Also, I have noticed a major difference in the messages I get when a virus is found. When I was running 3.23 I got the headers of the offending message, now I get a short summary. Is this a change from MailScanner 3 to 4, or a change from Kaspersky to f-prot which I made at the same time for economic reasons?

This can wait a bit, viruses are being stopped and the mail is getting delivered.

Van

--
----------------------------------------------------------
Sign up now for Quotes of the Day, a handful of quotations on a theme delivered every morning.
Enlightenment! Daily, for free!
mailto:twisted@whidbey.com?subject=Subscribe_QOTD

For web hosting and maintenance, visit Van's home page:
http://www.domainvanhorn.com/van/
----------------------------------------------------------

From brian at PORTSMOUTH-COLLEGE.AC.UK Wed Nov 6 19:33:02 2002
From: brian at PORTSMOUTH-COLLEGE.AC.UK (Brian Chivers)
Date: Thu Jan 12 21:16:18 2006
Subject: mailscanner.conf.rpmnew
Message-ID: <003501c285cb$5258c5c0$69c8a8c0@tpc.ac.uk>

I've just upgraded from 3.13 to 3.25-1 via the RPM and everything seems to be ok except !!!

When I look in the etc directory in Mailscanner directory I see a new file called mailscanner.conf.rpmnew

Should I merge the old settings from my existing conf file into the rpmnew file then rename this to mailscanner.conf ??

Thanks in advance
Brian Chivers

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From ivan at NUCCI.COM.BR Wed Nov 6 19:34:45 2002
From: ivan at NUCCI.COM.BR (Ivan Mirisola)
Date: Thu Jan 12 21:16:18 2006
Subject: ClamAV - New Test Results
References: <3DC96706.2060006@nucci.com.br>
Message-ID: <3DC96ED5.5000007@nucci.com.br>

Hi All,

I have performed new tests with some famous viruses found on vx.netlux.org. Only Melissa failed to be discovered by clamAV. I don't know why. The virus is found on a "visual basic for ms-word" format and had to be included in a document. Maybe clamAV is trying to find the original file that contained the virus but this must be a wrong doing. My AVG Free Edition does check the document generated and is able to see that there is a virus within.

Any thoughts, I'll be glad to hear.

Sincerely,
Ivan

------------------------------Love Letter Test------------------------------------
Nov 6 17:27:36 nucci sendmail[17092]: gA6KRZp17092: from=, size=11995, class=0, nrcpts=1, msgid=<002d01c285d3$77256bd0$0502a8c0@C5>, proto=SMTP,
Nov 6 17:27:37 nucci MailScanner[10818]: New Batch: Scanning 1 messages, 12402 bytes
Nov 6 17:27:37 nucci MailScanner[10818]: Virus and Content Scanning: Starting
Nov 6 17:27:38 nucci MailScanner[10818]: Virus Scanning: clamav found 1 infections
Nov 6 17:27:38 nucci MailScanner[10818]: Virus Scanning: Found 1 viruses
Nov 6 17:27:38 nucci MailScanner[10818]: Filename Checks: Possible Microsoft Visual Basic script attack (I-Worm.LoveLetter.vbs)
Nov 6 17:27:38 nucci MailScanner[10818]: Other Checks: Found 1 problems
Nov 6 17:27:38 nucci MailScanner[10818]: Saved infected "I-Worm.LoveLetter.vbs" to /var/spool/MailScanner/quarantine/20021106/gA6KRZp17092
Nov 6 17:27:38 nucci MailScanner[10818]: Cleaned: Delivered 1 cleaned messages
------------------------------Love Letter Test------------------------------------

------------------------------Pretty Park Test-------------------------------------
Nov 6 17:25:37 nucci sendmail[15773]: gA6KPap15773: from=, size=52034, class=0, nrcpts=1, msgid=<002301c285d3$30265f50$0502a8c0@C5>, proto=SMTP
Nov 6 17:25:40 nucci MailScanner[4547]: New Batch: Scanning 1 messages, 52441 bytes
Nov 6 17:25:40 nucci MailScanner[4547]: Virus and Content Scanning: Starting
Nov 6 17:25:41 nucci MailScanner[4547]: Filename Checks: Possible virus hidden in a screensaver (I-Worm.PrettyPark.scr)
Nov 6 17:25:41 nucci MailScanner[4547]: Other Checks: Found 1 problems
Nov 6 17:25:41 nucci MailScanner[4547]: Saved infected "I-Worm.PrettyPark.scr" to /var/spool/MailScanner/quarantine/20021106/gA6KPap15773
Nov 6 17:25:41 nucci MailScanner[4547]: Cleaned: Delivered 1 cleaned messages
------------------------------Pretty Park Test-------------------------------------

--------------------------------Magister Test-------------------------------------
Nov 6 17:23:34 nucci sendmail[15225]: gA6KNXp15225: from=, size=85924, class=0, nrcpts=1, msgid=<001901c285d2$e6e5ee50$0502a8c0@C5>, proto=SMTP
Nov 6 17:23:35 nucci MailScanner[4152]: New Batch: Scanning 1 messages, 86332 bytes
Nov 6 17:23:35 nucci MailScanner[4152]: Virus and Content Scanning: Starting
Nov 6 17:23:37 nucci MailScanner[4152]: Virus Scanning: clamav found 1 infections
Nov 6 17:23:37 nucci MailScanner[4152]: Virus Scanning: Found 1 viruses
Nov 6 17:23:37 nucci MailScanner[4152]: Filename Checks: Possible virus hidden in a screensaver (I-Worm.Magistr.b.scr)
Nov 6 17:23:37 nucci MailScanner[4152]: Other Checks: Found 1 problems
Nov 6 17:23:37 nucci MailScanner[4152]: Saved infected "I-Worm.Magistr.b.scr" to /var/spool/MailScanner/quarantine/20021106/gA6KNXp15225
Nov 6 17:23:37 nucci MailScanner[4152]: Cleaned: Delivered 1 cleaned messages
--------------------------------Magister Test-------------------------------------

------------------------------Nimda Test------------------------------------------
Nov 6 17:21:07 nucci sendmail[14736]: gA6KL7p14736: from=, size=2947, class=0, nrcpts=1, msgid=<000d01c285d2$8f8f1320$0502a8c0@C5>, proto=SMTP
Nov 6 17:21:07 nucci MailScanner[4152]: New Batch: Scanning 1 messages, 3354 bytes
Nov 6 17:21:07 nucci MailScanner[4152]: Virus and Content Scanning: Starting
Nov 6 17:21:08 nucci MailScanner[4152]: Virus Scanning: clamav found 1 infections
Nov 6 17:21:08 nucci MailScanner[4152]: Virus Scanning: Found 1 viruses
Nov 6 17:21:08 nucci MailScanner[4152]: Saved infected "I-Worm.Nimda.html" to /var/spool/MailScanner/quarantine/20021106/gA6KL7p14736
Nov 6 17:21:08 nucci MailScanner[4152]: Cleaned: Delivered 1 cleaned messages
------------------------------Nimda Test------------------------------------------

Ivan Mirisola wrote:

> Dear Mr. Gavin,
>
> I tested the same virus on vx.netlux.org with clamAV 0.51 and it also
> failed to discover it. I have reported this issue to clamAV's site and hope
> to see some fix very soon.
>
> -----------------------------------------------------------------------------------
> Nov 6 16:55:48 nucci sendmail[9060]: gA6Jtlp09060: from=, size=44395, class=0, nrcpts=1, msgid=<000d01c285cf$05c31270$0502a8c0@C5>, proto=SMTP, daemon=MTA,
> Nov 6 16:55:48 nucci MailScanner[9358]: New Batch: Scanning 1 messages, 44802 bytes
> Nov 6 16:55:50 nucci MailScanner[9358]: Virus and Content Scanning: Starting
> Nov 6 16:55:50 nucci MailScanner[9358]: Uninfected: Delivered 1 messages
> -----------------------------------------------------------------------------------
>
> Thanks again,
> Ivan
>
> Gavin Nelmes-Crocker wrote:
>
>> I know it's currently unsupported in code status by mailscanner and this
>> doesn't technically alter that but beware if you are planning to use it on a
>> production box with no other scanners.
>>
>> My findings so far with regard to virus detecting is poor we have pushed
>> several real virii through it and it hasn't detected them when f-prot,sophos
>> and kaspersky all have and I'm not talking new ones here one of the ones we
>> are playing with is Melissa which is 2 years old. We have up to date virus
>> definitions for Clamav and it is working as it detects its own test file but
>> not some of the others that I would expect it to.
>>
>> Regards
>>
>> Gavin

From mike at CAMAROSS.NET Wed Nov 6 19:37:11 2002
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:16:18 2006
Subject: mailscanner.conf.rpmnew
In-Reply-To: <003501c285cb$5258c5c0$69c8a8c0@tpc.ac.uk>
Message-ID:

I would if the time/date stamp on the .rpmnew is more recent. Chances are, there are more options to be set in the .rpmnew that you'll need/want.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Brian Chivers
Sent: Wednesday, November 06, 2002 1:33 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: mailscanner.conf.rpmnew

I've just upgraded from 3.13 to 3.25-1 via the RPM and everything seems to be ok except !!!

When I look in the etc directory in Mailscanner directory I see a new file called mailscanner.conf.rpmnew

Should I merge the old settings from my existing conf file into the rpmnew file then rename this to mailscanner.conf ??

Thanks in advance
Brian Chivers

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From mailscanner at ecs.soton.ac.uk Wed Nov 6 19:37:52 2002
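The MailScanner syslog excerpts in the ClamAV test-results message above record, per batch, whether a virus scanner or only a filename rule fired. The Python sketch below is an added example, not part of any list message or of MailScanner itself; it parses lines in that format and reports which layer stopped each batch. The sample lines, host name, PIDs and attachment names are constructed, and the class and function names are hypothetical.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the syslog format quoted above; host name, PIDs,
# queue ID, sizes and attachment names are made up for this example.
SAMPLE_LOG = """\
Nov  6 17:21:07 mx1 sendmail[2001]: gA6EXAMPLE01: from=<sender@example.org>, size=2947, nrcpts=1, proto=SMTP
Nov  6 17:21:07 mx1 MailScanner[2101]: New Batch: Scanning 1 messages, 3354 bytes
Nov  6 17:21:07 mx1 MailScanner[2101]: Virus and Content Scanning: Starting
Nov  6 17:21:08 mx1 MailScanner[2101]: Virus Scanning: clamav found 1 infections
Nov  6 17:21:08 mx1 MailScanner[2101]: Virus Scanning: Found 1 viruses
Nov  6 17:21:08 mx1 MailScanner[2101]: Cleaned: Delivered 1 cleaned messages
Nov  6 17:23:35 mx1 MailScanner[2101]: New Batch: Scanning 1 messages, 86332 bytes
Nov  6 17:23:37 mx1 MailScanner[2101]: Virus Scanning: clamav found 1 infections
Nov  6 17:23:37 mx1 MailScanner[2101]: Filename Checks: Possible virus hidden in a screensaver (sample-b.scr)
Nov  6 17:23:37 mx1 MailScanner[2101]: Cleaned: Delivered 1 cleaned messages
Nov  6 17:25:40 mx1 MailScanner[2102]: New Batch: Scanning 1 messages, 52441 bytes
Nov  6 17:25:41 mx1 MailScanner[2102]: Filename Checks: Possible virus hidden in a screensaver (sample-c.scr)
Nov  6 17:25:41 mx1 MailScanner[2102]: Other Checks: Found 1 problems
Nov  6 17:25:41 mx1 MailScanner[2102]: Cleaned: Delivered 1 cleaned messages
Nov  6 17:30:48 mx1 MailScanner[2103]: New Batch: Scanning 1 messages, 44802 bytes
Nov  6 17:30:50 mx1 MailScanner[2103]: Uninfected: Delivered 1 messages
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+\s+[\d:]{8}\s+\S+\s+MailScanner\[(\d+)\]:\s+(.*)$")
BATCH_RE = re.compile(r"^New Batch: Scanning (\d+) messages, (\d+) bytes$")
SCANNER_RE = re.compile(r"^Virus Scanning: (\S+) found (\d+) infections$")
FILENAME_RE = re.compile(r"^Filename Checks: .*\(([^()]+)\)$")
OUTCOME_RE = re.compile(r"^(Uninfected|Cleaned): Delivered (\d+) ")


@dataclass
class Batch:
    pid: int
    messages: int
    scanner_hits: dict = field(default_factory=dict)   # scanner name -> infections
    filename_hits: list = field(default_factory=list)  # attachment names
    outcomes: dict = field(default_factory=dict)       # "Cleaned"/"Uninfected" -> count

    def verdict(self):
        """Which layer flagged the batch (per batch, not per message)."""
        if self.scanner_hits:
            return "scanner"
        if self.filename_hits:
            return "filename-rule-only"
        return "no-detection"


def parse_batches(text):
    """Group MailScanner lines into batches; a PID starts a new batch on
    every "New Batch" line, so one child can contribute several batches."""
    batches, current = [], {}
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # sendmail and other daemons
        pid, msg = int(match.group(1)), match.group(2)
        new = BATCH_RE.match(msg)
        if new:
            current[pid] = Batch(pid, int(new.group(1)))
            batches.append(current[pid])
            continue
        batch = current.get(pid)
        if batch is None:
            continue  # the log excerpt starts in the middle of a batch
        hit = SCANNER_RE.match(msg)
        if hit:
            name = hit.group(1)
            batch.scanner_hits[name] = batch.scanner_hits.get(name, 0) + int(hit.group(2))
            continue
        hit = FILENAME_RE.match(msg)
        if hit:
            batch.filename_hits.append(hit.group(1))
            continue
        hit = OUTCOME_RE.match(msg)
        if hit:
            batch.outcomes[hit.group(1)] = int(hit.group(2))
    return batches


def engine_gaps(batches):
    """Batches in which no virus scanner reported an infection."""
    return [b for b in batches if b.verdict() != "scanner"]


if __name__ == "__main__":
    for b in parse_batches(SAMPLE_LOG):
        print(b.pid, b.verdict(), b.scanner_hits, b.filename_hits, b.outcomes)
```

A `filename-rule-only` verdict means the batch was stopped by the filename rules while no scanner line reported an infection, which is the case to separate out when judging an engine's detection on its own.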
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:19 2006
Subject: Upgrade problems to 4.05
In-Reply-To: <3DC96CB1.2FE7B832@whidbey.com>
References: <0b0c01c27118$eda6f190$1c0a0a0a@pugmarks34team> <5.1.0.14.2.20021011135424.04352c00@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021106193025.02370e20@imap.ecs.soton.ac.uk>

At 19:25 06/11/2002, you wrote:
>I've been running with 4.00.0a13 ever since that frantic weekend when you
>were spitting out a new alpha every few hours. (You released them all, I
>installed them all, did either of us get any sleep?) At that time I
>couldn't get the ./install.sh to ever work, and you had me uninstalling
>each package, in reverse order, and then installing each package in order.

I have hazy memories of that weekend...
Given more hardware, I could build test systems for other OS's. VMWare helps a lot (my main desktop pc can run 3 different OS's at the same time) but it's not a complete solution to the problem.

>It's been a while, so I decided to catch up again and just grabbed 4.05 to
>try. With that many other installs behind you, I thought I'd give the
>installer another shot. After congratulating me for having the patch
>command and /usr/src/redhat, it gave me this:
>You appear to have 2 versions of Perl installed,
>the normal one in /usr/bin and one in /usr/local.
>This often happens if you have used CPAN to install modules.
>I strongly advise you remove all traces of perl from
>within /usr/local and then run this script again.
>
>If you do not want to do that, and really want to continue,
>then you will need to run this script as
> ./install.sh ignore-perl
>
>That neatly illustrates the most frustrating thing about my Linux/Unix
>experience. If anyone on earth should know where Perl modules should be,
>it has to be CPAN, right? And if anyone on earth should know where files
>belong on a RedHat system, it would be rpm, right? So how come every
>machine I have ever run more than a week has at least two sets of several
>Perl directories? (Never mind that I have to have two versions of Python now.)
>
>I know, you didn't make this mess. But I certainly don't feel confident
>removing all traces of Perl from /usr/local, and the only trace I see there is
> mod_perl.pm -> /usr/lib/perl5/site_perl/5.6.0/i386-linux/mod_perl.pm
>which is a link to yet a third location. Is there a risk in running more
>than one copy of Perl things?

It can affect where cpan tries to install things, which may not be where /usr/bin/perl finds things. The test in my script looks for /usr/bin/perl and /usr/local/bin/perl, and complains if they both exist.
Try
        cd /usr/local
        find . -name '*perl*' -print
to find potential targets.

> Is it greater than the risk of running less than one? Or, as seems more
> likely to me, having seven copies of Perl things but none of them is in
> the place that something else wants it to be? As much as I despise
> Microsoft, I at least know where everything goes in a Windows system!
>
>So, I'm thinking about going back to the familiar routine of removing each
>RPM in turn and reinstalling them one at a time. That way the only thing
>I have to worry about is to restore my MailScanner.conf. (Which reminds
>me, why can't RPM note if a valid conf file is in place and leave it alone?)

RPM does do this, and will leave you with both the new one and your old one, so you can sort out your customisations.

>Also, I have noticed a major difference in the messages I get when a virus
>is found. When I was running 3.23 I got the headers of the offending
>message, now I get a short summary. Is this a change from MailScanner 3 to
>4, or a change from Kaspersky to f-prot which I made at the same time for
>economic reasons?

This is a configuration option, called something containing "Full Headers" if I remember rightly.
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From mike at CAMAROSS.NET Wed Nov 6 19:45:11 2002
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:16:19 2006
Subject: Hardware Woes
In-Reply-To: <5.1.0.14.2.20021106193025.02370e20@imap.ecs.soton.ac.uk>
Message-ID:

I know out of all the people on this list and users of MailScanner which Julian provides for FREE, we should be able to come up with some spare hardware to get him the tools he needs. I know I have RAM, some drives, a couple of older processors, etc that I will gladly donate to the cause. If international shipping is a problem, I know Julian accepts donations via Paypal.

Come on folks...let's show some appreciation and help Julian help US!

Mike

From gavin at NETERGY.COM Wed Nov 6 20:02:16 2002
From: gavin at NETERGY.COM (Gavin Nelmes-Crocker)
Date: Thu Jan 12 21:16:19 2006
Subject: Hardware Woes
In-Reply-To:
Message-ID:

What are the hardware woes?

I'm happy to contribute some equipment to the cause as well, I have some at least 1 spare motherboard with low end cpu and a large 1u unit again low cpu but fully working and redhat compatible.

We are looking to benefit commercially, it's the least I can do.

Regards
Gavin

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Mike Kercher Sent: 06 November 2002 19:45 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Hardware Woes I know out of all the people on this list and users of MailScanner which Julian provides for FREE, we should be able to come up with some spare hardware to get him the tools he needs. I know I have RAM, some drives, a couple of older processors, etc that I will gladly donate to the cause. If international shipping is a problem, I know Julian accepts donations via Paypal. Come on folks...let's show some appreciation and help Julian help US! Mike From mike at CAMAROSS.NET Wed Nov 6 20:03:55 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:16:19 2006 Subject: Hardware Woes In-Reply-To: Message-ID: I'll let Julian tell us what his needs/requirements are :) Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Gavin Nelmes-Crocker Sent: Wednesday, November 06, 2002 2:02 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Hardware Woes what are the hardware woes? I'm happy to contribute some equipment to the cause as well, I have some at least 1 spare motherboard with low end cpu and a large 1u unit again low cpu but fully working and redhat compatible. We are looking to benefit commercially its the least I can do. Regards Gavin -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Mike Kercher Sent: 06 November 2002 19:45 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Hardware Woes I know out of all the people on this list and users of MailScanner which Julian provides for FREE, we should be able to come up with some spare hardware to get him the tools he needs. I know I have RAM, some drives, a couple of older processors, etc that I will gladly donate to the cause. If international shipping is a problem, I know Julian accepts donations via Paypal. Come on folks...let's show some appreciation and help Julian help US! Mike From mailscanner at ecs.soton.ac.uk Wed Nov 6 20:49:36 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:19 2006 Subject: Hardware Woes In-Reply-To: References: Message-ID: <5.1.0.14.2.20021106203843.02c13eb8@imap.ecs.soton.ac.uk> At 20:03 06/11/2002, you wrote: >I'll let Julian tell us what his needs/requirements are :) My ideal list is this at the moment: PC to run SuSE / Ensim / RedHat Cobalt raq Cobalt cube (or is it qube these days) and a Sun workgroup server for various Solaris versions. I need them for not only development, but also performance testing so that potential users know what hardware they need for their mail load for the current version. I know that lot is asking a bit much of any of you, I'm trying to get some sponsorship/donations locally too. If anyone needs ammunition for their financial directors, get a quote from MessageLabs or Trend for a nasty surprise! We did this and nearly fainted. >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Gavin Nelmes-Crocker >Sent: Wednesday, November 06, 2002 2:02 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Hardware Woes > > >what are the hardware woes? > >I'm happy to contribute some equipment to the cause as well, I have some at >least 1 spare motherboard with low end cpu and a large 1u unit again low cpu >but fully working and redhat compatible. > >We are looking to benefit commercially its the least I can do. > >Regards > >Gavin > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Mike Kercher >Sent: 06 November 2002 19:45 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Hardware Woes > > >I know out of all the people on this list and users of MailScanner which >Julian provides for FREE, we should be able to come up with >some spare hardware to get him the tools he needs. I know I have RAM, some >drives, a couple of older processors, etc that I will >gladly donate to the cause. If international shipping is a problem, I know >Julian accepts donations via Paypal. Come on >folks...let's show some appreciation and help Julian help US! > >Mike -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From richard.siddall at elirion.net Wed Nov 6 21:07:09 2002 
From: richard.siddall at elirion.net (Richard Siddall) Date: Thu Jan 12 21:16:19 2006 Subject: Hardware Woes References: <5.1.0.14.2.20021106203843.02c13eb8@imap.ecs.soton.ac.uk> Message-ID: <3DC9847D.B8C9D8D4@elirion.net> Julian Field wrote: > > At 20:03 06/11/2002, you wrote: > >I'll let Julian tell us what his needs/requirements are :) > > My ideal list is this at the moment: > > PC to run SuSE / Ensim / RedHat > Cobalt raq > Cobalt cube (or is it qube these days) > and a Sun workgroup server for various Solaris versions. > All 240V / 50 Hz or auto-switching, I assume. Julian, have you looked at the Sun Cobalt RaQ Hotel? http://developer.cobalt.com/resources/hotel.php (You may have to register first at: http://developer.cobalt.com/sol/dev.maintenance.php) I haven't used it. Apparently they have the Qube 3, but not the RaQ XTR or 550. Regards, Richard Siddall From mailscanner at ecs.soton.ac.uk Wed Nov 6 21:28:21 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:19 2006 Subject: Hardware Woes In-Reply-To: <3DC9847D.B8C9D8D4@elirion.net> References: <5.1.0.14.2.20021106203843.02c13eb8@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20021106212429.02bc17d8@imap.ecs.soton.ac.uk> At 21:07 06/11/2002, you wrote: >Julian Field wrote: > > At 20:03 06/11/2002, you wrote: > > >I'll let Julian tell us what his needs/requirements are :) > > > > My ideal list is this at the moment: > > > > PC to run SuSE / Ensim / RedHat > > Cobalt raq > > Cobalt cube (or is it qube these days) > > and a Sun workgroup server for various Solaris versions. > > > >All 240V / 50 Hz or auto-switching, I assume. Yes please. Fortunately PC power supplies are cheap. >Julian, have you looked at the Sun Cobalt RaQ Hotel? >http://developer.cobalt.com/resources/hotel.php >(You may have to register first at: >http://developer.cobalt.com/sol/dev.maintenance.php) >I haven't used it. Apparently they have the Qube 3, but not the RaQ >XTR or 550. That looks like a possibility for testing builds. Unfortunately I can't guarantee being able to spend lots of hours at some specific dates, so this would be less suitable for development use. Occasionally my real job gets in the way :-) The other development docs there definitely look very useful though. And as I didn't know they existed, a Sun LX50 would be very handy too. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From gavin at NETERGY.COM Wed Nov 6 21:58:46 2002 
From: gavin at NETERGY.COM (Gavin Nelmes-Crocker)
Date: Thu Jan 12 21:16:19 2006
Subject: Hardware Woes
In-Reply-To: <5.1.0.14.2.20021106212429.02bc17d8@imap.ecs.soton.ac.uk>
Message-ID:

ok this hardware list is getting longer by the minute :-)

Ok I'm committing a 1U 700Mhz 20Gb 128Mb unit to the cause - does anyone have a DHL or similar account who would like to donate shipping we're only talking about £15 as I'm based in the UK, otherwise I will drop it in but it may take me some time to be in Southampton again (before Christmas is the best at the moment)

The unit runs redhat but will need to be wiped as I don't have the password anymore, the box has only been set-up and not used (previous company I worked for went belly up)

As for the Cobalt stuff I can probably lend something for a reasonable period for testing sorry no LX50 or RaQ550 but I have some friends in Southampton who customize a lot of RaQ550's so I will ask if they can help. I used to work for Cobalt so maybe there are some strings to be pulled sadly with Sun it's not as easy as it was. In my Cobalt days I would have been driving down with one of each of our products in sponsorship sadly Sun don't always view it like that.

That's the best I can do at the moment - MailScanner is awesome and I have to say Julian is one of the hardest working maintainer/programmers I've dealt with recently.

Regards
Gavin

ps the box is boxed and ready to ship if anyone is quick with courier details!!!!!! don't be shy.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: 06 November 2002 21:28 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Hardware Woes At 21:07 06/11/2002, you wrote: >Julian Field wrote: > > At 20:03 06/11/2002, you wrote: > > >I'll let Julian tell us what his needs/requirements are :) > > > > My ideal list is this at the moment: > > > > PC to run SuSE / Ensim / RedHat > > Cobalt raq > > Cobalt cube (or is it qube these days) > > and a Sun workgroup server for various Solaris versions. > > > >All 240V / 50 Hz or auto-switching, I assume. Yes please. Fortunately PC power supplies are cheap. >Julian, have you looked at the Sun Cobalt RaQ Hotel? >http://developer.cobalt.com/resources/hotel.php >(You may have to register first at: >http://developer.cobalt.com/sol/dev.maintenance.php) >I haven't used it. Apparently they have the Qube 3, but not the RaQ >XTR or 550. That looks like a possibility for testing builds. Unfortunately I can't guarantee being able to spend lots of hours at some specific dates, so this would be less suitable for development use. Occasionally my real job gets in the way :-) The other development docs there definitely look very useful though. And as I didn't know they existed, a Sun LX50 would be very handy too. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From novirus at CARLO65.DE Wed Nov 6 22:40:02 2002 
From: novirus at CARLO65.DE (Roland Ehle)
Date: Thu Jan 12 21:16:19 2006
Subject: Hardware Woes
In-Reply-To:
References:
Message-ID: <1036622402.23579.21.camel@linroute>

Hi Gavin,

On Wed, 2002-11-06 at 22.58, Gavin Nelmes-Crocker wrote:
> ok this hardware list is getting longer by the minute :-)
>
> Ok I'm committing a 1U 700Mhz 20Gb 128Mb unit to the cause - does anyone
> have a DHL or similar account who would like to donate shipping we're only
> talking about £15 as I'm based in the UK, otherwise I will drop it in but it
> may take me some time to be in Southampton again (before Christmas is the
> best at the moment)

I do not have a DHL account, but I think I can call the German branch of DHL and have them pick up the box at your address to deliver it to Julian. Let me just sort this out tomorrow morning. Otherwise I will send you the money.

Regards,
Roland

From gavin at NETERGY.COM Wed Nov 6 23:50:57 2002
From: gavin at NETERGY.COM (Gavin Nelmes-Crocker)
Date: Thu Jan 12 21:16:19 2006
Subject: Hardware Woes
In-Reply-To: <1036622402.23579.21.camel@linroute>
Message-ID:

Roland you are most kind let me know and I will let you have all the details for collection, I'm sure Julian will also forward you the delivery address.

Regards
Gavin

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Roland Ehle
Sent: 06 November 2002 22:40
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Hardware Woes

Hi Gavin,

On Wed, 2002-11-06 at 22.58, Gavin Nelmes-Crocker wrote:
> ok this hardware list is getting longer by the minute :-)
>
> Ok I'm committing a 1U 700Mhz 20Gb 128Mb unit to the cause - does anyone
> have a DHL or similar account who would like to donate shipping we're only
> talking about £15 as I'm based in the UK, otherwise I will drop it in but it
> may take me some time to be in Southampton again (before Christmas is the
> best at the moment)

I do not have a DHL account, but I think I can call the German branch of DHL and have them pick up the box at your address to deliver it to Julian. Let me just sort this out tomorrow morning. Otherwise I will send you the money.

Regards,
Roland

From vguerrero at minar.com Wed Nov 6 23:56:53 2002
From: vguerrero at minar.com (Vicente Guerrero M.)
Date: Thu Jan 12 21:16:19 2006
Subject: F-PROT problem?
Message-ID: <00d901c285f0$2eb3b650$620aaa82@ADMINISTRATOR>

I have RedHat 7.1, Sendmail 8.9.3, MailScanner 4.04-1 and f-prot 3.12b.

Everything seems to be working ok, but if I send a message from an external account (hotmail) with a virus attached, I have no warning about an infected message. I tried the EICAR_test file too, but nothing happened, I just get these lines in maillog:

Nov 6 17:34:11 ns0 sendmail[5914]: RAA05914: from=<user@hotmail.com>, size=96715, class=0, pri=126715, nrcpts=1, msgid=<OE17Bt3J3JCj2fBUA510000094e@hotmail.com>, proto=ESMTP, relay=oe17.law7.hotmail.com [216.33.236.121]
Nov 6 17:34:11 ns0 MailScanner[5190]: New Batch: Found 2 messages waiting
Nov 6 17:34:11 ns0 MailScanner[5190]: New Batch: Scanning 1 messages, 97125 bytes
Nov 6 17:34:12 ns0 MailScanner[5190]: Virus and Content Scanning: Starting
Nov 6 17:34:12 ns0 MailScanner[5190]: Uninfected: Delivered 1 messages
Nov 6 17:34:12 ns0 sendmail[5919]: RAA05914: to=<mail_user@minar.com>, delay=00:00:09, xdelay=00:00:00, mailer=local, stat=Sent

I tested f-prot manually and it says the infection is there (EICAR_test and an infected file (Magistr)). I really appreciate your help to solve this issue.

BTW, I got warned about some infected messages, but they are the ones with IFrame tags in it.

Thanks in advance

(Sorry about my poor English)

vgm
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021106/5a0c4184/attachment.html

From devin at JETDATA.CA Wed Nov 6 23:58:44 2002
From: devin at JETDATA.CA (Devin Smith) Date: Thu Jan 12 21:16:19 2006 Subject: Hardware Woes In-Reply-To: <5.1.0.14.2.20021106212429.02bc17d8@imap.ecs.soton.ac.uk> Message-ID: <006501c285f0$7538d7e0$a384e5c6@rd.csandall.com> Hi Julian, while I can't offer to send it to the UK, I will certainly set up a RaQ4 or Qube 3 online for your use. Just email me and I will take the steps to get it online for you, as I'd really love to see you have your mailscanner package easily integrated with the RaQ/Qube! Steve Bassi took an older version and made a .pkg file for the RaQ4, but it is getting outdated and I'd love to have the v4 code available. :-) > -----Original Message----- 
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field > Sent: Wednesday, November 06, 2002 2:28 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Hardware Woes > > > At 21:07 06/11/2002, you wrote: > >Julian Field wrote: > > > At 20:03 06/11/2002, you wrote: > > > >I'll let Julian tell us what his needs/requirements are :) > > > > > > My ideal list is this at the moment: > > > > > > PC to run SuSE / Ensim / RedHat > > > Cobalt raq > > > Cobalt cube (or is it qube these days) > > > and a Sun workgroup server for various Solaris versions. > > > > > > >All 240V / 50 Hz or auto-switching, I assume. > > Yes please. Fortunately PC power supplies are cheap. > > >Julian, have you looked at the Sun Cobalt RaQ Hotel? > >http://developer.cobalt.com/resources/hotel.php > >(You may have to register first at: > >http://developer.cobalt.com/sol/dev.maintenance.php) > >I haven't used it. Apparently they have the Qube 3, but not the RaQ > >XTR or 550. > > That looks like a possibility for testing builds. > Unfortunately I can't > guarantee being able to spend lots of hours at some specific > dates, so this > would be less suitable for development use. Occasionally my > real job gets > in the way :-) The other development docs there definitely > look very useful > though. > > And as I didn't know they existed, a Sun LX50 would be very handy too. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > > From fong at SHUNKAM.COM Thu Nov 7 02:50:07 2002 
From: fong at SHUNKAM.COM (fong) Date: Thu Jan 12 21:16:19 2006 Subject: Relay by other network Message-ID: <001d01c28608$62b45140$57046898@shunkam.com> Did anyone configure mailscanner+sendmail+sophos? I had try to use sendmail on redhat 7.3 and only relay on my network, that is ok. After I installed mailscanner and sophos on the same pc, I make the following configuration: Sendmail port no: 8888 Sophos port no: 25 (redirect to sendmail after scanned) So that all mail will be scanned before send to sendmail. It also make relay by other network. How can I control the relay domain? Is it the problem of sophos, sendmail or mailscanner? I hope you understand my bad english. Appreciate for any help.... Fong Cheang -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021107/201353ed/attachment.html From mike at CAMAROSS.NET Thu Nov 7 02:49:06 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:16:19 2006 Subject: Relay by other network In-Reply-To: <001d01c28608$62b45140$57046898@shunkam.com> Message-ID: Sounds like sendmail since neither MailScanner nor Sophos have anything to do with relaying of mail. Did you install Sophos using the script supplied with MailScanner? -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of fong Sent: Wednesday, November 06, 2002 8:50 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Relay by other network Did anyone configure mailscanner+sendmail+sophos? I had try to use sendmail on redhat 7.3 and only relay on my network, that is ok. After I installed mailscanner and sophos on the same pc, I make the following configuration: Sendmail port no: 8888 Sophos port no: 25 (redirect to sendmail after scanned) So that all mail will be scanned before send to sendmail. It also make relay by other network. How can I control the relay domain? Is it the problem of sophos, sendmail or mailscanner? I hope you understand my bad english. Appreciate for any help.... Fong Cheang From fong at SHUNKAM.COM Thu Nov 7 03:12:33 2002 From: fong at SHUNKAM.COM (fong) Date: Thu Jan 12 21:16:19 2006 Subject: Relay by other network References: Message-ID: <003c01c2860b$83ad4c50$57046898@shunkam.com> Thanks.. Yes, I was install Sophos using the script supplied with MailScanner. ----- Original Message ----- From: "Mike Kercher" To: Sent: Thursday, November 07, 2002 10:49 AM Subject: Re: Relay by other network > Sounds like sendmail since neither MailScanner nor Sophos have anything to do with relaying of mail. Did you install Sophos using > the script supplied with MailScanner? > > > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of fong
> Sent: Wednesday, November 06, 2002 8:50 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Relay by other network
>
>
> Did anyone configure mailscanner+sendmail+sophos?
>
> I had try to use sendmail on redhat 7.3 and only relay on my network, that is ok.
>
> After I installed mailscanner and sophos on the same pc, I make the following configuration:
>
> Sendmail port no: 8888
> Sophos port no: 25 (redirect to sendmail after scanned)
>
> So that all mail will be scanned before send to sendmail. It also make relay by other network.
>
> How can I control the relay domain? Is it the problem of sophos, sendmail or mailscanner?
>
> I hope you understand my bad english.
>
> Appreciate for any help....
>
> Fong Cheang

From smohan at VSNL.COM Thu Nov 7 08:45:11 2002
From: smohan at VSNL.COM (S Mohan)
Date: Thu Jan 12 21:16:19 2006
Subject: Relay by other network
In-Reply-To: <001d01c28608$62b45140$57046898@shunkam.com>
Message-ID:

I've used this combination for 1 year now on 4 machines. Why are you changing sendmail port? MailScanner starts two instances of sendmail - one in queued delivery mode accepting incoming connections and one just flushing out the queue. There is no need to change. If you are attaching port 25 to Sophos, then I guess you are using their mail gateway and not MailScanner. MailScanner uses the sweep commandline program and is a replacement for the Sophos Mail Gateway. Relaying in sendmail is controlled thro' /etc/mail/access file which has entries that look like

IP/domainname/email id    OK/RELAY/REJECT

e.g.
192.168.0    RELAY
will relay for your local Class C subnet assuming it is 192.168.0 subnet.

Restart MailScanner after this. sendmail start up converts this file to an access.db file. Also take care that sendmail MTA listens to your actual IP and not 127.0.0.1.

HTH
Mohan

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of fong Sent: 07 November 2002 08:20 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Relay by other network Did anyone configure mailscanner+sendmail+sophos? After I installed mailscanner and sophos on the same pc, I make the following configuration: Sendmail port no: 8888 Sophos port no: 25 (redirect to sendmail after scanned) So that all mail will be scanned before send to sendmail. It also make relay by other network. How can I control the relay domain? Is it the problem of sophos, sendmail or mailscanner? I hope you understand my bad english. Appreciate for any help.... Fong Cheang -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021107/55053cae/attachment.html From fong at SHUNKAM.COM Thu Nov 7 10:03:14 2002 From: fong at SHUNKAM.COM (fong) Date: Thu Jan 12 21:16:19 2006 Subject: Relay by other network References: Message-ID: <015a01c28644$e38e5810$57046898@shunkam.com> Thanks Mohan Since someone told me that if you install both software on same machine, you should change the port of sendmail. Do I change any configure in sophos's config(mmsmtp.cfg) file? Should I start the sophos daemon(mmsmtpd) and mailscanner daemon or instead of start mailscanner daemon only? Fong Cheang ----- Original Message ----- 
From: S Mohan To: MAILSCANNER@JISCMAIL.AC.UK Sent: Thursday, November 07, 2002 4:45 PM Subject: Re: Relay by other network I've used this combination for 1 year now on 4 machines. Why are you changing sendmail port? Mailscanner starts two instances of sendmail - one in queued delivery mode accepting incoming connections and one just flushing out the queue. There is no need to change. If you are attaching port 25 to Sophos, then I guess you are using their mail gateway and not mailscanner. MailScanner user the sweep commandline program and is a replacement for the Sophos Mail Gateway. Relaying in sendmail is controlled thro' /etc/mail/access file which has entries that look like IP/domainname/email id OK/RELAY?REJECT e.g. 192.168.0 RELAY will relay for your local Class C subnet assuming it is 192.168.0 subnet. Restart MailScanner after this. sendmail start up converts this file to a access.db file. Also take care that sendmail MTA listen to your actual IP and not 127.0.0.1. HTH Mohan -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of fong Sent: 07 November 2002 08:20 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Relay by other network Did anyone configure mailscanner+sendmail+sophos? After I installed mailscanner and sophos on the same pc, I make the following configuration: Sendmail port no: 8888 Sophos port no: 25 (redirect to sendmail after scanned) So that all mail will be scanned before send to sendmail. It also make relay by other network. How can I control the relay domain? Is it the problem of sophos, sendmail or mailscanner? I hope you understand my bad english. Appreciate for any help.... Fong Cheang -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021107/8c0c5568/attachment.html From mailscanner at ecs.soton.ac.uk Thu Nov 7 10:51:14 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:19 2006 Subject: Relay by other network In-Reply-To: <015a01c28644$e38e5810$57046898@shunkam.com> References: Message-ID: <5.1.0.14.2.20021107104933.01e19a28@imap.ecs.soton.ac.uk> At 10:03 07/11/2002, you wrote: >Since someone told me that if you install both software on same machine, >you should change the port of sendmail. >Do I change any configure in sophos's config(mmsmtp.cfg) file? >Should I start the sophos daemon(mmsmtpd) and mailscanner daemon or >instead of start mailscanner daemon only? There is no point running the Sophos MailMonitor email gateway package as well as MailScanner on the same system. MailScanner does not use Sophos' MailMonitor at all, it uses their "sweep" command-line utility. If you want to use MailScanner, then uninstall MailMonitor completely. > >Fong Cheang >----- Original Message ----- >From: S Mohan >To: MAILSCANNER@JISCMAIL.AC.UK >Sent: Thursday, November 07, 2002 4:45 PM >Subject: Re: Relay by other network > >I've used this combination for 1 year now on 4 machines. Why are you >changing sendmail port? Mailscanner starts two instances of sendmail - one >in queued delivery mode accepting incoming connections and one just >flushing out the queue. There is no need to change. If you are attaching >port 25 to Sophos, then I guess you are using their mail gateway and not >mailscanner. MailScanner user the sweep commandline program and is a >replacement for the Sophos Mail Gateway. Relaying in sendmail is >controlled thro' /etc/mail/access file which has entries that look like > >IP/domainname/email id OK/RELAY?REJECT > >e.g. >192.168.0 RELAY will relay for your local Class C subnet assuming it is >192.168.0 subnet. > >Restart MailScanner after this. sendmail start up converts this file to a >access.db file. Also take care that sendmail MTA listen to your actual IP >and not 127.0.0.1. > >HTH >Mohan >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of fong >Sent: 07 November 2002 08:20 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Relay by other network > >Did anyone configure mailscanner+sendmail+sophos? > >After I installed mailscanner and sophos on the same pc, I make the >following configuration: > >Sendmail port no: 8888 >Sophos port no: 25 (redirect to sendmail after scanned) > >So that all mail will be scanned before send to sendmail. It also make >relay by other network. > >How can I control the relay domain? Is it the problem of sophos, sendmail >or mailscanner? > >I hope you understand my bad english. > >Appreciate for any help.... > >Fong Cheang > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021107/71b1a768/attachment.html From mailscanner at ecs.soton.ac.uk Thu Nov 7 11:02:10 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:19 2006
Subject: F-PROT problem?
In-Reply-To: <00d901c285f0$2eb3b650$620aaa82@ADMINISTRATOR>
Message-ID: <5.1.0.14.2.20021107105839.032b2e80@imap.ecs.soton.ac.uk>

Something is going wrong in how MailScanner is calling your copy of F-Prot. If you do these 2 commands, it should output some sort of summary showing how many files it scanned, at the very least.

         cd /tmp
         /usr/lib/MailScanner/f-prot-wrapper -old -archive -dumb .

(don't forget the dot on the end)

If you get some sort of "command not found" error, then you have installed your copy of F-Prot somewhere different than the standard location, and you will need to alter the f-prot-wrapper script so it calls it in the right place. That script is very simple, you'll soon work out what you need to change in it.

Let us know how you get on.

At 23:56 06/11/2002, you wrote:
>I have RedHat 7.1, Sendmail 8.9.3, MailScanner 4.04-1 and f-prot 3.12b.
>
>Everything seems to be working ok, but if I send a message from an
>external account (hotmail) with a virus attached, I have no warning about
>an infected message.
I tried the EICAR_test file too, but nothing >happened, I just get these lines in maillog: > >Nov 6 17:34:11 ns0 sendmail[5914]: RAA05914: >from=<user@hotmail.com>, size=96715, class=0, >pri=126715, nrcpts=1, >msgid=<OE17Bt3J3JCj2fBUA510000094e@hotmail.com>, >proto=ESMTP, relay=oe17.law7.hotmail.com [216.33.236.121] >Nov 6 17:34:11 ns0 MailScanner[5190]: New Batch: Found 2 messages waiting >Nov 6 17:34:11 ns0 MailScanner[5190]: New Batch: Scanning 1 messages, >97125 bytes >Nov 6 17:34:12 ns0 MailScanner[5190]: Virus and Content Scanning: Starting >Nov 6 17:34:12 ns0 MailScanner[5190]: Uninfected: Delivered 1 messages >Nov 6 17:34:12 ns0 sendmail[5919]: RAA05914: >to=<mail_user@minar.com>, delay=00:00:09, >xdelay=00:00:00, mailer=local, stat=Sent >I tested f-prot manually and it says the infection is there (EICAR_test >and an infected file (Magistr). I really apreciate your help to solve this >issue. > > >BTW, I got warned about some infected messages, but they are the ones with >IFrame tags in it. > > >Thanks in advance > > >(Sorry about my poor English) > > >vgm -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021107/e3ac850f/attachment.html From andersan at LTKALMAR.SE Thu Nov 7 12:08:17 2002 
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:16:19 2006
Subject: SV: F-PROT problem?
Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EC53@lkl22.ltkalmar.se>

Just a little thought, I'm not a big fan of hotmail but I know they use McAfee to scan for viruses. I don't have a clue if they scan outgoing mail but I would hope they do

/Anders

-----Original Message-----
From: Vicente Guerrero M. [mailto:vguerrero@MINAR.COM]
Sent: 7 November 2002 00:57
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: F-PROT problem?

I have RedHat 7.1, Sendmail 8.9.3, MailScanner 4.04-1 and f-prot 3.12b.

Everything seems to be working ok, but if I send a message from an external account (hotmail) with a virus attached, I have no warning about an infected message. I tried the EICAR_test file too, but nothing happened, I just get these lines in maillog:

Nov 6 17:34:11 ns0 sendmail[5914]: RAA05914: from=<user@hotmail.com>, size=96715, class=0, pri=126715, nrcpts=1, msgid=<OE17Bt3J3JCj2fBUA510000094e@hotmail.com>, proto=ESMTP, relay=oe17.law7.hotmail.com [216.33.236.121]
Nov 6 17:34:11 ns0 MailScanner[5190]: New Batch: Found 2 messages waiting
Nov 6 17:34:11 ns0 MailScanner[5190]: New Batch: Scanning 1 messages, 97125 bytes
Nov 6 17:34:12 ns0 MailScanner[5190]: Virus and Content Scanning: Starting
Nov 6 17:34:12 ns0 MailScanner[5190]: Uninfected: Delivered 1 messages
Nov 6 17:34:12 ns0 sendmail[5919]: RAA05914: to=<mail_user@minar.com>, delay=00:00:09, xdelay=00:00:00, mailer=local, stat=Sent

I tested f-prot manually and it says the infection is there (EICAR_test and an infected file (Magistr)). I really appreciate your help to solve this issue.

BTW, I got warned about some infected messages, but they are the ones with IFrame tags in it.

Thanks in advance

(Sorry about my poor English)

vgm
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021107/e339cdd8/attachment.html

From iah at DMU.AC.UK Thu Nov 7 12:47:19 2002
From: iah at DMU.AC.UK (Andy Humberston)
Date: Thu Jan 12 21:16:20 2006
Subject: Help - mqueue.in filling up
Message-ID:

I just attempted an upgrade on one of my mail gateways from version 3.23-6 to 4.05-3. Things seemed to be working fine for a little while and then mailscanner appeared to stop processing mqueue.in. I reverted back to 3.23-6 but the problem still exists. Has anybody got any ideas...?

Thanks in advance
Andy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021107/cec94762/attachment.html

From novirus at CARLO65.DE Thu Nov 7 12:53:48 2002
From: novirus at CARLO65.DE (Roland Ehle)
Date: Thu Jan 12 21:16:20 2006
Subject: Hardware Woes
In-Reply-To:
References:
Message-ID: <1036673628.23579.35.camel@linroute>

Hi Gavin,

On Thu, 2002-11-07 at 00.50, Gavin Nelmes-Crocker wrote:
> Roland you are most kind let me know and I will let you have all the details
> for collection, I'm sure Julian will also forward you the delivery address.

I just called DHL in Germany, to see what they can do. They told me that I need an international Customer number to have your parcel shipped to Julian. It doesn't make sense for me to apply for such a number, I never need it.

So my suggestion: if you could provide your address details and the amount you need for shipping, I send you an international money order. This seems to be the easiest way.

Regards,
Roland

From novirus at CARLO65.DE Thu Nov 7 12:57:21 2002
From: novirus at CARLO65.DE (Roland Ehle)
Date: Thu Jan 12 21:16:20 2006
Subject: Help - mqueue.in filling up
In-Reply-To:
References:
Message-ID: <1036673841.23579.41.camel@linroute>

Hi Andy,

On Thu, 2002-11-07 at 13.47, Andy Humberston wrote:
> I just attempted an upgrade on one of my mail gateways from
> version 3.23-6 to 4.05-3. Things seemed to be working fine for
> a little while and then mailscanner appeared to stop processing
> mqueue.in. I reverted back to 3.23-6 but the problem still exists
> has anybody got any ideas...?

Did you check your configuration files? Did you check if MailScanner is running? (ps -ax |grep MailScanner or with version 4.x check_Mailscanner)

Regards,
Roland

From kevin.steil at jmfamily.com Thu Nov 7 13:56:50 2002
From: kevin.steil at jmfamily.com (Kevin J. Steil)
Date: Thu Jan 12 21:16:20 2006
Subject: *.pl
Message-ID: <03E83F2E1D95D311870600A02461F55A05963D9A@drfsxchp3.corp.jmfamily.com>

I am looking at doing some debugging of MailScanner and SpamAssassin, but I can not find the sendmail.pl or for that matter another .pl(s). I am using the current version of MailScanner and SpamAssassin. Can someone please point me in the right direction? Also, it is running on RedHat 7.3 with sendmail.

Thank you,

Kevin Steil
Sr. Enterprise Architect, ITS
JM Family Enterprises, Inc.

Our Mission:
"To Deliver Technology Solutions
Through Teamwork
That Enhance Business Value
Every Day!"

--------------------------------------------------
This e-mail transmission contains information intended only for the use of the recipient(s) named above. Further, it contains information that may be privileged and confidential. If you are not the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this message (including any attachments) is strictly prohibited. If you have received this e-mail in error, please notify the sender by reply e-mail and then delete this message from your mail system. Thank you for your compliance.

From mailscanner at ecs.soton.ac.uk Thu Nov 7 14:20:31 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:20 2006
Subject: *.pl
In-Reply-To: <03E83F2E1D95D311870600A02461F55A05963D9A@drfsxchp3.corp.jmfamily.com>
Message-ID: <5.1.0.14.2.20021107141921.05929e18@imap.ecs.soton.ac.uk>

If you are running version 3, then they are in /usr/local/MailScanner/bin.
If you are running version 4, they don't exist but it is all *.pm files in /usr/lib/MailScanner.

You can always find out the files that are contained in a package with a command like this:

    rpm -ql mailscanner

At 13:56 07/11/2002, you wrote:
>I am looking at doing some debugging of MailScanner and SpamAssassin,
>but I can not find the sendmail.pl or for that matter another .pl(s).
>I am using the current version of MailScanner and SpamAssassin. Can someone
>please point me in the right direction? Also, it is running on RedHat
>7.3 with sendmail.
>
>Thank you,
>
>Kevin Steil
>Sr. Enterprise Architect, ITS
>JM Family Enterprises, Inc.
>
>Our Mission:
>"To Deliver Technology Solutions
>Through Teamwork
>That Enhance Business Value
>Every Day!"
>
>--------------------------------------------------
>This e-mail transmission contains information intended only for the use of
>the recipient(s) named above. Further, it contains information that may be
>privileged and confidential. If you are not the intended recipient, you
>are hereby notified that any dissemination, distribution, or copying of
>this message (including any attachments) is strictly prohibited. If you
>have received this e-mail in error, please notify the sender by reply
>e-mail and then delete this message from your mail system. Thank you for
>your compliance.

--
Julian Field
Teaching Systems Manager
jkf@ecs.soton.ac.uk
Dept. of Electronics & Computer Science
Tel. 023 8059 2817
University of Southampton
Southampton SO17 1BJ

From jaearick at COLBY.EDU Thu Nov 7 14:19:12 2002
From: jaearick at COLBY.EDU (Jeff A. Earickson (by way of Julian Field ))
Date: Thu Jan 12 21:16:20 2006
Subject: promote Braid/A to "viruses.to.delete.conf"
Message-ID: <5.1.0.14.2.20021107141856.058f0678@imap.ecs.soton.ac.uk>

Y'all,

I suggest that you add "Braid/A" to your silently-delete list in viruses.to.delete.conf. I got the warning below from my own mailscanner and I don't use a PC for email. I saw someplace the other day that Braid/A uses the same tricks as Klez/H to forge the sender.

-----------------------------------
Jeff A. Earickson, Ph.D
Senior UNIX Sysadmin and Email Guru
Information Technology Services
Colby College, 4214 Mayflower Hill,
Waterville ME, 04901-8842
phone: 207-872-3659 (fax = 3076)
-----------------------------------

---------- Forwarded message ----------
Return-Path:
Received: from emerald.colby.edu (localhost [127.0.0.1])
    by emerald.colby.edu (8.12.6/8.12.6/1.13') with ESMTP id gA7827uf022629
    for ; Thu, 7 Nov 2002 03:02:07 -0500 (EST)
Received: (from root@localhost)
    by emerald.colby.edu (8.12.6/8.12.5/Submit) id gA7827ZA022628;
    Thu, 7 Nov 2002 03:02:07 -0500 (EST)
Date: Thu, 7 Nov 2002 03:02:07 -0500 (EST)
Message-Id: <200211070802.gA7827ZA022628@emerald.colby.edu>
From: "MailScanner"
To: jaearick@colby.edu
Subject: Warning: E-mail viruses detected
X-MailScanner: ftbc

Our virus detector has just been triggered by a message you sent:-
  To: jaearick@colby.edu
  Subject: ????
  Date: Thu Nov 7 03:02:07 2002
Any infected parts of the message have not been delivered.

This message is simply to warn you that your computer system may have a virus present and should be checked.

The virus detector said this about the message:
Report: >>> Virus 'W32/Braid-A' found in file ./gA7820uf022539/README.EXE

--
MailScanner
Email Virus Scanner
www.mailscanner.info

--
Julian Field
Teaching Systems Manager
jkf@ecs.soton.ac.uk
Dept. of Electronics & Computer Science
Tel. 023 8059 2817
University of Southampton
Southampton SO17 1BJ

From ispmgr at CLAS.NET Thu Nov 7 14:21:16 2002
From: ispmgr at CLAS.NET (Youn Gonzales)
Date: Thu Jan 12 21:16:20 2006
Subject: Relay by other network
References: <001d01c28608$62b45140$57046898@shunkam.com>
Message-ID: <00af01c28668$efe15d00$813112d0@ISPMGR>

I believe you need to use mailertable in sendmail.

Youn Gonzales
System Administrator
Comptia A+, Network+, INET+, Cisco CCNA/CCDA Certified Technician
Microsoft Certified Professional

The basic tool for the manipulation of reality is the manipulation of words. If you can control the meaning of words, you can control the people who must use the words.
Philip K. Dick

----- Original Message -----
From: fong
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: Wednesday, November 06, 2002 8:50 PM
Subject: Relay by other network

Did anyone configure mailscanner+sendmail+sophos?

I had tried to use sendmail on redhat 7.3 and only relay on my network, that is ok. After I installed mailscanner and sophos on the same pc, I made the following configuration:

Sendmail port no: 8888
Sophos port no: 25 (redirect to sendmail after scanned)

So that all mail will be scanned before being sent to sendmail. It also makes relay by other network. How can I control the relay domain? Is it the problem of sophos, sendmail or mailscanner?

I hope you understand my bad english. Appreciate for any help....

Fong Cheang

From Denis.Beauchemin at USHERBROOKE.CA Thu Nov 7 14:35:52 2002
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:16:20 2006
Subject: promote Braid/A to "viruses.to.delete.conf"
In-Reply-To: <5.1.0.14.2.20021107141856.058f0678@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20021107141856.058f0678@imap.ecs.soton.ac.uk>
Message-ID: <1036679752.8141.4.camel@dbeauchemin.si.usherb.ca>

If you use McAfee, use W32/Braid@MM.

BTW in the last 2 days we trapped 9 Braid-infected attachments because we don't let .EXE files through. McAfee just issued their DAT file yesterday afternoon and now they flag the files as virus-infected. Had it not been for our .EXE rule we would have let 9 virus-infected files through!

Better safe than sorry!

Denis

On Thu, 2002-11-07 at 09:19, Jeff A. Earickson (by way of Julian Field ) wrote:
> Y'all,
>
> I suggest that you add "Braid/A" to your silently-delete list in
> viruses.to.delete.conf. I got the warning below from my own mailscanner
> and I don't use a PC for email. I saw someplace the other day that
> Braid/A uses the same tricks as Klez/H to forge the sender.
>
> -----------------------------------
> Jeff A. Earickson, Ph.D
> Senior UNIX Sysadmin and Email Guru
> Information Technology Services
> Colby College, 4214 Mayflower Hill,
> Waterville ME, 04901-8842
> phone: 207-872-3659 (fax = 3076)
> -----------------------------------
>
> ---------- Forwarded message ----------
> Return-Path:
> Received: from emerald.colby.edu (localhost [127.0.0.1])
> by emerald.colby.edu (8.12.6/8.12.6/1.13') with ESMTP id
> gA7827uf022629
> for ; Thu, 7 Nov 2002 03:02:07 -0500 (EST)
> Received: (from root@localhost)
> by emerald.colby.edu (8.12.6/8.12.5/Submit) id gA7827ZA022628;
> Thu, 7 Nov 2002 03:02:07 -0500 (EST)
> Date: Thu, 7 Nov 2002 03:02:07 -0500 (EST)
> Message-Id: <200211070802.gA7827ZA022628@emerald.colby.edu>
> From: "MailScanner"
> To: jaearick@colby.edu
> Subject: Warning: E-mail viruses detected
> X-MailScanner: ftbc
>
> Our virus detector has just been triggered by a message you sent:-
> To: jaearick@colby.edu
> Subject: ????
> Date: Thu Nov 7 03:02:07 2002
> Any infected parts of the message have not been delivered.
>
> This message is simply to warn you that your computer system may have a
> virus present and should be checked.
>
> The virus detector said this about the message:
> Report: >>> Virus 'W32/Braid-A' found in file ./gA7820uf022539/README.EXE
>
> --
> MailScanner
> Email Virus Scanner
> www.mailscanner.info

--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From dustin.baer at IHS.COM Thu Nov 7 14:38:11 2002
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:16:20 2006
Subject: promote Braid/A to "viruses.to.delete.conf"
References: <5.1.0.14.2.20021107141856.058f0678@imap.ecs.soton.ac.uk> <1036679752.8141.4.camel@dbeauchemin.si.usherb.ca>
Message-ID: <3DCA7AD3.181C4375@ihs.com>

Denis Beauchemin wrote:
>
> If you use McAfee, use W32/Braid@MM.

Just use "Braid" since it looks for anything in the output.

Dustin

--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From vguerrero at minar.com Thu Nov 7 14:40:37 2002
From: vguerrero at minar.com (Vicente Guerrero M.)
Date: Thu Jan 12 21:16:20 2006
Subject: F-PROT problem?
References: <5.1.0.14.2.20021107105839.032b2e80@imap.ecs.soton.ac.uk>
Message-ID: <014d01c2866b$a2ebf2f0$620aaa82@ADMINISTRATOR>

I've tried the command you told me and it seems to be working ok since I got a summary of files being scanned. I checked the script and it seems to be right too. Some other clue?

Thanks

----- Original Message -----
From: Julian Field
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: Thursday, November 07, 2002 5:02 AM
Subject: Re: F-PROT problem?

Something is going wrong in how MailScanner is calling your copy of F-Prot. If you do these 2 commands, it should output some sort of summary showing how many files it scanned, at the very least.

    cd /tmp
    /usr/lib/MailScanner/f-prot-wrapper -old -archive -dumb .

(don't forget the dot on the end)

If you get some sort of "command not found" error, then you have installed your copy of F-Prot somewhere different than the standard location, and you will need to alter the f-prot-wrapper script so it calls it in the right place. That script is very simple, you'll soon work out what you need to change in it.

Let us know how you get on.

At 23:56 06/11/2002, you wrote:

I have RedHat 7.1, Sendmail 8.9.3, MailScanner 4.04-1 and f-prot 3.12b. Everything seems to be working ok, but if I send a message from an external account (hotmail) with a virus attached, I have no warning about an infected message. I tried the EICAR_test file too, but nothing happened, I just get these lines in maillog:

Nov 6 17:34:11 ns0 sendmail[5914]: RAA05914: from=, size=96715, class=0, pri=126715, nrcpts=1, msgid=, proto=ESMTP, relay=oe17.law7.hotmail.com [216.33.236.121]
Nov 6 17:34:11 ns0 MailScanner[5190]: New Batch: Found 2 messages waiting
Nov 6 17:34:11 ns0 MailScanner[5190]: New Batch: Scanning 1 messages, 97125 bytes
Nov 6 17:34:12 ns0 MailScanner[5190]: Virus and Content Scanning: Starting
Nov 6 17:34:12 ns0 MailScanner[5190]: Uninfected: Delivered 1 messages
Nov 6 17:34:12 ns0 sendmail[5919]: RAA05914: to=, delay=00:00:09, xdelay=00:00:00, mailer=local, stat=Sent

I tested f-prot manually and it says the infection is there (EICAR_test and an infected file (Magistr)). I really appreciate your help to solve this issue.

BTW, I got warned about some infected messages, but they are the ones with IFrame tags in them.
Thanks in advance (Sorry about my poor English)

vgm

--
Julian Field
Teaching Systems Manager
jkf@ecs.soton.ac.uk
Dept. of Electronics & Computer Science
Tel. 023 8059 2817
University of Southampton
Southampton SO17 1BJ

From novirus at CARLO65.DE Thu Nov 7 14:43:27 2002
From: novirus at CARLO65.DE (Roland Ehle)
Date: Thu Jan 12 21:16:20 2006
Subject: Help - mqueue.in filling up
In-Reply-To:
References:
Message-ID: <1036680207.23577.51.camel@linroute>

Hi Andy,

oki. I have reposted this message to the mailing list, because I have no further idea. Just to repeat: messages seem to be delivered, but a copy remains in mqueue.in. Sorry, but I don't know how to help you.

Regards,
Roland

On Thu, 2002-11-07 at 14.11, Andy Humberston wrote:
>
> Roland
>
> I have stopped the daemon process, to reduce the
> number of mails entering the mqueue.in directory.
> But I have left the -q15m one running in order to
> process the output from mailscanner.
>
> Andy
>
> > -----Original Message-----
> > From: Roland Ehle [mailto:novirus@carlo65.de]
> > Sent: 07 November 2002 13:10
> > To: Andy Humberston
> > Subject: RE: Help - mqueue.in filling up
> >
> >
> > Just one other important thing to remember: you need to have
> > 2 sendmail processes, in order to have MailScanner working.
> >
> > On Thu, 2002-11-07 at 13.58, Andy Humberston wrote:
> > >
> > > Roland,
> > >
> > > I checked these and also checked the permissions
> > > on the directories, but I am unable to locate the
> > > problem.
> > >
> > > Now entering panic mode :)
> > >
> > > Andy
> > >
> > > > -----Original Message-----
> > > > From: Roland Ehle [mailto:novirus@CARLO65.DE]
> > > > Sent: 07 November 2002 12:57
> > > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > > Subject: Re: Help - mqueue.in filling up
> > > >
> > > >
> > > > Hi Andy,
> > > >
> > > > On Thu, 2002-11-07 at 13.47, Andy Humberston wrote:
> > > > > I just attempted an upgrade on one of my mail gateways from
> > > > > version 3.23-6 to 4.05-3. Things seemed to be working fine for a
> > > > > little while and then mailscanner appeared to stop processing
> > > > > mqueue.in. I reverted back to 3.23-6 but the problem still exists
> > > > > has anybody got any ideas...?
> > > >
> > > > did you check your configuration files? Did you check, if
> > > > MailScanner is running? (ps -ax |grep MailScanner or with
> > > > version 4.x check_Mailscanner)
> > > >
> > > > Regards,
> > > > Roland

From iah at DMU.AC.UK Thu Nov 7 14:45:14 2002
From: iah at DMU.AC.UK (Andy Humberston)
Date: Thu Jan 12 21:16:20 2006
Subject: Help - mqueue.in filling up
Message-ID:

Thanks to Roland and Youn,

I shut down the incoming sendmail process and allowed version 3 of mailscanner to clear the backlog. Everything seems to be operating correctly now.

I will reattempt the upgrade later :)

Andy

> oki. I have reposted this message to the mailing list,
> because I have no further idea. Just to repeat: messages seem
> to be delivered, but a copy remains in mqueue.in.
>

From gavin at NETERGY.COM Thu Nov 7 15:00:28 2002
From: gavin at NETERGY.COM (Gavin Nelmes-Crocker)
Date: Thu Jan 12 21:16:20 2006
Subject: Rule set problems
Message-ID:

okay decided today to play with rule sets.

the domain one went fine only scanning the domains I allow

but when I come to do the outgoing mail signing I run into problems

I have my rules files

-rw-r--r-- 1 root root 82 Nov 7 14:39 sig.html.rules
-rw-r--r-- 1 root root 81 Nov 7 14:39 sig.text.rules

and in my conf file I have

Inline HTML Signature = /etc/MailScanner/reports/en/inline.sig.html
Inline Text Signature = /etc/MailScanner/rules/sig.txt.rules

I had a problem with html so I thought I would only test txt but I get this error in the maillog

Nov 7 14:52:45 nvsd MailScanner[16564]: MailScanner E-Mail Virus Scanner version 4.05-3 starting...
Nov 7 14:52:45 nvsd MailScanner[16564]: Cannot open ruleset file /etc/MailScanner/rules/sig.txt.rules, No such file or directory
Nov 7 14:52:54 nvsd MailScanner[16568]: MailScanner

am I missing something stupid here?

Gavin

From dustin.baer at IHS.COM Thu Nov 7 15:04:11 2002
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:16:20 2006
Subject: Rule set problems
References:
Message-ID: <3DCA80EB.428743DA@ihs.com>

Gavin Nelmes-Crocker wrote:
>
> okay decided today to play with rule sets.
>
> the domain one went fine only scanning the domains I allow
>
> but when I come to do the outgoing mail signing I run into problems
>
> I have my rules files
>
> -rw-r--r-- 1 root root 81 Nov 7 14:39 sig.text.rules
>
> and in my conf file I have
>
> Inline Text Signature = /etc/MailScanner/rules/sig.txt.rules

sig.text.rules != sig.txt.rules

Dustin

--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From gavin at NETERGY.COM Thu Nov 7 15:14:06 2002
From: gavin at NETERGY.COM (Gavin Nelmes-Crocker)
Date: Thu Jan 12 21:16:20 2006
Subject: Rule set problems
In-Reply-To: <3DCA80EB.428743DA@ihs.com>
Message-ID:

thanks for that Dustin - I just couldn't see it - now that works but I get a problem with the html one (and I have checked the filenames on this one)

Nov 7 15:09:00 nvsd MailScanner[17700]: Syntax error in line 1 of ruleset file /etc/MailScanner/rules/sig.html.rules for keyword inlinehtmlsig

this is the rule file

From: *@choclatier.co.uk /etc/MailScanner/reports/en/choclatier.html.txt

which I copied from the example - by the looks of the error it looks as though it's looking for inlinehtmlsig somewhere on that line

any ideas?

Gavin

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Dustin Baer
> Sent: 07 November 2002 15:04
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Rule set problems
>
>
> Gavin Nelmes-Crocker wrote:
> >
> > okay decided today to play with rule sets.
> >
> > the domain one went fine only scanning the domains I allow
> >
> > but when I come to do the outgoing mail signing I run into problems
> >
> > I have my rules files
> >
> > -rw-r--r-- 1 root root 81 Nov 7 14:39 sig.text.rules
> >
> > and in my conf file I have
> >
> > Inline Text Signature = /etc/MailScanner/rules/sig.txt.rules
>
>
> sig.text.rules != sig.txt.rules
>
> Dustin
>
> --
> Dustin Baer
> Unix Administrator/Postmaster
> Information Handling Services
> 15 Inverness Way East
> Englewood, CO 80112
> 303-397-2836
>

From andy.wright at BARDSEY.DEMON.CO.UK Thu Nov 7 15:15:00 2002
From: andy.wright at BARDSEY.DEMON.CO.UK (Andy Wright)
Date: Thu Jan 12 21:16:20 2006
Subject: Hardware Woes
References: <1036673628.23579.35.camel@linroute>
Message-ID: <002401c28670$c5f14de0$70f286d9@vaio>

I have a UK account with Amtrak - I'd be happy to arrange shipping to/from UK addresses.

Andy.

----- Original Message -----
From: "Roland Ehle"
To:
Sent: Thursday, November 07, 2002 12:53 PM
Subject: Re: Hardware Woes

> Hi Gavin,
>
> On Thu, 2002-11-07 at 00.50, Gavin Nelmes-Crocker wrote:
> > Roland you are most kind let me know and I will let you have all the details
> > for collection, I'm sure Julian will also forward you the delivery address.
>
> I just called DHL in Germany, to see what they can do. They told me,
> that I need an international Customer number to have your parcel shipped
> to Julian. It doesn't make sense for me, to apply for such a number, I
> never need it. So my suggestion: if you could provide your address
> details and the amount you need for shipping, I send you an
> international money order. This seems to be the easiest way.
>
> Regards,
> Roland

From kevin.steil at jmfamily.com Thu Nov 7 16:03:49 2002
From: kevin.steil at jmfamily.com (Kevin J. Steil)
Date: Thu Jan 12 21:16:20 2006
Subject: *.pl
In-Reply-To: <03E83F2E1D95D311870600A02461F55A05DB7755@drfsxchp3.corp.jmfamily.com>
Message-ID: <03E83F2E1D95D311870600A02461F55A05963D9D@drfsxchp3.corp.jmfamily.com>

I don't seem to have the sendmail.pl.. the only .pl is the configdefs.pl.....help...I need to debug SpamAssassin and MailScanner

Thank you,

Kevin Steil
Sr. Enterprise Architect, ITS
JM Family Enterprises, Inc.

Our Mission:
"To Deliver Technology Solutions
Through Teamwork
That Enhance Business Value
Every Day!"

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]
Sent: Thursday, November 07, 2002 9:21 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: *.pl

If you are running version 3, then they are in /usr/local/MailScanner/bin.
If you are running version 4, they don't exist but it is all *.pm files in /usr/lib/MailScanner.

You can always find out the files that are contained in a package with a command like this:

    rpm -ql mailscanner

At 13:56 07/11/2002, you wrote:
>I am looking at doing some debugging of MailScanner and SpamAssassin,
>but I can not find the sendmail.pl or for that matter another .pl(s).
>I am using the current version of MailScanner and SpamAssassin. Can someone
>please point me in the right direction? Also, it is running on RedHat
>7.3 with sendmail.
>
>Thank you,
>
>Kevin Steil
>Sr. Enterprise Architect, ITS
>JM Family Enterprises, Inc.
>
>Our Mission:
>"To Deliver Technology Solutions
>Through Teamwork
>That Enhance Business Value
>Every Day!"
>
>--------------------------------------------------
>This e-mail transmission contains information intended only for the use of
>the recipient(s) named above. Further, it contains information that may be
>privileged and confidential. If you are not the intended recipient, you
>are hereby notified that any dissemination, distribution, or copying of
>this message (including any attachments) is strictly prohibited. If you
>have received this e-mail in error, please notify the sender by reply
>e-mail and then delete this message from your mail system. Thank you for
>your compliance.

--
Julian Field
Teaching Systems Manager
jkf@ecs.soton.ac.uk
Dept. of Electronics & Computer Science
Tel. 023 8059 2817
University of Southampton
Southampton SO17 1BJ

--------------------------------------------------
This e-mail transmission contains information intended only for the use of the recipient(s) named above. Further, it contains information that may be privileged and confidential.
If you are not the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this message (including any attachments) is strictly prohibited. If you have received this e-mail in error, please notify the sender by reply e-mail and then delete this message from your mail system. Thank you for your compliance.

From mailscanner at ecs.soton.ac.uk Thu Nov 7 16:46:59 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:20 2006
Subject: Rule set problems
In-Reply-To:
References: <3DCA80EB.428743DA@ihs.com>
Message-ID: <5.1.0.14.2.20021107164635.04a4c148@imap.ecs.soton.ac.uk>

At 15:14 07/11/2002, you wrote:
>thanks for that Dustin - I just couldn't see it - now that works but I get a
>problem with the html one (and I have checked the filenames on this one)
>
>Nov 7 15:09:00 nvsd MailScanner[17700]: Syntax error in line 1 of ruleset
>file /etc/MailScanner/rules/sig.html.rules for keyword inlinehtmlsig
>
>this is the rule file
>
>From: *@choclatier.co.uk
>/etc/MailScanner/reports/en/choclatier.html.txt

Are you sure it hasn't really word-wrapped that onto 2 lines?

>which I copied from the example - by the looks of the error it looks as
>though it's looking for inlinehtmlsig somewhere on that line
>
>any ideas?
>
>Gavin
>
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> > Behalf Of Dustin Baer
> > Sent: 07 November 2002 15:04
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Rule set problems
> >
> >
> > Gavin Nelmes-Crocker wrote:
> > >
> > > okay decided today to play with rule sets.
> > >
> > > the domain one went fine only scanning the domains I allow
> > >
> > > but when I come to do the outgoing mail signing I run into problems
> > >
> > > I have my rules files
> > >
> > > -rw-r--r-- 1 root root 81 Nov 7 14:39 sig.text.rules
> > >
> > > and in my conf file I have
> > >
> > > Inline Text Signature = /etc/MailScanner/rules/sig.txt.rules
> >
> >
> > sig.text.rules != sig.txt.rules
> >
> > Dustin
> >
> > --
> > Dustin Baer
> > Unix Administrator/Postmaster
> > Information Handling Services
> > 15 Inverness Way East
> > Englewood, CO 80112
> > 303-397-2836
> >

--
Julian Field
Teaching Systems Manager
jkf@ecs.soton.ac.uk
Dept. of Electronics & Computer Science
Tel. 023 8059 2817
University of Southampton
Southampton SO17 1BJ

From gavin at NETERGY.COM Thu Nov 7 16:53:16 2002
From: gavin at NETERGY.COM (Gavin Nelmes-Crocker)
Date: Thu Jan 12 21:16:20 2006
Subject: Rule set problems
In-Reply-To: <5.1.0.14.2.20021107164635.04a4c148@imap.ecs.soton.ac.uk>
Message-ID:

> >Nov 7 15:09:00 nvsd MailScanner[17700]: Syntax error in line 1
> of ruleset
> >file /etc/MailScanner/rules/sig.html.rules for keyword inlinehtmlsig
> >
> >this is the rule file
> >
> >From: *@choclatier.co.uk
> >/etc/MailScanner/reports/en/choclatier.html.txt
>
> Are you sure it hasn't really word-wrapped that onto 2 lines?
>
>

no in the file it is on one line - just Outlook munging the mails

Gavin

From mailscanner at ecs.soton.ac.uk Thu Nov 7 16:53:13 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:20 2006
Subject: Rule set problems
In-Reply-To:
References: <5.1.0.14.2.20021107164635.04a4c148@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021107165210.049758f8@imap.ecs.soton.ac.uk>

At 16:53 07/11/2002, you wrote:
> > >Nov 7 15:09:00 nvsd MailScanner[17700]: Syntax error in line 1
> > of ruleset
> > >file /etc/MailScanner/rules/sig.html.rules for keyword inlinehtmlsig
> > >
> > >this is the rule file
> > >
> > >From: *@choclatier.co.uk
> > >/etc/MailScanner/reports/en/choclatier.html.txt
> >
> > Are you sure it hasn't really word-wrapped that onto 2 lines?
>no in the file it is on one line - just Outlook munging the mails

Does the file /etc/MailScanner/reports/en/choclatier.html.txt exist?
Other than that, I can't really see what it is complaining about.
Add a blank line after that line, just in case the line is actually incomplete.

--
Julian Field
Teaching Systems Manager
jkf@ecs.soton.ac.uk
Dept. of Electronics & Computer Science
Tel. 023 8059 2817
University of Southampton
Southampton SO17 1BJ

From t.d.lee at DURHAM.AC.UK Thu Nov 7 17:18:10 2002
From: t.d.lee at DURHAM.AC.UK (David Lee)
Date: Thu Jan 12 21:16:20 2006
Subject: MS4.x config/runtime issues
Message-ID:

We have been using MailScanner v3.x on Solaris for a long time. In the last couple of weeks I have begun installing a test v4.x. See, for example, yesterday's discussion about "iframe dilemma", following which I am now trying Julian's latest pre-release 4.x (although none of the issues below relate to this "pre-release": I had already uncovered them all a week or so ago under 4.04-1).

What follows are issues that 4.x/Solaris/our-site has exposed, and I am wondering what is the most appropriate way forward.

1. bin/MailScanner/Log.pm : MS gave a message:
     Your vendor has not defined the Sys::Syslog macro _PATH_LOG at [...]
   By commenting out the line:
     eval { Sys::Syslog::setlogsock('unix'); }; # Doesn't need syslogd -r
   this then worked, apparently with no ill effect.
   Seems to be sort of Perl/Solaris interaction (Perl 5.6.0; Solaris 8).
   Does the MS code need to be more tolerant, and/or autoconf'd?

2. lib/mcafee-wrapper: has pathname "/usr/local/uvscan/uvscan" hardcoded.
   At our site the pathname is different. OK, I can tweak things to make it work. But in v3 this had been configurable in etc/mailscanner.conf and v4.x seems to have gone backwards: no longer configurable.
   (Or is it your intention that this should ultimately be a site-driven autoconf thing. In which case, can I urge you to begin to include the "configure" and autoconf stuff please!)

3. With v3, I had had the default (and sensible!):
     Outgoing Queue Dir = /var/spool/mqueue

   To ensure co-residency on the same physical partition of the other directories, they had been subdirectories of this:
     Incoming Queue Dir = /var/spool/mqueue/mq.in
     Incoming Work Dir = /var/spool/mqueue/incoming
     Quarantine Dir = /var/spool/mqueue/quarantine
   Solid and safe.

   Further, the standard "/var/spool/mqueue" (i.e. "Outgoing Queue Dir") was also a separate partition for ease of system maintenance (including possible OS replacement). So it also contained a "lost+found".

   But under v4 this gives errors:
     Queue directory /var/spool/mqueue cannot contain sub-directories, currently contains dir lost+found at /opt/MailScanner/bin/MailScanner/Sendmail.pm line 839

   (Presumably each of the other directories could also have given an analogous message, had it got that far.)

   Is there any reason why v4.x forbids such subdirectory use?
   (Note that the apparently simple solution of making the partition "/var/spool" instead of "/var/spool/mqueue" makes OS replacement potentially more tricky, as "/var/spool" contains "system" things other than mqueue.

   Does MailScanner really require this restriction? Can it be removed?

   If this is necessary, "bin/MailScanner/Sendmail.pm" would then require changing so that "sub KickMessage {}" could pass an argument "-oQ" as it invokes sendmail.

What is the best for us (our site, and Julian as MS author) to proceed on these issues?

By the way, Julian, did you get those autoconf-isms I sent you from the MS 4 you had privately sent me a couple of weeks ago?

Hope this helps make MS even better!

--
: David Lee                         I.T. Service          :
: Systems Programmer                Computer Centre       :
:                                   University of Durham  :
: http://www.dur.ac.uk/t.d.lee/     South Road            :
:                                   Durham                :
: Phone: +44 191 374 2882           U.K.                  :

From gavin at NETERGY.COM Thu Nov 7 17:29:28 2002
From: gavin at NETERGY.COM (Gavin Nelmes-Crocker)
Date: Thu Jan 12 21:16:20 2006
Subject: Rule set problems
In-Reply-To: <5.1.0.14.2.20021107165210.049758f8@imap.ecs.soton.ac.uk>
Message-ID:

> At 16:53 07/11/2002, you wrote:
> > > >Nov 7 15:09:00 nvsd MailScanner[17700]: Syntax error in line 1
> > > of ruleset
> > > >file /etc/MailScanner/rules/sig.html.rules for keyword inlinehtmlsig
> > > >
> > > >this is the rule file
> > > >
> > > >From: *@choclatier.co.uk
> > > >/etc/MailScanner/reports/en/choclatier.html.txt
> > >
> > > Are you sure it hasn't really word-wrapped that onto 2 lines?
> >no in the file it is on one line - just Outlook munging the mails
>
> Does the file /etc/MailScanner/reports/en/choclatier.html.txt exist?
> Other than that, I can't really see what it is complaining about.
> Add a blank line after that line, just in case the line is
> actually incomplete.

thank you

I think I need to go to bed and start the day again tomorrow

the file is in fact choclatier.sig.html

humble apologies

it now appears to be happy and working again

Gavin

From lele at PROFIM.FLORIDA.IT Thu Nov 7 17:40:46 2002
From: lele at PROFIM.FLORIDA.IT (Emanuele Salvador)
Date: Thu Jan 12 21:16:20 2006
Subject: Stuffit files (Macintosh specific)
Message-ID: <0C0F25DF-F278-11D6-90AF-003065B74B5E@profim.florida.it>

Is there a way to make unpack and process .sit (StuffIt files), very common in the Macintosh world? I compressed eicar.com and it flew freely through MailScanner nets.

Regards,
Emanuele Salvador

A carrot is as close as a rabbit gets to a diamond.
- Don Van Vliet -

From mailscanner at ecs.soton.ac.uk Thu Nov 7 19:04:56 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:20 2006
Subject: MS4.x config/runtime issues
In-Reply-To:
Message-ID: <5.1.0.14.2.20021107182018.031e7ec0@imap.ecs.soton.ac.uk>

At 17:18 07/11/2002, you wrote:
>1. bin/MailScanner/Log.pm : MS gave a message:
>      Your vendor has not defined the Sys::Syslog macro _PATH_LOG at [...]
>   By commenting out the line:
>      eval { Sys::Syslog::setlogsock('unix'); }; # Doesn't need syslogd -r
>   this then worked, apparently with no ill effect.
>   Seems to be sort of Perl/Solaris interaction (Perl 5.6.0; Solaris 8).
>   Does the MS code need to be more tolerant, and/or autoconf'd?

The failure message doesn't actually cause any harm. Basically it tries to
use a domain socket instead of a UDP socket, so you don't have to open up
your syslogd to accept UDP logging requests from other machines (which
might be used as a DoS attack on your server by forcing gigabytes of syslog
traffic).

Please can you try the attached patch to Log.pm to see if it removes the
error message on your system.

>2. lib/mcafee-wrapper: has pathname "/usr/local/uvscan/uvscan" hardcoded.
>   At our site the pathname is different. OK, I can tweak things to make
>   it work. But in v3 this had been configurable in etc/mailscanner.conf
>   and v4.x seems to have gone backwards: no longer configurable.

You just edit the wrapper. The setting in mailscanner.conf in V3 set the
location of the wrapper, not the location of uvscan itself. So this isn't
actually any different. If you moved uvscan to somewhere else, you would
have edited the wrapper to point to the correct location. In V4 you can
find the wrapper script more easily as they are all in the same place.

>   (Or is it your intention that this should ultimately be a site-driven
>   autoconf thing. In which case, can I urge you to begin to include
>   the "configure" and autoconf stuff please!)

All the autoconf stuff is still in development. Sorry I haven't got this
out the door yet.

>3.
With v3, I had had the default (and sensible!):
>      Outgoing Queue Dir = /var/spool/mqueue
>
>   To ensure co-residency on the same physical partition of the other
>   directories, they had been subdirectories of this:
>      Incoming Queue Dir = /var/spool/mqueue/mq.in
>      Incoming Work Dir = /var/spool/mqueue/incoming
>      Quarantine Dir = /var/spool/mqueue/quarantine
>   Solid and safe.

Interesting setup, hadn't occurred to me that people might do that.

>   Further, the standard "/var/spool/mqueue" (i.e. "Outgoing Queue Dir")
>   was also a separate partition for ease of system maintenance (including
>   possible OS replacement). So it also contained a "lost+found".
>
>   But under v4 this gives errors:
>      Queue directory /var/spool/mqueue cannot contain sub-directories,
>      currently contains dir lost+found at
>      /opt/MailScanner/bin/MailScanner/Sendmail.pm line 839
>
>   (Presumably each of the other directories could also have given an
>   analogous message, had it got that far.)
>
>   Is there any reason why v4.x forbids such subdirectory use?
>   (Note that the apparently simple solution of making the partition
>   "/var/spool" instead of "/var/spool/mqueue" makes OS replacement
>   potentially more tricky, as "/var/spool" contains "system" things other
>   than mqueue.
>
>   Does MailScanner really require this restriction? Can it be removed?

I thought it was a good idea at the time, but setups such as yours hadn't
occurred to me. On reflection it may be better to remove the check. I will
still look for a q1 or qf directory though, in an attempt to find split
queue directories which sendmail will use if it finds them.

So you can get it going now, the minimal patch to Sendmail.pm is attached
to this message. There is actually just 1 extra line of code.

>By the way, Julian, did you get those autoconf-isms I sent you from the
>MS 4 you had privately sent me a couple of weeks ago?

Yes thanks. Just need to find time to do some more work on autoconf.

>Hope this helps make MS even better!
I hope my responses above answer most of the issues you have raised. All
constructive comments are always appreciated :-)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Sendmail.pm.patch
Type: application/octet-stream
Size: 778 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021107/c8ead941/Sendmail.pm.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Log.pm.patch
Type: application/octet-stream
Size: 604 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021107/c8ead941/Log.pm.obj
-------------- next part --------------
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From Denis.Beauchemin at USHERBROOKE.CA Thu Nov 7 19:18:29 2002
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:16:20 2006
Subject: Stuffit files (Macintosh specific)
In-Reply-To: <0C0F25DF-F278-11D6-90AF-003065B74B5E@profim.florida.it>
References: <0C0F25DF-F278-11D6-90AF-003065B74B5E@profim.florida.it>
Message-ID: <1036696709.8142.28.camel@dbeauchemin.si.usherb.ca>

On Thu, 2002-11-07 at 12:40, Emanuele Salvador wrote:
> Is there a way to make unpack and process .sit (StuffIt files), very
> common in macintosh world?
> I compressed eicar.com and it flew freely thru MailScanner nets.

I don't know of any virus that compresses its infected file before
sending it to someone else. If that were to happen we would have to
rethink our strategy that encourages people to use zip files to send
.exe and other file types that we quarantine on our gateway.

Denis
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From mailscanner at ecs.soton.ac.uk Thu Nov 7 19:13:21 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:20 2006
Subject: Stuffit files (Macintosh specific)
In-Reply-To: <0C0F25DF-F278-11D6-90AF-003065B74B5E@profim.florida.it>
Message-ID: <5.1.0.14.2.20021107191228.03235018@imap.ecs.soton.ac.uk>

At 17:40 07/11/2002, you wrote:
>Is there a way to make unpack and process .sit (StuffIt files), very
>common in macintosh world?
>I compressed eicar.com and it flew freely thru MailScanner nets.

It's down to the virus scanners to scan inside archives. I suggest you ask
the virus scanner vendor(s) if they can search inside Stuffit files,
ideally they should do it.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Thu Nov 7 19:23:36 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:20 2006
Subject: Stuffit files (Macintosh specific)
In-Reply-To: <1036696709.8142.28.camel@dbeauchemin.si.usherb.ca>
References: <0C0F25DF-F278-11D6-90AF-003065B74B5E@profim.florida.it>
 <0C0F25DF-F278-11D6-90AF-003065B74B5E@profim.florida.it>
Message-ID: <5.1.0.14.2.20021107192053.023925b8@imap.ecs.soton.ac.uk>

At 19:18 07/11/2002, you wrote:
>I don't know of any virus that compresses its infected file before
>sending it to someone else.

If it did, it wouldn't be very "successful" as it would require a whole
series of actions by the user, not just a single click. The really dumb
users, who are most susceptible to the Social Engineering attack mechanisms
used by current viruses, wouldn't even know what to do with a zip file anyway.

The time you do need to be able to scan inside compressed archives is for
finding macro viruses.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From scouty at BROMBERG.DEMON.NL Thu Nov 7 20:04:03 2002
From: scouty at BROMBERG.DEMON.NL (Matthijs Althoff)
Date: Thu Jan 12 21:16:20 2006
Subject: Redhat 8.0 / command: service MailScanner status
Message-ID: <200211072004.gA7K43X23101@ori.rl.ac.uk>

On Wed, 6 Nov 2002 09:50:42 +0100, Florus Both wrote:

>Hi, do a
>
>Chkconfig sendmail off
>And try again, I guess sendmail was already running before you started
>mailscanner (this happens automagically after an install)

Not working still having a failure on sendmail outgoing. When I
did a reboot I noticed an error "/etc/rc6.d/K30MailScanner" and
at some times the error "We haven't got any child processes,
which isn't right!, No child processes at /usr/sbin/MailScanner
line 191. We have just tried to reap a process which wasn't one
of ours!, No child processes at /usr/sbin/MailScanner line 194."

From mailscanner at ecs.soton.ac.uk Thu Nov 7 20:09:22 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:20 2006
Subject: Redhat 8.0 / command: service MailScanner status
In-Reply-To: <200211072004.gA7K43X23101@ori.rl.ac.uk>
Message-ID: <5.1.0.14.2.20021107200828.031e4560@imap.ecs.soton.ac.uk>

At 20:04 07/11/2002, you wrote:
>On Wed, 6 Nov 2002 09:50:42 +0100, Florus Both wrote:
>
> >Hi, do a
> >
> >Chkconfig sendmail off
> >And try again, I guess sendmail was already running before you started
> >mailscanner (this happens automagically after an install)
>
>Not working still having a failure on sendmail outgoing. When I
>did a reboot I noticed an error "/etc/rc6.d/K30MailScanner" and
>at some times the error "We haven't got any child processes,
>which isn't right!, No child processes at /usr/sbin/MailScanner
>line 191. We have just tried to reap a process which wasn't one
>of ours!, No child processes at /usr/sbin/MailScanner line 194."

Check your maillog to see if MailScanner output something useful in there.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From vanhorn at whidbey.com Thu Nov 7 20:46:46 2002
From: vanhorn at whidbey.com (G. Armour Van Horn)
Date: Thu Jan 12 21:16:20 2006
Subject: Upgrade problems to 4.05
References: <0b0c01c27118$eda6f190$1c0a0a0a@pugmarks34team>
 <5.1.0.14.2.20021011135424.04352c00@imap.ecs.soton.ac.uk>
 <5.1.0.14.2.20021106193025.02370e20@imap.ecs.soton.ac.uk>
Message-ID: <3DCAD136.E8D3D025@whidbey.com>

Julian Field wrote:

> At 19:25 06/11/2002, you wrote:
>
>> Also, I have noticed a major difference in the messages I get when a
>> virus is found. When I was running 3.23 I got the headers of the
>> offending message, now I get a short summary. Is this a change from
>> MailScanner 3 to 4, or a change from Kaspersky to f-prot which I
>> made at the same time for economic reasons?
>
> This is a configuration option, called something containing "Full
> Headers" if I remember rightly.

Indeed, at line 359 in my MailScanner.conf:

Notices Include Full Headers = yes

I built and supervise five firewalls for my largest client, and I keep a
crib-sheet of those addresses close at hand. With Full Headers I was able
to quickly note when the first address in a blocked message was one of
those five, and catch our own problems quickly.

After restoring this setting yesterday I was able to identify the largest
single source of virus messages in the last month, and it turned out to be
the general manager of the company! Fortunately, she's out of town today
and I've arranged for her ethernet to be unplugged. I'll quietly run
FixKlez.com on her machine this afternoon.

I just wish I'd raised this question sooner.

Van

--
----------------------------------------------------------
Sign up now for Quotes of the Day, a handful of
quotations on a theme delivered every morning.
Enlightenment! Daily, for free!
mailto:twisted@whidbey.com?subject=Subscribe_QOTD

For web hosting and maintenance,
visit Van's home page: http://www.domainvanhorn.com/van/
----------------------------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021107/323c77f0/attachment.html

From mailscanner at ecs.soton.ac.uk Thu Nov 7 20:25:01 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:20 2006
Subject: Redhat 8.0 / command: service MailScanner status
In-Reply-To: <5.1.0.14.2.20021107200828.031e4560@imap.ecs.soton.ac.uk>
References: <200211072004.gA7K43X23101@ori.rl.ac.uk>
Message-ID: <5.1.0.14.2.20021107202409.024a7ea8@imap.ecs.soton.ac.uk>

At 20:09 07/11/2002, you wrote:
>At 20:04 07/11/2002, you wrote:
>>On Wed, 6 Nov 2002 09:50:42 +0100, Florus Both wrote:
>>
>> >Hi, do a
>> >
>> >Chkconfig sendmail off
>> >And try again, I guess sendmail was already running before you started
>> >mailscanner (this happens automagically after an install)
>>
>>Not working still having a failure on sendmail outgoing. When I
>>did a reboot I noticed an error "/etc/rc6.d/K30MailScanner" and
>>at some times the error "We haven't got any child processes,
>>which isn't right!, No child processes at /usr/sbin/MailScanner
>>line 191. We have just tried to reap a process which wasn't one
>>of ours!, No child processes at /usr/sbin/MailScanner line 194."

I have modified the code to remove these errors, they aren't anywhere near
as serious as they sound :-)
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From scouty at BROMBERG.DEMON.NL Thu Nov 7 21:07:52 2002
From: scouty at BROMBERG.DEMON.NL (Matthijs Althoff)
Date: Thu Jan 12 21:16:20 2006
Subject: Redhat 8.0 / command: service MailScanner status
Message-ID: <200211072107.gA7L7qX29078@ori.rl.ac.uk>

On Thu, 7 Nov 2002 20:09:22 +0000, Julian Field wrote:

>>Not working still having a failure on sendmail outgoing. When I
>>did a reboot I noticed an error "/etc/rc6.d/K30MailScanner" and
>>at some times the error "We haven't got any child processes,
>>which isn't right!, No child processes at /usr/sbin/MailScanner
>>line 191. We have just tried to reap a process which wasn't one
>>of ours!, No child processes at /usr/sbin/MailScanner line 194."

>Check your maillog to see if MailScanner output something useful in there.

from /var/log/messages

# service sendmail stop
Nov 7 21:52:41 bromberg2 sendmail: sendmail shutdown succeeded

# service MailScanner stop
Nov 7 21:52:53 bromberg2 MailScanner: MailScanner shutdown succeeded
Nov 7 21:52:53 bromberg2 MailScanner: sendmail shutdown succeeded
Nov 7 21:52:53 bromberg2 MailScanner: sendmail shutdown failed

# service MailScanner start
Nov 7 21:53:25 bromberg2 MailScanner: succeeded

After a clean boot from /var/log/maillog, MailScanner output
5 times this for each process started from mailscanner.conf (?)

bromberg2 sendmail[516]: alias database /etc/aliases rebuilt by root
bromberg2 sendmail[516]: /etc/aliases: 62 aliases, longest 10 bytes, 599 bytes total
bromberg2 sendmail[525]: starting daemon (8.12.5): SMTP
bromberg2 sendmail[530]: starting daemon (8.12.5): queueing@00:15:00
bromberg2 MailScanner[546]: MailScanner
bromberg2 MailScanner[546]: MailScanner E-Mail Virus Scanner version 4.05-3 starting...
bromberg2 MailScanner[546]: Using locktype = flock

None of the above service commands produces logs
in maillog, even the reap errors etc are not logged just
send to console.. I'm a bit lost is it my sendmail or
mailscanner messing up?
Is there anyone on the list who
had a successful redhat 8.0 and latest MailScanner
combination running?

From scouty at BROMBERG.DEMON.NL Thu Nov 7 21:14:45 2002
From: scouty at BROMBERG.DEMON.NL (Matthijs Althoff)
Date: Thu Jan 12 21:16:20 2006
Subject: mailscanner.conf.rpmnew
Message-ID: <200211072114.gA7LEkX29611@ori.rl.ac.uk>

On Wed, 6 Nov 2002 19:33:02 -0000, Brian Chivers wrote:

> I've just upgraded from 3.13 to 3.25-1 via the RPM and
> everything seems to be ok except !!! When I look in the
> etc directory in Mailscanner directory I see a new file
> called mailscanner.conf.rpmnew

> Should I merge the old setting from my existing conf file
> into the rpmnew file then rename this to mailscanner.conf ??

Yes

It might contain some new options put in by Julian. Edit the
mailscanner.conf.rpmnew this is the new configuration file,
then delete the mailscanner.conf and rename the rpmnew to
mailscanner.conf and issue the command
"/etc/rc.d/init.d/mailscanner restart"

From mailscanner at ecs.soton.ac.uk Thu Nov 7 21:17:59 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:20 2006
Subject: Redhat 8.0 / command: service MailScanner status
In-Reply-To: <200211072107.gA7L7qX29078@ori.rl.ac.uk>
Message-ID: <5.1.0.14.2.20021107210902.03241c70@imap.ecs.soton.ac.uk>

At 21:07 07/11/2002, you wrote:
>On Thu, 7 Nov 2002 20:09:22 +0000, Julian Field
> wrote:
>
> >>Not working still having a failure on sendmail outgoing. When I
> >>did a reboot I noticed an error "/etc/rc6.d/K30MailScanner" and
> >>at some times the error "We haven't got any child processes,
> >>which isn't right!, No child processes at /usr/sbin/MailScanner
> >>line 191. We have just tried to reap a process which wasn't one
> >>of ours!, No child processes at /usr/sbin/MailScanner line 194."
>
> >Check your maillog to see if MailScanner output something useful in there.
>
>from /var/log/messages
>
># service sendmail stop
>Nov 7 21:52:41 bromberg2 sendmail: sendmail shutdown succeeded

That stopped the sendmail process which your next command also tried to
stop, so there's little wonder why it complained.
Once using MailScanner, don't start up or shut down sendmail using the
sendmail init script. MailScanner handles all that for you.

># service MailScanner stop
>Nov 7 21:52:53 bromberg2 MailScanner: MailScanner shutdown succeeded
>Nov 7 21:52:53 bromberg2 MailScanner: sendmail shutdown succeeded
>Nov 7 21:52:53 bromberg2 MailScanner: sendmail shutdown failed
>
># service MailScanner start
>Nov 7 21:53:25 bromberg2 MailScanner: succeeded
>
>After a clean boot from /var/log/maillog, MailScanner output
>5 times this for each process started from mailscanner.conf (?)

This is because you have "Max Children = 5" in your /etc/MailScanner.conf
file, and the log entries are produced as each of the 5 parallel processes
start.
>bromberg2 sendmail[516]: alias database /etc/aliases rebuilt by root >bromberg2 sendmail[516]: /etc/aliases: 62 aliases, longest 10 bytes, > 599 bytes total >bromberg2 sendmail[525]: starting daemon (8.12.5): SMTP >bromberg2 sendmail[530]: starting daemon (8.12.5): queueing@00:15:00 >bromberg2 MailScanner[546]: MailScanner >bromberg2 MailScanner[546]: MailScanner E-Mail Virus Scanner > version 4.05-3 starting... >bromberg2 MailScanner[546]: Using locktype = flock > >None of the above service commands produces logs >in maillog, even the reap errors etc are not logged just >send to console.. The reap errors should stop in the next release. It is just down to the exact order in which the "stop" actually kills off the processes. > I'm a bit lost is it my sendmail or >mailscanner messing up? Neither. I hope I have explained it well enough for you to understand. > Is their anyone on the list who >had a successful redhat 8.0 and latest MailScanner >combination running? Yes, lots of sites are happily running RH8 and MS4. Including me of course :-) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From novirus at CARLO65.DE Thu Nov 7 21:35:35 2002 From: novirus at CARLO65.DE (Roland Ehle) Date: Thu Jan 12 21:16:20 2006 Subject: Virus Message-ID: <1036704935.23578.76.camel@linroute> Hi, this is probably a strange question in your eyes, but I would like to have a virus or better a virus infected mail, to check different scanners. Unfortunately the only thing I find is the EICAR test virus, but thats not enough. Anybody a hint? Regards, Roland From raymond at PROLOCATION.NET Thu Nov 7 21:36:39 2002 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:16:20 2006
Subject: Virus
In-Reply-To: <1036704935.23578.76.camel@linroute>
Message-ID:

Hi!

> this is probably a strange question in your eyes, but I would like to
> have a virus or better a virus infected mail, to check different
> scanners. Unfortunately the only thing I find is the EICAR test virus,
> but that's not enough.

Give me an address and I'll send you a nice .zip to test your scanner setup
with.

Bye,
Raymond.

From novirus at CARLO65.DE Thu Nov 7 21:39:19 2002
From: novirus at CARLO65.DE (Roland Ehle)
Date: Thu Jan 12 21:16:20 2006
Subject: Virus
In-Reply-To:
References:
Message-ID: <1036705159.23579.78.camel@linroute>

Hi Raymond,

thanks very much. Please use roland@inbox4u.de.

Roland

On Thu, 2002-11-07 at 22.36, Raymond Dijkxhoorn wrote:
> Hi!
>
> > this is probably a strange question in your eyes, but I would like to
> > have a virus or better a virus infected mail, to check different
> > scanners. Unfortunately the only thing I find is the EICAR test virus,
> > but that's not enough.
>
> Give me an address and I'll send you a nice .zip to test your scanner setup
> with.
>
> Bye,
> Raymond.
>
>

From vguerrero at minar.com Thu Nov 7 22:10:50 2002
From: vguerrero at minar.com (Vicente Guerrero M.)
Date: Thu Jan 12 21:16:21 2006
Subject: F-PROT problem?
References: <5.1.0.14.2.20021107105839.032b2e80@imap.ecs.soton.ac.uk>
 <014d01c2866b$a2ebf2f0$620aaa82@ADMINISTRATOR>
Message-ID: <036301c286aa$88441240$620aaa82@ADMINISTRATOR>

Hi all, I just wanted to tell you I finally solved the problem with f-prot.
I'm happy right now, and I'm getting ready to check some other features in
MailScanner.

Thanks to Julian and the people that helped me to solve the "f-prot
mystery" :)

vgm

----- Original Message -----
From: Vicente Guerrero M. To: MAILSCANNER@JISCMAIL.AC.UK Sent: Thursday, November 07, 2002 8:40 AM Subject: Re: F-PROT problem? I've tried the command you told me and it seems to be working ok since I got a summary of files been scanned. I checked the script and it seems to be right too. Some other clue? Thanks ----- Original Message ----- 
From: Julian Field To: MAILSCANNER@JISCMAIL.AC.UK Sent: Thursday, November 07, 2002 5:02 AM Subject: Re: F-PROT problem? Something is going wrong in how MailScanner is calling your copy of F-Prot. If you do these 2 commands, it should output some sort of summary showing how many files it scanned, at the very least. cd /tmp /usr/lib/MailScaner/f-prot-wrapper -old -archive -dumb . (don't forget the dot on the end) If you get some sort of "command not found" error, then you have installed your copy of F-Prot somewhere different than the standard location, and you will need to alter the f-prot-wrapper script so it calls it in the right place. That script is very simple, you'll soon work out what you need to change in it. Let us know how you get on. At 23:56 06/11/2002, you wrote: I have RedHat 7.1, Sendmail8.9.3, MailScanner 4.04-1 and f-prot 3.12b. Everything its seems to be working ok, but if I send a message from an external account (hotmail) with a virus attached, I have no warning about an infected message. I tried the EICAR_test file too, but nothing happened, I just get these lines in maillog: Nov 6 17:34:11 ns0 sendmail[5914]: RAA05914: from=, size=96715, class=0, pri=126715, nrcpts=1, msgid=, proto=ESMTP, relay=oe17.law7.hotmail.com [216.33.236.121] Nov 6 17:34:11 ns0 MailScanner[5190]: New Batch: Found 2 messages waiting Nov 6 17:34:11 ns0 MailScanner[5190]: New Batch: Scanning 1 messages, 97125 bytes Nov 6 17:34:12 ns0 MailScanner[5190]: Virus and Content Scanning: Starting Nov 6 17:34:12 ns0 MailScanner[5190]: Uninfected: Delivered 1 messages Nov 6 17:34:12 ns0 sendmail[5919]: RAA05914: to=, delay=00:00:09, xdelay=00:00:00, mailer=local, stat=Sent I tested f-prot manually and it says the infection is there (EICAR_test and an infected file (Magistr). I really apreciate your help to solve this issue. BTW, I got warned about some infected messages, but they are the ones with IFrame tags in it. 
Thanks in advance (Sorry about my poor English) vgm -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021107/b91214e0/attachment.html From mailscanner at ecs.soton.ac.uk Thu Nov 7 22:14:37 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:21 2006 Subject: F-PROT problem? In-Reply-To: <036301c286aa$88441240$620aaa82@ADMINISTRATOR> References: <5.1.0.14.2.20021107105839.032b2e80@imap.ecs.soton.ac.uk> <014d01c2866b$a2ebf2f0$620aaa82@ADMINISTRATOR> Message-ID: <5.1.0.14.2.20021107221317.03314498@imap.ecs.soton.ac.uk> At 22:10 07/11/2002, you wrote: >Hi all, I just wanted to tell you I finally solved the problem whit >f-prot. Im happy right now, and Im getting ready to check some other >features in MailScanner. What was the solution? It's useful to get solutions into the mailing list archive for everyone else's benefit. >----- Original Message ----- >From: Vicente Guerrero M. >To: MAILSCANNER@JISCMAIL.AC.UK >Sent: Thursday, November 07, 2002 8:40 AM >Subject: Re: F-PROT problem? > >I've tried the command you told me and it seems to be working ok since I >got a summary of files been scanned. I checked the script and it seems to >be right too. Some other clue? > > >Thanks >----- Original Message ----- 
>From: Julian Field >To: MAILSCANNER@JISCMAIL.AC.UK >Sent: Thursday, November 07, 2002 5:02 AM >Subject: Re: F-PROT problem? > >Something is going wrong in how MailScanner is calling your copy of F-Prot. >If you do these 2 commands, it should output some sort of summary showing >how many files it scanned, at the very least. > cd /tmp > /usr/lib/MailScaner/f-prot-wrapper -old -archive -dumb . >(don't forget the dot on the end) > >If you get some sort of "command not found" error, then you have installed >your copy of F-Prot somewhere different than the standard location, and >you will need to alter the f-prot-wrapper script so it calls it in the >right place. That script is very simple, you'll soon work out what you >need to change in it. > >Let us know how you get on. > >At 23:56 06/11/2002, you wrote: >>I have RedHat 7.1, Sendmail8.9.3, MailScanner 4.04-1 and f-prot 3.12b. >> >>Everything its seems to be working ok, but if I send a message from an >>external account (hotmail) with a virus attached, I have no warning about >>an infected message. I tried the EICAR_test file too, but nothing >>happened, I just get these lines in maillog: >> >>Nov 6 17:34:11 ns0 sendmail[5914]: RAA05914: >>from=<user@hotmail.com>, size=96715, class=0, >>pri=126715, nrcpts=1, >>msgid=<OE17Bt3J3JCj2fBUA510000094e@hotmail.com>, >>proto=ESMTP, relay=oe17.law7.hotmail.com [216.33.236.121] >>Nov 6 17:34:11 ns0 MailScanner[5190]: New Batch: Found 2 messages waiting >>Nov 6 17:34:11 ns0 MailScanner[5190]: New Batch: Scanning 1 messages, >>97125 bytes >>Nov 6 17:34:12 ns0 MailScanner[5190]: Virus and Content Scanning: Starting >>Nov 6 17:34:12 ns0 MailScanner[5190]: Uninfected: Delivered 1 messages >>Nov 6 17:34:12 ns0 sendmail[5919]: RAA05914: >>to=<mail_user@minar.com>, delay=00:00:09, >>xdelay=00:00:00, mailer=local, stat=Sent >>I tested f-prot manually and it says the infection is there (EICAR_test >>and an infected file (Magistr). I really apreciate your help to solve >>this issue. 
>> >> >>BTW, I got warned about some infected messages, but they are the ones >>with IFrame tags in it. >> >> >>Thanks in advance >> >> >>(Sorry about my poor English) >> >> >>vgm >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021107/a60a80a9/attachment.html From vguerrero at minar.com Thu Nov 7 22:28:39 2002 From: vguerrero at minar.com (Vicente Guerrero M.) Date: Thu Jan 12 21:16:21 2006 Subject: F-PROT problem? References: <5.1.0.14.2.20021107105839.032b2e80@imap.ecs.soton.ac.uk> <014d01c2866b$a2ebf2f0$620aaa82@ADMINISTRATOR> <5.1.0.14.2.20021107221317.03314498@imap.ecs.soton.ac.uk> Message-ID: <038b01c286ad$0569f710$620aaa82@ADMINISTRATOR> I'm sorry. Well, I know this gonna sounds kinda stupid, but the fact is I was making changes in /opt/Mailscanner/etc/MailScanner.conf instead of /etc/Mailscanner/MailScanner.conf. That's it. I'm shamed, but I can tell you I learn a lot of thing these days. Thanks again for your patience and understanding (Im relatively new to linux stuff) Best Regards vgm P.S. I've told you about my bad english? ----- Original Message ----- From: Julian Field To: MAILSCANNER@JISCMAIL.AC.UK Sent: Thursday, November 07, 2002 4:14 PM Subject: Re: F-PROT problem? At 22:10 07/11/2002, you wrote: Hi all, I just wanted to tell you I finally solved the problem whit f-prot. Im happy right now, and Im getting ready to check some other features in MailScanner. What was the solution? It's useful to get solutions into the mailing list archive for everyone else's benefit. ----- Original Message ----- 
From: Vicente Guerrero M. To: MAILSCANNER@JISCMAIL.AC.UK Sent: Thursday, November 07, 2002 8:40 AM Subject: Re: F-PROT problem? I've tried the command you told me and it seems to be working ok since I got a summary of files been scanned. I checked the script and it seems to be right too. Some other clue? Thanks ----- Original Message ----- 
From: Julian Field To: MAILSCANNER@JISCMAIL.AC.UK Sent: Thursday, November 07, 2002 5:02 AM Subject: Re: F-PROT problem? Something is going wrong in how MailScanner is calling your copy of F-Prot. If you do these 2 commands, it should output some sort of summary showing how many files it scanned, at the very least. cd /tmp /usr/lib/MailScaner/f-prot-wrapper -old -archive -dumb . (don't forget the dot on the end) If you get some sort of "command not found" error, then you have installed your copy of F-Prot somewhere different than the standard location, and you will need to alter the f-prot-wrapper script so it calls it in the right place. That script is very simple, you'll soon work out what you need to change in it. Let us know how you get on. At 23:56 06/11/2002, you wrote: I have RedHat 7.1, Sendmail8.9.3, MailScanner 4.04-1 and f-prot 3.12b. Everything its seems to be working ok, but if I send a message from an external account (hotmail) with a virus attached, I have no warning about an infected message. I tried the EICAR_test file too, but nothing happened, I just get these lines in maillog: Nov 6 17:34:11 ns0 sendmail[5914]: RAA05914: from=, size=96715, class=0, pri=126715, nrcpts=1, msgid=, proto=ESMTP, relay=oe17.law7.hotmail.com [216.33.236.121] Nov 6 17:34:11 ns0 MailScanner[5190]: New Batch: Found 2 messages waiting Nov 6 17:34:11 ns0 MailScanner[5190]: New Batch: Scanning 1 messages, 97125 bytes Nov 6 17:34:12 ns0 MailScanner[5190]: Virus and Content Scanning: Starting Nov 6 17:34:12 ns0 MailScanner[5190]: Uninfected: Delivered 1 messages Nov 6 17:34:12 ns0 sendmail[5919]: RAA05914: to=, delay=00:00:09, xdelay=00:00:00, mailer=local, stat=Sent I tested f-prot manually and it says the infection is there (EICAR_test and an infected file (Magistr). I really apreciate your help to solve this issue. BTW, I got warned about some infected messages, but they are the ones with IFrame tags in it. 
Thanks in advance (Sorry about my poor English) vgm -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021107/d3298124/attachment.html From alex at IALEX.NET Thu Nov 7 22:03:40 2002 From: alex at IALEX.NET (Alex Short) Date: Thu Jan 12 21:16:21 2006 Subject: Archiving Mail Message-ID: For the archiving of mail feature, how can you archive some users and not others. The only option i have seen is *where* to save the archived email. Alex From mike at CAMAROSS.NET Thu Nov 7 22:58:21 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:16:21 2006 Subject: Archiving Mail In-Reply-To: Message-ID: <000d01c286b1$2d381a20$6501a8c0@mikedesk> With v.4, use a ruleset -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Alex Short Sent: Thursday, November 07, 2002 4:04 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Archiving Mail For the archiving of mail feature, how can you archive some users and not others. The only option i have seen is *where* to save the archived email. Alex From email at ace.net.au Fri Nov 8 00:14:00 2002 
From: email at ace.net.au (Peter Nitschke)
Date: Thu Jan 12 21:16:21 2006
Subject: Stuffit files (Macintosh specific)
In-Reply-To: <5.1.0.14.2.20021107191228.03235018@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20021107191228.03235018@imap.ecs.soton.ac.uk>
Message-ID: <200211081044000134.4D9F2414@smtp1.ace.net.au>

On W2k mail server that I also have, I run a mime decoder before running
the virus scanner, would that be possible with MS?

Peter

*********** REPLY SEPARATOR ***********

On 7/11/2002 at 7:13 PM Julian Field wrote:

>At 17:40 07/11/2002, you wrote:
>>Is there a way to make unpack and process .sit (StuffIt files), very
>>common in macintosh world?
>>I compressed eicar.com and it flew freely thru MailScanner nets.
>
>It's down to the virus scanners to scan inside archives. I suggest you ask
>the virus scanner vendor(s) if they can search inside Stuffit files,
>ideally they should do it.
>--
>Julian Field                Teaching Systems Manager
>jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
>Tel. 023 8059 2817          University of Southampton
>                            Southampton SO17 1BJ

From gavin at NETERGY.COM Fri Nov 8 00:13:30 2002
From: gavin at NETERGY.COM (Gavin Nelmes-Crocker)
Date: Thu Jan 12 21:16:21 2006
Subject: possible bug or me up to late again
Message-ID:

ok after a couple of abortive attempts earlier today where typos and
mis-naming of files gave me problems I am now finding something odd
happening

Nov 7 23:59:32 nvsd sendmail[7507]: gA7NxSd07503: to=gavin@web-hoster.co.uk, delay=00:00:04, xdelay=00:00:01, mailer=esmtp, pri=124206, relay=mail.web-hoster.co.uk. [213.165.143.4], dsn=2.0.0, stat=Sent (gA7NsV006079 Message accepted for delivery)
Nov 8 00:00:03 nvsd sendmail[7530]: gA7Nxxd07530: from=, size=4220, class=0, nrcpts=1, msgid=, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=anchor-post-32.mail.demon.net [194.217.242.90]
Nov 8 00:00:03 nvsd MailScanner[7477]: New Batch: Scanning 1 messages, 4759 bytes
Nov 8 00:00:03 nvsd MailScanner[7477]: Spam Checks: Starting
Nov 8 00:00:06 nvsd MailScanner[7477]: Virus and Content Scanning: Starting
Nov 8 00:00:07 nvsd MailScanner[7477]: Could not open inline file /opt/MailScanner/etc/reports/en/inline.sig.txt, No such file or directory
Nov 8 00:00:07 nvsd MailScanner[7477]: Uninfected: Delivered 1 messages

the second line up is the problem, I don't have /opt/MailScanner specified
anywhere in my config or any of my rules files even doing an egrep -r
/opt/MailScanner only returns this from the MailScanner directory in /etc

[root MailScanner]# egrep -r /opt/MailScanner/ *
rules/EXAMPLES: Set "Is Definitely Not Spam = /opt/MailScanner/etc/rules/whitelist.rules".
rules/EXAMPLES: Set "Is Definitely Spam = /opt/MailScanner/etc/rules/blacklist.rules".
rules/EXAMPLES: Set "Sign Clean Messages = /opt/MailScanner/etc/rules/signing.rules".
rules/EXAMPLES: Set "Inline Text Signature = /opt/MailScanner/etc/rules/sig.text.rules" &
rules/EXAMPLES: set "Inline HTML Signature = /opt/MailScanner/etc/rules/sig.html.rules".
rules/EXAMPLES: From: *@domain1.com /opt/MailScanner/etc/reports/domain1.sig.txt
rules/EXAMPLES: From: *@domain2.com /opt/MailScanner/etc/reports/domain2.sig.txt
rules/EXAMPLES: Set "Virus Scanning = /opt/MailScanner/etc/rules/virus.scanning.rules".
rules/EXAMPLES: Set "Sign Clean Messages = /opt/MailScanner/etc/rules/signing.rules".

only the example file.

however if I do the same in /usr/lib/MailScanner, I get this suggesting
there is some throwback to an earlier version hiding somewhere? the end
result is no inline sig

[root MailScanner]# egrep -r /opt/MailScanner/ *
MailScanner/ConfigDefs.pl:piddir /opt/MailScanner/var
MailScanner/ConfigDefs.pl:spamassassinprefsfile /opt/MailScanner/etc/spam.assassin.prefs.conf
MailScanner/ConfigDefs.pl:SpamListDefinitions /opt/MailScanner/etc/spam.lists.conf
MailScanner/ConfigDefs.pl:VirusScannerDefinitions /opt/MailScanner/etc/virus.scanners.conf
MailScanner/ConfigDefs.pl:TNEFExpander /opt/MailScanner/bin/tnef --maxsize=100000000
MailScanner/ConfigDefs.pl:DeletedFilenameMessage /opt/MailScanner/etc/reports/en/deleted.filename.message.txt
MailScanner/ConfigDefs.pl:DeletedVirusMessage /opt/MailScanner/etc/reports/en/deleted.virus.message.txt
MailScanner/ConfigDefs.pl:DisinfectedReportText /opt/MailScanner/etc/reports/en/disinfected.report.txt
MailScanner/ConfigDefs.pl:inlinehtmlsig /opt/MailScanner/etc/reports/en/inline.sig.html
MailScanner/ConfigDefs.pl:inlinehtmlwarning /opt/MailScanner/etc/reports/en/inline.warning.html
MailScanner/ConfigDefs.pl:inlinetextsig /opt/MailScanner/etc/reports/en/inline.sig.txt
MailScanner/ConfigDefs.pl:inlinetextwarning /opt/MailScanner/etc/reports/en/inline.warning.txt
MailScanner/ConfigDefs.pl:sendererrorreport /opt/MailScanner/etc/reports/en/sender.error.report.txt
MailScanner/ConfigDefs.pl:senderfilenamereport /opt/MailScanner/etc/reports/en/sender.filename.report.txt
MailScanner/ConfigDefs.pl:SenderRBLSpamReport /opt/MailScanner/etc/reports/en/sender.spam.rbl.report.txt
MailScanner/ConfigDefs.pl:SenderSASpamReport /opt/MailScanner/etc/reports/en/sender.spam.sa.report.txt
MailScanner/ConfigDefs.pl:SenderBothSpamReport /opt/MailScanner/etc/reports/en/sender.spam.report.txt
MailScanner/ConfigDefs.pl:sendervirusreport /opt/MailScanner/etc/reports/en/sender.virus.report.txt
MailScanner/ConfigDefs.pl:StoredFilenameMessage /opt/MailScanner/etc/reports/en/stored.filename.message.txt
MailScanner/ConfigDefs.pl:StoredVirusMessage /opt/MailScanner/etc/reports/en/stored.virus.message.txt
MailScanner/ConfigDefs.pl:#FilenameRules /opt/MailScanner/etc/filename.rules.conf

From mike at CAMAROSS.NET Fri Nov 8 00:16:04 2002
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:16:21 2006
Subject: possible bug or me up to late again
In-Reply-To:
Message-ID: <001701c286bc$074ebed0$6501a8c0@mikedesk>

What OS are you running...and is this the RPM version or the tarball?

From gavin at NETERGY.COM Fri Nov 8 00:17:30 2002
From: gavin at NETERGY.COM (Gavin Nelmes-Crocker)
Date: Thu Jan 12 21:16:21 2006
Subject: possible bug or me up to late again
In-Reply-To: <001701c286bc$074ebed0$6501a8c0@mikedesk>
Message-ID:

this is on a Cobalt RaQ running Redhatish for those that don't know
Cobalts, I'm running the rpm version 4.05-3

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Mike Kercher
> Sent: 08 November 2002 00:16
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: possible bug or me up to late again
>
>
> What OS are you running...and is this the RPM version or the tarball?
From mike at CAMAROSS.NET Fri Nov 8 00:41:58 2002
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:16:21 2006
Subject: possible bug or me up to late again
In-Reply-To:
Message-ID:

I have v4.x running on a RAQ. None of my paths point to /opt anymore
though. If you are not using /opt/MailScanner anymore, you might consider
renaming it or moving it elsewhere and see if your problem clears up.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Gavin Nelmes-Crocker
Sent: Thursday, November 07, 2002 6:18 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: possible bug or me up to late again

this is on a Cobalt RaQ running Redhatish for those that don't know
Cobalts, I'm running the rpm version 4.05-3

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Mike Kercher
> Sent: 08 November 2002 00:16
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: possible bug or me up to late again
>
>
> What OS are you running...and is this the RPM version or the tarball?
From smohan at vsnl.com Fri Nov 8 02:28:53 2002
From: smohan at vsnl.com (S Mohan)
Date: Thu Jan 12 21:16:21 2006
Subject: Relay by other network
In-Reply-To: <015a01c28644$e38e5810$57046898@shunkam.com>
Message-ID: <004101c286ce$95fe4850$28405bca@18yamuna>

No. Do not install mmsmtp. Just install sweep or savi. Ideally, you must
just get the tar file of Sophos SAVI/Sweep. Install MailScanner and run
Sophos.install from the same directory where the tar file exists. This
script will do all the installation and command line options of sendmail.
If you have installed mmsmtp, uninstall it first.

The configuration you have done is what mmsmtp proposes for running the
gateway and MTA on the same machine. Julian has taken a different and IMHO
a much better route. In case we feel mailscanner is misbehaving, simply
stop mailscanner and start sendmail. We need not tinker with sendmail
configuration every time this switch is made.

Julian - I think your scheme is by far the best I've seen.

Mohan

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of fong
Sent: Thursday, November 07, 2002 3:33 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Relay by other network

Thanks Mohan

Since someone told me that if you install both software on same machine,
you should change the port of sendmail. Do I change any configure in
sophos's config(mmsmtp.cfg) file? Should I start the sophos daemon(mmsmtpd)
and mailscanner daemon or instead of start mailscanner daemon only?

Fong Cheang

----- Original Message -----
From: S Mohan
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: Thursday, November 07, 2002 4:45 PM
Subject: Re: Relay by other network

I've used this combination for 1 year now on 4 machines. Why are you
changing sendmail port? Mailscanner starts two instances of sendmail - one
in queued delivery mode accepting incoming connections and one just
flushing out the queue. There is no need to change. If you are attaching
port 25 to Sophos, then I guess you are using their mail gateway and not
mailscanner. MailScanner uses the sweep commandline program and is a
replacement for the Sophos Mail Gateway.

Relaying in sendmail is controlled thro' /etc/mail/access file which has
entries that look like

IP/domainname/email id OK/RELAY/REJECT

e.g.

192.168.0 RELAY

will relay for your local Class C subnet assuming it is 192.168.0 subnet.
Restart MailScanner after this. sendmail start up converts this file to an
access.db file.

Also take care that sendmail MTA listens to your actual IP and not
127.0.0.1.

HTH

Mohan

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of fong
Sent: 07 November 2002 08:20
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Relay by other network

Did anyone configure mailscanner+sendmail+sophos?

After I installed mailscanner and sophos on the same pc, I make the
following configuration:

Sendmail port no: 8888
Sophos port no: 25 (redirect to sendmail after scanned)

So that all mail will be scanned before send to sendmail. It also make
relay by other network. How can I control the relay domain? Is it the
problem of sophos, sendmail or mailscanner?

I hope you understand my bad english. Appreciate for any help....

Fong Cheang

From smohan at vsnl.com Fri Nov 8 02:54:52 2002
From: smohan at vsnl.com (S Mohan)
Date: Thu Jan 12 21:16:21 2006
Subject: Archiving Mail
In-Reply-To:
Message-ID: <004a01c286d2$36f5ae80$28405bca@18yamuna>

In the archiving mail option, give a ruleset name. Say
/etc/MailScanner/rules/archive.rules. This file must have the following
entries.

To: emailid or directory.
From: similar as above.

In this manner, you can copy incoming and out going mails for each user
or domain to email ids. If directory name is given, MailScanner stores
in qf+df format. If email id is given, the mail gets delivered to the
mailbox. You can use which ever is useful.

Mohan

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Alex Short
Sent: Friday, November 08, 2002 3:34 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Archiving Mail

For the archiving of mail feature, how can you archive some users and not
others. The only option i have seen is *where* to save the archived email.

Alex

From alex at IALEX.NET Fri Nov 8 04:01:03 2002
From: alex at IALEX.NET (Alex Short)
Date: Thu Jan 12 21:16:21 2006
Subject: Archiving Mail
References: <004a01c286d2$36f5ae80$28405bca@18yamuna>
Message-ID: <06dc01c286db$78356440$6400000a@clerks>

Ah yes, now i see it :)

Two questions-- any way to save it in one file/message, (ie not qf+df)
Also, is there a way to do *@domain.com /var/archive but not for
notme@domain.com

?

Alex

----- Original Message -----
From: "S Mohan"
To:
Sent: Thursday, November 07, 2002 9:54 PM
Subject: Re: Archiving Mail

> In the archiving mail option, give a ruleset name. Say
> /etc/MailScanner/rules/archive.rules. This file must have the following
> entries.
>
> To: emailid or directory.
> From: similar as above.
>
> In this manner, you can copy incoming and out going mails for each user
> or domain to email ids. If directory name is given, MailScanner stores
> in qf+df format. If email id is given, the mail gets delivered to the
> mailbox. You can use which ever is useful.
>
> Mohan
>
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Alex Short
> Sent: Friday, November 08, 2002 3:34 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Archiving Mail
>
>
> For the archiving of mail feature, how can you archive some users and
> not others. The only option i have seen is *where* to save the archived
> email.
>
> Alex

From sevans at FOUNDATION.SDSU.EDU Fri Nov 8 04:22:34 2002
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans)
Date: Thu Jan 12 21:16:21 2006
Subject: Archiving Mail
Message-ID: <6214C3F9233D764C9E7029396C355015331640@mail.foundation.sdsu.edu>

There is an option in MailScanner.conf after version 4.02-1. Can't
remember the name of the option though.

Rulesets are configured top to bottom. So put a line that says

notme@domain.com no
@domain.com /var/archive

Or however something along those lines.

Steve Evans
SDSU Foundation
(619) 594-0653

-----Original Message-----
From: Alex Short [mailto:alex@IALEX.NET]
Sent: Thursday, November 07, 2002 8:01 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Archiving Mail

Ah yes, now i see it :)

Two questions-- any way to save it in one file/message, (ie not qf+df)
Also, is there a way to do *@domain.com /var/archive but not for
notme@domain.com

?

Alex

From smohan at VSNL.COM Fri Nov 8 06:23:34 2002
From: smohan at VSNL.COM (S Mohan)
Date: Thu Jan 12 21:16:21 2006
Subject: Archiving Mail
In-Reply-To: <06dc01c286db$78356440$6400000a@clerks>
Message-ID:

I've not tried it but I've seen Julian's mail that says it is supported.

Mohan

-----Original Message-----
From: Alex Short [mailto:alex@ialex.net]
Sent: 08 November 2002 09:31
To: smohan@vsnl.com; MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Archiving Mail

Ah yes, now i see it :)

Two questions-- any way to save it in one file/message, (ie not qf+df)
Also, is there a way to do *@domain.com /var/archive but not for
notme@domain.com

?

Alex

From Heinz.Knutzen at DZSH.DE Fri Nov 8 08:52:01 2002
From: Heinz.Knutzen at DZSH.DE (Knutzen, Heinz)
Date: Thu Jan 12 21:16:21 2006
Subject: setlogsock('unix') in *-autoupdate scripts
Message-ID: <096F8FA588BAD211844C0090272F2307017FBB16@DZSHMAILSRV2>

I would like to have Sys::Syslog::setlogsock('unix')
be added to f-prot-autoupdate and possibly the other *-autoupdate scripts.

This should be similar to
MailScanner/Log.pm: eval { Sys::Syslog::setlogsock('unix'); }; # Doesn't need syslogd -r

Best regards
--
Heinz Knutzen
Datenzentrale Schleswig-Holstein
Altenholzer Str. 10-14, 24161 Altenholz, Germany
http://www.dzsh.de/
mailto:heinz.knutzen@dzsh.de
Tel: +49.431.3295.581
Fax: +49.431.3295.410

From mailscanner at ecs.soton.ac.uk Fri Nov 8 09:11:17 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:21 2006 Subject: Archiving Mail In-Reply-To: <6214C3F9233D764C9E7029396C355015331640@mail.foundation.sds u.edu> Message-ID: <5.1.0.14.2.20021108090542.06fbdeb0@imap.ecs.soton.ac.uk> At 04:22 08/11/2002, you wrote: >There is an option in MailScanner.conf after version 4.02-1. Can't >remember the name of the option though. # When you quarantine an entire message, do you want to store it as # raw mail queue files (so you can easily send them onto users) or # as human-readable files (header then body in 1 file)? Quarantine Whole Messages As Queue Files = no >Rulesets are configured top to bottom. So put a line that says > >notme@domain.com no >@domain.com /var/archive > >Or however something along those lines. Very nearly, you just forgot the direction off the front. So possibly you want FromTo: notme@domain.com no FromTo: *@domain.com /var/archive FromTo: default no "FromTo:" will match any message coming from the address or going to it. You will have to restart MailScanner (or kill -HUP all the processes) to force it to re-read the configuration files and recompile the rulesets. >-----Original Message----- >From: Alex Short [mailto:alex@IALEX.NET] >Sent: Thursday, November 07, 2002 8:01 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Archiving Mail > > >Ah yes, now i see it :) > >Two questions-- any way to save it in one file/message, (ie not qf+df) >Also, is there a way to do *@domain.com /var/archive but not for >notme@domain.com > >? > >Alex >----- Original Message ----- >From: "S Mohan" >To: >Sent: Thursday, November 07, 2002 9:54 PM >Subject: Re: Archiving Mail > > > > In the archiving mail option, give a ruleset name. Say > > /etc/MailScanner/rules/archive.rules. This file must have the > > following entries. > > > > To: emailid or directory. 
> > From: similar as above. > > > > In this manner, you can copy incoming and out going mails for each > > user or domain to email ids. If directory name is given, MailScanner > > stores in qf+df format. If email id is given, the mail gets delivered > > to the mailbox. You can use which ever is useful. > > > > Mohan > > > > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > Behalf Of Alex Short > > Sent: Friday, November 08, 2002 3:34 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Archiving Mail > > > > > > For the archiving of mail feature, how can you archive some users and > > not others. The only option i have seen is *where* to save the > > archived email. > > > > Alex > > > > > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Nov 8 09:13:30 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:21 2006 Subject: setlogsock('unix') in *-autoupdate scripts In-Reply-To: <096F8FA588BAD211844C0090272F2307017FBB16@DZSHMAILSRV2> Message-ID: <5.1.0.14.2.20021108091232.06fadeb0@imap.ecs.soton.ac.uk> At 08:52 08/11/2002, you wrote: >I would like to have Sys::Syslog::setlogsock('unix') >be added to f-prot-autoupdate and possibly the other *-autoupdate scripts. > >This should be similar to >MailScanner/Log.pm: eval { Sys::Syslog::setlogsock('unix'); }; # Doesn't >need syslogd -r Once someone has confirmed that my Log.pm.patch posted here last night ("Re: MS4.x config/runtime issues") works and removes the error message. Then I'll include it. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Nov 8 09:17:01 2002 
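The top-to-bottom ruleset evaluation from the Archiving Mail reply above, modelled as an added example (it is not MailScanner's code and not part of any post). It assumes first-match-wins, shell-style `*` wildcards, case-insensitive addresses, and a `default` rule that applies only when nothing else matches; the function names are hypothetical.

```python
from fnmatch import fnmatchcase

# Ruleset as posted in the reply, and the same rules with the first two
# lines swapped to show why the order matters.
AS_POSTED = """\
FromTo: notme@domain.com no
FromTo: *@domain.com /var/archive
FromTo: default no
"""
SWAPPED = """\
FromTo: *@domain.com /var/archive
FromTo: notme@domain.com no
FromTo: default no
"""

# Only the directions that appear in the thread are modelled.
DIRECTIONS = {"from:", "to:", "fromto:"}


def parse_ruleset(text):
    """Return (ordered rules, default value) parsed from ruleset text."""
    rules, default = [], None
    for number, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = raw.split(None, 2)
        if len(fields) != 3 or fields[0].lower() not in DIRECTIONS:
            # The first attempt in the thread left the direction off the
            # front; reject such a line instead of silently ignoring it.
            raise ValueError(f"line {number}: expected 'Direction: pattern value'")
        direction, pattern, value = fields[0].lower(), fields[1].lower(), fields[2].strip()
        if pattern == "default":
            default = value
        else:
            rules.append((direction, pattern, value))
    return rules, default


def archive_setting(ruleset_text, sender, recipient):
    """Value of the first rule matching this envelope, else the default."""
    rules, default = parse_ruleset(ruleset_text)
    sender, recipient = sender.lower(), recipient.lower()
    for direction, pattern, value in rules:
        addresses = {
            "from:": (sender,),
            "to:": (recipient,),
            "fromto:": (sender, recipient),  # either side may match
        }[direction]
        if any(fnmatchcase(addr, pattern) for addr in addresses):
            return value
    return default


if __name__ == "__main__":
    for name, ruleset in (("as posted", AS_POSTED), ("swapped", SWAPPED)):
        result = archive_setting(ruleset, "x@example.org", "notme@domain.com")
        print(f"{name}: mail to notme@domain.com -> {result}")
```

With the wildcard line first, the exception for notme@domain.com is never reached and that user's mail is archived, so the specific rule has to come before the general one.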
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:21 2006 Subject: possible bug or me up to late again In-Reply-To: Message-ID: <5.1.0.14.2.20021108091459.04aa61d0@imap.ecs.soton.ac.uk> At 00:13 08/11/2002, you wrote: >ok after a couple of abortive attempts earlier today where typos and >miss-naming of files gave me problems I am now finding something odd >happening > >Nov 7 23:59:32 nvsd sendmail[7507]: gA7NxSd07503: >to=gavin@web-hoster.co.uk, delay=00:00:04, xdelay=00:00:01, mailer=esmtp, >pri=124206, relay=mail.web-hoster.co.uk. [213.165.143.4], dsn=2.0.0, >stat=Sent (gA7NsV006079 Message accepted for delivery) >Nov 8 00:00:03 nvsd sendmail[7530]: gA7Nxxd07530: >from=, size=4220, class=0, nrcpts=1, >msgid=, >bodytype=8BITMIME, proto=ESMTP, daemon=MTA, >relay=anchor-post-32.mail.demon.net [194.217.242.90] >Nov 8 00:00:03 nvsd MailScanner[7477]: New Batch: Scanning 1 messages, 4759 >bytes >Nov 8 00:00:03 nvsd MailScanner[7477]: Spam Checks: Starting >Nov 8 00:00:06 nvsd MailScanner[7477]: Virus and Content Scanning: Starting >Nov 8 00:00:07 nvsd MailScanner[7477]: Could not open inline file >/opt/MailScanner/etc/reports/en/inline.sig.txt, No such file or directory >Nov 8 00:00:07 nvsd MailScanner[7477]: Uninfected: Delivered 1 messages > >the second line up is the problem, I don't have /opt/MailScanner specified >anywhere in my config or any of my rules files even doing an egrep -r >/opt/MailScanner >only returns this from the MailScanner directory in /etc It thinks you haven't specified a value for the configuration option Inline Text Signature and is therefore using its internal default value (which doesn't happen to exist on your system). -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Nov 8 09:14:04 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:21 2006 Subject: Stuffit files (Macintosh specific) In-Reply-To: <200211081044000134.4D9F2414@smtp1.ace.net.au> References: <5.1.0.14.2.20021107191228.03235018@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021107191228.03235018@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20021108091347.04862378@imap.ecs.soton.ac.uk> At 00:14 08/11/2002, you wrote: >On W2k mail server that I also have, I run a mime decoder before running >the virus scanner, would that be possible with MS? MS decodes all the MIME messages anyway, it has to. >Peter > > >*********** REPLY SEPARATOR *********** > >On 7/11/2002 at 7:13 PM Julian Field wrote: > > >At 17:40 07/11/2002, you wrote: > >>Is there a way to make unpack and process .sit (StuffIt files), very > >>common in macintosh world? > >>I compressed eicar.com and it flew freely thru MailScanner nets. > > > >It's down to the virus scanners to scan inside archives. I suggest you ask > >the virus scanner vendor(s) if they can search inside Stuffit files, > >ideally they should do it. > >-- > >Julian Field Teaching Systems Manager > >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > >Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From Richard.Lush at HP.COM Fri Nov 8 09:33:19 2002 
From: Richard.Lush at HP.COM (Lush, Richard) Date: Thu Jan 12 21:16:21 2006 Subject: Fetchmail and MailScanner question Message-ID: Hi All, I'm using fetchmail to collect emails from my ISPs and then MailScanner to scan them and send them on to my exchange server. The question I have is on the IP headers. You can see here the information I am getting on the spam messages. I'm getting 127.0.0.1 and in brackets the real domain name of the sender. Message gA7KiTLN013054 from 127.0.0.1 (ns1.sexycity.com) is spam according to SpamAssassin (score=14, required 7, FROM_NAME_NO_SPACES, BUGGY_CGI, CLICK_BELOW, GUARANTEE, UPPERCASE_25_50, NORMAL_HTTP_TO_IP, CLICK_HERE_LINK, SUBJ_ALL_CAPS, NO_MX_FOR_FROM) Does anyone know how I can get the real IP address back in? I'm using Dave Whiles MRTG script and at the moment only see the 127.0.0.1. (I had the access list turned on and blocked myself - oops!) Any ideas are gratefully received. Richard -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021108/5ceb2ac0/attachment.html From gavin at NETERGY.COM Fri Nov 8 10:07:10 2002 From: gavin at NETERGY.COM (Gavin Nelmes-Crocker) Date: Thu Jan 12 21:16:21 2006 Subject: possible bug or me up to late again In-Reply-To: <5.1.0.14.2.20021108091459.04aa61d0@imap.ecs.soton.ac.uk> Message-ID: thanks, it came to me this morning shaving - I hadn't put a default rule in my rules file so if defaulted to the ConfigDef file which as you say looks at somewhere I don't have - sorted now Thanks Gavin > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: 08 November 2002 09:17 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: possible bug or me up to late again > > > At 00:13 08/11/2002, you wrote: > >ok after a couple of abortive attempts earlier today where typos and > >miss-naming of files gave me problems I am now finding something odd > >happening > > > >Nov 7 23:59:32 nvsd sendmail[7507]: gA7NxSd07503: > >to=gavin@web-hoster.co.uk, delay=00:00:04, xdelay=00:00:01, mailer=esmtp, > >pri=124206, relay=mail.web-hoster.co.uk. [213.165.143.4], dsn=2.0.0, > >stat=Sent (gA7NsV006079 Message accepted for delivery) > >Nov 8 00:00:03 nvsd sendmail[7530]: gA7Nxxd07530: > >from=, size=4220, class=0, nrcpts=1, > >msgid=, > >bodytype=8BITMIME, proto=ESMTP, daemon=MTA, > >relay=anchor-post-32.mail.demon.net [194.217.242.90] > >Nov 8 00:00:03 nvsd MailScanner[7477]: New Batch: Scanning 1 > messages, 4759 > >bytes > >Nov 8 00:00:03 nvsd MailScanner[7477]: Spam Checks: Starting > >Nov 8 00:00:06 nvsd MailScanner[7477]: Virus and Content > Scanning: Starting > >Nov 8 00:00:07 nvsd MailScanner[7477]: Could not open inline file > >/opt/MailScanner/etc/reports/en/inline.sig.txt, No such file or directory > >Nov 8 00:00:07 nvsd MailScanner[7477]: Uninfected: Delivered 1 messages > > > >the second line up is the problem, I don't have /opt/MailScanner > specified > >anywhere in my config or any of my rules files even doing an egrep -r > >/opt/MailScanner > >only returns this from the MailScanner directory in /etc > > It thinks you haven't specified a value for the configuration option > Inline Text Signature > and is therefore using its internal default value (which doesn't happen to > exist on your system). > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From ant at DVERE.NET Fri Nov 8 10:07:06 2002 
From: ant at DVERE.NET (Ant La Porte) Date: Thu Jan 12 21:16:21 2006 Subject: ClamAV - New Test Results In-Reply-To: <3DC96ED5.5000007@nucci.com.br> References: <3DC96706.2060006@nucci.com.br> <3DC96ED5.5000007@nucci.com.br> Message-ID: <48567.10.0.0.5.1036750026.squirrel@webmail.dvere.dyndns.org> Ivan Mirisola said: > Hi All, > > I have performed new tests with some famous viruses found on > vx.netlux.org. Only Melissa failed to be discovered by clamAV. I don't > know why. The virus is found on a "visual basic for ms-word" format and > had to be included in a document. Maybe clamAV is trying to find the > original file that contaned the virus but this must be a wrong doing. My > AVG Free Edition does check the document generated and is able to see > that there is a virus within. > > Any thoughts, I'll be glad to hear. > > Sincerely, > Ivan > This thread on the openativirus-discuss list may be related: http://marc.theaimsgroup.com/?l=openantivirus-discuss&m=103590759412100&w=2 -- Ant La Porte - Dvere Network Services From scouty at BROMBERG.DEMON.NL Fri Nov 8 10:09:38 2002 
From: scouty at BROMBERG.DEMON.NL (Matthijs Althoff)
Date: Thu Jan 12 21:16:21 2006
Subject: MRTG etc
Message-ID: <200211081009.gA8A9cX19729@ori.rl.ac.uk>

On Mon, 4 Nov 2002 19:53:53 +0000, David While wrote:

>Currently the virus analysis will only work for ClamAV and inoculan since I
>don't have access to any other scanners, however it is easy for me to add
>them in - all I need are some sample mail log file entries from the
>relevant scanners when they have detected a virus.

$ uvscan --version (mcafee)
Virus Scan for Linux v4.14.0
Scan engine v4.1.60 for Linux.
Virus data file v4232 created Nov 06 2002

OS : RedHat 6.2
Sendmail : 8.11.6/8.11.6
MailScanner : 3.24-1

Scanning for 62223 viruses, trojans and variants.

mailscanner[13551]: Scanning 1 messages, 70605 bytes
mailscanner[13551]: /g9NJdEl14740/wedding.imp.scr Found the W32/Bugbear@MM virus !!!
mailscanner[13551]: Detected Microsoft-specific exploits in g9NJdEl14740
mailscanner[13551]: Possible virus hidden in a screensaver (wedding.imp.scr)
mailscanner[13551]: Found 3 viruses in messages g9NJdEl14740
mailscanner[13551]: Scanned 1 messages, 70605 bytes in 4 seconds
mailscanner[13551]: Saved entire message to /var/spool/MailScanner/quarantine/20021023/g9NJdEl14740
mailscanner[13551]: Deleted infected messages g9NJdEl14740
sendmail[14747]: g9NJdPR14747: from=virus-admin@bromberg.demon.nl, size=1779, class=0, nrcpts=1, msgi
mailscanner[13551]: Notified virus-admin@bromberg.demon.nl about 1 infections

From t.d.lee at DURHAM.AC.UK Fri Nov 8 10:08:23 2002
From: t.d.lee at DURHAM.AC.UK (David Lee) Date: Thu Jan 12 21:16:21 2006 Subject: MS4.x config/runtime issues In-Reply-To: <5.1.0.14.2.20021107182018.031e7ec0@imap.ecs.soton.ac.uk> Message-ID: On Thu, 7 Nov 2002, Julian Field wrote: > At 17:18 07/11/2002, you wrote: > >1. bin/MailScanner/Log.pm : MS gave a message: > > Your vendor has not defined the Sys::Syslog macro _PATH_LOG at [...] > > By commenting out the line: > > eval { Sys::Syslog::setlogsock('unix'); }; # Doesn't need syslogd -r > > this then worked, apparently with no ill effect. > > Seems to be sort of Perl/Solaris interaction (Perl 5.6.0; Solaris 8). > > Does the MS code need to be more tolerant, and/or autoconf'd? > > The failure message doesn't actually cause any harm. Basically it tries to > use a domain socket instead of a UDP socket, so you don't have to open up > your syslogd to accept UDP logging requests from other machines (which > might be used as a DoS attack on your server by forcing gigabytes of syslog > traffic). Thanks, Julian. Overall: Good News, No News (yet) and Bad News. So, in reverse order... > Please can you try the attached patch to Log.pm to see if it removes the > error message on your system. The Log.pm patch doesn't seem to remove the message; the versions seem indistinguishable in behaviour. Note also that both versions have a further problem. This only comes to light after five of the previous messages had been issued. (Because of that previous behaviour, my trials had never got as far as revealing the further problem.) After about five of the: Your vendor has not defined the Sys::Syslog macro _PATH_LOG at [...] it then gives: We haven't got any child processes, which isn't right!, No child processes at /opt/MailScanner/bin/mailscanner line 191. We have just tried to reap a process which wasn't one of ours!, No child processes at /opt/MailScanner/bin/mailscanner line 194. Basically MS doesn't ever really get started: the messages just sit in the inbound queue. > >2. 
lib/mcafee-wrapper: has pathname "/usr/local/uvscan/uvscan" hardcoded. > > At our site the pathname is different. OK, I can tweak things to make > > it work. But in v3 this had been configurable in etc/mailscanner.conf > > and v4.x seems to have gone backwards: no longer configurable. > > You just edit the wrapper. The setting in mailscanner.conf in V3 set the > location of the wrapper, not the location of uvscan itself. So this isn't > actually any different. If you moved uvscan to somewhere else, you would > have edited the wrapper to point to the correct location. In V4 you can > find the wrapper script more easily as they are all in the same place. OK, I'll look deeper, and get back to you if I still think there might be an issue. > >3. With v3, I had had the default (and sensible!): > > Outgoing Queue Dir = /var/spool/mqueue > > > > To ensure co-residency on the same physical partition of the other > > directories, they had been subdirectories of this: > > Incoming Queue Dir = /var/spool/mqueue/mq.in > > Incoming Work Dir = /var/spool/mqueue/incoming > > Quarantine Dir = /var/spool/mqueue/quarantine > > Solid and safe. > >[...] > > Is there any reason why v4.x forbids such subdirectory use? > >[...] > > Does MailScanner really require this restriction? Can it be removed? > > I thought it was a good idea at the time, but setups such as yours hadn't > occurred to me. On reflection it may be better to remove the check. I will > still look for a q1 or qf directory though, in an attempt to find split > queue directories which sendmail will use if it finds them. So you can get > it going now, the minimal patch to Sendmail.pm is attached to this message. > There is actually just 1 extra line of code. Good News: That seems fine. Many thanks. -- : David Lee I.T. Service : : Systems Programmer Computer Centre : : University of Durham : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham : : Phone: +44 191 374 2882 U.K. 
: From mailscanner at ecs.soton.ac.uk Fri Nov 8 10:42:26 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:21 2006
Subject: MS4.x config/runtime issues
In-Reply-To:
References: <5.1.0.14.2.20021107182018.031e7ec0@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021108104101.07142e20@imap.ecs.soton.ac.uk>

At 10:08 08/11/2002, you wrote:
>On Thu, 7 Nov 2002, Julian Field wrote:
> > At 17:18 07/11/2002, you wrote:
> > >1. bin/MailScanner/Log.pm : MS gave a message:
> > > Your vendor has not defined the Sys::Syslog macro _PATH_LOG at [...]
> > > By commenting out the line:
> > > eval { Sys::Syslog::setlogsock('unix'); }; # Doesn't need syslogd -r
> > > this then worked, apparently with no ill effect.
> > > Seems to be sort of Perl/Solaris interaction (Perl 5.6.0; Solaris 8).
> > > Does the MS code need to be more tolerant, and/or autoconf'd?
> >
> > The failure message doesn't actually cause any harm. Basically it tries to
> > use a domain socket instead of a UDP socket, so you don't have to open up
> > your syslogd to accept UDP logging requests from other machines (which
> > might be used as a DoS attack on your server by forcing gigabytes of syslog
> > traffic).

>Thanks, Julian. Overall: Good News, No News (yet) and Bad News.
>
>So, in reverse order...
>
> > Please can you try the attached patch to Log.pm to see if it removes the
> > error message on your system.
>
>The Log.pm patch doesn't seem to remove the message; the versions seem
>indistinguishable in behaviour.

Can you try this:

use Sys::Syslog;
use Carp;

eval { $SIG{'__DIE__'} = 'IGNORE';
       croak "Bye bye";
     };
$SIG{'__DIE__'} = 'DEFAULT';
print "Hello there\n";

and tell me what it outputs. On my system I just get "Hello there". If the
"__DIE__" handler isn't working as expected, it will stop with an error.

>Note also that both versions have a further problem. This only comes to
>light after five of the previous messages had been issued. (Because of
>that previous behaviour, my trials had never got as far as revealing the
>further problem.)
After about five of the: > Your vendor has not defined the Sys::Syslog macro _PATH_LOG at [...] >it then gives: > We haven't got any child processes, which isn't right!, No child > processes at /opt/MailScanner/bin/mailscanner line 191. > We have just tried to reap a process which wasn't one of ours!, No > child processes at /opt/MailScanner/bin/mailscanner line 194. For now, you can comment out the setlogsock line. > > I thought it was a good idea at the time, but setups such as yours hadn't > > occurred to me. On reflection it may be better to remove the check. I will > > still look for a q1 or qf directory though, in an attempt to find split > > queue directories which sendmail will use if it finds them. So you can get > > it going now, the minimal patch to Sendmail.pm is attached to this message. > > There is actually just 1 extra line of code. > >Good News: That seems fine. Many thanks. Goodo! -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From novirus at CARLO65.DE Fri Nov 8 11:41:15 2002 
From: novirus at CARLO65.DE (Roland Ehle)
Date: Thu Jan 12 21:16:21 2006
Subject: Fetchmail and MailScanner question
In-Reply-To:
References:
Message-ID: <1036755675.23579.105.camel@linroute>

Hi Richard,

On Fri, 2002-11-08 at 10:33, Lush, Richard wrote:
> Hi All,
>
> I'm using fetchmail to collect emails from my ISPs and then MailScanner
> to scan them and send them on to my exchange server. The question I
> have is on the IP headers.
>
> You can see here the information I am getting on the spam messages. I'm
> getting 127.0.0.1 and in brackets the real domain name of the sender.

afaik there is no solution for this. When you use fetchmail, the sender
is always localhost. Explanation: fetchmail picks up the mail and sends it
via smtp to the local recipient.

But, concerning Dave While's MRTG script, I have a proposal: in my eyes it
seems to be better to have the sender's address instead of the sending
SMTP-Server in the log and access-list. I have customers, who forward
their mails from their free-mail accounts, such as yahoo, web.de, gmx, to
their accounts on my server. When I first used the script I had suddenly
yahoo Mailservers on my access list.

Regards,
Roland

From Richard.Lush at HP.COM Fri Nov 8 11:53:16 2002
From: Richard.Lush at HP.COM (Lush, Richard)
Date: Thu Jan 12 21:16:21 2006
Subject: Fetchmail and MailScanner question
Message-ID:

Thanks Roland,

I guessed that might have been the answer but am pretty new to fetchmail
and mailscanner.

-----Original Message-----
From: Roland Ehle [mailto:novirus@CARLO65.DE] Sent: 08 November 2002 11:41 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Fetchmail and MailScanner question Hi Richard, Am Fre, 2002-11-08 um 10.33 schrieb Lush, Richard: > Hi All, > > I'm using fetchmail to collect emails from my ISPs and then > MailScanner to scan them and send them on to my exchange server. The > question I have is on the IP headers. > > You can see here the information I am getting on the spam messages. > I'm getting 127.0.0.1 and in brackets the real domain name of the > sender. afaik there is no solution for this. When you use fetchmail, the sender is always localhost. Eplanation: fetchmail picks up the mail and sends it via smtp to the local recipient. But, concerning Dave Whiles MRTG script, I have a proposal: in my eyes it seems to be better to have the senders address instead of the sending SMTP-Server in the log and access-list. I have customers, who forward their mails from their free-mail accounts, such as yahoo, web.de, gmx, to their accounts on my server. When I first used the script I had suddenly yahoo Mailservers on my access list. Regards, Roland From carl.boberg at NRM.SE Fri Nov 8 11:56:15 2002 
From: carl.boberg at NRM.SE (Carl Boberg)
Date: Thu Jan 12 21:16:21 2006
Subject: Log issue
In-Reply-To: <5.1.0.14.2.20021108104101.07142e20@imap.ecs.soton.ac.uk>
Message-ID:

Hi,

I noticed that MS does a rescan on every virus infected message.
That is all well and good but I have a little problem with this...

I'm using David While's perlscript to scan the maillog to find viruses,
which does this with a regular exp. to find the line with the virus name
and the infected filename.
Since MS does the rescan I get the double amount of viruses in my output...

Question is:
Is the rescan really necessary? (Probably is a good idea)
If so, can I modify the rescan log entries somehow?
If not, how do I turn it off?

From my log:

First scan:
...
MailScanner[1281]: New Batch: Scanning 1 messages, 2491 bytes
MailScanner[1281]: Spam Checks: Starting
MailScanner[1281]: [./gA8BPSU01371/eicar.zip] eicar.com^Iinfection: EICAR_Test_File
MailScanner[1281]: [./gA8BPSU01371/eicar-1.zip] eicar.com^Iinfection: EICAR_Test_File
MailScanner[1281]: Virus Scanning: f-secure found 2 infections
MailScanner[1281]: Virus Scanning: Found 2 viruses
MailScanner[1281]: Saved infected "eicar-1.zip" to /.../20021108/gA8BPSU01371
MailScanner[1281]: Saved infected "eicar.zip" to /.../quarantine/20021108/gA8BPSU01371
MailScanner[1281]: Cleaned: Delivered 1 cleaned messages
....
Then Rescan:
....
MailScanner[1281]: Notices: Warned about 1 messages
MailScanner[1281]: Disinfection: Attempting to disinfect 1 messages
MailScanner[1281]: [./gA8BPSU01371/eicar.zip] eicar.com^Iinfection: EICAR_Test_File
MailScanner[1281]: [./gA8BPSU01371/eicar-1.zip] eicar.com^Iinfection: EICAR_Test_File
MailScanner[1281]: Virus Scanning: f-secure found 2 infections
MailScanner[1281]: Disinfection: Rescan found only 2 viruses
....

BTW. Julian Field ROCKS!

Best regards

---------------------------------
Carl Boberg
System & Network Administrator
Dept. of Information Technology
Swedish Museum of Natural History
Frescativ.
40 104 05 Stockholm carl.boberg@nrm.se Phone: 08-519 551 16 Mobile: 0701-82 40 55 --------------------------------- From David.While at UCE.AC.UK Fri Nov 8 12:01:50 2002 
From: David.While at UCE.AC.UK (David While) Date: Thu Jan 12 21:16:21 2006 Subject: Fetchmail and MailScanner question Message-ID: I did originally have the senders address (as reported in the brackets in the log entry), however the address reported by MailScanner in the log file is the address from the envelope of the original email which in most cases of Spam is forged. I started to do reverse DNS lookups on the IP address but the majority of senders of Spam don't have the reverse DNS entries set up. The sending SMTP server is the only reliable information - it is the server that sent the spam to you - that is all you can tell. To do what you are suggesting would require MailScanner to analyse the email and look at the headers to try and determine the originator of the spam which I suspect would be a fairly complex task (perhaps Julian would like to comment!). Hotmail does do Spam checking (according to their website) by activating the junk mail filter so maybe the users should turn this on so that the mail isn't forwarded. ----------------------------------------------------------------- David While Technical Development Manager Faculty of Computing, Information & English University of Central England Tel: 0121 331 6211 Roland Ehle Sent by: MailScanner mailing list 08/11/2002 11:41 Please respond to MailScanner mailing list To: MAILSCANNER@JISCMAIL.AC.UK cc: Subject: Re: Fetchmail and MailScanner question Hi Richard, Am Fre, 2002-11-08 um 10.33 schrieb Lush, Richard: > Hi All, > > I'm using fetchmail to collect emails from my ISPs and then MailScanner > to scan them and send them on to my exchange server. The question I > have is on the IP headers. > > You can see here the information I am getting on the spam messages. I'm > getting 127.0.0.1 and in brackets the real domain name of the sender. afaik there is no solution for this. When you use fetchmail, the sender is always localhost. 
Eplanation: fetchmail picks up the mail and sends it via smtp to the local recipient. But, concerning Dave Whiles MRTG script, I have a proposal: in my eyes it seems to be better to have the senders address instead of the sending SMTP-Server in the log and access-list. I have customers, who forward their mails from their free-mail accounts, such as yahoo, web.de, gmx, to their accounts on my server. When I first used the script I had suddenly yahoo Mailservers on my access list. Regards, Roland -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021108/43a405b1/attachment.html From t.d.lee at durham.ac.uk Fri Nov 8 12:04:17 2002 
From: t.d.lee at durham.ac.uk (David Lee)
Date: Thu Jan 12 21:16:21 2006
Subject: MS4.x config/runtime issues
In-Reply-To: <5.1.0.14.2.20021108104101.07142e20@imap.ecs.soton.ac.uk>
Message-ID:

On Fri, 8 Nov 2002, Julian Field wrote:

> Can you try this:
>
> use Sys::Syslog;
> use Carp;
>
> eval { $SIG{'__DIE__'} = 'IGNORE';
>        croak "Bye bye";
>      };
> $SIG{'__DIE__'} = 'DEFAULT';
> print "Hello there\n";
>
> and tell me what it outputs. On my system I just get "Hello there". If the
> "__DIE__" handler isn't working as expected, it will stop with an error.

Get "Hello there".

In the interim I had also tried further adjustments in that area of
Log.pm, namely simply printing a message before and after the:
   eval { Sys::Syslog::setlogsock('unix'); };
(in its various incarnations). This confirmed that it was successfully
getting past this point. In that sense all would *appear* to be well. (So I
fully expected the "Hello there" from your test, anyway.)

Another of my trials had been:
   eval { Sys::Syslog::setlogsock('unix') ||
          Sys::Syslog::setlogsock('inet'); };

Again, that had successfully passed this point, but still produced all the
messages, including my test "{before|after} setlogsock()", and including
the:
   We haven't got any child processes [...]
   We have just tried to reap a process which wasn't one of ours!

So I'm reasonably happy that our signal/DIE/eval stuff is OK. Rather, it
looks as though the mere attempt to do "setlogsock('unix')" is itself
having a longer-term side-effect which causes later problems.

Am I hitting something odd in perl 5.6.0, I wonder? Given that we have a
shared (from NetApp filers) perl installation across our Solaris/UNIX
service we're not in a position simply to upgrade it at the drop of a hat.
I'd have to find some other workaround, at least in the short-term.

> For now, you can comment out the setlogsock line.

Sure, that's a fine temporary hack, for us, for the moment.
Looking to the wider community, is there some way that "Log.pm" could itself do the &_PATH_LOG check before committing to the apparently trojan "setlogsock('unix')"? (It seems ironic that our virus-scanner's innocent-looking "setlogsock('unix')" seems to have a infection-like result within itself!) Thanks again, Julian, for your attention to this. -- : David Lee I.T. Service : : Systems Programmer Computer Centre : : University of Durham : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham : : Phone: +44 191 374 2882 U.K. : From novirus at CARLO65.DE Fri Nov 8 12:11:58 2002 
From: novirus at CARLO65.DE (Roland Ehle)
Date: Thu Jan 12 21:16:21 2006
Subject: Fetchmail and MailScanner question
In-Reply-To:
References:
Message-ID: <1036757518.23514.112.camel@linroute>

Hi David,

On Fri, 2002-11-08 at 13:01, David While wrote:
> I did originally have the sender's address (as reported in the brackets in
> the log entry), however the address reported by MailScanner in the log
> file is the address from the envelope of the original email which in most
> cases of Spam is forged. I started to do reverse DNS lookups on the IP
> address but the majority of senders of Spam don't have the reverse DNS
> entries set up.
>
> The sending SMTP server is the only reliable information - it is the
> server that sent the spam to you - that is all you can tell.

Fully ACK.

> To do what you are suggesting would require MailScanner to analyse the
> email and look at the headers to try and determine the originator of the
> spam which I suspect would be a fairly complex task (perhaps Julian would
> like to comment!).

I think this is too much work, for statistical purposes only. But thank
you for this information.

> Hotmail does do Spam checking (according to their website) by activating
> the junk mail filter so maybe the users should turn this on so that the
> mail isn't forwarded.

I know, Yahoo does it too, meanwhile, but others don't as you may see on
my statistics page (http://www.is-on-stream.de/mrtg). The top spammer IPs
are those from the German Freemailers GMX and WEB.de.

Regards,
Roland

From Richard.Lush at HP.COM Fri Nov 8 12:39:32 2002
From: Richard.Lush at HP.COM (Lush, Richard) Date: Thu Jan 12 21:16:21 2006 Subject: MailScanner not virus scanning Message-ID: Hi All, I have Sophos and f-prot both configured within MailScanner.conf but it would appear the virus scanners are not running. I am not getting any error messages they are just not running. (i.e. no messages showing the maillog, in fact I haven't seen anything since upgrading) This sounds similar to a problem report earlier by someone else I think, I am running Redhat 8.0 with MailScanner 4.05-3. The wrappers run ok (tested manually). The only change I have made is upgrade. (Julian, I upgraded after you added the Sophos changes I tested to the rpm). I've been sending some test viruses from VX Heavens, Mcafee is picking them up on Exchange but MailScanner is not. Any ideas? Richard -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021108/7d4bfe74/attachment.html From Richard.Lush at HP.COM Fri Nov 8 12:49:43 2002 From: Richard.Lush at HP.COM (Lush, Richard) Date: Thu Jan 12 21:16:21 2006 Subject: MailScanner not virus scanning Message-ID: OK, the plot thickens. It seems that it is running but the virus engines are not picking up some older viruses (that's nice!). Just sent Nimda through and it picked it up but some old word viruses are not being picked up. Interestingly enough, I scanned the older files that are not being picked up with Norton on my client and it didn't detect them either. I guess MacAfee is going something extra checking. Richard -----Original Message----- 
From: Lush, Richard Sent: 08 November 2002 12:40 To: MAILSCANNER@JISCMAIL.AC.UK Subject: MailScanner not virus scanning Hi All, I have Sophos and f-prot both configured within MailScanner.conf but it would appear the virus scanners are not running. I am not getting any error messages they are just not running. (i.e. no messages showing the maillog, in fact I haven't seen anything since upgrading) This sounds similar to a problem report earlier by someone else I think, I am running Redhat 8.0 with MailScanner 4.05-3. The wrappers run ok (tested manually). The only change I have made is upgrade. (Julian, I upgraded after you added the Sophos changes I tested to the rpm). I've been sending some test viruses from VX Heavens, Mcafee is picking them up on Exchange but MailScanner is not. Any ideas? Richard -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021108/64ce5811/attachment.html From novirus at CARLO65.DE Fri Nov 8 13:45:08 2002 From: novirus at CARLO65.DE (Roland Ehle) Date: Thu Jan 12 21:16:21 2006 Subject: Virus In-Reply-To: References: Message-ID: <1036763108.23514.133.camel@linroute> Hi Raymond, it was a serious request from my side and don't worry I will not blame you or so. Regards, Roland Am Don, 2002-11-07 um 22.36 schrieb Raymond Dijkxhoorn: > Hi! > > > this is probably a strange question in your eyes, but I would like to > > have a virus or better a virus infected mail, to check different > > scanners. Unfortunately the only thing I find is the EICAR test virus, > > but thats not enough. > > Give me a address and i'll send you a nice .zip to test your scanner setup > with. > > Bye, > Raymond. > > From mailscanner at ecs.soton.ac.uk Fri Nov 8 12:22:12 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:21 2006 Subject: Fetchmail and MailScanner question In-Reply-To: Message-ID: <5.1.0.14.2.20021108122157.042ba8c0@imap.ecs.soton.ac.uk> At 12:01 08/11/2002, you wrote: >To do what you are suggesting would require MailScanner to analyse the >email and look at the headers to try and determine the originator of the >spam which I suspect would be a fairly complex task (perhaps Julian would >like to comment!). Nightmare. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Nov 8 12:21:07 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:21 2006
Subject: Log issue
In-Reply-To:
References: <5.1.0.14.2.20021108104101.07142e20@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021108121921.03ef6e98@imap.ecs.soton.ac.uk>

At 11:56 08/11/2002, you wrote:
>Question is:
>Is the rescan really necessary? (Probably is a good idea)

Yes. Vital.

>If so, can I modify the rescan log entries somehow?
>If not, how do I turn it off?

I have changed the logging so that you will get
    Virus Scanning: f-secure found 2 infections
but then
    Virus Re-scanning: f-secure found 2 infections
so you don't get identical log entries for different things.

I hope that doesn't break too many people's scripts!

>First scan:
>...
>MailScanner[1281]: New Batch: Scanning 1 messages, 2491 bytes
>MailScanner[1281]: Spam Checks: Starting
>MailScanner[1281]: [./gA8BPSU01371/eicar.zip] eicar.com^Iinfection:
>EICAR_Test_File
>MailScanner[1281]: [./gA8BPSU01371/eicar-1.zip] eicar.com^Iinfection:
>EICAR_Test_File
>MailScanner[1281]: Virus Scanning: f-secure found 2 infections
>MailScanner[1281]: Virus Scanning: Found 2 viruses
>MailScanner[1281]: Saved infected "eicar-1.zip" to
>/.../20021108/gA8BPSU01371
>MailScanner[1281]: Saved infected "eicar.zip" to
>/.../quarantine/20021108/gA8BPSU01371
>MailScanner[1281]: Cleaned: Delivered 1 cleaned messages
>....
>Then Rescan:
>....
>MailScanner[1281]: Notices: Warned about 1 messages
>MailScanner[1281]: Disinfection: Attempting to disinfect 1 messages
>MailScanner[1281]: [./gA8BPSU01371/eicar.zip] eicar.com^Iinfection:
>EICAR_Test_File
>MailScanner[1281]: [./gA8BPSU01371/eicar-1.zip] eicar.com^Iinfection:
>EICAR_Test_File
>MailScanner[1281]: Virus Scanning: f-secure found 2 infections
>MailScanner[1281]: Disinfection: Rescan found only 2 viruses
>....
>
>BTW. Julian Field ROCKS!

:-)
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel.
023 8059 2817 University of Southampton Southampton SO17 1BJ From alex at IALEX.NET Fri Nov 8 13:49:28 2002 From: alex at IALEX.NET (Alex Short) Date: Thu Jan 12 21:16:21 2006 Subject: Archiving Mail In-Reply-To: <5.1.0.14.2.20021108090542.06fbdeb0@imap.ecs.soton.ac.uk> Message-ID: Julian, When putting these parameters in the ruleset the email is still getting forwarded because it matches. ie. FromTo: alex@domain.com no FromTo: *@domain.com archive@domain.com email to alex@domain.com is still getting forwarded. Alex > At 04:22 08/11/2002, you wrote: > >There is an option in MailScanner.conf after version 4.02-1. Can't > >remember the name of the option though. > > # When you quarantine an entire message, do you want to store it as > # raw mail queue files (so you can easily send them onto users) or > # as human-readable files (header then body in 1 file)? > Quarantine Whole Messages As Queue Files = no > > >Rulesets are configured top to bottom. So put a line that says > > > >notme@domain.com no > >@domain.com /var/archive > > > >Or however something along those lines. > > Very nearly, you just forgot the direction off the front. So possibly you want > FromTo: notme@domain.com no > FromTo: *@domain.com /var/archive > FromTo: default no > > "FromTo:" will match any message coming from the address or going to it. > You will have to restart MailScanner (or kill -HUP all the processes) to > force it to re-read the configuration files and recompile the rulesets. > > >-----Original Message----- > >From: Alex Short [mailto:alex@IALEX.NET] > >Sent: Thursday, November 07, 2002 8:01 PM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: Archiving Mail > > > > > >Ah yes, now i see it :) > > > >Two questions-- any way to save it in one file/message, (ie not qf+df) > >Also, is there a way to do *@domain.com /var/archive but not for > >notme@domain.com > > > >? > > > >Alex > >----- Original Message ----- 
> >From: "S Mohan" > >To: > >Sent: Thursday, November 07, 2002 9:54 PM > >Subject: Re: Archiving Mail > > > > > > > In the archiving mail option, give a ruleset name. Say > > > /etc/MailScanner/rules/archive.rules. This file must have the > > > following entries. > > > > > > To: emailid or directory. > > > From: similar as above. > > > > > > In this manner, you can copy incoming and out going mails for each > > > user or domain to email ids. If directory name is given, MailScanner > > > stores in qf+df format. If email id is given, the mail gets delivered > > > to the mailbox. You can use which ever is useful. > > > > > > Mohan > > > > > > > > > -----Original Message----- > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > > Behalf Of Alex Short > > > Sent: Friday, November 08, 2002 3:34 AM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Archiving Mail > > > > > > > > > For the archiving of mail feature, how can you archive some users and > > > not others. The only option i have seen is *where* to save the > > > archived email. > > > > > > Alex > > > > > > > > > > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > > > From gavin at NETERGY.COM Fri Nov 8 15:17:32 2002 
From: gavin at NETERGY.COM (Gavin Nelmes-Crocker)
Date: Thu Jan 12 21:16:21 2006
Subject: unusual question
Message-ID:

Ok this is an odd one - I want to test the Spam capabilities harder now. Presently we forward Spam that arrives with us, but that only checks content with SpamAssassin and not really checking any RBL etc. as it looks as though it comes from me, not the spammer.

So the question - I am going to set up a domain especially for this and then I want to register (if you can call it that) for as much Spam and porn rubbish as I can. Does anyone know any sure-fire places to put your email address that will result in being spammed?

I am fairly broad-minded but please nothing illegal.

Regards

Gavin

From j.cormie at ABERTAY.AC.UK Fri Nov 8 15:19:47 2002
From: j.cormie at ABERTAY.AC.UK (Jason Cormie)
Date: Thu Jan 12 21:16:21 2006
Subject: unusual question
Message-ID: <6F7DF531DBB3D41197B600508B55D4020404AAC6@mail3.tay.ac.uk>

> Does anyone know any sure fire places to put your email
> address that will result in being spammed?

Just use the email address to "unsubscribe" from some emails, that should get some attention

From mailscanner at ecs.soton.ac.uk Fri Nov 8 15:20:23 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:21 2006 Subject: Archiving Mail In-Reply-To: References: <5.1.0.14.2.20021108090542.06fbdeb0@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20021108150819.040fbe90@imap.ecs.soton.ac.uk> At 13:49 08/11/2002, you wrote: >Julian, > >When putting these parameters in the ruleset the email is still getting >forwarded because it matches. > >ie. > >FromTo: alex@domain.com no >FromTo: *@domain.com archive@domain.com > >email to alex@domain.com is still getting forwarded. Unfortunately the Archive Mail parameter collects all the addresses+directories from matching rules. The *@domain.com will cause alex@domain.com to be archived to archive@domain.com. I envisioned people potentially wanting some addresses to be archived in more than 1 place, not specific users not being archived at all. Add having "not" as part of the address to match wouldn't help either, as "not alex@domain.com" would be true for "jim@otherdomain.com", so you would end up archiving *all* your mail. You really need some way to specify a "nowhere" result which over-rides all the other results. Perhaps some "magic value" such as "none", which would cause it to immediately make the whole result blank. But then if we get a virus called "none" we might be in trouble making up the "Viruses To Delete" list. Guess I could use something wacky like "*none*" but it doesn't exactly sound like a good solution, does it? Looks like a right hack to me :-( > > At 04:22 08/11/2002, you wrote: > > >There is an option in MailScanner.conf after version 4.02-1. Can't > > >remember the name of the option though. > > > > # When you quarantine an entire message, do you want to store it as > > # raw mail queue files (so you can easily send them onto users) or > > # as human-readable files (header then body in 1 file)? > > Quarantine Whole Messages As Queue Files = no > > > > >Rulesets are configured top to bottom. 
So put a line that says > > > > > >notme@domain.com no > > >@domain.com /var/archive > > > > > >Or however something along those lines. > > > > Very nearly, you just forgot the direction off the front. So possibly > you want > > FromTo: notme@domain.com no > > FromTo: *@domain.com /var/archive > > FromTo: default no > > > > "FromTo:" will match any message coming from the address or going to it. > > You will have to restart MailScanner (or kill -HUP all the processes) to > > force it to re-read the configuration files and recompile the rulesets. > > > > >-----Original Message----- > > >From: Alex Short [mailto:alex@IALEX.NET] > > >Sent: Thursday, November 07, 2002 8:01 PM > > >To: MAILSCANNER@JISCMAIL.AC.UK > > >Subject: Re: Archiving Mail > > > > > > > > >Ah yes, now i see it :) > > > > > >Two questions-- any way to save it in one file/message, (ie not qf+df) > > >Also, is there a way to do *@domain.com /var/archive but not for > > >notme@domain.com > > > > > >? > > > > > >Alex > > >----- Original Message ----- > > >From: "S Mohan" > > >To: > > >Sent: Thursday, November 07, 2002 9:54 PM > > >Subject: Re: Archiving Mail > > > > > > > > > > In the archiving mail option, give a ruleset name. Say > > > > /etc/MailScanner/rules/archive.rules. This file must have the > > > > following entries. > > > > > > > > To: emailid or directory. > > > > From: similar as above. > > > > > > > > In this manner, you can copy incoming and out going mails for each > > > > user or domain to email ids. If directory name is given, MailScanner > > > > stores in qf+df format. If email id is given, the mail gets delivered > > > > to the mailbox. You can use which ever is useful. > > > > > > > > Mohan > > > > > > > > > > > > -----Original Message----- 
> > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > > > Behalf Of Alex Short > > > > Sent: Friday, November 08, 2002 3:34 AM > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > Subject: Archiving Mail > > > > > > > > > > > > For the archiving of mail feature, how can you archive some users and > > > > not others. The only option i have seen is *where* to save the > > > > archived email. > > > > > > > > Alex > > > > > > > > > > > > > > > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > > > > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Nov 8 15:06:04 2002 
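Julian Field's "Archiving Mail" reply above says the Archive Mail parameter collects the destinations of every matching rule instead of stopping at the first match. The Python model below is an added example, not MailScanner code and not from the thread: the function names, the handling of `default` as a fallback and the `not ` prefix syntax are assumptions, and `*none*` is the override value Julian floats only as a possibility.

```python
from fnmatch import fnmatchcase

NO = "no"
DIRECTIONS = {"From", "To", "FromTo"}


def parse_ruleset(text):
    """Parse 'Direction: pattern value' lines into (direction, pattern, value)."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        direction = fields[0].rstrip(":")
        if direction not in DIRECTIONS or len(fields) < 3:
            raise ValueError("bad rule: %r" % line)
        rules.append((direction, " ".join(fields[1:-1]), fields[-1]))
    return rules


def rule_applies(rule, sender, recipient):
    """FromTo tests both addresses; 'not ' is the hypothetical negation."""
    direction, pattern, _value = rule
    negate = pattern.startswith("not ")
    if negate:
        pattern = pattern[4:]
    tested = {"From": [sender], "To": [recipient],
              "FromTo": [sender, recipient]}[direction]
    return any(fnmatchcase(a.lower(), pattern.lower()) != negate for a in tested)


def _split(rules):
    """Separate ordinary rules from the 'default' fallback value."""
    normal = [r for r in rules if r[1] != "default"]
    default = [r[2] for r in rules if r[1] == "default"]
    return normal, (default[0] if default else NO)


def first_match(rules, sender, recipient):
    """Top-to-bottom evaluation: the first matching rule decides alone."""
    normal, default = _split(rules)
    for rule in normal:
        if rule_applies(rule, sender, recipient):
            return [] if rule[2] == NO else [rule[2]]
    return [] if default == NO else [default]


def collect_all(rules, sender, recipient, override=None):
    """Union of every matching rule's destination, as described for Archive Mail.

    If `override` is given and any matching rule carries it, the whole
    result is blanked (the "nowhere" idea from the thread).
    """
    normal, default = _split(rules)
    hits = [r[2] for r in normal if rule_applies(r, sender, recipient)]
    if not hits:
        hits = [default]
    if override is not None and override in hits:
        return []
    destinations = []
    for value in hits:
        if value != NO and value not in destinations:
            destinations.append(value)
    return destinations


# Rulesets below are constructed from the rules quoted in the thread.
THREAD_RULES = parse_ruleset("""
FromTo: alex@domain.com   no
FromTo: *@domain.com      archive@domain.com
FromTo: default           no
""")
SENTINEL_RULES = parse_ruleset("""
FromTo: alex@domain.com   *none*
FromTo: *@domain.com      archive@domain.com
FromTo: default           no
""")
NEGATED_RULES = parse_ruleset("""
FromTo: not alex@domain.com   archive@domain.com
FromTo: default               no
""")

if __name__ == "__main__":
    outside, alex = "x@elsewhere.example", "alex@domain.com"
    print("first match :", first_match(THREAD_RULES, outside, alex))
    print("collect all :", collect_all(THREAD_RULES, outside, alex))
    print("with *none* :", collect_all(SENTINEL_RULES, outside, alex, "*none*"))
    print("negated     :", collect_all(NEGATED_RULES, "jim@otherdomain.com",
                                       "bob@otherdomain.com"))
```

Before relying on an exclusion rule for a mailbox that must not be archived, send a test message and confirm where copies actually land.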
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:21 2006
Subject: MS4.x config/runtime issues
In-Reply-To:
References: <5.1.0.14.2.20021108104101.07142e20@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021108144327.040dad78@imap.ecs.soton.ac.uk>

At 12:04 08/11/2002, you wrote:
>On Fri, 8 Nov 2002, Julian Field wrote:
>
> > Can you try this:
> >
> > use Sys::Syslog;
> > use Carp;
> >
> > eval { $SIG{'__DIE__'} = 'IGNORE';
> >        croak "Bye bye";
> > };
> > $SIG{'__DIE__'} = 'DEFAULT';
> > print "Hello there\n";
> >
> > and tell me what it outputs. On my system I just get "Hello there". If the
> > "__DIE__" handler isn't working as expected, it will stop with an error.
>
>Get "Hello there".
>
>In the interim I had also tried further adjustments in that area of
>Log.pm, namely simply printing a message before and after the:
>   eval { Sys::Syslog::setlogsock('unix'); };
>(in its various incarnations).
>
>This confirmed that it was successfully getting past this point. In that
>sense all would *appear* to be well. (So I fully expected the "Hello there"
>from your test, anyway.)
>
>Another of my trials had been:
>   eval { Sys::Syslog::setlogsock('unix') ||
>          Sys::Syslog::setlogsock('inet'); };
>
>Again, that had successfully passed this point, but still produced all the
>messages, including my test "{before|after} setlogsock()", and including
>the:
>   We haven't got any child processes [...]
>   We have just tried to reap a process which wasn't one of ours!
>
>So I'm reasonably happy that our signal/DIE/eval stuff is OK.
>
>Rather, it looks as though the mere attempt to do "setlogsock('unix')" is
>itself having a longer-term side-effect which causes later problems. Am I
>hitting something odd in perl 5.6.0, I wonder?
>
>Given that we have a shared (from NetApp filers) perl installation across
>our Solaris/UNIX service we're not in a position simply to upgrade it at
>the drop of a hat. I'd have to find some other workaround, at least in
>the short-term.
>
> > For now, you can comment out the setlogsock line.
>
>Sure, that's a fine temporary hack, for us, for the moment.
>
>Looking to the wider community, is there some way that "Log.pm" could
>itself do the &_PATH_LOG check before committing to the apparently trojan
>"setlogsock('unix')"? (It seems ironic that our virus-scanner's
>innocent-looking "setlogsock('unix')" seems to have an infection-like
>result within itself!)

This is weird. The __DIE__ handler apparently works fine, and swallows "croak" messages. Inside Sys::Syslog it does a croak if the macro _PATH_LOG is not defined (which is actually a bug in Sys::Syslog). So how come with the __DIE__ handler you still get the croak message? And it certainly shouldn't cause it to stop completely.

That bit of code will have to go back to how it was (and you'll have to just comment out the setlogsock line), until I understand DynaLoader a lot better than I do now. I can't figure it at the moment. The bug is in AUTOLOAD itself (in Sys::Syslog) which makes it very hard to over-ride. I can't make it work, anyway. If someone else can, then let me know.
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From mkettler at EVI-INC.COM Fri Nov 8 15:52:14 2002
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:16:22 2006
Subject: unusual question
In-Reply-To:
Message-ID: <5.1.1.6.0.20021108103614.01a2b380@192.168.50.2>

Here's the best places I know of to get spam without soliciting it, these are places that spammers tend to "troll" for addresses:

1) usenet. make a few (legitimate please) posts to usenet groups with an unobscured address.

2) whois. Make sure you've got an email address in your whois database entries of your domain registration.

3) postmaster/webmaster. Many spammers just add these on. Some add on "mail@" as well since this is the default user that sendmail runs as on most linux boxes.

4) website. Put a mailto link on your website. Also create a geocities or other popular "free website" service with a mailto link.

5) mailing lists with public web archives.

6) as soon as you get a "millions of emails CD" or "millions of fax numbers on CD" message, be sure to unsubscribe. As far as I can tell those guys in particular never honor such removes and this will promote your status to being a "verified" address. Most spammers don't honor removes, but these guys are in the business of selling lists, and the bigger the better.

If you want to get more commercial/porn junk mail, even if it means you'll get some mail you did legitimately "opt-in" for (along with some you may not have):

1) go to some porn sites and many of them have "enter your email address for access" type deals. Eventually you'll hit one that also submits their database to a "millions of emails CD" database.

2) become a registered user at http://www.SomeoneLikesYou.com. Their privacy policy states that they don't sell all the email addresses they get, but that they DO sell the emails and mailing addresses of the users that do fully register.
At 03:17 PM 11/8/2002 +0000, you wrote: >Ok this is an odd one - I want to test the Spam capabilities harder now >presently we forward Spam that arrives with us but that only checks content >with spamassasin and not really checking any RBL etc as it looks as though >it comes from me not the spammer. > >So the question - I am going to setup a domain especially for this and then >I want to register (if you can call it that) for as much Spam and porn >rubbish as I can. Does anyone know any sure fire places to put your email >address that will result in being spammed? > >I am fairly broad minded but please nothing illegal. > >Regards > >Gavin From mkettler at EVI-INC.COM Fri Nov 8 16:02:58 2002 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:16:22 2006 Subject: unusual question In-Reply-To: <5.1.1.6.0.20021108103614.01a2b380@192.168.50.2> References: Message-ID: <5.1.1.6.0.20021108110148.01a0be80@192.168.50.2> Ack, that wasn't supposed to be a link to the orignal HTML of the spammish mail I got referencing them. It was supposed to be just a plain link to www.someonelikesyou.com. I guess that's what I get for copy-pasting :( >2) become a registered user at >http://www.SomeoneLikesYou.com. From raymond at PROLOCATION.NET Fri Nov 8 16:18:09 2002 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:16:22 2006 Subject: Virus In-Reply-To: <1036763108.23514.133.camel@linroute> Message-ID: Hi! > it was a serious request from my side and don't worry I will not blame > you or so. > > Give me a address and i'll send you a nice .zip to test your scanner setup > > with. I will make a nice collection tonight. Bye, Raymond. From carl.boberg at NRM.SE Fri Nov 8 16:21:33 2002 
From: carl.boberg at NRM.SE (Carl Boberg) Date: Thu Jan 12 21:16:22 2006 Subject: Log issue In-Reply-To: <5.1.0.14.2.20021108121921.03ef6e98@imap.ecs.soton.ac.uk> Message-ID: Thanks thats great! But that wasnt really what I meant... Im sorry but I wasnt clear enough. What I meant was that the lines with: MailScanner[1281]: [./gA8BPSU01371/eicar.zip] eicar.com^Iinfection: EICAR_Test_File I get one line per virus and the virus name on the same line (wich is perfect). But the exact same lines show up again when it does rescan. Do you see what Im getting at? Thing is that I would love to fix the log line so that it looked something like this: MailScanner[1281]: f-secure found [./gA8BPSU01371/eicar.zip] eicar.com Infection: EICAR_Test_File and the rescan line: MailScanner[1281]: f-secure rescan found [./gA8BPSU01371/eicar.zip] eicar.com Infection: EICAR_Test_File or something similar... Is this asking too much? If so can you point me to where I can fiddle around with this myself? Best regards The Very Greatful Carl > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: Friday, November 08, 2002 13:21 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Log issue > > > At 11:56 08/11/2002, you wrote: > >Question is: > >Is the rescan really neccessary? (Probably is a good idea) > > Yes. Vital. > > >If so, can I modify the rescan log entries somehow? > >If not, how do I turn it off? > > I have changed the logging so that you will get > Virus Scanning: f-secure found 2 infections > but then > Virus Re-scanning: f-secure found 2 infections > so you don't get identical log entries for different things. > > I hope that doesn't break too many people's scripts! > > >First scan: > >... > >MailScanner[1281]: New Batch: Scanning 1 messages, 2491 bytes > >MailScanner[1281]: Spam Checks: Starting > >MailScanner[1281]: [./gA8BPSU01371/eicar.zip] eicar.com^Iinfection: > >EICAR_Test_File > >MailScanner[1281]: [./gA8BPSU01371/eicar-1.zip] eicar.com^Iinfection: > >EICAR_Test_File > >MailScanner[1281]: Virus Scanning: f-secure found 2 infections > >MailScanner[1281]: Virus Scanning: Found 2 viruses > >MailScanner[1281]: Saved infected "eicar-1.zip" to > >/.../20021108/gA8BPSU01371 > >MailScanner[1281]: Saved infected "eicar.zip" to > >/.../quarantine/20021108/gA8BPSU01371 > >MailScanner[1281]: Cleaned: Delivered 1 cleaned messages > >.... > >Then Rescan: > >.... > >MailScanner[1281]: Notices: Warned about 1 messages > >MailScanner[1281]: Disinfection: Attempting to disinfect 1 messages > >MailScanner[1281]: [./gA8BPSU01371/eicar.zip] eicar.com^Iinfection: > >EICAR_Test_File > >MailScanner[1281]: [./gA8BPSU01371/eicar-1.zip] eicar.com^Iinfection: > >EICAR_Test_File > >MailScanner[1281]: Virus Scanning: f-secure found 2 infections > >MailScanner[1281]: Disinfection: Rescan found only 2 viruses > >.... > > > >BTW. Julian Field ROCKS! > > :-) > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 
023 8059 2817 University of Southampton > Southampton SO17 1BJ > From novirus at CARLO65.DE Fri Nov 8 16:25:21 2002 From: novirus at CARLO65.DE (Roland Ehle) Date: Thu Jan 12 21:16:22 2006 Subject: Virus In-Reply-To: References: Message-ID: <1036772721.23579.145.camel@linroute> That's great. If you want to prevent the bounces arriving at your account, just take testi@inbox4u.de as sender/reply-to address. Am Fre, 2002-11-08 um 17.18 schrieb Raymond Dijkxhoorn: > Hi! > > > it was a serious request from my side and don't worry I will not blame > > you or so. > > > > Give me a address and i'll send you a nice .zip to test your scanner setup > > > with. > > I will make a nice collection tonight. > > Bye, > Raymond. > > From LISTSERV at JISCMAIL.AC.UK Fri Nov 8 16:59:37 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:16:22 2006 Subject: MAILSCANNER: royce.williams@ACSALASKA.NET left the list Message-ID: <200211081659.QAA29342@magpie.ecs.soton.ac.uk> Fri, 8 Nov 2002 16:59:37 Royce Williams has just signed off the MAILSCANNER list (MailScanner mailing list). ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From LISTSERV at JISCMAIL.AC.UK Fri Nov 8 17:13:26 2002 
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:16:22 2006 Subject: MAILSCANNER: brahn@WOH.RR.COM requested to join Message-ID: <200211081713.RAA01604@magpie.ecs.soton.ac.uk> Fri, 8 Nov 2002 17:13:26 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Bruce Rahn . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER brahn@WOH.RR.COM Bruce Rahn The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+brahn%40WOH.RR.COM+Bruce+Rahn&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From ivan at NUCCI.COM.BR Fri Nov 8 17:29:40 2002 
From: ivan at NUCCI.COM.BR (Ivan Mirisola) Date: Thu Jan 12 21:16:22 2006 Subject: ClamAV - New Test Results References: <3DC96706.2060006@nucci.com.br> <3DC96ED5.5000007@nucci.com.br> <48567.10.0.0.5.1036750026.squirrel@webmail.dvere.dyndns.org> Message-ID: <3DCBF484.3000803@nucci.com.br> Thanks Ant La Porte, I think you're right. Perhaps clamAV's virus database is searching for some wrong pattern on this particular case. Maybe a few virus patterns are wrongly made. That was my first thought when I came up with this problem. Maybe when the project started out, the developers didn't thought this could be an issue and fixed the pattern searching when dealing with the new viruses - since Melissa is an old one. I hope the people from OpenAntiVirus Project can fix this problem in future releases. Sorry people. I don't think this issue is related to this list. Maybe I'll post something on to the TheAimsGroup. Right now I am just glad my server is not delivering BugBear to other users. Thanks anyway, Ivan Ant La Porte wrote: >Ivan Mirisola said: > > >>Hi All, >> >>I have performed new tests with some famous viruses found on >>vx.netlux.org. Only Melissa failed to be discovered by clamAV. I don't >>know why. The virus is found on a "visual basic for ms-word" format and >>had to be included in a document. Maybe clamAV is trying to find the >>original file that contaned the virus but this must be a wrong doing. My >>AVG Free Edition does check the document generated and is able to see >>that there is a virus within. >> >>Any thoughts, I'll be glad to hear. >> >>Sincerely, >>Ivan >> >> >> > >This thread on the openativirus-discuss list may be related: >http://marc.theaimsgroup.com/?l=openantivirus-discuss&m=103590759412100&w=2 > >-- >Ant La Porte - Dvere Network Services > > From t.d.lee at DURHAM.AC.UK Fri Nov 8 18:39:24 2002 
From: t.d.lee at DURHAM.AC.UK (David Lee)
Date: Thu Jan 12 21:16:23 2006
Subject: MS v3->v4 issue/observation
Message-ID:

Earlier this afternoon, I changed our main site relay (Solaris 8) from MS 3.25-1 to 4.06-1 (i.e. from 3 to 4). [For the curious: 4.06-1 is a version Julian had given me to test the "iframe-conversion" option.]

Neither our 3.x nor 4.x has used SpamAssassin.

Under 3.x, our log files used to get entries of the form:
    Message [...] is spam according to ORDB-RBL
and these were later detected via our "sendmail.logs.pl" to extract the daily spam-count.

But these entries no longer appear with 4.x. Which means our daily spam count (derived from "sendmail.logs.pl") will apparently reduce to zero.

But I'm reasonably sure SPAM is being detected because I see:
    RBL checks: [...] found in ORDB-RBL

Looking deeper, I see that the code (which seems to have migrated from 3.x "bin/sendmail.pl" to 4.x "bin/MailScanner/Message.pm") has changed its structure.

With 4.x, if the config file says "Use SpamAssassin = no", the code in "bin/MailScanner/Message.pm" seems to return (line ~315), so it never gets near the code that produces the "according to" message (line ~390).

1. Is this observation correct (or have I somehow mis-configured)?

2. Is this change in behaviour (version 3 -> 4) intentional or accidental?

3. Where do we go from here? (My config problem, or Julian's coding problem?)

(Off at a tangent, re: iframe: The good news (I presume) is that the log files have "Content Checks: Detected Microsoft-specific exploits [...]" entries.)

--
: David Lee I.T. Service :
: Systems Programmer Computer Centre :
: University of Durham :
: http://www.dur.ac.uk/t.d.lee/ South Road :
: Durham :
: Phone: +44 191 374 2882 U.K. :

From lbergman at wtxs.net Fri Nov 8 18:49:11 2002
From: lbergman at wtxs.net (Lewis Bergman) Date: Thu Jan 12 21:16:23 2006 Subject: The Challenge Message-ID: <200211081249.11611.lbergman@wtxs.net> All the talk and offers of donating hardware to Julian to further improve MS are great. I just don't think they go far enough. We are a commercial entity. We charge people money as a result of Julian's efforts. I think it is only fair that Julian be awarded at least some paltry sum as a result. I believe this should be the case if your are a large educational institution or a business. If you gain economic benefit by either costs saved or profits produced you should consider rewarding Julian's hard work out of gratitude. He hasn't asked for anything but I think version 4 proves it is high time to step up and reward him without him asking. My company has done this already. We wanted certain features which were either not on the radar screen or way down the list. Julian did not ask but I offered to "bump" these features up the list in exchange for paying him since he would obviously forgore some other pleasurable pursuits. As a direct result you have the old "domains.to.scan.conf" and its version 4 equivalent "Spam Checks". The improved F-Prot logging is also a result as well as some other minor things. We only did this when we thought that the features we requested were of use to the general population of MailScanner. I now challenge the rest of you to do the same. To date we have paid Julian $350.00 USD and there is no other software available that could do what MS does for even ten times that amount. When you ask for something that benefits you and causes Julian (or Nick) to do some work, seriously consider paying them. I think you could all let your conscience guide you as to when this is appropriate. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From lbergman at wtxs.net Fri Nov 8 18:57:16 2002 
From: lbergman at wtxs.net (Lewis Bergman) Date: Thu Jan 12 21:16:23 2006 Subject: MS v3->v4 issue/observation In-Reply-To: References: Message-ID: <200211081257.16440.lbergman@wtxs.net> > Under 3.x, our log files used to get entries of the form: > Message [...] is spam according to ORDB-RBL > But these entries no longer appear with 4.x. Which means our daily spam > count (derived from "sendmail.logs.pl") will apparently reduce to zero. > But I'm reasonably sure SPAM is being detected because I see: > RBL checks: [...] found in ORDB-RBL Before I migrated all of my rbl's to SA I used to get messages logged about the rbl lists but I don't remember the form. If the RBL checks: [...] found in ORDB-RBL is being spit out why can't you use that? -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From t.d.lee at DURHAM.AC.UK Fri Nov 8 19:02:52 2002 
From: t.d.lee at DURHAM.AC.UK (David Lee) Date: Thu Jan 12 21:16:23 2006 Subject: MS v3->v4 issue/observation In-Reply-To: <200211081257.16440.lbergman@wtxs.net> Message-ID: On Fri, 8 Nov 2002, Lewis Bergman wrote: > > Under 3.x, our log files used to get entries of the form: > > Message [...] is spam according to ORDB-RBL > > > But these entries no longer appear with 4.x. Which means our daily spam > > count (derived from "sendmail.logs.pl") will apparently reduce to zero. > > But I'm reasonably sure SPAM is being detected because I see: > > RBL checks: [...] found in ORDB-RBL > Before I migrated all of my rbl's to SA I used to get messages logged about > the rbl lists but I don't remember the form. If the RBL checks: [...] found > in ORDB-RBL is being spit out why can't you use that? Certainly I could use that. But I thought it worth mentioning "for the greater good of all" because it seems to be a change, possibly accidental, between v3 and v4, and because it has a knock-on effect with the widely used "sendmail.logs.pl". Thanks. Best wishes. -- : David Lee I.T. Service : : Systems Programmer Computer Centre : : University of Durham : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham : : Phone: +44 191 374 2882 U.K. : From mailscanner at ecs.soton.ac.uk Fri Nov 8 19:41:33 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:23 2006 Subject: MS v3->v4 issue/observation In-Reply-To: Message-ID: <5.1.0.14.2.20021108193934.03267630@imap.ecs.soton.ac.uk> At 18:39 08/11/2002, you wrote: >Earlier this afternnon, I changed our main site relay (Solaris 8) from MS >3.25-1 to 4.06-1 (i.e. from 3 to 4). [For the curious: 4.06-1 is a >version Julian had given me to test the "iframe-conversion" option.] > >Neither our 3.x nor 4.x has used SpamAssassin. >Under 3.x, our log files used to get entries of the form: > Message [...] is spam according to ORDB-RBL >and these were later detected via our "sendmail.logs.pl" to extract the >daily spam-count. >But these entries no longer appear with 4.x. Which means our daily spam >count (derived from "sendmail.logs.pl") will apparently reduce to zero. >But I'm reasonably sure SPAM is being detected because I see: > RBL checks: [...] found in ORDB-RBL >Looking deeper, I see that the code (which seems to have migrated from 3.x >"bin/sendmail.pl" to 4.x "bin/MailScanner/Message.pm") has changed its >structure. That's because V4 is a complete re-write from the ground up. The only bits of code that stayed were the virus scanner parsers. >With 4.x, if the config file says "Use SpamAssassin = no", the code in >"bin/MailScanner/Message.pm" seems to return (line ~315), so it never gets >never the code that produces the "according to" message (line ~390). >1. Is this observation correct (or have I somehow mis-configured)? Correct. >2. Is this change in behaviour (version 3 -> 4)intentional or accidental? Accidental. >3. Where do we go from here? (My config problem, or Julian's coding > problem?) I'll mail you a new Message.pm to try. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Nov 8 19:45:45 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:23 2006
Subject: MS v3->v4 issue/observation
In-Reply-To:
References: <200211081257.16440.lbergman@wtxs.net>
Message-ID: <5.1.0.14.2.20021108194328.03267e08@imap.ecs.soton.ac.uk>

At 19:02 08/11/2002, you wrote:
>it has a knock-on effect with the widely
>used "sendmail.logs.pl".

sendmail.logs.pl was a really dirty hack I knocked up in a hurry at work
one day. Never thought anyone might actually use it!

One of these fine days, when I'm sitting at work with nothing to do, I'll
get around to rewriting it rather better. :-)
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ
From jaearick at COLBY.EDU Fri Nov 8 19:50:22 2002
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:16:23 2006
Subject: The Challenge -- The Invoice
In-Reply-To: <200211081249.11611.lbergman@wtxs.net>
Message-ID:

Y'all,
   I well agree that Julian deserves remuneration for his fine work with
MailScanner. Colby College has benefited tremendously from his work.
The problem in a business bureaucracy is the beancounters. They want to
see an invoice for a product/service, a legal description of what they
are paying for, etc -- ye olde paper trail. The managers also want
accountability and budget control. I can't just get purchasing
to send somebody a check because I say he's a good guy.

   I have the same headache with other valuable "free but please contribute"
software like SpamCop. We use their blocklist; same issue with $$$.
We do pay for RBL+ ($125/year, I think) because they have a means of
billing us. But that means RBL+ suddenly has to have a support staff,
a billing office, paperwork, file tax forms -- be a business. Frankly,
RBL+ isn't a tenth as useful as SpamCop.

   The sad thing here is that while MailScanner is "free", Sophos sweep
is not. We pay good money to use sweep within MailScanner on our mail
server. We would have paid Sophos even more to use their inferior
MailMonitor software -- if their sales person hadn't recommended
MailScanner to me instead. IMHO, Sophos and the other anti-virus
vendors should be paying Julian for promoting sales of their products.

   The problem, for me at least, is not the money. It is the paperwork
needed to issue the check/cheque. Maybe Julian needs to start sending
out bills...

-----------------------------------
Jeff A. Earickson, Ph.D
Senior UNIX Sysadmin and Email Guru
Information Technology Services
Colby College, 4214 Mayflower Hill,
Waterville ME, 04901-8842
phone: 207-872-3659 (fax = 3076)
-----------------------------------

On Fri, 8 Nov 2002, Lewis Bergman wrote:

> Date: Fri, 8 Nov 2002 12:49:11 -0600
> From: Lewis Bergman
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: The Challenge
>
> All the talk and offers of donating hardware to Julian to further improve MS
> are great. I just don't think they go far enough. We are a commercial entity.
> We charge people money as a result of Julian's efforts. I think it is only
> fair that Julian be awarded at least some paltry sum as a result.
>
> I believe this should be the case if you are a large educational institution
> or a business. If you gain economic benefit by either costs saved or profits
> produced you should consider rewarding Julian's hard work out of gratitude.
> He hasn't asked for anything but I think version 4 proves it is high time to
> step up and reward him without him asking.
>
> My company has done this already. We wanted certain features which were either
> not on the radar screen or way down the list. Julian did not ask but I
> offered to "bump" these features up the list in exchange for paying him since
> he would obviously forgo some other pleasurable pursuits. As a direct
> result you have the old "domains.to.scan.conf" and its version 4 equivalent
> "Spam Checks". The improved F-Prot logging is also a result as well as some
> other minor things. We only did this when we thought that the features we
> requested were of use to the general population of MailScanner.
>
> I now challenge the rest of you to do the same. To date we have paid Julian
> $350.00 USD and there is no other software available that could do what MS
> does for even ten times that amount. When you ask for something that benefits
> you and causes Julian (or Nick) to do some work, seriously consider paying
> them. I think you could all let your conscience guide you as to when this is
> appropriate.
> --
> Lewis Bergman
> Texas Communications
> 4309 Maple St.
> Abilene, TX 79602-8044
> 915-695-6962 ext 115
>
From mailscanner at ecs.soton.ac.uk Fri Nov 8 19:57:29 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:23 2006
Subject: The Challenge -- The Invoice
In-Reply-To:
References: <200211081249.11611.lbergman@wtxs.net>
Message-ID: <5.1.0.14.2.20021108195401.0330df50@imap.ecs.soton.ac.uk>

At 19:50 08/11/2002, you wrote:
>Y'all,
>   I well agree that Julian deserves remuneration for his fine work with
>MailScanner. Colby College has benefited tremendously from his work.
>The problem in a business bureaucracy is the beancounters. They want to
>see an invoice for a product/service, a legal description of what they
>are paying for, etc -- ye olde paper trail. The managers also want
>accountability and budget control. I can't just get purchasing
>to send somebody a check because I say he's a good guy.
>
>   I have the same headache with other valuable "free but please contribute"
>software like SpamCop. We use their blocklist; same issue with $$$.
>We do pay for RBL+ ($125/year, I think) because they have a means of
>billing us. But that means RBL+ suddenly has to have a support staff,
>a billing office, paperwork, file tax forms -- be a business. Frankly,
>RBL+ isn't a tenth as useful as SpamCop.
>
>   The sad thing here is that while MailScanner is "free", Sophos sweep
>is not. We pay good money to use sweep within MailScanner on our mail
>server. We would have paid Sophos even more to use their inferior
>MailMonitor software -- if their sales person hadn't recommended
>MailScanner to me instead. IMHO, Sophos and the other anti-virus
>vendors should be paying Julian for promoting sales of their products.
>
>   The problem, for me at least, is not the money. It is the paperwork
>needed to issue the check/cheque. Maybe Julian needs to start sending
>out bills...

I have a consulting company run by a friend of mine (with all the necessary
"official" paperwork) in the UK. I can always issue invoices through his
company if that helps. That way the taxman gets 50% of it, but it's very
official.

If you would like paper invoices issued by a UK registered company, that's
no problem at all. And I am already personally registered in the US for tax
purposes as well as in the UK.

>-----------------------------------
>Jeff A. Earickson, Ph.D
>Senior UNIX Sysadmin and Email Guru
>Information Technology Services
>Colby College, 4214 Mayflower Hill,
>Waterville ME, 04901-8842
>phone: 207-872-3659 (fax = 3076)
>-----------------------------------
>
>On Fri, 8 Nov 2002, Lewis Bergman wrote:
>
> > Date: Fri, 8 Nov 2002 12:49:11 -0600
> > From: Lewis Bergman
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: The Challenge
> >
> > All the talk and offers of donating hardware to Julian to further
> improve MS
> > are great. I just don't think they go far enough. We are a commercial
> entity.
> > We charge people money as a result of Julian's efforts. I think it is only
> > fair that Julian be awarded at least some paltry sum as a result.
> >
> > I believe this should be the case if you are a large educational
> institution
> > or a business. If you gain economic benefit by either costs saved or
> profits
> > produced you should consider rewarding Julian's hard work out of gratitude.
> > He hasn't asked for anything but I think version 4 proves it is high
> time to
> > step up and reward him without him asking.
> >
> > My company has done this already. We wanted certain features which were
> either
> > not on the radar screen or way down the list. Julian did not ask but I
> > offered to "bump" these features up the list in exchange for paying him
> since
> > he would obviously forgo some other pleasurable pursuits. As a direct
> > result you have the old "domains.to.scan.conf" and its version 4 equivalent
> > "Spam Checks". The improved F-Prot logging is also a result as well as some
> > other minor things. We only did this when we thought that the features we
> > requested were of use to the general population of MailScanner.
> >
> > I now challenge the rest of you to do the same. To date we have paid Julian
> > $350.00 USD and there is no other software available that could do what MS
> > does for even ten times that amount. When you ask for something that
> benefits
> > you and causes Julian (or Nick) to do some work, seriously consider paying
> > them. I think you could all let your conscience guide you as to when
> this is
> > appropriate.
> > --
> > Lewis Bergman
> > Texas Communications
> > 4309 Maple St.
> > Abilene, TX 79602-8044
> > 915-695-6962 ext 115
> >
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ
From mike at CAMAROSS.NET Fri Nov 8 20:23:48 2002
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:16:23 2006
Subject: unusual question
In-Reply-To:
Message-ID: <004001c28764$befe6e60$6501a8c0@mikedesk>

Yeah...go post some messages in the newsgroups. You can also look for
messages with a title like "Spambot Bait" and the like. They are filled
with hundreds of email addresses :)

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Gavin Nelmes-Crocker
Sent: Friday, November 08, 2002 9:18 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: unusual question

Ok this is an odd one - I want to test the Spam capabilities harder now.
Presently we forward Spam that arrives with us, but that only checks content
with spamassassin and not really checking any RBL etc. as it looks as though
it comes from me, not the spammer.

So the question - I am going to set up a domain especially for this and then
I want to register (if you can call it that) for as much Spam and porn
rubbish as I can. Does anyone know any sure fire places to put your email
address that will result in being spammed? I am fairly broad minded but
please nothing illegal.

Regards
Gavin
From alex at IALEX.NET Fri Nov 8 20:38:09 2002
From: alex at IALEX.NET (Alex Short)
Date: Thu Jan 12 21:16:23 2006
Subject: Friend-Greetings.com
Message-ID:

I had blocked for friendgreetings.com and 'you have an e-card from' from
last month, but just a heads up that one of my users received a:

'you have a Greeting card from'

And a link to www.friend-greetings.com

Just a warning, the second I saw it I added friend-greeting.com to my deny
list and now changing the spamassassin rule to toss it into the high score
spam list.

Weee..

Alex
From sysadmin at DMS.UMONTREAL.CA Fri Nov 8 22:13:10 2002
From: sysadmin at DMS.UMONTREAL.CA (Chris Albert)
Date: Thu Jan 12 21:16:23 2006
Subject: Cannot open ruleset file 7.5....
Message-ID: <3DCC36F6.103@dms.umontreal.ca>

Greetings,

Trying to upgrade to version 4
(MailScanner-4.05-3, on Solaris 7, perl 5.6.1,
sophos,SA 2.43..) and I get the following error
messages, resulting from setting

# required_hits value can be set to different values for different messages.
Required SpamAssassin Score = 7.5

An intermediate value that seemed useful in the past,
but now gets interpreted as a file name:

Cannot open ruleset file 7.5, \
No such file or directory at /opt/MailScanner/bin/MailScanner/Config.pm line 891

But seems to work okay if I give an integer value
for the required minimum spam score.

Chris

--
--------------------------------------------------------------------
  Christopher Albert
  Responsable des services informatiques
  Departement de mathematiques et de statistique
  Universite de Montreal

  bureau 6188, Pavillon Andre-Aisenstadt
  Tel: (514) 343-2281 Fax: (514) 343-5700
--------------------------------------------------------------------
From mike at CAMAROSS.NET Fri Nov 8 22:20:51 2002
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:16:23 2006
Subject: Cannot open ruleset file 7.5....
In-Reply-To: <3DCC36F6.103@dms.umontreal.ca>
Message-ID: <004601c28775$18e37b40$6501a8c0@mikedesk>

Try either 7 or 8

Seems like I had a similar problem where it wouldn't accept the decimal
point.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Chris Albert
Sent: Friday, November 08, 2002 4:13 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Cannot open ruleset file 7.5....

Greetings,

Trying to upgrade to version 4
(MailScanner-4.05-3, on Solaris 7, perl 5.6.1,
sophos,SA 2.43..) and I get the following error
messages, resulting from setting

# required_hits value can be set to different values for different messages.
Required SpamAssassin Score = 7.5

An intermediate value that seemed useful in the past,
but now gets interpreted as a file name:

Cannot open ruleset file 7.5, \
No such file or directory at /opt/MailScanner/bin/MailScanner/Config.pm line 891

But seems to work okay if I give an integer value
for the required minimum spam score.

Chris

--
--------------------------------------------------------------------
  Christopher Albert
  Responsable des services informatiques
  Departement de mathematiques et de statistique
  Universite de Montreal

  bureau 6188, Pavillon Andre-Aisenstadt
  Tel: (514) 343-2281 Fax: (514) 343-5700
--------------------------------------------------------------------
From mailscanner at ecs.soton.ac.uk Fri Nov 8 22:22:40 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:23 2006
Subject: Cannot open ruleset file 7.5....
In-Reply-To: <3DCC36F6.103@dms.umontreal.ca>
Message-ID: <5.1.0.14.2.20021108222056.033de1f8@imap.ecs.soton.ac.uk>

Many thanks for the bug report. I thought I had fixed this before, but I
only half-fixed it :-(

If you edit Config.pm, and change line 1343 to say

    $isrules = 1 if $first !~ /^[\d.]*$/; # Rules aren't all digits or .

then the problem should disappear.

This will be included in the next release.

At 22:13 08/11/2002, you wrote:
>Greetings,
>
>Trying to upgrade to version 4
>(MailScanner-4.05-3, on Solaris 7, perl 5.6.1,
>sophos,SA 2.43..) and I get the following error
>messages, resulting from setting
># required_hits value can be set to different values for different
>messages.
>Required SpamAssassin Score = 7.5
>
>An intermediate value that seemed useful in the past,
>but now gets interpreted as a file name:
>
>
>Cannot open ruleset file 7.5, \
>No such file or directory at /opt/MailScanner/bin/MailScanner/Config.pm
>line 891
>
>But seems to work okay if I give an integer value
>for the required minimum spam score.
>
>Chris
>
>--
>--------------------------------------------------------------------
>  Christopher Albert
>  Responsable des services informatiques
>  Departement de mathematiques et de statistique
>  Universite de Montreal
>
>  bureau 6188, Pavillon Andre-Aisenstadt
>  Tel: (514) 343-2281 Fax: (514) 343-5700
>--------------------------------------------------------------------
>
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ
From mrlynx at LAING.E-TARLAC.COM Sat Nov 9 00:35:57 2002
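[Added example, not part of the list archive and not MailScanner source code: it shows how the pattern posted in the "Cannot open ruleset file 7.5...." thread above classifies values of "Required SpamAssassin Score". The digits-only pattern is an assumed stand-in for the "half-fixed" check (the post does not show it), and the stricter pattern, the helper name is_rules and the sample values are assumptions of this example.]

```perl
#!/usr/bin/perl
# Added illustration: how a "plain value vs. ruleset file" test classifies
# values of "Required SpamAssassin Score". Not MailScanner source code.
use strict;
use warnings;

# ASSUMPTION: a digits-only test, standing in for the "half-fixed" check.
# The list post does not show the earlier pattern.
my $digits_only = qr/^\d*$/;

# The pattern from the fix posted for Config.pm line 1343.
my $posted_fix = qr/^[\d.]*$/;

# ASSUMPTION: a stricter test added by this example: digits, an optional
# fractional part, and \z so a trailing newline is not silently accepted.
my $strict = qr/^\d+(?:\.\d+)?\z/;

# Same shape as the posted line: anything that does not look like a plain
# value is taken to be the name of a ruleset file.
sub is_rules {
    my ($first, $plain_value) = @_;
    my $isrules = 0;
    $isrules = 1 if $first !~ $plain_value;
    return $isrules;
}

# Constructed sample values; the ruleset path is hypothetical.
my @samples = (
    '7',
    '7.5',
    '/opt/MailScanner/etc/rules/spam.score.rules',
    '',
    '.',
    '1.2.3',
    "7.5\n",
);

my @checks = (
    [ 'digits-only', $digits_only ],
    [ 'posted fix',  $posted_fix  ],
    [ 'strict',      $strict      ],
);

# Header row, then one row per sample value.
printf "%-46s", 'value';
printf " %-12s", $_->[0] for @checks;
print "\n";

for my $value (@samples) {
    (my $shown = $value) =~ s/\n/\\n/g;    # make the newline visible
    printf "%-46s", "'$shown'";
    for my $check (@checks) {
        printf " %-12s", is_rules($value, $check->[1]) ? 'ruleset' : 'value';
    }
    print "\n";
}
```

[With the digits-only test, 7.5 is classed as a ruleset file name, which is the misclassification the report describes. The posted pattern classes it as a value, but also accepts the empty string, "." and "1.2.3", which the stricter test rejects.]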
From: mrlynx at LAING.E-TARLAC.COM (Joseph C. Bautista -mrlynx-) Date: Thu Jan 12 21:16:23 2006 Subject: MS v3->v4 issue/observation In-Reply-To: <5.1.0.14.2.20021108194328.03267e08@imap.ecs.soton.ac.uk> Message-ID: On Fri, 8 Nov 2002, Julian Field wrote: > At 19:02 08/11/2002, you wrote: > >it has a knock-on effect with the widely > >used "sendmail.logs.pl". > > sendmail.logs.pl was a really dirty hack I knocked up in a hurry at work > one day. > Never thought anyone might actually use it! > > One of these fine days, when I'm sitting at work with nothing to do, I'll > get around to rewriting it rather better. That ROCKS!!! Just wondering, with all the MS stuff, when is the last time you're sitting and nothing to do? Awesome! > :-) > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > > -- +-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=- _ _ _ - o' \,=./ `o - (o o) - +--------------ooO--(_)-----Ooo------------+ | Mr. Joseph C. Bautista | | NOC, e-Tarlac.com | | email add: mrlynx@e-tarlac.com | | URL: http://www.e-tarlac.com | +--------------------------(_)-------------+ - |__|__| - - | | | | - - ooO Ooo - -- This message has been scanned for viruses and dangerous content by e-Tarlac e-Mail Virus Scanner, and is believed to be clean. From mike at CAMAROSS.NET Sat Nov 9 03:06:56 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:16:23 2006 Subject: [Virus Detected] {VIRUS?} HMIME-Version: 1.0 In-Reply-To: <200211090241.gA92faam027527@mail.atcnet.net> Message-ID: Now THAT'S ironic! :) -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of mailscanner Sent: Friday, November 08, 2002 8:42 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: [Virus Detected] {VIRUS?} HMIME-Version: 1.0 Warning: This message has had one or more attachments removed. Warning: Please read the "VirusWarning.txt" attachment(s) for more information. Warning: This message has had one or more attachments removed. Please read the "VirusWarning.txt" attachment(s) for more information. From mailscanner at ecs.soton.ac.uk Sat Nov 9 11:42:59 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:23 2006 Subject: MS v3->v4 issue/observation In-Reply-To: References: <5.1.0.14.2.20021108194328.03267e08@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20021109114122.03058e98@imap.ecs.soton.ac.uk> At 00:35 09/11/2002, you wrote: >On Fri, 8 Nov 2002, Julian Field wrote: > > At 19:02 08/11/2002, you wrote: > > >it has a knock-on effect with the widely > > >used "sendmail.logs.pl". > > > > sendmail.logs.pl was a really dirty hack I knocked up in a hurry at work > > one day. > > Never thought anyone might actually use it! > > > > One of these fine days, when I'm sitting at work with nothing to do, I'll > > get around to rewriting it rather better. > >That ROCKS!!! Just wondering, with all the MS stuff, when is the last time >you're sitting and nothing to do? Errr.... Christmas Day last year during the inevitable showing of an old James Bond film on the TV possibly? :-) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mark at TIPPINGMAR.COM Sat Nov 9 20:07:31 2002 
From: mark at TIPPINGMAR.COM (Mark Nienberg) Date: Thu Jan 12 21:16:23 2006 Subject: {VIRUS?} {VIRUS?} HMIME-Version: 1.0 In-Reply-To: <200211090241.gA92faam027527@mail.atcnet.net> Message-ID: Hmm, what happened here? That was my mail server that identified the message from the list as a virus and sent the notification back to the list. 1. Why did the list accept a post from my mail server (obviously not a list member). 2. Why aren't there notifications here from everyone else? Mark On Friday, November 8, 2002, at 06:41 PM, mailscanner wrote: > Warning: This message has had one or more attachments removed. > Warning: Please read the "VirusWarning.txt" attachment(s) for more > information. > > This is a message from the MailScanner E-Mail Virus Protection Service > ---------------------------------------------------------------------- > The original e-mail attachment "the entire message" > was found to be infected by a virus and has been > replaced by this warning message. > > The attachment is being stored on the mail server and > it is possible for mark to retrieve it using the info > in this message. > > At Fri Nov 8 18:53:31 2002 the virus scanner said: > Possible Microsoft security vulnerability attack > > Note: Look on the MailScanner in /var/spool/MailScanner/quarantine > (message gA92rIZ09681). > -- > Postmaster From novirus at CARLO65.DE Sat Nov 9 20:11:29 2002 
From: novirus at CARLO65.DE (Roland Ehle) Date: Thu Jan 12 21:16:23 2006 Subject: {VIRUS?} {VIRUS?} HMIME-Version: 1.0 In-Reply-To: References: Message-ID: <1036872689.20798.25.camel@linroute> Hi Mark, it would be interesting to have the original message header, such as sender and subject, to identify. As far, as I can see, I did not receive this message. Regards, Roland Am Sam, 2002-11-09 um 21.07 schrieb Mark Nienberg: > Hmm, what happened here? That was my mail server that identified the > message from the list as a virus and sent the notification back to the > list. > > 1. Why did the list accept a post from my mail server (obviously not a > list member). > > 2. Why aren't there notifications here from everyone else? > > Mark > > On Friday, November 8, 2002, at 06:41 PM, mailscanner wrote: > > > Warning: This message has had one or more attachments removed. > > Warning: Please read the "VirusWarning.txt" attachment(s) for more > > information. > > > > This is a message from the MailScanner E-Mail Virus Protection Service > > ---------------------------------------------------------------------- > > The original e-mail attachment "the entire message" > > was found to be infected by a virus and has been > > replaced by this warning message. > > > > The attachment is being stored on the mail server and > > it is possible for mark to retrieve it using the info > > in this message. > > > > At Fri Nov 8 18:53:31 2002 the virus scanner said: > > Possible Microsoft security vulnerability attack > > > > Note: Look on the MailScanner in /var/spool/MailScanner/quarantine > > (message gA92rIZ09681). > > -- > > Postmaster > > From novirus at CARLO65.DE Sat Nov 9 20:28:11 2002 
From: novirus at CARLO65.DE (Roland Ehle) Date: Thu Jan 12 21:16:23 2006 Subject: {VIRUS?} {VIRUS?} HMIME-Version: 1.0 In-Reply-To: References: Message-ID: <1036873691.20796.32.camel@linroute> Oki sorry, I did receive the message and it contained an IFrame tag. Just found the warning message in my postmasters mailbox. Very strange thing that. Am Sam, 2002-11-09 um 21.07 schrieb Mark Nienberg: > Hmm, what happened here? That was my mail server that identified the > message from the list as a virus and sent the notification back to the > list. > > 1. Why did the list accept a post from my mail server (obviously not a > list member). > > 2. Why aren't there notifications here from everyone else? > > Mark > > On Friday, November 8, 2002, at 06:41 PM, mailscanner wrote: > > > Warning: This message has had one or more attachments removed. > > Warning: Please read the "VirusWarning.txt" attachment(s) for more > > information. > > > > This is a message from the MailScanner E-Mail Virus Protection Service > > ---------------------------------------------------------------------- > > The original e-mail attachment "the entire message" > > was found to be infected by a virus and has been > > replaced by this warning message. > > > > The attachment is being stored on the mail server and > > it is possible for mark to retrieve it using the info > > in this message. > > > > At Fri Nov 8 18:53:31 2002 the virus scanner said: > > Possible Microsoft security vulnerability attack > > > > Note: Look on the MailScanner in /var/spool/MailScanner/quarantine > > (message gA92rIZ09681). > > -- > > Postmaster > > From novirus at CARLO65.DE Sat Nov 9 20:32:42 2002 
From: novirus at CARLO65.DE (Roland Ehle) Date: Thu Jan 12 21:16:23 2006 Subject: {VIRUS?} {VIRUS?} HMIME-Version: 1.0 In-Reply-To: References: Message-ID: <1036873962.20797.35.camel@linroute> Mark, just for your information. Your mailscanner did not send a notification back to the list, nobody did at all. But your mailscanner replaced the original message by the warning text. Regards, Roland (a little bit confused about all that :-)) Am Sam, 2002-11-09 um 21.07 schrieb Mark Nienberg: > Hmm, what happened here? That was my mail server that identified the > message from the list as a virus and sent the notification back to the > list. > > 1. Why did the list accept a post from my mail server (obviously not a > list member). > > 2. Why aren't there notifications here from everyone else? > > Mark > > On Friday, November 8, 2002, at 06:41 PM, mailscanner wrote: > > > Warning: This message has had one or more attachments removed. > > Warning: Please read the "VirusWarning.txt" attachment(s) for more > > information. > > > > This is a message from the MailScanner E-Mail Virus Protection Service > > ---------------------------------------------------------------------- > > The original e-mail attachment "the entire message" > > was found to be infected by a virus and has been > > replaced by this warning message. > > > > The attachment is being stored on the mail server and > > it is possible for mark to retrieve it using the info > > in this message. > > > > At Fri Nov 8 18:53:31 2002 the virus scanner said: > > Possible Microsoft security vulnerability attack > > > > Note: Look on the MailScanner in /var/spool/MailScanner/quarantine > > (message gA92rIZ09681). > > -- > > Postmaster > > From novirus at CARLO65.DE Sat Nov 9 20:35:39 2002 
From: novirus at CARLO65.DE (Roland Ehle) Date: Thu Jan 12 21:16:23 2006 Subject: {Virus?} [MAILSCANNER] {VIRUS?} HMIME-Version: 1.0 In-Reply-To: <200211090241.gA92faam027527@mail.atcnet.net> References: <200211090241.gA92faam027527@mail.atcnet.net> Message-ID: <1036874139.20796.38.camel@linroute> Can somebody explain please, why I do have a replaced html-message part, but the base64-encoded part of the message is still in there and not decoded. Regards, Roland Am Sam, 2002-11-09 um 03.41 schrieb mailscanner: > Warnung: Diese Nachricht enthielt einen oder mehrere Dateianhaenge, die entfernt wurden > Warnung: (msg-7015-1.html) > Warnung: Bitte lesen Sie den oder die "VirusWarning.txt" Dateianhaenge fuer genauere Informationen. > > > ---- > > Dies ist eine Nachricht vom MailScanner (E-Mail Virus Protection Service) > ------------------------------------------------------------------------- > Der Dateianhang "msg-7015-1.html" > ist von einem Virus verseucht und wurde durch diese Nachricht ersetzt. > > Wenn Sie eine Kopie der Original Nachricht wuenschen, wenden Sie sich bitte > per Mail oder Telefon an Ihren Systemadministrator. Bitte halten Sie diese > Meldung bereit. > > Am Sat Nov 9 03:53:28 2002 meldete der Virenscanner folgendes: > Found dangerous IFrame tag in HTML message > > > Hinweis an den Administrator: > Datei ist auf Rechner: the MailScanner im Verzeichnis /var/spool/MailScanner/quarantine/20021109 (NachrichtenID gA92rQ307820) abgespeichert. > > -- > Postmaster > ---- > > This is a message from the MailScanner E-Mail Virus Protection Service > ---------------------------------------------------------------------- > The original e-mail attachment ".exe" > was believed to be infected by a virus and has been replaced by this warning > message. > > If you wish to receive a copy of the *infected* attachment, please > e-mail helpdesk and include the whole of this message > in your request. 
Alternatively, you can call them, with > the contents of this message to hand when you call. > > At Fri Nov 8 19:42:26 2002 the virus scanner said: > >>> Virus 'W32/Klez-H' found in file ./gA92faam027527/.exe > > Note to Help Desk: Look on the MailScanner in /var/spool/MailScanner/quarantine (message gA92faam027527). > -- > Postmaster > ---- > > Content-Type: application/octet-stream; > name=I256022-4[1].jpg > Content-Transfer-Encoding: base64 > Content-ID: > > /9j/4AAQSkZJRgABAgEASABIAAD/7Q2mUGhvdG9zaG9wIDMuMAA4QklNA+0AAAAAABAASAAA > AAEAAQBIAAAAAQABOEJJTQQNAAAAAAAEAAAAeDhCSU0D8wAAAAAACAAAAAAAAAAAOEJJTQQK > AAAAAAABAAA4QklNJxAAAAAAAAoAAQAAAAAAAAACOEJJTQP1AAAAAABIAC9mZgABAGxmZgAG From mark at TIPPINGMAR.COM Sat Nov 9 20:41:34 2002 From: mark at TIPPINGMAR.COM (Mark Nienberg) Date: Thu Jan 12 21:16:23 2006 Subject: {VIRUS?} {VIRUS?} HMIME-Version: 1.0 In-Reply-To: <1036873962.20797.35.camel@linroute> Message-ID: Ah! Thanks for that. I grok it now. On Saturday, November 9, 2002, at 12:32 PM, Roland Ehle wrote: > Mark, > > just for your information. Your mailscanner did not send a notification > back to the list, nobody did at all. But your mailscanner replaced the > original message by the warning text. > > Regards, > Roland (a little bit confused about all that :-)) From sysadmin at DMS.UMONTREAL.CA Sat Nov 9 22:24:51 2002 
From: sysadmin at DMS.UMONTREAL.CA (Chris Albert)
Date: Thu Jan 12 21:16:23 2006
Subject: Mailscanner-4.05-3
Message-ID: <3DCD8B33.2000705@dms.umontreal.ca>

Greetings,

I've recently installed version 4 from a tarball on a Solaris U10, and I
just wanted to point out that

1. The script Sophos.install uses Linux names for the compressed tarball
   and tarball variables.

2. Given the changes in the filesystem hierarchy under the quarantine
   directory and the new naming convention for spam files saved there, the
   script df2mbox no longer works correctly.

I saw on the mailing list that Julian had considered including df2mbox in
the distribution. I personally have found this little tool quite useful if
you save high ranked spam to make periodic checks, especially after SA
upgrades, or to show users that you have only quarantined junk. In fact,
other contributors have put other scripts up on the mailing list that have
been useful too (e.g. Peter Peters), and I think it would be nice if the
'contributed tools' portion of the website contained some of these tools as
well.

I realize these are trivial issues, but I get the impression that the
designers of this tool are perfectionists.

As for version 4, even in my little shop, there is a noticeable increase in
speed and memory efficiency. Bravo gentlemen.

Chris

--
--------------------------------------------------------------------
  Christopher Albert
  Responsable des services informatiques
  Departement de mathematiques et de statistique
  Universite de Montreal

  bureau 6188, Pavillon Andre-Aisenstadt
  Tel: (514) 343-2281 Fax: (514) 343-5700
--------------------------------------------------------------------
From LISTSERV at JISCMAIL.AC.UK Sat Nov 9 12:48:36 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:24 2006
Subject: Mailscanner-4.05-3
In-Reply-To: <3DCD8B33.2000705@dms.umontreal.ca>
Message-ID: <5.1.0.14.2.20021110142857.0244add0@imap.ecs.soton.ac.uk>

At 22:24 09/11/2002, you wrote:
>I've recently installed version 4 from a tarball on a Solaris U10,
>and I just wanted to point out that
>
>1. The script Sophos.install uses Linux names for
>the compressed tarball and tarball variables.

I should probably just put in Linux and non-Linux versions of it. I'll take
a look.

>2. Given the changes in the filesystem hierarchy
>under the quarantine directory and the new naming
>convention for spam files saved there, the script df2mbox
>no longer works correctly.

Please try the attached one and let me know if it works okay or not. None
of my servers here quarantine spam (for legal reasons).

>I saw on the mailing list that Julian had considered including
>df2mbox in the distribution. I personally have found this little
>tool quite useful if you save high ranked spam to make periodic
>checks, especially after SA upgrades, or to show users that
>you have only quarantined junk.

Done.

>In fact, other contributors have put other scripts up on the mailing
>list that have been useful too (e.g. Peter Peters), and I think it
>would be nice if the 'contributed tools' portion of the website
>contained some of these tools as well.

Good idea. What would people like to see in it? And where can I get the
latest versions of the contributed scripts?

>I realize these are trivial issues, but I get the impression
>that the designers of this tool are perfectionists.

Me, perfectionist, never :-)

>As for version 4, even in my little shop, there is a noticeable increase
>in speed and memory efficiency. Bravo gentlemen.

Thank you!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: df2mbox
Type: application/octet-stream
Size: 1559 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021110/5bc78a73/df2mbox.obj
-------------- next part --------------
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From email at ace.net.au Sun Nov 10 15:04:42 2002
From: email at ace.net.au (Peter Nitschke)
Date: Thu Jan 12 21:16:24 2006
Subject: OT Sendmail
In-Reply-To: <5.1.1.6.0.20021108110148.01a0be80@192.168.50.2>
References: <5.1.1.6.0.20021108110148.01a0be80@192.168.50.2>
Message-ID: <200211110134420878.0C4E9EF3@smtp1.ace.net.au>

Slightly off-topic.

Some twonk has started using randomly generated email addresses based on a
domain that I host as the return address for a massive spamming session.

I am getting hammered with rejection notices from msn, yahoo etc.

Is there a way for sendmail to block these rejection notices outright?

I tried adding

    mailer-daemon@* REJECT

to the /etc/mail/access to no avail.

I can kill them with MS, but would prefer to block them before they even
get that far to save bandwidth and CPU on the mail server.

Thanks in advance for any help on this one.

Peter

From sysadmin at DMS.UMONTREAL.CA Sun Nov 10 15:32:19 2002
From: sysadmin at DMS.UMONTREAL.CA (Chris Albert)
Date: Thu Jan 12 21:16:24 2006
Subject: Mailscanner-4.05-3
References: <5.1.0.14.2.20021110142857.0244add0@imap.ecs.soton.ac.uk>
Message-ID: <3DCE7C03.8020909@dms.umontreal.ca>

Julian Field wrote:

> At 22:24 09/11/2002, you wrote:
>
>> I've recently installed version 4 from a tarball on a Solaris U10,
>> and I just wanted to point out that
>>
>> 1. The script Sophos.install uses Linux names for
>> the compressed tarball and tarball variables.
>
>
> I should probably just put in Linux and non-Linux versions of it. I'll
> take
> a look.
>
>> 2. Given the changes in the filesystem hierarchy
>> under the quarantine directory and the new naming
>> convention for spam files saved there, the script df2mbox
>> no longer works correctly.
>
>
> Please try the attached one and let me know if it works okay or not. None
> of my servers here quarantine spam (for legal reasons).

Well the directory part seems right, but since I moved to v4
all the messages under spam begin with gA... . If I replace
all occurrences of qf with gA and change the occurrence of
df$id to cat gA$id, the script seems to work, except the output
file is not readable by mutt -f in the same way as before. However
if I look at the file with less, it seems correct; though I don't
exactly understand why you eliminate the S from Subject, for example.

Chris

--
--------------------------------------------------------------------
Christopher Albert
Responsable des services informatiques
Departement de mathematiques et de statistique
Universite de Montreal
bureau 6188, Pavillon Andre-Aisenstadt
Tel: (514) 343-2281 Fax: (514) 343-5700
--------------------------------------------------------------------

From mailscanner at ecs.soton.ac.uk Sun Nov 10 15:39:31 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:24 2006
Subject: Mailscanner-4.05-3
In-Reply-To: <3DCE7C03.8020909@dms.umontreal.ca>
References: <5.1.0.14.2.20021110142857.0244add0@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021110153720.02431970@imap.ecs.soton.ac.uk>

At 15:32 10/11/2002, you wrote:
>Julian Field wrote:
>
>>At 22:24 09/11/2002, you wrote:
>>
>>>I've recently installed version 4 from a tarball on a Solaris U10,
>>>and I just wanted to point out that
>>>
>>>1. The script Sophos.install uses Linux names for
>>>the compressed tarball and tarball variables.
>>
>>
>>I should probably just put in Linux and non-Linux versions of it. I'll
>>take
>>a look.
>>
>>>2. Given the changes in the filesystem hierarchy
>>>under the quarantine directory and the new naming
>>>convention for spam files saved there, the script df2mbox
>>>no longer works correctly.
>>
>>
>>Please try the attached one and let me know if it works okay or not. None
>>of my servers here quarantine spam (for legal reasons).
>
>Well the directory part seems right, but since I moved to v4
>all the messages under spam begin with gA... .

You need to be storing the quarantine files in "raw queue files" format

    # When you quarantine an entire message, do you want to store it as
    # raw mail queue files (so you can easily send them onto users) or
    # as human-readable files (header then body in 1 file)?
    Quarantine Whole Messages As Queue Files = yes

Otherwise there is no need to use the df2mbox script at all, as the
quarantined files are already readable whole messages.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From henrik at CHELLE.NU Mon Nov 11 09:42:25 2002
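What turning a quarantined "raw queue files" pair into one mbox entry involves, as an added sketch. It is not the df2mbox script attached earlier in this thread (the attachment is not reproduced on this page); the sample queue records are constructed, and skipping Return-Path and taking the mbox date from the T record are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example: convert one sendmail queue pair (qf = envelope + headers,
# df = body) into a single mbox entry for review in a mail reader.
use strict;
use warnings;
use POSIX qw(strftime);

# Constructed sample queue files; ids, hosts and addresses are invented.
my $SAMPLE_QF = <<'END';
V6
T1036936100
P30721
Fbs
S<bulk@sender.example>
RPFD:<user@example.org>
H?P?Return-Path: <$g>
H??Received: from relay.sender.example (relay.sender.example [192.0.2.25])
    by mx.example.org (8.12.5/8.12.5) with ESMTP id gAADmKX12345
    for <user@example.org>; Sun, 10 Nov 2002 13:48:20 GMT
H??From: Bulk Sender <bulk@sender.example>
H??Subject: Special offer
H??Date: Sun, 10 Nov 2002 13:48:00 GMT
.
END

my $SAMPLE_DF = <<'END';
Hello,

From now on you will receive our offers weekly.
END

sub queue_to_mbox {
    my ($qf, $df) = @_;
    my ($sender, $created, $in_header, @headers) = ('MAILER-DAEMON', time, 0);

    for my $line (split /\n/, $qf) {
        last if $line eq '.';                    # end-of-queue-file record
        next if $line eq '';
        if ($line =~ /^[ \t]/) {                 # folded header continuation
            $headers[-1] .= "\n$line" if $in_header;
            next;
        }
        # Every qf record starts with a one-character type code.
        my ($code, $rest) = (substr($line, 0, 1), substr($line, 1));
        $in_header = 0;
        if ($code eq 'S') {                      # envelope sender
            $rest =~ s/^<(.*)>$/$1/;
            $sender = $rest if $rest ne '';      # empty sender = bounce
        }
        elsif ($code eq 'T') {                   # queue creation time (epoch)
            $created = $rest if $rest =~ /^\d+$/;
        }
        elsif ($code eq 'H') {                   # header record
            # Strip only the optional ?flags? field that follows the code,
            # so "H??Subject: x" and "HSubject: x" both give "Subject: x".
            $rest =~ s/^\?[^?]*\?//;
            # Assumption: Return-Path in the queue file is a macro template,
            # not a literal address, so it is left out of the mbox entry.
            next if $rest =~ /^Return-Path:/i;
            push @headers, $rest;
            $in_header = 1;
        }
    }

    # mbox readers treat "From " at the start of a line as a new message,
    # so body lines that begin that way must be quoted.
    (my $body = $df) =~ s/^From />From /mg;
    $body .= "\n" unless $body =~ /\n\z/;

    my $stamp = strftime('%a %b %e %H:%M:%S %Y', gmtime($created));
    return "From $sender $stamp\n" . join("\n", @headers) . "\n\n$body\n";
}

sub slurp {
    my ($path) = @_;
    open my $fh, '<', $path or die "$path: $!";
    local $/;
    return scalar <$fh>;
}

unless (caller) {
    if (@ARGV) {                                 # directory of qf*/df* pairs
        for my $qfpath (glob "$ARGV[0]/qf*") {
            (my $dfpath = $qfpath) =~ s{/qf([^/]*)\z}{/df$1};
            print queue_to_mbox(slurp($qfpath), slurp($dfpath));
        }
    }
    else {
        print queue_to_mbox($SAMPLE_QF, $SAMPLE_DF);
    }
}
```

Run without arguments it prints the constructed sample as one mbox entry; redirected to a file, the result can be opened with a reader such as `mutt -f`.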
From: henrik at CHELLE.NU (Henrik Kjellsson)
Date: Thu Jan 12 21:16:24 2006
Subject: Licensing
Message-ID: <3DCF7B81.7000906@chelle.nu>

Hi!

This might be a bit Off Topic.

A customer of the company that I work for has asked for a new
mail security solution and of course I thought of Mailscanner. However the
company is a bit cost-sensitive and can not afford an expensive solution.
So I'm wondering what kind of licenses for the antivirus software do you
use on your sites?

/Chelle

From tony.johansson at SVENSKAKYRKAN.SE Mon Nov 11 09:58:50 2002
From: tony.johansson at SVENSKAKYRKAN.SE (Tony Johansson)
Date: Thu Jan 12 21:16:24 2006
Subject: SV: Licensing
Message-ID: <3C4F5084EF16D4119CE700508B6B8B10058D07C2@nt.svenskakyrkan.se>

Hello,

I would recommend F-Prot.

We protect 11.000 users with Mailscanner and F-Prot at a total licensing
cost of $450 for two servers.

Trend wanted $130.000 so I would hesitate to recommend them to anyone
cost-sensitive...

regards,
tony

-----Original message-----
From: Henrik Kjellsson [mailto:henrik@CHELLE.NU]
Sent: Monday, November 11, 2002 10:42 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Licensing

Hi!

This might be a bit Off Topic.

A customer of the company that I work for has asked for a new
mail security solution and of course I thought of Mailscanner. However the
company is a bit cost-sensitive and can not afford an expensive solution.
So I'm wondering what kind of licenses for the antivirus software do you
use on your sites?

/Chelle

From mailscanner at ecs.soton.ac.uk Mon Nov 11 10:42:02 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:24 2006
Subject: Licensing
In-Reply-To: <3DCF7B81.7000906@chelle.nu>
Message-ID: <5.1.0.14.2.20021111104108.01fb1648@imap.ecs.soton.ac.uk>

At 09:42 11/11/2002, you wrote:
>A customer of the company that I work for has asked for a new
>mail security solution and of course I thought of Mailscanner. However the
>company is a bit cost-sensitive and can not afford an expensive solution.
>So I'm wondering what kind of licenses for the antivirus software do you
>use on your sites?

The cheapest solutions are usually F-Prot (www.f-prot.com) and RAV
(www.ravantivirus.com) as I *believe* they both charge per server rather
than per user.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From andersan at LTKALMAR.SE Mon Nov 11 10:52:39 2002
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:16:24 2006
Subject: Installation questions..
Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EC60@lkl22.ltkalmar.se>

Hi

I've finally received my new servers and wanna make the best out of it.
But there are a few questions I would like some input on.

Server config:
2x 1,4 GHz
1256 Mb
2x 18G scsi/raid1
RH 8.0
The servers will also work as DNS and DNS-caching servers

Since I really don't have a clue how MS/SA works regarding language
is there any point installing support for other language i.e. Swedish
than English?

What is the most busy dir for mailscanner so I can put that in the
beginning of hard drive (mqueue/mqueue.in or the /usr/lib/MailScanner)?

Thinking of making separate partitions for mqueue in case I need
to reinstall?

Anything else I should consider or should not do?

Kind regards

/Anders

From mailscanner at ecs.soton.ac.uk Mon Nov 11 11:40:24 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:24 2006
Subject: Installation questions..
In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263EC60@lkl22.ltkalmar.se>
Message-ID: <5.1.0.14.2.20021111113240.036e4440@imap.ecs.soton.ac.uk>

At 10:52 11/11/2002, you wrote:
>Server config:
>2x 1,4 GHz
>1256 Mb
>2x 18G scsi/raid1
>RH 8.0
>The servers will also work as DNS and DNS-caching servers
>
>Since I really don't have a clue how MS/SA works regarding language
>is there any point installing support for other language i.e. Swedish
>than English?

MS/SA won't make much use of other languages. You can set the character
encoding you want to use (probably ISO-8859-15 in your case) in
MailScanner.conf, and then just translate the reports into Swedish. (Please
can you send me the translation results if you do this so I can add them to
the distribution!)

>What is the most busy dir for mailscanner so I can put that in the
>beginning of hard drive (mqueue/mqueue.in or the /usr/lib/MailScanner)?

Doesn't make any difference these days as the "cylinder/head/sector"
address is totally artificial now as they are translated from the real
position on the disks.

>Thinking of making separate partitions for mqueue in case I need
>to reinstall?

I would advise putting /var/spool into a partition on its own. That way
mqueue+mqueue.in are on the same partition, and sendmail will handle
gracefully odd things happening like your quarantine filling up.

You might want to put /var/log on its own too, so rampant logs don't knock
your server out.

>Anything else I should consider or should not do?
>
>Kind regards
>
>/Anders

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From andersan at LTKALMAR.SE Mon Nov 11 11:44:52 2002
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:16:24 2006
Subject: SV: Installation questions..
Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EC62@lkl22.ltkalmar.se>

> -----Original message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: 11 November 2002 12:40
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Installation questions..
>
>
> At 10:52 11/11/2002, you wrote:
> >Server config:
> >2x 1,4 GHz
> >1256 Mb
> >2x 18G scsi/raid1
> >RH 8.0
> >The servers will also work as DNS and DNS-caching servers
> >
> >Since I really don't have a clue how MS/SA works regarding language
> >is there any point installing support for other language i.e. Swedish
> >than English?
>
> MS/SA won't make much use of other languages. You can set the
> character
> encoding you want to use (probably ISO-8859-15 in your case) in
> MailScanner.conf, and then just translate the reports into
> Swedish. (Please
> can you send me the translation results if you do this so I
> can add them to
> the distribution!)

I sure will do that as soon as it's done....thanks Julian

>
> >What is the most busy dir for mailscanner so I can put that in the
> >beginning of hard drive (mqueue/mqueue.in or the /usr/lib/MailScanner)?
>
> Doesn't make any difference these days as the "cylinder/head/sector"
> address is totally artificial now as they are translated from the real
> position on the disks.
>
> >Thinking of making separate partitions for mqueue in case I need
> >to reinstall?
>
> I would advise putting /var/spool into a partition on its
> own. That way
> mqueue+mqueue.in are on the same partition, and sendmail will handle
> gracefully odd things happening like your quarantine filling up.
>
> You might want to put /var/log on its own too, so rampant
> logs don't knock
> your server out.
>
> >Anything else I should consider or should not do?
> >
> >Kind regards
> >
> >/Anders
>
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ
>

From andersan at LTKALMAR.SE Mon Nov 11 11:55:27 2002
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:16:24 2006
Subject: SV: Installation questions..
Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EC63@lkl22.ltkalmar.se>

Just thought of one more question, how to handle the time set.
Can't figure out what's best, to put bios clock to GMT and then tell
RH to use UTC+1 or use local time.

/Anders

> -----Original message-----
> From: Anders Andersson, IT [mailto:andersan@LTKALMAR.SE]
> Sent: 11 November 2002 12:45
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: SV: Installation questions..
>
>
> > -----Original message-----
> > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> > Sent: 11 November 2002 12:40
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Installation questions..
> >
> >
> > At 10:52 11/11/2002, you wrote:
> > >Server config:
> > >2x 1,4 GHz
> > >1256 Mb
> > >2x 18G scsi/raid1
> > >RH 8.0
> > >The servers will also work as DNS and DNS-caching servers
> > >
> > >Since I really don't have a clue how MS/SA works regarding language
> > >is there any point installing support for other language
> i.e. Swedish
> > >than English?
> >
> > MS/SA won't make much use of other languages. You can set the
> > character
> > encoding you want to use (probably ISO-8859-15 in your case) in
> > MailScanner.conf, and then just translate the reports into
> > Swedish. (Please
> > can you send me the translation results if you do this so I
> > can add them to
> > the distribution!)
>
> I sure will do that as soon as it's done....thanks Julian
>
> >
> > >What is the most busy dir for mailscanner so I can put that in the
> > >beginning of hard drive (mqueue/mqueue.in or the
> /usr/lib/MailScanner)?
> >
> > Doesn't make any difference these days as the "cylinder/head/sector"
> > address is totally artificial now as they are translated
> from the real
> > position on the disks.
> >
> > >Thinking of making separate partitions for mqueue in case I need
> > >to reinstall?
> >
> > I would advise putting /var/spool into a partition on its
> > own. That way
> > mqueue+mqueue.in are on the same partition, and sendmail will handle
> > gracefully odd things happening like your quarantine filling up.
> >
> > You might want to put /var/log on its own too, so rampant
> > logs don't knock
> > your server out.
> >
> > >Anything else I should consider or should not do?
> > >
> > >Kind regards
> > >
> > >/Anders
> >
> > --
> > Julian Field                Teaching Systems Manager
> > jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> > Tel. 023 8059 2817          University of Southampton
> >                             Southampton SO17 1BJ
> >
>

From andersan at LTKALMAR.SE Mon Nov 11 13:17:15 2002
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:16:24 2006
Subject: SV: Installation questions..
Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EC67@lkl22.ltkalmar.se>

> -----Original message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>
> At 10:52 11/11/2002, you wrote:
> >Server config:
> >2x 1,4 GHz
> >1256 Mb
> >2x 18G scsi/raid1
> >RH 8.0
> >The servers will also work as DNS and DNS-caching servers
> >
> >Since I really don't have a clue how MS/SA works regarding language
> >is there any point installing support for other language i.e. Swedish
> >than English?
>
> MS/SA won't make much use of other languages. You can set the
> character
> encoding you want to use (probably ISO-8859-15 in your case) in
> MailScanner.conf, and then just translate the reports into
> Swedish. (Please
> can you send me the translation results if you do this so I
> can add them to
> the distribution!)
>
> >What is the most busy dir for mailscanner so I can put that in the
> >beginning of hard drive (mqueue/mqueue.in or the /usr/lib/MailScanner)?
>
> Doesn't make any difference these days as the "cylinder/head/sector"
> address is totally artificial now as they are translated from the real
> position on the disks.
>
> >Thinking of making separate partitions for mqueue in case I need
> >to reinstall?
>
> I would advise putting /var/spool into a partition on its
> own. That way
> mqueue+mqueue.in are on the same partition, and sendmail will handle
> gracefully odd things happening like your quarantine filling up.

Is there any idea of making /var/spool/MailScanner or.../quarantine
a separate partition or just make /var/spool big enough to handle
both quarantine etc... say like 10 G's

>
> You might want to put /var/log on its own too, so rampant
> logs don't knock
> your server out.
>
> >Anything else I should consider or should not do?
> >
> >Kind regards
> >
> >/Anders
>
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ
>

From x.mailscanner.mail at MELLONI.COM Mon Nov 11 14:09:50 2002
From: x.mailscanner.mail at MELLONI.COM (Bruno)
Date: Thu Jan 12 21:16:24 2006
Subject: Virus-carrying spam
Message-ID: <200211111409.gABE9nX20397@ori.rl.ac.uk>

In case nobody noticed yet, I'd like to bring to your attention that spam and viruses are no longer separate issues.

One of my accounts has been consistently receiving spam that carries the Klez virus for the last week. Mailscanner seems to stop it fine, but it is a disturbing new development and I thought it should be mentioned.

From mailscanner at ecs.soton.ac.uk Mon Nov 11 14:44:05 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:24 2006
Subject: SV: Installation questions..
In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263EC67@lkl22.ltkalmar.se>
Message-ID: <5.1.0.14.2.20021111144118.044eff80@imap.ecs.soton.ac.uk>

At 13:17 11/11/2002, you wrote:
> > -----Original message-----
> > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> >
> > At 10:52 11/11/2002, you wrote:
> > >Server config:
> > >2x 1,4 GHz
> > >1256 Mb
> > >2x 18G scsi/raid1
> > >RH 8.0
> > >The servers will also work as DNS and DNS-caching servers
> > >
> > >Since I really don't have a clue how MS/SA works regarding language
> > >is there any point installing support for other language i.e. Swedish
> > >than English?
> >
> > MS/SA won't make much use of other languages. You can set the
> > character
> > encoding you want to use (probably ISO-8859-15 in your case) in
> > MailScanner.conf, and then just translate the reports into
> > Swedish. (Please
> > can you send me the translation results if you do this so I
> > can add them to
> > the distribution!)
> >
> > >What is the most busy dir for mailscanner so I can put that in the
> > >beginning of hard drive (mqueue/mqueue.in or the /usr/lib/MailScanner)?
> >
> > Doesn't make any difference these days as the "cylinder/head/sector"
> > address is totally artificial now as they are translated from the real
> > position on the disks.
> >
> > >Thinking of making separate partitions for mqueue in case I need
> > >to reinstall?
> >
> > I would advise putting /var/spool into a partition on its
> > own. That way
> > mqueue+mqueue.in are on the same partition, and sendmail will handle
> > gracefully odd things happening like your quarantine filling up.
>
>Is there any idea of making /var/spool/MailScanner or.../quarantine
>a separate partition or just make /var/spool big enough to handle
>both quarantine etc... say like 10 G's

If you put incoming and quarantine on the same partition as the mqueue.in
and mqueue, then just before you run out of disk space sendmail will stop
accepting incoming connections until you give it more space. So you don't
a) risk message corruption caused by not having enough space to extract the
attachments
b) risk data loss by not having a full quarantine

In MailScanner I intentionally do not watch for disk full errors because
1) it's very hard to do portably
2) sendmail is very good at it already
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From Richard.Lush at HP.COM Mon Nov 11 14:55:59 2002
From: Richard.Lush at HP.COM (Lush, Richard)
Date: Thu Jan 12 21:16:24 2006
Subject: Virus-carrying spam
Message-ID:

I don't agree that they are the same issue. Viruses are starting to use spam
techniques but they are still separate issues. A spam message won't delete
files but a virus will. That account that is receiving a klez it is not
receiving spam, it is receiving a virus.

Just my two pence worth.

Richard

-----Original Message-----
From: Bruno [mailto:x.mailscanner.mail@MELLONI.COM]
Sent: 11 November 2002 14:10
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Virus-carrying spam

In case nobody noticed yet, I'd like to bring to your attention that spam
and viruses are no longer separate issues.

One of my accounts has been consistently receiving spam that carries the
Klez virus for the last week. Mailscanner seems to stop it fine, but it is a
disturbing new development and I thought it should be mentioned.

From gavin at NETERGY.COM Mon Nov 11 15:04:56 2002
From: gavin at NETERGY.COM (Gavin Nelmes-Crocker)
Date: Thu Jan 12 21:16:24 2006
Subject: Bogofilter
Message-ID:

Hi

Is it possible to use this
http://bogofilter.sourceforge.net/bogofilter-faq.html in place of or as well
as SpamAssassin - what are people's thoughts on how this works good/bad etc.

Thanks

Gavin

From mailscanner at ecs.soton.ac.uk Mon Nov 11 15:24:35 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:24 2006
Subject: Bogofilter
In-Reply-To:
Message-ID: <5.1.0.14.2.20021111152327.062a0ec0@imap.ecs.soton.ac.uk>

At 15:04 11/11/2002, you wrote:
>Is it possible to use this
>http://bogofilter.sourceforge.net/bogofilter-faq.html in place of or as well
>as SpamAssassin - what are people's thoughts on how this works good/bad etc.

The SpamAssassin folks have plans to include Bayesian techniques in their
filtering engine at some point, so I didn't really investigate this any
further.

If lots of people want it and can confirm that it is worth all the effort
required, then I'll take a look.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From ipswitch at APK.NET Mon Nov 11 15:39:04 2002
From: ipswitch at APK.NET (Stuart Krivis)
Date: Thu Jan 12 21:16:24 2006
Subject: Bogofilter
In-Reply-To:
References:
Message-ID: <333845968.1037011144@[10.1.3.2]>

--On Monday, November 11, 2002 3:04 PM +0000 Gavin Nelmes-Crocker wrote:

>
> Is it possible to use this
> http://bogofilter.sourceforge.net/bogofilter-faq.html in place of or as
> well as SpamAssassin - what are people's thoughts on how this works
> good/bad etc.

bogofilter won't run anywhere other than Linux so that limits things a bit.

It also doesn't really fit very well into a standard mail setup. It
certainly can't really be used as you would use MailScanner and/or
SpamAssassin within the MTA.

It fits in much better at the MUA level, but then you have to worry about
how to integrate it with the myriad e-mail clients in use....

--

Stuart Krivis                          Hostmaster and Purchasing Manager
APK Net, Inc.                          216-241-7166 Voice
1621 Euclid Ave., Suite 1230           216-241-7522 FAX
Cleveland, OH 44115

From ipswitch at APK.NET Mon Nov 11 15:42:23 2002
From: ipswitch at APK.NET (Stuart Krivis)
Date: Thu Jan 12 21:16:24 2006
Subject: Bogofilter
In-Reply-To: <5.1.0.14.2.20021111152327.062a0ec0@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20021111152327.062a0ec0@imap.ecs.soton.ac.uk>
Message-ID: <334045296.1037011343@[10.1.3.2]>

--On Monday, November 11, 2002 3:24 PM +0000 Julian Field wrote:

> At 15:04 11/11/2002, you wrote:
>> Is it possible to use this
>> http://bogofilter.sourceforge.net/bogofilter-faq.html in place of or as
>> well as SpamAssassin - what are people's thoughts on how this works
>> good/bad etc.
>
> The SpamAssassin folks have plans to include Bayesian techniques in their
> filtering engine at some point, so I didn't really investigate this any
> further.

I don't see how they're going to work that, unless they plan to apply it to
an entire server, in which case you lose much of the benefit.

--

Stuart Krivis                          Hostmaster and Purchasing Manager
APK Net, Inc.                          216-241-7166 Voice
1621 Euclid Ave., Suite 1230           216-241-7522 FAX
Cleveland, OH 44115

From lbergman at wtxs.net Mon Nov 11 16:33:42 2002
From: lbergman at wtxs.net (Lewis Bergman)
Date: Thu Jan 12 21:16:24 2006
Subject: Bogofilter
In-Reply-To:
References:
Message-ID: <200211111033.42360.lbergman@wtxs.net>

On Monday 11 November 2002 09:04 am, Gavin Nelmes-Crocker wrote:
> Hi
>
> Is it possible to use this
> http://bogofilter.sourceforge.net/bogofilter-faq.html in place of or as
> well as SpamAssassin - what are people's thoughts on how this works good/bad
> etc.

There doesn't seem to be enough info available on the site to say one way or
the other.

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
915-695-6962 ext 115

From mrl at GENSTEAM.COM Mon Nov 11 19:55:18 2002
From: mrl at GENSTEAM.COM (Mary Ross Lynch)
Date: Thu Jan 12 21:16:24 2006
Subject: how to install vipul's razor
Message-ID: <007701c289bc$42ebc5c0$370410ac@ns.uu.net>

I am running the latest versions of MailScanner/Sophos/Spamassassin on
RedHat 7.0 with
sendmail to scan email messages as they pass the mail gateway. Everything
working great.

However, I would like to add Vipul's Razor to the mix. And wonder what I
should install
to do this. I have looked around the various sites, but can't quite figure
out what
should be installed...

I did find this quote on a spamassassin site:

"Spamassassin will detect whether Razor is available and, by default, use
it if so."

Would appreciate any help,

Thanks,

Mary R. Lynch
Systems Administrator
General Steamship Corp.

From mkettler at EVI-INC.COM Mon Nov 11 20:55:17 2002
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:16:24 2006
Subject: how to install vipul's razor
In-Reply-To: <007701c289bc$42ebc5c0$370410ac@ns.uu.net>
Message-ID: <5.1.1.6.0.20021111154609.01fa5138@192.168.50.2>

Just download the razor-agents tarball from razor.sf.net and install it as
per the directions in the INSTALL file. Done.

The perl modules needed by razor can be installed from CPAN like the
documentation says, but they leave out that the command to get into cpan is:

    perl -MCPAN -e shell

you can then do:

    install Net::Ping
    install Net::DNS

etc. (the full list is in the INSTALL file).

SpamAssassin will automatically use razor if it's installed, just like they
say. No additional configuration is necessary, although if you want to
tweak your razor settings you'll have to edit the razor-agent.conf file,
but it's not really necessary.

If you want to test if SpamAssassin is using razor run:

    spamassassin -tD

>I am running the latest versions of MailScanner/Sophos/Spamassassin on
>RedHat 7.0 with
>sendmail to scan email messages as they pass the mail gateway. Everything
>working great.
>
>However, I would like to add Vipul's Razor to the mix. And wonder what I
>should install
>to do this. I have looked around the various sites, but can't quite figure
>out what
>should be installed...
>
>I did find this quote on a spamassassin site:
>
>"Spamassassin will detect whether Razor is available and, by default, use
>it if so."
>
>Would appreciate any help,
>
>Thanks,
>
>Mary R. Lynch
>Systems Administrator
>General Steamship Corp.

From srusin at ICONTECH.COM Mon Nov 11 21:08:49 2002
From: srusin at ICONTECH.COM (Steve Rusin) Date: Thu Jan 12 21:16:24 2006 Subject: white/black list question... Message-ID: <5.1.1.6.0.20021111160329.02ce5118@elvis.icontech.com> Does the latest version of MailScanner allow me to scan or not scan mail not only from a specific user, but to a specific user? I want to implement a "This mail is/is not spam" option, and I'd like to do something like this in the white list file: toandfrom: myemail@mydomain.com not_a_spammer@other_domain.com yes so that any mail coming to myemail@mydomain from not_a_spammer@other_domain.com will not be scanned, however if the mail was coming from not_a_spammer@other_domain.com to another_email@mydomain.com, it would be scanned. My apologies if this has already been covered, I searched the archives to no avail. Thanks, STeve ------------------------------- Stephen Rusin srusin@icontech.com Programmer Icon Technologies, Inc. http://www.icontech.com p: 570.876.6908 f: 570.876.8538 ------------------------------- 09.11.2001 - Remember. From mailscanner at ecs.soton.ac.uk Mon Nov 11 21:48:10 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:24 2006 Subject: white/black list question... In-Reply-To: <5.1.1.6.0.20021111160329.02ce5118@elvis.icontech.com> Message-ID: <5.1.0.14.2.20021111214450.03db0e80@imap.ecs.soton.ac.uk> At 21:08 11/11/2002, you wrote: >Does the latest version of MailScanner allow me to scan or not scan mail >not only from a specific user, but to a specific user? I want to implement >a "This mail is/is not spam" option, and I'd like to do something like this >in the white list file: > >toandfrom: myemail@mydomain.com not_a_spammer@other_domain.com yes > >so that any mail coming to myemail@mydomain from >not_a_spammer@other_domain.com will not be scanned, however if the mail was >coming from not_a_spammer@other_domain.com to another_email@mydomain.com, >it would be scanned. The rules only currently allow 1 address to match, not combinations of addresses (the whole system could get absurdly complex!). However, if you are up to writing a teeny bit of Perl code, you can do this with a custom function in CustomConfig.pm. This could even read the relevant matching email addresses from a database if you wanted. How many different combinations of this sort of rule are you trying to handle? 1, 5, 5000? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mrl at GENSTEAM.COM Mon Nov 11 23:02:47 2002 From: mrl at GENSTEAM.COM (Mary Ross Lynch) Date: Thu Jan 12 21:16:24 2006 Subject: how to install vipul's razor In-Reply-To: <5.1.1.6.0.20021111154609.01fa5138@192.168.50.2> Message-ID: <003d01c289d6$73774c40$370410ac@ns.uu.net> Thanks very much, Matt. Will try it now. Mary -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Matt Kettler Sent: Monday, November 11, 2002 12:55 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: how to install vipul's razor Just download the razor-agents tarball from razor.sf.net and install it as per the directions in the INSTALL file. Done. The perl modules needed by razor can be installed from CPAN like the documentation says, but they leave out that the command to get into cpan is: perl -MCPAN -e shell you can then do: install Net::Ping install Net::DNS etc. (the full list is in the INSTALL file). SpamAssassin will automatically use razor if it's installed, just like they say. No additional configuration is necessary, although if you want to tweak your razor settings you'll have to edit the razor-agent.conf file, but it's not really necessary. If you want to test if SpamAssassin is using razor run: spamassassin -tD I am running the latest versions of MailScanner/Sophos/Spamassassin on >RedHat 7.0 with >sendmail to scan email messages as they pass the mail gateway. Everything >working great. > >However, I would like to add Vipul's Razor to the mix. And wonder what I >should install >to do this. I have looked around the various sites, but can't quite figure >out what >should be installed... > >I did find this quote on a spamassassin site: > >"Spamassassin will detect whether Razor is available and, by default, use >it if so." > >Would appreciate any help, > >Thanks, > >Mary R. Lynch >Systems Administrator >General Steamship Corp. From robert at VCT.SI Tue Nov 12 11:53:37 2002 
From: robert at VCT.SI (Robert)
Date: Thu Jan 12 21:16:24 2006
Subject: IFrame tags
Message-ID: <3DD0F9D1.14025.5608232@localhost>

Hi

Recently there was a discussion on IFrame tags in e-mails, but I still don't get it. If you allow IFrame tags in MailScanner, and the incoming mail with IFrame tag is infected, the virus scanner should intercept it, right?

As far as I can see, the only time "Allow IFrame Tags" option is useful, when there is a quickly spreading new virus (exploiting this vulnerability) and my virus scanner is not yet updated with new definitions.

Am I missing something here?

--
Robert Manfreda
VCT d.o.o., Idrija

From brian at PORTSMOUTH-COLLEGE.AC.UK Tue Nov 12 13:40:06 2002
From: brian at PORTSMOUTH-COLLEGE.AC.UK (Brian Chivers - ICT Support Officer Portsmouth College)
Date: Thu Jan 12 21:16:24 2006
Subject: Licensing
References: <3DCF7B81.7000906@chelle.nu>
Message-ID: <006501c28a51$02d51be0$65c8a8c0@portsmouthcollege.ac.uk>

We run Sophos. As an educational establishment we get very good pricing.

Brian Chivers

----- Original Message -----
From: "Henrik Kjellsson"
To:
Sent: Monday, November 11, 2002 9:42 AM
Subject: Licensing

Hi!

This might be a bit Off Topic. A customer of the company that I work for has asked for a new mail security solution and of course I thought of Mailscanner. However the company is a bit cost-sensitive and can not afford an expensive solution. So I'm wondering what kind of licenses for the antivirus software do you use on your sites?

/Chelle

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From brose at MED.WAYNE.EDU Tue Nov 12 13:47:42 2002
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:16:24 2006
Subject: IFrame tags
Message-ID:

Someone can correct me if I'm wrong, but I believe the problem is that IFRAME can be used to reference a URL to a remote system and doesn't need to contain executable code. The IFRAME can cause the email client to download and execute the code from that remote system so a virus scanner on a mail gateway is ineffective because the message doesn't include the code.

-----Original Message-----
From: Robert [mailto:robert@VCT.SI]
Sent: Tuesday, November 12, 2002 6:54 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: IFrame tags

Hi

Recently there was a discussion on IFrame tags in e-mails, but I still don't get it. If you allow IFrame tags in MailScanner, and the incoming mail with IFrame tag is infected, the virus scanner should intercept it, right?

As far as I can see, the only time "Allow IFrame Tags" option is useful, when there is a quickly spreading new virus (exploiting this vulnerability) and my virus scanner is not yet updated with new definitions.

Am I missing something here?

--
Robert Manfreda
VCT d.o.o., Idrija

From novirus at CARLO65.DE Tue Nov 12 14:02:10 2002
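A gateway-side check for the case raised in the IFrame tags thread, as an added example that is not part of any post here and not MailScanner's own code: since the referenced content never travels in the message, the gateway can only act on the tag itself. The function names and the sample message are constructed for illustration; the `allow_iframe_tags` parameter is a hypothetical stand-in for the "Allow IFrame Tags" option.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse


class IFrameFinder(HTMLParser):
    """Collect the src attribute of every <iframe> tag in one HTML part."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <IFRAME SRC=...> matches.
        if tag == "iframe":
            self.sources.append(dict(attrs).get("src") or "")


def find_iframes(raw_message: bytes):
    """Return [(src, is_remote), ...] for every iframe in the message's HTML parts."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        try:
            html = part.get_content()
        except (LookupError, UnicodeError):
            # Unknown or broken charset: still inspect the markup.
            html = part.get_payload(decode=True).decode("latin-1")
        finder = IFrameFinder()
        finder.feed(html)
        for src in finder.sources:
            # A network location means the content lives outside the message,
            # where a scanner that only sees the message cannot inspect it.
            findings.append((src, bool(urlparse(src).netloc)))
    return findings


def gateway_verdict(raw_message: bytes, allow_iframe_tags: bool = False):
    """Block on any iframe unless the (hypothetical) allow switch is on."""
    findings = find_iframes(raw_message)
    if findings and not allow_iframe_tags:
        return "block", findings
    return "pass", findings


# Constructed sample message: one iframe pointing off-host, one at an attached part.
SAMPLE = b"""\
From: sender@example.invalid
To: user@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

plain text body
--b1
Content-Type: text/html; charset="us-ascii"

<html><body>
<IFRAME SRC="http://files.example.invalid/page" width=0 height=0></IFRAME>
<iframe src="cid:part2"></iframe>
</body></html>
--b1--
"""

if __name__ == "__main__":
    print(gateway_verdict(SAMPLE))
```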
From: novirus at CARLO65.DE (Roland Ehle)
Date: Thu Jan 12 21:16:24 2006
Subject: IFrame tags
In-Reply-To:
References:
Message-ID: <1037109730.6484.33.camel@linroute>

Hi,

On Tue, 2002-11-12 at 14:47, Rose, Bobby wrote:
> Someone can correct me if I'm wrong, but I believe the problem is that
> IFRAME can be used to reference a URL to a remote system and doesn't need
> to contain executable code. The IFRAME can cause the email client to
> download and execute the code from that remote system so a virus
> scanner on a mail gateway is ineffective because the message doesn't
> include the code.

Exactly this is the problem. The infected code will not be found during the download with the MUA, only in a full system scan.

I decided not to allow IFrame and my customers are happy with it. You just need a good explanation for the reason.

Regards,
Roland

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Nov 12 13:59:25 2002
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:16:24 2006
Subject: reporting to Razor/Pyzor
Message-ID: <4E7026FF8A422749B1553FE508E0068004ABA3@message.intern.akctech.de>

Hi,

is there a way to tell MailScanner to report Spam to Razor/Pyzor e.g. via SpamAssassin?

Thanks,
JP

--
Seceidos GmbH     | Jan-Peter Koopmann | Senior Engineer
Wilhelminenstr. 2 | Tel.: +49 (6151) 66843-43
64283 Darmstadt   |       +49 (6151) 9511-252 (24H VoiceCenter)
Germany           | Fax:  +49 (6151) 66843-52

From LISTSERV at JISCMAIL.AC.UK Tue Nov 12 14:18:26 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:16:24 2006 Subject: MAILSCANNER: srusin@ICONTECH.COM left the list Message-ID: <200211121419.OAA16407@magpie.ecs.soton.ac.uk> Tue, 12 Nov 2002 14:18:26 Stephen Rusin has just signed off the MAILSCANNER list (MailScanner mailing list). ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From lsu at DC.LUTH.SE Tue Nov 12 15:11:38 2002 
From: lsu at DC.LUTH.SE (Lennart Sundström)
Date: Thu Jan 12 21:16:24 2006
Subject: F-secure logging
In-Reply-To: Your message of Tue, 05 Nov 2002 14:53:06 GMT. <5.1.0.14.2.20021105145207.03ff3b50@imap.ecs.soton.ac.uk>
Message-ID: <200211121511.gACFBenG018970@samson.dc.luth.se>

Do you have a patch for that?

--
Lennart Sundstrom, Incident Response Team, Luleå University of Technology, S-971 87 Luleå, Sweden
Tel: +46 920 492 528 Email: lsu@dc.luth.se

On Tue, 05 Nov 2002 14:53:06 GMT, Julian Field wrote:
> I have just added virus name logging for F-Secure.
> Please don't all ask for the others, some of them are almost impossible due
> to badly-designed virus scanner output by the manufacturers.
>
> At 12:57 05/11/2002, you wrote:
> >On Tuesday 05 November 2002 03:01 am, Carl Boberg wrote:
> > > Hi,
> > >
> > > I'm trying really hard to make my F-secure log to the maillog as other
> > > scanners do, like:
> > >
> > > Nov 4 17:15:31 host-2 MailScanner[1163]: >>> Virus 'W32/Klez-H' found in
> > > file ./gA4HFT803745/coords.scr
> > >
> > > (this is a Sophos log entry)
> > >
> > > Has anyone any knowledge about how this could be done?
> >Well, The code that does the following should be in the next release I would
> >guess.
> >
> >Nov 5 06:52:41 ns2 MailScanner[8374]: Virus and Content Scanning: Starting
> >Nov 5 06:52:41 ns2 MailScanner[8374]:
> >/var/spool/MailScanner/incoming/8374/gA5Cqch11332/eicar_com.zip->eicar.com
> >Infection: EICAR_Test_File
> >Nov 5 06:52:41 ns2 MailScanner[8374]: Virus Scanning: F-Prot found virus
> >EICAR_Test_File
> >Nov 5 06:52:41 ns2 MailScanner[8374]: Virus Scanning: f-prot found 1
> >infections
> >Nov 5 06:52:41 ns2 MailScanner[8374]: Virus Scanning: Found 1 viruses
> >Nov 5 06:52:41 ns2 MailScanner[8374]: Saved infected "eicar_com.zip" to
> >/var/spool/MailScanner/quarantine/20021105/gA5Cqch11332
> >
> >This is with f-prot but my output from the wrapper looks identical to yours so
> >I would guess you might get the same output.
> >--
> >Lewis Bergman
> >Texas Communications
> >4309 Maple St.
> >Abilene, TX 79602-8044
> >915-695-6962 ext 115
>
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ
>

From lbergman at wtxs.net Tue Nov 12 16:23:03 2002
From: lbergman at wtxs.net (Lewis Bergman)
Date: Thu Jan 12 21:16:24 2006
Subject: F-secure logging
In-Reply-To: <200211121511.gACFBenG018970@samson.dc.luth.se>
References: <200211121511.gACFBenG018970@samson.dc.luth.se>
Message-ID: <200211121023.03653.lbergman@wtxs.net>

On Tuesday 12 November 2002 09:11 am, Lennart Sundström wrote:
> Do you have a patch for that?

As I said I am sure it will be in the next release.

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
915-695-6962 ext 115

From mk at quadstone.com Tue Nov 12 16:37:17 2002
From: mk at quadstone.com (Michael Keightley)
Date: Thu Jan 12 21:16:25 2006
Subject: Bad attachments not being removed in V4.05-3
Message-ID: <20021112163717.GA17388@quadstone.com>

We are currently using MailScanner V3.24-1 and have just tried out V4.05-3. We don't have a Virus scanner on our mail gateway, but do want to quarantine attachments specified in filename.rules.conf. In V3.24 this works, in V4.05-3 the bad attachments are not quarantined.

We have "Virus Scanning = no" set in both versions.

What's changed?

Michael
--
Michael Keightley                      Tel: +44 131 220 4491
Systems Manager, Quadstone Limited,    Fax: +44 131 220 4492
16 Chester Street, Edinburgh EH3 7RA, Scotland
http://www.quadstone.com

From mailscanner at ecs.soton.ac.uk Tue Nov 12 16:55:03 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:25 2006 Subject: Bad attachments not being removed in V4.05-3 In-Reply-To: <20021112163717.GA17388@quadstone.com> Message-ID: <5.1.0.14.2.20021112165354.05003308@imap.ecs.soton.ac.uk> At 16:37 12/11/2002, you wrote: >We are currently using MailScanner V3.24-1 and have just tried out V4.05-3. >We don't have a Virus scanner on our mail gateway, but do want to quarantine >attachments specified in filename.rules.conf. >In V3.24 this works, in V4.05-3 the bad attachments are not quarantined. > >We have "Virus Scanning = no" set in both versions. > >What's changed? Pretty much everything :-) I re-wrote it from scratch. You won't get far trying to use a mailscanner.conf from version 3 on version 4. I suggest you go through the version 4 conf file carefully. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Nov 12 16:53:26 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:25 2006 Subject: reporting to Razor/Pyzor In-Reply-To: <4E7026FF8A422749B1553FE508E0068004ABA3@message.intern.akct ech.de> Message-ID: <5.1.0.14.2.20021112165248.0500afa0@imap.ecs.soton.ac.uk> At 13:59 12/11/2002, you wrote: >is there a way to tell MailScanner to report Spam to Razor/Pzor e.g. via >SpamAssassin? *Please* search the list archives before you post questions to the list. This subject was discussed less than 24 hours ago! -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From billa at STERLING.NET Tue Nov 12 17:48:51 2002 
From: billa at STERLING.NET (Bill Anderson) Date: Thu Jan 12 21:16:25 2006 Subject: F-prot Enterprise Message-ID: Will mailscanner work with the enterprise (daemonized) version of F-prot? Is anyone running this with any success? Thanks. From mailscanner at ecs.soton.ac.uk Tue Nov 12 17:58:12 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:25 2006 Subject: F-prot Enterprise In-Reply-To: Message-ID: <5.1.0.14.2.20021112175345.02e27fb8@imap.ecs.soton.ac.uk> At 17:48 12/11/2002, you wrote: >Will mailscanner work with the enterprise (daemonized) version of F-prot? >Is anyone running this with any success? Thanks. I wrote some support for the Enterprise (daemon) version. Then I speed-tested it. Then I removed support again :-) At low loads it doesn't matter which of the daemon or the command-line scanner is faster. All that happens is your message batch size is a bit bigger. At high loads, you have large message batches (up to the maximum configured in your MailScanner.conf). MailScanner handles large batches more efficiently than small batches (it only calls the scanner once for each batch) so its efficiency actually improves as the load gets bigger. With large message batches, it is faster to call the command-line scanner than the daemon, as you have to squirt all the file locations into a socket to talk to the daemon, which is actually quite slow. So the summary is that I don't support it because you don't want to be using it. Just buy the Small Business Edition and save your money. A winner all round, methinks :-) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From combslm at APPSTATE.EDU Tue Nov 12 18:35:32 2002 
From: combslm at APPSTATE.EDU (Laramie Combs) Date: Thu Jan 12 21:16:25 2006 Subject: virus name in postmaster report Message-ID: <002601c28a7a$4baa4b50$160c0a98@maverick> Hello all, I am from Appalachian State University in Boone, NC (USA) and we are currently using the latest 3.x version of Mailscanner. We love the product, and are impressed with the time and effort that Julian (and others) have obviously put into this. I was wondering if there is a way to get the virus name into the subject of the email that gets sent to "postmaster" when a virus is detected. I searched the list archives, and didn't really find anything on it. We are using Sophos for anti-virus if this helps. Thanks for all your hard work Julian. -Laramie Combs Network Analyst -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021112/7d5cb836/attachment.html From Jan-Peter.Koopmann at SECEIDOS.DE Tue Nov 12 18:52:23 2002 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:16:25 2006 Subject: AW: reporting to Razor/Pyzor Message-ID: <4E7026FF8A422749B1553FE508E00680053D25@message.intern.akctech.de> > *Please* search the list archives before you post questions to the list. > This subject was discussed less than 24 hours ago! I am too blind then. *Please* tell me the ID or what to search for? If I search for Razor or Pyzor the next things I find are from June... From mk at QUADSTONE.COM Tue Nov 12 18:57:34 2002 
From: mk at QUADSTONE.COM (Michael Keightley) Date: Thu Jan 12 21:16:25 2006 Subject: Bad attachments not being removed in V4.05-3 In-Reply-To: <5.1.0.14.2.20021112165354.05003308@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20021112165354.05003308@imap.ecs.soton.ac.uk> Message-ID: <1037127454.3dd14f1ef1cee@edinmail.quadstone.com> Quoting Julian Field : > At 16:37 12/11/2002, you wrote: > >We are currently using MailScanner V3.24-1 and have just tried out V4.05-3. > >We don't have a Virus scanner on our mail gateway, but do want to > quarantine > >attachments specified in filename.rules.conf. > >In V3.24 this works, in V4.05-3 the bad attachments are not quarantined. > > > >We have "Virus Scanning = no" set in both versions. > > > >What's changed? > > Pretty much everything :-) > I re-wrote it from scratch. > > You won't get far trying to use a mailscanner.conf from version 3 on version > 4. > I suggest you go through the version 4 conf file carefully. I did use the version 4 config files with version 4. Michael > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > -- Michael Keightley Tel: +44 131 240 3137 Systems Manager, Quadstone Limited, Fax: +44 131 220 4492 16 Chester Street, Edinburgh EH3 7RA, Scotland http://www.quadstone.com From mailscanner at ecs.soton.ac.uk Tue Nov 12 19:15:26 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:25 2006
Subject: virus name in postmaster report
In-Reply-To: <002601c28a7a$4baa4b50$160c0a98@maverick>
Message-ID: <5.1.0.14.2.20021112191041.01fb2740@imap.ecs.soton.ac.uk>

At 18:35 12/11/2002, you wrote:
>I am from Appalachian State University in Boone, NC (USA) and we are
>currently using the latest 3.x version of Mailscanner.
>
>We love the product, and are impressed with the time and effort that
>Julian (and others) have obviously put into this.

Thank you.

>I was wondering if there is a way to get the virus name into the subject
>of the email that gets sent to "postmaster" when a virus is detected.

If you send all the postmaster notifications to 1 mailbox, then it's dead easy to extract them anyway. To get a list of viruses with the number of each that has been caught, sorted with most common at the top, just use a script like this:

#!/bin/sh
# Pick the ">>> Virus 'name' found ..." lines out of the notification mailbox,
# keep the text between the first pair of single quotes (the virus name),
# then count each name and list the most common first.
fgrep '>>>' Mail/Archive/Viruses | \
  cut -d\' -f2 | \
  sort | \
  uniq -c | \
  sort -nr

This should work fine for Sophos.

> Thanks for all your hard work Julian.

No worries.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Tue Nov 12 19:16:51 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:25 2006 Subject: AW: reporting to Razor/Pyzor In-Reply-To: <4E7026FF8A422749B1553FE508E00680053D25@message.intern.akct ech.de> Message-ID: <5.1.0.14.2.20021112191626.03777f50@imap.ecs.soton.ac.uk> At 18:52 12/11/2002, you wrote: > > *Please* search the list archives before you post questions to the >list. > > This subject was discussed less than 24 hours ago! > >I am too blind then. *Please* tell me the ID or what to search for? If I >search for Razor or Pyzor the next things I find are from June... The thread from last night had the subject Re: how to install vipul's razor -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Nov 12 19:17:42 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:25 2006 Subject: Bad attachments not being removed in V4.05-3 In-Reply-To: <1037127454.3dd14f1ef1cee@edinmail.quadstone.com> References: <5.1.0.14.2.20021112165354.05003308@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021112165354.05003308@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20021112191702.01fe6810@imap.ecs.soton.ac.uk> At 18:57 12/11/2002, you wrote: >Quoting Julian Field : > > At 16:37 12/11/2002, you wrote: > > >We are currently using MailScanner V3.24-1 and have just tried out > V4.05-3. > > >We don't have a Virus scanner on our mail gateway, but do want to > > quarantine > > >attachments specified in filename.rules.conf. > > >In V3.24 this works, in V4.05-3 the bad attachments are not quarantined. > > > > > >We have "Virus Scanning = no" set in both versions. > > > > > >What's changed? > > > > Pretty much everything :-) > > I re-wrote it from scratch. > > > > You won't get far trying to use a mailscanner.conf from version 3 on > version > > 4. > > I suggest you go through the version 4 conf file carefully. >I did use the version 4 config files with version 4. In which case mail me your conf file(s) and I'll take a look for you. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From todd.williams at TFCCI.COM Tue Nov 12 19:24:21 2002 
From: todd.williams at TFCCI.COM (Todd Williams) Date: Thu Jan 12 21:16:25 2006 Subject: Question regarding 4.05-3 and virus scanner lock files Message-ID: <01b901c28a81$1ae9cf20$c802a8c0@toddntbox.tfcc.com> Hi, I have a few questions about the antivirus locking file mechanisms. I'm running 4.05-3 on a Redhat test/development box with McAfee uvscan and found that the last time I sent a message, it made this lock file in /tmp/McAfeeBusy.lock : # ls -alrt /tmp ... -rw------- 1 root root 50 Nov 11 17:33 McAfeeBusy.lock ... # cat /tmp/McAfeeBusy.lock Virus checker locked for scanning by mcafee 27087 Process 27087 is still running (a MailScanner child), but there have been no messages coming into this machine (test box). The last message received was around the same time the lock file was created. The issue (I think?) is, whenever the last test message was sent through, the MailScanner checked the message for viruses, and left the lock file laying around. Is this normal behaviour? Should it not unlock/unlink the file when it's completed? Are the MailScanner processes limited to running one copy of the virus scanner at a time? Also, what happens when the mcafee-autoupdate script attempts to run -- will it bail and fail to run properly because the lockfile exists? I'm also considering changing the default lock file directory to /var/lock - there should not be any issues there, right? Thanks in advance, Todd P.S. MailScanner is a wonderful thing!! From mailscanner at ecs.soton.ac.uk Tue Nov 12 19:36:58 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:25 2006
Subject: Question regarding 4.05-3 and virus scanner lock files
In-Reply-To: <01b901c28a81$1ae9cf20$c802a8c0@toddntbox.tfcc.com>
Message-ID: <5.1.0.14.2.20021112193128.0390a138@imap.ecs.soton.ac.uk>

At 19:24 12/11/2002, you wrote:
>I have a few questions about the antivirus locking file mechanisms. I'm
>running 4.05-3 on a Redhat test/development box with McAfee uvscan and found
>that the last time I sent a message, it made this lock file in
>/tmp/McAfeeBusy.lock :
>
># ls -alrt /tmp
>...
>-rw------- 1 root root 50 Nov 11 17:33 McAfeeBusy.lock
>...
># cat /tmp/McAfeeBusy.lock
>Virus checker locked for scanning by mcafee 27087
>
>Process 27087 is still running (a MailScanner child), but there have been no
>messages coming into this machine (test box). The last message received was
>around the same time the lock file was created. The issue (I think?) is,
>whenever the last test message was sent through, the MailScanner checked the
>message for viruses, and left the lock file laying around. Is this normal
>behaviour?

Yes. It doesn't bother deleting the lockfile as there is no need to.

> Should it not unlock/unlink the file when it's completed?

It unlocks it, but does not delete it.

> Are
>the MailScanner processes limited to running one copy of the virus scanner
>at a time?

No. MailScanner gets a "shared" lock on the file. Many shared locks can exist at once. You can't have any shared locks while someone has an "exclusive" lock on the file. The autoupdate scripts get an exclusive lock, thereby excluding all the MailScanner processes while they update the virus scanner.

> Also, what happens when the mcafee-autoupdate script attempts to
>run -- will it bail and fail to run properly because the lockfile exists?
>I'm also considering changing the default lock file directory to /var/lock -
>there should not be any issues there, right?

You will need to set the location in the autoupdate script if you change it in MailScanner.conf.

>P.S. MailScanner is a wonderful thing!!

Thanks! Have you added a comment to the "guest book" on the web site yet?
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From billa at STERLING.NET Tue Nov 12 20:05:14 2002
From: billa at STERLING.NET (Bill Anderson)
Date: Thu Jan 12 21:16:25 2006
Subject: Mismarked mail - AWL
Message-ID:

How is scoring determined for AWL? I can find the scores for SMTPD_IN_RCVD, SPAM_PHRASE_00_01, USER_AGENT_OUTLOOK, however can't see what score is given to AWL. Why is it being triggered? This should be a valid email, which it is in version 3, however with version 4 it is being triggered.

X-MailScanner-SpamCheck: SpamAssassin (score=7.7, required 5, AWL,
        SMTPD_IN_RCVD, SPAM_PHRASE_00_01, USER_AGENT_OUTLOOK)

From mike at CAMAROSS.NET Tue Nov 12 20:07:08 2002
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:16:25 2006
Subject: Mismarked mail - AWL
In-Reply-To:
Message-ID:

AWL is AutoWhiteList

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Bill Anderson
Sent: Tuesday, November 12, 2002 2:05 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Mismarked mail - AWL

How is scoring determined for AWL? I can find the scores for SMTPD_IN_RCVD, SPAM_PHRASE_00_01, USER_AGENT_OUTLOOK, however can't see what score is given to AWL. Why is it being triggered? This should be a valid email, which it is in version 3, however with version 4 it is being triggered.

X-MailScanner-SpamCheck: SpamAssassin (score=7.7, required 5, AWL,
        SMTPD_IN_RCVD, SPAM_PHRASE_00_01, USER_AGENT_OUTLOOK)

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Nov 12 20:14:56 2002
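The shared/exclusive locking described in the "virus scanner lock files" thread above, as an added example that is not part of any post and not MailScanner's own code. It assumes flock(2) advisory locks (the thread does not say which locking call is used), a hypothetical lock file name, and a Unix system.

```python
import fcntl
import os
import tempfile


def try_lock(path, mode):
    """Open path and attempt a non-blocking flock.

    Returns the open file object on success (the lock lives as long as it
    stays open and locked), or None if a conflicting lock is held.
    """
    f = open(path, "a")
    try:
        fcntl.flock(f, mode | fcntl.LOCK_NB)
    except BlockingIOError:
        f.close()
        return None
    return f


def demo():
    """Walk through the states from the thread and record each outcome."""
    lockfile = os.path.join(tempfile.mkdtemp(), "ScannerBusy.lock")  # hypothetical name
    results = {}

    # Two scanning children at once: shared locks coexist.
    child1 = try_lock(lockfile, fcntl.LOCK_SH)
    child2 = try_lock(lockfile, fcntl.LOCK_SH)
    results["two_shared"] = child1 is not None and child2 is not None

    # The updater asks for an exclusive lock while scans are running: refused.
    results["exclusive_while_shared"] = try_lock(lockfile, fcntl.LOCK_EX) is not None

    # Children finish: they unlock but leave the file where it is.
    for f in (child1, child2):
        fcntl.flock(f, fcntl.LOCK_UN)
        f.close()
    results["file_left_behind"] = os.path.exists(lockfile)

    # A leftover, unlocked file does not stop the updater from locking it.
    updater = try_lock(lockfile, fcntl.LOCK_EX)
    results["exclusive_when_idle"] = updater is not None

    # While the updater holds the exclusive lock, no scan can start.
    results["shared_while_exclusive"] = try_lock(lockfile, fcntl.LOCK_SH) is not None

    updater.close()  # closing the file releases the lock
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

The lock state lives in the kernel, not in the file's existence or contents, which is why the stale-looking file in /tmp is harmless and why both sides must agree on the same path.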
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:16:25 2006
Subject: AW: AW: reporting to Razor/Pyzor
Message-ID: <4E7026FF8A422749B1553FE508E00680053D26@message.intern.akctech.de>

> The thread from last night had the subject
> Re: how to install vipul's razor

I am aware of this thread but it does not answer my question: Is there a way to automatically report spam to razor/pyzor? I would love to automatically report high scoring spam. I know there once was an auto_report_threshold in SpamAssassin but it does not seem to be documented anymore. Moreover it said it only reported to razor.

Thanks,
JP

From mike at CAMAROSS.NET Tue Nov 12 20:19:49 2002
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:16:25 2006
Subject: AW: reporting to Razor/Pyzor
In-Reply-To: <4E7026FF8A422749B1553FE508E00680053D26@message.intern.akctech.de>
Message-ID:

That would probably be the high score action...set your action in a ruleset.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Jan-Peter Koopmann
Sent: Tuesday, November 12, 2002 2:15 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: AW: AW: reporting to Razor/Pyzor

> The thread from last night had the subject
> Re: how to install vipul's razor

I am aware of this thread but it does not answer my question: Is there a way to automatically report spam to razor/pyzor? I would love to automatically report high scoring spam. I know there once was an auto_report_threshold in SpamAssassin but it does not seem to be documented anymore. Moreover it said it only reported to razor.

Thanks,
JP

From mkettler at EVI-INC.COM Tue Nov 12 20:48:37 2002
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:16:25 2006
Subject: Mismarked mail - AWL
In-Reply-To:
References:
Message-ID: <5.1.1.6.0.20021112153041.0192efa8@192.168.50.2>

Well, the question wasn't "what is the AWL" it's "how is the AWL scored".

Quite frankly it's my opinion that using the AWL with MailScanner is nothing short of broken. You can see my post under the subject "Re: [SAtalk] AWL broken in 2.43?" over on the SATalk list about one strong example of how the SA AWL breaks if you have a global AWL database, something which happens by necessity with MailScanner.

I'd strongly recommend editing your MailScanner configs to disable the auto-whitelist.

This is particularly catastrophic if you try to use any of SA's manual whitelisting features at the same time.

As far as the AWL scoring method itself, the AWL is a system that tracks the average score of emails from a given sender/server IP combination. Each time an email arrives it is scored, and the AWL "pushes" the score of the individual email towards the average by a configurable factor. By default this "factor" is 0.5.

So the final score of the email winds up being:

(normal_score * (1-factor)) + (average_score * factor)

so in the case of .5 it splits the difference between the current email and the average. This causes users that consistently send spam to have their scores raised, and those that consistently send nonspam to have their scores lowered.

Of course, you can see how if you have manual whitelists and a global AWL, in particular to: type whitelists, the AWL winds up averaging the effects of those settings to all users on the system.

i.e.: if I ALL_SPAM_TO my postmaster account and a spammer spams postmaster, then 10 other users, he'll have a roughly -100 score average when he sends to the other 10. I've effectively created a way for spammers to site-wide whitelist themselves by spamming a particular account first.

At 02:07 PM 11/12/2002 -0600, Mike Kercher wrote: >AWL is AutoWhiteList > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Bill Anderson >Sent: Tuesday, November 12, 2002 2:05 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Mismarked mail - AWL > > >How is scoring determined for AWL? I can find the scores for SMTPD_IN_RCVD, >SPAM_PHRASE_00_01, USER_AGENT_OUTLOOK, however can't see what score is given >to AWL. Why is it being triggered? This should be a valid email, which it >is in version 3, however with version 4 it is being triggered. > >X-MailScanner-SpamCheck: SpamAssassin (score=7.7, required 5, AWL, > SMTPD_IN_RCVD, SPAM_PHRASE_00_01, USER_AGENT_OUTLOOK) From mailscanner at ecs.soton.ac.uk Tue Nov 12 21:02:08 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:25 2006
Subject: Mismarked mail - AWL
In-Reply-To: <5.1.1.6.0.20021112153041.0192efa8@192.168.50.2>
References:
Message-ID: <5.1.0.14.2.20021112210036.03782168@imap.ecs.soton.ac.uk>

Methinks I might want to change the default value in the distribution.
Thanks for doing the thorough analysis.

At 20:48 12/11/2002, you wrote:
>Well, the question wasn't "what is the AWL" it's "how is the AWL scored".
>
>Quite frankly it's my opinion that using the AWL with MailScanner is
>nothing short of broken. You can see my post under the subject "Re:
>[SAtalk] AWL broken in 2.43?" over on the SATalk list about one strong
>example of how the SA AWL breaks if you have a global AWL database,
>something which happens by necessity with MailScanner.
>
>I'd strongly recommend editing your MailScanner configs to disable the
>auto-whitelist.
>
>This is particularly catastrophic if you try to use any of SA's manual
>whitelisting features at the same time.
>
>As far as the AWL scoring method itself, the AWL is a system that tracks
>the average score of emails from a given sender/server IP combination. Each
>time an email arrives it is scored, and the AWL "pushes" the score of the
>individual email towards the average by a configurable factor. By default
>this "factor" is 0.5.
>
>So the final score of the email winds up being:
>
>(normal_score * (1-factor)) + (average_score * factor)
>
>so in the case of .5 it splits the difference between the current email and
>the average. This causes users that consistently send spam to have their
>scores raised, and those that consistently send nonspam to have their
>scores lowered.
>
>Of course, you can see how if you have manual whitelists and a global AWL,
>in particular to: type whitelists, the AWL winds up averaging the effects
>of those settings to all users on the system.
>
>i.e.: if I ALL_SPAM_TO my postmaster account and a spammer spams
>postmaster, then 10 other users, he'll have a roughly -100 score average
>when he sends to the other 10. I've effectively created a way for spammers
>to site-wide whitelist themselves by spamming a particular account first.
>
>
>At 02:07 PM 11/12/2002 -0600, Mike Kercher wrote:
>>AWL is AutoWhiteList
>>
>>-----Original Message-----
>>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
>>Behalf Of Bill Anderson
>>Sent: Tuesday, November 12, 2002 2:05 PM
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: Mismarked mail - AWL
>>
>>
>>How is scoring determined for AWL? I can find the scores for SMTPD_IN_RCVD,
>>SPAM_PHRASE_00_01, USER_AGENT_OUTLOOK, however can't see what score is given
>>to AWL. Why is it being triggered? This should be a valid email, which it
>>is in version 3, however with version 4 it is being triggered.
>>
>>X-MailScanner-SpamCheck: SpamAssassin (score=7.7, required 5, AWL,
>> SMTPD_IN_RCVD, SPAM_PHRASE_00_01, USER_AGENT_OUTLOOK)

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mkettler at EVI-INC.COM Tue Nov 12 21:20:20 2002
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:16:25 2006
Subject: Mismarked mail - AWL
In-Reply-To: <5.1.0.14.2.20021112210036.03782168@imap.ecs.soton.ac.uk>
References: <5.1.1.6.0.20021112153041.0192efa8@192.168.50.2>
Message-ID: <5.1.1.6.0.20021112160916.01892478@192.168.50.2>

It's unfortunate that having a single global AWL is such a double-edged sword. The biggest benefits of the AWL show up when you use it globally, unfortunately the problems with it increase by a few orders of magnitude making it a trouble-causing nightmare. It *can* work, but it has some seriously unexpected side effects that most people aren't aware of.

I'm also not a big fan of the AWL in general as I fear it will eventually encourage spammers to send you "bursts" of messages. 1 low scoring nonspam message to get themselves a whitelist entry followed by a spam message. If the first message scores zero, the second will need to score a 10 to get tagged with the default settings. I've not seen that sort of behavior yet, but it's not something I'd like to encourage.

I'm a strong proponent of the "let the merits of each email stand upon its own" approach, with manual whitelist_from_rcvd entries to allow in spamish newsletters of your choosing. Of course, that's a lot more work than just turning on the AWL, but it's by far less prone to error too.

At 09:02 PM 11/12/2002 +0000, Julian Field wrote:
>Methinks I might want to change the default value in the distribution.
>Thanks for doing the thorough analysis.

From gavin at NETERGY.COM Tue Nov 12 22:32:40 2002
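
The averaging formula and the two side effects described in the messages above (a site-wide whitelist entry earned through an ALL_SPAM_TO recipient, and a zero-scoring first message halving the next one), as an added example that is not code from SpamAssassin, MailScanner or any poster. It is a simplified model: the class and function names, the -100 adjustment for ALL_SPAM_TO, the content score of 12 and the per-recipient variant used for contrast are assumptions.

```python
"""Simplified model of the AWL averaging described in the thread.

Assumptions (not taken from SpamAssassin's source): history is keyed on
(sender, IP), it stores the pre-AWL score of every message, and delivery to
an ALL_SPAM_TO recipient contributes about -100 to that score.
"""
from collections import defaultdict

FACTOR = 0.5                # default AWL factor quoted in the thread
REQUIRED = 5.0              # "required 5" in the X-MailScanner-SpamCheck header
ALL_SPAM_TO_BONUS = -100.0  # assumption: approximate effect of ALL_SPAM_TO


class AutoWhitelist:
    """Tracks the running average score per sender/IP (optionally per recipient)."""

    def __init__(self, factor=FACTOR, per_recipient=False):
        self.factor = factor
        self.per_recipient = per_recipient
        self.history = defaultdict(lambda: [0.0, 0])  # key -> [total, count]

    def score(self, sender, ip, recipient, normal_score):
        """Return the AWL-adjusted score, then record normal_score in the history."""
        key = (sender, ip, recipient) if self.per_recipient else (sender, ip)
        entry = self.history[key]
        if entry[1]:
            average = entry[0] / entry[1]
            # (normal_score * (1-factor)) + (average_score * factor)
            final = normal_score * (1 - self.factor) + average * self.factor
        else:
            final = normal_score  # no history yet, nothing to average against
        entry[0] += normal_score
        entry[1] += 1
        return final


def min_score_to_tag(average, factor=FACTOR, required=REQUIRED):
    """Pre-AWL score a message needs to reach `required` given the sender's average."""
    return (required - average * factor) / (1 - factor)


def simulate_poisoning(per_recipient, content_score=12.0, victims=10):
    """One message to an ALL_SPAM_TO postmaster, then the same spam to other users.

    Returns the final scores seen by the other users, in delivery order.
    """
    awl = AutoWhitelist(per_recipient=per_recipient)
    sender, ip = "bulk@sender.invalid", "192.0.2.10"  # constructed sample values
    awl.score(sender, ip, "postmaster", content_score + ALL_SPAM_TO_BONUS)
    return [awl.score(sender, ip, f"user{n}", content_score)
            for n in range(1, victims + 1)]


def untagged(finals, required=REQUIRED):
    """Number of messages that stay below the spam threshold."""
    return sum(1 for s in finals if s < required)


if __name__ == "__main__":
    shared = simulate_poisoning(per_recipient=False)
    separate = simulate_poisoning(per_recipient=True)
    print("global AWL, final scores:       ", [round(s, 2) for s in shared])
    print("global AWL, untagged spam:      ", untagged(shared), "of", len(shared))
    print("per-recipient keys, untagged:   ", untagged(separate), "of", len(separate))
    print("score needed after a 0 average: ", min_score_to_tag(0.0))
```

In this model the single -88 entry keeps the sender below the threshold for the next seven recipients; the average only recovers as the unadjusted scores accumulate.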
From: gavin at NETERGY.COM (Gavin Nelmes-Crocker)
Date: Thu Jan 12 21:16:25 2006
Subject: dealing with the quarantine
Message-ID:

I know this was touched on a while ago but I don't think I saw a definitive answer, also now that we can quarantine Spam as well.

2 things in the quarantine I notice the directories are in a date format such as year/month/day is this our server or is it in the code somewhere that I can tweak to be European date format i.e. year at the end.

next and most important thing which is probably more of a sendmail issue if you have a Spam or a virus mail that a customer needs/wants (why I'm not sure) how do you get it processed - I suppose you need to do it from localhost and have a rule that won't block it or scan it from localhost but how do you get sendmail to process that raw file?

Thanks

Gavin

From ivan at NUCCI.COM.BR Tue Nov 12 22:48:58 2002
From: ivan at NUCCI.COM.BR (Ivan Mirisola)
Date: Thu Jan 12 21:16:25 2006
Subject: Flash (SWF) in e-mail
References: <1037109730.6484.33.camel@linroute>
Message-ID: <3DD1855A.9080102@nucci.com.br>

Hi All,

Is there a way to prevent all email containing object tags to go through except when dealing with flash.
I would like to deliver such messages but not the really dangerous ones.
If it's not possible, is there a way to deliver the SWF files as attachments and remove the HTML code that calls it?

TIA,
---
Ivan

From novirus at CARLO65.DE Tue Nov 12 23:00:05 2002
From: novirus at CARLO65.DE (Roland Ehle)
Date: Thu Jan 12 21:16:25 2006
Subject: Flash (SWF) in e-mail
In-Reply-To: <3DD1855A.9080102@nucci.com.br>
References: <1037109730.6484.33.camel@linroute> <3DD1855A.9080102@nucci.com.br>
Message-ID: <1037142005.6484.61.camel@linroute>

Hi Ivan,

On Tue, 2002-11-12 at 23.48, Ivan Mirisola wrote:
> Is there a way to prevent all email containing object tags to go through
> except when dealing with flash.
> I would like to deliver such messages but not the really dangerous ones.

No this is not possible.

> If it's not possible, is there a way to deliver the SWF files as
> attachments and remove the HTML code that calls it?

As the swf files are not attached to the mail, but remain on the website, which is called in the IFrame-tag, there is no possibility.

Regards,
Roland

From ivan at NUCCI.COM.BR Tue Nov 12 23:21:38 2002
From: ivan at NUCCI.COM.BR (Ivan Mirisola)
Date: Thu Jan 12 21:16:25 2006
Subject: Flash (SWF) in e-mail
References: <1037109730.6484.33.camel@linroute> <3DD1855A.9080102@nucci.com.br> <1037142005.6484.61.camel@linroute>
Message-ID: <3DD18D02.5020801@nucci.com.br>

Hi Roland,

I have seen many e-mail that have SWF attachments and the HTML tag calls the filename on the mime part. It would be just like a hidden attachment in an e-mail but you would see the SWF within the email.
I know that there is a virus that could be hidden in a SWF, that's why I wanted to remove just the HTML part that refers to the SWF and make the SWF visible as an attachment.
Is it possible?

Thanks again

Roland Ehle wrote:

>Hi Ivan,
>
>
>On Tue, 2002-11-12 at 23.48, Ivan Mirisola wrote:
>
>>Is there a way to prevent all email containing object tags to go through
>>except when dealing with flash.
>>I would like to deliver such messages but not the really dangerous ones.
>>
>
>No this is not possible.
>
>>If it's not possible, is there a way to deliver the SWF files as
>>attachments and remove the HTML code that calls it?
>>
>
>As the swf files are not attached to the mail, but remain on the
>website, which is called in the IFrame-tag, there is no possibility.
>
>Regards,
>Roland
>

From vanhorn at whidbey.com Wed Nov 13 00:12:38 2002
From: vanhorn at whidbey.com (G. Armour Van Horn)
Date: Thu Jan 12 21:16:25 2006
Subject: Problem with autoupdate.f-prot
References: <0fae50400001ca2PCOW024M@blueyonder.co.uk> <004201c27e6a$b48678e0$6a0110ac@sbsplc.com> <5.1.0.14.2.20021030145144.07dbe040@imap.ecs.soton.ac.uk>
Message-ID: <3DD198F6.895BC5@whidbey.com>

I switched to using
cd /usr/lib/MailScanner; ./f-prot-autoupdate -cron
and didn't see any change in behaviour. I dropped the " -cron" and still saw no behaviour. After one of the files is updated at f-prot, four times a day I get a message like the one below.

Just like with the script from f-prot, the command works just fine from the command line. In fact, I normally copy the command out of the Subject line of the error message and paste it into the shell. I am generally logged on as root, and the cron script is set to run as root, so that's not the difference.

Any ideas?

Van

Date: Tue, 12 Nov 2002 13:00:03 -0800
From: root@verbose.twistedhistory.com (Cron Daemon)
To: root@verbose.twistedhistory.com
Subject: Cron cd /usr/lib/MailScanner;./f-prot-autoupdate
X-Cron-Env:
X-Cron-Env:
X-Cron-Env:
X-Cron-Env:
X-MailScanner: Found to be clean

FTP address for retrieving files is ftp://eu-1.updates.f-prot.com/pub/
F-Prot signature file update script
There is a new version of SIGN.DEF, starting download.
Download completed.
Fatal error while unzipping file., Bad file descriptor at ./f-prot-autoupdate line 294, line 2.

Julian Field wrote:

> At 06:09 30/10/2002, you wrote:
> >I'm running the updater /usr/local/f-prot_3.12b/check-updates.sh with the cron
> >suffix, and I've never seen it work. But I go to the command line and it works
> >just fine. So I end up using the failure message as a trigger to manually run
> >it.
> >
> >Reading your message, it looks like you are running a different script, but I
> >don't have an autoupdate.f-prot on my system. Should this have been part of
> >the install? Or is this something I should go hunting for? I would welcome a
> >script that normally works with the occasional failure instead of the script
> >that never runs.
>
> You will have /usr/lib/MailScanner/f-prot-autoupdate. Use that.
>
> >I'm running 4.00.0a13-1, in case that explains why I don't have the script you
> >are using.
> >
> >Van
> >
> >
> >Paul Welsh wrote:
> >
> > > I'm using Julian's f-prot autoupdate script:
> > >
> > > # $Id: autoupdate,v 1.3.2.5 2002/07/15 00:47:26 nwp Exp $
> > >
> > > and today I got the following error in my logs:
> > >
> > > FTP address for retrieving files is ftp://eu-1.updates.f-prot.com/pub/
> > > F-Prot signature file update script
> > > There is a new version of SIGN.DEF, starting download.
> > > Download completed.
> > > Updated SIGN.DEF.
> > > There is a new version of SIGN2.DEF, starting download.
> > > Updated SIGN2.DEF.
> > > There is a new version of MACRO.DEF, starting download.
> > > Download completed.
> > > Download completed.
> > > Could not find correct version of MACRO.DEF, exiting., Bad file descriptor
> > > at /etc/cron.daily/autoupdate.f-prot line 294, chunk 4.
> > >
> > > I ran the script again from the command line and no error messages -
> > > everything was up to date apparently.
> > >
> > > I'm on MailScanner 3.22 with F-Prot 3.12a.
> >
> >--
> >----------------------------------------------------------
> >Sign up now for Quotes of the Day, a handful of quotations
> >on a theme delivered every morning.
> >Enlightenment! Daily, for free!
> >mailto:twisted@whidbey.com?subject=Subscribe_QOTD
> >
> >For web hosting and maintenance,
> >visit Van's home page: http://www.domainvanhorn.com/van/
> >----------------------------------------------------------
>
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ

--
----------------------------------------------------------
Sign up now for Quotes of the Day, a handful of quotations
on a theme delivered every morning.
Enlightenment! Daily, for free!
mailto:twisted@whidbey.com?subject=Subscribe_QOTD

For web hosting and maintenance,
visit Van's home page: http://www.domainvanhorn.com/van/
----------------------------------------------------------

From novirus at CARLO65.DE Wed Nov 13 00:10:58 2002
From: novirus at CARLO65.DE (Roland Ehle)
Date: Thu Jan 12 21:16:25 2006
Subject: Flash (SWF) in e-mail
In-Reply-To: <3DD18D02.5020801@nucci.com.br>
References: <1037109730.6484.33.camel@linroute> <3DD1855A.9080102@nucci.com.br> <1037142005.6484.61.camel@linroute> <3DD18D02.5020801@nucci.com.br>
Message-ID: <1037146258.6484.75.camel@linroute>

Hi Ivan,

AFAIK there are only 2 possibilities: Allow Object Codebase = no or yes.
So far there is no option, to use rulesets or allow only certain objects. The only thing you can do, is to use a ruleset to allow object Codebase from certain senders only.

Regards,
Roland

On Wed, 2002-11-13 at 00.21, Ivan Mirisola wrote:
> Hi Roland,
>
> I have seen many e-mail that have SWF attachments and the HTML tag
> calls the filename on the mime part. It would be just like a
> hidden attachment in an e-mail but you would see the SWF within the email.
> I know that there is a virus that could be hidden in a SWF, that's why I
> wanted to remove just the HTML part that refers to the SWF and make the
> SWF visible as an attachment.
> Is it possible?
>
> Thanks again
>
> Roland Ehle wrote:
>
> >Hi Ivan,
> >
> >
> >On Tue, 2002-11-12 at 23.48, Ivan Mirisola wrote:
> >
> >>Is there a way to prevent all email containing object tags to go through
> >>except when dealing with flash.
> >>I would like to deliver such messages but not the really dangerous ones.
> >>
> >
> >No this is not possible.
> >
> >>If it's not possible, is there a way to deliver the SWF files as
> >>attachments and remove the HTML code that calls it?
> >>
> >
> >As the swf files are not attached to the mail, but remain on the
> >website, which is called in the IFrame-tag, there is no possibility.
> >
> >Regards,
> >Roland

From gerry at DORFAM.CA Wed Nov 13 02:11:18 2002
From: gerry at DORFAM.CA (Gerry Doris)
Date: Thu Jan 12 21:16:25 2006
Subject: AW: AW: reporting to Razor/Pyzor
In-Reply-To: <4E7026FF8A422749B1553FE508E00680053D26@message.intern.akctech.de>
Message-ID:

On Tue, 12 Nov 2002, Jan-Peter Koopmann wrote:

> > The thread from last night had the subject
> > Re: how to install vipul's razor
>
> I am aware of this threat but it does not answer my question:
>
> Is there a way to automatically report spam to razor/pyzor? I would love
> to automatically report high scoring spam. I know there once was an
> auto_report_threshold in SpamAssassin but it does not seem to be
> documented anymore. Moreover it said it only reported to razor.
>
> Thanks,
> JP
>

I'm going from memory here but I thought that the spamassassin folks were no longer trying to auto update razor. I believe people thought it was too open to abuse???

--
Gerry

"The lyfe so short, the craft so long to learne" Chaucer

From Jan-Peter.Koopmann at SECEIDOS.DE Wed Nov 13 08:38:19 2002
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:16:25 2006
Subject: AW: reporting to Razor/Pyzor
Message-ID: <4E7026FF8A422749B1553FE508E0068004ABAB@message.intern.akctech.de>

Hi Mike,

> That would probably be the high score action...set your action
> in a ruleset.

How? I do not really know what you mean. Can you give me a few more hints? Do I do this within the SpamAssassin config?

Regards,
JP

From P.G.M.Peters at civ.utwente.nl Wed Nov 13 10:56:03 2002
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:16:25 2006
Subject: dealing with the quarantine
In-Reply-To:
References:
Message-ID: <8qb4tuglluvfefo1sroqpeh12vtholcd8m@4ax.com>

On Tue, 12 Nov 2002 22:32:40 -0000, you wrote:

>2 things in the quarantine I notice the directories are in a date format
>such as year/month/day is this our server or is it in the code somewhere
>that I can tweak to be European date format i.e. year at the end.

I would advise against using "our" format. The way it is coded now is very easy to sort. When you want to remove a month worth of quarantined files you just rm -rf yearmonth*. Or if you want to remove the first ten days of this month: rm -rf 2002111*.

--
Peter Peters
senior netwerkbeheerder, Centrum voor Informatievoorziening,
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ

From mailscanner at ecs.soton.ac.uk Wed Nov 13 10:56:26 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:25 2006
Subject: dealing with the quarantine
In-Reply-To:
Message-ID: <5.1.0.14.2.20021113105000.0300a628@imap.ecs.soton.ac.uk>

At 22:32 12/11/2002, you wrote:
>2 things in the quarantine I notice the directories are in a date format
>such as year/month/day is this our server or is it in the code somewhere
>that I can tweak to be European date format i.e. year at the end.

The date format is yyyymmdd intentionally. If you alphabetically or numerically sort the directory names (like "ls" does) then you get the dates in chronological order. So a simple "ls" command will sort them with oldest first, newest last.

>next and most important thing which is probably more of a sendmail issue if
>you have a Spam or a virus mail that a customer needs/wants (why I'm not
>sure) how do you get it processed - I suppose you need to do it from
>localhost and have a rule that won't block it or scan it from localhost but
>how do you get sendmail to process that raw file?

If you store the messages as raw queue files (i.e. the qf+df pair) then you can just drop the files into /var/spool/mqueue. If you want to trigger immediate delivery of it, then do
         /usr/sbin/sendmail -qIxxxxxxxxx -v
where xxxxxxxxx is the raw queue filename excluding the qf or df off the front of it. That way it won't get scanned at all.

If you are using an old version of sendmail, and you have the whole message stored as 1 file, then you can do
         sendmail -t < blahblah
where blahblah is the filename of the quarantined message.

If you are using a newer sendmail (8.11 and beyond I believe) and you have the whole message stored as 1 file, then it's harder as invoking sendmail directly will still cause the message to be scanned. At that point you will need rulesets which stop MailScanner scanning messages coming from 127.0.0.1.

>Thanks
>
>Gavin

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Wed Nov 13 11:04:25 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:25 2006
Subject: Problem with autoupdate.f-prot
In-Reply-To: <3DD198F6.895BC5@whidbey.com>
References: <0fae50400001ca2PCOW024M@blueyonder.co.uk> <004201c27e6a$b48678e0$6a0110ac@sbsplc.com> <5.1.0.14.2.20021030145144.07dbe040@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021113110136.030110a8@imap.ecs.soton.ac.uk>

At 00:12 13/11/2002, you wrote:
>I switched to using
>cd /usr/lib/MailScanner; ./f-prot-autoupdate -cron
>and didn't see any change in behaviour. I dropped the " -cron" and still saw no
>behaviour. After one of the files is updated at f-prot, four times a day I get a
>message like the one below.
>
>Just like with the script from f-prot, the command works just fine from the command
>line. In fact, I normally copy the command out of the Subject line of the error
>message and paste it into the shell. I am generally logged on as root, and the cron
>script is set to run as root, so that's not the difference.

Can you try the attached f-prot-autoupdate from your cron job and see if it works any better? The "unzip" command is bailing out for no very good reason.

>Any ideas?
>
>Van
>
>
>Date: Tue, 12 Nov 2002 13:00:03 -0800
>From: root@verbose.twistedhistory.com (Cron Daemon)
>To: root@verbose.twistedhistory.com
>Subject: Cron cd /usr/lib/MailScanner;./f-prot-autoupdate
>X-Cron-Env:
>X-Cron-Env:
>X-Cron-Env:
>X-Cron-Env:
>X-MailScanner: Found to be clean
>
>
>FTP address for retrieving files is ftp://eu-1.updates.f-prot.com/pub/
>F-Prot signature file update script
>There is a new version of SIGN.DEF, starting download.
>Download completed.
>Fatal error while unzipping file., Bad file descriptor at ./f-prot-autoupdate line
>294, line 2.
>
>
>Julian Field wrote:
>
> > At 06:09 30/10/2002, you wrote:
> > >I'm running the updater /usr/local/f-prot_3.12b/check-updates.sh with the cron
> > >suffix, and I've never seen it work. But I go to the command line and it works
> > >just fine. So I end up using the failure message as a trigger to manually run
> > >it.
> > >
> > >Reading your message, it looks like you are running a different script, but I
> > >don't have an autoupdate.f-prot on my system. Should this have been part of
> > >the install? Or is this something I should go hunting for? I would welcome a
> > >script that normally works with the occasional failure instead of the script
> > >that never runs.
> >
> > You will have /usr/lib/MailScanner/f-prot-autoupdate. Use that.
> >
> > >I'm running 4.00.0a13-1, in case that explains why I don't have the script you
> > >are using.
> > >
> > >Van
> > >
> > >
> > >Paul Welsh wrote:
> > >
> > > > I'm using Julian's f-prot autoupdate script:
> > > >
> > > > # $Id: autoupdate,v 1.3.2.5 2002/07/15 00:47:26 nwp Exp $
> > > >
> > > > and today I got the following error in my logs:
> > > >
> > > > FTP address for retrieving files is ftp://eu-1.updates.f-prot.com/pub/
> > > > F-Prot signature file update script
> > > > There is a new version of SIGN.DEF, starting download.
> > > > Download completed.
> > > > Updated SIGN.DEF.
> > > > There is a new version of SIGN2.DEF, starting download.
> > > > Updated SIGN2.DEF.
> > > > There is a new version of MACRO.DEF, starting download.
> > > > Download completed.
> > > > Download completed.
> > > > Could not find correct version of MACRO.DEF, exiting., Bad file descriptor
> > > > at /etc/cron.daily/autoupdate.f-prot line 294, chunk 4.
> > > >
> > > > I ran the script again from the command line and no error messages -
> > > > everything was up to date apparently.
> > > >
> > > > I'm on MailScanner 3.22 with F-Prot 3.12a.
> > >
> > >--
> > >----------------------------------------------------------
> > >Sign up now for Quotes of the Day, a handful of quotations
> > >on a theme delivered every morning.
> > >Enlightenment! Daily, for free!
> > >mailto:twisted@whidbey.com?subject=Subscribe_QOTD
> > >
> > >For web hosting and maintenance,
> > >visit Van's home page: http://www.domainvanhorn.com/van/
> > >----------------------------------------------------------
> >
> > --
> > Julian Field                Teaching Systems Manager
> > jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> > Tel. 023 8059 2817          University of Southampton
> >                             Southampton SO17 1BJ
>
>--
>----------------------------------------------------------
>Sign up now for Quotes of the Day, a handful of quotations
>on a theme delivered every morning.
>Enlightenment! Daily, for free!
>mailto:twisted@whidbey.com?subject=Subscribe_QOTD
>
>For web hosting and maintenance,
>visit Van's home page: http://www.domainvanhorn.com/van/
>----------------------------------------------------------

-------------- next part --------------
A non-text attachment was scrubbed...
Name: f-prot-autoupdate
Type: application/octet-stream
Size: 9104 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021113/00cbee35/f-prot-autoupdate.obj
-------------- next part --------------

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From ivan at NUCCI.COM.BR Wed Nov 13 13:36:52 2002
From: ivan at NUCCI.COM.BR (Ivan Mirisola)
Date: Thu Jan 12 21:16:25 2006
Subject: Flash (SWF) in e-mail
References: <1037109730.6484.33.camel@linroute> <3DD1855A.9080102@nucci.com.br> <1037142005.6484.61.camel@linroute> <3DD18D02.5020801@nucci.com.br> <1037146258.6484.75.camel@linroute>
Message-ID: <3DD25574.5030609@nucci.com.br>

Perhaps this could be a new feature request. I think this would make MailScanner more flexible

Thanks anyway,
---
Ivan

Roland Ehle wrote:

>Hi Ivan,
>
>AFAIK there are only 2 possibilities: Allow Object Codebase = no or yes.
>So far there is no option, to use rulesets or allow only certain
>objects. The only thing you can do, is to use a ruleset to allow object
>Codebase from certain senders only.
>
>Regards,
>Roland
>On Wed, 2002-11-13 at 00.21, Ivan Mirisola wrote:
>
>>Hi Roland,
>>
>>I have seen many e-mail that have SWF attachments and the HTML tag
>> calls the filename on the mime part. It would be just like a
>>hidden attachment in an e-mail but you would see the SWF within the email.
>>I know that there is a virus that could be hidden in a SWF, that's why I
>>wanted to remove just the HTML part that refers to the SWF and make the
>>SWF visible as an attachment.
>>Is it possible?
>>
>>Thanks again
>>
>>Roland Ehle wrote:
>>
>>>Hi Ivan,
>>>
>>>
>>>On Tue, 2002-11-12 at 23.48, Ivan Mirisola wrote:
>>>
>>>>Is there a way to prevent all email containing object tags to go through
>>>>except when dealing with flash.
>>>>I would like to deliver such messages but not the really dangerous ones.
>>>>
>>>No this is not possible.
>>>
>>>>If it's not possible, is there a way to deliver the SWF files as
>>>>attachments and remove the HTML code that calls it?
>>>>
>>>As the swf files are not attached to the mail, but remain on the
>>>website, which is called in the IFrame-tag, there is no possibility.
>>>
>>>Regards,
>>>Roland
>>>

From mike at CAMAROSS.NET Wed Nov 13 13:37:59 2002
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:16:25 2006
Subject: AW: reporting to Razor/Pyzor
In-Reply-To: <4E7026FF8A422749B1553FE508E0068004ABAB@message.intern.akctech.de>
Message-ID: <006901c28b19$e1ba9560$6501a8c0@mikedesk>

I don't run razor here anymore but when I used to, I had an alias setup on my local machine (/etc/aliases) to forward messages sent to razor@ to a specified email address. Now it's just a list of email addresses that have spammed me...so they get all of my high scoring spam. In my MailScanner.conf, I have this:

# This is just like the "Spam Actions" option above, except that it applies
# then the score from SpamAssassin is higher than the "High SpamAssassin Score"
# value.
#    deliver                 - deliver the message as normal
#    delete                  - delete the message
#    store                   - store the message in the quarantine
#    bounce                  - send a rejection message back to the sender
#    forward user@domain.com - forward a copy of the message to user@domain.com
#    striphtml               - convert all in-line HTML content to plain text
#
# Note that the bounce message is created in such a way as to stop it
# bouncing back to your site.
#
# This can also be the filename of a ruleset.
High Scoring Spam Actions = forward razor@localhost

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jan-Peter Koopmann
Sent: Wednesday, November 13, 2002 2:38 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: AW: reporting to Razor/Pyzor

Hi Mike,

> That would probably be the high score action...set your action
> in a ruleset.

How? I do not really know what you mean. Can you give me a few more hints? Do I do this within the SpamAssassin config?

Regards,
JP

From mk at quadstone.com Wed Nov 13 14:10:12 2002
From: mk at quadstone.com (Michael Keightley)
Date: Thu Jan 12 21:16:25 2006
Subject: Whitelist for IFrame Tags?
Message-ID: <20021113141012.GA1629@quadstone.com>

Can the whitelist be used for messages containing IFrame Tags in version 4?
The problem is if we set "Allow IFrame Tags = no" then people's Daily Dilbert cartoon gets quarantined!!

Michael
--
Michael Keightley                    Tel: +44 131 220 4491
Systems Manager, Quadstone Limited,  Fax: +44 131 220 4492
16 Chester Street, Edinburgh EH3 7RA, Scotland
http://www.quadstone.com

From mailscanner at ecs.soton.ac.uk Wed Nov 13 14:21:02 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:25 2006
Subject: Whitelist for IFrame Tags?
In-Reply-To: <20021113141012.GA1629@quadstone.com>
Message-ID: <5.1.0.14.2.20021113141910.0739da30@imap.ecs.soton.ac.uk>

At 14:10 13/11/2002, you wrote:
>Can the whitelist be used for messages containing IFrame Tags in version 4?

Yes.

>The problem is if we set "Allow IFrame Tags = no" then people's Daily Dilbert
>cartoon gets quarantined!!

You just use a ruleset for it.

Allow IFrame Tags = /opt/MailScanner/etc/rules/allow.iframe.tags.rules

Then in that file put

From:     *@*.dilbert.com        yes
From:     other@mailinglist.com  yes
FromOrTo: default                no

(FromOrTo will work just as well as FromTo, it's just a bit clearer what it means)

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From dustin.baer at IHS.COM Wed Nov 13 14:19:04 2002
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:16:25 2006
Subject: Whitelist for IFrame Tags?
References: <20021113141012.GA1629@quadstone.com>
Message-ID: <3DD25F58.1EB68F52@ihs.com>

Michael Keightley wrote:
>
> Can the whitelist be used for messages containing IFrame Tags in version 4?
> The problem is if we set "Allow IFrame Tags = no" then people's Daily Dilbert
> cartoon gets quarantined!!

mailscanner.conf:
Allow IFrame Tags = /opt/MailScanner/etc/rules/AllowIFrameTags.rules

/opt/MailScanner/etc/rules/AllowIFrameTags.rules:
From: *@comicsmail.unitedmedia.com yes

Dustin

--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From p.vanbrouwershaven at NETWORKING4ALL.COM Wed Nov 13 14:49:21 2002
From: p.vanbrouwershaven at NETWORKING4ALL.COM (Paul van Brouwershaven - Networking4all)
Date: Thu Jan 12 21:16:25 2006
Subject: Multiple Reports
Message-ID:

Hi,

I want to send a combined report to my client one in EN and one in NL can I do this with a command or must I change the reports??

Regards,

Paul

From mailscanner at ecs.soton.ac.uk Wed Nov 13 14:51:50 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:25 2006
Subject: Multiple Reports
In-Reply-To:
Message-ID: <5.1.0.14.2.20021113145106.0738cfa8@imap.ecs.soton.ac.uk>

At 14:49 13/11/2002, you wrote:
>I want to send a combined report to my client one in EN and one in NL
>can I do this with a command or must I change the reports??

You will have to change the reports so that they say exactly what you want them to say.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mk at quadstone.com Wed Nov 13 15:27:37 2002
From: mk at quadstone.com (Michael Keightley)
Date: Thu Jan 12 21:16:25 2006
Subject: Problems with version 4
Message-ID: <20021113152737.GB1629@quadstone.com>

After starting up version 4, I am getting lots of these messages in the mail
log:

Nov 13 15:20:29 postie.quadstone.co.uk MailScanner[26958]: Failed to link message body between queues (/var/spool/mqueue/dfgADFKNXH026972 --> /var/spool/mqueue.in/dfgADFKNXH026972)

I am running Sendmail version 8.12.3 on Solaris 8.

Michael
--
Michael Keightley                      Tel: +44 131 220 4491
Systems Manager, Quadstone Limited,    Fax: +44 131 220 4492
16 Chester Street, Edinburgh EH3 7RA, Scotland  http://www.quadstone.com

From mailscanner at ecs.soton.ac.uk Wed Nov 13 15:32:35 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:25 2006
Subject: Problems with version 4
In-Reply-To: <20021113152737.GB1629@quadstone.com>
Message-ID: <5.1.0.14.2.20021113153116.07420ec0@imap.ecs.soton.ac.uk>

At 15:27 13/11/2002, you wrote:
>After starting up version 4, I am getting lots of these messages in the mail
>log:
>
>Nov 13 15:20:29 postie.quadstone.co.uk MailScanner[26958]: Failed to link
>message body between queues (/var/spool/mqueue/dfgADFKNXH026972 -->
>/var/spool/mqueue.in/dfgADFKNXH026972)

Either the file already exists in the outgoing queue, or the 2 queues
aren't on the same partition, or you are running V3 and V4 simultaneously.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mk at quadstone.com Wed Nov 13 15:45:43 2002
From: mk at quadstone.com (Michael Keightley)
Date: Thu Jan 12 21:16:25 2006
Subject: Problems with version 4
In-Reply-To: <5.1.0.14.2.20021113153116.07420ec0@imap.ecs.soton.ac.uk>
References: <20021113152737.GB1629@quadstone.com> <5.1.0.14.2.20021113153116.07420ec0@imap.ecs.soton.ac.uk>
Message-ID: <20021113154543.GD1629@quadstone.com>

When I start version 4 up, lots of mailscanner processes are started, not
just one!! I guess this is causing the error message. Version 3 isn't
running. Why would so many processes be started up?

% pkill -9 mailscanner
% ps -ef | grep mailscanner | grep -v grep
% /var/opt/MailScanner/bin/check_mailscanner
Starting virus scanner...
# Wait 10 secs....
% ps -ef | grep mailscanner | grep -v grep
root 27398 27389 0 15:38:04 ? 0:06 /usr/bin/perl -I/var/opt/MailScanner/bin /var/opt/MailScanner/bin/mailscanner /
root 27410 27389 0 15:38:14 ? 0:07 /usr/bin/perl -I/var/opt/MailScanner/bin /var/opt/MailScanner/bin/mailscanner /
root 27390 27389 0 15:37:44 ? 0:06 /usr/bin/perl -I/var/opt/MailScanner/bin /var/opt/MailScanner/bin/mailscanner /
root 27411 27389 0 15:38:24 ? 0:05 /usr/bin/perl -I/var/opt/MailScanner/bin /var/opt/MailScanner/bin/mailscanner /
root 27389 1 0 15:37:44 ? 0:00 /usr/bin/perl -I/var/opt/MailScanner/bin /var/opt/MailScanner/bin/mailscanner /
root 27445 1 6 15:40:03 ? 0:05 /usr/bin/perl /var/opt/mailscanner/bin/mailscanner /var/opt/mailscanner/etc/mai
root 27393 27389 0 15:37:54 ? 0:05 /usr/bin/perl -I/var/opt/MailScanner/bin /var/opt/MailScanner/bin/mailscanner /

On Wed, Nov 13, 2002 at 03:32:35PM +0000, Julian Field wrote:
> At 15:27 13/11/2002, you wrote:
> >After starting up version 4, I am getting lots of these messages in the
> >mail
> >log:
> >
> >Nov 13 15:20:29 postie.quadstone.co.uk MailScanner[26958]: Failed to link
> >message body between queues (/var/spool/mqueue/dfgADFKNXH026972 -->
> >/var/spool/mqueue.in/dfgADFKNXH026972)
>
> Either the file already exists in the outgoing queue, or the 2 queues
> aren't on the same partition, or you are running V3 and V4 simultaneously.
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ

--
Michael Keightley                      Tel: +44 131 220 4491
Systems Manager, Quadstone Limited,    Fax: +44 131 220 4492
16 Chester Street, Edinburgh EH3 7RA, Scotland  http://www.quadstone.com

From info at pro-invest.ca Wed Nov 13 15:51:23 2002
From: info at pro-invest.ca (Investor Services)
Date: Thu Jan 12 21:16:25 2006
Subject: MRTG
Message-ID:

Hi Julian,

Could you please tell me how you do this..

"Every night the day's mail logs are collected and put in 1 directory, which
is where the script gets them from"

Thanks,

>>>>>>>>>>>>>>>>>>>>>
Mark Tavares
IS Tech Support
Professional Investments Inc.
(613)384-7511 ext. 221
1-888-548-8868
<<<<<<<<<<<<<<<<<<<<<

From Antony at SOFT-SOLUTIONS.CO.UK Wed Nov 13 15:50:12 2002
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:16:25 2006
Subject: Problems with version 4
In-Reply-To: <20021113154543.GD1629@quadstone.com>
References: <20021113152737.GB1629@quadstone.com> <5.1.0.14.2.20021113153116.07420ec0@imap.ecs.soton.ac.uk> <20021113154543.GD1629@quadstone.com>
Message-ID: <200211131550.gADFoJe32216@vulcan.rissington.net>

On Wednesday 13 November 2002 3:45 pm, Michael Keightley wrote:

> When I start version 4 up, lots of mailscanner processes are started, not
> just one!! I guess this is causing the error message. Version 3 isn't
> running. Why would so many processes be started up?

What value do you have for "Max Children" in your config file ?

Antony.

--

Behind the counter a boy with a shaven head stared vacantly into space,
a dozen spikes of microsoft protruding from the socket behind his ear.

 - William Gibson, Neuromancer (1984)

From mk at quadstone.com Wed Nov 13 16:11:56 2002
From: mk at quadstone.com (Michael Keightley)
Date: Thu Jan 12 21:16:25 2006
Subject: Problems with version 4
In-Reply-To: <200211131550.gADFoJe32216@vulcan.rissington.net>
References: <20021113152737.GB1629@quadstone.com> <5.1.0.14.2.20021113153116.07420ec0@imap.ecs.soton.ac.uk> <20021113154543.GD1629@quadstone.com> <200211131550.gADFoJe32216@vulcan.rissington.net>
Message-ID: <20021113161156.GE1629@quadstone.com>

On Wed, Nov 13, 2002 at 03:50:12PM +0000, Antony Stone wrote:
> On Wednesday 13 November 2002 3:45 pm, Michael Keightley wrote:
>
> > When I start version 4 up, lots of mailscanner processes are started, not
> > just one!! I guess this is causing the error message. Version 3 isn't
> > running. Why would so many processes be started up?
>
> What value do you have for "Max Children" in your config file ?

The default (5).

Michael

>
> Antony.
>
> --
>
> Behind the counter a boy with a shaven head stared vacantly into space,
> a dozen spikes of microsoft protruding from the socket behind his ear.
>
> - William Gibson, Neuromancer (1984)

--
Michael Keightley                      Tel: +44 131 220 4491
Systems Manager, Quadstone Limited,    Fax: +44 131 220 4492
16 Chester Street, Edinburgh EH3 7RA, Scotland  http://www.quadstone.com

From Antony at SOFT-SOLUTIONS.CO.UK Wed Nov 13 16:19:58 2002
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:16:25 2006
Subject: Problems with version 4
In-Reply-To: <20021113161156.GE1629@quadstone.com>
References: <20021113152737.GB1629@quadstone.com> <200211131550.gADFoJe32216@vulcan.rissington.net> <20021113161156.GE1629@quadstone.com>
Message-ID: <200211131620.gADGK7e32267@vulcan.rissington.net>

On Wednesday 13 November 2002 4:11 pm, Michael Keightley wrote:

> On Wed, Nov 13, 2002 at 03:50:12PM +0000, Antony Stone wrote:
> > On Wednesday 13 November 2002 3:45 pm, Michael Keightley wrote:
> > > When I start version 4 up, lots of mailscanner processes are started,
> > > not just one!! I guess this is causing the error message. Version 3
> > > isn't running. Why would so many processes be started up?
> >
> > What value do you have for "Max Children" in your config file ?
>
> The default (5).

So that explains the six instances in your previous posting - one parent plus
five child processes.

Antony.

--

Anyone that's normal doesn't really achieve much.

 - Mark Blair, Australian rocket engineer

From sevans at FOUNDATION.SDSU.EDU Wed Nov 13 16:28:27 2002
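A check for the three causes Julian Field lists for the "Failed to link message body between queues" error in the thread above, as an added example that is not part of any list message and is not MailScanner's own code. The function names are hypothetical, the `ps` lines are the ones posted in the thread, and the temporary directories are constructed stand-ins for the two queue directories.

```python
import os
import tempfile

# The process listing posted in the thread.
PS_LISTING = """\
root 27398 27389 0 15:38:04 ? 0:06 /usr/bin/perl -I/var/opt/MailScanner/bin /var/opt/MailScanner/bin/mailscanner /
root 27410 27389 0 15:38:14 ? 0:07 /usr/bin/perl -I/var/opt/MailScanner/bin /var/opt/MailScanner/bin/mailscanner /
root 27390 27389 0 15:37:44 ? 0:06 /usr/bin/perl -I/var/opt/MailScanner/bin /var/opt/MailScanner/bin/mailscanner /
root 27411 27389 0 15:38:24 ? 0:05 /usr/bin/perl -I/var/opt/MailScanner/bin /var/opt/MailScanner/bin/mailscanner /
root 27389 1 0 15:37:44 ? 0:00 /usr/bin/perl -I/var/opt/MailScanner/bin /var/opt/MailScanner/bin/mailscanner /
root 27445 1 6 15:40:03 ? 0:05 /usr/bin/perl /var/opt/mailscanner/bin/mailscanner /var/opt/mailscanner/etc/mai
root 27393 27389 0 15:37:54 ? 0:05 /usr/bin/perl -I/var/opt/MailScanner/bin /var/opt/MailScanner/bin/mailscanner /
"""


def scanners_by_path(ps_text):
    """Group `ps -ef` lines by mailscanner script path.

    Returns {script_path: sorted [(pid, ppid), ...]}. More than one key means
    more than one installed copy is running at the same time.
    """
    groups = {}
    for line in ps_text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue
        script = next((f for f in fields[7:] if f.endswith("/bin/mailscanner")), None)
        if script is None:
            continue
        groups.setdefault(script, []).append((int(fields[1]), int(fields[2])))
    return {path: sorted(procs) for path, procs in groups.items()}


def link_failure_causes(src, dst):
    """Reasons a hard link from src to dst would be refused."""
    causes = []
    if os.path.lexists(dst):
        causes.append("target already exists")          # link() fails with EEXIST
    src_dev = os.stat(os.path.dirname(src)).st_dev
    dst_dev = os.stat(os.path.dirname(dst)).st_dev
    if src_dev != dst_dev:
        causes.append("queues on different filesystems")  # link() fails with EXDEV
    return causes


def demo_collision():
    """Link one constructed queue file twice between two directories on one
    filesystem and report what the checks say before and after."""
    with tempfile.TemporaryDirectory() as root:
        q_in = os.path.join(root, "mqueue.in")
        q_out = os.path.join(root, "mqueue")
        os.mkdir(q_in)
        os.mkdir(q_out)
        src = os.path.join(q_in, "dfEXAMPLE")    # constructed file name
        dst = os.path.join(q_out, "dfEXAMPLE")
        open(src, "w").close()
        before = link_failure_causes(src, dst)
        os.link(src, dst)                         # first link succeeds
        after = link_failure_causes(src, dst)
        try:
            os.link(src, dst)                     # second link must be refused
            second = "linked"
        except FileExistsError:
            second = "EEXIST"
        return before, after, second


if __name__ == "__main__":
    for path, procs in scanners_by_path(PS_LISTING).items():
        print(path, procs)
    print(demo_collision())
```

On the listing from the thread, `scanners_by_path` returns six processes under `/var/opt/MailScanner/bin/mailscanner` and one, PID 27445 with parent 1, under `/var/opt/mailscanner/bin/mailscanner`.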
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans)
Date: Thu Jan 12 21:16:25 2006
Subject: FriendlyGreeting is Expanding
Message-ID: <6214C3F9233D764C9E7029396C355015331665@mail.foundation.sdsu.edu>

I am ready to just block all e-mail.

I attached the two possibilities now according to McAfee. Does anybody
have a long term solution for these guys. I believe the rule that
Julian suggested adding to spam.assassin.prefs.conf only covers the
first one.

Steve Evans
SDSU Foundation
(619) 594-0653

-------------- next part --------------
Subject: %Recipient% you have an E-Card from %Sender%.

Body:
Greetings! %sender% has sent you an E-Card -- a virtual postcard from FriendGreetings.com. You can pickup your E-Card at the FriendGreetings.com by clicking on the link below.
http://www.friendgreetings.com/pickup/pickup.aspx?code=%recipient%&id=%code%

Message:
------------------------------------------------------------------------
%Recipient%,
I sent you a greeting card. Please pick it up.
%Sender%
------------------------------------------------------------------------

-------------- next part --------------
Subject: %Recipient% you have a greeting card from %Sender%.

Body:
%Recipient%,
%sender% has sent you an greeting card -- a postcard from Friend-Greetings.com. You can pickup your greeting card at Friend-Greetings.com by clicking on the link below.
http://www.friend-greeting.com/%number%/pickup.html?code=%name%&id=%number%

Message:
------------------------------------------------------------------------
%Recipient%,
I sent you a greeting card - please pick it up.
%Sender%
------------------------------------------------------------------------

From David.While at UCE.AC.UK Wed Nov 13 16:58:50 2002
From: David.While at UCE.AC.UK (David While)
Date: Thu Jan 12 21:16:25 2006
Subject: Teeny problem?
Message-ID:

Does the Silent Viruses setting use a case sensitive lookup ?

I suspect it doesn't which causes a problem with some scanners which
produce the bugbear virus as BugBear and others that produce Bugbear.

-----------------------------------------------------------------
David While
Technical Development Manager
Faculty of Computing, Information & English
University of Central England
Tel: 0121 331 6211

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021113/45f9320d/attachment.html

From krice at SERVERSANDSOLUTIONS.COM Wed Nov 13 17:10:51 2002
From: krice at SERVERSANDSOLUTIONS.COM (Ken Rice)
Date: Thu Jan 12 21:16:25 2006
Subject: FriendlyGreeting is Expanding
In-Reply-To: <6214C3F9233D764C9E7029396C355015331665@mail.foundation.sdsu.edu>
References: <6214C3F9233D764C9E7029396C355015331665@mail.foundation.sdsu.edu>
Message-ID: <20021113121051.04bdec1d.krice@serversandsolutions.com>

On Wed, 13 Nov 2002 08:28:27 -0800
Steve Evans wrote:

> I am ready to just block all e-mail.

how about yahoo, hotmail, web2mail, msn.com... 8-)

> I attached the two possibilities now according to McAfee. Does anybody
> have a long term solution for these guys. I believe the rule that
> Julian suggested adding to spam.assassin.prefs.conf only covers the
> first one.

I have the "luxury" of running servers for our corporation, including
lists for our customers,
so we have no "public" users. (We're a liberal corporation, but with no
'Net policies).
Since email passing through our email server(s) are supposedly only
business-related, I use 2 approaches.

One is sendmail based, in my sendmail.mc I have:

LOCAL_RULESETS
F{JunkSubs} /etc/mail/junksubs.txt
F{SSJunk} /etc/mail/ssjunk.txt

HSubject: $>Check_Subject

SCheck_Subject
R$={JunkSubs}$*	$: NMJUNKSUB
R$* $={SSJunk} $*	$#error $: NMJUNKSUB
R$* NMJUNKSUB $*	$#error $: "553 Rejected"

my ssjunk.txt includes:
e-card
greeting.card
greeting.cardyou.have.an.e-card
you.have.a.greeting.card.from
along with many other phrases/words from v*agra on, including some sick
stuff.

In my spam.assassin.prefs.conf (mailscanner-3.26-1):
blacklist_from *@*.friendgreetings.com
blacklist_from *@friendgreetings.com
blacklist_from *@*.friend-greetings.com
blacklist_from *@friend-greetings.com
and many others. I believe the above format to be correct, but, anyone,
pls critique, 'cause it appears to work for me.

(Is a TAB really necessary after the "blacklist_from" ?

But, as I mentioned this is corporate, so if an employee does complain
that they aren't getting some "legit" email like an e-card, I try to nicely
explain why they're blocked. (or am I really being a "nice" BOFH??)

Anyway, MANY THANKS to Julian Field, as with Mailscanner, SpamAssassin
and the expensive Sophos, upper-level here is QUITE impressed with how we can
tweak our email flow.
And, it's just one more example of a great, reliable open-source
software, running on Linux here,
so much that I'm within an inch of convincing them that our primary *nix
platform for Oracle should now be Linux.

Sorry for the ramble,

Ken Rice
The Library Corporation
(first commercial CD-ROM made (with Hitachi back then) in the world)
http://www.tlcdelivers.com

Yeah, serversANDsolutions.com is my domain, but they let me work from
home a lot for many reasons.

opensource, of course!

From brian at PORTSMOUTH-COLLEGE.AC.UK Wed Nov 13 17:26:51 2002
From: brian at PORTSMOUTH-COLLEGE.AC.UK (Brian Chivers)
Date: Thu Jan 12 21:16:25 2006
Subject: FriendlyGreeting is Expanding
References: <6214C3F9233D764C9E7029396C355015331665@mail.foundation.sdsu.edu>
Message-ID: <001601c28b39$da60aa00$f0c8a8c0@brianhome>

Couldn't you just block these sites? That way they won't be able to visit
the site and download the nasty bits.

I realise this is not ideal but better than nothing.

Brian Chivers
----- Original Message -----
From: "Steve Evans"
To:
Sent: Wednesday, November 13, 2002 4:28 PM
Subject: FriendlyGreeting is Expanding

I am ready to just block all e-mail.

I attached the two possibilities now according to McAfee. Does anybody
have a long term solution for these guys. I believe the rule that
Julian suggested adding to spam.assassin.prefs.conf only covers the
first one.

Steve Evans
SDSU Foundation
(619) 594-0653

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From sean at NISD.NET Wed Nov 13 17:26:12 2002
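The sender-domain blacklist from Ken Rice's message compared with patterns derived from the two message templates Steve Evans attached, as an added example that is not part of any list message and is neither SpamAssassin's nor sendmail's code. The template-to-regex conversion and the function names are this example's own, and the three sample messages are constructed.

```python
import re
from urllib.parse import urlsplit

# Sender patterns quoted from the spam.assassin.prefs.conf lines in the thread.
BLACKLIST_FROM = [
    "*@*.friendgreetings.com", "*@friendgreetings.com",
    "*@*.friend-greetings.com", "*@friend-greetings.com",
]
# Subject and link templates quoted from the two attachments in the thread.
SUBJECT_TEMPLATES = [
    "%Recipient% you have an E-Card from %Sender%.",
    "%Recipient% you have a greeting card from %Sender%.",
]
URL_TEMPLATES = [
    "http://www.friendgreetings.com/pickup/pickup.aspx?code=%recipient%&id=%code%",
    "http://www.friend-greeting.com/%number%/pickup.html?code=%name%&id=%number%",
]


def glob_regex(pattern):
    """Address glob: '*' matches any run of characters, '?' exactly one."""
    out = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                  for c in pattern)
    return re.compile(out, re.IGNORECASE)


def template_regex(template, filler):
    """Turn a %Placeholder% template into a regex; filler stands for one placeholder."""
    parts = re.split(r"%\w+%", template)
    return re.compile(filler.join(re.escape(p) for p in parts), re.IGNORECASE)


SENDER_RES = [glob_regex(p) for p in BLACKLIST_FROM]
SUBJECT_RES = [template_regex(t, r".+?") for t in SUBJECT_TEMPLATES]
URL_RES = [template_regex(t, r"[^\s/?&]+") for t in URL_TEMPLATES]


def classify(sender, subject, body):
    """Return the sorted names of the checks that fire for one message."""
    hits = set()
    if any(r.fullmatch(sender) for r in SENDER_RES):
        hits.add("blacklist_from")
    if any(r.fullmatch(subject.strip()) for r in SUBJECT_RES):
        hits.add("subject_template")
    if any(r.search(body) for r in URL_RES):
        hits.add("link_template")
    return sorted(hits)


def link_hosts_outside_blacklist():
    """Link-template hosts whose domain no blacklist_from pattern spells.

    Each host is tested as if it were a sender domain, only to compare the
    domain spellings in the two lists.
    """
    missing = []
    for template in URL_TEMPLATES:
        host = urlsplit(template).hostname
        if not any(r.fullmatch("x@" + host) for r in SENDER_RES):
            missing.append(host)
    return missing


SAMPLES = [  # constructed messages: (envelope sender, Subject, body)
    ("cards@mail.friendgreetings.com", "Pat you have an E-Card from Chris.",
     "Pick it up: http://www.friendgreetings.com/pickup/pickup.aspx?code=pat&id=12345"),
    ("chris@example.org", "Pat you have a greeting card from Chris.",
     "http://www.friend-greeting.com/4711/pickup.html?code=pat&id=4711"),
    ("hr@example.org", "Greeting card order for the office party", "Budget attached."),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], classify(*sample))
    print(link_hosts_outside_blacklist())
```

The second sample, sent from an ordinary user address, is caught only by the Subject and link patterns. `link_hosts_outside_blacklist()` returns `www.friend-greeting.com`, the second template's link host, which is spelled differently from the blacklisted `friend-greetings.com`.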
From: sean at NISD.NET (Sean Embry) Date: Thu Jan 12 21:16:25 2006 Subject: FriendlyGreeting is Expanding Message-ID: A clue by four applied vigorously to the user's head that clicks on this works wonders. >>> krice@SERVERSANDSOLUTIONS.COM 11/13/02 11:10AM >>> On Wed, 13 Nov 2002 08:28:27 -0800 Steve Evans wrote: > I am ready to just block all e-mail. how about yahoo, hotmail, web2mail, msn.com... 8-) > I attached the two possibilitys now according to Mcafee. Does anybody > have a long term solution for these guys. I believe the rule that > Julian suggested adding to spam.assassin.prefs.conf only covers the > first one. I have the "luxury" of running servers for our corporation, including lists for our customers, so we have no "public" users. (We're a liberal corporation, but with no 'Net policies). Since email passing through our email server(s) are supposedly only business-related, I use 2 approaches. One is sendmail based, in my sendmail.mc I have: LOCAL_RULESETS F{JunkSubs} /etc/mail/junksubs.txt F{SSJunk} /etc/mail/ssjunk.txt HSubject: $>Check_Subject SCheck_Subject R$={JunkSubs}$* $: NMJUNKSUB R$* $={SSJunk} $* $#error $: NMJUNKSUB R$* NMJUNKSUB $* $#error $: "553 Rejected" my ssjunk.txt includes: e-card greeting.card greeting.cardyou.have.an.e-card you.have.a.greeting.card.from along with many other phrases/words from v*agra on, including some sick stuff. In my spam.assassin.prefs.conf (mailscanner-3.26-1): blacklist_from *@*.friendgreetings.com blacklist_from *@friendgreetings.com blacklist_from *@*.friend-greetings.com blacklist_from *@friend-greetings.com and many others. I believe the above format to be correct, but, anyone, pls critique, 'cause it appears to work for me. (Is a TAB really necessary after the "blacklist_from" ? But, as I mentioned this is corporate, so if an employee does complain that they aren't getting some "legit" email like an e-card, I try to nicely explain why they're blocked. (or am I really being a "nice" BOFH??) 
Anyway, MANY THANKS to Julian Field, as with Mailscanner, SpamAssassin and the expensive Sophos, upper-level here is QUITE impressed with how we can tweak our email flow. And, it's just one more example of a great, reliable open-source software, running on Linux here, so much that I'm within an inch of convincing them that our primary *nix platform for Oracle should now be Linux. Sorry for the ramble, Ken Rice The Library Corporation (first commercial CD-ROM made (with Hitachi back then) in the world) http://www.tlcdelivers.com Yeah, serversANDsolutions.com is my domain, but they let me work from home a lot for many reasons. opensource, of course! From sevans at FOUNDATION.SDSU.EDU Wed Nov 13 17:51:53 2002 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:16:25 2006 Subject: FriendlyGreeting is Expanding Message-ID: <6214C3F9233D764C9E7029396C35501533166A@mail.foundation.sdsu.edu> Let me clarify, we provide e-mail for about %85 of our e-mail users, and they connect to the internet however they want. Steve Evans SDSU Foundation (619) 594-0653 -----Original Message----- From: Brian Chivers [mailto:brian@PORTSMOUTH-COLLEGE.AC.UK] Sent: Wednesday, November 13, 2002 9:27 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: FriendlyGreeting is Expanding Couldn't you just block these site's ? that way they won't be able to visit the site and download the nasty bit's. I realise this is not ideal but better then nothing. Brian Chivers ----- Original Message ----- 
From: "Steve Evans" To: Sent: Wednesday, November 13, 2002 4:28 PM Subject: FriendlyGreeting is Expanding I am ready to just block all e-mail. I attached the two possibilitys now according to Mcafee. Does anybody have a long term solution for these guys. I believe the rule that Julian suggested adding to spam.assassin.prefs.conf only covers the first one. Steve Evans SDSU Foundation (619) 594-0653 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From sevans at FOUNDATION.SDSU.EDU Wed Nov 13 17:51:31 2002 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:16:25 2006 Subject: FriendlyGreeting is Expanding Message-ID: <6214C3F9233D764C9E7029396C355015331669@mail.foundation.sdsu.edu> We have. But we have home users, and we act as an ISP for about 85% of our mail users. Steve Evans SDSU Foundation (619) 594-0653 -----Original Message----- From: Brian Chivers [mailto:brian@PORTSMOUTH-COLLEGE.AC.UK] Sent: Wednesday, November 13, 2002 9:27 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: FriendlyGreeting is Expanding Couldn't you just block these site's ? that way they won't be able to visit the site and download the nasty bit's. I realise this is not ideal but better then nothing. Brian Chivers ----- Original Message ----- From: "Steve Evans" To: Sent: Wednesday, November 13, 2002 4:28 PM Subject: FriendlyGreeting is Expanding I am ready to just block all e-mail. I attached the two possibilitys now according to Mcafee. Does anybody have a long term solution for these guys. I believe the rule that Julian suggested adding to spam.assassin.prefs.conf only covers the first one. Steve Evans SDSU Foundation (619) 594-0653 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From sevans at FOUNDATION.SDSU.EDU Wed Nov 13 17:54:34 2002 
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans)
Date: Thu Jan 12 21:16:25 2006
Subject: FriendlyGreeting is Expanding
Message-ID: <6214C3F9233D764C9E7029396C35501533166B@mail.foundation.sdsu.edu>

Blocking the friendlygreeting domains won't work because the "Virus"
comes from a user.

Steve Evans
SDSU Foundation
(619) 594-0653

-----Original Message-----
From: Ken Rice [mailto:krice@SERVERSANDSOLUTIONS.COM] Sent: Wednesday, November 13, 2002 9:11 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: FriendlyGreeting is Expanding On Wed, 13 Nov 2002 08:28:27 -0800 Steve Evans wrote: > I am ready to just block all e-mail. how about yahoo, hotmail, web2mail, msn.com... 8-) > I attached the two possibilitys now according to Mcafee. Does anybody > have a long term solution for these guys. I believe the rule that > Julian suggested adding to spam.assassin.prefs.conf only covers the > first one. I have the "luxury" of running servers for our corporation, including lists for our customers, so we have no "public" users. (We're a liberal corporation, but with no 'Net policies). Since email passing through our email server(s) are supposedly only business-related, I use 2 approaches. One is sendmail based, in my sendmail.mc I have: LOCAL_RULESETS F{JunkSubs} /etc/mail/junksubs.txt F{SSJunk} /etc/mail/ssjunk.txt HSubject: $>Check_Subject SCheck_Subject R$={JunkSubs}$* $: NMJUNKSUB R$* $={SSJunk} $* $#error $: NMJUNKSUB R$* NMJUNKSUB $* $#error $: "553 Rejected" my ssjunk.txt includes: e-card greeting.card greeting.cardyou.have.an.e-card you.have.a.greeting.card.from along with many other phrases/words from v*agra on, including some sick stuff. In my spam.assassin.prefs.conf (mailscanner-3.26-1): blacklist_from *@*.friendgreetings.com blacklist_from *@friendgreetings.com blacklist_from *@*.friend-greetings.com blacklist_from *@friend-greetings.com and many others. I believe the above format to be correct, but, anyone, pls critique, 'cause it appears to work for me. (Is a TAB really necessary after the "blacklist_from" ? But, as I mentioned this is corporate, so if an employee does complain that they aren't getting some "legit" email like an e-card, I try to nicely explain why they're blocked. (or am I really being a "nice" BOFH??) 
Anyway, MANY THANKS to Julian Field, as with Mailscanner, SpamAssassin and the expensive Sophos, upper-level here is QUITE impressed with how we can tweak our email flow. And, it's just one more example of a great, reliable open-source software, running on Linux here, so much that I'm within an inch of convincing them that our primary *nix platform for Oracle should now be Linux. Sorry for the ramble, Ken Rice The Library Corporation (first commercial CD-ROM made (with Hitachi back then) in the world) http://www.tlcdelivers.com Yeah, serversANDsolutions.com is my domain, but they let me work from home a lot for many reasons. opensource, of course! From brian at PORTSMOUTH-COLLEGE.AC.UK Wed Nov 13 18:01:18 2002 From: brian at PORTSMOUTH-COLLEGE.AC.UK (Brian Chivers) Date: Thu Jan 12 21:16:25 2006 Subject: FriendlyGreeting is Expanding References: <6214C3F9233D764C9E7029396C35501533166B@mail.foundation.sdsu.edu> Message-ID: <000e01c28b3e$aa86f640$f0c8a8c0@brianhome> Yah but surely if they can't get to the website to download the program it doesn't pose a threat. Am I misunderstanding this ?? Brian Chivers ----- Original Message ----- From: "Steve Evans" To: Sent: Wednesday, November 13, 2002 5:54 PM Subject: Re: FriendlyGreeting is Expanding > Blocking the friendlygreeting domains won't work because the "Virus" > comes from a user. > > Steve Evans > SDSU Foundation > (619) 594-0653 > > -----Original Message----- 
> From: Ken Rice [mailto:krice@SERVERSANDSOLUTIONS.COM] > Sent: Wednesday, November 13, 2002 9:11 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: FriendlyGreeting is Expanding > > > On Wed, 13 Nov 2002 08:28:27 -0800 > Steve Evans wrote: > > > I am ready to just block all e-mail. > > how about yahoo, hotmail, web2mail, msn.com... 8-) > > > I attached the two possibilitys now according to Mcafee. Does anybody > > have a long term solution for these guys. I believe the rule that > > Julian suggested adding to spam.assassin.prefs.conf only covers the > > first one. > > I have the "luxury" of running servers for our corporation, including > lists for our customers, > so we have no "public" users. (We're a liberal corporation, but with no > 'Net policies). > Since email passing through our email server(s) are supposedly only > business-related, I use 2 approaches. > > One is sendmail based, in my sendmail.mc I have: > > LOCAL_RULESETS > F{JunkSubs} /etc/mail/junksubs.txt > F{SSJunk} /etc/mail/ssjunk.txt > > HSubject: $>Check_Subject > > SCheck_Subject > R$={JunkSubs}$* $: NMJUNKSUB > R$* $={SSJunk} $* $#error $: NMJUNKSUB > R$* NMJUNKSUB $* $#error $: "553 Rejected" > > my ssjunk.txt includes: > e-card > greeting.card > greeting.cardyou.have.an.e-card > you.have.a.greeting.card.from > along with many other phrases/words from v*agra on, including some sick > stuff. > > In my spam.assassin.prefs.conf (mailscanner-3.26-1): > blacklist_from *@*.friendgreetings.com > blacklist_from *@friendgreetings.com > blacklist_from *@*.friend-greetings.com > blacklist_from *@friend-greetings.com > and many others. I believe the above format to be correct, but, anyone, > pls critique, 'cause it appears to work for me. > > (Is a TAB really necessary after the "blacklist_from" ? > > But, as I mentioned this is corporate, so if an employee does complain > that > they aren't getting some "legit" email like an e-card, I try to nicely > explain > why they're blocked. 
(or am I really being a "nice" BOFH??) > > Anyway, MANY THANKS to Julian Field, as with Mailscanner, SpamAssassin > and the > expensive Sophos, upper-level here is QUITE impressed with how we can > tweak our email flow. > And, it's just one more example of a great, reliable open-source > software, running on Linux here, > so much that I'm within an inch of convincing them that our primary *nix > platform for Oracle > should now be Linux. > > Sorry for the ramble, > > Ken Rice > The Library Corporation > (first commercial CD-ROM made (with Hitachi back then) in the world) > http://www.tlcdelivers.com > > Yeah, serversANDsolutions.com is my domain, but they let me work from > home a lot for many reasons. > > opensource, of course! > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From sevans at FOUNDATION.SDSU.EDU Wed Nov 13 18:04:29 2002 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:16:25 2006 Subject: FriendlyGreeting is Expanding Message-ID: <6214C3F9233D764C9E7029396C35501533166C@mail.foundation.sdsu.edu> We can't block all our users from getting to their site. Most of our e-mail users are on different networks. And even the ones that do physically reside on our network work from home sometimes. Steve Evans SDSU Foundation (619) 594-0653 -----Original Message----- From: Brian Chivers [mailto:brian@PORTSMOUTH-COLLEGE.AC.UK] Sent: Wednesday, November 13, 2002 10:01 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: FriendlyGreeting is Expanding Yah but surely if they can't get to the website to download the program it doesn't pose a threat. Am I misunderstanding this ?? Brian Chivers ----- Original Message ----- 
From: "Steve Evans" To: Sent: Wednesday, November 13, 2002 5:54 PM Subject: Re: FriendlyGreeting is Expanding > Blocking the friendlygreeting domains won't work because the "Virus" > comes from a user. > > Steve Evans > SDSU Foundation > (619) 594-0653 > > -----Original Message----- 
> From: Ken Rice [mailto:krice@SERVERSANDSOLUTIONS.COM] > Sent: Wednesday, November 13, 2002 9:11 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: FriendlyGreeting is Expanding > > > On Wed, 13 Nov 2002 08:28:27 -0800 > Steve Evans wrote: > > > I am ready to just block all e-mail. > > how about yahoo, hotmail, web2mail, msn.com... 8-) > > > I attached the two possibilitys now according to Mcafee. Does > > anybody have a long term solution for these guys. I believe the > > rule that Julian suggested adding to spam.assassin.prefs.conf only > > covers the first one. > > I have the "luxury" of running servers for our corporation, including > lists for our customers, so we have no "public" users. (We're a > liberal corporation, but with no 'Net policies). > Since email passing through our email server(s) are supposedly only > business-related, I use 2 approaches. > > One is sendmail based, in my sendmail.mc I have: > > LOCAL_RULESETS > F{JunkSubs} /etc/mail/junksubs.txt > F{SSJunk} /etc/mail/ssjunk.txt > > HSubject: $>Check_Subject > > SCheck_Subject > R$={JunkSubs}$* $: NMJUNKSUB > R$* $={SSJunk} $* $#error $: NMJUNKSUB > R$* NMJUNKSUB $* $#error $: "553 Rejected" > > my ssjunk.txt includes: > e-card > greeting.card > greeting.cardyou.have.an.e-card > you.have.a.greeting.card.from > along with many other phrases/words from v*agra on, including some > sick stuff. > > In my spam.assassin.prefs.conf (mailscanner-3.26-1): blacklist_from > *@*.friendgreetings.com blacklist_from *@friendgreetings.com > blacklist_from *@*.friend-greetings.com > blacklist_from *@friend-greetings.com > and many others. I believe the above format to be correct, but, anyone, > pls critique, 'cause it appears to work for me. > > (Is a TAB really necessary after the "blacklist_from" ? > > But, as I mentioned this is corporate, so if an employee does complain > that they aren't getting some "legit" email like an e-card, I try to > nicely explain > why they're blocked. 
(or am I really being a "nice" BOFH??) > > Anyway, MANY THANKS to Julian Field, as with Mailscanner, SpamAssassin > and the expensive Sophos, upper-level here is QUITE impressed with how > we can tweak our email flow. > And, it's just one more example of a great, reliable open-source > software, running on Linux here, > so much that I'm within an inch of convincing them that our primary *nix > platform for Oracle > should now be Linux. > > Sorry for the ramble, > > Ken Rice > The Library Corporation > (first commercial CD-ROM made (with Hitachi back then) in the world) > http://www.tlcdelivers.com > > Yeah, serversANDsolutions.com is my domain, but they let me work from > home a lot for many reasons. > > opensource, of course! > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From brian at PORTSMOUTH-COLLEGE.AC.UK Wed Nov 13 18:07:43 2002 From: brian at PORTSMOUTH-COLLEGE.AC.UK (Brian Chivers) Date: Thu Jan 12 21:16:25 2006 Subject: FriendlyGreeting is Expanding References: <6214C3F9233D764C9E7029396C35501533166C@mail.foundation.sdsu.edu> Message-ID: <001301c28b3f$900d33a0$f0c8a8c0@brianhome> Ah, OK. Luckily I don't have to deal with this type of enviroment so I'm able to take a simplier way out. All our machines connect via proxies so we can just block the site. If the users moan I can just say that it isn't for college use and to do it at home. Brian ----- Original Message ----- From: "Steve Evans" To: Sent: Wednesday, November 13, 2002 6:04 PM Subject: Re: FriendlyGreeting is Expanding > We can't block all our users from getting to their site. Most of our > e-mail users are on different networks. And even the ones that do > physically reside on our network work from home sometimes. > > Steve Evans > SDSU Foundation > (619) 594-0653 > > -----Original Message----- 
> From: Brian Chivers [mailto:brian@PORTSMOUTH-COLLEGE.AC.UK]
> Sent: Wednesday, November 13, 2002 10:01 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: FriendlyGreeting is Expanding
>
>
> Yah but surely if they can't get to the website to download the program
> it doesn't pose a threat.
>
> Am I misunderstanding this ??
>
> Brian Chivers
> ----- Original Message -----
> From: "Steve Evans"
> To:
> Sent: Wednesday, November 13, 2002 5:54 PM
> Subject: Re: FriendlyGreeting is Expanding
>
>
> > Blocking the friendlygreeting domains won't work because the "Virus"
> > comes from a user.
> >
> > Steve Evans
> > SDSU Foundation
> > (619) 594-0653
> >
> > -----Original Message-----
> > From: Ken Rice [mailto:krice@SERVERSANDSOLUTIONS.COM]
> > Sent: Wednesday, November 13, 2002 9:11 AM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: FriendlyGreeting is Expanding
> >
> >
> > On Wed, 13 Nov 2002 08:28:27 -0800
> > Steve Evans wrote:
> >
> > > I am ready to just block all e-mail.
> >
> > how about yahoo, hotmail, web2mail, msn.com... 8-)
> >
> > > I attached the two possibilities now according to Mcafee. Does
> > > anybody have a long term solution for these guys. I believe the
> > > rule that Julian suggested adding to spam.assassin.prefs.conf only
> > > covers the first one.
> >
> > I have the "luxury" of running servers for our corporation, including
> > lists for our customers, so we have no "public" users. (We're a
> > liberal corporation, but with no 'Net policies).
> > Since email passing through our email server(s) are supposedly only
> > business-related, I use 2 approaches.
> >
> > One is sendmail based, in my sendmail.mc I have:
> >
> > LOCAL_RULESETS
> > F{JunkSubs} /etc/mail/junksubs.txt
> > F{SSJunk} /etc/mail/ssjunk.txt
> >
> > HSubject: $>Check_Subject
> >
> > SCheck_Subject
> > R$={JunkSubs}$* $: NMJUNKSUB
> > R$* $={SSJunk} $* $#error $: NMJUNKSUB
> > R$* NMJUNKSUB $* $#error $: "553 Rejected"
> >
> > my ssjunk.txt includes:
> > e-card
> > greeting.card
> > greeting.cardyou.have.an.e-card
> > you.have.a.greeting.card.from
> > along with many other phrases/words from v*agra on, including some
> > sick stuff.
> >
> > In my spam.assassin.prefs.conf (mailscanner-3.26-1):
> > blacklist_from *@*.friendgreetings.com
> > blacklist_from *@friendgreetings.com
> > blacklist_from *@*.friend-greetings.com
> > blacklist_from *@friend-greetings.com
> > and many others. I believe the above format to be correct, but, anyone,
> > pls critique, 'cause it appears to work for me.
> >
> > (Is a TAB really necessary after the "blacklist_from" ?
> >
> > But, as I mentioned this is corporate, so if an employee does complain
> > that they aren't getting some "legit" email like an e-card, I try to
> > nicely explain
> > why they're blocked. (or am I really being a "nice" BOFH??)
> >
> > Anyway, MANY THANKS to Julian Field, as with Mailscanner, SpamAssassin
> > and the expensive Sophos, upper-level here is QUITE impressed with how
> > we can tweak our email flow.
> > And, it's just one more example of a great, reliable open-source
> > software, running on Linux here,
> > so much that I'm within an inch of convincing them that our primary *nix
> > platform for Oracle
> > should now be Linux.
> >
> > Sorry for the ramble,
> >
> > Ken Rice
> > The Library Corporation
> > (first commercial CD-ROM made (with Hitachi back then) in the world)
> > http://www.tlcdelivers.com
> >
> > Yeah, serversANDsolutions.com is my domain, but they let me work from
> > home a lot for many reasons.
> >
> > opensource, of course!
> >
> >
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From krice at SERVERSANDSOLUTIONS.COM Wed Nov 13 18:14:52 2002
From: krice at SERVERSANDSOLUTIONS.COM (Ken Rice)
Date: Thu Jan 12 21:16:25 2006
Subject: FriendlyGreeting is Expanding
In-Reply-To: <6214C3F9233D764C9E7029396C35501533166B@mail.foundation.sdsu.edu>
References: <6214C3F9233D764C9E7029396C35501533166B@mail.foundation.sdsu.edu>
Message-ID: <20021113131452.498503d5.krice@serversandsolutions.com>

On Wed, 13 Nov 2002 09:54:34 -0800
Steve Evans wrote:

> Blocking the friendlygreeting domains won't work because the "Virus"
> comes from a user.

Yes, thx, I just grepped my maillogs. The local_ruleset is the one...

> One is sendmail based, in my sendmail.mc I have:
>
> LOCAL_RULESETS
> F{JunkSubs} /etc/mail/junksubs.txt
> F{SSJunk} /etc/mail/ssjunk.txt
>
> HSubject: $>Check_Subject
>
> SCheck_Subject
> R$={JunkSubs}$* $: NMJUNKSUB
> R$* $={SSJunk} $* $#error $: NMJUNKSUB
> R$* NMJUNKSUB $* $#error $: "553 Rejected"
>
> my ssjunk.txt includes:
> e-card
> greeting.card
> greeting.cardyou.have.an.e-card
> you.have.a.greeting.card.from

Ken Rice
The Library Corporation

From mailscannerlist at TNJINFL.COM Wed Nov 13 18:35:50 2002
From: mailscannerlist at TNJINFL.COM (James Pifer)
Date: Thu Jan 12 21:16:25 2006
Subject: [Fwd: Rejected posting to MAILSCANNER@JISCMAIL.AC.UK]
Message-ID: <1037212550.13361.41.camel@tweety.tnjinfl.com>

I looked at the FAQ before posting, and didn't find my answer.

I've installed Redhat 8 (with Sendmail of course) and then added
MailScanner, SpamAssassin, and F-Prot. My mail is being delivered, but I'm
not sure that it's going through the spam and virus filters. I received 6
spam messages last evening.

-How can I tell if it's working correctly or not?
-Are there any log files? I checked maillog and it looked like only
sendmail activity.
-It also looks like Redhat 8 installs Procmail by default. Do I need to
do anything with this, like shut it off or configure it?

Any help is appreciated.

Thanks,
James

From lbergman at wtxs.net Wed Nov 13 18:49:45 2002
From: lbergman at wtxs.net (Lewis Bergman)
Date: Thu Jan 12 21:16:25 2006
Subject: [Fwd: Rejected posting to MAILSCANNER@JISCMAIL.AC.UK]
In-Reply-To: <1037212550.13361.41.camel@tweety.tnjinfl.com>
References: <1037212550.13361.41.camel@tweety.tnjinfl.com>
Message-ID: <200211131249.45784.lbergman@wtxs.net>

On Wednesday 13 November 2002 12:35 pm, James Pifer wrote:
> I looked at the FAQ before posting, and didn't find my answer.
>
> I've installed Redhat 8 (with Sendmail of course) and then added
> MailScanner, SpamAssassin, and F-Prot. My mail is being delivered, but I'm
> not sure that it's going through the spam and virus filters. I received 6
> spam messages last evening.
>
You should go to the web site and look at some info there.
> -How can I tell if it's working correctly or not?
ps aux | grep MailScanner, look at the headers...

> -Are there any log files? I checked maillog and it looked like only
> sendmail activity.
Did you start it per the instructions?
> -It also looks like Redhat 8 installs Procmail by default. Do I need to
> do anything with this, like shut it off or configure it?
No, MailScanner has nothing to do with Procmail

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
915-695-6962 ext 115

From mailscanner at ecs.soton.ac.uk Wed Nov 13 18:43:32 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:25 2006
Subject: MRTG
In-Reply-To:
Message-ID: <5.1.0.14.2.20021113184229.03859f68@imap.ecs.soton.ac.uk>

At 15:51 13/11/2002, you wrote:
>Hi Julian,
>
>Could you please tell me how you do this..
>
>"Every night the day's mail logs are collected and put in 1 directory, which
>is where the script gets them from"

I just have cron jobs on my mail servers that use rcp or scp to copy the
day's maillog over to the host that runs MRTG.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Wed Nov 13 18:52:44 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:25 2006
Subject: FriendlyGreeting is Expanding
In-Reply-To: <6214C3F9233D764C9E7029396C355015331665@mail.foundation.sdsu.edu>
Message-ID: <5.1.0.14.2.20021113184837.0385cf30@imap.ecs.soton.ac.uk>

At 16:28 13/11/2002, you wrote:
>I am ready to just block all e-mail.

Do that and I'll have to go back to collecting things (glasses, clocks,
bottles of brandy...)
:-)

>I attached the two possibilities now according to Mcafee. Does anybody
>have a long term solution for these guys. I believe the rule that
>Julian suggested adding to spam.assassin.prefs.conf only covers the
>first one.

I have only seen these two. The second one appeared last week. Updates for
sendmail.cf or spam.assassin.prefs.conf are included here for everyone's
benefit. If I hear any more news in this I'll let you all know.

Stop them in sendmail:

HSubject: $>Check_Subject
D{FriendPat1}you have an E-Card from
D{FriendPat2}you have a greeting card from
D{FriendMsg}This message is probably a nasty E-Card.
SCheck_Subject
R$* ${FriendPat1} $* $#error $@ 5.7.1 $: ${FriendMsg}
R$* ${FriendPat2} $* $#error $@ 5.7.1 $: ${FriendMsg}

Or stop them in SpamAssassin:

header FRIEND_GREETINGS Subject =~ /you have an E-Card from/i
describe FRIEND_GREETINGS Nasty E-card from FriendGreetings.com
score FRIEND_GREETINGS 100.0
header FRIEND_GREETINGS2 Subject =~ /you have a greeting card from/i
describe FRIEND_GREETINGS2 Nasty E-card from FriendGreetings.com
score FRIEND_GREETINGS2 100.0

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Wed Nov 13 19:03:20 2002
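
[Added example, not part of any list message and not MailScanner or SpamAssassin code: a small Python harness that parses the two header/describe/score rules from the "FriendlyGreeting is Expanding" message above and replays them over sample messages, so a rule edit can be regression-tested before it goes into spam.assassin.prefs.conf. It goes a little beyond the thread by also checking folded and RFC 2047-encoded Subject headers; Python's email parser stands in for header decoding, and every address and subject below is constructed.]

```python
import base64
import re
from email import message_from_string, policy

# The two rules as posted in the list message above.
RULES_TEXT = """\
header FRIEND_GREETINGS Subject =~ /you have an E-Card from/i
describe FRIEND_GREETINGS Nasty E-card from FriendGreetings.com
score FRIEND_GREETINGS 100.0
header FRIEND_GREETINGS2 Subject =~ /you have a greeting card from/i
describe FRIEND_GREETINGS2 Nasty E-card from FriendGreetings.com
score FRIEND_GREETINGS2 100.0
"""

# "<HeaderName> =~ /<regex>/<flags>", the only header test form handled here.
HEADER_TEST = re.compile(r"^(\S+)\s+=~\s+/(.*)/([a-z]*)$")


def parse_rules(text):
    """Parse header/describe/score lines into {rule_name: {...}}."""
    rules = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'keyword NAME value'")
        keyword, name, value = parts
        # Default score used by this harness when no score line is given.
        rule = rules.setdefault(name, {"score": 1.0, "describe": ""})
        if keyword == "header":
            m = HEADER_TEST.match(value)
            if not m:
                raise ValueError(f"line {lineno}: unsupported header test")
            flags = re.IGNORECASE if "i" in m.group(3) else 0
            rule["header"] = m.group(1)
            rule["regex"] = re.compile(m.group(2), flags)
        elif keyword == "describe":
            rule["describe"] = value
        elif keyword == "score":
            rule["score"] = float(value)
        else:
            raise ValueError(f"line {lineno}: unknown keyword {keyword!r}")
    orphans = [n for n, r in rules.items() if "regex" not in r]
    if orphans:
        raise ValueError(f"score/describe without a header test: {orphans}")
    return rules


def header_value(raw_message, name, decoded=True):
    """Return a header unfolded and RFC 2047-decoded, or exactly as sent."""
    pol = policy.default if decoded else policy.compat32
    value = message_from_string(raw_message, policy=pol)[name]
    return "" if value is None else str(value)


def evaluate(raw_message, rules, decoded=True):
    """Return (total_score, sorted names of the rules that hit)."""
    hits = sorted(
        name for name, rule in rules.items()
        if rule["regex"].search(header_value(raw_message, rule["header"], decoded))
    )
    return sum((rules[n]["score"] for n in hits), 0.0), hits


def build_message(subject_header):
    """Wrap one Subject header line in a minimal constructed message."""
    return ("From: sender@example.com\nTo: user@example.org\n"
            f"{subject_header}\n\nbody\n")


# Constructed test subjects; none of these come from the list archive.
ENCODED_WORD = ("=?UTF-8?B?"
                + base64.b64encode(b"You have an E-Card from Frank").decode()
                + "?=")
SAMPLES = {
    "plain": build_message("Subject: Bob, you have an E-Card from Alice"),
    "upper": build_message("Subject: YOU HAVE A GREETING CARD FROM CAROL"),
    "folded": build_message("Subject: Dave, you have a greeting\n card from Erin"),
    "encoded": build_message("Subject: " + ENCODED_WORD),
    "benign": build_message("Subject: Minutes of the greeting committee"),
}

if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for label, raw in SAMPLES.items():
        print(f"{label:8} decoded={evaluate(raw, rules)} "
              f"as-sent={evaluate(raw, rules, decoded=False)}")
```

The folded and encoded samples only hit when the pattern is run against the decoded, unfolded header, which is the case worth keeping in a regression set for any Subject rule.
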
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:25 2006
Subject: Teeny problem?
In-Reply-To:
Message-ID: <5.1.0.14.2.20021113185735.03841da8@imap.ecs.soton.ac.uk>

At 16:58 13/11/2002, you wrote:
>Does the Silent Viruses setting use a case sensitive lookup ? I suspect it
>doesn't which causes a problem with some scanners which produce the
>bugbear virus as BugBear and others that produce Bugbear.

It is case sensitive. You really should customise this list to the exact
output from your virus scanner.

But on the assumption that most people don't, I'll change to
case-insensitive so the default list does something sensible on more
systems.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Wed Nov 13 18:55:45 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:25 2006
Subject: [Fwd: Rejected posting to MAILSCANNER@JISCMAIL.AC.UK]
In-Reply-To: <200211131249.45784.lbergman@wtxs.net>
References: <1037212550.13361.41.camel@tweety.tnjinfl.com> <1037212550.13361.41.camel@tweety.tnjinfl.com>
Message-ID: <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk>

At 18:49 13/11/2002, you wrote:
>On Wednesday 13 November 2002 12:35 pm, James Pifer wrote:
> > I looked at the FAQ before posting, and didn't find my answer.
> >
> > I've installed Redhat 8 (with Sendmail of course) and then added
> > MailScanner, SpamAssassin, and F-Prot. My mail is being delivered, but I'm
> > not sure that it's going through the spam and virus filters. I received 6
> > spam messages last evening.
> >
>You should go to the web site and look at some info there.
> > -How can I tell if it's working correctly or not?
>ps aux | grep MailScanner, look at the headers...
>
> > -Are there any log files? I checked maillog and it looked like only
> > sendmail activity.
>Did you start it per the instructions?

If you aren't sure, then do this:
service sendmail stop
chkconfig sendmail off
chkconfig MailScanner on
service MailScanner start

And as Lewis said, look at the mail headers, you should see signs of
MailScanner there.

Note that by default, SpamAssassin is not enabled. If you have installed
it, you need to enable it in MailScanner.conf.

> > -It also looks like Redhat 8 installs Procmail by default. Do I need to
> > do anything with this, like shut it off or configure it?
>No, MailScanner has nothing to do with Procmail
>
>--
>Lewis Bergman
>Texas Communications
>4309 Maple St.
>Abilene, TX 79602-8044
>915-695-6962 ext 115

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From David.While at UCE.AC.UK Wed Nov 13 19:16:10 2002
From: David.While at UCE.AC.UK (David While)
Date: Thu Jan 12 21:16:25 2006
Subject: Teeny problem?
Message-ID:

Customising is OK if you only use one scanner but if you use multiple
scanners then you end up having to put in potentially as many entries as
you have scanners for each virus.

-----------------------------------------------------------------
David While
Technical Development Manager
Faculty of Computing, Information & English
University of Central England
Tel: 0121 331 6211

Julian Field cc: Sent by: Subject: Re: Teeny problem? MailScanner mailing list 13/11/2002 19:03 Please respond to MailScanner mailing list

At 16:58 13/11/2002, you wrote:
>Does the Silent Viruses setting use a case sensitive lookup ? I suspect it
>doesn't which causes a problem with some scanners which produce the
>bugbear virus as BugBear and others that produce Bugbear.

It is case sensitive. You really should customise this list to the exact
output from your virus scanner.

But on the assumption that most people don't, I'll change to
case-insensitive so the default list does something sensible on more
systems.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From sevans at FOUNDATION.SDSU.EDU Wed Nov 13 19:24:54 2002
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans)
Date: Thu Jan 12 21:16:25 2006
Subject: FriendlyGreeting is Expanding
Message-ID: <6214C3F9233D764C9E7029396C355015682708@mail.foundation.sdsu.edu>

Basically the difference between blocking them in Sendmail or
SpamAssassin is the amount of work the server does, and if you want more
control on what happens to the message. So SpamAssassin allows you to
re-direct for example, sendmail just bounces.

Steve Evans
SDSU Foundation
(619) 594-0653

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Wednesday, November 13, 2002 10:53 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: FriendlyGreeting is Expanding


At 16:28 13/11/2002, you wrote:
>I am ready to just block all e-mail.

Do that and I'll have to go back to collecting things (glasses, clocks,
bottles of brandy...)
:-)

>I attached the two possibilities now according to Mcafee. Does anybody
>have a long term solution for these guys. I believe the rule that
>Julian suggested adding to spam.assassin.prefs.conf only covers the
>first one.

I have only seen these two. The second one appeared last week. Updates
for sendmail.cf or spam.assassin.prefs.conf are included here for
everyone's benefit. If I hear any more news in this I'll let you all
know.

Stop them in sendmail:

HSubject: $>Check_Subject
D{FriendPat1}you have an E-Card from
D{FriendPat2}you have a greeting card from
D{FriendMsg}This message is probably a nasty E-Card.
SCheck_Subject
R$* ${FriendPat1} $* $#error $@ 5.7.1 $: ${FriendMsg}
R$* ${FriendPat2} $* $#error $@ 5.7.1 $: ${FriendMsg}

Or stop them in SpamAssassin:

header FRIEND_GREETINGS Subject =~ /you have an E-Card from/i
describe FRIEND_GREETINGS Nasty E-card from FriendGreetings.com
score FRIEND_GREETINGS 100.0
header FRIEND_GREETINGS2 Subject =~ /you have a greeting card from/i
describe FRIEND_GREETINGS2 Nasty E-card from FriendGreetings.com
score FRIEND_GREETINGS2 100.0

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From brose at MED.WAYNE.EDU Wed Nov 13 19:31:53 2002
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:16:25 2006
Subject: FriendlyGreeting is Expanding
Message-ID:

Since the second one came out, I just updated the SA rule plus added the
addresses to our firewall to keep users from even getting to those
sites. Also, I think there is probably more to these guys that's not
being talked about. Is it possible that they are also stealing the
email addresses for sale to spammers?

-----Original Message-----
From: Steve Evans [mailto:sevans@FOUNDATION.SDSU.EDU]
Sent: Wednesday, November 13, 2002 11:28 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: FriendlyGreeting is Expanding


I am ready to just block all e-mail.

I attached the two possibilities now according to Mcafee. Does anybody
have a long term solution for these guys. I believe the rule that
Julian suggested adding to spam.assassin.prefs.conf only covers the
first one.

Steve Evans
SDSU Foundation
(619) 594-0653

From mailscanner at ecs.soton.ac.uk Wed Nov 13 20:14:47 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:26 2006
Subject: Teeny problem?
In-Reply-To:
Message-ID: <5.1.0.14.2.20021113201331.02451eb8@imap.ecs.soton.ac.uk>

At 19:16 13/11/2002, you wrote:
>Customising is OK if you only use one scanner but if you use multiple
>scanners then you end up having to put in potentially as many entries as
>you have scanners for each virus.

Good point.
This is a very small change and will be included in the next release.

> 13/11/2002 19:03
> Please respond to
> MailScanner
> mailing list
>
>At 16:58 13/11/2002, you wrote:
> >Does the Silent Viruses setting use a case sensitive lookup ? I suspect it
> >doesn't which causes a problem with some scanners which produce the
> >bugbear virus as BugBear and others that produce Bugbear.
>
>It is case sensitive. You really should customise this list to the exact
>output from your virus scanner.
>
>But on the assumption that most people don't, I'll change to
>case-insensitive so the default list does something sensible on more
>systems.
>--
>Julian Field                Teaching Systems Manager
>jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
>Tel. 023 8059 2817          University of Southampton
>                            Southampton SO17 1BJ

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From lbergman at wtxs.net Wed Nov 13 21:18:01 2002
From: lbergman at wtxs.net (Lewis Bergman)
Date: Thu Jan 12 21:16:26 2006
Subject: sender.virus.report.txt
Message-ID: <200211131518.01902.lbergman@wtxs.net>

I don't seem to be getting any sender virus reports sent out. I am using the
eicar.com zip file to test. I was trying to make sure that all email is
getting scanned on its way out ( for some reason the ip's were not doing
that). Using the domain wildcard seems to work as expected. Along the way I
noticed that when a rule like "From: *.wtxs.net yes" was employed I never
received the sender.virus.report.txt.

What I think is all the relevant info is below. Any ideas? Have I overlooked
something as usual?

My virus.check rules contains this kind of stuff:
---------------------------------------------------------
# Default rules here
FromOrTo: default no
#From: 192.168.1. yes
#From: 208.29.17. yes
#From: 65.170.187. yes
#From: 65.170.190. yes
From: *.wtxs.net yes
From: *.abi.tconline.net yes

# Address for someone to send to if they
# got a bounce
To: noreject@wtxs.net no

# Put whole domains up here
FromTo: hansoncattle.com yes

# Put employees here
FromTo: jevans@wtxs.net yes
FromTo: jthompson@wtxs.net yes
------------------------------------------------------

MailScanner.conf has this:
Notify Senders = yes
Sender Virus Report = /etc/MailScanner/reports/en/sender.virus.report.txt

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
915-695-6962 ext 115

From jrudd at UCSC.EDU Wed Nov 13 22:44:43 2002
From: jrudd at UCSC.EDU (John Rudd)
Date: Thu Jan 12 21:16:26 2006
Subject: incoming directory
Message-ID: <3DD2D5DB.FF65F8FF@ucsc.edu>

Has anyone explored the benefits or problems with putting the incoming
directory onto a ramdisk? I know mailscanner prefers to have it on the
same partition as the mail queue directories, but I'm wondering if it
might be faster (for the scanning part of the process).

Anyone have thoughts about that?

John

From mailscanner at BARENDSE.TO Thu Nov 14 09:10:42 2002
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:16:26 2006
Subject: FriendlyGreeting is Expanding
In-Reply-To: <5.1.0.14.2.20021113184837.0385cf30@imap.ecs.soton.ac.uk>
Message-ID:

Should or shouldn't that include LOCAL_RULESETS before the lines below
that you put in sendmail.mc (they can be put in sendmail.mc right, I
have never been able to figure out how the .cf files work)

Also where do I put it in sendmail.mc?

I just added at the bottom of the file, replaced the whitespaces with
tabs after the last few lines starting from $* up until the $#error bit.
Then my mail server simply stopped accepting any mail whatsoever....

May I suggest a 'complete morons guide to stopping FriendlyGreeting cards'
for people like me? :)

Remco

On Wed, 13 Nov 2002, Julian Field wrote:

> At 16:28 13/11/2002, you wrote:
> >I am ready to just block all e-mail.
>
> Do that and I'll have to go back to collecting things (glasses, clocks,
> bottles of brandy...)
> :-)
>
> >I attached the two possibilities now according to Mcafee. Does anybody
> >have a long term solution for these guys. I believe the rule that
> >Julian suggested adding to spam.assassin.prefs.conf only covers the
> >first one.
>
> I have only seen these two. The second one appeared last week. Updates for
> sendmail.cf or spam.assassin.prefs.conf are included here for everyone's
> benefit. If I hear any more news in this I'll let you all know.
>
> Stop them in sendmail:
>
> HSubject: $>Check_Subject
> D{FriendPat1}you have an E-Card from
> D{FriendPat2}you have a greeting card from
> D{FriendMsg}This message is probably a nasty E-Card.
> SCheck_Subject
> R$* ${FriendPat1} $* $#error $@ 5.7.1 $: ${FriendMsg}
> R$* ${FriendPat2} $* $#error $@ 5.7.1 $: ${FriendMsg}
>
> Or stop them in SpamAssassin:
>
> header FRIEND_GREETINGS Subject =~ /you have an E-Card from/i
> describe FRIEND_GREETINGS Nasty E-card from FriendGreetings.com
> score FRIEND_GREETINGS 100.0
> header FRIEND_GREETINGS2 Subject =~ /you have a greeting card from/i
> describe FRIEND_GREETINGS2 Nasty E-card from FriendGreetings.com
> score FRIEND_GREETINGS2 100.0
>
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ
>
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mailscanner at BARENDSE.TO Thu Nov 14 09:25:28 2002
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:16:26 2006
Subject: FriendlyGreeting is Expanding
In-Reply-To: <20021113121051.04bdec1d.krice@serversandsolutions.com>
Message-ID:

Hi Ken!

This is *very* interesting as it indeed opens up some possibilities to
block nasty stuff.

Just wondering though, you have included what is in your ssjunk.txt file
but what do you have in the junksubs.txt file?

Also are the dots between the words really necessary, and will sendmail
treat the subjects and texts in the e-mails case insensitive?

Would be really great if you could send your sendmail.mc and the
ssjunk.txt and junksubs.txt attached :)

Thanks for any info!

On Wed, 13 Nov 2002, Ken Rice wrote:

>
> I have the "luxury" of running servers for our corporation, including lists for our customers,
> so we have no "public" users. (We're a liberal corporation, but with no 'Net policies).
> Since email passing through our email server(s) are supposedly only business-related, I use 2 approaches.
>
> One is sendmail based, in my sendmail.mc I have:
>
> LOCAL_RULESETS
> F{JunkSubs} /etc/mail/junksubs.txt
> F{SSJunk} /etc/mail/ssjunk.txt
>
> HSubject: $>Check_Subject
>
> SCheck_Subject
> R$={JunkSubs}$* $: NMJUNKSUB
> R$* $={SSJunk} $* $#error $: NMJUNKSUB
> R$* NMJUNKSUB $* $#error $: "553 Rejected"
>
> my ssjunk.txt includes:
> e-card
> greeting.card
> greeting.cardyou.have.an.e-card
> you.have.a.greeting.card.from
> along with many other phrases/words from v*agra on, including some sick stuff.
>
> In my spam.assassin.prefs.conf (mailscanner-3.26-1):
> blacklist_from *@*.friendgreetings.com
> blacklist_from *@friendgreetings.com
> blacklist_from *@*.friend-greetings.com
> blacklist_from *@friend-greetings.com
> and many others. I believe the above format to be correct, but, anyone,
> pls critique, 'cause it appears to work for me.

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
From robert at VCT.SI Thu Nov 14 11:09:36 2002
From: robert at VCT.SI (Robert)
Date: Thu Jan 12 21:16:26 2006
Subject: IFrame tags
In-Reply-To: <1037109730.6484.33.camel@linroute>
References:
Message-ID: <3DD39280.32660.F84ECD5@localhost>

Hi

I understand this now, but I have one more question - how does IFrame
tag get in normal (virus-free) e-mails? I receive many mails, sent from
OE or Outlook, but very few of them have IFrame tags in them. What
should a user do, to get rid of them? Sending plain-text messages is one
of them, any other solution maybe?

Robert

> exactly this is the problem. The infected code will not be found, during
> the download with the MUA, only in a full system scan. I decided not to
> allow IFrame and my customers are happy with it, You just need a good
> explanation for the reason.
>
> Regards,
> Roland

--
Robert Manfreda
VCT d.o.o., Idrija

From mailscanner at ecs.soton.ac.uk Thu Nov 14 11:08:25 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:26 2006
Subject: incoming directory
In-Reply-To: <3DD2D5DB.FF65F8FF@ucsc.edu>
Message-ID: <5.1.0.14.2.20021114110620.039a7a88@imap.ecs.soton.ac.uk>

At 22:44 13/11/2002, you wrote:
>Has anyone explored the benefits or problems with putting the incoming
>directory onto a ramdisk? I know mailscanner prefers to have it on the
>same partition as the mail queue directories, but I'm wondering if it
>might be faster (for the scanning part of the process).

If you have got loads of RAM, then it should at least work. Though weigh it
up against potentially increasing speed by running more child processes
(which will require more RAM).
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Thu Nov 14 11:11:21 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:26 2006
Subject: FriendlyGreeting is Expanding
In-Reply-To:
References: <5.1.0.14.2.20021113184837.0385cf30@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021114110952.024b0fa0@imap.ecs.soton.ac.uk>

At 09:10 14/11/2002, you wrote:
>Should or shouldn't that include LOCAL_RULESETS before the lines below
>that you put in sendmail.mc (they can be put in sendmail.mc right, I
>have never been able to figure out how the .cf files work)

It should come after the LOCAL_RULESETS line in the sendmail.mc file.

>Also where do I put it in sendmail.mc?

Anywhere after LOCAL_RULESETS should work.

>I just added at the bottom of the file, replaced the whitespaces with
>tabs after the last few lines starting from $* up until the $#error bit.
>Then my mail server simply stopped accepting any mail whatsoever....
>
>May I suggest a 'complete morons guide to stopping FriendlyGreeting cards'
>for people like me? :)
>
>Remco
>
>On Wed, 13 Nov 2002, Julian Field wrote:
>
> > At 16:28 13/11/2002, you wrote:
> > >I am ready to just block all e-mail.
> >
> > Do that and I'll have to go back to collecting things (glasses, clocks,
> > bottles of brandy...)
> > :-)
> >
> > >I attached the two possibilities now according to Mcafee. Does anybody
> > >have a long term solution for these guys. I believe the rule that
> > >Julian suggested adding to spam.assassin.prefs.conf only covers the
> > >first one.
> >
> > I have only seen these two. The second one appeared last week. Updates for
> > sendmail.cf or spam.assassin.prefs.conf are included here for everyone's
> > benefit. If I hear any more news in this I'll let you all know.
> >
> > Stop them in sendmail:
> >
> > HSubject: $>Check_Subject
> > D{FriendPat1}you have an E-Card from
> > D{FriendPat2}you have a greeting card from
> > D{FriendMsg}This message is probably a nasty E-Card.
> > SCheck_Subject
> > R$* ${FriendPat1} $* $#error $@ 5.7.1 $: ${FriendMsg}
> > R$* ${FriendPat2} $* $#error $@ 5.7.1 $: ${FriendMsg}
> >
> > Or stop them in SpamAssassin:
> >
> > header FRIEND_GREETINGS Subject =~ /you have an E-Card from/i
> > describe FRIEND_GREETINGS Nasty E-card from FriendGreetings.com
> > score FRIEND_GREETINGS 100.0
> > header FRIEND_GREETINGS2 Subject =~ /you have a greeting card from/i
> > describe FRIEND_GREETINGS2 Nasty E-card from FriendGreetings.com
> > score FRIEND_GREETINGS2 100.0
> >
> > --
> > Julian Field                Teaching Systems Manager
> > jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> > Tel. 023 8059 2817          University of Southampton
> >                             Southampton SO17 1BJ
> >
> >
>
>--
>This message has been scanned for viruses and
>dangerous content by MailScanner, and is
>believed to be clean.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at BARENDSE.TO Thu Nov 14 11:21:07 2002
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:16:26 2006
Subject: FriendlyGreeting is Expanding
In-Reply-To: <5.1.0.14.2.20021114110952.024b0fa0@imap.ecs.soton.ac.uk>
Message-ID:

Great, thanks!

Last question, what is the format of the following line?
HSubject: $>Check_Subject
HSubject: $>Check_Subject

On Thu, 14 Nov 2002, Julian Field wrote:

> At 09:10 14/11/2002, you wrote:
> >Should or shouldn't that include LOCAL_RULESETS before the lines below
> >that you put in sendmail.mc (they can be put in sendmail.mc right, I
> >have never been able to figure out how the .cf files work)
>
> It should come after the LOCAL_RULESETS line in the sendmail.mc file.
>
> >Also where do I put it in sendmail.mc?
>
> Anywhere after LOCAL_RULESETS should work.
>
> >I just added at the bottom of the file, replaced the whitespaces with
> >tabs after the last few lines starting from $* up until the $#error bit.
> >Then my mail server simply stopped accepting any mail whatsoever....
> >
> >May I suggest a 'complete morons guide to stopping FriendlyGreeting cards'
> >for people like me? :)
> >
> >Remco
> >
> >On Wed, 13 Nov 2002, Julian Field wrote:
> >
> > > At 16:28 13/11/2002, you wrote:
> > > >I am ready to just block all e-mail.
> > >
> > > Do that and I'll have to go back to collecting things (glasses, clocks,
> > > bottles of brandy...)
> > > :-)
> > >
> > > >I attached the two possibilities now according to Mcafee. Does anybody
> > > >have a long term solution for these guys. I believe the rule that
> > > >Julian suggested adding to spam.assassin.prefs.conf only covers the
> > > >first one.
> > >
> > > I have only seen these two. The second one appeared last week. Updates for
> > > sendmail.cf or spam.assassin.prefs.conf are included here for everyone's
> > > benefit. If I hear any more news in this I'll let you all know.
> > >
> > > Stop them in sendmail:
> > >
> > > HSubject: $>Check_Subject
> > > D{FriendPat1}you have an E-Card from
> > > D{FriendPat2}you have a greeting card from
> > > D{FriendMsg}This message is probably a nasty E-Card.
> > > SCheck_Subject
> > > R$* ${FriendPat1} $* $#error $@ 5.7.1 $: ${FriendMsg}
> > > R$* ${FriendPat2} $* $#error $@ 5.7.1 $: ${FriendMsg}
> > >
> > > Or stop them in SpamAssassin:
> > >
> > > header FRIEND_GREETINGS Subject =~ /you have an E-Card from/i
> > > describe FRIEND_GREETINGS Nasty E-card from FriendGreetings.com
> > > score FRIEND_GREETINGS 100.0
> > > header FRIEND_GREETINGS2 Subject =~ /you have a greeting card from/i
> > > describe FRIEND_GREETINGS2 Nasty E-card from FriendGreetings.com
> > > score FRIEND_GREETINGS2 100.0
> > >
> > > --
> > > Julian Field                Teaching Systems Manager
> > > jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> > > Tel. 023 8059 2817          University of Southampton
> > >                             Southampton SO17 1BJ
> > >
> > >
> >
> >--
> >This message has been scanned for viruses and
> >dangerous content by MailScanner, and is
> >believed to be clean.
>
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ
>
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mailscanner at ecs.soton.ac.uk Thu Nov 14 11:28:10 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:26 2006
Subject: FriendlyGreeting is Expanding
In-Reply-To:
References: <5.1.0.14.2.20021114110952.024b0fa0@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021114112743.039e3ed8@imap.ecs.soton.ac.uk>

At 11:21 14/11/2002, you wrote:
>Last question, what is the format of the following line?
>HSubject: $>Check_Subject
>HSubject: $>Check_Subject

One space, not a tab.

>On Thu, 14 Nov 2002, Julian Field wrote:
>
> > At 09:10 14/11/2002, you wrote:
> > >Should or shouldn't that include LOCAL_RULESETS before the lines below
> > >that you put in sendmail.mc (they can be put in sendmail.mc right, I
> > >have never been able to figure out how the .cf files work)
> >
> > It should come after the LOCAL_RULESETS line in the sendmail.mc file.
> >
> > >Also where do I put it in sendmail.mc?
> >
> > Anywhere after LOCAL_RULESETS should work.
> >
> > >I just added at the bottom of the file, replaced the whitespaces with
> > >tabs after the last few lines starting from $* up until the $#error bit.
> > >Then my mail server simply stopped accepting any mail whatsoever....
> > >
> > >May I suggest a 'complete morons guide to stopping FriendlyGreeting cards'
> > >for people like me? :)
> > >
> > >Remco
> > >
> > >On Wed, 13 Nov 2002, Julian Field wrote:
> > >
> > > > At 16:28 13/11/2002, you wrote:
> > > > >I am ready to just block all e-mail.
> > > >
> > > > Do that and I'll have to go back to collecting things (glasses, clocks,
> > > > bottles of brandy...)
> > > > :-)
> > > >
> > > > >I attached the two possibilities now according to Mcafee. Does anybody
> > > > >have a long term solution for these guys. I believe the rule that
> > > > >Julian suggested adding to spam.assassin.prefs.conf only covers the
> > > > >first one.
> > > >
> > > > I have only seen these two. The second one appeared last week. Updates for
> > > > sendmail.cf or spam.assassin.prefs.conf are included here for everyone's
> > > > benefit. If I hear any more news in this I'll let you all know.
> > > >
> > > > Stop them in sendmail:
> > > >
> > > > HSubject: $>Check_Subject
> > > > D{FriendPat1}you have an E-Card from
> > > > D{FriendPat2}you have a greeting card from
> > > > D{FriendMsg}This message is probably a nasty E-Card.
> > > > SCheck_Subject
> > > > R$* ${FriendPat1} $* $#error $@ 5.7.1 $: ${FriendMsg}
> > > > R$* ${FriendPat2} $* $#error $@ 5.7.1 $: ${FriendMsg}
> > > >
> > > > Or stop them in SpamAssassin:
> > > >
> > > > header FRIEND_GREETINGS Subject =~ /you have an E-Card from/i
> > > > describe FRIEND_GREETINGS Nasty E-card from FriendGreetings.com
> > > > score FRIEND_GREETINGS 100.0
> > > > header FRIEND_GREETINGS2 Subject =~ /you have a greeting card from/i
> > > > describe FRIEND_GREETINGS2 Nasty E-card from FriendGreetings.com
> > > > score FRIEND_GREETINGS2 100.0
> > > >
> > > > --
> > > > Julian Field                Teaching Systems Manager
> > > > jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> > > > Tel. 023 8059 2817          University of Southampton
> > > >                             Southampton SO17 1BJ
> > > >
> > > >
> > >
> > >--
> > >This message has been scanned for viruses and
> > >dangerous content by MailScanner, and is
> > >believed to be clean.
> >
> > --
> > Julian Field                Teaching Systems Manager
> > jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> > Tel. 023 8059 2817          University of Southampton
> >                             Southampton SO17 1BJ
> >
> >
>
>--
>This message has been scanned for viruses and
>dangerous content by MailScanner, and is
>believed to be clean.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscannerlist at TNJINFL.COM Thu Nov 14 14:44:55 2002
From: mailscannerlist at TNJINFL.COM (James Pifer)
Date: Thu Jan 12 21:16:26 2006
Subject: Forward to specified mailbox
In-Reply-To: <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk>
References: <1037212550.13361.41.camel@tweety.tnjinfl.com> <1037212550.13361.41.camel@tweety.tnjinfl.com> <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk>
Message-ID: <1037285096.12383.148.camel@tweety.tnjinfl.com>

Is it possible to forward a message marked as Spam to a specific
mailbox? In the conf I see that you can forward a copy, but what if a
company doesn't want the user to get a copy unless it is verified as real
mail? (I know, legal implications, but the company can make that
determination)

Can MailScanner do that or would I need to use Procmail for that? If so,
how do I make Procmail get called after all the MailScanner stuff?

Thanks for any help!

Regards,
James

From lbergman at wtxs.net Thu Nov 14 14:47:57 2002
From: lbergman at wtxs.net (Lewis Bergman)
Date: Thu Jan 12 21:16:26 2006
Subject: Forward to specified mailbox
In-Reply-To: <1037285096.12383.148.camel@tweety.tnjinfl.com>
References: <1037212550.13361.41.camel@tweety.tnjinfl.com> <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk> <1037285096.12383.148.camel@tweety.tnjinfl.com>
Message-ID: <200211140847.57685.lbergman@wtxs.net>

On Thursday 14 November 2002 08:44 am, James Pifer wrote:
> Is it possible to forward a message marked as Spam to a specific
> mailbox? In the conf I see that you can forward a copy, but what if a
> company doesn't want the user to get a copy unless it is verified as real
> mail? (I know, legal implications, but the company can make that
> determination)
>
> Can MailScanner do that or would I need to use Procmail for that? If so,
> how do I make Procmail get called after all the MailScanner stuff?
>

It is already called. Just use the /etc/procmailrc file and specify the
header you used along with the value for spam characters you set up. I am no
procmail wizard but I am sure someone here already does that since the
feature was added for that purpose.

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
915-695-6962 ext 115

From mailscanner at ecs.soton.ac.uk Thu Nov 14 14:57:43 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:26 2006
Subject: Forward to specified mailbox
In-Reply-To: <1037285096.12383.148.camel@tweety.tnjinfl.com>
References: <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk> <1037212550.13361.41.camel@tweety.tnjinfl.com> <1037212550.13361.41.camel@tweety.tnjinfl.com> <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021114145654.04543220@imap.ecs.soton.ac.uk>

At 14:44 14/11/2002, you wrote:
>Is it possible to forward a message marked as Spam to a specific
>mailbox? In the conf I see that you can forward a copy, but what if a
>company doesn't want the user to get a copy unless it is verified as real
>mail? (I know, legal implications, but the company can make that
>determination)

If you specify the spam actions as just "forward other@mailbox.com" then it
won't deliver it to the original recipient. It only delivers it to the
original recipient if you specify "deliver" as well.

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From novirus at CARLO65.DE Thu Nov 14 15:17:25 2002
From: novirus at CARLO65.DE (Roland Ehle)
Date: Thu Jan 12 21:16:26 2006
Subject: German version of David While's mailstat script
Message-ID: <1037287045.6516.108.camel@linroute>

Hi,

I finally managed to get a German version of David's mailstat.pl script, to
have the output in my favourite language :-)

Anybody who is interested can download it at
http://www.inbox4u.de/mailstats_ge.pl

Comments can be addressed to my standard address roland@inbox4u.de

Important: to have a complete German output, you have to edit the mrtg.cfg
file. Add the line Language: german. This works fine with mrtg version
2.9.25

Regards,
Roland

From tim at PHALANSTERY.CO.UK Thu Nov 14 15:31:21 2002
From: tim at PHALANSTERY.CO.UK (Tim Sellar)
Date: Thu Jan 12 21:16:26 2006
Subject: Bogofilter
Message-ID: <200211141531.gAEFVLX32654@ori.rl.ac.uk>

There is a relevant article showing Bogofilter vs. SpamAssassin here:
http://lwn.net/Articles/9460/.

Given bogofilter's huge performance advantage I am considering implementing
it as a primary spam filter. Mail which gets past it would then be passed to
Spam Assassin acting as a secondary filter. I would hope this gives the best
of both worlds. As a system wide filter I cannot guarantee the effectiveness
of any initial training I apply to bogofilter to reflect an individual's
particular email but can hopefully rely on Spam Assassin to catch most of
what bogofilter misses. Over time, spam trapped by SA will be fed back
(automatically?) to improve bogofilter's effectiveness and reduce reliance
on SA - hopefully giving better system performance...

Anyone see any flaws with this two-pronged approach?

What this does mean is I need to look at getting Mailscanner working with
both Exim and bogofilter...

Tim

From sysadmin at DMS.UMONTREAL.CA Thu Nov 14 15:45:31 2002
From: sysadmin at DMS.UMONTREAL.CA (Administrateur Systeme)
Date: Thu Jan 12 21:16:26 2006
Subject: Bogofilter
References: <200211141531.gAEFVLX32654@ori.rl.ac.uk>
Message-ID: <3DD3C51B.8010209@DMS.UMontreal.CA>

Tim Sellar wrote:

>There is a relevant article showing Bogofilter vs. SpamAssassin here:
>http://lwn.net/Articles/9460/.
>
>Given bogofilter's huge performance advantage I am considering implementing
>it as a primary spam filter. Mail which gets past it would then be passed to
>Spam Assassin acting as a secondary filter. I would hope this gives the best
>of both worlds. As a system wide filter I cannot guarantee the effectiveness
>of any initial training I apply to bogofilter to reflect an individual's
>particular email but can hopefully rely on Spam Assassin to catch most of
>what bogofilter misses. Over time, spam trapped by SA will be fed back
>(automatically?) to improve bogofilter's effectiveness and reduce reliance
>on SA - hopefully giving better system performance...
>
>Anyone see any flaws with this two-pronged approach?
>
>What this does mean is I need to look at getting Mailscanner working with
>both Exim and bogofilter...
>
>Tim
>
>

Doesn't the SA 2.50 incorporate a Bayesian filter along the lines of
P. Graham's paper?

Chris

--
--------------------------------------------------------------------
Christopher Albert
Responsable des services informatiques
Departement de mathematiques et de statistique
Universite de Montreal
bureau 6188, Pavillon Andre-Aisenstadt
Tel: (514) 343-2281 Fax: (514) 343-5700
--------------------------------------------------------------------

From brose at MED.WAYNE.EDU Thu Nov 14 16:04:58 2002
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:16:26 2006
Subject: W32/Braid-A or W32/Brid-A
Message-ID:

Does anyone know if this guy is like Klez and forges? I read the
description Symantec but it doesn't say. I've been getting those stupid
replies from users proclaiming that "I didn't send this" or "I don't
know this person"

Just wondering if it's one to add to the virus drop list.

From mailscanner at BARENDSE.TO Thu Nov 14 16:20:07 2002
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:16:26 2006
Subject: MailScanner restart fails?
In-Reply-To: <200211141531.gAEFVLX32654@ori.rl.ac.uk>
Message-ID:

Hi!

I just upgraded my RedHat 7.3 box from Mailscanner 3 to Mailscanner 4.

When installing I got an error message:
package perl-MIME-Base64-2.12-14 (which is newer than perl-MIME-Base64-2.12-1)
Which version is better?

And when I try to restart MailScanner it gives this output:

[root@linuxgw rules]# /etc/rc.d/init.d/MailScanner restart
Shutting down MailScanner daemons:
 MailScanner: We haven't got any child processes, which
isn't right!, No child processes at /usr/sbin/MailScanner line 191.
We have just tried to reap a process which wasn't one of ours!, No child
processes at /usr/sbin/MailScanner line 194.
 [ OK ]
 incoming sendmail: [ OK ]
 outgoing sendmail: [ OK ]

A simple MailScanner stop and then start does work correctly without any
errors?!?

Cheers!

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mailscanner at ecs.soton.ac.uk Thu Nov 14 16:18:43 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:26 2006
Subject: W32/Braid-A or W32/Brid-A
In-Reply-To:
Message-ID: <5.1.0.14.2.20021114161811.0794b860@imap.ecs.soton.ac.uk>

At 16:04 14/11/2002, you wrote:
>Does anyone know if this guy is like Klez and forges?

Yes it does.

> I read the
>description Symantec but it doesn't say. I've been getting those stupid
>replies from users proclaiming that "I didn't send this" or "I don't
>know this person"
>
>Just wondering if it's one to add to the virus drop list.

You should, yes. It is included in the defaults of the next release.

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Thu Nov 14 16:34:08 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:26 2006
Subject: MailScanner restart fails?
In-Reply-To:
References: <200211141531.gAEFVLX32654@ori.rl.ac.uk>
Message-ID: <5.1.0.14.2.20021114163212.079d05d8@imap.ecs.soton.ac.uk>

At 16:20 14/11/2002, you wrote:
>Hi!
>
>I just upgraded my RedHat 7.3 box from Mailscanner 3 to Mailscanner 4.
>
>When installing I got an error message:
>package perl-MIME-Base64-2.12-14 (which is newer than perl-MIME-Base64-2.12-1)
>Which version is better?

It's probably just differences in build numbers between me and RedHat. The
version already installed should work just fine.

>And when I try to restart MailScanner it gives this output:
>
>[root@linuxgw rules]# /etc/rc.d/init.d/MailScanner restart
>Shutting down MailScanner daemons:
> MailScanner: We haven't got any child processes, which
>isn't right!, No child processes at /usr/sbin/MailScanner line 191.
>We have just tried to reap a process which wasn't one of ours!, No child
>processes at /usr/sbin/MailScanner line 194.

This is down to the exact order in which the processes are shut down. I
have removed this error message from the next release as it causes confusion.

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From Denis.Beauchemin at USHERBROOKE.CA Thu Nov 14 16:53:49 2002
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:16:26 2006
Subject: MailScanner restart fails?
In-Reply-To: <5.1.0.14.2.20021114163212.079d05d8@imap.ecs.soton.ac.uk>
References: <200211141531.gAEFVLX32654@ori.rl.ac.uk> <5.1.0.14.2.20021114163212.079d05d8@imap.ecs.soton.ac.uk>
Message-ID: <1037292829.4324.101.camel@dbeauchemin.si.usherbrooke.ca>

On Thu 14/11/2002 at 11:34, Julian Field wrote:
> >And when I try to restart MailScanner it gives this output:
> >
> >[root@linuxgw rules]# /etc/rc.d/init.d/MailScanner restart
> >Shutting down MailScanner daemons:
> > MailScanner: We haven't got any child processes, which
> >isn't right!, No child processes at /usr/sbin/MailScanner line 191.
> >We have just tried to reap a process which wasn't one of ours!, No child
> >processes at /usr/sbin/MailScanner line 194.
>
> This is down to the exact order in which the processes are shut down. I
> have removed this error message from the next release as it causes confusion.

Julian,

I don't believe that not printing the error message will make things OK
since a restart does a stop followed by a start and the start can't
succeed unless the stop has stopped all processes (which it doesn't).

Denis

PS: The versions I run (mailscanner-4.04-1 and mailscanner-4.05-3) still
exhibit this problem.

--
Denis Beauchemin
Université de Sherbrooke

From mailscanner at ecs.soton.ac.uk Thu Nov 14 17:07:02 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:26 2006
Subject: MailScanner restart fails?
In-Reply-To: <1037292829.4324.101.camel@dbeauchemin.si.usherbrooke.ca>
References: <5.1.0.14.2.20021114163212.079d05d8@imap.ecs.soton.ac.uk> <200211141531.gAEFVLX32654@ori.rl.ac.uk> <5.1.0.14.2.20021114163212.079d05d8@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021114170515.04aa7478@imap.ecs.soton.ac.uk>

At 16:53 14/11/2002, you wrote:
>On Thu 14/11/2002 at 11:34, Julian Field wrote:
>
> > >And when I try to restart MailScanner it gives this output:
> > >
> > >[root@linuxgw rules]# /etc/rc.d/init.d/MailScanner restart
> > >Shutting down MailScanner daemons:
> > > MailScanner: We haven't got any child processes, which
> > >isn't right!, No child processes at /usr/sbin/MailScanner line 191.
> > >We have just tried to reap a process which wasn't one of ours!, No child
> > >processes at /usr/sbin/MailScanner line 194.
> >
> > This is down to the exact order in which the processes are shut down. I
> > have removed this error message from the next release as it causes confusion.
>
>Julian,
>
>I don't believe that not printing the error message will make things OK
>since a restart does a stop followed by a start and the start can't
>succeed unless the stop has stopped all processes (which it doesn't).

The error messages you included didn't imply that the stop didn't stop
everything.
I know there are problems with the init.d script, it's far from perfect. I
need to build a whole range of machines with different versions of
different distributions installed, to sort this out. That takes time...
(and requires me to be in my office).

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From brose at MED.WAYNE.EDU Thu Nov 14 18:42:57 2002
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:16:26 2006
Subject: W32/Braid-A or W32/Brid-A
Message-ID:

I'm seeing something odd....

Some virus message reports don't have the virus part mentioned but
sometimes it does? Any ideas why this would happen? A timeout that
needs adjusted or something? If it's not tagging it with the virus then
it will still send the report back to the wrong user.

 Sender:
IP Address: 141.217.202.31
 Recipient: vheil@med.wayne.edu
 Subject: Undelivered Mail Returned to Sender
 MessageID: gAEGvLUZ010962
 Report: Found dangerous IFrame tag in HTML message
 Report: Executables are very dangerous in email and must be zipped.
(README.EXE)

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Thursday, November 14, 2002 11:19 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: W32/Braid-A or W32/Brid-A

At 16:04 14/11/2002, you wrote:
>Does anyone know if this guy is like Klez and forges?

Yes it does.

> I read the
>description Symantec but it doesn't say. I've been getting those
>stupid replies from users proclaiming that "I didn't send this" or "I
>don't know this person"
>
>Just wondering if it's one to add to the virus drop list.

You should, yes. It is included in the defaults of the next release.

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Thu Nov 14 18:49:36 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:26 2006
Subject: W32/Braid-A or W32/Brid-A
In-Reply-To:
Message-ID: <5.1.0.14.2.20021114184831.03183e08@imap.ecs.soton.ac.uk>

Can you send me a couple of example messages please?
Password-protected zip is the best way.

At 18:42 14/11/2002, you wrote:
>I'm seeing something odd....
>
>Some virus message reports don't have the virus part mentioned but
>sometimes it does? Any ideas why this would happen? A timeout that
>needs adjusted or something? If it's not tagging it with the virus then
>it will still send the report back to the wrong user.
>
> Sender:
>IP Address: 141.217.202.31
> Recipient: vheil@med.wayne.edu
> Subject: Undelivered Mail Returned to Sender
> MessageID: gAEGvLUZ010962
> Report: Found dangerous IFrame tag in HTML message
> Report: Executables are very dangerous in email and must be zipped.
>(README.EXE)
>
>
>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>Sent: Thursday, November 14, 2002 11:19 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: W32/Braid-A or W32/Brid-A
>
>
>At 16:04 14/11/2002, you wrote:
> >Does anyone know if this guy is like Klez and forges?
>
>Yes it does.
>
> > I read the
> >description Symantec but it doesn't say. I've been getting those
> >stupid replies from users proclaiming that "I didn't send this" or "I
> >don't know this person"
> >
> >Just wondering if it's one to add to the virus drop list.
>
>You should, yes. It is included in the defaults of the next release.
>--
>Julian Field Teaching Systems Manager
>jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
>Tel. 023 8059 2817 University of Southampton
> Southampton SO17 1BJ

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From lyons at digitalvoodoo.org Thu Nov 14 18:50:02 2002
From: lyons at digitalvoodoo.org (Timothy M. Lyons)
Date: Thu Jan 12 21:16:26 2006
Subject: Mailscanner 4.05-3 build fails
Message-ID: <008e01c28c0e$a406b910$6401a8c0@seeker>

Hello.

I'm trying to install Mailscanner on a Sun Ultra5 running Auroralinux
0.42 (based on RedHat 7.3)

The build goes well until the very end when I get the following:

Preparing... ########################################### [100%]
 1:perl-Convert-TNEF ########################################### [100%]

Installing tnef decoder

Preparing... ########################################### [100%]
package tnef-1.1.2-sizelimit1 is for a different architecture

Now to install MailScanner itself.

error: failed dependencies:
 tnef >= 1.1.1 is needed by mailscanner-4.05-3
Please do not forget to kill your MailScanner version 3 processes before
starting version 4.
#

Is there a version of tnef-1.1.2-sizelimit1 for linux on sparc64?

From jrudd at UCSC.EDU Thu Nov 14 18:59:52 2002
From: jrudd at UCSC.EDU (John Rudd)
Date: Thu Jan 12 21:16:26 2006
Subject: incoming directory
Message-ID: <3DD3F2A8.D6F22EBA@ucsc.edu>

> From: Julian Field
>
> At 22:44 13/11/2002, you wrote:
> >Has anyone explored the benefits or problems with putting the incoming
> >directory onto a ramdisk? I know mailscanner prefers to have it on the
> >same partition as the mail queue directories, but I'm wondering if it
> >might be faster (for the scanning part of the process).
>
> If you have got loads of RAM, then it should at least work. Though weigh it
> up against potentially increasing speed by running more child processes
> (which will require more RAM).

Well, the machines in question will shortly have a gig of memory, and I
was thinking about giving them 200mb of ram disk (they're currently
running on 128mb memory). The incoming directory never seems to be
terribly large.

As for child processes ... I'm still running 3.x. And, no, upgrading to
4.x isn't something I can do in the near future (production machines;
change = bad ... 4.x is scheduled to be in the machines that will
replace these, about 2 or so months from now).

John

From Denis.Beauchemin at USHERBROOKE.CA Thu Nov 14 19:03:26 2002
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:16:26 2006
Subject: MailScanner restart fails?
In-Reply-To: <5.1.0.14.2.20021114170515.04aa7478@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20021114163212.079d05d8@imap.ecs.soton.ac.uk> <200211141531.gAEFVLX32654@ori.rl.ac.uk> <5.1.0.14.2.20021114163212.079d05d8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021114170515.04aa7478@imap.ecs.soton.ac.uk>
Message-ID: <1037300606.4324.131.camel@dbeauchemin.si.usherbrooke.ca>

Julian,

I know you do a tremendous job with MS and I am thankful for it. This
is a minor problem and you can take all the time you need to fix it.

If the init.d script fails to kill all processes with the killproc
function, why don't you try something different such as:

kill $(for i in $(awk '/^ *PID dir =/{print $NF}' /etc/MailScanner/MailScanner.conf)/*; do echo ${i##*.}; done)
if [[ $? == 0 ]]; then
    echo_success
else
    echo_failure
fi

You already have the process IDs, why not use them?

I've replaced the killproc by my suggestion and it works fine here.

Denis

On Thu 14/11/2002 at 12:07, Julian Field wrote:
> At 16:53 14/11/2002, you wrote:
> >On Thu 14/11/2002 at 11:34, Julian Field wrote:
> >
> > > >And when I try to restart MailScanner it gives this output:
> > > >
> > > >[root@linuxgw rules]# /etc/rc.d/init.d/MailScanner restart
> > > >Shutting down MailScanner daemons:
> > > > MailScanner: We haven't got any child processes, which
> > > >isn't right!, No child processes at /usr/sbin/MailScanner line 191.
> > > >We have just tried to reap a process which wasn't one of ours!, No child
> > > >processes at /usr/sbin/MailScanner line 194.
> > >
> > > This is down to the exact order in which the processes are shut down. I
> > > have removed this error message from the next release as it causes
> > confusion.
> >
> >Julian,
> >
> >I don't believe that not printing the error message will make things OK
> >since a restart does a stop followed by a start and the start can't
> >succeed unless the stop has stopped all processes (which it doesn't).
>
> The error messages you included didn't imply that the stop didn't stop
> everything.
> I know there are problems with the init.d script, it's far from perfect. I
> need to build a whole range of machines with different versions of
> different distributions installed, to sort this out. That takes time...
> (and requires me to be in my office).

--
Denis Beauchemin
Université de Sherbrooke

From mailscanner at ecs.soton.ac.uk Thu Nov 14 19:22:59 2002
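The PID-file stop proposed in the message above, with the checks a later reply in this thread asks for (no stray PID files, only trustworthy PIDs), as an added example that is not part of the thread or of MailScanner's init script. The `<name>.<pid>` file layout and the `PID dir` awk match come from the posted one-liner; the function names and the expected process name passed by the caller are assumptions.

```shell
#!/bin/sh
# Added example: validate PID files before signalling anything.
# Layout assumption (from the one-liner in the thread): the PID directory
# holds files named <something>.<pid>, so the PID is the file-name suffix.

# Read the "PID dir" setting with the same awk match used in the thread.
pid_dir_from_conf() {
    awk '/^ *PID dir =/{print $NF}' "$1"
}

# Print the command name of a running process (empty if it cannot be read).
# Note: the kernel truncates this name to 15 characters.
proc_name() {
    if [ -r "/proc/$1/comm" ]; then
        cat "/proc/$1/comm" 2>/dev/null
    else
        ps -p "$1" -o comm= 2>/dev/null
    fi
}

# trusted_pids DIR NAME
# Print, one per line, only the PIDs that pass every check below.
# NAME is the command name the caller expects (an assumption of this example).
trusted_pids() {
    dir=$1 want=$2
    for f in "$dir"/*.*; do
        # Regular file only: skip symlinks, directories and an unmatched glob.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        pid=${f##*.}
        # The suffix must be a plain decimal number greater than 1.
        case $pid in ''|*[!0-9]*) continue ;; esac
        [ "$pid" -gt 1 ] 2>/dev/null || continue
        # The process must still exist and be one we may signal.
        kill -0 "$pid" 2>/dev/null || continue
        # The process must be the expected program, not a recycled PID.
        name=$(proc_name "$pid")
        [ -n "$name" ] && [ "$name" = "$want" ] || continue
        echo "$pid"
    done
}

# stop_from_pid_dir DIR NAME
# Send TERM to the trusted PIDs; return non-zero if none were found.
stop_from_pid_dir() {
    pids=$(trusted_pids "$1" "$2")
    [ -n "$pids" ] || return 1
    # Word splitting is intended: $pids holds validated integers only.
    kill $pids
}

# Hypothetical invocation: sh stop.sh --stop /etc/MailScanner/MailScanner.conf MailScanner
if [ "${1:-}" = "--stop" ]; then
    stop_from_pid_dir "$(pid_dir_from_conf "$2")" "$3"
fi
```

Stale files, non-numeric suffixes and PIDs that now belong to another program are skipped, so a leftover file cannot cause an unrelated process to be signalled.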
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:26 2006
Subject: Mailscanner 4.05-3 build fails
In-Reply-To: <008e01c28c0e$a406b910$6401a8c0@seeker>
Message-ID: <5.1.0.14.2.20021114192222.03014520@imap.ecs.soton.ac.uk>

You need the srpm. I have mailed this to you separately.

At 18:50 14/11/2002, you wrote:
>Hello.
>
>I'm trying to install Mailscanner on a Sun Ultra5 running Auroralinux
>0.42 (based on RedHat 7.3)
>
>The build goes well until the very end when I get the following:
>
>Preparing... ###########################################
>[100%]
> 1:perl-Convert-TNEF ###########################################
>[100%]
>
>Installing tnef decoder
>
>Preparing... ###########################################
>[100%]
>package tnef-1.1.2-sizelimit1 is for a different architecture
>
>Now to install MailScanner itself.
>
>error: failed dependencies:
> tnef >= 1.1.1 is needed by mailscanner-4.05-3
>Please do not forget to kill your MailScanner version 3 processes before
>starting version 4.
>#
>
>Is there a version of tnef-1.1.2-sizelimit1 for linux on sparc64?

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Thu Nov 14 19:27:42 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:26 2006
Subject: MailScanner restart fails?
In-Reply-To: <1037300606.4324.131.camel@dbeauchemin.si.usherbrooke.ca>
References: <5.1.0.14.2.20021114170515.04aa7478@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021114163212.079d05d8@imap.ecs.soton.ac.uk> <200211141531.gAEFVLX32654@ori.rl.ac.uk> <5.1.0.14.2.20021114163212.079d05d8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021114170515.04aa7478@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021114192430.01edb008@imap.ecs.soton.ac.uk>

At 19:03 14/11/2002, you wrote:
>Julian,
>
>I know you do a tremendous job with MS and I am thankful for it. This
>is a minor problem and you can take all the time you need to fix it.

:-)

>If the init.d script fails to kill all processes with the killproc
>function, why don't you try something different such as:
>kill $(for i in $(awk '/^ *PID dir =/{print $NF}'
>/etc/MailScanner/MailScanner.conf)/*; do echo ${i##*.}; done)
>if [[ $? == 0 ]]; then
> echo_success
>else
> echo_failure
>fi

Just need to ensure that there aren't pid files there that shouldn't be.
But otherwise looks good. The init.d script is on my list of things to work on.

>You already have the process IDs, why not use them?

So long as they are trustworthy...

>I've replaced the killproc by my suggestion and it works fine here.
>
>Denis
>On Thu 14/11/2002 at 12:07, Julian Field wrote:
> > At 16:53 14/11/2002, you wrote:
> > >On Thu 14/11/2002 at 11:34, Julian Field wrote:
> > >
> > > > >And when I try to restart MailScanner it gives this output:
> > > > >
> > > > >[root@linuxgw rules]# /etc/rc.d/init.d/MailScanner restart
> > > > >Shutting down MailScanner daemons:
> > > > > MailScanner: We haven't got any child processes, which
> > > > >isn't right!, No child processes at /usr/sbin/MailScanner line 191.
> > > > >We have just tried to reap a process which wasn't one of ours!, No child
> > > > >processes at /usr/sbin/MailScanner line 194.
> > > >
> > > > This is down to the exact order in which the processes are shut down. I
> > > > have removed this error message from the next release as it causes
> > > confusion.
> > >
> > >Julian,
> > >
> > >I don't believe that not printing the error message will make things OK
> > >since a restart does a stop followed by a start and the start can't
> > >succeed unless the stop has stopped all processes (which it doesn't).
> >
> > The error messages you included didn't imply that the stop didn't stop
> > everything.
> > I know there are problems with the init.d script, it's far from perfect. I
> > need to build a whole range of machines with different versions of
> > different distributions installed, to sort this out. That takes time...
> > (and requires me to be in my office).
>--
>Denis Beauchemin
>Université de Sherbrooke

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From lyons at digitalvoodoo.org Thu Nov 14 19:31:14 2002
From: lyons at digitalvoodoo.org (Timothy M. Lyons)
Date: Thu Jan 12 21:16:26 2006
Subject: Mailscanner 4.05-3 build fails
In-Reply-To: <5.1.0.14.2.20021114192222.03014520@imap.ecs.soton.ac.uk>
Message-ID: <000301c28c14$650e3660$6401a8c0@seeker>

I'll keep my eye out for it.

Thanks Julian!

--Tim

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field
Sent: Thursday, November 14, 2002 14:23
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Mailscanner 4.05-3 build fails

You need the srpm. I have mailed this to you separately.

At 18:50 14/11/2002, you wrote:
>Hello.
>
>I'm trying to install Mailscanner on a Sun Ultra5 running Auroralinux
>0.42 (based on RedHat 7.3)
>
>The build goes well until the very end when I get the following:
>
>Preparing... ###########################################
>[100%]
> 1:perl-Convert-TNEF ###########################################
>[100%]
>
>Installing tnef decoder
>
>Preparing... ###########################################
>[100%]
>package tnef-1.1.2-sizelimit1 is for a different architecture
>
>Now to install MailScanner itself.
>
>error: failed dependencies:
> tnef >= 1.1.1 is needed by mailscanner-4.05-3
>Please do not forget to kill your MailScanner version 3 processes
>before starting version 4. #
>
>Is there a version of tnef-1.1.2-sizelimit1 for linux on sparc64?

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From mailscannerlist at TNJINFL.COM Thu Nov 14 20:28:45 2002
From: mailscannerlist at TNJINFL.COM (James Pifer)
Date: Thu Jan 12 21:16:26 2006
Subject: Almost there....
In-Reply-To: <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk>
References: <1037212550.13361.41.camel@tweety.tnjinfl.com> <1037212550.13361.41.camel@tweety.tnjinfl.com> <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk>
Message-ID: <1037305726.12383.158.camel@tweety.tnjinfl.com>

What's the proper way to restart everything after making a config change
to any of the conf files with MailScanner? For example,
MailScanner.conf, spam.mailassassin.prefs.conf, etc.

I've tried the following:

service sendmail off
chkconfig sendmail off
chkconfig MailScanner on
service MailScanner start

These seem to run ok, but the changes don't seem to take effect. Seems
like I have to reboot once or twice before it starts working. Is it
timing or am I missing something?

Also, I have the Delivery Method set to queue instead of batch, since
this will be running in high volume eventually. The MTA is Sendmail and
the messages seem to sit in the outgoing queue for a while. I haven't
figured out how long they sit there yet, but how does the MTA choose how
long to wait before sending them? If I flush them (using Webmin) they
are sent right away. I assume this is a Sendmail issue, but since I'm
not sure I thought I'd ask here.

Thanks,
James

From mike at CAMAROSS.NET Thu Nov 14 20:29:51 2002
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:16:26 2006
Subject: Almost there....
In-Reply-To: <1037305726.12383.158.camel@tweety.tnjinfl.com>
Message-ID: <00f701c28c1c$95e23cc0$6501a8c0@mikedesk>

/etc/rc.d/init.d/MailScanner reload

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of James Pifer
Sent: Thursday, November 14, 2002 2:29 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Almost there....

What's the proper way to restart everything after making a config change
to any of the conf files with MailScanner? For example,
MailScanner.conf, spam.mailassassin.prefs.conf, etc.

I've tried the following:

service sendmail off
chkconfig sendmail off
chkconfig MailScanner on
service MailScanner start

These seem to run ok, but the changes don't seem to take effect. Seems
like I have to reboot once or twice before it starts working. Is it
timing or am I missing something?

Also, I have the Delivery Method set to queue instead of batch, since
this will be running in high volume eventually. The MTA is Sendmail and
the messages seem to sit in the outgoing queue for a while. I haven't
figured out how long they sit there yet, but how does the MTA choose how
long to wait before sending them? If I flush them (using Webmin) they
are sent right away. I assume this is a Sendmail issue, but since I'm
not sure I thought I'd ask here.

Thanks,
James

From brent at TECHFORPEOPLE.NET Fri Nov 15 08:32:20 2002
From: brent at TECHFORPEOPLE.NET (Brent Emerson) Date: Thu Jan 12 21:16:26 2006 Subject: spam action to deliver messages pre-scanned Message-ID: (Sorry if this has already been suggested/discussed - couldn't find it in the archives.) I'm wondering how difficult it would be to add yet another Spam Action to MS allowing admins to forward (to an arbitrary address) copies of the messages identified as spam, but in their prescanned state (exactly as the message was received by MS) rather than with the MS/SA/etc markup. This would be especially nice when using SpamAssassin, which can remove its markup but doesn't promise to return a message that's identical to the original. This would be useful to stockpile messages that could be checked over by a human and, once verified as spam, submitted in their untouched state to systems like razor, which seem to be distrustful of submissions from automata. Otherwise we could all go to the trouble of creating troll accounts and seeding them all over the place and hoping spammers will find them, but that seems like a lot of work for a slow gradual payoff--and we already have so many active accounts (our real users) getting so much spam. I'd just love to get my hands on a mailbox full of untouched versions of the many messages MS/SA is identifying so accurately! brent emerson ----techforpeople: hosting for nonprofits and the arts--------------- nposhield: protection from email viruses/spam/abuse | web hosting -------------member of the tech underground (techunderground.org)---- From mkettler at EVI-INC.COM Thu Nov 14 22:04:26 2002 
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:16:26 2006 Subject: Almost there.... In-Reply-To: <1037305726.12383.158.camel@tweety.tnjinfl.com> References: <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk> <1037212550.13361.41.camel@tweety.tnjinfl.com> <1037212550.13361.41.camel@tweety.tnjinfl.com> <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk> Message-ID: <5.1.1.6.0.20021114170206.025cc978@192.168.50.2> I can answer the time-interval part of your question... If you're going to do queue only processing change the delay time for the queue only copy of sendmail started by MailScanner. To do this edit /etc/sysconfig/mailscanner # # Put in here the time between runs for the outgoing sendmail mqueue # if you don't want the default of 15 minutes (15m). # QUEUETIME=5m Note that emails will only be processed at the interval specified, or when you manually run sendmail -q At 03:28 PM 11/14/2002 -0500, you wrote: >Also, I have the Delivery Method set to queue instead of batch, since >this will be running in high volume eventually. The MTA is Sendmail and >the messages seem to sit in the outgoing queue for a while. I haven't >figured out how long they sit there yet, but how does the MTA choose how >long to wait before sending them? If I flush them (using Webmin) they >are sent right away. I assume this is a Sendmail issue, but since I'm >not sure I thought I'd ask here. > >Thanks, >James From mailscanner at BARENDSE.TO Fri Nov 15 08:59:11 2002 
From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:16:26 2006 Subject: html2text output not really clean? In-Reply-To: <1037287045.6516.108.camel@linroute> Message-ID: Hi! I am using Mailscanner 4.05-3 and have a mobile user collecting mail on his laptop. I want to use the html2text feature to prevent expensive phonecalls to collect e-mail in HTML format that keep the connection open for hours. MS is running on a RedHat 7.3 box. I have this line in my /etc/MailScanner/MailScanner.conf : Convert HTML To Text = /etc/MailScanner/rules/html2text.rules The html2text.rules contains: To r.barendse@somedomain.com yes To remco@somedomain.com yes Fromorto default no The output in maillog seems correct: Nov 15 09:44:19 linuxgw MailScanner[7367]: Content Checks: Need to convert HTML to plain text in 1 messages Nov 15 09:44:20 linuxgw MailScanner[7367]: Content Checks: Detected and will convert HTML message to plain text in gAF8iAN07366 When I start pine and look in the inbox, I still see small messages being huge in size (13-40 Kb). The top of the e-mail contains stuff like : @font-face { font-family: Tahoma; } @font-face { font-family: Verdana; } @page Section1 {size:595.35pt 842.0pt; margin: 26.95pt 70.9pt 1.0in 70.9pt; mso-header-margin: and similar rubble throughout the e-mail : ….Whaaat ?? ? You gotta be kidding me….?! Now if I retrieve the contents of the mailbox using Outlook Express the e-mail *appears* to be stripped of html rubble because the formatting has changed (colors and font sizes are different). The size of the e-mail is slightly reduced (the original HTML mail was 21 Kb, the end result is 13 Kb (still too much for only 80 lines of text). Why is there still all this font and other rubble in the e-mails and how can I strip them completely? Thanks!! Remco -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From novirus at CARLO65.DE Fri Nov 15 09:03:13 2002
From: novirus at CARLO65.DE (Roland Ehle) Date: Thu Jan 12 21:16:26 2006 Subject: spam action to deliver messages pre-scanned In-Reply-To: References: Message-ID: <1037350993.7296.3.camel@linroute> Hi Brent, Am Fre, 2002-11-15 um 09.32 schrieb Brent Emerson: > (Sorry if this has already been suggested/discussed - couldn't find it in > the archives.) > > I'm wondering how difficult it would be to add yet another Spam Action to > MS allowing admins to forward (to an arbitrary address) copies of the > messages identified as spam, but in their prescanned state (exactly as the > message was received by MS) rather than with the MS/SA/etc markup. This > would be especially nice when using SpamAssassin, which can remove its > markup but doesn't promise to return a message that's identical to the > original. In MailScanner version 4.x you can combine several actions, one of which is forward. I can not tell you, if the forwarded message is untouched concerning its X-MailScanner headers, but I don't think so. As message has passed all MailScanner checks prior to the forwarding action, it probably has the MailScanner additions to the header. I don't see a problem to forward mails like these to razor. Regards, Roland From mailscanner at ecs.soton.ac.uk Fri Nov 15 09:15:16 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:26 2006 Subject: spam action to deliver messages pre-scanned In-Reply-To: Message-ID: <5.1.0.14.2.20021115091403.045ea3b8@imap.ecs.soton.ac.uk> At 08:32 15/11/2002, you wrote: >I'm wondering how difficult it would be to add yet another Spam Action to >MS allowing admins to forward (to an arbitrary address) copies of the >messages identified as spam, but in their prescanned state (exactly as the >message was received by MS) rather than with the MS/SA/etc markup. This >would be especially nice when using SpamAssassin, which can remove its >markup but doesn't promise to return a message that's identical to the >original. MailScanner doesn't use SpamAssassin's own message markup code, it strictly limits it to an obvious header. So if Razor really objects to MailScanner-processed messages, you could easily remove this header from the message automatically before it goes to Razor. >This would be useful to stockpile messages that could be checked over by a >human and, once verified as spam, submitted in their untouched state to >systems like razor, which seem to be distrustful of submissions from >automata. Otherwise we could all go to the trouble of creating troll >accounts and seeding them all over the place and hoping spammers will find >them, but that seems like a lot of work for a slow gradual payoff--and we >already have so many active accounts (our real users) getting so much >spam. I'd just love to get my hands on a mailbox full of untouched >versions of the many messages MS/SA is identifying so accurately! > >brent emerson > > >----techforpeople: hosting for nonprofits and the arts--------------- > nposhield: protection from email viruses/spam/abuse | web hosting >-------------member of the tech underground (techunderground.org)---- -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel.
023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Nov 15 09:16:19 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:26 2006 Subject: html2text output not really clean? In-Reply-To: References: <1037287045.6516.108.camel@linroute> Message-ID: <5.1.0.14.2.20021115091606.04487e68@imap.ecs.soton.ac.uk> Can you send me 1 of the messages for me to experiment with please? At 08:59 15/11/2002, you wrote: >Hi! > >I am using Mailscanner 4.05-3 and have a mobile user collecting mail onm >his laptop. I want to use the html2text feature to prevent expensive >phonecalls to collect e-mail in HTML format that keep the connection open >for hours. MS is running on a RedHat 7.3 box. > >I have this line in my /etc/MailScanner/MailScanner.conf : >Convert HTML To Text = /etc/MailScanner/rules/html2text.rules > >The html2text.rules contains: >To r.barendse@somedomain.com yes >To remco@somedomain.com yes >Fromorto default no > >The output in maillog seems correct: >Nov 15 09:44:19 linuxgw MailScanner[7367]: Content Checks: Need to convert >HTML to plain text in 1 messages >Nov 15 09:44:20 linuxgw MailScanner[7367]: Content Checks: Detected and >will convert HTML message to plain text in gAF8iAN07366 > >When I start pine and look in the inbox, I still see small messages >being huge in size (13-40 Kb). The top of the e-mail contains stuff like : >@font-face { font-family: Tahoma; } @font-face { font-family: Verdana; } >@page Section1 {size:595.35pt 842.0pt; margin: 26.95pt 70.9pt 1.0in >70.9pt; mso-header-margin: > >and similar rubble throughout the e-mail : >….Whaaat ?? > >You gotta be kidding me….?! > >Now if I retrieve the contents of the mailbox using Outlook Express the >e-mail *appears* to be stripped of html rubble because the formatting has >changed (colors and font sizes are different). The size of the e-mail is >slightly reduced (the original HTML mail was 21 Kb, the end result is 13 >Kb (still too much for only 80 lines of text). 
> >Why is there still all this font and other rubble in the e-mails and how >can I strip them completely? > >Thanks!! > >Remco > > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Nov 15 09:12:45 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:26 2006 Subject: Almost there.... In-Reply-To: <1037305726.12383.158.camel@tweety.tnjinfl.com> References: <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk> <1037212550.13361.41.camel@tweety.tnjinfl.com> <1037212550.13361.41.camel@tweety.tnjinfl.com> <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20021115091056.0475ece0@imap.ecs.soton.ac.uk> At 20:28 14/11/2002, you wrote: >What's the proper way to restart everything after making a config change >to any of the conf files with MailScanner? For example, >MailScanner.conf, spam.mailassassin.prefs.conf, etc. > >I've tried the following: >service sendmail off >chkconfig sendmail off >chkconfig MailScanner on >service MailScanner start That's installation-time stuff. You just want service MailScanner reload >Also, I have the Delivery Method set to queue instead of batch, since >this will be running in high volume eventually. I still use batch even with a high volume. As MailScanner V4 runs lots of processes in parallel, you don't really need "queue" much any more. I do my speed tests with "batch" and my development PC (about the equivalent of a modern £700 (or $1000 US) pc) can do over 250,000 messages per day. > The MTA is Sendmail and >the messages seem to sit in the outgoing queue for a while. I haven't >figured out how long they sit there yet, but how does the MTA choose how >long to wait before sending them? If I flush them (using Webmin) they >are sent right away. I assume this is a Sendmail issue, but since I'm >not sure I thought I'd ask here. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at BARENDSE.TO Fri Nov 15 09:48:03 2002
From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:16:26 2006 Subject: html2text output not really clean? In-Reply-To: <5.1.0.14.2.20021115091606.04487e68@imap.ecs.soton.ac.uk> Message-ID: Ok, I will bounce you two messages, can I send them to a non-public address? One thing that might matter : the e-mail I will send will be generated by M$ Word as e-mail editor. I have noticed that the html output of Outlook itself is a lot cleaner and doesn't contain anywhere near the amount of rubble that Word throws in.... Maybe it is only the Word specific rubble that isn't cleaned? Also I have found something else. If html2text is enabled for one specific user (smith@somedomain.com) but the message is cc'ed to another user on the some domain/box (chris@somedomain.com) then both users will get the message in `plain' text. This is logical because the one df/qf message is converted but may be undesirable. Maybe a thing to add at the bottom of the todo list if it's possible at all? Remco On Fri, 15 Nov 2002, Julian Field wrote: > Can you send me 1 of the messages for me to experiment with please? > > At 08:59 15/11/2002, you wrote: > >Hi! > > > >I am using Mailscanner 4.05-3 and have a mobile user collecting mail onm > >his laptop. I want to use the html2text feature to prevent expensive > >phonecalls to collect e-mail in HTML format that keep the connection open > >for hours. MS is running on a RedHat 7.3 box. 
> > > >I have this line in my /etc/MailScanner/MailScanner.conf : > >Convert HTML To Text = /etc/MailScanner/rules/html2text.rules > > > >The html2text.rules contains: > >To r.barendse@somedomain.com yes > >To remco@somedomain.com yes > >Fromorto default no > > > >The output in maillog seems correct: > >Nov 15 09:44:19 linuxgw MailScanner[7367]: Content Checks: Need to convert > >HTML to plain text in 1 messages > >Nov 15 09:44:20 linuxgw MailScanner[7367]: Content Checks: Detected and > >will convert HTML message to plain text in gAF8iAN07366 > > > >When I start pine and look in the inbox, I still see small messages > >being huge in size (13-40 Kb). The top of the e-mail contains stuff like : > >@font-face { font-family: Tahoma; } @font-face { font-family: Verdana; } > >@page Section1 {size:595.35pt 842.0pt; margin: 26.95pt 70.9pt 1.0in > >70.9pt; mso-header-margin: > > > >and similar rubble throughout the e-mail : > >….Whaaat ?? > > > >You gotta be kidding me….?! > > > >Now if I retrieve the contents of the mailbox using Outlook Express the > >e-mail *appears* to be stripped of html rubble because the formatting has > >changed (colors and font sizes are different). The size of the e-mail is > >slightly reduced (the original HTML mail was 21 Kb, the end result is 13 > >Kb (still too much for only 80 lines of text). > > > >Why is there still all this font and other rubble in the e-mails and how > >can I strip them completely? > > > >Thanks!! > > > >Remco > > > > > > > >-- > >This message has been scanned for viruses and > >dangerous content by MailScanner, and is > >believed to be clean. > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From viers at UNILIM.FR Fri Nov 15 09:38:26 2002 
From: viers at UNILIM.FR (Nicolas Viers - SCI Limoges) Date: Thu Jan 12 21:16:26 2006 Subject: Virus test Message-ID: <5.0.2.1.2.20021115102833.022d6368@pop.unilim.fr> Hello, with mailscanner 2.60 when I test virus with eicar I had the warning message sent to the recipient, sender and postmaster. It was useful to test. With the 4.05-3 mailscanner only send message with "non infection" to the recipient. How to test with the same effect of a real virus ? Thanks a lot ____________________________________________________________ Nicolas Viers | Service Commun Informatique Mél: viers@unilim.fr | 123, avenue Albert Thomas | 87060 Limoges cedex Tel: 05-55-45-77-09 | Fax: 05-55-45-75-95 http://www.unilim.fr/sci ____________________________________________________________ From paul at ESPMAIL.CO.UK Fri Nov 15 09:45:47 2002 From: paul at ESPMAIL.CO.UK (Paul Welsh) Date: Thu Jan 12 21:16:26 2006 Subject: IFrame tags References: <200211150003.AAA32156@www.espmail.co.uk> Message-ID: <005e01c28c8b$c6e081a0$6a0110ac@sbsplc.com> A fair number of innocent messages, eg, the daily Dilbert comic strip, get stopped by the IFrame blocking. Excuse my ignorance, but is there any way to allow messages from specific addresses to get through the IFrame scanning? From raymond at PROLOCATION.NET Fri Nov 15 09:56:26 2002 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:16:26 2006 Subject: Virus test In-Reply-To: <5.0.2.1.2.20021115102833.022d6368@pop.unilim.fr> Message-ID: Hi! > With the 4.05-3 mailscanner only send message with "non infection" > to the recipient. > How to test with the same effect of a real virus ? If you really want i can send a zip with some variants so you can test your setup... Bye, Raymond. From klon at NYBRO.DK Fri Nov 15 12:10:06 2002
From: klon at NYBRO.DK (Thomas Hanson) Date: Thu Jan 12 21:16:26 2006 Subject: How to notify only certain senders of virus in thier email? Message-ID: <013f01c28c9f$efa91700$52df26c0@r58> Hi I would like to only notify senders of a certain domain or subset of ip addresses if they have a virus in the email they sent. Is there a way to do this in MailScanner 4.05 ? It says you can put a file with rules instead of just yes and no. But how should that file look like say if I only wanted to notify senders belonging to the domain mydomain.com Thanks, Thomas -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021115/78a69596/attachment.html From mike at CAMAROSS.NET Fri Nov 15 13:00:24 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:16:26 2006 Subject: How to notify only certain senders of virus in thier email? In-Reply-To: <013f01c28c9f$efa91700$52df26c0@r58> Message-ID: <000601c28ca6$f6fb7690$6501a8c0@mikedesk> FromTo: default no FromTo: *@yourdomain.com yes FromTo: *@yourotherdomian.com no Julian has made the rule construction very flexible and forgiving :) -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Thomas Hanson Sent: Friday, November 15, 2002 6:10 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: How to notify only certain senders of virus in thier email? Hi I would like to only notify senders of a certain domain or subset of ip addresses if they have a virus in the email they sent. Is there a way to do this in MailScanner 4.05 ? It says you can put a file with rules instead of just yes and no. But how should that file look like say if I only wanted to notify senders belonging to the domain mydomain.com Thanks, Thomas From novirus at CARLO65.DE Fri Nov 15 13:15:40 2002 
From: novirus at CARLO65.DE (Roland Ehle) Date: Thu Jan 12 21:16:26 2006 Subject: German version of David's mailstats Message-ID: <1037366140.7296.10.camel@linroute> Hi, big sorry to everybody who tried to download the script. I forgot, that my server has suexec restrictions, so download was impossible. New link to a tar-file: http://www.inbox4u.de/mailstats_ge.tar Regards, Roland From viers at UNILIM.FR Fri Nov 15 13:47:25 2002 
From: viers at UNILIM.FR (Nicolas Viers - SCI Limoges) Date: Thu Jan 12 21:16:26 2006 Subject: Mailscanner 4.05-3 and virus infection Message-ID: <5.0.2.1.2.20021115143922.02332bd8@pop.unilim.fr> Hello, I had a problem with my mailscanner config (4.05-3). When I test with virus file, the mail log file said: Nov 15 14:26:33 limdns-new MailScanner[13585]: /usr/local/MailScanner-4.05-3/var/incoming/13585/gAFDQQAl014953/test.zip/URFRIEND.SCR Found virus or variant W32/Yaha !!! Nov 15 14:26:33 limdns-new MailScanner[13585]: /usr/local/MailScanner-4.05-3/var/incoming/13585/gAFDQQAl014953/test.zip/VALUE.EXE Found virus or variant W32/Klez !!! Nov 15 14:26:33 limdns-new MailScanner[13585]: Virus Scanning: mcafee found 8 infections Nov 15 14:26:33 limdns-new MailScanner[13585]: Virus Scanning: Found 8 viruses Nov 15 14:26:33 limdns-new MailScanner[13585]: Uninfected: Delivered 1 messages Nov 15 14:26:33 limdns-new MailScanner[15008]: MailScanner Nov 15 14:26:33 limdns-new MailScanner[15008]: MailScanner E-Mail Virus Scanner version 4.05-3 starting... Nov 15 14:26:33 limdns-new MailScanner[15008]: Using locktype = flock 8 viruses are found, but the attached file was delivered with the message "no infection was found" Mcafee said viruses found and mailscanner Uninfected: deliver 1 message Why mailscanner does not put infected file in quarantine directory ? I had another mailscanner 2.60 version and it works fine with this zip infected file ____________________________________________________________ Nicolas Viers | Service Commun Informatique Mél: viers@unilim.fr | 123, avenue Albert Thomas | 87060 Limoges cedex Tel: 05-55-45-77-09 | Fax: 05-55-45-75-95 http://www.unilim.fr/sci ____________________________________________________________ From Denis.Beauchemin at USHERBROOKE.CA Fri Nov 15 14:24:46 2002
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:16:26 2006 Subject: Filename rules and virus Message-ID: <1037370286.6238.23.camel@dbeauchemin.si.usherbrooke.ca> Hello, I just discovered something strange: an email with an infected .EXE got trapped by MS and quarantined (as per the filename rules) but McAfee was able to disinfect it so MS decided to send it to the recipient, disregarding the filename rules! Nov 15 06:36:08 smtp3 MailScanner[29982]: New Batch: Scanning 1 messages, 207433 bytes Nov 15 06:36:08 smtp3 MailScanner[29982]: Spam Checks: Starting Nov 15 06:36:08 smtp3 MailScanner[29982]: Virus and Content Scanning: Starting Nov 15 06:36:08 smtp3 MailScanner[29982]: /gAFBa4w14876/Server.exe contient le virus W32/Magistr.b@MM !!! Nov 15 06:36:08 smtp3 MailScanner[29982]: Virus Scanning: mcafee found 1 infections Nov 15 06:36:08 smtp3 MailScanner[29982]: Virus Scanning: Found 1 viruses Nov 15 06:36:08 smtp3 MailScanner[29982]: Filename Checks: Fichiers EXE dangereux (Server.exe) Nov 15 06:36:08 smtp3 MailScanner[29982]: Other Checks: Found 1 problems Nov 15 06:36:08 smtp3 MailScanner[29982]: Saved infected "Server.exe" to /quarantaine/usherbrooke/20021115/gAFBa4w14876 Nov 15 06:36:08 smtp3 MailScanner[29982]: Cleaned: Delivered 1 cleaned messages Nov 15 06:36:09 smtp3 MailScanner[29982]: Sender Warnings: Delivered 1 warnings to virus senders Nov 15 06:36:09 smtp3 MailScanner[29982]: Disinfection: Attempting to disinfect 1 messages Nov 15 06:36:09 smtp3 sendmail[14887]: gAFBa8L14883: to=source@sympatico.ca, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30868, relay=smtp12.sy mpatico.ca. 
[209.226.175.80], dsn=5.1.1, stat=User unknown Nov 15 06:36:09 smtp3 MailScanner[29982]: Disinfection: Rescan found only 0 viruses Nov 15 06:36:09 smtp3 sendmail[14887]: gAFBa8L14883: gAFBa9K14887: postmaster notify: User unknown Nov 15 06:36:09 smtp3 sendmail[14890]: gAFBa9D14890: from=quarantaine@usherbrooke.ca, size=157267, class=0, nrcpts=1, msgid=<200211151136.gAFBa9D14890@smtp3.ush erbrooke.ca>, bodytype=8BITMIME, relay=root@localhost Nov 15 06:36:22 smtp3 sendmail[14893]: gAFBa9D14890: to=destination@usherbrooke.ca, ctladdr=quarantaine@usherbrooke.ca (0/0), delay=00:00:13, xdelay=00:00: 13, mailer=relay, pri=187267, relay=c-s.usherbrooke.ca. [132.210.x.y], dsn=2.0.0, stat=Sent (GAA150818 Message accepted for delivery) Can someone figure out what is going on? Denis -- Denis Beauchemin, analyste Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From tony.johansson at SVENSKAKYRKAN.SE Fri Nov 15 14:41:51 2002 From: tony.johansson at SVENSKAKYRKAN.SE (Tony Johansson) Date: Thu Jan 12 21:16:26 2006 Subject: Double file extensions Message-ID: <3C4F5084EF16D4119CE700508B6B8B10058D07F6@nt.svenskakyrkan.se> I allow .pdf documents via mail but deny any double file extensions As a result, files such as "Important meeting.q4.nov.pdf" gets denied How do I write a rule which basically allows *.pdf no matter how many extensions? regards, Tony From bigdog at DOGPOUND.VNET.NET Fri Nov 15 14:52:46 2002
From: bigdog at DOGPOUND.VNET.NET (Matthew Davis) Date: Thu Jan 12 21:16:26 2006 Subject: Filename rules and virus In-Reply-To: <1037370286.6238.23.camel@dbeauchemin.si.usherbrooke.ca>; from Denis.Beauchemin@USHERBROOKE.CA on Fri, Nov 15, 2002 at 09:24:46AM -0500 References: <1037370286.6238.23.camel@dbeauchemin.si.usherbrooke.ca> Message-ID: <20021115095246.A308@dogpound.vnet.net> * Denis Beauchemin (Denis.Beauchemin@USHERBROOKE.CA) wrote: > Hello, > > I just discovered something strange: an email with an infected .EXE got > trapped by MS and quarantined (as per the filename rules) but McAfee was > able to disinfect it so MS decided to send it to the recipient, > disregarding the filename rules! > > Can someone figure out what is going on? Check your MailScanner.conf # Should I attempt to disinfect infected attachments and then deliver # the clean ones. "Disinfection" involves removing viruses from files # (such as removing macro viruses from documents). "Cleaning" is the # replacement of infected attachments with "VirusWarning.txt" text # attachments. # This can also be the filename of a ruleset. Deliver Disinfected Files = yes -- Matthew Davis http://dogpound.vnet.net/ ---------------------------------------------------------------- Borg spreadsheet: Locutus 1-2-3 ---------------------------------------------------------------- Friday, November 15, 2002 / 09:51AM From mailscanner at ecs.soton.ac.uk Fri Nov 15 15:01:28 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:26 2006 Subject: Double file extensions In-Reply-To: <3C4F5084EF16D4119CE700508B6B8B10058D07F6@nt.svenskakyrkan. se> Message-ID: <5.2.0.9.2.20021115150101.047b2e20@imap.ecs.soton.ac.uk> At 14:41 15/11/2002, you wrote: >I allow .pdf documents via mail but deny any double file extensions >As a result, files such as "Important meeting.q4.nov.pdf" gets denied > >How do I write a rule which basically allows *.pdf no matter how many >extensions? allow \.pdf$ - - above the "deny double extensions" rule. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Nov 15 14:38:27 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:26 2006 Subject: IFrame tags In-Reply-To: <005e01c28c8b$c6e081a0$6a0110ac@sbsplc.com> References: <200211150003.AAA32156@www.espmail.co.uk> Message-ID: <5.2.0.9.2.20021115143705.04660800@imap.ecs.soton.ac.uk> At 09:45 15/11/2002, you wrote: >A fair number of innocent messages, eg, the daily Dilbert comic strip, get >stopped by the IFrame blocking. > >Exuse my ignorance, but is there any way to allow messages from specific >addresses to get through the IFrame scanning? In version 4, you can make a ruleset that allows iframes from some places but not others. A ruleset file such as From: *@dilbert.com yes From: *@newsletters.microsoft.com yes FromOrTo: default no would do the trick. Obviously you need to get the "dilbert.com" domain name correct from looking at a real Dilbert daily comic strip. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Nov 15 14:59:32 2002 
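Added example (not part of the original thread and not MailScanner's own code): a small first-match evaluator for the rule ordering described in the "Double file extensions" reply above, where the allow rule goes above the double-extension deny. The rules text, both deny patterns, case-insensitive matching and allow-when-nothing-matches are assumptions made for this illustration.

```python
import re

# Constructed rules file (not MailScanner's shipped rules). Fields are
# tab-separated: action, regex, log text, user report text.
RULES_TEXT = (
    "# allow rule placed above the double-extension deny\n"
    "allow\t\\.pdf$\t-\t-\n"
    "deny\t\\.[a-z][a-z0-9]{2,3}\\s*\\.[a-z0-9]{3}$\tdouble extension\tPossible filename hiding\n"
    "deny\t\\.exe$\texecutable\tExecutables are not allowed\n"
)


def parse_rules(text):
    """Parse the rules text into (action, compiled regex, log text, line number)."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"\t+", line)
        if len(fields) != 4 or fields[0] not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: expected action, regex, log text, user text")
        action, pattern, log_text, _user_text = fields
        # Assumption: patterns are matched case-insensitively.
        rules.append((action, re.compile(pattern, re.IGNORECASE), log_text, lineno))
    return rules


def decide(filename, rules):
    """Return (action, line number of the deciding rule); the first match wins."""
    for action, regex, _log_text, lineno in rules:
        if regex.search(filename):
            return action, lineno
    # Assumption: a filename that matches no rule is allowed.
    return "allow", None


def compare(filenames, text=RULES_TEXT):
    """Map each filename to (verdict without the allow rule, verdict with it)."""
    with_allow = parse_rules(text)
    without_allow = [rule for rule in with_allow if rule[0] != "allow"]
    return {
        name: (decide(name, without_allow)[0], decide(name, with_allow)[0])
        for name in filenames
    }


if __name__ == "__main__":
    samples = [
        "Important meeting.q4.nov.pdf",  # the filename from the question
        "report.pdf.exe",                # final extension is .exe: still denied
        "Server.exe",                    # single extension, caught by the .exe rule
        "notes.txt",                     # matches nothing
    ]
    for name, (before, after) in compare(samples).items():
        print(f"{name!r}: without allow rule={before}, with allow rule={after}")
```

The allow rule keys on the final extension only, so every name ending in `.pdf` skips the double-extension check, while a name that merely contains `.pdf` before another extension still falls through to the deny rules.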
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:26 2006 Subject: Filename rules and virus In-Reply-To: <1037370286.6238.23.camel@dbeauchemin.si.usherbrooke.ca> Message-ID: <5.2.0.9.2.20021115145840.04421150@imap.ecs.soton.ac.uk> That's a subtle one. Fixed for the next release. In the mean time the patch is a 1-line change if you need this functionality in a hurry: --- /root/unstable/mailscanner/mailscanner/bin/MailScanner/MessageBatch.pm Fri Nov 8 16:13:58 2002 +++ MessageBatch.pm Fri Nov 15 15:12:15 2002 
@@ -607,6 +607,7 @@ if ($message->{deleted} || $message->{cantparse} || $message->{badtnef} || + $message->{nameinfected} || ($message->{allreports} && $message->{allreports}{""}) || !MailScanner::Config::Value('deliverdisinfected',$message)) { $message->DeleteMessage(); At 14:24 15/11/2002, you wrote: >Hello, > >I just discovered something strange: an email with an infected .EXE got >trapped by MS and quarantined (as per the filename rules) but McAfee was >able to disinfect it so MS decided to send it to the recipient, >disregarding the filename rules! > >Nov 15 06:36:08 smtp3 MailScanner[29982]: New Batch: Scanning 1 messages, >207433 bytes >Nov 15 06:36:08 smtp3 MailScanner[29982]: Spam Checks: Starting >Nov 15 06:36:08 smtp3 MailScanner[29982]: Virus and Content Scanning: Starting >Nov 15 06:36:08 smtp3 MailScanner[29982]: >/gAFBa4w14876/Server.exe contient le virus W32/Magistr.b@MM !!! >Nov 15 06:36:08 smtp3 MailScanner[29982]: Virus Scanning: mcafee found 1 >infections >Nov 15 06:36:08 smtp3 MailScanner[29982]: Virus Scanning: Found 1 viruses >Nov 15 06:36:08 smtp3 MailScanner[29982]: Filename Checks: Fichiers EXE >dangereux (Server.exe) >Nov 15 06:36:08 smtp3 MailScanner[29982]: Other Checks: Found 1 problems >Nov 15 06:36:08 smtp3 MailScanner[29982]: Saved infected "Server.exe" to >/quarantaine/usherbrooke/20021115/gAFBa4w14876 >Nov 15 06:36:08 smtp3 MailScanner[29982]: Cleaned: Delivered 1 cleaned >messages >Nov 15 06:36:09 smtp3 MailScanner[29982]: Sender Warnings: Delivered 1 >warnings to virus senders >Nov 15 06:36:09 smtp3 MailScanner[29982]: Disinfection: Attempting to >disinfect 1 messages >Nov 15 06:36:09 smtp3 sendmail[14887]: gAFBa8L14883: >to=source@sympatico.ca, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, >pri=30868, relay=smtp12.sy >mpatico.ca. 
[209.226.175.80], dsn=5.1.1, stat=User unknown >Nov 15 06:36:09 smtp3 MailScanner[29982]: Disinfection: Rescan found only >0 viruses >Nov 15 06:36:09 smtp3 sendmail[14887]: gAFBa8L14883: gAFBa9K14887: >postmaster notify: User unknown >Nov 15 06:36:09 smtp3 sendmail[14890]: gAFBa9D14890: >from=quarantaine@usherbrooke.ca, size=157267, class=0, nrcpts=1, >msgid=<200211151136.gAFBa9D14890@smtp3.ush >erbrooke.ca>, bodytype=8BITMIME, relay=root@localhost >Nov 15 06:36:22 smtp3 sendmail[14893]: gAFBa9D14890: >to=destination@usherbrooke.ca, ctladdr=quarantaine@usherbrooke.ca (0/0), >delay=00:00:13, xdelay=00:00: >13, mailer=relay, pri=187267, relay=c-s.usherbrooke.ca. [132.210.x.y], >dsn=2.0.0, stat=Sent (GAA150818 Message accepted for delivery) > >Can someone figure out what is going on? > >Denis >-- >Denis Beauchemin, analyste >Universit? de Sherbrooke, S.T.I. >T: 819.821.8000x2252 F: 819.821.8045 -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Nov 15 14:36:25 2002 
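Review bot: the added `$message->{nameinfected} ||` term in the @@ -607 hunk of MessageBatch.pm carries no comment saying why a filename-rule hit must stop the disinfected copy from being delivered, and it now sits in an `if` that chains five unrelated conditions, so the reason is easy to lose in a later cleanup. Suggest a one-line comment above the new term. It is also worth checking whether any other non-virus check that flags a message belongs in this condition, since the `deliverdisinfected` path only accounts for what the virus scanner removed.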
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:27 2006 Subject: html2text output not really clean? In-Reply-To: References: <5.1.0.14.2.20021115091606.04487e68@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20021115135340.04655008@imap.ecs.soton.ac.uk> At 09:48 15/11/2002, you wrote: >Ok, I will bounce you two messages, can I send them to a non-public >address? Even better, can you put the queue files into a password-protected zip and mail that to me please? >One thing that might matter : the e-mail I will send will >be generated by M$ Word as e-mail editor. I have noticed that the html output >of Outlook itself is a lot cleaner and doesn't contain anywhere near the >amount of rubble that Word throws in.... >Maybe it is only the Word specific rubble that isn't cleaned? Maybe so. >Also I have found something else. If html2text is enabled for one specific >user (smith@somedomain.com) but the message is cc'ed to another user >on the some domain/box (chris@somedomain.com) then both users will get the >message in `plain' text. This is logical because the one df/qf message is >converted but may be undesirable. Maybe a thing to add at the bottom of >the todo list if it's possible at all? I have never done any splitting of messages. What applies to 1 recipient applies to all recipients. I'm unwilling to change that unless there is a very good reason to. >Remco > >On Fri, 15 Nov 2002, Julian Field wrote: > > > Can you send me 1 of the messages for me to experiment with please? > > > > At 08:59 15/11/2002, you wrote: > > >Hi! > > > > > >I am using Mailscanner 4.05-3 and have a mobile user collecting mail onm > > >his laptop. I want to use the html2text feature to prevent expensive > > >phonecalls to collect e-mail in HTML format that keep the connection open > > >for hours. MS is running on a RedHat 7.3 box. 
> > > > > >I have this line in my /etc/MailScanner/MailScanner.conf : > > >Convert HTML To Text = /etc/MailScanner/rules/html2text.rules > > > > > >The html2text.rules contains: > > >To r.barendse@somedomain.com yes > > >To remco@somedomain.com yes > > >Fromorto default no > > > > > >The output in maillog seems correct: > > >Nov 15 09:44:19 linuxgw MailScanner[7367]: Content Checks: Need to convert > > >HTML to plain text in 1 messages > > >Nov 15 09:44:20 linuxgw MailScanner[7367]: Content Checks: Detected and > > >will convert HTML message to plain text in gAF8iAN07366 > > > > > >When I start pine and look in the inbox, I still see small messages > > >being huge in size (13-40 Kb). The top of the e-mail contains stuff like : > > >@font-face { font-family: Tahoma; } @font-face { font-family: Verdana; } > > >@page Section1 {size:595.35pt 842.0pt; margin: 26.95pt 70.9pt 1.0in > > >70.9pt; mso-header-margin: > > > > > >and similar rubble throughout the e-mail : > > >….Whaaat ?? > > > > > >You gotta be kidding me….?! > > > > > >Now if I retrieve the contents of the mailbox using Outlook Express the > > >e-mail *appears* to be stripped of html rubble because the formatting has > > >changed (colors and font sizes are different). The size of the e-mail is > > >slightly reduced (the original HTML mail was 21 Kb, the end result is 13 > > >Kb (still too much for only 80 lines of text). > > > > > >Why is there still all this font and other rubble in the e-mails and how > > >can I strip them completely? > > > > > >Thanks!! > > > > > >Remco > > > > > > > > > > > >-- > > >This message has been scanned for viruses and > > >dangerous content by MailScanner, and is > > >believed to be clean. > > > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 
023 8059 2817 University of Southampton
> > Southampton SO17 1BJ
> >
> >
> >
>--
>This message has been scanned for viruses and
>dangerous content by MailScanner, and is
>believed to be clean.

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From Denis.Beauchemin at USHERBROOKE.CA Fri Nov 15 15:33:37 2002
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:16:27 2006
Subject: Filename rules and virus
In-Reply-To: <5.2.0.9.2.20021115145840.04421150@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20021115145840.04421150@imap.ecs.soton.ac.uk>
Message-ID: <1037374417.7307.1.camel@dbeauchemin.si.usherbrooke.ca>

Thanks! Patch applied.

BTW the mod I submitted yesterday for the init.d script is not working better than your original code today.

Denis

On Fri 15/11/2002 at 09:59, Julian Field wrote:
> That's a subtle one. Fixed for the next release. In the mean time the patch
> is a 1-line change if you need this functionality in a hurry:
>
> --- > /root/unstable/mailscanner/mailscanner/bin/MailScanner/MessageBatch.pm > Fri Nov 8 16:13:58 2002 > +++ MessageBatch.pm Fri Nov 15 15:12:15 2002 > @@ -607,6 +607,7 @@ > if ($message->{deleted} || > $message->{cantparse} || > $message->{badtnef} || > + $message->{nameinfected} || > ($message->{allreports} && $message->{allreports}{""}) || > !MailScanner::Config::Value('deliverdisinfected',$message)) { > $message->DeleteMessage();
>
>
> At 14:24 15/11/2002, you wrote:

--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From mailscanner at ecs.soton.ac.uk Fri Nov 15 15:46:22 2002
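Review bot: the added `$message->{nameinfected} ||` term (new line 610 in the @@ -607,6 +607,7 @@ hunk) has no comment saying why a filename-rule hit must force `DeleteMessage()` even when 'deliverdisinfected' is enabled. The condition now has six alternatives and none is explained, so a one-line comment above the `if` stating that a message flagged by the filename rules is never delivered as "disinfected" would make the intent clear to the next reader. Nothing in the hunk shows where `nameinfected` is assigned, so it is also worth confirming that the flag is always set on the message before this point in MessageBatch.pm; if it is not, this branch silently does nothing.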
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:27 2006 Subject: SuSE? Message-ID: <5.2.0.9.2.20021115154020.0463e750@imap.ecs.soton.ac.uk> Guess what, I'm on the scrounge again :-) Just a little request this time: Anyone fancy buying me a copy of the latest release of SuSE Linux please? I can't download ISO's from them :-( I would like to sort out the SuSE installation and init.d problems once and for all, and I have a machine to run it on now (by very kind donation from Gavin Nelmes-Crocker ). -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From brian at PORTSMOUTH-COLLEGE.AC.UK Fri Nov 15 15:57:38 2002 From: brian at PORTSMOUTH-COLLEGE.AC.UK (Brian Chivers - ICT Support Officer Portsmouth College) Date: Thu Jan 12 21:16:27 2006 Subject: SuSE? References: <5.2.0.9.2.20021115154020.0463e750@imap.ecs.soton.ac.uk> Message-ID: <009201c28cbf$b8841020$65c8a8c0@portsmouthcollege.ac.uk> What version of Suse are you after. I'm off to a HantsLug meeting tomorrow so I might be able to get a copy from someone there ?? Brian Chivers ----- Original Message ----- 
From: "Julian Field" To: Sent: Friday, November 15, 2002 3:46 PM Subject: SuSE? Guess what, I'm on the scrounge again :-) Just a little request this time: Anyone fancy buying me a copy of the latest release of SuSE Linux please? I can't download ISO's from them :-( I would like to sort out the SuSE installation and init.d problems once and for all, and I have a machine to run it on now (by very kind donation from Gavin Nelmes-Crocker ). -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Chris.Campbell at FAC.COM Fri Nov 15 16:00:41 2002 From: Chris.Campbell at FAC.COM (Chris Campbell) Date: Thu Jan 12 21:16:27 2006 Subject: SuSE? Message-ID: Julian, I have the dvd and 8 cds if you want. contact me personally if you wish. ..................................... Christopher S. Campbell UNIX Admin First Albany Corp 518.447.8544 chris.campbell@fac.com Brian Chivers - ICT Support Officer Portsmouth College Sent by: MailScanner mailing list 11/15/2002 10:57 AM Please respond to MailScanner mailing list To: MAILSCANNER@JISCMAIL.AC.UK cc: Subject: Re: SuSE? What version of Suse are you after. I'm off to a HantsLug meeting tomorrow so I might be able to get a copy from someone there ?? Brian Chivers ----- Original Message ----- 
From: "Julian Field" To: Sent: Friday, November 15, 2002 3:46 PM Subject: SuSE? Guess what, I'm on the scrounge again :-) Just a little request this time: Anyone fancy buying me a copy of the latest release of SuSE Linux please? I can't download ISO's from them :-( I would like to sort out the SuSE installation and init.d problems once and for all, and I have a machine to run it on now (by very kind donation from Gavin Nelmes-Crocker ). -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021115/7194f483/attachment.html From krice at SERVERSANDSOLUTIONS.COM Fri Nov 15 16:06:20 2002 
From: krice at SERVERSANDSOLUTIONS.COM (Ken Rice)
Date: Thu Jan 12 21:16:27 2006
Subject: FriendlyGreeting is Expanding
In-Reply-To:
References: <20021113121051.04bdec1d.krice@serversandsolutions.com>
Message-ID: <20021115110620.388ad0b6.krice@serversandsolutions.com>

On Thu, 14 Nov 2002 10:25:28 +0100 Remco Barendse wrote:

> Just wondering though, you have included what is in your ssjunk.txt
> file but what do you have in the junksubs.txt file?

ssjunk.txt is for a word or phrase appearing anywhere in the Subject:
junksubs.txt is for word or phrase or characters that begins (MUST begin) the Subject:

My junksubs.txt only includes this:
ADV

> Also are the dots between the words really necessary, and will
> sendmail treat the subjects and texts in the e-mails case insensitive?

case-insensitive
dots = spaces in the phrase

a portion of ssjunk.txt:
add.inches
chance.of.a.lifetime
don't.just.dream
fu*k
*enis
p*rn

The stars are literal, I didn't edit the above. I have 351 entries in that file, can't catch all, but many. I only have 200 users but about 100 mailing lists, and it helps. (Just couldn't block "cash" when the CFO tries to email the CEO "Cash Statements"...)

The tail of our sendmail.mc:

MAILER(smtp)dnl
MAILER(procmail)dnl
LOCAL_RULESETS
F{JunkSubs} /etc/mail/junksubs.txt
F{SSJunk} /etc/mail/ssjunk.txt
HSubject: $>Check_Subject
SCheck_Subject
R$={JunkSubs}$*	$: NMJUNKSUB
R$* $={SSJunk} $*	$#error $: NMJUNKSUB
R$* NMJUNKSUB $*	$#error $: "5.7.1 Rejected"

Rather than bounce all these back, I'll probably let our people see the ssjunk.txt list, although some will be offended, and then change the above to DISCARD. But we're then taking a chance of throwing away and not notifying a sender that we won't accept their email based on what they type into the Subject:.
And that would not be polite nor proper (or maybe too bright on our part) to someone who isn't that familiar with English phrasing/grammar, including the native West Virginians, Marylanders and Pennsylvanians here, and myself some days of course.

Apologies to the list if this is off-topic.

Ken Rice
SysAdmin
The Library Corporation

From mailscanner at ecs.soton.ac.uk Fri Nov 15 16:15:20 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:27 2006
Subject: SuSE?
In-Reply-To: <009201c28cbf$b8841020$65c8a8c0@portsmouthcollege.ac.uk>
References: <5.2.0.9.2.20021115154020.0463e750@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20021115161505.086bc190@imap.ecs.soton.ac.uk>

At 15:57 15/11/2002, you wrote:
>What version of Suse are you after. I'm off to a HantsLug meeting tomorrow
>so I might be able to get a copy from someone there ??

8.1 appears to be the latest.

>Brian Chivers
>----- Original Message -----
>From: "Julian Field" >To: >Sent: Friday, November 15, 2002 3:46 PM >Subject: SuSE? > > >Guess what, I'm on the scrounge again :-) >Just a little request this time: > >Anyone fancy buying me a copy of the latest release of SuSE Linux please? >I can't download ISO's from them :-( > >I would like to sort out the SuSE installation and init.d problems once and >for all, and I have a machine to run it on now (by very kind donation from >Gavin Nelmes-Crocker ). >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. > > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Nov 15 16:41:42 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:27 2006
Subject: Mailscanner 4.05-3 and virus infection
In-Reply-To: <5.0.2.1.2.20021115143922.02332bd8@pop.unilim.fr>
Message-ID: <5.2.0.9.2.20021115164108.042881f8@imap.ecs.soton.ac.uk>

Just an update for the benefit of the list. This problem is apparently resolved now (I just don't quite know how :-)

At 13:47 15/11/2002, you wrote:
> Hello,
>I had pb with my mailscanner config (4.05-3)
>When I test with virus file, the mail log file said:
>Nov 15 14:26:33 limdns-new MailScanner[13585]:
>/usr/local/MailScanner-4.05-3/var/incoming/13585/gAFDQQAl014953/test.zip/URFRIEND.SCR
>Found virus or variant W32/Yaha !!!
>
>Nov 15 14:26:33 limdns-new MailScanner[13585]:
>/usr/local/MailScanner-4.05-3/var/incoming/13585/gAFDQQAl014953/test.zip/VALUE.EXE
>Found virus or variant W32/Klez !!!
>
>Nov 15 14:26:33 limdns-new MailScanner[13585]: Virus Scanning: mcafee
>found 8 infections
>Nov 15 14:26:33 limdns-new MailScanner[13585]: Virus Scanning: Found 8 viruses
>Nov 15 14:26:33 limdns-new MailScanner[13585]: Uninfected: Delivered 1
>messages
>Nov 15 14:26:33 limdns-new MailScanner[15008]: MailScanner
>Nov 15 14:26:33 limdns-new MailScanner[15008]: MailScanner E-Mail Virus
>Scanner version 4.05-3 starting...
>
>Nov 15 14:26:33 limdns-new MailScanner[15008]: Using locktype = flock
>
>8 viruses are found, but the attach file was delivered with the message
>"no infection was found"
>Mcafee said viruses found and mailscanner Uninfected: deliver 1 message
>
>Why mailscanner does not put infected file in quarantine directory ?
>
>I had another mailscanner 2.60 version and it works fine with this zip
>infected file

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From lbergman at wtxs.net Fri Nov 15 17:36:17 2002
From: lbergman at wtxs.net (Lewis Bergman) Date: Thu Jan 12 21:16:27 2006 Subject: stupid responses list Message-ID: <200211151136.17086.lbergman@wtxs.net> After I installed version 4 I started bouncing spam instead of just deleting it. I include in the report an address the sender may use to contact me that will not be blocked. Some of the responses I get are quite comical. Maybe there should be a place to post these for all to enjoy. A small excerpt follows: I sent two e-mail messages to jessekossman@wtxs.net this morning that were rejected by your "SpamAssassin". They WERE NOT SPAM. You have destroyed said messages, so I (and Jesse) have ALREADY been inconvenienced by you. If you were to carry out your threat to contact my ISP and request that my "account be removed" would most certainly anger me greatly. Thus contact my ISP at your peril. I suggest that you go yell at the programmers that designed the SpamAssassin, and beat them about the head and shoulders. (You should learn how to spell "behavior".) -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From mailscannerlist at TNJINFL.COM Fri Nov 15 19:09:22 2002 
From: mailscannerlist at TNJINFL.COM (James Pifer)
Date: Thu Jan 12 21:16:27 2006
Subject: Almost there....
In-Reply-To: <5.1.0.14.2.20021115091056.0475ece0@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk> <1037212550.13361.41.camel@tweety.tnjinfl.com> <1037212550.13361.41.camel@tweety.tnjinfl.com> <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021115091056.0475ece0@imap.ecs.soton.ac.uk>
Message-ID: <1037387363.13470.199.camel@tweety.tnjinfl.com>

Julian,

I did the service MailScanner reload and it responded ok, yet it's still marking all emails from hotmail.com as Spam. I did a text search of every file under /etc/MailScanner and there is no reference to hotmail.com. Unless it stored somewhere else.

Any idea how to get this thing to refresh and not have that domain blacklisted any more?

Thanks,
James

On Fri, 2002-11-15 at 04:12, Julian Field wrote:
> At 20:28 14/11/2002, you wrote:
> >What's the proper way to restart everything after making a config change
> >to any of the conf files with MailScanner? For example,
> >MailScanner.conf, spam.mailassassin.prefs.conf, etc.
> >
> >I've tried the following:
> >service sendmail off
> >chkconfig sendmail off
> >chkconfig MailScanner on
> >service MailScanner start
>
> That's installation-time stuff.
>
> You just want
> service MailScanner reload
>
> >Also, I have the Delivery Method set to queue instead of batch, since
> >this will be running in high volume eventually.
>
> I still use batch even with a high volume. As MailScanner V4 runs lots of
> processes in parallel, you don't really need "queue" much any more. I do my
> speed tests with "batch" and my development PC (about the equivalent of a
> modern £700 (or $1000 US) pc) can do over 250,000 messages per day.
>
> > The MTA is Sendmail and
> >the messages seem to sit in the outgoing queue for a while.
I haven't > >figured out how long they sit there yet, but how does the MTA choose how > >long to wait before sending them? If I flush them (using Webmin) they > >are sent right away. I assume this is a Sendmail issue, but since I'm > >not sure I thought I'd ask here. > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ From mkettler at EVI-INC.COM Fri Nov 15 19:38:49 2002 
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:16:27 2006 Subject: Almost there.... In-Reply-To: <1037387363.13470.199.camel@tweety.tnjinfl.com> References: <5.1.0.14.2.20021115091056.0475ece0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk> <1037212550.13361.41.camel@tweety.tnjinfl.com> <1037212550.13361.41.camel@tweety.tnjinfl.com> <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021115091056.0475ece0@imap.ecs.soton.ac.uk> Message-ID: <5.1.1.6.0.20021115143424.01ab6e88@192.168.50.2> Are you using SpamAssassin with MailScanner? If so, make sure you are running 2.43 or 2.42 (2.43 preferred for AWL bugfix reasons but not critical). If not, which spam lists are you using? Try turning some off to see which one is listing hotmail.com's MX as a spam source. Or you could check the marked email to see what MX it came from and pump that into: http://relays.osirusoft.com/cgi-bin/rbcheck.cgi for a report of a very large number of blacklists to see which, if any, list that mailserver. At 02:09 PM 11/15/2002 -0500, you wrote: >Julian, > >I did the service MailScanner reload and it responded ok, yet it's still >marking all emails from hotmail.com as Spam. I did a text search of >every file under /etc/MailScanner and there is no reference to >hotmail.com. Unless it stored somewhere else. > >Any idea how to get this thing to refresh and not have that domain >blacklisted any more? > >Thanks, >James From mailscannerlist at TNJINFL.COM Fri Nov 15 19:50:53 2002 
From: mailscannerlist at TNJINFL.COM (James Pifer) Date: Thu Jan 12 21:16:27 2006 Subject: Almost there.... In-Reply-To: <5.1.1.6.0.20021115143424.01ab6e88@192.168.50.2> References: <5.1.0.14.2.20021115091056.0475ece0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk> <1037212550.13361.41.camel@tweety.tnjinfl.com> <1037212550.13361.41.camel@tweety.tnjinfl.com> <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021115091056.0475ece0@imap.ecs.soton.ac.uk> <5.1.1.6.0.20021115143424.01ab6e88@192.168.50.2> Message-ID: <1037389854.12383.208.camel@tweety.tnjinfl.com> Yes, I installed 2.43-2. hotmail.com was not being blocked before I added it to the spam.assassin.prefs.conf files, so I don't think running the rbcheck.cgi is the answer do you? Once I added hotmail.com to that conf file, and then somehow got it to apply, then the mail from hotmail started getting marked as spam. Thanks, James On Fri, 2002-11-15 at 14:38, Matt Kettler wrote: > Are you using SpamAssassin with MailScanner? If so, make sure you are > running 2.43 or 2.42 (2.43 preferred for AWL bugfix reasons but not critical). > > If not, which spam lists are you using? Try turning some off to see which > one is listing hotmail.com's MX as a spam source. Or you could check the > marked email to see what MX it came from and pump that into: > > http://relays.osirusoft.com/cgi-bin/rbcheck.cgi > > for a report of a very large number of blacklists to see which, if any, > list that mailserver. > > > At 02:09 PM 11/15/2002 -0500, you wrote: > >Julian, > > > >I did the service MailScanner reload and it responded ok, yet it's still > >marking all emails from hotmail.com as Spam. I did a text search of > >every file under /etc/MailScanner and there is no reference to > >hotmail.com. Unless it stored somewhere else. > > > >Any idea how to get this thing to refresh and not have that domain > >blacklisted any more? 
> >
> >Thanks,
> >James

From Denis.Beauchemin at USHERBROOKE.CA Fri Nov 15 20:03:53 2002
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:16:27 2006
Subject: Internationalization
Message-ID: <1037390633.7395.47.camel@dbeauchemin.si.usherbrooke.ca>

Julian,

MailScanner is almost perfect in terms of internationalization but there are some hard coded strings in some modules. I for one had to modify the following modules for French:
Message.pm
SweepContent.pm
SweepViruses.pm

and a fast scan seems to indicate that MessageBatch.pm and SweepOther.pm also contain such strings.

Could it be possible to implement an internationalization file that would contain localized versions of those messages? Something in the lines of "localization.rules":
Could not analyze = "Could not analyze message\n"
Dangerous Codebase Object = "Found dangerous Object Codebase tag in HTML message\n"
# Could not analyze = "Impossible d'analyser le courriel\n"
# Dangerous Codebase Object = "Une balise «Object Codebase» non sécuritaire a été trouvée dans le message HTML\n"

that would be loaded into variables and then used in your Perl modules?

All you would have to do initially would be to extract your hard coded strings from your modules and put them in a file that you would have to parse and load on startup; your modules would then use the values loaded in the variables. We would do the translations and send them back to you to be included in the MS package.

That would greatly simplify upgrades!

Thanks again for all the time you spend supporting MS.

Denis
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From bidwell at ANDREWS.EDU Fri Nov 15 20:00:15 2002
From: bidwell at ANDREWS.EDU (Daniel Bidwell)
Date: Thu Jan 12 21:16:27 2006
Subject: Directory ownership under debian
Message-ID: <1037390416.1163.11.camel@samwise>

I have installed mailscanner 3.24.1 with sendmail on a Debian Intel machine and the directory permissions are giving me trouble. mailscanner will not run unless /var/spool/mqueue is owned by the user smmsp and sendmail will not accept incoming mail unless /var/spool/mqueue is owned by root.

I would like to upgrade to version 4.x but would like to get this working first unless it will be easier to run version 4.x.

--
Daniel R. Bidwell | bidwell@andrews.edu
Andrews University
Computer Science & Information Systems Department
If two always agree, one of them is unnecessary
"Friends don't let friends do DOS"
"In theory, theory and practice are the same. In practice, however, they are not."

From mailscanner at ecs.soton.ac.uk Fri Nov 15 20:26:28 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:27 2006
Subject: Internationalization
In-Reply-To: <1037390633.7395.47.camel@dbeauchemin.si.usherbrooke.ca>
Message-ID: <5.1.0.14.2.20021115202500.0243ebd8@imap.ecs.soton.ac.uk>

At 20:03 15/11/2002, you wrote:
>MailScanner is almost perfect in terms of internationalization but there
>are some hard coded strings in some modules. I for one had to modify
>the following modules for French:
>Message.pm
>SweepContent.pm
>SweepViruses.pm
>
>and a fast scan seems to indicate that MessageBatch.pm and SweepOther.pm
>also contain such strings.
>
>Could it be possible to implement an internationalization file that
>would contain localized versions of those messages? Something in the
>lines of "localization.rules":
>Could not analyze = "Could not analyze message\n"
>Dangerous Codebase Object = "Found dangerous Object Codebase tag in HTML
>message\n"
># Could not analyze = "Impossible d'analyser le courriel\n"
># Dangerous Codebase Object = "Une balise «Object Codebase» non
>sécuritaire a été trouvée dans le message HTML\n"
>
>that would be loaded into variables and then used in your Perl modules?
>
>All you would have to do initially would be to extract your hard coded
>strings from your modules and put them in a file that you would have to
>parse and load on startup; your modules would then use the values loaded
>in the variables. We would do the translations and send them back to
>you to be included in the MS package.
>
>That would greatly simplify upgrades!

Okay, that sounds like a good idea. Not sure whether to allow rulesets for the files or not yet. Will have a think about it this weekend and come up with something which will do the job, but not add more complexity than necessary.

>Thanks again for all the time you spend supporting MS.

No problem. Thanks for the suggestion.

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel.
023 8059 2817 University of Southampton
Southampton SO17 1BJ

From Denis.Beauchemin at USHERBROOKE.CA Fri Nov 15 20:35:06 2002
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:16:27 2006
Subject: Error message on console
Message-ID: <1037392506.7395.54.camel@dbeauchemin.si.usherbrooke.ca>

Hello again Julian,

The following error message pops up on my console now and then:
Premature padding of base64 data at /usr/lib/perl5/site_perl/5.6.1/MIME/Decoder/Base64.pm line 109.

This sounds like something external to MS... Is this something to worry about?

Denis
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From combslm at APPSTATE.EDU Fri Nov 15 20:40:26 2002
From: combslm at APPSTATE.EDU (Laramie Combs)
Date: Thu Jan 12 21:16:27 2006
Subject: virus name in postmaster report
References: <5.1.0.14.2.20021112191041.01fb2740@imap.ecs.soton.ac.uk>
Message-ID: <025e01c28ce7$3a6bc2f0$160c0a98@maverick>

That works great - thanks.

-Laramie

----- Original Message -----
From: "Julian Field"
To:
Sent: Tuesday, November 12, 2002 2:15 PM
Subject: Re: virus name in postmaster report

> At 18:35 12/11/2002, you wrote:
> >I am from Appalachian State University in Boone, NC (USA) and we are
> >currently using the latest 3.x version of Mailscanner.
> >
> >We love the product, and are impressed with the time and effort that
> >Julian (and others) have obviously put into this.
>
> Thank you.
>
> >I was wondering if there is a way to get the virus name into the subject
> >of the email that gets sent to "postmaster" when a virus is detected.
>
> If you send all the postmaster notifications to 1 mailbox, then it's dead
> easy to extract them anyway. To get a list of viruses with the number of
> each that has been caught, sorted with most common at the top, just use a
> script like this:
>
> #!/bin/sh
>
> fgrep '>>>' Mail/Archive/Viruses | \
> cut -d\' -f2 | \
> sort | \
> uniq -c | \
> sort -nr
>
> This should work fine for Sophos.
>
> > Thanks for all your hard work Julian.
>
> No worries.
> --
> Julian Field Teaching Systems Manager
> jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
> Tel. 023 8059 2817 University of Southampton
> Southampton SO17 1BJ
>

From mailscanner at ecs.soton.ac.uk Fri Nov 15 20:40:29 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:27 2006
Subject: Error message on console
In-Reply-To: <1037392506.7395.54.camel@dbeauchemin.si.usherbrooke.ca>
Message-ID: <5.1.0.14.2.20021115203703.02438dd0@imap.ecs.soton.ac.uk>

It's the Base64 decoder module complaining about a message it doesn't like. There's not much that can be done about it at present.

I have the biggest set of the most horrible test messages you'll ever see, and I need to work through them all and get MailScanner to handle them all correctly. That's a pretty big job which I am going to start on soon. So hopefully messages like this will become a thing of the past...

I wouldn't worry about it for now, it's extremely rare.

At 20:35 15/11/2002, you wrote:
>Hello again Julian,
>
>The following error message pops up on my console now and then:
>Premature padding of base64 data at
>/usr/lib/perl5/site_perl/5.6.1/MIME/Decoder/Base64.pm line 109.
>
>This sounds like something external to MS... Is this something to worry
>about?
>
>Denis
>--
>Denis Beauchemin, analyste
>Université de Sherbrooke, S.T.I.
>T: 819.821.8000x2252 F: 819.821.8045

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From brian at PORTSMOUTH-COLLEGE.AC.UK Fri Nov 15 20:45:52 2002
From: brian at PORTSMOUTH-COLLEGE.AC.UK (Brian Chivers)
Date: Thu Jan 12 21:16:27 2006
Subject: SuSE?
References: <5.2.0.9.2.20021115154020.0463e750@imap.ecs.soton.ac.uk> <5.2.0.9.2.20021115161505.086bc190@imap.ecs.soton.ac.uk>
Message-ID: <001d01c28ce7$fd020fe0$69c8a8c0@tpc.ac.uk>

OK I'll ask about

Brian

----- Original Message -----
From: "Julian Field" To: Sent: Friday, November 15, 2002 4:15 PM Subject: Re: SuSE? > At 15:57 15/11/2002, you wrote: > >What version of Suse are you after. I'm off to a HantsLug meeting tomorrow > >so I might be able to get a copy from someone there ?? > > 8.1 appears to be the latest. > > > >Brian Chivers > >----- Original Message ----- > >From: "Julian Field" > >To: > >Sent: Friday, November 15, 2002 3:46 PM > >Subject: SuSE? > > > > > >Guess what, I'm on the scrounge again :-) > >Just a little request this time: > > > >Anyone fancy buying me a copy of the latest release of SuSE Linux please? > >I can't download ISO's from them :-( > > > >I would like to sort out the SuSE installation and init.d problems once and > >for all, and I have a machine to run it on now (by very kind donation from > >Gavin Nelmes-Crocker ). > >-- > >Julian Field Teaching Systems Manager > >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > >Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > > >-- > >This message has been scanned for viruses and > >dangerous content by MailScanner, and is > >believed to be clean. > > > > > > > >-- > >This message has been scanned for viruses and > >dangerous content by MailScanner, and is > >believed to be clean. > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From richard.siddall at ELIRION.NET Fri Nov 15 21:07:49 2002 
From: richard.siddall at ELIRION.NET (Richard Siddall) Date: Thu Jan 12 21:16:27 2006 Subject: Internationalization References: <5.1.0.14.2.20021115202500.0243ebd8@imap.ecs.soton.ac.uk> Message-ID: <3DD56225.A87528B5@elirion.net> Julian Field wrote: > [snip] > > > >All you would have to do initially would be to extract your hard coded > >strings from your modules and put them in a file that you would have to > >parse and load on startup; your modules would then use the values loaded > >in the variables. We would do the translations and send them back to > >you to be included in the MS package. > > > >That would greatly simplify upgrades! > > Okay, that sounds like a good idea. Not sure whether to allow rulesets for > the files or not yet. Will have a think about it this weekend and come up > with something which will do the job, but not add more complexity than > necessary. > Let me put in a plug for GNU Gettext. There are several modules on CPAN that support it or emulate it. Essentially you wrap all the UK English strings in subroutine calls. The subroutine uses the string as a key to look up the equivalent in a locale-specific language. All you have to do is set the locale when the program starts (and supply translations in a text file). (No point in reinventing the wheel.) Regards, Richard Siddall http://www.gnu.org/directory/localization/gettext.html http://search.cpan.org/search?query=gettext&mode=all From mkettler at EVI-INC.COM Fri Nov 15 21:11:51 2002 
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:16:27 2006 Subject: Almost there.... In-Reply-To: <1037389854.12383.208.camel@tweety.tnjinfl.com> References: <5.1.1.6.0.20021115143424.01ab6e88@192.168.50.2> <5.1.0.14.2.20021115091056.0475ece0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk> <1037212550.13361.41.camel@tweety.tnjinfl.com> <1037212550.13361.41.camel@tweety.tnjinfl.com> <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021115091056.0475ece0@imap.ecs.soton.ac.uk> <5.1.1.6.0.20021115143424.01ab6e88@192.168.50.2> Message-ID: <5.1.1.6.0.20021115155958.02361a10@192.168.50.2> Ahh.. you're probably suffering from the AWL. I'd recommend that you go to your mailscanner.conf and change this line: SpamAssassin Auto Whitelist = yes to SpamAssassin Auto Whitelist = no Basically when you hand-blacklisted hotmail.com, everyone with a hotmail address that sent you mail during that time got a HUGE penalty score in their auto-whitelist entry. Now that the manual blacklisting is gone, those senders still have a past history of high scores. If you like the AWL feature, you can leave it on, but shut down MailScanner, delete your auto_whitelist.db (probably /root/.spamassassin/auto_whitelist.db) and restart it. Personally, I'd advise against using the AWL when used as a global DB like MailScanner uses it, but that's really your choice to make. (note: this problem is not one of the problems of using the AWL with a global database, that's a separate issue. This is just the nature of the AWL. It tries to make past spammers pay for their mistakes in future emails, just as it tries to give credit to past non-spam senders to prevent their mail from being tagged) At 02:50 PM 11/15/2002 -0500, James Pifer wrote: >Yes, I installed 2.43-2. > >hotmail.com was not being blocked before I added it to the >spam.assassin.prefs.conf files, so I don't think running the rbcheck.cgi >is the answer do you? 
Once I added hotmail.com to that conf file, and >then somehow got it to apply, then the mail from hotmail started getting >marked as spam. > >Thanks, >James From mailscanner at BARENDSE.TO Fri Nov 15 21:23:02 2002 
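The auto-whitelist behaviour described in the "Almost there...." thread above, worked through as an added example (not SpamAssassin or MailScanner code). It is a simplified model: it assumes SpamAssassin's documented adjustment `final = score + (mean - score) * factor` with the default factor 0.5, a spam threshold of 5, a manual-blacklist hit of 100 points, and a history keyed on the sender address only; the sender address and scores are constructed.

```python
from dataclasses import dataclass

SPAM_THRESHOLD = 5.0       # assumed "required" score
AWL_FACTOR = 0.5           # documented default of auto_whitelist_factor
BLACKLIST_PENALTY = 100.0  # assumed size of the manual-blacklist hit


@dataclass
class AwlEntry:
    """Per-sender history: sum and count of the scores seen so far."""
    total: float = 0.0
    count: int = 0

    def mean(self):
        return self.total / self.count


class AutoWhitelist:
    """One global history shared by every recipient, as in the thread."""

    def __init__(self, factor=AWL_FACTOR):
        self.factor = factor
        self.entries = {}

    def score(self, sender, raw_score):
        """Return the AWL-adjusted score, then record the raw score."""
        entry = self.entries.setdefault(sender, AwlEntry())
        final = raw_score
        if entry.count:
            # Pull the message part of the way towards the sender's mean.
            final = raw_score + (entry.mean() - raw_score) * self.factor
        entry.total += raw_score
        entry.count += 1
        return final

    def reset(self):
        """Equivalent of deleting auto_whitelist.db while the scanner is stopped."""
        self.entries.clear()


def tagged_until_history_recovers(awl, sender, clean_score, limit=1000):
    """Count further clean messages that are still tagged as spam."""
    tagged = 0
    while tagged < limit and awl.score(sender, clean_score) >= SPAM_THRESHOLD:
        tagged += 1
    return tagged


def demo():
    awl = AutoWhitelist()
    sender = "someone@hotmail.com"  # constructed address

    # Three messages arrive while the domain is manually blacklisted.
    for _ in range(3):
        awl.score(sender, 1.0 + BLACKLIST_PENALTY)

    # Blacklist entry removed: the same harmless mail now scores 1.0 raw.
    first_after = awl.score(sender, 1.0)
    still_tagged = tagged_until_history_recovers(awl, sender, 1.0)

    # Clearing the history removes the inherited penalty at once.
    awl.reset()
    after_reset = awl.score(sender, 1.0)
    return first_after, still_tagged, after_reset


if __name__ == "__main__":
    print(demo())
```

Under these assumptions a sender with three blacklisted messages in the history needs dozens of clean messages before the mean drops far enough, which is why clearing the database or disabling the feature fixed the problem immediately.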
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:16:27 2006
Subject: FriendlyGreeting is Expanding
In-Reply-To: <20021115110620.388ad0b6.krice@serversandsolutions.com>
Message-ID:

It works perfectly now, all those buggers get rejected :)

What doesn't work however are the * expressions. I added fu*k like in the example but if I send a message with fuck in the header it doesn't get rejected?

Furthermore I want to kill off any message with quote : Delivery Status Notification (Success) unquote as a subject. I don't want to block the failed ones, just the success version. I tried several versions for a line but it never gets blocked. How do I make sendmail recognize the () ??

I tried

delivery.status.notification.*success
delivery.status.notification.(success)
delivery.status.notification.\(success\)

Even better, could I make another ruleset by copying the first one to create a second rule so I can reject some messages and discard others? Would this be the correct addition to sendmail.mc in that case (sendmail has never been a friend of mine)??

LOCAL_RULESETS
F{JunkSubs} /etc/mail/junksubs.txt
F{SSJunk} /etc/mail/ssjunk.txt
F{DiscardSubs} /etc/mail/discardsubs.txt

HSubject: $>Check_Subject

SCheck_Subject
R$={JunkSubs}$* $: NMJUNKSUB
R$* $={SSJunk} $* $#error $: NMJUNKSUB
R$* NMJUNKSUB $* $#error $: "553 Rejected"
R$* $={DiscardSubs} $* $#discard

Thanks!!

On Fri, 15 Nov 2002, Ken Rice wrote:

> On Thu, 14 Nov 2002 10:25:28 +0100
> Remco Barendse wrote:
>
> > Just wondering though, you have included what is in your ssjunk.txt
> > file but what do you have in the junksubs.txt file?
>
> ssjunk.txt is for a word or phrase appearing anywhere in the Subject:
> junksubs.txt is for word or phrase or characters that begins (MUST begin) the Subject:
>
> My junksubs.txt only includes this:
> ADV
>
> > Also are the dots between the words really necessary, and will
> > sendmail treat the subjects and texts in the e-mails case insensitive?
>
> case-insensitive
> dots = spaces in the phrase
>
> a portion of ssjunk.txt:
> add.inches
> chance.of.a.lifetime
> don't.just.dream
> fu*k
> *enis
> p*rn
>
> The stars are literal, I didn't edit the above. I have 351 entries in that file,
> can't catch all, but many. I only have 200 users but about 100 mailing lists, and it helps.
> (Just couldn't block "cash" when the CFO tries to email the CEO "Cash Statements"...)
>
> The tail of our sendmail.mc:
>
> MAILER(smtp)dnl
> MAILER(procmail)dnl
> LOCAL_RULESETS
> F{JunkSubs} /etc/mail/junksubs.txt
> F{SSJunk} /etc/mail/ssjunk.txt
>
> HSubject: $>Check_Subject
>
> SCheck_Subject
> R$={JunkSubs}$* $: NMJUNKSUB
> R$* $={SSJunk} $* $#error $: NMJUNKSUB
> R$* NMJUNKSUB $* $#error $: "5.7.1 Rejected"
>
> Rather than bounce all these back, I'll probably let our people see the ssjunk.txt list, although
> some will be offended, and then change the above to DISCARD. But we're then taking a chance
> of throwing away and not notifying a sender that we won't accept their email based on what they
> type into the Subject:. And that would not be polite nor proper (or maybe too bright on our part)
> to someone who isn't that familiar with English phrasing/grammar,
> including the native West Virginians, Marylanders and Pennsylvanians here,
> and myself some days of course.
>
> Apologies to the list if this is off-topic.
>
> Ken Rice
> SysAdmin
> The Library Corporation
>
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mailscanner at ecs.soton.ac.uk Fri Nov 15 21:28:20 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:27 2006
Subject: Internationalization
In-Reply-To: <3DD56225.A87528B5@elirion.net>
References: <5.1.0.14.2.20021115202500.0243ebd8@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021115212540.03596008@imap.ecs.soton.ac.uk>

At 21:07 15/11/2002, you wrote:
>Let me put in a plug for GNU Gettext. There are several modules on
>CPAN that support it or emulate it.
>
>Essentially you wrap all the UK English strings in subroutine calls.
>The subroutine uses the string as a key to look up the
>equivalent in a locale-specific language. All you have to do is
>set the locale when the program starts (and supply translations in
>a text file).
>
>(No point in reinventing the wheel.)

At first glance that doesn't sound like noticeably less work than what I was thinking of doing anyway, and it adds another dependency. But I'll take a look and see if it looks useful.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From WPS.MFRIEDEL at WPSIC.COM Fri Nov 15 21:39:00 2002
From: WPS.MFRIEDEL at WPSIC.COM (FRIEDEL, MARK)
Date: Thu Jan 12 21:16:27 2006
Subject: SuSE?
Message-ID: <200211152139.GNUY@wpsic.com>

--- Received from WPS.MFRIEDEL 224-2255 11-15-02 339p

Julian,

I could arrange for you to have your own personal instance on our mainframe. We're running SLES 7.0 64-bit for zSeries.

Mark Friedel, RHCE
WPS Health Insurance
(608)224-2255

----------------------------------------------------------------------------
From: brian@PORTSMOUTH-COLLEGE.AC.UK
To: MAILSCANNER@JISCMAIL.AC.UK
Date: Fri, 15 Nov 2002 20:45:52 -0000
Subject: Re: SuSE?

OK I'll ask about

Brian

----- Original Message -----
From: "Julian Field" To: Sent: Friday, November 15, 2002 4:15 PM Subject: Re: SuSE? > At 15:57 15/11/2002, you wrote: > >What version of Suse are you after. I'm off to a HantsLug meeting tomorrow > >so I might be able to get a copy from someone there ?? > 8.1 appears to be the latest. > >Brian Chivers > >----- Original Message ----- > >From: "Julian Field" > >To: > >Sent: Friday, November 15, 2002 3:46 PM > >Subject: SuSE? > > > > > >Guess what, I'm on the scrounge again :-) > >Just a little request this time: > > > >Anyone fancy buying me a copy of the latest release of SuSE Linux please? > >I can't download ISO's from them :-( > > > >I would like to sort out the SuSE installation and init.d problems once and > >for all, and I have a machine to run it on now (by very kind donation from > >Gavin Nelmes-Crocker ). > >-- > >Julian Field Teaching Systems Manager > >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > >Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > > >-- > >This message has been scanned for viruses and > >dangerous content by MailScanner, and is > >believed to be clean. > > > > > > > >-- > >This message has been scanned for viruses and > >dangerous content by MailScanner, and is > >believed to be clean. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. ---- 11-15-02 339p ---- Sent to ------------------------------------- -> MAILSCANNER@JISCMAIL.AC.UK From mailscannerlist at TNJINFL.COM Sat Nov 16 01:36:03 2002 
From: mailscannerlist at TNJINFL.COM (James Pifer) Date: Thu Jan 12 21:16:27 2006 Subject: Almost there.... In-Reply-To: <5.1.1.6.0.20021115155958.02361a10@192.168.50.2> References: <5.1.1.6.0.20021115143424.01ab6e88@192.168.50.2> <5.1.0.14.2.20021115091056.0475ece0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk> <1037212550.13361.41.camel@tweety.tnjinfl.com> <1037212550.13361.41.camel@tweety.tnjinfl.com> <5.1.0.14.2.20021113185349.03841f20@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021115091056.0475ece0@imap.ecs.soton.ac.uk> <5.1.1.6.0.20021115143424.01ab6e88@192.168.50.2> <5.1.1.6.0.20021115155958.02361a10@192.168.50.2> Message-ID: <1037410564.26372.6.camel@tweety.tnjinfl.com> That was it. Thanks for the info. I have to say, this stuff is pretty cool. It has been catching 100% of my spam. Regards, James On Fri, 2002-11-15 at 16:11, Matt Kettler wrote: > Ahh.. you're probably suffering from the AWL. > > I'd recommend that you go to your mailscanner.conf and change this line: > > SpamAssassin Auto Whitelist = yes > > to > > SpamAssassin Auto Whitelist = no > > > Basically when you hand-blacklisted hotmail.com, everyone with a hotmail > address that sent you mail during that time got a HUGE penalty score in > their auto-whitelist entry. Now that the manual blacklisting is gone, those > senders still have a past history of high scores. > > If you like the AWL feature, you can leave it on, but shut down > MailScanner, delete your auto_whitelist.db (probably > /root/.spamassassin/auto_whitelist.db) and restart it. Personally, I'd > advise against using the AWL when used as a global DB like MailScanner uses > it, but that's really your choice to make. > > (note: this problem is not one of the problems of using the AWL with a > global database, that's a separate issue. This is just the nature of the > AWL. 
It tries to make past spammers pay for their mistakes in future > emails, just as it tries to give credit to past non-spam senders to prevent > their mail from being tagged) > > > > At 02:50 PM 11/15/2002 -0500, James Pifer wrote: > >Yes, I installed 2.43-2. > > > >hotmail.com was not being blocked before I added it to the > >spam.assassin.prefs.conf files, so I don't think running the rbcheck.cgi > >is the answer do you? Once I added hotmail.com to that conf file, and > >then somehow got it to apply, then the mail from hotmail started getting > >marked as spam. > > > >Thanks, > >James From sevans at FOUNDATION.SDSU.EDU Sat Nov 16 03:19:42 2002 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:16:27 2006 Subject: Log Entry Explanation Message-ID: <6214C3F9233D764C9E7029396C355015682733@mail.foundation.sdsu.edu> Could someone tell me what this is about. Thanks. Nov 15 16:47:36 mx MailScanner[22916]: Content Checks: Detected and rejected external message body in gAG0lYl26644 Steve Evans SDSU Foundation (619) 594-0653 From dpowell at LSSI.NET Sat Nov 16 15:50:27 2002 From: dpowell at LSSI.NET (Darrin Powell) Date: Thu Jan 12 21:16:27 2006 Subject: How to install patch command on RH 7.3 Message-ID: <004701c28d87$e29b11b0$0100a8c0@hightower1> I get the following when I try to install MailScanner. [root@www:/home/dpowell/MailScanner/MailScanner-4.05-3]# ./install.sh You need to install the patch command from your Linux distribution. Once you have done that, please try running this script again. [root@www:/home/dpowell/MailScanner/MailScanner-4.05-3]# Can some one tell me how to install the patch command? Thanks Darrin -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021116/459ca75e/attachment.html From dpowell at LSSI.NET Sat Nov 16 15:52:23 2002 
From: dpowell at LSSI.NET (Darrin Powell)
Date: Thu Jan 12 21:16:27 2006
Subject: How to install patch command on RH 7.3
References: <004701c28d87$e29b11b0$0100a8c0@hightower1>
Message-ID: <005101c28d88$2770d590$0100a8c0@hightower1>

Disregard, I found an RPM for the patch command.

----- Original Message -----
From: Darrin Powell
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: Saturday, November 16, 2002 10:50 AM
Subject: How to install patch command on RH 7.3

I get the following when I try to install MailScanner.

[root@www:/home/dpowell/MailScanner/MailScanner-4.05-3]# ./install.sh
You need to install the patch command from your Linux distribution.
Once you have done that, please try running this script again.
[root@www:/home/dpowell/MailScanner/MailScanner-4.05-3]#

Can someone tell me how to install the patch command?

Thanks
Darrin

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021116/3d18ef7c/attachment.html

From mailscanner at ecs.soton.ac.uk Sat Nov 16 17:58:54 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:27 2006 Subject: Log Entry Explanation In-Reply-To: <6214C3F9233D764C9E7029396C355015682733@mail.foundation.sds u.edu> Message-ID: <5.1.0.14.2.20021116175429.03d4ec48@imap.ecs.soton.ac.uk> At 03:19 16/11/2002, you wrote: >Could someone tell me what this is about. Thanks. > >Nov 15 16:47:36 mx MailScanner[22916]: Content Checks: Detected and >rejected external message body in gAG0lYl26644 There is a very odd RFC that allows the body of the message to be stored on an external server and fetched by various methods (including mail and ftp) by the email client application. Netscape is about the only application that supports this, and the IETF drafts are the only messages that ever use it. Because the contents of the message body aren't actually in the message, they are banned by MailScanner. And having MailScanner fetch the contents of the body from the remote server won't help either, as it's trivial for the server holding the body to give the mail server a nice harmless one and the final client machine a malicious one. There really is just about no reasonable way of scanning the message contents. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From sevans at FOUNDATION.SDSU.EDU Sat Nov 16 18:21:37 2002 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:16:27 2006 Subject: Log Entry Explanation Message-ID: <6214C3F9233D764C9E7029396C355015682734@mail.foundation.sdsu.edu> Just curious. Thanks a lot. Steve Evans SDSU Foundation (619) 594-0653 -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Saturday, November 16, 2002 9:59 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Log Entry Explanation At 03:19 16/11/2002, you wrote: >Could someone tell me what this is about. Thanks. > >Nov 15 16:47:36 mx MailScanner[22916]: Content Checks: Detected and >rejected external message body in gAG0lYl26644 There is a very odd RFC that allows the body of the message to be stored on an external server and fetched by various methods (including mail and ftp) by the email client application. Netscape is about the only application that supports this, and the IETF drafts are the only messages that ever use it. Because the contents of the message body aren't actually in the message, they are banned by MailScanner. And having MailScanner fetch the contents of the body from the remote server won't help either, as it's trivial for the server holding the body to give the mail server a nice harmless one and the final client machine a malicious one. There really is just about no reasonable way of scanning the message contents. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Sun Nov 17 14:51:35 2002 
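The content check discussed in the "Log Entry Explanation" thread above, sketched as an added example (not MailScanner's own code, which is written in Perl). It assumes the mechanism being described is the MIME `message/external-body` type and flags any such part without ever fetching the referenced content; the sample messages, hostnames and function names are constructed for illustration.

```python
import email
from email.utils import collapse_rfc2231_value

# Constructed sample: the second part holds no content, only a pointer to a
# file on an FTP server that the recipient's mail client would fetch later.
SAMPLE_EXTERNAL = b"""\
From: sender@example.org
To: user@example.com
Subject: draft announcement
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset=us-ascii

The document is available by FTP.

--BOUNDARY
Content-Type: message/external-body; access-type="anon-ftp";
 site="ftp.example.org"; directory="drafts"; name="draft-example-00.txt"

Content-Type: text/plain
Content-ID: <draft-example-00@example.org>

--BOUNDARY--
"""

# Constructed sample: an ordinary single-part message.
SAMPLE_PLAIN = b"""\
From: sender@example.org
To: user@example.com
Subject: hello
Content-Type: text/plain

Nothing unusual here.
"""


def _param(part, name):
    """Return a Content-Type parameter as a plain string, or None."""
    value = part.get_param(name)
    if value is None:
        return None
    # RFC 2231 encoded parameters come back as a tuple; flatten them.
    return collapse_rfc2231_value(value)


def find_external_bodies(raw):
    """List every MIME part whose real content lives outside the message."""
    msg = email.message_from_bytes(raw)
    findings = []
    # walk() also visits the top-level message and nested messages, and
    # get_content_type() lower-cases the type, so case tricks do not hide it.
    for part in msg.walk():
        if part.get_content_type() != "message/external-body":
            continue
        findings.append({
            "access_type": (_param(part, "access-type") or "unknown").lower(),
            "site": _param(part, "site"),
            "name": _param(part, "name"),
        })
    return findings


def content_check(raw):
    """Gateway verdict: there is nothing local to scan, so refuse the message."""
    hits = find_external_bodies(raw)
    if not hits:
        return "deliver"
    kinds = ", ".join(sorted({h["access_type"] for h in hits}))
    return "reject: external message body (" + kinds + ")"


if __name__ == "__main__":
    print(content_check(SAMPLE_EXTERNAL))
    print(content_check(SAMPLE_PLAIN))
```

The check deliberately never dereferences the pointer: as the reply explains, whatever the gateway downloaded need not match what the client later receives.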
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:27 2006 Subject: Calling all translators Message-ID: <5.2.0.9.2.20021117144946.032627a0@imap.ecs.soton.ac.uk> I have moved all the output strings into a configuration file so they can be translated into different languages, so MailScanner hopefully doesn't output much to a user that has to be in English. I have attached the file, and would be grateful if people could translate it into other languages for me. Thanks folks! Jules. -------------- next part -------------- A non-text attachment was scrubbed... Name: languages.conf Type: application/octet-stream Size: 2049 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021117/4d2d8b1b/languages.obj -------------- next part -------------- -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From andersan at LTKALMAR.SE Sun Nov 17 15:51:36 2002 
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:16:28 2006
Subject: SV: Calling all translators
Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EC8C@lkl22.ltkalmar.se>

Just did a fast look at the file.. will this file
complement or replace the normal msg files or
is it just for the log file and conf file?
Just curious.... as usual

/Anders

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: 17 November 2002 15:52
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Calling all translators
>
>
> I have moved all the output strings into a configuration file
> so they can
> be translated into different languages, so MailScanner
> hopefully doesn't
> output much to a user that has to be in English.
>
> I have attached the file, and would be grateful if people
> could translate
> it into other languages for me.
>
> Thanks folks!
> Jules.
>

From mailscanner at ecs.soton.ac.uk Sun Nov 17 15:58:45 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:28 2006
Subject: SV: Calling all translators
In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263EC8C@lkl22.ltkalmar.se>
Message-ID: <5.2.0.9.2.20021117155716.03297c18@imap.ecs.soton.ac.uk>

At 15:51 17/11/2002, you wrote:
>Just did a fast look at the file.. will this file
>complement or replace the normal msg files or
>is it just for the log file and conf file?
>Just curious.... as usual

It's all the output strings that aren't already in the msg files. The log file and conf files will remain in English.

> > -----Original Message-----
> > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> > Sent: 17 November 2002 15:52
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Calling all translators
> >
> >
> > I have moved all the output strings into a configuration file
> > so they can
> > be translated into different languages, so MailScanner
> > hopefully doesn't
> > output much to a user that has to be in English.
> >
> > I have attached the file, and would be grateful if people
> > could translate
> > it into other languages for me.
> >
> > Thanks folks!
> > Jules.
> >

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Sun Nov 17 16:09:13 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:28 2006 Subject: Internationalization In-Reply-To: <3DD56225.A87528B5@elirion.net> References: <5.1.0.14.2.20021115202500.0243ebd8@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20021117160716.03296d40@imap.ecs.soton.ac.uk> At 21:07 15/11/2002, you wrote: >Let me put in a plug for GNU Gettext. There are several modules on >CPAN that support it or emulate it. > >Essentially you wrap all the UK English strings in subroutine calls. >The subroutine uses the string as a key to look up the >equivalent in a locale-specific language. All you have to do is >set the locale when the program starts (and supply translations in >a text file). That only appears to easily allow for 1 language at a time. I allow you to choose different languages for different messages, like you can already with the message report files. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From nerijus at USERS.SOURCEFORGE.NET Mon Nov 18 02:01:07 2002 From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas) Date: Thu Jan 12 21:16:28 2006 Subject: Internationalization In-Reply-To: <5.2.0.9.2.20021117160716.03296d40@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20021115202500.0243ebd8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20021117160716.03296d40@imap.ecs.soton.ac.uk> Message-ID: <200211180210.gAI2A2vR004128@mx.ktv.lt> On Sun, 17 Nov 2002 16:09:13 +0000 Julian Field wrote: > That only appears to easily allow for 1 language at a time. > I allow you to choose different languages for different messages, like you > can already with the message report files. Is it possible to use 2 (both) languages in a message at the same time? Regards, Nerijus From rbremer at FUTURE-GATE.COM Mon Nov 18 08:14:44 2002 
From: rbremer at FUTURE-GATE.COM (Ronny Bremer)
Date: Thu Jan 12 21:16:28 2006
Subject: Calling all translators
Message-ID:

Jules,

ok, find a German translation attached to this email.

Please note that some of the messages might be changed, as it is hard to translate out of context. I do not know whether some of the strings are used within a larger sentence, for instance.

Also, I would not recommend translating the headers (NotSpam, Black- Whitelisted), as they are not directly shown to end users (unless they want to and then they should know a little bit of English)

Ronny

>>> mailscanner@ECS.SOTON.AC.UK 11/17/02 03:51pm >>>
I have moved all the output strings into a configuration file so they can be translated into different languages, so MailScanner hopefully doesn't output much to a user that has to be in English.

I have attached the file, and would be grateful if people could translate it into other languages for me.

Thanks folks!
Jules.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: languages.conf
Type: application/octet-stream
Size: 2340 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021118/88004979/languages.obj

From SJCJonker at SJC.NL Mon Nov 18 09:59:07 2002
From: SJCJonker at SJC.NL (Stijn Jonker)
Date: Thu Jan 12 21:16:28 2006
Subject: Calling all translators
In-Reply-To: <5.2.0.9.2.20021117144946.032627a0@imap.ecs.soton.ac.uk>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello all,

Here is my attempt at translating this file. I must admit it's harder than it looks. But I think it is reasonable. But if you are Dutch also don't hesitate to check this, because i D0n,t meka mistakeS. ;-)

P.S. If somebody knows a translation in Dutch for timeout in the context as mentioned in the file....

On Sun, 17 Nov 2002, Julian Field wrote:

> I have moved all the output strings into a configuration file so they can
> be translated into different languages, so MailScanner hopefully doesn't
> output much to a user that has to be in English.
>
> I have attached the file, and would be grateful if people could translate
> it into other languages for me.
>
> Thanks folks!
> Jules.

- --
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker

- --
Outlook Express is actually an incredibly effective virus distribution
system which only pretends to be an email program. [by Eric Lee]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE92LntH0P/oLuWBrcRAvJPAKCRx5XiGayDJH3UTH1hmEeIqGz/xACfbnjJ
Iv/SRanWqCX4EH4dUr49Qgo=
=38OR
-----END PGP SIGNATURE-----
-------------- next part --------------
#
# This file contains all the word, phrases and sentences that are output
# to a user by MailScanner. They are all here so that you can translate
# them into your language.
# You should only edit what is on the right of each "=".
# If you set the "Language Strings" option in MailScanner.conf to be a
# ruleset (or even a function!) then you can output responses in different
# languages to different users and customers.
#

# Used in spam header
Blacklisted = blacklisted
Whitelisted = whitelisted
NotSpam = not spam

# used when creating VirusWarning.txt
TheEntireMessage = het gehele bericht
NotNamed = niet benoemd

# used for sysadmin notifications
NoticeSubject = Waarschuwing: E-mail virussen gedetecteerd
FullHeadersAre = De volledige headers zijn

# used for delivering truly disinfected attachments
Disinfected = Gedesinfecteerd

# used for virus report in unparsable messages
CantAnalyze = Kon het bericht niet analyseren

# used for virus report in unparsable TNEF messages
BadTNEF = Kon de Outlook Rich Text bijlage niet verwerken

# used for creating sysadmin notifications
NoticeHeading = De volgende e-mail berichten zijn gedetecteerd als besmet met een virus

# used when SpamAssassin has timed out too often
SADisabled = Uitgeschakeld vanwege %d opeenvolgende timeouts

# used when message size exceeds configured SpamAssassin max message size
SATooLarge = Bericht groter dan maximale grote voor spam test

# used when trying to use SpamAssassin on a bad message with no headers
SANoHeaders = Bericht bevatte geen headers

# used when creating SpamAssassin results header
score = score
required = vereist
SATimedOut = timed out

# used when creating reports for messages with dangerous content
PartialMessage = Gefragmenteerde berichten kunnen niet worden geanalyseerd en zijn daarom verwijderd
FoundIFrame = Gevaarlijke IFrame tag in HTML bericht gevonden
FoundObject = Gevaarlijke Object Codebase tag in HTML bericht gevonden
ExternalBody = Externe bericht inhoud kan niet worden gescaned en zijn daarom verwijderd
EudoraLongMIME = Eudora long-MIME-boundary aanval

# used when detecting denial-of-service attacks
DOSAttack = Denial of Service aanval in bericht!

From Heinz.Knutzen at DZSH.DE Mon Nov 18 10:03:23 2002
From: Heinz.Knutzen at DZSH.DE (Knutzen, Heinz (DZ-SH))
Date: Thu Jan 12 21:16:28 2006
Subject: AW: Calling all translators
Message-ID: <6C645222B0A8BC4FBFACD7606D4306A822FD98@dzrz-ex-1.dzsh.landsh.de>

One minor correction for the German translation from Ronny:

# used for virus report in unparsable TNEF messages
BadTNEF = Fehler beim verarbeiten des Outlook Rich Text Anhangs

-->

# used for virus report in unparsable TNEF messages
BadTNEF = Fehler beim Verarbeiten des Outlook Rich Text Anhangs

Best regards
--
Heinz

> -----Original Message-----
> From: Ronny Bremer [mailto:rbremer@FUTURE-GATE.COM]
> Sent: Monday, 18 November 2002 09:15
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Calling all translators
>
> Jules,
>
> ok, find a German translation attached to this email.
>
> Please note that some of the messages might be changed, as it
> is hard to translate out of context. I do not know whether
> some of the strings are used within a larger sentence, for instance.
>
> Also, I would not recommend translating the headers (NotSpam,
> Black- Whitelisted), as they are not directly shown to end
> users (unless they want to and then they should know a little
> bit of English)
>
> Ronny
>
> >>> mailscanner@ECS.SOTON.AC.UK 11/17/02 03:51pm >>>
> I have moved all the output strings into a configuration file
> so they can
> be translated into different languages, so MailScanner
> hopefully doesn't
> output much to a user that has to be in English.
>
> I have attached the file, and would be grateful if people
> could translate
> it into other languages for me.
>
> Thanks folks!
> Jules.
>
>

From mailscanner at ecs.soton.ac.uk Mon Nov 18 10:36:37 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:28 2006 Subject: Internationalization In-Reply-To: <200211180210.gAI2A2vR004128@mx.ktv.lt> References: <5.2.0.9.2.20021117160716.03296d40@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021115202500.0243ebd8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20021117160716.03296d40@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20021118103608.02c557a8@imap.ecs.soton.ac.uk> At 02:01 18/11/2002, you wrote: >On Sun, 17 Nov 2002 16:09:13 +0000 Julian Field > wrote: > > > That only appears to easily allow for 1 language at a time. > > I allow you to choose different languages for different messages, like you > > can already with the message report files. > >Is it possible to use 2 (both) languages in a message at the same time? Just set up your own custom languages.conf file containing both languages. You are free to change what I provide... -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From viers at UNILIM.FR Mon Nov 18 10:55:13 2002 
From: viers at UNILIM.FR (Nicolas Viers - SCI Limoges)
Date: Thu Jan 12 21:16:28 2006
Subject: Mailscanner 4.05-3 and virus infection (end)
Message-ID: <5.0.2.1.2.20021118114850.0231ff58@pop.unilim.fr>

Hello,
I post this mail to give the response to my problem.
It was:
----------------------------------------------------------
I had a problem with my MailScanner config (4.05-3).
When I test with a virus file, the mail log file said:

Nov 15 14:26:33 limdns-new MailScanner[13585]: /usr/local/MailScanner-4.05-3/var/incoming/13585/gAFDQQAl014953/test.zip/URFRIEND.SCR Found virus or variant W32/Yaha !!!
Nov 15 14:26:33 limdns-new MailScanner[13585]: /usr/local/MailScanner-4.05-3/var/incoming/13585/gAFDQQAl014953/test.zip/VALUE.EXE Found virus or variant W32/Klez !!!
Nov 15 14:26:33 limdns-new MailScanner[13585]: Virus Scanning: mcafee found 8 infections
Nov 15 14:26:33 limdns-new MailScanner[13585]: Virus Scanning: Found 8 viruses
Nov 15 14:26:33 limdns-new MailScanner[13585]: Uninfected: Delivered 1 messages
Nov 15 14:26:33 limdns-new MailScanner[15008]: MailScanner
Nov 15 14:26:33 limdns-new MailScanner[15008]: MailScanner E-Mail Virus Scanner version 4.05-3 starting...
Nov 15 14:26:33 limdns-new MailScanner[15008]: Using locktype = flock

8 viruses are found, but the attached file was delivered with the message "no infection was found".
McAfee said viruses found and MailScanner said "Uninfected: Delivered 1 messages".

Why does MailScanner not put the infected file in the quarantine directory?
I had another MailScanner version, 2.60, and it works fine with this infected zip file.

Maybe it was due to a bad version of my Perl modules, and I hadn't installed the rpm version first. When I do this (rpm version) MailScanner works fine.

I want to give a precision: in the mailscanner.conf file there is a directive "Deliver Cleaned Messages". When I put No to this, no messages were sent to the sender of the virus. With "yes" it's OK.
For me this directive applies to viruses cleaned by MailScanner and not detected.

____________________________________________________________
Nicolas Viers           | Service Commun Informatique
Mél: viers@unilim.fr    | 123, avenue Albert Thomas
                        | 87060 Limoges cedex
Tel: 05-55-45-77-09     | Fax: 05-55-45-75-95
http://www.unilim.fr/sci
____________________________________________________________

From mailscanner at ecs.soton.ac.uk Mon Nov 18 11:07:42 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:28 2006 Subject: Mailscanner 4.05-3 and virus infection (end) In-Reply-To: <5.0.2.1.2.20021118114850.0231ff58@pop.unilim.fr> Message-ID: <5.2.0.9.2.20021118110451.02232ab8@imap.ecs.soton.ac.uk> I suspect that your path to the incoming directory that you have in your mailscanner.conf file has some links in it. You must put the *real* path to the incoming directory in your mailscanner.conf file, like this: Incoming Work Dir = /usr/local/MailScanner-4.05-3/var/incoming At 10:55 18/11/2002, you wrote: > Hello, >I post this mail to give the response to my pb >It was: >---------------------------------------------------------- >i had pb with my mailscanner config (4.05-3) >When i test with virus file, the mail log file said: >Nov 15 14:26:33 limdns-new MailScanner[13585]: >/usr/local/MailScanner-4.05-3/var/incoming/13585/gAFDQQAl014953/test.zip/URFRIEND.SCR >Found virus or variant W32/Yaha !!! > >Nov 15 14:26:33 limdns-new MailScanner[13585]: >/usr/local/MailScanner-4.05-3/var/incoming/13585/gAFDQQAl014953/test.zip/VALUE.EXE >Found virus or variant W32/Klez !!! > >Nov 15 14:26:33 limdns-new MailScanner[13585]: Virus Scanning: mcafee >found 8 infections >Nov 15 14:26:33 limdns-new MailScanner[13585]: Virus Scanning: Found 8 viruses >Nov 15 14:26:33 limdns-new MailScanner[13585]: Uninfected: Delivered 1 >messages >Nov 15 14:26:33 limdns-new MailScanner[15008]: MailScanner >Nov 15 14:26:33 limdns-new MailScanner[15008]: MailScanner E-Mail Virus >Scanner version 4.05-3 starting... > >Nov 15 14:26:33 limdns-new MailScanner[15008]: Using locktype = flock > >8 virus are found, but the attach file was delivered with the message >"no infection was found" >Mcafee said viruses found and mailscanner Unifected: deliver 1 message > >Why mailscanner does not put infected file in quarantine directory ? 
> >I had another mailscanner 2.60 version and it works fine with this zip >infected file > > > >Maybe it was due to a bad version of my perl modules >And i don't had install first the rpm version. > >when i do this (rpm version) mailscanner works fine. > >I want to give a precision: >in the mailscanner.conf file there is a directive "Deliver Cleaned Messages" >When i put No to this no message were sent to the sender of the virus. >With "yes" >it's ok >For me this directive apply to virus cleaned by mailscanner and not detected. > > >____________________________________________________________ > >Nicolas Viers | Service Commun Informatique >M?l: viers@unilim.fr | 123, avenue Albert Thomas > | 87060 Limoges cedex >Tel: 05-55-45-77-09 | Fax: 05-55-45-75-95 > http://www.unilim.fr/sci >____________________________________________________________ > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mlo at UNI2.DK Mon Nov 18 12:13:18 2002 
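Added example, not part of Julian Field's reply and not MailScanner code: a check that the directory named on the "Incoming Work Dir" line is already its own real path, reporting each symlink found along the way. The function names and the temporary directory tree with its "MailScanner" symlink are constructed for the demonstration; the option is matched in the form shown in the reply.

```python
import os
import re
import shutil
import tempfile


def incoming_work_dir(conf_text):
    """Return the 'Incoming Work Dir' value from MailScanner.conf text, or None."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        # Assumption of this checker: option name matched case-insensitively,
        # with any amount of whitespace between the words and around "=".
        m = re.match(r"incoming\s+work\s+dir\s*=\s*(\S.*)$", line, re.I)
        if m:
            return m.group(1).strip()
    return None


def symlinked_components(path):
    """Walk path from the root and list (link, real_target) for each symlink."""
    found = []
    current = os.sep
    for part in os.path.abspath(path).split(os.sep):
        if not part:
            continue
        current = os.path.join(current, part)
        if os.path.islink(current):
            found.append((current, os.path.realpath(current)))
    return found


def check_conf(conf_text):
    """Report whether the configured directory is already its own real path."""
    configured = incoming_work_dir(conf_text)
    if configured is None:
        return {"ok": False, "configured": None, "real": None, "symlinks": []}
    real = os.path.realpath(configured)
    same = os.path.normpath(configured) == real
    return {
        "ok": same and os.path.isdir(real),
        "configured": configured,
        "real": real,
        "symlinks": symlinked_components(configured),
    }


def demo():
    """Build a throwaway tree with one symlink and check two config variants."""
    base = os.path.realpath(tempfile.mkdtemp(prefix="ms-demo-"))
    try:
        real_dir = os.path.join(base, "MailScanner-4.05-3", "var", "incoming")
        os.makedirs(real_dir)
        link = os.path.join(base, "MailScanner")  # constructed symlink
        os.symlink(os.path.join(base, "MailScanner-4.05-3"), link)
        via_link = "Incoming Work Dir = %s/var/incoming\n" % link
        direct = "# real path\nIncoming Work Dir = %s\n" % real_dir
        return check_conf(via_link), check_conf(direct), real_dir, link
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    linked, direct, _, _ = demo()
    for label, result in (("via symlink", linked), ("real path", direct)):
        print(label, "->", "ok" if result["ok"] else "NOT the real path")
        for link, target in result["symlinks"]:
            print("   symlink:", link, "->", target)
        print("   use:", result["real"])
```

On a live system, pass the contents of the actual mailscanner.conf to `check_conf` and put the reported `real` value on the "Incoming Work Dir" line.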
From: mlo at UNI2.DK (Martin Lorensen) Date: Thu Jan 12 21:16:28 2006 Subject: Internationalization In-Reply-To: <5.2.0.9.2.20021118103608.02c557a8@imap.ecs.soton.ac.uk> Message-ID: On Mon, 18 Nov 2002, Julian Field wrote: > > > That only appears to easily allow for 1 language at a time. > > > I allow you to choose different languages for different messages, like you > > > can already with the message report files. > > > >Is it possible to use 2 (both) languages in a message at the same time? > > Just set up your own custom languages.conf file containing both languages. > You are free to change what I provide... What I would like was some way of having MailScanner merging 2 repports and 2 langugage sets. Today some of the translated reports includes both the national and the english version - thats kind of silly and adds complexity when something should be changed. Another thing would be to have alle the configuration options for repports replaced by a "language-base-path" and a report-filename. That way you only need to change one line when changeing the language. My "dream" is to have a single config-file option "Language" which could be "en", "de", "nl" etc. - or "de-en", "nl-en" etc. Where the last case would have MailScanner merging the two repports. This would requere some more work on the repports, e.g. having a way to say "English version bellow", not having 2 headers and 2 footers etc. Just my thoughts.... -- A happy MailScanner user, Martin Lorensen From Heinz.Knutzen at DZSH.DE Mon Nov 18 13:08:00 2002 
From: Heinz.Knutzen at DZSH.DE (Knutzen, Heinz (DZ-SH))
Date: Thu Jan 12 21:16:28 2006
Subject: Again: Inline Text Signature and attachment-only mail
Message-ID: <6C645222B0A8BC4FBFACD7606D4306A822FD9A@dzrz-ex-1.dzsh.landsh.de>

Hi,

one month ago I sent this bug report:

> One user received a mail with an empty body and two text/plain attachments.
> Mailscanner inserted the "Inline Text Signature" into the first attachment.
> The user got some trouble from this, because the attachment
> was used as input for some program which disliked the signature.
...
> MailScanner uses SignCleanMessage to insert the signature
> into the first part of a multipart message.
>
> MailScanner shouldn't insert a signature into an attachment
> which is marked with
> Content-Disposition: attachment; filename="something.txt"

When releasing 3.24-1, Julian wrote
  I have also fixed 1 minor bug affecting the warning message added to
  infected messages containing no main message body at all.

This didn't solve the original problem,
since my problem was with inline signatures,
but Julian fixed inline warnings.

In mailscanner-4.05-3, file Message.pm, function "SignWarningMessage"
there is a line

    # Won't sign attachments.
    return 0 if $top->head->mime_attr('content-disposition') =~ /attachment/i;

Please add similar code to function "SignCleanEntity" in the same file.

Best regards

-- Heinz Knutzen

Datenzentrale Schleswig-Holstein
Altenholzer Str. 10-14, 24161 Altenholz, Germany
http://www.dzsh.de/
mailto:heinz.knutzen@dzsh.de
Tel: +49.431.3295.581 Fax: +49.431.3295.410

From mailscannerlist at TNJINFL.COM Mon Nov 18 13:12:34 2002
From: mailscannerlist at TNJINFL.COM (James Pifer) Date: Thu Jan 12 21:16:28 2006 Subject: Working well Message-ID: <1037625154.2330.11.camel@tweety.tnjinfl.com> With the help of the last two responses I received on my posts everything appears to be working well. I have this installed on my home mail server as a testing for possibly using the setup (MailScanner/SpamAssassin/Sendmail/F-Prot) where I work. It will be much higher volume, but that doesn't worry me. If we do try to use this we will forward any message that is marked as spam to s specific mailbox that will have to be monitored, probably by our HR department, to make sure all legitimate mail is forwarded to the recipient. One question I still have is, how do you handle a situation where messages are marked as spam but really aren't? Let's assume it's not because of DNS Blacklist, but because of content. I can't give an example since it hasn't happened to me yet, so this is hypathetically speaking. I assume if it's content that SpamAssassin is what is marking it as spam. Are the config files(content filters) for SpamAssasin configurable? Where would this be done at? If it's not SpamAssassin, what would it be? If there's a FAQ or Doc I should be looking at let me know. Thanks. James From nerijus at USERS.SOURCEFORGE.NET Mon Nov 18 13:34:32 2002 From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas) Date: Thu Jan 12 21:16:28 2006 Subject: Working well In-Reply-To: <1037625154.2330.11.camel@tweety.tnjinfl.com> References: <1037625154.2330.11.camel@tweety.tnjinfl.com> Message-ID: <200211181340.gAIDe4vR000436@mx.ktv.lt> On Mon, 18 Nov 2002 08:12:34 -0500 James Pifer wrote: > Are the config files(content filters) for SpamAssasin configurable? > Where would this be done at? Yes - why don't you just read SpamAssassin documentation? Regards, Nerijus From mike at CAMAROSS.NET Mon Nov 18 13:43:47 2002 
From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:16:28 2006 Subject: Working well In-Reply-To: <1037625154.2330.11.camel@tweety.tnjinfl.com> Message-ID: <000101c28f08$85416140$6501a8c0@mikedesk> There is a score file for SpamAssassin that you can change...I wouldn't advise tweaking it too much. I leave that to the SA guys :) You might start off with your threshold set a little higher for messages to be marked as spam. I currently have mine set at 9 (I think) and see very few false positives. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of James Pifer Sent: Monday, November 18, 2002 7:13 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Working well With the help of the last two responses I received on my posts everything appears to be working well. I have this installed on my home mail server as a testing for possibly using the setup (MailScanner/SpamAssassin/Sendmail/F-Prot) where I work. It will be much higher volume, but that doesn't worry me. If we do try to use this we will forward any message that is marked as spam to s specific mailbox that will have to be monitored, probably by our HR department, to make sure all legitimate mail is forwarded to the recipient. One question I still have is, how do you handle a situation where messages are marked as spam but really aren't? Let's assume it's not because of DNS Blacklist, but because of content. I can't give an example since it hasn't happened to me yet, so this is hypathetically speaking. I assume if it's content that SpamAssassin is what is marking it as spam. Are the config files(content filters) for SpamAssasin configurable? Where would this be done at? If it's not SpamAssassin, what would it be? If there's a FAQ or Doc I should be looking at let me know. Thanks. James From wkuiters at FREE.FR Mon Nov 18 14:18:05 2002 
From: wkuiters at FREE.FR (Willem Kuiters)
Date: Thu Jan 12 21:16:28 2006
Subject: Calling all translators
In-Reply-To:
References: <5.2.0.9.2.20021117144946.032627a0@imap.ecs.soton.ac.uk>
Message-ID: <20021118141805.GA1495@bragann>

Hi,

On Mon, Nov 18, 2002 at 10:59:07AM +0100, Stijn Jonker wrote:
> Hello all,
>
> Here is my attempt at translating this file. I must admit it's harder then
> it looks. But i think it is reasonable.
>
> But if you are dutch also don't hesitate to check this, because i D0n,t
> meka mistakeS. ;-)

I added a few corrections and suggestions to the good work of Stijn.
The concerned lines are singled out.

--
Willem G.J. Kuiters
"The malicious have a dark happiness" -- Victor Hugo
--(Htag.pl 0.0.19)--

-------------- next part --------------
#
# This file contains all the word, phrases and sentences that are output
# to a user by MailScanner. They are all here so that you can translate
# them into your language.
# You should only edit what is on the right of each "=".
# If you set the "Language Strings" option in MailScanner.conf to be a
# ruleset (or even a function!) then you can output responses in different
# languages to different users and customers.
#

# Used in spam header
Blacklisted = blacklisted
Whitelisted = whitelisted
NotSpam = not spam

# used when creating VirusWarning.txt
TheEntireMessage = het gehele bericht
NotNamed = niet benoemd

# used for sysadmin notifications
NoticeSubject = Waarschuwing: E-mail virussen gevonden
FullHeadersAre = De volledige headers zijn

# used for delivering truly disinfected attachments
Disinfected = Gedesinfecteerd

# used for virus report in unparsable messages
CantAnalyze = Kon het bericht niet analyseren

# used for virus report in unparsable TNEF messages
BadTNEF = Kon de Outlook Rich Text bijlage niet verwerken

# used for creating sysadmin notifications
NoticeHeading = De volgende e-mail berichten blijken besmet met een virus

# used when SpamAssassin has timed out too often
SADisabled = Uitgeschakeld vanwege %d opeenvolgende timeouts

# used when message size exceeds configured SpamAssassin max message size
SATooLarge = Bericht groter dan maximale grootte voor spam test

# used when trying to use SpamAssassin on a bad message with no headers
SANoHeaders = Bericht bevatte geen headers

# used when creating SpamAssassin results header
score = score
required = vereist
SATimedOut = timed out

# used when creating reports for messages with dangerous content
PartialMessage = Gefragmenteerde berichten kunnen niet worden geanalyseerd en zijn daarom verwijderd
FoundIFrame = Gevaarlijke IFrame tag in HTML bericht gevonden
FoundObject = Gevaarlijke Object Codebase tag in HTML bericht gevonden
ExternalBody = Externe bericht inhoud kan niet worden gescanned en is daarom verwijderd
EudoraLongMIME = Eudora long-MIME-boundary aanval

# used when detecting denial-of-service attacks
DOSAttack = Denial of Service aanval in bericht!

From mailscanner at ecs.soton.ac.uk Mon Nov 18 14:24:39 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:28 2006 Subject: Again: Inline Text Signature and attachment-only mail In-Reply-To: <6C645222B0A8BC4FBFACD7606D4306A822FD9A@dzrz-ex-1.dzsh.land sh.de> Message-ID: <5.2.0.9.2.20021118142300.033bace0@imap.ecs.soton.ac.uk> Sorry about that, must have missed it. I have just added it to the code for 4.06 (the next release). At 13:08 18/11/2002, you wrote: >Hi, > >one month ago I sent this bug report: > > > One user received a mail with an empty body and two text/plain attachments. > > Mailscanner inserted the "Inline Text Signature" into the first attachment. > > The user got some trouble from this, because the attachment > > was used as input for some program which disliked the signature. >... > > MailScanner uses SignCleanMessage to insert the signature > > into the first part of a multipart message. > > > > MailScanner shouldn't insert a signature into an attachment > > which is marked with > > Content-Disposition: attachment; filename="something.txt" > >When releasing 3.24-1, Julian wrote > I have also fixed 1 minor bug affecting the warning message added to > infected messages containing no main message body at all. > >This didn't solve the original problem, >since my problem was with inline signatures, >but Julian fixed inline warnings. > >In mailscanner-4.05-3, file Message.pm, function "SignWarningMessage" >there is a line > # Won't sign attachments. > return 0 if $top->head->mime_attr('content-disposition') =~ > /attachment/i; > >Please add similar code to function "SignCleanEntity" in the same file. > >Viele Gr??e > >-- Heinz Knutzen > >Datenzentrale Schleswig-Holstein >Altenholzer Str. 10-14, 24161 Altenholz, Germany >http://www.dzsh.de/ >mailto:heinz.knutzen@dzsh.de >Tel: +49.431.3295.581 Fax: +49.431.3295.410 -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 
023 8059 2817 University of Southampton Southampton SO17 1BJ From mkettler at EVI-INC.COM Mon Nov 18 17:02:12 2002 
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:16:28 2006
Subject: Working well (SA customization tips)
In-Reply-To: <1037625154.2330.11.camel@tweety.tnjinfl.com>
Message-ID: <5.1.1.6.0.20021118103352.015eb2e8@192.168.50.2>

Ok, I'll admit upfront that I do a bit more "rule tinkering" than most end
users do, and I sometimes do a small contribution to the SA Development
effort. So I confess up front that I probably customize SA more than most
users will.

That said, I don't think that writing a few simple custom rules is beyond
the scope of what a "normal" user might want to do.

Before you go off tuning your ruleset, first make sure you're running a
reasonable version of SA. If you're getting an unreasonable number of false
positives/negatives, and are running something older than 2.42, upgrade.
2.40 and 2.41 had absolutely horrid scores (due to a combination of a few
bad rules, a minor issue in the GA, and some mis-placed emails in the
corpus). Older versions aren't likely to be very effective against current
spam.

Other "general" tweaks you can apply are to increase the threshold, and to
(lightly) bump down the scores of rules which are false-positive prone on
your email. You can apply these to your spam.assassin.prefs and the
SpamAssassin man page mentioned below should be sufficient to show you the
format for these options. Note that any score line in your prefs file will
supersede anything in 50_scores.cf, so to adjust a score, just create a new
score in your prefs file like this one (these are adjustments from my
config, with scores changed a little from what I really use)

    # How many hits before a mail is considered spam.
    required_hits 5.2
    #X_OSIRU_SPAM_SRC is high collateral damage, trim score down a little
    score X_OSIRU_SPAM_SRC 1.5

SA is tuned for a more or less "general purpose" variety of email.
Depending on what industry you work in, you might get more "spam-alike"
marketing than most. Fortunately you also know there are certain "catch
phrases" for your industry that aren't likely to appear in spam mail.

I tend to have a small handful of "correction" rules that decrease the
score of emails pertaining to the industry my company works in. This makes
it a bit less likely that newsletters and marketing information that people
here have requested will be tagged as spam.

Note: you should not need to make a whole lot of these rules, in general
I'd think hard before making more than 10 of them.

What follows is a quickie guide to simple SA rule writing, targeted towards
MailScanner users
---------------------------

The first thing you'll want to do is skim through man
Mail::SpamAssassin::Conf. Then go to your /usr/share/spamassassin and look
at some of the rules in 20_head_tests.cf and 20_body_tests.cf. (note: it is
strongly advised that you NOT edit the files in /usr/share/spamassassin)

Since you're running MailScanner the best place to put your rules is in
MailScanner's spam.assassin.prefs.conf, but I'd recommend writing and
testing them using the command-line tools while editing
/root/.spamassassin/user_prefs.

The simplest rules look for a basic text string, and assign a score, like
this one (this is one of mine):

    body BUGTRAQ_MENTIONED /\bbugtraq\b/i
    describe BUGTRAQ_MENTIONED mentions bugtraq in body
    score BUGTRAQ_MENTIONED -1.0

The describe line is optional, and not very relevant to MailScanner setups.
I put it in there for my own reference.

The body rule itself is just a regex string match which is started and
terminated with forward slash characters (/).

The \b's are used inside the string to indicate "any kind of word break"
including spaces, tabs, newlines, etc and are generally a good idea at the
beginning and end of most rules (unless you want it to match even if there
is no word break). A string match ending with "not" will match not, note,
notice, etc but one ending with "not\b" will only match not.

The /i at the end makes the entire text match case insensitive. Some rules
you might want to leave this off, others you might want it on.

The regexes can be a lot more complicated, but most things you'll want to
do yourself should be simple enough with rules like this one.

After you write a rule, you need to test it. Every time you add a rule you
risk a typo causing SpamAssassin to skip large chunks of your rules. If you
followed my advice about trying them on root's user_prefs first, test the
rules using SpamAssassin's command line:

    spamassassin --lint

This will make SA complain about rule syntax. Note that if MailScanner
calls SpamAssassin and there's a typo it will SILENTLY skip rules until it
can start parsing the config file again.

You can also test your rules against emails that are in raw text format
(note: this must be a complete SMTP formatted email, with headers, with an
empty blank line after the headers before the body begins, as per RFC
requirements)

    spamassassin -tD

Once you've got rules that don't error, and suit your needs put them into
your spam.assassin.prefs.conf

At 08:12 AM 11/18/2002 -0500, you wrote:
>One question I still have is, how do you handle a situation where
>messages are marked as spam but really aren't? Let's assume it's not
>because of DNS Blacklist, but because of content. I can't give an
>example since it hasn't happened to me yet, so this is hypothetically
>speaking. I assume if it's content that SpamAssassin is what is marking
>it as spam.
>
>Are the config files(content filters) for SpamAssassin configurable?
>Where would this be done at? If it's not SpamAssassin, what would it be?
>If there's a FAQ or Doc I should be looking at let me know.

Note: Emails authored under this address do not reflect the opinions of my
employer unless otherwise stated. Facts contained are also prone to human
error. If either of these statements are not humanly obvious to you, I
suggest careful thought before leaping to any other conclusions. :)

From sean at NISD.NET Mon Nov 18 17:33:10 2002
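Added example, not part of Matt Kettler's message and not SpamAssassin code: a small pre-flight checker for the rule forms the message describes (required_hits, single-value score lines, and body rules written as /regex/flags), plus a demonstration of what \b and /i change. Python's re module stands in for Perl's regex engine, which is an assumption that holds for the \b and /i constructs used here; the three broken rules in the sample are constructed.

```python
import re

# Constructed prefs fragment: the rules quoted in the message, followed by
# three deliberately broken lines (BROKEN_DELIM, BROKEN_REGEX and NO_NUMBER
# are made-up rule names for this demonstration).
SAMPLE_PREFS = r"""
# How many hits before a mail is considered spam.
required_hits 5.2
score X_OSIRU_SPAM_SRC 1.5

body     BUGTRAQ_MENTIONED /\bbugtraq\b/i
describe BUGTRAQ_MENTIONED mentions bugtraq in body
score    BUGTRAQ_MENTIONED -1.0

body     BROKEN_DELIM /\bnewsletter\b
body     BROKEN_REGEX /(unclosed/i
score    NO_NUMBER high
"""

# Perl regex flags this checker understands, mapped to Python's equivalents.
PERL_FLAGS = {"i": re.I, "m": re.M, "s": re.S, "x": re.X}


def compile_rule_regex(text):
    """Turn '/pattern/flags' into a compiled regex, or raise ValueError."""
    m = re.fullmatch(r"/(.*)/([a-z]*)", text.strip())
    if not m:
        raise ValueError("regex must start with / and end with /flags")
    pattern, flag_chars = m.groups()
    flags = 0
    for ch in flag_chars:
        if ch not in PERL_FLAGS:
            raise ValueError("unsupported flag %r" % ch)
        flags |= PERL_FLAGS[ch]
    try:
        return re.compile(pattern, flags)
    except re.error as exc:
        raise ValueError("regex does not compile: %s" % exc)


def check_prefs(text):
    """Parse the simple rule forms; return (rules, scores, threshold, errors)."""
    rules, scores, errors = {}, {}, []
    threshold = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        keyword = parts[0]
        try:
            if keyword == "required_hits":
                threshold = float(parts[1])
            elif keyword == "score":
                # Only the single-value form shown in the message is handled.
                scores[parts[1]] = float(parts[2])
            elif keyword == "body":
                rules[parts[1]] = compile_rule_regex(parts[2])
            elif keyword == "describe":
                pass  # free text, nothing to validate
            else:
                raise ValueError("keyword not covered by this checker")
        except (ValueError, IndexError) as exc:
            name = parts[1] if len(parts) > 1 else keyword
            errors.append((lineno, name, str(exc)))
    return rules, scores, threshold, errors


def body_score(body, rules, scores):
    """Return (names of matching body rules, sum of their scores in this file)."""
    hits = [name for name, rx in rules.items() if rx.search(body)]
    return hits, sum(scores[name] for name in hits if name in scores)


if __name__ == "__main__":
    rules, scores, threshold, errors = check_prefs(SAMPLE_PREFS)
    for lineno, name, msg in errors:
        print("line %d (%s): %s" % (lineno, name, msg))
    print("threshold:", threshold)
    print(body_score("New advisory posted to Bugtraq", rules, scores))
    # Word-break behaviour described in the message: "not" versus "not\b".
    for rule in (r"/\bnot/i", r"/\bnot\b/i"):
        print(rule, bool(compile_rule_regex(rule).search("Please take Notice")))
```

`spamassassin --lint`, as the message advises, remains the authoritative syntax check; this script only covers the handful of line types shown above.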
From: sean at NISD.NET (Sean Embry) Date: Thu Jan 12 21:16:28 2006 Subject: Working well (SA customization tips) Message-ID: This is great! Just the kind of info I've been looking for. >>> mkettler@EVI-INC.COM 11/18/02 11:02AM >>> Ok, I'll admit upfront that I do a bit more "rule tinkering" than most end From mailscannerlist at TNJINFL.COM Mon Nov 18 17:36:05 2002 
From: mailscannerlist at TNJINFL.COM (James Pifer) Date: Thu Jan 12 21:16:28 2006 Subject: Working well (SA customization tips) In-Reply-To: <5.1.1.6.0.20021118103352.015eb2e8@192.168.50.2> References: <5.1.1.6.0.20021118103352.015eb2e8@192.168.50.2> Message-ID: <1037640965.2332.19.camel@tweety.tnjinfl.com> Matt, Thank you very much for the response. That's exactly what I was looking for, real world examples and experience! (thanks to Mike for his earlier response too) I am running 2.43 so I should be up to date. Like I said, on my server at home it has 100% successful, but I only two or three email accounts that receive any spam. I'm assuming if we use this at our company we'll come across some that get tagged that really aren't. Best regards, James On Mon, 2002-11-18 at 12:02, Matt Kettler wrote: > Ok, I'll admit upfront that I do a bit more "rule tinkering" than most end > users do, and I sometimes do a small contribution to the SA Development > effort. So I confess up front that I probably customize SA more than most > users will. > > That said, I don't think that writing a few simple custom rules are beyond > the scope of what a "normal" user might want to do. > > Before you go off tuning your ruleset, first make sure you're running a > reasonable version of SA. If you're getting an unreasonable number false > positives/negatives, and are running something older than 2.42, upgrade. > 2.40 and 2.41 had absolutely horrid scores (due to a combination of a few > bad rules, a minor issue in the GA, and some mis-placed emails in the > corpus). Older versions aren't likely to be very effective against current > spam. > > Other "general" tweaks you can apply are to increase the threshold, and to > (lightly) bump down the scores of rules which are false-positive prone on > your email. You can apply these to your spam.assassin.prefs and the > SpamAssassin man page mentioned below should be sufficient to show you the > format for these options. 
Note that any score line in your prefs file will > supercede anything in 50_scores.cf, so to adjust a score, just create a new > score in your prefs file like this one (these are adjustments from my > config, with scores changed a little from what I really use) > > # How many hits before a mail is considered spam. > required_hits 5.2 > #X_OSIRU_SPAM_SRC is high collateral damage, trim score down a little > score X_OSIRU_SPAM_SRC 1.5 > > > SA is tuned for a more or less "general purpose" variety of email. > Depending on what industry you work in, you might get more "spam-alike" > marketing than most. Fortunately you also know there are certain "catch > phrases" for your industry that aren't likely to appear in spam mail. > > I tend to have a small handful of "correction" rules that decrease the > score of emails pertaining to the industry my company works in. This makes > it a bit less likely that newsletters and marketing information that people > here have requested will be tagged as spam. > > Note: you should not need to make a whole lot of these rules, in general > I'd think hard before making more than 10 of them. > > What follows is a quickie guide to simple SA rule writing, targeted towards > MailScanner users > --------------------------- > > The first thing you'll want to do is skim through man > Mail::SpamAssassin::Conf. Then go to your /usr/share/spamassassin and look > at some of the rules in 20_head_tests.cf and 20_body_tests.cf. (note: it is > strongly advised that you NOT edit the files in /usr/share/spamassassin) > > Since you're running MailScanner the best place to put your rules is in > MailScanner's spam.assassin.prefs.conf, but I'd recommend writing and > testing them using the command-line tools while editing > /root/.spamassassin/user_prefs. 
> > The simplest rules look for a basic text string, and assign a score, like > this one (this is one mine): > > body BUGTRAQ_MENTIONED /\bbugtraq\b/i > describe BUGTRAQ_MENTIONED mentions bugtraq in body > score BUGTRAQ_MENTIONED -1.0 > > The describe line is optional, and not very relevant to MailScanner setups. > I put it in there for my own reference. > > The body rule itself is just a regex string match which is started and > terminated with forward slash characters (/). > > The \b's are used inside the string to indicate "any kind of word break" > including spaces, tabs, newlines, etc and are generally a good idea at the > beginning and end of most rules (unless you want it to match even if there > is no word break). A string match ending with "not" will match not, note, > notice, etc but one ending with "not\b" will only match not. > > the /i at the end makes the entire text match case insensitive. Some rules > you might want to leave this off, others you might want it on. > > The regex's can be a lot more complicated, but most things you'll want to > do yourself should be simple enough with rules like this one. > > After you write a rule, you need to test it. Every time you add a rule you > risk a typo causing SpamAssassin to skip large chunks of your rules. If you > followed my advice about trying them on root's user_prefs first, test the > rules using SpamAssassin's command line: > > spamassassin --lint > > This will make SA complain about rule syntax. Note that if MailScanner > calls SpamAssassin and there's a typo it will SILENTLY skip rules until it > can start parsing the config file again. 
> > You can also test your rules against emails that are in raw text format > (note: this must be a complete SMTP formatted email, with headers, with a > empty blank line after the headers before the body begins, as per RFC > requirements) > > spamassassin -tD > Once you've got rules that don't error, and suit your needs put them into > your spam.assassin.prefs.conf > > > > > At 08:12 AM 11/18/2002 -0500, you wrote: > >One question I still have is, how do you handle a situation where > >messages are marked as spam but really aren't? Let's assume it's not > >because of DNS Blacklist, but because of content. I can't give an > >example since it hasn't happened to me yet, so this is hypathetically > >speaking. I assume if it's content that SpamAssassin is what is marking > >it as spam. > > > >Are the config files(content filters) for SpamAssasin configurable? > >Where would this be done at? If it's not SpamAssassin, what would it be? > >If there's a FAQ or Doc I should be looking at let me know. > > Note: Emails authored under this address do not reflect the opinions of my > employer unless otherwise stated. Facts contained are also prone to human > error. If either of these statements are not humanly obvious to you, I > suggest careful thought before leaping to any other conclusions. :) From sevans at FOUNDATION.SDSU.EDU Mon Nov 18 17:39:41 2002 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:16:28 2006 Subject: Working well (SA customization tips) Message-ID: <6214C3F9233D764C9E7029396C355015682737@mail.foundation.sdsu.edu> Great info. One question on the SA versions. I upgraded to 2.42 (might have been 2.43) and had huge problems with false negatives. The probably tripled. Have you heard of that happening before. I run SA without any RBL's, and without Razor. (though I'm thinking about going down the razor path soon.) Steve Evans SDSU Foundation (619) 594-0653 -----Original Message----- 
From: Matt Kettler [mailto:mkettler@EVI-INC.COM] Sent: Monday, November 18, 2002 9:02 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Working well (SA customization tips) Ok, I'll admit upfront that I do a bit more "rule tinkering" than most end users do, and I sometimes do a small contribution to the SA Development effort. So I confess up front that I probably customize SA more than most users will. That said, I don't think that writing a few simple custom rules are beyond the scope of what a "normal" user might want to do. Before you go off tuning your ruleset, first make sure you're running a reasonable version of SA. If you're getting an unreasonable number false positives/negatives, and are running something older than 2.42, upgrade. 2.40 and 2.41 had absolutely horrid scores (due to a combination of a few bad rules, a minor issue in the GA, and some mis-placed emails in the corpus). Older versions aren't likely to be very effective against current spam. Other "general" tweaks you can apply are to increase the threshold, and to (lightly) bump down the scores of rules which are false-positive prone on your email. You can apply these to your spam.assassin.prefs and the SpamAssassin man page mentioned below should be sufficient to show you the format for these options. Note that any score line in your prefs file will supercede anything in 50_scores.cf, so to adjust a score, just create a new score in your prefs file like this one (these are adjustments from my config, with scores changed a little from what I really use) # How many hits before a mail is considered spam. required_hits 5.2 #X_OSIRU_SPAM_SRC is high collateral damage, trim score down a little score X_OSIRU_SPAM_SRC 1.5 SA is tuned for a more or less "general purpose" variety of email. Depending on what industry you work in, you might get more "spam-alike" marketing than most. Fortunately you also know there are certain "catch phrases" for your industry that aren't likely to appear in spam mail. 
I tend to have a small handful of "correction" rules that decrease the score of emails pertaining to the industry my company works in. This makes it a bit less likely that newsletters and marketing information that people here have requested will be tagged as spam. Note: you should not need to make a whole lot of these rules, in general I'd think hard before making more than 10 of them. What follows is a quickie guide to simple SA rule writing, targeted towards MailScanner users --------------------------- The first thing you'll want to do is skim through man Mail::SpamAssassin::Conf. Then go to your /usr/share/spamassassin and look at some of the rules in 20_head_tests.cf and 20_body_tests.cf. (note: it is strongly advised that you NOT edit the files in /usr/share/spamassassin) Since you're running MailScanner the best place to put your rules is in MailScanner's spam.assassin.prefs.conf, but I'd recommend writing and testing them using the command-line tools while editing /root/.spamassassin/user_prefs. The simplest rules look for a basic text string, and assign a score, like this one (this is one mine): body BUGTRAQ_MENTIONED /\bbugtraq\b/i describe BUGTRAQ_MENTIONED mentions bugtraq in body score BUGTRAQ_MENTIONED -1.0 The describe line is optional, and not very relevant to MailScanner setups. I put it in there for my own reference. The body rule itself is just a regex string match which is started and terminated with forward slash characters (/). The \b's are used inside the string to indicate "any kind of word break" including spaces, tabs, newlines, etc and are generally a good idea at the beginning and end of most rules (unless you want it to match even if there is no word break). A string match ending with "not" will match not, note, notice, etc but one ending with "not\b" will only match not. the /i at the end makes the entire text match case insensitive. Some rules you might want to leave this off, others you might want it on. 
The regexes can be a lot more complicated, but most things you'll want to do yourself should be simple enough with rules like this one.

After you write a rule, you need to test it. Every time you add a rule you risk a typo causing SpamAssassin to skip large chunks of your rules. If you followed my advice about trying them on root's user_prefs first, test the rules using SpamAssassin's command line:

spamassassin --lint

This will make SA complain about rule syntax. Note that if MailScanner calls SpamAssassin and there's a typo it will SILENTLY skip rules until it can start parsing the config file again.

You can also test your rules against emails that are in raw text format (note: this must be a complete SMTP formatted email, with headers, with an empty blank line after the headers before the body begins, as per RFC requirements)

spamassassin -tD

>One question I still have is, how do you handle a situation where
>messages are marked as spam but really aren't? Let's assume it's not
>because of DNS Blacklist, but because of content. I can't give an
>example since it hasn't happened to me yet, so this is hypothetically
>speaking. I assume if it's content that SpamAssassin is what is marking
>it as spam.
>
>Are the config files(content filters) for SpamAssassin configurable?
>Where would this be done at? If it's not SpamAssassin, what would it
>be? If there's a FAQ or Doc I should be looking at let me know.

Note: Emails authored under this address do not reflect the opinions of my employer unless otherwise stated. Facts contained are also prone to human error. If either of these statements are not humanly obvious to you, I suggest careful thought before leaping to any other conclusions. :)

From billa at STERLING.NET Mon Nov 18 20:17:38 2002
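The prefs syntax walked through in the message above, as an added example that is not part of the original post and is not SpamAssassin code: a toy linter and scorer showing how a typo in one line can be reported rather than silently skipped, and how \b changes what a body rule matches. The function names, the two broken sample lines, the default values and the use of Python's `re` in place of Perl regexes are assumptions of this sketch.

```python
"""Toy linter/scorer for the prefs syntax in the post (added example).

Not SpamAssassin code: only `body`, `describe`, `score` and
`required_hits` are understood, and Python's `re` stands in for Perl's.
"""
import re

# Constructed sample: the post's own lines plus two deliberate typos
# (an unbalanced regex and a misspelled rule name in a score line).
SAMPLE_PREFS = r"""
# How many hits before a mail is considered spam.
required_hits 5.2
score X_OSIRU_SPAM_SRC 1.5

body BUGTRAQ_MENTIONED /\bbugtraq\b/i
describe BUGTRAQ_MENTIONED mentions bugtraq in body
score BUGTRAQ_MENTIONED -1.0

body BROKEN_RULE /\b(unclosed/i
score BUGTRAQ_MENTIONNED -1.0
"""

BODY_PATTERN = re.compile(r"^/(.*)/([a-z]*)$")


def parse_prefs(text, stock_rules=()):
    """Return (rules, scores, required_hits, problems) for a prefs text.

    stock_rules names rules defined elsewhere (e.g. the shipped rule
    files), so that scoring them here is not reported as a typo.
    """
    rules, scores, score_lines, problems = {}, {}, [], []
    required = 5.0  # assumed threshold when the file sets none
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        keyword = parts[0]
        try:
            if keyword == "required_hits":
                required = float(parts[1])
            elif keyword == "score":
                # A later score line replaces an earlier one.
                scores[parts[1]] = float(parts[2])
                score_lines.append((lineno, parts[1]))
            elif keyword == "body":
                match = BODY_PATTERN.match(parts[2])
                if not match:
                    raise ValueError("pattern must look like /regex/flags")
                if match.group(2) not in ("", "i"):
                    raise ValueError("unsupported flags %r" % match.group(2))
                flags = re.IGNORECASE if match.group(2) == "i" else 0
                rules[parts[1]] = re.compile(match.group(1), flags)
            elif keyword != "describe":
                raise ValueError("unknown keyword %r" % keyword)
        except (IndexError, ValueError, re.error) as exc:
            # Report the line instead of skipping it silently.
            problems.append((lineno, "%s: %s" % (keyword, exc)))
    known = set(rules) | set(stock_rules)
    for lineno, name in score_lines:
        if name not in known:
            problems.append((lineno, "score for undefined rule %s" % name))
    return rules, scores, required, sorted(problems)


def score_body(body, rules, scores, default_score=1.0):
    """Return (total, hit_names) for one message body.

    default_score for a rule with no score line is an assumption here.
    """
    hits = sorted(name for name, rx in rules.items() if rx.search(body))
    return sum(scores.get(name, default_score) for name in hits), hits


def boundary_demo():
    """Show the "not" versus "not\\b" difference described in the post."""
    rules, _, _, _ = parse_prefs("body OPEN /\\bnot/\nbody CLOSED /\\bnot\\b/")
    return score_body("please take notice", rules, {})[1]


if __name__ == "__main__":
    rules, scores, required, problems = parse_prefs(
        SAMPLE_PREFS, stock_rules=["X_OSIRU_SPAM_SRC"])
    for lineno, message in problems:
        print("line %d: %s" % (lineno, message))
    total, hits = score_body("Posted to BugTraq yesterday", rules, scores)
    print("score %.1f of %.1f required, hits: %s" % (total, required, hits))
    print("rules matching 'please take notice':", boundary_demo())
```
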
From: billa at STERLING.NET (Bill Anderson)
Date: Thu Jan 12 21:16:28 2006
Subject: Best way to use blacklists?
Message-ID:

I notice there are several ways to utilize blacklists. Looks like you can do it in mailscanner, sendmail, and the other option is to let Spamassassin do it. Any ideas on the best way to implement with pros and cons would be greatly appreciated? Thanks.

From mlo at UNI2.DK Mon Nov 18 20:32:15 2002
From: mlo at UNI2.DK (Martin Lorensen)
Date: Thu Jan 12 21:16:28 2006
Subject: Best way to use blacklists?
In-Reply-To:
Message-ID:

On Mon, 18 Nov 2002, Bill Anderson wrote:

> I notice there are several ways to utilize blacklists. Looks like you
> can do it in mailscanner, sendmail, and the other option is to let
> Spamassassin do it. Any ideas on the best way to implement with pros
> and cons would be greatly appreciated? Thanks.

Sendmail is IMHO always preferred if you can do it there - The simple reason is that you don't have to do bounces to often faked sender-addresses. Only catch in doing it in sendmail would be that you might not have enough information or you might want to get more information (e.g. content of mail to be able to deliver with a changed subject) before you have to reject the message.

If you blacklist in mailscanner you don't have to call SpamAssassin, on the negative side is then that SA's AWL doesn't get more clever - but I guess that is of little use if the origin is a blacklisted site or address.

--
Martin Lorensen

From richard.siddall at ELIRION.NET Mon Nov 18 20:39:12 2002
From: richard.siddall at ELIRION.NET (Richard Siddall)
Date: Thu Jan 12 21:16:28 2006
Subject: Best way to use blacklists?
References:
Message-ID: <3DD94FF0.DC29A338@elirion.net>

Bill Anderson wrote:
>
> I notice there are several ways to utilize blacklists. Looks like you can
> do it in mailscanner, sendmail, and the other option is to let Spamassassin
> do it. Any ideas on the best way to implement with pros and cons would be
> greatly appreciated? Thanks.

!!!FAQ Alert!!!

I guess my view is that it depends on your confidence in the blacklist:

1/ If you absolutely trust the blacklist and want to reject the mail, false positives and all, use it in sendmail. That will result in the least processing load too.

2/ If you absolutely trust the blacklist, but want only to flag the message as spam, use it in MailScanner.

3/ If you have mixed feelings about the blacklist, but consider it useful in detecting spam, use it in SpamAssassin (and consider tuning the score SA assigns).

I hope this helps. Bear in mind that the more blacklists you use, the longer it takes to process each message. If you're rejecting mail in sendmail, the sender can time out while waiting for you to check all the blacklists.

Regards,

Richard Siddall.

From support at INVICTANET.CO.UK Mon Nov 18 20:40:10 2002
From: support at INVICTANET.CO.UK (InvictaNet Customer Support)
Date: Thu Jan 12 21:16:28 2006
Subject: Yuk!
Message-ID:

Hi

I think this is from a de-IFRAMEd message. Can anyone suggest why it looks so 'orrible?

Also, why have I got "irusWarning.txt" (I'm using v3.26-2)

Martyn

-----Original Message-----
From: FT.com News by email [mailto:ymnl+672583.125202216.2@newsbyemail.ft.com]
Sent: 18 November 2002 15:03
To: martynr@invictanet.co.uk
Subject: {VIRUS?} Your Money update

Content-Type: text/plain; charset=s-ascii"; name=irusWarning.txt"
Content-Disposition: inline; filename=irusWarning.txt"
Content-Transfer-Encoding: quoted-printable

This is a message from the MailScanner E-Mail Virus Protection Service
----------------------------------------------------------------------
The original e-mail attachment "the entire message" was believed to be infected by a virus and has been replaced by this warning message.

If you wish to receive a copy of the *infected* attachment, please e-mail helpdesk and include the whole of this message in your request. Alternatively, you can call them, with the contents of this message to hand when you call.

At Mon Nov 18 15:05:45 2002 the virus scanner said:
   Possible Microsoft security vulnerability attack

Note to Help Desk: Look on the MailScanner in /var/spool/MailScanner/quarantine (message gAIF5bjK050146).
--
Postmaster

From lyons at digitalvoodoo.org Mon Nov 18 20:48:05 2002
From: lyons at digitalvoodoo.org (Timothy M. Lyons)
Date: Thu Jan 12 21:16:28 2006
Subject: Best way to use blacklists?
In-Reply-To: <3DD94FF0.DC29A338@elirion.net>
Message-ID: <000201c28f43$cbadeff0$6401a8c0@seeker>

I personally use multiple blacklists - however I only use one of them with sendmail (relays.ordb.org), I then implement spamcop.net and Infinite-Monkeys within MailScanner.

I find that ordb is quick and gives me a pretty good coverage, plus I have had very few problems with false positives - those that I have noticed, have been resubmitted and cleaned out quickly. Spamcop however tends to be a bit too aggressive and has inadvertently blocked out numerous valid senders so I won't use it on my server other than with MailScanner/SA to indicate the possibility.

Just my .02

--Tim

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Richard Siddall Sent: Monday, November 18, 2002 15:39 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Best way to use blacklists? Bill Anderson wrote: > > I notice there are several ways to utilize blacklists. Looks like you > can do it in mailscanner, sendmail, and the other option is to let > Spamassassin do it. Any ideas on the best way to implement with pros > and cons would be greatly appreciated? Thanks. !!!FAQ Alert!!! I guess my view is that it depends on your confidence in the blacklist: 1/ If you absolutely trust the blacklist and want to reject the mail, false positives and all, use it in sendmail. That will result in the least processing load too. 2/ If you absolutely trust the blacklist, but want only to flag the message as spam, use it in MailScanner. 3/ If you have mixed feelings about the blacklist, but consider it useful in detecting spam, use it in SpamAssassin (and consider tuning the score SA assigns). I hope this helps. Bear in mind that the more blacklists you use, the longer it takes to process each message. If you're rejecting mail in sendmail, the sender can time out while waiting for you to check all the blacklists. Regards, Richard Siddall. From MailScanner at LISTS.COM.AR Mon Nov 18 21:01:44 2002 
From: MailScanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:16:28 2006
Subject: Calling all translators
In-Reply-To: <3DFD0E385303F649AB7C31D651DEDD00071779@mafalda.pert.com.ar>
Message-ID: <3DD92B08.1826.19BB0673@localhost>

Mmhhhh... I wasn't reading the list lately... but browsed thru the subjects and got this one... I quickly browsed the 'languages.conf' file and it scares me a bit...

It has too many too short phrases that I fear you intend to glue together at message generation time... the point is that Spanish (and all latin languages, including at least French and Italian) have quite a different sentence order than English... I'm so worried that the results look like those automatic translations you see in the web...

Regretfully I'm stuck with lots of work and couldn't yet put my hands on MS (I have a pending ZMailer implementation)... Maybe if you could put the complete phrases in context in a comment before the config line, I could be more brave in translating... I also hope that Luis Peromarta is still around, 'cause he did a great job reviewing my previous translation and making it much better overall..

On 17 Nov 2002 at 11:51, Julian Field wrote:

> I have moved all the output strings into a configuration file so they
> can
> be translated into different languages, so MailScanner hopefully doesn't
> output much to a user that has to be in English.
>
> I have attached the file, and would be grateful if people could
> translate
> it into other languages for me.
>
> Thanks folks!
> Jules.
>
>

--
Mariano Absatz
El Baby
----------------------------------------------------------
What is a "free" gift ? Aren't all gifts free?

From devin at JETDATA.CA Mon Nov 18 21:31:33 2002
From: devin at JETDATA.CA (Devin Smith)
Date: Thu Jan 12 21:16:28 2006
Subject: Unsubscribe
Message-ID: <002701c28f49$e1f1a5d0$f184e5c6@rd.csandall.com>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021118/626aa6b0/attachment.html

From P.G.M.Peters at civ.utwente.nl Tue Nov 19 08:10:28 2002
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:16:28 2006
Subject: Best way to use blacklists?
In-Reply-To: <3DD94FF0.DC29A338@elirion.net>
References: <3DD94FF0.DC29A338@elirion.net>
Message-ID:

On Mon, 18 Nov 2002 15:39:12 -0500, you wrote:

>I hope this helps. Bear in mind that the more blacklists you use,
>the longer it takes to process each message. If you're rejecting
>mail in sendmail, the sender can time out while waiting for you
>to check all the blacklists.

I use 10 blacklists (in MS) and I keep processing several messages within seconds. Only when one of the blacklists times out (currently occasionally infinite monkeys) it takes up to 20 seconds to process a batch.

--
Peter Peters
senior netwerkbeheerder, Centrum voor Informatievoorziening,
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Nov 19 10:34:54 2002
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:16:28 2006
Subject: Header change format
Message-ID: <4E7026FF8A422749B1553FE508E00680053D84@message.intern.akctech.de>

Hi Julian,

I just discovered something that makes my life a bit more difficult. I would love to have a header that tells me whether or not something is spam or not. Currently I see things like this:

X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=7,
        required 6, AWL, BAD_HELO_WARNING, BIG_FONT, CTYPE_JUST_HTML,
        EXCUSE_1, HTML_50_70, HTML_COMMENT_UNIQUE_ID, HTML_FONT_COLOR_BLUE,
        HTML_FONT_COLOR_NOHASH, HTML_FONT_COLOR_RED, HTML_FONT_COLOR_YELLOW,
        MSG_ID_ADDED_BY_MTA_3, NO_REAL_NAME, SPAM_PHRASE_02_03,
        SUBJECT_HAS_DATE, WEB_BUGS, X_AUTH_WARNING)
X-MailScanner-SpamScore: sssssss

or

X-MailScanner-SpamCheck: SpamAssassin
X-MailScanner-SpamCheck: spamcop.net

There is no simple rule for Outlook etc. that would allow me to put all Spam-Mail in some folder. Currently I would have to put all possible X-MailScanner-SpamCheck Messages in the word list. Proposal:

X-MailScanner-SpamCheck: spam, whatever (e.g. SpamAssassin or spamcop.net etc.) and
X-MailScanner-SpamCheck: not spam, whatever (e.g. whitelisted)

Moreover: The X-MailScanner-SpamScore should not be in the header if for some reason MailScanner determines that the message is not spam. I used to have a rule in Outlook that put all messages with X-MailScanner-SpamScore: ssssss in the junk mailfolder. As you can see in the first example this is not helpful.

Thanks,
JP

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021119/20435f09/attachment.html

From info at blacknight-solutions.com Tue Nov 19 11:21:23 2002
From: info at blacknight-solutions.com (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:16:28 2006
Subject: Header change format
In-Reply-To: <4E7026FF8A422749B1553FE508E00680053D84@message.intern.akctech.de>
References: <4E7026FF8A422749B1553FE508E00680053D84@message.intern.akctech.de>
Message-ID: <24897.213.136.131.214.1037704883.squirrel@www.blacknightsolutions.com>

In MailScanner.conf check your settings. I have it set to change the subject line for Spam and Virus, so I can easily filter messages in Eudora.

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Nov 19 12:59:44 2002
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:16:28 2006
Subject: Header change format
Message-ID: <4E7026FF8A422749B1553FE508E00680053D87@message.intern.akctech.de>

Hi,

> In MailScanner.conf check your settings. I have it set to
> change the subject line for Spam and Virus, so I can easily
> filter messages in Eudora.

I know but you should not change the subject if you report spam to the corresponding abuse centers (or spamcop etc.).

Regards,
JP

From mk at quadstone.com Tue Nov 19 15:53:48 2002
From: mk at quadstone.com (Michael Keightley)
Date: Thu Jan 12 21:16:28 2006
Subject: Problems with version 4
In-Reply-To: <5.1.0.14.2.20021113153116.07420ec0@imap.ecs.soton.ac.uk>
References: <20021113152737.GB1629@quadstone.com> <5.1.0.14.2.20021113153116.07420ec0@imap.ecs.soton.ac.uk>
Message-ID: <20021119155348.GA3968@quadstone.com>

This problem was caused by me forgetting to change "mailscanner" to "MailScanner" in the cron job that runs check_mailscanner. So it was starting up the old version.

0,20,40 * * * * [ -x /var/opt/MailScanner/bin/check_mailscanner ] && /var/opt/MailScanner/bin/check_mailscanner >/dev/null 2>&1

Michael

On Wed, Nov 13, 2002 at 03:32:35PM +0000, Julian Field wrote:
> At 15:27 13/11/2002, you wrote:
> >After starting up version 4, I am getting lots of these messages in the
> >mail
> >log:
> >
> >Nov 13 15:20:29 postie.quadstone.co.uk MailScanner[26958]: Failed to link
> >message body between queues (/var/spool/mqueue/dfgADFKNXH026972 -->
> >/var/spool/mqueue.in/dfgADFKNXH026972)
>
> Either the file already exists in the outgoing queue, or the 2 queues
> aren't on the same partition, or you are running V3 and V4 simultaneously.
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ

--
Michael Keightley                      Tel: +44 131 220 4491
Systems Manager, Quadstone Limited,    Fax: +44 131 220 4492
16 Chester Street, Edinburgh EH3 7RA, Scotland
http://www.quadstone.com

From jim at ENTROPHY-FREE.NET Tue Nov 19 15:59:17 2002
From: jim at ENTROPHY-FREE.NET (Jim Levie)
Date: Thu Jan 12 21:16:28 2006
Subject: Header change format
In-Reply-To: <4E7026FF8A422749B1553FE508E00680053D84@message.intern.akctech.de>
References: <4E7026FF8A422749B1553FE508E00680053D84@message.intern.akctech.de>
Message-ID: <1037721557.16055.37.camel@chaos.entrophy-free.net>

On Tue, 2002-11-19 at 04:34, Jan-Peter Koopmann wrote:
> Hi Julian,
>
> I just discovered something that makes my life a bit more difficult. I
> would love to have a header that tells me whether or not something is
> spam or not. Currently I see things like this:
>
> X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=7,
> required 6, AWL, BAD_HELO_WARNING, BIG_FONT, CTYPE_JUST_HTML,
> EXCUSE_1, HTML_50_70, HTML_COMMENT_UNIQUE_ID, HTML_FONT_COLOR_BLUE,
> HTML_FONT_COLOR_NOHASH, HTML_FONT_COLOR_RED, HTML_FONT_COLOR_YELLOW,
> MSG_ID_ADDED_BY_MTA_3, NO_REAL_NAME, SPAM_PHRASE_02_03,
> SUBJECT_HAS_DATE, WEB_BUGS, X_AUTH_WARNING)
> X-MailScanner-SpamScore: sssssss
>
> or
>
> X-MailScanner-SpamCheck: SpamAssassin
> X-MailScanner-SpamCheck: spamcop.net
>
> There is no simple rule for Outlook etc. that would allow me to put all
> Spam-Mail in some folder. Currently I would have to put all possible
> X-MailScanner-SpamCheck Messages in the word list. Proposal:

Easy enough to do. You decide what spam score would be spam and filter on the X-MailScanner-SpamScore header. For example if you decided that anything with a spam score of 5 was spam you'd tell Outlook that any message whose X-MailScanner-SpamCheck: header contained sssss should go into a Spam folder.

>
> X-MailScanner-SpamCheck: spam, whatever (e.g. SpamAssassin or
> spamcop.net etc.) and
> X-MailScanner-SpamCheck: not spam, whatever (e.g. whitelisted)
>
> Moreover: The X-MailScanner-SpamScore should not be in the header if for
> some reason MailScanner determines that the message is not spam. I used
> to have a rule in Outlook that put all messages with
> X-MailScanner-SpamScore: ssssss in the junk mailfolder. As you can see
> in the first example this is not helpful.
>

The MailScanner configuration sets the lower threshold that triggers the inclusion of the SpamCheck/SpamScore headers. Messages that garner a SpamAssassin score below that threshold won't trigger the inclusion of those headers, and thus "aren't spam".

Because of the nature of the beast, it is quite possible to see messages with a spam score of 10-12 or less that aren't really spam, depending on who you get legitimate mail from. Most of the time, in my experience, anything with a spam score of 8 or more is spam, but I do get some mailings from legitimate sources that garner a score of 5-7. So you have to be careful when setting the lower and upper thresholds in MailScanner.

Personally I find it best to set the lower threshold in the 3-5 range and sort out what isn't really spam at the mail client. Along the same lines I set the high threshold, where we drop messages, in the 12-15 range to reduce the likelihood of discarding legitimate mail. That setting gets rid of a large amount of the objectionable and blatant spam and users can sort through the rest.

--
The instructions said to use Windows 98 or better, so I installed RedHat.

From billa at STERLING.NET Tue Nov 19 16:06:14 2002
From: billa at STERLING.NET (Bill Anderson)
Date: Thu Jan 12 21:16:28 2006
Subject: Best way to use blacklists?
In-Reply-To: <000201c28f43$cbadeff0$6401a8c0@seeker>
Message-ID:

If you use MailScanner first for blacklists, does it always call spamassassin, or does it just flag the email as spam and bypass SA? Where in SA do you select what blacklists to use? Thanks again for all the GREAT help.

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Timothy M. Lyons > Sent: Monday, November 18, 2002 12:48 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Best way to use blacklists? > > > I personally use multiple blacklists - however I only use one of them > with sendmail (relays.ordb.org), I then implement spamcop.net and > Infinite-Monkeys within MailScanner. > > I find that ordb is quick and gives me a pretty good coverage, plus I > have had very few problems with false positives - those that I have > noticed, have been resubmitted and cleaned out quickly. Spamcop however > tends to be a bit too aggressive and has inadvertently blocked out > numerous valid senders so I wont use it on my server other than with > MailScanner/SA to indicate the possibility. > > Just my .02 > > --Tim > > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Richard Siddall > Sent: Monday, November 18, 2002 15:39 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Best way to use blacklists? > > > Bill Anderson wrote: > > > > I notice there are several ways to utilize blacklists. Looks like you > > > can do it in mailscanner, sendmail, and the other option is to let > > Spamassassin do it. Any ideas on the best way to implement with pros > > and cons would be greatly appreciated? Thanks. > > !!!FAQ Alert!!! > > I guess my view is that it depends on your confidence in the blacklist: > > 1/ If you absolutely trust the blacklist and want to reject the mail, > false positives and all, use it in sendmail. That will result in the > least processing load too. > > 2/ If you absolutely trust the blacklist, but want only to flag the > message as spam, use it in MailScanner. > > 3/ If you have mixed feelings about the blacklist, but consider it > useful in detecting spam, use it in SpamAssassin (and consider tuning > the score SA assigns). > > I hope this helps. Bear in mind that the more blacklists you use, the > longer it takes to process each message. If you're rejecting mail in > sendmail, the sender can time out while waiting for you to check all the > blacklists. > > Regards, > > Richard Siddall. > From Jan-Peter.Koopmann at SECEIDOS.DE Tue Nov 19 16:31:56 2002 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:16:28 2006
Subject: Header change format
Message-ID: <4E7026FF8A422749B1553FE508E00680053D88@message.intern.akctech.de>

Hi,

> > There is no simple rule for Outlook etc. that would allow me to put
> > all Spam-Mail in some folder. Currently I would have to put all
> > possible X-MailScanner-SpamCheck Messages in the word list.
> Proposal:
>
> Easy enough to do. You decide what spam score would be spam
> and filter on the X-MailScanner-SpamScore header. For example
> if you decided that anything with a spam score of 5 was spam
> you'd tell Outlook that any message whose
> X-MailScanner-SpamCheck: header contained sssss should go
> into a Spam folder.

Yet if you use this even messages that are not spam (due to whitelist) but have a high SpamAssassin score are sorted out by the rule. Unfortunately Outlook cannot create rules like "Move message if X-MailScanner-Spamscore: sssss unless X-MailScanner-SpamCheck: not spam"...

> The MailScanner configuration sets the lower threshold that
> triggers the inclusion of the SpamCheck/SpamScore headers.
> Messages that garner a SpamAssassin score below that
> threshold won't trigger the inclusion of those headers, and
> thus "aren't spam".

So? Again think of whitelists. If a message is in the whitelist I do not care about the SpamScore from SpamAssassin. The whole point of the whitelist is to overrule SpamAssassin.

> Because of the nature of the beast, it is quite possible to
> see messages with a spam score of 10-12 or less that aren't
> really spam, depending on who you get legitimate mail from.

That is quite correct and the first example showed just that. But if I put something in the whitelist explicitly I do not want the message to be moved by my Outlook rule due to a SpamScore of 10 or so.

The headers are very informational telling me that the message is not spam due to the whitelist but would have had a SpamAssassin score of 10. This is nice and informational but impossible for Outlook to use for rules. That is why I would love to see the simple extension to the X-MailScanner-SpamCheck header. It should be very easy to implement a (spam, not spam) message.

Regards,
JP

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Nov 19 16:35:00 2002
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:16:28 2006
Subject: Best way to use blacklists?
Message-ID: <4E7026FF8A422749B1553FE508E00680053D89@message.intern.akctech.de>

Hi,

> If you use MailScanner first for blacklists, does it always
> call spamassassin, or does it just flag the email as spam and
> bypass SA? Where in SA do you select what blacklists to use?
> Thanks again for all the GREAT help.

Have you tried this setting in mailscanner.conf:

# If the message sender is on any of the Spam Lists, do you still want
# to do the SpamAssassin checks? Setting this to "no" will reduce the load
# on your server, but will stop the High Scoring Spam Actions from ever
# happening.
# This can also be the filename of a ruleset.
Check SpamAssassin If On Spam List = yes

This might (!) also work for blacklist. I would have to look at the sources first but try it.

Regards,
JP

From billa at STERLING.NET Tue Nov 19 16:44:25 2002
From: billa at STERLING.NET (Bill Anderson)
Date: Thu Jan 12 21:16:28 2006
Subject: Best way to use blacklists?
In-Reply-To: <4E7026FF8A422749B1553FE508E00680053D89@message.intern.akctech.de>
Message-ID:

Thanks. I read it, but it did not register. I guess I still want the mail to be checked by spam assassin for the high score. I have a custom list that elevates the score to 100 if it is a porno spam. Anything over 50 will be deleted. My guess is the best thing to do is to turn on blacklist in Mailscanner and turn off blacklist checking in SA and set Check SpamAssassin If On Spam List = yes. This way the email will be marked as spam, then passed off to SA to see if it might be porn.

Is it fairly simple to turn off all blacklist checking in SA? If so how? I want to avoid checking the blacklists twice.

Thanks again.

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Jan-Peter Koopmann
> Sent: Tuesday, November 19, 2002 8:35 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Best way to use blacklists?
>
>
> Hi,
>
> > If you use MailScanner first for blacklists, does it always
> > call spamassassin, or does it just flag the email as spam and
> > bypass SA? Where in SA do you select what blacklists to use?
> > Thanks again for all the GREAT help.
>
> Have you tried this setting in mailscanner.conf:
>
> # If the message sender is on any of the Spam Lists, do you still want
> # to do the SpamAssassin checks? Setting this to "no" will reduce the
> load
> # on your server, but will stop the High Scoring Spam Actions from ever
> # happening.
> # This can also be the filename of a ruleset.
> Check SpamAssassin If On Spam List = yes
>
> This might (!) also work for blacklist. I would have to look at the
> sources first but try it.
>
> Regards,
> JP
>

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Nov 19 16:52:10 2002
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:16:28 2006
Subject: Best way to use blacklists?
Message-ID: <4E7026FF8A422749B1553FE508E00680053D8A@message.intern.akctech.de>

> Is it fairly simple to turn off all blacklist checking in SA?
> If so how? I want to avoid checking the blacklists twice.

I would say simply give SA no blacklist entry/filename in the spam.assassing.prefs file. Just a wild guess. But if SpamAssassin has no blacklist associated, what list does it use? :-)

Regards,
JP

From mailscanner at ecs.soton.ac.uk Tue Nov 19 16:52:21 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:28 2006
Subject: Header change format
In-Reply-To: <4E7026FF8A422749B1553FE508E00680053D88@message.intern.akctech.de>
Message-ID: <5.2.0.9.2.20021119165112.090bcce0@imap.ecs.soton.ac.uk>

Is the outcome of all this that you would like the "SpamScore" header to be empty (or maybe not even exist?) when the message is whitelisted?

Empty? Or not exist?

Any contributions or thoughts most welcome...

Jules.

At 16:31 19/11/2002, you wrote:
>Hi,
>
> > > There is no simple rule for Outlook etc. that would allow me to put
> > > all Spam-Mail in some folder. Currently I would have to put all
> > > possible X-MailScanner-SpamCheck Messages in the word list.
> > Proposal:
> >
> > Easy enough to do. You decide what spam score would be spam
> > and filter on the X-MailScanner-SpamScore header. For example
> > if you decided that anything with a spam score of 5 was spam
> > you'd tell Outlook that any message whose
> > X-MailScanner-SpamCheck: header contained sssss should go
> > into a Spam folder.
>
>Yet if you use this even messages that are not spam (due to whitelist)
>but have a high SpamAssassin score are sorted out by the rule.
>Unfortunately Outlook cannot create rules like "Move message if
>X-MailScanner-Spamscore: sssss unless X-MailScanner-SpamCheck: not
>spam"...
>
> > The MailScanner configuration sets the lower threshold that
> > triggers the inclusion of the SpamCheck/SpamScore headers.
> > Messages that garner a SpamAssassin score below that
> > threshold won't trigger the inclusion of those headers, and
> > thus "aren't spam".
>
>So? Again think of whitelists. If a message is in the whitelist I do not
>care about the SpamScore from SpamAssassin. The whole point of the
>whitelist is to overrule SpamAssassin.
>
> > Because of the nature of the beast, it is quite possible to
> > see messages with a spam score of 10-12 or less that aren't
> > really spam, depending on who you get legitimate mail from.
>
>That is quite correct and the first example showed just that. But if I
>put something in the whitelist explicitly I do not want the message to
>be moved by my Outlook rule due to a SpamScore of 10 or so.
>
>The headers are very informational telling me that the message is not
>spam due to the whitelist but would have had a SpamAssassin score of 10.
>This is nice and informational but impossible for Outlook to use for
>rules. That is why I would love to see the simple extension to the
>X-MailScanner-SpamCheck header. It should be very easy to implement a
>(spam, not spam) message.
>
>Regards,
> JP

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Tue Nov 19 16:45:53 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:28 2006 Subject: Calling all translators In-Reply-To: <3DD92B08.1826.19BB0673@localhost> References: <3DFD0E385303F649AB7C31D651DEDD00071779@mafalda.pert.com.ar> Message-ID: <5.2.0.9.2.20021119164345.04802e68@imap.ecs.soton.ac.uk> At 21:01 18/11/2002, you wrote: >It has too many too short phrases that I fear you intend to glue together at >message generation time... the point is that Spanish (and all latin >languages, including at least French and Italian) have quite a different >sentence order than English... I'm so worried that the results look like >those automatic translations you see in the web... They are phrases and words that are just used as they are given, they are not glued together at all. They are just for things such as the SpamCheck header which can contain "not spam" at the start of the report when it has been told to always include the header even when the message isn't spam. That's why I included a line of explanation above each one that tells you where it is used. I agree that sticking these phrases together would be a very bad idea. >Regretfully I'm stuck with lots of work and couldn't yet put my hands on MS >(I have a pending ZMailer implementation)... Maybe if you could put the >complete phrases in context in a comment before the config line, I could be >more brave in translating... I also hope that Luis Peromarta is still around, >'cause he did a great job reviewing my previous translation and making it >much better overall.. > >El 17 Nov 2002 a las 11:51, Julian Field escribi?: > > > I have moved all the output strings into a configuration file so they > > can > > be translated into different languages, so MailScanner hopefully doesn't > > output much to a user that has to be in English. > > > > I have attached the file, and would be grateful if people could > > translate > > it into other languages for me. > > > > Thanks folks! > > Jules. 
> >
> >
> >
>--
>Mariano Absatz
>El Baby
>----------------------------------------------------------
>What is a "free" gift ? Aren't all gifts free?

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Nov 19 17:01:48 2002
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:16:29 2006
Subject: Header change format
Message-ID: <4E7026FF8A422749B1553FE508E00680053D8B@message.intern.akctech.de>

Hi Julian,

> Is the outcome of all this that you would like the
> "SpamScore" header to be empty (or maybe not even exist?)
> when the message is whitelisted?

This would be one solution.

> Empty? Or not exist?

I do not care to be honest.

> Any contributions or thoughts most welcome...

The most simple and most flexible solution though would be to generate a
definite SPAM or NOT SPAM within the header.

Examples for "real" spam:
X-MailScanner-SpamCheck: spam, SpamAssasin (SCORE=....)
X-MailScanner-SpamCheck: spam, spamcop.net, SpamAssasin (SCORE=....)

Example for a whitelisted which triggers SpamAssassin:

X-MailScanner-SpamCheck: not spam, whitelisted, SpamAssasin (SCORE=....)

If you implement this you could tell the mail client to only handle
mails with "X-MailScanner-SpamCheck: spam" in the header. If possible
one should be able to configure whether or not "not spam" messages
should show the SpamAssassin score with "X-MailScanner-Spamscore: sssss"
or not.

Regards,
  JP

From billa at STERLING.NET Tue Nov 19 17:10:45 2002
From: billa at STERLING.NET (Bill Anderson)
Date: Thu Jan 12 21:16:29 2006
Subject: Best way to use blacklists?
In-Reply-To: <4E7026FF8A422749B1553FE508E00680053D8A@message.intern.akctech.de>
Message-ID:

Thanks for the pointer. I found the following entry in the
spam.assassin.prefs.conf file:

skip_rbl_checks 1

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Jan-Peter Koopmann
> Sent: Tuesday, November 19, 2002 8:52 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Best way to use blacklists?
>
>
> > Is it fairly simple to turn off all blacklist checking in SA?
> > If so how? I want to avoid checking the blacklists twice.
>
> I would say simply give SA no blacklist entry/filename in the
> spam.assassing.prefs file. Just a wild guess. But if SpamAssassin has no
> blacklist associated, what list does it use? :-)
>
> Regards,
> JP
>

From mailscanner at ecs.soton.ac.uk Tue Nov 19 17:14:09 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:29 2006
Subject: Best way to use blacklists?
In-Reply-To: <4E7026FF8A422749B1553FE508E00680053D8A@message.intern.akctech.de>
Message-ID: <5.2.0.9.2.20021119171340.01eae790@imap.ecs.soton.ac.uk>

At 16:52 19/11/2002, you wrote:
> > Is it fairly simple to turn off all blacklist checking in SA?
> > If so how? I want to avoid checking the blacklists twice.
>
>I would say simply give SA no blacklist entry/filename in the
>spam.assassing.prefs file. Just a wild guess. But if SpamAssassin has no
>blacklist associated, what list does it use? :-)

In your spam.assassin.prefs.conf file, there is a line that says
# ignore_rbl_checks 1
Just un-comment it.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Tue Nov 19 17:17:48 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:29 2006
Subject: Header change format
In-Reply-To: <4E7026FF8A422749B1553FE508E00680053D8B@message.intern.akctech.de>
Message-ID: <5.2.0.9.2.20021119171526.08dad878@imap.ecs.soton.ac.uk>

At 17:01 19/11/2002, you wrote:
>Hi Julian,
>
> > Is the outcome of all this that you would like the
> > "SpamScore" header to be empty (or maybe not even exist?)
> > when the message is whitelisted?
>
>This would be one solution.
>
> > Empty? Or not exist?
>
>I do not care to be honest.
>
> > Any contributions or thoughts most welcome...
>
>The most simple and most flexible solution though would be to generate a
>definite SPAM or NOT SPAM within the header.

But I should only add "spam" when they have requested to always add the
header, as people can currently do spam filtering based on just the
presence of the SpamCheck header.
It all gets a bit murky, unfortunately, as I need to retain backward
compatibility for all the previous users, while providing a whizzy neat
solution that is simple for you.

The SpamScore proposal above is simple and doesn't create compatibility
problems. But does it do enough of what you want? If not, I don't want to
do it. But if yes, then that will probably be my chosen solution.

>Examples for "real" spam:
>X-MailScanner-SpamCheck: spam, SpamAssasin (SCORE=....)
>X-MailScanner-SpamCheck: spam, spamcop.net, SpamAssasin (SCORE=....)
>
>Example for a whitelisted which triggers SpamAssassin:
>
>X-MailScanner-SpamCheck: not spam, whitelisted, SpamAssasin (SCORE=....)
>
>If you implement this you could tell the mail client to only handle
>mails with "X-MailScanner-SpamCheck: spam" in the header. If possible
>one should be able to configure whether or not "not spam" messages
>should show the SpamAssassin score with "X-MailScanner-Spamscore: sssss"
>or not.
>
>Regards,
> JP

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel.
023 8059 2817 University of Southampton
Southampton SO17 1BJ

From ts247 at CORNELL.EDU Tue Nov 19 17:24:37 2002
From: ts247 at CORNELL.EDU (Tom Shannon)
Date: Thu Jan 12 21:16:29 2006
Subject: RBL error
Message-ID: <200211191724.gAJHOdX30327@ori.rl.ac.uk>

Hello all, I'm running a solaris 7 email server with sendmail 8.12.4.

I'm using most of the default mailscanner settings. Spamassassin is ON.

Everything works fine for several hours then the following message appears
in my maillog...

Nov 16 17:09:06 astrosun.astro.cornell.edu MailScanner[4800]: RBL Checks failed with real error: Can't use an undefined value as a symbol reference at /opt/MailScanner/bin/MailScanner/RBLs.pm line 159, line 27.

At this point mailscanner stops processing the mail in the mqueue.in.

Looking thru the logs I don't see any particular incident that causes this
error.

Any ideas? Thanks!

From mailscanner at ecs.soton.ac.uk Tue Nov 19 18:41:44 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:29 2006
Subject: RBL error
In-Reply-To: <200211191724.gAJHOdX30327@ori.rl.ac.uk>
Message-ID: <5.2.0.9.2.20021119184030.02353308@imap.ecs.soton.ac.uk>

At 17:24 19/11/2002, you wrote:
>Hello all, I'm running a solaris 7 email server with sendmail 8.12.4.
>
>I'm using most of the default mailscanner settings. Spamassassin is ON.
>
>Everything works fine for several hours then the following message appears
>in my maillog...
>
>Nov 16 17:09:06 astrosun.astro.cornell.edu MailScanner[4800]: RBL Checks
>failed with real error: Can't use an undefined value as a symbol reference
>at /opt/MailScanner/bin/MailScanner/RBLs.pm line 159, line 27.
>
>At this point mailscanner stops processing the mail in the mqueue.in.
>
>Looking thru the logs I don't see any particular incident that causes this
>error.

I have re-written the pipe code in RBLs.pm and SA.pm as 1 other user was
having the same problem but in a different place. I can't reproduce the
problem myself, but I hope my tweaks will help.

If you want a copy of the new code to try out, drop me a line privately and
I'll send it to you.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From dlovelace at HOTELS.COM Tue Nov 19 18:46:03 2002
From: dlovelace at HOTELS.COM (Dale Lovelace)
Date: Thu Jan 12 21:16:29 2006
Subject: Logging mailed marked as spam by RBL
Message-ID: <95DD6F026D9C5C459E262B9C385C478E59819D@h-file04.180096hotel.com>

Hello,

I have MailScanner configured to use the RBL's ORDB-RBL and
Infinite-Monkeys, and SpamAssassin configured to skip_rbl_checks.

When MailScanner marks a message as spam because it is in the RBL, does it
log this? If so, what does the log entry look like?

Is there a way to test to make sure MailScanner is marking mail that is
from an RBL'ed site as spam?

Thanks,

Dale Lovelace

From mbowman at UDCOM.COM Tue Nov 19 18:47:08 2002
From: mbowman at UDCOM.COM (Matthew Bowman)
Date: Thu Jan 12 21:16:29 2006
Subject: Logging mailed marked as spam by RBL
Message-ID:

Check your /var/spool/maillog it should indicate which RBL was mentioned in
the detection

Regards,

Matthew K Bowman,
Systems Administrator; Hostmaster; Miva Administrator
Universal Digital Communications, Mansfield Ohio.

Dale Lovelace
Sent by: MailScanner mailing list
11/19/2002 01:46 PM
Please respond to MailScanner mailing list

cc:
Subject: Logging mailed marked as spam by RBL

Hello,

I have MailScanner configured to use the RBL's ORDB-RBL and
Infinite-Monkeys, and SpamAssassin configured to skip_rbl_checks.

When MailScanner marks a message as spam because it is in the RBL, does it
log this? If so, what does the log entry look like?

Is there a way to test to make sure MailScanner is marking mail that is
from an RBL'ed site as spam?

Thanks,

Dale Lovelace

From dlovelace at HOTELS.COM Tue Nov 19 19:06:53 2002
From: dlovelace at HOTELS.COM (Dale Lovelace)
Date: Thu Jan 12 21:16:29 2006
Subject: Logging mailed marked as spam by RBL
Message-ID: <95DD6F026D9C5C459E262B9C385C478E327DB7@h-file04.180096hotel.com>

I don't have any entries in /var/log/maillog that would lead me to believe
that MailScanner has blocked any messages from an RBL'ed site... That's why
I wanted to make sure that MailScanner logged this, and to find out what
the log entry would look like when it did. Perhaps I should have been a bit
more clear :-)

Could you copy one of your RBL'ed log entries into an email so I would know
what they were supposed to look like if I were getting them?

Thanks!

Dale Lovelace

-----Original Message-----
From: Matthew Bowman [mailto:mbowman@UDCOM.COM]
Sent: Tuesday, November 19, 2002 12:47 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Logging mailed marked as spam by RBL

Check your /var/spool/maillog it should indicate which RBL was mentioned in
the detection

Regards,

Matthew K Bowman,
Systems Administrator; Hostmaster; Miva Administrator
Universal Digital Communications, Mansfield Ohio.

Dale Lovelace
Sent by: MailScanner mailing list
11/19/2002 01:46 PM
Please respond to MailScanner mailing list

cc:
Subject: Logging mailed marked as spam by RBL

Hello,

I have MailScanner configured to use the RBL's ORDB-RBL and
Infinite-Monkeys, and SpamAssassin configured to skip_rbl_checks.

When MailScanner marks a message as spam because it is in the RBL, does it
log this? If so, what does the log entry look like?

Is there a way to test to make sure MailScanner is marking mail that is
from an RBL'ed site as spam?

Thanks,

Dale Lovelace

From mailscanner at ecs.soton.ac.uk Tue Nov 19 18:54:39 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:29 2006
Subject: Logging mailed marked as spam by RBL
In-Reply-To: <95DD6F026D9C5C459E262B9C385C478E59819D@h-file04.180096hotel.com>
Message-ID: <5.2.0.9.2.20021119185239.02e60270@imap.ecs.soton.ac.uk>

At 18:46 19/11/2002, you wrote:
> When MailScanner marks a message as spam because it is in the RBL, does
> it log this? If so, what does the log entry look like?

Set
Log Spam = yes
and you'll see.

> Is there a way to test to make sure MailScanner is marking mail that is
> from an RBLed site as spam?

Relay a message through it, i.e. send yourself some mail using the open
relay as your smtp server.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From Harish.Amin at DEG.STATE.WI.US Tue Nov 19 19:45:21 2002
From: Harish.Amin at DEG.STATE.WI.US (Amin, Harish)
Date: Thu Jan 12 21:16:29 2006
Subject: Logging mailed marked as spam by RBL
Message-ID: <47F3EDACE4BC3A4594D0D7B504062BBD019C66FE@doamail04>

Dale

Check /var/log/syslog if you don't have maillog

# grep RBL /var/log/syslog
Nov 18 04:14:46 badger MailScanner[8264]: RBL checks: gAIAEdQ09660 found in ORDB-RBL
Nov 18 04:14:47 badger MailScanner[8264]: Message gAIAEdQ09660 from 218.44.224.250 (tm-net.co.jp) is spam according to ORDB-RBL
Nov 18 15:59:56 badger MailScanner[15941]: RBL checks: gAILxqQ19320 found in ORDB-RBL
Nov 18 15:59:57 badger MailScanner[15941]: Message gAILxqQ19320 from 204.86.126.102 () is spam according to ORDB-RBL

-----Original Message-----
From: Dale Lovelace [mailto:dlovelace@HOTELS.COM]
Sent: Tuesday, November 19, 2002 1:07 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Logging mailed marked as spam by RBL

I don't have any entries in /var/log/maillog that would lead me to believe
that MailScanner has blocked any messages from an RBL'ed site... That's why
I wanted to make sure that MailScanner logged this, and to find out what
the log entry would look like when it did. Perhaps I should have been a bit
more clear :-)

Could you copy one of your RBL'ed log entries into an email so I would know
what they were supposed to look like if I were getting them?

Thanks!

Dale Lovelace

-----Original Message-----
From: Matthew Bowman [mailto:mbowman@UDCOM.COM]
Sent: Tuesday, November 19, 2002 12:47 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Logging mailed marked as spam by RBL

Check your /var/spool/maillog it should indicate which RBL was mentioned in
the detection

Regards,

Matthew K Bowman,
Systems Administrator; Hostmaster; Miva Administrator
Universal Digital Communications, Mansfield Ohio.

Dale Lovelace
Sent by: MailScanner mailing list
11/19/2002 01:46 PM
Please respond to MailScanner mailing list

cc:
Subject: Logging mailed marked as spam by RBL

Hello,

I have MailScanner configured to use the RBL's ORDB-RBL and
Infinite-Monkeys, and SpamAssassin configured to skip_rbl_checks.

When MailScanner marks a message as spam because it is in the RBL, does it
log this? If so, what does the log entry look like?

Is there a way to test to make sure MailScanner is marking mail that is
from an RBL'ed site as spam?

Thanks,

Dale Lovelace

From dlovelace at HOTELS.COM Tue Nov 19 19:53:55 2002
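[Added example, not part of any list member's message and not MailScanner code: a Python sketch that correlates the two RBL log entry formats quoted earlier in this thread by queue id, and lists RBL hits for which no "is spam according to" entry was logged. The queue id gAIM2aQ19401, the sendmail line, and the choice to treat the text after "found in" / "according to" as one opaque list name are assumptions made for the example.]

```python
import re
from collections import Counter

# Syslog prefix as in the quoted entries: "Nov 18 04:14:46 badger MailScanner[8264]: ..."
PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"MailScanner\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# The two entry formats shown in the thread.
RBL_HIT = re.compile(r"^RBL checks: (?P<id>\S+) found in (?P<lists>.+)$")
VERDICT = re.compile(
    r"^Message (?P<id>\S+) from (?P<ip>\S+) \((?P<rdns>[^)]*)\) "
    r"is spam according to (?P<lists>.+)$"
)

# Lines 1-4 are the entries quoted in the thread. Lines 5-6 are constructed
# for this example: an RBL hit with no verdict entry, and a non-MailScanner entry.
SAMPLE_LOG = """\
Nov 18 04:14:46 badger MailScanner[8264]: RBL checks: gAIAEdQ09660 found in ORDB-RBL
Nov 18 04:14:47 badger MailScanner[8264]: Message gAIAEdQ09660 from 218.44.224.250 (tm-net.co.jp) is spam according to ORDB-RBL
Nov 18 15:59:56 badger MailScanner[15941]: RBL checks: gAILxqQ19320 found in ORDB-RBL
Nov 18 15:59:57 badger MailScanner[15941]: Message gAILxqQ19320 from 204.86.126.102 () is spam according to ORDB-RBL
Nov 18 16:02:10 badger MailScanner[15941]: RBL checks: gAIM2aQ19401 found in Infinite-Monkeys
Nov 18 16:02:11 badger sendmail[19402]: starting daemon (8.12.5): SMTP
"""


def _blank():
    """Empty per-message record; fields are filled in as entries are seen."""
    return {"hit_lists": None, "hit_time": None, "ip": None, "rdns": None,
            "verdict_lists": None, "marked_spam": False}


def analyse(lines):
    """Correlate 'RBL checks' hits with 'is spam according to' entries by queue id."""
    messages = {}            # queue id -> record
    per_list = Counter()     # list name -> number of spam verdicts
    for line in lines:
        m = PREFIX.match(line.strip())
        if m is None:
            continue         # sendmail or other non-MailScanner entry
        text = m["msg"]
        hit = RBL_HIT.match(text)
        verdict = VERDICT.match(text)
        if hit:
            rec = messages.setdefault(hit["id"], _blank())
            rec["hit_lists"] = hit["lists"]
            rec["hit_time"] = m["ts"]
        elif verdict:
            rec = messages.setdefault(verdict["id"], _blank())
            rec["ip"] = verdict["ip"]
            rec["rdns"] = verdict["rdns"] or None   # "()" means no hostname logged
            rec["verdict_lists"] = verdict["lists"]
            rec["marked_spam"] = True
            per_list[verdict["lists"]] += 1
    # A list hit with no verdict entry is worth a look: either spam logging is
    # off or the message was not marked.
    unconfirmed = [qid for qid, rec in messages.items()
                   if rec["hit_lists"] and not rec["marked_spam"]]
    return {"messages": messages, "per_list": per_list, "unconfirmed": unconfirmed}


def report(result):
    """Render the analysis as printable rows."""
    rows = [f"{name}: {count} message(s) marked as spam"
            for name, count in sorted(result["per_list"].items())]
    for qid in result["unconfirmed"]:
        rec = result["messages"][qid]
        rows.append(f"{qid}: found in {rec['hit_lists']} at {rec['hit_time']}, "
                    "no spam verdict logged")
    return rows


if __name__ == "__main__":
    for row in report(analyse(SAMPLE_LOG.splitlines())):
        print(row)
```
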
From: dlovelace at HOTELS.COM (Dale Lovelace)
Date: Thu Jan 12 21:16:29 2006
Subject: Logging mailed marked as spam by RBL
Message-ID: <95DD6F026D9C5C459E262B9C385C478E59819E@h-file04.180096hotel.com>

Ok, I finally got some spam from a RBL'ed site so I could see the log
entry. I noticed a strange entry:

Nov 19 13:13:25 relay-01 MailScanner[24780]: Spam Actions: (RBL) Bounce To

And that's it. Shouldn't the $from be at the end of the line? I noticed
that SpamAssassin bounce lines were similar in that they left off the
$from.

Bug?

Thanks,

Dale Lovelace

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Tuesday, November 19, 2002 12:55 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Logging mailed marked as spam by RBL

At 18:46 19/11/2002, you wrote:
> When MailScanner marks a message as spam because it is in the RBL, does
> it log this? If so, what does the log entry look like?

Set
Log Spam = yes
and you'll see.

> Is there a way to test to make sure MailScanner is marking mail that is
> from an RBLed site as spam?

Relay a message through it, i.e. send yourself some mail using the open
relay as your smtp server.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mbest at JET2.NET Tue Nov 19 19:42:26 2002
From: mbest at JET2.NET (Matt)
Date: Thu Jan 12 21:16:29 2006
Subject: red hat 8 weirdness
Message-ID: <036301c29003$c9ca1180$0201a8c0@RADIUS>

Hello,

Just a couple problems I am having here with Red Hat 8.0 and MailScanner
4.05-3:

Mailscanner is restarting itself every 10 seconds, regardless of what I have
set in the /etc/MailScanner.conf.

Is there a way in the new mailscanner to turn off the Virus Scanning but
still use the attachment scanning? I was able to do this in previous
versions. I am having some problems getting it to read the sophos IDE
files, and just wanted to test it out without using the virus scanner.

Can anyone steer me in the right direction here?

Thanks..

Regards,
Matt

From mailscanner at ecs.soton.ac.uk Tue Nov 19 20:16:23 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:29 2006
Subject: Logging mailed marked as spam by RBL
In-Reply-To: <95DD6F026D9C5C459E262B9C385C478E59819E@h-file04.180096hotel.com>
Message-ID: <5.2.0.9.2.20021119201539.022a9b28@imap.ecs.soton.ac.uk>

At 19:53 19/11/2002, you wrote:
> Ok, I finally got some spam from a RBL'ed site so I could see the log
>entry. I noticed a strange entry:
>
>Nov 19 13:13:25 relay-01 MailScanner[24780]: Spam Actions: (RBL) Bounce
>To
>
> And that's it. Shouldn't the $from be at the end of the line? I
>noticed that SpamAssassin bounce lines were similar in that they left
>off the $from.
>
> Bug?

Indeed. Fixed.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Tue Nov 19 20:18:17 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:29 2006
Subject: red hat 8 weirdness
In-Reply-To: <036301c29003$c9ca1180$0201a8c0@RADIUS>
Message-ID: <5.2.0.9.2.20021119201719.022efce8@imap.ecs.soton.ac.uk>

At 19:42 19/11/2002, you wrote:
>Just a couple problems I am having here with Red Hat 8.0 and MailScanner
>4.05-3:
>
>Mailscanner is restarting itself every 10 seconds, regardless of what I have
>set in the /etc/MailScanner.conf.

What does the maillog say?

>Is there a way in the new mailscanner to turn off the Virus Scanning but
>still use the attachment scanning? I was able to do this in previous
>versions. I am having some problems getting it to read the sophos IDE
>files, and just wanted to test it out without using the virus scanner.

Set
Virus Scanners = none

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mbest at JET2.NET Tue Nov 19 20:08:32 2002
From: mbest at JET2.NET (Matt)
Date: Thu Jan 12 21:16:29 2006
Subject: red hat 8 weirdness
References: <5.2.0.9.2.20021119201719.022efce8@imap.ecs.soton.ac.uk>
Message-ID: <039801c29007$6f7c67b0$0201a8c0@RADIUS>

----- Original Message -----
From: "Julian Field"
To:
Sent: November 19, 2002 3:18 PM
Subject: Re: red hat 8 weirdness

> At 19:42 19/11/2002, you wrote:
> >Just a couple problems I am having here with Red Hat 8.0 and MailScanner
> >4.05-3:
> >
> >Mailscanner is restarting itself every 10 seconds, regardless of what I have
> >set in the /etc/MailScanner.conf.
>
> What does the maillog say?

Hi Julian,

Great program btw, I use it on a handful of linux servers and got my
colleague in Toronto to use it on his Cobalt RaQ. We both love it.

Here's my maillog:

--- snip ---
Nov 19 14:39:13 worm sendmail[1400]: alias database /etc/aliases rebuilt by mbest
Nov 19 14:39:13 worm sendmail[1400]: /etc/aliases: 64 aliases, longest 10 bytes, 636 bytes total
Nov 19 14:39:13 worm sendmail[1409]: starting daemon (8.12.5): SMTP
Nov 19 14:39:13 worm sendmail[1414]: starting daemon (8.12.5): queueing@00:15:00
Nov 19 14:39:14 worm MailScanner[1426]: MailScanner
Nov 19 14:39:14 worm MailScanner[1426]: MailScanner E-Mail Virus Scanner version 4.05-3 starting...
Nov 19 14:39:14 worm MailScanner[1426]: Using locktype = flock
Nov 19 14:39:24 worm MailScanner[1428]: MailScanner
Nov 19 14:39:24 worm MailScanner[1428]: MailScanner E-Mail Virus Scanner version 4.05-3 starting...
Nov 19 14:39:24 worm MailScanner[1428]: Using locktype = flock
Nov 19 14:39:34 worm MailScanner[1430]: MailScanner
Nov 19 14:39:34 worm MailScanner[1430]: MailScanner E-Mail Virus Scanner version 4.05-3 starting...
Nov 19 14:39:34 worm MailScanner[1430]: Using locktype = flock
--- snip ---

> Set
> Virus Scanners = none
>

Doh, should have seen that one. Thanks!

--Matt

> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Tue Nov 19 20:33:48 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:29 2006
Subject: red hat 8 weirdness
In-Reply-To: <039801c29007$6f7c67b0$0201a8c0@RADIUS>
References: <5.2.0.9.2.20021119201719.022efce8@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20021119203018.022eae78@imap.ecs.soton.ac.uk>

At 20:08 19/11/2002, you wrote:
> > At 19:42 19/11/2002, you wrote:
> > >Just a couple problems I am having here with Red Hat 8.0 and MailScanner
> > >4.05-3:
> > >
> > >Mailscanner is restarting itself every 10 seconds, regardless of what I have
> > >set in the /etc/MailScanner.conf.
> >
> > What does the maillog say?
>
>Hi Julian,
>
>Great program btw, I use it on a handful of linux servers and got my
>colleague in Toronto to use it on his Cobalt RaQ. We both love it.

Glad you like it! Have you added a comment in the "guest book" on the
website yet?

>Here's my maillog:
>
>--- snip ---
>Nov 19 14:39:13 worm sendmail[1400]: alias database /etc/aliases rebuilt by
>mbest
>Nov 19 14:39:13 worm sendmail[1400]: /etc/aliases: 64 aliases, longest 10
>bytes, 636 bytes total
>Nov 19 14:39:13 worm sendmail[1409]: starting daemon (8.12.5): SMTP
>Nov 19 14:39:13 worm sendmail[1414]: starting daemon (8.12.5):
>queueing@00:15:00
>Nov 19 14:39:14 worm MailScanner[1426]: MailScanner
>Nov 19 14:39:14 worm MailScanner[1426]: MailScanner E-Mail Virus Scanner
>version 4.05-3 starting...
>Nov 19 14:39:14 worm MailScanner[1426]: Using locktype = flock
>Nov 19 14:39:24 worm MailScanner[1428]: MailScanner
>Nov 19 14:39:24 worm MailScanner[1428]: MailScanner E-Mail Virus Scanner
>version 4.05-3 starting...
>Nov 19 14:39:24 worm MailScanner[1428]: Using locktype = flock
>Nov 19 14:39:34 worm MailScanner[1430]: MailScanner
>Nov 19 14:39:34 worm MailScanner[1430]: MailScanner E-Mail Virus Scanner
>version 4.05-3 starting...
>Nov 19 14:39:34 worm MailScanner[1430]: Using locktype = flock
>--- snip ---

That's normal.
It will start up the parent plus as many child processes as you've got
configured in Max Children in MailScanner.conf. By default this is 5.
There is a 10 second skew between starting up each MailScanner in order to
avoid the "herd of elephants" problem that can plague parallel-processing
systems.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From dlovelace at HOTELS.COM Tue Nov 19 20:53:34 2002
From: dlovelace at HOTELS.COM (Dale Lovelace)
Date: Thu Jan 12 21:16:29 2006
Subject: Logging mailed marked as spam by RBL
Message-ID: <95DD6F026D9C5C459E262B9C385C478E327DBA@h-file04.180096hotel.com>

Thanks!

Would you mind if I asked a stupid perl question? In the file
/usr/lib/MailScanner/MailScanner/Config.pm you use "new FileHandle" quite a
few times. Where does the object "FileHandle" come from? I am trying to
steal from your Config.pm to read in the config file for the MailScanner
log analyzer I am writing :-)

Thanks,

Dale

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Tuesday, November 19, 2002 2:16 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Logging mailed marked as spam by RBL

At 19:53 19/11/2002, you wrote:
> Ok, I finally got some spam from a RBL'ed site so I could see the log
>entry. I noticed a strange entry:
>
>Nov 19 13:13:25 relay-01 MailScanner[24780]: Spam Actions: (RBL) Bounce
>To
>
> And that's it. Shouldn't the $from be at the end of the line? I
>noticed that SpamAssassin bounce lines were similar in that they left
>off the $from.
>
> Bug?

Indeed. Fixed.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Tue Nov 19 20:58:01 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:29 2006 Subject: Logging mailed marked as spam by RBL In-Reply-To: <95DD6F026D9C5C459E262B9C385C478E327DBA@h-file04.180096hote l.com> Message-ID: <5.2.0.9.2.20021119205656.02293ea8@imap.ec