From hciss at HCIWS.COM Tue Oct 1 01:05:53 2002
From: hciss at HCIWS.COM (Matt)
Date: Thu Jan 12 21:15:48 2006
Subject: V4 Rpm
Message-ID: <001b01c268de$521ac630$6401a8c0@matthewmpqowmc>

Sorry to be a pain but are we getting close to a v4 rpm?

Matt

From mike at CAMAROSS.NET Tue Oct 1 01:29:40 2002
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:15:48 2006
Subject: V4 Rpm
In-Reply-To: <001b01c268de$521ac630$6401a8c0@matthewmpqowmc>
Message-ID: <003501c268e1$a3b03680$6501a8c0@mikedesk>

Julian said earlier:

I'm also shortly going to be giving the RPMs of V4 to a few selected people for testing. If you want to be included in the test, then please drop me a line with "RPM testing" in the subject line. Please only ask if you are happy playing with RPM, know how it all works, how to force RPM into doing things it doesn't want to, and are generally happy if the RPM install/uninstall scripts don't quite work properly. If my test RPMs break your system, don't come running to me for help :-)

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Matt
Sent: Monday, September 30, 2002 7:06 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: V4 Rpm

Sorry to be a pain but are we getting close to a v4 rpm?

Matt

From hciss at HCIWS.COM Tue Oct 1 02:13:14 2002
From: hciss at HCIWS.COM (Matt)
Date: Thu Jan 12 21:15:48 2006
Subject: V4 Rpm
References: <003501c268e1$a3b03680$6501a8c0@mikedesk>
Message-ID: <001201c268e7$badb6630$6401a8c0@matthewmpqowmc>

> I'm also shortly going to be giving the RPMs of V4 to a few selected
> people for testing. If you want to be included in the test, then please
> drop me a line with "RPM testing" in the subject line. Please only ask
> if you are happy playing with RPM, know how it all works, how to force
> RPM into doing things it doesn't want to, and are generally happy if the
> RPM install/uninstall scripts don't quite work properly. If my test RPMs

That's not me. ;<) Sounds like we will have an RPM release soon though.

Matt

> break your system, don't come running to me for help :-)

> Sorry to be a pain but are we getting close to a v4 rpm?
>
> Matt

From mike at CAMAROSS.NET Tue Oct 1 02:23:59 2002
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:15:48 2006
Subject: V4 Rpm
In-Reply-To: <001201c268e7$badb6630$6401a8c0@matthewmpqowmc>
Message-ID:

The tarball download is very easy. If you don't like it, then you can go back to the 3.x version which will still be installed.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Matt
Sent: Monday, September 30, 2002 8:13 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: V4 Rpm

> I'm also shortly going to be giving the RPMs of V4 to a few selected
> people for testing. If you want to be included in the test, then please
> drop me a line with "RPM testing" in the subject line. Please only ask
> if you are happy playing with RPM, know how it all works, how to force
> RPM into doing things it doesn't want to, and are generally happy if the
> RPM install/uninstall scripts don't quite work properly. If my test RPMs

That's not me. ;<) Sounds like we will have an RPM release soon though.

Matt

> break your system, don't come running to me for help :-)

> Sorry to be a pain but are we getting close to a v4 rpm?
>
> Matt

From mike at CAMAROSS.NET Tue Oct 1 05:36:59 2002
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:15:48 2006
Subject: MRTG
In-Reply-To:
Message-ID:

Ok...I've been jacking with sendmail.logs.pl now for hours and since I can only spell 'perl', I'm stumped! For the virus counters, I need to find '>>> Virus' to increment the counter, but nothing I put on the line seems to work.

    $TotalViruses += $1 if />>> Virus/;
    $TotalViruses += $1 if /Rescan/;
    $TotalViruses += $1 if /Rescan/i;

Can a perl guru shed some light?
Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Rose, Bobby
Sent: Monday, September 30, 2002 5:12 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: MRTG

Oops yeh I forgot about that one.

-----Original Message-----
From: Mike Kercher [mailto:mike@CAMAROSS.NET]
Sent: Monday, September 30, 2002 5:56 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: MRTG

I found one problem: The process changed from 'mailscanner' to 'MailScanner', so now my spams are being picked up. Viruses are not however. One thing I noticed in grepping the log is that Viruses that are detected are being listed twice:

[root@redline bin]# cat /var/log/maillog |grep ">>> Virus"
Sep 30 11:10:39 redline MailScanner[18225]: >>> Virus 'W32/Klez-H' found in file ./g8UGAXv19493/install.exe
Sep 30 11:10:42 redline MailScanner[18225]: >>> Virus 'W32/Klez-H' found in file ./g8UGAXv19493/install.exe
Sep 30 14:21:15 redline MailScanner[18225]: >>> Virus 'W32/Bugbear-A' found in file ./g8UJLBv25275/BIRTHDAYS.xls.exe
Sep 30 14:21:18 redline MailScanner[18225]: >>> Virus 'W32/Bugbear-A' found in file ./g8UJLBv25275/BIRTHDAYS.xls.exe
Sep 30 16:17:15 redline MailScanner[28976]: >>> Virus 'W32/Klez-H' found in file ./g8ULH5v28971/CAYRKX0V.scr
Sep 30 16:17:17 redline MailScanner[28976]: >>> Virus 'W32/Klez-H' found in file ./g8ULH5v28971/CAYRKX0V.scr

Will that not throw the count off by a multiple of 2?

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Mike Kercher
Sent: Monday, September 30, 2002 4:39 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: MRTG

Hrm...that doesn't seem to be working for me...

        chomp;
        if (/sendmail/) {
            $TotalMails += $1 if /nrcpts=(\d+),/;
            next;
        }
        if (/mailscanner/) {
            $TotalViruses += $1 if />>> Virus/i;
            $TotalSpam++ if /actions are deliver/i;
        }
    }
    close LOG;
}

Does that look like what you have?

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Rose, Bobby
Sent: Monday, September 30, 2002 4:24 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: MRTG

The logging has changed so you need to change string used to the regex the sendmail.logs.pl script. I'm currently using

/actions are deliver/I for Spam and />>> Virus/I for Viruses. So far that seems to be correct.

-----Original Message-----
From: Mike Kercher [mailto:mike@CAMAROSS.NET]
Sent: Monday, September 30, 2002 5:06 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: MRTG

They used to be before I upgraded to 4.00 When I have some time, I'll try to figure out why it's not working anymore.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Matt
Sent: Monday, September 30, 2002 3:59 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: MRTG

> I have it running at http://bladeware.com/ I haven't tweaked it since
> moving to v4.00 so for some reason, my Spam and Virus stats are out of
> date. The mail is working though :)

I think it would be neat to have the SPAM and virus stats in the same graph. Kind of like a T1 is graphed with upstream in one color and downstream in another.

Matt

From dave at ESI.COM.AU Tue Oct 1 06:08:06 2002
From: dave at ESI.COM.AU (Dave Horsfall)
Date: Thu Jan 12 21:15:48 2006
Subject: MRTG
In-Reply-To:
Message-ID:

On Mon, 30 Sep 2002, Mike Kercher wrote:

> Ok...I've been jacking with sendmail.logs.pl now for hours and since I can only spell 'perl', I'm stumped! For the virus counters,
> I need to find '>>> Virus' to increment the counter, but nothing I put on the line seems to work.
>
> $TotalViruses += $1 if />>> Virus/;
> $TotalViruses += $1 if /Rescan/;
> $TotalViruses += $1 if /Rescan/i;
>
> Can a perl guru shed some light?

Lose the "$" in front of "1". Better: $TotalViruses++ if ...
--
Dave Horsfall DTM VK2KFU dave@esi.com.au Ph: +61 2 9906-3377 Fx: 9906-3468
(Unix Guru) Pacific ESI, Unit 22, 8 Campbell St, Artarmon, NSW 2065, Australia

From kris at JUMPOUT.ORG Tue Oct 1 06:39:30 2002
From: kris at JUMPOUT.ORG (Kris Stumpner)
Date: Thu Jan 12 21:15:48 2006
Subject: MRTG
In-Reply-To:
Message-ID:

Here's what I came up with tonight. It uses the many extra log file entries that v4 offers now. It also catches the viruses that are found via Filename Checks.

        if (/MailScanner/) {
            $TotalViruses += $1 if /Virus Scanning: Found (\d+) viruses/i;
            $TotalViruses++ if /Filename Checks: \S* virus/i;
            $TotalSpam += $1 if /Spam Checks: Found (\d+) spam messages/i;
        }

The problem I see with the '$TotalViruses ++ if />>> Virus/;' command is that when MailScanner does a Virus Rescan, it catches it again, so the figures are skewed 2-fold (as mike pointed out earlier). Also, '$TotalSpam++ if /actions are deliver/i;' will not work if the server is not delivering spam marked mail.

This seems to be working good for me thus far.

Kris

From dbird at SGHMS.AC.UK Tue Oct 1 10:55:11 2002
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:15:48 2006
Subject: RRD Tool - Was MRTG
References:
Message-ID: <3D9970FF.5050400@sghms.ac.uk>

Just a thought, is any one using RRD Tool (also from Tobias) for monitoring of in/out messages/spam/viruses?..Since you can plot multiple graphs along the same time axis.

rgrds
Dan

From LISTSERV at JISCMAIL.AC.UK Tue Oct 1 03:25:16 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e))
Date: Thu Jan 12 21:15:48 2006
Subject: MAILSCANNER: fizz@BOMB.NET left the list
Message-ID: <200210010225.DAA28475@magpie.ecs.soton.ac.uk>

Tue, 1 Oct 2002 03:25:16

Kelly Hamlin has just signed off the MAILSCANNER list (MailScanner mailing list).
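
Added example, not part of the thread and not code from sendmail.logs.pl or MailScanner: the counting discussed in the MRTG messages above as a stand-alone Perl script, showing the v4 summary patterns from Kris's message next to a count of the per-file '>>> Virus' lines that ignores the rescan repeat. The tally() function, the de-duplication key, and the sendmail and summary sample lines are assumptions constructed for illustration; only the '>>> Virus' lines are taken from the log excerpt in the thread.

```perl
#!/usr/bin/perl
# Added example, not code from sendmail.logs.pl or MailScanner.
use strict;
use warnings;

# Count mail, spam and virus events in a list of maillog lines.
sub tally {
    my @lines = @_;
    my %t = (mails => 0, spam => 0, virus_summary => 0,
             virus_lines => 0, virus_unique => 0);
    my %seen;    # per-file detections already counted

    for (@lines) {
        chomp;
        if (/sendmail\[\d+\]:/) {
            $t{mails} += $1 if /nrcpts=(\d+),/;
            next;
        }
        # v4 logs under 'MailScanner'; a test for 'mailscanner' never matches.
        next unless /MailScanner\[\d+\]:/;

        # Summary patterns from Kris's message. "+= $1" works here only
        # because each pattern has a (\d+) capture group.
        $t{virus_summary} += $1 if /Virus Scanning: Found (\d+) viruses/i;
        $t{virus_summary}++     if /Filename Checks: \S* virus/i;
        $t{spam}          += $1 if /Spam Checks: Found (\d+) spam messages/i;

        # Per-file lines. A pattern with no capture group leaves $1 undefined,
        # so "+= $1 if />>> Virus/" adds nothing; increment instead. The rescan
        # logs the same virus and file again, so count each pair once
        # (assumed key: virus name plus file path, which contains the queue id).
        if (/>>> Virus '([^']+)' found in file (\S+)/) {
            $t{virus_lines}++;
            $t{virus_unique}++ unless $seen{"$1|$2"}++;
        }
    }
    return %t;
}

# Sample input. The ">>> Virus" lines come from the log excerpt in the thread;
# the sendmail and summary lines are constructed to fit the quoted patterns.
my @sample = split /\n/, <<'END';
Sep 30 11:10:30 redline sendmail[19493]: g8UGAXv19493: from=<a@example.com>, size=1200, nrcpts=2, msgid=<x@example.com>
Sep 30 11:10:39 redline MailScanner[18225]: >>> Virus 'W32/Klez-H' found in file ./g8UGAXv19493/install.exe
Sep 30 11:10:42 redline MailScanner[18225]: >>> Virus 'W32/Klez-H' found in file ./g8UGAXv19493/install.exe
Sep 30 11:10:43 redline MailScanner[18225]: Virus Scanning: Found 1 viruses
Sep 30 14:21:15 redline MailScanner[18225]: >>> Virus 'W32/Bugbear-A' found in file ./g8UJLBv25275/BIRTHDAYS.xls.exe
Sep 30 14:21:18 redline MailScanner[18225]: >>> Virus 'W32/Bugbear-A' found in file ./g8UJLBv25275/BIRTHDAYS.xls.exe
Sep 30 14:21:19 redline MailScanner[18225]: Spam Checks: Found 3 spam messages
END

my %t = tally(@sample);
printf "mails=%d spam=%d\n", $t{mails}, $t{spam};
printf "viruses: %d '>>> Virus' lines, %d unique, %d from summary lines\n",
    $t{virus_lines}, $t{virus_unique}, $t{virus_summary};
```
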
From paulo at turnpike.com Tue Oct 1 12:45:09 2002
From: paulo at turnpike.com (Dave English)
Date: Thu Jan 12 21:15:48 2006
Subject: Problem with Sys::Syslog
In-Reply-To: <3D889721.D2F0D2A0@di.unito.it>
References: <3D889721.D2F0D2A0@di.unito.it>
Message-ID:

In message <3D889721.D2F0D2A0@di.unito.it>, Rabellino Sergio writes
>Dave English wrote:
>>
>> When I try to run my mailscanner on Solaris 8 with Perl 5.6.1, it fails
>> with this message:
>>
>> # ./check_mailscanner
>> Starting virus scanner...
>> connect: No such file or directory (SOCK_DGRAM after trying SOCK_STREAM)
>> at /opt/mailscanner/bin/logger.pl line 75
>> #
>> Does anyone have any idea where I should start?
>>
>Try to change "unix" to "inet" on line 44 inside logger.pl
>
>It's an old problem of solaris syslog, where is not defined the path
>for the syslog unix socket (unused for a normal solaris
>installation...as I know...)

Thanks, that did indeed do the job.

In message <5.1.0.14.2.20020918161232.02c70560@imap.ecs.soton.ac.uk>, Julian Field writes
>At 15:45 18/09/2002, you wrote:
>Start by getting h2ph to run, to ensure all your .ph files are up to date
>(and exist).
>        cd /usr/include; h2ph -r -l .
>though you will probably have to find your copy of h2ph first and put the
>full pathname in the command above. Don't forget the "." on the end of the
>command.
>
>If that doesn't fix it, then
>        perl -MCPAN -e shell
>        install Sys::Syslog
>and see if it finds a newer Syslog module for you. If it starts upgrading
>perl (loads and loads of cc commands) then stop it doing it.

Not to say that one of those might not have been better.

Regards
--
Dave English, Client Software Development,
Thus PLC, Dorking Business Park, DORKING, Surrey, UK. RH4 1HJ
http://www.thus.net

From LISTSERV at JISCMAIL.AC.UK Tue Oct 1 13:57:34 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e))
Date: Thu Jan 12 21:15:48 2006
Subject: MAILSCANNER: dwokfur@DC.SOTE.HU left the list
Message-ID: <200210011257.NAA04641@magpie.ecs.soton.ac.uk>

Tue, 1 Oct 2002 13:57:34

T?th Attila has just signed off the MAILSCANNER list (MailScanner mailing list).
From thomas_duvally at BROWN.EDU Tue Oct 1 14:18:56 2002
From: thomas_duvally at BROWN.EDU (Thomas DuVally)
Date: Thu Jan 12 21:15:48 2006
Subject: Vfind
In-Reply-To: <002f01c268cb$397601c0$32012c0a@Gavin>
References: <002f01c268cb$397601c0$32012c0a@Gavin>
Message-ID: <1033478335.1644.13.camel@toms>

From what I've seen, Vfind isn't supported, but...

I have used Vfind in the past, and since I've mucked around inside the sweep.pl code a bit and gotten MailScanner to work with Symantec Carrier Scan, I can tell you with confidence that it should be easily do-able.. I know that Cybersoft has worked hard to make VFind very parsable and commandline accessible. In fact I had considered using it before I found out we had platinum support with Symantec and almost everything was free from them. VFind is a good product. I think it would be great if MailScanner supported it.
Heck, I might even break out my old version and see if I can get it working (probably not too soon though).

On Mon, 2002-09-30 at 17:49, Gavin Nelmes-Crocker wrote:
> Has anyone tried to use CyberSofts Vfind with mailscanner I didn't see
> it on the list or was it the thirteenth that nobody wanted to do! - I
> only ask as it is another product that is priced on a server basis
> rather than per user.
>
> Regards
>
> Gavin
--
Tom DuVally
Lead Sys. Programmer
CIS, Brown University

From matthew.richard at COCC.COM Tue Oct 1 16:06:31 2002
From: matthew.richard at COCC.COM (Richard, Matt)
Date: Thu Jan 12 21:15:48 2006
Subject: Spam whitelist problem
Message-ID:

I am having a recurring problem with one domain that I cannot get properly tagged as spam. I have tried adding this domain to the blacklist, which correctly shows in the score, but all mail from email-publisher.com still shows as whitelisted. The domain email-publisher is not listed in my spam.whitelist.conf. Can anyone give me some ideas where to look to fix this problem?

To: matthew.richard@cocc.com
From: INCOME GENERATOR
Subject: Matthew, you don't know me I realize...
Date: Tue, 01 Oct 2002 07:07:53 -0700
Message-ID: <93313.5121.341852221-1463792126-1033481273@topica.com>
Errors-To:
Reply-To: perf-remove.5121.93313.1927738.0.0.4@boing.topica.com
X-Topica-Id: <1033480824.svc001.10094.1000108>
Mime-Version: 1.0
Content-Type: multipart/alternative;
        boundary="TEP-1223929379.1463793406.1033480809"
X-MailScanner: Found to be clean
X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=111.3,
        required 7, AWL, BIG_FONT, CLICK_BELOW, CLICK_HERE_LINK,
        DEAR_SOMEBODY, EXCUSE_1, HTML_FONT_COLOR_GRAY, HTML_FONT_COLOR_RED,
        HTML_FONT_FACE_ODD, HTML_WITH_BGCOLOR, HTTP_USERNAME_USED,
        SPAM_PHRASE_34_55, TABLE_THICK_BORDER, USER_IN_BLACKLIST)

Matthew Richard
LAN Specialist
matthew.richard@cocc.com
860-678-0444x449
Connecticut Online Computer Center
Avon, CT 06001

From mailscanner at ecs.soton.ac.uk Tue Oct 1 16:19:25 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:48 2006
Subject: Spam whitelist problem
In-Reply-To:
Message-ID: <5.1.0.14.2.20021001161901.043bc0c0@imap.ecs.soton.ac.uk>

What version are you running?
What do your spam white and black lists contain?

At 16:06 01/10/2002, you wrote:
>I am having a recurring problem with one domain that I cannot get properly
>tagged as spam. I have tried adding this domain to the blacklist, which
>correctly shows in the score, but all mail from email-publisher.com still
>shows as whitelisted. The domain email-publisher is not listed in my
>spam.whitelist.conf. Can anyone give me some ideas where to look to fix
>this problem?
>
>To: matthew.richard@cocc.com
>From: INCOME GENERATOR
>Subject: Matthew, you don't know me I realize...
>Date: Tue, 01 Oct 2002 07:07:53 -0700
>Message-ID: <93313.5121.341852221-1463792126-1033481273@topica.com>
>Errors-To:
>Reply-To: perf-remove.5121.93313.1927738.0.0.4@boing.topica.com
>X-Topica-Id: <1033480824.svc001.10094.1000108>
>Mime-Version: 1.0
>Content-Type: multipart/alternative;
>        boundary="TEP-1223929379.1463793406.1033480809"
>X-MailScanner: Found to be clean
>X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=111.3,
>        required 7, AWL, BIG_FONT, CLICK_BELOW, CLICK_HERE_LINK,
>        DEAR_SOMEBODY, EXCUSE_1, HTML_FONT_COLOR_GRAY, HTML_FONT_COLOR_RED,
>        HTML_FONT_FACE_ODD, HTML_WITH_BGCOLOR, HTTP_USERNAME_USED,
>        SPAM_PHRASE_34_55, TABLE_THICK_BORDER, USER_IN_BLACKLIST)
>
>
>Matthew Richard
>LAN Specialist
>matthew.richard@cocc.com
>860-678-0444x449
>Connecticut Online Computer Center
>Avon, CT 06001

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From gerry at dorfam.ca Tue Oct 1 16:23:17 2002
From: gerry at dorfam.ca (Gerry Doris)
Date: Thu Jan 12 21:15:48 2006
Subject: Is Redhat 8.0 Compatible?
Message-ID: <51484.129.80.22.133.1033485797.squirrel@tiger.dorfam.ca>

I noticed that the new release of Redhat comes with Perl 5.8 and the latest version of sendmail. Will there be compatibility problems using MailScanner and SpamAssassin with this release?

Gerry

From bill at DISTMIRR.COM Tue Oct 1 16:43:22 2002
From: bill at DISTMIRR.COM (Bill Omer)
Date: Thu Jan 12 21:15:48 2006
Subject: Deleting infected messages being sent through MailScanner
Message-ID: <000b01c26961$492dfcd0$5d751542@billslaptop>

I'm trying to figure out a way to make MailScanner not deliver messages that are being sent through it that contain viruses. I guess I'm missing something, because I've yet to be able to make this functionality work.

I'm currently using the new 4.0 version of MailScanner, with sendmail 8.12 and Kaspersky antivirus. As a test, I'm sending Pretty_Park.exe to another address on a separate server (on a separate network), and the email and the file are both delivered. Any help on this would be much appreciated.

Regards,
Bill Omer

From mailscanner at ecs.soton.ac.uk Tue Oct 1 16:46:43 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:48 2006
Subject: Is Redhat 8.0 Compatible?
In-Reply-To: <51484.129.80.22.133.1033485797.squirrel@tiger.dorfam.ca>
Message-ID: <5.1.0.14.2.20021001164132.043f96a0@imap.ecs.soton.ac.uk>

At 16:23 01/10/2002, you wrote:
>I noticed that the new release of Redhat comes with Perl 5.8 and the
>latest version of sendmail. Will there be compatibility problems using
>MailScanner and SpamAssassin with this release?

Once I have managed to get hold of a copy of RedHat 8, I will try it out. It will take me a couple of days...
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From jim at ENTROPHY-FREE.NET Tue Oct 1 16:54:44 2002
From: jim at ENTROPHY-FREE.NET (Jim Levie)
Date: Thu Jan 12 21:15:48 2006
Subject: Spam whitelist problem
In-Reply-To:
References:
Message-ID: <1033487684.1469.39.camel@wilowisp.dynetics.com>

On Tue, 2002-10-01 at 10:06, Richard, Matt wrote:
> I am having a recurring problem with one domain that I cannot get properly
> tagged as spam. I have tried adding this domain to the blacklist, which
> correctly shows in the score, but all mail from email-publisher.com still
> shows as whitelisted. The domain email-publisher is not listed in my
> spam.whitelist.conf. Can anyone give me some ideas where to look to fix
> this problem?
>
> To: matthew.richard@cocc.com
> From: INCOME GENERATOR
> Subject: Matthew, you don't know me I realize...
> Date: Tue, 01 Oct 2002 07:07:53 -0700
> Message-ID: <93313.5121.341852221-1463792126-1033481273@topica.com>
> Errors-To:
> Reply-To: perf-remove.5121.93313.1927738.0.0.4@boing.topica.com
> X-Topica-Id: <1033480824.svc001.10094.1000108>
> Mime-Version: 1.0
> Content-Type: multipart/alternative;
>         boundary="TEP-1223929379.1463793406.1033480809"
> X-MailScanner: Found to be clean
> X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=111.3,
>         required 7, AWL, BIG_FONT, CLICK_BELOW, CLICK_HERE_LINK,
>         DEAR_SOMEBODY, EXCUSE_1, HTML_FONT_COLOR_GRAY, HTML_FONT_COLOR_RED,
>         HTML_FONT_FACE_ODD, HTML_WITH_BGCOLOR, HTTP_USERNAME_USED,
>         SPAM_PHRASE_34_55, TABLE_THICK_BORDER, USER_IN_BLACKLIST)
>

What do the full headers show as the MTA that relayed the message to your server? It might be that the relaying MTA is white listed and the mail isn't coming from where you think it is (email-publisher.com).
--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
The instructions said to use Windows 98 or better, so I installed RedHat
Jim Levie                                 email: jim@entrophy-free.net

From mailscanner at ecs.soton.ac.uk Tue Oct 1 16:58:52 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:48 2006
Subject: Deleting infected messages being sent through MailScanner
In-Reply-To: <000b01c26961$492dfcd0$5d751542@billslaptop>
Message-ID: <5.1.0.14.2.20021001165348.04448210@imap.ecs.soton.ac.uk>

# Do you want to deliver messages once they have been cleaned of any
# viruses?
# By making this a ruleset, you can re-create the "Deliver From Local"
# facility of previous versions.
Deliver Cleaned Messages = yes

At 16:43 01/10/2002, you wrote:
>I'm trying to figure out a way to make MailScanner not deliver messages
>that are being sent through it that contain viruses. I guess I'm
>missing something, because I've yet to be able to make this
>functionality work.
>
>I'm currently using the new 4.0 version of MailScanner, with sendmail
>8.12 and Kaspersky antivirus. As a test, I'm sending Pretty_Park.exe to
>another address on a separate server (on a separate network), and the
>email and the file are both delivered. Any help on this would be much
>appreciated.
>
>Regards,
>Bill Omer

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Tue Oct 1 17:15:04 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:48 2006
Subject: Is Redhat 8.0 Compatible?
In-Reply-To: <1033487813.1469.42.camel@wilowisp.dynetics.com>
References: <5.1.0.14.2.20021001164132.043f96a0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021001164132.043f96a0@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021001171418.044f80a8@imap.ecs.soton.ac.uk>

At 16:56 01/10/2002, you wrote:
>On Tue, 2002-10-01 at 10:46, Julian Field wrote:
> > At 16:23 01/10/2002, you wrote:
> > >I noticed that the new release of Redhat comes with Perl 5.8 and the
> > >latest version of sendmail. Will there be compatibility problems using
> > >MailScanner and SpamAssassin with this release?
> >
> > Once I have managed to get hold of a copy of RedHat 8, I will try it out.
> > It will take me a couple of days...
> > --
>I should be able to tell you if there's a problem with either the V3 or
>V4 code by this evening. I have almost every thing set up to be able to
>test both versions against 8.0 right now.

Brilliant. Thanks a lot!
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From bill at DISTMIRR.COM Tue Oct 1 17:22:14 2002
From: bill at DISTMIRR.COM (Bill Omer)
Date: Thu Jan 12 21:15:48 2006
Subject: Deleting infected messages being sent through MailScanner
In-Reply-To: <5.1.0.14.2.20021001165348.04448210@imap.ecs.soton.ac.uk>
Message-ID: <000f01c26966$b40a4db0$5d751542@billslaptop>

Please excuse my lack of coffee and smokes (aka fags). I can't believe I kept missing that option ..... all this frustration for nothing

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Julian Field
> Sent: Tuesday, October 01, 2002 10:59 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Deleting infected messages being sent through MailScanner
>
> # Do you want to deliver messages once they have been cleaned of any
> # viruses?
> # By making this a ruleset, you can re-create the "Deliver From Local"
> # facility of previous versions.
> Deliver Cleaned Messages = yes
>
> At 16:43 01/10/2002, you wrote:
> >I'm trying to figure out a way to make MailScanner not deliver messages
> >that are being sent through it that contain viruses. I guess I'm
> >missing something, because I've yet to be able to make this
> >functionality work.
> >
> >I'm currently using the new 4.0 version of MailScanner, with sendmail
> >8.12 and Kaspersky antivirus. As a test, I'm sending Pretty_Park.exe to
> >another address on a separate server (on a separate network), and the
> >email and the file are both delivered. Any help on this would be much
> >appreciated.
> >
> >Regards,
> >Bill Omer
>
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ

From jim at ENTROPHY-FREE.NET Tue Oct 1 16:56:52 2002
From: jim at ENTROPHY-FREE.NET (Jim Levie)
Date: Thu Jan 12 21:15:48 2006
Subject: Is Redhat 8.0 Compatible?
In-Reply-To: <5.1.0.14.2.20021001164132.043f96a0@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20021001164132.043f96a0@imap.ecs.soton.ac.uk>
Message-ID: <1033487813.1469.42.camel@wilowisp.dynetics.com>

On Tue, 2002-10-01 at 10:46, Julian Field wrote:
> At 16:23 01/10/2002, you wrote:
> >I noticed that the new release of Redhat comes with Perl 5.8 and the
> >latest version of sendmail. Will there be compatibility problems using
> >MailScanner and SpamAssassin with this release?
>
> Once I have managed to get hold of a copy of RedHat 8, I will try it out.
> It will take me a couple of days...
> --
I should be able to tell you if there's a problem with either the V3 or V4 code by this evening. I have almost every thing set up to be able to test both versions against 8.0 right now.
--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
The instructions said to use Windows 98 or better, so I installed RedHat
Jim Levie                                 email: jim@entrophy-free.net

From matthew.richard at COCC.COM Tue Oct 1 18:15:59 2002
From: matthew.richard at COCC.COM (Richard, Matt)
Date: Thu Jan 12 21:15:48 2006
Subject: Spam whitelist problem
Message-ID:

I am running v3.23-4.

In spam.assassin.prefs

blacklist_from *@daily-promotions.com *@dailydealdepot.com *@*.email-publisher.com *@*.specialmailoffers.com

In spam.whitelist.conf

# This is a list of email addresses (with an @ sign in them) or entire email
# domains (without an @ sign in them) from which you will accept mail without
# ever marking it as spam.
*.snet.net *.visaonline.com *.americanbanker.com *.bridger.com *.ca.com *.cocc.com *.cocci.com corpnews.netiq.com *.cramsession.com lists.techtarget.com *.lockergnome.com *.mcafee.com members.techrepublic.com *.monster.com newsfeed.osdn.com peach.ease.lsoft.com *.ziffdavis.com *.schwab.com *.ingrammicro.com *.s1.com newsletter.online.com *.m0.net *.ciscomessage.com *.weather.com *.novell.com *.compaq.com *.gonzobanker.com *.igc.com *.cruise-club.com *.ips-sendero.com *.newsletter.hrcomply.com Matthew Richard LAN Specialist matthew.richard@cocc.com 860-678-0444x449 Connecticut Online Computer Center Avon, CT 06001 -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Tuesday, October 01, 2002 11:19 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Spam whitelist problem What version are you running? What do your spam white and black lists contain? At 16:06 01/10/2002, you wrote: >I am having a recurring problem with one domain that I cannot get >properly tagged as spam. I have tried adding this domain to the >blacklist, which correctly shows in the score, but all mail from >email-publisher.com still shows as whitelisted. The domain >email-publisher is not listed in my spam.whitelist.conf. Can anyone >give me some ideas where to look to fix this problem? > >To: matthew.richard@cocc.com >From: INCOME GENERATOR >Subject: Matthew, you don't know me I realize... 
>Date: Tue, 01 Oct 2002 07:07:53 -0700 >Message-ID: <93313.5121.341852221-1463792126-1033481273@topica.com> >Errors-To: >Reply-To: perf-remove.5121.93313.1927738.0.0.4@boing.topica.com >X-Topica-Id: <1033480824.svc001.10094.1000108> >Mime-Version: 1.0 >Content-Type: multipart/alternative; > boundary="TEP-1223929379.1463793406.1033480809" >X-MailScanner: Found to be clean >X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=111.3, > required 7, AWL, BIG_FONT, CLICK_BELOW, CLICK_HERE_LINK, > DEAR_SOMEBODY, EXCUSE_1, HTML_FONT_COLOR_GRAY, HTML_FONT_COLOR_RED, > HTML_FONT_FACE_ODD, HTML_WITH_BGCOLOR, HTTP_USERNAME_USED, > SPAM_PHRASE_34_55, TABLE_THICK_BORDER, USER_IN_BLACKLIST) > > >Matthew Richard >LAN Specialist >matthew.richard@cocc.com >860-678-0444x449 >Connecticut Online Computer Center >Avon, CT 06001 -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From brose at MED.WAYNE.EDU Tue Oct 1 18:19:39 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:15:48 2006 Subject: V40 and IFRAME and Silent Viruses Message-ID: Can someone watch and confirm this. I've seen some Klez viruses trip both the IFRAME and the Klez and report get sent back to the sender. -=Bobby From brose at MED.WAYNE.EDU Tue Oct 1 21:09:58 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:15:48 2006 Subject: GFI tests Message-ID: Is it possible for these to be in the filename rules file? I've had some people ask about the IFRAME and I wanted to update its report message, but it looks like it's hard-coded to SweepOther.pm. I was planning on either adding a URL to http://www.gfi.com/emailsecuritytest/ or http://www.zzee.com/email_security/ where they could read the info for themselves.
-=B From jim at ENTROPHY-FREE.NET Tue Oct 1 21:02:09 2002 From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:15:48 2006 Subject: Is Redhat 8.0 Compatible? In-Reply-To: <5.1.0.14.2.20021001171418.044f80a8@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20021001164132.043f96a0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021001164132.043f96a0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021001171418.044f80a8@imap.ecs.soton.ac.uk> Message-ID: <1033502532.1417.84.camel@wilowisp.dynetics.com> On Tue, 2002-10-01 at 11:15, Julian Field wrote: > At 16:56 01/10/2002, you wrote: > >On Tue, 2002-10-01 at 10:46, Julian Field wrote: > > > At 16:23 01/10/2002, you wrote: > > > >I noticed that the new release of Redhat comes with Perl 5.8 and the > > > >latest version of sendmail. Will there be compatibility problems using > > > >MailScanner and SpamAssassin with this release? > > > > > > Once I have managed to get hold of a copy of RedHat 8, I will try it out. > > > It will take me a couple of days... > > > -- > >I should be able to tell you if there's a problem with either the V3 or > >V4 code by this evening. I have almost every thing set up to be able to > >test both versions against 8.0 right now. > The first batch of results are in. The first test is against 3.23-4 w/SpamAssassin-2.41 & Sophos. DNS checks are off in SpamAssassin, but on for ORDB-RBL & MAPS-RSS+. I'm on the same hardware that I've run my test set before and the speed seems equivalent to when the OS was RH 7.3. As far as I can tell without deploying to a live server everything appears to be normal. I'll try 4.00.0a7 later today. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= The instructions said to use Windows 98 or better, so I installed RedHat Jim Levie email: jim@entrophy-free.net From mike at CAMAROSS.NET Tue Oct 1 21:36:02 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:48 2006 Subject: MRTG In-Reply-To: Message-ID: Kris got this worked out today. 
If anyone wants a copy of the sendmail.logs.pl script we are using with v4.00, grab it here: http://CamaroSS.net/sendmail.logs.pl Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Kris Stumpner Sent: Tuesday, October 01, 2002 12:40 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MRTG Here's what I came up with tonight. It uses the many extra log file entries that v4 offers now. It also catches the viruses that are found via Filename Checks. if (/MailScanner/) { $TotalViruses += $1 if /Virus Scanning: Found (\d+) viruses/i; $TotalViruses++ if /Filename Checks: \S* virus/i; $TotalSpam += $1 if /Spam Checks: Found (\d+) spam messages/i; } The problem I see with the '$TotalViruses ++ if />>> Virus/;' command is that when MailScanner does a Virus Rescan, it catches it again, so the figures are skewed 2-fold (as mike pointed out earlier). Also, '$TotalSpam++ if /actions are deliver/i;' will not work if the server is not delivering spam marked mail. This seems to be working good for me thus far. Kris -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Mike Kercher Sent: Monday, September 30, 2002 11:37 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: [MAILSCANNER] MRTG Ok...I've been jacking with sendmail.logs.pl now for hours and since I can only spell 'perl', I'm stumped! For the virus counters, I need to find '>>> Virus' to increment the counter, but nothing I put on the line seems to work. $TotalViruses += $1 if />>> Virus/; $TotalViruses += $1 if /Rescan/; $TotalViruses += $1 if /Rescan/i; Can a perl guru shed some light? Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Rose, Bobby Sent: Monday, September 30, 2002 5:12 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MRTG Oops yeh I forgot about that one.
-----Original Message----- From: Mike Kercher [mailto:mike@CAMAROSS.NET] Sent: Monday, September 30, 2002 5:56 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MRTG I found one problem: The process changed from 'mailscanner' to 'MailScanner', so now my spams are being picked up. Viruses are not however. One thing I noticed in grepping the log is that Viruses that are detected are being listed twice: [root@redline bin]# cat /var/log/maillog |grep ">>> Virus" Sep 30 11:10:39 redline MailScanner[18225]: >>> Virus 'W32/Klez-H' found in file ./g8UGAXv19493/install.exe Sep 30 11:10:42 redline MailScanner[18225]: >>> Virus 'W32/Klez-H' found in file ./g8UGAXv19493/install.exe Sep 30 14:21:15 redline MailScanner[18225]: >>> Virus 'W32/Bugbear-A' found in file ./g8UJLBv25275/BIRTHDAYS.xls.exe Sep 30 14:21:18 redline MailScanner[18225]: >>> Virus 'W32/Bugbear-A' found in file ./g8UJLBv25275/BIRTHDAYS.xls.exe Sep 30 16:17:15 redline MailScanner[28976]: >>> Virus 'W32/Klez-H' found in file ./g8ULH5v28971/CAYRKX0V.scr Sep 30 16:17:17 redline MailScanner[28976]: >>> Virus 'W32/Klez-H' found in file ./g8ULH5v28971/CAYRKX0V.scr Will that not throw the count off by a multiple of 2? Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Mike Kercher Sent: Monday, September 30, 2002 4:39 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MRTG Hrm...that doesn't seem to be working for me... chomp; if (/sendmail/) { $TotalMails += $1 if /nrcpts=(\d+),/; next; } if (/mailscanner/) { $TotalViruses += $1 if />>> Virus/i; $TotalSpam++ if /actions are deliver/i; } } close LOG; } Does that look like what you have? Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Rose, Bobby Sent: Monday, September 30, 2002 4:24 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MRTG The logging has changed so you need to change string used to the regex the sendmail.logs.pl script. 
I'm currently using /actions are deliver/I for Spam and />>> Virus/I for Viruses. So far that seems to be correct. -----Original Message----- From: Mike Kercher [mailto:mike@CAMAROSS.NET] Sent: Monday, September 30, 2002 5:06 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MRTG They used to be before I upgraded to 4.00 When I have some time, I'll try to figure out why it's not working anymore. Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Matt Sent: Monday, September 30, 2002 3:59 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MRTG > I have it running at http://bladeware.com/ I haven't tweaked it since > moving to v4.00 so for some reason, my Spam and Virus stats are out of > date. The mail is working though :) I think it would be neat to have the SPAM and virus stats in the same graph. Kind of like a T1 is graphed with upstream in one color and downstream in another. Matt From kris at JUMPOUT.ORG Tue Oct 1 21:35:08 2002 From: kris at JUMPOUT.ORG (Kris Stumpner) Date: Thu Jan 12 21:15:48 2006 Subject: MRTG In-Reply-To: Message-ID: This revision of the script will also tally up the RBL check at the MTA level. Kris -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Mike Kercher Sent: Tuesday, October 01, 2002 3:36 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: [MAILSCANNER] MRTG Kris got this worked out today. If anyone wants a copy of the sendmail.logs.pl script we are using with v4.00, grab it here: http://CamaroSS.net/sendmail.logs.pl Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Kris Stumpner Sent: Tuesday, October 01, 2002 12:40 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MRTG Here's what I came up with tonight. It uses the many extra log file entries that v4 offers now. It also catches the viruses that are found via Filename Checks. 
if (/MailScanner/) { $TotalViruses += $1 if /Virus Scanning: Found (\d+) viruses/i; $TotalViruses++ if /Filename Checks: \S* virus/i; $TotalSpam += $1 if /Spam Checks: Found (\d+) spam messages/i; } The problem I see with the '$TotalViruses ++ if />>> Virus/;' command is that when MailScanner does a Virus Rescan, it catches it again, so the figures are skewed 2-fold (as mike pointed out earlier). Also, '$TotalSpam++ if /actions are deliver/i;' will not work if the server is not delivering spam marked mail. This seems to be working good for me thus far. Kris -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Mike Kercher Sent: Monday, September 30, 2002 11:37 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: [MAILSCANNER] MRTG Ok...I've been jacking with sendmail.logs.pl now for hours and since I can only spell 'perl', I'm stumped! For the virus counters, I need to find '>>> Virus' to increment the counter, but nothing I put on the line seems to work. $TotalViruses += $1 if />>> Virus/; $TotalViruses += $1 if /Rescan/; $TotalViruses += $1 if /Rescan/i; Can a perl guru shed some light? Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Rose, Bobby Sent: Monday, September 30, 2002 5:12 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MRTG Oops yeh I forgot about that one. -----Original Message----- From: Mike Kercher [mailto:mike@CAMAROSS.NET] Sent: Monday, September 30, 2002 5:56 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MRTG I found one problem: The process changed from 'mailscanner' to 'MailScanner', so now my spams are being picked up. Viruses are not however.
One thing I noticed in grepping the log is that Viruses that are detected are being listed twice: [root@redline bin]# cat /var/log/maillog |grep ">>> Virus" Sep 30 11:10:39 redline MailScanner[18225]: >>> Virus 'W32/Klez-H' found in file ./g8UGAXv19493/install.exe Sep 30 11:10:42 redline MailScanner[18225]: >>> Virus 'W32/Klez-H' found in file ./g8UGAXv19493/install.exe Sep 30 14:21:15 redline MailScanner[18225]: >>> Virus 'W32/Bugbear-A' found in file ./g8UJLBv25275/BIRTHDAYS.xls.exe Sep 30 14:21:18 redline MailScanner[18225]: >>> Virus 'W32/Bugbear-A' found in file ./g8UJLBv25275/BIRTHDAYS.xls.exe Sep 30 16:17:15 redline MailScanner[28976]: >>> Virus 'W32/Klez-H' found in file ./g8ULH5v28971/CAYRKX0V.scr Sep 30 16:17:17 redline MailScanner[28976]: >>> Virus 'W32/Klez-H' found in file ./g8ULH5v28971/CAYRKX0V.scr Will that not throw the count off by a multiple of 2? Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Mike Kercher Sent: Monday, September 30, 2002 4:39 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MRTG Hrm...that doesn't seem to be working for me... chomp; if (/sendmail/) { $TotalMails += $1 if /nrcpts=(\d+),/; next; } if (/mailscanner/) { $TotalViruses += $1 if />>> Virus/i; $TotalSpam++ if /actions are deliver/i; } } close LOG; } Does that look like what you have? Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Rose, Bobby Sent: Monday, September 30, 2002 4:24 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MRTG The logging has changed so you need to change string used to the regex the sendmail.logs.pl script. I'm currently using /actions are deliver/I for Spam and />>> Virus/I for Viruses. So far that seems to be correct. 
-----Original Message----- From: Mike Kercher [mailto:mike@CAMAROSS.NET] Sent: Monday, September 30, 2002 5:06 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MRTG They used to be before I upgraded to 4.00 When I have some time, I'll try to figure out why it's not working anymore. Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Matt Sent: Monday, September 30, 2002 3:59 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MRTG > I have it running at http://bladeware.com/ I haven't tweaked it since > moving to v4.00 so for some reason, my Spam and Virus stats are out of > date. The mail is working though :) I think it would be neat to have the SPAM and virus stats in the same graph. Kind of like a T1 is graphed with upstream in one color and downstream in another. Matt From mike at CAMAROSS.NET Tue Oct 1 21:42:13 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:49 2006 Subject: MRTG In-Reply-To: Message-ID: I forgot to mention, this script is counting connections that are rejected at the MTA (either via /etc/mail/access.db or dnsbl) as spam or at least attempted spam. Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Mike Kercher Sent: Tuesday, October 01, 2002 3:36 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MRTG Kris got this worked out today. If anyone wants a copy of the sendmail.logs.pl script we are using with v4.00, grab it here: http://CamaroSS.net/sendmail.logs.pl Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Kris Stumpner Sent: Tuesday, October 01, 2002 12:40 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MRTG Here's what I came up with tonight. It uses the many extra log file entries that v4 offers now. It also catches the viruses that are found via Filename Checks. 
if (/MailScanner/) { $TotalViruses += $1 if /Virus Scanning: Found (\d+) viruses/i; $TotalViruses++ if /Filename Checks: \S* virus/i; $TotalSpam += $1 if /Spam Checks: Found (\d+) spam messages/i; } The problem I see with the '$TotalViruses ++ if />>> Virus/;' command is that when MailScanner does a Virus Rescan, it catches it again, so the figures are skewed 2-fold (as mike pointed out earlier). Also, '$TotalSpam++ if /actions are deliver/i;' will not work if the server is not delivering spam marked mail. This seems to be working good for me thus far. Kris -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Mike Kercher Sent: Monday, September 30, 2002 11:37 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: [MAILSCANNER] MRTG Ok...I've been jacking with sendmail.logs.pl now for hours and since I can only spell 'perl', I'm stumped! For the virus counters, I need to find '>>> Virus' to increment the counter, but nothing I put on the line seems to work. $TotalViruses += $1 if />>> Virus/; $TotalViruses += $1 if /Rescan/; $TotalViruses += $1 if /Rescan/i; Can a perl guru shed some light? Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Rose, Bobby Sent: Monday, September 30, 2002 5:12 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MRTG Oops yeh I forgot about that one. -----Original Message----- From: Mike Kercher [mailto:mike@CAMAROSS.NET] Sent: Monday, September 30, 2002 5:56 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MRTG I found one problem: The process changed from 'mailscanner' to 'MailScanner', so now my spams are being picked up. Viruses are not however.
One thing I noticed in grepping the log is that Viruses that are detected are being listed twice: [root@redline bin]# cat /var/log/maillog |grep ">>> Virus" Sep 30 11:10:39 redline MailScanner[18225]: >>> Virus 'W32/Klez-H' found in file ./g8UGAXv19493/install.exe Sep 30 11:10:42 redline MailScanner[18225]: >>> Virus 'W32/Klez-H' found in file ./g8UGAXv19493/install.exe Sep 30 14:21:15 redline MailScanner[18225]: >>> Virus 'W32/Bugbear-A' found in file ./g8UJLBv25275/BIRTHDAYS.xls.exe Sep 30 14:21:18 redline MailScanner[18225]: >>> Virus 'W32/Bugbear-A' found in file ./g8UJLBv25275/BIRTHDAYS.xls.exe Sep 30 16:17:15 redline MailScanner[28976]: >>> Virus 'W32/Klez-H' found in file ./g8ULH5v28971/CAYRKX0V.scr Sep 30 16:17:17 redline MailScanner[28976]: >>> Virus 'W32/Klez-H' found in file ./g8ULH5v28971/CAYRKX0V.scr Will that not throw the count off by a multiple of 2? Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Mike Kercher Sent: Monday, September 30, 2002 4:39 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MRTG Hrm...that doesn't seem to be working for me... chomp; if (/sendmail/) { $TotalMails += $1 if /nrcpts=(\d+),/; next; } if (/mailscanner/) { $TotalViruses += $1 if />>> Virus/i; $TotalSpam++ if /actions are deliver/i; } } close LOG; } Does that look like what you have? Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Rose, Bobby Sent: Monday, September 30, 2002 4:24 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MRTG The logging has changed so you need to change string used to the regex the sendmail.logs.pl script. I'm currently using /actions are deliver/I for Spam and />>> Virus/I for Viruses. So far that seems to be correct. 
-----Original Message----- From: Mike Kercher [mailto:mike@CAMAROSS.NET] Sent: Monday, September 30, 2002 5:06 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MRTG They used to be before I upgraded to 4.00 When I have some time, I'll try to figure out why it's not working anymore. Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Matt Sent: Monday, September 30, 2002 3:59 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MRTG > I have it running at http://bladeware.com/ I haven't tweaked it since > moving to v4.00 so for some reason, my Spam and Virus stats are out of > date. The mail is working though :) I think it would be neat to have the SPAM and virus stats in the same graph. Kind of like a T1 is graphed with upstream in one color and downstream in another. Matt From hciss at HCIWS.COM Wed Oct 2 00:51:47 2002 From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:15:49 2006 Subject: F-Prot Autoupdate References: <5.1.0.14.2.20020923230722.02296478@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020924170947.068f5df8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020925104135.0242c5b8@imap.ecs.soton.ac.uk> Message-ID: <00a001c269a5$8499fdc0$6801a8c0@matthew> > >I just took the autoupdate file you put in the F-Prot directory when > >Mailscanner installed and put it in the cron.daily directory renamed > >"autoupdate.pl". Will that work? > > Yes, that will work okay, It does not appear to work. I just looked at the dates and even though new definitions came out on the 30th mine are still dated the 23rd. Any idea what is wrong? Matt > but it's better to put the little wrapper around > it that you will find in the other scripts in that directory. > And there's no point renaming it, it won't make any difference.
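An added example for the MRTG thread above (not the sendmail.logs.pl script from the list, and written in Python rather than Perl): it tallies a log three ways to show why counting every `>>> Virus` line doubles the figure after a rescan, while the per-batch summary lines Kris matches, or de-duplicating on virus name and file path, do not. Only the six `>>> Virus` lines come from the thread; every other log line, and all function and counter names, are assumptions made for the example.

```python
import re

# Constructed sample log. The six ">>> Virus" lines are the ones quoted in the
# thread; every other line is made up to fit the regexes posted there and is
# not copied from a real MailScanner or sendmail log.
SAMPLE_LOG = """\
Sep 30 11:10:30 redline sendmail[19493]: g8UGAXv19493: from=<a@example.com>, size=91234, nrcpts=2, msgid=<1@example.com>
Sep 30 11:10:39 redline MailScanner[18225]: >>> Virus 'W32/Klez-H' found in file ./g8UGAXv19493/install.exe
Sep 30 11:10:42 redline MailScanner[18225]: >>> Virus 'W32/Klez-H' found in file ./g8UGAXv19493/install.exe
Sep 30 11:10:42 redline MailScanner[18225]: Virus Scanning: Found 1 viruses
Sep 30 14:21:02 redline sendmail[25275]: g8UJLBv25275: from=<b@example.com>, size=50211, nrcpts=1, msgid=<2@example.com>
Sep 30 14:21:15 redline MailScanner[18225]: >>> Virus 'W32/Bugbear-A' found in file ./g8UJLBv25275/BIRTHDAYS.xls.exe
Sep 30 14:21:18 redline MailScanner[18225]: >>> Virus 'W32/Bugbear-A' found in file ./g8UJLBv25275/BIRTHDAYS.xls.exe
Sep 30 14:21:18 redline MailScanner[18225]: Virus Scanning: Found 1 viruses
Sep 30 15:02:11 redline MailScanner[28976]: Filename Checks: Possible virus (constructed.pif)
Sep 30 15:02:12 redline MailScanner[28976]: Spam Checks: Found 2 spam messages
Sep 30 16:17:15 redline MailScanner[28976]: >>> Virus 'W32/Klez-H' found in file ./g8ULH5v28971/CAYRKX0V.scr
Sep 30 16:17:17 redline MailScanner[28976]: >>> Virus 'W32/Klez-H' found in file ./g8ULH5v28971/CAYRKX0V.scr
Sep 30 16:17:17 redline MailScanner[28976]: Virus Scanning: Found 1 viruses
"""

# "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG = re.compile(
    r"^\w{3}\s+\d{1,2}\s[\d:]{8}\s\S+\s"
    r"(?P<prog>[^\[:\s]+)(?:\[\d+\])?:\s(?P<msg>.*)$"
)
NRCPTS = re.compile(r"nrcpts=(\d+),")
VIRUS_HIT = re.compile(r">>> Virus '([^']+)' found in file (.+)$")
# The three patterns from Kris's post. They are applied with match(), i.e.
# anchored at the start of the message, so the same words appearing inside an
# attachment name on some other log line cannot move a counter.
BATCH_VIRUS = re.compile(r"Virus Scanning: Found (\d+) viruses", re.I)
FILENAME_HIT = re.compile(r"Filename Checks: \S* virus", re.I)
BATCH_SPAM = re.compile(r"Spam Checks: Found (\d+) spam messages", re.I)


def tally(log_text):
    """Return mail, spam and virus counters for one log, counted three ways."""
    counts = {"mails": 0, "spam": 0, "viruses": 0, "virus_lines": 0}
    unique_hits = set()
    for line in log_text.splitlines():
        entry = SYSLOG.match(line)
        if not entry:
            continue
        # Compare the program tag case-insensitively: the thread notes the
        # tag changed from 'mailscanner' to 'MailScanner' in v4.
        prog, msg = entry["prog"].lower(), entry["msg"]
        if prog == "sendmail":
            rcpts = NRCPTS.search(msg)
            if rcpts:
                counts["mails"] += int(rcpts.group(1))
            continue
        if prog != "mailscanner":
            continue
        hit = VIRUS_HIT.match(msg)
        batch_virus = BATCH_VIRUS.match(msg)
        batch_spam = BATCH_SPAM.match(msg)
        if hit:
            counts["virus_lines"] += 1          # naive: one per log line
            unique_hits.add(hit.groups())       # (virus name, file path)
        elif batch_virus:
            counts["viruses"] += int(batch_virus.group(1))
        elif FILENAME_HIT.match(msg):
            counts["viruses"] += 1
        elif batch_spam:
            counts["spam"] += int(batch_spam.group(1))
    counts["virus_unique"] = len(unique_hits)
    return counts


if __name__ == "__main__":
    for name, value in tally(SAMPLE_LOG).items():
        print(f"{name:13} {value}")
```

In the Perl attempts quoted in the thread, `+= $1` adds nothing because those patterns have no capture group, which is why the summary-line patterns with `(\d+)` are the ones that produce a number.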
From tiger at EBS.AU.COM Wed Oct 2 01:47:00 2002 From: tiger at EBS.AU.COM (David Woodfield) Date: Thu Jan 12 21:15:49 2006 Subject: F-Prot Autoupdate In-Reply-To: <00a001c269a5$8499fdc0$6801a8c0@matthew> Message-ID: <001401c269ad$3798ba90$2a01000a@tiger> Hi, fairly new to this but this is what I have done and it's working perfectly. I have placed this in the cron.daily directory. #!/bin/bash /path/to/f-prot/autoupdate exit 0 the latest definitions are for the 1st of October, and I would advise updating it as our system is being hammered by the new W32/Bugbear.A@mm worm. It started yesterday and has been building ever since. God bless you Julian :) Kind regards, David Woodfield Technical Manager EBS Computer Services -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Matt Sent: Wednesday, 2 October 2002 9:52 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: F-Prot Autoupdate > >I just took the autoupdate file you put in the F-Prot directory when > >Mailscanner installed and put it in the cron.daily directory renamed > >"autoupdate.pl". Will that work? > > Yes, that will work okay, It does not appear to work. I just looked at the dates and even though new definitions came out on the 30th mine are still dated the 23rd. Any idea what is wrong? Matt > but it's better to put the little wrapper around > it that you will find in the other scripts in that directory. > And there's no point renaming it, it won't make any difference. *********************** PRIVACY, CONFIDENTIALITY & LIABILITY NOTICE *********************** This e-mail is intended for use of the individual or entity above and may contain information that is confidential and privileged. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this e-mail is strictly prohibited.
If you have received this e-mail in error, please notify us immediately and destroy the While this e-mail and any attachments have been scanned for common computer viruses and dangerous content and is believed to be clean, we recommend you also perform your own virus checking processes before opening any attachments. The Company accepts no liability for any loss, damage or consequence, whether caused by our own negligence or not, resulting directly or indirectly from the use of any attached files. Any views expressed in this communication are those of the individual sender, except where the sender specifically states them to be the views of the Company. ******************************************************************************************* From hciss at HCIWS.COM Wed Oct 2 02:30:34 2002 From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:15:49 2006 Subject: F-Prot Autoupdate References: <001401c269ad$3798ba90$2a01000a@tiger> Message-ID: <000701c269b3$50c27960$6401a8c0@matthewmpqowmc> > #!/bin/bash > > /path/to/f-prot/autoupdate > exit 0 Is there a way to get it to email admin if it finds updates so as to verify it is working? Matt From tiger at EBS.AU.COM Wed Oct 2 03:11:52 2002 From: tiger at EBS.AU.COM (David Woodfield) Date: Thu Jan 12 21:15:49 2006 Subject: F-Prot Autoupdate In-Reply-To: <000701c269b3$50c27960$6401a8c0@matthewmpqowmc> Message-ID: <001701c269b9$133baf20$2a01000a@tiger> >> Is there a way to get it to email admin if it finds updates so as to >> verify >> it is working? >> >> Matt Way out of my league that one. The way I check is just by grep autoupdate /path/to/maillog which returns this message. Oct 1 04:03:50 server F-Prot autoupdate[6302]: F-Prot successfully updated. Dave *********************** PRIVACY, CONFIDENTIALITY & LIABILITY NOTICE *********************** This e-mail is intended for use of the individual or entity above and may contain information that is confidential and privileged. 
If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this e-mail is strictly prohibited. If you have received this e-mail in error, please notify us immediately and destroy the While this e-mail and any attachments have been scanned for common computer viruses and dangerous content and is believed to be clean, we recommend you also perform your own virus checking processes before opening any attachments. The Company accepts no liability for any loss, damage or consequence, whether caused by our own negligence or not, resulting directly or indirectly from the use of any attached files. Any views expressed in this communication are those of the individual sender, except where the sender specifically states them to be the views of the Company. ******************************************************************************************* From LISTSERV at JISCMAIL.AC.UK Tue Oct 1 21:16:40 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:49 2006 Subject: MAILSCANNER: jharnish@CI.GRAND-RAPIDS.MI.US requested to join Message-ID: <200210012016.VAA08140@magpie.ecs.soton.ac.uk> Tue, 1 Oct 2002 21:16:40 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Joseph Harnish . 
You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER jharnish@CI.GRAND-RAPIDS.MI.US Joseph Harnish The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+jharnish%40CI.GRAND-RAPIDS.MI.US+Joseph+Harnish&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From gerry at dorfam.ca Wed Oct 2 14:01:14 2002 From: gerry at dorfam.ca (Gerry Doris) Date: Thu Jan 12 21:15:49 2006 Subject: F-Prot Autoupdate In-Reply-To: <001701c269b9$133baf20$2a01000a@tiger> References: <000701c269b3$50c27960$6401a8c0@matthewmpqowmc> <001701c269b9$133baf20$2a01000a@tiger> Message-ID: <62449.129.80.22.133.1033563674.squirrel@tiger.dorfam.ca> >>> Is there a way to get it to email admin if it finds updates so as to >>> verify >>> it is working? >>> >>> Matt > > Way out of my league that one. The way I check is just by > grep autoupdate /path/to/maillog > which returns this message. > > Oct 1 04:03:50 server F-Prot autoupdate[6302]: F-Prot successfully > updated. > > Dave I run a program called logcheck that automatically sends any "strange" log entries as an email to root. It's configurable on what it bothers with and how often it checks. Works very well. Gerry From marc.perea at ELECTRONIC-GROUP.COM Wed Oct 2 14:52:31 2002 From: marc.perea at ELECTRONIC-GROUP.COM (Marc Perea) Date: Thu Jan 12 21:15:49 2006 Subject: Virus download site ? Message-ID: <20021002155231.5c8c99ce.marc.perea@electronic-group.com> Hi guys, Does anybody knows any website in which you can download different viruses and their variants ? I want some real viruses to do some tests (the EICAR is not enough) Thanks in advance, Cheers. Marc. 
From support at rl.ac.uk Wed Oct 2 14:55:46 2002 From: support at rl.ac.uk (CLRC_Support) Date: Thu Jan 12 21:15:49 2006 Subject: Fwd: FW: Rejected posting to MAILSCANNER@JISCMAIL.AC.UK (UQ000011 0479) Message-ID: <350DC7048372D31197F200902773DF4C02CF84C1@exchange11.rl.ac.uk> This is a partial response to your enquiry(UQ0000110479) . Further information will be sent to you shortly. Thank you Submitter Email : Julian Field Problem Classification : JISCmail General Response to user : Julian It looks like this user only subscribed today. Could he have sent the original posting before subscribing? We can of course tell this by looking at the logs and 'll get back to you later. Regards Philippa Strange JISCmail Support Problem Description : I've got a user who can't post to the MailScanner list despite his address appearing in the list of members. Here is the error message and the headers, etc. Can you take a look please? Thanks! Jules. From: "Harnish, Joe" To: "'mailscanner@ecs.soton.ac.uk'" Subject: FW: Rejected posting to MAILSCANNER@JISCMAIL.AC.UK Date: Wed, 2 Oct 2002 08:32:59 -0400 X-Mailer: Internet Mail Service (5.5.2653.19) X-MailScanner: Found to be clean X-MailScanner-SpamCheck: not spam, SpamAssassin (score=0.9, required 5, MIME_NULL_BLOCK, DOUBLE_CAPSWORD, MAILTO_LINK) X-ECS-MailScanner: Found to be clean, Found to be clean -----Original Message----- From: L-Soft list server at JISCMAIL (1.8e) [ mailto:LISTSERV@JISCMAIL.AC.UK] Sent: Tuesday, October 01, 2002 5:15 PM To: Joseph Harnish Subject: Rejected posting to MAILSCANNER@JISCMAIL.AC.UK You are not authorized to send mail to the MAILSCANNER list from your jharnish@CI.GRAND-RAPIDS.MI.US account. You might be authorized to send to the list from another of your accounts, or perhaps when using another mail program which generates slightly different addresses, but LISTSERV has no way to associate this other account or address with yours. 
If you need assistance or if you have any question regarding the policy of
the MAILSCANNER list, please contact the list owners:
MAILSCANNER-request@JISCMAIL.AC.UK.

Message-ID: <221C759285B78647AEE6181FD6AF36A703A8DF7A@bambi.grand-rapids.mi.us>
From: "Harnish, Joe"
To: "'mailscanner@jiscmail.ac.uk'"
Subject: domains to scan
Date: Tue, 1 Oct 2002 17:14:07 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: multipart/mixed; boundary="----_=_NextPart_002_01C26A0F.D7E2E4A0"

Hello,

I am working on setting up a test group for mailscanner/SpamAssassin so
that certain people can see how it is going to work without implementing
it to everyone right away. So what I am doing is I added my account to
domains.to.scan.conf file. Which now looks like this:

jharnish@*

and set "Scanning By Domain = yes"
and I have "Spam Checks = yes"

do I need to do something special to only scan my address?

Thanks

Joe

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

Service type : Fwd: FW: Rejected posting to MAILSCANNER@JISCMAIL.AC.UK
Service type : Fwd: FW: Rejected posting to MAILSCANNER@JISCMAIL.AC.UK

From g.tranelli at INARCASSA.IT Wed Oct 2 15:08:11 2002
From: g.tranelli at INARCASSA.IT (G. Tranelli)
Date: Thu Jan 12 21:15:49 2006
Subject: Virus download site ?
References: <20021002155231.5c8c99ce.marc.perea@electronic-group.com>
Message-ID: <000e01c26a1d$248e0c00$1c00010a@ANONYMOUS>

You can look here http://www.idg.net/virus

----- Original Message -----
From: "Marc Perea"
To:
Sent: Wednesday, October 02, 2002 3:52 PM
Subject: Virus download site ?

> Hi guys,
>
> Does anybody know any website in which you can download different viruses
> and their variants?
> I want some real viruses to do some tests (the EICAR is not enough)
>
> Thanks in advance,
> Cheers.
>
> Marc.

From lbergman at abi.tconline.net Wed Oct 2 15:27:47 2002
From: lbergman at abi.tconline.net (Lewis Bergman)
Date: Thu Jan 12 21:15:49 2006
Subject: F-Prot Autoupdate
In-Reply-To: <000701c269b3$50c27960$6401a8c0@matthewmpqowmc>
References: <001401c269ad$3798ba90$2a01000a@tiger> <000701c269b3$50c27960$6401a8c0@matthewmpqowmc>
Message-ID: <200210020927.47286.lbergman@abi.tconline.net>

On Tuesday 01 October 2002 08:30 pm, Matt wrote:
> > #!/bin/bash
> >
> > /path/to/f-prot/autoupdate
> > exit 0
>
> Is there a way to get it to email admin if it finds updates so as to verify
> it is working?
>
> Matt

I have aliased root on my mail server to an admin alias so that all sys
admins get a copy of anything that is mailed to root. Works pretty good for
me and is only a one line change in sendmail config

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
915-695-6962 ext 115

From jharnish at CI.GRAND-RAPIDS.MI.US Wed Oct 2 15:25:29 2002
From: jharnish at CI.GRAND-RAPIDS.MI.US (Harnish, Joe)
Date: Thu Jan 12 21:15:49 2006
Subject: domains to scan
Message-ID: <221C759285B78647AEE6181FD6AF36A703A8DF7F@bambi.grand-rapids.mi.us>

Hello,

I am working on setting up a test group for mailscanner/SpamAssassin so
that certain people can see how it is going to work without implementing
it to everyone right away. So what I am doing is I added my account to
domains.to.scan.conf file. Which now looks like this:

# This file lists all the domains for which you want to scan mail
# for viruses and spam, if the "Scanning By Domain" feature is set to "yes".

jharnish@*

and set "Scanning By Domain = yes"
and I have "Spam Checks = yes"

do I need to do something special to only scan my address?

Thanks

Joe

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021002/ce3d7716/attachment.html

From bill at DISTMIRR.COM Wed Oct 2 15:47:01 2002
From: bill at DISTMIRR.COM (Bill Omer)
Date: Thu Jan 12 21:15:49 2006
Subject: No Message Collected
Message-ID: <000401c26a22$91a1fd60$5d751542@billslaptop>

Since upgrading to version 4, I'm having lots of complaints about
duplicate messages being delivered, with one of the copies containing
only the following in the message body:
<<< No Message Collected >>>

>From what I understand, this is caused when the DATA connection is
terminated during the communication to sendmail. However, I'm not sure
why two copies of the same message would be sent, with only failing and
the other not.

Has anyone noticed this before? Any ideas what could be causing this or
how to work around it?

Regards,
Bill Omer

From bovati at MONDADORI.COM Wed Oct 2 18:53:42 2002
From: bovati at MONDADORI.COM (Mirko Bovati)
Date: Thu Jan 12 21:15:49 2006
Subject: Possible Microsoft security vulnerability attack.
Message-ID: <200210021653.42081.bovati@mondadori.com>

Hi all,

I need to disable the control that generates the message
in subject. May I disable this feature?

thanks.

--
Mirko Bovati
Mondadori.com
System and Network Administration
Tel: 070 2028533; 02 26937270 Cell: 328 0512344

From howard at harper-adams.ac.uk Wed Oct 2 16:14:41 2002
From: howard at harper-adams.ac.uk (Howard Robinson)
Date: Thu Jan 12 21:15:49 2006
Subject: Odd directory size
Message-ID: <200210021507.g92F7Oq10701@blackhole.harper-adams.ac.uk>

This is possibly a silly question but here goes.
The following is the two entries /var/spool for the mailscanner
queues.
drwxr-xr-x 2 root mail 1220608 Oct 2 15:56 mqueue
drwxr-xr-x 2 root mail 24576 Oct 2 15:56 mqueue.in
All the other directories here and a random selection of other
directories seem to have a size of 4096.
Is this a sign of an error or has it something to do with the
volume of files it once held?
Currently mqueue.in has 1 or 2 files
waiting to be scanned and mqueue had about ~100 files all small.
Also the date changes, does this reflect the last time the
directory was used? In NT and WS2000 the date & time reflect
when it was created. Is this a Redhat Linux feature?

Regards

Howard Robinson
(Senior Technical Development Officer)
Harper Adams University College
Edgmond
Newport
Shropshire
TF10 8NB
UK
E-mail: hrobinson@harper-adams.ac.uk
Tel. : +44(0)1952 820280 Via switchboard
     : +44(0)1952 815253 Direct line
Fax. : +44(0)1952 814783
College Web site http://www.harper-adams.ac.uk

From mailscanner at ecs.soton.ac.uk Wed Oct 2 16:29:38 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:49 2006
Subject: No Message Collected
In-Reply-To: <000401c26a22$91a1fd60$5d751542@billslaptop>
Message-ID: <5.1.0.14.2.20021002162740.04635b30@imap.ecs.soton.ac.uk>

Can you check your mqueue and mqueue.in directories are on the same
filesystem? Sounds like the message body isn't linking across to the
outgoing queue.

The other test you can do is change the delivery mode to "queue" instead of
batch. Kill the sendmail process that is handling the outgoing queue (the
one you started like "sendmail -q15m"). Then all the processed messages
should just collect in the outgoing mqueue directory. Make sure there is a
df file and a qf file for each message in that directory.

Is your mqueue.in directory just a flat directory with no sub-dirs off it?
Likewise for mqueue?

At 15:47 02/10/2002, you wrote:
>Since upgrading to version 4, I'm having lots of complaints about
>duplicate messages being delivered, with one of the copies containing
>only the following in the message body:
><<< No Message Collected >>>
>
> >From what I understand, this is caused when the DATA connection is
>terminated during the communication to sendmail. However, I'm not sure
>why two copies of the same message would be sent, with only failing and
>the other not.
>
>Has anyone noticed this before? Any ideas what could be causing this or
>how to work around it?
>
>Regards,
>Bill Omer

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Wed Oct 2 16:30:00 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:49 2006
Subject: domains to scan
In-Reply-To: <221C759285B78647AEE6181FD6AF36A703A8DF7F@bambi.grand-rapids.mi.us>
Message-ID: <5.1.0.14.2.20021002162941.04530548@imap.ecs.soton.ac.uk>

At 15:25 02/10/2002, you wrote:
>Hello,
>
>I am working on setting up a test group for mailscanner/SpamAssassin so
>that certain people can see how it is going to work without implementing
>it to everyone right away. So what I am doing is I added my account to
>domains.to.scan.conf file. Which now looks like this:
>
># This file lists all the domains for which you want to scan mail
># for viruses and spam, if the "Scanning By Domain" feature is set to "yes".
>
>jharnish@*
>
>and set "Scanning By Domain = yes"
>and I have "Spam Checks = yes"
>
>do I need to do something special to only scan my address?

No, that should do it if I remember rightly.

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Wed Oct 2 16:31:23 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:49 2006
Subject: Odd directory size
In-Reply-To: <200210021507.g92F7Oq10701@blackhole.harper-adams.ac.uk>
Message-ID: <5.1.0.14.2.20021002163022.042d9050@imap.ecs.soton.ac.uk>

At 16:14 02/10/2002, you wrote:
>This is possibly a silly question but here goes.
>The following is the two entries /var/spool for the mailscanner
>queues.
>drwxr-xr-x 2 root mail 1220608 Oct 2 15:56 mqueue
>drwxr-xr-x 2 root mail 24576 Oct 2 15:56 mqueue.in
>All the other directories here and a random selection of other
>directories seem to have a size of 4096.

This merely shows that at some point in history, the "mqueue" directory had
a lot of files in it.

>Is this a sign of an error or has it something to do with the
>volume of files it once held? Currently mqueue.in has 1 or 2 files
>waiting to be scanned and mqueue had about ~100 files all small.
>Also the date changes, does this reflect the last time the
>directory was used? In NT and WS2000 the date & time reflect
>when it was created. Is this a Redhat Linux feature?

Unix will always give you the last-modification time by default. It appears
that Samba is feeding Windows the creation time instead.

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Wed Oct 2 16:32:08 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:49 2006
Subject: Possible Microsoft security vulnerability attack.
In-Reply-To: <200210021653.42081.bovati@mondadori.com>
Message-ID: <5.1.0.14.2.20021002163154.04840818@imap.ecs.soton.ac.uk>

You want to disable this in mailscanner.conf:

# Do you want to put some text on the front of the subject line when
# it contained a virus which has been removed
Virus Modify Subject = yes

At 18:53 02/10/2002, you wrote:
>Hi all,
>
>I need to disable the control that generates the message
>in subject. May I disable this feature?
>
>thanks.
>
>--
>Mirko Bovati
>Mondadori.com
>System and Network Administration
>Tel: 070 2028533; 02 26937270 Cell: 328 0512344

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel.
023 8059 2817 University of Southampton
Southampton SO17 1BJ

From jskala at JASONSKALA.COM Wed Oct 2 16:13:00 2002
From: jskala at JASONSKALA.COM (Skala Jason)
Date: Thu Jan 12 21:15:49 2006
Subject: Virus download site ?
References: <20021002155231.5c8c99ce.marc.perea@electronic-group.com>
Message-ID: <20021002151301.40B57A796D@mail.jasonskala.com>

Check out www.phreak.org
They have a virus library there with source code and everything else you
can think of. This is the best place I have found on the net to get them
for testing. Hope this helps

> Hi guys,
>
> Does anybody know any website in which you can download different viruses
> and their variants?
> I want some real viruses to do some tests (the EICAR is not enough)
>
> Thanks in advance,
> Cheers.
>
> Marc.
>
--

From rvitoria at CI.UCP.PT Wed Oct 2 16:44:18 2002
From: rvitoria at CI.UCP.PT (Rui Vitória)
Date: Thu Jan 12 21:15:49 2006
Subject: error form my desktop server
Message-ID: <200210021544.g92FiIX30150@ori.rl.ac.uk>

Hi

Anybody can help me about this

"ignoring text in character set `WINDOWS-1252'
 at /usr/lib/perl5/site_perl/5.6.1/MIME/Parser/Filer.pm line 646"

Regards

From bovati at MONDADORI.COM Wed Oct 2 19:49:09 2002
From: bovati at MONDADORI.COM (Mirko Bovati)
Date: Thu Jan 12 21:15:49 2006
Subject: Possible Microsoft security vulnerability attack.
In-Reply-To: <5.1.0.14.2.20021002163154.04840818@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20021002163154.04840818@imap.ecs.soton.ac.uk>
Message-ID: <200210021749.09419.bovati@mondadori.com>

On Wednesday 02 October 2002 02:32 pm, you wrote:
> You want to disable this in mailscanner.conf:
>
> # Do you want to put some text on the front of the subject line when
> # it contained a virus which has been removed
> Virus Modify Subject = yes

Sorry, I meant allow user to receive IFrame tags.
I found it:
Allow IFrame Tags = yes

>
> At 18:53 02/10/2002, you wrote:
> >Hi all,
> >
> >I need to disable the control that generates the message
> >in subject. May I disable this feature?
> >
> >thanks.
> >

Mirko Bovati

From mailscanner at ecs.soton.ac.uk Wed Oct 2 16:46:14 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:49 2006
Subject: error form my desktop server
In-Reply-To: <200210021544.g92FiIX30150@ori.rl.ac.uk>
Message-ID: <5.1.0.14.2.20021002164528.044ab2e0@imap.ecs.soton.ac.uk>

At 16:44 02/10/2002, you wrote:
>Hi
>
>Anybody can help me about this
>
>"ignoring text in character set `WINDOWS-1252'
> at /usr/lib/perl5/site_perl/5.6.1/MIME/Parser/Filer.pm line 646"

I've been trying to find a solution to this one for ages. If anyone out
there reckons they are pretty good at Perl and fancies working out how the
Parser/Filer stuff in MIME-tools works, and come up with a fix for this, I
would be most grateful!

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From munafo at PREZZEMOLO.POLITO.IT Wed Oct 2 16:53:31 2002
From: munafo at PREZZEMOLO.POLITO.IT (Maurizio Matteo Munafo')
Date: Thu Jan 12 21:15:49 2006
Subject: Possible Microsoft security vulnerability attack.
In-Reply-To: <5.1.0.14.2.20021002163154.04840818@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20021002163154.04840818@imap.ecs.soton.ac.uk>
Message-ID: <02100217533101.30949@prezzemolo.polito.it>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 02 October 2002 17:32, Julian Field wrote:
> You want to disable this in mailscanner.conf:
>
> # Do you want to put some text on the front of the subject line when
> # it contained a virus which has been removed
> Virus Modify Subject = yes
>
> At 18:53 02/10/2002, you wrote:
> >Hi all,
> >
> >I need to disable the control that generates the message
> >in subject. May I disable this feature?
> >

I think he wants to permit messages with Microsoft security
vulnerabilities. So it should at least be:

Allow IFrame Tags = yes

or, if he wants to permit OBJECT/CODEBASE, he should modify the source code
(not suggested).

Maurizio

- --
      ______
     / Maurizio M. Munafo'
    / dMMMMMMMMb dMMMMb / Dip. di Elettronica - Politecnico di Torino
   / dMP"dMP"dMP "dMP / Corso Duca degli Abruzzi 24
  / dMP dMP dMP dMMK" / I-10129 Torino (Italia)
 / dMP dMP dMP dMF / Tel: +39 011 5644128 Fax: +39 011 5644099
/ dMP dMP dMP dMMMMP" / E-mail: munafo@polito.it
/__________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9mxZ7tgCCNnfQWWkRAnhbAJ4s7ZTSlb+CIdqD6Dx2TH+is7+SvwCfWTZi
e6fLasplhUS0vaJjgYJdY8M=
=9yNy
-----END PGP SIGNATURE-----

From marc.perea at ELECTRONIC-GROUP.COM Wed Oct 2 17:12:50 2002
From: marc.perea at ELECTRONIC-GROUP.COM (Marc Perea)
Date: Thu Jan 12 21:15:49 2006
Subject: Virus download site ?
In-Reply-To: <20021002151301.40B57A796D@mail.jasonskala.com>
References: <20021002155231.5c8c99ce.marc.perea@electronic-group.com> <20021002151301.40B57A796D@mail.jasonskala.com>
Message-ID: <20021002181250.18ce4bb9.marc.perea@electronic-group.com>

On Wed, 2 Oct 2002 11:13:00 -0400
Skala Jason wrote:

> Check out www.phreak.org
> They have a virus library there with source code and everything else you
> can think of. This is the best place I have found on the net to get them
> for testing. Hope this helps

It's a bit old live virus database, but thanks a lot anyway.
For future help, another user recommended me this URL :
http://vx.netlux.org/
Very good one, without a doubt.

>
> > Hi guys,
> >
> > Does anybody know any website in which you can download different
> > viruses and their variants?
> > I want some real viruses to do some tests (the EICAR is not enough)
> >
> > Thanks in advance,
> > Cheers.
> >
> > Marc.
> >
> --

From raymond at PROLOCATION.NET Wed Oct 2 17:16:48 2002
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:15:49 2006
Subject: Virus download site ?
In-Reply-To: <20021002155231.5c8c99ce.marc.perea@electronic-group.com>
Message-ID:

Hi!

> Does anybody know any website in which you can download different viruses
> and their variants?
> I want some real viruses to do some tests (the EICAR is not enough)

Most of the people on this list should have a pretty large amount of
various viruses by now, the ones MailScanner collected :) I do. If you
like I can send a few hundred to test with.

Bye,
Raymond.

From garyp at COAM.NET Wed Oct 2 18:26:53 2002
From: garyp at COAM.NET (GaryP)
Date: Thu Jan 12 21:15:49 2006
Subject: Stopping MailScanner on a per user basis ...
In-Reply-To: <5.1.0.14.2.20021002162740.04635b30@imap.ecs.soton.ac.uk>
References: <000401c26a22$91a1fd60$5d751542@billslaptop> <5.1.0.14.2.20021002162740.04635b30@imap.ecs.soton.ac.uk>
Message-ID: <20021002172653.M32165@coam.net>

Is there a way to have MailScanner skip users that have requested that none of
their emails be checked for viruses or spam?

Thanks,
Gary P...

--
Vegetarian Recipes! (http://www.vegipes.com)

From mailscanner at ecs.soton.ac.uk Wed Oct 2 19:04:46 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:49 2006
Subject: Stopping MailScanner on a per user basis ...
In-Reply-To: <20021002172653.M32165@coam.net>
References: <5.1.0.14.2.20021002162740.04635b30@imap.ecs.soton.ac.uk> <000401c26a22$91a1fd60$5d751542@billslaptop> <5.1.0.14.2.20021002162740.04635b30@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021002185621.02303438@imap.ecs.soton.ac.uk>

At 18:26 02/10/2002, you wrote:
>Is there a way to have MailScanner skip users that have requested that none of
>their emails be checked for viruses or spam?

The best to solve this problem is by making an institution policy that all
email will be scanned.
It's all very well, but how do you know that the people who are not having
their mail scanned are not forwarding mail internally to other people? It's
about the easiest way to let viruses in to your organisation!

Once people are used to their mail being scanned, they tend to get more
relaxed about the safety of mail coming to them. After all, every bit of
mail entering the site has already been checked anyway, hasn't it?

I had a couple of people who didn't want their mail scanned, including a
member of senior management. I held my ground and refused. Within about 3
months both had thanked me for saving them from virus/spam attacks.

I should write a faq on this...

P.S. If you really must do this, it is easy in V4. But my advice is DON'T!!!

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From LISTSERV at JISCMAIL.AC.UK Wed Oct 2 19:08:48 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e))
Date: Thu Jan 12 21:15:49 2006
Subject: MAILSCANNER: mariw@ACM.ORG left the list
Message-ID: <200210021808.TAA27076@magpie.ecs.soton.ac.uk>

Wed, 2 Oct 2002 19:08:48

Mari Wang has just signed off the MAILSCANNER list (MailScanner mailing
list).

------------------------- Original mail header --------------------------
[Request submitted through anonymous TCP/IP interface from 127.0.0.1]

From garyp at COAM.NET Wed Oct 2 20:02:38 2002
From: garyp at COAM.NET (GaryP)
Date: Thu Jan 12 21:15:49 2006
Subject: Stopping MailScanner on a per user basis ...
In-Reply-To: <5.1.0.14.2.20021002185621.02303438@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20021002162740.04635b30@imap.ecs.soton.ac.uk> <000401c26a22$91a1fd60$5d751542@billslaptop> <5.1.0.14.2.20021002162740.04635b30@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021002185621.02303438@imap.ecs.soton.ac.uk>
Message-ID: <20021002190238.M83179@coam.net>

We have made the policy.
Every piece of email coming and going through our systems is scanned.
There's always one in the crowd that is not going to like it. I value your
advice, however, in version 4.00.07a to please this one hardheaded user,
how?

> At 18:26 02/10/2002, you wrote:
> >Is there a way to have MailScanner skip users that have requested that none of
> >their emails be checked for viruses or spam?
>
> The best to solve this problem is by making an institution policy
> that all email will be scanned. It's all very well, but how do you
> know that the people who are not having their mail scanned are not
> forwarding mail internally to other people? It's about the easiest
> way to let viruses in to your organisation!
>
> Once people are used to their mail being scanned, they tend to get more
> relaxed about the safety of mail coming to them. After all, every
> bit of mail entering the site has already been checked anyway,
> hasn't it?
>
> I had a couple of people who didn't want their mail scanned,
> including a member of senior management. I held my ground and
> refused. Within about 3 months both had thanked me for saving them
> from virus/spam attacks.
>
> I should write a faq on this...
>
> P.S. If you really must do this, it is easy in V4. But my advice is DON'T!!!
> --
> Julian Field Teaching Systems Manager
> jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
> Tel. 023 8059 2817 University of Southampton
> Southampton SO17 1BJ

--
Vegetarian Recipes! (http://www.vegipes.com)

From gerry at dorfam.ca Wed Oct 2 20:14:00 2002
From: gerry at dorfam.ca (Gerry Doris)
Date: Thu Jan 12 21:15:49 2006
Subject: Stopping MailScanner on a per user basis ...
In-Reply-To: <20021002190238.M83179@coam.net>
References: <5.1.0.14.2.20021002162740.04635b30@imap.ecs.soton.ac.uk> <000401c26a22$91a1fd60$5d751542@billslaptop> <5.1.0.14.2.20021002162740.04635b30@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021002185621.02303438@imap.ecs.soton.ac.uk> <20021002190238.M83179@coam.net>
Message-ID: <64672.129.80.22.133.1033586040.squirrel@tiger.dorfam.ca>

I can maybe understand some folks being shy about having their mail scanned
for spam (but don't agree with it). After all, this would only affect them.

However, I really don't understand how one or two individuals in an
organization can rationalize allowing their mail to enter complete with
virii. This affects everyone in the organization. It sort of negates the
whole idea behind scanning for virii in the first place if you
intentionally leave a hole for them to enter??

Gerry

> We have made the policy. Every piece of email coming and going through
> our systems is scanned. There's always one in the crowd that is not
> going to like it. I value your advice, however, in version 4.00.07a to
> please this one hardheaded user, how?
>
>> At 18:26 02/10/2002, you wrote:
>> >Is there a way to have MailScanner skip users that have requested
>> that none of their emails be checked for viruses or spam?
>>
>> The best to solve this problem is by making an institution policy that
>> all email will be scanned. It's all very well, but how do you know
>> that the people who are not having their mail scanned are not
>> forwarding mail internally to other people? It's about the easiest way
>> to let viruses in to your organisation!
>>
>> Once people are used to their mail being scanned, they tend to get
>> more relaxed about the safety of mail coming to them. After all, every
>> bit of mail entering the site has already been checked anyway,
>> hasn't it?
>>
>> I had a couple of people who didn't want their mail scanned,
>> including a member of senior management. I held my ground and
>> refused.
Within about 3 months both had thanked me for saving them
>> from virus/spam attacks.
>>
>> I should write a faq on this...
>>
>> P.S. If you really must do this, it is easy in V4. But my advice is
>> DON'T!!! --
>> Julian Field Teaching Systems Manager
>> jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
>> Tel. 023 8059 2817 University of Southampton
>> Southampton SO17 1BJ
>
>
> --
> Vegetarian Recipes! (http://www.vegipes.com)

From mailscanner at ecs.soton.ac.uk Wed Oct 2 20:16:12 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:49 2006
Subject: Stopping MailScanner on a per user basis ...
In-Reply-To: <20021002190238.M83179@coam.net>
References: <5.1.0.14.2.20021002185621.02303438@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021002162740.04635b30@imap.ecs.soton.ac.uk> <000401c26a22$91a1fd60$5d751542@billslaptop> <5.1.0.14.2.20021002162740.04635b30@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021002185621.02303438@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20021002200455.023bc370@imap.ecs.soton.ac.uk>

At 20:02 02/10/2002, you wrote:
>We have made the policy. Every piece of email coming and going through our
>systems is scanned. There's always one in the crowd that is not going to like
>it. I value your advice, however, in version 4.00.07a to please this one
>hardheaded user, how?

Set virus scanning to be a rules file in mailscanner.conf:
Virus Scanning = /opt/MailScanner/etc/rules/virus.scanning.rules

Then create the rules file itself, containing something like this

To nuisance@your.domain.com no
fromto default yes

So all mail will be scanned, except messages to nuisance@your.domain.com.
Note that mail *from* the nuisance user will still be scanned :-) If you
don't want to scan mail from him either, then use "fromto" instead of "To".

Note that when it is compiling rules files, MailScanner is really lax about
what it allows and recognises, so you can use anything that contains "from"
and/or "to".
If you want to match both the recipients and the sender at the same time,
anything with "and" in it will do. You can use this, for example, to only
sign mail entering/leaving your site, so

FromAndTo your.domain.com no
fromorto default yes

will always be "yes", except when *all* the addresses in the message are
within your.domain.com.

The rules system I have created can do loads of things like this, most of
which haven't even occurred to me yet. :-)

Jules.

> > At 18:26 02/10/2002, you wrote:
> > >Is there a way to have MailScanner skip users that have requested that
> none of
> > >their emails be checked for viruses or spam?
> >
> > The best to solve this problem is by making an institution policy
> > that all email will be scanned. It's all very well, but how do you
> > know that the people who are not having their mail scanned are not
> > forwarding mail internally to other people? It's about the easiest
> > way to let viruses in to your organisation!
> >
> > Once people are used to their mail being scanned, they tend to get more
> > relaxed about the safety of mail coming to them. After all, every
> > bit of mail entering the site has already been checked anyway,
> > hasn't it?
> >
> > I had a couple of people who didn't want their mail scanned,
> > including a member of senior management. I held my ground and
> > refused. Within about 3 months both had thanked me for saving them
> > from virus/spam attacks.
> >
> > I should write a faq on this...
> >
> > P.S. If you really must do this, it is easy in V4. But my advice is
> DON'T!!!
> > --
> > Julian Field Teaching Systems Manager
> > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
> > Tel. 023 8059 2817 University of Southampton
> > Southampton SO17 1BJ
>
>
>--
>Vegetarian Recipes! (http://www.vegipes.com)

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel.
023 8059 2817 University of Southampton
Southampton SO17 1BJ

From garyp at COAM.NET Wed Oct 2 21:11:37 2002
From: garyp at COAM.NET (GaryP)
Date: Thu Jan 12 21:15:49 2006
Subject: Stopping MailScanner on a per user basis ...
In-Reply-To: <5.1.0.14.2.20021002200455.023bc370@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20021002185621.02303438@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021002162740.04635b30@imap.ecs.soton.ac.uk> <000401c26a22$91a1fd60$5d751542@billslaptop> <5.1.0.14.2.20021002162740.04635b30@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021002185621.02303438@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021002200455.023bc370@imap.ecs.soton.ac.uk>
Message-ID: <20021002201137.M58351@coam.net>

You're good Julian, how did you know my user's email address?

Thank you ...

> At 20:02 02/10/2002, you wrote:
> >We have made the policy. Every piece of email coming and going through our
> >systems is scanned. There's always one in the crowd that is not going to like
> >it. I value your advice, however, in version 4.00.07a to please this one
> >hardheaded user, how?
>
> Set virus scanning to be a rules file in mailscanner.conf:
> Virus Scanning = /opt/MailScanner/etc/rules/virus.scanning.rules
>
> Then create the rules file itself, containing something like this
>
> To nuisance@your.domain.com no
> fromto default yes
>
> So all mail will be scanned, except messages to nuisance@your.domain.com.
> Note that mail *from* the nuisance user will still be scanned :-) If
> you don't want to scan mail from him either, then use "fromto"
> instead of "To".
>
> Note that when it is compiling rules files, MailScanner is really
> lax about what it allows and recognises, so you can use anything
> that contains "from" and/or "to". If you want to match both the
> recipients and the sender at the same time, anything with "and" in
> it will do.
You can use this, for example, to only sign mail
> entering/leaving your site, so FromAndTo your.domain.com no
> fromorto default yes will always be "yes",
> except when *all* the addresses in the message are within your.domain.com.
>
> The rules system I have created can do loads of things like this,
> most of which haven't even occurred to me yet. :-)
>
> Jules.
>
> > > At 18:26 02/10/2002, you wrote:
> > > >Is there a way to have MailScanner skip users that have requested that
> > none of
> > > >their emails be checked for viruses or spam?
> > >
> > > The best to solve this problem is by making an institution policy
> > > that all email will be scanned. It's all very well, but how do you
> > > know that the people who are not having their mail scanned are not
> > > forwarding mail internally to other people? It's about the easiest
> > > way to let viruses in to your organisation!
> > >
> > > Once people are used to their mail being scanned, they tend to get more
> > > relaxed about the safety of mail coming to them. After all, every
> > > bit of mail entering the site has already been checked anyway,
> > > hasn't it?
> > >
> > > I had a couple of people who didn't want their mail scanned,
> > > including a member of senior management. I held my ground and
> > > refused. Within about 3 months both had thanked me for saving them
> > > from virus/spam attacks.
> > >
> > > I should write a faq on this...
> > >
> > > P.S. If you really must do this, it is easy in V4. But my advice is
> > DON'T!!!
> > > --
> > > Julian Field Teaching Systems Manager
> > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
> > > Tel. 023 8059 2817 University of Southampton
> > > Southampton SO17 1BJ
> >
> >
> >--
> >Vegetarian Recipes! (http://www.vegipes.com)
>
> --
> Julian Field Teaching Systems Manager
> jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
> Tel. 023 8059 2817 University of Southampton
> Southampton SO17 1BJ

--
Vegetarian Recipes!
(http://www.vegipes.com)

From craig at WEBFARM.CO.NZ Wed Oct 2 21:29:06 2002
From: craig at WEBFARM.CO.NZ (craig)
Date: Thu Jan 12 21:15:49 2006
Subject: Stopping MailScanner on a per user basis ...
In-Reply-To: <20021002172653.M32165@coam.net>
Message-ID:

> Is there a way to have MailScanner skip users that have requested that none of
> their emails be checked for viruses or spam?
>

Hi

I also had this need. I found that you can only set domains to scan with the current version, not domains not to scan, so I turned this on, then made the domains to scan from a copy of the /etc/sendmail.cw or /etc/mail/local-host-names and then removed the ones that did not want scanning.

Regards

From Denis.Beauchemin at USHERBROOKE.CA Wed Oct 2 21:42:12 2002
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:15:49 2006
Subject: Error with Content-Type
Message-ID: <1033591333.2412.270.camel@dbeauchemin.si.usherb.ca>

Hi,

One of my users (using Outlook) just noticed that whenever a virus is quarantined the attachment with the contents of the stored.virus.message.txt file uses a charset="us-ascii" making it look like it has a parity problem.

Since I use accented characters, a charset=ISO-8859-1 would be more appropriate.

Could this be done?

I'm using mailscanner-3.22-14 on RH 7.3 and McAfee

Stored Virus Message Report = /usr/local/MailScanner/etc/stored.virus.message.txt
MTA = sendmail
Attachment Warning Filename = AlerteVirus.txt
Warning Is Attachment = no

BTW, shouldn't the "Warning Is Attachment = no" make this warning part of the message body?

Here is a piece of the source of such a message:
-------------------------------------
--=-Aazr6az/KhvLs6qFFLrD
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

ATTENTION !!!
Au moins une pi=E8ce jointe =E0 ce message ne vous a pas =E9t=E9 transmise.
SVP lire la pi=E8ce jointe =ABAlerteVirus.txt=BB pour plus d'informations.

--=-Aazr6az/KhvLs6qFFLrD
Content-Type: text/plain; charset="us-ascii"; name="AlerteVirus.txt"
Content-Disposition: inline; filename="AlerteVirus.txt"
Content-Transfer-Encoding: quoted-printable

Avertissement de la passerelle antivirus de l'Universit=E9 de Sherbrooke
----------------------------------------------------------------------
La pi=E8ce jointe "bugbear.virus" contient probablement un virus.
Elle a =E9t=E9 remplac=E9e par cet avertis=
sement.
-------------------------------------

Thanks!

Denis
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From davidclosson at MSN.COM Wed Oct 2 23:58:46 2002
From: davidclosson at MSN.COM (David Closson)
Date: Thu Jan 12 21:15:49 2006
Subject: Possible Microsoft security vulnerability attack
Message-ID:

Using Mailscanner 3.23-4 (with McAfee AV)
-Upgraded from 3.22-14
-Install method: RPM

I am getting quite a few users that are reporting false virus reports:
"Possible Microsoft security vulnerability attack"

The messages are common mail list HTML messages that may or may not be pulling content from another location.

_________
Sincerely,
David Closson
209-728-8199

_________________________________________________________________
Chat with friends online, try MSN Messenger: http://messenger.msn.com

From dave at ESI.COM.AU Thu Oct 3 00:43:26 2002
From: dave at ESI.COM.AU (Dave Horsfall)
Date: Thu Jan 12 21:15:49 2006
Subject: Odd directory size
In-Reply-To: <5.1.0.14.2.20021002163022.042d9050@imap.ecs.soton.ac.uk>
Message-ID:

On Wed, 2 Oct 2002, Julian Field wrote:

> >This is possibly a silly question but here goes.
> >The following is the two entries /var/spool for the mailscanner
> >queues.
> >drwxr-xr-x 2 root mail 1220608 Oct 2 15:56 mqueue
> >drwxr-xr-x 2 root mail 24576 Oct 2 15:56 mqueue.in
> >All the other directories here and a random selection of other
> >directories seem to have a size of 4096.
> > This merely shows that at some point in history, the "mqueue" directory had > a lot of files in it. By my calculations, it once had nearly 100,000 files in it... That Is Not Normal, and could be a sign of having been relay-raped in the past. It's also quite inefficient; it should be recreated. > >Is this a sign of an error or has it something to do with the > >volume of files it once held? Currently mqueue.in has 1 or 2 files > >waiting to be scanned and mqueue had about ~100 files all small. > >Also the date changes, does this reflect the last time the > >directory was used? In NT and WS2000 the date & time reflect > >when it was created. Is this a Redhat Linux feature? > > Unix will always give you the last-modification time by default. It appears > that Samba is feeding Windows the creation time instead. On a directory, it is the last time a file was added or removed to/from it. There is no such thing as a creation time in Unix/Linux. -- Dave Horsfall DTM VK2KFU dave@esi.com.au Ph: +61 2 9906-3377 Fx: 9906-3468 (Unix Guru) Pacific ESI, Unit 22, 8 Campbell St, Artarmon, NSW 2065, Australia From bill at DISTMIRR.COM Thu Oct 3 00:36:29 2002 From: bill at DISTMIRR.COM (Bill Omer) Date: Thu Jan 12 21:15:49 2006 Subject: No Message Collected In-Reply-To: <5.1.0.14.2.20021002162740.04635b30@imap.ecs.soton.ac.uk> Message-ID: <000f01c26a6c$8991ef50$d49dd7d1@billslaptop> Both the mqueue and mqueue.in directories are on the same file system, and neither of them contain any sub directories. One thing that I don't think I made clear was that this is a random problem. Out of 50K pieces of mail that are delivered to my mail server, I've only had a couple handful of complaints about this problem (that's not to say that it hasn't happened more than what we are aware of though). I changed from 'batch' to 'queue' processing, we'll see how that works for us and I'll let you know if it happens again. 
Thanks for the help, Bill > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Julian Field > Sent: Wednesday, October 02, 2002 10:30 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: No Message Collected > > Can you check your mqueue and mqueue.in directories are on the same > filesystem? sounds like the message body isn't linking across to the > outgoing queue. > > The other test you can do is change the delivery mode to "queue" instead > of > batch. Kill the sendmail process that is handling the outgoing queue (the > one you started like "sendmail -q15m"). Then all the processed messages > should just collect in the outgoing mqueue directory. Make sure there is a > df file and a qf file for each message in that directory. > > Is your mqueue.in directory just a flat directory with no sub-dirs off it? > Like wise for mqueue? > > At 15:47 02/10/2002, you wrote: > >Since upgrading to version 4, I'm having lots of complains about > >duplicate messages being delivered, with one of the copies containing > >only the following in the message body: > ><<< No Message Collected >>> > > > > >From what I understand, this is caused when the DATA connection is > >terminated during the communication to sendmail. However, I'm not sure > >why two copies of the same message would be sent, with only failing and > >the other not. > > > >Has anyone noticed this before? Any ideas what could be causing this or > >how to work around it? > > > >Regards, > >Bill Omer > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ From barnaby_brown at PACIFIC.NET.AU Thu Oct 3 01:12:17 2002 From: barnaby_brown at PACIFIC.NET.AU (Barnaby Brown) Date: Thu Jan 12 21:15:49 2006 Subject: Stopping MailScanner on a per user basis ... 
In-Reply-To: <5.1.0.14.2.20021002185621.02303438@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20021002162740.04635b30@imap.ecs.soton.ac.uk> <000401c26a22$91a1fd60$5d751542@billslaptop> <5.1.0.14.2.20021002162740.04635b30@imap.ecs.soton.ac.uk> <5.1.0.14.2.20021002185621.02303438@imap.ecs.soton.ac.uk> Message-ID: <20021003001217.GU3004@pacific.net.au> On Wed, Oct 02, 2002 at 07:04:46PM +0100, Julian Field wrote: > At 18:26 02/10/2002, you wrote: > >Is there a way to have MailScanner skip users that have requested that > >none of > >their emails be checked for viruses or spam? > > The best to solve this problem is by making an institution policy that all > email will be scanned. > It's all very well, but how do you know that the people who are not having > their mail scanned are not forwarding mail internally to other people? It's > about the easiest way to let viruses in to your organisation! Depends on your whole definition of 'organisation', really. As an ISP, we have a fair few users, and only extend scanning to some of them - it's a feature for them, not our responsibility to keep their systems clean (however, we will mandate it for all staff accounts). I do it with external logic - only mail for users that want scanning gets sent through the mailscanner (I use sendmail with an external data source to look this up). I can't see a problem with us declaring that all our users get virus scanning, no option (it'd make our servers much happier about losing all the new Bugbear crap), but the spam blocking is the sticking part - many users are paranoid about losing any mail at all, and I don't think a flat-file spam.actions.conf scales to 50,000+ mailboxes. Potentially I may have to decouple the two functions, and run with a standalone spamassassin utility. A pity, I'm really enjoying the ease of mailscanner so far. 
Barnaby -- Barnaby Brown - Systems Engineer Pacific Internet (Australia) Pty Ltd - http://www.pacific.net.au From mkettler at EVI-INC.COM Thu Oct 3 02:13:50 2002 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:15:49 2006 Subject: Possible Microsoft security vulnerability attack In-Reply-To: Message-ID: <5.1.1.6.0.20021002211155.01c01218@192.168.50.2> Very rapidly this is becoming a FAQ.. Your most likely candidate is Iframe tags: Allow IFrame Tags = yes There are two other causes of this message, but they shouldn't occur and you'd have to modify the mailscanner code to allow em thru. Search the list archives. there's lots of instances of this question. At 03:58 PM 10/2/2002 -0700, David Closson wrote: >Using Mailscanner 3.23-4 (with McAfee AV) >-Upgraded from 3.22-14 >-Install method: RPM > >I am getting quite a few users that are reporting false virus reports: >"Possible Microsoft security vulnerability attack" > >The messages are common mail list HTML messages that may or may not be >pulling content from another location. > > >_________ >Sincerely, >David Closson >209-728-8199 From support at rl.ac.uk Thu Oct 3 09:11:51 2002 From: support at rl.ac.uk (CLRC_Support) Date: Thu Jan 12 21:15:49 2006 Subject: (UQ0000110479)Fwd: FW: Rejected posting to MAILSCANNER@JISCMAIL.A C.UK Message-ID: <350DC7048372D31197F200902773DF4C02CF85A6@exchange11.rl.ac.uk> A response to enquiry (UQ0000110479) has been provided for you below. Thank you. Response to user : Julian Further to Phillipa's note, your list member did try to subscribe before he posted on 1 Oct but did not follow the confirmation request . He did not actual become a member until 2 Oct Pam - JISCmail Support Problem Description : I've got a user who can't post to the MailScanner list despite his address appearing in the list of members. Here is the error message and the headers, etc. Can you take a look please? Thanks! Jules. 
From: "Harnish, Joe" To: "'mailscanner@ecs.soton.ac.uk'" Subject: FW: Rejected posting to MAILSCANNER@JISCMAIL.AC.UK Date: Wed, 2 Oct 2002 08:32:59 -0400 X-Mailer: Internet Mail Service (5.5.2653.19) X-MailScanner: Found to be clean X-MailScanner-SpamCheck: not spam, SpamAssassin (score=0.9, required 5, MIME_NULL_BLOCK, DOUBLE_CAPSWORD, MAILTO_LINK) X-ECS-MailScanner: Found to be clean, Found to be clean -----Original Message----- From: L-Soft list server at JISCMAIL (1.8e) [ mailto:LISTSERV@JISCMAIL.AC.UK] Sent: Tuesday, October 01, 2002 5:15 PM To: Joseph Harnish Subject: Rejected posting to MAILSCANNER@JISCMAIL.AC.UK You are not authorized to send mail to the MAILSCANNER list from your jharnish@CI.GRAND-RAPIDS.MI.US account. You might be authorized to send to the list from another of your accounts, or perhaps when using another mail program which generates slightly different addresses, but LISTSERV has no way to associate this other account or address with yours. If you need assistance or if you have any question regarding the policy of the MAILSCANNER list, please contact the list owners: MAILSCANNER-request@JISCMAIL.AC.UK. Message-ID: <221C759285B78647AEE6181FD6AF36A703A8DF7A@bambi.grand-rapids.mi.us> From: "Harnish, Joe" To: "'mailscanner@jiscmail.ac.uk'" Subject: domains to scan Date: Tue, 1 Oct 2002 17:14:07 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: multipart/mixed; boundary="----_=_NextPart_002_01C26A0F.D7E2E4A0" Hello, I am working on setting up a test group for mailscanner/SpamAssassin so that certain people can see how it is going to work without implementing it to everyone right away. So what I am doing is I added my account to domains.to.scan.conf file. Which now looks like this: jharnish@* and set "Scanning By Domain = yes" and I have "Spam Checks = yes" do I need to do something special to only scan my address? Thanks Joe -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. 
of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From S.R.Patterson at SOTON.AC.UK Thu Oct 3 09:55:35 2002
From: S.R.Patterson at SOTON.AC.UK (Patterson S.R.)
Date: Thu Jan 12 21:15:49 2006
Subject: Odd directory size
Message-ID:

> -----Original Message-----
> From: Dave Horsfall [mailto:dave@ESI.COM.AU]
> Sent: 03 October 2002 00:43
>
> On a directory, it is the last time a file was added or
> removed to/from it.
> There is no such thing as a creation time in Unix/Linux.

In fact, the "ctime" field often referred to as creation time is the last time the inode information was updated.

Fascinating and completely off topic now though :)

--
Steven Patterson MSci OCP. Tel: +44 (0)2380 595810
Primary Information Services Support and Development
Information Systems Services, University of Southampton, UK.
Public PGP Key: http://www.soton.ac.uk/~srp/pubkey.asc

From t.d.lee at DURHAM.AC.UK Thu Oct 3 10:23:04 2002
From: t.d.lee at DURHAM.AC.UK (David Lee)
Date: Thu Jan 12 21:15:50 2006
Subject: Delivering spam into a folder
Message-ID:

We have been running MailScanner (MS) for about a year with great success
in virus-blocking (and elementary spam-marking using ORDB).

We now wish to make bigger efforts in spam detection, and it would seem
natural to introduce SpamAssassin (SA) into our sendmail/MS system, as
this combination seems well-known and well-liked on this mailscanner list.

One feature which management is requesting (and it seems reasonable) is
the ability to divert spam (probably above a certain SA 'score') into a
user's folder (of fixed name). For a user 'userid' whose mail would
normally be delivered via Mlocal to 'userid':
    Mlocal P=/usr/sbin/tmail ... A=tmail $u

instead deliver it to 'userid+spamfolder':
    Mlocal P=/usr/sbin/tmail ... A=tmail $u+$h

It is sendmail's ruleset 5 which handles the "+" syntax glue here.


But I'm stuck. Given a message, which SA (aided by MS) determines to be
spam of high enough score, how can the envelope "userid" be persuaded,
under these circumstances, to become "userid+spamfolder" by the time it
reaches sendmail's ruleset 5?

Can SA/MS adjust the envelope before the delivery sendmail is invoked? Or
can the delivery sendmail somehow detect the SA/MS headers and use that to
adjust the envelope being processed?

--

: David Lee I.T. Service :
: Systems Programmer Computer Centre :
: University of Durham :
: http://www.dur.ac.uk/t.d.lee/ South Road :
: Durham :
: Phone: +44 191 374 2882 U.K. :

From bovati at MONDADORI.COM Thu Oct 3 14:59:13 2002
From: bovati at MONDADORI.COM (Mirko Bovati)
Date: Thu Jan 12 21:15:50 2006
Subject: Possible Microsoft security vulnerability attack.
In-Reply-To: <02100217533101.30949@prezzemolo.polito.it>
References: <5.1.0.14.2.20021002163154.04840818@imap.ecs.soton.ac.uk> <02100217533101.30949@prezzemolo.polito.it>
Message-ID: <200210031259.13263.bovati@mondadori.com>

On Wednesday 02 October 2002 02:53 pm, you wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Wednesday 02 October 2002 17:32, Julian Field wrote:
> > You want to disable this in mailscanner.conf:
> >
> > # Do you want to put some text on the front of the subject line when
> > # it contained a virus which has been removed
> > Virus Modify Subject = yes
> >
> > At 18:53 02/10/2002, you wrote:
> > >Hi all,
> > >
> > >I need to disable the control that generate the message
> > >in subject. May I disable this feature?
>
> I think he wants to permit messages with Microsoft security
> vulnerabilities. So it should at least be:
> Allow IFrame Tags = yes

I want to permit messages with Microsoft security vulnerability,
I set: Allow IFrame Tags = yes
but I still receive messages with:
Possible Microsoft security vulnerability attack.
Is there any other switch to set up?

thanks.

>
> or, if he wants to permit OBJECT/CODEBASE, he should modify the source code
> (not suggested).
> > Maurizio > > - -- -- Mirko Bovati From mike at ZANKER.ORG Thu Oct 3 12:06:08 2002 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:15:50 2006 Subject: Possible Microsoft security vulnerability attack. In-Reply-To: <200210031259.13263.bovati@mondadori.com> References: <200210031259.13263.bovati@mondadori.com> Message-ID: <11441609.1033646767@mallard.open.ac.uk> On 03 October 2002 12:59 -0100 Mirko Bovati wrote: > I want permit messages with Microsoft security vulnerability, > I set: Allow IFrame Tags = yes > but a receive still message with: > Possible Microsoft security vulnerability attack. > Is there any other switch to set up? Same here. I have set Allow IFrame Tags = yes because my users are all using mail clients that are not vulnerable to these attacks. I'm still getting a number of mails caught, though. Mike -- Mike Zanker Northampton, UK PGP Public Key: pgp@zanker.org From LISTSERV at JISCMAIL.AC.UK Thu Oct 3 04:15:10 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:50 2006 Subject: MAILSCANNER: rubensb@ITEXTRON.COM requested to join Message-ID: <200210030315.EAA19063@magpie.ecs.soton.ac.uk> Thu, 3 Oct 2002 04:15:10 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Ruben San Buenaventura . 
You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER rubensb@ITEXTRON.COM Ruben San Buenaventura The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+rubensb%40ITEXTRON.COM+Ruben+San+Buenaventura&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From LISTSERV at JISCMAIL.AC.UK Thu Oct 3 11:42:13 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:50 2006 Subject: MAILSCANNER: anjana.patel@CRANFIELD.AC.UK requested to join Message-ID: <200210031042.LAA28583@magpie.ecs.soton.ac.uk> Thu, 3 Oct 2002 11:42:13 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Anj Patel . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER anjana.patel@CRANFIELD.AC.UK Anj Patel The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+anjana.patel%40CRANFIELD.AC.UK+Anj+Patel&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From munafo at PREZZEMOLO.POLITO.IT Thu Oct 3 12:12:00 2002 From: munafo at PREZZEMOLO.POLITO.IT (Maurizio Matteo Munafo') Date: Thu Jan 12 21:15:50 2006 Subject: Possible Microsoft security vulnerability attack. 
In-Reply-To: <200210031259.13263.bovati@mondadori.com> References: <5.1.0.14.2.20021002163154.04840818@imap.ecs.soton.ac.uk> <02100217533101.30949@prezzemolo.polito.it> <200210031259.13263.bovati@mondadori.com> Message-ID: <02100313120001.03920@prezzemolo.polito.it> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thursday 03 October 2002 15:59, Mirko Bovati wrote: > On Wednesday 02 October 2002 02:53 pm, you wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > On Wednesday 02 October 2002 17:32, Julian Field wrote: > > > You want to disable this in mailscanner.conf: > > > > > > # Do you want to put some text on the front of the subject line when > > > # it contained a virus which has been removed > > > Virus Modify Subject = yes > > > > > > At 18:53 02/10/2002, you wrote: > > > >Hi all, > > > > > > > >I need to disable the control that generate the message > > > >in subject. My I disable this feature? > > > > I think he wants to permit messages with Microsoft security > > vulnerabilities. So it should at least be: > > Allow IFrame Tags = yes > > I want permit messages with Microsoft security vulnerability, > I set: Allow IFrame Tags = yes > but a receive still message with: > Possible Microsoft security vulnerability attack. > Is there any other switch to set up? > > thanks. > As far as I know, there is no other switch. You should look in the source code for 'Microsoft security' and figure which how to comment out the tests you do not want. The other test triggering the security message is for HTML mail containing an OBJECT tag with a CODEBASE attribute. In my environment such messages are triggered by in mailing list HTML posts containing a ShockWave banner, not the most orthodox content for an e-mail message. Maurizio - -- ______ / Maurizio M. Munafo' / dMMMMMMMMb dMMMMb / Dip. 
di Elettronica - Politecnico di Torino / dMP"dMP"dMP "dMP / Corso Duca degli Abruzzi 24 / dMP dMP dMP dMMK" / I-10129 Torino (Italia) / dMP dMP dMP dMF / Tel: +39 011 5644128 Fax: +39 011 5644099 / dMP dMP dMP dMMMMP" / E-mail: munafo@polito.it /__________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE9nCYEtgCCNnfQWWkRAhdOAJ9RiJl2DKOzo0Z7QNfn5uwFwaUDXgCfVv97 ntmvIhxKz9jOzvrvwZL6mDk= =KzW3 -----END PGP SIGNATURE----- From mark at vevers.net Thu Oct 3 11:23:50 2002 From: mark at vevers.net (Mark Vevers) Date: Thu Jan 12 21:15:50 2006 Subject: Delivering spam into a folder In-Reply-To: References: Message-ID: <200210031123.57136.mark@vevers.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thursday 03 Oct 2002 10:23, you wrote: > One feature which management is requesting (and it seems reasonable) is > the ability to divert spam (probably above a certain SA 'score') into a > user's folder (of fixed name). For a user 'userid' whose mail would > normally be delivered via Mlocal to 'userid': > Mlocal P=/usr/sbin/tmail ... A=tmail $u > > instead deliver it to 'userid+spamfolder': > Mlocal P=/usr/sbin/tmail ... A=tmail $u+$h > > It is sendmail's ruleset 5 which handles the "+" syntax glue here. > > > But I'm stuck. Given a message, which SA (aided by MS) determines to be > spam of high enough score, how can the envelope "userid" be persauded, > under these circumstances, to become "userid+spamfolder" by the time it > reaches sendmail's ruleset 5? The easiest way of handling this is to use either a procmail recipe or use Maildrop (part of the Courier MTA but can also be used as a sendmail delivery agent). The nice thing about maildrop is you can then create a default delivery 'filter' and then let users override that if they wish. 
I actually use SendMail + MailScanner + MailDrop + LDAP (virtual mail users) + Courier IMAP - creating the delivery DIR and shoving the user into LDAP and hey presto new mail user with no entry in /etc/passwd. - -- Mark Vevers. mark@ifl.net / mark@vevers.net Principal Internet Engineer, Internet for Learning, Research Machines Plc. (AS5503) - -- GPG Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB08F3CA3 Fingerprint: 85BA 30C4 9EC8 1792 4C8C C31E 58B5 3D1C B08F 3CA3 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE9nBq3WLU9HLCPPKMRAh2mAJwL0y0aUWFlr1rDfk9fN2E4wFTBlgCfYe9B /k148CFCUSTAnxRHpYyYLHk= =3efL -----END PGP SIGNATURE----- From tal at MUSICGENOME.COM Thu Oct 3 12:19:21 2002 From: tal at MUSICGENOME.COM (Tal Kelrich) Date: Thu Jan 12 21:15:50 2006 Subject: Possible Microsoft security vulnerability attack. In-Reply-To: <11441609.1033646767@mallard.open.ac.uk> References: <200210031259.13263.bovati@mondadori.com> <11441609.1033646767@mallard.open.ac.uk> Message-ID: <1033643965.15503.8.camel@johnny5> Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 240 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021003/26b4b413/attachment.bin From henrik at LEWANDER.COM Thu Oct 3 12:41:28 2002 From: henrik at LEWANDER.COM (Henrik Lewander) Date: Thu Jan 12 21:15:50 2006 Subject: Possible Microsoft security vulnerability attack References: <5.1.1.6.0.20021002211155.01c01218@192.168.50.2> Message-ID: <046201c26ad1$d0377640$05c6a8c0@gbg.bluelabs.se> I have "Allow IFrame Tags = yes" already but Mailscanner still catches quite a few legitimate mails with this report. What can I do? BR Henrik From: "Matt Kettler": > Very rapidly this is becoming a FAQ.. 
> > Your most likely candidate is Iframe tags: > > Allow IFrame Tags = yes > > There are two other causes of this message, but they shouldn't occur and > you'd have to modify the mailscanner code to allow em thru. > > Search the list archives. there's lots of instances of this question. > > At 03:58 PM 10/2/2002 -0700, David Closson wrote: > >Using Mailscanner 3.23-4 (with McAfee AV) > >-Upgraded from 3.22-14 > >-Install method: RPM > > > >I am getting quite a few users that are reporting false virus reports: > >"Possible Microsoft security vulnerability attack" > > > >The messages are common mail list HTML messages that may or may not be > >pulling content from another location. > > > > > >_________ > >Sincerely, > >David Closson > >209-728-8199 > From munafo at PREZZEMOLO.POLITO.IT Thu Oct 3 12:43:52 2002 From: munafo at PREZZEMOLO.POLITO.IT (Maurizio Matteo Munafo') Date: Thu Jan 12 21:15:50 2006 Subject: External Body Message-ID: <02100313435200.05952@prezzemolo.polito.it> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 At the moment messages with external body are completely blocked. What is the plan for V4.00? To mantain the complete block or to just block the 'Message/External-body' sections and pass all the rest of the message? I'm asking just because I discovered IETF sends its announcements for new Internet Drafts with a format containing both the plain announcement and the pointers to the documents. Maurizio - -- ______ / Maurizio M. Munafo' / dMMMMMMMMb dMMMMb / Dip. 
di Elettronica - Politecnico di Torino
/ dMP"dMP"dMP "dMP / Corso Duca degli Abruzzi 24
/ dMP dMP dMP dMMK" / I-10129 Torino (Italia)
/ dMP dMP dMP dMF / Tel: +39 011 5644128 Fax: +39 011 5644099
/ dMP dMP dMP dMMMMP" / E-mail: munafo@polito.it
/__________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9nC19tgCCNnfQWWkRAvZyAJ9vEgWzBQt3UfHPVC/ks8SegLU+KwCgxiqE
ItRRgeEiT9/ovR5Z6OnbBbI=
=z4x1
-----END PGP SIGNATURE-----

From Denis.Beauchemin at USHERBROOKE.CA Thu Oct 3 13:24:31 2002
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:15:50 2006
Subject: Error with Content-Type
In-Reply-To: <20021003075108.GC31955@hoiho.nz.lemon-computing.com>
References: <1033591333.2412.270.camel@dbeauchemin.si.usherb.ca> <20021003075108.GC31955@hoiho.nz.lemon-computing.com>
Message-ID: <1033647871.2412.273.camel@dbeauchemin.si.usherb.ca>

On Thu, 2002-10-03 at 03:51, Nick Phillips wrote:
> On Wed, Oct 02, 2002 at 04:42:12PM -0400, Denis Beauchemin wrote:
> >
> > One of my users (using Outlook) just noticed that whenever a virus is
> > quarantined the attachment with the contents of the
> > stored.virus.message.txt file uses a charset="us-ascii" making it look
> > like it has a parity problem.
> >
> > Since I use accented characters, a charset=ISO-8859-1 would be more
> > appropriate.
>
> I guess the most portable option would be to specify that the
> messages be UTF-8, and set the content-type appropriately.

How would you do it?

Denis
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045 From bill at DISTMIRR.COM Thu Oct 3 13:24:09 2002 From: bill at DISTMIRR.COM (Bill Omer) Date: Thu Jan 12 21:15:50 2006 Subject: No Message Collected In-Reply-To: <20021003075349.GD31955@hoiho.nz.lemon-computing.com> Message-ID: <000001c26ad7$c6e00c00$5d751542@billslaptop> > On Wed, Oct 02, 2002 at 06:36:29PM -0500, Bill Omer wrote: > > Both the mqueue and mqueue.in directories are on the same file system, > > and neither of them contain any sub directories. One thing that I don't > > think I made clear was that this is a random problem. Out of 50K pieces > > of mail that are delivered to my mail server, I've only had a couple > > handful of complaints about this problem (that's not to say that it > > hasn't happened more than what we are aware of though). > > I'll bet you're running two mailscanners. Probably still got v3 running. > No, only one and its on v4. Bill From mailscanner at ecs.soton.ac.uk Thu Oct 3 14:36:38 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:50 2006 Subject: External Body In-Reply-To: <02100313435200.05952@prezzemolo.polito.it> Message-ID: <5.1.0.14.2.20021003143600.055d6c20@imap.ecs.soton.ac.uk> At 12:43 03/10/2002, you wrote: >At the moment messages with external body are completely blocked. >What is the plan for V4.00? To mantain the complete block or to just block >the 'Message/External-body' sections and pass all the rest of the message? It will stop the external-body section and deliver the rest of the message. >I'm asking just because I discovered IETF sends its announcements for new >Internet Drafts with a format containing both the plain announcement and the >pointers to the documents. Apparently they are about the only people who do :-) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 
023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Thu Oct 3 14:33:51 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:50 2006 Subject: Delivering spam into a folder In-Reply-To: Message-ID: <5.1.0.14.2.20021003143152.02be5e40@imap.ecs.soton.ac.uk> One way of achieving this would be to use procmail as the delivery agent, and use the "Spam Score" header in MailScanner V4. Then you could have a per-user rule that filed the mail into a different folder if the score was above a certain value that each user could choose if they wanted to. Yes, the envelope could be messed around with, to alter the recipient's address. But don't forget that a message can/will have multiple recipients, so you've got to cope with all of them, some of which will be on your site, some of them not. At 10:23 03/10/2002, you wrote: >We have been running MailScanner (MS) for about a year with great success >in virus-blocking (and elementary spam-marking using ORDB). > >We now wish to make bigger efforts in spam detection, and it would seem >natural to introduce SpamAssassin (SA) into our sendmail/MS system, as >this combination seems well-known and well-liked on this mailscanner list. > >One feature which management is requesting (and it seems reasonable) is >the ability to divert spam (probably above a certain SA 'score') into a >user's folder (of fixed name). For a user 'userid' whose mail would >normally be delivered via Mlocal to 'userid': > Mlocal P=/usr/sbin/tmail ... A=tmail $u > >instead deliver it to 'userid+spamfolder': > Mlocal P=/usr/sbin/tmail ... A=tmail $u+$h > >It is sendmail's ruleset 5 which handles the "+" syntax glue here. > > >But I'm stuck. Given a message, which SA (aided by MS) determines to be >spam of high enough score, how can the envelope "userid" be persauded, >under these circumstances, to become "userid+spamfolder" by the time it >reaches sendmail's ruleset 5? 
> >Can SA/MS adjust the envelope before the delivery sendmail is invoked? Or >can the delivery sendmail somehow detect the SA/MS headers and use that to >adjust the envelope being processed? > >-- > >: David Lee I.T. Service : >: Systems Programmer Computer Centre : >: University of Durham : >: http://www.dur.ac.uk/t.d.lee/ South Road : >: Durham : >: Phone: +44 191 374 2882 U.K. : -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Thu Oct 3 14:30:40 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:50 2006 Subject: Possible Microsoft security vulnerability attack. In-Reply-To: <200210031331.54323.bovati@mondadori.com> References: <02100313120001.03920@prezzemolo.polito.it> <5.1.0.14.2.20021002163154.04840818@imap.ecs.soton.ac.uk> <200210031259.13263.bovati@mondadori.com> <02100313120001.03920@prezzemolo.polito.it> Message-ID: <5.1.0.14.2.20021003142441.055ba8a0@imap.ecs.soton.ac.uk> What would people like me to do about this? I really can't see any point have tags are obviously causing people problems. I went for the simple solution of not allowing any iframe tags as that dispenses with the problem completely, and protects against future iframe exploits. There are quite a few of these already, and I can't see why there won't be any more. Parsing out specific attributes from iframe tags is really hard to do in a robust reliable way, which is also why I didn't bother. I see little point in having a trap that the bad guys can get round once they have seen the code. The commercial guys may think they can have security by obscurity, but I don't. As it stands at the moment, there is a partial solution in V4, as you can specify addresses from which you will accept