From sanjay.patel at REXWIRE.COM Fri Aug 1 00:27:47 2003
From: sanjay.patel at REXWIRE.COM (Sanjay K. Patel)
Date: Thu Jan 12 21:19:07 2006
Subject: Unknown string error
Message-ID: <014601c357bb$5dd755c0$6f01a8c0@Laptop1>

After upgrading MailScanner I have started getting the following error on every e-mail that gets scanned.

Looked up unknown string spamassassin in language translation file /etc/MailScanner/reports/en/languages.conf

What is causing it?

SKP

From raymond at PROLOCATION.NET Fri Aug 1 00:33:31 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:07 2006
Subject: Unknown string error
In-Reply-To: <014601c357bb$5dd755c0$6f01a8c0@Laptop1>
Message-ID:

Hi!

> After upgrading MailScanner I have started getting the following error on
> every e-mail that gets scanned.
>
> Looked up unknown string spamassassin in language translation file
> /etc/MailScanner/reports/en/languages.conf

Most likely there is a /etc/MailScanner/reports/en/languages.conf.rpmnew on your system

Bye,
Raymond.

From sanjay.patel at REXWIRE.COM Fri Aug 1 00:37:11 2003
From: sanjay.patel at REXWIRE.COM (Sanjay K. Patel)
Date: Thu Jan 12 21:19:07 2006
Subject: Unknown string error
In-Reply-To:
Message-ID: <014801c357bc$aaa0a9f0$6f01a8c0@Laptop1>

There is. Do I replace it with the languages.conf?
From raymond at PROLOCATION.NET Fri Aug 1 00:46:23 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:07 2006
Subject: Unknown string error
In-Reply-To: <014801c357bc$aaa0a9f0$6f01a8c0@Laptop1>
Message-ID:

Hi!

> There is. Do I replace it with the languages.conf?
>
> > Most likely there is a
> > /etc/MailScanner/reports/en/languages.conf.rpmnew on your system

Yes...

mv /etc/MailScanner/reports/en/languages.conf.rpmnew /etc/MailScanner/reports/en/languages.conf

And also check the other dirs for rpmnew files please to avoid more trouble :)

Didn't you get this pasted on your screen once you upgraded also?

Bye,
Raymond.

From mikea at MIKEA.ATH.CX Fri Aug 1 01:13:17 2003
From: mikea at MIKEA.ATH.CX (mikea)
Date: Thu Jan 12 21:19:07 2006
Subject: Unknown string error
In-Reply-To: ; from raymond@PROLOCATION.NET on Fri, Aug 01, 2003 at 01:46:23AM +0200
References: <014801c357bc$aaa0a9f0$6f01a8c0@Laptop1>
Message-ID: <20030731191317.A7793@mikea.ath.cx>

On Fri, Aug 01, 2003 at 01:46:23AM +0200, Raymond Dijkxhoorn wrote:
> Hi!
>
> > There is. Do I replace it with the languages.conf?
> >
> > > Most likely there is a
> > > /etc/MailScanner/reports/en/languages.conf.rpmnew on your system
>
> Yes...
>
> mv /etc/MailScanner/reports/en/languages.conf.rpmnew /etc/MailScanner/reports/en/languages.conf
>
> And also check the other dirs for rpmnew files please to avoid more
> trouble :)
>
> Didn't you get this pasted on your screen once you upgraded also?

And for those who don't use RPM because they run FreeBSD, but who also have that message after a fresh install? What sage advice do the gurus offer?
--
Mike Andrews
mikea@mikea.ath.cx
Tired old sysadmin since 1964

From mike at CAMAROSS.NET Fri Aug 1 01:25:40 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:07 2006
Subject: Unknown string error
In-Reply-To: <20030731191317.A7793@mikea.ath.cx>
Message-ID: <000601c357c3$707634a0$9c01a8c0@home.middlefinger.net>

I added:

SpamAssassin = SpamAssassin

to mine and the problem went away. This was suggested by someone on the list.

Mike
From mailscanner at ELKNET.NET Fri Aug 1 06:21:13 2003
From: mailscanner at ELKNET.NET (Alan Fiebig)
Date: Thu Jan 12 21:19:07 2006
Subject: spam.whitelist.rules
Message-ID: <200308010417.h714HDs07450@custmail0.corp.aus.wayport.net>

I'm sorry for my ignorance, but if this is an answer to my question, I sure don't understand it:

> Hash: SHA1
>
> On Thursday 31 July 2003 10:11 am, Kris Zabriskie wrote:
> To: | From: | FromTo: *@domain-name.com | user@domainname.com
>
> Don't forget
> FromorTo:
>
> - --
> Lewis Bergman
> Texas Communications

My question:

> As I understand the spam whitelist rules, I can whitelist a given sender, or a given recipient.
>
> Is there a means to whitelist a given sender/recipient pair?
>
> I have a number of customers who request to receive emailings from a given company. But not everyone wants the 'mail' being sent by this company.
>
> If I whitelist the sender, then all my customers are open to their 'junk mail' messages.
> If I whitelist the customer who wants this company's mail, then they get all spam and no filtering.
>
> What I need is the ability to create a rule that says mail from THIS sender to THIS recipient is whitelisted.
>
> Can this be done now?
> Could it be done?
>
> Thanks,
> -Alan

From ka at PACIFIC.NET Fri Aug 1 06:10:53 2003
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:19:07 2006
Subject: spam.whitelist.rules
In-Reply-To: <200308010417.h714HDs07450@custmail0.corp.aus.wayport.net>
References: <200308010417.h714HDs07450@custmail0.corp.aus.wayport.net>
Message-ID: <3F29F65D.30006@pacific.net>

See CustomConfig.pm for an example of how per-domain or per-user whitelists can be implemented.

Ken A.
From jrudd at UCSC.EDU Fri Aug 1 07:21:05 2003
From: jrudd at UCSC.EDU (John Rudd)
Date: Thu Jan 12 21:19:07 2006
Subject: spam.whitelist.rules
In-Reply-To: <3F29F65D.30006@pacific.net>
Message-ID: <54CD329C-C3E8-11D7-8C50-003065F939FE@ucsc.edu>

What does mailscanner do if a message has multiple recipients, and their per-user settings don't agree with each other?

On Thursday, Jul 31, 2003, at 22:10 US/Pacific, Ken Anderson wrote:
>
> See CustomConfig.pm for an example of how per-domain or per-user
> whitelists can be implemented.
> Ken A.
From Antony at SOFT-SOLUTIONS.CO.UK Fri Aug 1 08:53:24 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:07 2006
Subject: spam.whitelist.rules
In-Reply-To: <54CD329C-C3E8-11D7-8C50-003065F939FE@ucsc.edu>
References: <54CD329C-C3E8-11D7-8C50-003065F939FE@ucsc.edu>
Message-ID: <200308010753.h717rS019775@agate.rockstone.co.uk>

On Friday 01 August 2003 7:21 am, John Rudd wrote:

> What does mailscanner do if a message has multiple recipients, and
> their per-user settings don't agree with each other?

Messages don't have multiple recipients - no, really.

There is only one "Rcpt to:" envelope address, and it is this which MailScanner uses in evaluating its rules. Anything in various "To:", "Cc:" or "Bcc:" headers inside the email itself is irrelevant.

Antony.
--
In science, one tries to tell people in such a way as to be understood by everyone something that no-one ever knew before. In poetry, it is the exact opposite.
- Paul Dirac

From mailscanner at ecs.soton.ac.uk Fri Aug 1 09:44:59 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:07 2006
Subject: new mcafee-autoupdate
In-Reply-To: <20030731185501.GT20675@chiark.greenend.org.uk>
Message-ID: <5.2.0.9.2.20030801094450.044ff2f0@imap.ecs.soton.ac.uk>

Thanks Tony. Will be in the next release.

At 19:55 31/07/2003, you wrote:
> I've added a couple of features to the McAfee dat file update script.
> It now puts the datfiles in a subdirectory of the uvscan install
> directory, so that a non-privileged user can be given write access to the
> subdirectory, i.e. you don't have to be root to do datfile updates. I've
> also added a -d delete old files option, which someone asked for on this
> list recently. Enjoy.
>
> Tony.
> --
> f.a.n.finch http://dotat.at/
> NORTH FITZROY: SOUTHWEST VEERING NORTHWEST 4 OR 5, BECOMING VARIABLE 3.
> DRIZZLE AT FIRST. MODERATE BECOMING GOOD.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Aug 1 09:32:59 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:07 2006
Subject: Allow Form Tags ??
In-Reply-To:
Message-ID: <5.2.0.9.2.20030801093237.044ec868@imap.ecs.soton.ac.uk>

At 17:25 31/07/2003, you wrote:
> On Fri, 4 Jul 2003 11:00:27 +0100, Julian Field wrote:
>
> > At 10:33 04/07/2003, you wrote:
> > > Since the upgrade to the latest version of MailScanner I seem to be
> > > getting some legitimate messages from customers that use HTML Form Tags
> > > which are now being blocked.
> > >
> > > Rather than opening up everything to these form tags wouldn't it be
> > > possible to convert the form tags to a 'normal' html message
> > > thereby 'cleaning' the message of any unwanted crap?
> >
> > Allow the Form tags but set "Strip Dangerous HTML".
>
> Does this just strip the <form> tags or strip tags from the entire html?

All the HTML tags.

> If the latter, is it possible to strip 'just' the form tag leaving the rest
> of the HTML intact?

Not at the moment, no.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Aug 1 09:29:39 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:07 2006
Subject: MailWatch.pm (was RE: SQL Redux)
In-Reply-To: <67D9E7698329D411936E00508B6590B902773A50@neelix.lbsltd.co.uk>
Message-ID: <5.2.0.9.2.20030801092905.04289da0@imap.ecs.soton.ac.uk>

Probably not a bad idea. Current MailWatch traffic level isn't a great problem. We've always got the official OT list to go to anyway if needed.

At 16:10 31/07/2003, you wrote:
> As an aside - I'm concerned that MailWatch has been taking up a fair bit of
> bandwidth on the MailScanner list at times and don't want to get on anyone's
> nerves with off-topic posts, so I'll be setting it up as a project on
> Sourceforge at the weekend and I'll create the necessary mailing-lists to
> move the traffic there.
>
> Cheers,
> Steve.
>
> -----Original Message-----
> From: Julian Field
> To: Steve Freegard
> Cc: mailscanner@jiscmail.ac.uk
> Sent: 31/07/03 15:45
> Subject: RE: SQL Redux
>
> At 15:43 31/07/2003, you wrote:
> > Hi Julian,
> >
> > Thanks very much for this.
> >
> > I'm 99.9% sure that I kept the code below - the only changes I made to your
> > original code was to log directly to MySQL bypassing the temporary files.
> >
> > I'm presuming that the NULL mapping code was added recently (which is why I
> > don't have it in my patches)??
>
> Yes, I added it this morning.
>
> > Do you think it would be easier as there are now two branches of this code
> > for me to distribute a MailWatch.pm instead of patches to CustomConfig.pm
> > and call the MailWatch logging routine something different (something like
> > &MailWatchSQLLogging) - then all that would need to be done is to include
> > the MailWatch.pm from CustomConfig.pm.
> >
> > That would save on the confusion between the two versions at least - does
> > this sound like a good idea??
>
> This sounds like a great idea. Having 2 branches of the code is a nightmare
> to maintain. This way all your bugs remain yours, and all mine remain mine :-)
> That way you can just distribute your extra file and give a very simple
> modification that people need to make to CustomConfig.pm when installing
> MailWatch, e.g.
>     require "MailWatch.pm";
>
> > -----Original Message-----
> > From: Julian Field
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Sent: 31/07/03 11:47
> > Subject: Re: SQL Redux
> >
> > You also need to make sure he does the
> >     s/\'/\\'/g for @fields;
> > line as otherwise people could inject SQL code using malicious email
> > addresses.
> >
> > At 11:42 31/07/2003, you wrote:
> > > aha
> > >
> > > I think the
> > >
> > > @fields = map { ($_ eq '')?'NULL':"$_" } @fields;
> > >
> > > bit is missing from Steve's patch. I'll try and plop a line or two in to
> > > check the potential NULL's and mark the value correctly..
> > >
> > > --
> > > Martin
> > >
> > > Julian Field wrote:
> > >
> > > > At 11:04 31/07/2003, you wrote:
> > > >
> > > > > Chris Trudeau wrote:
> > > > >
> > > > > > > this is exactly the problem I'm seeing with 4.22.5 on FreeBSD.
> > > > > >
> > > > > > CT: OK, there seems to be a common thread...I haven't expanded test to
> > > > > > anything other than 4.22-5 or 4.22.1, but the older version I have
> > > > > > working beautifully, so either the logging function in 4.22-1 doesn't
> > > > > > have the NULL value problem or it's addressed differently. Perhaps I
> > > > > > will try installing 4.22-1 or a between version to try and pinpoint
> > > > > > where it breaks!
> > > > >
> > > > > Chris
> > > > >
> > > > > looking at the 4.22.1 code there's quite a big change on the whole SQL
> > > > > logging setup. In fact the code is radically different.
> > > > >
> > > > > in 4.22.1 it reads the logfile to get the info required. Slow...
> > > > >
> > > > > in 4.22.5 it's using the values from the currently processed email to
> > > > > drive the insert. It's a lot faster, but seems not to translate NULLs
> > > > > etc very well.
> > > >
> > > > This goes in CustomConfig.pm around line 373.
> > > > It goes in just before the "prepare" statement that inserts @fields into
> > > > the database table.
> > > > Note the additional bugfix when replacing ' with \'
> > > >
> > > >     while(<$logfile1>) {
> > > >         chomp;
> > > >         @fields = split(/\t/);
> > > >         # Work through each field protecting any special characters such as '
> > > >         # The line below replaces ' with \' in each field, in place.
> > > >         # (Writing it as @fields = map { s/\'/\\'/g } @fields; would
> > > >         # assign the substitution counts returned by s/// to @fields
> > > >         # and throw the field values away.)
> > > >         s/\'/\\'/g for @fields;
> > > >
> > > >         # Set any empty strings to NULL so the SQL insert works correctly
> > > >         @fields = map { ($_ eq '')?'NULL':"$_" } @fields;
> > > >
> > > > --
> > > > Julian Field
> > > > www.MailScanner.info
> > > > MailScanner thanks transtec Computers for their support
> >
> > --
> > This email and any files transmitted with it are confidential and
> > intended solely for the use of the individual or entity to whom they
> > are addressed. If you have received this email in error please notify
> > the sender and delete the message from your mailbox.
> >
> > This footnote also confirms that this email message has been swept by
> > MailScanner (www.mailscanner.info) for the presence of computer viruses.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Aug 1 09:47:04 2003
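The thread above escapes quotes by hand before building the SQL INSERT. As an added example (not code from MailScanner or MailWatch), the block below shows the corrected in-place escape next to the approach that removes the problem entirely: DBI placeholders, which also bind undef as a real NULL. It assumes DBI with DBD::SQLite; the maillog table, its columns and the log line are constructed for the example.

```perl
#!/usr/bin/perl
# Added example (not MailScanner or MailWatch code): logging split fields to
# SQL with DBI placeholders instead of a hand-built INSERT. Assumes DBI and
# DBD::SQLite; the 'maillog' table and its columns are hypothetical.
use strict;
use warnings;
use DBI;

# Constructed sample: one tab-separated log line of the kind the quoted
# CustomConfig.pm snippet splits. The sender holds a single quote, which is
# what a string-built INSERT trips over; the last field is empty.
my $sample_line = join("\t", "h71ABC12345", "o'brien\@example.com",
                       "user\@example.net", "Hello", "");

# The thread's one-liner @fields = map { s/\'/\\'/g } @fields; assigns the
# substitution counts returned by s/// to @fields, losing the strings. The
# statement-modifier form below edits each element in place and keeps them.
# Backslash-escaping is MySQL-specific and does nothing for backslashes
# themselves, so placeholders (log_fields below) are the robust choice.
sub escape_quotes {
    my @fields = @_;
    s/'/\\'/g for @fields;
    return @fields;
}

# Empty strings become undef; DBI binds undef as SQL NULL, so no 'NULL'
# text has to be spliced into the statement.
sub nullify_empty {
    return map { $_ eq '' ? undef : $_ } @_;
}

sub open_db {
    my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                           { RaiseError => 1, AutoCommit => 1 });
    $dbh->do("CREATE TABLE maillog (msgid TEXT, sender TEXT, "
           . "recipient TEXT, subject TEXT, spamreport TEXT)");
    return $dbh;
}

# Placeholder insert: the driver binds every value, so a quote or any other
# character inside a field is data, never SQL syntax.
sub log_fields {
    my ($dbh, @fields) = @_;
    my $sth = $dbh->prepare(
        "INSERT INTO maillog (msgid, sender, recipient, subject, spamreport) "
      . "VALUES (?, ?, ?, ?, ?)");
    return $sth->execute(nullify_empty(@fields));
}

my @fields = split /\t/, $sample_line, -1;   # -1 keeps trailing empty fields
my $dbh = open_db();
log_fields($dbh, @fields);

# Read back: the quote survived intact and the empty field is a real NULL.
my ($sender, $report) = $dbh->selectrow_array(
    "SELECT sender, spamreport FROM maillog");
printf "sender=%s spamreport=%s\n", $sender,
       defined $report ? $report : "NULL";

# For comparison, the corrected escape helper applied to the same fields.
print join("|", escape_quotes(@fields)), "\n";
```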
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:08 2006
Subject: Unknown string error
In-Reply-To: <000601c357c3$707634a0$9c01a8c0@home.middlefinger.net>
References: <20030731191317.A7793@mikea.ath.cx>
Message-ID: <5.2.0.9.2.20030801094615.044ff9e0@imap.ecs.soton.ac.uk>

I do have to add new strings to the languages.conf file from time to time. So if you use an old one, rather than the one that came with that release, you are likely to see this problem. In this case it is indeed very easy as the translation of "SpamAssassin" is of course "SpamAssassin" :-)

At 01:25 01/08/2003, you wrote:
> I added:
>
> SpamAssassin = SpamAssassin
>
> to mine and the problem went away. This was suggested by someone on the
> list.
>
> Mike

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Aug 1 09:40:38 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:08 2006
Subject: spam.whitelist.rules
In-Reply-To: <200308010753.h717rS019775@agate.rockstone.co.uk>
References: <54CD329C-C3E8-11D7-8C50-003065F939FE@ucsc.edu> <54CD329C-C3E8-11D7-8C50-003065F939FE@ucsc.edu>
Message-ID: <5.2.0.9.2.20030801093355.04510928@imap.ecs.soton.ac.uk>

At 08:53 01/08/2003, you wrote:
> On Friday 01 August 2003 7:21 am, John Rudd wrote:
>
> > What does mailscanner do if a message has multiple recipients, and
> > their per-user settings don't agree with each other?
>
> Messages don't have multiple recipients - no, really.

Oh yes they do.

> There is only one "Rcpt to:" envelope address, and it is this which
> MailScanner uses in evaluating its rules.

Wrong. There can be many envelope recipients. The behaviour you get depends on the configuration variable being evaluated. In some cases it uses the first recipient for which it finds a matching rule. For other cases it adds together all the resulting values for all matching rules and does all of them (e.g. Spam Actions).

This is an area which may improve shortly. What I'm thinking of is a variable

Use Defaults When Matching Multiple Recipients

If this was "yes", then it would work like this:

1. If there is only 1 recipient, then do as before.
2. If there are multiple recipients all in the same domain (domain.com), then look up *@domain.com and use that value (which may in turn use the *@* default value in the ruleset).
3. If there are multiple recipients in multiple domains, then look up *@* and use that value.

(*@* may of course be expressed as the string 'default' just like now).

This would give 100% predictable behaviour when messages have multiple recipients.

One possible tweak to the above behaviour might be

1a. If all the values for all the recipients are the same, then use them.
But that would be more awkward to implement as the entire ruleset would have to be evaluated once to check the results, then gone through again for the *@domain.com or *@* addresses. Would definitely be slower.

Let me know what you think of either of these possibilities.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From rscarano at targetsis.com.br Fri Aug 1 12:09:35 2003
From: rscarano at targetsis.com.br (Rodrigo Scarano)
Date: Thu Jan 12 21:19:08 2006
Subject: RES: new mcafee-autoupdate
In-Reply-To: <20030731185501.GT20675@chiark.greenend.org.uk>
Message-ID: <000701c3581d$64f0bba0$6900000a@targetsis.com.br>

Thanks Tony. I guess it was me that asked for the delete option.

Regards,

Rodrigo Scarano
Target Sistemas
http://www.targetsis.com.br/
rscarano@targetsis.com.br

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On behalf of Tony Finch
Sent: Thursday, 31 July 2003 15:55
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: new mcafee-autoupdate

<< File: uvscan-update.txt >>

I've added a couple of features to the McAfee dat file update script. It now puts the datfiles in a subdirectory of the uvscan install directory, so that a non-privileged user can be given write access to the subdirectory, i.e. you don't have to be root to do datfile updates. I've also added a -d delete old files option, which someone asked for on this list recently. Enjoy.

Tony.
--
f.a.n.finch http://dotat.at/
NORTH FITZROY: SOUTHWEST VEERING NORTHWEST 4 OR 5, BECOMING VARIABLE 3.
DRIZZLE AT FIRST. MODERATE BECOMING GOOD.

From jrudd at UCSC.EDU Fri Aug 1 14:22:46 2003
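The three-case lookup Julian proposes above (one recipient, several in one domain, several domains), plus the optional 1a tweak, written out as an added example that is not MailScanner code. The ruleset keys follow the thread (user@domain, *@domain, and *@* or 'default'); the rules and addresses are constructed.

```perl
#!/usr/bin/perl
# Added example (not MailScanner code): the "Use Defaults When Matching
# Multiple Recipients" lookup from the thread, plus the optional 1a tweak.
use strict;
use warnings;

# Constructed ruleset: exact user entries, a per-domain entry, and the
# catch-all, which the thread says may be spelled *@* or 'default'.
my %rules = (
    'alice@example.com' => 'yes',
    'bob@example.com'   => 'no',
    '*@example.com'     => 'no',
    'default'           => 'yes',
);

# Resolve one address: exact entry, then *@domain, then *@* / default.
sub lookup_one {
    my ($rules, $addr) = @_;
    my ($domain) = lc($addr) =~ /\@(.+)\z/;
    $domain = '*' unless defined $domain;
    for my $key (lc $addr, "*\@$domain", '*@*', 'default') {
        return $rules->{$key} if exists $rules->{$key};
    }
    return undef;
}

# Julian's three cases:
#  1. one recipient            -> look that recipient up
#  2. several, one domain      -> look up *@domain (falls through to *@*)
#  3. several, several domains -> look up *@*
sub lookup_for_recipients {
    my ($rules, @rcpts) = @_;
    return lookup_one($rules, $rcpts[0]) if @rcpts == 1;
    my %domains = map { lc((split /\@/, $_, 2)[1]) => 1 } @rcpts;
    if (keys %domains == 1) {
        my ($domain) = keys %domains;
        return lookup_one($rules, "*\@$domain");
    }
    return lookup_one($rules, '*@*');
}

# Optional tweak 1a: evaluate every recipient first; if they all agree,
# use that value, otherwise fall back to the domain/default lookup. This
# is the extra pass over the ruleset the thread notes would be slower.
sub lookup_with_unanimity {
    my ($rules, @rcpts) = @_;
    my %values = map { my $v = lookup_one($rules, $_);
                       (defined $v ? $v : '') => 1 } @rcpts;
    return (keys %values)[0] if keys %values == 1;
    return lookup_for_recipients($rules, @rcpts);
}

# Constructed recipient lists covering each case.
for my $case (['alice@example.com'],
              ['alice@example.com', 'bob@example.com'],
              ['alice@example.com', 'carol@example.org'],
              ['bob@example.com', 'dave@example.com']) {
    printf "%-40s defaults=%-3s unanimity=%s\n", join(',', @$case),
           lookup_for_recipients(\%rules, @$case),
           lookup_with_unanimity(\%rules, @$case);
}
```

With these rules the second list gives "no" under both schemes (alice and bob disagree, so 1a falls back to *@example.com), while the third gives "yes" under both because every recipient resolves to the default.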
From: jrudd at UCSC.EDU (John Rudd)
Date: Thu Jan 12 21:19:08 2006
Subject: spam.whitelist.rules
In-Reply-To: <5.2.0.9.2.20030801093355.04510928@imap.ecs.soton.ac.uk>
Message-ID: <3D64865D-C423-11D7-8C50-003065F939FE@ucsc.edu>

On Friday, Aug 1, 2003, at 01:40 US/Pacific, Julian Field wrote:
>
> This would give 100% predictable behaviour when messages have multiple
> recipients.
> One possible tweak to the above behaviour might be
> 1a. If all the values for all the recipients are the same, then use
> them.
> But that would be more awkward to implement as the entire ruleset would
> have to be evaluated once to check the results, then gone through
> again for the *@domain.com or *@* addresses. Would definitely be slower.
>
> Let me know what you think of either of these possibilities.
>

I think slow would be bad, so I'm against that.

I think the method you give might be interesting, but I think it might also be interesting to give the option to have the message replicated for each rcpt address. So, if the message is going to 3 users and 1 mailing list, mailscanner would make it into 4 messages.

The question is, would this be a general mailscanner preference, or would it be something within the ruleset? In the first case, messages would always get split. In the second case, the ruleset would have a keyword that says "split the message if it has multiple recipients". Or, perhaps, the keyword would say "If you have multiple recipients, and they end up matching different rules, then split them", but that probably gets back to the slow approach (perhaps if you build an array of "rule matches" for that rule and that message, then you'd make one pass to build the array, then your second pass of evaluations would only be done against the array, and you would only split the message if the keyword was in that rule and the array had more than one element).
What I'm planning to do under CommuniGate Pro is this:

With CGP, there are 3 levels of "rule" processing: "Site Wide" (happens before any sort of expansion), "Domain" (happens after expansion for both mailing lists and multiple individual recipients, but before user rules), "User" (rules created by/for individual users, and controllable by them, mostly for procmail type things, but could also be used to spawn external programs).

Domain rules are new to the current version, so I haven't tried that yet... but I'm planning to move my "CGP-to-MailScanner" gateway into the domain rules. That means there will only ever be 1 recipient to each message that MailScanner sees. I'll combine that with putting the user's settings into LDAP and building my custom module around extracting their settings from LDAP.

From Q.G.Campbell at NEWCASTLE.AC.UK Fri Aug 1 14:36:18 2003
From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell)
Date: Thu Jan 12 21:19:08 2006
Subject: FW: Striphtml VS attachment and related issues
Message-ID: <74BC2BBF06470148911E64E2B48FE139049A5A@pinewood.ncl.ac.uk>

Julian

QUESTION:

If you have "deliver attachment" set for spam, what determines when the message body of a tagged message is placed in an attachment and when it is not?

BACKGROUND:

Until I installed MS 4.22-5 we had been using "deliver striphtml" as the action to take for messages tagged as spam. Some users were unhappy with this when they received false positives because they lost most of the original (HTML) message. However recipients of real spam messages are universally happy with "deliver striphtml".

To address the problems with some false positive messages I am trying "deliver attachment" as an alternative, initially for a small group of our 20,000+ users. This works fine for the few false positives they receive which also happen to be HTML. However it is not very nice nor necessary when the false positive contains no HTML. In this case the message should be delivered as-is and not in an attachment.

I notice that some of my tagged messages are not put in an attachment before delivery. That is fine since they contain no HTML. This is my preferred behaviour in that situation.

However I have examples of spam (see appended message) which although not appearing to contain any HTML *are* put in an attachment before delivery. Why? I cannot see what the essential difference is between the two sorts of tagged messages!

Quentin
---
PHONE: +44 191 222 8209    Computing Service, University of Newcastle
FAX:   +44 191 222 8765    Newcastle upon Tyne, United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinion expressed above is mine. The University can get its own."

-----Original Message-----
From: Denis Russell [mailto:Denis.Russell@ncl.ac.uk]
Sent: 01 August 2003 10:43
To: Quentin Campbell
Subject: Fwd: SP? BUSINESS PROPOSAL

Quentin,

I'm still getting spam messages put into an attachment, even though I can see no hint of HTML in the message.

Denis.

> Received: from cheviot2.ncl.ac.uk (cheviot2.ncl.ac.uk [128.240.229.35])
>     by burnmoor.ncl.ac.uk (8.9.3/8.9.3) with ESMTP id KAA23866
>     for ; Fri, 1 Aug 2003 10:19:25 +0100 (BST)
> From: mbanakaka@send-mail.co.uk
> Received: from netmail01.eng.net (netmail01.eng.net [213.130.128.38])
>     by cheviot2.ncl.ac.uk (8.10.1/8.10.1) with ESMTP id h719J9B27765;
>     Fri, 1 Aug 2003 10:19:09 +0100
> Received: from send-mail.co.uk (netmail01.eng.net [127.0.0.1])
>     by netmail01.eng.net (8.11.3/8.11.3) with SMTP id h719DEx03690;
>     Fri, 1 Aug 2003 10:13:14 +0100
> Received: from 192.116.107.67
>     (SquirrelMail authenticated user mbanakakasendmail)
>     by mail.send-mail.co.uk with HTTP;
>     Fri, 1 Aug 2003 10:14:08 +0100 (BST)
> Message-ID: <1308.192.116.107.67.1059729248.squirrel@mail.send-mail.co.uk>
> Date: Fri, 1 Aug 2003 10:14:08 +0100 (BST)
> Subject: SP? BUSINESS PROPOSAL
> To:
> X-Mailer: SquirrelMail (version 1.1.1)
> MIME-Version: 1.0
> Content-type: multipart/digest; boundary="======24934==61103======"
> X-Newcastle-MailScanner-Information: Please contact
>     Postmaster@newcastle.ac.uk for more information
> X-Newcastle-MailScanner: Found to be clean
> X-Newcastle-MailScanner-SpamCheck: spam, SpamAssassin (score=15.5,
>     required 5, BAYES_90 3.00, FROM_AND_TO_SAME 1.70, NIGERIAN_BODY 2.69,
>     NO_REAL_NAME 1.15, SUBJ_ALL_CAPS 0.49, UPPERCASE_75_100 0.00,
>     US_DOLLARS 1.14, US_DOLLARS_3 0.92, US_DOLLAR_6 4.50)
> X-Newcastle-MailScanner-SpamScore: sssssssssssssss
> X-UIDL: ed9a1cce8f31e51ff8261f1a6425c1a7
>
> --======24934==61103======
> Our MailScanner believes that the attachment to this message sent to
> you
>
>     From: mbanakaka@send-mail.co.uk
>     Subject: BUSINESS PROPOSAL
>
> is Unsolicited Commercial Email (spam). Unless you are sure that this
> message is incorrectly thought to be spam, please delete this message
> without opening it. Opening spam messages might allow the spammer to
> verify your email address and thus result in even more spam being
> received.
>
> If you believe that this message has been incorrectly marked as spam,
> please forward this email to Postmaster@newcastle.ac.uk.
>
>
> --======24934==61103======
> Return-Path:
> Received: from netmail01.eng.net (netmail01.eng.net [213.130.128.38])
>     by cheviot2.ncl.ac.uk (8.10.1/8.10.1) with ESMTP id h719J9B27765;
>     Fri, 1 Aug 2003 10:19:09 +0100
> Received: from send-mail.co.uk (netmail01.eng.net [127.0.0.1])
>     by netmail01.eng.net (8.11.3/8.11.3) with SMTP id h719DEx03690;
>     Fri, 1 Aug 2003 10:13:14 +0100
> From: mbanakaka@send-mail.co.uk
> Received: from 192.116.107.67
>     (SquirrelMail authenticated user mbanakakasendmail)
>     by mail.send-mail.co.uk with HTTP;
>     Fri, 1 Aug 2003 10:14:08 +0100 (BST)
> Message-ID: <1308.192.116.107.67.1059729248.squirrel@mail.send-mail.co.uk>
> Date: Fri, 1 Aug 2003 10:14:08 +0100 (BST)
> Subject: BUSINESS PROPOSAL
> To:
> X-Mailer: SquirrelMail (version 1.1.1)
> MIME-Version: 1.0
> Content-Type: text/plain
> Content-Transfer-Encoding: 8bit
>
> FROM: BARRISTER KAKA MBANA ESQ.
>     KAKA MBANA & CO
>     ATTORNEYS/LEGAL PRACTITIONER
>     NIGERIA.
>
>
> REPLY TO:kakambana@tiscali.co.uk
> DEAR FRIEND,
>
> COMPLIMENTS OF THE SEASON. GRACE AND PEACE AND LOVE
> FROM THIS PART OF THE ATLANTIC TO YOU. I HOPE MY
> LETTER DOES NOT CAUSE YOU TOO MUCH EMBARRASSMENT AS I
> WRITE TO YOU IN GOOD FAITH BASED ON THE CONTACT
> ADDRESS GIVEN TO ME BY A FRIEND WHO WORKS AT THE
> NIGERIAN EMBASSY IN YOUR COUNTRY. PLEASE EXCUSE MY
> INTRUSION INTO YOUR PRIVATE LIFE.
>
>
> I AM BARRISTER KAKA MBANA ESQ. I REPRESENT MOHAMMED
> ABACHA, SON OF THE LATE GEN.SANI ABACHA, WHO WAS THE
> FORMER MILITARY HEAD OF STATE IN NIGERIA. HE DIED IN
> 1998. SINCE HIS DEATH, THE FAMILY HAS BEEN LOSING A
> LOT OF MONEY DUE TO VINDICTIVE GOVERNMENT OFFICIALS
> WHO ARE BENT ON DEALING WITH THE FAMILY. BASED ON THIS THEREFORE, THE
> FAMILY HAS ASKED ME TO SEEK FOR A FOREIGN PARTNER WHO CAN WORK WITH US
> AS TO MOVE OUT THE TOTAL SUM OF US$75,000,000.00 ( SEVENTY FIVE
> MILLION UNITED STATES DOLLARS ), PRESENTLY IN THEIR
> POSSESSION. THIS MONEY WAS OF COURSE, ACQUIRED BY THE
> LATE PRESIDENT AND IS NOW KEPT SECRETLY BY THE FAMILY.
> THE SWISS GOVERNMENT HAS ALREADY FROZEN ALL THE
> ACCOUNTS OF THE FAMILY IN SWITZERLAND, AND SOME OTHER
> COUNTRIES WOULD SOON FOLLOW TO DO THE SAME. THIS BID
> BY SOME GOVERNMENT OFFICIALS TO DEAL WITH THIS FAMILY
> HAS MADE IT NECESSARY THAT WE SEEK YOUR ASSISITANCE IN
> RECEIVING THIS MONEY AND IN INVESTING IT ON BEHALF
> OFTHE FAMILY.
> >THIS MUST BE A JOINT VENTURE TRANSACTION AND WE MUST >ALL WORK TOGETHER. SINCE THIS MONEY IS STILL CASH, >EXTRA SECURITY MEASURES HAVE BEEN TAKEN TO PROTECT IT >FROM THEFT OR SEIZURE, PENDING WHEN AGREEMENT IS >REACHED ON WHEN AND HOW TO MOVE IT INTO ANY OF YOUR >NOMINATED BANK ACCOUNTS. I HAVE PERSONALLY WORKED OUT >ALL MODALITIES FOR THE PEACEFUL CONCLUSION OF THIS TRANSACTION. THE >TRANSACTION DEFINITELY WOULD BE HANDLED IN PHASES AND THE FIRST PHASE >WILL INVOLVE THE MOVING OF US$25,000,000.00( TWENTY FIVE MILLION >UNITEDSTATES DOLLARS ). > > >MY CLIENTS ARE WILLING TO GIVE YOU A REASONABLE >PERCENTAGE OF THIS MONEY AS SOON AS THE TRANSACTIONIS CONCLUDED. I >WILL, HOWEVER, BASED ON THE GROUNDS THAT YOU ARE WILLING TO WORK WITH >US AND ALSO ALL CONTENTIOUS ISSUES DISCUSSED BEFORE THE COMMENCEMENT >OF THIS TRANSACTION. YOU MAY ALSO DISCUSS YOUR >PERCENTAGE BEFORE WE START TO WORK. AS SOON AS I HEAR >FROM YOU, I WILL GIVE YOU ALL NECESSARY DETAILS AS TO >HOW WE INTEND TO CARRY OUT THE WHOLE TRANSACTION. >PLEASE, DO NOT ENTERTAIN ANY FEARS,AS ALL NECESSARY >MODALITIES ARE IN PLACE, AND I ASSURE YOU OF ALL >SUCCESS AND SAFETY IN THIS TRANSACTION. > >PLEASE, THIS TRANSACTION REQUIRES ABSOLUTE >CONFIDENTIALITY AND YOU WOULD BE EXPECTED TO TREAT IT >AS SUCH UNTIL THE FUNDS ARE MOVED OUT OF THIS COUNTRY. > >PLEASE, YOU WILL ALSO IGNORE THIS LETTER AND RESPECT >OUR TRUST IN YOU BY NOT EXPOSING THIS TRANSACTION, >EVEN IF YOU ARE NOT INTERESTED.LOOK FORWARD TO WORKING >WITH YOU. THANK YOU. > >TRULY YOURS, > >BARRISTER KAKA MBANA ESQ. > > > > > >--======24934==61103======-- From ka at PACIFIC.NET Fri Aug 1 14:58:59 2003 
From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:19:08 2006 Subject: spam.whitelist.rules In-Reply-To: <54CD329C-C3E8-11D7-8C50-003065F939FE@ucsc.edu> References: <54CD329C-C3E8-11D7-8C50-003065F939FE@ucsc.edu> Message-ID: <3F2A7223.2020600@pacific.net> MailScanner looks at the first To address and evaluates the message based on that. That's not good for per-user whitelists in MailScanner. I went through this same process of "how do I really use per user whitelists?", and ended up using sendmail to split all messages with more than 1 recip into x messages with 1 recipient, so MailScanner only sees 1 recip per message. NOTE: This raises the load on your server substantially, since x recipients means x messages now, but it works, and that's what I needed. :-) CustomConfig.pm can give you whitelisting per user, and sendmail can split messages into 1 recip per message to make the whitelists work as they should. To make sendmail 8.12.x split the messages, you do this: 1) Start the incoming sendmail with a different config file. Changes to /etc/rc.d/init.d/MailScanner (from rpm install on redhat) make this change to the incoming sendmail command line: ------ snip ------- $SENDMAIL -bd -OPrivacyOptions=noetrn \ -ODeliveryMode=queueonly \ -OQueueDirectory=$INQDIR \ -OPidFile=$INPID \ -C/etc/mail/sendmail_in.cf -------- snip -------- 2) Make changes to the new sendmail config: cp /etc/mail/sendmail.cf /etc/mail/sendmail_in.cf In sendmail_in.cf, add the following: The comment header "QUEUE GROUP DEFINITIONS" should be there already. Just add the single line under it. ------- snip -------- ############################ # QUEUE GROUP DEFINITIONS # ############################ Qmqueue, P=/var/spool/mqueue.in, F=f, r=1, R=8, I=2m ------- snip -------- AND, just above the "Ruleset 3" comment header, add the following: (not sure if both lines are required or not...) 
--------- snip -------- # LOCAL_RULESETS Squeuegroup R$* @ $* $# mqueue R$* $# mqueue ############################################ ### Ruleset 3 -- Name Canonicalization ### ############################################ --------- snip ---------- Restart sendmail, and things like this start showing up in the log when messages with multiple recipients come in: Jul 17 08:14:31 host sendmail[7183]: h6HFDop8007183: split: maxrcpts=1, rcpts=3, count=2, ids=h6HFDop9007183; h6HFDopA007183 Ken A Pacific.Net John Rudd wrote: > What does mailscanner do if a message has multiple recipients, and > their per-user settings don't agree with each other? > > > On Thursday, Jul 31, 2003, at 22:10 US/Pacific, Ken Anderson wrote: > >> >> See CustomConfig.pm for an example of how per-domain or per-user >> whitelists can be implemented. >> Ken A. >> >> >> Alan Fiebig wrote: >> >>> I'm sorry for my ignorance, but if this is an answer to my question, >>> I sure don't understand it: >>> >>> >>>> Hash: SHA1 >>>> >>>> On Thursday 31 July 2003 10:11 am, Kris Zabriskie wrote: >>>> To: | 
From: | FromTo: *@domain-name.com | user@domainname.com >>>> Don't forget >>>> FromorTo: >>>> - -- >>>> Lewis Bergman >>>> Texas Communications >>> >>> >>> >>> >>> My question: >>> >>> >>> >>>> As I understand the spam whitelist rules, I can whitelist a given >>>> sender, or a given recipient. >>>> >>>> Is there a means to whitelist a given sender/recipient pair? >>>> >>>> I have a number of customers who request to receive emailings from a >>>> given company. But not everyone wants the 'mail' being sent by this >>>> company. >>>> >>>> If I whitelist the sender, then all my customers are open to their >>>> 'junk mail' messages. >>>> If I whitelist the customer who wants this company's mail, then they >>>> get all spam and no filtering. >>>> >>>> What I need is the ability to create a rule that says mail from THIS >>>> sender to THIS recipient is whitelisted. >>>> >>>> Can this be done now? >>>> Could it be done? >>>> >>>> Thanks, >>>> -Alan >>> >>> >>> >>> > > From jrudd at UCSC.EDU Fri Aug 1 14:57:38 2003 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:19:08 2006 Subject: Feature Requests Message-ID: <1C63CB6C-C428-11D7-8C50-003065F939FE@ucsc.edu> 1) new action type: Ham Actions or Not Spam Actions Similar to "Spam Actions" and "High Spam Actions", what to do if the message isn't spam. It may seem like you'd always want to "deliver", but maybe not. For one, you might want to strip-html even for ham. For two, some of the new actions I'm going to propose might fit. 2) perhaps also a "Low Ham Actions" or "Low Not Spam Actions" and "Low Ham Score"/"Low Not Spam Score" If the message's spam assassin score is lower than "Low Ham Score", then use these actions instead of the Ham Actions. 3) "Actions Log File" and action "log" If you specify an action of log, then 5 things will be put into the log file (or log facility? perhaps something like (FILE|SYSLOG):(PATH|FACILITY) ) you specify: a) 
From: sender b) "Mail From" sender and $_ (the qf relay) c) Recipient list d) Subject e) the DNSBLs and Spam Assassin score (like the SpamCheck header, without the individual spam assassin scores, though just putting the SpamCheck header would probably work) 4) new actions: bayes-ham, bayes-spam, auto-whitelist, auto-blacklist bayes-* will submit the message to sa-learn as either of those types auto-* will submit the message to sa-learn so that its addresses will be added to the auto-whitelist with either a -100 score (auto-whitelisting) or +100 score (auto-blacklisting) These actions would use the same files that had been used in the spam check. So, I might have (I might be misremembering score vs threshold, and delete vs discard): Low Ham Score = 0 High Spam Score = 10 Action Log = SYSLOG:local1 Low Ham Actions = bayes-ham auto-whitelist deliver Ham Actions = deliver Spam Actions = strip-html deliver High Spam Actions = bayes-spam auto-blacklist log delete (this counters the conventional wisdom of "don't auto-delete" because you will have a record of who sent you that message, and the subject ... so you can manually whitelist them and ask them to resend if you see something that looks like it might have been a false-positive) (that's similar to what my procmail rules do now, except that I do more of a permanent quarantine of spam messages than delete) Then I might process the action log nightly/weekly/monthly to see if there's a common sender or relay that is sending me the most spam, and create an entry in my sendmail access db if they exceed a certain threshold. From slwatts at WINCKWORTHS.CO.UK Fri Aug 1 15:18:03 2003
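The following is an added example, not code from any post in this thread, illustrating Ken Anderson's spam.whitelist.rules message above: it shows why a per-(sender, recipient) whitelist gives the wrong answer when the scanner judges a multi-recipient message on its first To address only, what changes once the MTA has split the envelope into one message per recipient, and how to parse the sendmail "split:" log line Ken quotes to confirm the queue group is doing its job. The rule syntax (From:, To:, FromTo:, FromOrTo:, first match wins) is a simplified, hypothetical one for the example; it is not MailScanner's own rules-file format, and the addresses are constructed.

```python
"""Added example, not MailScanner's code: why a per-recipient whitelist
needs one recipient per message, and a parser for the sendmail 'split:'
log line that proves the queue-group split is happening.

The rules syntax here is a simplified, hypothetical one (From:, To:,
FromTo:, FromOrTo:, first match wins); MailScanner's own rules files are
not parsed.
"""
import re
from fnmatch import fnmatch

# Constructed rules file: bob wants the newsletter, nobody else does.
RULES_TEXT = """\
# direction  pattern(s)                                  value
FromTo:      *@newsletter.example.com  bob@example.net   yes
From:        *@trusted.example.org                       yes
FromOrTo:    default                                     no
"""


def parse_rules(text):
    """Return [(direction, [patterns], bool)] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        direction, rest = line.split(":", 1)
        parts = rest.split()
        rules.append((direction, parts[:-1], parts[-1].lower() == "yes"))
    return rules


def match_addr(pattern, addr):
    return pattern == "default" or fnmatch(addr.lower(), pattern.lower())


def whitelisted(rules, sender, recipient):
    """Evaluate one (sender, recipient) pair; first matching rule wins."""
    for direction, pats, value in rules:
        if direction == "From" and match_addr(pats[0], sender):
            return value
        if direction == "To" and match_addr(pats[0], recipient):
            return value
        if direction == "FromTo" and match_addr(pats[0], sender) \
                and match_addr(pats[1], recipient):
            return value
        if direction == "FromOrTo" and (match_addr(pats[0], sender)
                                        or match_addr(pats[0], recipient)):
            return value
    return False


def decide_first_recipient_only(rules, sender, recipients):
    """One verdict, taken from the first recipient, applied to everyone:
    the behaviour Ken describes for a multi-recipient message."""
    verdict = whitelisted(rules, sender, recipients[0])
    return {rcpt: verdict for rcpt in recipients}


def decide_per_recipient(rules, sender, recipients):
    """What you get once the MTA has split the envelope (queue group with
    r=1): each recipient is judged on its own."""
    return {rcpt: whitelisted(rules, sender, rcpt) for rcpt in recipients}


SPLIT_RE = re.compile(r"(?P<qid>\w+): split: maxrcpts=(?P<max>\d+), "
                      r"rcpts=(?P<rcpts>\d+), count=(?P<count>\d+), "
                      r"ids=(?P<ids>.+)$")


def parse_split_log(line):
    """(original queue id, recipient count, [new queue ids]) from a sendmail
    'split:' log line; None for any other line."""
    m = SPLIT_RE.search(line)
    if not m:
        return None
    return (m.group("qid"), int(m.group("rcpts")),
            [i.strip() for i in m.group("ids").split(";")])
```

With the newsletter sent to bob and alice in that order, the first-recipient verdict whitelists both of them; with alice first, bob loses the whitelist he asked for. After the split each recipient gets the verdict the rules file actually says. On the log line Ken quotes, count=2 is the number of new queue ids created, so with the original that is three envelopes for three recipients, which is exactly the extra load he warns about.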
From: slwatts at WINCKWORTHS.CO.UK (Samuel Luxford-Watts) Date: Thu Jan 12 21:19:08 2006 Subject: Which is better for use with MS? Sendmail, postfix, exim....... Message-ID: Hi All, Just a quick question and I hope it doesn't cause too much traffic to the list but I was wondering which MTA is best for use with MS and SpamAssassin? I would also like to config and log using mysql if possible. I have setup a trial system using Postfix (but not using the sql logging or configs yet) and this has run fine with few problems in the setup stages so before I go ahead and use it I just wondered if the others may be better? Cheers, Sam From Jan-Peter.Koopmann at SECEIDOS.DE Fri Aug 1 16:22:08 2003 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:19:08 2006 Subject: Feature Requests Message-ID: > 1) new action type: Ham Actions or Not Spam Actions > > Similar to "Spam Actions" and "High Spam Actions", what > to do if the message isn't spam. It may seem like you'd > always want to "deliver", but maybe not. For one, you might > want to strip-html even for ham. You can do this already with the "Convert HTML To Text" option. > 2) perhaps also a "Low Ham Actions" or "Low Not Spam Actions" > and "Low Ham Score"/"Low Not Spam Score" > > If the message's spam assassin score is lower than "Low > Ham Score", then use these actions instead of the Ham Actions. What good would that do? Just curious. > 3) "Actions Log File" and action "log" > > If you specify an action of log, then 5 things will > be put into the log file (or log facility? perhaps something like > (FILE|SYSLOG):(PATH|FACILITY) ) you specify: > > a) 
From: sender > b) "Mail From" sender and $_ (the qf relay) > c) Recipient list > d) Subject > e) the DNSBLs and Spam Assassin score (like the > SpamCheck header, without the individual spam assassin > scores, though just putting the SpamCheck header would probably work) Have you had a look at Mailwatch for MailScanner? It will put this kind of information in a MySQL database. > auto-* will submit the message to sa-learn so that its > addresses will be added to the auto-whitelist with either a -100 score > (auto-whitelisting) or +100 score (auto-blacklisting) Why not use the auto-thresholds in SpamAssassin itself? > Then I might process the action log nightly/weekly/monthly to > see if there's a common sender or relay that is sending me > the most spam, and create an entry in my sendmail access db > if they exceed a certain threshold. This would be the first time in months that spam is coming through a common sender or relay. Common sender is close to impossible. Only some viruses (big@boss.com) are dumb enough to do this. And common relay would almost automatically mean that this relay is an open relay and it will probably be put into the RBL lists. So why bother? Regards, JP From pages at ntin.net Fri Aug 1 16:18:26 2003 From: pages at ntin.net (NTIN Page Guy) Date: Thu Jan 12 21:19:08 2006 Subject: MailScanner and BlackList Message-ID: <1168981328.20030801101826@ntin.net> Hello MailScanner, We have an outside Spam and Virus filtering service from Postini.com as well as server side. With this outside filter all email messages come from postini servers. The headers do contain the original 'received' lines, which do include the original sender's IP address. Does the BlackList feature in MailScanner look at all the 'received' lines and the IPs in them? Best regards, Robert B, NTIN mailto:pages@ntin.net From ka at PACIFIC.NET Fri Aug 1 16:47:08 2003
From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:19:08 2006 Subject: MailScanner and BlackList In-Reply-To: <1168981328.20030801101826@ntin.net> References: <1168981328.20030801101826@ntin.net> Message-ID: <3F2A8B7C.6070306@pacific.net> Everything will be tested on postini's ips. AFAIK, you can't depend on IP based checks in MS or SA when using a 3rd party relay, though I could be wrong. That's not to say that MS/SA isn't still a good idea. We get about 80% of our mail relayed through Postini, though only a small percentage of our users actually use Postini; MS/SA do a great job filtering even without the IP based rules & rbl stuff. Ken A NTIN Page Guy wrote: > Hello MailScanner, > > We have an outside Spam and Virus filtering > service from Postini.com as well as server side. With this > outside filter all email messages come from postini servers. > > The headers do contain the original 'received' lines which does > include the orignal senders IP address. > > Does the BlackList feature in MailScanner look at all the 'received' > lines and their the IP's? > > > Best regards, > Robert B, NTIN mailto:pages@ntin.net > > From pages at ntin.net Fri Aug 1 16:56:04 2003 
From: pages at ntin.net (NTIN Page Guy) Date: Thu Jan 12 21:19:08 2006 Subject: MailScanner and BlackList In-Reply-To: <3F2A8B7C.6070306@pacific.net> References: <1168981328.20030801101826@ntin.net> <3F2A8B7C.6070306@pacific.net> Message-ID: <1911237187.20030801105604@ntin.net> Hello Ken, RAV had an option to check all the received lines: if an IP address in any of the received lines appeared in a DNS blacklist, the message was rejected. This is a feature I loved. Then any message that got thru Postini from a known spammer source would be killed by RAV. I wonder why other programs such as Communigate's own built-in RBL routines or MailScanner's do not check the IP in every 'received' line? Friday, August 01, 2003, you wrote: KA> Everything will be tested on postini's ips. AFAIK, you can't depend on KA> IP based checks in MS or SA when using a 3rd party relay, though I could KA> be wrong. That's not to say that MS/SA isn't still a good idea. We get KA> about 80% of our mail relayed through Postini, though only a small KA> percentage of our users actually use Postini; MS/SA do a great job KA> filtering even without the IP based rules & rbl stuff. KA> Ken A KA> NTIN Page Guy wrote: >> Hello MailScanner, >> >> We have an outside Spam and Virus filtering >> service from Postini.com as well as server side. With this >> outside filter all email messages come from postini servers. >> >> The headers do contain the original 'received' lines which does >> include the orignal senders IP address. >> >> Does the BlackList feature in MailScanner look at all the 'received' >> lines and their the IP's? >> >> >> Best regards, >> Robert B, NTIN mailto:pages@ntin.net >> >> Best regards, Robert B, NTIN mailto:pages@ntin.net From jase at SENSIS.COM Fri Aug 1 17:08:55 2003
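An added example, not MailScanner's, SpamAssassin's or RAV's code, of the "check every Received line" behaviour Robert describes above and why Ken's objection (everything is tested on the filtering service's IPs) can be worked around: walk all the Received: headers, discard the relays you trust and the non-routable hops, and look the rest up in a DNSBL. The headers, the trusted network (192.0.2.0/24 standing in for the filtering service) and the DNSBL answers are all constructed for the example so that it runs offline; a live check would resolve the same query name with the system resolver.

```python
"""Added example, not MailScanner's or SpamAssassin's code: walk every
Received: header of a message that arrived via an outside filtering
service, discard the relays you trust and the non-routable hops, and test
what is left against a DNSBL.

The DNSBL is simulated by a constructed answer table so the example runs
offline; a live check would resolve the same name with the system resolver.
"""
import ipaddress
import re

# Constructed headers (not real traffic): our MX got the message from the
# filtering service, which got it from the true origin; the origin added a
# hop of its own that it could just as easily have forged.
SAMPLE_HEADERS = """\
Received: from filter.example.net (filter.example.net [192.0.2.10])
\tby mx.example.org (8.12.9/8.12.9) with ESMTP id h71ABC12345;
\tFri, 1 Aug 2003 10:19:09 +0100
Received: from dialup.example.com (dialup.example.com [198.51.100.77])
\tby filter.example.net (8.11.3/8.11.3) with SMTP id h719DEx03690;
\tFri, 1 Aug 2003 10:13:14 +0100
Received: from localhost (localhost [127.0.0.1])
\tby dialup.example.com with SMTP; Fri, 1 Aug 2003 10:10:00 +0100
Subject: example
"""

# Relays whose Received lines we believe (the filtering service's range is
# an assumed value here) and hops that can never be looked up usefully.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed DNSBL: the names a listed address would resolve to.
DNSBL_ZONE = "dnsbl.example"
DNSBL_ANSWERS = {"77.100.51.198.dnsbl.example": "127.0.0.2"}

RECEIVED_RE = re.compile(r"^Received:(.*?)(?=^\S|\Z)", re.M | re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(headers):
    """Bracketed [a.b.c.d] literals from each Received: header, newest first."""
    ips = []
    for m in RECEIVED_RE.finditer(headers):
        hit = IP_RE.search(m.group(1))
        if hit:
            ips.append(hit.group(1))
    return ips


def dnsbl_name(ip, zone=DNSBL_ZONE):
    """Standard DNSBL query name: reversed octets under the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def lookup(name):
    # Stand-in for a DNS A lookup of `name`; None means not listed.
    return DNSBL_ANSWERS.get(name)


def untrusted_ips(headers):
    """Received hops that are neither our trusted relays nor private space."""
    out = []
    for ip in received_ips(headers):
        addr = ipaddress.ip_address(ip)
        if any(addr in n for n in TRUSTED_NETS + NON_ROUTABLE):
            continue
        out.append(ip)
    return out


def check_all_received(headers):
    """(ip, dnsbl answer) for the first listed hop, else None."""
    for ip in untrusted_ips(headers):
        answer = lookup(dnsbl_name(ip))
        if answer:
            return ip, answer
    return None
```

Two caveats a practitioner should keep in mind. Only the hops added by relays you trust are verified; everything below that boundary was written by the sender and can be forged, which is harmless for a reject-if-listed policy (a forged hop can only make spam look worse) but must never be used to whitelist. And rejecting on any listed hop, as RAV did, is exactly the behaviour that turns dial-up and dynamic-address lists into false positives for legitimate mail a user submitted from home through a perfectly good relay, so choose per-list whether a hit deep in the chain rejects or merely scores.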
From: jase at SENSIS.COM (Desai, Jason) Date: Thu Jan 12 21:19:08 2006 Subject: FW: Striphtml VS attachment and related issues Message-ID: I prefer to have spam put in an attachment, even if it is not HTML. Many non-HTML spams can still contain offensive text. Jason > > Julian > > QUESTION: If you have "deliver attachment" set for spam, what > determines > when the message body of a tagged message is placed in an > attachment and > when it is not? [snip] From ka at PACIFIC.NET Fri Aug 1 17:34:03 2003 From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:19:08 2006 Subject: FW: Striphtml VS attachment and related issues In-Reply-To: References: Message-ID: <3F2A967B.7010707@pacific.net> It's always placed in an attachment. Browsers may display attachments inline though, so it's not terribly effective. With the new panic about the DirectX MIDI vulnerability, maybe we need to add: deny \.mid$ Possible directx/directshow attack But that will break those awful greeting cards... It would be nice if there was a "zip" option to the Spam Action. Then you could do "deliver zip" for some spam? Ken Desai, Jason wrote: > I prefer to have spam put in an attachment, even if it is not HTML. Many > non-HTML spams can still contain offensive text. > > Jason > > >>Julian >> >>QUESTION: If you have "deliver attachment" set for spam, what >>determines >>when the message body of a tagged message is placed in an >>attachment and >>when it is not? > > > [snip] > > From jrudd at UCSC.EDU Fri Aug 1 18:03:52 2003
From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:19:08 2006 Subject: Feature Requests In-Reply-To: Message-ID: <20BC1F0E-C442-11D7-8C50-003065F939FE@ucsc.edu> On Friday, Aug 1, 2003, at 08:22 US/Pacific, Jan-Peter Koopmann wrote: >> 1) new action type: Ham Actions or Not Spam Actions >> >> [snip] > > You can do this already with the "Convert HTML To Text" option. You can do that one exact action with that option. You can't do all of the "Actions" options. >> 2) perhaps also a "Low Ham Actions" or "Low Not Spam Actions" >> and "Low Ham Score"/"Low Not Spam Score" >> [snip] > What good would that do? Just curious. What good is the High Spam category? It gives you more ranges of options, as the example I gave indicates. >> 3) "Actions Log File" and action "log" >> >> [snip] > > Have you had a look at Mailwatch for MailScanner? It will put this kind > of information in a MySQL database. I don't want nor use SQL for this. I want (and via procmail's logs, already use) log files. >> auto-* will submit the message to sa-learn so that its >> addresses will be added to the auto-whitelist with either a -100 score >> (auto-whitelisting) or +100 score (auto-blacklisting) > > Why not use the auto-thresholds in SpamAssassin itself? They don't set the scores to -100 and/or +100. They average in the score of the current message. Forcing the sender of a message to a +100 doesn't just ratchet up their score by a little bit, it sets it high enough that they'll probably never come back down unless I take direct action. It's almost, but not exactly, like having an automatic way to set and manage the non-automatic whitelist/blacklist facilities in Spam Assassin (it's not exactly the same, but it's close enough that it works). >> Then I might process the action log nightly/weekly/monthly to >> see if there's a common sender or relay that is sending me >> the most spam, and create an entry in my sendmail access db >> if they exceed a certain threshold. 
> > This would be the first time in months that spam is coming through a > common sender or relay. Common sender is close to impossible. Only some > viruses (big@boss.com) are dumb enough to do this. And common relay > would most automatically mean that this relay is an open relay and it > will probably be put into the RBL lists. So why bother? Why bother? Because, IME, you're completely wrong. Most of the spam I get does tend to come from common senders. Monthly would probably be too long, I'll give you that, but daily and weekly patterns do tend to hold up fairly well. For example, lately I've been getting a ton of spam from buy.com, coming straight from buy.com. Adding them to my access db cut out a good chunk of spam traffic for my site. Also, I don't tend to use DNSBLs. They're slow, I have yet to find one whose accuracy wasn't more of a liability than a feature, and I prefer to keep those sorts of controls local instead of remote. From DHarding at GILATLA.COM Fri Aug 1 19:56:41 2003 From: DHarding at GILATLA.COM (Devon Harding - GTHLA) Date: Thu Jan 12 21:19:08 2006 Subject: OpenSource VirusScan Message-ID: <97D0DDFA3C2F5B44AAC0960B99E9621302637D@VMX.gilatla.com> Is any of the MailScanner supported anti-virus packages opensource or free? If so, which one? _____________________ Devon Harding System Administrator Gilat Latin America 954-858-1600 dharding@gilatla.com This e-mail is intended for the above named addressee(s), and may contain information which is confidential or privileged. If you are not the intended recipient, please inform us immediately: you should not copy or use this e-mail for any purpose nor disclose its contents to any person. From denis at CROOMBS.ORG Fri Aug 1 19:59:09 2003 
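An added example, not MailScanner's or John Rudd's code, of the last step in John's Feature Requests proposal above: reduce a log of high-scoring spam to the senders and relays that keep recurring and turn those into sendmail access_db entries once they pass a threshold. The log format is hypothetical (one tab-separated line per message carrying sender, relay IP, recipients, subject and score, which is the field set John lists), the sample lines are constructed, and the 10.0.0.0/8 "never block" range is an assumed value. The From: and Connect: tags are standard sendmail access_db syntax; the file still has to be rebuilt with makemap before sendmail sees the change.

```python
"""Added example, not MailScanner's or John Rudd's code: reduce a log of
high-scoring spam to sendmail access-db entries for senders and relays
that exceed a threshold.

The log format is hypothetical: one tab-separated line per logged message
with timestamp, sender, relay IP, recipients, subject and score.
"""
import ipaddress
from collections import Counter

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
2003-08-01T10:01:02\tdeals@bulk.example.com\t198.51.100.5\tbob@example.net\tBUSINESS PROPOSAL\t21.4
2003-08-01T10:05:10\tdeals@bulk.example.com\t198.51.100.5\talice@example.net\tBUSINESS PROPOSAL\t19.9
2003-08-01T10:09:44\tnews@shop.example.org\t203.0.113.9\tbob@example.net\tweekly offers\t11.2
2003-08-01T11:12:00\tdeals@bulk.example.com\t198.51.100.6\tcarol@example.net\tRe: your account\t18.0
2003-08-01T12:30:00\tfriend@home.example.net\t10.0.0.8\tbob@example.net\tlunch?\t12.5
"""

# Assumed: our own relays live here and must never be blocked by this job.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_log(text):
    """Yield one dict per log line; skips blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, relay, rcpts, subject, score = line.split("\t")
        yield {"ts": ts, "sender": sender.lower(), "relay": relay,
               "rcpts": rcpts.split(","), "subject": subject,
               "score": float(score)}


def tally(entries, min_score=15.0):
    """Count how often each sender and each relay appears above min_score."""
    senders, relays = Counter(), Counter()
    for e in entries:
        if e["score"] < min_score:
            continue
        senders[e["sender"]] += 1
        relays[e["relay"]] += 1
    return senders, relays


def access_db_entries(senders, relays, threshold=2):
    """sendmail access_db lines (From: and Connect: tags) for anything seen
    at least `threshold` times; relays in LOCAL_NETS are never emitted."""
    lines = []
    for sender, n in senders.most_common():
        if n >= threshold:
            lines.append(f"From:{sender}\tREJECT")
    for relay, n in relays.most_common():
        addr = ipaddress.ip_address(relay)
        if n >= threshold and not any(addr in net for net in LOCAL_NETS):
            lines.append(f"Connect:{relay}\tREJECT")
    return lines


def build(text, min_score=15.0, threshold=2):
    senders, relays = tally(parse_log(text), min_score)
    return access_db_entries(senders, relays, threshold)
```

Jan-Peter's objection in this thread is worth building in: envelope senders are forged far more often than connecting IPs, so the Connect: entries are the ones worth trusting, and the relay column should hold the address that actually connected to you (MailScanner's clientip), not an address copied from a deeper Received header.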
From: denis at CROOMBS.ORG (Denis Croombs) Date: Thu Jan 12 21:19:08 2006 Subject: Spamassassin not working except when called manually. Perl problem ? References: <009201c357a8$50b669c0$9c01a8c0@home.middlefinger.net> Message-ID: <00ed01c3585e$fdb53ff0$85b8fea9@Laptop> Thanks for that, that showed that only 1 version was installed from rpm, I think the other one was an attempt at upgrading perl from CPAN! I have renamed the second perl in /usr/local/lib/perl5 & uninstalled spamassassin, but even that does not allow me to fully uninstall SpamAssassin, as uninstalling the rpm does not delete it from perl? Are there any perl experts out there who can give me a clue to solving this problem? Denis Croombs > I'd do: > > rpm -qa |grep perl > > And then remove the perl version you don't want. Be careful though...you > may break something if it is pointed to /usr/bin/perl and that perl gets > uninstalled. > > Mike From denis at CROOMBS.ORG Fri Aug 1 20:00:33 2003 From: denis at CROOMBS.ORG (Denis Croombs) Date: Thu Jan 12 21:19:08 2006 Subject: OpenSource VirusScan References: <97D0DDFA3C2F5B44AAC0960B99E9621302637D@VMX.gilatla.com> Message-ID: <00f501c3585f$2f5123d0$85b8fea9@Laptop> Use ClamAV: it is free & open source & good, but the updates on viruses can take a few days. Denis Croombs . ----- Original Message ----- 
From: "Devon Harding - GTHLA" To: Sent: Friday, August 01, 2003 7:56 PM Subject: OpenSource VirusScan > Is any of the MailScanner supported anti-virus packages opensource or > free? If so, which one? > > _____________________ > Devon Harding > System Administrator > Gilat Latin America > 954-858-1600 > dharding@gilatla.com > > This e-mail is intended for the above named addressee(s), and may > contain information which is confidential or privileged. If you are not > the intended recipient, please inform us immediately: you should not > copy or use this e-mail for any purpose nor disclose its contents to any > person. From rabollinger at COMCAST.NET Fri Aug 1 20:02:20 2003 From: rabollinger at COMCAST.NET (Richard Bollinger) Date: Thu Jan 12 21:19:08 2006 Subject: Wrong options for McAfee uvscan? Message-ID: <01ba01c3585f$75374640$8b030180@elliottturbo.com> In SweepViruses.pm, the code snippet which specifies the options used to invoke uvscan is as follows: mcafee => { Name => 'McAfee', Lock => 'McAfeeBusy.lock', CommonOptions => '--recursive --ignore-links --analyze --mime ' . '--secure --noboot', DisinfectOptions => '--clean', ScanOptions => '', InitParser => \&InitMcAfeeParser, ProcessOutput => \&ProcessMcAfeeOutput, SupportScanning => $S_SUPPORTED, SupportDisinfect => $S_SUPPORTED, }, Apparently, when you include the "--mime" option, uvscan misses certain viruses embedded in zip files... specifically, what McAfee calls the "Exploit-CodeBase trojan". I have a sample zip file I can send off list if you need proof. I'm considering dropping --mime... we shouldn't need it because we already break down attachments into individual files before running the scanner, right? Also, per the manual page, --secure includes --analyse, so --analyze can be dropped as well... yielding the following trial patch: --- SweepViruses.pm.FCS Wed May 14 15:46:21 2003 +++ SweepViruses.pm Fri Aug 1 14:59:18 2003
@@ -96,7 +96,7 @@ mcafee => { Name => 'McAfee', Lock => 'McAfeeBusy.lock', - CommonOptions => '--recursive --ignore-links --analyze --mime ' . + CommonOptions => '--recursive --ignore-links ' . '--secure --noboot', DisinfectOptions => '--clean', ScanOptions => '', Any reason why this shouldn't be OK? Rich B From ctrudeau at BELLSOUTH.NET Fri Aug 1 20:29:33 2003 From: ctrudeau at BELLSOUTH.NET (Chris-Bellsouth) Date: Thu Jan 12 21:19:08 2006 Subject: OpenSource VirusScan References: <97D0DDFA3C2F5B44AAC0960B99E9621302637D@VMX.gilatla.com> Message-ID: <001a01c35863$3e68ad80$5702010a@mscore.trusecure.net> Check out clamav http://clamav.com CT ----- Original Message ----- From: "Devon Harding - GTHLA" To: Sent: Friday, August 01, 2003 2:56 PM Subject: OpenSource VirusScan Is any of the MailScanner supported anti-virus packages opensource or free? If so, which one? _____________________ Devon Harding System Administrator Gilat Latin America 954-858-1600 dharding@gilatla.com This e-mail is intended for the above named addressee(s), and may contain information which is confidential or privileged. If you are not the intended recipient, please inform us immediately: you should not copy or use this e-mail for any purpose nor disclose its contents to any person. From TGFurnish at HERFF-JONES.COM Fri Aug 1 20:32:23 2003 
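Review bot: the CommonOptions hunk in the SweepViruses.pm patch above removes --mime and --analyze for every McAfee invocation, scan and --clean alike, with nothing in the file recording why, so the next person who compares the option string against the uvscan manual will put --mime straight back. Add a comment above CommonOptions stating that --mime caused uvscan to miss Exploit-CodeBase inside zip attachments (this thread, with a sample zip available) and that --secure already implies --analyze, so neither is a regression. Two things to verify before committing: that the sample zip is detected under the trial options both on a plain scan and with DisinfectOptions appended, since the same CommonOptions feed both; and the premise stated as a question in the post ("we already break down attachments into individual files before running the scanner, right?"), because if uvscan is ever handed still-encoded MIME, dropping --mime moves the blind spot rather than removing it. Either way this is a scanner defect that belongs in a report to McAfee as well as a local workaround.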
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:19:08 2006 Subject: SQL Redux Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C074F@inex1.herffjones.hj-int> Ok, so um, for those of us who aren't keeping several patchset branches in our heads but who now want to start sql logging, what are the options? Could someone do a quick round-up? I need to provide a web interface that provides plenty of detail about each message by middle of next week and I'm wondering whether I should do my own thing with a flat file log (since I have little time) or configure in support for one of the existing sql logging mechanisms. "Mailwatch for Mailscanner" seems to be at version 0.2 but I recall mentions of patches for bugs post 0.2. Is there a later version available? There's the sql logging code already in CustomConfig.pm, but is there a web interface built yet for the tables it creates? And I'm assuming I'll need the latest version of mailscanner to get the fixes listed in this thread. "David While's Mailstats" looks nice (though I'm not doing virus scanning and don't particularly care about geo-locating stuff), but I need a per-message interface, and mailstats seems to be more for performance reporting than for log analysis. The mailscanner-mrtg package again is for performance reporting, not log analysis. ...So... What's my best bet for a web interface to logged data that includes such things as subject, recipients, spam tests, etc in the short term? -t. >-----Original Message----- >From: Kearney, Rob [mailto:RKearney@AZERTY.COM] >Sent: Thursday, July 31, 2003 10:47 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: SQL Redux > > >oh.. and yes.. > >thanks for the code tippets.. I'll have to change this. as I'm >not good with >perl either. > >-rob > >-----Original Message----- 
>From: Steve Freegard [mailto:steve.freegard@lbsltd.co.uk] >Sent: Thursday, July 31, 2003 11:19 AM >To: 'Kearney, Rob '; 'MAILSCANNER@JISCMAIL.AC.UK ' >Subject: RE: SQL Redux > > >Hi Rob, > >I'm not really much good with Perl (maybe Julian can back me >up on this) - >but my understanding is that in calling your SQLRTLogging >procedure without >the Init & End procedures will mean that the >connection/disconnection/prepare and execution of the SQL will >happen for >every message batch processed by MailScanner which would slow things up >quite considerably depending on the volume of messages you process. > >The most expensive processes are connecting and preparing the >statement, so >it's better only to do this once (per child), then running the prepared >statements once per message batch. > >A better way is to have: > >InitSQLRTLogging: (this is done once per MailScanner child) > - Connect to the database > - Prepare each SQL statement required > >SQLRTLogging: (done once for each message batch) > - Tidy-up the data to make it suitable for SQL > - Execute the prepared statements > >EndSQLRTLogging: (done once as each child dies) > - Disconnect from the database > >Cheers, >Steve. > >-----Original Message----- 
>From: Kearney, Rob
>To: MAILSCANNER@JISCMAIL.AC.UK
>Sent: 31/07/03 15:56
>Subject: Re: SQL Redux
>
>here is what we did for SQL logging, to bypass temp-file stuff.
>
>Just took the SQLLogging and made SQLRTLogging, to write directly to DB,
>We have not noticed any degradation in performance
>Basically, we took the functions of SQLLogging and EndSQLLogging and put
>them together.
>(dont forget Init and End scripts also
>
>---
>use DBI;
>
>sub SQLRTLogging {
>  my($message) = @_;
>
>  # Connect for this call (Steve's point above: doing this per message
>  # rather than once per child is the expensive part).
>  my $dbh = DBI->connect(
>    "DBI:mysql:mailscanner:localhost:mysql_socket=/var/database/mysql/mysql.sock",
>    "mailscanner", "mailscanner", {'PrintError' => 0})
>    or MailScanner::Log::DieLog("Cannot connect to the database: %s",
>                                $DBI::errstr);
>
>  my $id   = $message->{id};
>  my $size = $message->{size};
>  my $from = $message->{from};
>  my ($from_user, $from_domain);
>
>  # split the from address into user and domain bits.
>  # This may be unnecessary for you; we use it to more easily determine
>  # inbound vs outbound email in a multi-domain environment.
>  # HINT: refine queries using SQL 'join' with a table containing local
>  # domains.
>  ($from_user, $from_domain) = split /\@/, $from;
>
>  my @to         = @{$message->{to}};
>  my $subject    = $message->{subject};
>  my $clientip   = $message->{clientip};
>  my $archives   = join(',', @{$message->{archiveplaces}});
>  my $isspam     = $message->{isspam};
>  my $ishighspam = $message->{ishigh};
>  my $sascore    = $message->{sascore};
>  my $spamreport = $message->{spamreport};
>
>  # Get rid of control chars and tidy-up SpamAssassin report
>  $spamreport =~ s/\n/ /g;
>  $spamreport =~ s/\t//g;
>
>  # Get timestamp, and format it so it is suitable to use with MySQL
>  my($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime();
>  my($timestamp) = sprintf("%d-%02d-%02d %02d:%02d:%02d",
>                           $year+1900,$mon+1,$mday,$hour,$min,$sec);
>
>  # maillog_mail insert. The values go through DBI placeholders, which
>  # quote them for us; escaping quotes by hand as well would store stray
>  # backslashes in the table.
>  my @fields = ($timestamp, $id, $size, $from_user, $from_domain,
>                $subject, $clientip, $archives, $isspam, $ishighspam,
>                $sascore, $spamreport);
>
>  my $sth = $dbh->prepare("INSERT INTO maillog_mail (time, msg_id, size, " .
>             "from_user, from_domain, subject, clientip, archives, isspam, " .
>             "ishighspam, sascore, spamreport) " .
>             "VALUES (?,?,?,?,?,?,?,?,?,?,?,?)");
>  $sth->execute(@fields)
>    or MailScanner::Log::DieLog("Cannot insert row: %s", $DBI::errstr);
>
>  my($file, $text);
>  while(($file, $text) = each %{$message->{allreports}}) {
>    $file = "the entire message" if $file eq "";
>    # Use the sanitised filename to avoid problems caused by people forcing
>    # logging of attachment filenames which contain nasty SQL instructions.
>    # ('||' rather than 'or': 'or' binds looser than '=', which would leave
>    # $file undefined whenever there is no sanitised name.)
>    $file = $message->{file2safefile}{$file} || $file;
>    $text =~ s/\n/ /g;   # Make sure text report only contains 1 line
>    $text =~ s/\t/ /g;   # and no tab characters
>
>    my $rsth = $dbh->prepare("INSERT INTO maillog_report (msg_id, filename, " .
>                             "filereport) VALUES (?,?,?)");
>    $rsth->execute($id, $file, $text)
>      or MailScanner::Log::DieLog("Cannot insert row: %s", $DBI::errstr);
>  }
>
>  for (@to) {
>    # again, split the recipient's email into user and domain halves first.
>    # see comment above about splitting the email like this.
>    my ($to_user, $to_domain) = split /\@/, $_;
>    my $tsth = $dbh->prepare("INSERT INTO maillog_recipient (msg_id, " .
>                             "to_user, to_domain) VALUES (?,?,?)");
>    $tsth->execute($id, $to_user, $to_domain)
>      or MailScanner::Log::DieLog("Cannot insert row: %s", $DBI::errstr);
>  }
>
>  # Close database connection
>  $dbh->disconnect();
>}
>
>1;
>
>
>
>-rob
>
>--
>This email and any files transmitted with it are confidential and
>intended solely for the use of the individual or entity to whom they
>are addressed. If you have received this email in error please notify
>the sender and delete the message from your mailbox.
>
>This footnote also confirms that this email message has been swept by
>MailScanner (www.mailscanner.info) for the presence of
>computer viruses.
>
From jase at SENSIS.COM Fri Aug 1 20:34:24 2003
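An added example, not MailScanner's, Rob Kearney's or Steve Freegard's code, of the Init / per-batch / End structure Steve recommends in the SQL Redux thread above: connect once when the worker starts, run only parameterised inserts for each message batch, disconnect once at the end. It is written against an in-memory SQLite database so it runs stand-alone; the table and column names follow the posted Perl (maillog_mail, maillog_report, maillog_recipient), and the two message records are constructed to mimic the fields the Perl reads from $message. The second record carries an attachment name built to look like an SQL injection, to show that placeholders store it literally with no hand escaping.

```python
"""Added example, not MailScanner's or the posters' code: Init / per-batch
/ End SQL logging against SQLite, with parameterised inserts only.

Table and column names follow the Perl posted in the thread; the message
dicts are constructed to mimic the fields it reads from $message.
"""
import sqlite3
import time

SCHEMA = """
CREATE TABLE maillog_mail (time TEXT, msg_id TEXT, size INTEGER,
  from_user TEXT, from_domain TEXT, subject TEXT, clientip TEXT,
  archives TEXT, isspam INTEGER, ishighspam INTEGER, sascore REAL,
  spamreport TEXT);
CREATE TABLE maillog_report (msg_id TEXT, filename TEXT, filereport TEXT);
CREATE TABLE maillog_recipient (msg_id TEXT, to_user TEXT, to_domain TEXT);
"""
INSERT_MAIL = "INSERT INTO maillog_mail VALUES (?,?,?,?,?,?,?,?,?,?,?,?)"
INSERT_REPORT = "INSERT INTO maillog_report VALUES (?,?,?)"
INSERT_RCPT = "INSERT INTO maillog_recipient VALUES (?,?,?)"
TABLES = ("maillog_mail", "maillog_report", "maillog_recipient")


def split_addr(addr):
    """user@domain -> (user, domain); a bare local part gets an empty domain."""
    user, _, domain = addr.partition("@")
    return user, domain


def one_line(text):
    """Collapse every newline and tab in free text (not just the first)."""
    return " ".join(text.replace("\t", " ").split("\n"))


class SQLLogger:
    # Init: connect once per worker (one MailScanner child), create schema.
    def __init__(self, dsn=":memory:"):
        self.conn = sqlite3.connect(dsn)
        self.conn.executescript(SCHEMA)

    # Per batch: build the rows, then one transaction of parameterised
    # executes. No quoting of values by hand anywhere.
    def log_batch(self, messages):
        rows_mail, rows_report, rows_rcpt = [], [], []
        for m in messages:
            fu, fd = split_addr(m["from"])
            ts = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(m["received"]))
            rows_mail.append((ts, m["id"], m["size"], fu, fd, m["subject"],
                              m["clientip"], ",".join(m["archiveplaces"]),
                              int(m["isspam"]), int(m["ishigh"]),
                              m["sascore"], one_line(m["spamreport"])))
            for fname, report in m["allreports"].items():
                rows_report.append((m["id"], fname or "the entire message",
                                    one_line(report)))
            for rcpt in m["to"]:
                tu, td = split_addr(rcpt)
                rows_rcpt.append((m["id"], tu, td))
        with self.conn:
            self.conn.executemany(INSERT_MAIL, rows_mail)
            self.conn.executemany(INSERT_REPORT, rows_report)
            self.conn.executemany(INSERT_RCPT, rows_rcpt)
        return len(rows_mail)

    def count(self, table):
        if table not in TABLES:  # table names cannot be parameterised
            raise ValueError(table)
        return self.conn.execute("SELECT COUNT(*) FROM " + table).fetchone()[0]

    def reports_for(self, msg_id):
        return self.conn.execute(
            "SELECT filename, filereport FROM maillog_report WHERE msg_id=?",
            (msg_id,)).fetchall()

    # End: disconnect once as the worker exits.
    def close(self):
        self.conn.close()


# Constructed batch; the second record's attachment name is hostile on purpose.
SAMPLE_BATCH = [
    {"id": "h71ABC12345", "size": 1234, "from": "alice@example.org",
     "to": ["bob@example.net", "carol@example.net"], "subject": "hello",
     "clientip": "192.0.2.10", "archiveplaces": [], "isspam": False,
     "ishigh": False, "sascore": 0.3, "spamreport": "not spam\n score=0.3",
     "received": 1059729248, "allreports": {}},
    {"id": "h71DEF67890", "size": 9876, "from": "deals@bulk.example.com",
     "to": ["bob@example.net"], "subject": "BUSINESS PROPOSAL",
     "clientip": "198.51.100.77",
     "archiveplaces": ["/var/spool/MailScanner/quarantine"],
     "isspam": True, "ishigh": True, "sascore": 21.4,
     "spamreport": "spam, SpamAssassin (score=21.4,\n required 6)",
     "received": 1059729300,
     "allreports": {"x'); DROP TABLE maillog_report; --.zip": "Found virus",
                    "": "Message is spam"}},
]
```

The Perl in the thread prepares and executes one statement at a time; executemany inside a single transaction is the SQLite equivalent of Steve's "prepare once, execute per batch", and the hostile filename round-trips unchanged because the driver, not the caller, is responsible for quoting.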
From: jase at SENSIS.COM (Desai, Jason) Date: Thu Jan 12 21:19:08 2006 Subject: Wrong options for McAfee uvscan? Message-ID: Hi Richard. I don't know if this is ok, but I just received an email with an attachment zip file too, and had the same problem. And I too narrowed it down to the "--mime" option. I'm not sure if it's needed or not, but I can confirm the problem, and I too have a sample .zip file if someone wants it. I would guess that this is a mcafee problem though, right? I'm running: $ uvscan --version Virus Scan for Linux v4.16.0 Copyright (c) 1992-2001 Networks Associates Technology Inc. All rights reserved. (408) 988-3832 LICENSED COPY - Nov 13 2001 Scan engine v4.1.60 for Linux. Virus data file v4281 created Jul 30 2003 Scanning for 77468 viruses, trojans and variants. Jason > -----Original Message----- 
> From: Richard Bollinger [mailto:rabollinger@COMCAST.NET]
> Sent: Friday, August 01, 2003 3:02 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: [MAILSCANNER] Wrong options for McAfee uvscan?
>
>
> In SweepViruses.pm, the code snippet which specifies the
> options used to invoke uvscan is as
> follows:
>
>   mcafee => {
>     Name             => 'McAfee',
>     Lock             => 'McAfeeBusy.lock',
>     CommonOptions    => '--recursive --ignore-links --analyze --mime ' .
>                         '--secure --noboot',
>     DisinfectOptions => '--clean',
>     ScanOptions      => '',
>     InitParser       => \&InitMcAfeeParser,
>     ProcessOutput    => \&ProcessMcAfeeOutput,
>     SupportScanning  => $S_SUPPORTED,
>     SupportDisinfect => $S_SUPPORTED,
>   },
>
> Apparently, when you include the "--mime" option, uvscan
> misses certain viruses embedded in zip
> files... specifically, what McAfee calls the
> "Exploit-CodeBase trojan".  I have a sample zip
> file I can send off list if you need proof.
>
> I'm considering dropping --mime... we shouldn't need it
> because we already break down attachments
> into individual files before running the scanner, right?
>
> Also, per the manual page, --secure includes --analyse, so
> --analyze can be dropped as well...
> yielding the following trial patch:
>
> --- SweepViruses.pm.FCS Wed May 14 15:46:21 2003
> +++ SweepViruses.pm Fri Aug 1 14:59:18 2003
> @@ -96,7 +96,7 @@
> mcafee => {
> Name => 'McAfee',
> Lock => 'McAfeeBusy.lock',
> - CommonOptions => '--recursive --ignore-links --analyze --mime ' .
> + CommonOptions => '--recursive --ignore-links ' .
> '--secure --noboot',
> DisinfectOptions => '--clean',
> ScanOptions => '',
>
> Any reason why this shouldn't be OK?
>
> Rich B
>

From jase at SENSIS.COM Fri Aug 1 20:48:01 2003
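Review bot: the -/+ pair in the @@ -96,7 hunk drops two flags for two different reasons (--analyze because --secure already implies it per the manual page, --mime because attachments are said to be unpacked before uvscan runs), and neither reason survives in the code; add a comment above CommonOptions recording why both are absent, otherwise a later reader will see --analyze and --mime missing from the McAfee entry and put them back. The --mime removal also rests only on the assumption stated in the prose that every file handed to uvscan has already been MIME-decoded, so it should be confirmed against the sample zip, scanned with and without the flag, before the patch is adopted rather than taken from the manual page alone.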
From: jase at SENSIS.COM (Desai, Jason)
Date: Thu Jan 12 21:19:08 2006
Subject: Wrong options for McAfee uvscan?
Message-ID: 

(Replying to my own post ...)  It also seems to get by McAfee version
4.24.0, which I think is the latest available.

$ uvscan --version
Virus Scan for Linux v4.24.0
Copyright (c) 1992-2003 Networks Associates Technology Inc. All rights
reserved.
(408) 988-3832 LICENSED COPY - Jan 27 2003

Scan engine v4.2.40 for Linux.
Virus data file v4281 created Jul 30 2003
Scanning for 77468 viruses, trojans and variants.

Jason

> Hi Richard.  I don't know if this is ok, but I just received an email with
> an attachment zip file too, and had the same problem.  And I too narrowed it
> down to the "--mime" option.  I'm not sure if it's needed or not, but I can
> confirm the problem, and I too have a sample .zip file if someone wants it.
>
> I would guess that this is a McAfee problem though, right?
>
> I'm running:
>
> $ uvscan --version
> Virus Scan for Linux v4.16.0
> Copyright (c) 1992-2001 Networks Associates Technology Inc. All rights
> reserved.
> (408) 988-3832 LICENSED COPY - Nov 13 2001
>
> Scan engine v4.1.60 for Linux.
> Virus data file v4281 created Jul 30 2003
> Scanning for 77468 viruses, trojans and variants.
>
> Jason
>
> > -----Original Message-----
> > From: Richard Bollinger [mailto:rabollinger@COMCAST.NET]
> > Sent: Friday, August 01, 2003 3:02 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: [MAILSCANNER] Wrong options for McAfee uvscan?
> >
> >
> > In SweepViruses.pm, the code snippet which specifies the
> > options used to invoke uvscan is as
> > follows:
> >
> >   mcafee => {
> >     Name             => 'McAfee',
> >     Lock             => 'McAfeeBusy.lock',
> >     CommonOptions    => '--recursive --ignore-links --analyze --mime ' .
> >                         '--secure --noboot',
> >     DisinfectOptions => '--clean',
> >     ScanOptions      => '',
> >     InitParser       => \&InitMcAfeeParser,
> >     ProcessOutput    => \&ProcessMcAfeeOutput,
> >     SupportScanning  => $S_SUPPORTED,
> >     SupportDisinfect => $S_SUPPORTED,
> >   },
> >
> > Apparently, when you include the "--mime" option, uvscan
> > misses certain viruses embedded in zip
> > files... specifically, what McAfee calls the
> > "Exploit-CodeBase trojan".  I have a sample zip
> > file I can send off list if you need proof.
> >
> > I'm considering dropping --mime... we shouldn't need it
> > because we already break down attachments
> > into individual files before running the scanner, right?
> >
> > Also, per the manual page, --secure includes --analyse, so
> > --analyze can be dropped as well...
> > yielding the following trial patch:
> >
> > --- SweepViruses.pm.FCS Wed May 14 15:46:21 2003
> > +++ SweepViruses.pm Fri Aug 1 14:59:18 2003
> > @@ -96,7 +96,7 @@
> > mcafee => {
> > Name => 'McAfee',
> > Lock => 'McAfeeBusy.lock',
> > - CommonOptions => '--recursive --ignore-links --analyze --mime ' .
> > + CommonOptions => '--recursive --ignore-links ' .
> > '--secure --noboot',
> > DisinfectOptions => '--clean',
> > ScanOptions => '',
> >
> > Any reason why this shouldn't be OK?
> >
> > Rich B
> >

From raymond at PROLOCATION.NET Fri Aug 1 20:50:27 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:08 2006
Subject: Wrong options for McAfee uvscan?
In-Reply-To: 
Message-ID: 

Hi!

> (Replying to my own post ...)  It also seems to get by McAfee version
> 4.24.0, which I think is the latest available.
>
> $ uvscan --version
> Virus Scan for Linux v4.24.0
> Copyright (c) 1992-2003 Networks Associates Technology Inc. All rights
> reserved.
> (408) 988-3832 LICENSED COPY - Jan 27 2003

Oh well, f-prot doesn't detect it at all (yet).

Bye,
Raymond.

From TGFurnish at HERFF-JONES.COM Fri Aug 1 20:54:14 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:08 2006
Subject: spam.whitelist.rules
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C0750@inex1.herffjones.hj-int>

Ken, I saved the earlier thread about this and am just getting ready to
attempt it here, but I'm also looking to add detailed log processing and a
web interface for the logs.  Are you by any chance using sql logging and
Mailwatch with this set-up?  I was wondering whether the modified queue-ids
cause any problem for mailwatch...

--
Trever

>-----Original Message-----
>From: Ken Anderson [mailto:ka@PACIFIC.NET]
>Sent: Friday, August 01, 2003 8:59 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: spam.whitelist.rules
>
>
>MailScanner looks at the first To address and evaluates the message
>based on that.  That's not good for per-user whitelists in MailScanner.
>
>I went through this same process of "how do I really use per user
>whitelists?", and ended up using sendmail to split all messages with
>more than 1 recip into x messages with 1 recipient, so MailScanner only
>sees 1 recip per message.  NOTE: This raises the load on your server
>substantially, since x recipients means x messages now, but it works,
>and that's what I needed. :-)
>
>CustomConfig.pm can give you whitelisting per user, and sendmail can
>split messages into 1 recip per message to make the whitelists work as
>they should.
>
>To make sendmail 8.12.x split the messages, you do this:
>
>1) Start the incoming sendmail with a different config file.
>Changes to /etc/rc.d/init.d/MailScanner (from rpm install on redhat)
>make this change to the incoming sendmail command line:
>
>------ snip -------
>
>    $SENDMAIL -bd -OPrivacyOptions=noetrn \
>              -ODeliveryMode=queueonly \
>              -OQueueDirectory=$INQDIR \
>              -OPidFile=$INPID \
>              -C/etc/mail/sendmail_in.cf
>
>-------- snip --------
>
>2) Make changes to the new sendmail config:
>cp /etc/mail/sendmail.cf /etc/mail/sendmail_in.cf
>
>In sendmail_in.cf, add the following:
>The comment header "QUEUE GROUP DEFINITIONS" should be there already.
>Just add the single line under it.
>
>------- snip --------
>############################
># QUEUE GROUP DEFINITIONS #
>############################
>
>Qmqueue, P=/var/spool/mqueue.in, F=f, r=1, R=8, I=2m
>
>------- snip --------
>
>
>AND, just above the "Ruleset 3" comment header, add the following:
>(not sure if both lines are required or not...)
>
>--------- snip --------
>
># LOCAL_RULESETS
>Squeuegroup
>R$* @ $*	$# mqueue
>R$*		$# mqueue
>
>############################################
>###   Ruleset 3 -- Name Canonicalization ###
>############################################
>
>
>--------- snip ----------
>
>
>Restart sendmail, and things like this start showing up in the log when
>messages with multiple recipients come in:
>
>Jul 17 08:14:31 host sendmail[7183]: h6HFDop8007183: split: maxrcpts=1,
>rcpts=3, count=2, ids=h6HFDop9007183; h6HFDopA007183
>
>
>Ken A
>Pacific.Net
>
>
>
>
>John Rudd wrote:
>
>> What does mailscanner do if a message has multiple recipients, and
>> their per-user settings don't agree with each other?
>>
>>
>> On Thursday, Jul 31, 2003, at 22:10 US/Pacific, Ken Anderson wrote:
>>
>>>
>>> See CustomConfig.pm for an example of how per-domain or per-user
>>> whitelists can be implemented.
>>> Ken A.
>>>
>>>
>>> Alan Fiebig wrote:
>>>
>>>> I'm sorry for my ignorance, but if this is an answer to my question,
>>>> I sure don't understand it:
>>>>
>>>>
>>>>> Hash: SHA1
>>>>>
>>>>> On Thursday 31 July 2003 10:11 am, Kris Zabriskie wrote:
>>>>> To: |
From: | FromTo: *@domain-name.com | user@domainname.com
>>>>> Don't forget
>>>>> FromorTo:
>>>>> - --
>>>>> Lewis Bergman
>>>>> Texas Communications
>>>>
>>>>
>>>>
>>>>
>>>> My question:
>>>>
>>>>
>>>>
>>>>> As I understand the spam whitelist rules, I can whitelist a given
>>>>> sender, or a given recipient.
>>>>>
>>>>> Is there a means to whitelist a given sender/recipient pair?
>>>>>
>>>>> I have a number of customers who request to receive emailings from a
>>>>> given company.  But not everyone wants the 'mail' being sent by this
>>>>> company.
>>>>>
>>>>> If I whitelist the sender, then all my customers are open to their
>>>>> 'junk mail' messages.
>>>>> If I whitelist the customer who wants this company's mail, then they
>>>>> get all spam and no filtering.
>>>>>
>>>>> What I need is the ability to create a rule that says mail from THIS
>>>>> sender to THIS recipient is whitelisted.
>>>>>
>>>>> Can this be done now?
>>>>> Could it be done?
>>>>>
>>>>> Thanks,
>>>>> -Alan
>>>>
>>>>
>>>>
>>>>
>>
>>
>

From eja at urbakken.dk Fri Aug 1 21:19:54 2003
From: eja at urbakken.dk (Erik Jakobsen)
Date: Thu Jan 12 21:19:08 2006
Subject: MailScanner problem.
Message-ID: <20030801221954.06cf1fb6.eja@urbakken.dk>

Hi.

I'm very new to this list, and need help for the MailScanner that I installed
today on my SuSE Linux 8.2 system.

SuSE 8.2 uses the postfix MTA, and I have set this in the
/etc/MailScanner/MailScanner.conf file.

But I get this if running rcMailScanner start:

192:/var/log # rcMailScanner start
Initializing sendmail and MailScannersendmail: invalid option -- O
sendmail: fatal: usage: sendmail [options]
                                                                failed

Of course it's fatal since I don't use sendmail.

What can I have forgotten?

--
Med venlig hilsen - Best regards.
Erik Jakobsen - eja@urbakken.dk.
Licensed radio amateur with the callsign OZ4KK.
SuSE Linux 8.2 Prof.
Registered as user #319488 with the Linux Counter, http://counter.li.org.

From raymond at PROLOCATION.NET Fri Aug 1 21:34:11 2003
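Ken Anderson's queue-group recipe, quoted in Trever's message above, says that once the change is in place the sendmail log starts showing "split:" lines for every multi-recipient message. The per-user whitelists only work if that splitting really happens for every message, so it is worth checking the log rather than trusting the config. What follows is an added example, not code from the thread, from MailScanner or from sendmail: a Python check that parses those lines and confirms each multi-recipient message was cloned into single-recipient envelopes. The first sample log line is the one Ken quoted; the others are constructed, and the last is deliberately inconsistent so the check has something to flag. The expected clone count, ceil(rcpts / maxrcpts) - 1, is my reading of the queue group's r= limit and is an assumption, not something the thread states; with maxrcpts=1 it reduces to rcpts - 1, which is what Ken's line (rcpts=3, count=2) shows.

```python
"""Verify sendmail 'split:' log lines produced by queue-group recipient splitting.

Added example, not code from the MailScanner list or from sendmail itself.
It parses the log line format quoted in Ken Anderson's message (fields
maxrcpts, rcpts, count, ids) and checks that every multi-recipient message
really was broken into single-recipient envelopes before MailScanner saw it.
"""
import re
from dataclasses import dataclass, field

# Matches "... sendmail[PID]: QUEUEID: split: maxrcpts=N, rcpts=N, count=N, ids=ID; ID"
SPLIT_RE = re.compile(
    r"sendmail\[\d+\]: (?P<orig>\w+): split: "
    r"maxrcpts=(?P<maxrcpts>\d+), rcpts=(?P<rcpts>\d+), "
    r"count=(?P<count>\d+), ids=(?P<ids>.*)$"
)

# Sample syslog excerpt.  Line 1 is the one Ken quoted; the rest are constructed.
# The last line is intentionally inconsistent (4 recipients but only 2 clones).
SAMPLE_LOG = """\
Jul 17 08:14:31 host sendmail[7183]: h6HFDop8007183: split: maxrcpts=1, rcpts=3, count=2, ids=h6HFDop9007183; h6HFDopA007183
Jul 17 08:15:02 host sendmail[7190]: h6HFEcp8007190: from=<a@example.org>, size=1024, class=0, nrcpts=1
Jul 17 08:16:10 host sendmail[7201]: h6HFGAp8007201: split: maxrcpts=1, rcpts=2, count=1, ids=h6HFGAp9007201
Jul 17 08:17:44 host sendmail[7210]: h6HFHip8007210: split: maxrcpts=1, rcpts=4, count=2, ids=h6HFHip9007210; h6HFHipA007210
"""


@dataclass
class Split:
    original: str        # queue id of the envelope that was split
    maxrcpts: int        # r= limit of the queue group
    rcpts: int           # recipients on the original envelope
    count: int           # number of clones sendmail says it made
    clones: list = field(default_factory=list)  # queue ids of the clones


def parse_split(line):
    """Return a Split for a 'split:' log line, or None for any other line."""
    m = SPLIT_RE.search(line)
    if not m:
        return None
    ids = [i.strip() for i in m.group("ids").split(";") if i.strip()]
    return Split(m.group("orig"), int(m.group("maxrcpts")),
                 int(m.group("rcpts")), int(m.group("count")), ids)


def expected_clones(rcpts, maxrcpts):
    """Assumption: at most maxrcpts recipients per envelope means a message with
    rcpts recipients needs ceil(rcpts / maxrcpts) envelopes; one is the original,
    so ceil(rcpts / maxrcpts) - 1 clones.  With maxrcpts=1 that is rcpts - 1."""
    return -(-rcpts // maxrcpts) - 1


def check_split(s, want_maxrcpts=1):
    """Return a list of problems with one split record (empty means consistent)."""
    problems = []
    if s.maxrcpts != want_maxrcpts:
        problems.append(f"{s.original}: maxrcpts={s.maxrcpts}, expected {want_maxrcpts}")
    want = expected_clones(s.rcpts, s.maxrcpts)
    if s.count != want:
        problems.append(f"{s.original}: rcpts={s.rcpts} should give {want} clones, "
                        f"log says count={s.count}")
    if len(s.clones) != s.count:
        problems.append(f"{s.original}: count={s.count} but {len(s.clones)} clone ids listed")
    return problems


def audit(log_text, want_maxrcpts=1):
    """Scan a syslog excerpt; summarise the splits seen and anything inconsistent."""
    summary = {"splits": 0, "clones": 0, "problems": []}
    for line in log_text.splitlines():
        s = parse_split(line)
        if s is None:
            continue
        summary["splits"] += 1
        summary["clones"] += len(s.clones)
        summary["problems"].extend(check_split(s, want_maxrcpts))
    return summary


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    print(f"{result['splits']} messages split into {result['clones']} clones")
    for p in result["problems"]:
        print("PROBLEM:", p)
```

Run against a real /var/log/maillog the same way (read the file into audit()); a message that arrives with several recipients and produces no "split:" line at all is the case to look for next, since that is the one MailScanner would then evaluate on its first recipient only, exactly the situation Ken's recipe is meant to remove.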
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:08 2006
Subject: MailScanner problem.
In-Reply-To: <20030801221954.06cf1fb6.eja@urbakken.dk>
Message-ID: 

Hi!

> I'm very new to this list, and need help for the MailScanner that I installed
> today on my SuSE Linux 8.2 system.
>
> SuSE 8.2 uses the postfix MTA, and I have set this in the
> /etc/MailScanner/MailScanner.conf file.
>
> But I get this if running rcMailScanner start:
>
> 192:/var/log # rcMailScanner start
> Initializing sendmail and MailScannersendmail: invalid option -- O
> sendmail: fatal: usage: sendmail [options]

What's inside your MailScanner.conf?

Bye,
Raymond.

From rabollinger at COMCAST.NET Fri Aug 1 22:02:51 2003
From: rabollinger at COMCAST.NET (Richard Bollinger)
Date: Thu Jan 12 21:19:08 2006
Subject: Wrong options for McAfee uvscan?
References: 
Message-ID: <027b01c35870$4786bda0$8b030180@elliottturbo.com>

Looks like McAfee has provided an "extra.dat" file which allows the virus to
be detected as W32/Mimail@MM (ED).

Options presented to uvscan don't seem to affect it one way or the other.

I still wonder if we need that --mime option.  Does anyone have a case where
a virus isn't detected by MS without it?

Thanks, Rich B

From MailScanner at NEATOTORPEDO.COM Fri Aug 1 21:58:04 2003
From: MailScanner at NEATOTORPEDO.COM (Dave Schwinn)
Date: Thu Jan 12 21:19:08 2006
Subject: MailScanner problem.
Message-ID: 

On Fri, 1 Aug 2003 22:19:54 +0200, Erik Jakobsen wrote:

>Hi.
>
>I'm very new to this list, and need help for the MailScanner that I installed
>today on my SuSE Linux 8.2 system.
>
>SuSE 8.2 uses the postfix MTA, and I have set this in the
>/etc/MailScanner/MailScanner.conf file.
>
>But I get this if running rcMailScanner start:
>
>192:/var/log # rcMailScanner start
>Initializing sendmail and MailScannersendmail: invalid option -- O
>sendmail: fatal: usage: sendmail [options]
>
>                                                                failed
>
>Of course it's fatal since I don't use sendmail.
>
>What can I have forgotten?
>
>--
>Med venlig hilsen - Best regards.
>Erik Jakobsen - eja@urbakken.dk.
>Licensed radio amateur with the callsign OZ4KK.
>SuSE Linux 8.2 Prof.
>Registered as user #319488 with the Linux Counter, http://counter.li.org.

I am installing MailScanner for the first time on a RedHat 9.0 system using
postfix instead of sendmail.  Here is the page from the MailScanner web site
describing the problem as it pertains to RedHat.  I assume this translates to
your system as well.

http://www.sng.ecs.soton.ac.uk/mailscanner/install/postfix.shtml

see bottom of page

From jase at SENSIS.COM Fri Aug 1 22:14:53 2003
From: jase at SENSIS.COM (Desai, Jason)
Date: Thu Jan 12 21:19:08 2006
Subject: Wrong options for McAfee uvscan?
Message-ID: 

For now, I have put the following in my filename.rules.conf.  (One line
separated with tabs)

deny	message.zip	Possible Mimail worm	Possible Mimail worm

Is the filename match case insensitive?

Jason

> Looks like McAfee has provided an "extra.dat" file which
> allows the virus to be detected as
> W32/Mimail@MM (ED).
>
> Options presented to uvscan don't seem to affect it one way
> or the other.
>
> I still wonder if we need that --mime option.  Does anyone
> have a case where a virus isn't detected
> by MS without it?
>
> Thanks, Rich B
>

From rzewnickie at RFA.ORG Fri Aug 1 22:51:49 2003
From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki)
Date: Thu Jan 12 21:19:08 2006
Subject: testing MS with copies from postfix
Message-ID: <20030801215149.GH14954@rfa.org>

I have configured a test box with MS and postfix.  How can I get our
existing mailserver to copy all received messages to the test box?

The existing mailserver runs postfix as MTA with amavisd doing virus
scanning.  Is there a way to tell postfix to send a copy of each message
received for foo@domain.org to foo@testserver.domain.org before amavis
gets it and before aliases are expanded without affecting normal delivery
on the existing server?

When testing amavis a year ago I set up a simple procmail recipe on our
existing non-virus-scanning server that did a simple copy of every message
delivered to any user@domain.org to a single testaccount@testserver.domain.org.
This time I don't want to do that, because I want the MS box to get a copy
of each original mail, virus(es) and all, without having aliases expanded.

I've looked at the transport map, but that seems to be only for redirecting
mail, not copying it.

Thanks in advance for any suggestion,
Eric Rzewnicki

From rscarano at targetsis.com.br Fri Aug 1 23:01:02 2003
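Jason's stop-gap rule above is a one-line filename.rules.conf entry, and his question is whether the filename match is case-insensitive. The following is an added example, not MailScanner's own rule engine and not code from the thread: a small Python evaluator that follows the layout of the line he posted (one rule per line, tab-separated fields in the order action, regex, log text, user report, first matching rule wins) and takes case-insensitivity as a parameter, so the effect of either behaviour can be seen on the same rules. The rule set is constructed; its first line is Jason's, the other two are assumptions added to make the ordering visible.

```python
"""Evaluate attachment filenames against filename.rules.conf-style rules.

Added example, not MailScanner's own rule engine.  It follows the layout of
the line Jason posted: one rule per line, tab-separated fields in the order
action, regex, log text, user report, applied top to bottom with the first
matching rule deciding.  Whether the regex is matched case-insensitively is
the question asked in the thread; here it is a parameter so both behaviours
can be compared.  The rule set below is constructed.
"""
import re
from collections import namedtuple

Rule = namedtuple("Rule", "action pattern logtext report lineno")

# Constructed rule file.  Fields are separated by real tab characters; the
# first rule is the one from Jason's message, the other two are assumptions.
SAMPLE_RULES = (
    "# action\tregex\tlog text\tuser report\n"
    "deny\tmessage.zip\tPossible Mimail worm\tPossible Mimail worm\n"
    "deny\t\\.(exe|pif|scr)$\tExecutable attachment\tExecutables are not accepted\n"
    "allow\t.*\tDefault allow\t-\n"
)


def parse_rules(text):
    """Parse rule lines; blank lines and '#' comments are ignored."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t", 3)
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 tab-separated fields, got {len(fields)}")
        action, pattern, logtext, report = (f.strip() for f in fields)
        if action not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: action must be allow or deny, not {action!r}")
        re.compile(pattern)  # fail early on a bad regex rather than at scan time
        rules.append(Rule(action, pattern, logtext, report, lineno))
    return rules


def evaluate(filename, rules, ignore_case=True):
    """Return (action, logtext, lineno) of the first rule whose regex matches.
    Nothing matching means the filename is allowed (a catch-all rule usually exists)."""
    flags = re.IGNORECASE if ignore_case else 0
    for rule in rules:
        if re.search(rule.pattern, filename, flags):
            return rule.action, rule.logtext, rule.lineno
    return "allow", "no rule matched", None


def denied(filename, rules, ignore_case=True):
    return evaluate(filename, rules, ignore_case)[0] == "deny"


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for name in ("message.zip", "MESSAGE.ZIP", "my_message.zip",
                 "messageXzip", "report.txt", "setup.EXE"):
        ci = evaluate(name, rules)[0]
        cs = evaluate(name, rules, ignore_case=False)[0]
        print(f"{name:16s} case-insensitive={ci:5s} case-sensitive={cs}")
```

Two things the run makes visible: with case-insensitive matching "MESSAGE.ZIP" is denied by Jason's rule, with case-sensitive matching it falls through to the catch-all; and because the second field is a regex, the unescaped "." in "message.zip" also matches "my_message.zip" and "messageXzip". For a deny rule that over-match is harmless, but if a rule needs to be exact, anchor it and escape the dot, as in ^message\.zip$.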
From: rscarano at targetsis.com.br (Rodrigo Scarano)
Date: Thu Jan 12 21:19:08 2006
Subject: RES: Wrong options for McAfee uvscan?
In-Reply-To: 
Message-ID: <000f01c35878$66fa37e0$6900000a@targetsis.com.br>

Jason,

I'm thinking of putting this line in my filename.rules.conf too.
Do you have to restart MailScanner after this change?

Regards,

Rodrigo Scarano
Target Sistemas
http://www.targetsis.com.br/
rscarano@targetsis.com.br

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Desai, Jason
Sent: Friday, 1 August 2003 18:15
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Wrong options for McAfee uvscan?

For now, I have put the following in my filename.rules.conf.  (One line
separated with tabs)

deny	message.zip	Possible Mimail worm	Possible Mimail worm

Is the filename match case insensitive?

Jason

> Looks like McAfee has provided an "extra.dat" file which
> allows the virus to be detected as
> W32/Mimail@MM (ED).
>
> Options presented to uvscan don't seem to affect it one way
> or the other.
>
> I still wonder if we need that --mime option.  Does anyone
> have a case where a virus isn't detected
> by MS without it?
>
> Thanks, Rich B
>

From rscarano at targetsis.com.br Fri Aug 1 23:06:27 2003
From: rscarano at targetsis.com.br (Rodrigo Scarano)
Date: Thu Jan 12 21:19:08 2006
Subject: Wrong options for McAfee uvscan?
Message-ID: <001001c35879$280047e0$6900000a@targetsis.com.br>

NAI has already put this dat file on the ftp.  Does anybody know if it
solves the problem discussed on the list?

Rodrigo Scarano
Target Sistemas
http://www.targetsis.com.br/
rscarano@targetsis.com.br

-----Original Message-----
From: avert_advisory@avertlabs.com [mailto:avert_advisory@avertlabs.com]
Sent: Friday, 1 August 2003 14:57
To: rscarano@targetsis.com.br
Subject: AVERT Virus Advisory: W32/Mimail@MM - Update

The 4282 Dat files will be releasing today, 8/1/2003, instead of 8/6/2003
as mentioned in the previous message.

Further testing has shown that proactive detection has been available since
the 4192 dat files.

AVERT

From TGFurnish at HERFF-JONES.COM Fri Aug 1 23:38:19 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:08 2006
Subject: Whitelisted
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1A68@inex1.herffjones.hj-int>

>-----Original Message-----
>From: Ken Anderson [mailto:ka@PACIFIC.NET]
>Sent: Monday, July 28, 2003 10:18 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Whitelisted
>
>2. Mount /var/spool/MailScanner/incoming as tmpfs

Huh?  I am probably just at a disadvantage here because redhat doesn't ship
a man page for mount that documents the tmpfs option, but I thought the
incoming spool had to be on the same mount point as the outgoing spool or MS
would gag.  Doesn't that mean that we would instead want to mount
/var/spool/MailScanner, not only the incoming dir?  And besides, if tmpfs is
good enough for incoming, why wouldn't we also want to use it for outgoing?

>4. Sendmail's MaxRecipients = x is also a major factor, since each
>message is cloned x times.  I believe the default is 100 or 128...  That's
>probably too high if you are splitting all incoming mail into 1 recip
>per message!

Lost me here too - sorry if I'm showing extreme ignorance.  I'm getting
ready to implement this, trying to understand thoroughly first.  I thought
MaxRecipients was getting set to 1, meaning "any message with more than 1
recipient, split into separate messages with at most 1 recipient."  So if I
have maxrecipients set to 1 and a msg comes in with ten recipients, I've
cloned it 9 times, correct, not 1 time (maxrecipient being 1)?

-t.

From ka at PACIFIC.NET Fri Aug 1 23:56:16 2003
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:19:08 2006
Subject: Whitelisted
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF8E1A68@inex1.herffjones.hj-int>
References: <8FFC76593085ED4A80D3601BC41EFCDF8E1A68@inex1.herffjones.hj-int>
Message-ID: <3F2AF010.3060400@pacific.net>

Furnish, Trever G wrote:

>>-----Original Message-----
>>From: Ken Anderson [mailto:ka@PACIFIC.NET]
>>Sent: Monday, July 28, 2003 10:18 AM
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: Re: Whitelisted
>>
>>2. Mount /var/spool/MailScanner/incoming as tmpfs
>
>
> Huh?  I am probably just at a disadvantage here because redhat doesn't ship
> a man page for mount that documents the tmpfs option, but I thought the
> incoming spool had to be on the same mount point as the outgoing spool or MS
> would gag.  Doesn't that mean that we would instead want to mount
> /var/spool/MailScanner, not only the incoming dir?  And besides, if tmpfs is
> good enough for incoming, why wouldn't we also want to use it for outgoing?

/var/spool/MailScanner/incoming is the only safe thing to mount in memory.
If the machine dies you don't lose anything.  Julian explained why this is
the case..  I can't recall exactly how mailscanner handles this though,
sorry.

in /etc/fstab:
none    /var/spool/MailScanner/incoming/    tmpfs    defaults    0 0

>
>>4. Sendmail's MaxRecipients = x is also a major factor, since each
>>message is cloned x times.  I believe the default is 100 or 128...  That's
>>probably too high if you are splitting all incoming mail into 1 recip
>>per message!
>

In sendmail.cf MaxRecipients is the maximum number of recipients for a
message that sendmail will accept.  Using queue groups, we break messages up
_after_ we accept them.  If you set MaxRecipients=1, you'll be denying all
mail entering your system with more than one recip, you won't be splitting
it up - Senders will see "Too many recipients" errors. :-(

Ken

> Lost me here too - sorry if I'm showing extreme ignorance.  I'm getting
> ready to implement this, trying to understand thoroughly first.  I thought
> MaxRecipients was getting set to 1, meaning "any message with more than 1
> recipient, split into separate messages with at most 1 recipient."  So if I
> have maxrecipients set to 1 and a msg comes in with ten recipients, I've
> cloned it 9 times, correct, not 1 time (maxrecipient being 1)?
>
> -t.
>
>

From kchong at UCI.EDU Fri Aug 1 23:52:57 2003
From: kchong at UCI.EDU (Keith Chong)
Date: Thu Jan 12 21:19:08 2006
Subject: Zip files not getting checked?
Message-ID: 

Hi all,

I am running Mailscanner 3.21 with sophos and it seems to me that zip
attachments are not getting scanned.  I had problems with Sobig.E and had
to add rules to filename.rules.conf to block it.  Today we were hit with
Mimail.A and even after I updated the IDE from Sophos it still was getting
through.  I installed all the MIME-Tools patches but that did not help.
Anyone have any idea what I am missing?  I am running Solaris 8 and
sendmail.

Thanks
Keith

From lists at STHOMAS.NET Sat Aug 2 00:21:38 2003
From: lists at STHOMAS.NET (Steve Thomas)
Date: Thu Jan 12 21:19:08 2006
Subject: Zip files not getting checked?
In-Reply-To: ; from kchong@UCI.EDU on Fri, Aug 01, 2003 at 03:52:57PM -0700
References: 
Message-ID: <20030801162138.A30734@sthomas.net>

On Fri, Aug 01, 2003 at 03:52:57PM -0700, Keith Chong is rumored to have said:
>
> Today we were hit with Mimail.A and even after I updated
> the IDE from Sophos it still was getting through.  I
> installed all the MIME-Tools patches but that did not help.
>

We're using MS 4.14-9 with Sophos Sweep and MS started catching it as soon
as SIDEFIRE (http://sthomas.net/perl/scripts/sidefire.php - shameless plug)
installed it.  I also had to add it to the Silent Viruses list as it was
sending an email to admin@example.com (s/example/ourdomain/) every time it
caught one.

--
"The best way to predict the future is to invent it."
- Alan Kay

From lists at STHOMAS.NET Sat Aug 2 00:30:19 2003
From: lists at STHOMAS.NET (Steve Thomas)
Date: Thu Jan 12 21:19:08 2006
Subject: Zip files not getting checked?
In-Reply-To: <20030801162138.A30734@sthomas.net>; from lists@STHOMAS.NET on Fri, Aug 01, 2003 at 04:21:38PM -0700
References: <20030801162138.A30734@sthomas.net>
Message-ID: <20030801163019.C30734@sthomas.net>

On Fri, Aug 01, 2003 at 04:21:38PM -0700, Steve Thomas is rumored to have said:
>
> MS started catching it as soon as SIDEFIRE ... installed it.
>

I should clarify - I was talking about the IDE file - my script doesn't
install viruses. ;)

--
"God, please save me from your followers!"
- Bumper Sticker

From mailscanner at LISTS.COM.AR Sat Aug 2 01:21:12 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:19:08 2006
Subject: strange behaviour detected with W32/Mimail@MM
Message-ID: <3F2AD9C8.27437.CB0B8FD@localhost>

Hi,

I received a couple of hours ago a copy of W32/Mimail@MM in an unprotected
mail account.  I opened it cautiously, since it had a very virus-like content
and discovered the ugly trick it uses.

Just for fun, I resent it to an account protected by MailScanner... to my
dismay, it passed thru... but the strangest thing is that McAfee detected it,
nonetheless, MailScanner let it thru.

On to the details:

I'm running MailScanner 4.20-3 with McAfee Virus Scan for Linux v4.24.0, with
dat file version 4282 (this is updated hourly with Tony's script, this was the
dat file version when I did the test and it does detect W32/Mimail@MM).

The machine is a RedHat Linux 7.3 with some stuff from 8.0 (notably, perl
5.8.0 - all the perl modules are configured with perl 5.8.0).  It uses
ZMailer 2.99.56-pre4 for the mail delivery.

Here's some relevant info from MailScanner.conf:

====================================MailScanner.conf====================
Virus Scanning = yes
Virus Scanners = mcafee
Deliver Disinfected Files = no
Silent Viruses = Klez Yaha-E Bugbear Braid-A WinEvar
Still Deliver Silent Viruses = yes
Filename Rules = /app/MailScanner/etc/filename.rules.conf
Quarantine Infections = no
Quarantine Whole Message = no
Quarantine Whole Messages As Queue Files = no
Include Scanner Name In Reports = yes
Mail Header = X-Alerce:
Spam Header = X-Alerce-SpamAnalisis:
Spam Score Header = X-Alerce-PuntajeSpam:
Spam Score Character = A
Clean Header Value = Se encontro limpio
Infected Header Value = Se encontro infectado
Disinfected Header Value = Fue desinfectado
Detailed Spam Report = yes
Sign Clean Messages = no
Mark Infected Messages = yes
Mark Unscanned Messages = yes
Unscanned Header Value = No ha sido revisado en busqueda de virus.
Deliver Cleaned Messages = yes
Notify Senders = no
Never Notify Senders Of Precedence = list bulk
Scanned Modify Subject = no
Scanned Subject Text = {Revisado}
Virus Modify Subject = yes
Virus Subject Text = {Virus identificado}
Filename Modify Subject = no
Filename Subject Text = {Nombre de archivo prohibido}
Spam Modify Subject = yes
Spam Subject Text = {Posible Spam}
High Scoring Spam Modify Subject = yes
High Scoring Spam Subject Text = {***Spam!!!***}
Warning Is Attachment = yes
Attachment Warning Filename = AvisoDeVirus.txt
Send Notices = no
Spam Checks = yes
Spam List =
Spam Domain List =
Use SpamAssassin = yes
Max SpamAssassin Size = 250_000
Required SpamAssassin Score = 6
High SpamAssassin Score = 40
SpamAssassin Auto Whitelist = no
Check SpamAssassin If On Spam List = yes
Always Include SpamAssassin Report = yes
Spam Score = yes
Spam Actions = deliver
High Scoring Spam Actions = deliver
Syslog Facility = local3
Log Spam = yes
Log Permitted Filenames = yes
Always Looked Up Last = &AlerceLogging
Delivery Method = queue
====================================MailScanner.conf====================

Testing:

After seeing how the virus happily passed thru, I did a few simple tests.

Test 1: bounced an original message containing a W32/Mimail@MM virus.
Test 2: bounced an original message containing a W32/Hybris.gen@MM virus.
Test 3: sent a fresh message containing a zipfile including a
        W32/Hybris.gen@MM virus.
Test 4: sent a fresh message containing a zipfile including a
        W32/Mimail@MM virus.

I'm enclosing a text file with results from every one of these tests.

For every test I put the relevant log lines from syslog (luckily enough, the
traffic was so low, that every test message passed thru mailscanner as a
complete batch).

Following it there are 2 or 3 lines (MSG: / TO : / RPT:) that are equivalent
to the mysql log (generated by &AlerceLogging, that is a modified version of
SQLLogging that doesn't do any SQL).
Finally, the relevant MailScanner header lines in the received message.

As you can see, every time, McAfee detected all viruses, however, both
W32/Mimail@MM passed thru, and both W32/Hybris.gen@MM were cleaned.

However the two cleaned mails worked differently.

In Test 2, I got the VirusWarning.txt attachment and its content only
referred to the invalid filename (.exe, blocked in filename.rules.conf).

In Test 3, I got a text attachment named "Replaced Infected File.txt" with
this content:

=======================Replaced Infected File.txt=========================
******** McAfee GroupShield Exchange **********
******** Alert generated at: Viernes, Agosto 01, 2003 08:11:30 p. SA Eastern
Standard Time
**********************************************************************

The item virus.zip has been replaced because it was infected by the
W32/Hybris.gen@MM virus.
=======================Replaced Infected File.txt=========================

The attachment didn't have a closing newline.

From this, I understand that if a file matches a filename rule _and_ a virus
is detected, it only informs the user about the filename... it'd be nice if I
also got the virus report.

But I still don't know why the messages with W32/Mimail@MM virus passed thru,
whenever they _were_ actually detected by the virus scanner.

If you got this far in the message, let me know I _really_ thank your
patience...

If you give me a clue about what's happening, I'll be _really_ _really_
_really_ thankful!!!! :-)

--
Mariano Absatz
El Baby
----------------------------------------------------------
A lack of planning on your part does not constitute an emergency on my part.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mailscanner-log-excerpts
Type: application/octet-stream
Size: 7554 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030801/b2c6a089/mailscanner-log-excerpts.obj

From mailscanner at LISTS.COM.AR Sat Aug 2 01:26:28 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:19:08 2006
Subject: strange behaviour detected with W32/Mimail@MM
In-Reply-To: <3F2AD9C8.27437.CB0B8FD@localhost>
Message-ID: <3F2ADB04.22094.CB58959@localhost>

I know, I know... my mailer decided to use base64 no matter I told it
otherwise... well, the log excerpts are at
http://baby.com.ar/MailScanner/mailscanner-log-excerpts

Thanx.

On 1 Aug 2003 at 21:21, Mariano Absatz wrote:

>
> I'm enclosing a text file with results from every one of these tests.
>
> For every test I put the relevant log lines from syslog (luckily enough, the
> traffic was so low, that every test message passed thru mailscanner as a
> complete batch).
>
> Following it there are 2 or 3 lines (MSG: / TO : / RPT:) that are equivalent
> to the mysql log (generated by &AlerceLogging, that is a modified version of
> SQLLogging that doesn't do any SQL).
>
> Finally, the relevant MailScanner header lines in the received message.
>

--
Mariano Absatz
El Baby
----------------------------------------------------------
Always remember you're unique, just like everyone else.

From marc at CALIBREDIGITAL.COM Fri Aug 1 21:23:25 2003
From: marc at CALIBREDIGITAL.COM (Marc Anthony P. Barrette)
Date: Thu Jan 12 21:19:08 2006
Subject: Automated Reply from Marc Anthony P. Barrette
Message-ID: <200308020023.h720NPm12214@co.calibre-dd.com>

I will be away from the studio attending SIGGRAPH Conference from July 26th.
I will be returning August 6th.

Please direct your immediate concerns to Pete Denomme peted@calibredigital.com
for business needs and Technical to Greg Whynott gregw@calibredigital.com

Thanks in advance,

From wpc4 at DODGETHIS.ORG Sat Aug 2 02:24:25 2003
From: wpc4 at DODGETHIS.ORG (William Curley)
Date: Thu Jan 12 21:19:08 2006
Subject: Striphtml VS attachment and related issues
References: <74BC2BBF06470148911E64E2B48FE139049A5A@pinewood.ncl.ac.uk>
Message-ID: <001a01c35894$cf774490$0600a8c0@dejour>

Lol, by leaving the Nigerian information in there many people probably won't
see this email.  Scored 7.3 points on my spamassassin system.

----- Original Message -----
From: "Quentin Campbell"
To: 
Sent: Friday, August 01, 2003 6:36 AM
Subject: FW: Striphtml VS attachment and related issues

Julian

QUESTION:
If you have "deliver attachment" set for spam, what determines when the
message body of a tagged message is placed in an attachment and when it is
not?

BACKGROUND:
Until I installed MS 4.22-5 we had been using "deliver striphtml" as the
action to take for messages tagged as spam.  Some users were unhappy with
this when they received false positives because they lost most of the
original (HTML) message.  However recipients of real spam messages are
universally happy with "deliver striphtml".

To address the problems with some false positive messages I am trying
"deliver attachment" as an alternative, initially for a small group of our
20,000+ users.  This works fine for the few false positives they receive
which also happen to be HTML.  However it is not very nice nor necessary
when the false positive contains no HTML.  In this case the message should
be delivered as-is and not in an attachment.

I notice that some of my tagged messages are not put in an attachment before
delivery.  That is fine since they contain no HTML.  This is my preferred
behaviour in that situation.  However I have examples of spam (see appended
message) which although not appearing to contain any HTML *are* put in an
attachment before delivery.  Why?  I cannot see what the essential
difference is between the two sorts of tagged messages!

Quentin
---
PHONE: +44 191 222 8209    Computing Service, University of Newcastle
FAX:   +44 191 222 8765    Newcastle upon Tyne, United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinion expressed above is mine. The University can get its own."

-----Original Message-----
From: Denis Russell [mailto:Denis.Russell@ncl.ac.uk] Sent: 01 August 2003 10:43 To: Quentin Campbell >Subject: Fwd: SP? BUSINESS PROPOSAL Quentin, I'm still getting spam messages put into an attachment, even though I can see no hint of HTML in the message. Denis. >Received: from cheviot2.ncl.ac.uk (cheviot2.ncl.ac.uk [128.240.229.35]) > by burnmoor.ncl.ac.uk (8.9.3/8.9.3) with ESMTP id KAA23866 > for ; Fri, 1 Aug 2003 10:19:25 +0100 (BST) >From: mbanakaka@send-mail.co.uk >Received: from netmail01.eng.net (netmail01.eng.net [213.130.128.38]) > by cheviot2.ncl.ac.uk (8.10.1/8.10.1) with ESMTP id h719J9B27765; > Fri, 1 Aug 2003 10:19:09 +0100 >Received: from send-mail.co.uk (netmail01.eng.net [127.0.0.1]) > by netmail01.eng.net (8.11.3/8.11.3) with SMTP id h719DEx03690; > Fri, 1 Aug 2003 10:13:14 +0100 >Received: from 192.116.107.67 > (SquirrelMail authenticated user mbanakakasendmail) > by mail.send-mail.co.uk with HTTP; > Fri, 1 Aug 2003 10:14:08 +0100 (BST) >Message-ID: ><1308.192.116.107.67.1059729248.squirrel@mail.send-mail.co.uk> >Date: Fri, 1 Aug 2003 10:14:08 +0100 (BST) >Subject: SP? BUSINESS PROPOSAL >To: >X-Mailer: SquirrelMail (version 1.1.1) >MIME-Version: 1.0 >Content-type: multipart/digest; boundary="======24934==61103======" >X-Newcastle-MailScanner-Information: Please contact >Postmaster@newcastle.ac.uk for more information >X-Newcastle-MailScanner: Found to be clean >X-Newcastle-MailScanner-SpamCheck: spam, SpamAssassin (score=15.5, > required 5, BAYES_90 3.00, FROM_AND_TO_SAME 1.70, NIGERIAN_BODY 2.69, > NO_REAL_NAME 1.15, SUBJ_ALL_CAPS 0.49, UPPERCASE_75_100 0.00, > US_DOLLARS 1.14, US_DOLLARS_3 0.92, US_DOLLAR_6 4.50) >X-Newcastle-MailScanner-SpamScore: sssssssssssssss >X-UIDL: ed9a1cce8f31e51ff8261f1a6425c1a7 > >--======24934==61103====== >Our MailScanner believes that the attachment to this message sent to >you 
> > From: mbanakaka@send-mail.co.uk > Subject: BUSINESS PROPOSAL > >is Unsolicited Commercial Email (spam). Unless you are sure that this >message is incorrectly thought to be spam, please delete this message >without opening it. Opening spam messages might allow the spammer to >verify your email address and thus result in even more spam being >received. > >If you believe that this message has been incorrectly marked as spam, >please forward this email to Postmaster@newcastle.ac.uk. > > >--======24934==61103====== >Return-Path: >Received: from netmail01.eng.net (netmail01.eng.net [213.130.128.38]) > by cheviot2.ncl.ac.uk (8.10.1/8.10.1) with ESMTP id h719J9B27765; > Fri, 1 Aug 2003 10:19:09 +0100 >Received: from send-mail.co.uk (netmail01.eng.net [127.0.0.1]) > by netmail01.eng.net (8.11.3/8.11.3) with SMTP id h719DEx03690; > Fri, 1 Aug 2003 10:13:14 +0100 >From: mbanakaka@send-mail.co.uk >Received: from 192.116.107.67 > (SquirrelMail authenticated user mbanakakasendmail) > by mail.send-mail.co.uk with HTTP; > Fri, 1 Aug 2003 10:14:08 +0100 (BST) >Message-ID: ><1308.192.116.107.67.1059729248.squirrel@mail.send-mail.co.uk> >Date: Fri, 1 Aug 2003 10:14:08 +0100 (BST) >Subject: BUSINESS PROPOSAL >To: >X-Mailer: SquirrelMail (version 1.1.1) >MIME-Version: 1.0 >Content-Type: text/plain >Content-Transfer-Encoding: 8bit From mailscanner at ELKNET.NET Sat Aug 2 03:33:45 2003 
From: mailscanner at ELKNET.NET (Alan Fiebig) Date: Thu Jan 12 21:19:08 2006 Subject: Spamassassin timeout results in MS 100% CPU and server lockup (correction) Message-ID: <200308020132.h721WKS17409@ori.rl.ac.uk> Julian, I replied back on this earlier this week (the answer was version 2.60-cvs). Any closer to an answer? I'd like to turn bayes back on... Remember, I'd be happy to temporarily re-enable bayes and gather any stats/info you might wish to see. -Alan >Are you running SA 2.55? Sounds like it's a Perl bug somewhere. I don't >think there's any MS code that could loop in this situation... > >At 04:23 28/07/2003, you wrote: >>A possible correction. I may have been wrong in my conclusion that it was >>a group of emails that came in last night that caused this problem to manifest. >>After running through the logs, I was quite surprised at how many SA >>timeout assassinations had started taking place in the early hours of the >>morning, right about the time of the first crash I described. Tonight I >>finished sanitizing the in queue, and started everything up again... >> >>The problem came right back. I could not believe that it was more of the >>type of messages that came in last night, so perhaps my first conclusion >>was flawed. I started looking for what else might have changed on my >>server about the time all this started. I found it... >> >>My Bayes finally hit 200 hams, and started working at 1:56 AM this >>morning. Prior to that time, my auto-learn had not accumulated enough hams >>for Bayes to start functioning. So, I just disabled Bayes, and voila! No >>more SA timeouts and deaths. >> >>So, it wasn't some mysterious evil messages that caused the timeouts, but >>Bayes kicking in. >> >>HOWEVER! 
Even with the cause of the timeouts figured out, I still have my >>PRIMARY concern: Why are MS children that encounter an SA timeout and >>death taking over my server with extremely high ram and cpu usage, that >>eventually crowd out every other process and crash the server? THAT is my >>primary issue. >> >>All help and insight is sure appreciated! >>-Alan >> >> >> >> >Last night I got a number of emails into my MS/SA server that caused it >> to crash. >> > >> >In my testing, here is what I discovered: >> > >> > Everything runs fine up until the maillog reports 'spamassassin timed >> out and was killed'. >> > >> > Using the PID in that error message, I check all the children of that >> parent process. >> > >> > One of the children will suddenly start climbing in memory size above >> the typical 22M, and likewise will start climbing in CPU usage. >> > >> > As memory and CPU continue to increase, all the other MS parents and >> their children get swapped out and go to sleep. >> > >> > Before too long, the child causing the problem will reach around 380+M >> of memory and 99% CPU. No other MS instances are running at all. >> > >> > Accordingly, the maillog no longer shows any processing of the >> incoming queue. >> > >> > If left alone, the machine eventually comes to its knees, and even the >> nic stops responding (can't ping the server) and the console is locked. >> > >> > If the bad child is reniced to a negative value (everything else is at >> 0), then everything else, including the other MS instances, start back up. >> > >> > If the bad child is killed, everything goes back to normal. >> > >> > >> > ...that is of course until another one of the bad messages is picked >> up for scanning. >> > >> > >> > My major concern here is not so much what was in the bad message that >> caused this, but more critically, why does the time out killing of a >> spamassassin instance cause its calling MS child to go ape and eat the server? 
>> > >> >-Alan > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support From mike at CAMAROSS.NET Sat Aug 2 06:42:12 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:19:08 2006 Subject: Zip files not getting checked? In-Reply-To: <20030801163019.C30734@sthomas.net> Message-ID: <000801c358b8$d32e9ce0$9c01a8c0@home.middlefinger.net> What does your script do differently than the update_virus_scanners script? Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Steve Thomas Sent: Friday, August 01, 2003 6:30 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Zip files not getting checked? On Fri, Aug 01, 2003 at 04:21:38PM -0700, Steve Thomas is rumored to have said: > > MS started catching it as soon as SIDEFIRE ... installed it. > I should clarify - I was talking about the IDE file - my script doesn't install viruses. ;) -- "God, please save me from your followers!" - Bumper Sticker From lists at STHOMAS.NET Sat Aug 2 06:57:33 2003 
From: lists at STHOMAS.NET (Steve Thomas) Date: Thu Jan 12 21:19:08 2006 Subject: Zip files not getting checked? In-Reply-To: <000801c358b8$d32e9ce0$9c01a8c0@home.middlefinger.net>; from mike@CAMAROSS.NET on Sat, Aug 02, 2003 at 12:42:12AM -0500 References: <20030801163019.C30734@sthomas.net> <000801c358b8$d32e9ce0$9c01a8c0@home.middlefinger.net> Message-ID: <20030801225733.A11446@sthomas.net> On Sat, Aug 02, 2003 at 12:42:12AM -0500, Mike Kercher is rumored to have said: > > What does your script do differently than the update_virus_scanners script? > I wrote that long before I was using MS, or I probably wouldn't have bothered. I don't use the update_virus_scanners script, so I'm not sure *exactly* what it does, but my understanding is that it runs (via cron?) periodically, and pulls down the entire zip file of IDEs. My script pulls just the single IDE as soon as the notification e-mail comes in. No wasted hits against the Sophos server, no wasted bandwidth (not like it's a lot) and no letting viruses through while you're asleep and the update_virus_scanners script is waiting for its next run. Today was a good example - one copy of the virus got through before the new IDE was in place and two more were caught within minutes after it was installed. -- "I've just learned about his illness. Let's hope it's nothing trivial." - Irvin S. Cobb From raymond at PROLOCATION.NET Sat Aug 2 10:57:49 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:08 2006 Subject: Warning: E-mail viruses detected (fwd) Message-ID: Hi! I have opened a ticket by FRISK (F-PROT), even the free Clam scanner does a better job lately with adding new viruses: Our virus detector has just been triggered by a message you sent:- To: raymond@prolocation.net Subject: VIRUS TEST Date: Sat Aug 2 11:22:29 2003 Any infected parts of the message (message.zip) have not been delivered. This message is simply to warn you that your computer system may have a virus present and should be checked. The virus detector said this about the message: Report: ClamAV: message.zip contains Trojan.Dropper.C Let's hope also f-prot gets it in. Bye, Raymond. From eja at urbakken.dk Sat Aug 2 11:02:35 2003 From: eja at urbakken.dk (Erik Jakobsen) Date: Thu Jan 12 21:19:08 2006 Subject: MailScanner. Message-ID: <20030802120235.03449f5e.eja@urbakken.dk> @Raymond. Did you read my file ??. -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From raymond at PROLOCATION.NET Sat Aug 2 11:04:40 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:08 2006 Subject: MailScanner. In-Reply-To: <20030802120235.03449f5e.eja@urbakken.dk> Message-ID: Hi! > @Raymond. > > Did you read my file ??. Better post to the list next time. I have received it and will have a look at it... Bye, Raymond. From eja at urbakken.dk Sat Aug 2 11:26:06 2003 
From: eja at urbakken.dk (Erik Jakobsen) Date: Thu Jan 12 21:19:08 2006 Subject: MailScanner. In-Reply-To: References: <20030802120235.03449f5e.eja@urbakken.dk> Message-ID: <20030802122606.7d2ad22b.eja@urbakken.dk> > Better post to the list next time. I have received it and will have a > look at it... I will, but I was not quite sure how to do it, but am now. Good I look forward to your report. -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From eja at urbakken.dk Sat Aug 2 11:34:00 2003 From: eja at urbakken.dk (Erik Jakobsen) Date: Thu Jan 12 21:19:08 2006 Subject: chroot jail. Message-ID: <20030802123400.7452da56.eja@urbakken.dk> Hi. How is chroot jail to be used ?. -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From mailscanner at ecs.soton.ac.uk Sat Aug 2 12:07:19 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:08 2006 Subject: Feature Requests In-Reply-To: <20BC1F0E-C442-11D7-8C50-003065F939FE@ucsc.edu> References: <20BC1F0E-C442-11D7-8C50-003065F939FE@ucsc.edu> Message-ID: <1059822439.3f2b9b6773a68@secure.ecs.soton.ac.uk> Quoting John Rudd : > On Friday, Aug 1, 2003, at 08:22 US/Pacific, Jan-Peter Koopmann wrote: > > >> 1) new action type: Ham Actions or Not Spam Actions > >> > >> [snip] > > > > You can do this already with the "Convert HTML To Text" option. > > You can do that one exact action with that option. You can't do all of > the "Actions" options. Try reading the docs :-) # This is just like the "Spam Actions" option above, except that it applies # to messages that are *NOT* spam. # The available options are the same as for "Spam Actions" except that it # makes no sense to bounce non-spam. # deliver - deliver the message as normal # delete - delete the message # store - store the message in the quarantine # forward user@domain.com - forward a copy of the message to user@domain.com # striphtml - convert all in-line HTML content to plain text # # This can also be the filename of a ruleset. Non Spam Actions = deliver -- Jules mailscanner@ecs.soton.ac.uk From eja at urbakken.dk Sat Aug 2 15:53:24 2003 
From: eja at urbakken.dk (Erik Jakobsen) Date: Thu Jan 12 21:19:08 2006 Subject: MailScanner. In-Reply-To: References: <20030802120235.03449f5e.eja@urbakken.dk> Message-ID: <20030802165324.0c805ca4.eja@urbakken.dk> I have gone through my /etc/mailscanner/mailscanner.con file, and have commented all the lines containing the word sendmail. I use postfix in my SuSE 8.2 linux OS. Still the sendmail is trying to start. I can see, that in the MailScanner file in /etc/init.d/rc.3d there are lots of sendmail lines. What about them using postfix ?. -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From SJCJonker at SJC.NL Sat Aug 2 16:11:15 2003 
From: SJCJonker at SJC.NL (Stijn Jonker) Date: Thu Jan 12 21:19:08 2006 Subject: Silent Virus & Notify Senders Message-ID: <3F2BD493.5070008@SJC.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello all, I'm trying to fine tune the virus reporting to the senders of email, Initially I had a rule where for all local domains reporting was on, and the default was off. Recently people have tried to transfer exe files, they were legit, as they were updates from the official vendor of a piece of software. (This user isn't very technical, so it was sent as a self exec zip archive). MailScanner nicely intercepted the email, but of course didn't notify the sender, as the rules dictate. I'm looking for a way to do sender notification as mentioned below: Disallowed filename && !Virus yes Disallowed filetype && !Virus yes Virus no HTML-Form yes HTML-Codebase no HTML-IFrame yes If this isn't possible with the current code, maybe an option for silent viruses in the area of: Silent Viruses = HTML-Codebase ALLViruses If the above change is required, I'll dive into the perl code, and see if I can manage to make a patch to do this.. Julian, are you willing to add this, when and if I provide the patch? - -- Met Vriendelijke groet/Yours Sincerely Stijn Jonker -----BEGIN PGP SIGNATURE----- iD8DBQE/K9STjU9r45tKnOARAh4KAKDxFSo0USEL9nkQCevuDrumF9Hi+QCg9RHw HCXeSkZBCbeF3bcmgM6IdHo= =rY0j -----END PGP SIGNATURE----- From mike at CAMAROSS.NET Sat Aug 2 17:18:28 2003 
From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:19:09 2006 Subject: Zip files not getting checked? In-Reply-To: <20030801225733.A11446@sthomas.net> Message-ID: <001601c35911$b58abb70$9c01a8c0@home.middlefinger.net> Gotcha. I just installed your script on one of my mail servers to see how it does. I too had MiMail slip through yesterday before I got the notification from Sophos. Luckily, (if I read the advisory correctly) MiMail exploits a vulnerability in Windows which M$ has a patch for. I keep all of my Windows boxes updated as much as I can. Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Steve Thomas Sent: Saturday, August 02, 2003 12:58 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Zip files not getting checked? On Sat, Aug 02, 2003 at 12:42:12AM -0500, Mike Kercher is rumored to have said: > > What does your script do differently than the update_virus_scanners > script? > I wrote that long before I was using MS, or I probably wouldn't have bothered. I don't use the update_virus_scanners script, so I'm not sure *exactly* what it does, but my understanding is that it runs (via cron?) periodically, and pulls down the entire zip file of IDEs. My script pulls just the single IDE as soon as the notification e-mail comes in. No wasted hits against the Sophos server, no wasted bandwidth (not like it's a lot) and no letting viruses through while you're asleep and the update_virus_scanners script is waiting for its next run. Today was a good example - one copy of the virus got through before the new IDE was in place and two more were caught within minutes after it was installed. -- "I've just learned about his illness. Let's hope it's nothing trivial." - Irvin S. Cobb From mailscanner at ecs.soton.ac.uk Sat Aug 2 17:54:48 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:09 2006 Subject: Zip files not getting checked? In-Reply-To: <001601c35911$b58abb70$9c01a8c0@home.middlefinger.net> References: <001601c35911$b58abb70$9c01a8c0@home.middlefinger.net> Message-ID: <1059843288.3f2becd89124b@secure.ecs.soton.ac.uk> I haven't had a chance to see his script yet, but I basically know how it will work. Anyone fancy writing instructions for each MTA detailing how you go about installing it? I would happily add it to the distribution as it's a very useful tool for Sophos customers. Be warned that I will probably re-write the script in my own style, but analyse his code carefully to make sure I don't miss any tricks he is doing. As people using this will be using it instead of the hourly global updater, it needs to be absolutely right and tolerant of all sorts of changes that Sophos might choose to make to the format of the email message they send out. The last thing you want is for Sophos to re-write their standard email message and everyone's updates to stop working completely. It needs to (a) be very tolerant of lousy input, and (b) capable of noticing it hasn't had an update in a few days and start screaming very loudly about it. The only difficulty with it will be producing the installation instructions for it, as a lot of MailScanner admins don't really know enough to be able to use something like this without quite a bit of help. But I definitely like the idea! Quoting Mike Kercher : > Gotcha. I just installed your script on one of my mail servers to see how > it does. I too had MiMail slip through yesterday before I got the > notification from Sophos. Luckily, (if I read the advisory correctly) > MiMail exploits a vulnerability in Windows which M$ has a patch for. I > keep > all of my Windows boxes updated as much as I can. > > Mike > > > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf > Of Steve Thomas > Sent: Saturday, August 02, 2003 12:58 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Zip files not getting checked? > > > On Sat, Aug 02, 2003 at 12:42:12AM -0500, Mike Kercher is rumored to have > said: > > > > What does your script do differently than the update_virus_scanners > > script? > > > > I wrote that long before I was using MS, or I probably wouldn't have > bothered. I don't use the update_virus_scanners script, so I'm not sure > *exactly* what it does, but my understanding is that it runs (via cron?) > periodically, and pulls down the entire zip file of IDEs. My script pulls > just the single IDE as soon as the notification e-mail comes in. No wasted > hits against the Sophos server, no wasted bandwidth (not like it's a lot) > and no letting viruses through while you're asleep and the > update_virus_scanners script is waiting for its next run. Today was a > good > example - one copy of the virus got through before the new IDE was in > place > and two more were caught within minutes after it was installed. > > -- > "I've just learned about his illness. Let's hope it's nothing trivial." > - Irvin S. Cobb > > -- Jules jkf@ecs.soton.ac.uk mailscanner@ecs.soton.ac.uk From mailscanner at ecs.soton.ac.uk Sat Aug 2 18:02:45 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:09 2006 Subject: MailScanner. In-Reply-To: <20030802165324.0c805ca4.eja@urbakken.dk> References: <20030802120235.03449f5e.eja@urbakken.dk> <20030802165324.0c805ca4.eja@urbakken.dk> Message-ID: <1059843765.3f2beeb540f67@secure.ecs.soton.ac.uk> For starters, read the docs on the website about installing it with Postfix, as you need to make a small change or two to the postfix configuration files and you need to setup /etc/postfix.in. http://www.sng.ecs.soton.ac.uk/mailscanner/install/postfix.shtml One of the things I need to do a.s.a.p. is get the SuSE init.d script as good as the RedHat one. Currently it only handles sendmail setups properly, whereas the RedHat one supports just about everything. You will need to edit the script at the moment, I'm afraid. The most important bit to write (obviously) is the code to start MailScanner and the 2 postfix processes. It doesn't matter too much about the stop code as you can always do that by hand with ps and kill anyway. You need to start 1) incoming postfix, 2) outgoing postfix, 3) MailScanner itself. /usr/sbin/postfix -c /etc/postfix.in start /usr/sbin/postfix -c /etc/postfix start /usr/sbin/check_mailscanner Quoting Erik Jakobsen : > I have gone through my /etc/mailscanner/mailscanner.con file, and have > commented > all the lines containing the word sendmail. > > I use postfix in my SuSE 8.2 linux OS. > > > Still the sendmail is trying to start. I can see, that in the MailScanner > file > in /etc/init.d/rc.3d there are lots of sendmail lines. > > What about them using postfix ?. > > -- > Med venlig hilsen - Best regards. > Erik Jakobsen - eja@urbakken.dk. > Licensed radioamateur with the callsign OZ4KK. > SuSE Linux 8.2 Proff. > Registered as user #319488 with the Linux Counter, http://counter.li.org. > -- Jules jkf@ecs.soton.ac.uk mailscanner@ecs.soton.ac.uk From mailscanner at ecs.soton.ac.uk Sat Aug 2 18:28:19 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:09 2006 Subject: Silent Virus & Notify Senders In-Reply-To: <3F2BD493.5070008@SJC.nl> References: <3F2BD493.5070008@SJC.nl> Message-ID: <1059845299.3f2bf4b3d3b6c@secure.ecs.soton.ac.uk> Quoting Stijn Jonker : > I'm trying to fine tune the virus reporting to the senders of email, > > Initially I had a rule where for all local domains reporting was on, > and the default was off. > > Recently people have tried to transfer exe files, they were legit, as > they were updates from the official vendor of a piece of software. > (This user isn't very technical, so it was sent as a self exec zip > archive). > > MailScanner nicely intercepted the email, but of course didn't notify > the sender, as the rules dictate. > > I'm looking for a way to do sender notification as mentioned below: > > Disallowed filename && !Virus yes > Disallowed filetype && !Virus yes > Virus no > HTML-Form yes > HTML-Codebase no > HTML-IFrame yes > > If this isn't possible with the current code, maybe an option for silent > viruses in the area of: > > Silent Viruses = HTML-Codebase ALLViruses The "HTML-Codebase" in that line already works, I've done that. The "ALLViruses" doesn't work yet, but should be pretty easy to implement. I probably won't call it exactly that, but something close to that ("All-Viruses" perhaps). Please try the attached patch to /usr/lib/MailScanner/MailScanner/SweepViruses.pm as it should do what you want. The magic keyword is indeed "All-Viruses" (but it doesn't matter about upper/lower case). > > If the above change is required, I'll dive into the perl code, and see > if I can manage to make a patch to do this.. > > Julian, are you willing to add this, when and if I provide the patch? -- Jules jkf@ecs.soton.ac.uk mailscanner@ecs.soton.ac.uk -------------- next part -------------- --- SweepViruses.pm 2003-06-01 12:34:20.000000000 +0100 +++ SweepViruses.pm.new 2003-08-02 18:24:30.000000000 +0100 
@@ -490,18 +490,36 @@ # Merge all the virus reports and types into the properties of the # messages in the batch. Doing this separately saves me changing # the code of all the parsers to support the new OO structure. +# If we have at least 1 report for a message, and the "silent viruses" list +# includes the special keyword "All-Viruses" then mark the message as silent +# right now. sub MergeReports { my($Reports, $Types, $batch) = @_; my($id, $reports, $attachment, $text); + my($cachedid, $cachedsilentflag); # Let's do all the reports first... + $cachedid = 'uninitialised'; while (($id, $reports) = each %$Reports) { #print STDERR "Report merging for \"$id\" and \"$reports\"\n"; next unless $id && $reports; my $message = $batch->{messages}{"$id"}; #print STDERR "Message is $message\n"; $message->{virusinfected} = 1; + + # If the cached message id matches the current one, we are working on + # the same message as last time, so don't re-fetch the silent viruses + # list for this message. + if ($cachedid ne $id) { + my $silentlist = ' ' . MailScanner::Config::Value('silentviruses', + $message) . ' '; + $cachedsilentflag = ($silentlist =~ / all-viruses /i)?1:0; + $cachedid = $id; + } + # We can't be here unless there was a virus report for this message + $message->{silent} = 1 if $cachedsilentflag; + while (($attachment, $text) = each %$reports) { #print STDERR "\tattachment \"$attachment\" has text \"$text\"\n"; next unless $text; From ucs_rat at SHSU.EDU Sat Aug 2 18:40:52 2003 
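Review bot: the id cache added to MergeReports never hits, so `$cachedid` and `$cachedsilentflag` only add state without saving a lookup: `each %$Reports` yields every message id exactly once, so `$cachedid ne $id` is true on every pass through the outer loop and `MailScanner::Config::Value('silentviruses', $message)` is called once per infected message either way. Either drop the two cached variables and set `$message->{silent} = 1 if (' ' . MailScanner::Config::Value('silentviruses', $message) . ' ') =~ / all-viruses /i;` directly in the loop, or keep the cache only if the lookup moves into the inner per-attachment loop, where the same id really does repeat. Separately, the new keyword is documented only in this code comment; the `Silent Viruses` entry in MailScanner.conf should mention `All-Viruses` (matched case-insensitively) so admins can find it.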
From: ucs_rat at SHSU.EDU (Robert A. Thompson) Date: Thu Jan 12 21:19:09 2006 Subject: gmame Message-ID: <1059846052.31982.45.camel@ra.thethompsonhoust.com> Would there be any objections (Julian?) to me requesting this list be put on gmame.org? I've begun using that to monitor the vast number of security lists that I have to watch and found it quite helpful. After just a week of using it I feel like I'm missing a whole lot less important information. --Robert From SJCJonker at SJC.nl Sat Aug 2 18:54:52 2003 
From: SJCJonker at SJC.nl (Stijn Jonker) Date: Thu Jan 12 21:19:09 2006 Subject: Silent Virus & Notify Senders In-Reply-To: <1059845299.3f2bf4b3d3b6c@secure.ecs.soton.ac.uk> References: <3F2BD493.5070008@SJC.nl> <1059845299.3f2bf4b3d3b6c@secure.ecs.soton.ac.uk> Message-ID: <3F2BFAEC.2020404@SJC.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Julian, I didn't try the patch yet, but I want to thank you, I currently work with 2 commercial vendors that I would like to have the ordering consistent in the web interface. They are both looking at my patches for over a week now... With MS, the initial reply is after a little over 2 hours, and this reply ALREADY includes a patch. Julian Field said the following on 08/02/2003 07:28 PM: | Quoting Stijn Jonker : | |>I'm trying to fine tune the virus reporting to the senders of email, |> |>Initially I had a rule where for all local domains reporting was on, |>and the default was off. |> |>Recently people have tried to transfer exe files, they were legit, as |>they were updates from the official vendor of a piece of software. |>(This user isn't very technical, so it was sent as a self exec zip |>archive). |> |>MailScanner nicely intercepted the email, but of course didn't notify |>the sender, as the rules dictate. |> |>I'm looking for a way to do sender notification as mentioned below: |> |>Disallowed filename && !Virus yes |>Disallowed filetype && !Virus yes |>Virus no |>HTML-Form yes |>HTML-Codebase no |>HTML-IFrame yes |> |>If this isn't possible with the current code, maybe an option for silent |>viruses in the area of: |> |>Silent Viruses = HTML-Codebase ALLViruses | | | The "HTML-Codebase" in that line already works, I've done that. | The "ALLViruses" doesn't work yet, but should be pretty easy to implement. I | probably won't call it exactly that, but something close to that | ("All-Viruses" perhaps). 
| | Please try the attached patch | to /usr/lib/MailScanner/MailScanner/SweepViruses.pm as it should do what you | want. The magic keyword is indeed "All-Viruses" (but it doesn't matter about | upper/lower case. | | |>If the above change is required, i'll dive into the perl code, and see |>if i can manage to make a patch to do this.. |> |>Julian, are you willing to add this, when and if I provide the patch? | | | -- | Jules | jkf@ecs.soton.ac.uk | mailscanner@ecs.soton.ac.uk - -- Met Vriendelijke groet/Yours Sincerely Stijn Jonker -----BEGIN PGP SIGNATURE----- iD8DBQE/K/rrjU9r45tKnOARAnCVAJ0Rvg2FhtgW8bzAkX8x2HPrLJgnjACgoVbd PASBOpQDDhCJb9NGG/gQyp0= =95Lw -----END PGP SIGNATURE----- From kevins at BMRB.CO.UK Sat Aug 2 20:51:13 2003 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:19:09 2006 Subject: Zip files not getting checked? In-Reply-To: <001601c35911$b58abb70$9c01a8c0@home.middlefinger.net> References: <001601c35911$b58abb70$9c01a8c0@home.middlefinger.net> Message-ID: <1059853877.11075.8.camel@bach.kevinspicer.co.uk> > My script pulls > just the single IDE as soon as the notification e-mail comes in. No wasted > hits against the Sophos server, no wasted bandwidth (not like it's a lot) > and no letting viruses through while you're asleep and the > update_virus_scanners script is waiting for its next run. Today was a good > example - one copy of the virus got through before the new IDE was in place > and two more were caught within minutes after it was installed. Before putting this in the distribution it might be worth doing a side by side comparison of the two approaches. I've certainly seen times when the notification has been a couple of hours after the IDE was available, I've not checked with a substantial number of notifications (or very recently, maybe things are better now) but it's possible (if there is a lag before the emails get sent) that this could in fact make updates lag behind more than the hourly updates. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mdlaney at morehouse.edu Sun Aug 3 03:37:47 2003 
From: mdlaney at morehouse.edu (Matt Laney) Date: Thu Jan 12 21:19:09 2006 Subject: Zip files not getting checked? In-Reply-To: <1059853877.11075.8.camel@bach.kevinspicer.co.uk> from "Kevin Spicer" at Aug 02, 2003 08:51:13 PM Message-ID: <200308030237.WAA22363@earl.morehouse.edu> > > My script pulls > > just the single IDE as soon as the notification e-mail comes in. > > Before putting this in the distribution it might be worth doing a side > by side comparison of the two approaches. I've certainly seen times > when the notification has been a couple of hours after the IDE was > available... Perhaps this is a foolish suggestion, but wouldn't it be possible to take pieces of both approaches? I don't get the Sophos update emails (must talk to them about that), but if I did, I think I'd be tempted to aim them at some special address (sophos-notices@my-domain), then do something like this in /etc/aliases (sendmail): sophos-notices:me,|/opt/MailScanner/bin/update_virus_scanners Since the existing script ignores stdin, that -should- just cause it to run every time I get mail to that address. Granted, there are some file ownership issues to work out (the update would run as user mailnull, in most out-of-box sendmail setups), but that's going to be a concern with any email-triggered action, and it's not impossible to overcome. Cron can run the thing hourly or whatever regardless of what the email piece is doing. This discards the coolness associated with only getting the single virus definition that has changed, but it also sounds simpler. Further, updates are grabbed either as they happen OR every hour, whatever's first. -Matt -- Matt Laney, mdlaney@morehouse.edu Network and Unix Systems Engineer Morehouse College --- Atlanta, GA From mailscanner at ecs.soton.ac.uk Sun Aug 3 21:53:37 2003 
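The notification-driven updater discussed by Steve Thomas, Julian Field and Matt Laney above has one property worth spelling out in code: an alias such as sophos-notices@my-domain is reachable by anyone on the Internet, so whatever the script extracts from the mail is attacker-controlled input, and the process runs under the MTA's user with rights over the scanner's IDE directory. The following is an added example, not Steve Thomas's script and not MailScanner's update_virus_scanners. It shows the two properties Julian asks for (tolerance of layout changes, and a loud check when no update has arrived for days) plus the one he doesn't mention: the IDE name is validated against a strict pattern and joined onto a fixed base URL, and anything else in the mail, including any URL it contains, is ignored. The notification bodies, the base URL and the three-day threshold are all constructed assumptions; the real Sophos message format is not on this page.

```python
"""Email-triggered IDE fetch: parse a vendor notification, accept only bare
IDE file names, and flag a stale installation. Added example; not Steve
Thomas's script and not MailScanner's update_virus_scanners."""
import email
import re
from datetime import datetime, timedelta
from email import policy
from typing import List

# Assumed download location; the real vendor URL is not on the page.
IDE_BASE_URL = "https://ide-updates.example.invalid/ides/"

# Constructed notification in the spirit of the mails the thread describes.
# The real Sophos layout is not on the page, so this is an assumption.
SAMPLE_NOTIFICATION = b"""\
From: ide-notify@example.invalid
To: sophos-notices@my-domain.example
Subject: New virus identity file available
Date: Sat, 02 Aug 2003 10:15:00 +0100

A new virus identity (IDE) file is available:

    mimail-a.ide

Download it from the usual location and restart your scanner.
"""

# Constructed hostile mail: anyone can deliver to the alias, so the parser
# must refuse anything that is not a plain IDE file name.
HOSTILE_NOTIFICATION = b"""\
From: anyone@attacker.invalid
To: sophos-notices@my-domain.example
Subject: New virus identity file available
Date: Sat, 02 Aug 2003 11:00:00 +0100

Please fetch ../../../etc/cron.d/evil.ide and also
http://attacker.invalid/mimail-b.IDE; the second one is mimail-b.IDE.
"""

# Loose pattern to find candidates anywhere in the body, strict pattern to
# accept them. A candidate with a path separator, URL scheme or shell
# metacharacter is dropped, never "cleaned up".
CANDIDATE = re.compile(r"\S+\.ide\b", re.IGNORECASE)
IDE_NAME = re.compile(r"[a-z0-9][a-z0-9_-]{0,31}\.ide")


def extract_ide_names(raw_message: bytes) -> List[str]:
    """IDE file names the notification legitimately refers to, in order."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    names: List[str] = []
    for token in CANDIDATE.findall(text):
        token = token.lower()
        if IDE_NAME.fullmatch(token) and token not in names:
            names.append(token)
    return names


def build_download_url(name: str, base_url: str = IDE_BASE_URL) -> str:
    """Join a validated name onto the fixed base; never trust a URL from the mail."""
    if not IDE_NAME.fullmatch(name):
        raise ValueError(f"refusing unsafe IDE name: {name!r}")
    return base_url + name


def plan_update(raw_message: bytes, base_url: str = IDE_BASE_URL) -> List[str]:
    """URLs to fetch for this notification; an empty list means do nothing."""
    return [build_download_url(n, base_url) for n in extract_ide_names(raw_message)]


def update_is_stale(last_update_iso: str, now_iso: str, max_age_days: int = 3) -> bool:
    """True when no IDE has been installed for longer than max_age_days.

    This is the "notice it hasn't had an update in a few days" check: a
    notification-driven updater that silently stops is worse than a cron job,
    so the caller should alert loudly when this returns True.
    """
    last_update = datetime.fromisoformat(last_update_iso)
    now = datetime.fromisoformat(now_iso)
    return now - last_update > timedelta(days=max_age_days)


if __name__ == "__main__":
    print(plan_update(SAMPLE_NOTIFICATION))
    print(plan_update(HOSTILE_NOTIFICATION))
    print(update_is_stale("2003-07-29T02:00:00+01:00", "2003-08-02T03:33:00+01:00"))
```

Run from an alias pipe this stays safe even when the sender is spoofed: the hostile mail yields only `mimail-b.ide`, the traversal attempt and the attacker's URL are discarded, and the fetch always goes to the operator's own base URL. Matt's suggestion of keeping the hourly cron run alongside the alias trigger is the natural backstop for the staleness check.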
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:09 2006
Subject: strange behaviour detected with W32/Mimail@MM
In-Reply-To: <3F2ADB04.22094.CB58959@localhost>
References: <3F2AD9C8.27437.CB0B8FD@localhost>
Message-ID: <5.2.1.1.2.20030803214820.02521008@imap.ecs.soton.ac.uk>

Can you confirm that this is still a problem with the latest MailScanner
please? I can't immediately see why it would do this. If this is still a
problem, then it's obviously something I need to take a look at urgently.

At 01:26 02/08/2003, you wrote:
>I know, I know... my mailer decided to use base64 no matter what I told it
>otherwise... well, the log excerpts are at
>http://baby.com.ar/MailScanner/mailscanner-log-excerpts
>
>Thanx.
>
>On 1 Aug 2003 at 21:21, Mariano Absatz wrote:
>
> >
> > I'm enclosing a text file with results from every one of these tests.
> >
> > For every test I put the relevant log lines from syslog (luckily
> enough, the
> > traffic was so low, that every test message passed through mailscanner as a
> > complete batch).
> >
> > Following it there are 2 or 3 lines (MSG: / TO : / RPT:) that are
> equivalent
> > to the mysql log (generated by &AlerceLogging, that is a modified
> version of
> > SQLLogging that doesn't do any SQL).
> >
> > Finally, the relevant MailScanner header lines in the received message.
> >
>
>--
>Mariano Absatz
>El Baby
>----------------------------------------------------------
>Always remember you're unique, just like everyone else.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sun Aug 3 21:35:08 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:09 2006
Subject: MailScanner and BlackList
In-Reply-To: <1168981328.20030801101826@ntin.net>
Message-ID: <5.2.1.1.2.20030803213331.02686d38@imap.ecs.soton.ac.uk>

MailScanner on its own just looks at the first one (well, it looks at the
real SMTP client IP which *should* be the same as the first one). But it
doesn't look at any others.

However, SpamAssassin does check them all and assign an appropriate score
if it finds any in a blacklist. That's why I didn't bother implementing
"check them all" in MailScanner as there was already a way of doing it
anyway.

At 16:18 01/08/2003, you wrote:
>Hello MailScanner,
>
>We have an outside Spam and Virus filtering
>service from Postini.com as well as server side. With this
>outside filter all email messages come from postini servers.
>
>The headers do contain the original 'received' lines which do
>include the original sender's IP address.
>
>Does the BlackList feature in MailScanner look at all the 'received'
>lines and their IPs?
>
>
>Best regards,
>Robert B, NTIN mailto:pages@ntin.net

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sun Aug 3 20:25:32 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:09 2006
Subject: gmame
In-Reply-To: <1059846052.31982.45.camel@ra.thethompsonhoust.com>
Message-ID: <5.2.1.1.2.20030803202407.0376a1a8@imap.ecs.soton.ac.uk>

I prefer to know the real list of subscribers, rather than just knowing
that some third party is re-distributing it. But the list of subscribers
includes enough countries now that it's pretty much world-wide anyway
(about 47 countries on 6 continents, and mail to the 7th is filtered by it
remotely). So go ahead.

At 18:40 02/08/2003, you wrote:
>Would there be any objections (Julian?) to me requesting this list put
>on gmame.org? I've begun using that to monitor the vast number of
>security lists that I have to watch and found it quite helpful. After
>just a week of using it I feel like I'm missing a whole lot less
>important information.
>
>--Robert

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sun Aug 3 21:41:18 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:09 2006
Subject: MailScanner problem.
In-Reply-To:
Message-ID: <5.2.1.1.2.20030803213953.037a37b8@imap.ecs.soton.ac.uk>

At 21:58 01/08/2003, you wrote:
>On Fri, 1 Aug 2003 22:19:54 +0200, Erik Jakobsen wrote:
>
> >Hi.
> >
> >I'm very new to this list, and need help for the MailScanner that I
>installed
> >today on my SuSE Linux 8.2 system.
> >
> >SuSE 8.2 uses the postfix MTA, and I have set this in the
> >/etc/MailScanner/MailScanner.conf file.
> >
> >But I get this if running rcMailScanner start:
> >
> >192:/var/log # rcMailScanner start
> >Initializing sendmail and MailScannersendmail: invalid option -- O
> >sendmail: fatal: usage: sendmail [options]
> >
> >
>failed
> >
> >Of course it's fatal since I don't use sendmail.
> >
> >What can I have forgotten?
> >
> >--
> >Med venlig hilsen - Best regards.
> >Erik Jakobsen - eja@urbakken.dk.
> >Licensed radioamateur with the callsign OZ4KK.
> >SuSE Linux 8.2 Proff.
> >Registered as user #319488 with the Linux Counter, http://counter.li.org.
>
>I am installing MailScanner for the first time on a RedHat 9.0 system using
>postfix instead of sendmail. Here is the page from the MailScanner web
>site describing the problem as it pertains to RedHat.

On RedHat all you need do is edit /etc/sysconfig/MailScanner and set your
MTA in there (as well as the MailScanner.conf settings of course). On SuSE
things are a little more complicated as my init.d script for SuSE doesn't
yet support all MTAs.

> I assume this
>translates to your system as well.
>
>http://www.sng.ecs.soton.ac.uk/mailscanner/install/postfix.shtml
>
>see bottom of page

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sun Aug 3 21:38:25 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:09 2006
Subject: SQL Redux
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF0C074F@inex1.herffjones.hj-int>
Message-ID: <5.2.1.1.2.20030803213800.02686e78@imap.ecs.soton.ac.uk>

You want MailWatch. Hopefully someone else can comment on its exact current
state.

At 20:32 01/08/2003, you wrote:
>Ok, so um, for those of us who aren't keeping several patchset branches in
>our heads but who now want to start sql logging, what are the options?
>Could someone do a quick round-up?
>
>I need to provide a web interface that provides plenty of detail about each
>message by middle of next week and I'm wondering whether I should do my own
>thing with a flat file log (since I have little time) or configure in
>support for one of the existing sql logging mechanisms.
>
>"Mailwatch for Mailscanner" seems to be at version 0.2 but I recall mentions
>of patches for bugs post 0.2. Is there a later version available?
>
>There's the sql logging code already in CustomConfig.pm, but is there a web
>interface built yet for the tables it creates? And I'm assuming I'll
>need the latest version of mailscanner to get the fixes listed in this
>thread.
>
>"David While's Mailstats" looks nice (though I'm not doing virus scanning
>and don't particularly care about geo-locating stuff), but I need a
>per-message interface, and mailstats seems to be more for performance
>reporting than for log analysis.
>
>The mailscanner-mrtg package again is for performance reporting, not log
>analysis.
>
>...So...
>
>What's my best bet for a web interface to logged data that includes such
>things as subject, recipients, spam tests, etc in the short term?
>
>-t.
>
>
>
>-----Original Message-----
> >From: Kearney, Rob [mailto:RKearney@AZERTY.COM]
> >Sent: Thursday, July 31, 2003 10:47 AM
> >To: MAILSCANNER@JISCMAIL.AC.UK
> >Subject: Re: SQL Redux
> >
> >
> >oh.. and yes..
> >
> >thanks for the code snippets.. I'll have to change this, as I'm
> >not good with
> >perl either.
> >
> >-rob
> >
> >-----Original Message-----
> >From: Steve Freegard [mailto:steve.freegard@lbsltd.co.uk]
> >Sent: Thursday, July 31, 2003 11:19 AM
> >To: 'Kearney, Rob '; 'MAILSCANNER@JISCMAIL.AC.UK '
> >Subject: RE: SQL Redux
> >
> >
> >Hi Rob,
> >
> >I'm not really much good with Perl (maybe Julian can back me
> >up on this) -
> >but my understanding is that calling your SQLRTLogging
> >procedure without
> >the Init & End procedures will mean that the
> >connection/disconnection/prepare and execution of the SQL will
> >happen for
> >every message batch processed by MailScanner, which would slow things up
> >quite considerably depending on the volume of messages you process.
> >
> >The most expensive processes are connecting and preparing the
> >statement, so
> >it's better only to do this once (per child), then run the prepared
> >statements once per message batch.
> >
> >A better way is to have:
> >
> >InitSQLRTLogging: (this is done once per MailScanner child)
> > - Connect to the database
> > - Prepare each SQL statement required
> >
> >SQLRTLogging: (done once for each message batch)
> > - Tidy-up the data to make it suitable for SQL
> > - Execute the prepared statements
> >
> >EndSQLRTLogging: (done once as each child dies)
> > - Disconnect from the database
> >
> >Cheers,
> >Steve.
> >
> >-----Original Message-----
> >From: Kearney, Rob
> >To: MAILSCANNER@JISCMAIL.AC.UK
> >Sent: 31/07/03 15:56
> >Subject: Re: SQL Redux
> >
> >here is what we did for SQL logging, to bypass temp-file stuff.
> >
> >Just took the SQLLogging and made SQLRTLogging, to write
> >directly to DB,
> >We
> >have not noticed any degradation in performance
> >Basically, we took the functions of SQLLogging and
> >EndSQLLogging and put
> >them together.
> >(don't forget Init and End scripts also)
> >
> >---
> >use DBI;   # already loaded by the stock CustomConfig.pm; harmless to repeat
> >
> >sub SQLRTLogging {
> >  my($message) = @_;
> >  my($dbh);
> >  $dbh = DBI->connect("DBI:mysql:mailscanner:localhost:mysql_socket=/var/database/mysql/mysql.sock",
> >                      "mailscanner", "mailscanner",
> >                      {'PrintError' => 0})
> >    or MailScanner::Log::DieLog("Cannot connect to the database: %s",
> >                                $DBI::errstr);
> >
> >  my $id = $message->{id};
> >  my $size = $message->{size};
> >  my $from = $message->{from};
> >  my ($from_user, $from_domain);
> >
> >  # split the from address into user and domain bits.
> >  # This may be unnecessary for you; we use it to more easily determine
> >  # inbound vs outbound email in a multi-domain environment.
> >  # HINT: refine queries using SQL 'join' with a table containing local
> >  # domains.
> >  ($from_user, $from_domain) = split /\@/, $from;
> >
> >  my @to = @{$message->{to}};
> >  my $subject = $message->{subject};
> >  my $clientip = $message->{clientip};
> >  my $archives = join(',', @{$message->{archiveplaces}});
> >  my $isspam = $message->{isspam};
> >  my $ishighspam = $message->{ishigh};
> >  my $sascore = $message->{sascore};
> >  my $spamreport = $message->{spamreport};
> >
> >  # Get rid of control chars and tidy-up SpamAssassin report
> >  $spamreport =~ s/\n/ /g;
> >  $spamreport =~ s/\t//g;
> >
> >  # Get timestamp, and format it so it is suitable to use with MySQL
> >  my($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime();
> >  my($timestamp) = sprintf("%d-%02d-%02d %02d:%02d:%02d",
> >                           $year+1900,$mon+1,$mday,$hour,$min,$sec);
> >
> >  # maillog_mail insert
> >  my @fields=($timestamp, $id, $size, $from_user, $from_domain,
> >              $subject, $clientip, $archives, $isspam, $ishighspam,
> >              $sascore, $spamreport);
> >  # No manual quote escaping of @fields: the ? placeholders below quote
> >  # the values themselves, and escaping as well would store stray
> >  # backslashes in the table.
> >
> >  # Insert @fields into a database table
> >  my($sth) = $dbh->prepare("INSERT INTO maillog_mail (time, msg_id, size,
> >    from_user, from_domain, subject, clientip, archives, isspam, ishighspam,
> >    sascore, spamreport) VALUES (?,?,?,?,?,?,?,?,?,?,?,?)");
> >  $sth->execute(@fields)
> >    or MailScanner::Log::DieLog("Cannot insert row: %s", $DBI::errstr);
> >
> >  my($file, $text);
> >  while(($file, $text) = each %{$message->{allreports}}) {
> >    $file = "the entire message" if $file eq "";
> >    # Use the sanitised filename to avoid problems caused by people forcing
> >    # logging of attachment filenames which contain nasty SQL instructions.
> >    # ('||' rather than 'or' here: 'or' binds looser than '=', so the
> >    # fallback to $file would never be applied.)
> >    $file = $message->{file2safefile}{$file} || $file;
> >    $text =~ s/\n/ /g; # Make sure text report only contains 1 line
> >    $text =~ s/\t/ /g; # and no tab characters
> >
> >    my @fields = ($id, $file, $text);
> >    my($sth) = $dbh->prepare("INSERT INTO maillog_report (msg_id, filename,
> >      filereport) VALUES (?,?,?)");
> >    $sth->execute(@fields)
> >      or MailScanner::Log::DieLog("Cannot insert row: %s", $DBI::errstr);
> >  }
> >
> >  for (@to) {
> >    # again, split the recipient's email into user and domain halves first.
> >    # see comment above about splitting the email like this.
> >    my ($to_user, $to_domain);
> >    ($to_user, $to_domain) = split /\@/, $_;
> >    my @fields = ($id, $to_user, $to_domain);
> >    my($sth) = $dbh->prepare("INSERT INTO maillog_recipient (msg_id,
> >      to_user, to_domain) VALUES (?,?,?)");
> >    $sth->execute(@fields)
> >      or MailScanner::Log::DieLog("Cannot insert row: %s", $DBI::errstr);
> >  }
> >
> >  # Close database connection
> >  $dbh->disconnect();
> >  MailScanner::Log::InfoLog("Ending SQL Real-Time Logging");
> >}
> >
> >1;
> >
> >
> >
> >-rob
> >
> >--
> >This email and any files transmitted with it are confidential and
> >intended solely for the use of the individual or entity to whom they
> >are addressed. If you have received this email in error please notify
> >the sender and delete the message from your mailbox.
> >
> >This footnote also confirms that this email message has been swept by
> >MailScanner (www.mailscanner.info) for the presence of
> >computer viruses.
>

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sun Aug 3 20:26:49 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:09 2006
Subject: Silent Virus & Notify Senders
In-Reply-To: <3F2BFAEC.2020404@SJC.nl>
References: <1059845299.3f2bf4b3d3b6c@secure.ecs.soton.ac.uk> <3F2BD493.5070008@SJC.nl> <1059845299.3f2bf4b3d3b6c@secure.ecs.soton.ac.uk>
Message-ID: <5.2.1.1.2.20030803202546.0254f198@imap.ecs.soton.ac.uk>

Does anyone have any problems with me replacing

Silent Viruses =

with

No Sender Warnings In Response To =

as with all the special keywords that can be added to the list, it isn't
exactly just virus names any more.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mike at CAMAROSS.NET Sun Aug 3 22:32:40 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:09 2006
Subject: gmame
In-Reply-To: <5.2.1.1.2.20030803202407.0376a1a8@imap.ecs.soton.ac.uk>
Message-ID: <000501c35a06$c5116120$9c01a8c0@home.middlefinger.net>

I can't resolve gmame.org  Is that the real domain name?

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field
Sent: Sunday, August 03, 2003 2:26 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: gmame

I prefer to know the real list of subscribers, rather than just knowing
that some third party is re-distributing it. But the list of subscribers
includes enough countries now that it's pretty much world-wide anyway
(about 47 countries on 6 continents, and mail to the 7th is filtered by it
remotely). So go ahead.

At 18:40 02/08/2003, you wrote:
>Would there be any objections (Julian?) to me requesting this list put
>on gmame.org? I've begun using that to monitor the vast number of
>security lists that I have to watch and found it quite helpful. After
>just a week of using it I feel like I'm missing a whole lot less
>important information.
>
>--Robert

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From ucs_rat at SHSU.EDU Sun Aug 3 23:12:04 2003
From: ucs_rat at SHSU.EDU (Robert A. Thompson)
Date: Thu Jan 12 21:19:09 2006
Subject: gmame
In-Reply-To: <000501c35a06$c5116120$9c01a8c0@home.middlefinger.net>
References: <000501c35a06$c5116120$9c01a8c0@home.middlefinger.net>
Message-ID: <1059948724.5856.67.camel@ra.thethompsonhoust.com>

It is a typo. That should be gmane.org, _n_ not _m_.

--Robert

On Sun, 2003-08-03 at 16:32, Mike Kercher wrote:
> I can't resolve gmame.org  Is that the real domain name?
>
> Mike
>
>
> -----Original Message-----
From ucs_rat at SHSU.EDU Sun Aug 3 23:15:32 2003
From: ucs_rat at SHSU.EDU (Robert A. Thompson)
Date: Thu Jan 12 21:19:09 2006
Subject: gmame
In-Reply-To: <5.2.1.1.2.20030803202407.0376a1a8@imap.ecs.soton.ac.uk>
References: <5.2.1.1.2.20030803202407.0376a1a8@imap.ecs.soton.ac.uk>
Message-ID: <1059948932.5856.72.camel@ra.thethompsonhoust.com>

Well, I wasn't trying to undermine; that is mostly why I asked. I'm
basically just a silent listener on the list, mostly to keep up with
changes, updates, & problems. Gmane is just a mailing list to NNTP gateway
and allows for easy reading of the list with an NNTP reader as opposed to
filtering in your inbox. They also don't expire posts. If you would rather
it not be subscribed there then I won't; however, if you don't mind it
would make my life easier.

Once again, I don't want to undermine anything you are doing, as
MailScanner has saved my tail a lot. Gmane is just an easier way for me to
deal with the massive amounts of info I have to stay up with.

--Robert

On Sun, 2003-08-03 at 14:25, Julian Field wrote:
> I prefer to know the real list of subscribers, rather than just knowing
> that some third party is re-distributing it.
> But the list of subscribers includes enough countries now that it's pretty
> much world-wide anyway (about 47 countries on 6 continents, and mail to the
> 7th is filtered by it remotely). So go ahead.
>
> At 18:40 02/08/2003, you wrote:
> >Would there be any objections (Julian?) to me requesting this list put
> >on gmame.org? I've begun using that to monitor the vast number of
> >security lists that I have to watch and found it quite helpful. After
> >just a week of using it I feel like I'm missing a whole lot less
> >important information.
> >
> >--Robert
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support

From gobi at BLOOMCOUNTY.ORG Mon Aug 4 01:37:48 2003
From: gobi at BLOOMCOUNTY.ORG (gobi)
Date: Thu Jan 12 21:19:09 2006
Subject: Allow File Extension/E-Mail Address
Message-ID: <20030803173638.F92399@localhost>

Hello,

I just installed Mailscanner yesterday. In my
/usr/mailscanner/etc/filenamerules.conf file I need for it to allow the two
extensions: .map .atr

I have added the two lines towards the top of the file:

allow \.map$ - -
allow \.atr$ - -

However, when I kill all the PIDs for Mailscanner and run
/usr/mailscanner/bin/check_mailscanner to restart, I'm still getting it
filtered (see below). Any help you can give would be appreciated!

Jul 31 00:16:33 srv01 MailScanner[7674]: Filetype Checks: No executables (FritoLay.atr)
Jul 31 00:16:33 srv01 MailScanner[7674]: Filetype Checks: No executables (FritoLay.atr)
Jul 31 00:16:33 srv01 MailScanner[7674]: Saved infected "FritoLay.atr" to /var/spool/MailScanner/quarantine/20030731/19i5nf-0001zl-FE
Jul 31 00:16:33 srv01 MailScanner[7674]: Saved infected "FritoLay.atr" to /var/spool/MailScanner/quarantine/20030731/19i5nf-0001zl-FE

Also, is there a way to allow E-Mails from a certain address not to be
scanned?

Thanks,
Kyle Pinkley

From danielk at AVALONPUB.COM Mon Aug 4 05:46:04 2003
From: danielk at AVALONPUB.COM (Daniel Kleinsinger)
Date: Thu Jan 12 21:19:09 2006
Subject: MailScanner and BlackList
In-Reply-To: <5.2.1.1.2.20030803213331.02686d38@imap.ecs.soton.ac.uk>
References: <5.2.1.1.2.20030803213331.02686d38@imap.ecs.soton.ac.uk>
Message-ID: <3F2DE50C.3020408@avalonpub.com>

If you wanted to improve it slightly, a feature I was looking for when I
used MS for blacklists (I let SA do it now) was the ability to include
lists of trusted MX servers (like the secondary MX for a domain, or a free
email forwarding type server) that MS would look one step past in its
blacklist checks. For example, I have an account at myrealbox that forwards
to my main email account which is protected by MS. If I understand how it
works now, MS only checked myrealbox's server on the blacklists. It would
have been cool if I could have told MS to "trust" myrealbox which would
then make it look at the SMTP server before myrealbox's. Seems like it
would be a pretty simple change. As far as I can tell, it would give you
most of the utility of checking every received header, but still just
requiring a single check. Any received header not from a local/trusted SMTP
server could be forged anyway.

Daniel

Julian Field wrote:
> MailScanner on its own just looks at the first one (well, it looks at the
> real SMTP client IP which *should* be the same as the first one). But it
> doesn't look at any others.
>
> However, SpamAssassin does check them all and assign an appropriate score
> if it finds any in a blacklist.
> That's why I didn't bother implementing "check them all" in
> MailScanner as
> there was already a way of doing it anyway.
>
> At 16:18 01/08/2003, you wrote:
>
>> Hello MailScanner,
>>
>> We have an outside Spam and Virus filtering
>> service from Postini.com as well as server side. With this
>> outside filter all email messages come from postini servers.
>>
>> The headers do contain the original 'received' lines which do
>> include the original sender's IP address.
>>
>> Does the BlackList feature in MailScanner look at all the 'received'
>> lines and their IPs?
>>
>>
>> Best regards,
>> Robert B, NTIN mailto:pages@ntin.net
>
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support

From jrudd at UCSC.EDU Mon Aug 4 08:23:22 2003
From: jrudd at UCSC.EDU (John Rudd)
Date: Thu Jan 12 21:19:09 2006
Subject: MailScanner and BlackList
In-Reply-To: <3F2DE50C.3020408@avalonpub.com>
Message-ID: <8756836E-C64C-11D7-8C50-003065F939FE@ucsc.edu>

On Sunday, Aug 3, 2003, at 21:46 US/Pacific, Daniel Kleinsinger wrote:

>
> If you wanted to improve it slightly, a feature I was looking for when
> I
> used MS for blacklists (I let SA do it now) was the ability to include
> lists of trusted MX servers (like the secondary MX for a domain, or a
> free email forwarding type server) that MS would look one step past in
> its blacklist checks. For example, I have an account at myrealbox that
> forwards to my main email account which is protected by MS. If I
> understand how it works now, MS only checked myrealbox's server on the
> blacklists. It would have been cool if I could have told MS to "trust"
> myrealbox which would then make it look at the SMTP server before
> myrealbox's. Seems like it would be a pretty simple change. As far as
> I can tell, it would give you most of the utility of checking every
> received header, but still just requiring a single check. Any received
> header not from a local/trusted SMTP server could be forged anyway.
>
>

It's not as simple a change as you might think. MailScanner isn't checking
the 1st Received header. It's checking the SMTP relay (the $_ line in the
sendmail qf file). It just so happens that, unless something is very wrong,
the SMTP relay will also be listed within the message as the first Received
header.

Adding what you're talking about wouldn't just be a matter of having it
check the 2nd instead of 1st received header, or checking received headers
1 through N. It would be a matter of adding support for parsing out the
received headers at all, which gets complicated because some MTAs and
forged mails have some weird received headers. Plus, there are messages
with interruptions in their received headers.
I think Julian's probably right in just saying "SA already does this, so
why should I bother?" No point in re-inventing the wheel.

From gml at ADVANCEVPN.COM Mon Aug 4 08:48:41 2003
From: gml at ADVANCEVPN.COM (Mikael Lönnroth)
Date: Thu Jan 12 21:19:09 2006
Subject: Blacklist header scanning
Message-ID: <01c401c35a5c$d377ca00$121b7d0a@MIKAELHOME>

Hello,

It seems to me that blacklist checking is done only for the MAIL FROM
address and not the optional From: in the message header. Is there any way
to do that? Our practical problem is that messages with blacklisted
from-addresses get through when the (different) SMTP from is not
blacklisted...

Regards,
Mikael Lönnroth
gml@advancevpn.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030804/8125c0b1/attachment.html

From steve.freegard at LBSLTD.CO.UK Mon Aug 4 10:03:46 2003
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:19:09 2006
Subject: SQL Redux
Message-ID: <67D9E7698329D411936E00508B6590B902773A54@neelix.lbsltd.co.uk>

Hi Trevor,

>Could someone do a quick round-up?

Certainly - there are two current methods for SQL Logging:

1) The code included in recent MailScanner CustomConfig.pm code

Originally written by Julian with the SQL bits from me, latterly changed by
someone else (not sure who though!). This version uses temporary files to
log the data and loads the data into MySQL every time MailScanner is
restarted, or when it auto-restarts. It splits the data into three SQL
tables - maillog_mail, maillog_recipient and maillog_report. Currently - I
know of no interface that uses this schema.

2) The code included (as a patch to CustomConfig.pm) with MailWatch

As Julian's original code, except that the temporary files have been
removed so that the data is inserted per message batch processed by
MailScanner. This puts all data into a table called maillog which is then
used by MailWatch for display and reporting.

You can get MailWatch from http://www.smf.f2s.com/mailscanner/ which is
currently at version 0.2 - there haven't been later patches for bugs - but
there were a couple of files missed from the tarball when I created it
(create.sql and CustomConfig.pm). Several people have had a problem when
trying to use MailWatch with FreeBSD - but the problem seems to be with
Perl DBI and MySQL, and this is still under investigation.

I'm currently awaiting approval for a Sourceforge project for MailWatch -
which I should get in the next couple of days. I'll release 0.3 shortly
after, which will contain the new MailWatch.pm file containing the SQL
Logging routines, making it easier to install (and easier for me and Julian
to work out which code people are using!) and a couple of fixes.

Kind regards,
Steve.

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: 03 August 2003 21:38 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: SQL Redux You want MailWatch. Hopefully someone else can comment on its exact current state. At 20:32 01/08/2003, you wrote: >Ok, so um, for those of us who aren't keeping several patchset branches in >our heads but who now want to start sql logging, what are the options? >Could someone do a quick round-up? > >I need to provide a web interface that provides plenty of detail about each >message by middle of next week and I'm wondering whether I should do my own >thing with a flat file log (since I have little time) or configure in >support for one of the existing sql logging mechanisms. > >"Mailwatch for Mailscanner" seems to be at version 0.2 but I recall mentions >of patches for bugs post 0.2. Is there a later version available? > >There's the sql logging code already in CustomConfig.pm, but is there a web >interface for built yet for the tables it creates? And I'm assuming I'll >need the latest version of mailscanner to get the fixes listed in this >thread. > >"David While's Mailstats" looks nice (though I'm not doing virus scanning >and don't particularly care about geo-locating stuff), but I need a >per-message interface, and mailstats seems to be more for performance >reporting than for log analysis. > >The mailscanner-mrtg package again is for performance reporting, not log >analysis. > >...So... > >What's my best bet for a web interface to logged data that includes such >things as subject, recipients, spam tests, etc in the short term? > >-t. > > > >-----Original Message----- > >From: Kearney, Rob [mailto:RKearney@AZERTY.COM] > >Sent: Thursday, July 31, 2003 10:47 AM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: SQL Redux > > > > > >oh.. and yes.. > > > >thanks for the code tippets.. I'll have to change this. as I'm > >not good with > >perl either. > > > >-rob > > > >-----Original Message----- 
> >From: Steve Freegard [mailto:steve.freegard@lbsltd.co.uk] > >Sent: Thursday, July 31, 2003 11:19 AM > >To: 'Kearney, Rob '; 'MAILSCANNER@JISCMAIL.AC.UK ' > >Subject: RE: SQL Redux > > > > > >Hi Rob, > > > >I'm not really much good with Perl (maybe Julian can back me > >up on this) - > >but my understanding is that in calling your SQLRTLogging > >procedure without > >the Init & End procedures will mean that the > >connection/disconnection/prepare and execution of the SQL will > >happen for > >every message batch processed by MailScanner which would slow things up > >quite considerably depending on the volume of messages you processes. > > > >The most expensive processes are connecting and preparing the > >statement, so > >it's better only to do this once (per child), then running the prepared > >statements once per message batch. > > > >A better way is to have: > > > >InitSQLRTLogging: (this is done once per MailScanner child) > > - Connect to the database > > - Prepare each SQL statement required > > > >SQLRTLogging: (done once for each message batch) > > - Tidy-up the data to make it suitable for SQL > > - Execute the prepared statements > > > >EndSQLRTLogging: (done once as each child dies) > > - Disconnect from the database > > > >Cheers, > >Steve. > > > >-----Original Message----- 
> >From: Kearney, Rob > >To: MAILSCANNER@JISCMAIL.AC.UK > >Sent: 31/07/03 15:56 > >Subject: Re: SQL Redux > > > >here is what we did for SQL logging, to bypass temp-file stuff. > > > >Just took the SQLLogging and made SQLRTLogging, to write > >directly to DB, > >We > >have not noticed any degradation in performance > >Basically, we took the functions of SQLLogging and > >EndSQLLogging and put > >them together. > >(don't forget Init and End scripts also) > >
> >---
> >use DBI;
> >
> >sub SQLRTLogging {
> >  my($message) = @_;
> >
> >  # Connect for this batch (DBD::mysql's documented key=value DSN form)
> >  my $dbh = DBI->connect("DBI:mysql:database=mailscanner;host=localhost;"
> >                       . "mysql_socket=/var/database/mysql/mysql.sock",
> >                       "mailscanner", "mailscanner",
> >                       {'PrintError' => 0})
> >    or MailScanner::Log::DieLog("Cannot connect to the database: %s",
> >                                $DBI::errstr);
> >
> >  my $id   = $message->{id};
> >  my $size = $message->{size};
> >  my $from = $message->{from};
> >
> >  # split the from address into user and domain bits.
> >  # This may be unnecessary for you; we use it to more easily determine
> >  # inbound vs outbound email in a multi-domain environment.
> >  # HINT: refine queries using SQL 'join' with a table containing local
> >  # domains.
> >  my ($from_user, $from_domain) = split /\@/, $from;
> >
> >  my @to         = @{$message->{to}};
> >  my $subject    = $message->{subject};
> >  my $clientip   = $message->{clientip};
> >  my $archives   = join(',', @{$message->{archiveplaces}});
> >  my $isspam     = $message->{isspam};
> >  my $ishighspam = $message->{ishigh};
> >  my $sascore    = $message->{sascore};
> >  my $spamreport = $message->{spamreport};
> >
> >  # Get rid of control chars and tidy-up SpamAssassin report
> >  $spamreport =~ s/\n/ /g;
> >  $spamreport =~ s/\t//g;
> >
> >  # Get timestamp, and format it so it is suitable to use with MySQL
> >  my($sec,$min,$hour,$mday,$mon,$year) = localtime();
> >  my $timestamp = sprintf("%d-%02d-%02d %02d:%02d:%02d",
> >                          $year+1900,$mon+1,$mday,$hour,$min,$sec);
> >
> >  # maillog_mail insert. Every value goes in as a bind parameter, so
> >  # DBI quotes it; escaping quotes by hand as well would only store a
> >  # backslash in front of every apostrophe.
> >  my $sth = $dbh->prepare("INSERT INTO maillog_mail (time, msg_id, size,
> >    from_user, from_domain, subject, clientip, archives, isspam,
> >    ishighspam, sascore, spamreport) VALUES (?,?,?,?,?,?,?,?,?,?,?,?)");
> >  $sth->execute($timestamp, $id, $size, $from_user, $from_domain,
> >                $subject, $clientip, $archives, $isspam, $ishighspam,
> >                $sascore, $spamreport)
> >    or MailScanner::Log::DieLog("Cannot insert row: %s", $DBI::errstr);
> >
> >  # One report row per scanned file: prepare once, execute per row
> >  my $sth_report = $dbh->prepare("INSERT INTO maillog_report (msg_id,
> >    filename, filereport) VALUES (?,?,?)");
> >  my($file, $text);
> >  while(($file, $text) = each %{$message->{allreports}}) {
> >    $file = "the entire message" if $file eq "";
> >    # Use the sanitised filename to avoid problems caused by people
> >    # forcing logging of attachment filenames which contain nasty SQL
> >    # instructions. '||' is needed here: 'or' binds looser than '=',
> >    # so "$file = ... or $file" leaves $file undefined when there is
> >    # no mapping for it.
> >    $file = $message->{file2safefile}{$file} || $file;
> >    $text =~ s/\n/ /g; # Make sure text report only contains 1 line
> >    $text =~ s/\t/ /g; # and no tab characters
> >    $sth_report->execute($id, $file, $text)
> >      or MailScanner::Log::DieLog("Cannot insert row: %s", $DBI::errstr);
> >  }
> >
> >  my $sth_rcpt = $dbh->prepare("INSERT INTO maillog_recipient (msg_id,
> >    to_user, to_domain) VALUES (?,?,?)");
> >  for (@to) {
> >    # again, split the recipient's email into user and domain halves
> >    # first. see comment above about splitting the email like this.
> >    my ($to_user, $to_domain) = split /\@/, $_;
> >    $sth_rcpt->execute($id, $to_user, $to_domain)
> >      or MailScanner::Log::DieLog("Cannot insert row: %s", $DBI::errstr);
> >  }
> >
> >  # Close database connection
> >  $dbh->disconnect();
> >}
> >
> >1;
> >
> >-rob > > > >-- > >This email and any files transmitted with it are confidential and > >intended solely for the use of the individual or entity to whom they > >are addressed. If you have received this email in error please notify > >the sender and delete the message from your mailbox. > > > >This footnote also confirms that this email message has been swept by > >MailScanner (www.mailscanner.info) for the presence of > >computer viruses. > > -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. 
If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From denis at CROOMBS.ORG Mon Aug 4 10:41:54 2003 
From: denis at CROOMBS.ORG (Denis Croombs) Date: Thu Jan 12 21:19:09 2006 Subject: Spamassassin not working except when called manually. Perl problem ? References: <009201c357a8$50b669c0$9c01a8c0@home.middlefinger.net> <00ed01c3585e$fdb53ff0$85b8fea9@Laptop> Message-ID: <007801c35a6c$a43db0a0$85b8fea9@Laptop> After further checking, I believe SpamAssassin is being called on each e-mail as the Bayes database is being updated, but even with "detailed report=yes" and "multiple headers = append" in MailScanner.conf all I get is the following SpamAssassin entry in the header X-MailScanner: Found to be clean, Found to be clean X-MailScanner-SpamCheck: not spam, SpamAssassin (score=0, required 3.91), not spam, SpamAssassin (score=0, required 3.91) I have checked the logs and can find NO entries for Bayes in any of the logs. Any clues as this is driving me mad, but I have other servers that I look after for people and these work perfectly, I am trying to work through comparing this system to my system to find the problem for a friend of mine Thanks Denis > Thanks for that, that showed that only 1 version was installed from rpm, I > think the other one was an attempt at upgrading perl from CPAN ! > I have renamed the second perl in /usr/local/lib/perl5 & uninstalled > spamassassin, but even that does not allow me to fully un-install the > spamassassin as uninstalling the rpm does not delete it from perl ? > Are there any perl experts out there who can give me a clue to solving this > problem ? > > Denis Croombs > > > I'd do: > > > > rpm -qa |grep perl > > > > And then remove the perl version you don't want. Be careful though...you > > may break something if it is pointed to /usr/bin/perl and that perl gets > > uninstalled. > > > > Mike From mailscanner at ecs.soton.ac.uk Mon Aug 4 11:23:59 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:09 2006 Subject: Allow File Extension/E-Mail Address In-Reply-To: <20030803173638.F92399@localhost> Message-ID: <5.2.1.1.2.20030804112300.025a5fe0@imap.ecs.soton.ac.uk> At 01:37 04/08/2003, you wrote: >Hello, > >I just installed Mailscanner yesterday. In my >/usr/mailscanner/etc/filenamerules.conf file I need for it to allow the >two extensions: > >.map >.atr > >I have added the two lines towards the top of the file: > >allow \.map$ - - >allow \.atr$ - - > >However, when I kill all the PIDs for Mailscanner and run >/usr/mailscanner/bin/check_mailscanner to restart, I'm still getting it >filtered (see below). Any help you can give would be appreciated! > >Jul 31 00:16:33 srv01 MailScanner[7674]: Filetype Checks: No executables >(FritoLay.atr) > >Jul 31 00:16:33 srv01 MailScanner[7674]: Filetype Checks: No executables >(FritoLay.atr) > >Jul 31 00:16:33 srv01 MailScanner[7674]: Saved infected "FritoLay.atr" to >/var/spool/MailScanner/quarantine/20030731/19i5nf-0001zl-FE > >Jul 31 00:16:33 srv01 MailScanner[7674]: Saved infected "FritoLay.atr" to >/var/spool/MailScanner/quarantine/20030731/19i5nf-0001zl-FE Take a look in filetype.rules.conf as you are currently banning all executables, regardless of their name. >Also, is there a way to allow E-Mails from a certain address not to be >scanned? Read up on rulesets in /etc/MailScanner/rules. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Aug 4 11:27:07 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:09 2006 Subject: Blacklist header scanning In-Reply-To: <01c401c35a5c$d377ca00$121b7d0a@MIKAELHOME> Message-ID: <5.2.1.1.2.20030804112605.025d6ec8@imap.ecs.soton.ac.uk> MailScanner always uses the envelope information, not whatever someone happens to have put in the headers. It will continue to operate that way unless *lots* of people want any other solution. At 08:48 04/08/2003, you wrote: >Hello, > >It seems to me that blacklist checking is done only for the MAIL FROM >address and not the optional From: in the message header. Is there any way >to do that? > >Our practical problem is that messages with blacklisted from-addresses get >through when the (different) SMTP from is not blacklisted... > >Regards, >Mikael Lönnroth >gml@advancevpn.com > > > > > -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030804/ee6478a5/attachment.html From gml at ADVANCEVPN.COM Mon Aug 4 11:46:43 2003 From: gml at ADVANCEVPN.COM (Mikael Lönnroth) Date: Thu Jan 12 21:19:09 2006 Subject: Blacklist header scanning References: <5.2.1.1.2.20030804112605.025d6ec8@imap.ecs.soton.ac.uk> Message-ID: <024f01c35a75$b1d84500$121b7d0a@MIKAELHOME> >MailScanner always uses the envelope information, not whatever someone > happens to have put in the headers. It will continue to operate that way > unless *lots* of people want any other solution. Clients like Outlook Express use header information only so it gets a bit confusing for the blacklist admin. Looks like I have to look at the code myself then :-) Regards, Mikael From Q.G.Campbell at NEWCASTLE.AC.UK Mon Aug 4 11:49:57 2003 
From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell) Date: Thu Jan 12 21:19:09 2006 Subject: Striphtml VS attachment and related issues Message-ID: <74BC2BBF06470148911E64E2B48FE139049A75@pinewood.ncl.ac.uk> > -----Original Message----- > From: William Curley [mailto:wpc4@DODGETHIS.ORG] > Sent: 02 August 2003 02:24 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Striphtml VS attachment and related issues > > > Lol, by leaving the Nigerian information in there many people > probably won't see this email. Scored 7.3 points on my > spamassassin system. > [snip] "Lol" - why? The actual (spam) message was relevant when reporting a possible bug. In any case I would have thought it sensible to whitelist mail from this list precisely for that reason. Quentin --- PHONE: +44 191 222 8209 Computing Service, University of Newcastle FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. ------------------------------------------------------------------------ "Any opinion expressed above is mine. The University can get its own." From rscarano at targetsis.com.br Mon Aug 4 12:19:07 2003 From: rscarano at targetsis.com.br (Rodrigo Scarano) Date: Thu Jan 12 21:19:09 2006 Subject: Restart MailScanner Message-ID: <000e01c35a7a$390bf220$6900000a@targetsis.com.br> Hello list, I've just a simple question: What is the best way to restart MailScanner after a change in some configuration file (ex: filename_rules.conf or MailScanner.conf)? I don't know the difference between the commands (and which is the best): - service MailScanner stop - service MailScanner start; - service MailScanner restart; - check_mailscanner. Thanks, Rodrigo Scarano Target Sistemas http://www.targetsis.com.br/ rscarano@targetsis.com.br From Kevin.Spicer at BMRB.CO.UK Mon Aug 4 12:23:31 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:19:09 2006 Subject: Restart MailScanner Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF76C@pascal.priv.bmrb.co.uk> > - service MailScanner stop - service MailScanner start; > - service MailScanner restart; Are the same (restart just stops and starts). If you've just changed the configuration files just do a service MailScanner reload; this avoids stopping and starting the MTA. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From nejc.skoberne at guest.arnes.si Mon Aug 4 13:51:24 2003 From: nejc.skoberne at guest.arnes.si (Nejc Skoberne) Date: Thu Jan 12 21:19:09 2006 Subject: How to let through innocent messages Message-ID: <17510418806.20030804145124@guest.arnes.si> Hi, list. I am running Postfix+MS+SA, all the latest stable versions. I grepped "Subject" from the quarantine directory and I noticed some messages weren't spam. How can I elegantly forward those messages where they belong? Thanks. -- Nejc Skoberne Grajska 5 SI-5220 Tolmin E-mail: nejc.skoberne@guest.arnes.si From jkoetsier at CORP.HOME.NL Mon Aug 4 13:55:59 2003 
From: jkoetsier at CORP.HOME.NL (Jeffrey Koetsier) Date: Thu Jan 12 21:19:09 2006 Subject: How to let through innocent messages In-Reply-To: <17510418806.20030804145124@guest.arnes.si> References: <17510418806.20030804145124@guest.arnes.si> Message-ID: <3F2E57DF.10403@corp.home.nl> Nejc Skoberne wrote: >Hi, list. > >I am running Postfix+MS+SA, all the latest stable versions. I grepped >"Subject" from the quarantine directory and I noticed some messages weren't >spam. How can I elegantly forward those messages where they belong? > In MailScanner.conf there is an option to save the quarantined messages as queue files: "Quarantine Whole Messages As Queue Files = yes" If this option is set to yes, you should be able to just move those saved queue files into your postfix queue (I'm not very familiar with postfix) and they should be re-delivered! Be aware that the mail doesn't go through your spam checking again :) -- Jeffrey Koetsier Unix Administrator "I don't believe UNIX is Utopia. It's just the best set of tools around." -- Dick Haight, Unix Review, Jan. 1985, pg. 117 From andersjk at SOL-INVICTUS.ORG Mon Aug 4 14:01:44 2003 From: andersjk at SOL-INVICTUS.ORG (Kevin Anderson) Date: Thu Jan 12 21:19:09 2006 Subject: question In-Reply-To: <107DE25EC0216C45AEF670016024245F6EE8@exchangea.staff.uce.ac.uk> Message-ID: I did a clone of a machine, minimum install of 100mb on a mandrake box, then did an rsync of all the partitions. I have mailscanner set to bounce; now the bounce message gets set up to be queued, but doesn't get mailed, and all the mqueue directories are empty... now when I set it to forward to spam@ and bounce, the bounce works... can someone give me a pointer as to where the bounce message went?? (just curious) thanks, kevin -- @ _____________________________________________ chaos, panic and disorder... my job is done... From Andrew.Magnusson at COCC.COM Mon Aug 4 14:29:34 2003 
From: Andrew.Magnusson at COCC.COM (Magnusson, Andrew) Date: Thu Jan 12 21:19:09 2006 Subject: SQL Redux Message-ID: Brief note: I'm the one who modified the code to split the data into three tables, in order to make it easier and more consistent for our internal reporting and analysis scripts. (Once they're complete, I'll see what I can do about getting them released to you folks if anyone's interested. The focus is on email usage reports for a large number of email domains that pass through our servers.) If there's really no performance hit to logging after every email instead of in batches, I'll see about changing my code to do it that way too. Nothing worse than having to wait for all of the children to finish logging before I can do a full restart of MailScanner. Andrew Magnusson Internet Product Analyst COCC 1-877-678-0444 extension 640 -----Original Message----- 
From: Steve Freegard [mailto:steve.freegard@LBSLTD.CO.UK] Sent: Monday, August 04, 2003 5:04 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: SQL Redux Hi Trevor, >Could someone do a quick round-up? Certainly - there are two current methods for SQL Logging: 1) The code included in recent MailScanner CustomConfig.pm code Originally written by Julian with the SQL bits from me, latterly changed by someone else (not sure who though!). This version uses temporary files to log the data and loads the data into MySQL every time MailScanner is restarted, or when it auto-restarts. It splits the data into three SQL tables - maillog_mail, maillog_recipient and maillog_report. Currently - I know of no interface that uses this schema. 2) The code included (as a patch to CustomConfig.pm) with MailWatch As Julian's original code, except that the temporary files have been removed so that the data is inserted per message batch processed by MailScanner. This puts all data into a table called maillog which is then used by MailWatch for display and reporting. You can get MailWatch from http://www.smf.f2s.com/mailscanner/ which is currently at version 0.2 - there haven't been later patches for bugs - but there were a couple of files missed from the tarball when I created it (create.sql and CustomConfig.pm). Several people have had a problem when trying to use MailWatch with FreeBSD - but the problem seems to be with Perl DBI and MySQL, and this is still under investigation. I'm currently awaiting approval for a Sourceforge project for MailWatch - which I should get in the next couple of days. I'll release 0.3 shortly after, which will contain the new MailWatch.pm file containing the SQL Logging routines making it easier to install (and easier for me and Julian to work out which code people are using!) and a couple of fixes. Kind regards, Steve. -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: 03 August 2003 21:38 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: SQL Redux You want MailWatch. Hopefully someone else can comment on its exact current state. At 20:32 01/08/2003, you wrote: >Ok, so um, for those of us who aren't keeping several patchset branches in >our heads but who now want to start sql logging, what are the options? >Could someone do a quick round-up? > >I need to provide a web interface that provides plenty of detail about each >message by middle of next week and I'm wondering whether I should do my own >thing with a flat file log (since I have little time) or configure in >support for one of the existing sql logging mechanisms. > >"Mailwatch for Mailscanner" seems to be at version 0.2 but I recall mentions >of patches for bugs post 0.2. Is there a later version available? > >There's the sql logging code already in CustomConfig.pm, but is there a web >interface built yet for the tables it creates? And I'm assuming I'll >need the latest version of mailscanner to get the fixes listed in this >thread. > >"David While's Mailstats" looks nice (though I'm not doing virus scanning >and don't particularly care about geo-locating stuff), but I need a >per-message interface, and mailstats seems to be more for performance >reporting than for log analysis. > >The mailscanner-mrtg package again is for performance reporting, not log >analysis. > >...So... > >What's my best bet for a web interface to logged data that includes such >things as subject, recipients, spam tests, etc in the short term? > >-t. > > > >-----Original Message----- > >From: Kearney, Rob [mailto:RKearney@AZERTY.COM] > >Sent: Thursday, July 31, 2003 10:47 AM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: SQL Redux > > > > > >oh.. and yes.. > > > >thanks for the code tips.. I'll have to change this, as I'm > >not good with > >perl either. > > > >-rob > > > >-----Original Message----- 
> >From: Steve Freegard [mailto:steve.freegard@lbsltd.co.uk] > >Sent: Thursday, July 31, 2003 11:19 AM > >To: 'Kearney, Rob '; 'MAILSCANNER@JISCMAIL.AC.UK ' > >Subject: RE: SQL Redux > > > > > >Hi Rob, > > > >I'm not really much good with Perl (maybe Julian can back me > >up on this) - > >but my understanding is that in calling your SQLRTLogging > >procedure without > >the Init & End procedures will mean that the > >connection/disconnection/prepare and execution of the SQL will > >happen for > >every message batch processed by MailScanner which would slow things up > >quite considerably depending on the volume of messages you process. > > > >The most expensive processes are connecting and preparing the > >statement, so > >it's better only to do this once (per child), then running the prepared > >statements once per message batch. > > > >A better way is to have: > >
> >InitSQLRTLogging: (this is done once per MailScanner child)
> > - Connect to the database
> > - Prepare each SQL statement required
> >
> >SQLRTLogging: (done once for each message batch)
> > - Tidy-up the data to make it suitable for SQL
> > - Execute the prepared statements
> >
> >EndSQLRTLogging: (done once as each child dies)
> > - Disconnect from the database
> >
> >Cheers, > >Steve. > > > >-----Original Message----- 
> >From: Kearney, Rob > >To: MAILSCANNER@JISCMAIL.AC.UK > >Sent: 31/07/03 15:56 > >Subject: Re: SQL Redux > > > >here is what we did for SQL logging, to bypass temp-file stuff. > > > >Just took the SQLLogging and made SQLRTLogging, to write > >directly to DB, > >We > >have not noticed any degradation in performance > >Basically, we took the functions of SQLLogging and > >EndSQLLogging and put > >them together. > >(don't forget Init and End scripts also) > >
> >---
> >use DBI;
> >
> >sub SQLRTLogging {
> >  my($message) = @_;
> >
> >  # Connect for this batch (DBD::mysql's documented key=value DSN form)
> >  my $dbh = DBI->connect("DBI:mysql:database=mailscanner;host=localhost;"
> >                       . "mysql_socket=/var/database/mysql/mysql.sock",
> >                       "mailscanner", "mailscanner",
> >                       {'PrintError' => 0})
> >    or MailScanner::Log::DieLog("Cannot connect to the database: %s",
> >                                $DBI::errstr);
> >
> >  my $id   = $message->{id};
> >  my $size = $message->{size};
> >  my $from = $message->{from};
> >
> >  # split the from address into user and domain bits.
> >  # This may be unnecessary for you; we use it to more easily determine
> >  # inbound vs outbound email in a multi-domain environment.
> >  # HINT: refine queries using SQL 'join' with a table containing local
> >  # domains.
> >  my ($from_user, $from_domain) = split /\@/, $from;
> >
> >  my @to         = @{$message->{to}};
> >  my $subject    = $message->{subject};
> >  my $clientip   = $message->{clientip};
> >  my $archives   = join(',', @{$message->{archiveplaces}});
> >  my $isspam     = $message->{isspam};
> >  my $ishighspam = $message->{ishigh};
> >  my $sascore    = $message->{sascore};
> >  my $spamreport = $message->{spamreport};
> >
> >  # Get rid of control chars and tidy-up SpamAssassin report
> >  $spamreport =~ s/\n/ /g;
> >  $spamreport =~ s/\t//g;
> >
> >  # Get timestamp, and format it so it is suitable to use with MySQL
> >  my($sec,$min,$hour,$mday,$mon,$year) = localtime();
> >  my $timestamp = sprintf("%d-%02d-%02d %02d:%02d:%02d",
> >                          $year+1900,$mon+1,$mday,$hour,$min,$sec);
> >
> >  # maillog_mail insert. Every value goes in as a bind parameter, so
> >  # DBI quotes it; escaping quotes by hand as well would only store a
> >  # backslash in front of every apostrophe.
> >  my $sth = $dbh->prepare("INSERT INTO maillog_mail (time, msg_id, size,
> >    from_user, from_domain, subject, clientip, archives, isspam,
> >    ishighspam, sascore, spamreport) VALUES (?,?,?,?,?,?,?,?,?,?,?,?)");
> >  $sth->execute($timestamp, $id, $size, $from_user, $from_domain,
> >                $subject, $clientip, $archives, $isspam, $ishighspam,
> >                $sascore, $spamreport)
> >    or MailScanner::Log::DieLog("Cannot insert row: %s", $DBI::errstr);
> >
> >  # One report row per scanned file: prepare once, execute per row
> >  my $sth_report = $dbh->prepare("INSERT INTO maillog_report (msg_id,
> >    filename, filereport) VALUES (?,?,?)");
> >  my($file, $text);
> >  while(($file, $text) = each %{$message->{allreports}}) {
> >    $file = "the entire message" if $file eq "";
> >    # Use the sanitised filename to avoid problems caused by people
> >    # forcing logging of attachment filenames which contain nasty SQL
> >    # instructions. '||' is needed here: 'or' binds looser than '=',
> >    # so "$file = ... or $file" leaves $file undefined when there is
> >    # no mapping for it.
> >    $file = $message->{file2safefile}{$file} || $file;
> >    $text =~ s/\n/ /g; # Make sure text report only contains 1 line
> >    $text =~ s/\t/ /g; # and no tab characters
> >    $sth_report->execute($id, $file, $text)
> >      or MailScanner::Log::DieLog("Cannot insert row: %s", $DBI::errstr);
> >  }
> >
> >  my $sth_rcpt = $dbh->prepare("INSERT INTO maillog_recipient (msg_id,
> >    to_user, to_domain) VALUES (?,?,?)");
> >  for (@to) {
> >    # again, split the recipient's email into user and domain halves
> >    # first. see comment above about splitting the email like this.
> >    my ($to_user, $to_domain) = split /\@/, $_;
> >    $sth_rcpt->execute($id, $to_user, $to_domain)
> >      or MailScanner::Log::DieLog("Cannot insert row: %s", $DBI::errstr);
> >  }
> >
> >  # Close database connection
> >  $dbh->disconnect();
> >}
> >
> >1;
> >
> >-rob > > > >-- > >This email and any files transmitted with it are confidential and > >intended solely for the use of the individual or entity to whom they > >are addressed. If you have received this email in error please notify > >the sender and delete the message from your mailbox. > > > >This footnote also confirms that this email message has been swept by > >MailScanner (www.mailscanner.info) for the presence of > >computer viruses. > > -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. 
If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. -- *** This message originates from COCC, Inc. If the reader of this message, regardless of the address or routing, is not an intended recipient, you are hereby notified that you have received this transmittal in error and any review, use, distribution, dissemination or copying is strictly prohibited. If you have received this message in error, please delete this e-mail and all files transmitted with it from your system and immediately notify COCC, Inc. by sending reply e-mail to the sender of this message. Thank you. *** From mailscanner at LISTS.COM.AR Mon Aug 4 14:33:44 2003 
From: mailscanner at LISTS.COM.AR (Mariano Absatz) Date: Thu Jan 12 21:19:09 2006 Subject: strange behaviour detected with W32/Mimail@MM In-Reply-To: <5.2.1.1.2.20030803214820.02521008@imap.ecs.soton.ac.uk> References: <3F2ADB04.22094.CB58959@localhost> Message-ID: <3F2E3688.31037.1E036E@localhost> These are a couple of production servers, I'll see if I can find a spare machine, set everything up and tell you later today. On 3 Aug 2003 at 21:53, Julian Field wrote: > Can you confirm that this is still a problem with the latest MailScanner > please? > > I can't immediately see why it would do this. > > If this is still a problem, then it's obviously something I need to take a > look at urgently. > > At 01:26 02/08/2003, you wrote: > >I know, I know... my mailer decided to use base64 no matter what I told it > >otherwise... well, the log excerpts are at > >http://baby.com.ar/MailScanner/mailscanner-log-excerpts > > > >Thanx. > > > >On 1 Aug 2003 at 21:21, Mariano Absatz wrote: > > > > > > > > I'm enclosing a text file with results from every one of these tests. > > > > > > For every test I put the relevant log lines from syslog (luckily > > enough, the > > > traffic was so low, that every test message passed thru mailscanner as a > > > complete batch). > > > > > > Following it there are 2 or 3 lines (MSG: / TO : / RPT:) that are > > equivalent > > > to the mysql log (generated by &AlerceLogging, that is a modified > > version of > > > SQLLogging that doesn't do any SQL). > > > > > > Finally, the relevant MailScanner header lines in the received message. > > > > > > >-- > >Mariano Absatz > >El Baby > >---------------------------------------------------------- > >Always remember you're unique, just like everyone else. 
> > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support -- Mariano Absatz El Baby ---------------------------------------------------------- The instructions said to use Windows 98 or better, so I installed GNU/Linux 2.4. From ka at PACIFIC.NET Mon Aug 4 15:04:35 2003 
From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:19:09 2006 Subject: Blacklist header scanning In-Reply-To: <024f01c35a75$b1d84500$121b7d0a@MIKAELHOME> References: <5.2.1.1.2.20030804112605.025d6ec8@imap.ecs.soton.ac.uk> <024f01c35a75$b1d84500$121b7d0a@MIKAELHOME> Message-ID: <3F2E67F3.6070100@pacific.net> Mikael Lönnroth wrote: >>MailScanner always uses the envelope information, not whatever someone >>happens to have put in the headers. It will continue to operate that way >>unless *lots* of people want any other solution. > > > Clients like Outlook Express use header information only so it gets a bit > confusing for the blacklist admin. Looks like I have to look at the code > myself then :-) > > Regards, > Mikael > This is also somewhat true for whitelists, since the To in the headers isn't the same as the To envelope for some lists. But, blacklists on email addresses really only work on legitimate email. Spammers don't use _real_ email addresses, nor do they use the same email address every time (remember the days when spammers were honest?). The result is that user entered whitelists are usually correct, except for some list email, and user entered blacklists are misleading and useless. It's really a joke that Outlook clients have built in 'blacklist sender' as a feature before adding any _real_ help for spam like a bayes filter (+1 for Mozilla/Thunderbird). If you really want to use blacklists for spam protection, you'd probably need to create a system so that a user could simply forward an email to a script or a human that could determine the original envelope FROM, based on the mail log. Ken A. From ctrudeau at BELLSOUTH.NET Mon Aug 4 15:07:20 2003 
From: ctrudeau at BELLSOUTH.NET (Chris-Bellsouth) Date: Thu Jan 12 21:19:09 2006 Subject: SQL Redux References: Message-ID: <013c01c35a91$bb7cc560$5702010a@mscore.trusecure.net> I for one am interested in seeing this....as I have sort of a similar requirement... Are you comfortable with the process that performs the INSERTS only executing when a child dies? Or have you modified this so that the data in the temp logfiles is INSERTed in more of a real-time fashion. CT ----- Original Message ----- From: "Magnusson, Andrew" To: Sent: Monday, August 04, 2003 9:29 AM Subject: Re: SQL Redux > Brief note: I'm the one who modified the code to split the data into three > tables, in order to make it easier and more consistent for our internal > reporting and analysis scripts. (Once they're complete, I'll see what I can > do about getting them released to you folks if anyone's interested. The > focus is on email usage reports for a large number of email domains that > pass through our servers.) > > If there's really no performance hit to logging after every email instead of > in batches, I'll see about changing my code to do it that way too. Nothing > worse than having to wait for all of the children to finish logging before I > can do a full restart of MailScanner. > > Andrew Magnusson > Internet Product Analyst > COCC > 1-877-678-0444 extension 640 > > > > -----Original Message----- 
> From: Steve Freegard [mailto:steve.freegard@LBSLTD.CO.UK] > Sent: Monday, August 04, 2003 5:04 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: SQL Redux > > > Hi Trevor, > > >Could someone do a quick round-up? > > Certainly - there are two current methods for SQL Logging: > > 1) The code included in recent MailScanner CustomConfig.pm code > > Originally written by Julian with the SQL bits from me, latterly changed by > someone else (not sure who though!). This version uses temporary files to > log the data and loads the data into MySQL every time MailScanner is > restarted, or when it auto-restarts. > > It splits the data into three SQL tables - maillog_mail, maillog_recipient > and maillog_report. > > Currently - I know of no interface that uses this schema. > > 2) The code included (as a patch to CustomConfig.pm) with MailWatch > > As Julian's original code, except that the temporary files have been removed > so that the data is inserted per message batch processed by MailScanner. > > This puts all data into a table called maillog which is then used by > MailWatch for display and reporting. > > You can get MailWatch from http://www.smf.f2s.com/mailscanner/ which is > currently at version 0.2 - there haven't been later patches for bugs - but > there were a couple of files missed from the tarball when I created it > (create.sql and CustomConfig.pm). > > Several people have had a problem when trying to use MailWatch with FreeBSD > - but the problem seems to be with Perl DBI and MySQL, and this is still > under investigation. > > I'm currently awaiting approval for a Sourceforge project for MailWatch > - which I should get in the next couple of days. I'll release 0.3 shortly > after, which will contain the new MailWatch.pm file containing the SQL > Logging routines making it easier to install (and easier for me and Julian > to work out which code people are using!) and a couple of fixes. > > Kind regards, > Steve. > > -----Original Message----- 
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: 03 August 2003 21:38
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: SQL Redux
>
>
> You want MailWatch.
> Hopefully someone else can comment on its exact current state.
>
> At 20:32 01/08/2003, you wrote:
> >Ok, so um, for those of us who aren't keeping several patchset branches in
> >our heads but who now want to start sql logging, what are the options?
> >Could someone do a quick round-up?
> >
> >I need to provide a web interface that provides plenty of detail about each
> >message by middle of next week and I'm wondering whether I should do my own
> >thing with a flat file log (since I have little time) or configure in
> >support for one of the existing sql logging mechanisms.
> >
> >"Mailwatch for Mailscanner" seems to be at version 0.2 but I recall mentions
> >of patches for bugs post 0.2. Is there a later version available?
> >
> >There's the sql logging code already in CustomConfig.pm, but is there a web
> >interface built yet for the tables it creates? And I'm assuming I'll
> >need the latest version of mailscanner to get the fixes listed in this
> >thread.
> >
> >"David While's Mailstats" looks nice (though I'm not doing virus scanning
> >and don't particularly care about geo-locating stuff), but I need a
> >per-message interface, and mailstats seems to be more for performance
> >reporting than for log analysis.
> >
> >The mailscanner-mrtg package again is for performance reporting, not log
> >analysis.
> >
> >...So...
> >
> >What's my best bet for a web interface to logged data that includes such
> >things as subject, recipients, spam tests, etc in the short term?
> >
> >-t.
> >
> >
> > >-----Original Message-----
> > >From: Kearney, Rob [mailto:RKearney@AZERTY.COM]
> > >Sent: Thursday, July 31, 2003 10:47 AM
> > >To: MAILSCANNER@JISCMAIL.AC.UK
> > >Subject: Re: SQL Redux
> > >
> > >
> > >oh.. and yes..
> > >
> > >thanks for the code snippets.. I'll have to change this, as I'm
> > >not good with perl either.
> > >
> > >-rob
> > >
> > >-----Original Message-----
> > >From: Steve Freegard [mailto:steve.freegard@lbsltd.co.uk]
> > >Sent: Thursday, July 31, 2003 11:19 AM
> > >To: 'Kearney, Rob '; 'MAILSCANNER@JISCMAIL.AC.UK '
> > >Subject: RE: SQL Redux
> > >
> > >
> > >Hi Rob,
> > >
> > >I'm not really much good with Perl (maybe Julian can back me up on this) -
> > >but my understanding is that calling your SQLRTLogging procedure without
> > >the Init & End procedures will mean that the connection/disconnection/prepare
> > >and execution of the SQL will happen for every message batch processed by
> > >MailScanner, which would slow things up quite considerably depending on the
> > >volume of messages you process.
> > >
> > >The most expensive processes are connecting and preparing the statement, so
> > >it's better only to do this once (per child), then running the prepared
> > >statements once per message batch.
> > >
> > >A better way is to have:
> > >
> > >InitSQLRTLogging: (this is done once per MailScanner child)
> > > - Connect to the database
> > > - Prepare each SQL statement required
> > >
> > >SQLRTLogging: (done once for each message batch)
> > > - Tidy-up the data to make it suitable for SQL
> > > - Execute the prepared statements
> > >
> > >EndSQLRTLogging: (done once as each child dies)
> > > - Disconnect from the database
> > >
> > >Cheers,
> > >Steve.
> > >
> > >-----Original Message-----
> > >From: Kearney, Rob
> > >To: MAILSCANNER@JISCMAIL.AC.UK
> > >Sent: 31/07/03 15:56
> > >Subject: Re: SQL Redux
> > >
> > >here is what we did for SQL logging, to bypass temp-file stuff.
> > >
> > >Just took the SQLLogging and made SQLRTLogging, to write directly to DB.
> > >We have not noticed any degradation in performance.
> > >Basically, we took the functions of SQLLogging and EndSQLLogging and put
> > >them together.
> > >(don't forget Init and End scripts also)
> > >
> > >---
> > >use DBI;
> > >
> > >sub SQLRTLogging {
> > >  my($message) = @_;
> > >  my($dbh);
> > >  $dbh = DBI->connect("DBI:mysql:mailscanner:localhost:mysql_socket=/var/database/mysql/mysql.sock",
> > >                      "mailscanner", "mailscanner",
> > >                      {'PrintError' => 0})
> > >    or MailScanner::Log::DieLog("Cannot connect to the database: %s",
> > >                                $DBI::errstr);
> > >
> > >  my $id = $message->{id};
> > >  my $size = $message->{size};
> > >  my $from = $message->{from};
> > >  my ($from_user, $from_domain);
> > >
> > >  # split the from address into user and domain bits.
> > >  # This may be unnecessary for you; we use it to more easily determine
> > >  # inbound vs outbound email in a multi-domain environment.
> > >  # HINT: refine queries using SQL 'join' with a table containing local
> > >  # domains.
> > >  ($from_user, $from_domain) = split /\@/, $from;
> > >
> > >  my @to = @{$message->{to}};
> > >  my $subject = $message->{subject};
> > >  my $clientip = $message->{clientip};
> > >  my $archives = join(',', @{$message->{archiveplaces}});
> > >  my $isspam = $message->{isspam};
> > >  my $ishighspam = $message->{ishigh};
> > >  my $sascore = $message->{sascore};
> > >  my $spamreport = $message->{spamreport};
> > >
> > >  # Get rid of control chars and tidy-up SpamAssassin report
> > >  $spamreport =~ s/\n/ /g;
> > >  $spamreport =~ s/\t//g;
> > >
> > >  # Get timestamp, and format it so it is suitable to use with MySQL
> > >  my($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime();
> > >  my($timestamp) = sprintf("%d-%02d-%02d %02d:%02d:%02d",
> > >                           $year+1900,$mon+1,$mday,$hour,$min,$sec);
> > >
> > >  # maillog_mail insert. The values are bound to the ? placeholders below,
> > >  # so DBI quotes them itself; escaping quotes by hand here would only
> > >  # store stray backslashes in the table.
> > >  my @fields=($timestamp, $id, $size, $from_user, $from_domain,
> > >              $subject, $clientip, $archives, $isspam, $ishighspam,
> > >              $sascore, $spamreport);
> > >
> > >  # Insert @fields into a database table
> > >  my($sth) = $dbh->prepare("INSERT INTO maillog_mail (time, msg_id, size, from_user, from_domain, subject, clientip, archives, isspam, ishighspam, sascore, spamreport) VALUES (?,?,?,?,?,?,?,?,?,?,?,?)");
> > >  $sth->execute(@fields)
> > >    or MailScanner::Log::DieLog("Cannot insert row: %s", $DBI::errstr);
> > >
> > >  my($file, $text);
> > >  while(($file, $text) = each %{$message->{allreports}}) {
> > >    $file = "the entire message" if $file eq "";
> > >    # Use the sanitised filename to avoid problems caused by people forcing
> > >    # logging of attachment filenames which contain nasty SQL instructions.
> > >    # ('||', not 'or': 'or' binds looser than '=' and would leave $file
> > >    # undefined whenever there is no sanitised name for it.)
> > >    $file = $message->{file2safefile}{$file} || $file;
> > >    $text =~ s/\n/ /g; # Make sure text report only contains 1 line
> > >    $text =~ s/\t/ /g; # and no tab characters
> > >
> > >    my @fields = ($id, $file, $text);
> > >    my($sth) = $dbh->prepare("INSERT INTO maillog_report (msg_id, filename, filereport) VALUES (?,?,?)");
> > >    $sth->execute(@fields) or
> > >      MailScanner::Log::DieLog("Cannot insert row: %s", $DBI::errstr);
> > >  }
> > >
> > >  for (@to) {
> > >    # again, split the recipient's email into user and domain halves first.
> > >    # see comment above about splitting the email like this.
> > >    my ($to_user, $to_domain);
> > >    ($to_user, $to_domain) = split /\@/, $_;
> > >    my @fields = ($id, $to_user, $to_domain);
> > >    my($sth) = $dbh->prepare("INSERT INTO maillog_recipient (msg_id, to_user, to_domain) VALUES (?,?,?)");
> > >    $sth->execute(@fields) or
> > >      MailScanner::Log::DieLog("Cannot insert row: %s", $DBI::errstr);
> > >  }
> > >
> > >  # Close database connection
> > >  $dbh->disconnect();
> > >}
> > >
> > >1;
> > >
> > >
> > >-rob
> > >
> > >--
> > >This email and any files transmitted with it are confidential and
> > >intended solely for the use of the individual or entity to whom they
> > >are addressed. If you have received this email in error please notify
> > >the sender and delete the message from your mailbox.
> > >
> > >This footnote also confirms that this email message has been swept by
> > >MailScanner (www.mailscanner.info) for the presence of
> > >computer viruses.
> > >
> >
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
>
> --
> *** This message originates from COCC, Inc.
>
> If the reader of this message, regardless of the address or routing, is not an intended recipient, you are hereby notified that you have received this transmittal in error and any review; use, distribution, dissemination or copying is strictly prohibited. If you have received this message in error, please delete this e-mail and all files transmitted with it from your system and immediately notify COCC, Inc. by sending reply e-mail to the sender of this message.
>
> Thank you. ***

From SJCJonker at SJC.nl Mon Aug 4 15:10:24 2003
From: SJCJonker at SJC.nl (Stijn Jonker)
Date: Thu Jan 12 21:19:09 2006
Subject: Silent Virus & Notify Senders
In-Reply-To: <5.2.1.1.2.20030803202546.0254f198@imap.ecs.soton.ac.uk>
References: <1059845299.3f2bf4b3d3b6c@secure.ecs.soton.ac.uk> <3F2BD493.5070008@SJC.nl> <1059845299.3f2bf4b3d3b6c@secure.ecs.soton.ac.uk> <5.2.1.1.2.20030803202546.0254f198@imap.ecs.soton.ac.uk>
Message-ID: <3F2E6950.3050601@SJC.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Julian,

I'm currently testing the All-Viruses option on the test server, and it
seems to work just fine. Of course the renaming is ok with me also ;-))

Julian Field said the following on 08/03/2003 09:26 PM:
| Does anyone have any problems with me replacing
| Silent Viruses =
| with
| No Sender Warnings In Response To =
| as with all the special keywords that can be added to the list, it isn't
| exactly just virus names any more.
| --
| Julian Field
| www.MailScanner.info
| Professional Support Services at www.MailScanner.biz
| MailScanner thanks transtec Computers for their support

- --
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker
-----BEGIN PGP SIGNATURE-----

iD8DBQE/LmlQjU9r45tKnOARAq7pAKC/RyR0YbY6C0rZQ586HD9Gpi1dfgCeJCWC
lYDmlyuz2/LgIiW365RHL3A=
=SIJx
-----END PGP SIGNATURE-----
From Andrew.Magnusson at COCC.COM Mon Aug 4 15:14:17 2003
From: Andrew.Magnusson at COCC.COM (Magnusson, Andrew)
Date: Thu Jan 12 21:19:09 2006
Subject: SQL Redux
Message-ID:

I've got it as the default, inserting when the child dies (which of course
happens fairly regularly per the config file, so there's usually no more
than a 3- or 4-hour lag before any given email is entered into the
database).

Andrew Magnusson
Internet Product Analyst
COCC
1-877-678-0444 extension 640
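The Init / per-batch / End split Steve Freegard recommends earlier in this thread, written out as an added illustration (not MailScanner's, MailWatch's or any poster's code) against the three-table schema Rob's SQLRTLogging uses; the DSN, the credentials and the die/warn calls standing in for MailScanner::Log are placeholders.

```perl
use strict;
use warnings;
use DBI;

# Per-child state: one database handle and one prepared statement per table.
my ($dbh, %sth);

# Placeholders (assumed); a real CustomConfig.pm would take these from its config.
my $DSN  = 'DBI:mysql:database=mailscanner;host=localhost';
my $USER = 'mailscanner';
my $PASS = 'CHANGE-ME';

# Once per MailScanner child: connect and prepare every statement.
sub InitSQLRTLogging {
  $dbh = DBI->connect($DSN, $USER, $PASS,
                      { RaiseError => 0, PrintError => 0, AutoCommit => 1 })
    or die "Cannot connect to the database: $DBI::errstr\n";   # DieLog in a real hook

  # Values are bound to the ? placeholders at execute time, so they never become
  # part of the SQL text and need no hand-rolled quote escaping.
  $sth{mail}   = $dbh->prepare('INSERT INTO maillog_mail (time, msg_id, size, from_user, from_domain, subject, clientip, archives, isspam, ishighspam, sascore, spamreport) VALUES (?,?,?,?,?,?,?,?,?,?,?,?)');
  $sth{report} = $dbh->prepare('INSERT INTO maillog_report (msg_id, filename, filereport) VALUES (?,?,?)');
  $sth{rcpt}   = $dbh->prepare('INSERT INTO maillog_recipient (msg_id, to_user, to_domain) VALUES (?,?,?)');
  for my $name (keys %sth) {
    die "Cannot prepare $name statement: $DBI::errstr\n" unless $sth{$name};
  }
  return 1;
}

# Collapse newlines and tabs so a report occupies exactly one line.
sub tidy {
  my ($t) = @_;
  $t = '' unless defined $t;
  $t =~ s/[\r\n\t]+/ /g;
  return $t;
}

# Split user@domain into its halves; a null sender (<>) gives two empty strings.
sub split_addr {
  my ($addr) = @_;
  $addr = '' unless defined $addr;
  my ($user, $domain) = split /\@/, $addr, 2;
  return (defined $user ? $user : '', defined $domain ? $domain : '');
}

# Once per message: run the prepared statements inside one transaction, so a
# message is either fully logged or not logged at all.
sub SQLRTLogging {
  my ($message) = @_;
  InitSQLRTLogging() unless $dbh && $dbh->ping;   # recover from a dropped connection

  my $id   = $message->{id};
  my $safe = $message->{file2safefile} || {};
  my @now  = localtime();
  my $timestamp = sprintf('%d-%02d-%02d %02d:%02d:%02d',
                          $now[5] + 1900, $now[4] + 1, @now[3, 2, 1, 0]);
  my ($from_user, $from_domain) = split_addr($message->{from});

  $dbh->begin_work;
  my $ok = $sth{mail}->execute(
    $timestamp, $id, $message->{size}, $from_user, $from_domain,
    $message->{subject}, $message->{clientip},
    join(',', @{ $message->{archiveplaces} || [] }),
    $message->{isspam} ? 1 : 0, $message->{ishigh} ? 1 : 0,
    $message->{sascore}, tidy($message->{spamreport}));

  for my $file (keys %{ $message->{allreports} || {} }) {
    last unless $ok;
    my $text = $message->{allreports}{$file};
    # Log the sanitised attachment name, never the one the sender chose.
    my $name = $file eq '' ? 'the entire message' : ($safe->{$file} || $file);
    $ok = $sth{report}->execute($id, $name, tidy($text));
  }
  for my $to (@{ $message->{to} || [] }) {
    last unless $ok;
    $ok = $sth{rcpt}->execute($id, split_addr($to));
  }

  if ($ok) { $dbh->commit; return 1; }
  my $err = $DBI::errstr;                     # capture before rollback overwrites it
  $dbh->rollback;
  warn "SQL logging failed for $id: $err\n";  # WarnLog in a real hook
  return 0;
}

# Once as each child exits: release the statements and the connection.
sub EndSQLRTLogging {
  $_->finish for grep { defined } values %sth;
  %sth = ();
  $dbh->disconnect if $dbh;
  undef $dbh;
  return 1;
}

1;
```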
From mbowman at UDCOM.COM Mon Aug 4 16:36:37 2003
From: mbowman at UDCOM.COM (Matthew Bowman)
Date: Thu Jan 12 21:19:09 2006
Subject: mimail slipping through
Message-ID:

Hi,

Some of our clients want all filenames, regardless of extension, to be
passed through. I setup a ruleset for filenames and filetypes accordingly.
As I understand it these attachments do still get scanned for viruses? If
so mimail isn't being detected.

I'm using f-prot with SIGN/SIGN2.DEF dated August 2nd and MACRO.DEF dated
July 28th - I think these are up to date?

Any thoughts?

Thanks

Matthew

From raymond at PROLOCATION.NET Mon Aug 4 16:43:31 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:09 2006
Subject: mimail slipping through
In-Reply-To:
Message-ID:

Hi!

> Some of our clients want all filenames, regardless of extension, to be
> passed through. I setup a ruleset for filenames and filetypes accordingly.
> As I understand it these attachments do still get scanned for viruses? If
> so mimail isn't being detected.
>
> I'm using f-prot with SIGN/SIGN2.DEF dated August 2nd and MACRO.DEF dated
> July 28th - I think these are up to date?

F-Prot is not catching this! I have an open ticket but they didn't respond
at all. For me it's time to switch to another virus product, I really can't
live with the fact they take 4 days to fix something like this. Even
ClamAV outperforms them with virus updates.

My suggestion, scan with Clam also for some time, use two scanners...

Bye,
Raymond.

From robert at WEBTENT.COM Mon Aug 4 16:52:18 2003
From: robert at WEBTENT.COM (Robert Fitzpatrick)
Date: Thu Jan 12 21:19:09 2006
Subject: Filename rules
Message-ID: <001901c35aa0$62900a20$0b01a8c0@columbus>

Does sendmail have to be restarted in order to get changes to the
filename.rules.conf file to take effect? I added an allow statement that did
not work in allowing a certain extension to be allowed. I put it in the
allow section atop the file prior to any deny statements. I then tried to
comment out (# in front of the line) the deny statement found in the
VirusWarning.txt file indicating the rule that intercepted the attachment.
Again, same response, the file attachment was replaced. I have only
restarted Mailscanner after making changes and am curious to know if
sendmail needs to be restarted. If that is the case, I'll just restart
tonight after hours. If not, here is my allow statement:

allow \.icx$ - -

The files being replaced have this extension (is it case sensitive?).
However, like I said above, I tried to comment out the following line and
it still intercepted the file:

# deny \.[a-z][a-z0-9]{2,3}\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension

The VirusWarning.txt file indicates this is the rule intercepting the
message:

Attempt to hide real filename extension in ABH_CORRECTIONS_080403.PDF.ICX

--
Robert

From jrudd at UCSC.EDU Mon Aug 4 17:03:41 2003
From: jrudd at UCSC.EDU (John Rudd)
Date: Thu Jan 12 21:19:09 2006
Subject: Feature Requests
In-Reply-To: <1059822439.3f2b9b6773a68@secure.ecs.soton.ac.uk>
Message-ID: <374789DE-C695-11D7-8C50-003065F939FE@ucsc.edu>

On Saturday, Aug 2, 2003, at 04:07 US/Pacific, Julian Field wrote:

> Quoting John Rudd :
>>>> 1) new action type: Ham Actions or Not Spam Actions
>>>>
>>
>
> Try reading the docs :-)
>
> # This is just like the "Spam Actions" option above, except that it applies
> # to messages that are *NOT* spam.
>

heh. That must be relatively new ... and that's what I get for lagging
behind by a few versions :-}

From steinkel at PA.NET Mon Aug 4 17:32:03 2003
From: steinkel at PA.NET (Leland J. Steinke)
Date: Thu Jan 12 21:19:09 2006
Subject: mimail slipping through
References:
Message-ID: <3F2E8A83.4050405@pa.net>

Raymond Dijkxhoorn wrote:
>
> F-Prot is not catching this! I have an open ticket but they didn't respond
> at all. For me it's time to switch to another virus product, I really can't
> live with the fact they take 4 days to fix something like this. Even
> ClamAV outperforms them with virus updates.
>
> My suggestion, scan with Clam also for some time, use two scanners...
>

This is what we are doing. Since f-prot has been caught doing what might
be worse than nothing, that is, doing it half-assed^h^h^h^h^hway.

It is very strange. The Mimail.A message I intercepted, via a message
bounce, and dissected was a ZIP of a message.html file which had MIME-like
headers in front that told the mail client to execute the following binary
data. When I removed the headers, f-prot identified the binary code as
W32/Mimail.A@mm.

Leland

From raymond at PROLOCATION.NET Mon Aug 4 17:38:38 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:09 2006
Subject: mimail slipping through
In-Reply-To: <3F2E8A83.4050405@pa.net>
Message-ID:

Hi!

> It is very strange. The Mimail.A message I intercepted, via a message bounce,
> and dissected was a ZIP of a message.html file which had MIME-like headers in
> front that told the mail client to execute the following binary data. When I
> removed the headers, f-prot identified the binary code as W32/Mimail.A@mm.

I sent in the copy I received Friday; so far they didn't even respond to
the ticket I opened. Exactly the same we had with a Sobig variant. Their
support closed the ticket with 'we support it already'; I had to re-open it
twice to get their attention. If they don't know their business, and don't
even take the time to simply scan the files customers send in, I have
serious doubts they are doing ok. They used to do better.

Bye,
Raymond.

From mkipness at GENIANT.COM Mon Aug 4 18:02:30 2003
From: mkipness at GENIANT.COM (Max Kipness)
Date: Thu Jan 12 21:19:09 2006
Subject: Unexpected Error?
Message-ID: <036A6BCC9FD10749AD3CE32255AF49A60170A02D@dalsxc01.geniant.net>

I've got an employee who has been sending docs all morning and then
suddenly has a problem with one doc getting corrupt/unexpected errors. Does
this just mean that MailScanner thinks it's corrupt and then had an error
trying to check it?

Here is the log:

Aug 4 11:47:53 xxxxxxxxx sendmail[29123]: h74GklL1029123: from=, size=1015025, class=0, nrcpts=1, msgid=<036A6BCC9FD10749AD3CE32255AF49A601702857@dalsxc01.geniant.net>, proto=ESMTP, daemon=MTA, relay=adsl-64-217-212-137.dsl.rcsntx.swbell.net [64.217.212.137]
Aug 4 11:47:53 xxxxxxxxx sendmail[29123]: h74GklL1029123: to=, delay=00:01:05, mailer=esmtp, pri=30639, stat=queued
Aug 4 11:47:56 xxxxxxxxx MailScanner[20684]: Could not check ./h74GklL1029123/winmail.dat/Xxxxxxxxx AD Design - DRAFT.zip/Xxxxxxxxx AD Design - DRAFT.doc (corrupt)
Aug 4 11:47:56 xxxxxxxxx MailScanner[20684]: Could not check ./h74GklL1029123/winmail.dat/Xxxxxxxxx AD Design - DRAFT.zip/Xxxxxxxxx AD Design - DRAFT.doc (unexpected error [0x80040202])
Aug 4 11:47:56 xxxxxxxxx MailScanner[20684]: Could not check ./h74GklL1029123/winmail.dat/Xxxxxxxxx AD Design - DRAFT.zip/Xxxxxxxxx AD Design - DRAFT.doc (unexpected error [0x80040202])
Aug 4 11:47:57 xxxxxxxxx MailScanner[20684]: Saved infected "winmail.dat" to /var/spool/MailScanner/quarantine/20030804/h74GklL1029123
Aug 4 11:48:05 xxxxxxxxx sendmail[29165]: h74GklL1029123: to=, delay=00:01:17, xdelay=00:00:08, mailer=esmtp, pri=120639, relay=houmail.companyx.com. [204.194.96.13], dsn=2.0.0, stat=Sent (h74GlvRp028965 Message accepted for delivery)

Thanks,
Max

From dbaker at dkburnap.com Mon Aug 4 17:54:33 2003
From: dbaker at dkburnap.com (David Baker) Date: Thu Jan 12 21:19:09 2006 Subject: Sweep and .zip Message-ID: <20030804165456.2BB715A28D@mail01.nap.dkbhosting.net> In order to have Sophos sweep scan and get inside of .zip files, you have to run sweep -zip filename.zip How do you have sweep scan .zip and other compressed files when called from Mailscanner? Thank you, David From lists at STHOMAS.NET Mon Aug 4 18:39:37 2003 
From: lists at STHOMAS.NET (Steve Thomas) Date: Thu Jan 12 21:19:09 2006 Subject: Zip files not getting checked? In-Reply-To: <1059843288.3f2becd89124b@secure.ecs.soton.ac.uk>; from mailscanner@ECS.SOTON.AC.UK on Sat, Aug 02, 2003 at 05:54:48PM +0100 References: <001601c35911$b58abb70$9c01a8c0@home.middlefinger.net> <1059843288.3f2becd89124b@secure.ecs.soton.ac.uk> Message-ID: <20030804103937.A18753@sthomas.net> On Sat, Aug 02, 2003 at 05:54:48PM +0100, Julian Field is rumored to have said: > > Be warned that I will probably re-write the script in my own style, but > analyse his code carefully to make sure I don't miss any tricks he is doing. I'd hope that you'd rewrite it - I'm not a perl guru by any stretch of the imagination and I KNOW it could be cleaner/safer/faster. There's nothing special going on in there. I wrote it a couple of years ago when I was using the amavis shell script for virus scanning. It takes the message on stdin, scans it for lines containing nothing but an authentic IDE url and pulls them down with wget or a similar tool. Once it's got the file, it checks the first line to make sure that it's an IDE (easy since they're text files) and then writes it to disk. When it's done, it sends an e-mail detailing what happened. > As people using this will be using it instead of the hourly global updater, > it needs to be absolutely right and tolerant of all sorts of changes that > Sophos might choose to make to the format of the email message they send > out. The last thing you want is for Sophos to re-write their standard email > message and everyone's updates to stop working completely. It needs to (a) > be very tolerant of lousy input, and (b) capable of noticing it hasn't had > an update in a few days and start screaming very loudly about it. I don't claim that it's bulletproof, but it's worked for me so far. At our office, I've made a couple of changes to it to fit our environment. 
I added a section that uploads it via ftp to our two file servers which run as SAV central servers, then run "setup.exe /update /ni" on the remote servers so when the clients check in, they'll know to update. With this setup I only have to do the monthly updates on the central and mail servers. It doesn't keep any kind of state information, so it won't complain if it's been a day/week/year since it was last run. It's pretty straightforward and simple. > The only difficulty with it will be producing the installation instructions > for it, as a lot of MailScanner admins don't really know enough to be able > to use something like this without quite a bit of help. The instructions included were written while I was using sendmail, but should work fine with exim, too (I switched over to exim and didn't have to change a thing). Installation should be pretty easy, even for most novices. It's been downloaded 400 times and counting, and I haven't had anyone email me with installation issues. -- "Well done is better than well said." - Benjamin Franklin (1706-1790) From ctrudeau at BELLSOUTH.NET Mon Aug 4 19:01:44 2003 From: ctrudeau at BELLSOUTH.NET (Chris-Bellsouth) Date: Thu Jan 12 21:19:09 2006 Subject: virus flexibility? References: Message-ID: <019901c35ab2$77b62490$5702010a@mscore.trusecure.net> I have sophos and clamav installed on my MS system which is performing duties for several domains. I have "Virus Scanning = rulesfile.conf" In the rules file I have this file currently set to reflect: To example.com yes To example.net yes then I have "Virus Scanners = sophossavi clamav" What I'm wondering is, if I wanted example.com to use both scanners and example.net to use only one could I use a rules file for "Virus Scanners" like the following: To example.com sophossavi clamav To example.net clamav ??? Thanks in advance! CT From jase at SENSIS.COM Mon Aug 4 20:00:37 2003 
From: jase at SENSIS.COM (Desai, Jason) Date: Thu Jan 12 21:19:09 2006 Subject: FW: Postfix 1.1.12 remote DoS / Postfix 1.1.11 bounce scanning Message-ID: FYI - I saw this on bugtraq, and thought that the postfix users here may be interested. -----Original Message----- 
From: Michal Zalewski [mailto:lcamtuf@ghettot.org] Sent: Sunday, August 03, 2003 3:13 PM To: bugtraq@securityfocus.com Subject: Postfix 1.1.12 remote DoS / Postfix 1.1.11 bounce scanning Good morning list, ,--. ,--. \ /-~-\ / ======================================================= )' a a `( ======== 1. Postfix 1.1.12 remote DoS (CAN-2003-0540) .( ,---. ), ========================================================`(_o_o_)'========= There is a remotely exploitable denial of service vulnerability in Postfix up to and including 1.1.12. The vulnerability does not affect the most current version, 2.0, due to a major overhaul of the address parsing code. Releases prior to 1.1.9 are not vulnerable by default, but will be exposed if append_dot_mydomain is turned off in the configuration file (see section 3 for more details). Recent 1.1 releases, having no publicly disclosed security problems, are still commonly used and shipped in several popular Linux distributions, including Red Hat 9 or Debian 3.0 (woody) - those distributions both ship 1.1.11. The vulnerability lies in the address parser code. By supplying a remote SMTP listener with a malformed envelope address, it is possible to, depending on the method, either: - Cause the queue manager, nqmgr, to lock up permanently, effectively stopping any queue processing - all mail traffic suppressed. Restarting the service has no effect - a specific entry has to be removed from the queue to fix the problem. For that reason, a built-in watchdog that restarts nqmgr after a period of nonresponsive behavior is not able to cause a recovery from this condition. The attack can be performed by forcing the service to queue a mail to an address that would generate a bounce - depending on the configuration, it can be , or, if user names are being checked, . The "mail from" or "Errors-To" address should be set to "<.!>" or "<.!@local-server-name>". 
An attempt to parse and rewrite the latter address when preparing a bounce will lock up the service. ...or... - Lock up a single instance of the smtp listener in an unusable state that persists after the client disconnects. By repeating this, it is possible to DoS the service (or entire system, depending on the configuration) in a very effective manner. This can be achieved by providing any valid "MAIL FROM" in an SMTP conversation, and then supplying a "RCPT TO" similar to "MAIL FROM" in the previous example. If the server is vulnerable, the session should freeze at this point. The latter approach, since it only creates a single stalled process, is a less intrusive method of testing your systems for this issue remotely. The attack can be detected by looking for "resolve_clnt_query: null recipient" in your maillog. It is then necessary to find the problematic entry in the queue and remove it manually, then restart the service. It should be noted that it is often possible to attack instances that do not have port 25 reachable from the Internet - envelope addresses and certain headers such as Errors-To may very well be preserved when a message is relayed via another system or service. ========================================================================== 2. Postfix 1.1.11 Bounce scan / DDoS agent issue (CAN-2003-0468) ========================================================================== There is a remotely exploitable vulnerability in Postfix 1.1.11 (and earlier versions). Postfix 1.1.12 and 2.0 are NOT affected. The problem was apparently spotted and fixed in 1.1.12 (note 200221121 in HISTORY file), although it has been tagged as a change preventing bogus log entries, and not described as a security issue; there was no public information or discussion about its implications on security forums, not prompting users to upgrade. It might be that the significance of this problem was simply overlooked. 
Since the issue has been rediscovered during the analysis of the previous issue, I decided it's worth mentioning here, especially since 1.1.11 is shipped all over the place. The problem enables an attacker to use Postfix 1.1.11 as a DDoS agent or for bounce scans of other hosts on the Internet, or probing firewalled internal networks. The problem is triggered by an attempt to deliver to: <[server_ip]:service!@local-host-name> This address will cause Postfix to connect to an arbitrary IP at an arbitrary port and attempt to talk SMTP. The conversation will likely fail before any user-dependent data is sent to the remote party, which limits the exposure, but is sufficient to bounce-scan. The address can be either sent in "RCPT TO" (the attacker would have the right to relay to this system - which makes it a viable method of bounce-scanning your ISP/mail account provider), in which case the sender would then look for bounces stating the problem (SMTP conversation error, connection timeout or connection refused), or in "MAIL FROM" / Errors-To, in which case, the attacker can likely perform a queue timing attack to detect whether a port is open by inserting control messages that are intended to bounce. When a port is open, SMTP greeting timeout occurs after a longer while, pausing queue processing. When a port is closed, the entry is immediately marked as deferred and queue processing continues. It is also possible to use this problem to stage a DDoS attack, by making a number of Postfix hosts around the world attempt to connect to services on a particular machine over and over again, until each queue entry finally expires and is discarded or delivered to postmaster. ========================================================================== 3. 
Vendor status / fix and workaround information ========================================================================== Wietse Venema was contacted on July 27 regarding the first issue, confirmed the problem described in #1 and released a patch to address it. The information was then passed down to vendor-sec. Below is detailed fix and workaround info from the author: To find out your Postfix version, use the command "postconf mail_version". Versions prior to 1.1 show a date instead of a version number (e.g., Postfix-20010228-pl08). Versions 1.1 and later may show a date in addition to the version number (e.g., 2.0.14-20030717). Postfix versions 2.0 and later: Not vulnerable, because the trivial-rewrite code was completely restructured. The current Postfix version is 2.0.13. A non-vulnerable Postfix version can protect vulnerable Postfix systems as described in the workarounds section below. Postfix versions 1.1.9 .. 1.1.12: These are vulnerable, and are fixed by upgrading to version 1.1.13 which will be made available via http://www.postfix.org/ and via individual vendors, or by applying the patch below. The workarounds section below has instructions for sites that cannot upgrade Postfix immediately. Postfix versions prior to 1.1.9: These become vulnerable only when the append_dot_mydomain feature is set to "no" (you can verify this with the command "postconf append_dot_mydomain"). Use the command "postconf -e append_dot_mydomain=yes" to update the setting if necessary. Sites that must use "append_dot_mydomain=no" should either upgrade to a fixed Postfix version, or should apply the one-line patch at the end of this text. This patch has been tested with Postfix versions back to 19991231. Workarounds for Postfix versions 1.1.9 - 1.1.12: Verify that the append_dot_mydomain feature is set to "yes" by using the command "postconf append_dot_mydomain". Use the command "postconf -e append_dot_mydomain=yes" to update the setting if necessary. 
Sites that must use "append_dot_mydomain=no" should either upgrade to a fixed Postfix version, or should apply the one-line patch at the end of this text. Specify "resolve_dequoted_address=no" in main.cf. An additional workaround is needed for hosts that must forward mail from the Internet to, for example, primary MX hosts or to internal hosts. This is because with resolve_dequoted_address=no, Postfix no longer recognizes user@bad.domain@good.domain as a mail relaying attempt. To close this loophole, use a regular expression to block sender-specified routing in SMTP recipient addresses: /etc/postfix/main.cf: smtpd_recipient_restrictions = permit_mynetworks, check_recipient_access regexp:/etc/postfix/recipient_regexp ...other restrictions... check_relay_domains /etc/postfix/recipient_regexp: /[%!@].*[%!@]/ 550 Sender-specified routing rejected Workarounds to protect vulnerable down-stream Postfix systems: Reject Errors-To: message headers with multiple routing operators: /etc/postfix/main.cf: header_checks = regexp:/etc/postfix/header_checks /etc/postfix/header_checks: /^errors-to:.*[%!@].*[%!@]/ reject Reject SMTP sender addresses with multiple routing operators: /etc/postfix/main.cf: smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/sender_regexp ...other restrictions... /etc/postfix/sender_regexp: /[%!@].*[%!@]/ 550 Sender-specified routing rejected diff -cr /tmp/postfix-1.1.12/src/trivial-rewrite/resolve.c src/trivial-rewrite/resolve.c *** /tmp/postfix-1.1.12/src/trivial-rewrite/resolve.c Fri Nov 22 12:32:33 2002 --- src/trivial-rewrite/resolve.c Mon Jul 28 11:36:49 2003 *************** *** 148,153 **** --- 148,154 ---- if (saved_domain) tok822_free_tree(saved_domain); saved_domain = domain; + domain = 0; } /* -- Did you know that clones never use mirrors? http://lcamtuf.coredump.cx/photo/current/ From mike at CAMAROSS.NET Mon Aug 4 20:06:20 2003 
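Review bot: the one-line change is sound, and the reason is visible in the hunk: after `saved_domain = domain;` both pointers name the same token tree, and the preceding `if (saved_domain) tok822_free_tree(saved_domain);` shows that tree is freed the next time this code runs, so without `+ domain = 0;` the caller would be left holding a pointer to memory that `saved_domain` now owns (or the tree would be freed twice). A short comment on the added line noting that ownership has moved to `saved_domain` would help the next reader, since the context lines do not show where `domain` is used afterwards.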
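The recipient/sender regexp tables and the Errors-To header check from the workaround section above, applied to sample addresses as an added example (Python written for this page, not Postfix code or the advisory's own). It shows which envelope forms the `/[%!@].*[%!@]/` rule catches, that the bare `<.!>` form carries only one routing operator and is not matched by the regex alone, and a grep for the `resolve_clnt_query: null recipient` log text the advisory names; case-insensitive matching (the Postfix regexp table default, as I understand it), the `example.org` / `192.0.2.x` hosts and the log lines are assumptions or constructed.

```python
import re

# Regular expressions copied from the advisory's workaround section and applied
# here in Python (added example, not Postfix itself) so that the effect of the
# tables can be checked offline against sample addresses.
# Assumption: Postfix regexp: lookup tables match case-insensitively by default,
# hence re.IGNORECASE.
ROUTING_RULE = re.compile(r"[%!@].*[%!@]", re.IGNORECASE)                 # recipient_regexp / sender_regexp
ERRORS_TO_RULE = re.compile(r"^errors-to:.*[%!@].*[%!@]", re.IGNORECASE)  # header_checks

REJECT_REPLY = "550 Sender-specified routing rejected"
STALL_MARKER = "resolve_clnt_query: null recipient"  # maillog text the advisory says to watch for


def access_verdict(address: str) -> str:
    """Emulate check_recipient_access / check_sender_access with the page's
    regexp table: a matching address gets the 550 reply, anything else is
    "DUNNO", i.e. the table has no opinion and later restrictions decide."""
    addr = address.strip()
    if addr.startswith("<") and addr.endswith(">"):  # tolerate a bracketed envelope address
        addr = addr[1:-1]
    return REJECT_REPLY if ROUTING_RULE.search(addr) else "DUNNO"


def header_verdict(header_line: str) -> str:
    """Emulate header_checks with the page's rule for Errors-To headers
    carrying more than one routing operator."""
    return "reject" if ERRORS_TO_RULE.search(header_line) else "DUNNO"


def stalled_entries(maillog_lines):
    """Return the maillog lines that signal the nqmgr lock-up described in
    section 1, so an operator knows a queue entry has to be found and removed."""
    return [line for line in maillog_lines if STALL_MARKER in line]


if __name__ == "__main__":
    # Constructed sample envelope addresses; example.org and 192.0.2.x are
    # documentation names, not real hosts.
    samples = [
        "alice@example.org",                  # ordinary address: one operator, passes
        "user@bad.domain@good.domain",        # relay attempt named in the advisory
        "[192.0.2.10]:25!@mail.example.org",  # shape of the section-2 bounce-scan address
        ".!@mail.example.org",                # second form of the section-1 address
        ".!",                                 # first form: only ONE operator, regex does not fire
        "user%host@example.org",              # legacy percent routing is rejected as well
    ]
    for s in samples:
        print(f"{s:36} -> {access_verdict(s)}")
    print(header_verdict("Errors-To: <.!@mail.example.org>"))
```

The regex table exists to close the relay loophole that `resolve_dequoted_address=no` opens; it does not by itself match the bare `.!` form, so it complements `append_dot_mydomain=yes` and `resolve_dequoted_address=no` rather than replacing them.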
From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:19:09 2006 Subject: Filename rules In-Reply-To: <001901c35aa0$62900a20$0b01a8c0@columbus> Message-ID: <005e01c35abb$7dd3e9d0$9c01a8c0@home.middlefinger.net> Issuing a 'service MailScanner reload' should make MailScanner reread all of its configurations. Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Robert Fitzpatrick Sent: Monday, August 04, 2003 10:52 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Filename rules Does sendmail have to be restarted in order to get changes to the filename.rules.conf file to take effect? I added an allow statement that did not work in allowing a certain extension to be allowed. I put it in the allow section atop the file prior to any deny statements. I then tried to comment out (# in front of the line) the deny statement found in the VirusWarning.txt file indicating the rule that intercepted the attachment. Again, same response, the file attachment was replaced. I have only restarted MailScanner after making changes and am curious to know if sendmail needs to be restarted. If that is the case, I'll just restart tonight after hours. If not, here is my allow statement: allow \.icx$ - - The files being replaced have this extension (is it case sensitive?). However, like I said above, I tried to comment out the following line and it still intercepted the file: # deny \.[a-z][a-z0-9]{2,3}\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension The VirusWarning.txt file indicates this is the rule intercepting the message: Attempt to hide real filename extension in ABH_CORRECTIONS_080403.PDF.ICX -- Robert From mike at CAMAROSS.NET Mon Aug 4 20:07:10 2003 
From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:19:10 2006 Subject: Postfix 1.1.12 remote DoS / Postfix 1.1.11 bounce scanning In-Reply-To: Message-ID: <005f01c35abb$9b0e0f80$9c01a8c0@home.middlefinger.net> SuSE released a patch for this DoS this morning. I have installed it on both of my OpenExchange servers. Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Desai, Jason Sent: Monday, August 04, 2003 2:01 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: FW: Postfix 1.1.12 remote DoS / Postfix 1.1.11 bounce scanning FYI - I saw this on bugtraq, and thought that the postfix users here may be interested. -----Original Message----- 
From mailscanner at ecs.soton.ac.uk Mon Aug 4 19:54:28 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:10 2006 Subject: Filename rules In-Reply-To: <001901c35aa0$62900a20$0b01a8c0@columbus> Message-ID: <5.2.1.1.2.20030804195125.026a1e38@imap.ecs.soton.ac.uk> No, you can just do a "reload". Check you have tabs between each of the 4 fields in the filename.rules.conf file. At 16:52 04/08/2003, you wrote: >Does sendmail have to be restarted in order to get changes to the >filename.rules.conf file to take effect? I added an allow statement that >did not work in allowing a certain extension to be allowed. I put it in >the allow section atop the file prior to any deny statements. I then >tried to comment out (# in front of the line) the deny statement found >in the VirusWarning.txt file indicating the rule that intercepted the >attachment. Again, same response, the file attachment was replaced. I have >only restarted MailScanner after making changes and am curious to know if >sendmail needs to be restarted. If that is the case, I'll just restart >tonight after hours. If not, here is my allow statement: > >allow \.icx$ - - > >The files being replaced have this extension (is it case sensitive?). No. >However, like I said above, I tried to comment out the following line >and it still intercepted the file: > ># deny \.[a-z][a-z0-9]{2,3}\.[a-z0-9]{3}$ Found possible filename >hiding Attempt to hide real filename extension > >The VirusWarning.txt file indicates this is the rule intercepting the >message: > >Attempt to hide real filename extension in >ABH_CORRECTIONS_080403.PDF.ICX > >-- >Robert -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Aug 4 19:47:36 2003 
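An added example (Python written for this page, not MailScanner's own code) of reading and applying a filename.rules.conf file such as Robert's, built to show why a missing tab between the four fields leaves a rule silently ineffective while the deny rule below it still fires on `ABH_CORRECTIONS_080403.PDF.ICX`. First-match-wins order, case-insensitive matching (Julian's "No" to the case-sensitivity question) and the treatment of a malformed line are assumptions about MailScanner stated in the comments; the two rule files are constructed from the lines quoted in this thread.

```python
import re
from typing import List, Optional, Tuple

# Added example, not MailScanner's own code. Format as described in this thread:
# four TAB-separated fields per rule: action, regex, log text, user report text.
# Assumptions about MailScanner's behaviour (not verified against its source):
#   * rules are tried top to bottom and the first matching rule decides;
#   * the regex is matched case-insensitively against the attachment name;
#   * a line without four tab-separated fields is malformed; this reader skips
#     it and reports it, which is how a space-separated rule becomes inert.
Rule = Tuple[str, re.Pattern, str, str]

# Constructed from the rules quoted in the thread, with tabs between the fields.
GOOD_RULES = (
    "allow\t\\.icx$\t-\t-\n"
    "deny\t\\.[a-z][a-z0-9]{2,3}\\.[a-z0-9]{3}$\tFound possible filename hiding"
    "\tAttempt to hide real filename extension\n"
)
# The same file, but the allow line was typed with spaces instead of tabs.
SPACE_SEPARATED_RULES = GOOD_RULES.replace("allow\t\\.icx$\t-\t-", "allow \\.icx$ - -")


def parse_rules(text: str) -> Tuple[List[Rule], List[str]]:
    """Read the rules; return (usable rules, descriptions of malformed lines)."""
    rules: List[Rule] = []
    problems: List[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or a commented-out rule
        fields = line.split("\t")
        if len(fields) != 4:
            problems.append(f"line {lineno}: expected 4 tab-separated fields, found {len(fields)}")
            continue
        action, pattern, log_text, user_text = (f.strip() for f in fields)
        if action not in ("allow", "deny"):
            problems.append(f"line {lineno}: unknown action {action!r}")
            continue
        rules.append((action, re.compile(pattern, re.IGNORECASE), log_text, user_text))
    return rules, problems


def check_filename(filename: str, rules: List[Rule]) -> Tuple[str, Optional[str]]:
    """Apply the rules in order; return the deciding action and, for a deny,
    the text that would be reported in VirusWarning.txt. "nomatch" means no
    rule applied to this name."""
    for action, regex, _log_text, user_text in rules:
        if regex.search(filename):
            return action, (user_text if action == "deny" else None)
    return "nomatch", None


if __name__ == "__main__":
    name = "ABH_CORRECTIONS_080403.PDF.ICX"  # the attachment named in the thread
    for label, text in (("tabs", GOOD_RULES), ("spaces", SPACE_SEPARATED_RULES)):
        rules, problems = parse_rules(text)
        print(label, check_filename(name, rules), problems)
```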
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:10 2006 Subject: SQL Redux In-Reply-To: Message-ID: <5.2.1.1.2.20030804194622.02652cf8@imap.ecs.soton.ac.uk> At 14:29 04/08/2003, you wrote: >If there's really no performance hit to logging after every email instead of >in batches, I'll see about changing my code to do it that way too. Nothing >worse than having to wait for all of the children to finish logging before I >can do a full restart of MailScanner. There must be a significant performance hit. In one case you are just appending a line to a file. In the other case you are adding a record to a database table and updating various indices. This *has* to be a much bigger operation than just adding 1 line to a file. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Aug 4 20:00:01 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:10 2006 Subject: Unexpected Error? In-Reply-To: <036A6BCC9FD10749AD3CE32255AF49A60170A02D@dalsxc01.geniant. net> Message-ID: <5.2.1.1.2.20030804195930.039fae38@imap.ecs.soton.ac.uk> Check that this document isn't actually corrupt first, and if it's okay then lodge a tech support call with Sophos. At 18:02 04/08/2003, you wrote: >I've got an employee who has been sending docs all morning and then >suddenly has a problem with one doc getting corrupt/unexpected errors. >Does this just mean that MailScanner thinks it's corrupt and then had an >error trying to check it? Here is the log: > >Aug 4 11:47:53 xxxxxxxxx sendmail[29123]: h74GklL1029123: >from=, size=1015025, class=0, nrcpts=1, >msgid=<036A6BCC9FD10749AD3CE32255AF49A601702857@dalsxc01.geniant.net>, >proto=ESMTP, daemon=MTA, relay=adsl-64-217-212-137.dsl.rcsntx.swbell.net >[64.217.212.137] >Aug 4 11:47:53 xxxxxxxxx sendmail[29123]: h74GklL1029123: >to=, delay=00:01:05, mailer=esmtp, pri=30639, >stat=queued >Aug 4 11:47:56 xxxxxxxxx MailScanner[20684]: Could not check >./h74GklL1029123/winmail.dat/Xxxxxxxxx AD Design - DRAFT.zip/Xxxxxxxxx >AD Design - DRAFT.doc (corrupt) >Aug 4 11:47:56 xxxxxxxxx MailScanner[20684]: Could not check >./h74GklL1029123/winmail.dat/Xxxxxxxxx AD Design - DRAFT.zip/Xxxxxxxxx >AD Design - DRAFT.doc (unexpected error [0x80040202]) >Aug 4 11:47:56 xxxxxxxxx MailScanner[20684]: Could not check >./h74GklL1029123/winmail.dat/Xxxxxxxxx AD Design - DRAFT.zip/Xxxxxxxxx >AD Design - DRAFT.doc (unexpected error [0x80040202]) >Aug 4 11:47:57 xxxxxxxxx MailScanner[20684]: Saved infected >"winmail.dat" to >/var/spool/MailScanner/quarantine/20030804/h74GklL1029123 >Aug 4 11:48:05 xxxxxxxxx sendmail[29165]: h74GklL1029123: >to=, delay=00:01:17, xdelay=00:00:08, mailer=esmtp, >pri=120639, relay=houmail.companyx.com. 
[204.194.96.13], dsn=2.0.0, >stat=Sent (h74GlvRp028965 Message accepted for delivery) > >Thanks, >Max -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Aug 4 19:58:32 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:10 2006 Subject: Sweep and .zip In-Reply-To: <20030804165456.2BB715A28D@mail01.nap.dkbhosting.net> Message-ID: <5.2.1.1.2.20030804195801.0267be60@imap.ecs.soton.ac.uk> Yes, it adds the "-archive" switch which tells it to scan all archive files. At 17:54 04/08/2003, you wrote: >In order to have Sophos sweep scan and get inside of .zip files, you have >to run > >sweep -zip filename.zip > > >How do you have sweep scan .zip and other compressed files when called >from Mailscanner? > > > >Thank you, > >David > -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Aug 4 20:04:04 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:10 2006 Subject: virus flexibility? In-Reply-To: <019901c35ab2$77b62490$5702010a@mscore.trusecure.net> References: Message-ID: <5.2.1.1.2.20030804200253.039fc898@imap.ecs.soton.ac.uk> IIRC, the Virus Scanners parameter can only be a simple value, not a ruleset. Because messages are scanned in batches, there are potentially messages to/from all sorts of domains in the batch, so working out what scanners to use is nigh impossible. At 19:01 04/08/2003, you wrote: >I have sophos and clamav installed on my MS system which is performing >duties for several domains. > >I have "Virus Scanning = rulesfile.conf" > >In the rules file I have this file currently set to reflect: > >To example.com yes >To example.net yes > >then I have "Virus Scanners = sophossavi clamav" > >What I'm wondering is, if I wanted example.com to use both scanners and >example.net to use only one could I use a rules file for "Virus Scanners" >like the following: > >To example.com sophossavi clamav >To example.net clamav > > >??? > >Thanks in advance! > >CT -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From rzewnickie at RFA.ORG Mon Aug 4 20:27:44 2003 From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki) Date: Thu Jan 12 21:19:10 2006 Subject: Postfix 1.1.12 remote DoS / Postfix 1.1.11 bounce scanning In-Reply-To: <005f01c35abb$9b0e0f80$9c01a8c0@home.middlefinger.net> References: <005f01c35abb$9b0e0f80$9c01a8c0@home.middlefinger.net> Message-ID: <20030804192743.GF16796@rfa.org> Debian has patches available, as well. On Mon 04/08/2003 14:07:10, Mike Kercher wrote: > SuSE released a patch for this DoS this morning. I have installed it on > both of my OpenExchange servers. > > Mike > > > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf > Of Desai, Jason > Sent: Monday, August 04, 2003 2:01 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: FW: Postfix 1.1.12 remote DoS / Postfix 1.1.11 bounce scanning > > > FYI - I saw this on bugtraq, and thought that the postfix users here may be > interested. > > -----Original Message----- 
> From: Michal Zalewski [mailto:lcamtuf@ghettot.org] > Sent: Sunday, August 03, 2003 3:13 PM > To: bugtraq@securityfocus.com > Subject: Postfix 1.1.12 remote DoS / Postfix 1.1.11 bounce scanning > > > > Good morning list, > > ========================================================================== > 1. Postfix 1.1.12 remote DoS (CAN-2003-0540) > ========================================================================== > > There is a remotely exploitable denial of service vulnerability in Postfix > up to and including 1.1.12. The vulnerability does not affect the most > current version, 2.0, due to a major overhaul of the address parsing code. > Releases prior to 1.1.9 are not vulnerable by default, but will be exposed > if append_dot_mydomain is turned off in the configuration file (see section > 3 for more details). > > Recent 1.1 releases, having no publicly disclosed security problems, are > still commonly used and shipped in several popular Linux distributions, > including Red Hat 9 or Debian 3.0 (woody) - those distributions both ship > 1.1.11. > > The vulnerability lies in the address parser code. By supplying a remote > SMTP listener with a malformed envelope address, it is possible to, > depending on the method, either: > > - Cause the queue manager, nqmgr, to lock up permanently, effectively > stopping any queue processing - all mail traffic suppressed. Restarting > the service has no effect - a specific entry has to be removed from > the queue to fix the problem. For that reason, a builtin watchdog > that restarts nqmgr after a period of nonresponsive behavior, is > not able to cause a recovery from this condition. > > The attack can be performed by forcing the service to queue a mail > to an address that would generate a bounce - depending on the > configuration, it can be , or, if user > names are being checked, . The "mail from" or > "Errors-To" address should be set to "<.!>" or > "<.!@local-server-name>". 
An attempt to parse and rewrite the latter > address when preparing a bounce will lock up the service. > > ...or... > > - Lock up a single instance of the smtp listener in an unusable state > that persists after the client disconnects. By repeating this, > it is possible to DoS the service (or entire system, depending > on the configuration) in a very effective manner. > > This can be achieved by providing any valid "MAIL FROM" in an SMTP > conversation, and then supplying a "RCPT TO" similar to "MAIL FROM" > in the previous example. If the server is vulnerable, the session > should freeze at this point. > > The latter approach, since it only creates a single stalled process, is a > less intrusive method of testing your systems for this issue remotely. > > The attack can be detected by looking for "resolve_clnt_query: null > recipient" in your maillog. It is then necessary to find the problematic > entry in the queue and remove it manually, then restart the service. > > It should be noted that it is often possible to attack instances that do not > have port 25 reachable from the Internet - envelope addresses and certain > headers such as Errors-To may very well be preserved when a message is > relayed via another system or service. > > > ========================================================================== > 2. Postfix 1.1.11 Bounce scan / DDoS agent issue (CAN-2003-0468) > ========================================================================== > > There is a remotely exploitable vulnerability in Postfix 1.1.11 (and earlier > versions). Postfix 1.1.12 and 2.0 are NOT affected. The problem was > apparently spotted and fixed in 1.1.12 (note 200221121 in HISTORY file), > although it has been tagged as a change preventing bogus log entries, and > not described as a security issue; there was no public information or > discussion about its implications on security forums, not prompting users to > upgrade. 
It might be that the significance of this problem was simply > overlooked. > > Since the issue has been rediscovered during the analysis of the previous > issue, I decided it's worth mentioning here, especially since 1.1.11 is > shipped all over the place. > > The problem enables an attacker to use Postfix 1.1.11 as a DDoS agent or for > bounce scans of other hosts on the Internet, or probing firewalled internal > networks. The problem is triggered by an attempt to deliver to: > > <[server_ip]:service!@local-host-name> > > This address will cause Postfix to connect to an arbitrary IP at an arbitrary > port and attempt to talk SMTP. The conversation will likely fail before any > user-dependent data is sent to the remote party, which limits the exposure, > but is sufficient to bounce-scan. > > The address can be either sent in "RCPT TO" (the attacker would have the > right to relay to this system - which makes it a viable method of > bounce-scanning your ISP/mail account provider), in which case the sender > would then look for bounces stating the problem (SMTP conversation error, > connection timeout or connection refused), or in "MAIL FROM" / Errors-To, in > which case, the attacker can likely perform a queue timing attack to detect > whether a port is open by inserting control messages that are intended to > bounce. > > When a port is open, SMTP greeting timeout occurs after a longer while, > pausing queue processing. When a port is closed, the entry is immediately > marked as deferred and queue processing continues. > > It is also possible to use this problem to stage a DDoS attack, by making a > number of Postfix hosts around the world attempt to connect to services on a > particular machine over and over again, until each queue entry finally > expires and is discarded or delivered to postmaster. > > > ========================================================================== > 3. 
Vendor status / fix and workaround information > ========================================================================== > > Wietse Venema was contacted on July 27 regarding the first issue, > confirmed the problem described in #1 and released a patch to address it. > The information was then passed down to vendor-sec. > > Below is a detailed fix and workaround info from the author: > > To find out your Postfix version, use the command "postconf > mail_version". Versions prior to 1.1 show a date instead of a > version number (e.g., Postfix-20010228-pl08). Versions 1.1 and > later may show a date in addition to the version number (e.g., > 2.0.14-20030717). > > Postfix versions 2.0 and later: > > Not vulnerable, because the trivial-rewrite code was completely > restructured. The current Postfix version is 2.0.13. > > A not vulnerable Postfix version can protect vulnerable Postfix > systems as described in the workarounds section below. > > Postfix versions 1.1.9 .. 1.1.12: > > These are vulnerable, and are fixed by upgrading to version > 1.1.13 which will be made available via http://www.postfix.org/ > and via individual vendors, or by applying the patch below. > The workarounds section below has instructions for sites that > cannot upgrade Postfix immediately. > > Postfix versions prior to 1.1.9: > > These become vulnerable only when the append_dot_mydomain > feature is set to "no" (you can verify this with the command > "postconf append_dot_mydomain"). Use the command "postconf -e > append_dot_mydomain=yes" to update the setting if necessary. > > Sites that must use "append_dot_mydomain=no" should either > upgrade to a fixed Postfix version, or should apply the one-line > patch at the end of this text. This patch has been tested with > Postfix versions back to 19991231. > > Workarounds for Postfix versions 1.1.9 - 1.1.12: > > Verify that the append_dot_mydomain feature is set to "yes" by > using the command "postconf append_dot_mydomain". 
Use the > command "postconf -e append_dot_mydomain=yes" to update the > setting if necessary. > > Sites that must use "append_dot_mydomain=no" should either > upgrade to a fixed Postfix version, or should apply the one-line > patch at the end of this text. > > Specify "resolve_dequoted_address=no" in main.cf. > > An additional workaround is needed for hosts that must forward > mail from the Internet to, for example, primary MX hosts or to > internal hosts. This is because with resolve_dequoted_address=no, > Postfix no longer recognizes user@bad.domain@good.domain as a > mail relaying attempt. To close this loophole, use a regular > expression to block sender-specified routing in SMTP recipient > addresses: > > /etc/postfix/main.cf: > smtpd_recipient_restrictions = > permit_mynetworks, > check_recipient_access regexp:/etc/postfix/recipient_regexp > ...other restrictions... > check_relay_domains > > /etc/postfix/recipient_regexp: > /[%!@].*[%!@]/ 550 Sender-specified routing rejected > > Workarounds to protect vulnerable down-stream Postfix systems: > > Reject Errors-To: message headers with multiple routing > operators: > > /etc/postfix/main.cf: > header_checks = regexp:/etc/postfix/header_checks > > /etc/postfix/header_checks: > /^errors-to:.*[%!@].*[%!@]/ reject > > Reject SMTP sender addresses with multiple routing operators: > > /etc/postfix/main.cf: > smtpd_sender_restrictions = > check_sender_access regexp:/etc/postfix/sender_regexp > ...other restrictions... 
> > /etc/postfix/sender_regexp: > /[%!@].*[%!@]/ 550 Sender-specified routing rejected > > diff -cr /tmp/postfix-1.1.12/src/trivial-rewrite/resolve.c > src/trivial-rewrite/resolve.c > *** /tmp/postfix-1.1.12/src/trivial-rewrite/resolve.c Fri Nov 22 12:32:33 > 2002 > --- src/trivial-rewrite/resolve.c Mon Jul 28 11:36:49 2003 > *************** > *** 148,153 **** > --- 148,154 ---- > if (saved_domain) > tok822_free_tree(saved_domain); > saved_domain = domain; > + domain = 0; > } > > /* > > -- > Did you know that clones never use mirrors? > http://lcamtuf.coredump.cx/photo/current/ From moliveri at UTI.COM Mon Aug 4 20:51:14 2003 
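Review bot: the added `domain = 0;` after `saved_domain = domain;` in resolve.c is the whole fix, and nothing in the hunk says why it is needed. From the surrounding context, this block first frees the previous tree with `tok822_free_tree(saved_domain)` and then takes over `domain`; before the patch, both variables referred to the same token tree after the assignment, so any later use of `domain` in this function was a use of memory that `saved_domain` now owns and will free on the next pass through this block. A one-line comment at the new statement, saying that ownership of the tree has moved to `saved_domain` and that `domain` must not be used or freed below, would save the next reader from reconstructing this from the version history.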
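The address checks in the advisory's workaround section and the log indicator from section 1, as an added example that is not part of the advisory, of Postfix or of MailScanner: a Python script that applies the `/[%!@].*[%!@]/` regexp to envelope addresses, the `/^errors-to:.*[%!@].*[%!@]/` rule to Errors-To headers, and scans mail log lines for `resolve_clnt_query: null recipient`. Postfix itself is not involved; the addresses and log lines are constructed for the example (192.0.2.10, the host names and the syslog layout are placeholders), and the point is to see exactly which address forms from the advisory the regexp catches and which it does not.

```python
import re

# Pattern from the advisory's recipient_regexp / sender_regexp tables: two or more
# of the routing operators %, ! or @ anywhere in the address.
SENDER_SPECIFIED_ROUTING = re.compile(r"[%!@].*[%!@]")

# Pattern from the advisory's header_checks table. Postfix regexp tables match
# case-insensitively unless told otherwise, hence re.IGNORECASE.
ERRORS_TO_ROUTING = re.compile(r"^errors-to:.*[%!@].*[%!@]", re.IGNORECASE)

# Log text the advisory says to look for after the queue manager has locked up.
NULL_RECIPIENT_MARKER = "resolve_clnt_query: null recipient"

REJECT_REPLY = "550 Sender-specified routing rejected"
ACCEPT_REPLY = "250 Ok"


def bare_address(envelope_address):
    """Strip the angle brackets of an SMTP envelope address such as '<a@b>'."""
    address = envelope_address.strip()
    if address.startswith("<") and address.endswith(">"):
        address = address[1:-1]
    return address


def routing_check(envelope_address):
    """The check_sender_access / check_recipient_access regexp lookup as one function.

    Returns (accepted, smtp_reply), the reply text being the one from the advisory.
    """
    if SENDER_SPECIFIED_ROUTING.search(bare_address(envelope_address)):
        return False, REJECT_REPLY
    return True, ACCEPT_REPLY


def errors_to_check(header_line):
    """The header_checks rule: True when the Errors-To header line is rejected."""
    return ERRORS_TO_ROUTING.search(header_line) is not None


def null_recipient_lines(maillog_lines):
    """Return the log lines carrying the stalled-queue indicator from section 1."""
    return [line for line in maillog_lines if NULL_RECIPIENT_MARKER in line]


# Constructed sample input. The first four addresses follow the shapes given in the
# advisory; 192.0.2.10 and the host names are placeholders, not real targets.
SAMPLE_ADDRESSES = [
    "<.!@local-server-name>",               # issue 1, queue-manager lockup form
    "<[192.0.2.10]:25!@local-host-name>",   # issue 2, bounce-scan form
    "user@bad.example@good.example",        # the relaying attempt the regexp closes
    "<.!>",                                 # issue 1, shortest form: one operator only
    "alice@example.com",                    # ordinary address
]

# Constructed log lines in a syslog-like layout; only the marker text is from the
# advisory, the daemon name, pid and client are made up for the example.
SAMPLE_MAILLOG = [
    "Aug  4 11:47:56 mx1 postfix/nqmgr[20684]: warning: resolve_clnt_query: null recipient",
    "Aug  4 11:47:57 mx1 postfix/smtpd[20691]: connect from client.example[192.0.2.77]",
]


def report():
    """Run every sample through the checks; returns the list of rejected addresses."""
    rejected = []
    for address in SAMPLE_ADDRESSES:
        accepted, reply = routing_check(address)
        print(f"{address:40s} -> {reply}")
        if not accepted:
            rejected.append(address)
    for line in null_recipient_lines(SAMPLE_MAILLOG):
        print("queue lockup indicator:", line)
    return rejected


if __name__ == "__main__":
    report()
```

Running it shows the two-operator forms (`<.!@local-server-name>`, the `[server_ip]:service!@...` bounce-scan address and `user@bad.domain@good.domain`) rejected with the 550, while `<.!>` on its own carries a single routing operator and passes the regexp. That form is what the append_dot_mydomain and resolve_dequoted_address settings in the advisory deal with; the regexp only closes the relaying loophole that resolve_dequoted_address=no opens, so the settings and the regexp are needed together.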
From: moliveri at UTI.COM (Mike Oliveri) Date: Thu Jan 12 21:19:10 2006 Subject: Exim makefile question Message-ID: <5.2.0.9.0.20030804144148.00a81ee8@mail211.pair.com> I've got yet another Exim question for the Exim gurus out there. Rather than continue to wrestle with the current Exim config and version I inherited, I'm starting from scratch with version 4.20. I've got the new book on the way and will consult it for most questions, but I do have a quick one related to setting up the Local/Makefile for use with Mailscanner: 1) I see under creating the configure file that I can create a colon-separated list. Would it be best to create that second configure file for Mailscanner here, or should I just copy it over per the Mailscanner instructions? The Makefile comments are somewhat vague as to whether this second file will really be created. 2) Same as above regarding the exim spool. If I need two spool directories, particularly with one (or both) a split spool, am I also able to put a colon-separated list of spool directories here? I understand Mailscanner needs to have the spool and split directories created before it gets fired up for the first time -- are those directories created by what's found in this makefile? Or is there another script to be run later that will create the second spool and split directories, say following the initial make and make install? 3) I've also offloaded the logfiles from the Exim spool directory to their own log directory. Is that wise with two separate config files or is it best to just leave them be? In other words, will instances of Exim run by the respective configure files write to their own logs, or will they play nice and all Exim logs just write to the same place? Thanks! Take care, Mike Oliveri UTI Systems, Inc moliveri@uti.com From splee at PLEXIO.COM Mon Aug 4 21:04:54 2003 
From: splee at PLEXIO.COM (Stephen Lee) Date: Thu Jan 12 21:19:10 2006 Subject: Sweep and .zip In-Reply-To: <5.2.1.1.2.20030804195801.0267be60@imap.ecs.soton.ac.uk> References: <5.2.1.1.2.20030804195801.0267be60@imap.ecs.soton.ac.uk> Message-ID: <1060027493.6574.65.camel@ralph.plexio.private> I believe MS/Sophos has been able to do this for quite a while. You can test this with the test viruses eicar.zip and eicar2.zip. Stephen On Mon, 2003-08-04 at 11:58, Julian Field wrote: > Yes, it adds the "-archive" switch which tells it to scan all archive > files. > > At 17:54 04/08/2003, you wrote: > > In order to have Sophos sweep scan and get inside of .zip files, you > > have to run > > > > sweep -zip filename.zip > > > > > > How do you have sweep scan .zip and other compressed files when > > called from Mailscanner? > > > > > > > > Thank you, > > > > David > > > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support From dbaker at dkburnap.com Mon Aug 4 21:08:27 2003 From: dbaker at dkburnap.com (David Baker) Date: Thu Jan 12 21:19:10 2006 Subject: Sweep and .zip In-Reply-To: <1060027493.6574.65.camel@ralph.plexio.private> Message-ID: <20030804200849.BC7FD5A335@mail01.nap.dkbhosting.net> In my older version of Mailscanner (3.x) I had to edit the mailscanner.conf line to have sweep -archive and in the newer version (4.x) I edited /usr/local/lib/Mailscanner/sophos-wrapper.pl file to contain $prog -archive in the bottom exec call. Once I did that and restarted Mailscanner, both versions are now detecting any compressed file format. Thanks, David -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Stephen Lee Sent: Monday, August 04, 2003 4:05 PM To: MAILSCANNER@JISCMAIL.AC.UK I believe MS/Sophos has been able to do this for quite a while. You can test this with the test viruses eicar.zip and eicar2.zip. Stephen On Mon, 2003-08-04 at 11:58, Julian Field wrote: > Yes, it adds the "-archive" switch which tells it to scan all archive > files. > > At 17:54 04/08/2003, you wrote: > > In order to have Sophos sweep scan and get inside of .zip files, you > > have to run > > > > sweep -zip filename.zip > > > > > > How do you have sweep scan .zip and other compressed files when > > called from Mailscanner? > > > > > > > > Thank you, > > > > David > > > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz MailScanner > thanks transtec Computers for their support -- This message has been scanned for viruses and dangerous content From brent at MIRABITO.COM Mon Aug 4 21:15:07 2003 From: brent at MIRABITO.COM (Brent Strignano) Date: Thu Jan 12 21:19:10 2006 Subject: SQL Redux Message-ID: <62E46E0C3CB8024C807447814E1B20A501CCAC@granitemail.mirabito.com> If the end result is to get the items into an SQL database I think each method would be very similar overall, as long as the database connection isn't closed at the end of each message logging operation. The batch method would need to do an extra operation at the end to parse the log and do an insert per line when the child process shuts down. The real-time method would have more to do at message arrival, but since the operation needs to be performed anyway it seems to me to be a matter of procrastination, do a little now or a LOT later. Again as long as the database connection doesn't have to be reestablished for each message. Just a thought... Brent Strignano System Administrator Granite Capital Holdings Sidney, NY USA -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Monday, August 04, 2003 2:48 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: SQL Redux At 14:29 04/08/2003, you wrote: >If there's really no performance hit to logging after every email >instead of in batches, I'll see about changing my code to do it that >way too. Nothing worse than having to wait for all of the children to >finish logging before I can do a full restart of MailScanner. There must be a significant performance hit. In one case you are just appending a line to a file. In the other case you are adding a record to a database table and updating various indices. This *has* to be a much bigger operation than just adding 1 line to a file. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From gml at ADVANCEVPN.COM Mon Aug 4 21:19:31 2003 From: gml at ADVANCEVPN.COM (=?iso-8859-1?Q?Mikael_L=F6nnroth?=) Date: Thu Jan 12 21:19:10 2006 Subject: Blacklist header scanning References: <5.2.1.1.2.20030804112605.025d6ec8@imap.ecs.soton.ac.uk> <024f01c35a75$b1d84500$121b7d0a@MIKAELHOME> <3F2E67F3.6070100@pacific.net> Message-ID: <044e01c35ac5$b6d0f2f0$121b7d0a@MIKAELHOME> 
From: "Ken Anderson" > Mikael Lönnroth wrote: > > Clients like Outlook Express use header information only so it gets a bit > > confusing for the blacklist admin. Looks like I have to look at the code > > myself then :-) > If you really want to use blacklists for spam protection, you'd probably > need to create a system so that a user could simply forward an email to > a script or a human that could determine the original envelope FROM, > based on the mail log. Here is an easier way actually (which probably is in no way within the guidelines of either perl or MailScanner coding). It includes the real from as a part of the information header value. Information Header Value = Real from is: %f Message.pm patch (4.13-3): 620a621 > $infovalue =~ s/%f/$this->{from}/; 1508a1510 > $infovalue =~ s/%f/$this->{from}/; 1623a1626 > $infovalue =~ s/%f/$this->{from}/; Regards, Mikael Lönnroth From richard at HELPPLC.COM Mon Aug 4 21:53:39 2003 From: richard at HELPPLC.COM (Richard Sidlin) Date: Thu Jan 12 21:19:10 2006 Subject: Sophos Update Message-ID: <002101c35aca$7e7c12e0$0b01a8c0@rich> I have just downloaded and installed the latest Sophos engine from their website. When I ran the install, I got the following error: Aug 4 21:01:02 ns2 Sophos-autoupdate[6540]: Your Sophos installation may be too old. Please install the latest release of Sophos Aug 4 21:01:02 ns2 Sophos-autoupdate[6540]: Lynx failed with error return 1 Any ideas anyone? Richard -- This message has been scanned for viruses and dangerous content by the Help Internet Virus Spam Defence, and is believed to be clean. For details on having your email scanned email support@helpinternet.co.uk From raymond at PROLOCATION.NET Mon Aug 4 22:01:26 2003 
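Review bot: on the Message.pm patch above, the three one-line hunks (620a621, 1508a1510, 1623a1626) add the identical `$infovalue =~ s/%f/$this->{from}/;` at three separate sites; factoring the `%f` expansion into one routine called from all three places would keep the next token from being added in only two of them. Separately, `$this->{from}` is the envelope sender supplied by the remote client, so before it is written into the Information Header value it should be checked for characters that would break the header, CR and LF in particular; as written, the header value is only as well-formed as whatever the sender put in MAIL FROM.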
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:10 2006 Subject: Sophos Update In-Reply-To: <002101c35aca$7e7c12e0$0b01a8c0@rich> Message-ID: Hi! > I have just downloaded and installed the latest Sophos engine from their > website. When I ran the install, I got the following error: > > Aug 4 21:01:02 ns2 Sophos-autoupdate[6540]: Your Sophos installation > may be too old. Please install the latest release of Sophos > Aug 4 21:01:02 ns2 Sophos-autoupdate[6540]: Lynx failed with error > return 1 Do you actually have lynx installed ? Bye, Raymond. From richard at HELPPLC.COM Mon Aug 4 22:06:05 2003 From: richard at HELPPLC.COM (Richard Sidlin) Date: Thu Jan 12 21:19:10 2006 Subject: Sophos Update In-Reply-To: Message-ID: <002701c35acc$3800ca70$0b01a8c0@rich> >Subject: Re: Sophos Update > > >Hi! > >> I have just downloaded and installed the latest Sophos engine from >> their website. When I ran the install, I got the following error: >> >> Aug 4 21:01:02 ns2 Sophos-autoupdate[6540]: Your Sophos >installation >> may be too old. Please install the latest release of Sophos Aug 4 >> 21:01:02 ns2 Sophos-autoupdate[6540]: Lynx failed with error return 1 > >Do you actually have lynx installed ? > >Bye, >Raymond. > Is this something new? Richard -- This message has been scanned for viruses and dangerous content by the Help Internet Virus Spam Defence, and is believed to be clean. For details on having your email scanned email support@helpinternet.co.uk From mailscanner at ecs.soton.ac.uk Mon Aug 4 22:07:01 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:10 2006 Subject: Sophos Update In-Reply-To: <002101c35aca$7e7c12e0$0b01a8c0@rich> Message-ID: <5.2.1.1.2.20030804220638.03a29cf0@imap.ecs.soton.ac.uk> At 21:53 04/08/2003, you wrote: >I have just downloaded and installed the latest Sophos engine from their >website. When I ran the install, I got the following error: > >Aug 4 21:01:02 ns2 Sophos-autoupdate[6540]: Your Sophos installation >may be too old. Please install the latest release of Sophos >Aug 4 21:01:02 ns2 Sophos-autoupdate[6540]: Lynx failed with error >return 1 Works okay for me, so they haven't changed anything drastic in 3.72. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From Steve at swaney.com Mon Aug 4 22:07:58 2003 
From: Steve at swaney.com (Stephen Swaney) Date: Thu Jan 12 21:19:10 2006 Subject: Sophos Update In-Reply-To: <002101c35aca$7e7c12e0$0b01a8c0@rich> References: <002101c35aca$7e7c12e0$0b01a8c0@rich> Message-ID: <1060031278.8968.5.camel@speedy> Richard, I believe that after about 3 months, you need to download the full Sophos Distribution. Julian has provided a script to do this: /usr/sbin/MajorSophos.sh You'll need to modify this script to add your Sophos username and password. Steve Steve@Swaney.com On Mon, 2003-08-04 at 16:53, Richard Sidlin wrote:Richard, > I have just downloaded and installed the latest Sophos engine from their > website. When I ran the install, I got the following error: > > Aug 4 21:01:02 ns2 Sophos-autoupdate[6540]: Your Sophos installation > may be too old. Please install the latest release of Sophos > Aug 4 21:01:02 ns2 Sophos-autoupdate[6540]: Lynx failed with error > return 1 > > Any ideas anyone? > > > Richard > > > > -- > This message has been scanned for viruses and dangerous content by the Help Internet Virus Spam Defence, and is > believed to be clean. For details on having your email scanned email support@helpinternet.co.uk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- Postmaster@FSL.com Fortress Systems, Ltd. Email Gateways info@FSL.com www.FSL.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030804/4aaf06a5/attachment.html From raymond at PROLOCATION.NET Mon Aug 4 22:11:04 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:10 2006 Subject: Sophos Update In-Reply-To: <002701c35acc$3800ca70$0b01a8c0@rich> Message-ID: Hi! > >> may be too old. Please install the latest release of Sophos Aug 4 > >> 21:01:02 ns2 Sophos-autoupdate[6540]: Lynx failed with error return 1 > >Do you actually have lynx installed ? > Is this something new? Type: which lynx Or simply: lynx To see if you have it installed. Bye, Raymond. From richard at HELPPLC.COM Mon Aug 4 22:13:02 2003 From: richard at HELPPLC.COM (Richard Sidlin) Date: Thu Jan 12 21:19:10 2006 Subject: Sophos Update In-Reply-To: <1060031278.8968.5.camel@speedy> Message-ID: <002b01c35acd$34f28390$0b01a8c0@rich> Isn't that the linux.intel.libc6.tar.Z file? Richard -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Stephen Swaney Sent: 04 August 2003 22:08 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Sophos Update Richard, I believe that after about 3 months, you need to download the full Sophos Distribution. Julian has provided a script to do this: /usr/sbin/MajorSophos.sh You'll need to modify this script to add your Sophos username and password. Steve Steve@Swaney.com On Mon, 2003-08-04 at 16:53, Richard Sidlin wrote:Richard, I have just downloaded and installed the latest Sophos engine from their website. When I ran the install, I got the following error: Aug 4 21:01:02 ns2 Sophos-autoupdate[6540]: Your Sophos installation may be too old. Please install the latest release of Sophos Aug 4 21:01:02 ns2 Sophos-autoupdate[6540]: Lynx failed with error return 1 Any ideas anyone? Richard -- This message has been scanned for viruses and dangerous content by the Help Internet Virus Spam Defence, and is believed to be clean. For details on having your email scanned email support@helpinternet.co.uk -- This message has been scanned for viruses and dangerous content by Fortress Systems, Ltd., and is believed to be clean. -- This message has been scanned for viruses and dangerous content by the Help Internet Virus Spam Defence, and is believed to be clean. For details on having your email scanned email support@helpinternet.co.uk -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030804/79e23623/attachment.html From richard at HELPPLC.COM Mon Aug 4 22:15:05 2003 From: richard at HELPPLC.COM (Richard Sidlin) Date: Thu Jan 12 21:19:10 2006 Subject: Sophos Update In-Reply-To: Message-ID: <003201c35acd$7cc8dd40$0b01a8c0@rich> Can't Access `file://localhost/usr/doc/HTML/index.html' Alert!: Unable to access document. lynx: Can't access startfile Richard >-----Original Message----- 
>From: MailScanner mailing list >[mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Raymond Dijkxhoorn >Sent: 04 August 2003 22:11 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Sophos Update > > >Hi! > >> >> may be too old. Please install the latest release of >Sophos Aug 4 >> >> 21:01:02 ns2 Sophos-autoupdate[6540]: Lynx failed with >error return >> >> 1 > >> >Do you actually have lynx installed ? > >> Is this something new? > >Type: which lynx > >Or simply: lynx > >To see if you have it installed. > >Bye, >Raymond. > >-- >This message has been scanned for viruses and dangerous >content by the Help Internet Virus Spam Defence, and is >believed to be clean. For details on having your email scanned >email support@helpinternet.co.uk > > -- This message has been scanned for viruses and dangerous content by the Help Internet Virus Spam Defence, and is believed to be clean. For details on having your email scanned email support@helpinternet.co.uk From mailscanner at ecs.soton.ac.uk Mon Aug 4 22:16:30 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:10 2006 Subject: Sophos Update In-Reply-To: <002b01c35acd$34f28390$0b01a8c0@rich> References: <1060031278.8968.5.camel@speedy> Message-ID: <5.2.1.1.2.20030804221549.03bab590@imap.ecs.soton.ac.uk> At 22:13 04/08/2003, you wrote: >Isn't that the linux.intel.libc6.tar.Z file? Yes. If you have downloaded that file to, say, /tmp, then you need to do cd /tmp Sophos.install and it will install and update that version. >Richard > >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of Stephen Swaney >Sent: 04 August 2003 22:08 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Sophos Update > >Richard, > >I believe that after about 3 months, you need to download the full Sophos >Distribution. Julian has provided a script to do this: >/usr/sbin/MajorSophos.sh > >You'll need to modify this script to add your Sophos username and password. > >Steve >Steve@Swaney.com > >On Mon, 2003-08-04 at 16:53, Richard Sidlin wrote:Richard, >> >>I have just downloaded and installed the latest Sophos engine from their >>website. When I ran the install, I got the following error: >> >>Aug 4 21:01:02 ns2 Sophos-autoupdate[6540]: Your Sophos installation >>may be too old. Please install the latest release of Sophos >>Aug 4 21:01:02 ns2 Sophos-autoupdate[6540]: Lynx failed with error >>return 1 >> >>Any ideas anyone? >> >> >>Richard >> >> >> >>-- >>This message has been scanned for viruses and dangerous content by the >>Help Internet Virus Spam Defence, and is >>believed to be clean. For details on having your email scanned email >>support@helpinternet.co.uk > >-- >This message has been scanned for viruses and >dangerous content by Fortress Systems, Ltd., and is >believed to be clean. > > >-- >This message has been scanned for viruses and dangerous content by the >Help Internet Virus Spam Defence, and is >believed to be clean. For details on having your email scanned email >support@helpinternet.co.uk -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030804/fc4b0076/attachment.html From mike at CAMAROSS.NET Mon Aug 4 22:20:11 2003 
From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:19:10 2006 Subject: Sophos Update In-Reply-To: <002101c35aca$7e7c12e0$0b01a8c0@rich> Message-ID: <000801c35ace$311246b0$9c01a8c0@home.middlefinger.net> Did you install Sophos using Julian's installation script? Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Richard Sidlin Sent: Monday, August 04, 2003 3:54 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Sophos Update I have just downloaded and installed the latest Sophos engine from their website. When I ran the install, I got the following error: Aug 4 21:01:02 ns2 Sophos-autoupdate[6540]: Your Sophos installation may be too old. Please install the latest release of Sophos Aug 4 21:01:02 ns2 Sophos-autoupdate[6540]: Lynx failed with error return 1 Any ideas anyone? Richard -- This message has been scanned for viruses and dangerous content by the Help Internet Virus Spam Defence, and is believed to be clean. For details on having your email scanned email support@helpinternet.co.uk From mailscanner at ecs.soton.ac.uk Mon Aug 4 22:18:13 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:10 2006 Subject: Sophos Update In-Reply-To: <003201c35acd$7cc8dd40$0b01a8c0@rich> References: Message-ID: <5.2.1.1.2.20030804221745.039e1eb0@imap.ecs.soton.ac.uk> At 22:15 04/08/2003, you wrote: >Can't Access `file://localhost/usr/doc/HTML/index.html' >Alert!: Unable to access document. > >lynx: Can't access startfile In which case it's installed. You should be able to do lynx www.sophos.co.uk quite happily. >Richard > > >-----Original Message----- 
> >From: MailScanner mailing list
> >[mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Raymond Dijkxhoorn
> >Sent: 04 August 2003 22:11
> >To: MAILSCANNER@JISCMAIL.AC.UK
> >Subject: Re: Sophos Update
> >
> >Hi!
> >
> >> >> may be too old. Please install the latest release of Sophos
> >> >> Aug 4 21:01:02 ns2 Sophos-autoupdate[6540]: Lynx failed with
> >> >> error return 1
> >
> >> >Do you actually have lynx installed ?
> >
> >> Is this something new?
> >
> >Type: which lynx
> >
> >Or simply: lynx
> >
> >To see if you have it installed.
> >
> >Bye,
> >Raymond.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From raymond at PROLOCATION.NET Mon Aug 4 22:19:58 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:10 2006
Subject: Sophos Update
In-Reply-To: <5.2.1.1.2.20030804221745.039e1eb0@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> >lynx: Can't access startfile
>
> In which case it's installed. You should be able to do
>    lynx www.sophos.co.uk
> quite happily.

Exactly, only strange the error level that's reported...

Bye,
Raymond.

From richard at HELPPLC.COM Mon Aug 4 23:06:52 2003
From: richard at HELPPLC.COM (Richard Sidlin)
Date: Thu Jan 12 21:19:10 2006
Subject: Sophos Update
In-Reply-To: <5.2.1.1.2.20030804221549.03bab590@imap.ecs.soton.ac.uk>
Message-ID: <003501c35ad4$ba04cff0$0b01a8c0@rich>

I downloaded the file again. I had a look inside the archive and most of the
files are dated mid July. This is what happened when I ran the script:

[root /root]# cd /tmp
[root /tmp]# /usr/sbin/Sophos.install
Clearing out old default Sophos installation libraries
Uncompressing Sophos distribution
/usr/sbin/Sophos.install: uncompress: command not found
Installing Sophos for MailScanner
Sophos Anti-Virus installation utility [Linux/Intel]
Copyright (c) 1998,2001 Sophos Plc, Oxford, England

Binaries will be installed in '/usr/local/Sophos/bin'
Libraries will be installed in '/usr/local/Sophos/lib'
Manual pages will be installed in '/usr/local/Sophos/man'
Virus data will be installed in '/usr/local/Sophos/lib'

SWEEP will be installed
InterCheck will not be installed

===> Installing binaries
sweep copied to /usr/local/Sophos/bin/sweep

===> Installing shared library
libsavi.so.2.2.03.098 copied to /usr/local/Sophos/lib/libsavi.so.2.2.03.098
libsavi.so.2.2.03.098 symlinked to /usr/local/Sophos/lib/libsavi.so.2
ldconfig /usr/local/Sophos/lib

===> Installing virus data
vdl-3.66.dat copied to /usr/local/Sophos/lib/vdl-3.66.dat
vdl-3.66.dat symlinked to /usr/local/Sophos/lib/vdl.dat
Adjusting /etc/sav.conf

===> Installing manual pages
sweep.1 copied to /usr/local/Sophos/man/man1/sweep.1

===> Checking paths are accessible
Warning: $PATH does not include /usr/local/Sophos/bin
         To run Sophos Anti-Virus you need to set environment variable $PATH so
         that it includes /usr/local/Sophos/bin.

Warning: Neither $LD_LIBRARY_PATH nor /etc/ld.so.conf include
         /usr/local/Sophos/lib.
         You need to either include an entry for /usr/local/Sophos/lib in
         /etc/ld.so.conf, or set environment variable $LD_LIBRARY_PATH to
         include /usr/local/Sophos/lib or you will not be able to use Sophos
         Anti-Virus.

         Manual path is OK
Some environment variables may need to be set on your system. To make these
settings permanent, add them to your login script or profile; to make these
settings systemwide, amend /etc/login or /etc/profile.
===> Installation complete <===
Creating links so Perl-SAVI module compiles

Fetching latest IDE virus identities from www.sophos.com
Your Sophos installation may be too old. Please install the latest release
of SophosLynx failed with error return 1
, Bad file descriptor at /usr/lib/MailScanner/sophos-autoupdate line 94.
Done.

Richard

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf
Of Julian Field
Sent: 04 August 2003 22:17
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Sophos Update

At 22:13 04/08/2003, you wrote:
>Isn't that the linux.intel.libc6.tar.Z file?

Yes. If you have downloaded that file to, say, /tmp, then you need to do
   cd /tmp
   Sophos.install
and it will install and update that version.

>Richard
>
>-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf
Of Stephen Swaney
Sent: 04 August 2003 22:08
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Sophos Update

Richard,

I believe that after about 3 months, you need to download the full Sophos
Distribution. Julian has provided a script to do this:
/usr/sbin/MajorSophos.sh

You'll need to modify this script to add your Sophos username and password.

Steve
Steve@Swaney.com

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030804/6b8fa8c1/attachment.html

From ka at PACIFIC.NET Tue Aug 5 00:22:39 2003
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:19:10 2006
Subject: A bit OT: Cut off address probes?
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF0C0754@inex1.herffjones.hj-int>
References: <8FFC76593085ED4A80D3601BC41EFCDF0C0754@inex1.herffjones.hj-int>
Message-ID: <3F2EEABF.8020002@pacific.net>

Furnish, Trever G wrote:
> This is probably a bit off-topic, and I hope it's not a faq somewhere
> already - feel free to yell at me constructively if so. :-)
>
> Is there a way to configure sendmail (or whatever) such that "address
> probes" are less effective and intrusive? I could imagine how the process
> might work, but I've never coded a milter and am hoping someone else has
> done this or will tell me why it would be a bad idea.
>
> By address probe, I mean connections that either:
> 1. Ask the receiving mta to accept a message for one invalid address
> after another despite repeated negative responses from the receiving mta.
> Something that amounts to "Is bob valid?" ... "no" ... "Well, what about
> tom?" ... "no" ... "Frank?" ... etc.

See http://www.sendmail.org/m4/tweaking_config.html#confBAD_RCPT_THROTTLE

> 2. Send a message with many recipients at the same server, learning
> those that don't bounce.
>
> Completely blocking "no such user" responses seems like a bad idea, but
> ignoring someone who attempted delivery to X number of invalid addresses
> within Y seconds seems like a good idea. But how can the first-line MTA
> know whether or not an address is invalid?

You have to tell it. Use access db with blacklist recipients. See:
http://www.sendmail.org/m4/features.html#blacklist_recipients

Ken

> Has anyone set up or read of such a system? Perhaps a sendmail milter that
> looks up recipient addresses in a flat file or via ldap before accepting the
> message?
>
> --
> Trever
>

From lists at STHOMAS.NET Tue Aug 5 00:28:20 2003
From: lists at STHOMAS.NET (Steve Thomas)
Date: Thu Jan 12 21:19:10 2006
Subject: A bit OT: Cut off address probes?
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF0C0754@inex1.herffjones.hj-int>; from TGFurnish@HERFF-JONES.COM on Mon, Aug 04, 2003 at 06:08:28PM -0500
References: <8FFC76593085ED4A80D3601BC41EFCDF0C0754@inex1.herffjones.hj-int>
Message-ID: <20030804162820.A32056@sthomas.net>

On Mon, Aug 04, 2003 at 06:08:28PM -0500, Furnish, Trever G is rumored to have said:
>
> Is there a way to configure sendmail (or whatever) such that "address
> probes" are less effective and intrusive? I could imagine how the process
> ...
> By address probe, I mean connections that either:
> 1. Ask the receiving mta to accept a message for one invalid address
> after another despite repeated negative responses from the receiving mta.
> Something that amounts to "Is bob valid?" ... "no" ... "Well, what about
> tom?" ... "no" ... "Frank?" ... etc.

In your sendmail.mc, put:

    define(`confBAD_RCPT_THROTTLE',`5')

Replace the 5 with the number of bad RCPT TOs you'd like to start
throttling at. For instance, in my setup, it'll start throttling the
connection if 5 invalid recipients are specified in the same SMTP session.

This works by delaying one second before issuing the unknown user
response. I wasn't happy with that, as the spamware just kept banging
away at it anyway, so I dug around in the source and upped the delay to
15 seconds. The dictionary attacks have all but stopped now. I used to
get thousands of "unknown user" lines in my log each day - now I have
about 10-15. :)

--
"Reality is merely an illusion, albeit a very persistent one."
- Albert Einstein (1879-1955)

From raymond at PROLOCATION.NET Tue Aug 5 00:32:35 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:10 2006
Subject: A bit OT: Cut off address probes?
In-Reply-To: <20030804162820.A32056@sthomas.net>
Message-ID:

Hi!

> This works by delaying one second before issuing the unknown user
> response. I wasn't happy with that, as the spamware just kept banging
> away at it anyway, so I dug around in the source and upped the delay to
> 15 seconds. The dictionary attacks have all but stopped now. I used
> to get thousands of "unknown user" lines in my log each day - now I have
> about 10-15. :)

I had a dictionary attack today that was somehow smarter. It seems they
were using a distributed system, there were 612 different hosts involved.
Aargl.

Bye,
Raymond.

From lists at STHOMAS.NET Tue Aug 5 00:41:12 2003
From: lists at STHOMAS.NET (Steve Thomas)
Date: Thu Jan 12 21:19:10 2006
Subject: A bit OT: Cut off address probes?
Message-ID: <20030804164112.B32415@sthomas.net>

On Tue, Aug 05, 2003 at 01:32:35AM +0200, Raymond Dijkxhoorn is rumored to have said:
>
> I had a dictionary attack today that was somehow smarter. It seems they
> were using a distributed system, there were 612 different hosts involved.
>

Oy vey.

--
"We don't like their sound, and guitar music is on the way out."
- Decca Recording Co. rejecting the Beatles, 1962

From raymond at PROLOCATION.NET Tue Aug 5 00:47:21 2003
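Steve's confBAD_RCPT_THROTTLE setting only counts bad RCPT TOs within one SMTP session, so it cannot see the shape Raymond describes, where hundreds of hosts each try a handful of addresses. The following is an added example, not code from anyone on this thread nor from sendmail or MailScanner, that reads sendmail-style "User unknown" rejection lines and flags both shapes: a single relay that exceeds the per-session threshold, and a set of relays that each stay under it but together probe many distinct recipients inside one time window. The log lines are constructed (documentation IP ranges), and the exact line layout matched by the regex is an assumption; real sendmail output varies with the ruleset and logging level, so adjust the pattern to your own log before relying on it.

```python
"""Flag SMTP address probes in sendmail-style logs (added example, constructed data)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: one relay hammering five bad addresses in two seconds,
# then six relays each rejected once within half a minute (the distributed
# pattern), then one lone typo hours later that should not be flagged.
SAMPLE_LOG = """\
Aug  5 00:10:01 mx1 sendmail[2001]: h750A1aa002001: ruleset=check_rcpt, arg1=<bob@example.org>, relay=[192.0.2.10], reject=550 5.1.1 <bob@example.org>... User unknown
Aug  5 00:10:02 mx1 sendmail[2001]: h750A1aa002001: ruleset=check_rcpt, arg1=<tom@example.org>, relay=[192.0.2.10], reject=550 5.1.1 <tom@example.org>... User unknown
Aug  5 00:10:02 mx1 sendmail[2001]: h750A1aa002001: ruleset=check_rcpt, arg1=<frank@example.org>, relay=[192.0.2.10], reject=550 5.1.1 <frank@example.org>... User unknown
Aug  5 00:10:03 mx1 sendmail[2001]: h750A1aa002001: ruleset=check_rcpt, arg1=<amy@example.org>, relay=[192.0.2.10], reject=550 5.1.1 <amy@example.org>... User unknown
Aug  5 00:10:03 mx1 sendmail[2001]: h750A1aa002001: ruleset=check_rcpt, arg1=<zoe@example.org>, relay=[192.0.2.10], reject=550 5.1.1 <zoe@example.org>... User unknown
Aug  5 00:20:11 mx1 sendmail[2101]: h750K1aa002101: ruleset=check_rcpt, arg1=<carl@example.org>, relay=[198.51.100.7], reject=550 5.1.1 <carl@example.org>... User unknown
Aug  5 00:20:14 mx1 sendmail[2102]: h750K1aa002102: ruleset=check_rcpt, arg1=<dana@example.org>, relay=[198.51.100.8], reject=550 5.1.1 <dana@example.org>... User unknown
Aug  5 00:20:19 mx1 sendmail[2103]: h750K1aa002103: ruleset=check_rcpt, arg1=<eric@example.org>, relay=[198.51.100.9], reject=550 5.1.1 <eric@example.org>... User unknown
Aug  5 00:20:25 mx1 sendmail[2104]: h750K1aa002104: ruleset=check_rcpt, arg1=<fay@example.org>, relay=[198.51.100.10], reject=550 5.1.1 <fay@example.org>... User unknown
Aug  5 00:20:31 mx1 sendmail[2105]: h750K1aa002105: ruleset=check_rcpt, arg1=<gus@example.org>, relay=[198.51.100.11], reject=550 5.1.1 <gus@example.org>... User unknown
Aug  5 00:20:40 mx1 sendmail[2106]: h750K1aa002106: ruleset=check_rcpt, arg1=<hal@example.org>, relay=[198.51.100.12], reject=550 5.1.1 <hal@example.org>... User unknown
Aug  5 03:05:00 mx1 sendmail[2300]: h7535aa002300: ruleset=check_rcpt, arg1=<typo@example.org>, relay=[203.0.113.5], reject=550 5.1.1 <typo@example.org>... User unknown
"""

# Assumed line shape (syslog prefix, queue id, check_rcpt rejection); adjust for your logs.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \S+: "
    r"ruleset=check_rcpt, arg1=<(?P<rcpt>[^>]+)>, relay=[^,]*\[(?P<ip>[\d.]+)\], "
    r"reject=550 5\.1\.1 <[^>]+>\.\.\. User unknown$"
)


def parse_rejections(text, year=2003):
    """Return sorted (timestamp, relay_ip, recipient) tuples; syslog lines carry no year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
            events.append((ts, m["ip"], m["rcpt"].lower()))
    return sorted(events)


def detect_probes(events, per_host=5, window=600, min_hosts=5):
    """per_host mirrors the confBAD_RCPT_THROTTLE count; window is in seconds.

    noisy_hosts: relays with >= per_host rejections inside one window.
    distributed_hosts: relays that individually stay below per_host but, together
    with at least min_hosts others in the same window, probe >= min_hosts recipients.
    """
    noisy = set()
    recent = defaultdict(deque)
    for ts, ip, _ in events:
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= per_host:
            noisy.add(ip)

    distributed = set()
    start = 0
    for end, (ts, _, _) in enumerate(events):
        while (ts - events[start][0]).total_seconds() > window:
            start += 1
        window_events = events[start:end + 1]
        per_ip = defaultdict(int)
        for _, ip, _ in window_events:
            per_ip[ip] += 1
        quiet = {ip for ip, n in per_ip.items() if n < per_host}
        recipients = {rcpt for _, _, rcpt in window_events}
        if len(quiet) >= min_hosts and len(recipients) >= min_hosts:
            distributed |= quiet
    return {"noisy_hosts": noisy, "distributed_hosts": distributed}


if __name__ == "__main__":
    report = detect_probes(parse_rejections(SAMPLE_LOG))
    for kind, hosts in report.items():
        print(kind, sorted(hosts))
```

On the sample the single loud relay is reported as noisy, the six quiet relays are reported together as a distributed probe, and the lone typo is ignored. The thresholds are deliberately parameters: a mail gateway for many domains will see more legitimate unknown-user rejections than a single-domain box, so tune per_host and min_hosts against a normal day's log before acting on the output.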
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:10 2006
Subject: A bit OT: Cut off address probes?
In-Reply-To: <20030804164112.B32415@sthomas.net>
Message-ID:

Hi!

> > I had a dictionary attack today that was somehow smarter. It seems they
> > were using a distributed system, there were 612 different hosts involved.
> >
>
> Oy vey.

If people want to have the list with IPs used I can post them. To avoid
similar issues on your own server. The servers I checked out, tried 50 or
so, were either hacked or open relays, so I don't expect any regular mail
from them anyway. I simply blocked them.

Bye,
Raymond

From mike at CAMAROSS.NET Tue Aug 5 01:25:10 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:10 2006
Subject: Sophos Update
In-Reply-To: <003501c35ad4$ba04cff0$0b01a8c0@rich>
Message-ID: <001601c35ae8$082daef0$9c01a8c0@home.middlefinger.net>

Is unzip installed?

-----Original Message-----
From lists at STHOMAS.NET Tue Aug 5 02:04:14 2003
From: lists at STHOMAS.NET (Steve Thomas)
Date: Thu Jan 12 21:19:10 2006
Subject: A bit OT: Cut off address probes?
In-Reply-To: ; from raymond@PROLOCATION.NET on Tue, Aug 05, 2003 at 01:47:21AM +0200
References: <20030804164112.B32415@sthomas.net>
Message-ID: <20030804180414.B2187@sthomas.net>

On Tue, Aug 05, 2003 at 01:47:21AM +0200, Raymond Dijkxhoorn is rumored to have said:
>
> If people want to have the list with IPs used I can post them. To avoid

I'd like to have that list. You can send it offlist if you like.

Thanks!

--
"People demand freedom of speech to make up for the freedom of thought
which they avoid."
- Soren Aabye Kierkegaard (1813-1855)

From lyons at DIGITALVOODOO.ORG Tue Aug 5 02:28:30 2003
From: lyons at DIGITALVOODOO.ORG (Timothy M. Lyons)
Date: Thu Jan 12 21:19:10 2006
Subject: A bit OT: Cut off address probes?
In-Reply-To:
Message-ID:

Did you submit the open relays to ORDB or one of the other blacklists for
further testing / listing? ORDB is probably the easiest as it allows for
batch submissions.

--Tim

On Tue, 5 Aug 2003 at 01:47 +0200 Raymond Dijkxhoorn was heard to utter:

RD> If people want to have the list with IPs used I can post them. To avoid
RD> similar issues on your own server. The servers I checked out, tried 50
RD> or so, were either hacked or open relays, so I don't expect any regular
RD> mail from them anyway. I simply blocked them.
RD>

--
This message has been scanned for viruses and dangerous content by
MailScanner/Sophos on mail.digitalvoodoo.org and is believed to be clean.
--

From mkipness at GENIANT.COM Tue Aug 5 03:31:21 2003
From: mkipness at GENIANT.COM (Max Kipness)
Date: Thu Jan 12 21:19:10 2006
Subject: Admin email
Message-ID: <036A6BCC9FD10749AD3CE32255AF49A6017CF82A@dalsxc01.geniant.net>

Hello -

My company hosts quite a few domains, and last Friday we started getting
emails admin@ourdomains.com with an attachment: message.zip. The
attachment seems to make it through Fprot and Sophos ok, and I haven't
even bothered to open it and see what it is. My question is whether I
could add a rule in spam.blacklist.rules like:

admin@*

Will this work without issue?

Thanks,
Max

From Steve at swaney.com Tue Aug 5 03:48:35 2003
From: Steve at swaney.com (Stephen Swaney)
Date: Thu Jan 12 21:19:10 2006
Subject: Admin email
In-Reply-To: <036A6BCC9FD10749AD3CE32255AF49A6017CF82A@dalsxc01.geniant.net>
References: <036A6BCC9FD10749AD3CE32255AF49A6017CF82A@dalsxc01.geniant.net>
Message-ID: <1060051715.8968.18.camel@speedy>

Max,

Sophos picked it up fine here. I believe the relevant Sophos file came in 8/2:

2 Aug 1 16:34 maila.ide

What version of MailScanner are you running? There was a thread on the list
today regarding the flags passed to Sophos. Newer versions of MailScanner
pass the -archive to sweep. This appears to fix the problem. You can check
the list archives for "-archive".

You are running sophossavi - right?

Hope this helps,

Steve
Steve@Swaney.com

On Mon, 2003-08-04 at 22:31, Max Kipness wrote:
> Hello -
>
> My company hosts quite a few domains, and last Friday we started getting
> emails admin@ourdomains.com with an attachment: message.zip. The
> attachment seems to make it through Fprot and Sophos ok, and I haven't
> even bothered to open it and see what it is. My question is whether I
> could add a rule in spam.blacklist.rules like:
>
> admin@*
>
> Will this work without issue?
>
> Thanks,
> Max

--
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.

--
Postmaster@FSL.com
Fortress Systems, Ltd.
Email Gateways
info@FSL.com
www.FSL.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030804/a0293268/attachment.html

From TGFurnish at HERFF-JONES.COM Tue Aug 5 00:08:28 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:10 2006
Subject: A bit OT: Cut off address probes?
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C0754@inex1.herffjones.hj-int>

This is probably a bit off-topic, and I hope it's not a faq somewhere
already - feel free to yell at me constructively if so. :-)

Is there a way to configure sendmail (or whatever) such that "address
probes" are less effective and intrusive? I could imagine how the process
might work, but I've never coded a milter and am hoping someone else has
done this or will tell me why it would be a bad idea.

By address probe, I mean connections that either:
1. Ask the receiving mta to accept a message for one invalid address
after another despite repeated negative responses from the receiving mta.
Something that amounts to "Is bob valid?" ... "no" ... "Well, what about
tom?" ... "no" ... "Frank?" ... etc.
2. Send a message with many recipients at the same server, learning
those that don't bounce.

Completely blocking "no such user" responses seems like a bad idea, but
ignoring someone who attempted delivery to X number of invalid addresses
within Y seconds seems like a good idea. But how can the first-line MTA
know whether or not an address is invalid?

Has anyone set up or read of such a system? Perhaps a sendmail milter that
looks up recipient addresses in a flat file or via ldap before accepting the
message?

--
Trever

From lists at STHOMAS.NET Tue Aug 5 04:22:50 2003
From: lists at STHOMAS.NET (Steve Thomas)
Date: Thu Jan 12 21:19:10 2006
Subject: Admin email
In-Reply-To: <036A6BCC9FD10749AD3CE32255AF49A6017CF82A@dalsxc01.geniant.net>; from mkipness@GENIANT.COM on Mon, Aug 04, 2003 at 09:31:21PM -0500
References: <036A6BCC9FD10749AD3CE32255AF49A6017CF82A@dalsxc01.geniant.net>
Message-ID: <20030804202250.A4499@sthomas.net>

On Mon, Aug 04, 2003 at 09:31:21PM -0500, Max Kipness is rumored to have said:
>
> My company hosts quite a few domains, and last Friday we started getting
> emails admin@ourdomains.com with an attachment: message.zip. The
> attachment seems to make it through Fprot and Sophos ok, and I haven't
> even bothered to open it and see what it is. My question is whether I
> could add a rule in spam.blacklist.rules like:

Sophos should be picking it up - it's the latest and greatest virus and
it's spreading pretty quick - make sure you've got sophos updated and
email all your users (or just the ones that received it) and tell them
not to open it.

--
"Plato was a bore."
- Friedrich Nietzsche (1844-1900)

From mkipness at GENIANT.COM Tue Aug 5 04:30:46 2003
From: mkipness at GENIANT.COM (Max Kipness)
Date: Thu Jan 12 21:19:10 2006
Subject: Admin email
Message-ID: <036A6BCC9FD10749AD3CE32255AF49A6017CF82C@dalsxc01.geniant.net>

What about a file rule for message.zip? Has anybody tried that? Every time
I try one of these I end up with a syntax error in the logs.

I will look for the Sophos update and the version of MailScanner based on
another reply to this.

Thanks,
Max

> -----Original Message-----
> From: Steve Thomas [mailto:lists@STHOMAS.NET]
> Sent: Monday, August 04, 2003 10:23 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Admin email
>
> On Mon, Aug 04, 2003 at 09:31:21PM -0500, Max Kipness is
> rumored to have said:
> >
> > My company hosts quite a few domains, and last Friday we started
> > getting emails admin@ourdomains.com with an attachment: message.zip.
> > The attachment seems to make it through Fprot and Sophos ok, and I
> > haven't even bothered to open it and see what it is. My question is
> > whether I could add a rule in spam.blacklist.rules like:
>
> Sophos should be picking it up - it's the latest and greatest
> virus and it's spreading pretty quick - make sure you've got
> sophos updated and email all your users (or just the ones
> that received it) and tell them not to open it.
>
> --
> "Plato was a bore."
> - Friedrich Nietzsche (1844-1900)

From mailscanner at ecs.soton.ac.uk Tue Aug 5 04:20:12 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:10 2006
Subject: Sophos Update
In-Reply-To: <001601c35ae8$082daef0$9c01a8c0@home.middlefinger.net>
References: <003501c35ad4$ba04cff0$0b01a8c0@rich>
Message-ID: <5.2.1.1.2.20030805041926.026aec60@imap.ecs.soton.ac.uk>

You need "uncompress" as well as "unzip". RPMs for both of these will be on
your RedHat CDs. They are also available from any RedHat FTP server mirror.

At 01:25 05/08/2003, you wrote:
>Is unzip installed?
>
>-----Original Message-----
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Aug 5 04:28:52 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:10 2006
Subject: Admin email
In-Reply-To: <036A6BCC9FD10749AD3CE32255AF49A6017CF82A@dalsxc01.geniant.net>
Message-ID: <5.2.1.1.2.20030805042510.0254bd20@imap.ecs.soton.ac.uk>

At 03:31 05/08/2003, you wrote:
>Hello -
>
>My company hosts quite a few domains, and last Friday we started getting
>emails admin@ourdomains.com with an attachment: message.zip. The
>attachment seems to make it through Fprot and Sophos ok,

In which case your virus scanners aren't up to date. This is the mimail
virus which Sophos can certainly detect, F-Prot appears to be having some
problems with this virus.

Make sure you have the files
   /usr/local/Sophos/ide/mimail-a.ide
and
   /usr/local/Sophos/ide/maila.ide
If you are missing either of these files, your Sophos is out of date and
needs to be replaced with the latest version so that the autoupdates work.

> and I haven't
>even bothered to open it and see what it is. My question is whether I
>could add a rule in spam.blacklist.rules like:
>
>admin@*
>
>Will this work without issue?

From:   admin@*   yes
is what the line should look like, if you want to do this.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From chicks at CHICKS.NET Tue Aug 5 06:47:46 2003
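Richard's installer run in the Sophos Update thread shows the two things that go wrong silently: "uncompress: command not found" at the start, and the warning that /etc/ld.so.conf does not list /usr/local/Sophos/lib, followed by the autoupdate failing and leaving the box without current IDE files. Julian's diagnostic for the Admin email thread is the same state seen from the other side: mimail-a.ide and maila.ide missing means the scanner is out of date. The following is an added example, not Julian's Sophos.install or sophos-autoupdate scripts and not Sophos code, that checks those conditions in one place: the helper commands the scripts shell out to (uncompress, unzip, lynx), the sweep binary and library symlinks the installer prints, the ld.so.conf entry it warns about, and the two IDE files Julian names. build_demo_tree constructs a fake tree under a temporary directory so the check can be exercised without a Sophos install; on a live system you would call check_sophos_tree("/").

```python
"""Sanity-check a Sophos/MailScanner install tree (added example, constructed demo data)."""
import os
import shutil
import stat
import tempfile

# Relative paths below a root; on a live box root is "/" and these are the
# installer's /usr/local/Sophos/{bin,lib} plus the IDE directory Julian named.
SOPHOS_BIN = "usr/local/Sophos/bin"
SOPHOS_LIB = "usr/local/Sophos/lib"
SOPHOS_IDE = "usr/local/Sophos/ide"
LD_SO_CONF = "etc/ld.so.conf"
REQUIRED_IDES = ("mimail-a.ide", "maila.ide")        # from Julian's reply
REQUIRED_COMMANDS = ("uncompress", "unzip", "lynx")  # from the Sophos Update thread


def missing_commands(commands=REQUIRED_COMMANDS, which=shutil.which):
    """Commands the install/update scripts need that are absent from $PATH."""
    return [cmd for cmd in commands if which(cmd) is None]


def check_sophos_tree(root="/"):
    """Return a list of problem strings; an empty list means the tree looks complete."""
    problems = []

    def under(*parts):
        return os.path.join(root, *parts)

    sweep = under(SOPHOS_BIN, "sweep")
    try:
        if not os.stat(sweep).st_mode & stat.S_IXUSR:
            problems.append("sweep is not executable: " + sweep)
    except OSError:
        problems.append("sweep binary missing: " + sweep)

    for name in ("libsavi.so.2", "vdl.dat"):  # symlinks the installer reports creating
        if not os.path.exists(under(SOPHOS_LIB, name)):
            problems.append("missing in lib dir: " + name)

    try:
        with open(under(LD_SO_CONF)) as fh:
            entries = {line.strip() for line in fh}
    except OSError:
        entries = set()
    if "/" + SOPHOS_LIB not in entries:  # the installer's own warning, made checkable
        problems.append("/etc/ld.so.conf has no entry for /" + SOPHOS_LIB)

    for ide in REQUIRED_IDES:
        if not os.path.exists(under(SOPHOS_IDE, ide)):
            problems.append("IDE file missing, Sophos probably too old: " + ide)
    return problems


def build_demo_tree(root, complete):
    """Construct a fake tree (demo only). complete=False reproduces the state in the
    thread: installer ran, but ld.so.conf was not updated and no IDE files arrived."""
    for d in (SOPHOS_BIN, SOPHOS_LIB, SOPHOS_IDE, "etc"):
        os.makedirs(os.path.join(root, d), exist_ok=True)
    sweep = os.path.join(root, SOPHOS_BIN, "sweep")
    with open(sweep, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(sweep, 0o755)
    for name in ("libsavi.so.2", "vdl.dat"):
        open(os.path.join(root, SOPHOS_LIB, name), "w").close()
    with open(os.path.join(root, LD_SO_CONF), "w") as fh:
        fh.write("/usr/local/Sophos/lib\n" if complete else "/usr/lib\n")
    if complete:
        for ide in REQUIRED_IDES:
            open(os.path.join(root, SOPHOS_IDE, ide), "w").close()


def demo():
    """Run the check against a complete and an incomplete constructed tree."""
    results = {}
    for label, complete in (("complete", True), ("incomplete", False)):
        with tempfile.TemporaryDirectory() as root:
            build_demo_tree(root, complete)
            results[label] = check_sophos_tree(root)
    return results


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, "->", problems or "OK")
    print("missing commands:", missing_commands() or "none")
```

Running this before restarting MailScanner turns the installer's warnings and the thread's guesswork ("is unzip installed?", "do you have lynx?") into a single pass/fail, and the IDE check catches the case Max hit, where the engine runs but the signatures are stale.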
From: chicks at CHICKS.NET (Christopher Hicks)
Date: Thu Jan 12 21:19:10 2006
Subject: SQL Redux
In-Reply-To: <5.2.1.1.2.20030804194622.02652cf8@imap.ecs.soton.ac.uk>
Message-ID:

I haven't been following this discussion so if this has already been
mentioned please accept my apologies.

On Mon, 4 Aug 2003, Julian Field wrote:
> At 14:29 04/08/2003, you wrote:
> >If there's really no performance hit to logging after every email instead of
> >in batches, I'll see about changing my code to do it that way too. Nothing
> >worse than having to wait for all of the children to finish logging before I
> >can do a full restart of MailScanner.
>
> There must be a significant performance hit. In one case you are just
> appending a line to a file. In the other case you are adding a record to a
> database table and updating various indices. This *has* to be a much bigger
> operation than just adding 1 line to a file.

By doing an "insert delayed" you let MySQL batch things up for when it's
convenient to do it. I'm sure there's still some overhead beyond simply
writing to a file, but maybe it's not so bad. We use this for web logging
and haven't noticed any problems.

Keeping only a few indexes in the current logging table and periodically
moving that into a fully indexed historic data set table would let that
extra index processing be done in off times.

--
The death of democracy is not likely to be an assassination from ambush.
It will be a slow extinction from apathy, indifference, and
undernourishment. -Robert Maynard Hutchins, educator (1899-1977)

From chicks at CHICKS.NET Tue Aug 5 06:49:23 2003
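Christopher Hicks's two-table suggestion above, written out as an added example that is not from the list or from MailScanner: a lightly indexed current table takes the per-message inserts, and a fully indexed history table is only written during a periodic rotation, so the reporting indexes are maintained in off hours rather than on every scanned message. It uses SQLite from the Python standard library so it runs offline; the table layout, column names and sample rows are constructed for the illustration, and MySQL's INSERT DELAYED has no SQLite equivalent and is not modelled.

```python
import sqlite3

# Constructed sample records in the shape of a per-message log entry
# (timestamp, queue id, sender, first recipient, spam flag, SA score).
# They are made up for this example, not taken from a real mail log.
SAMPLE_ROWS = [
    ("2003-08-05 06:40:01", "h755e01a000001", "alice@example.org", "bob@example.com", 0, 1.2),
    ("2003-08-05 06:40:07", "h755e07a000002", "promo@3762cup.net", "bob@example.com", 1, 11.4),
    ("2003-08-05 06:41:15", "h755f15a000003", "promo@3762cup.net", "carol@example.com", 1, 9.8),
    ("2003-08-05 06:42:30", "h755g30a000004", "dave@example.net", "carol@example.com", 0, 0.3),
]


def open_db(path=":memory:"):
    """Create the two-table layout: a current table with a single index
    that takes the per-message inserts, and a history table carrying the
    reporting indexes that only ever receives rows during rotation."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE IF NOT EXISTS maillog_current (
            ts TEXT NOT NULL, msgid TEXT NOT NULL, sender TEXT, recipient TEXT,
            is_spam INTEGER NOT NULL, score REAL);
        -- the current table keeps just the one index the hot path needs
        CREATE INDEX IF NOT EXISTS cur_msgid ON maillog_current(msgid);

        CREATE TABLE IF NOT EXISTS maillog_history (
            ts TEXT NOT NULL, msgid TEXT NOT NULL, sender TEXT, recipient TEXT,
            is_spam INTEGER NOT NULL, score REAL);
        -- reporting indexes live only here, so they are updated at rotation
        -- time instead of once per scanned message
        CREATE INDEX IF NOT EXISTS hist_ts ON maillog_history(ts);
        CREATE INDEX IF NOT EXISTS hist_sender ON maillog_history(sender);
        CREATE INDEX IF NOT EXISTS hist_recipient ON maillog_history(recipient);
        CREATE INDEX IF NOT EXISTS hist_spam ON maillog_history(is_spam, ts);
    """)
    return conn


def log_message(conn, row):
    """The per-message write: one INSERT into the lightly indexed table."""
    conn.execute("INSERT INTO maillog_current VALUES (?, ?, ?, ?, ?, ?)", row)
    conn.commit()


def rotate(conn):
    """Move everything from current into history inside one transaction,
    so a failure between the copy and the delete can neither lose nor
    duplicate rows. Returns the number of rows moved."""
    with conn:  # commits on success, rolls back on any exception
        moved = conn.execute("SELECT COUNT(*) FROM maillog_current").fetchone()[0]
        conn.execute("INSERT INTO maillog_history SELECT * FROM maillog_current")
        conn.execute("DELETE FROM maillog_current")
    return moved


def row_counts(conn):
    """(rows in current, rows in history), for checking a rotation."""
    cur = conn.execute("SELECT COUNT(*) FROM maillog_current").fetchone()[0]
    hist = conn.execute("SELECT COUNT(*) FROM maillog_history").fetchone()[0]
    return cur, hist


def spam_by_sender(conn):
    """A typical report that the history indexes exist to serve."""
    q = ("SELECT sender, COUNT(*) FROM maillog_history "
         "WHERE is_spam = 1 GROUP BY sender ORDER BY 2 DESC, sender")
    return conn.execute(q).fetchall()


if __name__ == "__main__":
    db = open_db()
    for r in SAMPLE_ROWS:
        log_message(db, r)
    print("before rotation:", row_counts(db))
    print("moved:", rotate(db))
    print("after rotation:", row_counts(db))
    print("spam by sender:", spam_by_sender(db))
```

The rotation is the only place the expensive indexes are touched, and because it runs as a single transaction it can be scheduled from cron at a quiet time without any risk of a half-moved batch.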
From: chicks at CHICKS.NET (Christopher Hicks)
Date: Thu Jan 12 21:19:10 2006
Subject: A bit OT: Cut off address probes?
In-Reply-To:
Message-ID:

On Tue, 5 Aug 2003, Raymond Dijkxhoorn wrote:
> I had a dictionary attack today that was somehow smarter. It seems they
> were using a distributed system, there were 612 different hosts involved.

They've probably rooted 612 boxes. E-mail the admins of those blocks. :)

--
The death of democracy is not likely to be an assassination from ambush.
It will be a slow extinction from apathy, indifference, and
undernourishment. -Robert Maynard Hutchins, educator (1899-1977)

From mailscanner at CARLO65.DE Tue Aug 5 06:54:31 2003
From: mailscanner at CARLO65.DE (Roland Ehle)
Date: Thu Jan 12 21:19:10 2006
Subject: Wildcard in blacklist
Message-ID: <3F2F4697.7070801@carlo65.de>

Hi,

I have recently been receiving a lot of spam from different senders, and
the mails are getting through due to not enough points from SpamAssassin.

The sender domains are like 3762cup.net or 328cupnet.com.
I wonder if it is possible to have them included in the blacklist in a
way like *cup.net.

Roland

From jtwatson at datakota.com Tue Aug 5 06:54:22 2003
From: jtwatson at datakota.com (Joseph Watson)
Date: Thu Jan 12 21:19:10 2006
Subject: Rav Anti Virus
Message-ID: <200308050154.22072.jtwatson@datakota.com>

Hello,

I have been trying to use mailscanner with Rav Antivirus but there seems to be
a problem.

Mandrake Linux 9.1
MailScanner version 4.22-5
Rav Scan engine 8.11

I have command antivirus installed and it works as expected. But when I put
rav as the only virus scanner, MailScanner does not pick up infected files.
If I run ravav from the command line, it does detect the infections. It
seems to be a problem with the return code, but I am quite lost trying to
trace it down.

So, has anyone else experienced this? I looked through the archives but
nothing came up.

Also, how can I debug a little more? If I turn on debug mode, it only scans
one batch and exits, but I don't see any extra reporting in the log files.

Any suggestions would be great.

--
Regards

Joseph Watson

From mailscanner at ecs.soton.ac.uk Tue Aug 5 07:03:50 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:10 2006
Subject: Wildcard in blacklist
In-Reply-To: <3F2F4697.7070801@carlo65.de>
Message-ID: <5.2.0.9.2.20030805070301.038c6830@imap.ecs.soton.ac.uk>

At 06:54 05/08/2003, you wrote:
>Hi,
>
>I have recently been receiving a lot of spam from different senders, and
>the mails are getting through due to not enough points from SpamAssassin.
>
>The sender domains are like 3762cup.net or 328cupnet.com.
>I wonder if it is possible to have them included in the blacklist in a
>way like *cup.net.

Yes.

From: *cup.net yes
From: *cupnet.com yes

should do the trick nicely.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From splee at PLEXIO.COM Tue Aug 5 07:10:30 2003
From: splee at PLEXIO.COM (Stephen Lee)
Date: Thu Jan 12 21:19:10 2006
Subject: Admin email
In-Reply-To: <036A6BCC9FD10749AD3CE32255AF49A6017CF82C@dalsxc01.geniant.net>
References: <036A6BCC9FD10749AD3CE32255AF49A6017CF82C@dalsxc01.geniant.net>
Message-ID: <1060063830.6751.72.camel@ralph.plexio.private>

Will the following work?

deny    message.zip$    "mimaila" virus    "mimaila" virus

Make sure each part is separated with tabs.

Stephen

On Mon, 2003-08-04 at 20:30, Max Kipness wrote:
> What about a file rule for message.zip? Has anybody tried that?
> Every time I try one of these I end up with a syntax error in the logs.
>
> I will look for the Sophos update and the version of MailScanner based
> on another reply to this.
>
> Thanks,
> Max
>
> > -----Original Message-----
> > From: Steve Thomas [mailto:lists@STHOMAS.NET]
> > Sent: Monday, August 04, 2003 10:23 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Admin email
> >
> >
> > On Mon, Aug 04, 2003 at 09:31:21PM -0500, Max Kipness is
> > rumored to have said:
> > >
> > > My company hosts quite a few domains, and last Friday we started
> > > getting emails admin@ourdomains.com with an attachment:
> > message.zip.
> > > The attached seems to make it through Fprot and Sophos ok, and I
> > > haven't even bothered to open it and see what it is. My question is
> > > whether I could add a rule in spam.blacklist.rules like:
> >
> > Sophos should be picking it up - it's the latest and greatest
> > virus and it's spreading pretty quick - make sure you've got
> > sophos updated and email all your users (or just the ones
> > that received it) and tell them not to open it.
> >
> >
> > --
> > "Plato was a bore."
> > - Friedrich Nietzsche (1844-1900)
> >

From mailscanner at ecs.soton.ac.uk Tue Aug 5 07:07:41 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:10 2006
Subject: Rav Anti Virus
In-Reply-To: <200308050154.22072.jtwatson@datakota.com>
Message-ID: <5.2.0.9.2.20030805070653.06387d30@imap.ecs.soton.ac.uk>

At 06:54 05/08/2003, you wrote:
>Hello,
>
>I have been trying to use mailscanner with Rav Antivirus but there seems to be
>a problem.
>
>Mandrake Linux 9.1
>MailScanner version 4.22-5
>Rav Scan engine 8.11
>
>I have command antivirus installed and it works as expected. But when I put
>rav as the only virus scanner, MailScanner does not pick up infected files.

Do you get anything in the logs? If so, what?

>If I run ravav from the command line, it does detect the infections. It
>seems to be a problem with the return code, but I am quite lost trying to
>trace it down.

Did you install RAV in its default location? If not, you will need to tell
MailScanner the path in /usr/lib/MailScanner/rav-wrapper and
/usr/lib/MailScanner/rav-autoupdate.

>So, has anyone else experienced this? I looked through the archives but
>nothing came up.
>
>Also, how can I debug a little more? If I turn on debug mode, it only scans
>one batch and exits, but I don't see any extra reporting in the log files.
>
>Any suggestions would be great.
>
>--
>Regards
>
>Joseph Watson

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Aug 5 07:17:33 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:10 2006
Subject: Admin email
In-Reply-To: <1060063830.6751.72.camel@ralph.plexio.private>
References: <036A6BCC9FD10749AD3CE32255AF49A6017CF82C@dalsxc01.geniant.net>
 <036A6BCC9FD10749AD3CE32255AF49A6017CF82C@dalsxc01.geniant.net>
Message-ID: <5.2.0.9.2.20030805071654.064debe0@imap.ecs.soton.ac.uk>

At 07:10 05/08/2003, you wrote:
>Will the following work?
>
>deny    message.zip$    "mimaila" virus    "mimaila" virus

I would replace . with \. as you really mean "the character dot" and not
"any single character".

>Make sure each part is separated with tabs.
>
>Stephen
>
>On Mon, 2003-08-04 at 20:30, Max Kipness wrote:
> > What about a file rule for message.zip? Has anybody tried that?
> > Every time I try one of these I end up with a syntax error in the logs.
> >
> > I will look for the Sophos update and the version of MailScanner based
> > on another reply to this.
> >
> > Thanks,
> > Max
> >
> > > -----Original Message-----
> > > [...]

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From raymond at PROLOCATION.NET Tue Aug 5 07:27:39 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:10 2006
Subject: A bit OT: Cut off address probes?
In-Reply-To:
Message-ID:

Hi!

> Did you submit the open relays to ORDB or one of the other blacklists for
> further testing / listing? ORDB is probably the easiest as it allows for
> batch submissions.

Nope, never submitted on ORDB before. Do they accept 612 mailservers and
start testing themselves?

Bye,
Raymond.

From mailscanner at ecs.soton.ac.uk Tue Aug 5 08:27:41 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:10 2006
Subject: Spam Action rules: first match vs. all match?
In-Reply-To:
Message-ID: <5.2.0.9.2.20030805082626.036d43a8@imap.ecs.soton.ac.uk>

What was the general consensus on this subject?

Is it worth my implementing this "stop" keyword? It will cause a couple of
extra "if" statements inside a function that is called a few dozen times
for each message, so I don't want to add it unless quite a few people will
find it useful.

At 18:37 28/07/2003, you wrote:
>On Mon, 28 Jul 2003 18:02:33 +0100, Julian Field
> wrote:
>
> >What I thought about doing was adding a "STOP" entry in any of the "all
> >matches" rules, so that evaluation of the rules for that recipient/sender
> >would stop at that point and not carry on trying to match other rules in
> >the ruleset.
> >
> >The rules would still be evaluated for all of the recipient(s) and the
> >sender, but this would enable you to stop the rule checking when you had
> >matched a previous rule.
> >
> >Would that solve the problem, or indeed help at all?
>
>How would that work? If you mean something like this:
>
>FromAndTo: *@primary.domain forward zzz@yyy
>STOP
>To: *@primary.domain bounce forward zzz@yyy
>FromOrTo: default deliver forward zzz@yyy
>
>meaning that when the STOP line is encountered, rule matching should
>stop if any above rules had matched, that would work for me and would
>actually add quite a bit of flexibility. It would make it possible to
>do things like have a specific list of users or subdomains in a domain
>that get special treatment. For example:
>
>From: user1@domain.com deliver
>From: user2@domain.com deliver
>From: user3@one.domain.com deliver
>From: user4@two.domain.com deliver
>From: *@two.domain.com forward zzz@yyy
>STOP
>From: *@one.domain.com forward zzz@yyy
>STOP
>From: *@*.domain.com bounce forward zzz@yyy
>From: *@domain.com bounce forward zzz@yyy
>
>Semantics such as what would result from the above could be tricky to
>achieve with either all or first rules. If it weren't for user4, then
>the above without STOP would be the same as if it were interpreted as
>first match, but with the above as all with STOP implemented,
>user4@two.domain.com's actions would be "deliver forward zzz@yyy".
>(Okay, this example would be easy to make work with first, but
>still...)
>
>Another option I had been thinking about would be to be able to mark a
>single rule as exclusive, but I think the above is better.
>
>--
>Jay Berkenbilt
>http://www.ql.org/q/

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Aug 5 10:08:00 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:10 2006
Subject: Spam Action rules: first match vs. all match? (2)
In-Reply-To: <5.2.0.9.2.20030805082626.036d43a8@imap.ecs.soton.ac.uk>
References:
Message-ID: <5.2.0.9.2.20030805100525.09a7a6e0@imap.ecs.soton.ac.uk>

The other thing I have just implemented helps solve the problem of not
being able to predict the result of a ruleset when there are lots of
recipients which have conflicting results. This is to save you always
having to split the message so that there is only 1 recipient per message.
It doesn't solve the problem of multiple conflicting rules completely, but
it does mean you can predict exactly what will happen for any given
message, which has got to be a good thing :-)

# When trying to work out the value of configuration parameters which are
# using a ruleset, this controls the behaviour when a rule is checking the
# "To:" addresses.
# If this option is set to "yes", then the following happens when checking
# the ruleset:
# a) 1 recipient. Same behaviour as normal.
# b) Several recipients, but all in the same domain (domain.com for example).
#    The rules are checked for one that matches the string "*@domain.com".
# c) Several recipients, not all in the same domain.
#    The rules are checked for one that matches the string "*@*".
#
# If this option is set to "no", then some rules will use the result they
# get from the first matching rule for any of the recipients of a message,
# so the exact value cannot be predicted for messages with more than 1
# recipient.
#
# This value *cannot* be the filename of a ruleset.
Use Default Rules With Multiple Recipients = no

At 08:27 05/08/2003, you wrote:
>What was the general consensus on this subject?
>
>Is it worth my implementing this "stop" keyword? It will cause a couple of
>extra "if" statements inside a function that is called a few dozen times
>for each message, so I don't want to add it unless quite a few people will
>find it useful.
>
>At 18:37 28/07/2003, you wrote:
>>[...]

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From raymond at PROLOCATION.NET Tue Aug 5 10:18:09 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:10 2006
Subject: Spam Action rules: first match vs. all match? (2)
In-Reply-To: <5.2.0.9.2.20030805100525.09a7a6e0@imap.ecs.soton.ac.uk>
Message-ID:

Julian,

> The other thing I have just implemented helps solve the problem of not
> being able to predict the result of a ruleset when there are lots of
> it does mean you can predict exactly what will happen for any given
> message, which has got to be a good thing :-)
>
> # When trying to work out the value of configuration parameters which are
> # using a ruleset, this controls the behaviour when a rule is checking the
> # "To:" addresses.
> # If this option is set to "yes", then the following happens when checking
> # the ruleset:
> # a) 1 recipient. Same behaviour as normal.
> # b) Several recipients, but all in the same domain (domain.com for example).
> #    The rules are checked for one that matches the string "*@domain.com".
> # c) Several recipients, not all in the same domain.
> #    The rules are checked for one that matches the string "*@*".

What about if you have per user settings on the same domain?

So user1@domain1.com and user2@domain2.com?

Do I still need to split messages for that?

What's the impact on performance?

Thanks,
Raymond.

From mailscanner at ecs.soton.ac.uk Tue Aug 5 11:46:34 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:10 2006
Subject: Spam Action rules: first match vs. all match? (2)
In-Reply-To:
References: <5.2.0.9.2.20030805100525.09a7a6e0@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030805114120.03bde680@imap.ecs.soton.ac.uk>

At 10:18 05/08/2003, you wrote:
>Julian,
>
> > The other thing I have just implemented helps solve the problem of not
> > being able to predict the result of a ruleset when there are lots of
> > it does mean you can predict exactly what will happen for any given
> > message, which has got to be a good thing :-)
> >
> > # When trying to work out the value of configuration parameters which are
> > # using a ruleset, this controls the behaviour when a rule is checking the
> > # "To:" addresses.
> > # If this option is set to "yes", then the following happens when checking
> > # the ruleset:
> > # a) 1 recipient. Same behaviour as normal.
> > # b) Several recipients, but all in the same domain (domain.com for example).
> > #    The rules are checked for one that matches the string "*@domain.com".
> > # c) Several recipients, not all in the same domain.
> > #    The rules are checked for one that matches the string "*@*".
>
>What about if you have per user settings on the same domain?
>
>So user1@domain1.com and user2@domain2.com?

In that case, it would look up the rule for "*@*".

>Do I still need to split messages for that?

If you want per-user settings to work 100% of the time across multiple
domains like this, you will still need to split messages.

>What's the impact on performance?

Minimal. If you aren't using this option at all or there is only 1
recipient, it causes 3 "if" conditions to be checked every time an "all
matches" value is looked up that has a ruleset attached to it. If you are
using it then it might actually work faster than it did before as it
doesn't bother running through all the recipient addresses if it knows it
just needs to look up "*@domain.com" or "*@*".
I've written it as efficiently as I can; it even pre-compiles the regexps.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From ctrudeau at BELLSOUTH.NET Tue Aug 5 12:53:58 2003
From: ctrudeau at BELLSOUTH.NET (Chris-Bellsouth)
Date: Thu Jan 12 21:19:10 2006
Subject: SpamAssassin domain rules
References: <5.2.0.9.2.20030805100525.09a7a6e0@imap.ecs.soton.ac.uk>
 <5.2.0.9.2.20030805114120.03bde680@imap.ecs.soton.ac.uk>
Message-ID: <003f01c35b48$41b500a0$5702010a@mscore.trusecure.net>

I looked around in the archives and I am unable to find any references to
this...

I want to have different sa_user_prefs for each domain so that one domain
can have a dedicated SA configuration that is separate from another domain
being scanned on the same MS system. Is this possible?

Could I include a rules pointer here:

SpamAssassin Prefs File = %etc-dir%/spam.assassin.prefs.rules

That pointed to a rules file like this:

To example.com /etc/MailScanner/rules/example_sa_prefs.conf

where /etc/MailScanner/rules/example_sa_prefs.conf was a SA prefs file
specific to example.com?

CT

From mkipness at GENIANT.COM Tue Aug 5 13:33:11 2003
From: mkipness at GENIANT.COM (Max Kipness)
Date: Thu Jan 12 21:19:10 2006
Subject: SpamAssassin domain rules
Message-ID: <036A6BCC9FD10749AD3CE32255AF49A6017CF831@dalsxc01.geniant.net>

> I want to have different sa_user_prefs for each domain so
> that one domain can have a dedicated SA configuration that is
> separate from another domain being scanned on the same MS
> system. Is this possible?

Or what about per user SpamAssassin rules? Something I've been wanting to
look into. I have some people that want all spam deleted, period. And some
others that don't consider every solicitation spam.

Max

From ctrudeau at BELLSOUTH.NET Tue Aug 5 13:38:23 2003
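The three ruleset behaviours discussed in this thread, modelled together as an added example that is not MailScanner's code: Julian's wildcard sender patterns (From: *cup.net yes), Jay Berkenbilt's proposed STOP keyword for "all matches" rulesets, and the "Use Default Rules With Multiple Recipients" behaviour Julian describes, where several recipients in one domain are looked up as *@domain and recipients in mixed domains as *@*. The rule files and addresses are constructed for the illustration, and the matching model (only * is a wildcard, patterns are anchored, matching is case-insensitive, a message with no matching rule yields None) is my assumption, not the project's parser.

```python
import re

# Constructed rulesets in the syntax quoted in the thread (direction,
# pattern, value, one rule per line). Illustrations only, not files that
# ship with MailScanner.
BLACKLIST_RULES = """\
From:      admin@*        yes
From:      *cup.net       yes
From:      *cupnet.com    yes
FromOrTo:  default        no
"""

ACTION_RULES = """\
To:   *@domain.com   deliver
To:   *@*            forward zzz@yyy
"""

# Jay's example, with the proposed STOP lines.
STOP_RULES = """\
From: user4@two.domain.com   deliver
From: *@two.domain.com       forward zzz@yyy
STOP
From: *@one.domain.com       forward zzz@yyy
STOP
From: *@*.domain.com         bounce forward zzz@yyy
From: *@domain.com           bounce forward zzz@yyy
"""


def pattern_to_regex(pattern):
    """'*' is the only wildcard; everything else is literal, so the '.' in
    '*cup.net' matches a dot and nothing else. 'default' matches anything.
    (Assumed behaviour: a minimal model, not the real pattern handling.)"""
    if pattern.lower() == "default":
        return re.compile(".*", re.I)
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.I)


def parse_rules(text):
    """Return a list of (direction, compiled pattern, value); a STOP line
    becomes the marker ('stop', None, None)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.upper() == "STOP":
            rules.append(("stop", None, None))
            continue
        direction, pattern, value = line.split(None, 2)
        rules.append((direction.rstrip(":").lower(), pattern_to_regex(pattern), value))
    return rules


def collapse_recipients(recipients, use_default_rules):
    """Model of 'Use Default Rules With Multiple Recipients = yes': one
    recipient is matched as-is, several in one domain become '*@domain',
    several domains become '*@*'. With the option off, every recipient is
    checked, so the first matching one decides."""
    if len(recipients) == 1 or not use_default_rules:
        return list(recipients)
    domains = {r.rsplit("@", 1)[-1].lower() for r in recipients}
    return ["*@" + domains.pop()] if len(domains) == 1 else ["*@*"]


def rule_matches(direction, regex, sender, targets):
    if direction == "from":
        return bool(regex.match(sender))
    if direction == "to":
        return any(regex.match(t) for t in targets)
    if direction == "fromorto":
        return bool(regex.match(sender)) or any(regex.match(t) for t in targets)
    if direction == "fromandto":
        return bool(regex.match(sender)) and all(regex.match(t) for t in targets)
    raise ValueError("unknown rule direction: " + direction)


def first_match(rules, sender, recipients, use_default_rules=True):
    """'First match' ruleset: the first matching rule supplies the value."""
    targets = collapse_recipients(recipients, use_default_rules)
    for direction, regex, value in rules:
        if direction != "stop" and rule_matches(direction, regex, sender, targets):
            return value
    return None


def all_matches(rules, sender, recipients, use_default_rules=True):
    """'All matches' ruleset with the proposed STOP keyword: every matching
    rule contributes its value, and a STOP line ends evaluation if any
    earlier rule has already matched."""
    targets = collapse_recipients(recipients, use_default_rules)
    values = []
    for direction, regex, value in rules:
        if direction == "stop":
            if values:
                break
            continue
        if rule_matches(direction, regex, sender, targets):
            values.append(value)
    return " ".join(values) if values else None
```

With the multiple-recipients option off, the same message can yield "deliver" or "forward zzz@yyy" depending on which recipient happens to be checked first, which is the unpredictability the new option removes; splitting the message per recipient is still the only way to get true per-user results across mixed domains, as Julian notes.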
From: ctrudeau at BELLSOUTH.NET (Chris-Bellsouth)
Date: Thu Jan 12 21:19:10 2006
Subject: SpamAssassin domain rules
References: <036A6BCC9FD10749AD3CE32255AF49A6017CF831@dalsxc01.geniant.net>
Message-ID: <006501c35b4e$76106af0$5702010a@mscore.trusecure.net>

Only one problem with that... I believe to take advantage of per user spam
rules with SA you need to have a mailstore for the user prefs to be
maintained in... I believe you can do that with SA.

I may have forgotten to add, I am a relay and have NO mail store locally,
so I gateway several domains through my MS/SA system. Everything is working;
I am just curious about the configuration parameter. Otherwise, I may have
to use a single Bayes corpus for all domains (which is OK, just not the
preferred method).

CT

----- Original Message -----
From: "Max Kipness"
To:
Sent: Tuesday, August 05, 2003 8:33 AM
Subject: Re: SpamAssassin domain rules

> I want to have different sa_user_prefs for each domain so
> that one domain can have a dedicated SA configuration that is
> separate from another domain being scanned on the same MS
> system. Is this possible?

Or what about per user SpamAssassin rules? Something I've been wanting to
look into. I have some people that want all spam deleted, period. And some
others that don't consider every solicitation spam.

Max

From mbowman at UDCOM.COM Tue Aug 5 13:52:13 2003
From: mbowman at UDCOM.COM (Matthew Bowman)
Date: Thu Jan 12 21:19:11 2006
Subject: Using wildcards in spam.blacklist.rules/spam.actions.conf
Message-ID:

Hi,

MS 4.22-5
SA 2.55
Redhat 7.3
sendmail 8.11.6-25.72

Is it possible to blacklist or block on domains that begin with

fuzzy
witty
fabulous
mighty

We get a lot of junk from these domains, e.g. fabulousroberts.us, and it's
causing havoc with the mail processing.

Can this be done via /etc/mail/access, e.g.

fabulous*.us DENY

?

Any tips, suggestions are welcome.

---
Matthew K Bowman
Systems Administrator, UDCom
174 Park Avenue West, Mansfield. Ohio 44902
Tel : 419-524-4330
Fax : 419-524-8757
Email : mbowman@udcom.com
Web: http://www.udcom.com/

From robert at WEBTENT.COM Tue Aug 5 13:56:41 2003
From: robert at WEBTENT.COM (Robert Fitzpatrick)
Date: Thu Jan 12 21:19:11 2006
Subject: Filename rules
Message-ID: <002601c35b51$074ea8e0$0b01a8c0@columbus>

I'm trying to understand what it takes to have changes to the file name
rules file take effect. Yesterday, I made an adjustment to allow a certain
extension and restarted MailScanner, but when I attached a file with the
extension, it kept replacing it with the virus warning. Now, this morning,
it works. Does something else need to be restarted? As far as I know,
sendmail is not restarted at night.

--
Robert

From mkipness at GENIANT.COM Tue Aug 5 14:32:59 2003
From: mkipness at GENIANT.COM (Max Kipness)
Date: Thu Jan 12 21:19:11 2006
Subject: Admin email
Message-ID: <036A6BCC9FD10749AD3CE32255AF49A6017CF83E@dalsxc01.geniant.net>

It's strange but I've tried both:

deny    message.zip$    "mimaila" virus    "mimaila" virus

deny    message\.zip$    "mimaila" virus    "mimaila" virus

I've done both a reload and restart and they keep coming through during
tests. Logs say:

Filename Checks: Allowing message.zip

Should there be one tab between separating each piece? It seems like on
some of the default settings in this file there are 6 tabs between the two
names of the virus.

Thanks,
Max

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: Tuesday, August 05, 2003 1:18 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Admin email
>
>
> At 07:10 05/08/2003, you wrote:
> >Will the following work?
> >
> >deny    message.zip$    "mimaila" virus    "mimaila" virus
>
> I would replace . with \. as you really mean "the character
> dot" and not "any single character".
>
> >Make sure each part is separated with tabs.
> >
> >Stephen
> >
> >On Mon, 2003-08-04 at 20:30, Max Kipness wrote:
> > > What about a file rule for message.zip? Has anybody tried that?
> > > Every time I try one of these I end up with a syntax error in the
> > > logs.
> > >
> > > I will look for the Sophos update and the version of MailScanner
> > > based on another reply to this.
> > >
> > > Thanks,
> > > Max
> > >
> > > > -----Original Message-----
> > > > [...]
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>

From Kevin.Spicer at BMRB.CO.UK Tue Aug 5 14:38:48 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:19:11 2006
Subject: Admin email
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF773@pascal.priv.bmrb.co.uk>

Max Kipness wrote:
> It's strange but I've tried both:
>
> deny    message.zip$    "mimaila" virus    "mimaila" virus
>
> deny    message\.zip$    "mimaila" virus    "mimaila" virus
>

Where have you placed these lines in the file? They need to be above the
line which allows zips through, probably best at the top (you need the
second form not the first - a further refinement would be to make the regex
^message\.zip$ ).

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and
may contain confidential and/or privileged material. If you have received
this in error, please contact the sender and delete this message
immediately. Disclosure, copying or other action taken in respect of this
email or in reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or content of any
email which does not directly relate to our business.

From mkipness at GENIANT.COM Tue Aug 5 14:39:58 2003
From: mkipness at GENIANT.COM (Max Kipness)
Date: Thu Jan 12 21:19:11 2006
Subject: Admin email
Message-ID: <036A6BCC9FD10749AD3CE32255AF49A6017CF840@dalsxc01.geniant.net>

Thanks, I'm sure that's the problem.

I just figured out why Sophos isn't catching message.zip. It seems that
when I ran the sophos-autoupdate, the script failed. I know it was working
a few months ago because I had to modify it then as well...

Max

> -----Original Message-----
> From: Spicer, Kevin [mailto:Kevin.Spicer@BMRB.CO.UK]
> Sent: Tuesday, August 05, 2003 8:39 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Admin email
>
>
> Max Kipness wrote:
> > It's strange but I've tried both:
> >
> > deny    message.zip$    "mimaila" virus    "mimaila" virus
> >
> > deny    message\.zip$    "mimaila" virus    "mimaila" virus
> >
>
> Where have you placed these lines in the file? They need to
> be above the line which allows zips through, probably best at
> the top (you need the second form not the first - a further
> refinement would be to make the regex ^message\.zip$ )
>

From mkipness at GENIANT.COM Tue Aug 5 14:49:58 2003
From: mkipness at GENIANT.COM (Max Kipness)
Date: Thu Jan 12 21:19:11 2006
Subject: Admin email
Message-ID: <036A6BCC9FD10749AD3CE32255AF49A6017CF845@dalsxc01.geniant.net>

Well, it still doesn't work. I've got it at the top now. Any other
suggestions? Log still reports: allowing message.zip

Max

> -----Original Message-----
> From: Spicer, Kevin [mailto:Kevin.Spicer@BMRB.CO.UK]
> Sent: Tuesday, August 05, 2003 8:39 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Admin email
>
>
> Max Kipness wrote:
> > It's strange but I've tried both:
> >
> > deny    message.zip$    "mimaila" virus    "mimaila" virus
> >
> > deny    message\.zip$    "mimaila" virus    "mimaila" virus
> >
>
> Where have you placed these lines in the file? They need to
> be above the line which allows zips through, probably best at
> the top (you need the second form not the first - a further
> refinement would be to make the regex ^message\.zip$ )
>

From Kevin.Spicer at BMRB.CO.UK Tue Aug 5 14:54:29 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:19:11 2006 Subject: Admin email Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF774@pascal.priv.bmrb.co.uk> Max Kipness wrote: > Well, it still doesn't work. I've got it at the top now. Any other > suggestions. Log still reports: allowing message.zip Do a reload, then check the maillog to see if it reports any errors whilst parsing filename.rules.conf. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 From mailscanner at ecs.soton.ac.uk Tue Aug 5 14:49:19 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:11 2006 Subject: Admin email In-Reply-To: <036A6BCC9FD10749AD3CE32255AF49A6017CF845@dalsxc01.geniant. net> Message-ID: <5.2.0.9.2.20030805144835.0642b798@imap.ecs.soton.ac.uk> And after editing the filename.rules.conf file, you've done a service MailScanner reload (if you're on RedHat) or /etc/rc.d/init.d/MailScanner reload (if you're on something related to RedHat). At 14:49 05/08/2003, you wrote: >Well, it still doesn't work. I've got it at the top now. Any other >suggestions. Log still reports: allowing message.zip > >Max > > > -----Original Message-----
> > From: Spicer, Kevin [mailto:Kevin.Spicer@BMRB.CO.UK] > > Sent: Tuesday, August 05, 2003 8:39 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Admin email > > > > > > Max Kipness wrote: > > > It's strange but I've tried both: > > > > > > deny message.zip$ "mimaila" virus > > > "mimaila" virus > > > > > > deny message\.zip$ "mimaila" virus > > > "mimaila" virus > > > > > > > Where have you placed these lines in the file, they need to > > be above the line which allows zips through, probably best at > > the top (you need the second form not the first - a further > > refinement would be to make the regex ^message\.zip$ ) > > > > > > > > BMRB International > > http://www.bmrb.co.uk > > +44 (0)20 8566 5000 > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Tue Aug 5 14:22:28 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:11 2006 Subject: SpamAssassin domain rules In-Reply-To: <003f01c35b48$41b500a0$5702010a@mscore.trusecure.net> References: <5.2.0.9.2.20030805100525.09a7a6e0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030805114120.03bde680@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030805135856.09ac7348@imap.ecs.soton.ac.uk> You can set the SpamAssassin threshold score and the spam actions on a per-user or per-domain (or per-anything-else for that matter) basis using rulesets in MailScanner. You can also have per-user and per-domain spam whitelists and blacklists. Between them, they implement just about all the SpamAssassin things people ever want to change in reality. So some people can have a different threshold score to others, and some (a different "some") can have their spam deleted or delivered or whatever, just as they want. And they can each have their own whitelist and/or blacklist if they want, too. At 12:53 05/08/2003, you wrote: >I looked around in the archives and I am unable to find any references to >this... > >I want to have different sa_user_prefs for each domain so that one domain >can have a dedicated SA configuration that is seperate from another domain >being scanned on the same MS system. Is this possible? > >Could I include a rules pointer here: > >SpamAssassin Prefs File = %etc-dir%/spam.assassin.prefs.rules > > >That pointed to a rules file like this: > >To example.com /etc/MailScanner/rules/example_sa_prefs.conf > > >where /etc/MailScanner/rules/example_sa_prefs.conf was a SA prefs file >specific to example.com? > >CT -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mkipness at GENIANT.COM Tue Aug 5 14:56:33 2003 
From: mkipness at GENIANT.COM (Max Kipness) Date: Thu Jan 12 21:19:11 2006 Subject: Admin email Message-ID: <036A6BCC9FD10749AD3CE32255AF49A6017CF847@dalsxc01.geniant.net> Yes, I'm even doing a restart. There are no errors in the log pertaining to syntax. Max > -----Original Message----- > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: Tuesday, August 05, 2003 8:49 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Admin email > > > And after editing the filename.rules.conf file, you've done a > service MailScanner reload > (if you're on RedHat) > or > /etc/rc.d/init.d/MailScanner reload > (if you're on something related to RedHat). > > At 14:49 05/08/2003, you wrote: > >Well, it still doesn't work. I've got it at the top now. Any other > >suggestions. Log still reports: allowing message.zip > > > >Max > > > > > -----Original Message----- 
> > > From: Spicer, Kevin [mailto:Kevin.Spicer@BMRB.CO.UK] > > > Sent: Tuesday, August 05, 2003 8:39 AM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Admin email > > > > > > > > > Max Kipness wrote: > > > > It's strange but I've tried both: > > > > > > > > deny message.zip$ "mimaila" virus > > > > "mimaila" virus > > > > > > > > deny message\.zip$ "mimaila" virus > > > > "mimaila" virus > > > > > > > > > > Where have you placed these lines in the file, they need > to be above > > > the line which allows zips through, probably best at the top (you > > > need the second form not the first - a further refinement > would be > > > to make the regex ^message\.zip$ ) > > > > > > > > > > > > BMRB International > > > http://www.bmrb.co.uk > > > +44 (0)20 8566 5000 > > > > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > From Andrew.Magnusson at COCC.COM Tue Aug 5 14:53:08 2003 From: Andrew.Magnusson at COCC.COM (Magnusson, Andrew) Date: Thu Jan 12 21:19:11 2006 Subject: Admin email Message-ID: Have you checked that you're using tabs to separate the fields in the line? Andrew Magnusson Internet Product Analyst COCC 1-877-678-0444 extension 640 -----Original Message-----
From: Max Kipness [mailto:mkipness@GENIANT.COM] Sent: Tuesday, August 05, 2003 9:50 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Admin email Well, it still doesn't work. I've got it at the top now. Any other suggestions. Log still reports: allowing message.zip Max > -----Original Message----- 
> From: Spicer, Kevin [mailto:Kevin.Spicer@BMRB.CO.UK] > Sent: Tuesday, August 05, 2003 8:39 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Admin email > > > Max Kipness wrote: > > It's strange but I've tried both: > > > > deny message.zip$ "mimaila" virus > > "mimaila" virus > > > > deny message\.zip$ "mimaila" virus > > "mimaila" virus > > > > Where have you placed these lines in the file, they need to > be above the line which allows zips through, probably best at > the top (you need the second form not the first - a further > refinement would be to make the regex ^message\.zip$ ) > > > > BMRB International > http://www.bmrb.co.uk > +44 (0)20 8566 5000 > -- *** This message originates from COCC, Inc. If the reader of this message, regardless of the address or routing, is not an intended recipient, you are hereby notified that you have received this transmittal in error and any review; use, distribution, dissemination or copying is strictly prohibited. If you have received this message in error, please delete this e-mail and all files transmitted with it from your system and immediately notify COCC, Inc. by sending reply e-mail to the sender of this message. Thank you. *** From andersan at LTKALMAR.SE Tue Aug 5 15:01:33 2003
From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:19:11 2006 Subject: Need file with mimaila Message-ID: <9F18B7DDBA88E544AB1F1995148916661CE6BB@lkl63.ltkalmar.se> Hi, Searched my logs and can't find any evidence that we have received the mimaila virus. Could someone please send me a copy so I can make sure it will be caught by AV progs... Kind regards /Anders From Kevin.Spicer at BMRB.CO.UK Tue Aug 5 15:04:54 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:19:11 2006 Subject: Admin email Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF775@pascal.priv.bmrb.co.uk> Max Kipness wrote: > Yes, I'm even doing a restart. There are no errors in the log > pertaining to syntax. > Perhaps you could post your filename.rules.conf as an attachment... BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 From andersan at LTKALMAR.SE Tue Aug 5 15:21:28 2003
From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:19:11 2006 Subject: Re: Need file with mimaila Update - I'm safe :) Message-ID: <9F18B7DDBA88E544AB1F1995148916661CE6BE@lkl63.ltkalmar.se> But as I've read, only one of my AV progs is catching it.... Thanks for helping me test.... guess it's not so bad in Sweden yet > -----Original Message----- > From: Anders Andersson, IT [mailto:andersan@LTKALMAR.SE] > Sent: 5 August 2003 16:02 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Need file with mimaila > > > Hi, > Searched my logs and can't find any evidence that we have > received the mimaila virus. Could someone please send me a copy > so I can make sure it will be caught by AV progs... > > Kind regards > > /Anders > From Ulysees at ULYSEES.COM Tue Aug 5 15:18:37 2003 From: Ulysees at ULYSEES.COM (Ulysees) Date: Thu Jan 12 21:19:11 2006 Subject: Need file with mimaila References: <9F18B7DDBA88E544AB1F1995148916661CE6BB@lkl63.ltkalmar.se> Message-ID: <000401c35b5d$756f2410$3201010a@nimitz> Great so I'm not the only one who isn't seeing it. Is this virus as widespread as people claim? I've checked the logs on all my gateways and I have yet to receive 1 message.zip Uly ----- Original Message ----- From: "Anders Andersson, IT" To: Sent: Tuesday, August 05, 2003 3:01 PM Subject: [MAILSCANNER] Need file with mimaila > Hi, > Searched my logs and can't find any evidence that we have received the > mimaila virus. > Could someone please send me a copy so I can make sure it will be caught by > AV progs... > > Kind regards > > /Anders > From mkipness at GENIANT.COM Tue Aug 5 15:28:12 2003 From: mkipness at GENIANT.COM (Max Kipness) Date: Thu Jan 12 21:19:11 2006 Subject: Admin email Message-ID: <036A6BCC9FD10749AD3CE32255AF49A6017CF84E@dalsxc01.geniant.net> Here it is, I appreciate it. Max > -----Original Message-----
> From: Spicer, Kevin [mailto:Kevin.Spicer@BMRB.CO.UK] > Sent: Tuesday, August 05, 2003 9:05 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Admin email > > > Max Kipness wrote: > > Yes, I'm even doing a restart. There are no errors in the log > > pertaining to syntax. > > > Perhaps you could post your filename.rules.conf as an attachment... > > > > BMRB International > http://www.bmrb.co.uk > +44 (0)20 8566 5000 > -------------- next part -------------- A non-text attachment was scrubbed... Name: filename.rules.conf Type: application/octet-stream Size: 4597 bytes Desc: filename.rules.conf Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030805/758f96bd/filename.rules.obj From andersan at LTKALMAR.SE Tue Aug 5 15:29:21 2003
From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:19:11 2006 Subject: Re: Need file with mimaila Message-ID: <9F18B7DDBA88E544AB1F1995148916661CE6C0@lkl63.ltkalmar.se> According to Trend it is only in first place in Africa and Australia... in the rest it is around 4th-5th place > -----Original Message----- > From: Ulysees [mailto:Ulysees@ULYSEES.COM] > Sent: 5 August 2003 16:19 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Need file with mimaila > > > Great so I'm not the only one who isn't seeing it. > Is this virus as widespread as people claim? > > I've checked the logs on all my gateways and I have yet to > receive 1 message.zip > > Uly > > ----- Original Message ----- > From: "Anders Andersson, IT" > To: > Sent: Tuesday, August 05, 2003 3:01 PM > Subject: [MAILSCANNER] Need file with mimaila > > > > Hi, > > Searched my logs and can't find any evidence that we have > received the > > mimaila virus. Could someone please send me a copy so I can > make sure it > > will be caught by AV progs... > > > > Kind regards > > > > /Anders > > > From Kevin.Spicer at BMRB.CO.UK Tue Aug 5 15:36:31 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:19:11 2006 Subject: Admin email Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF776@pascal.priv.bmrb.co.uk> Max Kipness wrote: > Here it is, I appreciate it. And here's the problem (I think) message.\zip$ should be message\.zip$ or better ^message\.zip$ You don't need to quote the virus name either (although I don't think this matters). BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 From mkipness at GENIANT.COM Tue Aug 5 15:43:57 2003 From: mkipness at GENIANT.COM (Max Kipness) Date: Thu Jan 12 21:19:11 2006 Subject: Admin email Message-ID: <036A6BCC9FD10749AD3CE32255AF49A6017CF850@dalsxc01.geniant.net> > And here's the problem (I think) > > message.\zip$ > > should be > > message\.zip$ > > or better > > ^message\.zip$ Thanks a lot! That worked. That was really a simple mistake to overlook. I had the escaping wrong. I'd been trying so many things this morning and am barely on my first cup of coffee. Thanks again. From steve.freegard at LBSLTD.CO.UK Tue Aug 5 15:49:33 2003
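The regex mistake Kevin spotted is easy to reproduce outside MailScanner. The following is an added example (my own code, not MailScanner's and not the attachment Max posted): a small evaluator for filename.rules.conf-style rules that shows why message.\zip$ never matched, why the deny line has to sit above the line that allows zips through, and why spaces instead of tabs break the line. It assumes four tab-separated fields per rule (allow/deny, regex, log text, user report text), that the first matching rule wins, that matching is case-insensitive and that a filename no rule matches is allowed; those details are assumptions here, not something the thread states. One difference from Perl: in Perl \z is an end-of-string anchor, so message.\zip$ compiles but can never match, whereas Python's re rejects the escape, which is why the parser below reports it instead.

```python
"""Added example, not MailScanner's own code: a minimal evaluator for
filename.rules.conf-style rules.

Assumptions (not stated in the thread): four TAB-separated fields per rule
(allow|deny, regex, log text, user report text), first matching rule wins,
matching is case-insensitive, and a filename no rule matches is allowed.
"""
import re
from typing import Any, List, Optional, Tuple

Rule = Tuple[str, Any, str, str]   # (action, compiled regex, log text, user text)

# Constructed rule sets modelled on the thread (not the posted attachment).
# 1. The broken escape: "message.\zip$". In Perl, \z is an end-of-string
#    anchor, so this compiles but can never match; Python rejects the escape.
BROKEN_RULES = (
    'deny\tmessage.\\zip$\t"mimaila" virus\t"mimaila" virus\n'
    'allow\t\\.zip$\t-\t-\n'
)
# 2. Kevin's fix, placed above the rule that lets ordinary zips through.
FIXED_RULES = (
    'deny\t^message\\.zip$\tmimaila virus\tmimaila virus\n'
    'allow\t\\.zip$\t-\t-\n'
    'deny\t\\.exe$\tExecutable\tNo executables\n'
)
# 3. Correct regex, wrong position: the allow line wins first.
WRONG_ORDER_RULES = (
    'allow\t\\.zip$\t-\t-\n'
    'deny\t^message\\.zip$\tmimaila virus\tmimaila virus\n'
)
# 4. Andrew's point: spaces instead of tabs do not split into four fields.
SPACE_SEPARATED_RULES = 'deny   ^message\\.zip$   mimaila virus   mimaila virus\n'


def parse_rules(text: str) -> Tuple[List[Rule], List[str]]:
    """Return (usable rules, problems). A rule that cannot be parsed is
    reported rather than silently skipped; a silently skipped deny rule is
    what an 'allowing message.zip' log line hides."""
    rules: List[Rule] = []
    problems: List[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 4:
            problems.append(f"line {lineno}: expected 4 tab-separated fields, got {len(fields)}")
            continue
        action, pattern, logtext, usertext = (f.strip() for f in fields[:4])
        if action not in ("allow", "deny"):
            problems.append(f"line {lineno}: unknown action {action!r}")
            continue
        try:
            rx = re.compile(pattern, re.IGNORECASE)
        except re.error as exc:
            problems.append(f"line {lineno}: bad regex {pattern!r}: {exc}")
            continue
        rules.append((action, rx, logtext, usertext))
    return rules, problems


def check_filename(rules: List[Rule], filename: str) -> Tuple[str, Optional[str]]:
    """First matching rule decides; returns (action, log text)."""
    for action, rx, logtext, _usertext in rules:
        if rx.search(filename):
            return action, logtext
    return "allow", None   # assumption: no matching rule means allow


def verdict(rules_text: str, filename: str) -> str:
    """Convenience wrapper: 'allow' or 'deny' for one filename."""
    rules, _problems = parse_rules(rules_text)
    return check_filename(rules, filename)[0]


if __name__ == "__main__":
    for name, text in [("broken", BROKEN_RULES), ("fixed", FIXED_RULES),
                       ("wrong order", WRONG_ORDER_RULES),
                       ("space separated", SPACE_SEPARATED_RULES)]:
        rules, problems = parse_rules(text)
        print(f"{name:15s} message.zip -> {check_filename(rules, 'message.zip')[0]}; problems: {problems}")
```

Run it and the broken and wrong-order sets both still allow message.zip, which is exactly what the maillog was reporting; with MailScanner itself the equivalent check is the reload plus a look at the maillog for parse errors, as Kevin and Julian said.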
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:19:11 2006 Subject: SQL Redux Message-ID: <67D9E7698329D411936E00508B6590B902773A5D@neelix.lbsltd.co.uk> Hi Chris, Thanks very much for offering this to the list - I hadn't realised that this was available as it's a MySQL extension to SQL (and I usually use Oracle or Postgres). To quote from the docs: 'When you use INSERT DELAYED, the client will get an OK at once and the row will be inserted when the table is not in use by any other thread.' So it looks like by using this it will make the SQL logging routines as cheap as writing to the temporary file - I'll give it a try on my production box soon and if I don't get any problems I'll include this in the next release of MailWatch. Cheers, Steve. -- Steve Freegard Systems Manager Littlehampton Book Services Ltd. -----Original Message----- 
From: Christopher Hicks [mailto:chicks@CHICKS.NET] Sent: 05 August 2003 06:48 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: SQL Redux I haven't been following this discussion so if this has already been mentioned please accept my apologies. On Mon, 4 Aug 2003, Julian Field wrote: > At 14:29 04/08/2003, you wrote: > >If there's really no performance hit to logging after every email instead of > >in batches, I'll see about changing my code to do it that way too. Nothing > >worse than having to wait for all of the children to finish logging before I > >can do a full restart of MailScanner. > > There must be a significant performance hit. In one case you are just > appending a line to a file. In the other case you are adding a record to a > database table and updating various indices. This *has* to be a much bigger > operation than just adding 1 line to a file. By doing an "insert delayed" you let MySQL batch things up for when it's convenient to do it. I'm sure there's still some overhead beyond simply writing to a file, but maybe it's not so bad. We use this for web logging and haven't noticed any problems. Keeping only a few indexes in the current logging table and periodically moving that into a fully indexed historic data set table would let that extra index processing be done in off times. -- The death of democracy is not likely to be an assassination from ambush. It will be a slow extinction from apathy, indifference, and undernourishment. -Robert Maynard Hutchins, educator (1899-1977) -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From splee at PLEXIO.COM Tue Aug 5 15:52:50 2003 
From: splee at PLEXIO.COM (Stephen Lee) Date: Thu Jan 12 21:19:11 2006 Subject: Need file with mimaila In-Reply-To: <000401c35b5d$756f2410$3201010a@nimitz> References: <9F18B7DDBA88E544AB1F1995148916661CE6BB@lkl63.ltkalmar.se> <000401c35b5d$756f2410$3201010a@nimitz> Message-ID: <1060095169.6522.79.camel@ralph.plexio.private> This morning one of my servers received 6 (Sophos 3.71 and most current IDEs). Here's an example of the MS warning message: The following e-mail messages were found to have viruses in them: Sender: admin@qtcraft.ca IP Address: 67.127.101.48.39172 Recipient: john@qtcraft.ca Subject: your account ibeieiwe MessageID: 19k2l2-0002QE-00 Report: >>> Virus 'W32/Mimail-A' found in file ./19k2l2-0002QE-00/message.zip/message.html Stephen On Tue, 2003-08-05 at 07:18, Ulysees wrote: > Great so I'm not the only one who isn't seeing it. > Is this virus as widespread as people claim? > > I've checked the logs on all my gateways and I have yet to receive 1 > message.zip > > Uly > > ----- Original Message ----- > From: "Anders Andersson, IT" > To: > Sent: Tuesday, August 05, 2003 3:01 PM > Subject: [MAILSCANNER] Need file with mimaila > > > > Hi, > > Searched my logs and can't find any evidence that we have received the > > mimaila virus. > > Could someone please send me a copy so I can make sure it will be caught by > > AV progs... > > > > Kind regards > > > > /Anders > > From maxsec at TOTALISE.CO.UK Tue Aug 5 15:04:07 2003
From: maxsec at TOTALISE.CO.UK (Martin Hepworth) Date: Thu Jan 12 21:19:11 2006 Subject: mimaila & Sophos In-Reply-To: <1060095169.6522.79.camel@ralph.plexio.private> References: <9F18B7DDBA88E544AB1F1995148916661CE6BB@lkl63.ltkalmar.se> <000401c35b5d$756f2410$3201010a@nimitz> <1060095169.6522.79.camel@ralph.plexio.private> Message-ID: <3F2FB957.1060206@totalise.co.uk> All, just had an email update about a new IDE from Sophos that 'detects MiMail-A better'.... man your downloads in case you haven't already got it. -- Martin From TGFurnish at HERFF-JONES.COM Tue Aug 5 16:14:12 2003 From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:19:11 2006 Subject: A bit OT: Cut off address probes? Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C0755@inex1.herffjones.hj-int> >-----Original Message-----
>From: Ken Anderson [mailto:ka@PACIFIC.NET] >Sent: Monday, August 04, 2003 6:23 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: A bit OT: Cut off address probes? > >See >http://www.sendmail.org/m4/tweaking_config.html#confBAD_RCPT_THROTTLE Well, that's close I guess, but I'd rather use a longer delay and I'd also rather not keep connections open all that long. Am I wrong in my estimation that it would not adversely affect legitimate mail to just issue a TCP RST and close the connection? Ideally I'd like to close the connection and then reject future connections from such a server for a while (an hour or more). That would also go a long way towards limiting the effectiveness of using many compromised hosts to do these dictionary attacks. At present using a distributed set of hosts for such checking is a means of speeding up the probe, since the target system can't afford to up its delay significantly if it means keeping open too many connections. By cutting off the connection and rejecting traffic from the sender entirely for a while, the speed of the probe could be slowed without leaving open connections to the local sendmail. I'm probably thinking too far out though - I'll start here and see if I actually run into problems. >Use access db with blacklist recipients. >See: >http://www.sendmail.org/m4/features.html#blacklist_recipients >Ken It hadn't clicked yet that I could block a domain and still allow individual addresses within the domain. :-) Thanks. Anyone reading this ever written a milter? I'm thinking this would be pretty straightforward, wondering whether it's worth trying. I would think a milter that just lets you run an arbitrary external command after the bad RCPT threshold has been exceeded would be enough. The command could write the sender's IP address to a file that was checked periodically by a cron job that takes care of blocking the address in iptables for an hour. Would there be problems with such an approach? -t.
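Trever's milter-plus-cron idea, as an added example (my own code, not anything from the thread, from sendmail or from a real milter): a detector that reads sendmail "User unknown" rejections, counts them per connecting IP over a sliding window, and returns the iptables commands that cut that IP off from port 25 with a TCP reset for an hour, plus an expiry pass the cron job would run to lift the block. The log line format, the threshold, the window length, the syslog year and the exact iptables rule are all assumptions, and the sample log lines are constructed. Nothing here executes a command; it only returns the strings, so wire them to subprocess (or to a milter callback) yourself.

```python
"""Added example, not code from the thread: a bad-RCPT probe blocker.

Reads sendmail check_rcpt rejections, counts them per client IP in a
sliding window, and returns iptables commands to block and later unblock.
Log format, thresholds and the iptables rule are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

THRESHOLD = 5                    # bad RCPTs from one IP ...
WINDOW = timedelta(minutes=10)   # ... within this window trigger a block
BLOCK_FOR = timedelta(hours=1)
LOG_YEAR = 2003                  # syslog lines carry no year (assumption)

# Matches sendmail's check_rcpt rejection for an unknown local user. The
# exact wording differs between sendmail versions; adjust to your logs.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sendmail\[\d+\]: \S+: "
    r"ruleset=check_rcpt, arg1=<[^>]*>, relay=(?:\S+ )?\[(?P<ip>\d+\.\d+\.\d+\.\d+)\], "
    r"reject=550 5\.1\.1 <[^>]*>\.\.\. User unknown$"
)

# Constructed sample log: one dictionary-attack host (192.0.2.10), one host
# with a couple of typos (198.51.100.7), and a normal delivery to ignore.
SAMPLE_LOG = """\
Aug  5 10:01:02 mx1 sendmail[4120]: h75E12aa004120: ruleset=check_rcpt, arg1=<aaron@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <aaron@example.com>... User unknown
Aug  5 10:01:03 mx1 sendmail[4120]: h75E13aa004120: ruleset=check_rcpt, arg1=<abby@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <abby@example.com>... User unknown
Aug  5 10:01:30 mx1 sendmail[4131]: h75E1Uaa004131: to=<john@example.com>, delay=00:00:01, mailer=local, stat=Sent
Aug  5 10:01:45 mx1 sendmail[4140]: h75E1jaa004140: ruleset=check_rcpt, arg1=<jon@example.com>, relay=mail.partner.example [198.51.100.7], reject=550 5.1.1 <jon@example.com>... User unknown
Aug  5 10:02:04 mx1 sendmail[4120]: h75E24aa004120: ruleset=check_rcpt, arg1=<adam@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <adam@example.com>... User unknown
Aug  5 10:02:05 mx1 sendmail[4120]: h75E25aa004120: ruleset=check_rcpt, arg1=<alan@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <alan@example.com>... User unknown
Aug  5 10:03:11 mx1 sendmail[4120]: h75E3Baa004120: ruleset=check_rcpt, arg1=<alex@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <alex@example.com>... User unknown
Aug  5 10:03:12 mx1 sendmail[4120]: h75E3Caa004120: ruleset=check_rcpt, arg1=<amy@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <amy@example.com>... User unknown
Aug  5 10:05:00 mx1 sendmail[4150]: h75E50aa004150: ruleset=check_rcpt, arg1=<jonh@example.com>, relay=mail.partner.example [198.51.100.7], reject=550 5.1.1 <jonh@example.com>... User unknown
"""


def at(iso: str) -> datetime:
    """Helper so callers can say at('2003-08-05 11:10:00')."""
    return datetime.fromisoformat(iso)


def parse_rejects(log: str) -> List[Tuple[datetime, str]]:
    """Extract (timestamp, client IP) for each rejected RCPT."""
    events = []
    for line in log.splitlines():
        m = REJECT_RE.match(line)
        if m:
            stamp = " ".join(m["ts"].split())   # collapse "Aug  5" padding
            ts = datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"]))
    return events


class ProbeBlocker:
    """Sliding-window counter per IP with time-limited blocks."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW, block_for=BLOCK_FOR):
        self.threshold, self.window, self.block_for = threshold, window, block_for
        self.recent: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.blocked: Dict[str, datetime] = {}   # ip -> when the block expires

    @staticmethod
    def rule(ip: str) -> str:
        # REJECT with a TCP reset rather than DROP, so the prober's
        # connection dies at once instead of hanging open on our side.
        return f"-s {ip} -p tcp --dport 25 -j REJECT --reject-with tcp-reset"

    def observe(self, ts: datetime, ip: str) -> Optional[str]:
        """Record one bad RCPT; return the block command if this tips the IP over."""
        if ip in self.blocked:
            return None
        hits = self.recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > self.window:
            hits.popleft()           # forget hits older than the window
        if len(hits) < self.threshold:
            return None
        self.blocked[ip] = ts + self.block_for
        hits.clear()
        return f"iptables -I INPUT {self.rule(ip)}"

    def expire(self, now: datetime) -> List[str]:
        """For the cron job: return the commands that lift blocks past their expiry."""
        lifted = []
        for ip, until in sorted(self.blocked.items()):
            if now >= until:
                del self.blocked[ip]
                lifted.append(f"iptables -D INPUT {self.rule(ip)}")
        return lifted


def run(log: str) -> Tuple[ProbeBlocker, List[str]]:
    """Feed a log through a fresh blocker; return it with the block commands issued."""
    blocker = ProbeBlocker()
    commands = []
    for ts, ip in parse_rejects(log):
        cmd = blocker.observe(ts, ip)
        if cmd:
            commands.append(cmd)
    return blocker, commands


if __name__ == "__main__":
    blocker, commands = run(SAMPLE_LOG)
    print("\n".join(commands))
    print("\n".join(blocker.expire(at("2003-08-05 11:10:00"))))
```

The deque per IP is what keeps the per-host state bounded: old hits fall off as the window moves, so a slow probe that stays under the threshold never accumulates. Whether a 5-in-10-minutes threshold is right depends on how many typos your legitimate correspondents make; the second host in the sample is there to show that two bad addresses from a real mail server do not trip it.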
From gerry at dorfam.ca Tue Aug 5 16:15:31 2003 From: gerry at dorfam.ca (Gerry Doris) Date: Thu Jan 12 21:19:11 2006 Subject: Need file with mimaila In-Reply-To: <000401c35b5d$756f2410$3201010a@nimitz> References: <9F18B7DDBA88E544AB1F1995148916661CE6BB@lkl63.ltkalmar.se> <000401c35b5d$756f2410$3201010a@nimitz> Message-ID: <57064.129.80.22.143.1060096531.squirrel@tiger.dorfam.ca> > Great so I'm not the only one who isn't seeing it. > Is this virus as widespread as people claim ? > > I've checked the logs on all my gateways and I have yet to receive 1 > message.zip > > Uly > When I came into work this morning I must have had 20-30 cleaned messages in my mailbox...along with a message from our sysadmin warning of email processing delays. And that is just me! Everyone had about the same in their mail. It sounds like it got inside before the scanners were updated last Friday. The IT group have been tracking down all the infected systems. Everything appears to be running normally now though. Gerry From dot at DOTAT.AT Tue Aug 5 16:33:31 2003 
From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:19:11 2006 Subject: Spamassassin not working except when called manually. Perl problem ? In-Reply-To: References: <009201c357a8$50b669c0$9c01a8c0@home.middlefinger.net> <00ed01c3585e$fdb53ff0$85b8fea9@Laptop> Message-ID: Denis Croombs wrote: > >Any clues? This is driving me mad, but I have other servers that I look >after for people and these work perfectly. I am trying to work through >comparing this system to my system to find the problem for a friend of mine. Run MailScanner with the Debug and Debug SpamAssassin options set to Yes. Look at the self-tests that SpamAssassin does at start-up and check that it's finding its rules directories OK. If it isn't you'll need to set the paths in the various advanced SpamAssassin options in the MailScanner.conf appropriately. Tony. -- f.a.n.finch http://dotat.at/ ROCKALL: VARIABLE 3 OR 4. DRIZZLE AT FIRST. MODERATE OR POOR. From dot at DOTAT.AT Tue Aug 5 17:00:50 2003
From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:19:11 2006 Subject: Exim makefile question In-Reply-To: Message-ID: Mike Oliveri wrote: > >1) I see under creating the configure file that I can create a >colon-separated list. Would it be best to create that second configure file >for Mailscanner here, or should I just copy it over per the Mailscanner >instructions? The Makefile comments are somewhat vague as to whether this >second file will really be created. Although Exim's installation script will install a template configuration file if there isn't one already there, the option you are looking at is to do with where Exim looks for its configuration file when it is run. You DO NOT want to add both of the dual configuration files that MailScanner requires to this list, because dire confusion will result. >2) Same as above regarding the exim spool. If I need two spool directories, >particulary with one (or both) a split spool, am I also able to put a >colon-separated list of spool directories here? You don't want to do that, and indeed you can't. Exim will create its spool directory when it is first run, which needs to be done (for both instances of Exim) before MailScanner is started (because MailScanner requires directories to exist before it is started). If you are using split spool directories you must create the subdirectories yourself because Exim creates them lazily, which is not fast enough for MailScanner. >3) I've also offloaded the logfiles from the Exim spool directory to their >own log directory. Is that wise with two separate config files or is it >best to just leave them be? In other words, will instances of Exim run by >the respective configure files write to their own logs, or will they play >nice and all Exim logs just write to the same place? It's best to have both of the Exim instances logging to the same place, as explained in the MailScanner Exim installation guide. Tony. -- f.a.n.finch http://dotat.at/ ROCKALL: VARIABLE 3 OR 4. 
DRIZZLE AT FIRST. MODERATE OR POOR. From rscarano at targetsis.com.br Tue Aug 5 17:18:32 2003 From: rscarano at targetsis.com.br (Rodrigo Scarano) Date: Thu Jan 12 21:19:11 2006 Subject: Re: Need file with mimaila In-Reply-To: <000401c35b5d$756f2410$3201010a@nimitz> Message-ID: <000201c35b6d$385715a0$6900000a@targetsis.com.br> Me too (haven't received it yet). Regards, Rodrigo Scarano Target Sistemas http://www.targetsis.com.br/ rscarano@targetsis.com.br -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ulysees Sent: Tuesday, 5 August 2003 11:19 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Need file with mimaila Great so I'm not the only one who isn't seeing it. Is this virus as widespread as people claim? I've checked the logs on all my gateways and I have yet to receive 1 message.zip Uly ----- Original Message ----- From: "Anders Andersson, IT" To: Sent: Tuesday, August 05, 2003 3:01 PM Subject: [MAILSCANNER] Need file with mimaila > Hi, > Searched my logs and can't find any evidence that we have received the > mimaila virus. > Could someone please send me a copy so I can make sure it will be caught by > AV progs... > > Kind regards > > /Anders > From dot at DOTAT.AT Tue Aug 5 17:31:57 2003
From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:19:11 2006 Subject: Spam Action rules: first match vs. all match? (2) In-Reply-To: References: <5.2.0.9.2.20030805082626.036d43a8@imap.ecs.soton.ac.uk> Message-ID: Julian Field wrote: > >The other thing I have just implemented helps solve the problem of not >being able to predict the result of a ruleset when there are lots of >recipients which have conflicting results. > >Use Default Rules With Multiple Recipients = no That isn't enough to get the behaviour we want. In particular, one of the things I do quite a lot in my postmaster role is to send email to a user and to postmaster@ (for our records), which should not be scanned because postmaster is special. However in many (but not all) other cases we want messages with multiple recipients to be scanned. Apart from my soft rules idea, I have had very vague thoughts of cascading rulesets, i.e. where the third field of a ruleset can be another ruleset that is applied if an address matches the rule instead of the rest of the current ruleset. If might also be necessary to have negated rules, e.g. To: !*@dotat.at no matches if any of the destination addresses is not in my domain. Tony. -- f.a.n.finch http://dotat.at/ SOUTHEAST ICELAND: VARIABLE 3 OR 4. MAINLY FAIR. MODERATE OR GOOD. From dot at DOTAT.AT Tue Aug 5 17:36:15 2003 
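To make the ruleset behaviour in this thread concrete, here is an added example (my own code, not MailScanner's ruleset engine) that evaluates a MailScanner-style ruleset for a message with one or more recipients. It covers the per-domain SpamAssassin threshold Julian describes earlier in the thread and the conflict Tony is pointing at above: recipients that resolve to different values. The ruleset syntax (direction, pattern, value separated by whitespace, a mandatory default line, glob or /regex/ patterns), first-match-wins, case-insensitive comparison, and the reading of "Use Default Rules With Multiple Recipients" as "fall back to the default when the recipients disagree" are all assumptions based on Julian's description, not something the thread spells out or a description of MailScanner's real implementation, and the rulesets are constructed.

```python
"""Added example, not MailScanner's own code: a simplified evaluator for
MailScanner-style rulesets with one or more recipients.

Assumptions (not stated in the thread): lines are
'From:|To:|FromOrTo: pattern value' separated by whitespace, the value may
contain spaces, a 'FromOrTo: default value' line is required, patterns are
shell-style globs or /regexes/, addresses compare case-insensitively, the
first matching rule wins, and 'Use Default Rules With Multiple Recipients'
means: when the recipients' results disagree, use the default value.
"""
import fnmatch
import re
from typing import List, Tuple

Rule = Tuple[str, str, str]   # (direction, pattern, value)


def parse_ruleset(text: str) -> Tuple[List[Rule], str]:
    """Return (rules in file order, default value)."""
    rules: List[Rule] = []
    default = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'direction pattern value'")
        direction, pattern, value = parts
        direction = direction.rstrip(":").lower()
        if direction not in ("from", "to", "fromorto"):
            raise ValueError(f"line {lineno}: unknown direction {direction!r}")
        if pattern.lower() == "default":
            default = value
        else:
            rules.append((direction, pattern, value))
    if default is None:
        raise ValueError("ruleset has no default line")
    return rules, default


def address_matches(pattern: str, address: str) -> bool:
    """Glob ('*@example.com') or /regex/ match, case-insensitive."""
    address = address.lower()
    if len(pattern) > 2 and pattern.startswith("/") and pattern.endswith("/"):
        return re.search(pattern[1:-1], address, re.IGNORECASE) is not None
    return fnmatch.fnmatchcase(address, pattern.lower())


def lookup(rules: List[Rule], default: str, sender: str, recipient: str) -> str:
    """First matching rule for one (sender, recipient) pair, else the default."""
    for direction, pattern, value in rules:
        if direction in ("from", "fromorto") and address_matches(pattern, sender):
            return value
        if direction in ("to", "fromorto") and address_matches(pattern, recipient):
            return value
    return default


def evaluate(ruleset_text: str, sender: str, recipients: List[str],
             use_default_with_multiple: bool = True) -> Tuple[str, List[str]]:
    """Return (value for the message, per-recipient values)."""
    rules, default = parse_ruleset(ruleset_text)
    per_recipient = [lookup(rules, default, sender, r) for r in recipients]
    if len(set(per_recipient)) <= 1:
        return (per_recipient[0] if per_recipient else default), per_recipient
    if use_default_with_multiple:
        return default, per_recipient
    # Without that option the outcome depends on recipient order, which is
    # the unpredictability Tony and Julian are discussing.
    return per_recipient[0], per_recipient


# Constructed ruleset: a per-domain SpamAssassin threshold, as Julian describes.
THRESHOLD_RULES = """\
From:     /^news@/        10
To:       *@example.com   4
To:       *@example.org   8
FromOrTo: default         6
"""

# Constructed ruleset for Tony's case: postmaster mail is not to be
# spam-checked, everything else is.
SPAM_CHECK_RULES = """\
To:       postmaster@dotat.at   no
FromOrTo: default               yes
"""

if __name__ == "__main__":
    print(evaluate(THRESHOLD_RULES, "x@other.net", ["alice@example.com", "carol@example.org"]))
    print(evaluate(SPAM_CHECK_RULES, "fanf@dotat.at", ["user@dotat.at", "postmaster@dotat.at"]))
```

The second call reproduces Tony's complaint: user@dotat.at says yes, postmaster@dotat.at says no, and the default-on-conflict option resolves that to yes, so the message is scanned anyway. Expressing "do not scan if any recipient is postmaster" needs a rule over the whole recipient list, which is what his negated-rule and cascading-ruleset ideas are reaching for; this evaluator deliberately does not invent one.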
From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:19:11 2006 Subject: Which is better for use with MS? Sendmail, postfix, exim....... In-Reply-To: Message-ID: Samuel Luxford-Watts wrote: > >Just a quick question and I hope it doesn't cause too much traffic to the >list but I was wondering which MTA is best for use with MS and SpamAssassin? >I would also like to config and log using mysql if possible. I recommend Exim, because its ACL system allows you to be as strict as you wish about which messages are accepted by your system before they even get as far as MailScanner. This means you have less difficulty dealing with forged email and double bounces etc. Tony. -- f.a.n.finch http://dotat.at/ WIGHT: EASTERLY 5 OR 6 BECOMING VARIABLE THEN WESTERLY 3 OR 4. THUNDERY SHOWERS LATER. MODERATE, WITH FOG PATCHES DEVELOPING. From dot at DOTAT.AT Tue Aug 5 17:45:46 2003 From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:19:11 2006 Subject: A bit OT: Cut off address probes? In-Reply-To: References: <8FFC76593085ED4A80D3601BC41EFCDF0C0754@inex1.herffjones.hj-int> <8FFC76593085ED4A80D3601BC41EFCDF0C0754@inex1.herffjones.hj-int> Message-ID: Steve Thomas wrote: > >In your sendmail.mc, put: >define(`confBAD_RCPT_THROTTLE',`5') In Exim you can configure any kind of bad RCPT throttling you like, including delays, discarding the message, dropping the connection, and any combination thereof, using the ACL system. Tony. -- f.a.n.finch http://dotat.at/ LOUGH FOYLE TO CARLINGFORD LOUGH: MAINLY EAST TO SOUTHEAST 3 OR 4 BECOMING MAINLY NORTHEAST 2 OR 3 OVERNIGHT THEN VARIABLE MAINLY NORTH OR NORTHWEST 2 OR 3 ON WEDNESDAY . THUNDERY SHOWERS CLEARING BUT HAZY, WITH MIST AND FOG PATCHES DEVELOPING. GOOD OR MODERATE BECOMING MODERATE OR POOR. SLIGHT TO MODERATE BECOMING SLIGHT. From mailscanner at ecs.soton.ac.uk Tue Aug 5 18:05:28 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:11 2006
Subject: Which is better for use with MS? Sendmail, postfix, exim.......
In-Reply-To:
References:
Message-ID: <5.2.1.1.2.20030805180323.0271fac0@imap.ecs.soton.ac.uk>

At 17:36 05/08/2003, you wrote:
>Samuel Luxford-Watts wrote:
> >
> >Just a quick question and I hope it doesn't cause too much traffic to the
> >list but I was wondering which MTA is best for use with MS and SpamAssassin?
> >I would also like to config and log using mysql if possible.
>
>I recommend Exim, because its ACL system allows you to be as strict as
>you wish about which messages are accepted by your system before they
>even get as far as MailScanner. This means you have less difficulty
>dealing with forged email and double bounces etc.

Out of sendmail, Exim and Postfix, Exim is the fastest too when used in
conjunction with MailScanner. I virtually always use Exim when
speed-testing.

Postfix itself is fast, but due to its internal design causes a lot more
I/O with MailScanner than sendmail or Exim.

Sendmail can approach the speed of Exim, but I have yet to make it beat it.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From jurik at AFX.CZ Tue Aug 5 17:59:58 2003
From: jurik at AFX.CZ (Kamil jurik)
Date: Thu Jan 12 21:19:11 2006
Subject: Not scaned .zip files
Message-ID:

Hi all,

scanned MS inside zip files and blocked for viruses? I can send mail with
eicar.com file so to me arrived mail with text:

One or more of the attachments (eicar.com) are on
the list of unacceptable attachments for this site and will not have
been delivered.

Consider renaming the files or putting them into a "zip" file to avoid
 '------->
this constraint.

Can I do off??

It comes to this that pass virus inside zip?

I'm sorry for my bad English.

Thanks for the answer
Kamil Jurik

From mailscanner at ecs.soton.ac.uk Tue Aug 5 18:20:32 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:11 2006
Subject: Not scaned .zip files
In-Reply-To:
Message-ID: <5.2.1.1.2.20030805181856.03595780@imap.ecs.soton.ac.uk>

At 17:59 05/08/2003, you wrote:
>Hi all,
>
>scanned MS inside zip files and blocked for viruses? I can send mail with
>eicar.com file so to me arrived mail with text:
>
>One or more of the attachments (eicar.com) are on
>the list of unacceptable attachments for this site and will not have
>been delivered.
>
>Consider renaming the files or putting them into a "zip" file to avoid
> '------->
>this constraint.
>Can I do off??
>
>It comes to this that pass virus inside zip?

If you put the file inside a zip file, then it will avoid the attachment
filename checks (filename.rules.conf) and the attachment filetype checks
(filetype.rules.conf). But it will still be scanned for viruses.

>I'm sorry for my bad English.

Your English is a lot better than my Czech! :-)

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mark at TIPPINGMAR.COM Tue Aug 5 18:22:15 2003
From: mark at TIPPINGMAR.COM (Mark Nienberg)
Date: Thu Jan 12 21:19:11 2006
Subject: Unexpected Error?
In-Reply-To: <036A6BCC9FD10749AD3CE32255AF49A60170A02D@dalsxc01.geniant.net>
Message-ID: <3F2F8557.5456.13FE0EF2@localhost>

I'm seeing this too, with Sophos 3.72. I have some PDF files that 3.71
scans successfully, but 3.72 chokes on with the "unexpected error". I
sent a sample file to Sophos. My MailScanner is still using 3.71, so I
think I'll postpone the update to 3.72 on this machine.

Mark Nienberg

On 4 Aug 2003 at 12:02, Max Kipness wrote:

> I've got an employee who has been sending docs all morning and then
> suddenly has a problem with one doc getting corrupt/unexpected errors.
> Does this just mean that MailScanner thinks it's corrupt and then had an
> error trying to check it? Here is the log:
>
> Aug 4 11:47:53 xxxxxxxxx sendmail[29123]: h74GklL1029123:
> from=, size=1015025, class=0, nrcpts=1,
> msgid=<036A6BCC9FD10749AD3CE32255AF49A601702857@dalsxc01.geniant.net>,
> proto=ESMTP, daemon=MTA, relay=adsl-64-217-212-137.dsl.rcsntx.swbell.net
> [64.217.212.137]
> Aug 4 11:47:53 xxxxxxxxx sendmail[29123]: h74GklL1029123:
> to=, delay=00:01:05, mailer=esmtp, pri=30639,
> stat=queued
> Aug 4 11:47:56 xxxxxxxxx MailScanner[20684]: Could not check
> ./h74GklL1029123/winmail.dat/Xxxxxxxxx AD Design - DRAFT.zip/Xxxxxxxxx
> AD Design - DRAFT.doc (corrupt)
> Aug 4 11:47:56 xxxxxxxxx MailScanner[20684]: Could not check
> ./h74GklL1029123/winmail.dat/Xxxxxxxxx AD Design - DRAFT.zip/Xxxxxxxxx
> AD Design - DRAFT.doc (unexpected error [0x80040202])
> Aug 4 11:47:56 xxxxxxxxx MailScanner[20684]: Could not check
> ./h74GklL1029123/winmail.dat/Xxxxxxxxx AD Design - DRAFT.zip/Xxxxxxxxx
> AD Design - DRAFT.doc (unexpected error [0x80040202])
> Aug 4 11:47:57 xxxxxxxxx MailScanner[20684]: Saved infected
> "winmail.dat" to
> /var/spool/MailScanner/quarantine/20030804/h74GklL1029123
> Aug 4 11:48:05 xxxxxxxxx sendmail[29165]: h74GklL1029123:
> to=, delay=00:01:17, xdelay=00:00:08, mailer=esmtp,
> pri=120639, relay=houmail.companyx.com. [204.194.96.13], dsn=2.0.0,
> stat=Sent (h74GlvRp028965 Message accepted for delivery)
>
> Thanks,
> Max

From mkipness at GENIANT.COM Tue Aug 5 18:25:12 2003
From: mkipness at GENIANT.COM (Max Kipness)
Date: Thu Jan 12 21:19:11 2006
Subject: Send attachment that got caught as virus
Message-ID: <036A6BCC9FD10749AD3CE32255AF49A6017CF85C@dalsxc01.geniant.net>

I've got another .doc file that got caught as a virus because it claimed
it was corrupt. Still haven't had time to look at why Sophos is doing
this. Anyway, how can I send this attachment on through? I've found it
and I tried:

uuencode file.zip file.zip |sendmail email@email.com

But this just sends it right back through MailScanner and it gets caught
again.

Thanks,
Max

From mailscanner at ecs.soton.ac.uk Tue Aug 5 18:32:29 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:12 2006
Subject: Send attachment that got caught as virus
In-Reply-To: <036A6BCC9FD10749AD3CE32255AF49A6017CF85C@dalsxc01.geniant.net>
Message-ID: <5.2.1.1.2.20030805183050.025ec290@imap.ecs.soton.ac.uk>

At 18:25 05/08/2003, you wrote:
>I've got another .doc file that got caught as a virus because it claimed
>it was corrupt. Still haven't had time to look at why Sophos is doing
>this. Anyway, how can I send this attachment on through.

Make sure you have at least version 4.13 and set
Allowed Sophos Error Messages = corrupt

> I've found it
>and I tried:
>
>uuencode file.zip file.zip |sendmail email@email.com
>
>But this just sends it right back through MailScanner and it gets caught
>again.
>
>Thanks,
>Max

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From jurik at afx.cz Tue Aug 5 18:59:07 2003
From: jurik at afx.cz (=?windows-1252?Q?Kamil_Jur=28=EDk_-_AFX?=)
Date: Thu Jan 12 21:19:12 2006
Subject: Not scaned .zip files
In-Reply-To: <5.2.1.1.2.20030805181856.03595780@imap.ecs.soton.ac.uk>
References: <5.2.1.1.2.20030805181856.03595780@imap.ecs.soton.ac.uk>
Message-ID: <3F2FF06B.2090302@afx.cz>

Thanks a lot for your fast answer (Julian Field). It's OK (zip).

I'm faking up the script SweepViruses.pm: in the function sub
ProcessBitdefenderOutput I adapted the function ProcessRavOutput.
Bitdefender=RAV :-) It's better. A part of the script:

--------------------------------------------------------------------
sub ProcessBitdefenderOutput {
  my($line, $infections, $types, $BaseDir, $Name) = @_;
  my($report, $infected, $dot, $id, $part, @rest);
  my($logout);

  chomp $line;
  $report = $line;

  # One report line per infected (or suspicious) object, e.g.
  # "./id/part\tinfected: NAME"; anything else is ignored.
  if ($line =~ /\t+(infected|suspicious): /i) {
    $logout = $line;
    $logout =~ s/%/%%/g;          # escape % so InfoLog's printf-style format is safe
    MailScanner::Log::InfoLog($logout);

    # Get to relevant filename in a reasonably but not
    # totally robust manner (*impossible* to be totally robust
    # if we have slashes, spaces and "->" in filenames)

    # Strip the infection report off the end, leaves us with the path
    # and the archive element name
    $line =~ s/\t(infected|suspicious): \S+$//i;

    # Strip any archive elements so we should just have the path and filename
    $line =~ s/^(.*?)\-\>.*$/$1/;

    $line =~ /\-\>/ and
      MailScanner::Log::DieLog("Dodgy things going on in Bitdefender " .
                               "output:\n%s\n", $report);

    #print STDERR "**$line\n";
    ($dot,$id,$part,@rest) = split(/\//, $line);
    $report = $Name . ': ' . $report if $Name;
    $infections->{"$id"}{"$part"} .= $report . "\n";
    $types->{"$id"}{"$part"} .= "v"; # so we know what to tell sender
    return 1;
  }
  return 0;
}
-------------------------------------------------------------------------

Kamil Jurik

Julian Field wrote:

> At 17:59 05/08/2003, you wrote:
>
>> Hi all,
>>
>> scanned MS inside zip files and blocked for viruses? I can send mail
>> with
>> eicar.com file so to me arrived mail with text:
>>
>> One or more of the attachments (eicar.com) are on
>> the list of unacceptable attachments for this site and will not have
>> been delivered.
>>
>> Consider renaming the files or putting them into a "zip" file to avoid
>> '------->
>> this constraint.
>> Can I do off??
>>
>> It comes to this that pass virus inside zip?
>
>
> If you put the file inside a zip file, then it will avoid the attachment
> filename checks (filename.rules.conf) and the attachment filetype checks
> (filetype.rules.conf). But it will still be scanned for viruses.
>
>
>> I'm sorry for my bad English.
>
>
> Your English is a lot better than my Czech! :-)
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
>

This e-mail was checked on the AFX mail server

From TGFurnish at HERFF-JONES.COM Tue Aug 5 19:29:38 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:12 2006
Subject: Which is better for use with MS? Sendmail, postfix, exim..... ..
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1A7F@inex1.herffjones.hj-int>

>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>Sent: Tuesday, August 05, 2003 12:05 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Which is better for use with MS? Sendmail, postfix,
>exim.......
>>> [ ...snip... ]
>> [ ...snip... ]
>
>Out of sendmail, Exim and Postfix, Exim is the fastest too when used in
>conjunction with MailScanner. I virtually always use Exim when
>speed-testing.
>
>Postfix itself is fast, but due to its internal design causes
>a lot more
>I/O with MailScanner than sendmail or Exim.
>
>Sendmail can approach the speed of Exim, but I have yet to
>make it beat it.

Any thoughts on qmail? Besides sendmail it's the only other mta on *nix
I've run (so far). Haven't attempted it with MS though.

From DHarding at GILATLA.COM Tue Aug 5 19:29:24 2003
From: DHarding at GILATLA.COM (Devon Harding - GTHLA)
Date: Thu Jan 12 21:19:12 2006
Subject: Authentication
Message-ID: <97D0DDFA3C2F5B44AAC0960B99E96213C9780D@VMX.gilatla.com>

Is it possible to allow MailScanner/Sendmail to authenticate incoming
SMTP connection via a Windows 2000 AD server? Just as in Microsoft SMTP
server.

_____________________
Devon Harding
System Administrator
Gilat Latin America
954-858-1600
dharding@gilatla.com

This e-mail is intended for the above named addressee(s), and may contain
information which is confidential or privileged. If you are not the
intended recipient, please inform us immediately: you should not copy or
use this e-mail for any purpose nor disclose its contents to any person.

From mailscanner at ecs.soton.ac.uk Tue Aug 5 19:34:18 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:12 2006
Subject: Which is better for use with MS? Sendmail, postfix, exim..... ..
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF8E1A7F@inex1.herffjones.hj-int>
Message-ID: <5.2.1.1.2.20030805193304.026c9468@imap.ecs.soton.ac.uk>

At 19:29 05/08/2003, you wrote:
> >-----Original Message-----
> >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> >Sent: Tuesday, August 05, 2003 12:05 PM
> >To: MAILSCANNER@JISCMAIL.AC.UK
> >Subject: Re: Which is better for use with MS? Sendmail, postfix,
> >exim.......
> >>> [ ...snip... ]
> >> [ ...snip... ]
> >
> >Out of sendmail, Exim and Postfix, Exim is the fastest too when used in
> >conjunction with MailScanner. I virtually always use Exim when
> >speed-testing.
> >
> >Postfix itself is fast, but due to its internal design causes
> >a lot more
> >I/O with MailScanner than sendmail or Exim.
> >
> >Sendmail can approach the speed of Exim, but I have yet to
> >make it beat it.
>
>Any thoughts on qmail? Besides sendmail it's the only other mta on *nix
>I've run (so far). Haven't attempted it with MS though.

Don't. It's not supported (yet). I don't like it much as it's "patch city"
of which I fundamentally disapprove.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Aug 5 19:37:46 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:12 2006
Subject: Authentication
In-Reply-To: <97D0DDFA3C2F5B44AAC0960B99E96213C9780D@VMX.gilatla.com>
Message-ID: <5.2.1.1.2.20030805193714.037ccbe0@imap.ecs.soton.ac.uk>

At 19:29 05/08/2003, you wrote:
>Is it possible to allow MailScanner/Sendmail to authenticate incoming
>SMTP connection via a Windows 2000 AD server? Just as in Microsoft SMTP
>server.

MailScanner does not get involved with SMTP service at all, so this
"ain't my problem" :-)

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From raymond at PROLOCATION.NET Tue Aug 5 20:43:21 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:12 2006
Subject: Update on F-prot issue
In-Reply-To:
Message-ID:

Hi!

After a long conversation in mail and calling them voice they understood
something was broken =)

F-Prot finally fixed the problem with Mimail, it's now catching up BUT!
you have to upgrade BOTH engine and signature files before it will pick
Mimail up... Only updating signature files won't help, it will not pick
it up, verified that ... :)

> Dear Raymond,
> There was a slight delay on the update, but you should now be able to
> download the latest version of the new F-Prot for Linux version. We
> apologize for the inconvenience.

And

> New versions of F-Prot Antivirus products have been released today,
> 5 August 2003. These version include a new scanning engine, offering
> enhanced handling of e-mail messages and updated protection against
> future unknown threats. These enhancements are vital to the computer's
> protection and users of F-Prot Antivirus products are therefore urged
> to update their program as soon as possible. Please visit
> http://subscription.f-prot.com/download.html to update your program now.
>
> The new versions of F-Prot Antivirus products FRISK Software
> International is releasing today are:
> F-Prot Antivirus for Windows 3.14a
> F-Prot Antivirus for Exchange 1.0.2
> F-Prot Antivirus for DOS 3.14a
> F-Prot Antivirus for Linux, all versions 4.1.2
> F-Prot Antivirus for BSD, all versions 4.1.1
> F-Prot Antivirus for AIX 4.2.1
> F-Prot Antivirus for Solaris, Intel and Sparc 4.2.1-beta-1
> F-Prot Antivirus for Linux on S/390 4.2.1-beta-1

So go get a fresh copy =) Again, it will only pick up Mimail when you
also upgrade the engine.

Aug 5 21:35:46 vmx10 MailScanner[3438]: /var/spool/MailScanner/incoming/3438/h75JZOLs006661/message.zip->message.html Infection: W32/Mimail.A@mm

You might want to put Mimail in your silent list also right away...

Bye,
Raymond.

From mbowman at UDCOM.COM Tue Aug 5 20:51:25 2003
From: mbowman at UDCOM.COM (Matthew Bowman)
Date: Thu Jan 12 21:19:12 2006
Subject: Updated f-prot not detecting mimail...
Message-ID:

Thanks. I have the updated f-prot and clamav running on my installation,
however neither are detecting MiMail

Aug 5 10:17:22 smithers MailScanner[1688]: Saved infected "message.zip"
to /var/spool/MailScanner/quarantine/20030805/h75EHLv07503

f-prot:

f-prot /var/spool/MailScanner/quarantine/20030805/h75EHLv07503/
Virus scanning report - 5 August 2003 @ 15:49

F-PROT ANTIVIRUS
Program version: 4.1.2
Engine version: 3.13.4

VIRUS SIGNATURE FILES
SIGN.DEF created 1 August 2003
SIGN2.DEF created 4 August 2003
MACRO.DEF created 4 August 2003

Search: /var/spool/MailScanner/quarantine/20030805/h75EHLv07503/
Action: Report only
Files: Attempt to identify files
Switches:

Results of virus scanning:

Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 0
Time: 0:00

No viruses or suspicious files/boot sectors were found.

clamscan:

clamscan /var/spool/MailScanner/quarantine/20030805/h75EHLv07503
/var/spool/MailScanner/quarantine/20030805/h75EHLv07503/message.zip: OK

----------- SCAN SUMMARY -----------
Known viruses: 7846
Scanned directories: 1
Scanned files: 1
Infected files: 0
Data scanned: 0.02 Mb
I/O buffer size: 131072 bytes
Time: 0.199 sec (0 m 0 s)

It was quarantined as I had a rule to deny message.zip$ but still why
didn't either AV detect MiMail.. Any ideas?

Matthew

From mailscanner at ELKNET.NET Tue Aug 5 20:56:24 2003
From: mailscanner at ELKNET.NET (Alan Fiebig)
Date: Thu Jan 12 21:19:12 2006
Subject: Followup on July Etrust discussion
Message-ID: <200308051956.h75JuRS20420@ori.rl.ac.uk>

Julian,

Just as a gentle reminder now that your vacation is over, here are a
couple of posts regarding the good pricing offered to us to use Etrust
Inoculate. Right before you left on vacation you felt you might work on
supporting (wrapper and update) for this product. Just wondering if it's
still on track, I'm very interested in this solution. Thanks!

-Alan

##########################

Julian posted on June 30th:
Have just been sent this, may be interesting reading for many people:

>A CA sales representative called and asked how the evaluation was going. I
>explained our setup with 15.000+ accounts being protected by MailScanner
>and how we used f-prot today. After a little questions/answers back and
>forth to make sure he fully understood our setup I asked how much it would
>be to use CA eTrust along with f-prot.
>
>Apparently their licensing policy is a bit different from others. He claimed
>they aim to take a "large portion" of the market so they are very aggressive
>with their prices.
>
>For us it would be about $55 for two servers. Each "node" is licensed as
>just a node, they don't care how many it serves (citrix being the only
>exception to the rule)
>1-99 nodes is approx $28 per node
>
>There is no limitation on availability for antivirus signatures either, not
>in time or product version. It is "for life" he claimed.

Julian posted on July 1st:
Sorry I haven't had a chance to look at this. It's unlikely to happen
before August now as I am going to have to live without bandwidth for most
of July (on "holiday", whatever one of those is...). I guess it's a bit
like being in hospital and hence not having a PC, but there again I had a
laptop then and our local hospital has networked workstation rooms in it.
This "holiday" thing is going to be a very strange experience :-)

From raymond at PROLOCATION.NET Tue Aug 5 20:58:34 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:12 2006
Subject: Updated f-prot not detecting mimail...
In-Reply-To:
Message-ID:

Hi!

> Aug 5 10:17:22 smithers MailScanner[1688]: Saved infected "message.zip"
> to /var/spool/MailScanner/quarantine/20030805/h75EHLv07503
>
> f-prot:
>
> f-prot /var/spool/MailScanner/quarantine/20030805/h75EHLv07503/
> Virus scanning report - 5 August 2003 @ 15:49

Most likely this is either a new variant or not a virus at all, can you
look inside the zip? It works ok on my box currently. I can send you a
Mimail zip if you like so you know your setup is working. Clam did catch
it all the time already.

Bye,
Raymond.

From mbowman at UDCOM.COM Tue Aug 5 20:56:54 2003
From: mbowman at UDCOM.COM (Matthew Bowman)
Date: Thu Jan 12 21:19:12 2006
Subject: Updated f-prot not detecting mimail...
Message-ID:

Raymond,

Yes the file is a virus as my Symantec Anti Virus client detected it...
Mind you I did send the e-mail to me from the server as root using pine.
Please send me that mimail.zip file to see if my install detects it

Thank you

Raymond Dijkxhoorn
Sent by: MailScanner mailing list
08/05/2003 03:58 PM
Please respond to MailScanner mailing list
To: MAILSCANNER@JISCMAIL.AC.UK
cc:
Subject: Re: Updated f-prot not detecting mimail...

Hi!

> Aug 5 10:17:22 smithers MailScanner[1688]: Saved infected "message.zip"
> to /var/spool/MailScanner/quarantine/20030805/h75EHLv07503
>
> f-prot:
>
> f-prot /var/spool/MailScanner/quarantine/20030805/h75EHLv07503/
> Virus scanning report - 5 August 2003 @ 15:49

Most likely this is either a new variant or not a virus at all, can you
look inside the zip? It works ok on my box currently. I can send you a
Mimail zip if you like so you know your setup is working. Clam did catch
it all the time already.

Bye,
Raymond.

From raymond at PROLOCATION.NET Tue Aug 5 21:02:02 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:12 2006
Subject: Updated f-prot not detecting mimail...
In-Reply-To:
Message-ID:

Hi!

> Yes the file is a virus as my Symantec Anti Virus client detected it...
> Mind you I did send the e-mail to me from the server as root using pine.
> Please send me that mimail.zip file to see if my install detects it

Then it most likely won't be scanned, since pine is not delivering to the
mailqueue.in

Try sending from 'outside'

I also sent in a mail, to your addy, to see if you can catch that one.

Bye,
Raymond.

From raymond at PROLOCATION.NET Tue Aug 5 21:11:25 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:12 2006
Subject: {VIRUS?} Re: Updated f-prot not detecting mimail...
Message-ID:

Yep It detected it fine.. hmm.

I'm wondering if my clamav isn't working either... when I reload/restart
Mailscanner i only see f-prot in the maillog not clamav.

Virus scanners = f-prot clamav

---
Matthew K Bowman
Systems Administrator, UDCom
174 Park Avenue West, Mansfield. Ohio 44902
Tel : 419-524-4330 Fax : 419-524-8757
Email : mbowman@udcom.com
Web: http://www.udcom.com/

From raymond at PROLOCATION.NET Tue Aug 5 21:11:40 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:12 2006
Subject: {VIRUS?} Re: Updated f-prot not detecting mimail...
In-Reply-To:
Message-ID:

Hi!

> I'm wondering if my clamav isn't working either... when I reload/restart
> Mailscanner i only see f-prot in the maillog not clamav.
>
> Virus scanners = f-prot clamav

What Clam version are you running? And what date are the databases from?

drwxrwxr-x    2 clamav   clamav       4096 Aug  5 22:01 .
drwxr-xr-x    5 root     root         4096 Apr 29 01:26 ..
-rw-rw-r--    1 clamav   clamav         86 Jun 21 13:38 mirrors.txt
-rw-r--r--    1 clamav   clamav    1222321 Jul  7 21:02 viruses.db
-rw-r--r--    1 clamav   clamav      31724 Aug  5 22:01 viruses.db2

Clam is detecting it different btw:

Two variants:

Aug 5 01:30:34 vmx10 MailScanner[27280]: /var/spool/MailScanner/incoming/27280/./h74NUTSL019087/message.zip: Trojan.Dropper.B FOUND

Aug 5 01:12:48 vmx10 MailScanner[27124]: /var/spool/MailScanner/incoming/27124/./h74NCjSL004095/message.zip: Trojan.Dropper.C FOUND

Bye,
Raymond.

From mbowman at UDCOM.COM Tue Aug 5 21:10:27 2003
From: mbowman at UDCOM.COM (Matthew Bowman)
Date: Thu Jan 12 21:19:12 2006
Subject: {VIRUS?} Re: Updated f-prot not detecting mimail...
Message-ID:

I am running 0.60

/usr/local/share/clamav
[root@smithers clamav]# ls -l
total 1236
-rw-rw-r--    1 clamav   clamav         86 Aug  4 12:09 mirrors.txt
-rw-r--r--    1 clamav   clamav    1222321 Aug  5 16:04 viruses.db
-rw-r--r--    1 clamav   clamav      31724 Aug  5 16:04 viruses.db2

Regards,
Matthew

Raymond Dijkxhoorn
Sent by: MailScanner mailing list
08/05/2003 04:11 PM
Please respond to MailScanner mailing list
To: MAILSCANNER@JISCMAIL.AC.UK
cc:
Subject: Re: {VIRUS?} Re: Updated f-prot not detecting mimail...

Hi!

> I'm wondering if my clamav isn't working either... when I reload/restart
> Mailscanner i only see f-prot in the maillog not clamav.
>
> Virus scanners = f-prot clamav

What Clam version are you running? And what date are the databases from?

drwxrwxr-x    2 clamav   clamav       4096 Aug  5 22:01 .
drwxr-xr-x    5 root     root         4096 Apr 29 01:26 ..
-rw-rw-r--    1 clamav   clamav         86 Jun 21 13:38 mirrors.txt
-rw-r--r--    1 clamav   clamav    1222321 Jul  7 21:02 viruses.db
-rw-r--r--    1 clamav   clamav      31724 Aug  5 22:01 viruses.db2

Clam is detecting it different btw:

Two variants:

Aug 5 01:30:34 vmx10 MailScanner[27280]: /var/spool/MailScanner/incoming/27280/./h74NUTSL019087/message.zip: Trojan.Dropper.B FOUND

Aug 5 01:12:48 vmx10 MailScanner[27124]: /var/spool/MailScanner/incoming/27124/./h74NCjSL004095/message.zip: Trojan.Dropper.C FOUND

Bye,
Raymond.

From raymond at PROLOCATION.NET Tue Aug 5 21:16:50 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:12 2006
Subject: {VIRUS?} Re: Updated f-prot not detecting mimail...
In-Reply-To:
Message-ID:

Hi!

> [root@smithers clamav]# ls -l
> total 1236
> -rw-rw-r--    1 clamav   clamav         86 Aug  4 12:09 mirrors.txt
> -rw-r--r--    1 clamav   clamav    1222321 Aug  5 16:04 viruses.db
> -rw-r--r--    1 clamav   clamav      31724 Aug  5 16:04 viruses.db2

> -rw-rw-r--    1 clamav   clamav         86 Jun 21 13:38 mirrors.txt
> -rw-r--r--    1 clamav   clamav    1222321 Jul  7 21:02 viruses.db
> -rw-r--r--    1 clamav   clamav      31724 Aug  5 22:01 viruses.db2

Strange, same size but different dates. And I update it hourly. Might that
be the problem? Perhaps a viruses.db outdated?

> Aug 5 01:30:34 vmx10 MailScanner[27280]:
> /var/spool/MailScanner/incoming/27280/./h74NUTSL019087/message.zip:
> Trojan.Dropper.B FOUND
>
> Aug 5 01:12:48 vmx10 MailScanner[27124]:
> /var/spool/MailScanner/incoming/27124/./h74NCjSL004095/message.zip:
> Trojan.Dropper.C FOUND

In my logs i see loads of the above, do you see clam at all in your logs?

Do:

grep Clam /var/log/maillog

Bye,
Raymond.

From mbowman at UDCOM.COM Tue Aug 5 21:22:12 2003
From: mbowman at UDCOM.COM (Matthew Bowman)
Date: Thu Jan 12 21:19:12 2006
Subject: {VIRUS?} Re: Updated f-prot not detecting mimail...
Message-ID:

That grep returned blank. However I did a clamscan -r in my
/var/spool/MailScanner/quarantine and it did find some. Again though I'm
wondering why I am not getting entries in maillog.

I wonder though Given that I have

Virus Scanners = f-prot clamav
Minimum Code Status = supported

Should this be unsupported as per the faq? Should I switch the scanners?

Matthew

From TGFurnish at HERFF-JONES.COM Tue Aug 5 21:31:58 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:12 2006
Subject: Which is better for use with MS? Sendmail, postfix, exim..... ..
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1A84@inex1.herffjones.hj-int>

>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>Sent: Tuesday, August 05, 2003 12:05 PM

Tony Finch had written:
>> I recommend Exim, because its ACL system allows you to be as strict as
>> you wish about which messages are accepted by your system before they
>> even get as far as MailScanner. This means you have less difficulty
>> dealing with forged email and double bounces etc.

Julian Field responded:
> Out of sendmail, Exim and Postfix, Exim is the fastest too when used in
> conjunction with MailScanner. I virtually always use Exim when
> speed-testing.
>
> Postfix itself is fast, but due to its internal design causes
> a lot more I/O with MailScanner than sendmail or Exim.
>
> Sendmail can approach the speed of Exim, but I have yet to
> make it beat it.

So... Just wondering, does Exim still provide unique message IDs and more
importantly does it offer a way to split messages with multiple recipients
into one message per recipient, like the recently suggested usage of
sendmail queue groups?

From mikea at MIKEA.ATH.CX Tue Aug 5 21:33:45 2003
From: mikea at MIKEA.ATH.CX (mikea) Date: Thu Jan 12 21:19:12 2006 Subject: Help! SA timing out, mail undelivered Message-ID: <20030805153345.A32992@mikea.ath.cx> The subject pretty much says it all. It appears to have started about 0600 this morning, and I'm having trouble figuring out just what is causing the timeout. To get mail to flow, I have to disable SA, which means I have to do without the rules I need for catching some particularly nasty things. Here is debug output with debug turned on for MS and SA both: : isdmon2# sh rc.M*er start : sendmail incoming outgoing MailScanner Starting MailScanner... : In Debugging mode, not forking... : debug: Score set 0 chosen. : debug: ignore: test message to precompile patterns and load modules : debug: using "/usr/local/share/spamassassin" for default rules dir : debug: using "/etc/mail/spamassassin" for site rules dir : debug: using "/opt/MailScanner/etc/spam.assassin.prefs.conf" for user prefs file : debug: bayes: tie-ing to DB file R/O /root/.spamassassin/bayes_toks : debug: bayes: tie-ing to DB file R/O /root/.spamassassin/bayes_seen : debug: Score set 3 chosen. : debug: Initialising learner : debug: is Net::DNS::Resolver available? no : debug: is DNS available? 0 : debug: running header regexp tests; score so far=0 : debug: running body-text per-line regexp tests; score so far=1.3 : debug: bayes corpus size: nspam = 4448, nham = 9521 : debug: tokenize: header tokens for *F = "ignore@compiling.spamassassin.taint.org" : debug: tokenize: header tokens for *m = " 1060115123 spamassassin_spamd_init " : debug: cannot use bayes on this message; db not initialised yet : debug: bayes: not scoring message, returning 0.5 : debug: entering helper-app run mode : debug: running in taint mode? 
no : razor2 check skipped: No such file or directory Can't locate Razor2/Client/Agent.pm in @INC (@INC contains: /opt/MailScanner/bin /opt/MailScanner/bin/MailScanner /opt/MailScanner/lib /usr/local/lib/perl5/5.6.1/i386-freebsd /usr/local/lib/perl5/5.6.1 /usr/local/lib/perl5/site_perl/5.6.1/i386-freebsd /usr/local/lib/perl5/site_perl/5.6.1 /usr/local/lib/perl5/site_perl/5.005/i386-freebsd /usr/local/lib/perl5/site_perl/5.005 /usr/local/lib/perl5/site_perl . /opt/MailScanner/lib) at /usr/local/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/Dns.pm line 377. : debug: leaving helper-app run mode : debug: Razor2 results: spam? 0 highest cf score: 0 : debug: running raw-body-text per-line regexp tests; score so far=1.3 : debug: running uri tests; score so far=1.3 : debug: uri tests: Done uriRE : debug: running full-text regexp tests; score so far=1.3 : debug: Razor2 is not available : debug: DCC is not available: dccproc not found : debug: Current PATH is: /sbin:/bin:/usr/sbin:/usr/bin : debug: Pyzor is not available: pyzor not found : debug: all '*To' addrs: : debug: all '*From' addrs: ignore@compiling.spamassassin.taint.org : debug: running meta tests; score so far=1.3 : debug: is spam? score=1.3 required=5 tests=DATE_MISSING,NO_REAL_NAME : debug: running header regexp tests; score so far=0 : debug: running body-text per-line regexp tests; score so far=0.7 : debug: bayes corpus size: nspam = 4448, nham = 9521 : debug: tokenize: header tokens for *p = "" : debug: tokenize: header tokens for *M = " tb2hg v2h2a 7 8e 4046 2e 624 ovl2dynrl " : debug: tokenize: header tokens for *F = ""Amber Mcfadden" " : debug: tokenize: header tokens for To = "cbleeker@odot.okladot.state.ok.us" : debug: tokenize: header tokens for *x = "Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)" : debug: tokenize: header tokens for MIME-Version = "" : debug: tokenize: header tokens for *c = "multipart/alternative; HH _ HHHHH . 
HHHH _ HHHHHHHH" : debug: tokenize: header tokens for X-Priority = "3" : debug: tokenize: header tokens for X-MSMail-Priority = "Normal" : debug: tokenize: header tokens for *r = " kmj.ya3lx.org (HELO ry1) ([34.131.233]) by 200-206-162-110.dsl.telesp.net.br ; " : debug: tokenize: header tokens for *r = " kmj.ya3lx.org (HELO ry1) ([34.131.233]) by 200-206-162-110.dsl.telesp.net.br ; 200-206-162-110.dsl.telesp.net.br (200-206-162-110.dsl.telesp.net.br [200.206.162]) by odot.okladot.state.ok.us (AIX4.3/8.9.3/8.9.2) ; " : debug: bayes token 'optout.php' => 0.991061452513966 : debug: bayes token 'sk:t_bone_' => 0.0444444444444444 : debug: bayes token 'HTo:sk:cbleeke' => 0.950272483866148 : debug: bayes token 'H*r:sk:cbleeke' => 0.950272483866148 : debug: bayes: score = 0.627485986917155 : debug: expiration is due: expiring old tokens now... : debug: lock: 34757 created /root/.spamassassin/bayes.lock.isdmon2.okladot.state.ok.us.34757 : debug: lock: 34757 trying to get lock on /root/.spamassassin/bayes with 0 retries : debug: lock: 34757 link to /root/.spamassassin/bayes.lock: link ok : debug: bayes: tie-ing to DB file R/W /root/.spamassassin/bayes_toks : debug: bayes: tie-ing to DB file R/W /root/.spamassassin/bayes_seen : debug: bayes: untie-ing : debug: bayes: untie-ing db_toks : debug: bayes: untie-ing db_seen : debug: bayes: files locked, now unlocking lock : debug: unlock: 34757 unlink /root/.spamassassin/bayes.lock : debug: synced Bayes databases from journal in 0 seconds: 4 entries : debug: lock: 34757 created /root/.spamassassin/bayes.lock.isdmon2.okladot.state.ok.us.34757 : debug: lock: 34757 trying to get lock on /root/.spamassassin/bayes with 0 retries : debug: lock: 34757 link to /root/.spamassassin/bayes.lock: link ok : debug: bayes: tie-ing to DB file R/W /root/.spamassassin/bayes_toks : debug: bayes: tie-ing to DB file R/W /root/.spamassassin/bayes_seen I've done tcpdumps and tried to see what rbl queries were hanging, in case one or more of the usual 
suspects might be under DDOS, but it all seemed to be working OK.

Meanwhile, SA is timing out:

Aug 5 15:23:23 isdmon2 MailScanner[34303]: SpamAssassin timed out and was killed, consecutive failure 1 of 20
Aug 5 15:23:37 isdmon2 MailScanner[34312]: SpamAssassin timed out and was killed, consecutive failure 1 of 20
Aug 5 15:23:52 isdmon2 MailScanner[34353]: SpamAssassin timed out and was killed, consecutive failure 1 of 20
Aug 5 15:24:09 isdmon2 MailScanner[34391]: SpamAssassin timed out and was killed, consecutive failure 1 of 20
Aug 5 15:24:21 isdmon2 MailScanner[34397]: SpamAssassin timed out and was killed, consecutive failure 1 of 20
Aug 5 15:26:09 isdmon2 MailScanner[34740]: SpamAssassin timed out and was killed, consecutive failure 1 of 20

Suggestions?

--
Mike Andrews
mikea@mikea.ath.cx
Tired old sysadmin since 1964

From mailscanner at ecs.soton.ac.uk Tue Aug 5 21:20:38 2003
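One way to keep an eye on the pattern in Mike's log lines above, as an added example that is not code from the thread or from MailScanner: it tallies the "consecutive failure N of M" lines per scanning child and lists children whose count has reached a threshold. It assumes M is the MailScanner limit after which that child stops calling SpamAssassin (so its mail then passes without spam scoring); the log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the list posts): summarise MailScanner's
# "SpamAssassin timed out and was killed" syslog lines per scanning child.
# MailScanner logs "consecutive failure N of M"; this script assumes M is the
# configured limit after which that child stops calling SpamAssassin, so a
# child whose N approaches M is about to pass mail through without spam checks.

# Constructed sample modelled on the lines quoted in the thread (not real data).
SAMPLE_LOG='Aug  5 15:23:23 isdmon2 MailScanner[34303]: SpamAssassin timed out and was killed, consecutive failure 1 of 20
Aug  5 15:23:37 isdmon2 MailScanner[34312]: SpamAssassin timed out and was killed, consecutive failure 1 of 20
Aug  5 15:23:52 isdmon2 MailScanner[34303]: SpamAssassin timed out and was killed, consecutive failure 2 of 20
Aug  5 15:24:09 isdmon2 MailScanner[34312]: Spam Checks: Found 0 spam messages
Aug  5 15:24:21 isdmon2 MailScanner[34303]: SpamAssassin timed out and was killed, consecutive failure 3 of 20'

# sa_timeouts: read syslog on stdin, print "<child pid> <timeouts> <highest N> <M>"
# for every child that logged a SpamAssassin timeout, sorted by pid.
sa_timeouts() {
  awk '/MailScanner\[[0-9]+\]: SpamAssassin timed out and was killed, consecutive failure [0-9]+ of [0-9]+$/ {
         pid = $5                       # "MailScanner[34303]:"
         sub(/^MailScanner\[/, "", pid); sub(/\]:$/, "", pid)
         n = $(NF-2) + 0                # N in "failure N of M"
         limit = $NF + 0                # M
         count[pid]++
         if (n > peak[pid] + 0) peak[pid] = n
       }
       END { for (p in count) printf "%s %d %d %d\n", p, count[p], peak[p], limit }' |
  sort -n
}

# sa_timeouts_at_least MIN: print the pids whose highest consecutive-failure
# count is MIN or more, i.e. the children an operator should look at first.
sa_timeouts_at_least() {
  sa_timeouts | awk -v min="$1" '$3 + 0 >= min + 0 { print $1 }'
}

# Stand-alone usage against the live log, e.g.:
#   sa_timeouts < /var/log/maillog
#   sa_timeouts_at_least 15 < /var/log/maillog
```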
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:12 2006
Subject: Followup on July Etrust discussion
In-Reply-To: <200308051956.h75JuRS20420@ori.rl.ac.uk>
Message-ID: <5.2.1.1.2.20030805211946.03a4c398@imap.ecs.soton.ac.uk>

Can someone send me a fully licensed copy of it please, so that I can work on it?

At 20:56 05/08/2003, you wrote:
>Julian,
>
>Just as a gentle reminder now that your vacation is over, here are a
>couple of posts regarding the good pricing offered to us to use Etrust
>Inoculate. Right before you left on vacation you felt you might work on
>supporting (wrapper and update) for this product. Just wondering if it's
>still on track, I'm very interested in this solution. Thanks!
>
>-Alan
>
>##########################
>
>Julian posted on June 30th:
>Have just been sent this, may be interesting reading for many people:
>
> >A CA sales representative called and asked how the evaluation was going. I
> >explained our setup with 15.000+ accounts being protected by MailScanner
> >and how we used f-prot today. After a little questions/answers back and
> >forth to make sure he fully understood our setup I asked how much it would
> >be to use CA eTrust along with f-prot.
> >
> >Apparently their licensing policy is a bit different from others. He claimed
> >they aim to take a "large portion" of the market so they are very aggressive
> >with their prices.
> >
> >For us it would be about $55 for two servers. Each "node" is licensed as
> >just a node, they don't care how many it serves (citrix being the only
> >exception to the rule)
> >1-99 nodes is approx $28 per node
> >
> >There is no limitation on availability for antivirus signatures either, not
> >in time or product version. It is "for life" he claimed.
>
>Julian posted on July 1st:
>Sorry I haven't had a chance to look at this. It's unlikely to happen
>before August now as I am going to have to live without bandwidth for most
>of July (on "holiday", whatever one of those is...).
>I guess it's a bit like being in hospital and hence not having a PC, but
>there again I had a laptop then and our local hospital has networked
>workstation rooms in it.
>This "holiday" thing is going to be a very strange experience :-)

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From TGFurnish at HERFF-JONES.COM Tue Aug 5 21:48:24 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:12 2006
Subject: A bit OT: Cut off address probes?
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1A85@inex1.herffjones.hj-int>

/me wonders what version of sendmail the BadRcptThrottle setting appeared in, since it doesn't seem to be present in my m4/mc/cf files. :-(

> -----Original Message-----
> From: Ken Anderson [mailto:ka@PACIFIC.NET]
> Sent: Monday, August 04, 2003 6:23 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: A bit OT: Cut off address probes?
>
>
> Furnish, Trever G wrote:
>
> > This is probably a bit off-topic, and I hope it's not a faq somewhere
> > already - feel free to yell at me constructively if so. :-)
> >
> > Is there a way to configure sendmail (or whatever) such that "address
> > probes" are less effective and intrusive? I could imagine how the process
> > might work, but I've never coded a milter and am hoping someone else has
> > done this or will tell me why it would be a bad idea.
> >
> > By address probe, I mean connections that either:
> > 1. Ask the receiving mta to accept a message for one invalid address
> > after another despite repeated negative responses from the receiving mta.
> > Something that amounts to "Is bob valid?" ... "no" ... "Well, what about
> > tom?" ... "no" ... "Frank?" ... etc.
>
> See
> http://www.sendmail.org/m4/tweaking_config.html#confBAD_RCPT_THROTTLE
>
> > 2. Send a message with many recipients at the same server, learning
> > those that don't bounce.
> >
> > Completely blocking "no such user" responses seems like a bad idea, but
> > ignoring someone who attempted delivery to X number of invalid addresses
> > within Y seconds seems like a good idea. But how can the first-line MTA
> > know whether or not an address is invalid?
>
> You have to tell it.
> Use access db with blacklist recipients.
> See:
> http://www.sendmail.org/m4/features.html#blacklist_recipients
> Ken
>
> > Has anyone set up or read of such a system? Perhaps a sendmail milter that
> > looks up recipient addresses in a flat file or via ldap before accepting the
> > message?
> >
> > --
> > Trever
> >
> >

From mailscanner at ecs.soton.ac.uk Tue Aug 5 21:47:51 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:12 2006
Subject: {VIRUS?} Re: Updated f-prot not detecting mimail...
In-Reply-To:
Message-ID: <5.2.1.1.2.20030805214719.037f8a90@imap.ecs.soton.ac.uk>

What does

cd /tmp
/usr/lib/MailScanner/clamav-wrapper .

produce? (Don't forget the . on the end of the line)

At 21:22 05/08/2003, you wrote:
>That grep returned blank.
>
>However I did a clamscan -r in my /var/spool/MailScanner/quarantine and it
>did find some. Again though I'm wondering why I am not getting entries in
>maillog.
>
>I wonder though
>
>Given that I have
>Virus Scanners = f-prot clamav
>Minimum Code Status = supported
>
>Should this be unsupported as per the faq?
>Should I switch the scanners?
>
>
>Matthew

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mbowman at UDCOM.COM Tue Aug 5 21:52:49 2003
From: mbowman at UDCOM.COM (Matthew Bowman)
Date: Thu Jan 12 21:19:12 2006
Subject: {VIRUS?} Re: Updated f-prot not detecting mimail...
Message-ID:

Julian

The path was set to /usr/bin. My clamscan executable is in /usr/local/bin so I changed the wrapper and restarted mailscanner...

Anything else I should do?

Thanks

---
Matthew K Bowman
Systems Administrator, UDCom
174 Park Avenue West, Mansfield. Ohio 44902
Tel : 419-524-4330
Fax : 419-524-8757
Email : mbowman@udcom.com
Web: http://www.udcom.com/

From raymond at PROLOCATION.NET Tue Aug 5 22:00:22 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:12 2006
Subject: A bit OT: Cut off address probes?
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF8E1A85@inex1.herffjones.hj-int>
Message-ID:

Hi!

> /me wonders what version of sendmail the BadRcptThrottle setting appeared
> in, since it doesn't seem to be present in my m4/mc/cf files. :-(

Most likely 8.12.x, in my 8.12.8 it's available

O BadRcptThrottle=20

Bye,
Raymond.

From TGFurnish at HERFF-JONES.COM Tue Aug 5 22:05:45 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:12 2006
Subject: A bit OT: Cut off address probes?
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1A86@inex1.herffjones.hj-int>

> Most likely 8.12.x, in my 8.12.8 it's available

Thanks. ...and now /me feels silly for not just checking the complete sendmail changelog:
http://www.sendmail.org/ftp/RELEASE_NOTES

Looks like it showed up in 8.12.0 way back on 2001/09/08. Guess that's what I get for still using redhat 7.2's packages instead of compiling it myself. :-)

From mailscanner at ecs.soton.ac.uk Tue Aug 5 22:06:09 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:12 2006
Subject: {VIRUS?} Re: Updated f-prot not detecting mimail...
In-Reply-To:
Message-ID: <5.2.1.1.2.20030805220528.02652a70@imap.ecs.soton.ac.uk>

At 21:52 05/08/2003, you wrote:
>Julian
>
>The path was set to /usr/bin. My clamscan executable is in /usr/local/bin
>so I changed the wrapper and restarted mailscanner...
>
>Anything else I should do?

Change the path in clamav-autoupdate as well.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From raymond at PROLOCATION.NET Tue Aug 5 22:09:26 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:12 2006
Subject: A bit OT: Cut off address probes?
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF8E1A86@inex1.herffjones.hj-int>
Message-ID:

Hi!

> ...and now /me feels silly for not just checking the complete sendmail
> changelog:
> http://www.sendmail.org/ftp/RELEASE_NOTES
>
> Looks like it showed up in 8.12.0 way back on 2001/09/08. Guess that's what
> I get for still using redhat 7.2's packages instead of compiling it myself.
> :-)

Simply upgrade to RH9, runs just fine and includes a 8.12.x version.

Bye,
Raymond.

From marco at MUW.EDU Tue Aug 5 22:28:25 2003
From: marco at MUW.EDU (Marco Obaid)
Date: Thu Jan 12 21:19:12 2006
Subject: Weired Spam
In-Reply-To: <5.2.0.9.2.20030313190023.0204b008@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030312210113.02725ef8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030312210113.02725ef8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030313190023.0204b008@imap.ecs.soton.ac.uk>
Message-ID: <1060118905.3f30217972bc5@webmail.MUW.Edu>

Hi all,

Could someone tell me how this spam is getting through?
I am having to block IP ranges to stop it. But, I am just curious if anyone of you knows how this spammer is tricking MS to not run spam checks. Or, if there is anything that I can tweak to stop it from slipping through.

Here is the spam:

Note: Avsmtp01 is mail gateway
      sunmuw1 is my mailserver

*****************************

Return-Path:
Received: from avsmtp01.muw.edu (avsmtp01.MUW.Edu [192.231.29.4])
        by sunmuw1.muw.edu (8.11.6/8.11.6) with ESMTP id h75LAXD31167;
        Tue, 5 Aug 2003 16:10:33 -0500
Received: from x ([61.93.74.68])
        by avsmtp01.muw.edu (8.12.8/8.12.8) with SMTP id h75KnOcO023594;
        Tue, 5 Aug 2003 15:49:26 -0500
Date: Tue, 5 Aug 2003 15:49:24 -0500
Received: from mail
        by saturn.seed.net.tw with SMTP id flr7ms0YXcutjJe2HdAA;
        Wed, 06 Aug 2003 04:53:54 +0800
Message-ID:
From: hkew2002@yahoo.com.hk
To: \HK033.TXT@avsmtp01.muw.edu, \HK001.TXT@avsmtp01.muw.edu,
    \HK002.TXT@avsmtp01.muw.edu, \HK003.TXT@avsmtp01.muw.edu,
    \HK004.TXT@avsmtp01.muw.edu, \HK005.TXT@avsmtp01.muw.edu,
    \HK006.TXT@avsmtp01.muw.edu, \HK007.TXT@avsmtp01.muw.edu,
    \HK008.TXT@avsmtp01.muw.edu, \HK009.TXT@avsmtp01.muw.edu,
    \HK010.TXT@avsmtp01.muw.edu, \HK011.TXT@avsmtp01.muw.edu,
    \HK012.TXT@avsmtp01.muw.edu, \HK013.TXT@avsmtp01.muw.edu,
    \HK014.TXT@avsmtp01.muw.edu, \HK015.TXT@avsmtp01.muw.edu,
    \HK016.TXT@avsmtp01.muw.edu, \HK017.TXT@avsmtp01.muw.edu,
    \HK018.TXT@avsmtp01.muw.edu, \HK019.TXT@avsmtp01.muw.edu,
    \HK020.TXT@avsmtp01.muw.edu, \HK021.TXT@avsmtp01.muw.edu,
    \HK022.TXT@avsmtp01.muw.edu, \HK023.TXT@avsmtp01.muw.edu,
    \HK024.TXT@avsmtp01.muw.edu, \HK025.TXT@avsmtp01.muw.edu,
    \HK026.TXT@avsmtp01.muw.edu, \HK027.TXT@avsmtp01.muw.edu,
    \HK028.TXT@avsmtp01.muw.edu, \HK029.TXT@avsmtp01.muw.edu,
    \HK030.TXT@avsmtp01.muw.edu, \HK031.TXT@avsmtp01.muw.edu,
    \HK032.TXT@avsmtp01.muw.edu
Subject: =?big5?Q?=A5~=B6=D7=A1B=B6=C0=AA=F7=A1B=A5=D5=BB=C8=A1B=AA=D1=B2=BC=A7=DE=B3N=A8=AB=B6=D5=A7=EB=B8=EA=A5=FE=A7=F0=B2=A4 =B6g=A4@=B0]=B8g=AEy=BD=CD=B7|?=
MIME-Version: 1.0
Content-type: multipart/mixed; boundary="__MailScanner_found_Cyrus_boundary_substring_problem__"
X-Mailer: swFfgvA2gSn0ZvjbBqECkw55zHSfr
X-Priority: 3
X-MSMail-Priority: Normal
X-MailScanner: Found to be clean, Not scanned: please contact your Internet E-Mail Service Provider for details
X-MailScanner-Information: Please contact the ISP for more information

This is a multi-part message in MIME format.
--__MailScanner_found_Cyrus_boundary_substring_problem__
Content-Type: multipart/alternative;
        boundary="----=_NextPart_83t8Wg3xbHcq9PFxhaAA"

------=_NextPart_83t8Wg3xbHcq9PFxhaAA
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable

[...snip...]

------=_NextPart_83t8Wg3xbHcq9PFxhaAA--

--__MailScanner_found_Cyrus_boundary_substring_problem__
Content-Type: application/octet-stream;
        name="C:\Documents and Settings\Administrator\????\?g?@?]?g?y???|.DOC"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename="?g?@?]?g?y???|.DOC"

**********************************************

What in the world is HK*.TXT@ ...? There are not such users.

Thanks for any insights
Marco

_________________________________________________________________
This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail
For the latest MUW Events, visit http://www.MUW.Edu/calendar

From mailscanner at ELKNET.NET Tue Aug 5 22:21:36 2003
From: mailscanner at ELKNET.NET (Alan Fiebig)
Date: Thu Jan 12 21:19:12 2006
Subject: Followup on July Etrust discussion
Message-ID: <200308052121.h75LLgS28725@ori.rl.ac.uk>

Julian,

You can't download the Linux version from CA, so I just ordered it from CDW. Once I receive it, I'll figure out a means to get it to you for development. Hopefully this can be made to work...

Thanks!
-Alan

>Can someone send me a fully licensed copy of it please, so that I can work
>on it?

From mailscanner at ecs.soton.ac.uk Tue Aug 5 22:23:13 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:12 2006
Subject: Weired Spam
In-Reply-To: <1060118905.3f30217972bc5@webmail.MUW.Edu>
References: <5.2.0.9.2.20030313190023.0204b008@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030312210113.02725ef8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030312210113.02725ef8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030313190023.0204b008@imap.ecs.soton.ac.uk>
Message-ID: <5.2.1.1.2.20030805222225.03a45700@imap.ecs.soton.ac.uk>

It's not running the virus checks either. What setting do you have for "Virus Scanning" in MailScanner.conf (+ any related rulesets of course, please). Also, what is "Spam Checks" set to?

At 22:28 05/08/2003, you wrote:
>Hi all,
>
>Could someone tell me how this spam is getting through?
>I am having to block IP ranges to stop it. But, I am just curious if anyone of
>you knows how this spammer is tricking MS to not run spam checks. Or, if there
>is anything that I can tweak to stop it from slipping through.
>
>Here is the spam:
>
>Note: Avsmtp01 is mail gateway
>      sunmuw1 is my mailserver
>
>*****************************
>
>Return-Path:
>Received: from avsmtp01.muw.edu (avsmtp01.MUW.Edu [192.231.29.4])
>        by sunmuw1.muw.edu (8.11.6/8.11.6) with ESMTP id h75LAXD31167;
>        Tue, 5 Aug 2003 16:10:33 -0500
>Received: from x ([61.93.74.68])
>        by avsmtp01.muw.edu (8.12.8/8.12.8) with SMTP id h75KnOcO023594;
>        Tue, 5 Aug 2003 15:49:26 -0500
>Date: Tue, 5 Aug 2003 15:49:24 -0500
>Received: from mail
>        by saturn.seed.net.tw with SMTP id flr7ms0YXcutjJe2HdAA;
>        Wed, 06 Aug 2003 04:53:54 +0800
>Message-ID:
>[...snip...]
>
>What in the world is HK*.TXT@ ...? There are not such users.
>
>Thanks for any insights
>Marco

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From TGFurnish at HERFF-JONES.COM Tue Aug 5 22:24:33 2003
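A check for the two things visible in the spam headers quoted above, as an added example that is not code from the thread or from MailScanner: it unfolds a message's header block and reports whether the gateway stamped it "Not scanned" and how many recipients have a backslash-prefixed local part like \HK033.TXT@...; the hosts and addresses in the sample are constructed, and the backslash test is a heuristic chosen here, not something the thread recommends.

```shell
#!/bin/sh
# Added example, not part of the list thread: audit a message's header block
# for a MailScanner "Not scanned" stamp (mail that went through the gateway
# with neither virus nor spam checks) and for recipient addresses whose local
# part starts with a backslash, the \HK0nn.TXT@... shape seen in the thread.
# Folded (RFC 2822 continuation) headers are joined before inspection.

# Constructed sample modelled on the quoted headers (hosts/addresses invented).
SAMPLE_HEADERS='Received: from x ([192.0.2.10])
        by gw.example.edu (8.12.8/8.12.8) with SMTP id h75KnOcO023594;
        Tue, 5 Aug 2003 15:49:26 -0500
From: sender@example.net
To: \HK033.TXT@gw.example.edu, \HK001.TXT@gw.example.edu,
        \HK002.TXT@gw.example.edu, realuser@gw.example.edu
Subject: test
MIME-Version: 1.0
X-MailScanner: Found to be clean, Not scanned: please contact your Internet
        E-Mail Service Provider for details
X-MailScanner-Information: Please contact the ISP for more information

body starts here and must be ignored'

# A normally scanned message, for comparison (also constructed).
CLEAN_HEADERS='From: sender@example.net
To: realuser@gw.example.edu
X-MailScanner: Found to be clean

body'

# unfold_headers: join continuation lines onto their header; stop at the
# first blank line, which ends the header block.
unfold_headers() {
  awk 'NR == 1 { cur = $0; next }
       /^[ \t]/ { sub(/^[ \t]+/, " "); cur = cur $0; next }
       /^$/     { print cur; cur = ""; exit }
       { print cur; cur = $0 }
       END { if (cur != "") print cur }'
}

# audit_headers: read a message on stdin and print
# "not_scanned=<0|1> recipients=<n> backslash_local=<n>"
audit_headers() {
  unfold_headers | awk '
    tolower($0) ~ /^x-mailscanner:/ && $0 ~ /Not scanned/ { notscanned = 1 }
    tolower($0) ~ /^(to|cc):/ {
      line = $0; sub(/^[^:]*:/, "", line)       # drop the field name
      n = split(line, addr, ",")
      for (i = 1; i <= n; i++) {
        a = addr[i]; gsub(/^[ \t]+|[ \t]+$/, "", a)
        if (a == "") continue
        rcpts++
        if (a ~ /^\\/) backslash++               # local part begins with "\"
      }
    }
    END { printf "not_scanned=%d recipients=%d backslash_local=%d\n",
                 notscanned, rcpts, backslash }'
}

# Stand-alone usage, e.g. on a message file pulled from the quarantine:
#   audit_headers < /var/spool/MailScanner/quarantine/<date>/<id>/message
```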
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:12 2006
Subject: Help! SA timing out, mail undelivered
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1A87@inex1.herffjones.hj-int>

This is the first time I've looked at ms/sa debug output, so maybe this is a red herring (especially since you say rbl's seem to be working), but why does it seem to think dns is unavailable?

Also, I'm a little confused about why a SA timeout that MS properly kills would be responsible for stopped mail-flow - when I see messages like that, I still get the message delivered, just not scanned by SA. ...at least I think I still get it. Maybe I need to verify that. :-)

When you say "disable SA" you mean setting "use spamassassin = no" in the MailScanner.conf file, right?

-t.

> -----Original Message-----
> From: mikea [mailto:mikea@MIKEA.ATH.CX]
> Sent: Tuesday, August 05, 2003 3:34 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Help! SA timing out, mail undelivered
> Meanwhile, SA is timing out:
> [...snip...]
> Aug 5 15:23:23 isdmon2 MailScanner[34303]: SpamAssassin timed out and was killed, consecutive failure 1 of 20
> Aug 5 15:23:37 isdmon2 MailScanner[34312]: SpamAssassin timed out and was killed, consecutive failure 1 of 20
> Aug 5 15:23:52 isdmon2 MailScanner[34353]: SpamAssassin timed out and was killed, consecutive failure 1 of 20
> Aug 5 15:24:09 isdmon2 MailScanner[34391]: SpamAssassin timed out and was killed, consecutive failure 1 of 20
> Aug 5 15:24:21 isdmon2 MailScanner[34397]: SpamAssassin timed out and was killed, consecutive failure 1 of 20
> Aug 5 15:26:09 isdmon2 MailScanner[34740]: SpamAssassin timed out and was killed, consecutive failure 1 of 20
>
> Suggestions?
>
> --
> Mike Andrews
> mikea@mikea.ath.cx
> Tired old sysadmin since 1964
>

From mailscanner at ELKNET.NET Tue Aug 5 22:51:35 2003
From: mailscanner at ELKNET.NET (Alan Fiebig)
Date: Thu Jan 12 21:19:12 2006
Subject: Followup on July Etrust discussion
Message-ID: <200308052151.h75LpZS29930@ori.rl.ac.uk>

Just got off the phone with CDW. It appears that there is only one product offered by CA licensed in the 1-99 range, and that is an upgrade version that requires you to already have InoculateIT. If you want the stand alone product, the lowest license is a 5 user version, which is $109, so that's what I'm ordering. At that price, let's hope you can make it work. :)

-Alan

>> >For us it would be about $55 for two servers. Each "node" is licensed as
>> >just a node, they don't care how many it serves (citrix being the only
>> >exception to the rule)
>> >1-99 nodes is approx $28 per node

From Kevin_Miller at CI.JUNEAU.AK.US Tue Aug 5 23:03:45 2003
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller)
Date: Thu Jan 12 21:19:12 2006
Subject: Update on F-prot issue
Message-ID: <08146035CA49D6119A36009027AC822A0264E64D@CITY-EXCH-NTS>

Thanks for the update Raymond. I just downloaded:

  fp-linux-ms-4.1.2.tar.gz - F-Prot Antivirus for Linux Mail Servers (TAR)

I presume that's the right one - last spring I got the small business version, but now they've renamed their products so I'm guessing that the mail server version is what I'm after.

If someone knows differently, please let me know.

TIA...

...Kevin
-------------------
Kevin Miller
Registered Linux User No: 307357
CBJ MIS Dept.
Network Systems Administrator, Mail Administrator
155 South Seward Street
Juneau, Alaska 99801
ph: (907) 586-0242
fax: (907) 586-4500

>-----Original Message-----
>From: Raymond Dijkxhoorn [mailto:raymond@PROLOCATION.NET]
>Sent: Tuesday, August 05, 2003 11:43 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Update on F-prot issue
>
>
>Hi!
>
>After a long conversation in mail and calling them voice they understood
>something was broken =)
>
>F-Prot finally fixed the problem with Mimail, it's now catching up BUT! you
>have to upgrade BOTH engine and signature files before it will pick Mimail
>up... Only updating signature files won't help, it will not pick it up,
>verified that ... :)
>
>> >
>
>Dear Raymond,
>
>There was a slight delay on the update, but you should now be able to
>download the latest version of the new F-Prot for Linux version.
>
>We apologize for the inconvenience.
>
>> >
>
>And
>
>New versions of F-Prot Antivirus products have been released
>today, 5 August 2003.
>
>These versions include a new scanning engine, offering
>enhanced handling of e-mail messages and updated protection
>against future unknown threats.
>
>These enhancements are vital to the computer's protection and
>users of F-Prot Antivirus products are therefore urged to
>update their program as soon as possible.
>
>Please visit http://subscription.f-prot.com/download.html to
>update your program now.
>
>The new versions of F-Prot Antivirus products FRISK Software
>International is releasing today are:
>
>F-Prot Antivirus for Windows 3.14a
>F-Prot Antivirus for Exchange 1.0.2
>F-Prot Antivirus for DOS 3.14a
>F-Prot Antivirus for Linux, all versions 4.1.2
>F-Prot Antivirus for BSD, all versions 4.1.1
>F-Prot Antivirus for AIX 4.2.1
>F-Prot Antivirus for Solaris, Intel and Sparc 4.2.1-beta-1
>F-Prot Antivirus for Linux on S/390 4.2.1-beta-1
>
>> >
>
>So go get a fresh copy =) Again, it will only pick up Mimail when you also
>upgrade the engine.
>
>Aug 5 21:35:46 vmx10 MailScanner[3438]:
>/var/spool/MailScanner/incoming/3438/h75JZOLs006661/message.zip->message.html
>Infection: W32/Mimail.A@mm
>
>You might want to put Mimail in your silent list also right away...
>
>Bye,
>Raymond.
>

From raymond at PROLOCATION.NET Tue Aug 5 23:10:49 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:12 2006
Subject: Update on F-prot issue
In-Reply-To: <08146035CA49D6119A36009027AC822A0264E64D@CITY-EXCH-NTS>
Message-ID:

Hi!

> fp-linux-ms-4.1.2.tar.gz - F-Prot Antivirus for Linux Mail Servers
> (TAR)
>
> I presume that's the right one - last spring I got the small business
> version, but now they've renamed their products so I'm guessing that the
> mail server version is what I'm after.

No.

> If someone knows differently, please let me know.

You downloaded the version for mailservers, you need the workstation version.

So download: fp-linux-ws-4.1.2.tar.gz

Bye,
Raymond.

From mailscanner at ecs.soton.ac.uk Tue Aug 5 23:18:37 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:12 2006
Subject: Update on F-prot issue
In-Reply-To: <08146035CA49D6119A36009027AC822A0264E64D@CITY-EXCH-NTS>
Message-ID: <5.2.1.1.2.20030805231605.025f7d18@imap.ecs.soton.ac.uk>

At 23:03 05/08/2003, you wrote:
>Thanks for the update Raymond. I just downloaded:
>
> fp-linux-ms-4.1.2.tar.gz - F-Prot Antivirus for Linux Mail Servers
>(TAR)
>
>I presume that's the right one - last spring I got the small business
>version, but now they've renamed their products so I'm guessing that the
>mail server version is what I'm after.
>
>If someone knows differently, please let me know.

All you need is the Desktop edition. The only thing you need is the command-line-based scanner, which is included in all versions. None of the extra facilities in the "server" or "mail server" versions will be used.

And as their software licence fails to define the terms "workstation", "server" or "mail server", they can hardly hold you in breach of their licence. However, if you can afford it, you might like to buy the "server" version. It doesn't offer any extra facilities that you will need, but none of us really want F-Prot going bankrupt.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From steve.douglas at SBIINCORPORATED.COM Tue Aug 5 23:22:55 2003
From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas)
Date: Thu Jan 12 21:19:12 2006
Subject: Spam Action rules: first match vs. all match?
Message-ID: <3963522F0E71474CB14C0FF54A6914F70142FB3D@mail.gardenbotanika.com>

I don't find the bounce of much use as long as MS catches the SPAM. I had this same scenario with 22-9. The aggravation wasn't worth it nor the questions from the users.

SD :-)

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: Tuesday, August 05, 2003 2:28 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Spam Action rules: first match vs. all match?
>
> What was the general consensus on this subject?
>
> Is it worth my implementing this "stop" keyword? It will cause a couple of
> extra "if" statements inside a function that is called a few dozen times
> for each message, so I don't want to add it unless quite a few people will
> find it useful.
>
> At 18:37 28/07/2003, you wrote:
> >On Mon, 28 Jul 2003 18:02:33 +0100, Julian Field wrote:
> >
> > >What I thought about doing was adding a "STOP" entry in any of the "all
> > >matches" rules, so that evaluation of the rules for that recipient/sender
> > >would stop at that point and not carry on trying to match other rules in
> > >the ruleset.
> > >
> > >The rules would still be evaluated for all of the recipient(s) and the
> > >sender, but this would enable you to stop the rule checking when you had
> > >matched a previous rule.
> > >
> > >Would that solve the problem, or indeed help at all?
> >
> >How would that work? If you mean something like this:
> >
> >FromAndTo: *@primary.domain forward zzz@yyy
> >STOP
> >To: *@primary.domain bounce forward zzz@yyy
> >FromOrTo: default deliver forward zzz@yyy
> >
> >meaning that when the STOP line is encountered, rule matching should
> >stop if any above rules had matched, that would work for me and would
> >actually add quite a bit of flexibility. It would make it possible to
> >do things like have a specific list of users or subdomains in a domain
> >that get special treatment. For example:
> >
> >From: user1@domain.com deliver
> >From: user2@domain.com deliver
> >From: user3@one.domain.com deliver
> >From: user4@two.domain.com deliver
> >From: *@two.domain.com forward zzz@yyy
> >STOP
> >From: *@one.domain.com forward zzz@yyy
> >STOP
> >From: *@*.domain.com bounce forward zzz@yyy
> >From: *@domain.com bounce forward zzz@yyy
> >
> >Semantics such as what would result from the above could be tricky to
> >achieve with either all or first rules. If it weren't for user4, then
> >the above without STOP would be the same as if it were interpreted as
> >first match, but with the above as all with STOP implemented,
> >user4@two.domain.com's actions would be "deliver forward zzz@yyy".
> >(Okay, this example would be easy to make work with first, but
> >still...)
> >
> >Another option I had been thinking about would be to be able to mark a
> >single rule as exclusive, but I think the above is better.
> >
> >--
> >Jay Berkenbilt
> >http://www.ql.org/q/
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support

From marco at MUW.EDU Tue Aug 5 23:50:45 2003
From: marco at MUW.EDU (Marco Obaid)
Date: Thu Jan 12 21:19:13 2006
Subject: Weird Spam
In-Reply-To: <5.2.1.1.2.20030805222225.03a45700@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030313190023.0204b008@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030312210113.02725ef8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030312210113.02725ef8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030313190023.0204b008@imap.ecs.soton.ac.uk> <5.2.1.1.2.20030805222225.03a45700@imap.ecs.soton.ac.uk>
Message-ID: <1060123845.3f3034c52bee3@webmail.MUW.Edu>

Hi Julian,

> It's not running the virus checks either. What setting do you have for
> "Virus Scanning" in MailScanner.conf (+ any related rulesets of course,
> please). Also, what is "Spam Checks" set to?

I attached my MailScanner.conf. Quickly, here is what you asked for:

Virus Scanning = /etc/MailScanner/rules/virus.scanning.rules
Spam Checks = yes

# more /etc/MailScanner/rules/virus.scanning.rules
FromOrTo: default yes

Is Definitely Not Spam = /etc/MailScanner/rules/spam.whitelist.rules

# more /etc/MailScanner/rules/spam.whitelist.rules
From: rshenkman@* yes
From: 208.147.208. yes
From: 208.147.211. yes
From: 192.231.29. yes
FromOrTo: default no

I don't have any other rules other than the above.

Thank you so much
Marco

>Here is the spam:
>
>Note: Avsmtp01 is mail gateway
>      sunmuw1 is my mailserver
>
>*****************************
>
>Return-Path:
>Received: from avsmtp01.muw.edu (avsmtp01.MUW.Edu [192.231.29.4])
>        by sunmuw1.muw.edu (8.11.6/8.11.6) with ESMTP id h75LAXD31167;
>        Tue, 5 Aug 2003 16:10:33 -0500
>Received: from x ([61.93.74.68])
>        by avsmtp01.muw.edu (8.12.8/8.12.8) with SMTP id h75KnOcO023594;
>        Tue, 5 Aug 2003 15:49:26 -0500
>Date: Tue, 5 Aug 2003 15:49:24 -0500
>Received: from mail
>        by saturn.seed.net.tw with SMTP id flr7ms0YXcutjJe2HdAA;
>        Wed, 06 Aug 2003 04:53:54 +0800
>Message-ID:
>From: hkew2002@yahoo.com.hk
>To: \HK033.TXT@avsmtp01.muw.edu, \HK001.TXT@avsmtp01.muw.edu,
>    \HK002.TXT@avsmtp01.muw.edu, \HK003.TXT@avsmtp01.muw.edu,
>    \HK004.TXT@avsmtp01.muw.edu, \HK005.TXT@avsmtp01.muw.edu,
>    \HK006.TXT@avsmtp01.muw.edu, \HK007.TXT@avsmtp01.muw.edu,
>    \HK008.TXT@avsmtp01.muw.edu, \HK009.TXT@avsmtp01.muw.edu,
>    \HK010.TXT@avsmtp01.muw.edu, \HK011.TXT@avsmtp01.muw.edu,
>    \HK012.TXT@avsmtp01.muw.edu, \HK013.TXT@avsmtp01.muw.edu,
>    \HK014.TXT@avsmtp01.muw.edu, \HK015.TXT@avsmtp01.muw.edu,
>    \HK016.TXT@avsmtp01.muw.edu, \HK017.TXT@avsmtp01.muw.edu,
>    \HK018.TXT@avsmtp01.muw.edu, \HK019.TXT@avsmtp01.muw.edu,
>    \HK020.TXT@avsmtp01.muw.edu, \HK021.TXT@avsmtp01.muw.edu,
>    \HK022.TXT@avsmtp01.muw.edu, \HK023.TXT@avsmtp01.muw.edu,
>    \HK024.TXT@avsmtp01.muw.edu, \HK025.TXT@avsmtp01.muw.edu,
>    \HK026.TXT@avsmtp01.muw.edu, \HK027.TXT@avsmtp01.muw.edu,
>    \HK028.TXT@avsmtp01.muw.edu, \HK029.TXT@avsmtp01.muw.edu,
>    \HK030.TXT@avsmtp01.muw.edu, \HK031.TXT@avsmtp01.muw.edu,
>    \HK032.TXT@avsmtp01.muw.edu
>Subject:
>=?big5?Q?=A5~=B6=D7=A1B=B6=C0=AA=F7=A1B=A5=D5=BB=C8=A1B=AA=D1=B2=BC=A7=DE=B3N=A8=AB=B6=D5=A7=EB=B8=EA=A5=FE=A7=F0=B2=A4
> =B6g=A4@=B0]=B8g=AEy=BD=CD=B7|?=
>MIME-Version: 1.0
>Content-type: multipart/mixed;
>    boundary="__MailScanner_found_Cyrus_boundary_substring_problem__"
>X-Mailer: swFfgvA2gSn0ZvjbBqECkw55zHSfr
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-MailScanner: Found to be clean, Not scanned: please contact your Internet
>E-Mail Service Provider for details
>X-MailScanner-Information: Please contact the ISP for more information
>
>
>This is a multi-part message in MIME format.
> >--__MailScanner_found_Cyrus_boundary_substring_problem__ >Content-Type: multipart/alternative; > boundary="----=_NextPart_83t8Wg3xbHcq9PFxhaAA" > >------=_NextPart_83t8Wg3xbHcq9PFxhaAA >Content-Type: text/plain; >Content-Transfer-Encoding: quoted-printable > >=AD^=AC=D3=AA=F7=BF=C4=B6=B0=B9=CE(=AD=BB=B4=E4)=A6=B3=AD=AD=A4=BD=A5q-=A5~= >=B6=D7=A5=E6=A9=F6=B0=D3=B5P=B7=D3:FXT000040 >=AD^=AC=D3=AA=F7=B7~=A7=EB=B8=EA=A6=B3=AD=AD=A4=BD=A5q-(=AD^=AC=D3=B6=B0=B9= >=CE=A6=A8=AD=FB) > >=A5~=B6=D7=A1B=B6=C0=AA=F7=A1B=A5=D5=BB=C8=A1B=AA=D1=B2=BC=A7=DE=B3N=A8=AB= >=B6=D5=A7=EB=B8=EA=A5=FE=A7=F0=B2=A4 =B6g=A4@=B0]=B8g=AEy=BD=CD=B7|=09 > >=B6g=A4@=AEy=BD=CD=B7|=A9l=B3=D0=A9=F31997=A6~7=A4=EB=A1A=B6W=B9L270=B3=F5= >=C1=BF=AEy=A1A=B3=F5=B3=F5=BA=A1=AEy=A1C=BCs=B5=B2=A8}=BDt=A1A=AC=B0=A7=EB= >=B8=EA=AA=CC=AB=FC=C2I=B0g=ACz=A1A=B9=F0=B3=D0=A8=CE=C1Z=A1C=BD=F1=A4J6=B6g= >=A6~=A1A=A5[=B1j=B0}=AEe=A1A=B4=A3=A4=C9=A7=EB=B8=EA=A6^=B3=F8=B2v=A1A=AC= >=B0=A7K=A6V=B6=A8=A1A=B1q=B3t=ADq=AEy=A1C > >=A9=B9=C1Z=A6^=C5U=A1G >1997=A6~=A6=A8=A5\=B9w=B4=FA=AA=F7=BF=C4=AD=B7=BC=C9=A8=D3=C1{=A1A=B7=ED=A6= >~=B9w=B4=FA=AA=D1=A5=AB=A4=CE=BC=D3=A5=AB=B7|=A4U=B6^30%=A1C >1998=A6~=AB=D8=C4=B3=AB=C8=A4=E1=F9=DA=AB=FC7000=C2I=B6R=A4J=F9=DA=A5=CD=BB= >=C8=A6=E6=A1B=A9M=B6=C0=A1B=A4=A4=ABH=AE=F5=B4I=A1C >1999=A6~=AB=D8=C4=B3=AB=C8=A4=E1=AA=F8=B4=C1=B6R=A4J=B6=C0=AA=F7=A1A=B6R=A4= >J=ABa=ADx=AC=EC=A7=DE=A1B=B3=D0=AC=EC=B9=EA=B7~=A1B=AAF=A4=E8=A4=E9=B3=F8= >=A1C >2000=A6~=A6=A8=A5\=B9w=B4=FA=AC=FC=B0=EA=AC=EC=BA=F4=AA=D1=AAw=AAj=C3z=AF}= >=A1C >2001=A6~=AB=D8=C4=B3=AB=C8=A4=E1=AA=F8=BDu=B6R=A4J=BFD=A4=B8=A4=CE=AF=C3=A4= >=B8=A1B=A5=D5=BB=C8=A1C >2002=A6~=AB=D8=C4=B3=AB=C8=A4=E1=A4j=A4=E2=A7l=A4J=B6=C0=AA=F7=A4=CE=BC=DA= >=C3=B9=A1C >2003=A6~1=A4=EB=AE=C9=BFW=AEa=B1=C0=A4=B6=A4=D3=A5j=ACv=A6=E6A=A1B=A4E=C0s= >=AD=DC=A1B=A5[=A4=B8=A1B=A5=D5=BB=C8=A1B=BC=DA=C3=B9=B7=E7=A4h=A5=E6=A4e=BD= >L=A1B=BFD=ACw=A4=E9=A4=B8=A4e=BDL=A1C > >=A5=BC=A8=D3=B1=B4=AF=C1=A1G 
>1.=B1=D0=A7A=A6p=A6=F3=A7Q=A5=CE=A4Q=A6~=AE=C9=B6=A1=A1A=A7=EB=B8=EA=A6^=B3= >=F8=B2v=B0=AA=B9F1000=AD=BF=AA=BA=A7=EB=B8=EA=B5=A6=B2=A4=A1C >2.=AD=E5=AAR=C1=C8=BF=FA=A4=A7=AF=AB=A1A=C1=C8=BF=FA=A4=DF=AAk=A1A=B2=B4=A5= >=FA=A1A=AD@=A9=CA=A1A=AE=C9=BE=F7=A4=A7=B4x=B4=A4=A1C >3.=B1M=AEa=B1=D0=A7A=A1A=A4=FB=A5=D6=A4W=B8=A8=A5=AB=AA=A3=AAi=B4T=A1A=A8C= >=ACP=B4=C1=C1=C8=A8=FA=B9s=A5=CE=BF=FA=A1C >4.=A6p=A6=F3=A7Q=A5=CE=B3f=B9=F4=A9=CE=AA=D1=B2=BC=B1=BE=B3=A8=C1=C8=A8=FA= >=B0=AA=AE=A7=A1C >5.=A6p=A6=F3=A7Q=A5=CE=F9=DA=AB=FC=BB{=AAf=BD=FC=A4=CE=BB{=C1=CA=BD=FC=A1A= >=A4M=A5J=BF=F7=A4j=BE=F0=A1C >6.=B6R1 3=B8=B9=A9M=B6=C0=A1A=A7=F5=B9=C5=B8=DB=A5=FD=A5=CD=BE=CC=A7=C0=B9B= >=A6=A8=A5@=AC=C9=AD=BA=B4I=A1C >7.=B6=C0=AA=F7=A4=FB=A5=AB=A4v=B1=D2=B0=CA=A1A=B6R=AA=F7=A5i=ABO=AD=C8=A1C >8.=B0=B5=A8=AC=B7=C7=B3=C6=A5\=A4=D2=A1A=AA=EF=B1=B5=A5=D5=BB=C8=A4j=A4=FB= >=A5=AB=A1A=C1=C8=A8=FA3=AD=BF=A7Q=BF=FA=A1C >9.=B1M=B7~=A4=C0=AAR=BC=DA=C3=B9=A1B=A4=E9=A4=B8=A1B=AD^=C2=E9=A1B=B7=E7=A4= >h=AAk=AD=A6=A1B=BFD=A4=B8=A1B=AF=C3=A4=B8=A1B=A5[=A4=B8=A1B=B6=C0=AA=F7=A1B= >=A5=D5=BB=C8=A1A=A8C=B6g=A5=AB=B3=F5=A8=AB=B6=D5=A1A=A7=D6=A4H=A4@=A8B=A1A= >=AC}=B1x=A5=FD=BE=F7=A1C > >=C1=BF=AA=CC=A1G=B1i=B7=D8=ACu=A5=FD=A5=CD=A1i=AD^=AC=D3=AA=F7=BF=C4=B6=B0= >=B9=CE(=AD=BB=B4=E4)=A6=B3=AD=AD=A4=BD=A5q=C1`=B5=F4=A1j=AD=DD=A1i=B8=EA=B2= >`=A7=EB=B8=EA=B5=FB=BD=D7=AD=FB=A1j=A4w=B1q=A8=C6=A5~=B6=D7=A1B=B6=C0=AA=F7= >=A5=E6=A9=F6=A4G=A4Q=A6~=B8g=C5=E7 > =A4=FD=B2=D0=A4=E5=A5=FD=A5=CD=A1i=AD^=AC=D3=AA=F7=BF=C4=B6=B0= >=B9=CE(=AD=BB=B4=E4)=A6=B3=AD=AD=A4=BD=A5q=B0=AA=AF=C5=B0=C6=C1`=B5=F4=A1j= >=AD=DD=A1i=AD^=AC=D3=C3=D2=A8=E9(=AD=BB=B4=E4)=A6=B3=AD=AD=A4=BD=A5q=C0=E7= >=B7~=B8g=B2z=A1j=A4w=B1q=A8=C6=A5~=B6=D7=A1B=AA=D1=B2=BC=A5=E6=A9=F6=A4Q=BE= >l=A6~=B8g=C5=E7 >=A4=E9=B4=C1=A1G2003=A6~8=A4=EB13=A4=E9=B3{=ACP=B4=C1=A4@=B1=DF=A4W(=B0=B2= >=B4=C1=B0=A3=A5~) >=AE=C9=B6=A1=A1G=B1=DF=A4W=A4C=AE=C9=A4T=A4Q=A4=C0=A6=DC=A4E=AE=C9=A4T=A4Q= >=A4=C0 
>=A6a=C2I=A1G=AD=BB=B4=E4=C6W=A5J=B0a=A5=A7=B8=D6=B9D288=B8=B9=AD^=AC=D3=B6=
>=B0=B9=CE=A4=A4=A4=DF23=BC=D3
>=B6O=A5=CE=A1G=A8C=B0=F3=B4=E4=B9=F440=A4=B8=A5=BF
>=AFd=AEy=B9q=B8=DC=A1G8105 8580=B6=C0=A5=FD=A5=CD
>
>=AD=B7=C0I=C1n=A9=FA=A1G=A7=EB=B8=EA=AA=CC=C0=B3=A9=FA=A5=D5=A8=EC=A5~=B6=
>=D7=A5=AB=B3=F5=AA=BA=AC=D5=C1=AB=AD=B7=C0I=A1A=A9=D2=AD=B1=B9=EF=AA=BA=B7l=
>=A5=A2=A5i=AF=E0=B7|=B0=AA=A9=F3=A5I=A5X=AA=BA=ABO=C3=D2=AA=F7=C3B=A1A=A5=
>=AB=B3=F5=AD=B7=C0I=A4=A3=A4@=A9w=AF=E0=A6b=B9w=ADp=A4=A7=A4=BA=A1A=BAb=B1=
>=EC=A6=A1=A5~=B6=D7=A5=E6=A9=F6=B0=D3=A8=C3=A4=A3=AF=E0=B9=EF=A7=EB=B8=EA=
>=AA=CC=A9=D2=AD=B1=B9=EF=AA=BA=AD=B7=C0I=A7@=A5X=ABO=C3=D2=A1C
>
>------=_NextPart_83t8Wg3xbHcq9PFxhaAA--
>
>--__MailScanner_found_Cyrus_boundary_substring_problem__
>Content-Type: application/octet-stream;
>    name="C:\Documents and
>    Settings\Administrator\????\?g?@?]?g?y???|.DOC"
>Content-Transfer-Encoding: base64
>Content-Disposition: attachment;
>    filename="?g?@?]?g?y???|.DOC"
>
>**********************************************

_________________________________________________________________
This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail
For the latest MUW Events, visit http://www.MUW.Edu/calendar
-------------- next part --------------
A non-text attachment was scrubbed...
Name: MailScanner.conf
Type: application/octet-stream
Size: 49114 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030805/3091d36c/MailScanner.obj

From Kevin_Miller at CI.JUNEAU.AK.US Tue Aug 5 23:52:47 2003
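Returning to the "STOP" proposal in the "Spam Action rules: first match vs. all match?" exchange above: the following is an added example, not MailScanner's code, that implements the semantics Jay Berkenbilt described (all-matches evaluation where a STOP line ends the search once any earlier rule has matched) next to plain first-match evaluation, and runs his ruleset through both so the difference for user4@two.domain.com can be seen directly. Shell-style glob matching of the address patterns and "forward" being the one action that takes an argument are simplifying assumptions made here; MailScanner's real matching (which also accepts IP prefixes, as in the whitelist rules quoted above) is not reproduced.

```python
"""Toy evaluator for MailScanner-style rulesets, showing the "STOP" semantics
proposed in the "Spam Action rules: first match vs. all match?" thread.

Added example: this is not MailScanner's code.  Glob matching of the address
patterns (fnmatch) and the action vocabulary are simplifying assumptions;
the ruleset below is the one posted in the thread."""
from fnmatch import fnmatchcase

# Ruleset from the thread.  Under "all matches" semantics every matching
# rule contributes its actions; a STOP line ends evaluation only if some
# earlier rule has already matched.
JAY_RULESET = """
From: user1@domain.com deliver
From: user2@domain.com deliver
From: user3@one.domain.com deliver
From: user4@two.domain.com deliver
From: *@two.domain.com forward zzz@yyy
STOP
From: *@one.domain.com forward zzz@yyy
STOP
From: *@*.domain.com bounce forward zzz@yyy
From: *@domain.com bounce forward zzz@yyy
"""

# Actions that consume the following token as their argument (assumption).
ACTIONS_WITH_ARG = {"forward"}


def parse_actions(tokens):
    """Turn ['bounce', 'forward', 'zzz@yyy'] into ['bounce', 'forward zzz@yyy']."""
    actions, i = [], 0
    while i < len(tokens):
        if tokens[i] in ACTIONS_WITH_ARG and i + 1 < len(tokens):
            actions.append(f"{tokens[i]} {tokens[i + 1]}")
            i += 2
        else:
            actions.append(tokens[i])
            i += 1
    return actions


def parse_rules(text):
    """Parse a ruleset into (direction, pattern, actions) triples;
    a STOP line becomes ('STOP', None, None)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.upper() == "STOP":
            rules.append(("STOP", None, None))
            continue
        direction, rest = line.split(":", 1)
        pattern, *tokens = rest.split()
        rules.append((direction.strip(), pattern, parse_actions(tokens)))
    return rules


def rule_matches(direction, pattern, sender, recipient):
    """Does one rule apply to this sender/recipient pair?"""
    if pattern == "default":
        return True
    hit_from = fnmatchcase(sender, pattern)
    hit_to = fnmatchcase(recipient, pattern)
    return {"From": hit_from, "To": hit_to,
            "FromOrTo": hit_from or hit_to,
            "FromAndTo": hit_from and hit_to}[direction]


def evaluate_first(rules, sender, recipient):
    """'First match' semantics: the first matching rule decides; STOP is inert."""
    for direction, pattern, actions in rules:
        if direction != "STOP" and rule_matches(direction, pattern, sender, recipient):
            return list(actions)
    return []


def evaluate_all(rules, sender, recipient, honour_stop=True):
    """'All matches' semantics: union of every matching rule's actions, in rule
    order.  With honour_stop, a STOP line ends evaluation once anything matched."""
    matched = []
    for direction, pattern, actions in rules:
        if direction == "STOP":
            if honour_stop and matched:
                break
            continue
        if rule_matches(direction, pattern, sender, recipient):
            for action in actions:
                if action not in matched:
                    matched.append(action)
    return matched


if __name__ == "__main__":
    rules = parse_rules(JAY_RULESET)
    for sender in ("user4@two.domain.com", "someone@one.domain.com", "someone@domain.com"):
        print(sender)
        print("  first match    :", " ".join(evaluate_first(rules, sender, "rcpt@example")))
        print("  all, no STOP   :", " ".join(evaluate_all(rules, sender, "rcpt@example", honour_stop=False)))
        print("  all, with STOP :", " ".join(evaluate_all(rules, sender, "rcpt@example")))
```

Running the block gives, for user4@two.domain.com, "deliver" under first match, "deliver forward zzz@yyy bounce" under plain all-matches, and "deliver forward zzz@yyy" once STOP is honoured, which is the outcome the quoted message spells out; the STOP lines have no effect on a sender that matches nothing above them.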
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller)
Date: Thu Jan 12 21:19:13 2006
Subject: Update on F-prot issue
Message-ID: <08146035CA49D6119A36009027AC822A0264E64F@CITY-EXCH-NTS>

I bought the Small business version in April, so my dues are paid up for another 8 or 9 months. I'll figure out next spring what I want to do regarding renewal. I don't want them to go out of business, but think their definition of mail server is pretty clear, if not explicit. I've described how I use it to them, and they said that was a mail server as far as they were concerned. So OK, they made the rules and have to compete by them.

FWIW, on the secondary mail server I'm building I *didn't* go w/F-prot. They get to make the rules & I get to decide where I'm getting best value. In this case it was f-secure, although Command Antivirus made me a very competitive offer too. F-Prot priced themselves out of the market.

Interestingly, their web site asks for a customer number, and when I enter it, they only display the various server versions of the software. Go figure. But I can pull it down from the home user section of their web site...

...Kevin
-------------------
Kevin Miller                    Registered Linux User No: 307357
CBJ MIS Dept.                   Network Systems Administrator, Mail Administrator
155 South Seward Street         ph: (907) 586-0242
Juneau, Alaska 99801            fax: (907) 586-4500

>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>Sent: Tuesday, August 05, 2003 2:19 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Update on F-prot issue
>
>
>At 23:03 05/08/2003, you wrote:
>>Thanks for the update Raymond. I just downloaded:
>>
>> fp-linux-ms-4.1.2.tar.gz - F-Prot Antivirus for Linux Mail Servers
>>(TAR)
>>
>>I presume that's the right one - last spring I got the small business
>>version, but now they've renamed their products so I'm guessing that the
>>mail server version is what I'm after.
>>
>>If someone knows differently, please let me know.
>
>All you need is the Desktop edition. The only thing you need is the
>command-line-based scanner, which is included in all versions. None of the
>extra facilities in the "server" or "mail server" versions will be used.
>
>And as their software licence fails to define the terms "workstation",
>"server" or "mail server", they can hardly hold you in breach of their licence.
>However, if you can afford it, you might like to buy the "server" version.
>It doesn't offer any extra facilities that you will need, but none of us
>really want F-Prot going bankrupt.
>--
>Julian Field
>www.MailScanner.info
>Professional Support Services at www.MailScanner.biz
>MailScanner thanks transtec Computers for their support
>

From jtwatson at datakota.com Tue Aug 5 23:58:37 2003
From: jtwatson at datakota.com (Joseph Watson)
Date: Thu Jan 12 21:19:13 2006
Subject: Rav Anti Virus
In-Reply-To: <5.2.0.9.2.20030805070653.06387d30@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030805070653.06387d30@imap.ecs.soton.ac.uk>
Message-ID: <200308051858.37939.jtwatson@datakota.com>

On Tuesday August 5 2003 02:07 am, you wrote:
> Do you get anything in the logs? If so, what?

The only thing that shows up is the normal

MailScanner[24973]: Virus and Content Scanning: Starting
MailScanner[24973]: Uninfected: Delivered 1 messages
MailScanner[24972]: New Batch: Scanning 1 messages, 6245 bytes
MailScanner[24972]: Spam Checks: Found 1 spam messages
MailScanner[24972]: Virus and Content Scanning: Starting
MailScanner[24972]: Uninfected: Delivered 1 messages

Nothing in error or warning logs.

> Did you install RAV in its default location? If not, you will need to tell
> MailScanner the path in /usr/lib/MailScanner/rav-wrapper and
> /usr/lib/MailScanner/rav-autoupdate.

I installed from an rpm provided by Rav AntiVirus:

/usr/local/bin/ravav -> /usr/local/rav8/bin/ravav

Here is what I think is the root of the problem:

[root@ns]# /usr/lib/MailScanner/rav-wrapper --all --mail --archive /tmp
RAV AntiVirus command line for Linux i686.
Version: 8.3.1.
Copyright (c) 1996-2001 GeCAD The Software Company. All rights reserved.

Scan engine 8.11 for i386.
Last update: Tue Aug 5 09:11:08 2003
Scanning for 80318 malwares (viruses, trojans and worms).

Scan started on Tue Aug 5 17:34:11 2003

/tmp/80.->(part0001:bad_virus.zip)->bad_virus.txt Infected: Win32/Hybris.D@mm

Scan ended on Tue Aug 5 17:34:11 2003

Scan results:
Time: 0 second(s).
Objects scanned: 17.
New objects: 17
Infected: 1.
Different virus bodies: 1.
Files: 14.
Directories: 14.
Archives: 1.
Packed: 0.
Mail files: 1.
Warnings: 0.
[root@ns]# echo $?
0
[root@ns]#

For some reason the wrapper does not return the correct return status. It should return "2".
See below

[root@ns]# ravav --all --mail --archive /tmp
RAV AntiVirus command line for Linux i686.
Version: 8.3.1.
Copyright (c) 1996-2001 GeCAD The Software Company. All rights reserved.

Searching for the engine in '/usr/local/rav8'...
Registered version.
Scan engine 8.11 for i386.
Last update: Tue Aug 5 09:11:08 2003
Scanning for 80318 malwares (viruses, trojans and worms).

Scanning with following configuration:
* checking all files!
* checking inside archive files!
* also checking mail files!
* heuristic scanning is activated!
* integrity check is enabled!
* don't use report file!

/tmp/80.->(part0001:bad_virus.zip)->bad_virus.txt Infected: Win32/Hybris.D@mm

Scan results:
Time: 0 second(s).
Objects scanned: 17.
New objects: 17
Infected: 1.
Different virus bodies: 1.
Files: 14.
Directories: 14.
Archives: 1.
Packed: 0.
Mail files: 1.
Warnings: 0.
[root@ns]# echo $?
2
[root@ns]#

If I modify the wrapper to always return 2, MailScanner still does not detect a virus. It seems that if the wrapper always returns 2, every message should trigger a warning. Am I right? So it appears that there is also something wrong in the code in MailScanner that is specific to Rav. It looks to me that it may be in SweepViruses.pm, but I haven't been able to figure it out yet.

Maybe someone out there can point me in the right direction, or give me some pointers to figuring this out.

--
Regards
Joseph Watson

From mailscanner at ecs.soton.ac.uk Tue Aug 5 23:57:45 2003
From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk)
Date: Thu Jan 12 21:19:13 2006
Subject: NOTIFY-New Guestbook Entry
Message-ID: <200308052257.h75Mvj88031850@seer.ecs.soton.ac.uk>

New Guestbook-Entry from Eugene Humphrey

What a jam I was in; our MIS person on vacation and I had no clue how to change a command line in MailScanner. Thank a Million Julian for your expert, easy to follow instructions. FABULOUS SUPPORT

From mailscanner at ELKNET.NET Wed Aug 6 00:04:58 2003
From: mailscanner at ELKNET.NET (Alan Fiebig)
Date: Thu Jan 12 21:19:13 2006
Subject: Update on F-prot issue
Message-ID: <200308052305.h75N53S04863@ori.rl.ac.uk>

We may be arguing semantics here, and while I'm not a lawyer, nor do I play one on television, I am of the opinion that F-Prot spells out the license issues clearly enough on their website that we are asking for trouble by using their workstation version, especially those of us in a commercial situation.

F-Prot make it pretty obvious that if you are using their product for scanning e-mail, even if there are no inboxes on the computer you are running F-Prot on, you MUST use their mailserver version. The product description for the workstation version explicitly states that it is ONLY to be used to protect the specific user and their files on THAT single workstation, and NOT any networked files, such as on a mail server.

As the pricing is based on the number of mailboxes, even if those mailboxes are located on a different server, it makes it very expensive on an annual basis, considering that I have around 7,000 mailboxes ($5,000 per year).

I agree that the actual license that ships with the product is ambiguous, and that our case could probably be won in a court of law, but I'm not inclined to want to spend the time and cost to fight them in court. There is such a thing as the 'spirit' of the issue vs. the 'letter' of the issue.

That is the entire reason I'm eager to see CA's Etrust up and working.

Here are some of the places F-Prot spells out that for our purposes, we MUST use the mailserver license even if all we actually implement is the command line scanner portion of the product:

FAQ (http://www.f-prot.com/support/unix_faq/9.html)
>Q: Can I use F-Prot Antivirus for Sendmail/Qmail/Postfix?
>A: If you are using the freely available version, you can find a whole host of third-party applications for scanning e-mail using F-Prot Antivirus.
>If you are a commercial user, you need to invest in F-Prot Antivirus for Linux Mail Servers.

FAQ (http://www.f-prot.com/support/unix_faq/22.html)
>Q: What license will best suit my needs?
>A: For information on which license will be best suited for your needs, please read the following:
>
>F-Prot Antivirus for Linux/BSD Workstations:
>____________________________________________
>
>A Workstation license is intended for usage on a single-user workstation, protecting the user and systems on that same workstation.
>If the computer provides networked services, e.g., is a file sharing server (e.g., Samba), web server or mail server, then a File Server
>or a Mail Server license would be required. The Workstation version is licensed per workstation.

Julian posted:
>And as their software licence fails to define the terms "workstation",
>"server" or "mail server", they can hardly hold you in breach of their licence.
>However, if you can afford it, you might like to buy the "server" version.
>It doesn't offer any extra facilities that you will need, but none of us
>really want F-Prot going bankrupt.
>--
>Julian Field
>www.MailScanner.info
>Professional Support Services at www.MailScanner.biz
>MailScanner thanks transtec Computers for their support

From mikea at MIKEA.ATH.CX Wed Aug 6 01:06:16 2003
From: mikea at MIKEA.ATH.CX (mikea)
Date: Thu Jan 12 21:19:13 2006
Subject: Help! SA timing out, mail undelivered
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF8E1A87@inex1.herffjones.hj-int>; from TGFurnish@HERFF-JONES.COM on Tue, Aug 05, 2003 at 04:24:33PM -0500
References: <8FFC76593085ED4A80D3601BC41EFCDF8E1A87@inex1.herffjones.hj-int>
Message-ID: <20030805190616.A34168@mikea.ath.cx>

On Tue, Aug 05, 2003 at 04:24:33PM -0500, Furnish, Trever G wrote:
> This is the first time I've looked at ms/sa debug output, so maybe this is a
> red herring (especially since you say rbl's seem to be working), but why
> does it seem to think dns is unavailable?
>
> Also, I'm a little confused about why a SA timeout that MS properly kills
> would be responsible for stopped mail-flow - when I see messages like that,
> I still get the message delivered, just not scanned by SA. ...at least I
> think I still get it. Maybe I need to verify that. :-)
>
> When you say "disable SA" you mean setting "use spamassassin = no" in the
> MailScanner.conf file, right?

Exactly. The only SA code that runs is the SA code started inside the various MS processes.

I also am looking at the DNS stuff -- or will tomorrow.

Thanks!

--
Mike Andrews
mikea@mikea.ath.cx
Tired old sysadmin since 1964

From jtwatson at datakota.com Wed Aug 6 01:11:42 2003
From: jtwatson at datakota.com (Joseph Watson)
Date: Thu Jan 12 21:19:13 2006
Subject: Rav Anti Virus
In-Reply-To: <200308051858.37939.jtwatson@datakota.com>
References: <5.2.0.9.2.20030805070653.06387d30@imap.ecs.soton.ac.uk> <200308051858.37939.jtwatson@datakota.com>
Message-ID: <200308052011.42359.jtwatson@datakota.com>

I have been studying SweepViruses.pm, and it appears that the output from Rav Antivirus has changed. So the ProcessRavOutput sub in SweepViruses.pm may need to be changed to fix this. But then this would break old Rav Antiviruses, so we would have to check the version and do different things.

SweepViruses.pm seems to be just a little over my perl skill level, but maybe if someone could explain what the ProcessRavOutput sub is given and required to return, I could make some headway.

Also, it is not clear to me if the return code from the scanner is even used?? If it isn't, using it would make this more reliable. Then if the output changes, the reporting may be in error, but the detection should continue to work.

--
Regards
Joseph Watson

From rich at MAIL.WVNET.EDU Wed Aug 6 01:29:44 2003
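The two "Rav Anti Virus" messages above describe a wrapper that loses the scanner's exit status and a report format that may have changed under ProcessRavOutput. As an added example (not the code in SweepViruses.pm and not RAV's own code), the following parses the report line shown in the thread and cross-checks it against the exit status, so that either signal alone is enough to flag the message: the exit code covers a reworded report, the report covers a wrapper that returns 0. The exit-code meaning 2 = infection found is taken from the thread; taking 0 as nothing found and any other code as a scanner failure is an assumption made here, and the "reworded" sample output is constructed.

```python
"""Parse RAV AntiVirus command-line output the way a MailScanner-style
ProcessRavOutput routine might, cross-checked against the scanner's exit
status so that detection survives a change in the report format.

Added example for the "Rav Anti Virus" thread: this is not the code in
SweepViruses.pm and not RAV's own code.  Exit code 2 = infection found is
taken from the thread; 0 = nothing found and "anything else = scanner
failure" are assumptions made here."""
import re

EXIT_CLEAN = 0
EXIT_INFECTED = 2

# Report line shown in the thread:
#   /tmp/80.->(part0001:bad_virus.zip)->bad_virus.txt Infected: Win32/Hybris.D@mm
# The part before " Infected:" is the chain of containers down to the object.
INFECTED_RE = re.compile(r"^(?P<chain>\S.*?)\s+Infected:\s+(?P<virus>\S+)\s*$")

# Output captured in the thread (wrapper run, which exited 0 despite the hit).
RAV_OUTPUT_FROM_THREAD = """\
RAV AntiVirus command line for Linux i686.
Version: 8.3.1.
Copyright (c) 1996-2001 GeCAD The Software Company. All rights reserved.

Scan engine 8.11 for i386.
Last update: Tue Aug 5 09:11:08 2003
Scanning for 80318 malwares (viruses, trojans and worms).

Scan started on Tue Aug 5 17:34:11 2003

/tmp/80.->(part0001:bad_virus.zip)->bad_virus.txt Infected: Win32/Hybris.D@mm

Scan ended on Tue Aug 5 17:34:11 2003

Scan results:
Time: 0 second(s).
Objects scanned: 17.
New objects: 17
Infected: 1.
Different virus bodies: 1.
"""

# Constructed sample of a future, reworded report: nothing the regex
# recognises, but the scanner still exits with 2.
REWORDED_OUTPUT = "/tmp/80.->bad_virus.txt: malware Win32/Hybris.D@mm found\n"


def process_rav_output(output, exit_code):
    """Return (verdict, findings).

    verdict  : 'clean', 'infected' or 'error'.
    findings : {top_level_file: [(innermost_object, virus_name), ...]}.
    An unknown nonzero exit code is reported as 'error' so the caller can
    fail closed rather than deliver a message that was never scanned.
    """
    findings = {}
    for line in output.splitlines():
        m = INFECTED_RE.match(line.strip())
        if not m:
            continue
        virus = m.group("virus")
        # A statistics count ("... Infected: 1.", possibly run together with
        # the previous field) is not a detection; real names are not numeric.
        if virus.rstrip(".").isdigit():
            continue
        chain = m.group("chain").split("->")
        findings.setdefault(chain[0], []).append((chain[-1], virus))

    if exit_code == EXIT_INFECTED or findings:
        # Either signal alone is enough: the exit status catches a changed
        # report format, the report catches a wrapper that loses the status.
        verdict = "infected"
    elif exit_code == EXIT_CLEAN:
        verdict = "clean"
    else:
        verdict = "error"
    return verdict, findings


if __name__ == "__main__":
    print(process_rav_output(RAV_OUTPUT_FROM_THREAD, 0))   # wrapper lost the status
    print(process_rav_output(RAV_OUTPUT_FROM_THREAD, 2))   # scanner run directly
    print(process_rav_output(REWORDED_OUTPUT, 2))          # format changed
    print(process_rav_output("Scan results:\nInfected: 0.\n", 0))
```

With the thread's own output and exit status 0 the verdict is still "infected" with /tmp/80. mapped to bad_virus.txt and Win32/Hybris.D@mm, which is the case the wrapper was getting wrong; with the reworded output and exit status 2 the verdict is "infected" with no per-file detail, which is exactly the degraded-reporting-but-working-detection behaviour the second message argues for.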
From: rich at MAIL.WVNET.EDU (Richard Lynch)
Date: Thu Jan 12 21:19:13 2006
Subject: Update on F-prot issue
In-Reply-To: <200308052305.h75N53S04863@ori.rl.ac.uk>
References: <200308052305.h75N53S04863@ori.rl.ac.uk>
Message-ID: <1060129784.3338.58.camel@localhost.localdomain>

I'm not a lawyer either and perhaps it's just wishful and naive thinking on my part but I disagree. I do not think we "must" license the mail server version because we are not using the functionality that that product provides. I do agree that using the workstation version would be inappropriate. From my perspective the file server version is the correct one.

I don't need the functionality of the mail server version. It includes software that decodes mail files and scans the attachments. That's what you're paying for and I don't need it or have any intention of using it. What I need is the file server version which scans files for multiple people. Where the files come from is irrelevant. They are still just files on a file server.

What if my operation were like this. All users are required to save their e-mail attachments to disk and put them on our file server. We periodically scan the checked in files and notify the users that they are clean and can be safely used. Should such an operation license the file server version or the mail server version? How is using MS to automate the process any different? Keep in mind that with MS I'm not scanning e-mail attachments I'm just scanning files. I wrote the software that decodes the attachments and puts them on the file server (that's a rhetorical I which really means Julian :) ) and that has nothing to do with the virus scanning vendor. In this case I'm just using their software to scan files on my file server.

What's wrong with my thinking on this?

--
Richard Lynch

From jbazo at EMAPE.GOB.PE Wed Aug 6 01:27:44 2003
From: jbazo at EMAPE.GOB.PE (Jose Bazo)
Date: Thu Jan 12 21:19:13 2006
Subject: newbie - no external mail allowed to some users
Message-ID:

Hi, I want to know how I can restrict some users to just send and receive emails from one domain (my domain). Right now I am restricting the outgoing emails (with the InternalActions), but they can receive emails from all around the world. So is there any way to restrict also the incoming messages? Please help me!

From mailscanner at ELKNET.NET Wed Aug 6 02:35:56 2003
From: mailscanner at ELKNET.NET (Alan Fiebig)
Date: Thu Jan 12 21:19:13 2006
Subject: Update on F-prot issue
Message-ID:

If you are comfortable with your rationalization, and care to take the risk of possibly having to use such a defense in court, and feel it is an ethical position, then who am I to try and dissuade you?

If the fact that the computer you are doing the scanning on received the files being scanned via the SMTP protocol, and the fact that the program handing off the files to be scanned is named 'MAILscanner', and the fact that the files are passed off the computer again using the SMTP protocol, if all those issues are irrelevant to you, then so be it.

I only know that I, personally, would not put my job and company in such a position. This isn't an argument, only a position. Thanks for the opportunity to reply to your thoughts, but as I'm not on a soapbox on this, I'm not planning on making any further defense of my opinion.

-Alan

>I'm not a lawyer either and perhaps it's just wishful and naive thinking
>on my part but I disagree. I do not think we "must" license the mail
>server version because we are not using the functionality that that
>product provides. I do agree that using the workstation version would be
>inappropriate. From my perspective the file server version is the
>correct one.
>
>I don't need the functionality of the mail server version. It includes
>software that decodes mail files and scans the attachments. That's what
>you're paying for and I don't need it or have any intention of using
>it. What I need is the file server version which scans files for
>multiple people. Where the files come from is irrelevant. They are
>still just files on a file server.
>
>What if my operation were like this. All users are required to save
>their e-mail attachments to disk and put them on our file server. We
>periodically scan the checked in files and notify the users that they
>are clean and can be safely used.
>Should such an operation license the
>file server version or the mail server version? How is using MS to
>automate the process any different? Keep in mind that with MS I'm not
>scanning e-mail attachments I'm just scanning files. I wrote the
>software that decodes the attachments and puts them on the file server
>(that's a rhetorical I which really means Julian :) ) and that has
>nothing to do with the virus scanning vendor. In this case I'm just
>using their software to scan files on my file server.
>
>What's wrong with my thinking on this?
>
>--
>Richard Lynch

From smohan at VSNL.COM Wed Aug 6 04:04:21 2003
From: smohan at VSNL.COM (S Mohan)
Date: Thu Jan 12 21:19:13 2006
Subject: newbie - no external mail allowed to some users
In-Reply-To:
Message-ID:

If it is sendmail, you can use access and deny mails from external domains.

Mohan

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jose Bazo
Sent: Wednesday, August 06, 2003 5:58 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: newbie - no external mail allowed to some users

Hi, I want to know how I can restrict some users to just send and receive emails from one domain (my domain). Right now I am restricting the outgoing emails (with the InternalActions), but they can receive emails from all around the world. So is there any way to restrict also the incoming messages? Please help me!

From eja at URBAKKEN.DK Wed Aug 6 10:12:00 2003
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:19:13 2006
Subject: Update on F-prot issue
In-Reply-To:
References:
Message-ID: <3F30C660.2060606@urbakken.dk>

Hi.

On the f-prot homepage, I cannot find an updated version for Linux Workstations on the home user page. Is it to be found in another place?

--
Med venlig hilsen - Best regards.
Erik Jakobsen - eja@urbakken.dk.
Licensed radioamateur with the callsign OZ4KK.
SuSE Linux 8.2 Proff.
Registered as user #319488 with the Linux Counter, http://counter.li.org.

From dean.plant at ROKE.CO.UK Wed Aug 6 10:15:39 2003
From: dean.plant at ROKE.CO.UK (Plant, Dean)
Date: Thu Jan 12 21:19:13 2006
Subject: Update on F-prot issue
Message-ID:

I just ftp'd to ftp.f-prot.com its under /pub/linux

Dean

-----Original Message-----
From: Erik Jakobsen [mailto:eja@URBAKKEN.DK]
Sent: 06 August 2003 10:12
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Update on F-prot issue

Hi.

On the f-prot homepage, I cannot find an updated version for Linux Workstations on the home user page. Is it to be found in another place?

--
Med venlig hilsen - Best regards.
Erik Jakobsen - eja@urbakken.dk.
Licensed radioamateur with the callsign OZ4KK.
SuSE Linux 8.2 Proff.
Registered as user #319488 with the Linux Counter, http://counter.li.org.

From eja at URBAKKEN.DK Wed Aug 6 10:21:02 2003
From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:19:13 2006 Subject: Update on F-prot issue In-Reply-To: References: Message-ID: <3F30C87E.7000205@urbakken.dk> Plant, Dean wrote: > I just ftp'd to ftp.f-prot.com its under /pub/linux Thanks Dean, and that ftp site also worked ok here :-) > Dean -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From dot at DOTAT.AT Wed Aug 6 10:45:48 2003 From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:19:13 2006 Subject: Which is better for use with MS? Sendmail, postfix, exim..... .. In-Reply-To: Message-ID: "Furnish, Trever G" wrote: > >So... Just wondering, does Exim still provide unique message IDs That's a sine qua non. >importantly does it offer a way to split messages with multiple recipients >into one message per recipient, like the recently suggested usage of >sendmail queue groups? Yes, though the setup would be rather intricate: you'd have to have three Exims, a listening daemon that does the single recipient splitting, a MailScanner incoming daemon, and an outgoing daemon. This is because MailScanner looks at a message before Exim does routing and delivery, which is when it would normally split a message per recipient -- and even then the message remains a single queue item, i.e. a single message from MailScanner's point of view. Tony. -- f.a.n.finch http://dotat.at/ MULL OF KINTYRE TO ARDNAMURCHAN POINT: VARIABLE 3, PERHAPS 4 ON-SHORE SEA-BREEZES. MORNING SHOWERS, PERHAPS THUNDERY, OTHERWISE BECOMING MISTY. GOOD BECOMING MODERATE OR POOR WITH FOG. SLIGHT. From nejc.skoberne at guest.arnes.si Wed Aug 6 11:13:26 2003 
From: nejc.skoberne at guest.arnes.si (Nejc Skoberne)
Date: Thu Jan 12 21:19:13 2006
Subject: Strange behaviour with ClamAV
Message-ID: <1568655976.20030806121326@guest.arnes.si>

Hi, list.

Today I installed InoculateIT Advanced Edition and tried to use it with MS (to help ClamAV which was already in action). It started to flood my log with those lines you can see down there. OK, I said, let's turn it off (InoculateIT) again. I did that, but the cycling reappeared. I flushed Postfix's defer and deferred folders (is this OK?) and then restarted the whole mail system a few times. Also I turned Spam checks off. At the end, I also turned off Virus scanning and when I did that, the cycling disappeared. I am using ClamAV as my default virus scanner with MS and it looks like it is the problem. It is strange because everything worked fine till today. Of course, if I try to enable virus scanning (with ClamAV) again, the cycling is there again.

MailScanner-4.22-5, Postfix 2.0.13, ClamAV 0.60, Slackware 8.0, Linux 2.4.21.

Any ideas? Thanks!
--/var/log/messages--
Aug 6 11:51:50 Adiemus postfix/smtpd[10294]: connect from illusion.skoberne.net[193.77.156.141]
Aug 6 11:51:50 Adiemus postfix/smtpd[10294]: 7ACC916FB46: client=illusion.skoberne.net[193.77.156.141]
Aug 6 11:51:50 Adiemus postfix/cleanup[10296]: 7ACC916FB46: message-id=<3F30CFB6.mail7NS111K51@Illusion.skoberne.net>
Aug 6 11:51:50 Adiemus postfix/qmgr[10273]: 7ACC916FB46: from=, size=614, nrcpt=1 (queue active)
Aug 6 11:51:50 Adiemus postfix/smtpd[10294]: disconnect from illusion.skoberne.net[193.77.156.141]
Aug 6 11:51:50 Adiemus postfix/qmgr[10273]: 7ACC916FB46: to=, relay=none, delay=0, status=deferred (deferred transport)
Aug 6 11:51:51 Adiemus MailScanner[10292]: Postfix queue structure is depth 1
Aug 6 11:51:52 Adiemus MailScanner[10292]: New Batch: Scanning 1 messages, 944 bytes
Aug 6 11:51:52 Adiemus MailScanner[10291]: Postfix queue structure is depth 1
Aug 6 11:51:52 Adiemus MailScanner[10292]: Spam Checks: Starting
Aug 6 11:51:52 Adiemus MailScanner[10289]: Postfix queue structure is depth 1
Aug 6 11:51:52 Adiemus MailScanner[10289]: New Batch: Scanning 1 messages, 944 bytes
Aug 6 11:51:52 Adiemus MailScanner[10289]: Spam Checks: Starting
Aug 6 11:51:52 Adiemus MailScanner[10303]: MailScanner E-Mail Virus Scanner version 4.22-5 starting...
Aug 6 11:51:52 Adiemus MailScanner[10303]: Using locktype = flock
Aug 6 11:51:52 Adiemus MailScanner[10303]: Postfix queue structure is depth 1
Aug 6 11:51:52 Adiemus MailScanner[10303]: New Batch: Scanning 1 messages, 944 bytes
Aug 6 11:51:52 Adiemus MailScanner[10303]: Spam Checks: Starting
Aug 6 11:51:57 Adiemus MailScanner[10291]: New Batch: Scanning 1 messages, 944 bytes
Aug 6 11:51:57 Adiemus MailScanner[10291]: Spam Checks: Starting
Aug 6 11:52:02 Adiemus MailScanner[10306]: MailScanner E-Mail Virus Scanner version 4.22-5 starting...
Aug 6 11:52:02 Adiemus MailScanner[10306]: Using locktype = flock
Aug 6 11:52:02 Adiemus MailScanner[10306]: Postfix queue structure is depth 1
Aug 6 11:52:02 Adiemus MailScanner[10306]: New Batch: Scanning 1 messages, 944 bytes
Aug 6 11:52:02 Adiemus MailScanner[10306]: Spam Checks: Starting
Aug 6 11:52:12 Adiemus MailScanner[10308]: MailScanner E-Mail Virus Scanner version 4.22-5 starting...
Aug 6 11:52:12 Adiemus MailScanner[10308]: Using locktype = flock
Aug 6 11:52:12 Adiemus MailScanner[10308]: Postfix queue structure is depth 1
Aug 6 11:52:12 Adiemus MailScanner[10308]: New Batch: Scanning 1 messages, 944 bytes
Aug 6 11:52:12 Adiemus MailScanner[10308]: Spam Checks: Starting

--
Nejc Skoberne
Grajska 5
SI-5220 Tolmin
E-mail: nejc.skoberne@guest.arnes.si

From P.G.M.Peters at utwente.nl Wed Aug 6 11:31:55 2003
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:19:13 2006
Subject: Mimail silent?
Message-ID:

Shouldn't Mimail be considered a virus I would have to put in the list of silent viruses?

--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From raymond at PROLOCATION.NET Wed Aug 6 11:44:55 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:13 2006
Subject: Mimail silent?
In-Reply-To:
Message-ID:

Hi!

> Shouldn't Mimail be considered a virus I would have to put in the list
> of silent viruses?

Yes, as i also suggested earlier this week on the list.

Bye,
Raymond.

From lbergman at wtxs.net Wed Aug 6 14:34:57 2003
From: lbergman at wtxs.net (Lewis Bergman)
Date: Thu Jan 12 21:19:13 2006
Subject: dangerous html warning
Message-ID: <200308060834.58090.lbergman@wtxs.net>

Currently the settings invoked by the various dangerous HTML settings send the {?virus} text. Would anyone else be helped by a separate warning? I have had several people say that they have scanned their computers and found nothing and I have to explain that "If you read the attachment it says...".

I wonder if a more appropriate warning like {?dangerous format} or something much better might help.

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
915-695-6962 ext 115

From raymond at PROLOCATION.NET Wed Aug 6 14:39:33 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:13 2006
Subject: dangerous html warning
In-Reply-To: <200308060834.58090.lbergman@wtxs.net>
Message-ID:

Hi!

> Currently the settings invoked by the various dangerous HTML settings
> {?virus} text. Would anyone else be helped by a separate warning? I have had
> several people say that they have scanned their computers and found nothing
> and I have to explain that "If you read the attachment it says...".
>
> I wonder if a more appropriate warning like {?dangerous format} or something
> much better might help.

Same here, a lot of people send in mail like, your scanner sucks since my own scanner didn't find anything. They don't understand it was for example a reject based on filename filters.

Would it be possible to have a separate identifier for that? Something like {?rejected}?

Bye,
Raymond.

From JFalgout at CO.JEFFERSON.CO.US Wed Aug 6 15:06:50 2003
From: JFalgout at CO.JEFFERSON.CO.US (Jeff Falgout) Date: Thu Jan 12 21:19:13 2006 Subject: dangerous html warning Message-ID: >> Currently the settings invoked by the various dangerous HTML settings >> {?virus} text. Would anyone else be helped by a separate warning? I have had >> several people say that they have scanned their computers and found nothing >> and I have to explain that "If you read the attachment it says...". >> >> I wonder if a more appropriate warning like {?dangerous format} or something >> much better might help. I agree that a different label for the html and codebase stuff would be helpful. >Same here, a lot of people send in mail like, your scanner sucks since my >own scanner didnt find anything. They dont understand it was for example >a reject based on filename filters. >Would it be possible to have a seperate identifier for that ? >Something like {?rejected} ? In addition to that, also allow notification to be sent to both sender and recipient of the file rejection - completely separate from the virus warning config. In other words - allow the notify senders for virus warning to be turned off (recipients still get it), but notify sender (and recipient) for rejected filename is turned on. Jeff From slwatts at WINCKWORTHS.CO.UK Wed Aug 6 15:09:00 2003 
From: slwatts at WINCKWORTHS.CO.UK (Samuel Luxford-Watts)
Date: Thu Jan 12 21:19:13 2006
Subject: dangerous html warning
Message-ID:

I am just setting up our operational MailScanner server and have come up against this one. I too would like more separation for the messages that get sent out if the attachment is either one of: a banned filetype (or extension), corrupt attachment, virus.

Also is it possible to configure MS to behave differently for incoming and outgoing emails? Ie: Notify both sender and recipient of an infected email attachment (and strip it from message) when the email is inbound. But if the email is outbound, block the message and bounce it back to the sender with the virus report and infected attachment stripped?

There may be a way of doing this - but I can't find it (YET)!

Cheers,
Sam

-----Original Message-----
From: Raymond Dijkxhoorn [mailto:raymond@PROLOCATION.NET]
Sent: 06 August 2003 14:40
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: dangerous html warning

Hi!

> Currently the settings invoked by the various dangerous HTML settings
> {?virus} text. Would anyone else be helped by a separate warning? I
> have had several people say that they have scanned their computers and
> found nothing and I have to explain that "If you read the attachment
> it says...".
>
> I wonder if a more appropriate warning like {?dangerous format} or
> something much better might help.

Same here, a lot of people send in mail like, your scanner sucks since my own scanner didn't find anything. They don't understand it was for example a reject based on filename filters.

Would it be possible to have a separate identifier for that? Something like {?rejected}?

Bye,
Raymond.

From slwatts at WINCKWORTHS.CO.UK Wed Aug 6 15:13:09 2003
From: slwatts at WINCKWORTHS.CO.UK (Samuel Luxford-Watts)
Date: Thu Jan 12 21:19:13 2006
Subject: dangerous html warning
Message-ID:

Sorry - missed off dangerous HTML from the list :-)

-----Original Message-----
From: Samuel Luxford-Watts [mailto:slwatts@WINCKWORTHS.CO.UK]
Sent: 06 August 2003 15:09
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: dangerous html warning

I am just setting up our operational MailScanner server and have come up against this one. I too would like more separation for the messages that get sent out if the attachment is either one of: a banned filetype (or extension), corrupt attachment, virus.

Also is it possible to configure MS to behave differently for incoming and outgoing emails? Ie: Notify both sender and recipient of an infected email attachment (and strip it from message) when the email is inbound. But if the email is outbound, block the message and bounce it back to the sender with the virus report and infected attachment stripped?

There may be a way of doing this - but I can't find it (YET)!

Cheers,
Sam

-----Original Message-----
From: Raymond Dijkxhoorn [mailto:raymond@PROLOCATION.NET]
Sent: 06 August 2003 14:40
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: dangerous html warning

Hi!

> Currently the settings invoked by the various dangerous HTML settings
> {?virus} text. Would anyone else be helped by a separate warning? I
> have had several people say that they have scanned their computers and
> found nothing and I have to explain that "If you read the attachment
> it says...".
>
> I wonder if a more appropriate warning like {?dangerous format} or
> something much better might help.

Same here, a lot of people send in mail like, your scanner sucks since my own scanner didn't find anything. They don't understand it was for example a reject based on filename filters.

Would it be possible to have a separate identifier for that? Something like {?rejected}?

Bye,
Raymond.

From jbazo at EMAPE.GOB.PE Wed Aug 6 15:15:09 2003
From: jbazo at EMAPE.GOB.PE (Jose Luis Bazo) Date: Thu Jan 12 21:19:13 2006 Subject: newbie - no external mail allowed to some users In-Reply-To: Message-ID: <000b01c35c25$24dfd4e0$020a10ac@bluebird> Yes, it is sendmail...... Where can I look for that option?? -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of S Mohan Sent: Tuesday, August 05, 2003 10:04 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: newbie - no external mail allowed to some users if it is sendmail, you can use access and deny mails from exterbal domains. Mohan -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Jose Bazo Sent: Wednesday, August 06, 2003 5:58 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: newbie - no external mail allowed to some users Hi, i want to know how i can restrict some users to just send and receive emails from one domain (my domain).. right now I am restricting the outgoing emails (with the InternalActions), but they can receive emails from all around the world.... so there is any way to restrict also the incoming messages??? please help me! From P.G.M.Peters at utwente.nl Wed Aug 6 15:18:44 2003 
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:19:13 2006
Subject: dangerous html warning
In-Reply-To:
References: <200308060834.58090.lbergman@wtxs.net>
Message-ID:

On Wed, 6 Aug 2003 15:39:33 +0200, you wrote:

>> Currently the settings invoked by the various dangerous HTML settings
>> {?virus} text. Would anyone else be helped by a separate warning? I have had
>> several people say that they have scanned their computers and found nothing
>> and I have to explain that "If you read the attachment it says...".

I asked Julian a few months ago about Subject changes for dangerous html. It would be a major rewrite of some code.

>> I wonder if a more appropriate warning like {?dangerous format} or something
>> much better might help.
>
>Same here, a lot of people send in mail like, your scanner sucks since my
>own scanner didnt find anything. They dont understand it was for example
>a reject based on filename filters.
>
>Would it be possible to have a seperate identifier for that ?
>Something like {?rejected} ?

For filenames there is already:

|# If an attachment triggered a filename check, but there was nothing
|# else wrong with the message, do you want to modify the subject line?
|# This makes filtering in Outlook very easy.
|# This can also be the filename of a ruleset.
|Filename Modify Subject = yes
|
|# This is the text to add to the start of the subject if the
|# "Filename Modify Subject" option is set.
|# You might want to change this so your users can see at a glance
|# whether it just was just the filename that MailScanner rejected.
|# This can also be the filename of a ruleset.
|Filename Subject Text = {Filename?}

--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From mbowman at UDCOM.COM Wed Aug 6 15:18:16 2003
From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:19:13 2006 Subject: Virus Warnings Message-ID: Hi Me thinks my Clam and F-prot are working good now Wed Aug 6 10:12:10 2003 the virus scanner said: message.zip->message.html Infection: W32/Mimail.A@mm message.zip contains Trojan.Dropper.C Is this the correct message from 2 virus scanners running? Thanks --- Matthew K Bowman Systems Administrator, UDCom From TGFurnish at HERFF-JONES.COM Wed Aug 6 15:29:40 2003 From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:19:13 2006 Subject: Which is better for use with MS? Sendmail, postfix, exim..... .. Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1A8E@inex1.herffjones.hj-int> > -----Original Message----- > From: Tony Finch [mailto:dot@DOTAT.AT] > Sent: Wednesday, August 06, 2003 4:46 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Which is better for use with MS? Sendmail, postfix, > exim..... .. > > Yes, though the setup would be rather intricate: you'd have > to have three > Exims, a listening daemon that does the single recipient splitting, a > MailScanner incoming daemon, and an outgoing daemon. This is because > MailScanner looks at a message before Exim does routing and delivery, > which is when it would normally split a message per recipient > -- and even > then the message remains a single queue item, i.e. a single > message from > MailScanner's point of view. > > Tony. Lost me, sorry. Are you saying MS would still see a single message with multiple recipients? My interest in sendmail queue groups is solely to allow MS' whitelisting to be applied to a single user rather than a single message based on multiple recipients. -t. From gerry at dorfam.ca Wed Aug 6 15:31:55 2003 
From: gerry at dorfam.ca (Gerry Doris) Date: Thu Jan 12 21:19:13 2006 Subject: Interesting Article - Swollen Orders Show Spam's Allure Message-ID: <63818.129.80.22.133.1060180315.squirrel@tiger.dorfam.ca> I've often wondered who in their right mind would respond to spam...well, there's lots of people who will. About 6000 people spent around $100 each in a four week period to buy penis enlargement pills at just one website!!! The pills cost $5 and they paid the spammer $10/order. The website didn't even have SSL encryption. The customers sent their names, addresses and credit card #'s in the clear. Obviously, there wasn't any record security either since anyone could access the database. The website didn't have any email address, telephone # or street address. Incredible!!! No wonder these spam are jamming the servers. I'm beginning to think I may get into the business too. Afterall, someone needs to help these idiots spend their $$$. http://www.wired.com/news/business/0%2C1367%2C59907%2C00.html Gerry From raymond at PROLOCATION.NET Wed Aug 6 15:32:30 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:13 2006 Subject: Virus Warnings In-Reply-To: Message-ID: Hi! > Me thinks my Clam and F-prot are working good now > > Wed Aug 6 10:12:10 2003 the virus scanner said: > message.zip->message.html Infection: W32/Mimail.A@mm > message.zip contains Trojan.Dropper.C > > Is this the correct message from 2 virus scanners running? Looks ok to me. Bye, Raymond. From dot at DOTAT.AT Wed Aug 6 15:35:59 2003 
From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:19:13 2006 Subject: Which is better for use with MS? Sendmail, postfix, exim..... .. In-Reply-To: Message-ID: "Furnish, Trever G" wrote: > >Lost me, sorry. Are you saying MS would still see a single message with >multiple recipients? Yes, unless you do something weird. Tony. -- f.a.n.finch http://dotat.at/ THE MULL OF GALLOWAY TO MULL OF KINTYRE INCLUDING THE FIRTH OF CLYDE AND THE NORTH CHANNEL: VARIABLE 3, PERHAPS 4 NORTH CHANNEL.LATER. HAZE OR MIST, PERHAPS DRIZZLE IN WEST LATER. GOOD BECOMING MODERATE OR POOR WITH RISK FOG PATCHES. SLIGHT. From ka at PACIFIC.NET Wed Aug 6 15:52:55 2003 From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:19:13 2006 Subject: Authentication - OT In-Reply-To: <97D0DDFA3C2F5B44AAC0960B99E96213C9780D@VMX.gilatla.com> References: <97D0DDFA3C2F5B44AAC0960B99E96213C9780D@VMX.gilatla.com> Message-ID: <3F311647.604@pacific.net> sendmail supports authenticating via ldap, but AD may not be as ldap as it needs to be to work with sendmail. Ask on a sendmail list. Ken Devon Harding - GTHLA wrote: > Is it possible to allow MailScanner/Sendmail to authenticate incoming > SMTP connection via a Windows 2000 AD server? Just as in Microsoft SMTP > server. > > _____________________ > Devon Harding > System Administrator > Gilat Latin America > 954-858-1600 > dharding@gilatla.com > > This e-mail is intended for the above named addressee(s), and may > contain information which is confidential or privileged. If you are not > the intended recipient, please inform us immediately: you should not > copy or use this e-mail for any purpose nor disclose its contents to any > person. > > From mailscanner at ecs.soton.ac.uk Wed Aug 6 16:50:57 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:13 2006 Subject: Virus Warnings In-Reply-To: Message-ID: <5.2.0.9.2.20030806165039.05d8ddc0@imap.ecs.soton.ac.uk> You can add the name of the scanner to the report lines, so you can see exactly which scanner said what. # Include the name of the virus scanner in each of the scanner reports. # Very useful if you use several virus scanners, but a bad idea if you # don't want to let your customers know which scanners you use. Include Scanner Name In Reports = no At 15:18 06/08/2003, you wrote: >Hi > >Me thinks my Clam and F-prot are working good now > > Wed Aug 6 10:12:10 2003 the virus scanner said: > message.zip->message.html Infection: W32/Mimail.A@mm > message.zip contains Trojan.Dropper.C > >Is this the correct message from 2 virus scanners running? > >Thanks > >--- >Matthew K Bowman Systems Administrator, UDCom -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Aug 6 16:49:45 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:13 2006 Subject: newbie - no external mail allowed to some users In-Reply-To: <000b01c35c25$24dfd4e0$020a10ac@bluebird> References: Message-ID: <5.2.0.9.2.20030806164933.05e14560@imap.ecs.soton.ac.uk> Take a look at http://www.sendmail.org/m4/readme.html It is pretty well organised. At 15:15 06/08/2003, you wrote: >Yes, it is sendmail...... >Where can I look for that option?? > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of S Mohan >Sent: Tuesday, August 05, 2003 10:04 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: newbie - no external mail allowed to some users > >if it is sendmail, you can use access and deny mails from exterbal >domains. > >Mohan > >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Jose Bazo >Sent: Wednesday, August 06, 2003 5:58 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: newbie - no external mail allowed to some users > > >Hi, > >i want to know how i can restrict some users to just send and receive >emails from one domain (my domain).. > >right now I am restricting the outgoing emails (with the >InternalActions), >but they can receive emails from all around the world.... > >so there is any way to restrict also the incoming messages??? > >please help me! -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Aug 6 16:48:29 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:13 2006 Subject: dangerous html warning In-Reply-To: References: <200308060834.58090.lbergman@wtxs.net> Message-ID: <5.2.0.9.2.20030806164733.05d84a58@imap.ecs.soton.ac.uk> At 15:18 06/08/2003, you wrote: >On Wed, 6 Aug 2003 15:39:33 +0200, you wrote: > >Same here, a lot of people send in mail like, your scanner sucks since my > >own scanner didnt find anything. They dont understand it was for example > >a reject based on filename filters. > > > >Would it be possible to have a seperate identifier for that ? > >Something like {?rejected} ? > >For filenames there is allready: Yay! Someone actually read the docs! This option has been in the conf file for absolutely ages, just no-one ever uses it :) >|# If an attachment triggered a filename check, but there was nothing >|# else wrong with the message, do you want to modify the subject line? >|# This makes filtering in Outlook very easy. >|# This can also be the filename of a ruleset. >|Filename Modify Subject = yes >| >|# This is the text to add to the start of the subject if the >|# "Filename Modify Subject" option is set. >|# You might want to change this so your users can see at a glance >|# whether it just was just the filename that MailScanner rejected. >|# This can also be the filename of a ruleset. >|Filename Subject Text = {Filename?} > >-- >Peter Peters, senior netwerkbeheerder >Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) >Universiteit Twente, Postbus 217, 7500 AE Enschede >telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From DHarding at GILATLA.COM Wed Aug 6 17:05:06 2003 
From: DHarding at GILATLA.COM (Devon Harding - GTHLA) Date: Thu Jan 12 21:19:13 2006 Subject: Authentication - OT Message-ID: <97D0DDFA3C2F5B44AAC0960B99E96213C9781F@VMX.gilatla.com> What about Radius authentication? Does Sendmail support this? -Devon -----Original Message----- From: Ken Anderson [mailto:ka@PACIFIC.NET] Sent: Wednesday, August 06, 2003 10:53 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Authentication - OT sendmail supports authenticating via ldap, but AD may not be as ldap as it needs to be to work with sendmail. Ask on a sendmail list. Ken Devon Harding - GTHLA wrote: > Is it possible to allow MailScanner/Sendmail to authenticate incoming > SMTP connection via a Windows 2000 AD server? Just as in Microsoft SMTP > server. > > _____________________ > Devon Harding > System Administrator > Gilat Latin America > 954-858-1600 > dharding@gilatla.com > > This e-mail is intended for the above named addressee(s), and may > contain information which is confidential or privileged. If you are not > the intended recipient, please inform us immediately: you should not > copy or use this e-mail for any purpose nor disclose its contents to any > person. > > From jurik at afx.cz Wed Aug 6 17:09:36 2003 
From: jurik at afx.cz (Kamil Juřík - AFX)
Date: Thu Jan 12 21:19:13 2006
Subject: Can't parse virus log
Message-ID: <3F312840.4010805@afx.cz>

Hi,

I've got a problem described below. I tried to repair the regexp but it didn't work. I'm sending you a log made by ProcessBitDefenderOutput, printed $line:

Kamil Jurik

Aug 6 17:00:59 itest MailScanner[12168]: Variable Line............^[[1;36;40mBDC/Linux-Console v7.0 (build 2420) (i386) (Feb 27 2003 13:55:18)
Aug 6 17:00:59 itest MailScanner[12168]: Variable Line............Copyright (C) 1996-2003 SOFTWIN SRL. All rights reserved.^[[0;37;40m
Aug 6 17:00:59 itest MailScanner[12168]: Variable Line............Last updated Mon Jan 20 15:35:29 2003
Aug 6 17:00:59 itest MailScanner[12168]: Variable Line............CORE v1.0.2 i386 (Feb 27 2003 13:48:20)
Aug 6 17:00:59 itest MailScanner[12168]: Variable Line............
Aug 6 17:00:59 itest MailScanner[12168]: Variable Line............^[[0;37;40m/var/spool/MailScanner/incoming/12168/./E0612C0DC/eicar_com.zip=>eicar.com ^[[1;31;40minfected: EICAR-Test-File (not a virus)^[[0;37;40m <------------| Why is there ^[[1;31;40m instead of '\t'??? The parser can't find the infection because it searches for \tinfected: The original antivirus log contains all lines with \t and no ^[[1;31;40m or anything similar.
Aug 6 17:00:59 itest MailScanner[12168]: Variable Line............^[[1;37;40m
Aug 6 17:00:59 itest MailScanner[12168]: Variable Line............
Aug 6 17:00:59 itest MailScanner[12168]: Variable Line............Results:
Aug 6 17:00:59 itest MailScanner[12168]: Variable Line............Folders :4
Aug 6 17:00:59 itest MailScanner[12168]: Variable Line............Files :8
Aug 6 17:00:59 itest MailScanner[12168]: Variable Line............Packed :0
Aug 6 17:00:59 itest MailScanner[12168]: Variable Line............Archives :1
Aug 6 17:00:59 itest MailScanner[12168]: Variable Line............Infected files :1
Aug 6 17:00:59 itest MailScanner[12168]: Variable Line............Suspect files :0
Aug 6 17:00:59 itest MailScanner[12168]: Variable Line............Warnings :0
Aug 6 17:00:59 itest MailScanner[12168]: Variable Line............Identified viruses:1
Aug 6 17:00:59 itest MailScanner[12168]: Variable Line............I/O errors :0
Aug 6 17:00:59 itest MailScanner[12168]: Variable Line............
Aug 6 17:00:59 itest MailScanner[12168]: Variable Line............^[[0;37;40m^[[0;37;40m

This e-mail was checked on the AFX mail server.

From steve.douglas at SBIINCORPORATED.COM Wed Aug 6 17:57:25 2003
From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas)
Date: Thu Jan 12 21:19:13 2006
Subject: spam.blacklist.rules, spam.whitelist.rules, and spam.checks.rules
Message-ID: <3963522F0E71474CB14C0FF54A6914F70142FB59@mail.gardenbotanika.com>

Skipped content of type multipart/alternative

From smohan at VSNL.COM Wed Aug 6 18:15:22 2003
From: smohan at VSNL.COM (S Mohan)
Date: Thu Jan 12 21:19:13 2006
Subject: newbie - no external mail allowed to some users
In-Reply-To: <000b01c35c25$24dfd4e0$020a10ac@bluebird>
Message-ID:

/etc/mail/access is the file.

Mohan

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Jose Luis Bazo Sent: Wednesday, August 06, 2003 7:45 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: newbie - no external mail allowed to some users Yes, it is sendmail...... Where can I look for that option?? -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of S Mohan Sent: Tuesday, August 05, 2003 10:04 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: newbie - no external mail allowed to some users if it is sendmail, you can use access and deny mails from external domains. Mohan -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Jose Bazo Sent: Wednesday, August 06, 2003 5:58 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: newbie - no external mail allowed to some users Hi, I want to know how I can restrict some users to just send and receive emails from one domain (my domain).. right now I am restricting the outgoing emails (with the InternalActions), but they can receive emails from all around the world.... so is there any way to restrict also the incoming messages??? please help me! From skalaj at JASONSKALA.COM Wed Aug 6 18:04:30 2003 From: skalaj at JASONSKALA.COM (Jason Skala) Date: Thu Jan 12 21:19:13 2006 Subject: Mailscanner With TMDA (Tagged Message Delivery Agent) Message-ID: <200308061703.h76H3Lpe014325@jasonskala.com> Has anyone used Mailscanner with TMDA before? Or currently? TMDA is a SpamAssassin replacement that gives users more control with what gets whitelisted and blacklisted on the system. Here is a link for anyone that hasn't heard of it: http://www.us.tmda.net/. ___________________________________________________________ Sent by ePrompter, the premier email notification software. Free download at http://www.ePrompter.com. From Kevin_Miller at CI.JUNEAU.AK.US Wed Aug 6 18:29:01 2003
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:19:13 2006 Subject: newbie - no external mail allowed to some users Message-ID: <08146035CA49D6119A36009027AC822A0264E657@CITY-EXCH-NTS> But you can't just edit it. After you put in your entries you'll have to turn it into a "database"; on my system I use the following command:
makemap hash access < access
as root in the /etc/mail directory. I think that's a pretty stock command, but some systems may use something other than hash. My understanding of what it's doing is taking a text file in which the entries may be randomly inserted, and turning it into an indexed file which can be parsed much faster. If you have a big system w/a gazillion entries in the access file, you don't want your MTA to have to parse it with brute force by starting at the top and trundling on through for each mail. Making it indexable (Is that a word? Guess it is now ) speeds up the processing. This also holds for other files; mailertable comes to mind and I think there are others. S'later... ...Kevin ------------------- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907) 586-4500 >-----Original Message----- >From: S Mohan [mailto:smohan@VSNL.COM] >Sent: Wednesday, August 06, 2003 9:15 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: newbie - no external mail allowed to some users > > >/etc/mail/access is the file. > >Mohan > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Jose Luis Bazo >Sent: Wednesday, August 06, 2003 7:45 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: newbie - no external mail allowed to some users > > >Yes, it is sendmail...... >Where can I look for that option?? > >-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of S Mohan >Sent: Tuesday, August 05, 2003 10:04 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: newbie - no external mail allowed to some users > >if it is sendmail, you can use access and deny mails from external >domains. > >Mohan > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Jose Bazo >Sent: Wednesday, August 06, 2003 5:58 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: newbie - no external mail allowed to some users > > >Hi, > >I want to know how I can restrict some users to just send and receive >emails from one domain (my domain).. > >right now I am restricting the outgoing emails (with the >InternalActions), >but they can receive emails from all around the world.... > >so is there any way to restrict also the incoming messages??? > >please help me! > From Janssen at RZ.UNI-FRANKFURT.DE Wed Aug 6 18:42:59 2003
From: Janssen at RZ.UNI-FRANKFURT.DE (Michael Janssen) Date: Thu Jan 12 21:19:13 2006 Subject: Can't parse virus log In-Reply-To: <3F312840.4010805@afx.cz> Message-ID: On Wed, 6 Aug 2003, Kamil Juřík - AFX wrote: > Hi, > I've got a problem described below. I tried to repair the regexp but it > didn't work. > > I'm sending you a log made by ProcessBitDefenderOutput, printed $line: > Aug 6 17:00:59 itest MailScanner[12168]: Variable > Line............^[[0;37;40m/var/spool/MailScanner/incoming/12168/./E0612C0DC/eicar_com.zip=>eicar.com > ^[[1;31;40minfected: EICAR-Test-File (not a virus)^[[0;37;40m > <------------| Why is there ^[[1;31;40m instead of '\t'??? The parser > can't find the infection because it searches for \tinfected: The original > antivirus log contains all lines with \t and > no ^[[1;31;40m or anything similar. I can't tell you where this code comes from, but it seems to me like broken ANSI color definitions. Try:
echo -e "\033[1;36;40mHello\033[0;37;40m World\033[0m"
to see how it works. \033 is one way to express "now comes ANSI color". ^[ is possibly broken (OTOH ANSI TERM color is broken when written into a file ;-). 1m is bold, 36m is bluish, 40m is black background. 0m sets back to normal. You should turn color off in whatever writes into your log. cheers Michael From raymond at PROLOCATION.NET Wed Aug 6 18:56:59 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:13 2006 Subject: dangerous html warning In-Reply-To: <5.2.0.9.2.20030806164733.05d84a58@imap.ecs.soton.ac.uk> Message-ID: Hi! > > >Would it be possible to have a separate identifier for that ? > > >Something like {?rejected} ? > >For filenames there is already: > > Yay! Someone actually read the docs! This option has been in the conf file > for absolutely ages, just no-one ever uses it :) Cough cough, sorry =) Bye, Raymond. From campbell at CNPAPERS.COM Wed Aug 6 19:09:22 2003
From: campbell at CNPAPERS.COM (Stephe Campbell) Date: Thu Jan 12 21:19:13 2006 Subject: Can't see the difference Message-ID: <001801c35c45$dcd43760$bc01a8c0@cnpapers.net> Could someone possibly explain how these two messages differ: one is blacklisted as I expected, the other passed. This account is receiving multiple virus attachments. The log is as follows:
Aug 6 10:40:52 kanawha sendmail[18822]: h76EeqG18822: from=, size=995, class=0, nrcpts=1, msgid=<200308061440.h76EeqG18822@kanawha.cnpapers.net>, proto=SMTP, daemon=Daemon0, relay=mailgw2.cnpapers.net [216.30.205.19]
Aug 6 10:40:52 kanawha sendmail[18822]: h76EeqG18822: to=, delay=00:00:00, mailer=virtual, pri=30995, stat=queued
Aug 6 10:40:54 kanawha MailScanner[8083]: Message h76EeqG18822 from 216.30.205.19 (admin@dailymail.com) to dailymail.com is spam (blacklisted)
Aug 6 10:40:56 kanawha sendmail[18839]: h76Eet918839: from=admin@dailymail.com, size=1532, class=0, nrcpts=1, msgid=<200308061440.h76EeqG18822@kanawha.cnpapers.net>, relay=root@localhost
Aug 6 10:40:56 kanawha sendmail[18843]: h76Eeue18843: from=admin@dailymail.com, size=1532, class=0, nrcpts=1, msgid=<200308061440.h76EeqG18822@kanawha.cnpapers.net>, relay=root@localhost
Aug 6 10:40:56 kanawha sendmail[18834]: h76EeqG18822: to=, delay=00:00:04, xdelay=00:00:01, mailer=virtual, pri=120995, relay=dailymail.com, dsn=2.0.0, stat=Sent
Aug 6 10:40:56 kanawha sendmail[18839]: h76Eet918839: from=admin@dailymail.com, size=1532, class=0, nrcpts=1, msgid=<200308061440.h76EeqG18822@kanawha.cnpapers.net>, relay=root@localhost
Aug 6 10:40:56 kanawha sendmail[18842]: h76Eet918839: to=chrisd@dailymail.com, ctladdr=admin@dailymail.com (0/0), delay=00:00:01, xdelay=00:00:00, mailer=virtual, pri=31532, relay=dailymail.com, dsn=2.0.0, stat=Sent
FromOrTo: admin@dailymail.com yes
in my blacklist file. Anyone see what the difference is? Thanks for any help. Steve Campbell campbell@cnpapers.com Charleston Newspapers From Ulysees at ULYSEES.COM Wed Aug 6 19:40:08 2003
From: Ulysees at ULYSEES.COM (Ulysees) Date: Thu Jan 12 21:19:13 2006 Subject: Hide Quarantine Work Dir = maybe ? References: <036A6BCC9FD10749AD3CE32255AF49A6017CF840@dalsxc01.geniant.net> Message-ID: <000401c35c4a$296fe480$3201010a@nimitz> Maybe I've just missed something in a conf file somewhere but is there a way to mask the path to where the quarantine is ? so as instead of saying: Note to Help Desk: Look on $hostname in /var/spool/MailScanner/quarantine/20030806 (message h77IN3O45475). which gives the path away it just says something like: Note to Help Desk: Mailscanner quarantine on $hostname 20030806 (message h77IN3O45475). Uly From mailscanner at ecs.soton.ac.uk Wed Aug 6 19:44:28 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:13 2006 Subject: Hide Quarantine Work Dir = maybe ? In-Reply-To: <000401c35c4a$296fe480$3201010a@nimitz> References: <036A6BCC9FD10749AD3CE32255AF49A6017CF840@dalsxc01.geniant.net> Message-ID: <5.2.1.1.2.20030806194419.0373bc98@imap.ecs.soton.ac.uk> # Hide the directory path from all virus scanner reports sent to users. # The extra directory paths give away information about your setup, and # tend to just confuse users. # This can also be the filename of a ruleset. Hide Incoming Work Dir = yes At 19:40 06/08/2003, you wrote: >Maybe I've just missed something in a conf file somewhere but is there a way >to mask the path to where the quarantine is ? >so as instead of saying: >Note to Help Desk: Look on $hostname in >/var/spool/MailScanner/quarantine/20030806 (message h77IN3O45475). >which gives the path away it just says something like: >Note to Help Desk: Mailscanner quarantine on $hostname 20030806 (message >h77IN3O45475). > >Uly -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From Antony at SOFT-SOLUTIONS.CO.UK Wed Aug 6 19:46:50 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:13 2006 Subject: Hide Quarantine Work Dir = maybe ? In-Reply-To: <000401c35c4a$296fe480$3201010a@nimitz> References: <036A6BCC9FD10749AD3CE32255AF49A6017CF840@dalsxc01.geniant.net> <000401c35c4a$296fe480$3201010a@nimitz> Message-ID: <200308061846.h76IkrD12436@onyx.rockstone.co.uk> On Wednesday 06 August 2003 7:40 pm, Ulysees wrote: > Maybe I've just missed something in a conf file somewhere but is there a > way to mask the path to where the quarantine is ? > so as instead of saying: > Note to Help Desk: Look on $hostname in > /var/spool/MailScanner/quarantine/20030806 (message h77IN3O45475). > which gives the path away it just says something like: > Note to Help Desk: Mailscanner quarantine on $hostname 20030806 (message > h77IN3O45475). Hide Incoming Work Dir = yes Regards. Antony. -- 90% of network problems are routing problems. 9 of the remaining 10% are routing problems in the other direction. The remaining 1% might be something else, but check the routing anyway. From Antony at SOFT-SOLUTIONS.CO.UK Wed Aug 6 19:49:24 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:13 2006 Subject: Hide Quarantine Work Dir = maybe ? References: <036A6BCC9FD10749AD3CE32255AF49A6017CF840@dalsxc01.geniant.net> <000401c35c4a$296fe480$3201010a@nimitz> Message-ID: <200308061849.h76InSD12440@onyx.rockstone.co.uk> On Wednesday 06 August 2003 7:46 pm, Antony Stone wrote: > On Wednesday 06 August 2003 7:40 pm, Ulysees wrote: > > Maybe I've just missed something in a conf file somewhere but is there a > > way to mask the path to where the quarantine is ? > > so as instead of saying: > > Note to Help Desk: Look on $hostname in > > /var/spool/MailScanner/quarantine/20030806 (message h77IN3O45475). > > which gives the path away it just says something like: > > Note to Help Desk: Mailscanner quarantine on $hostname 20030806 (message > > h77IN3O45475). > > Hide Incoming Work Dir = yes Sorry - I think I meant to say: Hide Incoming Work Dir in Notices = yes Antony. -- The first ninety percent of an engineering project takes ninety percent of the time, and the last ten percent takes the remaining ninety percent. From mailscanner at ecs.soton.ac.uk Wed Aug 6 19:49:51 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:13 2006 Subject: Hide Quarantine Work Dir = maybe ? In-Reply-To: <5.2.1.1.2.20030806194419.0373bc98@imap.ecs.soton.ac.uk> References: <000401c35c4a$296fe480$3201010a@nimitz> <036A6BCC9FD10749AD3CE32255AF49A6017CF840@dalsxc01.geniant.net> Message-ID: <5.2.1.1.2.20030806194833.0372e9e0@imap.ecs.soton.ac.uk> Look in /etc/MailScanner/reports/en/stored.virus.message.txt and its relations. You will find the default file I supply includes this: Note to Help Desk: Look on $hostname in $quarantinedir/$datenumber (message $id). Try this instead: Note to Help Desk: Look on $hostname in $datenumber (message $id). At 19:44 06/08/2003, you wrote: ># Hide the directory path from all virus scanner reports sent to users. ># The extra directory paths give away information about your setup, and ># tend to just confuse users. ># This can also be the filename of a ruleset. >Hide Incoming Work Dir = yes > >At 19:40 06/08/2003, you wrote: >>Maybe I've just missed something in a conf file somewhere but is there a way >>to mask the path to where the quarantine is ? >>so as instead of saying: >>Note to Help Desk: Look on $hostname in >>/var/spool/MailScanner/quarantine/20030806 (message h77IN3O45475). >>which gives the path away it just says something like: >>Note to Help Desk: Mailscanner quarantine on $hostname 20030806 (message >>h77IN3O45475). >> >>Uly > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From jurik at afx.cz Wed Aug 6 19:57:49 2003 
From: jurik at afx.cz (Kamil Juřík - AFX) Date: Thu Jan 12 21:19:13 2006 Subject: Can't parse virus log In-Reply-To: References: Message-ID: <3F314FAD.3070704@afx.cz> Hi, you are right. Thanks for a good path... This BitDefender scanner has such output. It comes to this: the function sub ProcessBitdefenderOutput catches the direct output from the BitDefender program bdc. I don't know how to dispense with it. Is there a chance to parse from LogFile=/tmp/log.bdc.$$? Kamil Jurik Michael Janssen wrote: >On Wed, 6 Aug 2003, Kamil Juřík - AFX wrote: > > > >>Hi, >> >I can't tell you where this code comes from, but it seems to me like >broken ANSI color definitions. Try: > >echo -e "\033[1;36;40mHello\033[0;37;40m World\033[0m" > >to see how it works. \033 is one way to express "now comes ANSI >color". ^[ is possibly broken (OTOH ANSI TERM color is broken, when >written into a file ;-). 1m is bold, 36m is bluish, 40m is >black background. 0m sets back to normal. > >You should turn color off in whatever writes into your log. > >cheers >Michael > > > From Ulysees at ULYSEES.COM Wed Aug 6 19:59:42 2003
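Kamil's question (parse from a log file instead?) and Michael's diagnosis come down to the same thing: the colour escapes have to be out of the way before the "infected:" regexp runs, whichever stream the text comes from. The following Python is an added example, not MailScanner's ProcessBitdefenderOutput and not code posted by anyone in this thread. It strips every ANSI CSI sequence and then matches the report line; the regexps, the function names and the assumed "path, whitespace, infected:, name" layout are my own, taken only from the lines shown above. The sample input is constructed from the posted log, with ^[ written as a real ESC byte, plus the same report with a tab in place of the escapes, which is how Kamil says the plain log looks.

```python
"""Parse BitDefender console output after stripping ANSI colour escapes.

Added example, not MailScanner's ProcessBitdefenderOutput.  The "infected:"
marker in the posted log is wrapped in SGR colour sequences, so a regexp that
expects a literal tab before "infected:" never fires; removing every CSI
sequence first makes both the coloured and the plain form match.
"""
import re

# ESC '[' parameter bytes, intermediate bytes, final byte: every CSI sequence,
# of which the SGR colour codes in the log (ESC[1;31;40m, ESC[0;37;40m) are one kind.
ANSI_CSI = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]")

# Assumed report shape, taken only from the line posted in the thread:
#   <path>[=><archive member>]<whitespace>infected: <virus name>
INFECTED = re.compile(r"^(?P<path>\S+)\s+infected:\s+(?P<virus>.+?)\s*$")


def strip_ansi(text):
    """Remove CSI escape sequences; ordinary characters are left alone."""
    return ANSI_CSI.sub("", text)


def parse_bdc_output(lines):
    """Return [(path, virus_name), ...] for each 'infected:' report in lines.

    Escapes are stripped first, so the same parser works whether bdc was run
    with colour on (as in the thread) or off.
    """
    hits = []
    for raw in lines:
        line = strip_ansi(raw.rstrip("\r\n"))
        m = INFECTED.match(line)
        if m:
            hits.append((m.group("path"), m.group("virus")))
    return hits


# Constructed sample: the coloured lines from the posted log with ^[ as a real
# ESC byte, plus the same report with a tab instead of the colour escapes.
SAMPLE_COLOURED = [
    "\x1b[1;36;40mBDC/Linux-Console v7.0 (build 2420) (i386) (Feb 27 2003 13:55:18)",
    "Copyright (C) 1996-2003 SOFTWIN SRL. All rights reserved.\x1b[0;37;40m",
    "\x1b[0;37;40m/var/spool/MailScanner/incoming/12168/./E0612C0DC/eicar_com.zip=>eicar.com "
    "\x1b[1;31;40minfected: EICAR-Test-File (not a virus)\x1b[0;37;40m",
    "Infected files :1",
]
SAMPLE_PLAIN = [
    "/var/spool/MailScanner/incoming/12168/./E0612C0DC/eicar_com.zip=>eicar.com"
    "\tinfected: EICAR-Test-File (not a virus)",
]

if __name__ == "__main__":
    for path, virus in parse_bdc_output(SAMPLE_COLOURED + SAMPLE_PLAIN):
        print(virus, "in", path)
```

Stripping the escapes is safer than widening the regexp to accept ^[[1;31;40m literally, because the exact codes change with the scanner's colour settings; and, as Michael says, colour should be off in anything whose output ends up in a log or a report in the first place.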
From: Ulysees at ULYSEES.COM (Ulysees) Date: Thu Jan 12 21:19:13 2006 Subject: Hide Quarantine Work Dir = maybe ? References: <000401c35c4a$296fe480$3201010a@nimitz> <036A6BCC9FD10749AD3CE32255AF49A6017CF840@dalsxc01.geniant.net> <5.2.1.1.2.20030806194833.0372e9e0@imap.ecs.soton.ac.uk> Message-ID: <001201c35c4c$e5510d30$3201010a@nimitz> That did the trick, just don't show $quarantinedir anymore :) If I'd bothered to read the report myself I'd have copped it, oops so Hide Incoming Work Dir = yes != Hide Quarantine Dir = yes Thanks Uly > Look in /etc/MailScanner/reports/en/stored.virus.message.txt and its relations. > You will find the default file I supply includes this: > > Note to Help Desk: Look on $hostname in $quarantinedir/$datenumber (message > $id). > > Try this instead: > > Note to Help Desk: Look on $hostname in $datenumber (message $id). > > At 19:44 06/08/2003, you wrote: > ># Hide the directory path from all virus scanner reports sent to users. > ># The extra directory paths give away information about your setup, and > ># tend to just confuse users. > ># This can also be the filename of a ruleset. > >Hide Incoming Work Dir = yes > > > >At 19:40 06/08/2003, you wrote: > >>Maybe I've just missed something in a conf file somewhere but is there a way > >>to mask the path to where the quarantine is ? > >>so as instead of saying: > >>Note to Help Desk: Look on $hostname in > >>/var/spool/MailScanner/quarantine/20030806 (message h77IN3O45475). > >>which gives the path away it just says something like: > >>Note to Help Desk: Mailscanner quarantine on $hostname 20030806 (message > >>h77IN3O45475). 
> >> > >>Uly > > > >-- > >Julian Field > >www.MailScanner.info > >Professional Support Services at www.MailScanner.biz > >MailScanner thanks transtec Computers for their support > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > From raymond at PROLOCATION.NET Wed Aug 6 20:01:38 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:13 2006 Subject: Hide Quarantine Work Dir = maybe ? In-Reply-To: <5.2.1.1.2.20030806194833.0372e9e0@imap.ecs.soton.ac.uk> Message-ID: Julian, > Look in /etc/MailScanner/reports/en/stored.virus.message.txt and its > relations. You will find the default file I supply includes this: > > Note to Help Desk: Look on $hostname in $quarantinedir/$datenumber (message > $id). > > Try this instead: > > Note to Help Desk: Look on $hostname in $datenumber (message $id). Might be wise to put that in the config as an option? It's really confusing for most people and it's not the first time it pops up on the list. Bye, Raymond. From richard_cipher at YAHOO.COM Wed Aug 6 20:21:34 2003 From: richard_cipher at YAHOO.COM (Evert Ford) Date: Thu Jan 12 21:19:13 2006 Subject: Can't see the difference In-Reply-To: <001801c35c45$dcd43760$bc01a8c0@cnpapers.net> Message-ID: The only difference I see is that the one that doesn't get blacklisted doesn't have brackets around it vs. admin@dailymail.com in your log file. I don't know if it will help, but you might try
FromOrTo: /admin@dailymail\.com/ yes
in your blacklist rules file. Evert Ford Westone Laboratories --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.483 / Virus Database: 279 - Release Date: 5/19/03 From raymond at PROLOCATION.NET Wed Aug 6 20:28:00 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:13 2006 Subject: SBL soon only from sbl.spamhaus.org (fwd) Message-ID: FYI ---------- Forwarded message ---------- Date: Wed, 6 Aug 2003 18:42:07 +0100 From: Steve Linford To: nanog@merit.edu Subject: SBL soon only from sbl.spamhaus.org If you currently use the SBL by querying the master zone sbl.spamhaus.org then you can ignore this message. If you are using the SBL via 3rd party composite DNSBLs and not directly from sbl.spamhaus.org, then please read this as the following change affects your DNSBL setup. For a long time the SBL has been available either directly from Spamhaus (as sbl.spamhaus.org) or via 3rd party composite zones such as relays.osirusoft.com (as spamhaus.relays.osirusoft.com) and blackholes.easynet.nl which import SBL data from Spamhaus. This distribution is now changing. In order to better manage SBL logistics, DNSBL zone and query traffic, from Monday 11 August 2003 the SBL should only be available from sbl.spamhaus.org. The fact the SBL was available from multiple DNSBLs was causing some confusion, plus other small factors (such as the different zones having different build times - which for example meant that we'd tell someone an IP had been removed, but they'd contact us a few hours later to say it was still blocked), plus the likely emergence of further composite lists which may add confusion, meant that it was time to make a change now rather than in a year or two. So, if you are not using sbl.spamhaus.org but would like to continue using the SBL, please add sbl.spamhaus.org to your mail server's DNSBL list. -- Steve Linford The Spamhaus Project http://www.spamhaus.org From Denis.Beauchemin at USHERBROOKE.CA Wed Aug 6 20:55:08 2003 
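Steve's instruction is a one-line change to the DNSBL list, but it is easy to add the zone and never confirm that the server actually queries it, or that a composite zone is still carrying SBL data. The Python below is an added example, not Spamhaus code and not something posted in this thread. It shows what the query is: reverse the IPv4 octets, append the zone, look up an A record, and treat only an answer inside 127.0.0.0/8 as a listing. The resolver is injectable so the example runs offline against a constructed table; the addresses in that table are TEST-NET documentation addresses, the osirusoft zone name is the one from the announcement, and 127.0.0.2 is the SBL's return code for a listed address. The lookups recorded in the table are made up for the example, not real listings.

```python
"""DNSBL lookup as an MTA does it, with an injectable resolver so the
example runs offline.  Added example, not Spamhaus code.
"""
import ipaddress
import socket

SBL_ZONE = "sbl.spamhaus.org"
# DNSBL answers are loopback addresses; anything else is not a listing.
DNSBL_RETURN_NET = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_name(ip, zone=SBL_ZONE):
    """Query name for ip in zone: 192.0.2.1 -> 1.2.0.192.sbl.spamhaus.org.

    Raises ValueError for anything that is not an IPv4 address, rather than
    silently building a name that can never be listed.
    """
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def resolve_a(name):
    """Real resolver: the A record for name, or None when it does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip, zone=SBL_ZONE, resolve=resolve_a):
    """True if zone lists ip, False if not listed, None if the answer is not
    a DNSBL return code (wildcard DNS, captive resolver) and must not be
    trusted either way."""
    answer = resolve(dnsbl_name(ip, zone))
    if answer is None:
        return False
    if ipaddress.IPv4Address(answer) in DNSBL_RETURN_NET:
        return True
    return None


def listing_zones(ip, zones, resolve=resolve_a):
    """The zones that list ip.  Querying the direct zone next to the composite
    shows whether a host your composite list blocks is also seen by
    sbl.spamhaus.org directly."""
    return [z for z in zones if is_listed(ip, z, resolve) is True]


# Constructed offline stand-in for DNS, using TEST-NET documentation addresses:
# 192.0.2.1 is "listed" in both zones, 198.51.100.7 in the composite only, and
# 203.0.113.9 gets a non-loopback answer, as a wildcard record would give.
FAKE_DNS = {
    dnsbl_name("192.0.2.1", SBL_ZONE): "127.0.0.2",
    dnsbl_name("192.0.2.1", "spamhaus.relays.osirusoft.com"): "127.0.0.2",
    dnsbl_name("198.51.100.7", "spamhaus.relays.osirusoft.com"): "127.0.0.2",
    dnsbl_name("203.0.113.9", SBL_ZONE): "192.0.2.200",
}


def fake_resolve(name):
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    zones = [SBL_ZONE, "spamhaus.relays.osirusoft.com"]
    for ip in ("192.0.2.1", "198.51.100.7", "203.0.113.9"):
        print(ip, listing_zones(ip, zones, fake_resolve))
```

The None case is the one worth keeping: some registrars and resolvers wildcard non-existent names to a web server, and a check that treats any answer at all as a listing would then reject every sender. Swap fake_resolve for resolve_a to run the same check against live DNS.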
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:19:13 2006 Subject: dangerous html warning In-Reply-To: <5.2.0.9.2.20030806164733.05d84a58@imap.ecs.soton.ac.uk> References: <200308060834.58090.lbergman@wtxs.net> <5.2.0.9.2.20030806164733.05d84a58@imap.ecs.soton.ac.uk> Message-ID: <1060199708.2859.51.camel@dbeauchemin.sti.usherbrooke.ca> On Wed 06/08/2003 at 11:48, Julian Field wrote: > At 15:18 06/08/2003, you wrote: > >On Wed, 6 Aug 2003 15:39:33 +0200, you wrote: > > >Same here, a lot of people send in mail like, your scanner sucks since my > > >own scanner didn't find anything. They don't understand it was for example > > >a reject based on filename filters. > > > > > >Would it be possible to have a separate identifier for that ? > > >Something like {?rejected} ? > > > >For filenames there is already: > > Yay! Someone actually read the docs! This option has been in the conf file > for absolutely ages, just no-one ever uses it :) I've been using it from the beginning to differentiate between virus infected emails {VIRUS} and the potentially dangerous ones {VIRUS?}. BUT I would also like to be able to use a different message template for IFRAME and OBJECT CODEBASE because it confuses people the way it is now. I had to write (translated to English): if the output of the virus scanner below says virus found, then the attachment was infected; otherwise, the attachment was quarantined because it could cause damage to some users... People don't read the whole message and call/write us because they believe their computer is infected... Denis -- Denis Beauchemin, analyst Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From mkettler at EVI-INC.COM Wed Aug 6 21:19:34 2003
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:19:13 2006 Subject: [OT] Mailscanner With TMDA (Tagged Message Delivery Agent) In-Reply-To: <200308061703.h76H3Lpe014325@jasonskala.com> Message-ID: <5.2.1.1.0.20030806161621.017e2c60@xanadu.evi-inc.com> At 01:04 PM 8/6/2003 -0400, Jason Skala wrote: >Has one used Mailscanner with TMDA before? Or currently? >TMDA is a spamassasin replacement that gives users more control >with what gets whitelisted and blacklisted on the system. here >is a link for anyone that hasn't heard of it. http://www.us.tmda.net/. As a side note, I generally refuse to reply to TMDA generated messages unless I am starting a conversation. I simply trash them if someone posts a question to a mailing list and my reply gets TMDA'ed. Personally I find that TMDA "solves" your spam problem by making it harder for people who you do want mail from to get in touch with you. While it's not a massive inconvenience, I feel it's a wrong-way approach to the problem. From Antony at SOFT-SOLUTIONS.CO.UK Wed Aug 6 21:41:36 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:13 2006 Subject: [OT] Mailscanner With TMDA (Tagged Message Delivery Agent) In-Reply-To: <5.2.1.1.0.20030806161621.017e2c60@xanadu.evi-inc.com> References: <5.2.1.1.0.20030806161621.017e2c60@xanadu.evi-inc.com> Message-ID: <200308062041.h76KfdD12566@onyx.rockstone.co.uk> On Wednesday 06 August 2003 9:19 pm, Matt Kettler wrote: > Personally I find that TMDA "solves" your spam problem by making it harder > for people who you do want mail from to get in touch with you. While it's > not a massive inconvenience, I feel it's a wrong-way approach to the > problem. I too agree with this. The major "feature" of TMDA is the building up of whitelists for "known, trusted users" (with the corresponding blacklists of unknown, untrusted users). I believe that this approach to blocking spam will only push the spammers towards spreading their messages by means of worms which harvest address books (in the well-established manner of many viruses), and therefore may change the nature of the problem, but certainly won't make it go away. If the article http://www.wired.com/news/business/0,1367,59907,00.html posted by Gerry Doris is at all accurate, then it's clear that there's a big financial incentive for these spammers to keep doing what they do, and I don't believe the answer is to make it more difficult for *everyone* to send email. Just my 2p, Antony. -- Anyone that's normal doesn't really achieve much. - Mark Blair, Australian rocket engineer From mailscanner at ecs.soton.ac.uk Wed Aug 6 21:43:29 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:13 2006 Subject: dangerous html warning In-Reply-To: <1060199708.2859.51.camel@dbeauchemin.sti.usherbrooke.ca> References: <5.2.0.9.2.20030806164733.05d84a58@imap.ecs.soton.ac.uk> <200308060834.58090.lbergman@wtxs.net> <5.2.0.9.2.20030806164733.05d84a58@imap.ecs.soton.ac.uk> Message-ID: <5.2.1.1.2.20030806213918.025e2ca0@imap.ecs.soton.ac.uk> I need to test what I've written first, but I hope to get time for that either tonight (expecting minimum 70F tonight with no air-con) if I don't sleep, or tomorrow if I do. I hope to get a beta-release out to you all tomorrow which will do what you want. If you can tell me what you would like to see in the "deleted" and the "stored" reports, it would help me write them. At 20:55 06/08/2003, you wrote: >On Wed 06/08/2003 at 11:48, Julian Field wrote: > > At 15:18 06/08/2003, you wrote: > > >On Wed, 6 Aug 2003 15:39:33 +0200, you wrote: > > > >Same here, a lot of people send in mail like, your scanner sucks > since my > > > >own scanner didn't find anything. They don't understand it was for example > > > >a reject based on filename filters. > > > > > > > >Would it be possible to have a separate identifier for that ? > > > >Something like {?rejected} ? > > > > > >For filenames there is already: > > > > Yay! Someone actually read the docs! This option has been in the conf file > > for absolutely ages, just no-one ever uses it :) > >I've been using it from the beginning to differentiate between virus >infected emails {VIRUS} and the potentially dangerous ones {VIRUS?}. > >BUT I would also like to be able to use a different message template for >IFRAME and OBJECT CODEBASE because it confuses people the way it is now. > >I had to write (translated to English): if the output of the virus >scanner below says virus found, then the attachment was infected; >otherwise, the attachment was quarantined because it could cause damage >to some users...
> >People don't read the whole message and call/write us because they >believe their computer is infected... > >Denis >-- >Denis Beauchemin, analyst >Université de Sherbrooke, S.T.I. >T: 819.821.8000x2252 F: 819.821.8045 -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Aug 6 21:49:29 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:13 2006 Subject: [OT] Mailscanner With TMDA (Tagged Message Delivery Agent) In-Reply-To: <5.2.1.1.0.20030806161621.017e2c60@xanadu.evi-inc.com> References: <200308061703.h76H3Lpe014325@jasonskala.com> Message-ID: <5.2.1.1.2.20030806214419.03799000@imap.ecs.soton.ac.uk> At 21:19 06/08/2003, you wrote: >At 01:04 PM 8/6/2003 -0400, Jason Skala wrote: >>Has one used Mailscanner with TMDA before? Or currently? >>TMDA is a spamassasin replacement that gives users more control >>with what gets whitelisted and blacklisted on the system. here >>is a link for anyone that hasn't heard of it. http://www.us.tmda.net/. > > >As a side note, I generally refuse to reply to TMDA generated messages >unless I am starting a conversation. I simply trash them if someone posts a >question to a mailing list and my reply gets TMDA'ed. > >Personally I find that TMDA "solves" your spam problem by making it harder >for people who you do want mail from to get in touch with you. While it's >not a massive inconvenience, I feel it's a wrong-way approach to the problem. I have a simple policy of not replying to challenge/response systems at all. I *very* rarely communicate with people who have not contacted me first (or who I have communicated with before). If someone mails me and wants a response, it is up to them to configure their mail system so that it accepts mail from me. If they request help from me and can't be bothered to allow mail from me in reply, then I can't be bothered to help them. Fortunately not many people use these systems, but it pisses me off royally when I have spent my time and effort writing a reply to their problem, only to have it rejected by their mail system. They tend to get put to the back of the queue if they ask for help again, too. Just my 2p worth on the subject... 
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From lbergman at wtxs.net Wed Aug 6 21:56:43 2003 From: lbergman at wtxs.net (Lewis Bergman) Date: Thu Jan 12 21:19:13 2006 Subject: dangerous html warning In-Reply-To: <5.2.1.1.2.20030806213918.025e2ca0@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030806164733.05d84a58@imap.ecs.soton.ac.uk> <5.2.1.1.2.20030806213918.025e2ca0@imap.ecs.soton.ac.uk> Message-ID: <200308061556.49302.lbergman@wtxs.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > If you can tell me what you would like to see in the "deleted" and the > "stored" reports, it would help me write them. The usual. Or maybe "Run away!! Run Away!!" - -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE/MWuQpT00mQjG01gRAgpNAJ9ZckRBOEFqej4rlYrcqVeBjB6IdQCeKc4B 81k+sSEjOo5OoyshaxpaSyY= =pyJo -----END PGP SIGNATURE----- From Antony at SOFT-SOLUTIONS.CO.UK Wed Aug 6 21:57:09 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:13 2006 Subject: [OT] Mailscanner With TMDA (Tagged Message Delivery Agent) In-Reply-To: <5.2.1.1.2.20030806214419.03799000@imap.ecs.soton.ac.uk> References: <200308061703.h76H3Lpe014325@jasonskala.com> <5.2.1.1.2.20030806214419.03799000@imap.ecs.soton.ac.uk> Message-ID: <200308062057.h76KvDD12580@onyx.rockstone.co.uk> On Wednesday 06 August 2003 9:49 pm, Julian Field wrote: > If someone mails me and wants a > response, it is up to them to configure their mail system so that it > accepts mail from me. > > Fortunately not many people use these systems, but it pisses me off royally > when I have spent my time and effort writing a reply to their problem, only > to have it rejected by their mail system. Indeed. I think it is a pretty major design flaw of the systems if they don't automatically add the addresses to whom the user of such a system sends email to the white list, so that the reply can come back again without interference. Antony. -- Perfection in design is achieved not when there is nothing left to add, but rather when there is nothing left to take away. - Antoine de Saint-Exupery From lbergman at wtxs.net Wed Aug 6 21:58:06 2003 
From: lbergman at wtxs.net (Lewis Bergman)
Date: Thu Jan 12 21:19:13 2006
Subject: dangerous html warning
In-Reply-To: <5.2.1.1.2.20030806213918.025e2ca0@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030806164733.05d84a58@imap.ecs.soton.ac.uk> <5.2.1.1.2.20030806213918.025e2ca0@imap.ecs.soton.ac.uk>
Message-ID: <200308061558.07220.lbergman@wtxs.net>

> If you can tell me what you would like to see in the "deleted" and the
> "stored" reports, it would help me write them.

Seriously. Something that states that no infection was found but the mail had content that might be used to hack your computer or gain personal information.

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
915-695-6962 ext 115

From DHarding at GILATLA.COM Wed Aug 6 22:00:46 2003
From: DHarding at GILATLA.COM (Devon Harding - GTHLA)
Date: Thu Jan 12 21:19:13 2006
Subject: spam.blacklist.rules, spam.whitelist.rules, and spam.checks.rules
Message-ID: <97D0DDFA3C2F5B44AAC0960B99E96213C97823@VMX.gilatla.com>

/etc/MailScanner/rules/README
/etc/MailScanner/rules/EXAMPLES

-----Original Message-----
From: Steve Douglas [mailto:steve.douglas@SBIINCORPORATED.COM]
Sent: Wednesday, August 06, 2003 12:57 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: spam.blacklist.rules, spam.whitelist.rules, and spam.checks.rules

Hello,

I have attempted for weeks to get a handle on these three files and their associated function, but nothing seems to sink in. Is there a place someone can direct me that might expand on the issue of white-listing and black-listing? I have gone round and round the www.mailscanner.info site. I think my brain has just farted on this whole concept.

Thanks for your help. Otherwise, MS is awesome!

From Antony at SOFT-SOLUTIONS.CO.UK Wed Aug 6 22:08:01 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:13 2006
Subject: dangerous html warning
In-Reply-To: <200308061558.07220.lbergman@wtxs.net>
References: <5.2.0.9.2.20030806164733.05d84a58@imap.ecs.soton.ac.uk> <5.2.1.1.2.20030806213918.025e2ca0@imap.ecs.soton.ac.uk> <200308061558.07220.lbergman@wtxs.net>
Message-ID: <200308062108.h76L84D12592@onyx.rockstone.co.uk>

On Wednesday 06 August 2003 9:58 pm, Lewis Bergman wrote:

> > If you can tell me what you would like to see in the "deleted" and the
> > "stored" reports, it would help me write them.
>
> Seriously. Something that states that no infection was found but the mail
> had content that might be used to hack your computer or gain personal
> information.

"We took this opportunity to block an email which was addressed to you and may have caused harm to your computer or your data, because of the suspiciously dangerous nature of its contents.

You may contact your local system administrator and ask them for message $id from $hostname (ref: $quarantinedir/$datenumber) if you really want to know what nasties some people are sending you.

The contents of the message were so nasty that we deleted the message instead of delivering it to you. If you would prefer this not to happen in future please contact your mail system administrator and ask for "more malicious content."

But, don't say we didn't warn you first..."

Regards,

Antony (trying diligently to remove tongue from cheek at this very moment).

--
Never write it in Perl if you can do it in Awk.
Never do it in Awk if sed can handle it.
Never use sed when tr can do the job.
Never invoke tr when cat is sufficient.
Avoid using cat whenever possible.

From Ulysees at ULYSEES.COM Wed Aug 6 22:10:20 2003
From: Ulysees at ULYSEES.COM (Ulysees)
Date: Thu Jan 12 21:19:13 2006
Subject: dangerous html warning
References: <5.2.0.9.2.20030806164733.05d84a58@imap.ecs.soton.ac.uk> <5.2.1.1.2.20030806213918.025e2ca0@imap.ecs.soton.ac.uk> <200308061558.07220.lbergman@wtxs.net>
Message-ID: <000f01c35c5f$24a29870$3201010a@nimitz>

Why overcomplicate things?

"This message contained potentially dangerous content which has been removed"

and for the inline subject {Neutered !}

> > If you can tell me what you would like to see in the "deleted" and the
> > "stored" reports, it would help me write them.
> Seriously. Something that states that no infection was found but the mail had
> content that might be used to hack your computer or gain personal
> information.

From cparker at SWATGEAR.COM Wed Aug 6 22:29:52 2003
From: cparker at SWATGEAR.COM (Chris W. Parker)
Date: Thu Jan 12 21:19:13 2006
Subject: anyway to whitelist based on subject?
Message-ID: <001BD19C96E6E64E8750D72C2EA0ECEE2B7E96@ati-ex-01.ati.local>

Hi.

I hope I'm not glossing over something obvious in the config file somewhere, but is there a way to whitelist based on subject and not just To/From?

My boss wants to whitelist anything with a certain keyword in the subject of his emails. Any way to do that?

Thanks,
Chris.

From sanjay.patel at REXWIRE.COM Wed Aug 6 22:53:35 2003
From: sanjay.patel at REXWIRE.COM (Sanjay K. Patel)
Date: Thu Jan 12 21:19:13 2006
Subject: Forwarding all ham to a mailbox
Message-ID: <006d01c35c65$305cdb70$6f01a8c0@Laptop1>

Is it possible to send a copy of all good mail to a mailbox by default? This is for bayes. Or do I have to have users forward e-mail to the mailbox?

SKP

From robert at WEBTENT.COM Wed Aug 6 23:14:35 2003
From: robert at WEBTENT.COM (Robert Fitzpatrick)
Date: Thu Jan 12 21:19:13 2006
Subject: Lots of MAILER-DAEMON messages
Message-ID: <002d01c35c68$1f0066a0$0b01a8c0@columbus>

I installed MailScanner 3.21 a couple of days ago on my Cobalt RaQ4r (Linux) and it has been working fine; however, ever since I have been receiving a lot of messages generated only to me and not any users (thank you). I'm sure I am getting the messages because they all seem to be related to undeliverable messages after trying the local host name for delivery, which is my mailboxes.

Anyway, there are basically two messages that get generated constantly throughout the day. The first tells me that I have sent a virus, which I haven't:

========================START MESSAGE
From: "MailScanner"
To:
Subject: Warning: E-mail viruses detected

Our virus detector has just been triggered by a message you sent:-
  To:
  Subject: (On many systems, the PPP Adapter is
  Date: Wed Aug 6 18:00:46 2003
Any infected parts of the message have not been delivered.

This message is simply to warn you that your computer system may have a virus present and should be checked.

The virus detector said this about the message:
Report: /home/spool/MailScanner/incoming/h76M0Df02980/has.bat
Infection: W32/Klez.H@mm Batch files are often mailicious in has.bat

MailScanner
Email Virus Scanner
www.mailscanner.info
========================END MESSAGE

The second is a non-delivery message from MAILER-DAEMON:

========================START MESSAGE
From: Mail Delivery Subsystem
To: postmaster
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)

The original message was received at Wed, 6 Aug 2003 18:03:40 -0400
from Stinson39@Stinson.cpe.abrn.al.charter.com [68.119.76.158]

   ----- The following addresses had permanent fatal errors -----

    (reason: system config error)

   ----- Transcript of session follows -----
553 5.3.5 hre.e.example.com. config error: mail loops back to me (MX problem?)
554 5.3.5 ... Local configuration error
========================END MESSAGE

Can anyone point me in the direction of finding out how to stop these messages?

Thanks,
--
Robert

From rich at MAIL.WVNET.EDU Wed Aug 6 23:16:30 2003
From: rich at MAIL.WVNET.EDU (Richard Lynch)
Date: Thu Jan 12 21:19:14 2006
Subject: anyway to whitelist based on subject?
In-Reply-To: <001BD19C96E6E64E8750D72C2EA0ECEE2B7E96@ati-ex-01.ati.local>
References: <001BD19C96E6E64E8750D72C2EA0ECEE2B7E96@ati-ex-01.ati.local>
Message-ID: <1060208189.3491.10.camel@localhost.localdomain>

On Wed, 2003-08-06 at 17:29, Chris W. Parker wrote:
> Hi.
>
> I hope I'm not glossing over something obvious in the config file
> somewhere, but is there a way to whitelist based on subject and not just
> To/From?
>
> My boss wants to whitelist anything with a certain keyword in the
> subject of his emails. Any way to do that?
>
>
> Thanks,
> Chris.

I believe you could code a spamassassin rule to assign a high negative score to achieve roughly the same thing. For example...

In /etc/MailScanner/spam.assassin.prefs.conf ...

header CW1 Subject =~ /keyword/i
describe CW1 Custom Whitelist 1
score CW1 -100.0

There may be a better way that I don't know about.

--
Richard Lynch

From cparker at SWATGEAR.COM Wed Aug 6 23:23:01 2003
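Richard Lynch's suggestion in the message above (a negative-scoring SpamAssassin header rule as a subject whitelist) can be traced through with the following added example. It is not SpamAssassin or MailScanner code: it is a small evaluator for `header` and `score` lines in the syntax he posted, run over two constructed messages. The DEMO_* rules and the message texts are assumptions made up for the demonstration.

```python
"""Added example, not SpamAssassin or MailScanner code: a minimal evaluator
for SpamAssassin-style `header` rules such as the CW1 rule posted to the
list, to show how a large negative score acts as a whitelist. The DEMO_*
rules and the message texts are constructed for the demonstration."""
import re
from email import message_from_string

# Constructed rule text in the syntax used in spam.assassin.prefs.conf.
# CW1 is the rule from the list message; the DEMO_* rules are assumed
# stand-ins for ordinary positive-scoring rules.
RULES_TEXT = """
header CW1 Subject =~ /keyword/i
describe CW1 Custom Whitelist 1
score CW1 -100.0
header DEMO_VIAGRA Subject =~ /viagra/i
score DEMO_VIAGRA 3.5
header DEMO_FREE_MONEY Subject =~ /free money/i
score DEMO_FREE_MONEY 2.5
"""

HEADER_RULE = re.compile(r"^header\s+(\S+)\s+(\S+)\s+=~\s+/(.*)/([a-z]*)$")
SCORE_RULE = re.compile(r"^score\s+(\S+)\s+(-?\d+(?:\.\d+)?)$")


def parse_rules(text):
    """Return {name: (header, compiled regex, score)}; a header rule with
    no score line keeps SpamAssassin's default score of 1.0."""
    rules, scores = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RULE.match(line)
        if m:
            name, header, pattern, flags = m.groups()
            rules[name] = (header, re.compile(pattern, re.I if "i" in flags else 0))
            continue
        m = SCORE_RULE.match(line)
        if m:
            scores[m.group(1)] = float(m.group(2))
    return {n: (h, rx, scores.get(n, 1.0)) for n, (h, rx) in rules.items()}


def score_message(raw_message, rules):
    """Apply each header rule to the named header; return (total, hit names)."""
    msg = message_from_string(raw_message)
    total, hits = 0.0, []
    for name, (header, rx, score) in rules.items():
        if rx.search(msg.get(header, "")):
            total += score
            hits.append(name)
    return total, hits


def is_spam(raw_message, rules, required_score=5.0):
    """SpamAssassin's verdict: total score at or above the required score."""
    return score_message(raw_message, rules)[0] >= required_score


# Constructed messages: the same spammy subject with and without the keyword.
SPAMMY = "Subject: Viagra and free money\nFrom: someone@example.invalid\n\nbody\n"
WHITELISTED = "Subject: Viagra and free money KEYWORD\nFrom: someone@example.invalid\n\nbody\n"

if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for label, raw in (("spammy", SPAMMY), ("whitelisted", WHITELISTED)):
        print(label, score_message(raw, rules), "spam" if is_spam(raw, rules) else "ham")
```

The second message scores 6.0 on the two positive rules and would be tagged as spam at the default threshold of 5.0; adding the keyword to its subject pulls the total to -94.0, which is why the rule works as a whitelist. The same run also shows the limit of the approach: the subject is entirely under the sender's control, so anyone who sees or guesses the keyword gets the -100 as well. A rule keyed on both the sender and the subject, or the per-user and per-domain whitelists Julian Field mentions elsewhere in this thread, ties the exception to something less trivially supplied.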
From: cparker at SWATGEAR.COM (Chris W. Parker)
Date: Thu Jan 12 21:19:14 2006
Subject: anyway to whitelist based on subject?
Message-ID: <001BD19C96E6E64E8750D72C2EA0ECEE2B7E9B@ati-ex-01.ati.local>

Richard Lynch on Wednesday, August 06, 2003 3:17 PM said:

> I believe you could code a spamassassin rule to assign a high negative
> score to achieve roughly the same thing. For example...

[snip]

> There may be a better way that I don't know about.

Sounds like a good idea to me. I'll give it a shot.

Thanks,
Chris.

From mailscanner at ecs.soton.ac.uk Wed Aug 6 23:50:34 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:14 2006
Subject: Forwarding all ham to a mailbox
In-Reply-To: <006d01c35c65$305cdb70$6f01a8c0@Laptop1>
Message-ID: <5.2.1.1.2.20030806234654.026dc710@imap.ecs.soton.ac.uk>

At 22:53 06/08/2003, you wrote:
>Is it possible to send a copy of all good mail to a mailbox by default?
>This is for bayes. Or do I have to have users forward e-mail to the mailbox?

SpamAssassin automatically learns from mail which its other rules say is definitely ham. So most of this is happening for you already.

Just blindly putting what you think is probably ham back into bayes is a bad idea; you only want to use what is *definitely* ham. This is either judged using extremely low (negative) spam scores (which is what SpamAssassin is already doing for you anyway), or it's judged by human beings.

If you really want to copy all ham to a mailbox somewhere for any reason, take a look at the "Non Spam Actions" configuration parameter. You could set this to "deliver store" for example. You can also do it with the "Archive Mail" configuration parameter.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Aug 6 23:55:54 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:14 2006
Subject: Lots of MAILER-DAEMON messages
In-Reply-To: <002d01c35c68$1f0066a0$0b01a8c0@columbus>
Message-ID: <5.2.1.1.2.20030806235123.037bc598@imap.ecs.soton.ac.uk>

At 23:14 06/08/2003, you wrote:
>I installed MailScanner 3.21

3.21 has got to be over a year old, and is no longer actively supported. There is an installation guide for version 4 on www.mailscanner.info and I would recommend you remove version 3 and install version 4 instead, unless you really have put a lot of time into it and are prepared to run with a very old version.

> a couple of days ago on my Cobalt RaQ4r
>(Linux) and it has been working fine, however, ever since I have been
>receiving a lot of messages generated only to me and not any users
>(thank you). I'm sure I am getting the messages because they all seem to
>be related to undeliverable messages after trying the local host name
>for delivery, which is my mailboxes.
>
>Anyway, there are basically two messages that get generated constantly
>throughout the day. The first tells me that I have sent a virus, which I
>haven't:
>
>========================START MESSAGE
>From: "MailScanner"
>To:
>Subject: Warning: E-mail viruses detected
>Our virus detector has just been triggered by a message you sent:-
>  To:
>  Subject: (On many systems, the PPP Adapter is
>  Date: Wed Aug 6 18:00:46 2003
>Any infected parts of the message have not been delivered.
>
>This message is simply to warn you that your computer system may have a
>virus present and should be checked.
>
>The virus detector said this about the message:
>Report: /home/spool/MailScanner/incoming/h76M0Df02980/has.bat
>Infection: W32/Klez.H@mm Batch files are often mailicious in has.bat

3.21 might (I can't remember) have a concept of "Silent Viruses" in the configuration file. If it does, then add Klez to the list.

Also, it is banning "*.bat" files due to a rule saying that in filename.rules.conf.

>MailScanner
>Email Virus Scanner
>www.mailscanner.info
>========================END MESSAGE
>
>The second is a non-delivery message from MAILER-DAEMON:
>
>========================START MESSAGE
>From: Mail Delivery Subsystem
>To: postmaster
>Subject: Returned mail: see transcript for details
>Auto-Submitted: auto-generated (failure)
>The original message was received at Wed, 6 Aug 2003 18:03:40 -0400 from
>Stinson39@Stinson.cpe.abrn.al.charter.com [68.119.76.158]
>
>   ----- The following addresses had permanent fatal errors -----
>
>    (reason: system config error)
>
>   ----- Transcript of session follows -----
>553 5.3.5 hre.e.example.com. config error: mail loops back to me (MX
>problem?) 554 5.3.5 ... Local configuration error
>========================END MESSAGE

That implies that your mail configuration is wrong. Check the DNS records for your domain, particularly the MX records. Also, use a command such as "sendmail -bv fr@hre.e" to see how it thinks it is going to deliver that message.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From ejb at QL.ORG Wed Aug 6 23:59:10 2003
From: ejb at QL.ORG (Jay Berkenbilt)
Date: Thu Jan 12 21:19:14 2006
Subject: Spam Action rules: first match vs. all match?
In-Reply-To: <200308052300.h75N0AOS016681@through.ads.apexinc.com> (LISTSERV@JISCMAIL.AC.UK)
References: <200308052300.h75N0AOS016681@through.ads.apexinc.com>
Message-ID: <200308062259.h76MxAPF003409@potamus.in.ql.org>

> What was the general consensus on this subject?
>
> Is it worth my implementing this "stop" keyword? It will cause a couple of
> extra "if" statements inside a function that is called a few dozen times
> for each message, so I don't want to add it unless quite a few people will
> find it useful.

Of course, my preference would be that you do implement it since I don't know any other way to achieve the functionality I was looking for that prompted this suggested solution. If it has a big performance penalty, perhaps the whole feature can be turned on or off at once so that there's only one extra if statement for people who don't want the functionality. Perhaps this would make it worth implementing even if most people won't use it? Just a thought.

--
Jay Berkenbilt
http://www.ql.org/q/

From john at TRADOC.FR Thu Aug 7 06:29:11 2003
From: john at TRADOC.FR (John Wilcock)
Date: Thu Jan 12 21:19:14 2006
Subject: Virus Warnings
In-Reply-To: <5.2.0.9.2.20030806165039.05d8ddc0@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030806165039.05d8ddc0@imap.ecs.soton.ac.uk>
Message-ID: <7ko3jv0uc03i8g4jcuj1b7m397lmonhl1r@tradoc.fr>

On Wed, 6 Aug 2003 16:50:57 +0100, Julian Field wrote:
> You can add the name of the scanner to the report lines, so you can see
> exactly which scanner said what.

Which reminds me - how about adding Mailscanner's name if it produces a filename/filetype warning? i.e. change

| At Wed Aug 6 10:40:52 2003 the virus scanner said:
|    F-Prot: message.zip->message.html  Infection: W32/Mimail.A@mm
|    ClamAV: message.zip contains Trojan.Dropper.C
|    Filename used by mimail virus (message.zip)

to

| At Wed Aug 6 10:40:52 2003 the virus scanner said:
|    F-Prot: message.zip->message.html  Infection: W32/Mimail.A@mm
|    ClamAV: message.zip contains Trojan.Dropper.C
|    MailScanner: Filename used by mimail virus (message.zip)

John.

--
-- Over 2000 webcams from ski resorts around the world - http://www.snoweye.com/
-- Translate your technical documents and web pages - http://www.tradoc.fr/

From bnixon at NIXTECH.NET Thu Aug 7 07:08:40 2003
From: bnixon at NIXTECH.NET (Brad |Nixon)
Date: Thu Jan 12 21:19:14 2006
Subject: max message size
Message-ID:

Did I read here a while back that the submitted patch for reading the message up to max message size had been added to the latest code?

Brad nixon

From eja at URBAKKEN.DK Thu Aug 7 10:01:52 2003
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:19:14 2006
Subject: Etrust
Message-ID: <3F321580.7020607@urbakken.dk>

Hi.

Does Etrust have AV software for Linux?

--
Kind regards - Best regards.
Erik Jakobsen - eja@urbakken.dk.
Licensed radioamateur with the callsign OZ4KK.
SuSE Linux 8.2 Proff.
Registered as user #319488 with the Linux Counter, http://counter.li.org.

From andersan at LTKALMAR.SE Thu Aug 7 10:09:11 2003
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:19:14 2006
Subject: SV: Etrust
Message-ID: <9F18B7DDBA88E544AB1F1995148916661CE6CB@lkl63.ltkalmar.se>

> -----Original message-----
> From: Erik Jakobsen [mailto:eja@URBAKKEN.DK]
> Sent: 7 August 2003 11:02
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Etrust
>
>
> Hi.
>
> Does Etrust have AV software for Linux?

Yes, but it's only supporting up to RH 8 for the moment.... I've just been talking to them and they are working on a 9.0 version but it's not finished yet.

/Anders

> --
> Kind regards - Best regards.
> Erik Jakobsen - eja@urbakken.dk.
> Licensed radioamateur with the callsign OZ4KK.
> SuSE Linux 8.2 Proff.
> Registered as user #319488 with the Linux Counter, http://counter.li.org.

From andersan at LTKALMAR.SE Thu Aug 7 10:10:32 2003
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:19:14 2006
Subject: SV: Etrust
Message-ID: <9F18B7DDBA88E544AB1F1995148916661CE6CC@lkl63.ltkalmar.se>

> From: Anders Andersson, IT [mailto:andersan@LTKALMAR.SE]
>
> Does Etrust have AV software for Linux?
> Yes, but it's only supporting up to RH 8 for the moment....
> I've just been talking to them and they are working on a 9.0
> version but it's not finished yet.
>
> /Anders

http://support.ca.com/techbases/ilnt/etav70linux-prodann.html

more info

> > --
> > Kind regards - Best regards.
> > Erik Jakobsen - eja@urbakken.dk.
> > Licensed radioamateur with the callsign OZ4KK.
> > SuSE Linux 8.2 Proff.
> > Registered as user #319488 with the Linux Counter,
> http://counter.li.org.
>

From jurik at afx.cz Thu Aug 7 10:13:19 2003
From: jurik at afx.cz (Kamil Juřík - AFX)
Date: Thu Jan 12 21:19:14 2006
Subject: Can't parse sub ProcessBitdefenderOutput
Message-ID: <3F32182F.6060808@afx.cz>

Hi,

this Bitdefender scanner has output in ANSI format. It comes to this: the function sub ProcessBitdefenderOutput catches the direct output from the Bitdefender program bdc to parse, and a problem comes up parsing ^[[1;31;40minfected: EICAR-Test-File (not a virus)^[[0;37;40m. It can't find infected:, because it searches for \tinfected:. I don't know how to dispense with it. Is there a chance to parse from LogFile=/tmp/log.bdc.$$ (Bitdefender-wrapper)? This log has all lines with \t and it's correct.

Kamil Jurik

This e-mail was checked on the AFX mail server

From Antony at SOFT-SOLUTIONS.CO.UK Thu Aug 7 10:22:15 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:14 2006
Subject: Can't parse sub ProcessBitdefenderOutput
In-Reply-To: <3F32182F.6060808@afx.cz>
References: <3F32182F.6060808@afx.cz>
Message-ID: <200308070922.h779MND13170@onyx.rockstone.co.uk>

On Thursday 07 August 2003 10:13 am, Kamil Juřík - AFX wrote:

> Hi,
>
> this Bitdefender scanner has output in ANSI format. It comes to
> this: the function sub ProcessBitdefenderOutput
> catches the direct output from the Bitdefender program bdc to parse, and a
> problem comes up parsing ^[[1;31;40minfected: EICAR-Test-File (not a
> virus)^[[0;37;40m. It can't find infected:, because it searches for
> \tinfected:. I don't know how to dispense with it. Is there a chance to parse from
> LogFile=/tmp/log.bdc.$$ (Bitdefender-wrapper)? This log has all lines
> with \t and it's correct.

I seem to recall the last time BitDefender came up on this mailing list a month or two back, the general opinion was that it wasn't a very good anti-virus system, because there seemed to be a lot of viruses it didn't catch.

What's the benefit / advantage of trying to use the output of BitDefender (especially if it's the sort of program which puts ANSI colour sequences in piped output), instead of any of the other antivirus engines supported by MailScanner?

Antony.

--
In science, one tries to tell people in such a way as to be understood by everyone something that no-one ever knew before. In poetry, it is the exact opposite.

- Paul Dirac

From eja at URBAKKEN.DK Thu Aug 7 10:30:08 2003
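The parsing failure Kamil describes (and Antony quotes above) is that a colour escape sequence sits between the tab and the "infected:" marker the parser looks for. The following is an added example, not MailScanner's ProcessBitdefenderOutput and not BitDefender's own output: it strips ECMA-48 CSI sequences from piped scanner output before parsing, and shows the same parser failing when the stripping is skipped. The sample output reproduces the quoted line with constructed file paths.

```python
"""Added example, not MailScanner's ProcessBitdefenderOutput: strip ANSI
colour escape sequences from a virus scanner's piped output before looking
for the "\\tinfected:" marker that the parser expects. The sample output
is constructed to reproduce the line quoted in the thread; the file paths
are made up."""
import re

# ECMA-48 CSI sequence: ESC '[' parameter bytes, intermediate bytes, final byte.
ANSI_CSI = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")

# "^[" in the list message is how a terminal shows ESC (0x1b).
SAMPLE_OUTPUT = (
    "/var/spool/MailScanner/incoming/12345/eicar.com\t"
    "\x1b[1;31;40minfected: EICAR-Test-File (not a virus)\x1b[0;37;40m\n"
    "/var/spool/MailScanner/incoming/12345/notes.txt\t\x1b[0;32;40mok\x1b[0;37;40m\n"
    "/var/spool/MailScanner/incoming/12345/report.doc\tok\n"
)

# A literal tab followed by "infected: " separates the path from the verdict.
INFECTED_LINE = re.compile(r"^(?P<path>.+?)\tinfected: (?P<virus>.+)$")


def strip_ansi(text):
    """Remove every CSI colour/cursor sequence, leaving the plain text."""
    return ANSI_CSI.sub("", text)


def parse_infections(output, strip_colours=True):
    """Return [(path, virus)] for each infected line.

    With strip_colours=False the function behaves like a parser that searches
    for a literal tab followed by "infected:", which is the failure described
    in the thread: the colour code sits between the tab and the marker."""
    text = strip_ansi(output) if strip_colours else output
    found = []
    for line in text.splitlines():
        m = INFECTED_LINE.match(line)
        if m:
            found.append((m.group("path"), m.group("virus")))
    return found


if __name__ == "__main__":
    print("without stripping:", parse_infections(SAMPLE_OUTPUT, strip_colours=False))
    print("with stripping:   ", parse_infections(SAMPLE_OUTPUT))
```

Reading the wrapper's log file instead, as Kamil suggests, avoids the problem at the source because the log is written without colour codes; stripping in the parser is the alternative when only the piped output is available. Either way, a detection pipeline that silently returns "no infections" on a format mismatch is the thing to avoid, so the test below checks the failing mode as well as the working one.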
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:19:14 2006
Subject: SV: Etrust
In-Reply-To: <9F18B7DDBA88E544AB1F1995148916661CE6CB@lkl63.ltkalmar.se>
References: <9F18B7DDBA88E544AB1F1995148916661CE6CB@lkl63.ltkalmar.se>
Message-ID: <3F321C20.1000705@urbakken.dk>

>>Does Etrust have AV software for Linux?
>
> Yes, but it's only supporting up to RH 8 for the moment.... I've just been
> talking to them and they are working on a 9.0 version but it's not finished
> yet.

Hi Anders.

Do they support SuSE? I run SuSE 8.2 Proff. here.

On which URL can I see their Linux software?

--
Kind regards - Best regards.
Erik Jakobsen - eja@urbakken.dk.
Licensed radioamateur with the callsign OZ4KK.
SuSE Linux 8.2 Proff.
Registered as user #319488 with the Linux Counter, http://counter.li.org.

From hb at dfs.dk Thu Aug 7 10:56:37 2003
From: hb at dfs.dk (Henrik Bro)
Date: Thu Jan 12 21:19:14 2006
Subject: SV: SV: Etrust&MailScanner
In-Reply-To: <3F321C20.1000705@urbakken.dk>
Message-ID: <00cc01c35cca$3400c240$5ad43f50@henrik>

Do you know if eTrust works with Mailscanner?

/henrik

-----Original message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On behalf of Erik Jakobsen
Sent: 7 August 2003 11:30
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: SV: Etrust

>>Does Etrust have AV software for Linux?
>
> Yes, but it's only supporting up to RH 8 for the moment.... I've just
> been talking to them and they are working on a 9.0 version but it's not
> finished yet.

Hi Anders.

Do they support SuSE? I run SuSE 8.2 Proff. here.

On which URL can I see their Linux software?

--
Kind regards - Best regards.
Erik Jakobsen - eja@urbakken.dk.
Licensed radioamateur with the callsign OZ4KK.
SuSE Linux 8.2 Proff.
Registered as user #319488 with the Linux Counter, http://counter.li.org.

From nerijus at USERS.SOURCEFORGE.NET Thu Aug 7 11:44:03 2003
From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas)
Date: Thu Jan 12 21:19:14 2006
Subject: clean.quarantine
Message-ID: <20030807103818.344681E621@mx.ktv.lt>

Hello,

clean.quarantine is not included in MailScanner-4.22-5.tar.gz, I think it should be somewhere in bin or contrib.

Regards,
Nerijus

From jurik at afx.cz Thu Aug 7 11:54:49 2003
From: jurik at afx.cz (Kamil Juřík - AFX)
Date: Thu Jan 12 21:19:14 2006
Subject: Can't parse sub ProcessBitdefenderOutput
In-Reply-To: <200308070922.h779MND13170@onyx.rockstone.co.uk>
References: <3F32182F.6060808@afx.cz> <200308070922.h779MND13170@onyx.rockstone.co.uk>
Message-ID: <3F322FF9.5010705@afx.cz>

Nic midday (in central Europe),

I have RAV now, but RAV will end Linux support :-( and I am now selecting a new antivirus product for myself. Because my seller gave me the choice of Bitdefender (-60% from the price of $133,-) and Virusbuster (-40% from the price of $150,-), I am thinking about NOD32, but ...

NOD32 for server $335,-
NOD32 for mail server with 300 boxes $1.500,-

Will I contravene the licence if I apply NOD32 server (not NOD32 for mail server) for my clients?

Kamil Jurik

This e-mail was checked on the AFX mail server

From jurik at afx.cz Thu Aug 7 12:20:30 2003
From: jurik at afx.cz (Kamil Juřík - AFX)
Date: Thu Jan 12 21:19:14 2006
Subject: Can't parse sub ProcessBitdefenderOutput
In-Reply-To: <200308070922.h779MND13170@onyx.rockstone.co.uk>
References: <3F32182F.6060808@afx.cz> <200308070922.h779MND13170@onyx.rockstone.co.uk>
Message-ID: <3F3235FE.7000807@afx.cz>

...further, I looked and it's interesting.

https://www.virusbtn.com/vb100/archives/products.xml?table

Kamil Jurik

Antony Stone wrote:

>I seem to recall the last time BitDefender came up on this mailing list a
>month or two back, the general opinion was that it wasn't a very good
>anti-virus system, because there seemed to be a lot of viruses it didn't
>catch.
>
>What's the benefit / advantage of trying to use the output of BitDefender
>(especially if it's the sort of program which puts ANSI colour sequences in
>piped output), instead of any of the other antivirus engines supported by
>MailScanner?
>
>Antony.
>
>
>

This e-mail was checked on the AFX mail server

From mailscanner at ecs.soton.ac.uk Thu Aug 7 12:25:36 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:14 2006
Subject: Translation request
Message-ID: <5.2.0.9.2.20030807122158.04c33b80@imap.ecs.soton.ac.uk>

Please can you do me a big favour and translate all of these into your favourite languages. They are the 3 messages that are sent in response to messages containing dangerous content (such as HTML IFRAME tags and stuff like that).

Sender report:
>From: "MailScanner" <$localpostmaster>
>To: $from
>Subject: Potentially dangerous email rejected
>X-MailScanner: generated
>
>Our email content filters have been triggered by a message you sent:-
>  To: $to
>  Subject: $subject
>  Date: $date
>This message has been rejected. The filters said this:
>$report.
>
>This message contained potentially dangerous content which has been removed.
>
>If you were attempting to send a web page, please try saving the web page
>to a file, and then attach that file to the message instead.
>
>If you have any questions about this, or you believe you have received
>this message in error, please contact the site system administrators.
>
>--
>MailScanner
>Email Virus Scanner
>www.mailscanner.info
>Mailscanner thanks transtec Computers for their support

Content Deleted report:

>This is a message from the MailScanner E-Mail Virus Protection Service
>----------------------------------------------------------------------
>The original e-mail message contained potentially dangerous content,
>which has been removed for your safety.
>
>The content is dangerous as it is often used to spread viruses or to gain
>personal or confidential information from you, such as passwords or credit
>card numbers.
>
>Due to limitations placed on us by the Regulation of Investigatory Powers
>Act 2000, we were unable to keep a copy of the original attachment.
>
>The content filters found this:
>$report
>--
>Postmaster
>Mailscanner thanks transtec Computers for their support

Content Stored report:

>This is a message from the MailScanner E-Mail Virus Protection Service
>----------------------------------------------------------------------
>The original e-mail message contained potentially dangerous content,
>which has been removed for your safety.
>
>The content is dangerous as it is often used to spread viruses or to gain
>personal or confidential information from you, such as passwords or credit
>card numbers.
>
>If you wish to receive a copy of the original email, please
>e-mail helpdesk and include the whole of this message
>in your request. Alternatively, you can call them, with
>the contents of this message to hand when you call.
>
>At $date the content filters said:
>$report
>Note to Help Desk: Look on $hostname in $quarantinedir/$datenumber
>(message $id).
>--
>Postmaster
>Mailscanner thanks transtec Computers for their support

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From chris at TRUDEAU.ORG Thu Aug 7 14:07:09 2003
From: chris at TRUDEAU.ORG (Chris-Personal)
Date: Thu Jan 12 21:19:14 2006
Subject: POSTFIX release from quarantine (WAS: How to let through innocent messages)
References:
Message-ID: <010901c35ce4$d74fdca0$5702010a@mscore.trusecure.net>

>>I am running Postfix+MS+SA, all the latest stable versions. I grepped
>>"Subject" from quarantine directory and I noticed some message weren't
>>spam. How can I elegantly forward those messages where they belong?
>>
>In the MailScanner.conf is an option to save the quarantined messages as
>queue files:
>"Quarantine Whole Messages As Queue Files = yes"
>
>If this option is set to yes, you should be able to just move those saved
>queue files into your postfix queue (I'm not very familiar with postfix)
>and they should be re-delivered! Be aware that the mail doesn't go
>through your spam checking again :)

I have tried this and I believe postfix either doesn't allow this, OR I'm doing something wrong:

Any ideas what I could be doing wrong?

From Antony at SOFT-SOLUTIONS.CO.UK Thu Aug 7 14:28:33 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:14 2006
Subject: Translation request
In-Reply-To: <5.2.0.9.2.20030807122158.04c33b80@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030807122158.04c33b80@imap.ecs.soton.ac.uk>
Message-ID: <200308071328.h77DSZD13559@onyx.rockstone.co.uk>

On Thursday 07 August 2003 12:25 pm, Julian Field wrote:

> Please can you do me a big favour and translate all of these into your
> favourite languages. They are the 3 messages that are sent in response to
> messages containing dangerous content (such as HTML IFRAME tags and stuff
> like that).

Just a thought, Julian; do you want the following message translated into all the languages? Surely it's fairly UK-specific?

> > Due to limitations placed on us by the Regulation of Investigatory Powers
> > Act 2000, we were unable to keep a copy of the original attachment.

Antony.

--
Success is a lousy teacher. It seduces smart people into thinking they can't lose.

- William H Gates III

From chris at TRUDEAU.ORG Thu Aug 7 14:33:36 2003
From: chris at TRUDEAU.ORG (Chris-Personal)
Date: Thu Jan 12 21:19:14 2006
Subject: SpamAssassin domain rules
References: <5.2.0.9.2.20030805100525.09a7a6e0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030805114120.03bde680@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030805135856.09ac7348@imap.ecs.soton.ac.uk>
Message-ID: <011401c35ce8$819cc990$5702010a@mscore.trusecure.net>

Hope you're staying cool over there...I am using a different mail address as my ISP was having problems with the forwarding scenario:

Yes most of the options are configurable via MailScanner and the system works really well thanks! However, I COULD potentially require different bayes databases for different domains; this is MUCH easier if I can simply base SA parameters on domain and point each SA configuration at a different set of BAYES tokens...hope I'm making sense...

Using the example below:

If I include a rules pointer here:

SpamAssassin Prefs File = %etc-dir%/spam.assassin.prefs.rules

That pointed to a prefs file like this:

FromOrTo: example.com /etc/MailScanner/rules/example_sa_prefs.conf

So that the "example_sa_prefs.conf" file has domain level SA configuration pointing to a tuned bayes database for the example.com domain. In addition, I can limit RBL use, DCC and Razor use as well as SA timeout parameters for SA on a domain-by-domain basis if this configuration is possible.

Judging from the response, should I assume that rules with SA are not a reality in the current version?

THX

CT

> You can set the SpamAssassin threshold score and the spam actions on a
> per-user or per-domain (or per-anything-else for that matter) basis using
> rulesets in MailScanner.
> You can also have per-user and per-domain spam whitelists and blacklists.
>
> Between them, they implement just about all the SpamAssassin things people
> ever want to change in reality.
> > So some people can have a different threshold score to others, and some (a > different "some") can have their spam deleted or delivered or whatever, > just as they want. And they can each have their own whitelist and/or > blacklist if they want, too. > > At 12:53 05/08/2003, you wrote: > >I looked around in the archives and I am unable to find any references to > >this... > > > >I want to have different sa_user_prefs for each domain so that one domain > >can have a dedicated SA configuration that is seperate from another domain > >being scanned on the same MS system. Is this possible? > > > >Could I include a rules pointer here: > > > >SpamAssassin Prefs File = %etc-dir%/spam.assassin.prefs.rules > > > > > >That pointed to a rules file like this: > > > >To example.com /etc/MailScanner/rules/example_sa_prefs.conf > > > > > >where /etc/MailScanner/rules/example_sa_prefs.conf was a SA prefs file > >specific to example.com? > > > >CT > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support From andersan at LTKALMAR.SE Thu Aug 7 14:55:37 2003 
From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:19:14 2006 Subject: Re: Translation request Message-ID: <9F18B7DDBA88E544AB1F1995148916661CE6CF@lkl63.ltkalmar.se> Since it doesn't exist in Sweden as far as I know it will just be removed =) > -----Original Message----- > From: Antony Stone [mailto:Antony@SOFT-SOLUTIONS.CO.UK] > Sent: 7 August 2003 15:29 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Translation request > > > On Thursday 07 August 2003 12:25 pm, Julian Field wrote: > > > Please can you do me a big favour and translate all of > these into your > > favourite languages. They are the 3 messages that are sent > in response > > to messages containing dangerous content (such as HTML > IFRAME tags and > > stuff like that). > > Just a thought, Julian; do you want the following message > translated into all > the languages? Surely it's fairly UK-specific? > > > > Due to limitations placed on us by the Regulation of > Investigatory > > > Powers Act 2000, we were unable to keep a copy of the original > > > attachment. > > Antony. > > -- > > Success is a lousy teacher. It seduces smart people into > thinking they > can't lose. > > - William H Gates III > From mailscanner at ecs.soton.ac.uk Thu Aug 7 14:56:26 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:14 2006 Subject: Virus Warnings In-Reply-To: <7ko3jv0uc03i8g4jcuj1b7m397lmonhl1r@tradoc.fr> References: <5.2.0.9.2.20030806165039.05d8ddc0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030806165039.05d8ddc0@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030807145101.04236500@imap.ecs.soton.ac.uk> At 06:29 07/08/2003, you wrote: >On Wed, 6 Aug 2003 16:50:57 +0100, Julian Field wrote: > > You can add the name of the scanner to the report lines, so you can see > > exactly which scanner said what. > >Which reminds me - how about adding Mailscanner's name if it produces >a filename/filetype warning? Very good idea. Nice and simple too :-) You can now do this. Of course the exact text inserted can be configured in languages.conf. If you want the old behaviour of having the names of the scanners but nothing else, then set MailScanner = in languages.conf. The new behaviour suggested by John is the default as it seems better to me. But if you are upgrading then you may well not have "Include Scanner Name In Reports" switched on anyway. >i.e. change > >| At Wed Aug 6 10:40:52 2003 the virus scanner said: >| F-Prot: message.zip->message.html Infection: W32/Mimail.A@mm >| ClamAV: message.zip contains Trojan.Dropper.C >| Filename used by mimail virus (message.zip) > >to > >| At Wed Aug 6 10:40:52 2003 the virus scanner said: >| F-Prot: message.zip->message.html Infection: W32/Mimail.A@mm >| ClamAV: message.zip contains Trojan.Dropper.C >| MailScanner: Filename used by mimail virus (message.zip) > > >John. > >-- >-- Over 2000 webcams from ski resorts around the world - >http://www.snoweye.com/ >-- Translate your technical documents and web pages - http://www.tradoc.fr/ -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Aug 7 14:57:16 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:14 2006 Subject: max message size In-Reply-To: Message-ID: <5.2.0.9.2.20030807145707.041dceb0@imap.ecs.soton.ac.uk> This appeared in 4.22. At 07:08 07/08/2003, you wrote: >Did I read here a while back that the submited patch for reading the >message up to max message size had been added to the latest code? > >Brad nixon -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Aug 7 14:58:59 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:14 2006 Subject: Translation request In-Reply-To: <200308071328.h77DSZD13559@onyx.rockstone.co.uk> References: <5.2.0.9.2.20030807122158.04c33b80@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030807122158.04c33b80@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030807145841.0423d0a0@imap.ecs.soton.ac.uk> I assume translators may/will edit the message a bit to suit their local legislation. At 14:28 07/08/2003, you wrote: >On Thursday 07 August 2003 12:25 pm, Julian Field wrote: > > > Please can you do me a big favour and translate all of these into your > > favourite languages. They are the 3 messages that are sent in response to > > messages containing dangerous content (such as HTML IFRAME tags and stuff > > like that). > >Just a thought, Julian; do you want the following message translated into all >the languages? Surely it's fairly UK-specific? > > > > Due to limitations placed on us by the Regulation of Investigatory Powers > > > Act 2000, we were unable to keep a copy of the original attachment. > >Antony. > >-- > >Success is a lousy teacher. It seduces smart people into thinking they >can't lose. > > - William H Gates III -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From john at TRADOC.FR Thu Aug 7 15:10:24 2003 
From: john at TRADOC.FR (John Wilcock) Date: Thu Jan 12 21:19:14 2006 Subject: POSTFIX release from quarantine (WAS: How to let through innocent messages) In-Reply-To: <010901c35ce4$d74fdca0$5702010a@mscore.trusecure.net> References: <010901c35ce4$d74fdca0$5702010a@mscore.trusecure.net> Message-ID: <3an4jv041vkofhg1ibrsq6saq3d0ehfcss@tradoc.fr> On Thu, 7 Aug 2003 09:07:09 -0400, Chris-Personal wrote: > >In the MailScanner.conf is an option to save the quarantined messages as > >queue files: > >"Quarantine Whole Messages As Queue Files = yes" > > > >If this option is set to yes, you should be able to just move those saved > >queue files into your postfix queue (I'm not very familiar with postfix) > >and they should be re-delivered! Be aware that the mail doesn't go > >through your spam checking again :) > > > I have tried this and I believe postfix either doesn't allow this, OR I'm > doing something wrong: I battled with this for a while, and while it should work in theory *if the file permissions are right* there's a far easier way: postdrop < quarantined-message-file John. -- -- Over 2000 webcams from ski resorts around the world - http://www.snoweye.com/ -- Translate your technical documents and web pages - http://www.tradoc.fr/ From cslyon at NETSVCS.COM Thu Aug 7 15:10:47 2003 
From: cslyon at NETSVCS.COM (Chris Lyon) Date: Thu Jan 12 21:19:14 2006 Subject: Trying to get MailScanner v4.22-5 to forward messages Message-ID: OK, this might be an easy answer and if you couldn't tell, this is my first time trying to get MailScanner working. I have installed MailScanner 4.22-5 and have it running on a Redhat 9.0 installation. Sendmail is disabled and I even did the 'dnl DAEMON...' to get it working from outside the box. I am trying to get a domain routing to this box with MailScanner running on it to my Exchange System. If I turn off MailScanner and turn on just Sendmail, everything works fine. Mail from the outside goes to RH9.0 then to the Exchange. As soon as I turn off sendmail then turn on MailScanner, the mail just sits in the /var/spool/m.... directory. Any ideas? BTW, I turned off AntiVirus, and SpamAssassin too just to bring it down to a basic level. From mailscanner at ecs.soton.ac.uk Thu Aug 7 15:05:25 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:14 2006 Subject: SpamAssassin domain rules In-Reply-To: <011401c35ce8$819cc990$5702010a@mscore.trusecure.net> References: <5.2.0.9.2.20030805100525.09a7a6e0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030805114120.03bde680@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030805135856.09ac7348@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030807150418.03f604c8@imap.ecs.soton.ac.uk> At 14:33 07/08/2003, you wrote: >Hope you're staying cool over there... I am using a different mail address as >my ISP was having problems with the forwarding scenario: > >Yes, most of the options are configurable via MailScanner and the system >works really well, thanks! > >However, I COULD potentially require different bayes databases for different >domains; this is MUCH easier if I can simply base SA parameters on >domain and point each SA configuration at a different set of BAYES >tokens... hope I'm making sense... This would involve quite a lot of work on my part. You'll have to live without for now. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Aug 7 15:04:02 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:14 2006 Subject: POSTFIX release from quarantine (WAS: How to let through innocent messages) In-Reply-To: <010901c35ce4$d74fdca0$5702010a@mscore.trusecure.net> References: Message-ID: <5.2.0.9.2.20030807150315.042024f8@imap.ecs.soton.ac.uk> At 14:07 07/08/2003, you wrote: > >>I am running Postfix+MS+SA, all the latest stable versions. I grepped > >>"Subject" from quarantine directory and I noticed some messages weren't > >>spam. How can I elegantly forward those messages where they belong? > >> > > > >In the MailScanner.conf is an option to save the quarantined messages as > >queue files: > >"Quarantine Whole Messages As Queue Files = yes" > > > >If this option is set to yes, you should be able to just move those saved > >queue files into your postfix queue (I'm not very familiar with postfix) > >and they should be re-delivered! Be aware that the mail doesn't go > >through your spam checking again :) > > >I have tried this and I believe postfix either doesn't allow this, OR I'm >doing something wrong: > >Any ideas what I could be doing wrong? Postfix queue files are named according to the inode number of the file, so dropping files back into the queue is a non-trivial exercise. I'm sure someone out there can write you a script to do it. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From Kevin.Spicer at BMRB.CO.UK Thu Aug 7 15:34:20 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:19:14 2006 Subject: Trying to get MailScanner v4.22-5 to forward messages Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF78D@pascal.priv.bmrb.co.uk> > the mail just > sits in the /var/spool/m.... directory. Bad place to trail off... because it's quite important whether that is mqueue or mqueue.in. What's happening in the maillog a) when you start MS b) when mail arrives? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 From mailscanner at ecs.soton.ac.uk Thu Aug 7 15:33:32 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:14 2006 Subject: ANNOUNCE: beta release 4.23-1 Message-ID: <5.2.0.9.2.20030807153034.04246c50@imap.ecs.soton.ac.uk> I have just posted 4.23-1 to the web site. This is a beta release, so the usual rules apply: I don't guarantee it works and I wouldn't advise running it on a production server. It doesn't improve on the handling of eTrust or bitdefender, they are my next targets. But I thought it would be a good idea for you folks to try it out and see how things are progressing. Download as usual from www.mailscanner.info ChangeLog is this: * New Features and Improvements * - Improved error detection in bitdefender-autoupdate. - Added 5 minute timeout to clamav-autoupdate. - Messages bigger than the max SA testing size are now checked by SA, just only the first n bytes of the message will be checked. - Logging now handles syslog-ng better, as it will attempt to re-open the syslog connection if it dies while logging to it. - Better mcafee-autoupdate script from Tony Finch. Allows non-root user more easily, and can delete old files if you want it to. - Implemented special "silent viruses" list keyword "All-Viruses" which matches the name of any virus. This means you can make messages silent which contain just viruses and none (or a combination) of the HTML hacks that are detected. - Implemented "Use Default Rules With Multiple Recipients" configuration option to force predictable results when faced with a message with multiple recipients who have conflicting user preferences. - Now check that at least 1 file matches all of the filename patterns specified in "Monitors For Sophos Updates". - Implemented various new parameters so that messages which only have dangerous content, and nothing else wrong with them, get a "dangerous content" warning rather than a "virus" warning. 
- "Include Scanner Name In Reports" now also includes the name "MailScanner" at the start of the report lines that come from MailScanner's own internal filename, filetype and content checks. The exact wording used can be customised in languages.conf. * Fixes * - Corrected minor typo in check_MailScanner cron job. - Corrected typo in SweepOther.pm. - Corrected handling of non-archives in kavdaemonclient scanner. - SQL Logging code now translates '' into 'NULL' before inserting into table. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Aug 7 15:34:48 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:14 2006 Subject: Trying to get MailScanner v4.22-5 to forward messages In-Reply-To: Message-ID: <5.2.0.9.2.20030807153407.04230de8@imap.ecs.soton.ac.uk> At 15:10 07/08/2003, you wrote: >OK, this might be an easy answer and if you couldn't tell, this is my first >time trying to get MailScanner working. I have installed MailScanner 4.22-5 >and have it running on a Redhat 9.0 installation. Sendmail is disabled and >I even did the 'dnl DAEMON...' to get it working from outside the box. I am >trying to get a domain routing to this box with MailScanner running on it >to my Exchange System. If I turn off MailScanner and turn on just Sendmail, >everything works fine. Mail from the outside goes to RH9.0 then to the >Exchange. As soon as I turn off sendmail then turn on MailScanner, the mail >just sits in the /var/spool/m.... directory. What's the rest of that directory name? It's rather important! >BTW, I turned off AntiVirus, and SpamAssassin too just to bring it down to >a basic level. What else did you change? (And I want the truth, not just the bits you think matter :-) Also, try doing a "sendmail -bv one.of.your.addresses@yourdomain.com" to see how sendmail thinks it will try to deliver a message to one of your users. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From slwatts at WINCKWORTHS.CO.UK Thu Aug 7 15:43:04 2003 
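The thread above turns on which spool directory the mail is sitting in, and Julian's reply adds the `sendmail -bv` check. The script below, an added example rather than anything from the thread or from MailScanner's own check_MailScanner, puts those checks together for the stock MailScanner + sendmail layout. It assumes the usual two-queue arrangement (the inbound sendmail daemon writing to /var/spool/mqueue.in, MailScanner moving scanned mail to /var/spool/mqueue, an outbound `sendmail -q` draining it); the function names, the `SPOOL` variable and the process-title patterns are my own choices, and the `ps` patterns may need adjusting to how the local sendmail sets its process titles.

```shell
#!/bin/sh
# Queue health check for a MailScanner + sendmail "split queue" host.
# Added example; not MailScanner's own check_MailScanner script.
# Assumed layout (the stock MailScanner/sendmail arrangement):
#   /var/spool/mqueue.in  inbound sendmail daemon writes here, MailScanner reads it
#   /var/spool/mqueue     MailScanner writes here, the outbound "sendmail -q" drains it
# A sendmail queue entry is a qf<id> control file plus a df<id> data file.

SPOOL=${SPOOL:-/var/spool}

# Number of queued messages in a sendmail queue directory: one qf* file each.
count_queue_files() {
    dir=$1
    [ -d "$dir" ] || { echo 0; return 0; }
    n=0
    for f in "$dir"/qf*; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# qf control files with no matching df data file: half-written or damaged
# entries that need a look, not just a daemon restart.
count_orphans() {
    dir=$1
    n=0
    for f in "$dir"/qf*; do
        [ -f "$f" ] || continue
        id=${f##*/qf}
        [ -f "$dir/df$id" ] || n=$((n + 1))
    done
    echo "$n"
}

# Classify the situation. $1 incoming queue dir, $2 outgoing queue dir,
# $3 = 1 if MailScanner is running, $4 = 1 if an outbound "sendmail -q" runs.
# The daemon flags are parameters, not looked up here, so the logic runs offline.
diagnose() {
    in_dir=$1 out_dir=$2 ms_running=$3 sm_running=$4
    in_n=$(count_queue_files "$in_dir")
    out_n=$(count_queue_files "$out_dir")
    if [ "$in_n" -gt 0 ] && [ "$ms_running" -eq 0 ]; then
        echo "stuck-incoming: $in_n message(s) in $in_dir but MailScanner is not running"
    elif [ "$out_n" -gt 0 ] && [ "$sm_running" -eq 0 ]; then
        echo "stuck-outgoing: $out_n message(s) in $out_dir but no outbound sendmail -q"
    elif [ "$in_n" -gt 0 ] || [ "$out_n" -gt 0 ]; then
        echo "busy: $in_n incoming, $out_n outgoing, both daemons present"
    else
        echo "idle: both queues empty"
    fi
}

# Live run against the real spool and process table. An optional address is
# passed to "sendmail -bv" to show how sendmail would route it. The process
# patterns are assumptions: sendmail rewrites its title, so the queue runner
# usually shows up as "sendmail: Queue runner@..." rather than "sendmail -q".
live_check() {
    ms=0; sm=0
    ps -ef | grep -q '[M]ailScanner' && ms=1
    ps -ef | grep -Eq '[s]endmail.*(-q|Queue runner)' && sm=1
    diagnose "$SPOOL/mqueue.in" "$SPOOL/mqueue" "$ms" "$sm"
    echo "orphaned qf files: in=$(count_orphans "$SPOOL/mqueue.in") out=$(count_orphans "$SPOOL/mqueue")"
    [ -n "${1:-}" ] && sendmail -bv "$1"
    return 0
}

if [ "${1:-}" = "--live" ]; then
    live_check "${2:-}"
fi
```

Run it as root with `sh queuecheck.sh --live postmaster@example.com`. A `stuck-incoming` verdict means the inbound daemon is accepting mail but nothing is reading mqueue.in, which is exactly the symptom in the question; `stuck-outgoing` means MailScanner has done its part and the outbound queue runner is missing.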
From: slwatts at WINCKWORTHS.CO.UK (Samuel Luxford-Watts) Date: Thu Jan 12 21:19:14 2006 Subject: POSTFIX release from quarantine (WAS: How to let through innocent messages) Message-ID: I was just looking at this. I am running postfix 2... (whatever the latest download was 3 days ago!) and have just tried releasing several emails held in quarantine. From the quarantine folder, if you chmod +x (filename), chown postfix:postfix (filename) then cp filename /var/spool/postfix/incoming/(first letter of filename)/ It works - it's not ideal, as you do get warnings logged in the logfile saying that filename doesn't match inode and that it's renaming queue files but the mail is sent. Maybe more by luck than anything but it does go! If someone could write a nice script ... Or even modify the mailscanner webmin module to handle releasing emails from quarantine it would be much appreciated! Cheers, Sam -------------- Winckworth Sherwood Solicitors and Parliamentary Agents From eja at URBAKKEN.DK Thu Aug 7 15:53:40 2003 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:19:14 2006 Subject: SuSE 8.2. Message-ID: <3F3267F4.1070403@urbakken.dk> Hi. I do run the subject here. What I want to know is if any SuSE 8.2 Linux users are using MailScanner? -- Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radio amateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From mike at CAMAROSS.NET Thu Aug 7 16:14:56 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:19:14 2006 Subject: ANNOUNCE: beta release 4.23-1 In-Reply-To: <5.2.0.9.2.20030807153034.04246c50@imap.ecs.soton.ac.uk> Message-ID: <001d01c35cf6$ac8e1a10$9c01a8c0@home.middlefinger.net> Is there a way to extract the MailScanner.conf from the .rpm so I can get it set up before doing the upgrade? I've been trying different uses of rpm2cpio without success. I suppose I could just download the tarball and get it from there. Mike 
From Denis.Beauchemin at USHERBROOKE.CA Thu Aug 7 16:18:17 2003 From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:19:14 2006 Subject: Translation request -- French In-Reply-To: <5.2.0.9.2.20030807122158.04c33b80@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030807122158.04c33b80@imap.ecs.soton.ac.uk> Message-ID: <1060269497.2859.91.camel@dbeauchemin.sti.usherbrooke.ca> On Thu 07/08/2003 at 07:25, Julian Field wrote: > Please can you do me a big favour and translate all of these into your > favourite languages. They are the 3 messages that are sent in response to > messages containing dangerous content (such as HTML IFRAME tags and stuff > like that). > > Sender report: 
From: "MailScanner antivirus gateway" <$localpostmaster> To: $from Subject: ALERT: Dangerous e-mail rejected X-MailScanner: generated Our antivirus gateway refuses to forward the e-mail you have just sent: To: $to Subject: $subject Date: $date Transmission of this e-mail is prohibited by our company's rules and it has been replaced by this warning. Results of the e-mail analysis: $report This e-mail contained potentially dangerous content, which was removed to avoid infecting your computer. If you were trying to send a web page, it is better to send the page's address (http://adresse.du.site/...) or to save the page to disk and then attach it to the e-mail. Contact $localpostmaster for more information. -- MailScanner www.mailscanner.info MailScanner thanks transtec for its support > Content Deleted report: Warning from the MailScanner antivirus gateway ---------------------------------------------------- Our company's security rules prohibit the transmission of the e-mail that was addressed to you. The e-mail could have been used to spread viruses or to obtain confidential information such as passwords or credit card numbers. For your safety, it has been replaced by this warning. The e-mail has not been kept on the gateway. Results of the e-mail analysis: $report Contact $localpostmaster for more information. -- MailScanner www.mailscanner.info MailScanner thanks transtec for its support > Content Stored report: Warning from the MailScanner antivirus gateway ---------------------------------------------------- Our company's security rules prohibit the transmission of the e-mail that was addressed to you. The e-mail could have been used to spread viruses or to obtain confidential information such as passwords or credit card numbers. 
For your safety, it has been replaced by this warning. The e-mail has been kept on the gateway. It can therefore be returned to you on request. Forward this message to $localpostmaster to retrieve it. Results of the e-mail analysis: $report Contact $localpostmaster for more information. Tracking information: $hostname:$quarantinedir/$datenumber/$id -- MailScanner www.mailscanner.info MailScanner thanks transtec for its support Denis -- Denis Beauchemin, analyst Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From john at TRADOC.FR Thu Aug 7 16:22:25 2003 From: john at TRADOC.FR (John Wilcock) Date: Thu Jan 12 21:19:14 2006 Subject: POSTFIX release from quarantine (WAS: How to let through innocent messages) In-Reply-To: References: Message-ID: <5ir4jvc8qkq4eggt2s1ahbehn88663rrap@tradoc.fr> On Thu, 7 Aug 2003 15:43:04 +0100, Samuel Luxford-Watts wrote: > I am running postfix 2... (whatever the latest download was 3 days ago!) and > have just tried releasing several emails held in quarantine. > > From the quarantine folder, if you chmod +x (filename), chown > postfix:postfix (filename) then cp filename > /var/spool/postfix/incoming/(first letter of filename)/ > > It works - it's not ideal, as you do get warnings logged in the logfile > saying that filename doesn't match inode and that it's renaming queue files > but the mail is sent. Maybe more by luck than anything but it does go! > > If someone could write a nice script ... No need. As I mentioned earlier, you can just do postdrop < quarantined-message-file and let postfix sort out the inode numbers all by itself. John. -- -- Over 2000 webcams from ski resorts around the world - http://www.snoweye.com/ -- Translate your technical documents and web pages - http://www.tradoc.fr/ From mailscanner at ecs.soton.ac.uk Thu Aug 7 17:08:52 2003 
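Sam asked for a script; the following is an added example of the release-by-postdrop route John describes, not code from MailScanner, Postfix or anyone in the thread. It assumes "Quarantine Whole Messages As Queue Files = yes" (so each quarantined file is a Postfix queue file that postdrop accepts on stdin, as the thread reports), MailScanner's default quarantine directory /var/spool/MailScanner/quarantine laid out as <yyyymmdd>/<message-id>/<file>, and a log file path of my choosing; the `POSTDROP` variable exists only so the logic can be exercised against a stub. Because released mail is not scanned again, the script refuses anything that is not a regular, non-empty file inside the quarantine tree and records who released what.

```shell
#!/bin/sh
# Release MailScanner-quarantined Postfix queue files with postdrop, the
# method described in the thread. Added example, not MailScanner or Postfix code.
# Assumptions (mine, not from the thread):
#  - "Quarantine Whole Messages As Queue Files = yes", so each quarantined
#    file is a Postfix queue file that postdrop accepts on stdin as-is;
#  - the quarantine tree is $QUARANTINE/<yyyymmdd>/<message-id>/<file>,
#    under MailScanner's default Quarantine Dir;
#  - the release log path is an illustrative choice.
QUARANTINE=${QUARANTINE:-/var/spool/MailScanner/quarantine}
POSTDROP=${POSTDROP:-postdrop}          # overridable for offline testing
RELEASED_LOG=${RELEASED_LOG:-/var/log/mailscanner-released.log}

# Only a plain, non-empty, regular file inside the quarantine tree may be fed
# to postdrop: no symlinks, no paths outside the tree, no ".." components.
# Released mail skips the spam and virus checks, so this is the one gate.
is_releasable() {
    f=$1
    case "$f" in
        "$QUARANTINE"/*) ;;
        *) return 1 ;;
    esac
    case "$f" in
        *..*) return 1 ;;
    esac
    [ ! -L "$f" ] && [ -f "$f" ] && [ -s "$f" ]
}

# Re-inject one queue file. Prints its path on success so the caller can
# record what went back into the mail stream, and by whom.
release_one() {
    f=$1
    is_releasable "$f" || { echo "refusing $f" >&2; return 1; }
    "$POSTDROP" < "$f" || { echo "postdrop failed for $f" >&2; return 1; }
    echo "$(date '+%Y-%m-%d %H:%M:%S') released $f by ${SUDO_USER:-$(id -un)}" >> "$RELEASED_LOG"
    echo "$f"
}

# Release every file of each message id listed in $2 (one id per line) under
# the day directory $1, after the ids have been reviewed by hand.
# Returns non-zero if any id failed, so a cron or sudo wrapper can notice.
release_ids() {
    day=$1 idfile=$2
    case "$day" in
        ''|*[!0-9]*) echo "bad day directory: $day" >&2; return 1 ;;
    esac
    ok=0; bad=0
    while IFS= read -r id; do
        case "$id" in
            ''|.|..|*[!A-Za-z0-9._-]*) echo "bad id: $id" >&2; bad=$((bad + 1)); continue ;;
        esac
        released=0
        for f in "$QUARANTINE/$day/$id"/*; do
            [ -e "$f" ] || continue
            if release_one "$f" >/dev/null; then released=1; fi
        done
        if [ "$released" -eq 1 ]; then ok=$((ok + 1)); else bad=$((bad + 1)); fi
    done < "$idfile"
    echo "$ok released, $bad failed"
    [ "$bad" -eq 0 ]
}

# Usage: release-quarantine.sh 20030807 /root/ids-to-release
if [ $# -eq 2 ]; then
    release_ids "$1" "$2"
fi
```

The id list is the output of whatever review was done by hand (Chris grepped Subject lines); the script deliberately takes ids, not paths, so an operator cannot be talked into feeding postdrop something from outside the quarantine.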
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:14 2006 Subject: ANNOUNCE: beta release 4.23-1 In-Reply-To: <001d01c35cf6$ac8e1a10$9c01a8c0@home.middlefinger.net> References: <5.2.0.9.2.20030807153034.04246c50@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030807170506.04212e70@imap.ecs.soton.ac.uk> It goes like this: mkdir /tmp/rpmroot rpm --root=/tmp/rpmroot --noscripts --nodeps -Uvh mailscanner-4.23-1.noarch.rpm Then you will find the file in /tmp/rpmroot/etc/MailScanner/MailScanner.conf The tarball will have a different MailScanner.conf file in it as all the default paths are different (it uses /opt/MailScanner by default). At 16:14 07/08/2003, you wrote: >Is there a way to extract the MailScanner.conf from the .rpm so I can get it >setup before doing the upgrade? I've been trying different uses of rpm2cpio >without success. I suppose I could just download the tarball and get it >from there. > >Mike -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mike at CAMAROSS.NET Thu Aug 7 17:19:48 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:19:14 2006 Subject: ANNOUNCE: beta release 4.23-1 In-Reply-To: <5.2.0.9.2.20030807170506.04212e70@imap.ecs.soton.ac.uk> Message-ID: <003201c35cff$ba86fb10$9c01a8c0@home.middlefinger.net> Ugh... [root@genesis MailScanner-4.22-5]# rpm --root=/tmp/rpmroot --noscripts --nodeps -Uvh mailscanner-4.22-5.noarch.rpm error: cannot open Packages index using db3 - No such file or directory (2) error: cannot open Packages database in /tmp/rpmroot/var/lib/rpm -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Thursday, August 07, 2003 11:09 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: ANNOUNCE: beta release 4.23-1 It goes like this: mkdir /tmp/rpmroot rpm --root=/tmp/rpmroot --noscripts --nodeps -Uvh mailscanner-4.23-1.noarch.rpm Then you will find the file in /tmp/rpmroot/etc/MailScanner/MailScanner.conf The tarball will have a different MailScanner.conf file in it as all the default paths are different (it uses /opt/MailScanner by default). At 16:14 07/08/2003, you wrote: >Is there a way to extract the MailScanner.conf from the .rpm so I can >get it setup before doing the upgrade? I've been trying different uses >of rpm2cpio without success. I suppose I could just download the >tarball and get it from there. > >Mike > > >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of Julian Field >Sent: Thursday, August 07, 2003 9:34 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: ANNOUNCE: beta release 4.23-1 > > >I have just posted 4.23-1 to the web site. This is a beta release, so >the usual rules apply: I don't guarantee it works and I wouldn't advise >running it on a production server. > >It doesn't improve on the handling of eTrust or bitdefender, they are >my next targets. But I thought it would be a good idea for you folks to >try it out and see how things are progressing. > >Download as usual from www.mailscanner.info > >ChangeLog is this: > >* New Features and Improvements * >- Improved error detection in bitdefender-autoupdate. >- Added 5 minute timeout to clamav-autoupdate. >- Messages bigger than the max SA testing size are now checked by SA, just > only the first n bytes of the message will be checked. >- Logging now handles syslog-ng better, as it will attempt to re-open the > syslog connection if it dies while logging to it. >- Better mcafee-autoupdate script from Tony Finch. Allows non-root user > more easily, and can delete old files if you want it to. >- Implemented special "silent viruses" list keyword "All-Viruses" which >matches > the name of any virus. This means you can make messages silent >which contain > just viruses and none (or a combination) of the HTML hacks that are >detected. >- Implemented "Use Default Rules With Multiple Recipients" configuration > option to force predictable results when faced with a message with >multiple > recipients who have conflicting user preferences. >- Now check that at least 1 file matches all of the filename patterns > specified in "Monitors For Sophos Updates". >- Implemented various new parameters so that messages which only have > dangerous content, and nothing else wrong with them, get a "dangerous > content" warning rather than a "virus" warning. 
>- "Include Scanner Name In Reports" now also includes the name "MailScanner" > at the start of the report lines that come from MailScanner's own > internal filename, filetype and content checks. The exact wording >used can > be customised in languages.conf. > >* Fixes * >- Corrected minor typo in check_MailScanner cron job. >- Corrected typo in SweepOther.pm. >- Corrected handling of non-archives in kavdaemonclient scanner. >- SQL Logging code now translates '' into 'NULL' before inserting into >table. >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mikea at MIKEA.ATH.CX Thu Aug 7 17:21:48 2003 
From: mikea at MIKEA.ATH.CX (mikea) Date: Thu Jan 12 21:19:14 2006 Subject: Help! SA timing out, mail undelivered In-Reply-To: <20030805190616.A34168@mikea.ath.cx>; from mikea@MIKEA.ATH.CX on Tue, Aug 05, 2003 at 07:06:16PM -0500 References: <8FFC76593085ED4A80D3601BC41EFCDF8E1A87@inex1.herffjones.hj-int> <20030805190616.A34168@mikea.ath.cx> Message-ID: <20030807112148.A45026@mikea.ath.cx> On Tue, Aug 05, 2003 at 07:06:16PM -0500, mikea wrote: > On Tue, Aug 05, 2003 at 04:24:33PM -0500, Furnish, Trever G wrote: > > This is the first time I've looked at ms/sa debug output, so maybe this is a > > red herring (especially since you say rbl's seem to be working), but why > > does it seem to think dns is unavailable? > > > > Also, I'm a little confused about why a SA timeout that MS properly kills > > would be responsible for stopped mail-flow - when I see messages like that, > > I still get the message delivered, just not scanned by SA. ...at least I > > think I still get it. Maybe I need to verify that. :-) > > > > When you say "disable SA" you mean setting "use spamassassin = no" in the > > MailScanner.conf file, right? > > Exactly. > > The only SA code that runs is the SA code started inside the various > MS processes. > > I also am looking at the DNS stuff -- or will tomorrow. I am at wit's end. The DNS requests appear all to be OK: each request to the server has a matching response. (sloppy Perl program to analyze tcpdump output available on request) I have gone so far as to reboot the mailscanner machine, have emptied /etc/mail/mailscanner/* (moved local.cf to another directory), and so on. Mail still hangs in the mqueue.in queue, I have 5 mailscanner processes eating up about 20% of the box each, and it is *obvious* to me that they're waiting on *something* -- but I can't tell what, except that SpamAssassin is timing out, and I can't tell why from the MS or SA diagnostics. 
Logs, configuration files, tcpdump output, beer, and small amounts of blood available on request. Blood may be limited by stock on hand, as the users are gritching about wanting mine if I don't stop the spam! -- Mike Andrews mikea@mikea.ath.cx Tired old sysadmin since 1964 From mailscanner at ecs.soton.ac.uk Thu Aug 7 17:44:15 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:14 2006 Subject: ANNOUNCE: beta release 4.23-1 In-Reply-To: <003201c35cff$ba86fb10$9c01a8c0@home.middlefinger.net> References: <5.2.0.9.2.20030807170506.04212e70@imap.ecs.soton.ac.uk> Message-ID: <5.2.1.1.2.20030807174259.025d1ac8@imap.ecs.soton.ac.uk> At 17:19 07/08/2003, you wrote: >Ugh... > >[root@genesis MailScanner-4.22-5]# rpm --root=/tmp/rpmroot --noscripts >--nodeps -Uvh mailscanner-4.22-5.noarch.rpm >error: cannot open Packages index using db3 - No such file or directory (2) >error: cannot open Packages database in /tmp/rpmroot/var/lib/rpm Mine used to do that too. mkdir -p /tmp/rpmroot/var/lib/rpm touch /tmp/rpmroot/var/lib/rpm/Packages then do the rpm command again. >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf >Of Julian Field >Sent: Thursday, August 07, 2003 11:09 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: ANNOUNCE: beta release 4.23-1 > > >It goes like this: > >mkdir /tmp/rpmroot >rpm --root=/tmp/rpmroot --noscripts --nodeps -Uvh >mailscanner-4.23-1.noarch.rpm > >Then you will find the file in > /tmp/rpmroot/etc/MailScanner/MailScanner.conf > >The tarball will have a different MailScanner.conf file in it as all the >default paths are different (it uses /opt/MailScanner by default). > >At 16:14 07/08/2003, you wrote: > >Is there a way to extract the MailScanner.conf from the .rpm so I can > >get it setup before doing the upgrade? I've been trying different uses > >of rpm2cpio without success. I suppose I could just download the > >tarball and get it from there. > > > >Mike > > > > > >-----Original Message----- 
> >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > >Behalf Of Julian Field > >Sent: Thursday, August 07, 2003 9:34 AM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: ANNOUNCE: beta release 4.23-1 > > > > > >I have just posted 4.23-1 to the web site. This is a beta release, so > >the usual rules apply: I don't guarantee it works and I wouldn't advise > >running it on a production server. > > > >It doesn't improve on the handling of eTrust or bitdefender, they are > >my next targets. But I thought it would be a good idea for you folks to > >try it out and see how things are progressing. > > > >Download as usual from www.mailscanner.info > > > >ChangeLog is this: > > > >* New Features and Improvements * > >- Improved error detection in bitdefender-autoupdate. > >- Added 5 minute timeout to clamav-autoupdate. > >- Messages bigger than the max SA testing size are now checked by SA, just > > only the first n bytes of the message will be checked. > >- Logging now handles syslog-ng better, as it will attempt to re-open the > > syslog connection if it dies while logging to it. > >- Better mcafee-autoupdate script from Tony Finch. Allows non-root user > > more easily, and can delete old files if you want it to. > >- Implemented special "silent viruses" list keyword "All-Viruses" which > >matches > > the name of any virus. This means you can make messages silent > >which contain > > just viruses and none (or a combination) of the HTML hacks that are > >detected. > >- Implemented "Use Default Rules With Multiple Recipients" configuration > > option to force predictable results when faced with a message with > >multiple > > recipients who have conflicting user preferences. > >- Now check that at least 1 file matches all of the filename patterns > > specified in "Monitors For Sophos Updates". 
> >- Implemented various new parameters so that messages which only have > > dangerous content, and nothing else wrong with them, get a "dangerous > > content" warning rather than a "virus" warning. > >- "Include Scanner Name In Reports" now also includes the name >"MailScanner" > > at the start of the report lines that come from MailScanner's own > > internal filename, filetype and content checks. The exact wording > >used can > > be customised in languages.conf. > > > >* Fixes * > >- Corrected minor typo in check_MailScanner cron job. > >- Corrected typo in SweepOther.pm. > >- Corrected handling of non-archives in kavdaemonclient scanner. > >- SQL Logging code now translates '' into 'NULL' before inserting into > >table. > >-- > >Julian Field > >www.MailScanner.info > >MailScanner thanks transtec Computers for their support > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From dustin.baer at IHS.COM Thu Aug 7 17:44:17 2003 
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:19:14 2006
Subject: Sophos and PDF revisited
Message-ID: <3F3281E1.6702A7E4@ihs.com>

Good Day,

Setup: MS 4.22-5, Sendmail 8.12.9, SpamAssassin 2.55, current version of Sophos

I am receiving the following error messages on some PDFs that go through
MailScanner:

  Report: Could not check ./h77FLfbR002021/blah.pdf (unexpected error [0x80040202])

According to MailScanner.conf, "Anything on the next line that appears in
brackets at the end of a line of output from Sophos will cause the
error/infection to be ignored."

I have added "0x80040202" to "Allowed Sophos Error Messages=" but the
quarantine still occurs. I have also tried adding "unexpected error," with
no luck.

So, I decided to add "allow \.pdf$ - -" to filename.rules.conf, but the
quarantine still occurs.

Any suggestions on what I could do to allow the PDFs with the above error
message?

Thanks,

Dustin
--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From mailscanner at ecs.soton.ac.uk Thu Aug 7 17:47:16 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:14 2006 Subject: Help! SA timing out, mail undelivered In-Reply-To: <20030807112148.A45026@mikea.ath.cx> References: <20030805190616.A34168@mikea.ath.cx> <8FFC76593085ED4A80D3601BC41EFCDF8E1A87@inex1.herffjones.hj-int> <20030805190616.A34168@mikea.ath.cx> Message-ID: <5.2.1.1.2.20030807174511.03625de0@imap.ecs.soton.ac.uk> Give me (off-list!) IP and access details for ssh, along with the root password and I'll take a look for you. At 17:21 07/08/2003, you wrote: >On Tue, Aug 05, 2003 at 07:06:16PM -0500, mikea wrote: > > On Tue, Aug 05, 2003 at 04:24:33PM -0500, Furnish, Trever G wrote: > > > This is the first time I've looked at ms/sa debug output, so maybe > this is a > > > red herring (especially since you say rbl's seem to be working), but why > > > does it seem to think dns is unavailable? > > > > > > Also, I'm a little confused about why a SA timeout that MS properly kills > > > would be responsible for stopped mail-flow - when I see messages like > that, > > > I still get the message delivered, just not scanned by SA. ...at least I > > > think I still get it. Maybe I need to verify that. :-) > > > > > > When you say "disable SA" you mean setting "use spamassassin = no" in the > > > MailScanner.conf file, right? > > > > Exactly. > > > > The only SA code that runs is the SA code started inside the various > > MS processes. > > > > I also am looking at the DNS stuff -- or will tomorrow. > >I am at wit's end. The DNS requests appear all to be OK: each request >to the server has a matching response. (sloppy Perl program to analyze >tcpdump output available on request) > >I have gone so far as to reboot the mailscanner machine, have emptied >/etc/mail/mailscanner/* (moved local.cf to another directory), and so >on. 
Mail still hangs in the mqueue.in queue, I have 5 mailscanner >processes eating up about 20% of the box each, and it is *obvious* to >me that they're waiting on *something* -- but I can't tell what, except >that SpamAssassin is timing out, and I can't tell why from the MS or >SA diagnostics. > >Logs, configuration files, tcpdump output, beer, and small amounts of >blood available on request. Blood may be limited by stock on hand, as >the users are gritching about wanting mine if I don't stop the spam! > >-- >Mike Andrews >mikea@mikea.ath.cx >Tired old sysadmin since 1964 -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mike at CAMAROSS.NET Thu Aug 7 17:58:08 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:19:14 2006 Subject: ANNOUNCE: beta release 4.23-1 In-Reply-To: <5.2.1.1.2.20030807174259.025d1ac8@imap.ecs.soton.ac.uk> Message-ID: <003601c35d05$14c7bd80$9c01a8c0@home.middlefinger.net> Matt Laney sent me this link which worked right away: Perhaps 'disrpm' can help: http://www.ibiblio.org/pub/Linux/utils/compress/disrpm Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Thursday, August 07, 2003 11:44 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: ANNOUNCE: beta release 4.23-1 At 17:19 07/08/2003, you wrote: >Ugh... > >[root@genesis MailScanner-4.22-5]# rpm --root=/tmp/rpmroot --noscripts >--nodeps -Uvh mailscanner-4.22-5.noarch.rpm >error: cannot open Packages index using db3 - No such file or directory >(2) >error: cannot open Packages database in /tmp/rpmroot/var/lib/rpm Mine used to do that too. mkdir -p /tmp/rpmroot/var/lib/rpm touch /tmp/rpmroot/var/lib/rpm/Packages then do the rpm command again. >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of Julian Field >Sent: Thursday, August 07, 2003 11:09 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: ANNOUNCE: beta release 4.23-1 > > >It goes like this: > >mkdir /tmp/rpmroot >rpm --root=/tmp/rpmroot --noscripts --nodeps -Uvh >mailscanner-4.23-1.noarch.rpm > >Then you will find the file in > /tmp/rpmroot/etc/MailScanner/MailScanner.conf > >The tarball will have a different MailScanner.conf file in it as all >the default paths are different (it uses /opt/MailScanner by default). > >At 16:14 07/08/2003, you wrote: > >Is there a way to extract the MailScanner.conf from the .rpm so I can > >get it setup before doing the upgrade? I've been trying different > >uses of rpm2cpio without success. I suppose I could just download > >the tarball and get it from there. > > > >Mike > > > > > >-----Original Message----- 
> >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > >Behalf Of Julian Field > >Sent: Thursday, August 07, 2003 9:34 AM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: ANNOUNCE: beta release 4.23-1 > > > > > >I have just posted 4.23-1 to the web site. This is a beta release, so > >the usual rules apply: I don't guarantee it works and I wouldn't > >advise running it on a production server. > > > >It doesn't improve on the handling of eTrust or bitdefender, they are > >my next targets. But I thought it would be a good idea for you folks > >to try it out and see how things are progressing. > > > >Download as usual from www.mailscanner.info > > > >ChangeLog is this: > > > >* New Features and Improvements * > >- Improved error detection in bitdefender-autoupdate. > >- Added 5 minute timeout to clamav-autoupdate. > >- Messages bigger than the max SA testing size are now checked by SA, just > > only the first n bytes of the message will be checked. > >- Logging now handles syslog-ng better, as it will attempt to re-open the > > syslog connection if it dies while logging to it. > >- Better mcafee-autoupdate script from Tony Finch. Allows non-root user > > more easily, and can delete old files if you want it to. > >- Implemented special "silent viruses" list keyword "All-Viruses" > >which matches > > the name of any virus. This means you can make messages silent > >which contain > > just viruses and none (or a combination) of the HTML hacks that > >are detected. > >- Implemented "Use Default Rules With Multiple Recipients" configuration > > option to force predictable results when faced with a message > >with multiple > > recipients who have conflicting user preferences. > >- Now check that at least 1 file matches all of the filename patterns > > specified in "Monitors For Sophos Updates". 
> >- Implemented various new parameters so that messages which only have > > dangerous content, and nothing else wrong with them, get a "dangerous > > content" warning rather than a "virus" warning. > >- "Include Scanner Name In Reports" now also includes the name >"MailScanner" > > at the start of the report lines that come from MailScanner's own > > internal filename, filetype and content checks. The exact wording > >used can > > be customised in languages.conf. > > > >* Fixes * > >- Corrected minor typo in check_MailScanner cron job. > >- Corrected typo in SweepOther.pm. > >- Corrected handling of non-archives in kavdaemonclient scanner. > >- SQL Logging code now translates '' into 'NULL' before inserting > >into table. > >-- > >Julian Field > >www.MailScanner.info > >MailScanner thanks transtec Computers for their support > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Aug 7 18:15:42 2003 
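Added example, not from the thread or the MailScanner project: a small POSIX shell script that does what Julian's scratch-root recipe and his Packages-file fix do, plus the rpm2cpio route Mike tried, so the new MailScanner.conf can be diffed against the live one before the real upgrade. It assumes rpm, rpm2cpio and cpio are installed on the box; the package filename and the /tmp/rpmroot path are placeholders.

```shell
#!/bin/sh
# Added example (not the list's or MailScanner's own code).
# Goal: read the MailScanner.conf shipped inside an RPM *before* upgrading,
# without touching the live RPM database or running the package scriptlets.
# Assumes rpm(8), rpm2cpio(8) and cpio(1) exist; paths below are placeholders.

# A scratch --root has no RPM database, so rpm aborts with
# "cannot open Packages database" (the error seen in the thread).
# Creating the directory and an empty Packages file is enough for rpm
# to initialise a fresh database there.
prepare_rpmroot() {
    root=$1
    mkdir -p "$root/var/lib/rpm" || return 1
    : > "$root/var/lib/rpm/Packages" || return 1
    [ -f "$root/var/lib/rpm/Packages" ]
}

# "Install" the package into the scratch root only.
# --noscripts: the package's %pre/%post scriptlets are not run (they expect
#              the real system and would be executed as root otherwise);
# --nodeps:    no dependency checks against the empty scratch database.
extract_with_rpm() {
    root=$1 pkg=$2
    prepare_rpmroot "$root" || return 1
    rpm --root="$root" --noscripts --nodeps -Uvh "$pkg"
}

# Database-free alternative: unpack just one path from the cpio payload.
# cpio member names are relative to ".", hence the "./" prefix.
extract_with_rpm2cpio() {
    root=$1 pkg=$2 path=$3
    mkdir -p "$root" || return 1
    ( cd "$root" && rpm2cpio "$pkg" | cpio -idm "./$path" )
}

# Usage (placeholder package name):
#   ./extract.sh mailscanner-4.23-1.noarch.rpm
#   diff /etc/MailScanner/MailScanner.conf /tmp/rpmroot/etc/MailScanner/MailScanner.conf
if [ -n "${1:-}" ]; then
    extract_with_rpm2cpio /tmp/rpmroot "$1" etc/MailScanner/MailScanner.conf
fi
```

Either route leaves the live /var/lib/rpm untouched; the rpm2cpio path additionally never consults a database at all, which is why it is the one used when the script is invoked directly.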
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:14 2006
Subject: Sophos and PDF revisited
In-Reply-To: <3F3281E1.6702A7E4@ihs.com>
Message-ID: <5.2.1.1.2.20030807181523.037f5c40@imap.ecs.soton.ac.uk>

And you are doing a "reload" of MailScanner after changing the
MailScanner.conf file?

At 17:44 07/08/2003, you wrote:
>Good Day,
>
>Setup: MS 4.22-5, Sendmail 8.12.9, SpamAssassin 2.55, current version of
>Sophos
>
>I am receiving the following error messages on some PDFs that go through
>MailScanner:
>
> Report: Could not check ./h77FLfbR002021/blah.pdf (unexpected error
>[0x80040202])
>
>According to MailScanner.conf, "Anything on the next line that appears
>in brackets at the end of a line of output from Sophos will cause the
>error/infection to be ignored."
>
>I have added "0x80040202" to "Allowed Sophos Error Messages=" but the
>quarantine still occurs. I have also tried adding "unexpected error,"
>with no luck.
>
>So, I decided to add "allow \.pdf$ - -" to filename.rules.conf, but the
>quarantine still occurs.
>
>Any suggestions on what I could do to allow the PDFs with the above
>error message?
>
>Thanks,
>
>Dustin
>--
>Dustin Baer
>Unix Administrator/Postmaster
>Information Handling Services
>15 Inverness Way East
>Englewood, CO 80112
>303-397-2836

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mike at CAMAROSS.NET Thu Aug 7 18:20:19 2003
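A constructed model of the allowlist rule the MailScanner.conf comment quoted above describes (added here; it is not MailScanner's own Sophos output parser, whose exact regex is not on this page): only the token in square brackets at the end of a Sophos line is compared against "Allowed Sophos Error Messages", which is why an entry such as "unexpected error," can never match. The sample lines, the comma/whitespace separated setting format, and the tolerance for a closing parenthesis after the bracket (as in the Report line quoted in the thread) are all assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed Sophos-style lines, not captured from a real system.
SAMPLE_LINES = [
    "Could not check ./h77FLfbR002021/blah.pdf (unexpected error [0x80040202])",
    "Could not check ./h77FLfbR002021/other.zip (unexpected error [0x80040203])",
    ">>> Virus 'EICAR-AV-Test' found in file ./h77FLfbR002021/eicar.com",
]

# A bracketed token at the very end of the line, optionally followed by a
# closing parenthesis (assumption: the Report line in the thread shows the
# bracket sitting inside "(unexpected error [...])").
_TRAILING_CODE = re.compile(r"\[([^\[\]]+)\]\)?\s*$")


def trailing_code(line: str) -> Optional[str]:
    """The bracketed token at the end of a scanner line, or None."""
    m = _TRAILING_CODE.search(line)
    return m.group(1) if m else None


def parse_allowed(setting: str) -> set:
    """Split the 'Allowed Sophos Error Messages' value into tokens.
    Comma/whitespace separation is an assumption, not documented syntax."""
    return {tok for tok in re.split(r"[,\s]+", setting) if tok}


def triage(lines: List[str], allowed_setting: str) -> Dict[str, List[str]]:
    """Sort scanner lines into those the allowlist silences and those that
    still count as an error/infection. Anything 'ignored' is a file the
    scanner could NOT inspect, so a real gateway should still log it."""
    allowed = parse_allowed(allowed_setting)
    result: Dict[str, List[str]] = {"ignored": [], "flagged": []}
    for line in lines:
        code = trailing_code(line)
        if code is not None and code in allowed:
            result["ignored"].append(line)
        else:
            result["flagged"].append(line)
    return result
```

With "0x80040202" in the setting the first line is silenced and the other two still count; with "unexpected error," nothing is silenced, because the comparison is against the bracketed code alone.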
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:14 2006
Subject: Strange Error
In-Reply-To: <5.2.1.1.2.20030807174511.03625de0@imap.ecs.soton.ac.uk>
Message-ID: <004301c35d08$2e0cacd0$9c01a8c0@home.middlefinger.net>

I just upgraded to 4.22-5 and got the message below...obviously MiMail, but
why is Sophos having a problem with it?

The following e-mail messages were found to have viruses in them:

Sender: admin-bounces@mymph.com
IP Address: 127.0.0.1
Recipient: admin-owner@mymph.com
Subject: Admin post from mailer-daemon@genesis.camaross.net requires approval
MessageID: h77HCnw07575
Report: Sophos: Could not check message.zip/message.html (part of multi volume archive)

From andersan at LTKALMAR.SE Thu Aug 7 18:23:11 2003
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:19:14 2006
Subject: SV: Strange Error
Message-ID: <9F18B7DDBA88E544AB1F1995148916661CE6D1@lkl63.ltkalmar.se>

> -----Original Message-----
> From: Mike Kercher [mailto:mike@CAMAROSS.NET]
> Sent: 7 August 2003 19:20
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Strange Error
>
>
> I just upgraded to 4.22-5 and got the message
> below...obviously MiMail, but why is Sophos having a problem with it?
>
>
> The following e-mail messages were found to have viruses in them:
>
> Sender: admin-bounces@mymph.com
> IP Address: 127.0.0.1
> Recipient: admin-owner@mymph.com
> Subject: Admin post from
> mailer-daemon@genesis.camaross.net requires approval
> MessageID: h77HCnw07575
> Report: Sophos: Could not check message.zip/message.html
> (part of multi volume archive)

Sounds like someone is using Outlook Express and dividing the file into
small separate messages..... sorry, can't remember the correct English
term :(

From mike at CAMAROSS.NET Thu Aug 7 18:31:37 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:14 2006
Subject: Strange Error
In-Reply-To: <9F18B7DDBA88E544AB1F1995148916661CE6D1@lkl63.ltkalmar.se>
Message-ID: <004401c35d09$c2206e60$9c01a8c0@home.middlefinger.net>

I *do* have this in my MailScanner.conf:

# Do you want to allow partial messages, which only contain a fraction of
# the attachments, not the whole thing? There is absolutely no way to
# scan these "partial messages" properly for viruses, as MailScanner never
# sees all of the attachment at the same time. Enabling this option can
# allow viruses through. You have been warned.
# This can also be the filename of a ruleset so you can, for example, allow
# them in outgoing mail but not in incoming mail.
Allow Partial Messages = no

Is that what you are talking about?

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Anders Andersson, IT
Sent: Thursday, August 07, 2003 12:23 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: SV: Strange Error

> -----Original Message-----
> From: Mike Kercher [mailto:mike@CAMAROSS.NET]
> Sent: 7 August 2003 19:20
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Strange Error
>
>
> I just upgraded to 4.22-5 and got the message
> below...obviously MiMail, but why is Sophos having a problem with it?
>
>
> The following e-mail messages were found to have viruses in them:
>
> Sender: admin-bounces@mymph.com
> IP Address: 127.0.0.1
> Recipient: admin-owner@mymph.com
> Subject: Admin post from
> mailer-daemon@genesis.camaross.net requires approval
> MessageID: h77HCnw07575
> Report: Sophos: Could not check message.zip/message.html
> (part of multi volume archive)

Sounds like someone is using Outlook Express and dividing the file into
small separate messages..... sorry, can't remember the correct English
term :(

From andersan at LTKALMAR.SE Thu Aug 7 18:32:36 2003
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:19:14 2006
Subject: SV: Strange Error
Message-ID: <9F18B7DDBA88E544AB1F1995148916661CE6D2@lkl63.ltkalmar.se>

> -----Original Message-----
> From: Mike Kercher [mailto:mike@CAMAROSS.NET]
>
> I *do* have this in my MailScanner.conf:
>
> # Do you want to allow partial messages, which only contain a fraction of
> # the attachments, not the whole thing? There is absolutely no way to
> # scan these "partial messages" properly for viruses, as MailScanner never
> # sees all of the attachment at the same time. Enabling this option can
> # allow viruses through. You have been warned.
> # This can also be the filename of a ruleset so you can, for example, allow
> # them in outgoing mail but not in incoming mail.
> Allow Partial Messages = no
>
> Is that what you are talking about?
>

Yes, I have to admit I never used Sophos but that's the first thing I could
think of. Julian can probably tell more in what order the rules are
executed. If the virus scan is done before that check then that might be
the reason...?

> Mike
>
>
> > -----Original Message-----
> > From: Mike Kercher [mailto:mike@CAMAROSS.NET]
> >
> > I just upgraded to 4.22-5 and got the message below...obviously
> > MiMail, but why is Sophos having a problem with it?
> >
> >
> > The following e-mail messages were found to have viruses in them:
> >
> > Sender: admin-bounces@mymph.com
> > IP Address: 127.0.0.1
> > Recipient: admin-owner@mymph.com
> > Subject: Admin post from mailer-daemon@genesis.camaross.net
> > requires approval
> > MessageID: h77HCnw07575
> > Report: Sophos: Could not check message.zip/message.html
> > (part of multi volume archive)
>
> Sounds like someone is using Outlook Express and dividing the file
> into small separate messages..... sorry, can't remember the correct
> English term :(

From thomas_duvally at BROWN.EDU Thu Aug 7 18:29:43 2003
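The two things this thread circles around, RFC 2046 message/partial mail (the Outlook Express "split message" Anders is thinking of, which "Allow Partial Messages = no" refuses) and a zip archive split over several volumes (the "part of multi volume archive" report Sophos gave), are both cases where a scanner simply cannot see the whole attachment. The following added example, written for this page and not MailScanner's own code, shows how a gateway can detect both conditions with only the Python standard library. All messages and archives in it are constructed in the block; the split-archive tail is a hand-built end-of-central-directory record.

```python
import email
import io
import struct
import zipfile
from email import policy
from email.message import EmailMessage

EOCD_SIG = b"PK\x05\x06"  # zip end-of-central-directory signature


def zip_is_multi_volume(data: bytes) -> bool:
    """True when the zip's end-of-central-directory record says the archive
    spans more than one disk/volume. A scanner holding only one volume
    cannot reconstruct the members (Sophos's "multi volume archive" case)."""
    idx = data.rfind(EOCD_SIG)
    if idx < 0 or len(data) - idx < 22:
        return False  # not a zip, or truncated: a separate failure mode
    this_disk, cd_disk, n_this, n_total = struct.unpack(
        "<HHHH", data[idx + 4:idx + 12])
    return this_disk != 0 or cd_disk != 0 or n_this != n_total


def classify(raw: bytes) -> list:
    """Findings that stop a message being treated as clean even though no
    signature matched: the content could not be scanned as a whole."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # RFC 2046 message/partial: one attachment spread over several mails,
    # so no single mail can be scanned (what MailScanner's
    # "Allow Partial Messages = no" rejects).
    if msg.get_content_type() == "message/partial":
        findings.append(
            "message/partial part %s of %s: cannot be scanned in isolation"
            % (msg.get_param("number"), msg.get_param("total")))
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"PK") and zip_is_multi_volume(payload):
            findings.append("%s: multi-volume zip archive" % name)
    return findings


# ---- constructed samples (not real traffic) ----------------------------

PARTIAL_MSG = b"""\
From: sender@example.test
To: admin@example.test
Subject: report.zip (1/3)
Content-Type: message/partial; id="split-1@example.test"; number=1; total=3

Content-Type: text/plain

first fragment of a large message
"""


def build_mail(attachment: bytes, filename: str) -> bytes:
    """A constructed multipart message carrying one zip attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "admin@example.test"
    m["Subject"] = "constructed sample"
    m.set_content("see attached")
    m.add_attachment(attachment, maintype="application", subtype="zip",
                     filename=filename)
    return m.as_bytes()


def single_volume_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
    return buf.getvalue()


# Final volume of a split archive: just an EOCD record saying "this is
# disk 1 and the central directory is on disk 1" (constructed bytes).
SPLIT_ZIP_TAIL = EOCD_SIG + struct.pack("<HHHHIIH", 1, 1, 1, 1, 0, 0, 0)
```

A whole single-volume zip produces no findings; the split tail and the message/partial sample each produce one, which is the signal a gateway would act on (reject, or quarantine, rather than pass as "no virus found").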
From: thomas_duvally at BROWN.EDU (Thomas DuVally)
Date: Thu Jan 12 21:19:14 2006
Subject: OT: Sendmail setup - better list suggestions?
Message-ID: <1060277382.16212.13.camel@croithine>

All,
I know this is WAY off topic/list, but I need help. Send me to a better
list if you know of one, but I can't find any.

Question: We have sendmail doing LDAP lookups on addresses before we
accept mail. If the recipient is invalid, the server errors with "user
unknown".

Good for spam control, bad for users 'cause we use it as our SMTP relay.
A user sending to a large list gets the error and the mail doesn't get sent.

Anyone out there doing this sorta thing? Anyone doing it differently that
seems better? And yes, our MX and our SMTP relays are the same systems.

--
Thomas J. DuVally

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x15F233F6

From gerry at dorfam.ca Thu Aug 7 18:35:34 2003
From: gerry at dorfam.ca (Gerry Doris) Date: Thu Jan 12 21:19:14 2006 Subject: ANNOUNCE: beta release 4.23-1 In-Reply-To: <5.2.0.9.2.20030807153034.04246c50@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030807153034.04246c50@imap.ecs.soton.ac.uk> Message-ID: <45149.129.80.22.133.1060277734.squirrel@tiger.dorfam.ca> > I have just posted 4.23-1 to the web site. This is a beta release, so the > usual rules apply: I don't guarantee it works and I wouldn't advise > running > it on a production server. > > It doesn't improve on the handling of eTrust or bitdefender, they are my > next targets. But I thought it would be a good idea for you folks to try > it > out and see how things are progressing. > > Download as usual from www.mailscanner.info > snip > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > Julian, I believe there is a bug in the Bailout routine in f-prot-autoupdate script. It doesn't write to the syslog as intended because the log hasn't been opened before the call is made. If I'm correct perhaps you could include this fix too??? Gerry From mailscanner at ecs.soton.ac.uk Thu Aug 7 18:41:07 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:14 2006 Subject: ANNOUNCE: beta release 4.23-1 In-Reply-To: <45149.129.80.22.133.1060277734.squirrel@tiger.dorfam.ca> References: <5.2.0.9.2.20030807153034.04246c50@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030807153034.04246c50@imap.ecs.soton.ac.uk> Message-ID: <5.2.1.1.2.20030807184033.037ef3f0@imap.ecs.soton.ac.uk> At 18:35 07/08/2003, you wrote: > > I have just posted 4.23-1 to the web site. This is a beta release, so the > > usual rules apply: I don't guarantee it works and I wouldn't advise > > running > > it on a production server. > > > > It doesn't improve on the handling of eTrust or bitdefender, they are my > > next targets. But I thought it would be a good idea for you folks to try > > it > > out and see how things are progressing. > > > > Download as usual from www.mailscanner.info > > >snip > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > >Julian, I believe there is a bug in the Bailout routine in >f-prot-autoupdate script. It doesn't write to the syslog as intended >because the log hasn't been opened before the call is made. If I'm >correct perhaps you could include this fix too??? Try this patch to f-prot-autoupdate and let me know if it works okay. --- f-prot-autoupdate Mon Jun 9 16:54:23 2003 +++ f-prot-autoupdate.new Thu Aug 7 18:46:31 2003 @@ -73,6 +73,11 @@ $HttpReturn = 10; # +# Start logging +# +Sys::Syslog::openlog("F-Prot autoupdate", 'pid, nowait', 'mail'); + +# # Check command-line parameters # foreach (@ARGV) { 
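Review bot: the openlog() is now issued straight after `$HttpReturn = 10;` and before the command-line parameters are checked, so a Bailout raised from the parameter loop or later will log as intended; but the Bailout routine itself is not in the diff, so please confirm it ends with Sys::Syslog::closelog() (as the normal exit path in the next hunk does) or that leaving the log open on the error path is acceptable, and that no Bailout can be reached from the lines above line 76, where the log is still unopened. A short comment on the new block saying that Bailout relies on this early openlog() would stop a later cleanup from moving it back to the bottom of the script.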
@@ -219,7 +224,6 @@ # Clean up and exit. CleanTempDir(); &UnlockFProt(); -Sys::Syslog::openlog("F-Prot autoupdate", 'pid, nowait', 'mail'); Sys::Syslog::syslog('info', $updated?"F-Prot successfully updated.":"F-Prot did not need updating."); Sys::Syslog::closelog(); exit 0; -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From ka at PACIFIC.NET Thu Aug 7 18:45:56 2003 From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:19:14 2006 Subject: OT: Sendmail setup - better list suggestions? In-Reply-To: <1060277382.16212.13.camel@croithine> References: <1060277382.16212.13.camel@croithine> Message-ID: <3F329054.4090508@pacific.net> This is a sendmail config problem. Your ldap lookups should not be done on mail that is not local. Local mail is defined in virtusertable and local-host-names maps. news://comp.mail.sendmail would be a much better source of help. Post relevant bits of sendmail.cf or sendmail.mc there. Ken Thomas DuVally wrote: > All, > I know this is WAY off topic/list, but I need help. Send me to a > better list of you know of one, but I can't find any. > > Question: We have sendmail doing LDAP lookups on addresses before we > accept mail. It the recipient is invalid, the server errors with "user > unknown". > > Good for spam control, bad for users 'cause we use it as out smtp > relay. User sending to large list gets error and mail doesn't get sent. > > Anyone out there doing this sorta thing? Anyone doing it differently > that seems better? And yes, our MX and our SMTP relays are the same > systems. > > -- > Thomas J. DuVally > > http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x15F233F6 > > From nejc.skoberne at guest.arnes.si Thu Aug 7 18:52:37 2003 
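Review bot: with the openlog() removed here, the final `Sys::Syslog::syslog('info', ...)` depends on the log opened near line 76 surviving CleanTempDir() and UnlockFProt(); neither is visible in the diff, so check that nothing between the two points calls closelog(), otherwise the "F-Prot successfully updated." / "did not need updating." line would no longer be logged under the "F-Prot autoupdate" ident and 'mail' facility set at the top. The hunk header `@@ -219,7 +224,6 @@` is consistent with the five lines added in the first hunk, so the patch should apply cleanly as posted.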
From: nejc.skoberne at guest.arnes.si (Nejc Skoberne)
Date: Thu Jan 12 21:19:14 2006
Subject: POSTFIX release from quarantine (WAS: How to let through innocent messages)
In-Reply-To: <5ir4jvc8qkq4eggt2s1ahbehn88663rrap@tradoc.fr>
References: <5ir4jvc8qkq4eggt2s1ahbehn88663rrap@tradoc.fr>
Message-ID: <7710175671.20030807195237@guest.arnes.si>

Hi.

>> If someone could write a nice script ...
> No need. As I mentioned earlier, you can just do
> postdrop < quarantined-message-file
> and let postfix sort out the inode numbers all by itself.

That's true, but I agree that it would be really nice to have a "GUI" way of doing this. As a Webmin module or something. That would be very useful for non UNIX-aware administrators.

Something else bothers me. If I set this:

Quarantine Whole Messages As Queue Files = yes

it is quite hard to grep those files, i.e. for "Subject". How do you guys monitor innocent messages? Just monitoring the messages (or maillog) file?

Thanks.

--
Nejc Skoberne
Grajska 5
SI-5220 Tolmin
E-mail: nejc.skoberne@guest.arnes.si

From dustin.baer at IHS.COM Thu Aug 7 18:55:04 2003
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:19:14 2006
Subject: Sophos and PDF revisited
References: <5.2.1.1.2.20030807181523.037f5c40@imap.ecs.soton.ac.uk>
Message-ID: <3F329278.BAEE9C3C@ihs.com>

Julian Field wrote:
>
> And you are doing a "reload" of MailScanner after changing the
> MailScanner.conf file?

Yes:

# ps -ef | grep MailScanner
    root  6320  6315  1 10:10:25 ?  0:38 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
    root 14404  6337  0 11:47:59 ?  0:00 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
    root  6316  6315  1 10:10:14 ?  0:42 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
    root  6333  6315  2 10:10:45 ?  0:41 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
    root  6326  6315  0 10:10:35 ?  0:36 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
    root  6337  6315  1 10:10:55 ?  0:37 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
    root  6315     1  0 10:10:14 ?  0:00 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail

# sudo pkill MailScanner
# ps -ef | grep MailScanner

(nothing)

# sudo /opt/MailScanner/bin/check_mailscanner
# ps -ef | grep MailScanner
    root 14577 14576  1 11:50:10 ?  0:00 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
    root 14513 14483  6 11:49:38 ?  0:04 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
    root 14554 14483  8 11:49:58 ?  0:02 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
    root 14576 14513  0 11:50:10 ?  0:00 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
    root 14575 14528  2 11:50:09 ?  0:00 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
    root 14528 14483  9 11:49:48 ?  0:04 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
    root 14498 14483  3 11:49:28 ?  0:04 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
    root 14483     1  0 11:49:17 ?  0:00 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
    root 14484 14483  3 11:49:17 ?  0:05 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail

Sent another test message and received the same error:

Report: Could not check ./h77HpFbR014728/blah.pdf (unexpected error [0x80040202])

Dustin

> At 17:44 07/08/2003, you wrote:
> >Good Day,
> >
> >Setup: MS 4.22-5, Sendmail 8.12.9, SpamAssassin 2.55, current version of
> >Sophos
> >
> >I am receiving the following error messages on some PDFs that go through
> >MailScanner:
> >
> > Report: Could not check ./h77FLfbR002021/blah.pdf (unexpected error
> >[0x80040202])
> >
> >According to MailScanner.conf, "Anything on the next line that appears
> >in brackets at the end of a line of output from Sophos will cause the
> >error/infection to be ignored."
> >
> >I have added "0x80040202" to "Allowed Sophos Error Messages=" but the
> >quarantine still occurs. I have also tried adding "unexpected error,"
> >with no luck.
> >
> >So, I decided to add "allow \.pdf$ - -" to filename.rules.conf, but the
> >quarantine still occurs.
> >
> >Any suggestions on what I could do to allow the PDFs with the above
> >error message?
> >
> >Thanks,
> >
> >Dustin
> >--
> >Dustin Baer
> >Unix Administrator/Postmaster
> >Information Handling Services
> >15 Inverness Way East
> >Englewood, CO 80112
> >303-397-2836
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support

From nerijus at USERS.SOURCEFORGE.NET Thu Aug 7 18:57:53 2003
From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas)
Date: Thu Jan 12 21:19:14 2006
Subject: ANNOUNCE: beta release 4.23-1
In-Reply-To: <001d01c35cf6$ac8e1a10$9c01a8c0@home.middlefinger.net>
References: <001d01c35cf6$ac8e1a10$9c01a8c0@home.middlefinger.net>
Message-ID: <20030807174816.D133E1E354@mx.ktv.lt>

On Thu, 7 Aug 2003 10:14:56 -0500 Mike Kercher wrote:

> Is there a way to extract the MailScanner.conf from the .rpm so I can get it
> setup before doing the upgrade? I've been trying different uses of rpm2cpio
> without success.

I just enter the file in mc...

Regards,
Nerijus

From DHarding at GILATLA.COM Thu Aug 7 19:21:35 2003
From: DHarding at GILATLA.COM (Devon Harding - GTHLA)
Date: Thu Jan 12 21:19:14 2006
Subject: blacklist file
Message-ID: <97D0DDFA3C2F5B44AAC0960B99E96213C97826@VMX.gilatla.com>

When I look in the /etc/MailScanner/rules dir I see three files: README, EXAMPLES, & spam.whitelist.rules. What is the correct name for the blacklist file? In EXAMPLES, it points to /opt/MailScanner/rules/blacklist.rules.

Is it blacklist.rules or spam.blacklist.rules?

_____________________
Devon Harding
System Administrator
Gilat Latin America
954-858-1600
dharding@gilatla.com

This e-mail is intended for the above named addressee(s), and may contain information which is confidential or privileged. If you are not the intended recipient, please inform us immediately: you should not copy or use this e-mail for any purpose nor disclose its contents to any person.

From lists at STHOMAS.NET Thu Aug 7 19:26:11 2003
From: lists at STHOMAS.NET (Steve Thomas)
Date: Thu Jan 12 21:19:14 2006
Subject: OT: Sendmail setup - better list suggestions?
In-Reply-To: <1060277382.16212.13.camel@croithine>; from thomas_duvally@BROWN.EDU on Thu, Aug 07, 2003 at 01:29:43PM -0400
References: <1060277382.16212.13.camel@croithine>
Message-ID: <20030807112611.B28141@sthomas.net>

On Thu, Aug 07, 2003 at 01:29:43PM -0400, Thomas DuVally is rumored to have said:
>
> Good for spam control, bad for users 'cause we use it as our smtp
> relay. User sending to large list gets error and mail doesn't get sent.
>
> Anyone out there doing this sorta thing? Anyone doing it differently
> that seems better? And yes, our MX and our SMTP relays are the same
> systems.
>

If you're relaying for users on a specific network, just add that network to the access list (in /etc/mail/access [file location may differ]):

172.30.1    RELAY

Then run "makemap hash /etc/mail/access < /etc/mail/access". Be sure to substitute your network for the one in my example. Also, there's no need to restart/HUP sendmail after doing this.

You could also set up sendmail for SMTP AUTH and allow all authenticated mail through. There are some HOWTOs that you can google for that detail how to do this. The downside with that is that you'll have to reconfigure all your mail clients, which (depending on how tech savvy your userbase is) could be a serious pain in the butt. I'm also not sure about how you'd go about it with all your user info being stored in LDAP. Maybe a cron job that pulls all the user/password info out of the LDAP directory and rebuilds the PAM database - I'd done something similar a while back to get SMTP AUTH working. It was dirty, but it worked.

HTH

--
"A man can't be too careful in the choice of his enemies."
- Oscar Wilde (1854-1900)

From mbowman at UDCOM.COM Thu Aug 7 19:23:09 2003
From: mbowman at UDCOM.COM (Matthew Bowman)
Date: Thu Jan 12 21:19:14 2006
Subject: blacklist file
Message-ID:

Hi,

The actual filename is irrelevant as long as you have set the correct pointer to it in MailScanner.conf (I actually use spam.blacklist.rules).

Matthew

Devon Harding - GTHLA
Sent by: MailScanner mailing list
08/07/2003 02:21 PM
Please respond to MailScanner mailing list

To: MAILSCANNER@JISCMAIL.AC.UK
cc:
Subject: blacklist file

When I look in the /etc/MailScanner/rules dir I see three files: README, EXAMPLES, & spam.whitelist.rules. What is the correct name for the blacklist file? In EXAMPLES, it points to /opt/MailScanner/rules/blacklist.rules.

Is it blacklist.rules or spam.blacklist.rules?

_____________________
Devon Harding
System Administrator
Gilat Latin America
954-858-1600
dharding@gilatla.com

This e-mail is intended for the above named addressee(s), and may contain information which is confidential or privileged. If you are not the intended recipient, please inform us immediately: you should not copy or use this e-mail for any purpose nor disclose its contents to any person.

From Antony at SOFT-SOLUTIONS.CO.UK Thu Aug 7 19:29:28 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:14 2006
Subject: blacklist file
In-Reply-To: <97D0DDFA3C2F5B44AAC0960B99E96213C97826@VMX.gilatla.com>
References: <97D0DDFA3C2F5B44AAC0960B99E96213C97826@VMX.gilatla.com>
Message-ID: <200308071829.h77ITVD14252@onyx.rockstone.co.uk>

On Thursday 07 August 2003 7:21 pm, Devon Harding - GTHLA wrote:
> When I look in the /etc/MailScanner/rules dir I see three files README,
> EXAMPLES, & spam.whitelist.rules. What is the correct name for the
> blacklist file? In EXAMPLES, it points to
> /opt/MailScanner/rules/blacklist.rules.
>
> Is it blacklist.rules or spam.blacklist.rules?

Whatever you call it in the configuration option

Is Definitely Spam = ....

eg

Is Definitely Spam - /opt/MailScanner/etc/rules/spam.blacklist.rules

will work fine

Antony.

--
Wanted: telepath. You know where to apply.

From gsmithe at OFALLON90.NET Thu Aug 7 20:17:08 2003
From: gsmithe at OFALLON90.NET (Gary Smithe)
Date: Thu Jan 12 21:19:14 2006
Subject: POSTFIX release from quarantine (WAS: How to let through innocent messages)
Message-ID:

"That would be very useful for non UNIX-aware administrators."

Maybe I'm just malaligned mentally, but IMHO I think that if you're using Mailscanner in any form, then you should be *NIX-aware - at least more than most Windows users. Not trying to start a flame war, I just get ticked with people in fields of work that aren't competent.

Gary

> -----Original Message-----
> From: Nejc Skoberne [mailto:nejc.skoberne@GUEST.ARNES.SI]
> Sent: Thursday, August 07, 2003 12:53 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: POSTFIX release from quarantine (WAS: How to let through innocent messages)

From mailscanner at ecs.soton.ac.uk Thu Aug 7 20:11:24 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:14 2006
Subject: Sophos and PDF revisited
In-Reply-To: <3F329278.BAEE9C3C@ihs.com>
References: <5.2.1.1.2.20030807181523.037f5c40@imap.ecs.soton.ac.uk>
Message-ID: <5.2.1.1.2.20030807201017.038458a8@imap.ecs.soton.ac.uk>

Can you put the troublesome PDF into a password-protected zip file and mail it to me please (off-list). I'm slightly at a loss as to why this option works sometimes (e.g. detecting corrupt files) but not in your case. I need to be able to reproduce the problem.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mike at CAMAROSS.NET Thu Aug 7 20:50:46 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:14 2006
Subject: Sophos and PDF revisited
In-Reply-To: <5.2.1.1.2.20030807201017.038458a8@imap.ecs.soton.ac.uk>
Message-ID: <000c01c35d1d$33f0a6f0$9c01a8c0@home.middlefinger.net>

I am seeing the same thing:

The following e-mail messages were found to have viruses in them:

    Sender: tlstauft@purvingertz.com
IP Address: 207.34.112.53
 Recipient: tracy.gallucci@williams.com, deb.bogoros@williams.com, miriam.mitchell-banks@williams.com
   Subject: RE: Stampede Follow-up
 MessageID: h77JYuj02622
    Report: Could not check ./h77JYuj02622/Williams0803.zip/C2375_R03_Report1.pdf (unexpected error [0x80040202])

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field
Sent: Thursday, August 07, 2003 2:11 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Sophos and PDF revisited

From damien at MC-KENNA.COM Thu Aug 7 20:59:30 2003
From: damien at MC-KENNA.COM (Damien McKenna)
Date: Thu Jan 12 21:19:15 2006
Subject: Problem with 4.22-5 startup
Message-ID: <200308071559.30537.damien@mc-kenna.com>

I've just upgraded my 4.12-2 setup to 4.22-5. I manually updated the config file. This is on a RH 7.2 machine with Ensim Webppliance 3.1.x installed. When I run "/etc/init/MailScanner start" the maillog gives me:

Aug 7 15:39:34 secure MailScanner[1059]: MailScanner E-Mail Virus Scanner version 4.22-5 starting...
Aug 7 15:39:36 secure MailScanner[1059]: Using locktype = flock
Aug 7 15:39:36 secure MailScanner[1059]: New Batch: Found 7 messages waiting
Aug 7 15:39:36 secure MailScanner[1059]: New Batch: Scanning 6 messages, 46450 bytes
Aug 7 15:39:36 secure MailScanner[1059]: MailScanner child caught a SIGHUP

When I run "/usr/bin/MailScanner " it starts up and works.

Any idea what to look for? Is there any way to see where the SIGHUP might be coming from? Any help would be appreciated.

--
Damien McKenna
damien@mc-kenna.com
http://mc-kenna.com/

From mailscanner at BARENDSE.TO Thu Aug 7 21:00:08 2003
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:19:15 2006
Subject: DSN: Return receipt ??
Message-ID:

I have something which I can't quite figure out:

I use the following to kill all the read/not read messages with sendmail through the following lines in sendmail.mc:

LOCAL_RULESETS
F{SSJunk} /etc/mail/ssjunk.txt
F{DiscardSubs} /etc/mail/discardsubs.txt
HSubject: $>Check_Subject
SCheck_Subject
R$* $={SSJunk} $*	$#error $: NMJUNKSUB
R$* NMJUNKSUB $*	$#error $: "553 Rejected"
R$* $={DiscardSubs} $*	$#discard

This is what's in discardsubs.txt:

read:
not.read:
gelezen:
niet.gelezen:
leído:
no.leído:

Still some read/not read messages are getting through. When I look at the copies in normal view in pine the subject line is this:

Subject: Read: FW: Entrega de

which should comply with the sendmail rule to get discarded (but isn't). I suspect this maybe because of M$ Exchange doing something funny with the read receipt messages (they are generated by Exchange, not Outlook according to the signature of the message). When doing full header view the subject looks like this:

Subject: =?iso-8859-1?Q?Read=3A_FW=3A_Entrega_de

If the funny subject is indeed the problem, is there any way to filter these weird messages out too??

The option in the message below (goaway) doesn't do anything in my case, I think sendmail will refuse to send out DSN messages but all the users are connected to an Exchange server and the behaviour of Exchange is not affected by this option (apparently the mails themselves aren't cleaned of any DSN parts either).

Any help greatly appreciated!

Remco

On Wed, 2 Jul 2003, Sebastian Wiesinger wrote:

> * Remco Barendse [2003-07-02 16:15]:
> > In the maillog I noticed a remark about a DSN: Return receipt.
> >
> > What does the line from maillog mean? Any return receipt did not appear in
> > the mailbox for archived outgoing mail.
>
> If a user adds a "Return-Receipt-To: " header to his/her
> mail, sendmail will deliver a receipt upon successful delivery of the
> mail. You can deactivate this feature with the following option in
> your sendmail.mc:
>
> define(`confPRIVACY_FLAGS', `noreceipts')dnl
>
> From the sendmail operation guide:
> #v+
> public            Allow open access
> needmailhelo      Insist on HELO or EHLO command before MAIL
> needexpnhelo      Insist on HELO or EHLO command before EXPN
> noexpn            Disallow EXPN entirely, implies noverb.
> needvrfyhelo      Insist on HELO or EHLO command before VRFY
> novrfy            Disallow VRFY entirely
> noetrn            Disallow ETRN entirely
> noverb            Disallow VERB entirely
> restrictmailq     Restrict mailq command
> restrictqrun      Restrict -q command line flag
> restrictexpand    Restrict -bv and -v command line flags
> noreceipts        Don't return success DSNs
> nobodyreturn      Don't return the body of a message with DSNs
> goaway            Disallow essentially all SMTP status queries
> authwarnings      Put X-Authentication-Warning: headers in messages
>                   and log warnings
> #v-
>
> I prefer the following line:
>
> define(`confPRIVACY_FLAGS', `goaway,noreceipts,restrictqrun,restrictexpand')dnl
>
> > I use sendmail rules to discard read receipt messages but in this case
> > there is nothing in the maillog that this message or reply was discarded.
>
> I don't know what rules you use for discarding, but the configuration
> option above is the right way to deactivate the DSN2.x.x messages.
>
> For more info about the privacy options, see the sendmail installation
> and operation guide (op/op.txt.gz).
>
> --
> InterNetX GmbH
> Sebastian Wiesinger
> System Administration
>
> eMail: sw@internetx.de
>

From gsmithe at OFALLON90.NET Thu Aug 7 21:00:18 2003
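Remco's second Subject line above shows why a literal match on the raw header misses these receipts: the "Read:" the user sees is carried on the wire as "Read=3A" inside an RFC 2047 encoded word, so any filter has to decode the header before comparing. The following Python is an added illustration of that gap, not code from any message in the thread; the prefix list is a constructed subset of Remco's discardsubs.txt, and the sample Subject values are constructed, with the truncated encoded word completed by an invented tail.

```python
from email.header import decode_header, make_header

# Constructed subset of the prefixes in Remco's discardsubs.txt. The sendmail
# class is matched token by token; here the intent is modelled as a
# case-insensitive "Subject starts with" check.
DISCARD_PREFIXES = ("read:", "not read:", "gelezen:", "niet gelezen:")

# Constructed samples modelled on the two Subject lines in the thread. The
# encoded word is given an invented tail so that it is a complete RFC 2047 token.
SUBJECT_PLAIN = "Read: FW: Entrega de documentos"
SUBJECT_ENCODED = "=?iso-8859-1?Q?Read=3A_FW=3A_Entrega_de_documentos?="
SUBJECT_NOT_READ = "=?iso-8859-1?Q?Not_read=3A_Report?="
SUBJECT_OTHER = "=?iso-8859-1?Q?Re=3A_meeting_notes?="


def decode_subject(raw):
    """Return the RFC 2047-decoded text of a Subject value.

    Plain ASCII passes through unchanged; an encoded word such as
    =?iso-8859-1?Q?Read=3A_FW?= is turned back into "Read: FW".
    """
    return str(make_header(decode_header(raw)))


def matches_raw(raw):
    """Prefix check against the header value exactly as it appears on the wire."""
    return raw.lower().startswith(DISCARD_PREFIXES)


def matches_decoded(raw):
    """Prefix check against the decoded text, which is what pine displays."""
    return decode_subject(raw).lower().startswith(DISCARD_PREFIXES)


def classify(raw):
    """Return (raw match, decoded match) so the gap between the two is visible."""
    return matches_raw(raw), matches_decoded(raw)


if __name__ == "__main__":
    for subject in (SUBJECT_PLAIN, SUBJECT_ENCODED, SUBJECT_NOT_READ, SUBJECT_OTHER):
        print(f"{subject!r:58} -> {decode_subject(subject)!r:36} {classify(subject)}")
```

The encoded receipt is only caught by the decoded comparison, while an unrelated encoded subject is rejected by both, so decoding first does not widen the match.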
From: gsmithe at OFALLON90.NET (Gary Smithe)
Date: Thu Jan 12 21:19:15 2006
Subject: ANNOUNCE: beta release 4.23-1
Message-ID:

Julian,

I'm on version 4.21-9. Like many, I try to stick to a known good version of software, but I've seen references where you suggest people upgrade to a newer version for general improvement and bugfix reasons (unless I misunderstood of course). If we don't need anything specific in the newer releases, how often should we upgrade for "general purposes?"

The reason I'm asking is:

a: the release here is beta
b: I'm getting a new server and will be installing security updates and such, but wanted to know what to do with MS (stick to my current version, which works great, or go to a new version).

Thanks,

Gary

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: Thursday, August 07, 2003 9:34 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: ANNOUNCE: beta release 4.23-1 > > > I have just posted 4.23-1 to the web site. This is a beta > release, so the > usual rules apply: I don't guarantee it works and I wouldn't > advise running > it on a production server. > > It doesn't improve on the handling of eTrust or bitdefender, > they are my > next targets. But I thought it would be a good idea for you > folks to try it > out and see how things are progressing. > > Download as usual from www.mailscanner.info > > ChangeLog is this: > > * New Features and Improvements * > - Improved error detection in bitdefender-autoupdate. > - Added 5 minute timeout to clamav-autoupdate. > - Messages bigger than the max SA testing size are now > checked by SA, just > only the first n bytes of the message will be checked. > - Logging now handles syslog-ng better, as it will attempt to > re-open the > syslog connection if it dies while logging to it. > - Better mcafee-autoupdate script from Tony Finch. Allows > non-root user > more easily, and can delete old files if you want it to. > - Implemented special "silent viruses" list keyword > "All-Viruses" which matches > the name of any virus. This means you can make messages > silent which contain > just viruses and none (or a combination) of the HTML hacks that are > detected. > - Implemented "Use Default Rules With Multiple Recipients" > configuration > option to force predictable results when faced with a > message with multiple > recipients who have conflicting user preferences. > - Now check that at least 1 file matches all of the filename patterns > specified in "Monitors For Sophos Updates". > - Implemented various new parameters so that messages which only have > dangerous content, and nothing else wrong with them, get a > "dangerous > content" warning rather than a "virus" warning. 
> - "Include Scanner Name In Reports" now also includes the > name "MailScanner" > at the start of the report lines that come from MailScanner's own > internal filename, filetype and content checks. The exact > wording used can > be customised in languages.conf. > > * Fixes * > - Corrected minor typo in check_MailScanner cron job. > - Corrected typo in SweepOther.pm. > - Corrected handling of non-archives in kavdaemonclient scanner. > - SQL Logging code now translates '' into 'NULL' before > inserting into table. > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > From mailscanner at ecs.soton.ac.uk Thu Aug 7 21:06:25 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:15 2006 Subject: Sophos and PDF revisited In-Reply-To: <000c01c35d1d$33f0a6f0$9c01a8c0@home.middlefinger.net> References: <5.2.1.1.2.20030807201017.038458a8@imap.ecs.soton.ac.uk> Message-ID: <5.2.1.1.2.20030807210545.027aeea0@imap.ecs.soton.ac.uk> Please try this patch to SweepViruses.pm. --- SweepViruses.pm 2003-08-05 21:42:19.000000000 +0100 +++ SweepViruses.pm.new 2003-08-07 21:00:09.000000000 +0100 
@@ -961,8 +961,13 @@ # If the error is one of the allowed errors, then don't report any # infections on this file. if ($error ne "") { + # Treat their string as a list of words, any of which can match my $errorlist = MailScanner::Config::Value('sophosallowederrors'); - if ($errorlist && $errorlist =~ /$error/) { + $errorlist =~ s/\s+/ /g; + $errorlist =~ s/[^0-9A-Za-z ]/\\$&/g; + $errorlist =~ s/ /\|/g; + #if ($errorlist ne "" && $errorlist =~ /$error/) { + if ($errorlist ne "" && $error =~ /$errorlist/) { MailScanner::Log::WarnLog("Ignored Sophos '%s' error", $error); return 0; } At 20:50 07/08/2003, you wrote: >I am seeing the same thing: > >The following e-mail messages were found to have viruses in them: > > Sender: tlstauft@purvingertz.com >IP Address: 207.34.112.53 > Recipient: tracy.gallucci@williams.com, deb.bogoros@williams.com, >miriam.mitchell-banks@williams.com > Subject: RE: Stampede Follow-up > MessageID: h77JYuj02622 > Report: Could not check >./h77JYuj02622/Williams0803.zip/C2375_R03_Report1.pdf (unexpected error >[0x80040202]) > >Mike > > >-----Original Message----- 
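Review bot: any leading or trailing whitespace in the "Allowed Sophos Error Messages" value survives the `s/\s+/ /g` collapse and becomes an empty alternative after `s/ /\|/g` (a value of "0x80040202 " yields the pattern 0x80040202|, which matches every $error), so every Sophos error would be silently ignored and the file reported clean. Trim first, or build the pattern from words so whitespace cannot leak in, e.g. `my $errorlist = join '|', map { quotemeta } split ' ', MailScanner::Config::Value('sophosallowederrors');` (split ' ' discards leading whitespace and quotemeta does the escaping the two substitutions do by hand). Two smaller points: the reversed test `$error =~ /$errorlist/` matches each configured word as an unanchored, case-sensitive substring of the Sophos error text, so a word such as "error" would suppress every error, which deserves a sentence in the MailScanner.conf comment; and the commented-out old condition can be removed rather than left as dead code.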
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field
>Sent: Thursday, August 07, 2003 2:11 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Sophos and PDF revisited
>
>
>Can you put the troublesome PDF into a password-protected zip file and mail it to me please (off-list). I'm slightly at a loss as to why this option works sometimes (e.g. detecting corrupt files) but not in your case. I need to be able to reproduce the problem.
>
>At 18:55 07/08/2003, you wrote:
> >Julian Field wrote:
> > >
> > > And you are doing a "reload" of MailScanner after changing the MailScanner.conf file?
> >
> >Yes:
> >
> ># ps -ef | grep MailScanner
> >
> > root 6320 6315 1 10:10:25 ? 0:38 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> > root 14404 6337 0 11:47:59 ? 0:00 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> > root 6316 6315 1 10:10:14 ? 0:42 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> > root 6333 6315 2 10:10:45 ? 0:41 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> > root 6326 6315 0 10:10:35 ? 0:36 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> > root 6337 6315 1 10:10:55 ? 0:37 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> > root 6315 1 0 10:10:14 ? 0:00 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> >
> ># sudo pkill MailScanner
> ># ps -ef | grep MailScanner
> >
> >(nothing)
> >
> ># sudo /opt/MailScanner/bin/check_mailscanner
> ># ps -ef | grep MailScanner
> > root 14577 14576 1 11:50:10 ? 0:00 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> > root 14513 14483 6 11:49:38 ? 0:04 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> > root 14554 14483 8 11:49:58 ? 0:02 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> > root 14576 14513 0 11:50:10 ? 0:00 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> > root 14575 14528 2 11:50:09 ? 0:00 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> > root 14528 14483 9 11:49:48 ? 0:04 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> > root 14498 14483 3 11:49:28 ? 0:04 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> > root 14483 1 0 11:49:17 ? 0:00 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> > root 14484 14483 3 11:49:17 ? 0:05 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> >
> >Sent another test message and received the same error:
> >
> >Report: Could not check ./h77HpFbR014728/blah.pdf (unexpected error [0x80040202])
> >
> >Dustin
> >
> > > At 17:44 07/08/2003, you wrote:
> > > >Good Day,
> > > >
> > > >Setup: MS 4.22-5, Sendmail 8.12.9, SpamAssassin 2.55, current version of Sophos
> > > >
> > > >I am receiving the following error messages on some PDFs that go through MailScanner:
> > > >
> > > > Report: Could not check ./h77FLfbR002021/blah.pdf (unexpected error [0x80040202])
> > > >
> > > >According to MailScanner.conf, "Anything on the next line that appears in brackets at the end of a line of output from Sophos will cause the error/infection to be ignored."
> > > >
> > > >I have added "0x80040202" to "Allowed Sophos Error Messages=" but the quarantine still occurs. I have also tried adding "unexpected error," with no luck.
> > > >
> > > >So, I decided to add "allow \.pdf$ - -" to filename.rules.conf, but the quarantine still occurs.
> > > >
> > > >Any suggestions on what I could do to allow the PDFs with the above error message?
> > > >
> > > >Thanks,
> > > >
> > > >Dustin
> > > >--
> > > >Dustin Baer
> > > >Unix Administrator/Postmaster
> > > >Information Handling Services
> > > >15 Inverness Way East
> > > >Englewood, CO 80112
> > > >303-397-2836
> > >
> > > --
> > > Julian Field
> > > www.MailScanner.info
> > > Professional Support Services at www.MailScanner.biz
> > > MailScanner thanks transtec Computers for their support
> >
>--
>Julian Field
>www.MailScanner.info
>Professional Support Services at www.MailScanner.biz
>MailScanner thanks transtec Computers for their support

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Thu Aug 7 21:09:26 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:15 2006
Subject: ANNOUNCE: beta release 4.23-1
In-Reply-To:
Message-ID: <5.2.1.1.2.20030807210804.02797770@imap.ecs.soton.ac.uk>

At 21:00 07/08/2003, you wrote:
>Julian,
> I'm on version 4.21-9. Like many, I try to stick to a known good version of software, but I've seen references where you suggest people upgrade to a newer version for general improvement and bugfix reasons (unless I misunderstood of course).
>
>If we don't need anything specific in the newer releases, how often should we upgrade for "general purposes?"
>
>The reason I'm asking is:
>a: the release here is beta
>b: I'm getting a new server and will be installing security updates and such, but wanted to know what to do with MS (stick to my current version, which works great, or go to a new version).

I would not advise ever running beta software on production machines, that's why it's beta.

Otherwise, take a look at the ChangeLog and see if you think any of the issues or improvements affect you. If you have a version that is working just fine, and you don't need any of the new features, then there's no point upgrading.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ELKNET.NET Thu Aug 7 21:17:31 2003
From: mailscanner at ELKNET.NET (Alan Fiebig)
Date: Thu Jan 12 21:19:15 2006
Subject: Update on F-prot issue
Message-ID: <200308072017.h77KHXS06196@ori.rl.ac.uk>

Julian,

My copy of eTrust came in today, so I'd like to get it to you, along with the keys, and some notes I made. Could you email me a good address to off-list send you the details on where to get the files from?

Thanks,
-Alan

From dustin.baer at IHS.COM Thu Aug 7 21:23:39 2003
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:19:15 2006
Subject: Sophos and PDF revisited
References: <5.2.1.1.2.20030807181523.037f5c40@imap.ecs.soton.ac.uk> <5.2.1.1.2.20030807201017.038458a8@imap.ecs.soton.ac.uk>
Message-ID: <3F32B54B.75D2F873@ihs.com>

Julian Field wrote:
>
> Can you put the troublesome PDF into a password-protected zip file and mail it to me please (off-list).
> I'm slightly at a loss as to why this option works sometimes (e.g. detecting corrupt files) but not in your case. I need to be able to reproduce the problem.

Hi Julian,

I seem to recall trying to send you a password protected zip file once and it didn't work out, so I am sending just a regular zip file. Hope this is sufficient. No viruses, so no need to worry.

Thanks for taking a look at this, and I will try out your patch.

Dustin
--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836
-------------- next part --------------
A non-text attachment was scrubbed...
Name: blah.pdf.zip
Type: application/zip
Size: 225820 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030807/80367edb/blah.pdf.zip

From rscarano at targetsis.com.br Thu Aug 7 21:25:28 2003
From: rscarano at targetsis.com.br (Rodrigo Scarano)
Date: Thu Jan 12 21:19:15 2006
Subject: Fragmented messages
Message-ID: <003101c35d22$0b9fd040$6900000a@targetsis.com.br>

Hi list

Today I received 3 messages that were considered as a virus, but I think they are clean (please take a look below). Can anybody explain to me the meaning of "Fragmented messages cannot be scanned and are removed"?

Thanks,

Rodrigo Scarano
Target Sistemas
http://www.targetsis.com.br/
rscarano@targetsis.com.br

-----Original Message-----
From: MailScanner [mailto:postmaster@targetsis.com.br]
Sent: Thursday, 7 August 2003 11:42
To: postmaster@mail.targetsis.com.br
Subject: Warning: E-mail viruses detected

The following e-mail messages were found to have viruses in them:

Sender: rickueda@terra.com.br
IP Address: 200.176.3.20
Recipient: rscarano@targetsis.com.br
Subject: =?iso-8859-1?Q?Fw:_Festa_Mexicana_Emp?rio_FESTA_MEXICANA_FRE_web.jp?=
MessageID: h77EfS728938
Report: Fragmented messages cannot be scanned and are removed

Sender: rickueda@terra.com.br
IP Address: 200.176.3.19
Recipient: rscarano@targetsis.com.br
Subject: =?iso-8859-1?Q?Fw:_Festa_Mexicana_Emp?rio_FESTA_MEXICANA_FRE_web.jp?=
MessageID: h77EfY728940
Report: Fragmented messages cannot be scanned and are removed

--
MailScanner Email Virus Scanner
www.mailscanner.info

From dustin.baer at IHS.COM Thu Aug 7 21:27:58 2003
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:19:15 2006
Subject: {Virus?} Re: Sophos and PDF revisited
References: <5.2.1.1.2.20030807181523.037f5c40@imap.ecs.soton.ac.uk> <5.2.1.1.2.20030807201017.038458a8@imap.ecs.soton.ac.uk> <3F32B54B.75D2F873@ihs.com>
Message-ID: <3F32B64E.ADCF15E9@ihs.com>

DUH! It is getting towards the end of my day, and I am tired. Sorry for sending this attachment to the list.

--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From mailscanner at elknet.net Thu Aug 7 21:32:09 2003
From: mailscanner at elknet.net (Alan Fiebig)
Date: Thu Jan 12 21:19:15 2006
Subject: eTrust
Message-ID: <200308072032.VAA07923@jackdaw.ecs.soton.ac.uk>

Thanks so much for working on this Julian! $120 per year sure beats F-Prot's $5,000 per year for my 7,000 inbox service!

I have three files for you to download, all from www.elknet.net/work

The first is the actual software, about 37 MB: eAV_Linux.tar.Z

The second is the pdf manual, you will probably find pages 3-7 through 3-11 the most useful and applicable: Administrator_Guide.pdf

The last file is some notes I made from installing and playing with the software, I hope these notes can help save you time: notes.txt

You will find the software key in the notes file in the section that logs my install session, about line 25

Let me know how I can help etc. Once this is working, I could create an entry in your FAQ-O-Matic for installing eTrust if you would like.

Thanks again!
-Alan

From mailscanner at ecs.soton.ac.uk Thu Aug 7 21:41:57 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:15 2006
Subject: Trying to get MailScanner v4.22-5 to forward messages
In-Reply-To:
Message-ID: <5.2.1.1.2.20030807213942.038ebeb0@imap.ecs.soton.ac.uk>

At 21:28 07/08/2003, you wrote:
>I posted this to the group but haven't seen it yet so hope you don't mind that I posted to you directly.
>
> > > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> > > Sent: Thursday, August 07, 2003 7:35 AM
> > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > Subject: Re: Trying to get MailScanner v4.22-5 to forward messages
> > >
> > > At 15:10 07/08/2003, you wrote:
> > > >OK, this might be an easy answer and if you couldn't tell, this is my first time trying to get MailScanner working. I have installed MailScanner 4.22-5 and have it running on a Redhat 9.0 installation. Sendmail is disabled and I even did the 'dnl DAEMON...' to get it working from outside the box. I am trying to get a domain routing to this box with MailScanner running on it to my Exchange System. If I turn off MailScanner and turn on just Sendmail, everything works fine. Mail from the outside goes to RH9.0 then to the Exchange. As soon as I turn off sendmail then turn on MailScanner, the mail just sits in the /var/spool/m.... directory.
> > >
> > > What's the rest of that directory name? It's rather important!
> >
> > Here is the full directory
> > /var/spool/mqueue.in
> >
> > > >BTW, I turned off AntiVirus, and SpamAssassin too just to bring it down to a basic level.
> > >
> > > What else did you change? (And I want the truth, not just the bits you think matter :-)
>
> I think the configuration for MailScanner is straight out of the box so to speak. The only things that I changed were that I turned off Spamassassin and Sophos, yes I turned them on. That is all that I can think of. If you would like I can forward over the Mailscanner.conf file.
>
> > > Also, try doing a "sendmail -bv one.of.your.addresses@yourdomain.com" to see how sendmail thinks it will try to deliver a message to one of your users.
>
> Here is the command and the output.
>
> ./sendmail -bv cslyon@netsvcs.com
> cslyon@netsvcs.com...
deliverable: mailer esmtp, host netsvcs.com., >user > cslyon@netsvcs.com What sort of setup are you using to run MailScanner? The one I suggest in the FAQ involving using your firewall to block incoming access to your primary MX, and running MailScanner on a secondary MX? Or else what? -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From dustin.baer at IHS.COM Thu Aug 7 21:59:09 2003 From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:19:15 2006 Subject: Sophos and PDF revisited References: <5.2.1.1.2.20030807201017.038458a8@imap.ecs.soton.ac.uk> <5.2.1.1.2.20030807210545.027aeea0@imap.ecs.soton.ac.uk> Message-ID: <3F32BD9D.10147AD9@ihs.com> Julian Field wrote: > > Please try this patch to SweepViruses.pm. > > --- SweepViruses.pm 2003-08-05 21:42:19.000000000 +0100 > +++ SweepViruses.pm.new 2003-08-07 21:00:09.000000000 +0100 > @@ -961,8 +961,13 @@ > # If the error is one of the allowed errors, then don't report any > # infections on this file. > if ($error ne "") { > + # Treat their string as a list of words, any of which can match > my $errorlist = MailScanner::Config::Value('sophosallowederrors'); > - if ($errorlist && $errorlist =~ /$error/) { > + $errorlist =~ s/\s+/ /g; > + $errorlist =~ s/[^0-9A-Za-z ]/\\$&/g; > + $errorlist =~ s/ /\|/g; > + #if ($errorlist ne "" && $errorlist =~ /$error/) { > + if ($errorlist ne "" && $error =~ /$errorlist/) { > MailScanner::Log::WarnLog("Ignored Sophos '%s' error", $error); > return 0; > } Julian, This patch works. Thanks for your assistance! Dustin -- Dustin Baer Unix Administrator/Postmaster Information Handling Services 15 Inverness Way East Englewood, CO 80112 303-397-2836 From cslyon at NETSVCS.COM Thu Aug 7 20:53:03 2003 From: cslyon at NETSVCS.COM (Christopher Lyon) Date: Thu Jan 12 21:19:15 2006 Subject: Trying to get MailScanner v4.22-5 to forward messages Message-ID: > -----Original Message----- 
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: Thursday, August 07, 2003 7:35 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Trying to get MailScanner v4.22-5 to forward messages
>
> At 15:10 07/08/2003, you wrote:
> >OK, this might be an easy answer and if you couldn't tell, this is my first time trying to get MailScanner working. I have installed MailScanner 4.22-5 and have it running on a Redhat 9.0 installation. Sendmail is disabled and I even did the 'dnl DAEMON...' to get it working from outside the box. I am trying to get a domain routing to this box with MailScanner running on it to my Exchange System. If I turn off MailScanner and turn on just Sendmail, everything works fine. Mail from the outside goes to RH9.0 then to the Exchange. As soon as I turn off sendmail then turn on MailScanner, the mail just sits in the /var/spool/m.... directory.
>
> What's the rest of that directory name? It's rather important!

Here is the full directory
/var/spool/mqueue.in

> >BTW, I turned off AntiVirus, and SpamAssassin too just to bring it down to a basic level.
>
> What else did you change? (And I want the truth, not just the bits you think matter :-)

I think the configuration for MailScanner is straight out of the box so to speak. The only things that I changed were that I turned off Spamassassin and Sophos, yes I turned them on. That is all that I can think of. If you would like I can forward over the Mailscanner.conf file.

> Also, try doing a "sendmail -bv one.of.your.addresses@yourdomain.com" to see how sendmail thinks it will try to deliver a message to one of your users.

Here is the command and the output.

./sendmail -bv cslyon@netsvcs.com
cslyon@netsvcs.com... deliverable: mailer esmtp, host netsvcs.com., user cslyon@netsvcs.com

> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support

From cslyon at NETSVCS.COM Thu Aug 7 22:42:17 2003
From: cslyon at NETSVCS.COM (Christopher Lyon)
Date: Thu Jan 12 21:19:15 2006
Subject: Trying to get MailScanner v4.22-5 to forward messages
Message-ID:

> > > > Also, try doing a "sendmail -bv one.of.your.addresses@yourdomain.com" to see how sendmail thinks it will try to deliver a message to one of your users.
> >
> > Here is the command and the output.
> >
> > ./sendmail -bv cslyon@netsvcs.com
> > cslyon@netsvcs.com... deliverable: mailer esmtp, host netsvcs.com., user cslyon@netsvcs.com
>
> What sort of setup are you using to run MailScanner? The one I suggest in the FAQ involving using your firewall to block incoming access to your primary MX, and running MailScanner on a secondary MX? Or else what?

I want to have MailScanner scan all incoming mail for spam and viri content and forward it over to my production mail server which is exchange. Mail scanner is opened from the outside on port 25 and I can telnet to it on port 25. I see the mail coming into the box and it sits in the /var/spool/mqueue.in directory. So, I know that is working. The MX records are pointed just as you have stated above?

> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Thu Aug 7 23:02:20 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:15 2006
Subject: eTrust support
Message-ID: <5.2.1.1.2.20030807224655.038d3e40@imap.ecs.soton.ac.uk>

I've persuaded it to install on RedHat 8.0 (the patch on CA's web site works), and support for it in MailScanner appears to be working just fine. It's basically just Inoculate renamed, but I have implemented it as a separate scanner so if they change it in future it won't mean any messy changes for anyone.

The autoupdate script is currently very simple. I'm very interested to hear whether this works or not. If it works okay, I'll polish it properly.

There was one other scanner (BitDefender I think) that needed some work, so I'll try to spend some time on that before releasing another beta. Unless of course you're dying to get your hands on it now...

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Thu Aug 7 23:14:43 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:15 2006
Subject: Can't parse sub ProcessBitdefenderOutput
In-Reply-To: <3F32182F.6060808@afx.cz>
Message-ID: <5.2.1.1.2.20030807231318.02785550@imap.ecs.soton.ac.uk>

As a very simple thing to test, add a line
export TERM=none
near the top of /usr/lib/MailScanner/bitdefender-wrapper

If that doesn't work, then try
unset TERM
instead.

Please let me know what effect this has, if any.

At 10:13 07/08/2003, you wrote:
>This Bitdefender scanner has output in ANSI format. It comes to this: the function sub ProcessBitdefenderOutput catches the direct output of the Bitdefender program bdc to parse it, and the parsing problem starts with ^[[1;31;40minfected: EICAR-Test-File (not a virus)^[[0;37;40m. It can't find "infected:", because it searches for "\tinfected:". I don't know how to dispense with it. Is there a chance to parse from LogFile=/tmp/log.bdc.$$ (bitdefender-wrapper) instead? This log has all lines with \t and it's correct.
>
>
>Kamil Jurik
>
>
>
>
>This e-mail was checked on the AFX mail server

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From steve at BASSI.COM Fri Aug 8 02:27:25 2003
From: steve at BASSI.COM (Steve Bassi)
Date: Thu Jan 12 21:19:15 2006
Subject: f-protwrapper version 3.27
Message-ID: <007b01c35d4c$399b90e0$02fea8c0@LILBESS>

I am still using 3.27 with F-prot.

With the latest version of f-prot and the old mailscanner (3.27) I get the following message.

Either you've found a bug in MailScanner's F-Prot output parser, or F-Prot's output format has changed! F-Prot said this "Action: Report only". Please mail the author of MailScanner

What do I need to amend in f-protwrapper to correct this ?

Many thanks

Bassi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030808/37249115/attachment.html

From raymond at PROLOCATION.NET Fri Aug 8 02:40:26 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:15 2006
Subject: f-protwrapper version 3.27
In-Reply-To: <007b01c35d4c$399b90e0$02fea8c0@LILBESS>
Message-ID:

Hi!

> I am still using 3.27 with F-prot.
>
> With the latest version of f-prot and the old mailscanner (3.27) I get the following message.
>
> Either you've found a bug in MailScanner's F-Prot output parser, or F-Prot's output format has changed! F-Prot said this "Action: Report only". Please mail the author of MailScanner
>
> What do I need to amend in f-protwrapper to correct this ?

Please don't waste time on fixing this. Upgrade to the latest available engine (4.1.2), else you won't catch, for example, Mimail...

Bye,
Raymond.

From steve at BASSI.COM Fri Aug 8 02:50:43 2003
From: steve at BASSI.COM (Steve Bassi)
Date: Thu Jan 12 21:19:15 2006
Subject: f-protwrapper version 3.27
References:
Message-ID: <009b01c35d4f$7b358350$02fea8c0@LILBESS>

----- Original Message -----
From: "Raymond Dijkxhoorn"
To:
Sent: Friday, August 08, 2003 2:40 AM
Subject: Re: f-protwrapper version 3.27

> Hi!
>
> > I am still using 3.27 with F-prot.
> >
> > With the latest version of f-prot and the old mailscanner (3.27) I get the following message.
> >
> > Either you've found a bug in MailScanner's F-Prot output parser, or F-Prot's output format has changed! F-Prot said this "Action: Report only". Please mail the author of MailScanner
> >
> > What do I need to amend in f-protwrapper to correct this ?
>
> Please don't waste time on fixing this. Upgrade to the latest available engine (4.1.2), else you won't catch, for example, Mimail...
>
> Bye,
> Raymond.
>
>

That's not an option for many on Cobalt RAQ3 due to the perl version required. So something is better than nothing and therefore, I would appreciate some help in resolving this matter.

Bassi

From raymond at PROLOCATION.NET Fri Aug 8 03:06:26 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:15 2006
Subject: f-protwrapper version 3.27
In-Reply-To: <009b01c35d4f$7b358350$02fea8c0@LILBESS>
Message-ID:

Hi!

> > engine (4.1.2), else you won't catch, for example, Mimail...
> That's not an option for many on Cobalt RAQ3 due to the perl version
> So something is better than nothing and therefore, I would appreciate some help in resolving this matter.

What does perl have to do with an engine that comes as a binary? I don't see that link. Solution, really, you must upgrade. It won't catch new viruses, like Mimail, no script will fix that for you. Your users won't be happy stuck with this. Simply replace your f-prot distribution. No perl involved there. Get a new one from ftp.f-prot.com

Perhaps I am missing something, but I just had a look in both the distribution sets, it's really just binaries. And if I am correct the wrapper works for both that you have inside MS 3.27

Bye,
Raymond.

From ugob at LINUX.CA Fri Aug 8 03:39:35 2003
From: ugob at LINUX.CA (Ugo Bellavance)
Date: Thu Jan 12 21:19:15 2006
Subject: Internet -> Mailscanner -> Exchange 2000
Message-ID:

Hi,

I searched through the archives, but didn't find anything relevant.

I am looking forward to using Mailscanner in front of my Exchange 2000 server (by the way, it could be any SMTP server). I read the docs, but in all cases, it talks about mailscanner being installed on the machine where the actual mailboxes are.

What I want to do is filter out spam and viruses (although I have symantec AV for exchange) with mailscanner, in the DMZ, and then send the filtered messages to my Exchange 2000 server.

Right now, my Exchange 2000 server receives mail directly from the internet and I don't really like that. I would, at least, want to have a mail relay in my DMZ (so that I wouldn't care too much if it's compromised, since there is a firewall between it and my LAN), that sends the messages to my internal Exchange server. Of course, since MailScanner can filter spam and viruses, I would like to implement that as well.

How do I do that? Simply putting my exchange 2000 server as a "relay_host" in postfix? I tried a few things, like playing with the transport file, but the result is that it sent the mail to the Exchange server, but without scanning for viruses and filtering spam.

How do I know it is not scanned? I don't see these messages in my logs:

Aug 7 07:48:20 server MailScanner[4450]: New Batch: Scanning 1 messages, 501 bytes
Aug 7 07:48:34 server MailScanner[4450]: Virus and Content Scanning: Starting
Aug 7 07:48:34 server MailScanner[4450]: Uninfected: Delivered 1 messages

Thanks,

Ugo Bellavance,
-----------------------------
What do you plan to do with all your freedom?
http://www.gnu.org/

From mike at CAMAROSS.NET Fri Aug 8 04:03:10 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:15 2006
Subject: Internet -> Mailscanner -> Exchange 2000
In-Reply-To:
Message-ID: <004c01c35d59$99f55310$9c01a8c0@home.middlefinger.net>

This is actually a very simple process. Say your TLD is domain.com

You make the MX record in DNS point to the IP of your sendmail/MailScanner machine.

You add an entry to /etc/mail/relay-domains:

domain.com

Add an entry to /etc/mailertable:

domain.com smtp:hostname.exchange.server

Save your file and hash it. Restart MailScanner and you are done.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ugo Bellavance
Sent: Thursday, August 07, 2003 9:40 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Internet -> Mailscanner -> Exchange 2000

Hi,

I searched through the archives, but didn't find anything relevant.

I am looking forward to using Mailscanner in front of my Exchange 2000 server (by the way, it could be any SMTP server). I read the docs, but in all cases, it talks about mailscanner being installed on the machine where the actual mailboxes are.

What I want to do is filter out spam and viruses (although I have symantec AV for exchange) with mailscanner, in the DMZ, and then send the filtered messages to my Exchange 2000 server.

Right now, my Exchange 2000 server receives mail directly from the internet and I don't really like that. I would, at least, want to have a mail relay in my DMZ (so that I wouldn't care too much if it's compromised, since there is a firewall between it and my LAN), that sends the messages to my internal Exchange server. Of course, since MailScanner can filter spam and viruses, I would like to implement that as well.

How do I do that? Simply putting my exchange 2000 server as a "relay_host" in postfix? I tried a few things, like playing with the transport file, but the result is that it sent the mail to the Exchange server, but without scanning for viruses and filtering spam.

How do I know it is not scanned? I don't see these messages in my logs:

Aug 7 07:48:20 server MailScanner[4450]: New Batch: Scanning 1 messages, 501 bytes
Aug 7 07:48:34 server MailScanner[4450]: Virus and Content Scanning: Starting
Aug 7 07:48:34 server MailScanner[4450]: Uninfected: Delivered 1 messages

Thanks,

Ugo Bellavance,
-----------------------------
What do you plan to do with all your freedom?
http://www.gnu.org/

From chris at TRUDEAU.ORG Fri Aug 8 04:51:36 2003
From: chris at TRUDEAU.ORG (Chris Trudeau-Personal)
Date: Thu Jan 12 21:19:15 2006
Subject: Notifications?
References: <004c01c35d59$99f55310$9c01a8c0@home.middlefinger.net>
Message-ID: <001601c35d60$5e125850$23c8a8c0@SERV>

I was reading through the documentation and I stumbled across the actions section for SPAM. I was playing with the settings and rules files (which make all of our lives easier) when I finally ended up with "store" being the action I opted for SPAM and "delete" for HIGH SPAM. This is working well, (after learning the hard way that the quarantine directory has to be owned by postfix:postfix :)) except that I don't get notified when a message is received and "stored". I assume this is by design, however, I'm curious about whether the system can notify AND store the message with a notification such as the one used to notify of "stored" messages that are identified as viruses/filename?

I suppose I'm looking for a SPAM equivalent for the "Stored Virus Message Report" variable that is ONLY sent to the ADMIN identified by "Notices To"...

CT

From sanjay.patel at REXWIRE.COM Fri Aug 8 06:36:31 2003
From: sanjay.patel at REXWIRE.COM (Sanjay K. Patel)
Date: Thu Jan 12 21:19:15 2006
Subject: Ruleset for spam check by domain
Message-ID: <000001c35d6f$0640d110$6f01a8c0@Laptop1>

If I only want certain domains to be checked for spam, what do I put in the ruleset?

domainA.com yes

DomainB.com no

Is this correct?

SKP.

From jkoetsier at CORP.HOME.NL Fri Aug 8 06:47:45 2003
From: jkoetsier at CORP.HOME.NL (Jeffrey Koetsier)
Date: Thu Jan 12 21:19:15 2006
Subject: Ruleset for spam check by domain
In-Reply-To: <000001c35d6f$0640d110$6f01a8c0@Laptop1>
References: <000001c35d6f$0640d110$6f01a8c0@Laptop1>
Message-ID: <3F333981.5030901@corp.home.nl>

Sanjay K. Patel wrote:

>If I only want certain domains to be checked for spam, what do I put in the ruleset?
>
>domainA.com yes
>
>DomainB.com no
>
>Is this correct?
>

no :)

Ruleset file should contain 3 values per line, example:

From: DomainX.com yes
To: postmaster@DomainY.com no
FromTo: default no

In my version of MailScanner, there is a README file in the rules directory which contains some info about this.

--
Jeffrey Koetsier
Unix Administrator

"I don't believe UNIX is Utopia. It's just the best set of tools around."
-- Dick Haight, Unix Review, Jan. 1985, pg. 117

From radislav.vrnata at porcela.cz Fri Aug 8 07:43:14 2003
From: radislav.vrnata at porcela.cz (Radislav Vrnata)
Date: Thu Jan 12 21:19:15 2006
Subject: Translation request - Czech
In-Reply-To: <5.2.0.9.2.20030807122158.04c33b80@imap.ecs.soton.ac.uk>
Message-ID: <3F3362A2.20478.1382B455@localhost>

Hi,

here is the Czech version...

Radislav.

> Please can you do me a big favour and translate all of these into your favourite languages. They are the 3 messages that are sent in response to messages containing dangerous content (such as HTML IFRAME tags and stuff like that).
>
> Sender report:
> From: "MailScanner" <$localpostmaster>
To: $from
Subject: Potencialne nebezpecny email vymazan
X-MailScanner: generated

Nas system kontroly obsahu elektronicke posty byl spusten zpravou, kterou jste zaslali:-

Komu: $to
Predmet: $subject
Datum: $date

Zprava byla vymazana.
System ohlasil o teto zprave nasledujici:
$report.

Tato zprava obsahovala potencialne nebezpecny obsah, ktery byl vymazan. Pokud jste se pokouseli odeslat www stranku, ulozte ji prosim do souboru a prilozte ji ke zprave. Pokud mate jakekoliv dotazy, kontaktujte prosim administratora systemu.

--
MailScanner Email Virus Scanner
www.mailscanner.info

> Content Deleted report:

Toto je zprava od systemu antivirove ochrany elektronicke posty 'MailScanner'
-----------------------------------------------------------------------------

Originalni zprava obsahovala potencialne nebezpecny obsah, ktery byl z duvodu vasi bezpecnosti vymazan. Tento druh nebezpecneho obsahu je casto vyuzivan k sireni viru nebo pro ziskavani vasich osobnich nebo utajovanych informaci jako jsou hesla nebo cisla kreditnich karet.

V dusledku limitovaneho prostoru, kterym nas postovni system disponuje, neni mozne zachovat kopii puvodni zpravy.

System kontroly obsahu elektronicke posty nasel nasledujici:
$report

--
Postmaster

> Content Stored report:

Toto je zprava od systemu antivirove ochrany elektronicke posty 'MailScanner'
-----------------------------------------------------------------------------

Originalni zprava obsahovala potencialne nebezpecny obsah, ktery byl z duvodu vasi bezpecnosti vymazan. Tento druh nebezpecneho obsahu je casto vyuzivan k sireni viru nebo pro ziskavani vasich osobnich nebo utajovanych informaci jako jsou hesla nebo cisla kreditnich karet.

Pokud pozadujete doruceni kopie puvodni zpravy, prosim poslete e-mail podpore a prilozte k tomu tuto zpravu. Pripadne muzete helpdesk kontaktovat telefonicky a sdelit mu obsah teto zpravy.

Dne $date system kontroly obsahu elektronicke posty ohlasil:
$report

Poznamka pro podporu: Podivej se na $hostname do $quarantinedir/$datenumber (message $id).

--
Postmaster

From denis at CROOMBS.ORG Fri Aug 8 08:43:43 2003
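A small evaluator for the three-field ruleset format Jeffrey describes two messages up (direction, pattern, value; lines tried in order, first match wins, `default` last), added here as a constructed example rather than MailScanner's own code. It assumes `FromTo:` matches either the sender or a recipient, and supports only literal addresses, bare domains, `*` wildcards and `default` as patterns.

```python
"""Simplified evaluator for the MailScanner ruleset format discussed above.

Each line is  <direction> <pattern> <value>, for example:
    From:   DomainX.com             yes
    To:     postmaster@DomainY.com  no
    FromTo: default                 no
Lines are tried in order and the first match wins, so the 'default' line
must come last.  Constructed model of the documented format, not
MailScanner's own code; it assumes 'FromTo:' means "matches the sender OR
any recipient" and supports only literal addresses, bare domains, '*'
wildcards and 'default' as patterns.
"""
import fnmatch
import re

RULE_RE = re.compile(r"^\s*(From|To|FromTo|FromOrTo):\s+(\S+)\s+(\S+)\s*$", re.I)


def parse_ruleset(text):
    """Return [(direction, pattern, value), ...]; blank and '#' lines are skipped.

    A line without all three fields (such as 'domainA.com yes') is rejected,
    which is exactly the mistake in the original question."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(
                f"line {lineno}: expected '<direction> <pattern> <value>', got {line!r}")
        direction, pattern, value = m.groups()
        rules.append((direction.lower(), pattern.lower(), value))
    if not rules or rules[-1][1] != "default":
        raise ValueError("ruleset must end with a 'default' line")
    return rules


def ruleset_error(text):
    """Return the parse error message for text, or None when it is valid."""
    try:
        parse_ruleset(text)
    except ValueError as exc:
        return str(exc)
    return None


def address_matches(pattern, address):
    """'default' matches anything; 'user@domain' must match exactly; a bare
    domain matches any local part at exactly that domain (no sub-domains,
    an assumption); '*' patterns use shell-style wildcard matching."""
    address = address.lower()
    if pattern == "default":
        return True
    if "*" in pattern:
        return fnmatch.fnmatchcase(address, pattern)
    if "@" in pattern:
        return address == pattern
    return address.endswith("@" + pattern)


def lookup(rules, sender, recipients):
    """Value of the first rule matching this sender/recipient combination."""
    for direction, pattern, value in rules:
        from_hit = address_matches(pattern, sender)
        to_hit = any(address_matches(pattern, r) for r in recipients)
        if direction == "from":
            hit = from_hit
        elif direction == "to":
            hit = to_hit
        else:  # fromto / fromorto: either side (assumption, see module docstring)
            hit = from_hit or to_hit
        if hit:
            return value
    raise LookupError("no rule matched")  # unreachable once a default line is enforced


# The corrected ruleset from Jeffrey's reply, as a constructed input.
SPAM_CHECK_RULES = parse_ruleset("""
From:   DomainX.com             yes
To:     postmaster@DomainY.com  no
FromTo: default                 no
""")

if __name__ == "__main__":
    print(lookup(SPAM_CHECK_RULES, "alice@domainx.com", ["bob@example.org"]))   # yes
    print(lookup(SPAM_CHECK_RULES, "eve@example.org", ["bob@domainy.com"]))     # no
    print(ruleset_error("domainA.com yes\nDomainB.com no"))                      # line 1 error
```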
From: denis at CROOMBS.ORG (Denis Croombs)
Date: Thu Jan 12 21:19:15 2006
Subject: Please help. Me very confused
Message-ID: <003401c35d80$cb63d3a0$85b8fea9@Laptop>

I have installed Spamassassin & Mailscanner on a new machine as I have on a number of others (all Redhat 7.3) using the Spamassassin & MailScanner RPM's but this time I am getting the following error from MailScanner (in /var/log/maillog):

"Aug 8 02:28:21 ensim MailScanner[27075]: SpamAssassin installation could not be found"

How do I tell MailScanner where to look for spamassassin ?

All clues very welcome

Thanks

Denis

[root@ensim mail]# tail /var/log/maillog
Aug 8 02:28:10 ensim sendmail[27037]: alias database /etc/aliases rebuilt by root
Aug 8 02:28:10 ensim sendmail[27037]: /etc/aliases: 41 aliases, longest 39 bytes, 443 bytes total
Aug 8 02:28:10 ensim sendmail[27046]: starting daemon (8.11.6): SMTP
Aug 8 02:28:10 ensim sendmail[27051]: starting daemon (8.11.6): queueing@00:15:00
Aug 8 02:28:11 ensim MailScanner[27072]: MailScanner E-Mail Virus Scanner version 4.22-4 starting...
Aug 8 02:28:11 ensim MailScanner[27072]: SpamAssassin installation could not be found
Aug 8 02:28:21 ensim MailScanner[27075]: MailScanner E-Mail Virus Scanner version 4.22-4 starting...
Aug 8 02:28:21 ensim MailScanner[27075]: SpamAssassin installation could not be found
Aug 8 02:28:31 ensim MailScanner[27076]: MailScanner E-Mail Virus Scanner version 4.22-4 starting...
Aug 8 02:28:31 ensim MailScanner[27076]: SpamAssassin installation could not be found

If I do a spamassassin -D --lint I can confirm that I have dcc installed & Bayes has been taught by over 1000 spams

[root@ensim mail]# spamassassin -D --lint
debug: Score set 0 chosen.
debug: running in taint mode? no
debug: ignore: using a test message to lint rules
debug: using "/usr/share/spamassassin" for default rules dir
debug: using "/etc/mail/spamassassin" for site rules dir
debug: using "/root/.spamassassin" for user state dir
debug: using "/root/.spamassassin/user_prefs" for user prefs file
debug: using "/root/.spamassassin" for user state dir
debug: bayes: 27083 tie-ing to DB file R/O /root/.spamassassin/bayes_toks
debug: bayes: 27083 tie-ing to DB file R/O /root/.spamassassin/bayes_seen
debug: debug: Only 0 ham(s) in Bayes DB < 200
debug: bayes: 27083 untie-ing
debug: bayes: 27083 untie-ing db_toks
debug: bayes: 27083 untie-ing db_seen
debug: Score set 1 chosen.
debug: Initialising learner
debug: using "/root/.spamassassin" for user state dir
debug: bayes: 27083 tie-ing to DB file R/O /root/.spamassassin/bayes_toks
debug: bayes: 27083 tie-ing to DB file R/O /root/.spamassassin/bayes_seen
debug: debug: Only 0 ham(s) in Bayes DB < 200
debug: bayes: 27083 untie-ing
debug: bayes: 27083 untie-ing db_toks
debug: bayes: 27083 untie-ing db_seen
debug: is Net::DNS::Resolver available? yes
debug: trying (3) leo.org...
debug: looking up MX for 'leo.org'
debug: MX for 'leo.org' exists? 1
debug: MX lookup of leo.org succeeded => Dns available (set dns_available to hardcode)
debug: is DNS available? 1
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=1.9
debug: running raw-body-text per-line regexp tests; score so far=1.9
debug: running uri tests; score so far=1.9
debug: uri tests: Done uriRE
debug: running full-text regexp tests; score so far=1.9
debug: Razor2 is not available
debug: Current PATH is: /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin
debug: executable for dccproc was found at /usr/local/bin/dccproc
debug: DCC is available: /usr/local/bin/dccproc
debug: entering helper-app run mode
debug: DCC: got response: X-DCC-neonova-Metrics: ensim.rackshack.net 1127; Body=32182 Fuz1=776625
debug: leaving helper-app run mode
debug: Pyzor is not available: pyzor not found
debug: all '*To' addrs:
debug: all '*From' addrs: ignore@compiling.spamassassin.taint.org
debug: running meta tests; score so far=2.4
debug: is spam? score=2.4 required=5 tests=DATE_MISSING,MISSING_HEADERS,NO_REAL_NAME
debug: bayes: 27083 untie-ing
[root@ensim mail]#

If I do a spamassassin -V I get:-

[root@ensim mail]# spamassassin -V
SpamAssassin version 2.55
[root@ensim mail]#

From mailscanner at ecs.soton.ac.uk Fri Aug 8 08:40:45 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:15 2006
Subject: f-protwrapper version 3.27
In-Reply-To: <007b01c35d4c$399b90e0$02fea8c0@LILBESS>
Message-ID: <5.2.0.9.2.20030808083303.03f35c60@imap.ecs.soton.ac.uk>

At 02:27 08/08/2003, you wrote:
>I am still using 3.27 with F-prot.
>
>With the latest version of f-prot and the old mailscanner (3.27) I get the
>following message.
>
>Either you've found a bug in MailScanner's F-Prot output parser, or
>F-Prot's output format has changed! F-Prot said this "Action: Report
>only". Please mail the author of MailScanner
>
>What do I need to amend in f-protwrapper to correct this ?

You need to get the latest F-Prot parser from the more recent MailScanner, and replace your old one with this new one.

Go somewhere safe
  cd /tmp
Download the latest MailScanner-4.22-5.tar.gz
Unpack it
  tar xzf MailScanner-4.22-5.tar.gz
Get to the right place
  cd MailScanner-4.22-5/lib/MailScanner

Now take a look at SweepViruses.pm. You will find a line
  sub ProcessFProtOutput {
Save the whole of that sub to a file.

Now go to wherever you have installed your copy of MailScanner 3.27. Hunt in there and you will find a file "sweep.pl". Save a backup copy of this somewhere safe in case you get into trouble.

Again, in that file you will find a "sub ProcessFProtOutput {" line. Replace the whole of that sub with the one you just extracted from version 4.22-5.

Then do a
  perl -c sweep.pl
to syntax check it.

Then restart MailScanner and you should now have the most recent parser which will handle the new F-Prot versions.

Sorry that is so long and convoluted, but the only direct support I now do for version 3 is major security bugs (which no-one has found).

P.S. Don't try blindly copying any other code from version 4 into version 3, the *only* bits you can copy over are the virus scanners parsers. It was a deliberate choice I made when creating version 4 just in case this exact thing happened.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Aug 8 08:42:17 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:15 2006
Subject: Notifications?
In-Reply-To: <001601c35d60$5e125850$23c8a8c0@SERV>
References: <004c01c35d59$99f55310$9c01a8c0@home.middlefinger.net>
Message-ID: <5.2.0.9.2.20030808084202.03ebf270@imap.ecs.soton.ac.uk>

You cannot currently do this. Wouldn't it generate an /awful/ lot of mail?

At 04:51 08/08/2003, you wrote:
>I was reading through the documentation and I stumbled across the actions
>section for SPAM. I was playing with the settings and rules files (which
>make all of our lives easier) when I finally ended up with "store" being the
>action I opted for SPAM and "delete" for HIGH SPAM.
>
>This is working well, (after learning the hard way that quarantine directory
>has to be owned by postfix:postfix :)) except that I don't get notified when
>a message is received and "stored". I assume this is by design, however,
>I'm curious about whether the system can notify AND store the message with a
>notification such as the one used to notify of "stored" messages that are
>identified as viruses/filename?
>
>I suppose I'm looking for a SPAM equivalent for the "Stored Virus Message
>Report" variable that is ONLY sent to the ADMIN identified by "Notices
>To"...
>
>CT

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Aug 8 08:45:55 2003
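As an added helper for Julian's parser-transplant procedure above (a constructed example, not part of MailScanner), the script below lifts `sub ProcessFProtOutput { ... }` out of one Perl file by brace counting and drops it over the same sub in another. The two source strings are toy stand-ins for SweepViruses.pm and sweep.pl, and the brace counter assumes the sub contains no unbalanced `{` or `}` inside strings, regexes or comments, so the `perl -c sweep.pl` check from the procedure still applies afterwards.

```python
"""Copy one named Perl sub from a newer file over the same sub in an older file.

Constructed helper for the 'replace sub ProcessFProtOutput' procedure; it is
not MailScanner code.  Braces are matched by counting, so the sub must not
contain unbalanced braces inside strings, regexes or comments.  Always run
'perl -c' on the result.
"""
import re
import sys

SUB_NAME = "ProcessFProtOutput"

# Constructed stand-in for lib/MailScanner/SweepViruses.pm from 4.22-5
NEW_SOURCE = """\
sub ProcessFProtOutput {
  my($line, $report, $types) = @_;
  if ($line =~ /^Action:/) { return 0; }   # new-style output
  return 1;
}

sub ProcessSophosOutput {
  return 0;
}
"""

# Constructed stand-in for the 3.27 sweep.pl
OLD_SOURCE = """\
sub ProcessSophosOutput {
  return 0;
}

sub ProcessFProtOutput {
  my($line) = @_;
  if ($line =~ /Infection:/) {
    return 1;
  }
  return 0;
}
"""


def find_sub(source, name):
    """Return (start, end) character offsets of 'sub <name> { ... }', or None."""
    m = re.search(r"^[ \t]*sub\s+" + re.escape(name) + r"\s*\{", source, re.M)
    if m is None:
        return None
    depth = 0
    for i in range(m.end() - 1, len(source)):   # m.end() - 1 is the opening brace
        if source[i] == "{":
            depth += 1
        elif source[i] == "}":
            depth -= 1
            if depth == 0:
                return (m.start(), i + 1)
    raise ValueError(f"unbalanced braces in sub {name}")


def extract_sub(source, name):
    """The full text of 'sub <name> { ... }' from source."""
    span = find_sub(source, name)
    if span is None:
        raise ValueError(f"sub {name} not found in source")
    return source[span[0]:span[1]]


def replace_sub(target, name, new_sub):
    """Return target with its 'sub <name>' swapped for new_sub; nothing else changes."""
    span = find_sub(target, name)
    if span is None:
        raise ValueError(f"sub {name} not found in target")
    return target[:span[0]] + new_sub + target[span[1]:]


def transplant(new_source=NEW_SOURCE, old_source=OLD_SOURCE, name=SUB_NAME):
    """Whole step: take the sub from the new file and put it into the old one."""
    return replace_sub(old_source, name, extract_sub(new_source, name))


if __name__ == "__main__":
    # usage: transplant.py SweepViruses.pm sweep.pl > sweep.pl.new
    with open(sys.argv[1]) as f:
        new_text = f.read()
    with open(sys.argv[2]) as f:
        old_text = f.read()
    sys.stdout.write(transplant(new_text, old_text))
```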
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:15 2006 Subject: Please help. Me very confused In-Reply-To: <003401c35d80$cb63d3a0$85b8fea9@Laptop> Message-ID: <5.2.0.9.2.20030808084400.0428ff58@imap.ecs.soton.ac.uk> How did you install SpamAssassin? If you used their RPM, then uninstall it and re-install from the .tar.gz file instead. By definition, a single RPM of perl modules cannot work on all versions of all distributions, as the correct installation directory can only be determined when the RPM is built and not when it is installed. This is why the MailScanner installation script goes through the process of building each RPM in turn from source, then installing the newly built RPM. At 08:43 08/08/2003, you wrote: >I have installed Spamassassin & Mailscanner on a new machine as I have on a >number of others (all Redhat 7.3) using the Spamassassin & MailScanner RPM's >but this time I am getting the following error from MailScanner (in >/var/log/maillog) > >"Aug 8 02:28:21 ensim MailScanner[27075]: SpamAssassin installation could >not be found" > >How do I tell MailScanner where to look for spamassassin ? > >All clues very welcome > >Thanks > >Denis > >[root@ensim mail]# tail /var/log/maillog >Aug 8 02:28:10 ensim sendmail[27037]: alias database /etc/aliases rebuilt >by root >Aug 8 02:28:10 ensim sendmail[27037]: /etc/aliases: 41 aliases, longest 39 >bytes, 443 bytes total >Aug 8 02:28:10 ensim sendmail[27046]: starting daemon (8.11.6): SMTP >Aug 8 02:28:10 ensim sendmail[27051]: starting daemon (8.11.6): >queueing@00:15:00 >Aug 8 02:28:11 ensim MailScanner[27072]: MailScanner E-Mail Virus Scanner >version 4.22-4 starting... >Aug 8 02:28:11 ensim MailScanner[27072]: SpamAssassin installation could >not be found >Aug 8 02:28:21 ensim MailScanner[27075]: MailScanner E-Mail Virus Scanner >version 4.22-4 starting... 
>Aug 8 02:28:21 ensim MailScanner[27075]: SpamAssassin installation could >not be found >Aug 8 02:28:31 ensim MailScanner[27076]: MailScanner E-Mail Virus Scanner >version 4.22-4 starting... >Aug 8 02:28:31 ensim MailScanner[27076]: SpamAssassin installation could >not be found > >If I do a spamassassin -D --lint I can confirm that I have dcc installed & >bayers has been taught by over 1000 spams > >[root@ensim mail]# spamassassin -D --lint >debug: Score set 0 chosen. >debug: running in taint mode? no >debug: ignore: using a test message to lint rules >debug: using "/usr/share/spamassassin" for default rules dir >debug: using "/etc/mail/spamassassin" for site rules dir >debug: using "/root/.spamassassin" for user state dir >debug: using "/root/.spamassassin/user_prefs" for user prefs file >debug: using "/root/.spamassassin" for user state dir >debug: bayes: 27083 tie-ing to DB file R/O /root/.spamassassin/bayes_toks >debug: bayes: 27083 tie-ing to DB file R/O /root/.spamassassin/bayes_seen >debug: debug: Only 0 ham(s) in Bayes DB < 200 >debug: bayes: 27083 untie-ing >debug: bayes: 27083 untie-ing db_toks >debug: bayes: 27083 untie-ing db_seen >debug: Score set 1 chosen. >debug: Initialising learner >debug: using "/root/.spamassassin" for user state dir >debug: bayes: 27083 tie-ing to DB file R/O /root/.spamassassin/bayes_toks >debug: bayes: 27083 tie-ing to DB file R/O /root/.spamassassin/bayes_seen >debug: debug: Only 0 ham(s) in Bayes DB < 200 >debug: bayes: 27083 untie-ing >debug: bayes: 27083 untie-ing db_toks >debug: bayes: 27083 untie-ing db_seen >debug: is Net::DNS::Resolver available? yes >debug: trying (3) leo.org... >debug: looking up MX for 'leo.org' >debug: MX for 'leo.org' exists? 1 >debug: MX lookup of leo.org succeeded => Dns available (set dns_available to >hardcode) >debug: is DNS available? 
1 >debug: running header regexp tests; score so far=0 >debug: running body-text per-line regexp tests; score so far=1.9 >debug: running raw-body-text per-line regexp tests; score so far=1.9 >debug: running uri tests; score so far=1.9 >debug: uri tests: Done uriRE >debug: running full-text regexp tests; score so far=1.9 >debug: Razor2 is not available >debug: Current PATH is: >/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin: >/root/bin >debug: executable for dccproc was found at /usr/local/bin/dccproc >debug: DCC is available: /usr/local/bin/dccproc >debug: entering helper-app run mode >debug: DCC: got response: X-DCC-neonova-Metrics: ensim.rackshack.net 1127; >Body=32182 Fuz1=776625 >debug: leaving helper-app run mode >debug: Pyzor is not available: pyzor not found >debug: all '*To' addrs: >debug: all '*From' addrs: ignore@compiling.spamassassin.taint.org >debug: running meta tests; score so far=2.4 >debug: is spam? score=2.4 required=5 >tests=DATE_MISSING,MISSING_HEADERS,NO_REAL_NAME >debug: bayes: 27083 untie-ing >[root@ensim mail]# > >If I do a spamassassin -V I get:- > >[root@ensim mail]# spamassassin -V >SpamAssassin version 2.55 >[root@ensim mail]# -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From P.G.M.Peters at utwente.nl Fri Aug 8 09:03:08 2003 
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:19:15 2006
Subject: Internet -> Mailscanner -> Exchange 2000
In-Reply-To:
References:
Message-ID: <80m6jv8fpbfh8ndhibvq2bg2s5m2ekitt1@4ax.com>

On Thu, 7 Aug 2003 22:39:35 -0400, you wrote:
> I searched through the archives, but didn't find anything relevant. I am looking forward to use Mailscanner in front of my Exchange 2000 server (by the way, it could be any SMTP server). I read the docs, but in all cases, it talks about mailscanner being installed on the machine where the actual mailboxes are. What I want to do is filter out spam and viruses (although I have symantec AV for exchange) with mailscanner, in the DMZ, and then send the filtered messages to my Exchange 2000 server. Right now, my Exchange 2000 server receives mail directly from the internet and I don't really like that. I would, at least, want to have a mail relay in my DMZ (so that I wouldn't care too much if it's compromised, since there is a firewall between it and my LAN), that sends the messages to my internal Exchange server. Of course, since MailScanner can filter spam and viruses, I would like to implement that as well.

We are running this kind of configuration. But what we also do is have all existing e-mail addresses in the virtusertable of our sendmail frontend. So nobody can shoot in 1 million addresses leaving you with the bounces of almost the same number.

We use a dummy-domain to handle renaming of the exchange server. So the entries in virtusertable are like:

@utwente.nl: error:nouser No such user
postmaster@utwente.nl: admin@exchange-dummy.utwente.nl
abuse@utwente.nl: admin@exchange-dummy.utwente.nl
p.g.m.peters@utwente.nl: my-mailbox@some-other.system.utwente.nl

And in mailertable we define the forwarding of exchange-dummy.utwente.nl domain to the exchange server.

This way you can also define e-mail addresses that should get forwarded to other mailboxes. And you can keep internal lists from getting spam when some spammer uses a dictionary attack.

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From denis at IMSLTD.COM Fri Aug 8 09:18:01 2003
From: denis at IMSLTD.COM (Denis Croombs)
Date: Thu Jan 12 21:19:15 2006
Subject: Please help. Me very confused
References: <5.2.0.9.2.20030808084400.0428ff58@imap.ecs.soton.ac.uk>
Message-ID: <003101c35d85$987565d0$9601a8c0@cel1700>

Thanks Julian

That has got rid of the error.

Denis

> How did you install SpamAssassin?
> If you used their RPM, then uninstall it and re-install from the .tar.gz
> file instead.
>
> By definition, a single RPM of perl modules cannot work on all versions of
> all distributions, as the correct installation directory can only be
> determined when the RPM is built and not when it is installed.
>
> This is why the MailScanner installation script goes through the process of
> building each RPM in turn from source, then installing the newly built RPM.
>
> At 08:43 08/08/2003, you wrote:
> >I have installed Spamassassin & Mailscanner on a new machine as I have on a
> >number of others (all Redhat 7.3) using the Spamassassin & MailScanner RPM's
> >but this time I am getting the following error from MailScanner (in
> >/var/log/maillog)
> >
> >"Aug 8 02:28:21 ensim MailScanner[27075]: SpamAssassin installation could
> >not be found"
> >

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.507 / Virus Database: 304 - Release Date: 04/08/2003

From andersan at LTKALMAR.SE Fri Aug 8 09:50:42 2003
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:19:15 2006
Subject: SV: eTrust support
Message-ID: <9F18B7DDBA88E544AB1F1995148916661CE6D3@lkl63.ltkalmar.se>

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: 8 August 2003 00:02
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: eTrust support
>
>
> I've persuaded it to install on RedHat 8.0 (the patch on CA's
> web site works), and support for it in MailScanner appears to
> be working just fine. It's basically just Inoculate renamed,
> but I have implemented it as a separate scanner so if they
> change it in future it won't mean any messy changes for anyone.
>
> The autoupdate script is currently very simple. I'm very
> interested to hear whether this works or not. If it works
> okay, I'll polish it properly.
>
> There was one other scanner (BitDefender I think) that needed
> some work, so I'll try to spend some time on that before
> releasing another beta. Unless of course you're dying to get
> your hands on it now...

Nice work, don't rush but if you get the time to get the second engine working that would be even better. Not bad to get 2 different for the price of one :)

/Anders

> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
>

From slwatts at WINCKWORTHS.CO.UK Fri Aug 8 10:02:26 2003
From: slwatts at WINCKWORTHS.CO.UK (Samuel Luxford-Watts)
Date: Thu Jan 12 21:19:15 2006
Subject: Internet -> Mailscanner -> Exchange 2000
Message-ID:

I have just set up something similar here - tho at the moment postfix/MS is acting as a pure mail filter. I have not yet set up user export from our exchange (5.5sp3) to the postfix/MS and set up postfix to only accept emails to valid users - not too sure how to do that, so I guess I have a lot more reading up to do!

Anyway - basically this kind of setup seems to work very well, and isn't a lot harder to set up than some commercial mail sweepers :-)

So give it a whirl!

Sam

-----Original Message-----
From: Peter Peters [mailto:P.G.M.Peters@UTWENTE.NL] Sent: 08 August 2003 09:03 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Internet -> Mailscanner -> Exchange 2000 On Thu, 7 Aug 2003 22:39:35 -0400, you wrote: > I searched through the archives, but didn't find anythig >relevant. I am looking forward to use Mailscanner in front of my >Exchange 2000 server (by the way, it could be any SMTP server). I read >the docs, but in all cases, it talks about mailscanner being installed >on the machine where the actual mailboxes are. What I want to do is >filter out spam and viruses (although I have symantec AV for exchange) >with mailscanner, in the DMZ, and then send the filtered messages to my >Exchange 2000 server. Right now, my Exchange 2000 server receives mail >directly from the internet and I don't really like that. I would, at >least, want to have a mail relay in my DMZ (so that I wouldn't care too >much if it's compromised, since there is a firewall between it and my >LAN), that sends the messages to my internal Exchange server. Of >course, since MailScanner can filter spam and viruses, I would like to >implement that as well. We are running this kind of configuration. But what we also do is have all excisting e-mail addresses in the virtusertable of our sendmail frontend. So nobody can shoot in 1 million addresses leaving you with the bounces of allmost the same number. We use a dummy-domain to handle renaming of the exchange server. So the entries in virtusertable are like: @utwente.nl: error:nouser No such user postmaster@utwente.nl: admin@exchange-dummy.utwente.nl abuse@utwente.nl: admin@exchange-dummy.utwente.nl p.g.m.peters@utwente.nl: my-mailbox@some-other.system.utwente.nl And in mailertable we define the forwarding of exchange-dummy.utwente.nl domain to the exchange server. This way you can also define e-mail addresses that should get forwarded to other mailboxes. And you can keep internal lists from getting spam when some spammer uses a dictionary attack. 
-- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ -------------- Winckworth Sherwood Solicitors and Parliamentary Agents DX 148400 WESTMINSTER 5 : 35 Great Peter Street, London SW1P 3LR Telephone 020 7593 5000 Fax 020 7593 5099 Do something amazing! The firm is supporting a charitable bike ride through Vietnam and needs your help. For further information please visit www.vietnambikeride.org -Confidentiality- This email message and any attachments are confidential; they may be subject to legal professional privilege and are intended for the named recipient only. If you are not the named recipient, please return the message and enclosures immediately and delete them from your system. -Caution- Before advice received only by email (whether by attachment or otherwise) may be relied on, the authenticity of the communication must be verified by means independent of email. -Regulation- The firm is regulated by the Law Society. -Partners- A list of partners is available for inspection at each office of the firm and on the firm's website at www.winckworths.co.uk From slwatts at WINCKWORTHS.CO.UK Fri Aug 8 10:16:38 2003 From: slwatts at WINCKWORTHS.CO.UK (Samuel Luxford-Watts) Date: Thu Jan 12 21:19:15 2006 Subject: OT - RE: POSTFIX release from quarantine (WAS: How to let thro ugh i nnocent messages) Message-ID: Hmm.... True to a point but I would like to be able to delegate the menial tasks to those who are less skilled :-) I don't want my or my techie guy's time taken up with having to do simple repetative tasks that could be easily performed by frontline support. And I don't want those guys having command line access to our servers - hence the need for some sort of basic gui for simple day-to day management and monitoring. Sam -----Original Message----- 
From: Gary Smithe [mailto:gsmithe@OFALLON90.NET]
Sent: 07 August 2003 20:17
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: POSTFIX release from quarantine (WAS: How to let through innocent messages)

"That would be very useful for non UNIX-aware administrators."

Maybe I'm just malaligned mentally, but IMHO I think that if you're using Mailscanner in any form, then you should be *NIX-aware - at least more than most Windows users.

Not trying to start a flame war, I just get ticked with people in fields of work that aren't competent.

Gary

> -----Original Message-----
> From: Nejc Skoberne [mailto:nejc.skoberne@GUEST.ARNES.SI]
> Sent: Thursday, August 07, 2003 12:53 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: POSTFIX release from quarantine (WAS: How to let through innocent messages)
>
>
> Hi.
>
> >> If someone could write a nice script ...
> >
> > No need. As I mentioned earlier, you can just do
> >
> > postdrop < quarantined-message-file
> >
> > and let postfix sort out the inode numbers all by itself.
>
> That's true, but I agree that it would be really nice to have a "GUI"
> way of doing this. As a Webmin module or something. That would be very
> useful for non UNIX-aware administrators.
>
> Something else bothers me. If I set this:
>
> Quarantine Whole Messages As Queue Files = yes
>
> it is quite hard to grep those files for i.e. for "Subject". How do
> you guys monitor innocent messages? Just monitoring the messages (or
> maillog) file?
>
> Thanks.
>
> --
> Nejc Skoberne
> Grajska 5
> SI-5220 Tolmin
> E-mail: nejc.skoberne@guest.arnes.si
>
From arm at SPAR.AT Fri Aug 8 10:34:04 2003
From: arm at SPAR.AT (Rainer Anschober)
Date: Thu Jan 12 21:19:15 2006
Subject: trend mircro with MailScanner
In-Reply-To:
References:
Message-ID: <1060335244.1700.16.camel@gandalf>

Hello,

I use MailScanner 4.21-9. Now, I want to implement a virus scanner from Trend Micro. If I receive a message with a virus, it does work. But if the virus is in an archive and/or compressed file, then the virus engine does not find the virus. But if I use the virus engine on the command line, the engine finds every virus ( .gz, .tgz, .zip, .Z, .tar ).

In /opt/MailScanner/etc/ is a file virus.scanner.conf. In this file is the path and filename of the wrapper for Trend Micro's engine. But this wrapper ( /opt/MailScanner/lib/trend-wrapper ) would never be used.

What must I do?

Thank you for your help!

Rainer

From ugob at LINUX.CA Fri Aug 8 10:55:41 2003
From: ugob at LINUX.CA (Ugo Bellavance)
Date: Thu Jan 12 21:19:15 2006
Subject: Internet -> Mailscanner -> Exchange 2000
In-Reply-To: <004c01c35d59$99f55310$9c01a8c0@home.middlefinger.net>
Message-ID:

would an entry in /etc/hosts do the work, since I don't want to set up a dns server just for that?

Thanks

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Mike Kercher
Sent: 7 August 2003 23:03
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Internet -> Mailscanner -> Exchange 2000

This is actually a very simple process.

Say your TLD is domain.com

You make the MX record in DNS point to the IP of your sendmail/MailScanner machine.

You add an entry to /etc/mail/relay-domains:
domain.com

Add an entry to /etc/mailertable:
domain.com smtp:hostname.exchange.server

Save your file and hash it. Restart MailScanner and you are done.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ugo Bellavance
Sent: Thursday, August 07, 2003 9:40 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Internet -> Mailscanner -> Exchange 2000

Hi,

I searched through the archives, but didn't find anything relevant. I am looking forward to use Mailscanner in front of my Exchange 2000 server (by the way, it could be any SMTP server). I read the docs, but in all cases, it talks about mailscanner being installed on the machine where the actual mailboxes are. What I want to do is filter out spam and viruses (although I have symantec AV for exchange) with mailscanner, in the DMZ, and then send the filtered messages to my Exchange 2000 server. Right now, my Exchange 2000 server receives mail directly from the internet and I don't really like that. I would, at least, want to have a mail relay in my DMZ (so that I wouldn't care too much if it's compromised, since there is a firewall between it and my LAN), that sends the messages to my internal Exchange server. Of course, since MailScanner can filter spam and viruses, I would like to implement that as well.

How do I do that? simply putting my exchange 2000 server as a "relay_host" in postfix? I tried a few things, like playing with the transport file, but the result is that it sent the mail to the Exchange server, but without scanning for virus and filtering spam. How do I know it is not scanned? I don't see these messages in my logs:

Aug 7 07:48:20 server MailScanner[4450]: New Batch: Scanning 1 messages, 501 bytes
Aug 7 07:48:34 server MailScanner[4450]: Virus and Content Scanning: Starting
Aug 7 07:48:34 server MailScanner[4450]: Uninfected: Delivered 1 messages

Thanks,

Ugo Bellavance,

-----------------------------
What do you plan to do with all your freedom?
http://www.gnu.org/

From Kevin.Spicer at BMRB.CO.UK Fri Aug 8 10:59:03 2003
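A model of the front-end setup from Peter Peters' virtusertable entries and Mike Kercher's mailertable step, added here as a constructed example (not sendmail's code); `hostname.exchange.server` is the placeholder from Mike's post and only exact `user@domain` and `@domain` keys are modelled. It shows why listing every valid address behind an `@domain` catch-all stops dictionary-attack backscatter: unknown recipients get a 5xx reply at RCPT time instead of being relayed and bounced by Exchange.

```python
"""Model of a sendmail front end with virtusertable + mailertable.

Constructed example, not sendmail's own code.  Every valid address is
listed in virtusertable; the '@domain' catch-all maps everything else to
an error: entry, so unknown recipients are refused during the SMTP
transaction and no bounce is ever generated.  The dummy domain is routed
to the internal Exchange server through mailertable.  Only exact
'user@domain' and '@domain' keys are handled (no +detail, no %1).
"""

VIRTUSERTABLE = """\
# key                        value
@utwente.nl                  error:nouser No such user
postmaster@utwente.nl        admin@exchange-dummy.utwente.nl
abuse@utwente.nl             admin@exchange-dummy.utwente.nl
p.g.m.peters@utwente.nl      my-mailbox@some-other.system.utwente.nl
"""

# 'hostname.exchange.server' is the placeholder from Mike's post
MAILERTABLE = """\
exchange-dummy.utwente.nl    smtp:hostname.exchange.server
"""


def parse_map(text):
    """Parse a two-column sendmail map file into a dict (keys lower-cased)."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        table[key.lower()] = value.strip()
    return table


def resolve_recipient(recipient, virtuser, mailer):
    """Decide what the front end does with one RCPT TO address.

    Returns ('reject', smtp_reply) when virtusertable maps the address to an
    error: entry, or ('relay', next_hop, final_address) otherwise."""
    local, _, domain = recipient.lower().rpartition("@")
    # sendmail consults the full address first, then the per-domain catch-all
    rhs = virtuser.get(f"{local}@{domain}", virtuser.get(f"@{domain}"))
    if rhs is None:
        target = f"{local}@{domain}"          # not a virtual domain at all
    elif rhs.startswith("error:"):
        code, _, text = rhs[len("error:"):].partition(" ")
        status = "5.1.1" if code == "nouser" else "5.7.1"
        return ("reject", f"550 {status} {text}")
    else:
        target = rhs.lower()
    target_domain = target.rpartition("@")[2]
    route = mailer.get(target_domain)
    if route is None:
        return ("relay", f"mx:{target_domain}", target)   # ordinary MX delivery
    _mailer, _, host = route.partition(":")
    return ("relay", host, target)


def build_virtusertable(domain, mailboxes, dummy_domain):
    """Generate the table Peter describes: catch-all first, then one line per
    real mailbox pointing at the same local part in the dummy domain."""
    lines = [f"@{domain}\terror:nouser No such user"]
    lines += [f"{m}@{domain}\t{m}@{dummy_domain}" for m in sorted(mailboxes)]
    return "\n".join(lines) + "\n"


def dictionary_attack_outcome(candidates, virtuser, mailer):
    """(accepted, refused) counts for a list of guessed addresses; with the
    catch-all in place only the real mailboxes are accepted."""
    accepted = [c for c in candidates
                if resolve_recipient(c, virtuser, mailer)[0] == "relay"]
    return len(accepted), len(candidates) - len(accepted)


if __name__ == "__main__":
    v, m = parse_map(VIRTUSERTABLE), parse_map(MAILERTABLE)
    for rcpt in ("postmaster@utwente.nl", "nobody@utwente.nl"):
        print(rcpt, "->", resolve_recipient(rcpt, v, m))
```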
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:19:15 2006 Subject: trend mircro with MailScanner Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF794@pascal.priv.bmrb.co.uk> > But this wrapper ( /opt/MailScanner/lib/trend-wrapper ) would be > never used. Could you please explain why you believe this to be the case. MailScanner always uses the wrapper scripts. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From Kevin.Spicer at BMRB.CO.UK Fri Aug 8 10:59:48 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:19:15 2006
Subject: Internet -> Mailscanner -> Exchange 2000
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF795@pascal.priv.bmrb.co.uk>

Ugo Bellavance wrote:
> would an entry in /etc/hosts do the work, since I don't want to
> setup a dns server just for that?
>

Surely you already have DNS, otherwise how does your mail get to you?

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From steve at BASSI.COM Fri Aug 8 10:59:57 2003
From: steve at BASSI.COM (Steve Bassi)
Date: Thu Jan 12 21:19:15 2006
Subject: f-protwrapper version 3.27
References: <5.2.0.9.2.20030808083303.03f35c60@imap.ecs.soton.ac.uk>
Message-ID: <004101c35d93$d337a1c0$02fea8c0@LILBESS>

----- Original Message -----
From: "Julian Field" To: Sent: Friday, August 08, 2003 8:40 AM Subject: Re: f-protwrapper version 3.27 > At 02:27 08/08/2003, you wrote: > >I am still using 3.27 with F-prot. > > > >With the latest version of f-prot and the old mailscanner (3.27) I get the > >following message. > > > >Either you've found a bug in MailScanner's F-Prot output parser, or > >F-Prot's output format has changed! F-Prot said this "Action: Report > >only". Please mail the author of MailScanner > > > >What do I need to amend in f-protwrapper to correct this ? > > You need to get the latest F-Prot parser from the more recent MailScanner, > and replace your old one with this new one. > > Go somewhere safe > cd /tmp > Download the latest MailScanner-4.22-5.tar.gz > Unpack it > tar xzf MailScanner-4.22-5.tar.gz > Get to the right place > cd MailScanner-4.22-5/lib/MailScanner > > Now take a look at SweepViruses.pm. You will find a line > sub ProcessFProtOutput { > Save the whole of that sub to a file. > > Now go to wherever you have installed your copy of MailScanner 3.27. Hunt > in there and you will find a file "sweep.pl". Save a backup copy of this > somewhere safe in case you get into trouble. > > Again, in that file you will find a "sub ProcessFProtOutput {" line. > Replace the whole of that sub with the one you just extracted from version > 4.22-5. > > Then do a > perl -c sweep.pl > to syntax check it. > > Then restart MailScanner and you should now have the most recent parser > which will handle the new F-Prot versions. > > Sorry that is so long and convoluted, but the only direct support I now do > for version 3 is major security bugs (which no-one has found). > > P.S. Don't try blindly copying any other code from version 4 into version > 3, the *only* bits you can copy over are the virus scanners parsers. It was > a deliberate choice I made when creating version 4 just in case this exact > thing happened. 
> -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > Thanks Julian. That works ... Rgds Bassi From ugob at LINUX.CA Fri Aug 8 11:04:20 2003 From: ugob at LINUX.CA (Ugo Bellavance) Date: Thu Jan 12 21:19:15 2006 Subject: Internet -> Mailscanner -> Exchange 2000 In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0EBF795@pascal.priv.bmrb.co.uk> Message-ID: >Ugo Bellavance wrote: >> would an entry in /etc/hosts would do the work, since I don't want to >> setup a dns server just for that? >> >Surely you already have DNS, otherwise how does your mail get to you? My MX DNS record gives the address of my external firewall (1.2.3.4, for example), which does NAT and forwards trafic on port 25 to my MailScanner mail server, which would be, for example, 192.168.1.2 and then MS server sends the filtered messages to my internal firewall (192.168.1.3), which forwards the packets to the Microsoft Exchange server. We are a small office (8 users), so we use basic networking equipment. From jurik at afx.cz Fri Aug 8 11:04:47 2003 From: jurik at afx.cz (=?windows-1252?Q?Kamil_Jur=28=EDk_-_AFX?=) Date: Thu Jan 12 21:19:15 2006 Subject: Can't parse sub ProcessBitdefenderOutput In-Reply-To: <5.2.1.1.2.20030807231318.02785550@imap.ecs.soton.ac.uk> References: <5.2.1.1.2.20030807231318.02785550@imap.ecs.soton.ac.uk> Message-ID: <3F3375BF.3090206@afx.cz> Julian, it's ok. It's my bug. :-) Kamil Jurik Kamil Jurik Julian Field napsal(a): > As a very simple thing to test, add a line > export TERM=none > near the top of /usr/lib/MailScanner/bitdefender-wrapper > > If that doesn't work, then try > unset TERM > instead. > > Please let me know what effect this has, if any. > > Tento e-mail byl zkontrolovan na postovnim serveru AFX From ugob at LINUX.CA Fri Aug 8 11:22:19 2003 
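Julian's parser transplant above (extract `sub ProcessFProtOutput {` from the 4.22-5 SweepViruses.pm, replace the same sub in the 3.27 sweep.pl, keep a backup, run `perl -c`) as a scripted procedure. This is an added example, not MailScanner's own code; it assumes the sub starts on a `sub NAME {` line and ends at the balancing brace, and the two sample files it builds are constructed stand-ins, not the real modules.

```shell
#!/bin/sh
# Added example (not MailScanner's own code): transplant one Perl sub, here
# ProcessFProtOutput, from a 4.22-5 SweepViruses.pm into a 3.27 sweep.pl,
# with a backup and the "perl -c" check, as in Julian's instructions.
# Assumptions: the sub starts on a line "sub NAME {" and ends at the brace
# that balances it; braces inside strings or regexes are not tracked, so
# inspect the result before restarting MailScanner.

# extract_sub FILE NAME: print the source of sub NAME from FILE.
extract_sub() {
    awk -v name="$2" '
        inside == 0 && $0 ~ ("^sub[ \t]+" name "[ \t]*[{]") { inside = 1 }
        inside {
            print
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if (depth == 0) exit
        }' "$1"
}

# replace_sub TARGET NAME NEWFILE: print TARGET with sub NAME replaced by
# the contents of NEWFILE (the old body is skipped brace for brace).
replace_sub() {
    awk -v name="$2" -v newfile="$3" '
        skipping == 0 && $0 ~ ("^sub[ \t]+" name "[ \t]*[{]") {
            while ((getline line < newfile) > 0) print line
            close(newfile)
            skipping = 1
        }
        skipping {
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if (depth == 0) skipping = 0
            next
        }
        { print }' "$1"
}

# transplant_sub SOURCE TARGET NAME: back up TARGET to TARGET.bak, replace
# the sub, then syntax-check the result if perl is installed.
transplant_sub() {
    tmp=$(mktemp) || return 1
    extract_sub "$1" "$3" > "$tmp"
    if [ ! -s "$tmp" ]; then
        echo "sub $3 not found in $1" >&2
        rm -f "$tmp"
        return 1
    fi
    cp -p "$2" "$2.bak" || { rm -f "$tmp"; return 1; }
    replace_sub "$2" "$3" "$tmp" > "$2.new" && mv "$2.new" "$2"
    rm -f "$tmp"
    if command -v perl >/dev/null 2>&1; then
        perl -c "$2"
    fi
}

# make_samples DIR: constructed stand-ins for the two files (not real
# MailScanner code), so the procedure can be tried offline.
make_samples() {
    cat > "$1/SweepViruses.pm" <<'EOF'
package MailScanner::SweepViruses;
sub ProcessFProtOutput {
  my ($line) = @_;
  return 0 if $line =~ /^Action: Report only/;  # new F-Prot output
  return 1;
}
1;
EOF
    cat > "$1/sweep.pl" <<'EOF'
#!/usr/bin/perl
sub ProcessFProtOutput {
  my ($line) = @_;
  return 1;
}
sub OtherSub { return 2; }
1;
EOF
}
```

Run it as `d=$(mktemp -d); make_samples "$d"; transplant_sub "$d/SweepViruses.pm" "$d/sweep.pl" ProcessFProtOutput` and diff sweep.pl against sweep.pl.bak to see exactly what changed.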
From: ugob at LINUX.CA (Ugo Bellavance)
Date: Thu Jan 12 21:19:15 2006
Subject: Internet -> Mailscanner -> Exchange 2000
In-Reply-To: <004c01c35d59$99f55310$9c01a8c0@home.middlefinger.net>
Message-ID:

You wrote: <

References:
Message-ID: <3F337E0E.3000409@totalise.co.uk>

Sam

that's what we are working on for the next point release of mailwatch. I
think the first system will be sendmail only (easier to do), but we could
look at postfix/exim to see just how trivial it is to do.

Steve can we add that to the todo list, at least the investigation part for
postfix and exim to the 0.3 release?

--
martin

Samuel Luxford-Watts wrote:
> Hmm.... True to a point but I would like to be able to delegate the menial
> tasks to those who are less skilled :-)
>
> I don't want my or my techie guy's time taken up with having to do simple
> repetitive tasks that could be easily performed by frontline support. And I
> don't want those guys having command line access to our servers - hence the
> need for some sort of basic gui for simple day-to-day management and
> monitoring.
>
> Sam
>
> -----Original Message-----
> From: Gary Smithe [mailto:gsmithe@OFALLON90.NET]
> Sent: 07 August 2003 20:17
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: POSTFIX release from quarantine (WAS: How to let through
> innocent messages)
>
>
> "That would be very useful for non UNIX-aware administrators."
>
> Maybe I'm just malaligned mentally, but IMHO I think that if you're using
> Mailscanner in any form, then you should be *NIX-aware - at least more than
> most Windows users.
>
> Not trying to start a flame war, I just get ticked with people in fields of
> work that aren't competent.
>
> Gary
>
>
>>-----Original Message-----
>>From: Nejc Skoberne [mailto:nejc.skoberne@GUEST.ARNES.SI]
>>Sent: Thursday, August 07, 2003 12:53 PM
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: Re: POSTFIX release from quarantine (WAS: How to let
>>through innocent messages)
>>
>>
>>Hi.
>>
>>
>>>>If someone could write a nice script ...
>>>
>>>No need. As I mentioned earlier, you can just do
>>>postdrop < quarantined-message-file
>>>and let postfix sort out the inode numbers all by itself.
>>
>>That's true, but I agree that it would be really nice to have a "GUI"
>>way of doing this. As a Webmin module or something. That would be very
>>useful for non UNIX-aware administrators.
>>
>>Something else bothers me. If I set this:
>>
>>Quarantine Whole Messages As Queue Files = yes
>>
>>it is quite hard to grep those files for i.e. for "Subject". How do
>>you guys monitor innocent messages? Just monitoring the messages (or
>>maillog) file?
>>
>>Thanks.
>>
>>--
>>Nejc Skoberne
>>Grajska 5
>>SI-5220 Tolmin
>>E-mail: nejc.skoberne@guest.arnes.si
>>
>
>
> --------------
> Winckworth Sherwood Solicitors and Parliamentary Agents
> DX 148400 WESTMINSTER 5 : 35 Great Peter Street, London SW1P 3LR
> Telephone 020 7593 5000 Fax 020 7593 5099
>
> Do something amazing!
> The firm is supporting a charitable bike ride through Vietnam and needs your help. For further information please visit www.vietnambikeride.org
>
> -Confidentiality-
> This email message and any attachments are confidential; they may be subject to legal professional privilege and are intended for the named recipient only. If you are not the named recipient, please return the message and enclosures immediately and delete them from your system.
>
> -Caution-
> Before advice received only by email (whether by attachment or otherwise) may be relied on, the authenticity of the communication must be verified by means independent of email.
>
> -Regulation-
> The firm is regulated by the Law Society.
>
> -Partners-
> A list of partners is available for inspection at each office of the firm and on the firm's website at www.winckworths.co.uk

From john at TRADOC.FR Fri Aug 8 11:40:58 2003
From: john at TRADOC.FR (John Wilcock)
Date: Thu Jan 12 21:19:15 2006
Subject: Internet -> Mailscanner -> Exchange 2000
In-Reply-To:
References: <004c01c35d59$99f55310$9c01a8c0@home.middlefinger.net>
Message-ID:

On Fri, 8 Aug 2003 06:22:19 -0400, Ugo Bellavance wrote:
> Anyone would, by any chance, have the config for a postfix mail server?
> transport_maps? I'll try to figure out by myself and let you know if I find
> it.

I have a similar config with postfix forwarding to an internal server. Yes,
transport_maps is the answer.

transport_maps = hash:/etc/postfix/transport

where /etc/postfix/transport contains:

domain.com smtp:destination.server

and has to be hashed with postmap before use.

John.

--
-- Over 2000 webcams from ski resorts around the world - http://www.snoweye.com/
-- Translate your technical documents and web pages - http://www.tradoc.fr/

From ugob at LINUX.CA Fri Aug 8 11:51:17 2003
From: ugob at LINUX.CA (Ugo Bellavance)
Date: Thu Jan 12 21:19:15 2006
Subject: Internet -> Mailscanner -> Exchange 2000
In-Reply-To:
Message-ID:

> Anyone would, by any chance, have the config for a postfix mail server?
> transport_maps? I'll try to figure out by myself and let you know if I find
> it.

I have a similar config with postfix forwarding to an internal server. Yes,
transport_maps is the answer.

transport_maps = hash:/etc/postfix/transport

where /etc/postfix/transport contains:

domain.com smtp:destination.server

and has to be hashed with postmap before use.

John.

-----

I think I see my mistake... I edited /etc/postfix.in/transport_maps.

But now my question is: which one of the main.cf should I configure?
/etc/postfix.in/main.cf or /etc/postfix/main.cf?

Thanks,

Ugo

From john at TRADOC.FR Fri Aug 8 11:58:15 2003
From: john at TRADOC.FR (John Wilcock)
Date: Thu Jan 12 21:19:15 2006
Subject: Internet -> Mailscanner -> Exchange 2000
In-Reply-To:
References:
Message-ID:

On Fri, 8 Aug 2003 06:51:17 -0400, Ugo Bellavance wrote:
> I think I see my mistake... I edited /etc/postfix.in/transport_maps.
>
> but now my question is: which one of the main.cf should I configure?
> /etc/postfix.in/main.cf or /etc/postfix/main.cf?

Messages are delivered by the outgoing postfix, so you need to edit
/etc/postfix/main.cf

John.

--
-- Over 2000 webcams from ski resorts around the world - http://www.snoweye.com/
-- Translate your technical documents and web pages - http://www.tradoc.fr/

From steve.freegard at LBSLTD.CO.UK Fri Aug 8 12:07:01 2003
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:19:15 2006
Subject: OTmailwatch - was( RE: POSTFIX release from quarantine)
Message-ID: <67D9E7698329D411936E00508B6590B902773A67@neelix.lbsltd.co.uk>

Hi Martin,

I've been working on it this morning - the good news is that what is written
so far isn't MTA specific as it uses the MIME_Mail pear class to re-send the
mail as an attachment.

It does however rely on having 'Quarantine Whole Messages As Queue Files =
no' and 'xxx Spam Actions = store ...' for it to work correctly (the
resulting quarantine files are then stored as message/rfc822 files).

I've still got a fair amount of work to do to sort out permissions and
polish off the UI, but there will be something workable for the 0.3 release.

Kind regards,
Steve.

-----Original Message-----
From: Martin Hepworth [mailto:maxsec@TOTALISE.CO.UK]
Sent: 08 August 2003 11:40
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: OTmailwatch - was( RE: POSTFIX release from quarantine)

Sam

that's what we are working on for the next point release of mailwatch. I
think the first system will be sendmail only (easier to do), but we could
look at postfix/exim to see just how trivial it is to do.

Steve can we add that to the todo list, at least the investigation part for
postfix and exim to the 0.3 release?

--
martin

--
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox.

This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses.

From slwatts at WINCKWORTHS.CO.UK Fri Aug 8 12:13:34 2003
From: slwatts at WINCKWORTHS.CO.UK (Samuel Luxford-Watts)
Date: Thu Jan 12 21:19:15 2006
Subject: Internet -> Mailscanner -> Exchange 2000
Message-ID:

Can't you have both /etc/postfix.in and /etc/postfix using the same transport
maps? (/etc/postfix/transport)

The only thing that is different between my two postfix main.cf's is the
queue paths and /etc/postfix.in/main.cf has defer_transports = smtp local
virtual relay. Is this wrong? It's all working ok.

Sam

-----Original Message-----
From: John Wilcock [mailto:john@TRADOC.FR]
Sent: 08 August 2003 11:58
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Internet -> Mailscanner -> Exchange 2000

On Fri, 8 Aug 2003 06:51:17 -0400, Ugo Bellavance wrote:
> I think I see my mistake... I edited /etc/postfix.in/transport_maps.
>
> but now my question is: which one of the main.cf should I configure?
> /etc/postfix.in/main.cf or /etc/postfix/main.cf?

Messages are delivered by the outgoing postfix, so you need to edit
/etc/postfix/main.cf

John.

--
-- Over 2000 webcams from ski resorts around the world - http://www.snoweye.com/
-- Translate your technical documents and web pages - http://www.tradoc.fr/

From arm at SPAR.AT Fri Aug 8 12:24:02 2003
From: arm at SPAR.AT (Rainer Anschober)
Date: Thu Jan 12 21:19:15 2006
Subject: trend micro with MailScanner
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0EBF794@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0EBF794@pascal.priv.bmrb.co.uk>
Message-ID: <1060341841.1701.20.camel@gandalf>

I write in the first line a command like this:

date >>/var/log/trend.log 2>&1

But there are no entries in the log.

Regards, Rainer

On Fri, 2003-08-08 at 11:59, Spicer, Kevin wrote:
> > But this wrapper ( /opt/MailScanner/lib/trend-wrapper ) would be
> > never used.
>
> Could you please explain why you believe this to be the case.
> MailScanner always uses the wrapper scripts.
>
>
>
> BMRB International
> http://www.bmrb.co.uk
> +44 (0)20 8566 5000

From john at TRADOC.FR Fri Aug 8 12:33:53 2003
From: john at TRADOC.FR (John Wilcock)
Date: Thu Jan 12 21:19:15 2006
Subject: Internet -> Mailscanner -> Exchange 2000
In-Reply-To:
References:
Message-ID:

On Fri, 8 Aug 2003 12:13:34 +0100, Samuel Luxford-Watts wrote:
> Cant you have both /etc/postfix.in and /etc/postfix using the same transport
> maps? (/etc/postfix/transport)

You can (and if you follow Julian's instructions you will have) but since Ugo
already has the two instances he only needs to edit the file for the instance
which will actually use the smtp transport.

John.

--
-- Over 2000 webcams from ski resorts around the world - http://www.snoweye.com/
-- Translate your technical documents and web pages - http://www.tradoc.fr/

From mailscanner at ecs.soton.ac.uk Fri Aug 8 12:34:30 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:15 2006
Subject: trend micro with MailScanner
In-Reply-To: <1060341841.1701.20.camel@gandalf>
References: <5C0296D26910694BB9A9BBFC577E7AB0EBF794@pascal.priv.bmrb.co.uk> <5C0296D26910694BB9A9BBFC577E7AB0EBF794@pascal.priv.bmrb.co.uk>
Message-ID: <5.2.0.9.2.20030808122935.04089dc8@imap.ecs.soton.ac.uk>

It works like this.

You put
Virus Scanners = trend
in your MailScanner.conf and then restart MailScanner.

MailScanner reads the location of the virus scanners configuration file from
the "Virus Scanner Definitions" in MailScanner.conf. This is probably set to
/opt/MailScanner/etc/virus.scanners.conf.

MailScanner looks up "trend" in /opt/MailScanner/etc/virus.scanners.conf.
It finds it needs to use the wrapper script
/opt/MailScanner/lib/trend-wrapper
to run the virus scanner.

It adds some command-line options specified in an internal table in
SweepViruses.pm in the main code, adds a "." on the end so the scanner knows
to scan the current directory, and calls "/opt/MailScanner/lib/trend-wrapper"
with all the options on the end of the command-line.

If that doesn't work, you have played with something you shouldn't have.

You don't need a "date" command in a script to be able to tell if it is used
or not, that's what "ls -lu" is for (gives you the last time files were read,
not when they were modified).

At 12:24 08/08/2003, you wrote:
>I write in the first line a command like this:
>
>date >>/var/log/trend.log 2>&1
>
>But there are no entries in the log.
>
>Regards, Rainer
>
>
>On Fri, 2003-08-08 at 11:59, Spicer, Kevin wrote:
> > > But this wrapper ( /opt/MailScanner/lib/trend-wrapper ) would be
> > > never used.
> >
> > Could you please explain why you believe this to be the case.
> > MailScanner always uses the wrapper scripts.
> >
> >
> >
> > BMRB International
> > http://www.bmrb.co.uk
> > +44 (0)20 8566 5000

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Aug 8 12:41:32 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:15 2006
Subject: ANNOUNCE: Beta release 4.23-2
Message-ID: <5.2.0.9.2.20030808124017.0464e458@imap.ecs.soton.ac.uk>

I have added support for eTrust.

I have also greatly improved the flexibility of the "Allowed Sophos Error
Messages" option so you can specify multiple strings so you can allow for
lots of different errors it may produce.

Download as usual from www.mailscanner.info

Let me know how you get on.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From nerijus at USERS.SOURCEFORGE.NET Fri Aug 8 12:49:00 2003
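The lookup chain Julian describes (Virus Scanners, Virus Scanner Definitions, virus.scanners.conf, wrapper script) and his `ls -lu` tip, written out as a configuration check. This is an added example, not MailScanner's own code; the `Key = value` and `name wrapper installdir` file formats are assumptions about the two config files, and the sample files it builds are constructed.

```shell
#!/bin/sh
# Added example (not MailScanner's own code): walk the lookup chain
# MailScanner.conf -> "Virus Scanner Definitions" -> virus.scanners.conf
# -> wrapper script, and report the state of each configured wrapper.
# Assumed formats: "Key = value" lines in MailScanner.conf (key matched
# case-insensitively) and "name wrapper installdir" lines in
# virus.scanners.conf; sample files are constructed by make_samples.

# conf_value FILE KEY: value of KEY from a "Key = value" file, or nothing.
conf_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || !/=/ { next }
        {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# wrapper_for DEFS NAME: wrapper path for scanner NAME, or nothing.
wrapper_for() {
    awk -v name="$2" '/^[ \t]*#/ { next } $1 == name { print $2; exit }' "$1"
}

# wrapper_state WRAPPER: ok | missing | not-executable
wrapper_state() {
    if [ ! -e "$1" ]; then echo missing
    elif [ ! -x "$1" ]; then echo not-executable
    else echo ok
    fi
}

# check_scanners MSCONF: one line "name wrapper state" per configured
# scanner ("none" means no scanning and is skipped). Returns 1 if any
# scanner cannot be run, which is what Rainer's symptom looks like.
check_scanners() {
    defs=$(conf_value "$1" "Virus Scanner Definitions")
    rc=0
    for name in $(conf_value "$1" "Virus Scanners"); do
        [ "$name" = none ] && continue
        wrapper=$(wrapper_for "$defs" "$name")
        if [ -z "$wrapper" ]; then
            echo "$name - not-in-definitions"; rc=1; continue
        fi
        state=$(wrapper_state "$wrapper")
        echo "$name $wrapper $state"
        [ "$state" = ok ] || rc=1
    done
    return $rc
}

# last_read WRAPPER: Julian's tip, the access time shows whether the
# wrapper is actually being run. Only meaningful when the filesystem
# records atime (not mounted noatime).
last_read() {
    ls -lu "$1"
}

# make_samples DIR: constructed config with one usable and one missing
# wrapper, mirroring the /opt/MailScanner layout from the thread.
make_samples() {
    printf '#!/bin/sh\nexit 0\n' > "$1/trend-wrapper"
    chmod 755 "$1/trend-wrapper"
    printf '# name wrapper installdir\ntrend %s/trend-wrapper /etc/iscan\nsophos %s/sophos-wrapper /usr/local/bin\n' \
        "$1" "$1" > "$1/virus.scanners.conf"
    printf 'Virus Scanners = trend sophos\nVirus Scanner Definitions = %s/virus.scanners.conf\n' \
        "$1" > "$1/MailScanner.conf"
}
```

On a real installation, `check_scanners /opt/MailScanner/etc/MailScanner.conf` followed by `last_read` on the reported wrapper path answers both questions in the thread without editing any wrapper.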
From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas)
Date: Thu Jan 12 21:19:15 2006
Subject: ANNOUNCE: beta release 4.23-1
In-Reply-To: <5.2.0.9.2.20030807153034.04246c50@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030807153034.04246c50@imap.ecs.soton.ac.uk>
Message-ID: <20030808113813.F004A1E99E@mx.ktv.lt>

On Thu, 7 Aug 2003 15:33:32 +0100 Julian Field wrote:

> * Fixes *
> - Corrected handling of non-archives in kavdaemonclient scanner.

Hello,

I just diffed SweepViruses.pm between MailScanner-4.22-5.rpm.tar.gz
and MailScanner-4.23-2.rpm.tar.gz and don't see any difference in
kavdaemonclient output parsing code.

Regards,
Nerijus

From martin.hierling at fh-luh.de Fri Aug 8 12:47:58 2003
From: martin.hierling at fh-luh.de (Martin Hierling)
Date: Thu Jan 12 21:19:15 2006
Subject: reinserting saved quarantine messages
Message-ID: <20030808114758.GA15818@sulu.cc.fh-lippe.de>

Hi List,

I have a short (I hope) question about mailscanner with exim. I have
configured mailscanner with:

Quarantine Whole Message = yes

so that I get a complete message in the quarantine dir. This message looks like:

---
Received: from uhura.somedoain.de ([192.168.1.1])
        by suedfall.somedomain.de with esmtp (Exim 4.12)
        id 19l2I2-00078S-00
        for mad@suedfall.somedomain.de; Fri, 08 Aug 2003 10:07:58 +0200
.... some header stuff ....

--SLDf9lqlvOQaIe6s
Content-Type: application/x-msdos-program
Content-Disposition: attachment; filename="Cogito_Ergo_Sum.exe"
Content-Transfer-Encoding: base64

....
AAAAAAAAAAAAAAAAAAAA

--SLDf9lqlvOQaIe6s--
---

so, now my question is how do I feed this back to exim to get it delivered
as it is?

regards and have a nice weekend
Martin

--
Dipl.-Ing. Martin Hierling - S|KIM [it]
FH Lippe und Hoexter
Room 343 - Liebigstr. 87 - 32657 Lemgo - Germany - Earth
Tel.: +49-(0)5261 - 702-433 - Fax: +49-(0)5261 - 702-467
----------------------------------------------------------------
If it walks out of your refrigerator, LET IT GO !!
----------------------------------------------------------------

From nerijus at USERS.SOURCEFORGE.NET Fri Aug 8 13:09:55 2003
From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas)
Date: Thu Jan 12 21:19:15 2006
Subject: trend micro with MailScanner
In-Reply-To: <5.2.0.9.2.20030808122935.04089dc8@imap.ecs.soton.ac.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0EBF794@pascal.priv.bmrb.co.uk> <5C0296D26910694BB9A9BBFC577E7AB0EBF794@pascal.priv.bmrb.co.uk> <5.2.0.9.2.20030808122935.04089dc8@imap.ecs.soton.ac.uk>
Message-ID: <20030808115813.6F38B1ED44@mx.ktv.lt>

On Fri, 8 Aug 2003 12:34:30 +0100 Julian Field wrote:

> MailScanner looks up "trend" in /opt/MailScanner/etc/virus.scanners.conf.
> It finds it needs to use the wrapper script
> /opt/MailScanner/lib/trend-wrapper
> to run the virus scanner.

I've just had an idea - why not transfer all configurable paths from
antivir-wrappers (PackageDir and prog) to virus.scanners.conf?
Then for antivir it would look like:

antivir /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir prog=antivir

or

antivir /usr/lib/MailScanner/antivir-wrapper PackageDir=/usr/lib/AntiVir prog=antivir

Regards,
Nerijus

From Steve at swaney.com Fri Aug 8 14:22:22 2003
From: Steve at swaney.com (Stephen Swaney)
Date: Thu Jan 12 21:19:15 2006
Subject: Release from quarantine
In-Reply-To: <67D9E7698329D411936E00508B6590B902773A67@neelix.lbsltd.co.uk>
References: <67D9E7698329D411936E00508B6590B902773A67@neelix.lbsltd.co.uk>
Message-ID: <1060348942.25553.149.camel@speedy>

Being able to release a quarantined message using a GUI will be an immensely
helpful tool.

While the "attachment" feature that Julian added has been a big success with
our users, I've been thinking a bit about how to handle spam and the
interaction of the recipient with an overworked help desk.

Rolling out MailScanner and SpamAssassin can be an interesting experience for
a help desk. Often (unfortunately) the end users are not properly prepared
for the results of virus and spam filtering.

The new report message options Julian has added will definitely reduce the
number of "confused" recipients, but in a perfect world, the spam delivery
process might work something like this:

Subject: {Spam?} gjjansen mdkbymfa [Msg ID: h78D8sfM014806]

Our MailScanner believes that this message sent to you

From: 47dotb@erie.net
Subject: gjansen mdkbymfa

is Unsolicited Commercial Email (spam) and has been quarantined. This message
will be stored for 7 days and then deleted.

If you are sure that this message is incorrectly thought to be Spam, please
forward this email to spamsender@helpdesk.somewhere.com and the quarantined
message will be forwarded to you.

If you want to have messages from this Sender never marked as spam, please
forward this email to whitelist@helpdesk.somewhere.com

spamsender@helpdesk.somewhere.com would be a pipe to a process that releases
the message from quarantine.

whitelist@helpdesk.somewhere.com would be a pipe to a process that whitelists
the sender for this recipient.

While these scripts would need to be different for varying site
configurations, MTAs and user preference storage alternatives, some sample
scripts could be provided for MailScanner users who wish to implement this
feature.

Just my 2 cents and hopefully not a "feature bloat" issue

Steve Swaney
Steve@FSL.com

On Fri, 2003-08-08 at 07:07, Steve Freegard wrote:
> Hi Martin,
>
> I've been working on it this morning - the good news is that what is written
> so far isn't MTA specific as it uses the MIME_Mail pear class to re-send the
> mail as an attachment.
>
> It does however rely on having 'Quarantine Whole Messages As Queue Files =
> no' and 'xxx Spam Actions = store ...' for it to work correctly (the
> resulting quarantine files are then stored as message/rfc822 files).
>
> I've still got a fair amount of work to do to sort out permissions and
> polish off the UI, but there will be something workable for the 0.3 release.
>
> Kind regards,
> Steve.
>

--
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.

--
Postmaster@FSL.com
Fortress Systems, Ltd.
Email Gateways
info@FSL.com
www.FSL.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030808/434a9f1d/attachment.html

From mike at CAMAROSS.NET Fri Aug 8 14:25:48 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:16 2006
Subject: Internet -> Mailscanner -> Exchange 2000
In-Reply-To:
Message-ID: <000601c35db0$9544d7d0$9c01a8c0@home.middlefinger.net>

No...the MX record tells the rest of the world where your mail server is.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ugo Bellavance
Sent: Friday, August 08, 2003 4:56 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Internet -> Mailscanner -> Exchange 2000

would an entry in /etc/hosts would do the work, since I don't want to
setup a dns server just for that?

Thanks

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Mike Kercher
Sent: 7 August 2003 23:03
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Internet -> Mailscanner -> Exchange 2000

This is actually a very simple process.

Say your TLD is domain.com

You make the MX record in DNS point to the IP of your sendmail/MailScanner
machine.

You add an entry to /etc/mail/relay-domains:
domain.com

Add an entry to /etc/mailertable:
domain.com smtp:hostname.exchange.server

Save your file and hash it.

Restart MailScanner and you are done.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ugo Bellavance
Sent: Thursday, August 07, 2003 9:40 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Internet -> Mailscanner -> Exchange 2000

Hi,

I searched through the archives, but didn't find anything relevant.

I am looking forward to using Mailscanner in front of my Exchange 2000 server
(by the way, it could be any SMTP server). I read the docs, but in all cases,
it talks about mailscanner being installed on the machine where the actual
mailboxes are.

What I want to do is filter out spam and viruses (although I have symantec AV
for exchange) with mailscanner, in the DMZ, and then send the filtered
messages to my Exchange 2000 server.

Right now, my Exchange 2000 server receives mail directly from the internet
and I don't really like that. I would, at least, want to have a mail relay
in my DMZ (so that I wouldn't care too much if it's compromised, since there
is a firewall between it and my LAN), that sends the messages to my internal
Exchange server. Of course, since MailScanner can filter spam and viruses, I
would like to implement that as well.

How do I do that? Simply putting my exchange 2000 server as a "relay_host"
in postfix? I tried a few things, like playing with the transport file, but
the result is that it sent the mail to the Exchange server, but without
scanning for viruses and filtering spam.

How do I know it is not scanned? I don't see these messages in my logs:

Aug 7 07:48:20 server MailScanner[4450]: New Batch: Scanning 1 messages, 501 bytes
Aug 7 07:48:34 server MailScanner[4450]: Virus and Content Scanning: Starting
Aug 7 07:48:34 server MailScanner[4450]: Uninfected: Delivered 1 messages

Thanks,

Ugo Bellavance,

-----------------------------
What do you plan to do with all your freedom?
http://www.gnu.org/

From mailscanner at ecs.soton.ac.uk Fri Aug 8 14:08:45 2003
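The relay step that both Mike (sendmail mailertable) and John (postfix transport) describe ends with "save the file and hash it", and the usual way it goes wrong is that the text file is edited but the `.db` is never rebuilt, so the MTA keeps using the old map. Below is an added check for that, not code from the thread; the map file it builds is a constructed mailertable in the form Mike gives, and the `mailer:host` column layout is assumed to match both map types.

```shell
#!/bin/sh
# Added example (not from the thread): check the relay map that hands a
# domain on to the internal Exchange host, sendmail's mailertable or
# postfix's transport file. Both share one failure mode: the text file is
# edited but the hashed .db is never rebuilt. Sample map is constructed.

# map_entry MAPFILE DOMAIN: the transport for DOMAIN (e.g.
# "smtp:hostname.exchange.server"), or nothing if there is no entry.
map_entry() {
    awk -v d="$2" '/^[ \t]*#/ { next } $1 == d { print $2; exit }' "$1"
}

# map_is_fresh MAPFILE: true if MAPFILE.db exists and is at least as new
# as MAPFILE (the hash step has been run since the last edit).
map_is_fresh() {
    [ -e "$1.db" ] && [ ! "$1" -nt "$1.db" ]
}

# check_relay MAPFILE DOMAIN: print findings, return the number of problems.
check_relay() {
    problems=0
    entry=$(map_entry "$1" "$2")
    case "$entry" in
        smtp:*|esmtp:*|relay:*)
            echo "$2 relays to ${entry#*:} via the ${entry%%:*} mailer" ;;
        "")
            echo "no entry for $2 in $1"; problems=$((problems + 1)) ;;
        *)
            echo "unexpected transport '$entry' for $2"; problems=$((problems + 1)) ;;
    esac
    if ! map_is_fresh "$1"; then
        echo "$1.db missing or older than $1: rebuild it (makemap hash $1 < $1 for sendmail, postmap $1 for postfix)"
        problems=$((problems + 1))
    fi
    return $problems
}

# make_sample DIR: constructed mailertable in the form Mike gives.
make_sample() {
    printf '# domain   mailer:host\ndomain.com\tsmtp:hostname.exchange.server\n' > "$1/mailertable"
}
```

Against a live box, `check_relay /etc/mail/mailertable domain.com` (or the postfix transport file) reports a stale map before you spend time on the MX or firewall side.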
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:16 2006 Subject: ANNOUNCE: beta release 4.23-1 In-Reply-To: <20030808113813.F004A1E99E@mx.ktv.lt> References: <5.2.0.9.2.20030807153034.04246c50@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030807153034.04246c50@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030808140743.040bf970@imap.ecs.soton.ac.uk> At 12:49 08/08/2003, you wrote: >On Thu, 7 Aug 2003 15:33:32 +0100 Julian Field > wrote: > > > * Fixes * > > - Corrected handling of non-archives in kavdaemonclient scanner. > >Hello, > >I just diffed SweepViruses.pm between MailScanner-4.22-5.rpm.tar.gz >and MailScanner-4.23-2.rpm.tar.gz and don't see any difference in >kavdaemonclient output parsing code. > >Regards, >Nerijus Well caught! Here's a patch for SweepViruses (it's a 2 character change in 1 line). --- SweepViruses.pm 2003-08-08 12:29:10.000000000 +0100 +++ SweepViruses.pm.new 2003-08-08 14:11:03.000000000 +0100 @@ -1267,7 +1266,7 @@ $logout =~ s/%/%%/g; MailScanner::Log::InfoLog($logout); $line =~ s/^$BaseDir//; - $line =~ s/(.*) infected:.*/\.$1/; # To handle long paths again + $line =~ s/(.*)\sinfected:.*/\.$1/; # To handle long paths again ($dot,$id,$part,@rest) = split(/\//, $line); $report = $Name . ': ' . $report if $Name; $infections->{"$id"}{"$part"} .= $report . "\n"; This will be in the next release. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Aug 8 14:11:32 2003 
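Review bot: the hunk header `@@ -1267,7 +1266,7 @@` shows the new file is already one line shorter above this point, so the diff was taken against a SweepViruses.pm.new that differs from the shipped 4.23-2 file elsewhere and will only apply with an offset; regenerate it against a clean copy so it really is the one-line change the message describes. The change itself, `(.*) infected:` to `(.*)\sinfected:`, lets the separator be a tab as well as a space, and since `(.*)` stays greedy the capture still extends to the last such marker on the line, so a path containing whitespace followed by `infected:` is handled, whereas any report text after the real marker that contains the same sequence would be swallowed into `$1`; worth a comment on the line, given the kavdaemonclient output format is what prompted the fix.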
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:16 2006
Subject: trend micro with MailScanner
In-Reply-To: <20030808115813.6F38B1ED44@mx.ktv.lt>
References: <5.2.0.9.2.20030808122935.04089dc8@imap.ecs.soton.ac.uk> <5C0296D26910694BB9A9BBFC577E7AB0EBF794@pascal.priv.bmrb.co.uk> <5C0296D26910694BB9A9BBFC577E7AB0EBF794@pascal.priv.bmrb.co.uk> <5.2.0.9.2.20030808122935.04089dc8@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030808141100.045d4f80@imap.ecs.soton.ac.uk>

At 13:09 08/08/2003, you wrote:
>On Fri, 8 Aug 2003 12:34:30 +0100 Julian Field wrote:
>
> > MailScanner looks up "trend" in /opt/MailScanner/etc/virus.scanners.conf.
> > It finds it needs to use the wrapper script
> > /opt/MailScanner/lib/trend-wrapper
> > to run the virus scanner.
>
>I've just had an idea - why not transfer all configurable paths from
>antivir-wrappers (PackageDir and prog) to virus.scanners.conf?
>Then for antivir it would look like:
>antivir /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir prog=antivir
>or
>antivir /usr/lib/MailScanner/antivir-wrapper PackageDir=/usr/lib/AntiVir prog=antivir

Not a bad idea, but let me think about possible consequences of upgrading
systems where people have already modified some of the default wrappers to
handle their own paths....

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Aug 8 14:14:43 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:16 2006 Subject: Trying to get MailScanner v4.22-5 to forward messages In-Reply-To: Message-ID: <5.2.0.9.2.20030808141406.087fa878@imap.ecs.soton.ac.uk> At 22:42 07/08/2003, you wrote: > > > > > > > > > > > > > > Also, try doing a "sendmail -bv > > >one.of.your.addresses@yourdomain.com" to > > > > > see how sendmail thinks it will try to deliver a message to one >of > > >your > > > > > users. > > > > > > > Here is the command and the output. > > > > > > ./sendmail -bv cslyon@netsvcs.com > > > cslyon@netsvcs.com... deliverable: mailer esmtp, host netsvcs.com., > > >user > > > cslyon@netsvcs.com > > > > What sort of setup are you using to run MailScanner? The one I suggest >in > > the FAQ involving using your firewall to block incoming access to your > > primary MX, and running MailScanner on a secondary MX? Or else what? > >I want to have MailScanner scan all incoming mail for spam and viri >content and forward it over to my production mail server which is >exchange. Mail scanner is opened from the outside on port 25 and I can >telnet to it on port 25. I see the mail coming into the box and it sits >in the /var/spool/mqueue.in directory. So, I know that is working. The >MX records are pointed just as you have stated above? Please do a "ps ax" and send me the output. Also, what does your maillog have to say about MailScanner? -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From Antony at SOFT-SOLUTIONS.CO.UK Fri Aug 8 14:34:38 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:16 2006 Subject: trend mircro with MailScanner In-Reply-To: <5.2.0.9.2.20030808141100.045d4f80@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030808122935.04089dc8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030808141100.045d4f80@imap.ecs.soton.ac.uk> Message-ID: <200308081334.h78DYfD15858@onyx.rockstone.co.uk> On Friday 08 August 2003 2:11 pm, Julian Field wrote: > >I've just had an idea - why not to transfer all configurable paths from > >antivir-wrappers (PackageDir and prog) to virus.scanners.conf? > >Then for antivir it looked like: > >antivir /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir > >prog=antivir > >or > >antivir /usr/lib/MailScanner/antivir-wrapper > >PackageDir=/usr/lib/AntiVir prog=antivir > > Not a bad idea, but let me think about possible consequences of upgrading > systems where people have already modified some of the default wrappers to > handle their own paths.... I like this idea too. As far as people who've already modified the default wrappers are concerned, surely they need to be on the lookout whenever there's a new version (of MS) anyway, to make sure their customer wrapper doesn't get over-written? So, no more than the usual warnings needed, I would think? Antony. -- The truth is rarely pure, and never simple. - Oscar Wilde From mailscanner at ecs.soton.ac.uk Fri Aug 8 14:42:58 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:16 2006 Subject: trend mircro with MailScanner In-Reply-To: <200308081334.h78DYfD15858@onyx.rockstone.co.uk> References: <5.2.0.9.2.20030808141100.045d4f80@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030808122935.04089dc8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030808141100.045d4f80@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030808144042.04ddc708@imap.ecs.soton.ac.uk> At 14:34 08/08/2003, you wrote: >On Friday 08 August 2003 2:11 pm, Julian Field wrote: > > > >I've just had an idea - why not to transfer all configurable paths from > > >antivir-wrappers (PackageDir and prog) to virus.scanners.conf? > > >Then for antivir it looked like: > > >antivir /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir > > >prog=antivir > > >or > > >antivir /usr/lib/MailScanner/antivir-wrapper > > >PackageDir=/usr/lib/AntiVir prog=antivir > > > > Not a bad idea, but let me think about possible consequences of upgrading > > systems where people have already modified some of the default wrappers to > > handle their own paths.... > >I like this idea too. > >As far as people who've already modified the default wrappers are concerned, >surely they need to be on the lookout whenever there's a new version (of MS) >anyway, to make sure their customer wrapper doesn't get over-written? I will need to rewrite update_virus_scanners as it now needs to be able to parse a file sensibly. I'll think about it and see how bored I get this weekend. Its competition is sitting in a shady part of my garden with a chilled bottle of white wine (possibly a Chablis) and a damn good book. Hmmm..... -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From nerijus at USERS.SOURCEFORGE.NET Fri Aug 8 14:46:12 2003 
From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas) Date: Thu Jan 12 21:19:16 2006 Subject: trend mircro with MailScanner In-Reply-To: <5.2.0.9.2.20030808141100.045d4f80@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030808122935.04089dc8@imap.ecs.soton.ac.uk><5C0296D26910694BB9A9BBFC577E7AB0EBF794@pascal.priv.bmrb.co.uk><5C0296D26910694BB9A9BBFC577E7AB0EBF794@pascal.priv.bmrb.co.uk><5.2.0.9.2.20030808122935.04089dc8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030808141100.045d4f80@imap.ecs.soton.ac.uk> Message-ID: <200308081347.h78DloO10640@mail.schetelig.lt> On Fri, 8 Aug 2003 14:11:32 +0100 Julian Field wrote: > >I've just had an idea - why not to transfer all configurable paths from > >antivir-wrappers (PackageDir and prog) to virus.scanners.conf? > >Then for antivir it looked like: > >antivir /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir > >prog=antivir > >or > >antivir /usr/lib/MailScanner/antivir-wrapper > >PackageDir=/usr/lib/AntiVir prog=antivir > > Not a bad idea, but let me think about possible consequences of upgrading > systems where people have already modified some of the default wrappers to > handle their own paths.... Only a one-time change, but in the future it will be easier in exactly such cases: people will modify only the config file (virus.scanners.conf), which is not upgraded when upgrading the rpm, thus preserving the changes the user made, and all wrappers can be safely upgraded. Regards, Nerijus From mikea at MIKEA.ATH.CX Fri Aug 8 14:59:45 2003 
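As an added example (not MailScanner's own code; the extended virus.scanners.conf format is only the proposal in this thread), here is a small parser that accepts the existing two-column line as well as both suggested shapes, `name wrapper PackageDir prog=...` and `name wrapper PackageDir=... prog=...`, and builds the wrapper's argv as a list rather than a shell string. The argv layout handed to the wrapper and the sample file are assumptions.

```python
"""Parser for the proposed extended virus.scanners.conf format (added
example, not MailScanner code).  Each non-comment line is:

    name  wrapper  [PackageDir]  [key=value ...]

so the current two-column form and both forms proposed in the thread parse.
"""
import os.path
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the existing form plus both proposed forms.
SAMPLE_CONF = """\
# scanner      wrapper                                   package dir / options
trend          /opt/MailScanner/lib/trend-wrapper
antivir        /usr/lib/MailScanner/antivir-wrapper      /usr/lib/AntiVir prog=antivir
antivir-alt    /usr/lib/MailScanner/antivir-wrapper      PackageDir=/usr/lib/AntiVir prog=antivir
"""


@dataclass
class ScannerEntry:
    name: str
    wrapper: str
    package_dir: Optional[str] = None
    prog: Optional[str] = None
    extras: Dict[str, str] = field(default_factory=dict)


def parse_scanner_line(line: str) -> Optional[ScannerEntry]:
    """Return an entry, or None for a blank or comment line."""
    body = line.strip()
    if not body or body.startswith("#"):
        return None
    fields = body.split()
    if len(fields) < 2:
        raise ValueError("scanner line needs a name and a wrapper: %r" % line)
    entry = ScannerEntry(name=fields[0], wrapper=fields[1])
    for tok in fields[2:]:
        if "=" in tok:                       # key=value form
            key, value = tok.split("=", 1)
            if key == "PackageDir":
                entry.package_dir = value
            elif key == "prog":
                entry.prog = value
            else:
                entry.extras[key] = value    # keep unknown keys for the wrapper
        elif entry.package_dir is None:      # bare third column is PackageDir
            entry.package_dir = tok
        else:
            raise ValueError("unexpected token %r in %r" % (tok, line))
    return entry


def parse_scanners_conf(text: str) -> Dict[str, ScannerEntry]:
    """Parse a whole file; a scanner name may appear only once."""
    table: Dict[str, ScannerEntry] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = parse_scanner_line(raw)
        if entry is None:
            continue
        if entry.name in table:
            raise ValueError("duplicate scanner %r on line %d" % (entry.name, lineno))
        table[entry.name] = entry
    return table


def wrapper_argv(entry: ScannerEntry, scan_dir: str) -> List[str]:
    """argv for the wrapper as a list (no shell), so whitespace or
    metacharacters in a path cannot be re-split.  Layout is an assumption:
    wrapper [PackageDir] [prog] scan_dir."""
    argv = [entry.wrapper]
    if entry.package_dir is not None:
        argv.append(entry.package_dir)
    if entry.prog is not None:
        argv.append(entry.prog)
    argv.append(scan_dir)
    return argv


def program_path(entry: ScannerEntry) -> Optional[str]:
    """Path of the scanner binary the wrapper would run, when both parts are
    configured; an upgrade script can check it still exists before cutting over."""
    if entry.package_dir is None or entry.prog is None:
        return None
    return os.path.join(entry.package_dir, entry.prog)
```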
From: mikea at MIKEA.ATH.CX (mikea) Date: Thu Jan 12 21:19:16 2006 Subject: Found And Fixed: Help! SA timing out, mail undelivered Message-ID: <20030808085945.A50746@mikea.ath.cx> There was something wrong in the Bayes_* databases, apparently. When I moved the Bayes databases into another directory and nuked/restarted everything, mail flowed right through -- and still is doing so. SA is catching things just as it ought to, and the only thing not working (yet) is Bayesian scoring. I'm sure it will kick in pretty soon, with our spam load. I have saved the databases, and will inquire on the SA-talk list about the problem. To everyone, and to Julian especially, *THANKS* for your help and suggestions. And huge thanks to Julian, again, but never sufficiently, for MailScanner. -- Mike Andrews mikea@mikea.ath.cx Tired old sysadmin since 1964 From mailscanner at ecs.soton.ac.uk Fri Aug 8 15:14:21 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:16 2006 Subject: Found And Fixed: Help! SA timing out, mail undelivered In-Reply-To: <20030808085945.A50746@mikea.ath.cx> Message-ID: <5.2.0.9.2.20030808150613.08bf50e0@imap.ecs.soton.ac.uk> At 14:59 08/08/2003, you wrote: >There was something wrong in the Bayes_* databases, apparently. Make sure you have DB_File installed, with the Berkeley DB library (which is available from www.sleepycat.com). Any other DB libraries have great trouble with SpamAssassin. If you can't get the Berkeley DB to compile (if you haven't already got it), then try the previous version (version 3) as that solved all the problems I had when getting it to install. >To everyone, and to Julian especially, *THANKS* for your help >and suggestions. > >And huge thanks to Julian, again, but never sufficiently, for >MailScanner. No worries. All donations, body parts (anyone remember that thread?), etc gratefully appreciated. P.S. Ever been to www.frozencritters.com? When I found that one, I officially declared the internet "complete". -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From P.G.M.Peters at utwente.nl Fri Aug 8 15:23:49 2003 
From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:19:16 2006 Subject: Release from quarantine In-Reply-To: <1060348942.25553.149.camel@speedy> References: <67D9E7698329D411936E00508B6590B902773A67@neelix.lbsltd.co.uk> <1060348942.25553.149.camel@speedy> Message-ID: On Fri, 8 Aug 2003 09:22:22 -0400, you wrote: >Being able to release a quarantined message using a GUI will be an >immensely helpful tool. I have been thinking about this, but installing an application that gives this GUI is an extra security risk. And extra maintenance. We run sendmail, MailScanner as user mail. Some operators are allowed to log in as user mail. With some (extensive) guidelines they can release quarantined messages. -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From mailscanner at ELKNET.NET Fri Aug 8 15:29:30 2003 
From: mailscanner at ELKNET.NET (Alan Fiebig) Date: Thu Jan 12 21:19:16 2006 Subject: eTrust support Message-ID: <200308081429.h78ETVS19101@ori.rl.ac.uk> That was fast! No, I'm not dying for it, I can wait 10-15 minutes ;-) Joking, take your time. If I rush you now, you won't want to help me with that outstanding Bayes runaway problem later on. -Alan >I've persuaded it to install on RedHat 8.0 (the patch on CA's web site >works), and support for it in MailScanner appears to be working just fine. >It's basically just Inoculate renamed, but I have implemented it as a >separate scanner so if they change it in future it won't mean any messy >changes for anyone. > >The autoupdate script is currently very simple. I'm very interested to hear >whether this works or not. If it works okay, I'll polish it properly. > >There was one other scanner (BitDefender I think) that needed some work, so >I'll try to spend some time on that before releasing another beta. Unless >of course you're dying to get your hands on it now... >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support From ka at PACIFIC.NET Fri Aug 8 15:39:39 2003 
From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:19:16 2006 Subject: Notifications? In-Reply-To: <5.2.0.9.2.20030808084202.03ebf270@imap.ecs.soton.ac.uk> References: <004c01c35d59$99f55310$9c01a8c0@home.middlefinger.net> <5.2.0.9.2.20030808084202.03ebf270@imap.ecs.soton.ac.uk> Message-ID: <3F33B62B.8010307@pacific.net> Julian Field wrote: > You cannot currently do this. Wouldn't it generate an /awful/ lot of mail? It would. But if it could be a daily (or configurable) digest sent to the end user of spam quarantined with a nice link to release the individual emails? That would be nice. I'm sure this has occurred to others on this list.. Anyone put any work into such a thing? Other Anti-Spam solutions have this; Postini, active-state's new anti-spam product - I saw it at linuxworld tuesday - very cool, but I can't remember the name of the product! The result would be that the end user wouldn't have to d/l 50-80% {SPAM} tagged email and filter it locally. The impression by the end user would be that we were taking care of that for them. :-) This may not be a MailScanner feature, maybe an addon script or two? MailScanner could help by writing out a log of what it has quarantined when and where it has put it. I would expect this could be done with some simple logging code in MailScanner at the same points it currently logs quarantine info to the maillog. Then a perl script run from cron could read the "quarantine log" and generate emails to end users on a regular basis. Another script could handle releasing the quarantined email when an end user clicked a link in the email. Ken Pacific.Net > At 04:51 08/08/2003, you wrote: > >> I was reading through the documentation and I stumbled across the actions >> section for SPAM. I was playing with the settings and rules files (which >> make all of our lives easier) when I finally ended up with "store" >> being the >> action I opted for SPAM and "delete" for HIGH SPAM. 
>> >> This is working well, (after learning the hard way that quarantine >> directory >> has to be owned by postfix:postfix :)) except that I don't get >> notified when >> a message is received and "stored". I assume this is by design, however, >> I'm curious about whether the system can notify AND store the message >> with a >> notification such as the one used to notify of "stored" messages that are >> identified as viruses/filename? >> >> I suppose I'm looking for a SPAM equivalent for the "Stored Virus >> Message >> Report" variable that is ONLY sent to the ADMIN identified by "Notices >> To"... >> >> CT > > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > From TGFurnish at HERFF-JONES.COM Fri Aug 8 15:49:27 2003 From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:19:16 2006 Subject: Notifications? Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C0766@inex1.herffjones.hj-int> The activestate product is "PureMessage": http://www.activestate.com/Products/PureMessage/system_requirements.plex I noted it when someone linked to the associated "Field Guide to Spam" on slashdot. Although certainly not complete, that document might be nice to show to management or others as a quick intro to the complexity of spam filtering: http://www.activestate.com/Products/PureMessage/Field_Guide_to_Spam/tricks.plex I think the idea to quarantine spam and allow users to release it if they desire might be a nice, low-admin-overhead way of letting users search for false positives on their own, but wouldn't it also require splitting messages before MS sees them? Otherwise I would expect that there may be issues with one user releasing a spam expecting it to come only to him and inadvertently sending it to other recipients of the original message. I really like the idea though. > -----Original Message----- 
> From: Ken Anderson [mailto:ka@PACIFIC.NET] > Sent: Friday, August 08, 2003 9:40 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Notifications? > > > Julian Field wrote: > > > You cannot currently do this. Wouldn't it generate an > /awful/ lot of mail? > > It would. But if it could be a daily (or configurable) digest sent to > the end user of spam quarantined with a nice link to release the > individual emails? That would be nice. I'm sure this has occurred to > others on this list.. Anyone put any work into such a thing? > > Other Anti-Spam solutions have this; Postini, active-state's new > anti-spam product - I saw it at linuxworld tuesday - very cool, but I > can't remember the name of the product! > > The result would be that the end user wouldn't have to d/l > 50-80% {SPAM} > tagged email and filter it locally. The impression by the end > user would > be that we were taking care of that for them. :-) > > This may not be a MailScanner feature, maybe an addon script or two? > MailScanner could help by writing out a log of what it has quarantined > when and where it has put it. I would expect this could be done with > some simple logging code in MailScanner at the same points it > currently > logs quarantine info to the maillog. > Then a perl script run from cron could read the "quarantine log" and > generate emails to end users on a regular basis. Another script could > handle releasing the quarantined email when an end user clicked a link > in the email. > > Ken > Pacific.Net > > > > At 04:51 08/08/2003, you wrote: > > > >> I was reading through the documentation and I stumbled > across the actions > >> section for SPAM. I was playing with the settings and > rules files (which > >> make all of our lives easier) when I finally ended up with "store" > >> being the > >> action I opted for SPAM and "delete" for HIGH SPAM. 
> >> > >> This is working well, (after learning the hard way that quarantine > >> directory > >> has to be owned by postfix:postfix :)) exepct that I don't get > >> notified when > >> a message is received and "stored". I assume this is by > design, however, > >> I'm curious about whether the system can notify AND store > the message > >> with a > >> notification such as the one used to notify of "stored" > messages that are > >> identified as viruses/filename? > >> > >> I suppose I'm looking for a SPAM equilvalent for the "Stored Virus > >> Message > >> Report" variable that is ONLY sent to the ADMIN identified > by "Notices > >> To"... > >> > >> CT > > > > > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > > From Antony at SOFT-SOLUTIONS.CO.UK Fri Aug 8 15:52:41 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:16 2006 Subject: trend mircro with MailScanner In-Reply-To: <5.2.0.9.2.20030808144042.04ddc708@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030808141100.045d4f80@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030808144042.04ddc708@imap.ecs.soton.ac.uk> Message-ID: <200308081452.h78EqiD16120@onyx.rockstone.co.uk> On Friday 08 August 2003 2:42 pm, Julian Field wrote: > I'll think about it and see how bored I get this weekend. Its competition > is sitting in a shady part of my garden with a chilled bottle of white wine > (possibly a Chablis) and a damn good book. Hmmm..... Sounds like an ideal application for 802.11b to me :) Enjoy yourself whatever you do, Julian. Regards, Antony. -- Windows: just another pane in the glass. From slwatts at WINCKWORTHS.CO.UK Fri Aug 8 16:27:53 2003 
From: slwatts at WINCKWORTHS.CO.UK (Samuel Luxford-Watts) Date: Thu Jan 12 21:19:16 2006 Subject: Notifications? Message-ID: How about linking this with sql logging. Rather than generate loads of extra emails and fill logfiles with lots of mail delivery and status messages - why not log such events to a database and write a few php scrits to allow users to access their email details to view statistics and to release, blacklist, or whitelist their own email? Sam -----Original Message----- 
From: Ken Anderson [mailto:ka@PACIFIC.NET] Sent: 08 August 2003 15:40 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Notifications? Julian Field wrote: > You cannot currently do this. Wouldn't it generate an /awful/ lot of > mail? It would. But if it could be a daily (or configurable) digest sent to the end user of spam quarantined with a nice link to release the individual emails? That would be nice. I'm sure this has occurred to others on this list.. Anyone put any work into such a thing? Other Anti-Spam solutions have this; Postini, active-state's new anti-spam product - I saw it at linuxworld tuesday - very cool, but I can't remember the name of the product! The result would be that the end user wouldn't have to d/l 50-80% {SPAM} tagged email and filter it locally. The impression by the end user would be that we were taking care of that for them. :-) This may not be a MailScanner feature, maybe an addon script or two? MailScanner could help by writing out a log of what it has quarantined when and where it has put it. I would expect this could be done with some simple logging code in MailScanner at the same points it currently logs quarantine info to the maillog. Then a perl script run from cron could read the "quarantine log" and generate emails to end users on a regular basis. Another script could handle releasing the quarantined email when an end user clicked a link in the email. Ken Pacific.Net > At 04:51 08/08/2003, you wrote: > >> I was reading through the documentation and I stumbled across the >> actions section for SPAM. I was playing with the settings and rules >> files (which make all of our lives easier) when I finally ended up >> with "store" being the action I opted for SPAM and "delete" for HIGH >> SPAM. >> >> This is working well, (after learning the hard way that quarantine >> directory has to be owned by postfix:postfix :)) exepct that I don't >> get notified when >> a message is received and "stored". 
I assume this is by design, however, >> I'm curious about whether the system can notify AND store the message >> with a >> notification such as the one used to notify of "stored" messages that are >> identified as viruses/filename? >> >> I suppose I'm looking for a SPAM equilvalent for the "Stored Virus >> Message Report" variable that is ONLY sent to the ADMIN identified by >> "Notices To"... >> >> CT > > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > -------------- Winckworth Sherwood Solicitors and Parliamentary Agents DX 148400 WESTMINSTER 5 : 35 Great Peter Street, London SW1P 3LR Telephone 020 7593 5000 Fax 020 7593 5099 Do something amazing! The firm is supporting a charitable bike ride through Vietnam and needs your help. For further information please visit www.vietnambikeride.org -Confidentiality- This email message and any attachments are confidential; they may be subject to legal professional privilege and are intended for the named recipient only. If you are not the named recipient, please return the message and enclosures immediately and delete them from your system. -Caution- Before advice received only by email (whether by attachment or otherwise) may be relied on, the authenticity of the communication must be verified by means independent of email. -Regulation- The firm is regulated by the Law Society. -Partners- A list of partners is available for inspection at each office of the firm and on the firm's website at www.winckworths.co.uk From mailscanner at ecs.soton.ac.uk Fri Aug 8 16:35:56 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:16 2006 Subject: Notifications? In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF0C0766@inex1.herffjones.hj -int> Message-ID: <5.2.0.9.2.20030808163502.0400e130@imap.ecs.soton.ac.uk> If someone else wants to write it, I'll happily add some extra logging for them to use. At 15:49 08/08/2003, you wrote: >I think the idea to quarantine spam and allow users to release it if they >desire might be a nice, low-admin-overhead way of letting users search for >false positives on their own, but wouldn't it also require splitting >messages before MS sees them? Otherwise I would expect that there may be >issues with one user releasing a spam expecting it to come only to him and >inadvertantly sending it to other recipients of the original message. I >really like the idea though. > > > -----Original Message----- 
> > From: Ken Anderson [mailto:ka@PACIFIC.NET] > > Sent: Friday, August 08, 2003 9:40 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Notifications? > > > > > > Julian Field wrote: > > > > > You cannot currently do this. Wouldn't it generate an > > /awful/ lot of mail? > > > > It would. But if it could be a daily (or configurable) digest sent to > > the end user of spam quarantined with a nice link to release the > > individual emails? That would be nice. I'm sure this has occurred to > > others on this list.. Anyone put any work into such a thing? > > > > Other Anti-Spam solutions have this; Postini, active-state's new > > anti-spam product - I saw it at linuxworld tuesday - very cool, but I > > can't remember the name of the product! > > > > The result would be that the end user wouldn't have to d/l > > 50-80% {SPAM} > > tagged email and filter it locally. The impression by the end > > user would > > be that we were taking care of that for them. :-) > > > > This may not be a MailScanner feature, maybe an addon script or two? > > MailScanner could help by writing out a log of what it has quarantined > > when and where it has put it. I would expect this could be done with > > some simple logging code in MailScanner at the same points it > > currently > > logs quarantine info to the maillog. > > Then a perl script run from cron could read the "quarantine log" and > > generate emails to end users on a regular basis. Another script could > > handle releasing the quarantined email when an end user clicked a link > > in the email. > > > > Ken > > Pacific.Net > > > > > > > At 04:51 08/08/2003, you wrote: > > > > > >> I was reading through the documentation and I stumbled > > across the actions > > >> section for SPAM. I was playing with the settings and > > rules files (which > > >> make all of our lives easier) when I finally ended up with "store" > > >> being the > > >> action I opted for SPAM and "delete" for HIGH SPAM. 
> > >> > > >> This is working well, (after learning the hard way that quarantine > > >> directory > > >> has to be owned by postfix:postfix :)) exepct that I don't get > > >> notified when > > >> a message is received and "stored". I assume this is by > > design, however, > > >> I'm curious about whether the system can notify AND store > > the message > > >> with a > > >> notification such as the one used to notify of "stored" > > messages that are > > >> identified as viruses/filename? > > >> > > >> I suppose I'm looking for a SPAM equilvalent for the "Stored Virus > > >> Message > > >> Report" variable that is ONLY sent to the ADMIN identified > > by "Notices > > >> To"... -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From TGFurnish at HERFF-JONES.COM Fri Aug 8 16:52:18 2003 From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:19:16 2006 Subject: Internet -> Mailscanner -> Exchange 2000 Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1AA8@inex1.herffjones.hj-int> Which is to say the DNS comment simply doesn't apply to you, since you're not using dns on your firewall or mailscanner to decide how mail gets routed. > -----Original Message----- 
> From: Ugo Bellavance [mailto:ugob@LINUX.CA] > Sent: Friday, August 08, 2003 5:04 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Internet -> Mailscanner -> Exchange 2000 > > > >Ugo Bellavance wrote: > >> would an entry in /etc/hosts would do the work, since I > don't want to > >> setup a dns server just for that? > >> > > >Surely you already have DNS, otherwise how does your mail get to you? > > > My MX DNS record gives the address of my external firewall > (1.2.3.4, for > example), which does NAT and forwards traffic on port 25 to my > MailScanner > mail server, which would be, for example, 192.168.1.2 and > then MS server > sends the filtered messages to my internal firewall > (192.168.1.3), which > forwards the packets to the Microsoft Exchange server. > > We are a small office (8 users), so we use basic networking equipment. > From dwinkler at ALGORITHMICS.COM Fri Aug 8 16:58:34 2003 From: dwinkler at ALGORITHMICS.COM (Derek Winkler) Date: Thu Jan 12 21:19:16 2006 Subject: Notifications? Message-ID: <06EE2C86D3DAD5119A6C0060943F3C97055E70EB@tormail1.algorithmics.com> I would definitely be interested in contributing to/writing this. I'll defer to Julian as to what would be useful in the log but a syslog-like format would probably be useful... Date/time hostname message-id path-to-message recipient sender subject If this log could make multiple entries for each recipient it could save some parsing on scripts using the log. I'd probably attach the original message to a new message with one recipient in order to avoid the inadvertent sending to all recipients. It might not be too difficult to write two methods of retrieving/whitelisting/learning these messages, one via email and the other via a web interface. Thanks, Derek Winkler Security Administrator Algorithmics Inc., Toronto Tel: (416) 217-4107 Fax: (416) 971-6263 www.algorithmics.com -----Original Message----- 
From: Julian Field [mailto:mailscanner@ecs.soton.ac.uk] Sent: Friday, August 08, 2003 11:36 AM To: MAILSCANNER@jiscmail.ac.uk Subject: Re: Notifications? If someone else wants to write it, I'll happily add some extra logging for them to use. At 15:49 08/08/2003, you wrote: >I think the idea to quarantine spam and allow users to release it if they >desire might be a nice, low-admin-overhead way of letting users search for >false positives on their own, but wouldn't it also require splitting >messages before MS sees them? Otherwise I would expect that there may be >issues with one user releasing a spam expecting it to come only to him and >inadvertantly sending it to other recipients of the original message. I >really like the idea though. > > > -----Original Message----- 
> > From: Ken Anderson [mailto:ka@PACIFIC.NET] > > Sent: Friday, August 08, 2003 9:40 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Notifications? > > > > > > Julian Field wrote: > > > > > You cannot currently do this. Wouldn't it generate an > > /awful/ lot of mail? > > > > It would. But if it could be a daily (or configurable) digest sent to > > the end user of spam quarantined with a nice link to release the > > individual emails? That would be nice. I'm sure this has occurred to > > others on this list.. Anyone put any work into such a thing? > > > > Other Anti-Spam solutions have this; Postini, active-state's new > > anti-spam product - I saw it at linuxworld tuesday - very cool, but I > > can't remember the name of the product! > > > > The result would be that the end user wouldn't have to d/l > > 50-80% {SPAM} > > tagged email and filter it locally. The impression by the end > > user would > > be that we were taking care of that for them. :-) > > > > This may not be a MailScanner feature, maybe an addon script or two? > > MailScanner could help by writing out a log of what it has quarantined > > when and where it has put it. I would expect this could be done with > > some simple logging code in MailScanner at the same points it > > currently > > logs quarantine info to the maillog. > > Then a perl script run from cron could read the "quarantine log" and > > generate emails to end users on a regular basis. Another script could > > handle releasing the quarantined email when an end user clicked a link > > in the email. > > > > Ken > > Pacific.Net > > > > > > > At 04:51 08/08/2003, you wrote: > > > > > >> I was reading through the documentation and I stumbled > > across the actions > > >> section for SPAM. I was playing with the settings and > > rules files (which > > >> make all of our lives easier) when I finally ended up with "store" > > >> being the > > >> action I opted for SPAM and "delete" for HIGH SPAM. 
> > >> > > >> This is working well, (after learning the hard way that quarantine > > >> directory > > >> has to be owned by postfix:postfix :)) exepct that I don't get > > >> notified when > > >> a message is received and "stored". I assume this is by > > design, however, > > >> I'm curious about whether the system can notify AND store > > the message > > >> with a > > >> notification such as the one used to notify of "stored" > > messages that are > > >> identified as viruses/filename? > > >> > > >> I suppose I'm looking for a SPAM equilvalent for the "Stored Virus > > >> Message > > >> Report" variable that is ONLY sent to the ADMIN identified > > by "Notices > > >> To"... -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030808/99cad1ea/attachment.html From nigel at CREJU.COM Fri Aug 8 17:04:09 2003 
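The digest-and-release scheme discussed in this thread (Ken's quarantine log read by a cron job, Derek's one-line-per-recipient format, Trever's worry about one user releasing a message to every original recipient), as an added example that is not MailScanner's own code: it parses constructed log lines in the proposed `date-time hostname message-id path recipient sender subject` layout, groups them per recipient, and mints an HMAC release token bound to (recipient, message-id, path) so a link can only release that copy to that recipient, with a containment check on the path before anything is touched. The quarantine directory, secret, URL and sample lines are assumptions.

```python
"""Quarantine-log digest with per-recipient release tokens (added example,
not MailScanner code).  Log layout assumed from the thread, one line per
recipient, subject as the free-text remainder:

    date-time hostname message-id path-to-message recipient sender subject
"""
import hashlib
import hmac
import os.path
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urlencode

QUARANTINE_DIR = "/var/spool/MailScanner/quarantine"   # assumed location
SECRET = b"constructed-example-secret-rotate-in-production"  # constructed
RELEASE_URL = "https://mx1.example.org/release"        # assumed endpoint

# Constructed sample: one two-recipient message (two lines) and one
# single-recipient message with an empty subject.
SAMPLE_LOG = """\
2003-08-08T15:40:01 mx1.example.org msg0001 /var/spool/MailScanner/quarantine/20030808/msg0001 alice@example.org sender@example.net Cheap meds, act now
2003-08-08T15:40:01 mx1.example.org msg0001 /var/spool/MailScanner/quarantine/20030808/msg0001 Bob@example.org sender@example.net Cheap meds, act now
2003-08-08T15:42:17 mx1.example.org msg0002 /var/spool/MailScanner/quarantine/20030808/msg0002 alice@example.org news@example.com
"""


@dataclass(frozen=True)
class QuarantineEntry:
    when: str
    host: str
    msg_id: str
    path: str
    recipient: str
    sender: str
    subject: str


def parse_line(line: str) -> QuarantineEntry:
    """Six whitespace-delimited fields, then the subject as the remainder."""
    parts = line.rstrip("\n").split(None, 6)
    if len(parts) < 6:
        raise ValueError("malformed quarantine log line: %r" % line)
    if len(parts) == 6:
        parts.append("")                     # message had no subject
    return QuarantineEntry(*parts)


def release_token(recipient: str, msg_id: str, path: str) -> str:
    """HMAC over the exact (recipient, message, file) triple; changing any
    part (e.g. swapping in another recipient) invalidates the token."""
    msg = "\0".join((recipient.lower(), msg_id, path)).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def build_digest(lines) -> Dict[str, List[Tuple[QuarantineEntry, str]]]:
    """Group entries per recipient (case-folded) with a token for each."""
    per_user = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        entry = parse_line(line)
        token = release_token(entry.recipient, entry.msg_id, entry.path)
        per_user[entry.recipient.lower()].append((entry, token))
    return dict(per_user)


def render_digest(recipient: str, items) -> str:
    """Plain-text digest body with one release link per quarantined copy."""
    out = ["Quarantined mail for %s:" % recipient]
    for entry, token in items:
        query = urlencode({"id": entry.msg_id, "to": entry.recipient,
                           "p": entry.path, "t": token})
        out.append("  %s  from %s  <%s?%s>" % (entry.subject or "(no subject)",
                                               entry.sender, RELEASE_URL, query))
    return "\n".join(out)


def authorise_release(recipient: str, msg_id: str, path: str, token: str) -> bool:
    """Server-side check for a clicked link: constant-time token compare, and
    the path must resolve inside the quarantine (symlinks not resolved here)."""
    expected = release_token(recipient, msg_id, path)
    if not hmac.compare_digest(expected, token):
        return False
    return os.path.normpath(path).startswith(QUARANTINE_DIR + os.sep)
```

The release handler would then re-mail only the authorised recipient's copy, as Derek suggests, rather than re-injecting the original with all its recipients.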
From: nigel at CREJU.COM (Nigel Haveron) Date: Thu Jan 12 21:19:16 2006 Subject: Bouncing individual email addresses Message-ID: Is it possible in MailScanner to bounce singly addressed emails just for certain "To:" addresses with a "user not found"? These are for people who have left, but I am still getting large amounts of spam (over 50% is to these). As I am just using MailScanner/Sendmail as a relay, I cannot use the address mapping features in Sendmail to say "no user". So is there an easy way to do this? It would cut down on the MailScanner processing if it was bounced first. I have figured out a roundabout way, using rulesets for 'definitely is spam' and 'spam actions', by marking all email for the address as spam and then bouncing spam for that address, but I don't feel this is the correct way to do it. I have recently installed MailScanner 4.22-5 on RedHat8 as an SMTP relay, running with Sendmail, SpamAssassin and ClamAV. Any help would be appreciated. Regards, Nigel Haveron From Kevin.Spicer at BMRB.CO.UK Fri Aug 8 17:19:42 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:19:16 2006
Subject: Bouncing individual email addresses
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016495D6@pascal.priv.bmrb.co.uk>

Nigel Haveron wrote:
> Is it possible in MailScanner to bounce singly addressed emails just
> for certain "To:" addresses with a "user not found", these are for
> people who have left but I am still getting large amounts of spam
> (over 50% is to these), as I am just using MailScanner/Sendmail as a
> relay I cannot use the address mapping features in Sendmail to say
> "no user".

I do it using sendmail's access database, add lines like...

To:left.user@mydomain.com	REJECT

then do a

makemap hash /etc/mail/access < /etc/mail/access

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From Antony at SOFT-SOLUTIONS.CO.UK Fri Aug 8 17:20:34 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:16 2006
Subject: Bouncing individual email addresses
In-Reply-To:
References:
Message-ID: <200308081620.h78GKbD16376@onyx.rockstone.co.uk>

On Friday 08 August 2003 5:04 pm, Nigel Haveron wrote:
> Is it possible in MailScanner to bounce singly addressed emails just for
> certain "To:" addresses with a "user not found", these are for people who
> have left but I am still getting large amounts of spam (over 50% is to
> these), as I am just using MailScanner/Sendmail as a relay I cannot use the
> address mapping features in Sendmail to say "no user". So is there an easy
> way to do this, it would cut down on the MailScanner processing if it was
> bounced first.
>
> I have figured out a roundabout way, using rulesets for 'definitely is
> spam' and 'spam actions', by marking all email for the address as spam and
> then bouncing spam for that address, but I don't feel this is the correct
> way to do it.

If you want to avoid the MS processing overhead for these users, why not set rules for "Spam Checks = " so that those users are listed as "no" and not bother to do any spam checking for them at all? Then just let the relay machine deliver them as quickly as possible to the system which *can* do proper address mapping to either dump the email to /dev/null or else return "no such user".

Regards,

Antony.

--
If builders built buildings the way programmers write programs, then the first woodpecker that came along would destroy civilisation.

From mark at TIPPINGMAR.COM Fri Aug 8 17:20:27 2003
From: mark at TIPPINGMAR.COM (Mark Nienberg)
Date: Thu Jan 12 21:19:16 2006
Subject: Unexpected Error?
In-Reply-To: <3F2F8557.5456.13FE0EF2@localhost>
References: <036A6BCC9FD10749AD3CE32255AF49A60170A02D@dalsxc01.geniant.net>
Message-ID: <3F336B5B.26225.23389F8A@localhost>

Here is the response from Sophos regarding this issue:

Thank you for contacting Sophos Technical Support.

Due to the way that Sophos has been changed to handle PDFs we have got a problem scanning certain PDFs at the moment. The production team are aware of this problem and are currently working on a fix for it.

For now you can exclude PDFs from being scanned if you want to as currently there are only 2 PDF viruses in the world and these will only affect a system running a full version of Adobe (Distiller/Writer) not just Reader.

On 5 Aug 2003 at 10:22, Mark Nienberg wrote:

> I'm seeing this too, with Sophos 3.72. I have some PDF files that 3.71 scans
> successfully, but 3.72 chokes on with the "unexpected error". I sent a sample file to
> Sophos.
>
> My MailScanner is still using 3.71, so I think I'll postpone the update to 3.72 on this
> machine.
>
> Mark Nienberg
>
> On 4 Aug 2003 at 12:02, Max Kipness wrote:
>
> > I've got an employee who has been sending docs all morning and then
> > suddenly has a problem with one doc getting corrupt/unexpected errors.
> > Does this just mean that MailScanner thinks it's corrupt and then had an
> > error trying to check it?
> > Here is the log:
> >
> > Aug 4 11:47:53 xxxxxxxxx sendmail[29123]: h74GklL1029123: from=, size=1015025, class=0, nrcpts=1, msgid=<036A6BCC9FD10749AD3CE32255AF49A601702857@dalsxc01.geniant.net>, proto=ESMTP, daemon=MTA, relay=adsl-64-217-212-137.dsl.rcsntx.swbell.net [64.217.212.137]
> > Aug 4 11:47:53 xxxxxxxxx sendmail[29123]: h74GklL1029123: to=, delay=00:01:05, mailer=esmtp, pri=30639, stat=queued
> > Aug 4 11:47:56 xxxxxxxxx MailScanner[20684]: Could not check ./h74GklL1029123/winmail.dat/Xxxxxxxxx AD Design - DRAFT.zip/Xxxxxxxxx AD Design - DRAFT.doc (corrupt)
> > Aug 4 11:47:56 xxxxxxxxx MailScanner[20684]: Could not check ./h74GklL1029123/winmail.dat/Xxxxxxxxx AD Design - DRAFT.zip/Xxxxxxxxx AD Design - DRAFT.doc (unexpected error [0x80040202])
> > Aug 4 11:47:56 xxxxxxxxx MailScanner[20684]: Could not check ./h74GklL1029123/winmail.dat/Xxxxxxxxx AD Design - DRAFT.zip/Xxxxxxxxx AD Design - DRAFT.doc (unexpected error [0x80040202])
> > Aug 4 11:47:57 xxxxxxxxx MailScanner[20684]: Saved infected "winmail.dat" to /var/spool/MailScanner/quarantine/20030804/h74GklL1029123
> > Aug 4 11:48:05 xxxxxxxxx sendmail[29165]: h74GklL1029123: to=, delay=00:01:17, xdelay=00:00:08, mailer=esmtp, pri=120639, relay=houmail.companyx.com. [204.194.96.13], dsn=2.0.0, stat=Sent (h74GlvRp028965 Message accepted for delivery)
> >
> > Thanks,
> > Max

--
Mark W. Nienberg, SE
Tipping Mar + associates
1906 Shattuck Ave, Berkeley, CA 94704
visit our website at http://www.tippingmar.com

From Antony at SOFT-SOLUTIONS.CO.UK Fri Aug 8 17:22:01 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:16 2006
Subject: Bouncing individual email addresses
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0016495D6@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0016495D6@pascal.priv.bmrb.co.uk>
Message-ID: <200308081622.h78GM4D16388@onyx.rockstone.co.uk>

On Friday 08 August 2003 5:19 pm, Spicer, Kevin wrote:
> Nigel Haveron wrote:
> > Is it possible in MailScanner to bounce singly addressed emails just
> > for certain "To:" addresses with a "user not found", these are for
> > people who have left but I am still getting large amounts of spam
> > (over 50% is to these), as I am just using MailScanner/Sendmail as a
> > relay I cannot use the address mapping features in Sendmail to say
> > "no user".
>
> I do it using sendmail's access database, add lines like...
>
> To:left.user@mydomain.com REJECT

But can you do this sort of thing for a relay-domain, rather than a local-domain? I thought sendmail's access lists only applied to local domains which sendmail acted as delivery agent for?

Antony.

--
The idea that Bill Gates appeared like a knight in shining armour to lead all customers out of a mire of technological chaos neatly ignores the fact that it was he who, by peddling second-rate technology, led them into it in the first place.
- Douglas Adams in The Guardian, August 25, 1995

From sanjay.patel at REXWIRE.COM Fri Aug 8 17:23:45 2003
From: sanjay.patel at REXWIRE.COM (Sanjay K. Patel)
Date: Thu Jan 12 21:19:16 2006
Subject: Ruleset for spam check by domain
In-Reply-To: <3F333981.5030901@corp.home.nl>
Message-ID: <002501c35dc9$717a8390$6f01a8c0@Laptop1>

So what is the correct format?

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jeffrey Koetsier
Sent: Friday, August 08, 2003 1:48 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Ruleset for spam check by domain

Sanjay K. Patel wrote:

>If I only want certain domains to be checked for spam what do I put in
>the ruleset?
>
>domainA.com yes
>
>DomainB.com no
>
>Is this correct?
>
no :)

Ruleset file should contain 3 values per line, example:

From: DomainX.com yes
To: postmaster@DomainY.com no
FromTo: default no

In my version of MailScanner, there is a README file in the rules directory which contains some info about this.

--
Jeffrey Koetsier
Unix Administrator

"I don't believe UNIX is Utopia. It's just the best set of tools around."
-- Dick Haight, Unix Review, Jan. 1985, pg. 117

From TGFurnish at HERFF-JONES.COM Fri Aug 8 17:25:39 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:16 2006
Subject: Bouncing individual email addresses
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1AAB@inex1.herffjones.hj-int>

> But can you do this sort of thing for a relay-domain, rather than a
> local-domain ?

Yes. Surprised me too, but it works. The version I have installed is currently an 8.11.6; that and later versions at least have that functionality.

-t.

From jase at SENSIS.COM Fri Aug 8 17:27:56 2003
From: jase at SENSIS.COM (Desai, Jason)
Date: Thu Jan 12 21:19:16 2006
Subject: reinserting saved quarantine messages
Message-ID:

What I do is:

* Copy the -D and -H files from the quarantine to the second exim's input spool directory
* Make sure that the files have the correct owners (I chown mail.mail *)
* Send the message with exim (exim -C /path/to/second_exim_config -M ) - you can add a -v flag to that command to see more info. If you don't do this, your normal queue runner should eventually find it and send it.

Jason

> -----Original Message-----
> From: Martin Hierling [mailto:martin.hierling@FH-LUH.DE]
> Sent: Friday, August 08, 2003 7:48 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: [MAILSCANNER] reinserting saved quarantine messages
>
>
> Hi List,
>
> have a short (I hope) question about mailscanner with exim.
>
> I have configured mailscanner with:
> Quarantine Whole Message = yes
> so that I get a complete message in the quarantine dir.
>
> This message looks like:
> ---
> Received: from uhura.somedoain.de ([192.168.1.1])
>         by suedfall.somedomain.de with esmtp (Exim 4.12)
>         id 19l2I2-00078S-00
>         for mad@suedfall.somedomain.de; Fri, 08 Aug 2003 10:07:58 +0200
> ....
> some header stuff
> ....
>
> --SLDf9lqlvOQaIe6s
> Content-Type: application/x-msdos-program
> Content-Disposition: attachment; filename="Cogito_Ergo_Sum.exe"
> Content-Transfer-Encoding: base64
>
> ....
>
> AAAAAAAAAAAAAAAAAAAA
>
> --SLDf9lqlvOQaIe6s--
>
> ---
>
> so, now my question is how do I feed this back to exim to get it delivered as it is?
>
> regards and have a nice weekend
>
> Martin
>
> --
> Dipl.-Ing. Martin Hierling - S|KIM [it] FH Lippe und Hoexter
> Raum 343 - Liebigstr. 87 - 32657 Lemgo - Germany - Earth
> Tel.: +49-(0)5261 - 702-433 - Fax: +49-(0)5261 - 702-467
> ----------------------------------------------------------------
> If it walks out of your refrigerator, LET IT GO !!
> ----------------------------------------------------------------

From mailscanner at ecs.soton.ac.uk Fri Aug 8 17:36:46 2003
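The three-field ruleset format Jeffrey Koetsier describes above (direction, pattern, value), as an added example rather than MailScanner's own code: a parser that reports the two-field mistake from the original question, and a first-match evaluator. The matching semantics are assumptions of this example (case-insensitive, a bare domain covers every address in it, "default" matches anything, "FromTo:" matches either side); the rules README Jeffrey mentions is authoritative for your version.

```python
"""Parser and first-match evaluator for MailScanner-style ruleset files.

Added example, not MailScanner's own code.  Matching semantics below are
assumptions of this example, not taken from the thread.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DIRECTIONS = ("From:", "To:", "FromTo:")


@dataclass(frozen=True)
class Rule:
    direction: str
    pattern: str   # lower-cased address, bare domain, or "default"
    value: str
    lineno: int


def parse_ruleset(text: str) -> Tuple[List[Rule], List[str]]:
    """Return (rules, problems).  Lines without exactly three
    whitespace-separated fields, or with an unknown direction, are
    reported instead of being silently skipped."""
    rules: List[Rule] = []
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # '#' starts a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            problems.append(f"line {lineno}: expected 3 fields "
                            f"(direction pattern value), got {len(fields)}: {line!r}")
            continue
        direction, pattern, value = fields
        if direction not in DIRECTIONS:
            problems.append(f"line {lineno}: unknown direction {direction!r}, "
                            f"expected one of {', '.join(DIRECTIONS)}")
            continue
        rules.append(Rule(direction, pattern.lower(), value, lineno))
    return rules, problems


def _matches(pattern: str, address: str) -> bool:
    address = address.lower()
    if pattern == "default":
        return True
    if "@" in pattern:                               # full address: exact match
        return address == pattern
    return address.endswith("@" + pattern)           # bare domain: whole domain


def lookup(rules: List[Rule], sender: str, recipient: str) -> Optional[str]:
    """First matching rule wins; None means nothing (not even a default) matched."""
    for rule in rules:
        if rule.direction == "From:":
            hit = _matches(rule.pattern, sender)
        elif rule.direction == "To:":
            hit = _matches(rule.pattern, recipient)
        else:   # "FromTo:": either side matches (assumption of this example)
            hit = _matches(rule.pattern, sender) or _matches(rule.pattern, recipient)
        if hit:
            return rule.value
    return None


# Jeffrey's example from the thread, with a comment line added.
GOOD_RULESET = """\
# check only these domains for spam
From: DomainX.com yes
To: postmaster@DomainY.com no
FromTo: default no
"""

# The two-field layout from the original question, which MailScanner rejects.
BAD_RULESET = """\
domainA.com yes
DomainB.com no
"""

if __name__ == "__main__":
    rules, problems = parse_ruleset(GOOD_RULESET)
    print(lookup(rules, "alice@domainx.com", "bob@example.net"))          # yes
    print(lookup(rules, "carol@example.net", "postmaster@domainy.com"))   # no
    for problem in parse_ruleset(BAD_RULESET)[1]:
        print(problem)
```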
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:16 2006
Subject: Unexpected Error?
In-Reply-To: <3F336B5B.26225.23389F8A@localhost>
References: <3F2F8557.5456.13FE0EF2@localhost> <036A6BCC9FD10749AD3CE32255AF49A60170A02D@dalsxc01.geniant.net>
Message-ID: <5.2.1.1.2.20030808173403.02614188@imap.ecs.soton.ac.uk>

The new version of the Allowed Sophos Error Messages code I have just released will enable you to let through PDF files which hit these problems. This setting should cover the problems I have seen:

Allowed Sophos Error Messages = "corrupt", "0x80040202"

You will need the latest beta release for this setting to work, however.

At 17:20 08/08/2003, you wrote:
>Here is the response from Sophos regarding this issue:
>
>Thank you for contacting Sophos Technical Support.
>
>Due to the way that Sophos has been changed to handle PDFs we
>have got a problem scanning certain PDFs at the moment. The
>production team are aware of this problem and are currently
>working on a fix for it.
>
>For now you can exclude PDFs from being scanned if you want to
>as currently there are only 2 PDF viruses in the world and
>these will only affect a system running a full version of
>Adobe (Distiller/Writer) not just Reader.
>
>
>On 5 Aug 2003 at 10:22, Mark Nienberg wrote:
>
> > I'm seeing this too, with Sophos 3.72. I have some PDF files that 3.71 scans
> > successfully, but 3.72 chokes on with the "unexpected error". I sent a sample file to
> > Sophos.
> >
> > My MailScanner is still using 3.71, so I think I'll postpone the update to 3.72 on this
> > machine.
> >
> > Mark Nienberg
> >
> > On 4 Aug 2003 at 12:02, Max Kipness wrote:
> >
> > > I've got an employee who has been sending docs all morning and then
> > > suddenly has a problem with one doc getting corrupt/unexpected errors.
> > > Does this just mean that MailScanner thinks it's corrupt and then had an
> > > error trying to check it?
> > > Here is the log:
> > >
> > > Aug 4 11:47:53 xxxxxxxxx sendmail[29123]: h74GklL1029123: from=, size=1015025, class=0, nrcpts=1, msgid=<036A6BCC9FD10749AD3CE32255AF49A601702857@dalsxc01.geniant.net>, proto=ESMTP, daemon=MTA, relay=adsl-64-217-212-137.dsl.rcsntx.swbell.net [64.217.212.137]
> > > Aug 4 11:47:53 xxxxxxxxx sendmail[29123]: h74GklL1029123: to=, delay=00:01:05, mailer=esmtp, pri=30639, stat=queued
> > > Aug 4 11:47:56 xxxxxxxxx MailScanner[20684]: Could not check ./h74GklL1029123/winmail.dat/Xxxxxxxxx AD Design - DRAFT.zip/Xxxxxxxxx AD Design - DRAFT.doc (corrupt)
> > > Aug 4 11:47:56 xxxxxxxxx MailScanner[20684]: Could not check ./h74GklL1029123/winmail.dat/Xxxxxxxxx AD Design - DRAFT.zip/Xxxxxxxxx AD Design - DRAFT.doc (unexpected error [0x80040202])
> > > Aug 4 11:47:56 xxxxxxxxx MailScanner[20684]: Could not check ./h74GklL1029123/winmail.dat/Xxxxxxxxx AD Design - DRAFT.zip/Xxxxxxxxx AD Design - DRAFT.doc (unexpected error [0x80040202])
> > > Aug 4 11:47:57 xxxxxxxxx MailScanner[20684]: Saved infected "winmail.dat" to /var/spool/MailScanner/quarantine/20030804/h74GklL1029123
> > > Aug 4 11:48:05 xxxxxxxxx sendmail[29165]: h74GklL1029123: to=, delay=00:01:17, xdelay=00:00:08, mailer=esmtp, pri=120639, relay=houmail.companyx.com. [204.194.96.13], dsn=2.0.0, stat=Sent (h74GlvRp028965 Message accepted for delivery)
> > >
> > > Thanks,
> > > Max
>
>
>--
>Mark W. Nienberg, SE
>Tipping Mar + associates
>1906 Shattuck Ave, Berkeley, CA 94704
>visit our website at http://www.tippingmar.com

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From ka at PACIFIC.NET Fri Aug 8 18:10:32 2003
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:19:16 2006
Subject: Notifications?
In-Reply-To: <06EE2C86D3DAD5119A6C0060943F3C97055E70EB@tormail1.algorithmics.com>
References: <06EE2C86D3DAD5119A6C0060943F3C97055E70EB@tormail1.algorithmics.com>
Message-ID: <3F33D988.5010804@pacific.net>

Derek Winkler wrote:
> I would definitely be interested in contributing to/writing this.
>
> I'll defer to Julian as to what would be useful in the log but a syslog-like
> format would probably be useful...
>
> Date/time hostname message-id path-to-message recipient sender subject

This looks right. I think that would give us the raw data to create different types of UI systems that allowed customers to interact with the quarantined spam to release, whitelist or blacklist.

> If this log could make multiple entries for each recipient it could save
> some parsing on scripts using the log.
> I'd probably attach the original message to a new message with one recipient
> in order to avoid the inadvertent sending to all recipients.

We split mail coming in using sendmail's queue groups, so we'd just cp them from quarantine directly to /var/spool/mqueue. Attaching the original messages would not be needed, though it would be a nice option. How about altering the subject, prepending "released from quarantine " or something?

> It might not be too difficult to write two methods of
> retrieving/whitelisting/learning these messages, one via email and the
> other via a web interface.

Everyone may do this a bit differently. We'd probably want to have a simple 'are you sure' web interface that would be arrived at by clicking on a link in the quarantine digest email. Others may want to use SQL logging and present users with a variety of other options at this point. In our case, the webserver is another machine that would queue jobs for a simple script on the mail relays that would do the cp operation with the right permissions.
Ken
Pacific.Net

> Thanks,
>
> Derek Winkler
> Security Administrator
> Algorithmics Inc., Toronto
> Tel: (416) 217-4107
> Fax: (416) 971-6263
> www.algorithmics.com
>
>
> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ecs.soton.ac.uk]
> Sent: Friday, August 08, 2003 11:36 AM
> To: MAILSCANNER@jiscmail.ac.uk
> Subject: Re: Notifications?
>
>
> If someone else wants to write it, I'll happily add some extra logging for
> them to use.
>
> At 15:49 08/08/2003, you wrote:
>
>>I think the idea to quarantine spam and allow users to release it if they
>>desire might be a nice, low-admin-overhead way of letting users search for
>>false positives on their own, but wouldn't it also require splitting
>>messages before MS sees them? Otherwise I would expect that there may be
>>issues with one user releasing a spam expecting it to come only to him and
>>inadvertently sending it to other recipients of the original message. I
>>really like the idea though.
>>
>>
>>>-----Original Message-----
>>>From: Ken Anderson [mailto:ka@PACIFIC.NET]
>>>Sent: Friday, August 08, 2003 9:40 AM
>>>To: MAILSCANNER@JISCMAIL.AC.UK
>>>Subject: Re: Notifications?
>>>
>>>
>>>Julian Field wrote:
>>>
>>>>You cannot currently do this. Wouldn't it generate an
>>>>/awful/ lot of mail?
>>>
>>>It would. But if it could be a daily (or configurable) digest sent to
>>>the end user of spam quarantined with a nice link to release the
>>>individual emails? That would be nice. I'm sure this has occurred to
>>>others on this list.. Anyone put any work into such a thing?
>>>
>>>Other Anti-Spam solutions have this; Postini, active-state's new
>>>anti-spam product - I saw it at linuxworld tuesday - very cool, but I
>>>can't remember the name of the product!
>>>
>>>The result would be that the end user wouldn't have to d/l 50-80% {SPAM}
>>>tagged email and filter it locally. The impression by the end user would
>>>be that we were taking care of that for them. :-)
>>>
>>>This may not be a MailScanner feature, maybe an addon script or two?
>>>MailScanner could help by writing out a log of what it has quarantined
>>>when and where it has put it. I would expect this could be done with
>>>some simple logging code in MailScanner at the same points it currently
>>>logs quarantine info to the maillog.
>>>Then a perl script run from cron could read the "quarantine log" and
>>>generate emails to end users on a regular basis. Another script could
>>>handle releasing the quarantined email when an end user clicked a link
>>>in the email.
>>>
>>>Ken
>>>Pacific.Net
>>>
>>>
>>>
>>>>At 04:51 08/08/2003, you wrote:
>>>>
>>>>
>>>>>I was reading through the documentation and I stumbled across the actions
>>>>>section for SPAM. I was playing with the settings and rules files (which
>>>>>make all of our lives easier) when I finally ended up with "store"
>>>>>being the action I opted for SPAM and "delete" for HIGH SPAM.
>>>>>
>>>>>This is working well, (after learning the hard way that quarantine
>>>>>directory has to be owned by postfix:postfix :)) except that I don't get
>>>>>notified when a message is received and "stored". I assume this is by
>>>>>design, however, I'm curious about whether the system can notify AND store
>>>>>the message with a notification such as the one used to notify of "stored"
>>>>>messages that are identified as viruses/filename?
>>>>>
>>>>>I suppose I'm looking for a SPAM equivalent for the "Stored Virus Message
>>>>>Report" variable that is ONLY sent to the ADMIN identified by "Notices
>>>>>To"...
>
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>

From cslyon at netsvcs.com Fri Aug 8 18:16:18 2003
From: cslyon at netsvcs.com (Christopher Lyon)
Date: Thu Jan 12 21:19:16 2006
Subject: Trying to get MailScanner v4.22-5 to forward messages
Message-ID:

Here is the output from the maillog:

Aug 8 10:08:37 smtp3 MailScanner[21213]: MailScanner E-Mail Virus Scanner version 4.22-5 starting...
Aug 8 10:08:37 smtp3 MailScanner[21213]: Error in line 1124 of /etc/MailScanner/MailScanner.conf, setting value of SpamAssassin User State Dir twice!
Error in line 1125 of /etc/MailScanner/MailScanner.conf, setting value of SpamAssassin Install Prefix twice!
Error in line 1126 of /etc/MailScanner/MailScanner.conf, setting value of SpamAssassin Local Rules Dir twice!
Error in line 1127 of /etc/MailScanner/MailScanner.conf, setting value of SpamAssassin Default Rules Dir twice!
Error in line 1128 of /etc/MailScanner/MailScanner.conf, setting value of SpamAssassin User State Dir twice!
Error in line 1129 of /etc/MailScanner/MailScanner.conf, setting value of SpamAssassin Install Prefix twice!
Error in line 1130 of /etc/MailScanner/MailScanner.conf, setting value of SpamAssassin Local Rules Dir twice!
Error in line 1131 of /etc/MailScanner/MailScanner.conf, setting value of SpamAssassin Default Rules Dir twice!
Error in line 1132 of /etc/MailScanner/MailScanner.conf, setting value of Spam Domain List twice!
Can't continue proce
Aug 8 10:08:47 smtp3 MailScanner[21216]: MailScanner E-Mail Virus Scanner version 4.22-5 starting...
Aug 8 10:08:47 smtp3 MailScanner[21216]: Error in line 1124 of /etc/MailScanner/MailScanner.conf, setting value of SpamAssassin User State Dir twice!
Error in line 1125 of /etc/MailScanner/MailScanner.conf, setting value of SpamAssassin Install Prefix twice!
Error in line 1126 of /etc/MailScanner/MailScanner.conf, setting value of SpamAssassin Local Rules Dir twice!
Error in line 1127 of /etc/MailScanner/MailScanner.conf, setting value of SpamAssassin Default Rules Dir twice!
Error in line 1128 of /etc/MailScanner/MailScanner.conf, setting value of SpamAssassin User State Dir twice!
Error in line 1129 of /etc/MailScanner/MailScanner.conf, setting value of SpamAssassin Install Prefix twice!
Error in line 1130 of /etc/MailScanner/MailScanner.conf, setting value of SpamAssassin Local Rules Dir twice!
Error in line 1131 of /etc/MailScanner/MailScanner.conf, setting value of SpamAssassin Default Rules Dir twice!
Error in line 1132 of /etc/MailScanner/MailScanner.conf, setting value of Spam Domain List twice!
Can't continue proce

That might explain why the MailScanner is "defunct".

Here is the ps ax:

  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:03 init
    2 ?        SW     0:00 [keventd]
    3 ?        SW     0:00 [kapmd]
    4 ?        SWN    0:00 [ksoftirqd_CPU0]
    9 ?        SW     0:00 [bdflush]
    5 ?        SW     0:00 [kswapd]
    6 ?        SW     0:00 [kscand/DMA]
    7 ?        SW     0:00 [kscand/Normal]
    8 ?        SW     0:00 [kscand/HighMem]
   10 ?        SW     0:00 [kupdated]
   11 ?        SW     0:00 [mdrecoveryd]
   15 ?        SW     0:00 [kjournald]
   73 ?        SW     0:00 [khubd]
  865 ?        SW     0:00 [kjournald]
 1996 ?        S      0:00 syslogd -m 0
 2000 ?        S      0:00 klogd -x
 2018 ?        S      0:00 portmap
 2037 ?        S      0:00 rpc.statd
 2073 ?        S      0:00 /usr/local/affant/sbin/snmpd
 2124 ?        S      0:00 /usr/sbin/sshd
 2138 ?        S      0:00 xinetd -stayalive -reuse -pidfile /var/run/xinetd.pid
 2164 ?        SL     0:00 /usr/local/affant/bin/ntpd -c /etc/ntp.conf
 2227 ?        S      0:00 gpm -t imps2 -m /dev/mouse
 2236 ?        S      0:00 crond
 2251 ?        S      0:00 /usr/bin/perl /usr/local/affant/bin/swatch --tail-file=/var/log/messages --config-file=/etc/affant/ip
 2256 ?        S      0:00 /usr/bin/perl //.swatch_script.2251
 2257 ?        S      0:00 /usr/bin/perl /usr/libexec/webmin/miniserv.pl /etc/webmin/miniserv.conf
 2260 tty1     S      0:00 /sbin/mingetty tty1
 2261 tty2     S      0:00 /sbin/mingetty tty2
 2262 tty3     S      0:00 /sbin/mingetty tty3
 2263 tty4     S      0:00 /sbin/mingetty tty4
 2264 tty5     S      0:00 /sbin/mingetty tty5
 2265 tty6     S      0:00 /sbin/mingetty tty6
 2266 ttyS0    S      0:00 /sbin/agetty -L 9600 ttyS0 vt102
 2268 ?        S      0:00 /usr/bin/tail -n 1 -f /var/log/messages
20912 ?        S      0:00 /usr/sbin/sshd
20915 ?        S      0:00 /usr/sbin/sshd
20916 pts/0    S      0:00 -bash
20950 pts/0    S      0:00 su
20951 pts/0    S      0:00 bash
21115 ?        S      0:00 sendmail: accepting connections
21120 ?        S      0:00 sendmail: Queue runner@00:15:00 for /var/spool/clientmqueue
21126 ?        S      0:00 sendmail: Queue runner@00:15:00 for /var/spool/mqueue
21144 ?        S      0:00 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf
21145 ?        Z      0:00 [MailScanner ]
21149 pts/0    R      0:00 ps ax

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: Friday, August 08, 2003 6:15 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Trying to get MailScanner v4.22-5 to forward messages
>
> At 22:42 07/08/2003, you wrote:
> > > > Also, try doing a "sendmail -bv one.of.your.addresses@yourdomain.com" to
> > > > see how sendmail thinks it will try to deliver a message to one of your
> > > > users.
> > >
> > > Here is the command and the output.
> > >
> > > ./sendmail -bv cslyon@netsvcs.com
> > > cslyon@netsvcs.com... deliverable: mailer esmtp, host netsvcs.com., user cslyon@netsvcs.com
> >
> > What sort of setup are you using to run MailScanner? The one I suggest in
> > the FAQ involving using your firewall to block incoming access to your
> > primary MX, and running MailScanner on a secondary MX? Or else what?
>
> >I want to have MailScanner scan all incoming mail for spam and viri
> >content and forward it over to my production mail server which is
> >exchange. Mail scanner is opened from the outside on port 25 and I can
> >telnet to it on port 25. I see the mail coming into the box and it sits
> >in the /var/spool/mqueue.in directory. So, I know that is working. The
> >MX records are pointed just as you have stated above?
>
> Please do a "ps ax" and send me the output.
> Also, what does your maillog have to say about MailScanner?
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support

From mailscanner at elknet.net Fri Aug 8 18:21:27 2003
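The "setting value of ... twice!" errors above are MailScanner refusing to start because the same setting is assigned more than once in MailScanner.conf, typically after an upgrade appends settings that the file already defines. As an added example (not MailScanner's own code), a checker that finds every repeated assignment and prints it in the same wording, so the duplicate lines can be removed before restarting; the sample configuration is constructed, and comparing setting names ignoring case and whitespace is an assumption of this example.

```python
"""Find settings assigned more than once in a MailScanner.conf-style file.

Added example, not MailScanner's own code.  Assumption of this example:
setting names compare equal ignoring case and whitespace, so
"Spam Domain List" and "spamdomainlist" are the same key.
"""
import re
from typing import Dict, List, Tuple

# "Setting Name = value"; the name stops at the first '='.  Values may be empty.
SETTING_RE = re.compile(r"^([^=#]+?)\s*=\s*(.*)$")


def normalise_key(name: str) -> str:
    return re.sub(r"\s+", "", name).lower()


def find_duplicate_settings(conf_text: str) -> Dict[str, List[int]]:
    """Map each setting defined more than once to all the line numbers
    where it is set, keyed by the name used at its first occurrence."""
    first: Dict[str, Tuple[str, int]] = {}      # key -> (display name, line)
    dups: Dict[str, List[int]] = {}
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                             # blank line or comment
        m = SETTING_RE.match(line)
        if not m:
            continue                             # not a "name = value" line
        name = m.group(1).strip()
        key = normalise_key(name)
        if key in first:
            dups.setdefault(key, [first[key][1]]).append(lineno)
        else:
            first[key] = (name, lineno)
    return {first[k][0]: lines for k, lines in dups.items()}


def mailscanner_style_errors(conf_text: str, path: str) -> List[str]:
    """One message per repeated assignment (every occurrence after the
    first), in the wording MailScanner itself logs, ordered by line."""
    errors = []
    for name, lines in find_duplicate_settings(conf_text).items():
        for lineno in lines[1:]:
            errors.append(f"Error in line {lineno} of {path}, "
                          f"setting value of {name} twice!")
    return sorted(errors, key=lambda e: int(e.split()[3]))


# Constructed excerpt in MailScanner.conf syntax; not a real configuration.
SAMPLE_CONF = """\
# Constructed excerpt, not a real MailScanner.conf
%org-name% = EXAMPLE
Run As User = postfix
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
Spam Domain List =

# Block appended by an upgrade, repeating settings already defined above
spamassassin user state dir = /var/spool/MailScanner/spamassassin
Spam Domain List =
"""

if __name__ == "__main__":
    for err in mailscanner_style_errors(SAMPLE_CONF, "/etc/MailScanner/MailScanner.conf"):
        print(err)
```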
From: mailscanner at elknet.net (Alan Fiebig)
Date: Thu Jan 12 21:19:16 2006
Subject: eTrust support
Message-ID: <200308081721.SAA10967@jackdaw.ecs.soton.ac.uk>

No, I just had not gotten that far down the list yet. When I typically get into the office in the morning, I have 70-80 messages from the list waiting.

Thanks so much for getting this done! I have it installed, and have been beating it up for the last hour. Works great!

When you finalize the auto-update script, will you incorporate the syslog messages of 'Didn't need updating' or 'Updated'? I'm running the mailstats package, which uses that string to update the web page with the last date the sig files were updated.

Thanks again!

-Alan

>Did you miss my announcement of the release at 12:41pm this afternoon?

From brent at WHITE-DEV.QUATRO.COM Fri Aug 8 18:50:54 2003
From: brent at WHITE-DEV.QUATRO.COM (Brent)
Date: Thu Jan 12 21:19:16 2006
Subject: ANNOUNCE: Beta release 4.23-2
In-Reply-To: <5.2.0.9.2.20030808124017.0464e458@imap.ecs.soton.ac.uk>
Message-ID: <200308081800.h78I0Pp31767@white-dev.quatro.com>

Julian:

Would it be possible to include my patch for Message.pm that turns on sending blacklisted entries to highscore action in this next beta?

309a310 > $this->{ishigh} = 1;

If everyone doesn't think this is a good idea, perhaps we could have a config option for it. It's a small patch but it's made a big impact on our users. If there isn't enough interest in this I will just continue manually applying my patch.

Brent

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field
Sent: Friday, August 08, 2003 7:42 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: ANNOUNCE: Beta release 4.23-2

I have added support for eTrust.
I have also greatly improved the flexibility of the "Allowed Sophos Error Messages" option so you can specify multiple strings so you can allow for lots of different errors it may produce.

Download as usual from
www.mailscanner.info

Let me know how you get on.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Aug 8 18:58:46 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:16 2006
Subject: ANNOUNCE: Beta release 4.23-2
In-Reply-To: <200308081800.h78I0Pp31767@white-dev.quatro.com>
References: <5.2.0.9.2.20030808124017.0464e458@imap.ecs.soton.ac.uk>
Message-ID: <5.2.1.1.2.20030808185809.026f0d88@imap.ecs.soton.ac.uk>

It would definitely have to be configurable. Does anyone else need this feature?

At 18:50 08/08/2003, you wrote:
>Julian:
>
>Would it be possible to include my patch for Message.pm that turns on
>sending blacklisted entries to highscore action in this next beta?
>
>309a310 > > $this->{ishigh} = 1;
>
>If everyone doesn't think this is a good idea, perhaps we could have a
>config option for it. It's a small patch but it's made a big impact on our
>users. If there isn't enough interest in this I will just continue manually
>applying my patch.
>
>Brent
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf
>Of Julian Field
>Sent: Friday, August 08, 2003 7:42 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: ANNOUNCE: Beta release 4.23-2
>
>I have added support for eTrust.
>I have also greatly improved the flexibility of the "Allowed Sophos Error
>Messages" option so you can specify multiple strings so you can allow for
>lots of different errors it may produce.
>
>Download as usual from
> www.mailscanner.info
>
>Let me know how you get on.
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From Steve at swaney.com Fri Aug 8 19:11:08 2003
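Review bot: the ed-style hunk `309a310 > $this->{ishigh} = 1;` carries no context lines, so it only applies cleanly to the exact Message.pm revision it was diffed against and a reviewer cannot see which branch of the blacklist handling the new assignment lands in; please resubmit it as a context or unified diff (`diff -u`) so the insertion point can be verified against the current beta. As the reply above also says, the assignment should be gated on a configuration option rather than forcing every blacklisted message to the high-scoring spam actions unconditionally, so sites relying on the current behaviour are not changed by the upgrade.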
From: Steve at swaney.com (Stephen Swaney)
Date: Thu Jan 12 21:19:16 2006
Subject: Bouncing individual email addresses
In-Reply-To:
References:
Message-ID: <1060366267.25553.355.camel@speedy>

Check the MailScanner list archive. Search for:

sendmail access

Steve
Steve@FSL.com

On Fri, 2003-08-08 at 12:04, Nigel Haveron wrote:
> Is it possible in MailScanner to bounce singly addressed emails just for
> certain "To:" addresses with a "user not found", these are for people who
> have left but I am still getting large amounts of spam (over 50% is to
> these), as I am just using MailScanner/Sendmail as a relay I cannot use the
> address mapping features in Sendmail to say "no user". So is there an easy
> way to do this, it would cut down on the MailScanner processing if it was
> bounced first.
>
> I have figured out a roundabout way, using rulesets for 'definitely is
> spam' and 'spam actions', by marking all email for the address as spam and
> then bouncing spam for that address, but I don't feel this is the correct
> way to do it.
>
> I have recently installed MailScanner 4.22-5 on RedHat8 as an SMTP relay,
> running with Sendmail, SpamAssassin and ClamAV.
>
> Any help would be appreciated.
>
> Regards,
> Nigel Haveron

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

--
Postmaster@FSL.com
Fortress Systems, Ltd.
Email Gateways
info@FSL.com
www.FSL.com

From RKearney at AZERTY.COM Fri Aug 8 19:20:09 2003
From: RKearney at AZERTY.COM (Kearney, Rob) Date: Thu Jan 12 21:19:16 2006 Subject: Internet -> Mailscanner -> Exchange 2000 Message-ID: <210DF55DED65B547896F728FB057F3B2019C4569@seaver.ussco.com> I don't know if this applies to Postfix, but in sendmail, you would need to enclose your SMTP server in brackets '[' and ']' to bypass DNS lookups. This is just in case your DNS server in your DMZ points to your Mailscanner box or firewall, so mail doesn't go in a loop. so for sendmail, you would use in mailertable domain.com smtp:[hostname.exchange.server] -rob -----Original Message----- From: Mike Kercher [mailto:mike@CAMAROSS.NET] Sent: Thursday, August 07, 2003 11:03 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Internet -> Mailscanner -> Exchange 2000 This is actually a very simple process. Say your TLD is domain.com You make the MX record in DNS point to the IP of your sendmail/MailScanner machine. You add an entry to /etc/mail/relay-domains: domain.com Add an entry to /etc/mailertable: domain.com smtp:hostname.exchange.server Save your file and hash it. Restart MailScanner and you are done. -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ugo Bellavance Sent: Thursday, August 07, 2003 9:40 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Internet -> Mailscanner -> Exchange 2000 Hi, I searched through the archives, but didn't find anything relevant. I am looking forward to using Mailscanner in front of my Exchange 2000 server (by the way, it could be any SMTP server). I read the docs, but in all cases, it talks about mailscanner being installed on the machine where the actual mailboxes are. What I want to do is filter out spam and viruses (although I have symantec AV for exchange) with mailscanner, in the DMZ, and then send the filtered messages to my Exchange 2000 server. Right now, my Exchange 2000 server receives mail directly from the internet and I don't really like that. I would, at least, want to have a mail relay in my DMZ (so that I wouldn't care too much if it's compromised, since there is a firewall between it and my LAN), that sends the messages to my internal Exchange server. Of course, since MailScanner can filter spam and viruses, I would like to implement that as well. How do I do that? simply putting my exchange 2000 server as a "relay_host" in postfix? I tried a few things, like playing with the transport file, but the result is that it sent the mail to the Exchange server, but without scanning for virus and filtering spam. How do I know it is not scanned? I don't see these messages in my logs: Aug 7 07:48:20 server MailScanner[4450]: New Batch: Scanning 1 messages, 501 bytes Aug 7 07:48:34 server MailScanner[4450]: Virus and Content Scanning: Starting Aug 7 07:48:34 server MailScanner[4450]: Uninfected: Delivered 1 messages Thanks, Ugo Bellavance, ----------------------------- What do you plan to do with all your freedom? http://www.gnu.org/ From TGFurnish at HERFF-JONES.COM Fri Aug 8 19:22:44 2003 
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:19:16 2006 Subject: Notifications? Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C0768@inex1.herffjones.hj-int> Actually my first thought was a daily email message with a list of messages (sender and subject), and since the goal would be to make it quick and simple, how about a checkbox by each message row and a submit button at the bottom of the message. We'd just embed a form tag in the me... Oh, wait, form tag. Nevermind. ;^) But then, along the same lines, it occurs to me that putting even just a list of message senders and subjects into a digest to be sent to the user may be likely never to get there ... because it would be likely considered spam. And that leads me to, "Well, that's ok, I really didn't want another daily message anyway." And THAT, leads me in turn to the idea that perhaps instead of daily digests, we could automatically create a username and password for access to a web interface that allows releasing messages. This username would just be the email address and the password something autogenerated. It would be sent to the user the first time a spam was stored, then only sent again if the user loses the password and requests it. Several advantages here, not the least of which is that instead of waiting for a daily digest listing the blocked messages, the user could hit the web page as soon as they suspect a message has been blocked. For example, when Tom emails Bob a message and Bob is waiting for it, after a few minutes he doesn't have to say "It didn't come through, I bet the spamfilter got it - I'll call the helpdesk" - instead he can say "Hold on, maybe it got stuck in that dang spamfilter again - let me check." Of course, immediacy of being able to check for a "stuck" message implies real-time (not batched) logging into a database or log file - otherwise the user would have to wait for MS to flush its logs. -t. PS: I reserve the right to be wrong. 
:-) From mbowman at UDCOM.COM Fri Aug 8 19:20:42 2003 From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:19:16 2006 Subject: Internet -> Mailscanner -> Exchange 2000 Message-ID: I think you need esmtp E.g. domain.tld esmtp:[hostname.domain.tld] In mailertable This is how I set my setup to forward onto exchange servers. Matthew "Kearney, Rob" Sent by: MailScanner mailing list 08/08/2003 02:20 PM Please respond to MailScanner mailing list To: MAILSCANNER@JISCMAIL.AC.UK cc: Subject: Re: Internet -> Mailscanner -> Exchange 2000 I don't know if this applies to Postfix, but in sendmail, you would need to enclose your SMTP server in brackets '[' and ']' to bypass DNS lookups. This is just in case your DNS server in your DMZ points to your Mailscanner box or firewall, so mail doesn't go in a loop. so for sendmail, you would use in mailertable domain.com smtp:[hostname.exchange.server] -rob -----Original Message----- From: Mike Kercher [mailto:mike@CAMAROSS.NET] Sent: Thursday, August 07, 2003 11:03 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Internet -> Mailscanner -> Exchange 2000 This is actually a very simple process. Say your TLD is domain.com You make the MX record in DNS point to the IP of your sendmail/MailScanner machine. You add an entry to /etc/mail/relay-domains: domain.com Add an entry to /etc/mailertable: domain.com smtp:hostname.exchange.server Save your file and hash it. Restart MailScanner and you are done. -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ugo Bellavance Sent: Thursday, August 07, 2003 9:40 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Internet -> Mailscanner -> Exchange 2000 Hi, I searched through the archives, but didn't find anything relevant. I am looking forward to using Mailscanner in front of my Exchange 2000 server (by the way, it could be any SMTP server). I read the docs, but in all cases, it talks about mailscanner being installed on the machine where the actual mailboxes are. What I want to do is filter out spam and viruses (although I have symantec AV for exchange) with mailscanner, in the DMZ, and then send the filtered messages to my Exchange 2000 server. Right now, my Exchange 2000 server receives mail directly from the internet and I don't really like that. I would, at least, want to have a mail relay in my DMZ (so that I wouldn't care too much if it's compromised, since there is a firewall between it and my LAN), that sends the messages to my internal Exchange server. Of course, since MailScanner can filter spam and viruses, I would like to implement that as well. How do I do that? simply putting my exchange 2000 server as a "relay_host" in postfix? I tried a few things, like playing with the transport file, but the result is that it sent the mail to the Exchange server, but without scanning for virus and filtering spam. How do I know it is not scanned? I don't see these messages in my logs: Aug 7 07:48:20 server MailScanner[4450]: New Batch: Scanning 1 messages, 501 bytes Aug 7 07:48:34 server MailScanner[4450]: Virus and Content Scanning: Starting Aug 7 07:48:34 server MailScanner[4450]: Uninfected: Delivered 1 messages Thanks, Ugo Bellavance, ----------------------------- What do you plan to do with all your freedom? http://www.gnu.org/ From mike at CAMAROSS.NET Fri Aug 8 19:27:52 2003 
From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:19:16 2006 Subject: Internet -> Mailscanner -> Exchange 2000 In-Reply-To: Message-ID: <011e01c35dda$c77875c0$a91cbdcf@home.middlefinger.net> I couldn't say for sure...for the most part, I forward to OpenExchange servers. Mike > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Matthew Bowman > Sent: Friday, August 08, 2003 1:21 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Internet -> Mailscanner -> Exchange 2000 > > > I think you need esmtp > > E.g. > > domain.tld esmtp:[hostname.domain.tld] > > In mailertable > > This is how I set my setup to forward onto exchange servers. > > Matthew > > > > > > "Kearney, Rob" > Sent by: MailScanner mailing list > 08/08/2003 02:20 PM Please > respond to MailScanner mailing list > > > To: MAILSCANNER@JISCMAIL.AC.UK > cc: > Subject: Re: Internet -> Mailscanner -> Exchange 2000 > > > I don't know if this applies to Postfix, but in sendmail, you > would need to enclose your SMTP server in brackets '[' and > ']' to bypass DNS lookups. This is just in case your DNS > server in your DMZ points to your Mailscanner box or > firewall, so mail doesn't go in a loop. > > so for sendmail, you would use in mailertable > > domain.com smtp:[hostname.exchange.server] > > > -rob > > > > -----Original Message----- > From: Mike Kercher [mailto:mike@CAMAROSS.NET] > Sent: Thursday, August 07, 2003 11:03 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Internet -> Mailscanner -> Exchange 2000 > > > This is actually a very simple process. > > Say your TLD is domain.com > > You make the MX record in DNS point to the IP of your > sendmail/MailScanner machine. > > You add an entry to /etc/mail/relay-domains: > > domain.com > > Add an entry to /etc/mailertable: > > domain.com smtp:hostname.exchange.server > > Save your file and hash it. > > Restart MailScanner and you are done. > > -----Original Message----- 
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf > Of Ugo > Bellavance > Sent: Thursday, August 07, 2003 9:40 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Internet -> Mailscanner -> Exchange 2000 > > > Hi, > > I searched through the archives, but didn't find > anything relevant. I am looking forward to using Mailscanner in > front of my Exchange 2000 server (by the way, it could be any > SMTP server). I read the docs, but in all cases, it talks > about mailscanner being installed on the machine where the > actual mailboxes are. What I want to do is filter out spam > and viruses (although I have symantec AV for exchange) with > mailscanner, in the DMZ, and then send the filtered messages > to my Exchange 2000 server. Right now, my Exchange 2000 > server receives mail directly from the internet and I don't > really like that. I would, at least, want to have a mail > relay in my DMZ (so that I wouldn't care too much if it's > compromised, since there is a firewall between it and my > LAN), that sends the messages to my internal Exchange server. > Of course, since MailScanner can filter spam and viruses, I > would like to implement that as well. > > How do I do that? simply putting my exchange 2000 > server as a "relay_host" in postfix? I tried a few things, > like playing with the transport file, but the result is that > it sent the mail to the Exchange server, but without scanning > for virus and filtering spam. How do I know it is not > scanned? I don't see these messages in my logs: > > Aug 7 07:48:20 server MailScanner[4450]: New Batch: Scanning > 1 messages, 501 bytes Aug 7 07:48:34 server > MailScanner[4450]: Virus and Content > Scanning: Starting Aug 7 07:48:34 server MailScanner[4450]: > Uninfected: Delivered 1 messages > > Thanks, > > Ugo Bellavance, > ----------------------------- > What do you plan to do with all your freedom? http://www.gnu.org/ > From dwinkler at ALGORITHMICS.COM Fri Aug 8 19:50:18 2003 
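The relay-in-front-of-Exchange setup in the thread above (MX for the domain pointing at the MailScanner box, the domain listed in /etc/mail/relay-domains, a mailertable entry handing it to the Exchange host, then makemap hash and a restart) hinges on Rob Kearney's point: the target host must be in brackets, otherwise sendmail does an MX lookup for it, and in a DMZ where the MX for the domain is the relay itself the scanned mail comes straight back. The following is an added example and not code from the thread, from MailScanner or from sendmail: a small Python helper that emits bracketed mailertable entries and lints an existing mailertable for the unbracketed and self-pointing cases. The entry format is sendmail's documented domain, tab, mailer:host; the function names, lint rules and sample table are this example's own assumptions.

```python
"""Added example (not from the MailScanner thread, MailScanner or sendmail).

Helpers for the relay-in-front-of-Exchange setup discussed above:
emit /etc/mail/mailertable entries that route a domain to an internal
server, and lint an existing table for the two hazards the thread raises.
Assumed entry format, from sendmail's mailertable documentation:
"domain<TAB>mailer:host"; a host in [brackets] is looked up as an A
record and connected to directly, with no MX lookup.
After editing the real file:
    makemap hash /etc/mail/mailertable < /etc/mail/mailertable
"""
import re

# "domain", or ".domain" for the subdomain-wildcard form.
_DOMAIN_RE = re.compile(r"^\.?[a-z0-9-]+(\.[a-z0-9-]+)*$")
# domain, whitespace, mailer:target (target may carry text, e.g. "error:nohost Unknown")
_ENTRY_RE = re.compile(r"^(?P<domain>\S+)\s+(?P<mailer>[a-z0-9]+):(?P<target>.*)$")


def mailertable_entry(domain, host, mailer="esmtp"):
    """One mailertable line handing `domain` to `host`.

    The host is always bracketed. The public MX for the domain must point
    at this relay, so a resolver that returned that MX for an unbracketed
    target would send the already-scanned mail back here in a loop.
    """
    domain = domain.lower()
    if not _DOMAIN_RE.match(domain):
        raise ValueError("not a domain: %r" % domain)
    return "%s\t%s:[%s]" % (domain, mailer, host)


def lint_mailertable(text, relay_names):
    """Report (line number, problem, detail) for each risky entry in `text`.

    relay_names: every name and address this relay answers to. Problems:
      unparseable  - line does not look like domain<TAB>mailer:target
      unbracketed  - target is resolved via MX (possible loop, see above)
      loop         - target is this relay itself
    """
    known = {n.lower() for n in relay_names}
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            problems.append((lineno, "unparseable", line))
            continue
        mailer, target = m.group("mailer"), m.group("target").strip()
        if mailer in ("error", "local"):
            continue  # no remote delivery, so nothing to loop
        if target.startswith("[") and target.endswith("]"):
            host = target[1:-1]
        else:
            host = target
            problems.append((lineno, "unbracketed", target))
        if host.lower() in known:
            problems.append((lineno, "loop", host))
    return problems


if __name__ == "__main__":
    # Constructed sample: the thread's entry plus two bad lines.
    sample = "\n".join([
        mailertable_entry("domain.com", "hostname.exchange.server"),
        "domain.org\tsmtp:mail.domain.org",             # MX lookup
        "domain.net\tesmtp:[mailscanner.domain.net]",   # points at us
    ])
    for lineno, problem, detail in lint_mailertable(sample, ["mailscanner.domain.net"]):
        print("line %d: %s: %s" % (lineno, problem, detail))
```

Run the lint against the real /etc/mail/mailertable with every hostname and IP the relay is known by before running makemap; an entry that the lint flags as a loop will not show up as a MailScanner error, the message just bounces between the relay and itself until it hits the hop limit.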
From: dwinkler at ALGORITHMICS.COM (Derek Winkler) Date: Thu Jan 12 21:19:16 2006 Subject: Notifications? Message-ID: <06EE2C86D3DAD5119A6C0060943F3C97055E70ED@tormail1.algorithmics.com> Should be easy enough to whitelist daily digest. My idea was to have a link for each message in the digest. The link would include an MD5 signature of the email or subject, sender and receiver combined as basic authentication. This avoids the messy authentication for each user. Of course people would be able to see these in the digest emails but how far do you want to go. I'm not too interested in maintaining yet another username/password combo. The web page could display a list of actions to perform on that email, including Whitelist, Forward, Learn as Ham... Users would be able to select more than one action. -----Original Message----- 
From: Furnish, Trever G [mailto:TGFurnish@herff-jones.com] Sent: Friday, August 08, 2003 2:23 PM To: MAILSCANNER@jiscmail.ac.uk Subject: Re: Notifications? Actually my first thought was a daily email message with a list of messages (sender and subject), and since the goal would be to make it quick and simple, how about a checkbox by each message row and a submit button at the bottom of the message. We'd just embed a form tag in the me... Oh, wait, form tag. Nevermind. ;^) But then, along the same lines, it occurs to me that putting even just a list of message senders and subjects into a digest to be sent to the user may be likely never to get there ... because it would be likely considered spam. And that leads me to, "Well, that's ok, I really didn't want another daily message anyway." And THAT, leads me in turn to the idea that perhaps instead of daily digests, we could automatically create a username and password for access to a web interface that allows releasing messages. This username would just be the email address and the password something autogenerated. It would be sent to the user the first time a spam was stored, then only sent again if the user loses the password and requests it. Several advantages here, not the least of which is that instead of waiting for a daily digest listing the blocked messages, the user could hit the web page as soon as they suspect a message has been blocked. For example, when Tom emails Bob a message and Bob is waiting for it, after a few minutes he doesn't have to say "It didn't come through, I bet the spamfilter got it - I'll call the helpdesk" - instead he can say "Hold on, maybe it got stuck in that dang spamfilter again - let me check." Of course, immediacy of being able to check for a "stuck" message implies real-time (not batched) logging into a database or log file - otherwise the user would have to wait for MS to flush its logs. -t. PS: I reserve the right to be wrong. 
:-) -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030808/fc267453/attachment.html From mailscanner at LISTS.COM.AR Fri Aug 8 20:04:37 2003 From: mailscanner at LISTS.COM.AR (Mariano Absatz) Date: Thu Jan 12 21:19:16 2006 Subject: Translation request - Spanish In-Reply-To: <5.2.0.9.2.20030807122158.04c33b80@imap.ecs.soton.ac.uk> Message-ID: <3F33CA15.22702.15E6B4E2@localhost> Hi, I'm attaching the new files from 4.22-3 translated into Spanish. I made a slight modification to languages.conf also. Regards. On 7 Aug 2003 at 12:25, Julian Field wrote: > Please can you do me a big favour and translate all of these into your > favourite languages. They are the 3 messages that are sent in response to > messages containing dangerous content (such as HTML IFRAME tags and stuff > like that). > > Sender report: 
> > >From: "MailScanner" <$localpostmaster> > >To: $from > >Subject: Potentially dangerous email rejected > >X-MailScanner: generated > > > >Our email content filters have been triggered by a message you sent:- > > To: $to > > Subject: $subject > > Date: $date > >This message has been rejected. The filters said this: > >$report. > > > >This message contained potentially dangerous content which has been removed. > > > >If you were attempting to send a web page, please try saving the web page > >to a file, and then attach that file to the message instead. > > > >If you have any questions about this, or you believe you have received > >this message in error, please contact the site system administrators. > > > >-- > >MailScanner > >Email Virus Scanner > >www.mailscanner.info > >Mailscanner thanks transtec Computers for their support > > Content Deleted report: > > >This is a message from the MailScanner E-Mail Virus Protection Service > >---------------------------------------------------------------------- > >The original e-mail message contained potentially dangerous content, > >which has been removed for your safety. > > > >The content is dangerous as it is often used to spread viruses or to gain > >personal or confidential information from you, such as passwords or credit > >card numbers. > > > >Due to limitations placed on us by the Regulation of Investigatory Powers > >Act 2000, we were unable to keep a copy of the original attachment. > > > >The content filters found this: > >$report > >-- > >Postmaster > >Mailscanner thanks transtec Computers for their support > > > Content Stored report: > > >This is a message from the MailScanner E-Mail Virus Protection Service > >---------------------------------------------------------------------- > >The original e-mail message contained potentially dangerous content, > >which has been removed for your safety. 
> > > >The content is dangerous as it is often used to spread viruses or to gain > >personal or confidential information from you, such as passwords or credit > >card numbers. > > > >If you wish to receive a copy of the original email, please > >e-mail helpdesk and include the whole of this message > >in your request. Alternatively, you can call them, with > >the contents of this message to hand when you call. > > > >At $date the content filters said: > >$report > >Note to Help Desk: Look on $hostname in $quarantinedir/$datenumber > >(message $id). > >-- > >Postmaster > >Mailscanner thanks transtec Computers for their support > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support -- Mariano Absatz El Baby ---------------------------------------------------------- I never forget a face, but in your case I'll be glad to make an exception. -- Groucho Marx -------------- next part -------------- A non-text attachment was scrubbed... Name: reports-spanish.tgz Type: application/octet-stream Size: 2349 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030808/7ca03166/reports-spanish.obj From mailscanner at LISTS.COM.AR Fri Aug 8 20:12:54 2003 
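Returning to the Notifications thread above: Derek Winkler's digest link carries "an MD5 signature of the email or subject, sender and receiver combined as basic authentication". A hash over fields with no secret in it can be recomputed by anyone who knows those fields, and the party who knows the subject, sender and receiver of a quarantined spam best is whoever sent it, so that link is a capability the spammer can mint. The following is an added example, not code from the thread or from MailScanner: the same one-link-per-message digest, but with the token being an HMAC under a per-site secret over the quarantine message id, the recipient and an expiry, checked in constant time. The secret, message ids, URL and function names are this example's own assumptions.

```python
"""Added example (not from the MailScanner thread or project).

Digest release links with a keyed token. The thread proposes an MD5 of
subject+sender+receiver as the "authentication" in the link; anyone who
knows those fields (the spammer who sent the mail does) can compute it.
Here the token is an HMAC under a per-site secret over the quarantine
message id, the recipient and an expiry time, so it cannot be forged
without the secret and stops working after TOKEN_TTL.
Secret, ids, URL and names are this example's assumptions.
"""
import hashlib
import hmac
import time
from urllib.parse import urlencode

SECRET = b"replace-with-32-random-bytes-from-a-root-only-file"  # assumption
TOKEN_TTL = 7 * 24 * 3600  # a digest link is usable for a week


def _mac(message_id, recipient, expires, secret):
    # NUL-separated so "a"+"bc" and "ab"+"c" cannot collide.
    data = "\0".join([message_id, recipient.lower(), str(expires)]).encode()
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def make_release_token(message_id, recipient, now=None, secret=SECRET, ttl=TOKEN_TTL):
    """Capability letting `recipient` act on quarantined `message_id`."""
    now = int(time.time() if now is None else now)
    expires = now + ttl
    return "%d.%s" % (expires, _mac(message_id, recipient, expires, secret))


def check_release_token(token, message_id, recipient, now=None, secret=SECRET):
    """True only if the token is well formed, unexpired and MACs these fields."""
    try:
        exp_s, mac = token.split(".", 1)
        expires = int(exp_s)
    except ValueError:
        return False
    now = int(time.time() if now is None else now)
    if expires < now:
        return False
    # compare_digest: an ordinary == returns at the first wrong byte,
    # which leaks how much of a guessed MAC was right.
    return hmac.compare_digest(mac, _mac(message_id, recipient, expires, secret))


def digest_links(quarantined, recipient, base_url, now=None):
    """(subject, release URL) pairs for one recipient's daily digest.

    quarantined: iterable of (message_id, subject) for mail held for them.
    The web side looks up id, checks the token against id and to, and only
    then offers actions such as release, whitelist or learn-as-ham.
    """
    out = []
    for message_id, subject in quarantined:
        token = make_release_token(message_id, recipient, now=now)
        query = urlencode({"id": message_id, "to": recipient, "t": token})
        out.append((subject, "%s?%s" % (base_url, query)))
    return out
```

The token does not need a per-user password, which was the thread's objection to a web login; what it needs instead is that the secret stays on the server (a root-only file, not the MailScanner config that the web interface can read) and that the web handler treats id and to as untrusted input, authorising them only through check_release_token.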
From: mailscanner at LISTS.COM.AR (Mariano Absatz) Date: Thu Jan 12 21:19:16 2006 Subject: ANNOUNCE: Beta release 4.23-2 In-Reply-To: <5.2.0.9.2.20030808124017.0464e458@imap.ecs.soton.ac.uk> Message-ID: <3F33CC06.15710.15EE4CF8@localhost> Hi, I just opened the rpm and see that you didn't apply the patches for smooth ZMailer usage via rpm... I left copies of the modified files under http://baby.com.ar/MailScanner/ModifiedFilesForMailScannerDistribution/ in the init.d and sysconfig directories. In the doc directory, you'll find an updated zmailer.shtml installation instruction. If you want, just upgrade the init.d and sysconfig scripts and I'll later complete the doc so you can upgrade the site. Next week I'll be completely off-line, hopefully skiing in the southern winter :-) Regards. On 8 Aug 2003 at 12:41, Julian Field wrote: > I have added support for eTrust. > I have also greatly improved the flexibility of the "Allowed Sophos Error > Messages" option so you can specify multiple strings so you can allow for > lots of different errors it may produce. > > Download as usual from > www.mailscanner.info > > Let me know how you get on. > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support -- Mariano Absatz El Baby ---------------------------------------------------------- Lottery: A tax on people who are bad at math. From mailinglists at PC.CHICAGO.IL.US Fri Aug 8 20:00:20 2003 
From: mailinglists at PC.CHICAGO.IL.US (f ewf) Date: Thu Jan 12 21:19:16 2006 Subject: Mailscanner/Sophos detecting fewer and fewer viruses every day??? Message-ID: <6.0.0.14.0.20030808133948.025f6a60@cainkar.com> My mailscanner installation is exhibiting behavior which may be symptoms of malfunctioning. When I first installed mailscanner + sophos three weeks ago mailscanner-mrtg reported 840 finds the first day, 840 the second, 620 the third, 420 the fourth, 250 the fifth, 210 the sixth. First week installation numbers set aside, mailscanner has only found around 60-80 a day during the last 2 weeks. I also have had reports of our users receiving the mimail virus through the relay but it is possible that the ide patch was delayed. I have verified the existence of the Mimail's IDE file for Sophos. Additionally, when my user forwarded the message to me the virus scanner picked it up. However, with the wildness of this virus I'd expect to receive more than 2 occurrences per day for 23k messages relayed. Are these normal virus detection patterns, or is something configured incorrectly or malfunctioning? What percentage of mail, on average, is a virus? Was there a spike of viruses net-wide the first week it was installed (three weeks ago)? Every time I send the eicar test virus it picks it up. Mailscanner-mrtg graphs are available upon request. Thank you! From Antony at SOFT-SOLUTIONS.CO.UK Fri Aug 8 20:23:41 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:16 2006 Subject: Mailscanner/Sophos detecting fewer and fewer viruses every day??? In-Reply-To: <6.0.0.14.0.20030808133948.025f6a60@cainkar.com> References: <6.0.0.14.0.20030808133948.025f6a60@cainkar.com> Message-ID: <200308081923.h78JNiD16625@onyx.rockstone.co.uk> On Friday 08 August 2003 8:00 pm, f ewf wrote: > My mailscanner installation is exhibiting behavior which may be symptoms of > malfunctioning. When I first installed mailscanner + sophos three weeks > ago mailscanner-mrtg reported 840 finds the first day, 840 the second, 620 > the third, 420 the fourth, 250 the fifth, 210 the sixth. > > Are these normal virus detection patterns, or is something configured > incorrectly or malfunctioning? If you're doubtful about whether Sophos is working correctly, try adding another virus scanning engine to the system and see if anything gets picked up by one and not the other. I recommend you try ClamAV - it's free, it's Open Source, and in the past few months it's become tremendously better, with some pretty prompt updates in the past few weeks as well. One possible explanation for your diminishing virus detection rates is that internal machines are not getting infected and then trying to send the viruses out again? What anti-virus measures did you have in place before implementing MailScanner & Sophos? > What percentage of mail, on average, is a virus? That depends a lot on whether you're measuring incoming or outgoing mail, or both. I see something like 2%, for both inbound & outbound mail (but I have no idea whether that's considered "normal"). Regards, Antony. -- If the human brain were so simple that we could understand it, we'd be so simple that we couldn't. From mailscanner at ecs.soton.ac.uk Fri Aug 8 20:30:52 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:16 2006 Subject: Mailscanner/Sophos detecting fewer and fewer viruses every day??? In-Reply-To: <200308081923.h78JNiD16625@onyx.rockstone.co.uk> References: <6.0.0.14.0.20030808133948.025f6a60@cainkar.com> <6.0.0.14.0.20030808133948.025f6a60@cainkar.com> Message-ID: <5.2.1.1.2.20030808202921.03749ec8@imap.ecs.soton.ac.uk> At 20:23 08/08/2003, you wrote: > > What percentage of mail, on average, is a virus? > >That depends a lot on whether you're measuring incoming or outgoing mail, or >both. I see something like 2%, for both inbound & outbound mail (but I have >no idea whether that's considered "normal"). According to MessageLabs, who have a much larger marketing budget than I do, it's about 1 in 150 messages on average. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Aug 8 20:34:39 2003 From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk) Date: Thu Jan 12 21:19:16 2006 Subject: NOTIFY-New Guestbook Entry Message-ID: <200308081934.h78JYd53006476@seer.ecs.soton.ac.uk> New Guestbook-Entry from Vlad A. Friedman Your software has proven itself to be quite remarkable and no-one here can believe the results we are achieving.

In processing about 500,000 messages in our first month, MailScanner has caught 100% of the viruses and 99.5% of all Spam (with SA) entering our network with a false positive rate of less than 0.04% with only a minor amount of tweaking. We are still tuning SA settings to get the false positive rate down even further.

Overall, I would say we are getting the same if not better results with MailScanner than with a $10,000 per year commercial package we beta tested.

Even the install went smoothly (an uncommon experience for open source apps)

Just wanted to say thanks for doing such a great job!!!!

Vlad A. Friedman, CEO
http://Edgewebhosting.net

From Antony at SOFT-SOLUTIONS.CO.UK Fri Aug 8 20:40:35 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:16 2006 Subject: Mailscanner/Sophos detecting fewer and fewer viruses every day??? In-Reply-To: <5.2.1.1.2.20030808202921.03749ec8@imap.ecs.soton.ac.uk> References: <6.0.0.14.0.20030808133948.025f6a60@cainkar.com> <5.2.1.1.2.20030808202921.03749ec8@imap.ecs.soton.ac.uk> Message-ID: <200308081940.h78JecD16643@onyx.rockstone.co.uk> On Friday 08 August 2003 8:30 pm, Julian Field wrote: > At 20:23 08/08/2003, you wrote: > > > What percentage of mail, on average, is a virus? > > > >That depends a lot on whether you're measuring incoming or outgoing mail, > > or both. I see something like 2%, for both inbound & outbound mail (but > > I have no idea whether that's considered "normal"). > > According to MessageLabs, who have a much larger marketing budget than I > do, it's about 1 in 150 messages on average. And I suspect that should nearly all be considered as "incoming" mail, since customers use MessageLabs to filter their inbound mail - I don't believe they typically process the outbound stuff as well? Antony. -- Normal people think "if it ain't broke, don't fix it". Engineers think "if it ain't broke, it doesn't have enough features yet". From dml at UNB.CA Fri Aug 8 20:43:34 2003 From: dml at UNB.CA (Lancaster, David) Date: Thu Jan 12 21:19:16 2006 Subject: Mailscanner/Sophos detecting fewer and fewer viruses every day??? In-Reply-To: <5.2.1.1.2.20030808202921.03749ec8@imap.ecs.soton.ac.uk> References: <6.0.0.14.0.20030808133948.025f6a60@cainkar.com> <6.0.0.14.0.20030808133948.025f6a60@cainkar.com> <5.2.1.1.2.20030808202921.03749ec8@imap.ecs.soton.ac.uk> Message-ID: <1060371814.3f33fd668861c@webmail.unb.ca> Quoting Julian Field : > At 20:23 08/08/2003, you wrote: > > > What percentage of mail, on average, is a virus? > > > >That depends a lot on whether you're measuring incoming or outgoing mail, or > >both. 
I see something like 2%, for both inbound & outbound mail (but I have > >no idea whether that's considered "normal"). > > According to MessageLabs, who have a much larger marketing budget than I > do, it's about 1 in 150 messages on average. My weekly stats for incoming external email are 2360/453488, or 0.5%. Internally, we had 6/136559, or 0.004%. These are figures for # of mail messages, not # of recipients. D. From kevins at BMRB.CO.UK Fri Aug 8 20:50:10 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:19:16 2006 Subject: Bouncing individual email addresses In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7287@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0015A7287@pascal.priv.bmrb.co.uk> Message-ID: <1060372214.3668.6.camel@bach.kevinspicer.co.uk> >If you want to avoid the MS processing overhead for these users, why >not set >rules for "Spam Checks = " so that those users are listed as "no" and >not >bother to do any spam checking for them at all? Then just let the >relay >machine deliver them as quickly as possible to the system which *can* >do >proper address mapping to either dump the email to /dev/null or else >return >"no such user". This is not such a good idea, my experience is that most messages for people who have left are spam and what tends to happen is this.... MS machine receives mail attempts to forward to internal server (exchange in my case) internal server rejects mail because user doesn't exist MS machine attempts to return mail to sender with a delivery failure notification. Because sender address is often forged the bounce sits in the queue for 5 days before being sent to the local postmaster. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. 
If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mailinglists at PC.CHICAGO.IL.US Fri Aug 8 20:47:57 2003 From: mailinglists at PC.CHICAGO.IL.US (f ewf) Date: Thu Jan 12 21:19:16 2006 Subject: Mailscanner/Sophos detecting fewer and fewer viruses every day??? In-Reply-To: <200308081923.h78JNiD16625@onyx.rockstone.co.uk> References: <6.0.0.14.0.20030808133948.025f6a60@cainkar.com> <6.0.0.14.0.20030808133948.025f6a60@cainkar.com> Message-ID: <6.0.0.14.0.20030808144157.025e11f8@cainkar.com> This implementation of mailscanner only scans incoming messages at this time. I could try installing ClamAV and see what happens. Currently, 0.2% of e-mails received are viruses (1 in 500). During its peak at the initial installation it was finding around 3.7%. Thanks! At 02:23 PM 8/8/2003, you wrote: >On Friday 08 August 2003 8:00 pm, f ewf wrote: > > > My mailscanner installation is exhibiting behavior which may be symptoms of > > malfunctioning. When I first installed mailscanner + sophos three weeks > > ago mailscanner-mrtg reported 840 finds the first day, 840 the second, 620 > > the third, 420 the fourth, 250 the fifth, 210 the sixth. > > > > Are these normal virus detection patterns, or is something configured > > incorrectly or malfunctioning? > >If you're doubtful about whether Sophos is working correctly, try adding >another virus scanning engine to the system and see if anything gets picked >up by one and not the other. I recommend you try ClamAV - it's free, it's >Open Source, and in the past few months it's become tremendously better, with >some pretty prompt updates in the past few weeks as well. 
> >One possible explanation for your diminishing virus detection rates is that >internal machines are not getting infected and then trying to send the >viruses out again? What anti-virus measures did you have in place before >implementing MailScanner & Sophos? > > > What percentage of mail, on average, is a virus? > >That depends a lot on whether you're measuring incoming or outgoing mail, or >both. I see something like 2%, for both inbound & outbound mail (but I have >no idea whether that's considered "normal"). > >Regards, > >Antony. > >-- > >If the human brain were so simple that we could understand it, >we'd be so simple that we couldn't. From mike at CAMAROSS.NET Fri Aug 8 20:58:27 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:19:16 2006 Subject: Mailscanner/Sophos detecting fewer and fewer viruses every day??? In-Reply-To: <6.0.0.14.0.20030808144157.025e11f8@cainkar.com> Message-ID: <012601c35de7$6e9fc9a0$a91cbdcf@home.middlefinger.net> I have noticed that the number of viruses detected on my systems has decreased too. Perhaps this is the result of Admins, ISP's and users being more diligent about virus eradication. People like MailScanner users make the net safer on the whole. Although MiMail was touted to be running rampant, I received very few infections on all of my servers. None of them were from the US. Mike > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of f ewf > Sent: Friday, August 08, 2003 2:48 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Mailscanner/Sophos detecting fewer and fewer > viruses every day??? > > > This implementation of mailscanner only scans incoming > messages at this time. I could try installing ClamAV and see > what happens. Currently, 0.2% of e-mails received are > viruses (1 in 500). During its peak at the initial > installation it was finding around 3.7%. > > Thanks! 
>
>
> At 02:23 PM 8/8/2003, you wrote:
> >On Friday 08 August 2003 8:00 pm, f ewf wrote:
> >
> > > My mailscanner installation is exhibiting behavior which may be
> > > symptoms of malfunctioning. When I first installed mailscanner +
> > > sophos three weeks ago mailscanner-mrtg reported 840 finds the first
> > > day, 840 the second, 620 the third, 420 the fourth, 250 the fifth,
> > > 210 the sixth.
> > >
> > > Are these normal virus detection patterns, or is something
> > > configured incorrectly or malfunctioning?
> >
> >If you're doubtful about whether Sophos is working correctly, try
> >adding another virus scanning engine to the system and see if anything
> >gets picked up by one and not the other. I recommend you try ClamAV -
> >it's free, it's Open Source, and in the past few months it's become
> >tremendously better, with some pretty prompt updates in the past few
> >weeks as well.
> >
> >One possible explanation for your diminishing virus detection rates is
> >that internal machines are not getting infected and then trying to send
> >the viruses out again? What anti-virus measures did you have in place
> >before implementing MailScanner & Sophos?
> >
> > > What percentage of mail, on average, is a virus?
> >
> >That depends a lot on whether you're measuring incoming or outgoing
> >mail, or both. I see something like 2%, for both inbound & outbound
> >mail (but I have no idea whether that's considered "normal").
> >
> >Regards,
> >
> >Antony.
> >
> >--
> >
> >If the human brain were so simple that we could understand it, we'd be
> >so simple that we couldn't.
>

From Antony at SOFT-SOLUTIONS.CO.UK Fri Aug 8 20:56:27 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:16 2006
Subject: Bouncing individual email addresses
In-Reply-To: <1060372214.3668.6.camel@bach.kevinspicer.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7287@pascal.priv.bmrb.co.uk> <1060372214.3668.6.camel@bach.kevinspicer.co.uk>
Message-ID: <200308081956.h78JuUD16650@onyx.rockstone.co.uk>

On Friday 08 August 2003 8:50 pm, Kevin Spicer wrote:
> >If you want to avoid the MS processing overhead for these users, why
> >not set rules for "Spam Checks = " so that those users are listed as "no"
> >and not bother to do any spam checking for them at all? Then just let the
> >relay machine deliver them as quickly as possible to the system which *can*
> >do proper address mapping to either dump the email to /dev/null or else
> >return "no such user".
>
> This is not such a good idea, my experience is that most messages for
> people who have left are spam and what tends to happen is this....
>
> MS machine receives mail
> attempts to forward to internal server (exchange in my case)
> internal server rejects mail because user doesn't exist
> MS machine attempts to return mail to sender with a delivery failure
> notification.
> Because sender address is often forged the bounce sits in the queue for
> 5 days before being sent to the local postmaster.

This is a good reason for not trying to bounce the mail with "no such user" unless it can be done on the receiving MTA (which, very happily, according to Trever Furnish, it can be, even when it's only acting as a relay).

Hence my alternative suggestion that mail for those users be forwarded to /dev/null on the 'real' mail server.

Regards,

Antony.
--
This email is intended for the use of the individual addressee(s) named above and may contain information that is confidential, privileged or unsuitable for overly sensitive persons with low self-esteem, no sense of humour, or irrational religious beliefs. If you have received this email in error, you are required to shred it immediately, add some nutmeg, three egg whites and a dessertspoonful of caster sugar. Whisk until soft peaks form, then place in a warm oven for 40 minutes. Remove promptly and let stand for 2 hours before adding some decorative kiwi fruit and cream. Then notify me immediately by return email and eat the original message.

From kevins at BMRB.CO.UK Fri Aug 8 20:56:56 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:16 2006
Subject: Mailscanner/Sophos detecting fewer and fewer viruses every day???
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0015A7298@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0015A7298@pascal.priv.bmrb.co.uk>
Message-ID: <1060372617.3670.11.camel@bach.kevinspicer.co.uk>

> Was there a spike of viruses net-wide the first week it was
>installed (three weeks ago)? Every time I send the eicar test virus it
>picks it up. Mailscanner-mrtg graphs are available upon request.

I certainly noticed a lot of viruses around that time (mostly Fizzer & Bugbear IIRC). I notice wide fluctuations though - usually when one of our client or partner companies has a problem they'll flood all their contacts in our domain with multiple virus mails. I guess this would only even out with a massively bigger user base.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
From mailscanner at ELKNET.NET Fri Aug 8 21:12:02 2003
From: mailscanner at ELKNET.NET (Alan Fiebig)
Date: Thu Jan 12 21:19:16 2006
Subject: Mailscanner/Sophos detecting fewer and fewer viruses every day???
Message-ID: <200308082012.h78KC3S06134@ori.rl.ac.uk>

For what it's worth:

Over the past 16 days, my MailScanner has processed 2.9 million emails. Infection rate was 0.07% running Clam for the 8 days and F-Prot for the last 8 days. I have yet to record seeing even one mimail infected email.

Since this morning I've been running eTrust, and it is showing an infection rate of 0.13% against 26,000 emails processed. Again, not a single mimail seen yet

-Alan

>Are these normal virus detection patterns, or is something configured
>incorrectly or malfunctioning? What percentage of mail, on average, is a
>virus?

From rpeiper at WACA.COM Fri Aug 8 21:15:54 2003
From: rpeiper at WACA.COM (Richard Peiper)
Date: Thu Jan 12 21:19:16 2006
Subject: Messages in Mqueue not being delivered
Message-ID: <8DB4001650D7D411AF4C00902779129C0253207F@exchange1.waca.com>

I am not sure this is a MailScanner issue, but someone here probably knows more about sendmail than I do and can help with this.

We are running MailScanner 4.50 with the patch, and Spamassassin on a RedHat Linux 8.0 machine. Twice in the past 2 days the mail has stopped being delivered. It comes in, and is scanned, moves from mqueue.in to mqueue then just sits there.

If I reboot the machine, everything starts being delivered again EXCEPT for the ones which were sitting in mqueue previously. This has happened twice now and I have 5000 messages sitting in mqueue.

Anything new which comes in is immediately scanned and delivered.
Running sendmail -q processes the new messages but not the old ones. And running sendmail -qI -v just comes back to the prompt with nothing else printed.

Any ideas? Are these old messages now marked as undeliverable and will never be delivered again? Help please?

Thanks
Richard Peiper

From Antony at SOFT-SOLUTIONS.CO.UK Fri Aug 8 21:30:31 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:16 2006
Subject: Messages in Mqueue not being delivered
In-Reply-To: <8DB4001650D7D411AF4C00902779129C0253207F@exchange1.waca.com>
References: <8DB4001650D7D411AF4C00902779129C0253207F@exchange1.waca.com>
Message-ID: <200308082030.h78KUYD16676@onyx.rockstone.co.uk>

On Friday 08 August 2003 9:15 pm, Richard Peiper wrote:
> We are running MailScanner 4.50 with the patch, and Spamassassin on
> a RedHat Linux 8.0 machine. Twice in the past 2 days the mail has stopped
> being delivered. It comes in, and is scanned, moves from mqueue.in to
> mqueue then just sits there.
>
> Any ideas? Are these old messages now marked as undeliverable and
> will never be delivered again? Help please?

Do the files in your mqueue directory consist entirely of df.... and qf.... pairs, or do you have Qf... and/or xf.... files as well ?

Do the system logs show anything significant at the time the mail stopped being delivered (maybe, for example, a virus database update which got stuck?)

Antony.

--
You can spend the whole of your life trying to be popular, but at the end of the day the size of the crowd at your funeral will be largely dictated by the weather.
- Frank Skinner

From mailinglists at PC.CHICAGO.IL.US Fri Aug 8 21:27:04 2003
From: mailinglists at PC.CHICAGO.IL.US (f ewf)
Date: Thu Jan 12 21:19:16 2006
Subject: Messages in Mqueue not being delivered
In-Reply-To: <8DB4001650D7D411AF4C00902779129C0253207F@exchange1.waca.com>
Message-ID: <6.0.0.14.0.20030808152339.025d8c40@cainkar.com>

Take a look at the file names of the "stuck" messages in the queue and see the key at http://people.freenet.de/slgig/op_en/appendix_b.html . If your qf files are becoming Qf files, a configuration problem may need to be fixed and the uppercase Q put back to q to resume processing.

At 03:15 PM 8/8/2003, you wrote:
> I am not sure this is a MailScanner issue, but someone here probably
>knows more about sendmail than I do and can help with this.
>
> We are running MailScanner 4.50 with the patch, and Spamassassin on
>a RedHat Linux 8.0 machine. Twice in the past 2 days the mail has stopped
>being delivered. It comes in, and is scanned, moves from mqueue.in to mqueue
>then just sits there.
>
> If I reboot the machine, everything starts being delivered again
>EXCEPT for the ones which were sitting in mqueue previously. This has
>happened twice now and I have 5000 messages sitting in mqueue.
>
> Anything new which comes in is immediately scanned and delivered.
>Running sendmail -q processes the new messages but not the old ones. And
>running sendmail -qI -v just comes back to the prompt with nothing else
>printed.
>
> Any ideas? Are these old messages now marked as undeliverable and
>will never be delivered again? Help please?
>
> Thanks
> Richard Peiper

From raymond at PROLOCATION.NET Fri Aug 8 21:33:45 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:16 2006
Subject: Messages in Mqueue not being delivered
In-Reply-To: <6.0.0.14.0.20030808152339.025d8c40@cainkar.com>
Message-ID:

Hi!
On Fri, 8 Aug 2003, f ewf wrote:
                     ^^^^^
> Take a look at the file names of the "stuck" messages in the queue and see
> the key at http://people.freenet.de/slgig/op_en/appendix_b.html . If your
> qf files are becoming Qf files, a configuration problem may need to be
> fixed and the uppercase Q put back to q to resume processing.

Would you be so polite to put your real name in the messages you are sending to the list, assuming your name isn't ewf ?

Thanks,
Raymond.

From rpeiper at WACA.COM Fri Aug 8 21:40:19 2003
From: rpeiper at WACA.COM (Richard Peiper)
Date: Thu Jan 12 21:19:16 2006
Subject: Messages in Mqueue not being delivered
Message-ID: <8DB4001650D7D411AF4C00902779129C02532082@exchange1.waca.com>

99% of the files in the directory are df files. There are *NO* corresponding qf files of any kind (Qf, qf, tf, etc). So it sounds like the messages either got delivered or the queuing process had a problem generating the qf files.

Nothing shows in the logfiles for that period.

Richard

-----Original Message-----
From: Antony Stone [mailto:Antony@SOFT-SOLUTIONS.CO.UK]
Sent: Friday, August 08, 2003 4:31 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Messages in Mqueue not being delivered

On Friday 08 August 2003 9:15 pm, Richard Peiper wrote:
> We are running MailScanner 4.50 with the patch, and Spamassassin on
> a RedHat Linux 8.0 machine. Twice in the past 2 days the mail has stopped
> being delivered. It comes in, and is scanned, moves from mqueue.in to
> mqueue then just sits there.
>
> Any ideas? Are these old messages now marked as undeliverable and
> will never be delivered again? Help please?

Do the files in your mqueue directory consist entirely of df.... and qf.... pairs, or do you have Qf... and/or xf.... files as well ?

Do the system logs show anything significant at the time the mail stopped being delivered (maybe, for example, a virus database update which got stuck?)

Antony.
--
You can spend the whole of your life trying to be popular, but at the end of the day the size of the crowd at your funeral will be largely dictated by the weather.
- Frank Skinner

From Antony at SOFT-SOLUTIONS.CO.UK Fri Aug 8 21:48:29 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:16 2006
Subject: Messages in Mqueue not being delivered
In-Reply-To: <8DB4001650D7D411AF4C00902779129C02532082@exchange1.waca.com>
References: <8DB4001650D7D411AF4C00902779129C02532082@exchange1.waca.com>
Message-ID: <200308082048.h78KmWD16694@onyx.rockstone.co.uk>

On Friday 08 August 2003 9:40 pm, Richard Peiper wrote:
> 99% of the files in the directory are df files. There are *NO*
> corresponding qf files of any kind (Qf, qf, tf, etc).

Weird.

> So it sounds like the messages either got delivered or the queuing
> process had a problem generating the qf files.

I can't imagine why it wouldn't be able to create a qf file if it managed to create the df file.

Is there any way (perhaps by looking at the content of some of the df files, which are simply the bodies of the emails without the headers) of finding out if these emails did in fact get delivered, but there was then a problem deleting the df file afterwards?

One way of looking at the problem is: if you don't have the qf file, then you have no idea who the email was from, or who it was to, so you may as well delete the df file, because you can't do anything with it...

> Nothing shows in the logfiles for that period.

Nothing!? No successful delivery, no problem, no "queued" message?

Weirder...

Antony.

--
If you want to be happy for an hour, get drunk.
If you want to be happy for a year, get married.
If you want to be happy for a lifetime, get a garden.
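An added example, not code from the thread, that turns the df/qf/Qf checks Antony and Richard go through above into a small audit of an mqueue directory. It assumes the standard sendmail prefix meanings (qf control file, df body, Qf control file set aside) and builds a constructed queue directory for the demo.

```shell
#!/bin/sh
# Added example (not code from the thread): inventory a sendmail mqueue
# directory the way the thread above diagnoses it.
#
# Assumed prefix meanings, from sendmail's queue-file layout:
#   qf<id>  control file: envelope sender, recipients, headers
#   df<id>  data file: the message body only
#   Qf<id>  a control file sendmail has set aside as "lost"; it is not
#           retried until renamed back to qf<id>
#   tf/xf   temporary control file / delivery transcript (transient)
# The queue ID is whatever follows the two-letter prefix.

# queue_ids DIR PREFIX -> one queue ID per line for every PREFIX<id> in DIR
queue_ids() {
    for f in "$1"/"$2"*; do
        [ -e "$f" ] || continue
        id=${f##*/}
        printf '%s\n' "${id#"$2"}"
    done
}

# count_pairs DIR -> number of healthy qf/df pairs
count_pairs() {
    n=0
    for id in $(queue_ids "$1" qf); do
        [ -e "$1/df$id" ] && n=$((n + 1))
    done
    echo "$n"
}

# count_orphan_df DIR -> df files with neither a qf nor a Qf control file.
# This is Richard's situation: with no control file nobody knows the sender
# or the recipients, so the body can no longer be delivered or bounced.
count_orphan_df() {
    n=0
    for id in $(queue_ids "$1" df); do
        if [ ! -e "$1/qf$id" ] && [ ! -e "$1/Qf$id" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# list_lost_qf DIR -> queue IDs whose control file was set aside as Qf
list_lost_qf() {
    queue_ids "$1" Qf
}

# report_mqueue DIR -> human-readable summary, one finding per line
report_mqueue() {
    echo "queue directory: $1"
    echo "healthy qf/df pairs: $(count_pairs "$1")"
    echo "orphan df (no control file): $(count_orphan_df "$1")"
    for id in $(list_lost_qf "$1"); do
        echo "lost control file Qf$id: inspect it, then rename to qf$id to retry"
    done
}

# make_sample_mqueue -> path of a constructed queue directory for the demo
make_sample_mqueue() {
    d=$(mktemp -d)
    : > "$d/qfh79ABC001"; : > "$d/dfh79ABC001"   # healthy pair
    : > "$d/dfh79ABC002"                         # body with no control file
    : > "$d/Qfh79ABC003"; : > "$d/dfh79ABC003"   # control file set aside
    echo "$d"
}

# Stand-alone demo against the constructed directory.
demo_dir=$(make_sample_mqueue)
report_mqueue "$demo_dir"
rm -rf "$demo_dir"
```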
From campbell at CNPAPERS.COM Fri Aug 8 21:59:07 2003
From: campbell at CNPAPERS.COM (Stephe Campbell)
Date: Thu Jan 12 21:19:16 2006
Subject: Messages in Mqueue not being delivered
References:
Message-ID: <002701c35def$e895bc80$cf01a8c0@cnpapers.net>

You mean "Dijkxhoorn" is real? Come on now, this guy has a valid question and it doesn't really matter what his name is. No wonder this list is so full all of the time. Just answer the question or leave him alone. If you need to contact him, I'm sure he would respond with his real name, unless his/her name is really f ewf. Manners work both ways.

Steve Campbell

----- Original Message -----
From: "Raymond Dijkxhoorn"
To:
Sent: Friday, August 08, 2003 4:33 PM
Subject: Re: Messages in Mqueue not being delivered

> Hi!
>
> On Fri, 8 Aug 2003, f ewf wrote:
>                      ^^^^^
> > Take a look at the file names of the "stuck" messages in the queue and see
> > the key at http://people.freenet.de/slgig/op_en/appendix_b.html . If your
> > qf files are becoming Qf files, a configuration problem may need to be
> > fixed and the uppercase Q put back to q to resume processing.
>
> Would you be so polite to put your real name in the messages you are
> sending to the list, assuming your name isn't ewf ?
>
> Thanks,
> Raymond.

From ugob at LINUX.CA Fri Aug 8 21:56:56 2003
From: ugob at LINUX.CA (Ugo Bellavance)
Date: Thu Jan 12 21:19:17 2006
Subject: Internet -> Mailscanner -> Exchange 2000
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF8E1AA8@inex1.herffjones.hj-int>
Message-ID:

Which is to say the DNS comment simply doesn't apply to you, since you're not using dns on your firewall or mailscanner to decide how mail gets routed.

--

>Exactly, but can I put the IP address where to send mail to in transport_maps? If not, can I put a hostname and put the entry in a hosts file?
Thanks,

From mailscanner at elknet.net Fri Aug 8 21:56:41 2003
From: mailscanner at elknet.net (Alan Fiebig)
Date: Thu Jan 12 21:19:17 2006
Subject: eTrust support
Message-ID: <200308082056.VAA13482@jackdaw.ecs.soton.ac.uk>

The output from InoDist is logged into /opt/eTrustAntivirus/ino/log/DistLog/.txt

If no update is necessary, the log file ends with:

    2003/08/08 20:01:04,0,root,0,Downloading the list of signature files.
    2003/08/08 20:01:08,0,root,0,Finished download process successfully.

If an update IS performed, it ends like this:

    2003/08/08 17:06:02,0,root,0,Downloading the list of signature files.
    2003/08/08 17:06:04,0,root,0,Finished download process successfully.
    2003/08/08 17:06:04,0,root,0,Launching the updating process /opt/eTrustAntivirus/ino/scripts/InoUnloadUpdate.sh /opt/eTrustAntivirus/ino/Incoming/fi_Linux_i386.tar fi_Linux_i386.tar.
    2003/08/08 17:06:05,0,root,0,Succeeded updating InoculateIT engine to version 23.62.19

Every time InoDist runs, a new logfile is created, but you can't easily anticipate the filename.

Perhaps something like this?

1) rm -f /opt/eTrustAntivirus/ino/log/DistLog/*
2) do the normal InoDist
3) mv /opt/eTrustAntivirus/ino/log/DistLog/* /opt/eTrustAntivirus/ino/log/DistLog/update.log
4) parse /opt/eTrustAntivirus/ino/log/DistLog/update.log looking for 'Succeeded updating' and if found, it was updated, otherwise it wasn't?

A second possibility? Could 'inocmd32 -SIG' be compared pre and post InoDist to see if different?

-Alan

>I am not at all sure that I can tell the difference between the 2 results.
>The eTrust update command produces no output whatsoever.

From raymond at PROLOCATION.NET Fri Aug 8 22:01:14 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:17 2006
Subject: Messages in Mqueue not being delivered
In-Reply-To: <002701c35def$e895bc80$cf01a8c0@cnpapers.net>
Message-ID:

Hi!

> You mean "Dijkxhoorn" is real?
> Come on now, this guy has a valid question
> and it doesn't really matter what his name is. No wonder this list is so

Yes, it's my real name. Doh.

> need to contact him, I'm sure he would respond with his real name, unless
> his/her name is really f ewf. Manners work both ways.

That was my only question, if he could use his real name on the list. Not too much asked isn't it ?

Bye,
Raymond.

From mailscanner at ecs.soton.ac.uk Fri Aug 8 22:46:01 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:17 2006
Subject: Messages in Mqueue not being delivered
In-Reply-To: <002701c35def$e895bc80$cf01a8c0@cnpapers.net>
References:
Message-ID: <5.2.1.1.2.20030808224414.027b3eb8@imap.ecs.soton.ac.uk>

Enough.

Does it really matter what people choose to call themselves? There was a guy on the news here this evening who said his name was "Zee". A bit odd, I admit, but that's his choice. Let's leave it at that. What people call themselves is up to them, period.

At 21:59 08/08/2003, you wrote:
>You mean "Dijkxhoorn" is real? Come on now, this guy has a valid question
>and it doesn't really matter what his name is. No wonder this list is so
>full all of the time. Just answer the question or leave him alone. If you
>need to contact him, I'm sure he would respond with his real name, unless
>his/her name is really f ewf. Manners work both ways.
>
>Steve Campbell
>
>----- Original Message -----
>From: "Raymond Dijkxhoorn"
>To:
>Sent: Friday, August 08, 2003 4:33 PM
>Subject: Re: Messages in Mqueue not being delivered
>
>
> > Hi!
> >
> > On Fri, 8 Aug 2003, f ewf wrote:
> >                      ^^^^^
> > > Take a look at the file names of the "stuck" messages in the queue and
>see
> > > the key at http://people.freenet.de/slgig/op_en/appendix_b.html . If
>your
> > > qf files are becoming Qf files, a configuration problem may need to be
> > > fixed and the uppercase Q put back to q to resume processing.
> >
> > Would you be so polite to put your real name in the messages you are
> > sending to the list, assuming your name isn't ewf ?
> >
> > Thanks,
> > Raymond.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at elknet.net Fri Aug 8 22:51:06 2003
From: mailscanner at elknet.net (Alan Fiebig)
Date: Thu Jan 12 21:19:17 2006
Subject: eTrust support
Message-ID: <200308082151.WAA22121@jackdaw.ecs.soton.ac.uk>

Julian,

How about something like this code? My example simply prints a 'yes' if an update took place, or 'no' if not. You would replace that with your syslog statements. The code simply checks the signature file to see if it's changed in the last 5 minutes.

####################
    # -maxdepth is given before -cmin so GNU find does not warn about option order.
    $result = `find /opt/eTrustAntivirus/ino/config/ -maxdepth 1 -cmin -5 -name virsig.da0`;
    if ($result =~ /virsig/) {
        print "yes";
    } else {
        print "no";
    }
####################

Could this be used?

-Alan

>I am not at all sure that I can tell the difference between the 2 results.
>The eTrust update command produces no output whatsoever.

From mailinglists at PC.CHICAGO.IL.US Fri Aug 8 23:37:52 2003
From: mailinglists at PC.CHICAGO.IL.US (PC)
Date: Thu Jan 12 21:19:17 2006
Subject: Messages in Mqueue not being delivered
In-Reply-To:
References: <002701c35def$e895bc80$cf01a8c0@cnpapers.net>
Message-ID: <6.0.0.14.0.20030808173459.025d6be8@cainkar.com>

Look what I started :). Ok, I put my initials in. If you want my real name there's enough information in this message to determine it. Normally, I use disposable e-mail addresses for mailing lists because of the spam they attract and didn't bother to fill out my name on the mail client.

-Paul

At 04:01 PM 8/8/2003, you wrote:
>Hi!
>
> > You mean "Dijkxhoorn" is real? Come on now, this guy has a valid question
> > and it doesn't really matter what his name is. No wonder this list is so
>
>Yes, it's my real name. Doh.
>
> > need to contact him, I'm sure he would respond with his real name, unless
> > his/her name is really f ewf. Manners work both ways.
>
>That was my only question, if he could use his real name on the list. Not
>too much asked isn't it ?
>
>Bye,
>Raymond.

From mike at CAMAROSS.NET Fri Aug 8 23:50:26 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:17 2006
Subject: Messages in Mqueue not being delivered
In-Reply-To: <6.0.0.14.0.20030808173459.025d6be8@cainkar.com>
Message-ID: <001d01c35dff$764394d0$9c01a8c0@home.middlefinger.net>

Politically Correct? Nice to meet you! :)

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of PC
Sent: Friday, August 08, 2003 5:38 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Messages in Mqueue not being delivered

Look what I started :). Ok, I put my initials in. If you want my real name there's enough information in this message to determine it. Normally, I use disposable e-mail addresses for mailing lists because of the spam they attract and didn't bother to fill out my name on the mail client.

-Paul

At 04:01 PM 8/8/2003, you wrote:
>Hi!
>
> > You mean "Dijkxhoorn" is real? Come on now, this guy has a valid
> > question and it doesn't really matter what his name is. No wonder
> > this list is so
>
>Yes, it's my real name. Doh.
>
> > need to contact him, I'm sure he would respond with his real name,
> > unless his/her name is really f ewf. Manners work both ways.
>
>That was my only question, if he could use his real name on the list.
>Not too much asked isn't it ?
>
>Bye,
>Raymond.

From mailscanner at elknet.net Sat Aug 9 00:21:58 2003
From: mailscanner at elknet.net (mailscanner@elknet.net)
Date: Thu Jan 12 21:19:17 2006
Subject: etrust autoupdate
Message-ID: <3F33EA46.3982.107CA5B8@localhost>

Julian,

I had earlier emailed the list a code segment with an idea on how to recognize if the etrust signatures were updated during one of the hourly cycles.
But my message never appeared on the list. Did you get it?

If not, it was something like this (Place it in the etrust-autoupdate after the InoDist runs. This code then checks the installed signature file to see if it's 5 min or less old):

    #!/usr/bin/perl
    use strict;
    use warnings;
    use Sys::Syslog qw(:DEFAULT);

    # Open syslog once; 'pid' tags each entry with this process id.
    openlog('etrust-autoupdate', 'pid', 'mail');

    # -maxdepth is given before -cmin so GNU find does not warn about option order.
    my $result = `find /opt/eTrustAntivirus/ino/config/ -maxdepth 1 -cmin -5 -name virsig.da0`;
    if ($result =~ /virsig/) {
        syslog('info', "eTrust was updated");
    } else {
        syslog('info', "eTrust did not need updating");
    }
    closelog();

From mailscanner at ecs.soton.ac.uk Sat Aug 9 10:28:52 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:17 2006
Subject: ANNOUNCE: Beta release 4.23-2
In-Reply-To: <3F33CC06.15710.15EE4CF8@localhost>
References: <5.2.0.9.2.20030808124017.0464e458@imap.ecs.soton.ac.uk>
Message-ID: <5.2.1.1.2.20030809102828.02632738@imap.ecs.soton.ac.uk>

Thanks for the reminder. Applied now.

At 20:12 08/08/2003, you wrote:
>Hi,
>
>I just opened the rpm and see that you didn't apply the patches for smooth
>ZMailer usage via rpm...
>
>I left copies of the modified files under
>http://baby.com.ar/MailScanner/ModifiedFilesForMailScannerDistribution/ in
>the init.d and sysconfig directories.
>
>In the doc directory, you'll find an updated zmailer.shtml installation
>instruction.
>
>If you want, just upgrade the init.d and sysconfig scripts and I'll later
>complete the doc so you can upgrade the site.
>
>Next week I'll be completely off-line, hopefully skiing in the southern
>winter :-)
>
>Regards.
>
>On 8 Aug 2003 at 12:41, Julian Field wrote:
>
> > I have added support for eTrust.
> > I have also greatly improved the flexibility of the "Allowed Sophos Error
> > Messages" option so you can specify multiple strings so you can allow for
> > lots of different errors it may produce.
> >
> > Download as usual from
> > www.mailscanner.info
> >
> > Let me know how you get on.
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
>
>
>--
>Mariano Absatz
>El Baby
>----------------------------------------------------------
>Lottery: A tax on people who are bad at math.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From martin.hierling at fh-luh.de Sat Aug 9 13:13:44 2003
From: martin.hierling at fh-luh.de (Martin Hierling)
Date: Thu Jan 12 21:19:17 2006
Subject: reinserting saved quarantine messages
In-Reply-To:
References:
Message-ID: <20030809121344.GB3160@sulu.cc.fh-lippe.de>

Hi,

> * Copy the -D and -H files from the quarantine to the second exim's
> input spool directory
> * Make sure that the files have the correct owners (I chown mail.mail
> *)
> * Send the message with exim (exim -C /path/to/second_exim_config -M )
> - you can add a -v flag to that command to see more info. If you don't do
> this, your normal queue runner should eventually find it and send it.
>

Yep, that's right. I obviously forgot to set:

Quarantine Whole Messages As Queue Files

I've only set Quarantine Whole Message. So, now it works for me.

thanks
Martin

--
----------------------------------------------------------------
2 + 2 = 5 for extremely large values of 2.
----------------------------------------------------------------

From mailscanner at ecs.soton.ac.uk Sat Aug 9 13:35:52 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:17 2006
Subject: ANNOUNCE: Beta release 4.23-2
In-Reply-To: <5.2.1.1.2.20030808185809.026f0d88@imap.ecs.soton.ac.uk>
References: <200308081800.h78I0Pp31767@white-dev.quatro.com> <5.2.0.9.2.20030808124017.0464e458@imap.ecs.soton.ac.uk>
Message-ID: <5.2.1.1.2.20030809133521.026cdea0@imap.ecs.soton.ac.uk>

Added.
    # Setting this to yes means that spam found in the blacklist is treated
    # as "High Scoring Spam" in the "Spam Actions" section below. Setting it
    # to no means that it will be treated as "normal" spam.
    # This can also be the filename of a ruleset.
    Definite Spam Is High Scoring = no

At 18:58 08/08/2003, you wrote:
>It would definitely have to be configurable.
>Does anyone else need this feature?
>
>At 18:50 08/08/2003, you wrote:
>>Julian:
>>
>>Would it be possible to include my patch for Message.pm that turns on
>>sending blacklisted entries to highscore action in this next beta?
>>
>>309a310
>> > $this->{ishigh} = 1;
>>
>>If everyone doesn't think this is a good idea, perhaps we could have a
>>config option for it. It's a small patch but it's made a big impact on our
>>users. If there isn't enough interest in this I will just continue manually
>>applying my patch.
>>
>>Brent

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sat Aug 9 14:36:30 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:17 2006
Subject: trend mircro + virus.scanners.conf
In-Reply-To: <5.2.0.9.2.20030808144042.04ddc708@imap.ecs.soton.ac.uk>
References: <200308081334.h78DYfD15858@onyx.rockstone.co.uk> <5.2.0.9.2.20030808141100.045d4f80@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030808122935.04089dc8@imap.ecs.soton.ac.uk>
Message-ID: <5.2.1.1.2.20030809142944.026cadf0@imap.ecs.soton.ac.uk>

At 14:42 08/08/2003, you wrote:
>At 14:34 08/08/2003, you wrote:
>>On Friday 08 August 2003 2:11 pm, Julian Field wrote:
>> > >I've just had an idea - why not to transfer all configurable paths from
>> > >antivir-wrappers (PackageDir and prog) to virus.scanners.conf?
>> > >Then for antivir it looked like:
>> > >antivir /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir
>> > >prog=antivir
>> > >or
>> > >antivir /usr/lib/MailScanner/antivir-wrapper
>> > >PackageDir=/usr/lib/AntiVir prog=antivir
>> >
>> > Not a bad idea, but let me think about possible consequences of upgrading
>> > systems where people have already modified some of the default wrappers to
>> > handle their own paths....
>>
>>I like this idea too.
>>
>>As far as people who've already modified the default wrappers are concerned,
>>surely they need to be on the lookout whenever there's a new version (of MS)
>>anyway, to make sure their customer wrapper doesn't get over-written?
>
>I will need to rewrite update_virus_scanners as it now needs to be able to
>parse a file sensibly.
>
>I'll think about it and see how bored I get this weekend. Its competition
>is sitting in a shady part of my garden with a chilled bottle of white wine
>(possibly a Chablis) and a damn good book. Hmmm.....

Well it's too hot outside, currently 33C (91F). Fortunately, due to loads of insulation, inside is cooler :)

The Chablis is going down nicely, and the code all works. I didn't rewrite update_virus_scanners in the end, it just needed to be a bit cleverer.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From Antony at SOFT-SOLUTIONS.CO.UK Sat Aug 9 14:41:11 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:17 2006
Subject: trend mircro + virus.scanners.conf
In-Reply-To: <5.2.1.1.2.20030809142944.026cadf0@imap.ecs.soton.ac.uk>
References: <200308081334.h78DYfD15858@onyx.rockstone.co.uk> <5.2.0.9.2.20030808141100.045d4f80@imap.ecs.soton.ac.uk> <5.2.1.1.2.20030809142944.026cadf0@imap.ecs.soton.ac.uk>
Message-ID: <200308091341.h79DfEO17328@onyx.rockstone.co.uk>

On Saturday 09 August 2003 2:36 pm, Julian Field wrote:
> The Chablis is going down nicely, and the code all works.

I think we've finally found out the secret of Julian's excellent (and prolific) programming style :-)

Antony.

--
Most people have more than the average number of legs.

From gerry at DORFAM.CA Sat Aug 9 14:42:28 2003
From: gerry at DORFAM.CA (Gerry Doris)
Date: Thu Jan 12 21:19:17 2006
Subject: Timeouts for f-prot-autoupdate?
Message-ID:

Julian,

I noticed that you included a timeout function for clamav-autoupdate but I didn't see any notice of adding in the timeout function for f-prot-autoupdate. Is that actually in there or did you decide not to bother?

--
Gerry

"The lyfe so short, the craft so long to learne" Chaucer

From bnixon at NIXTECH.NET Sat Aug 9 15:33:33 2003
From: bnixon at NIXTECH.NET (Brad Nixon)
Date: Thu Jan 12 21:19:17 2006
Subject: Messages in Mqueue not being delivered
Message-ID:

I had the same problem today after installing 4.22-5, I also had problems with bind stopping for no apparent reason. After going back to 4.19 the problem went away. I have two identical RH 7.2 machines running sendmail 8.12-9, spamassassin 2.55 and both of them did exactly the same thing.

Anybody have any ideas?
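Returning to Alan Fiebig's eTrust messages earlier in this thread (parsing the DistLog output for 'Succeeded updating', and checking whether virsig.da0 changed in the last few minutes): the following is an added example, not code from the thread or from eTrust, that combines both checks and picks the newest DistLog file instead of deleting and renaming the log directory. The paths and log format come from Alan's messages; the sample log lines, file names and the directory tree built by make_sample_tree are constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from the thread): decide whether an eTrust InoDist
# run actually installed new signatures, combining the two checks Alan
# proposes: parse the newest DistLog file for "Succeeded updating", and check
# whether the installed signature file changed in the last few minutes.
# Paths and the log format come from the thread; the sample log lines and
# directory built by make_sample_tree are constructed for the demo.

# latest_distlog DIR -> path of the most recently modified file in DIR.
# Picking the newest file avoids the rm/mv dance from the thread: the file
# InoDist just wrote is the newest one, whatever it is called.
latest_distlog() {
    newest=""
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
            newest=$f
        fi
    done
    if [ -n "$newest" ]; then
        printf '%s\n' "$newest"
    fi
}

# distlog_status LOGFILE -> "updated <version>" if the log records a
# successful update, otherwise "unchanged"
distlog_status() {
    line=$(grep 'Succeeded updating' "$1" | tail -n 1)
    if [ -n "$line" ]; then
        echo "updated ${line##* }"
    else
        echo unchanged
    fi
}

# sig_recently_changed DIR MINUTES -> true if virsig.da0 in DIR had its
# inode changed within the last MINUTES minutes (Alan's find check, with
# -maxdepth placed first so GNU find does not warn about option order).
sig_recently_changed() {
    result=$(find "$1" -maxdepth 1 -name virsig.da0 -cmin "-$2" 2>/dev/null)
    [ -n "$result" ]
}

# check_etrust_update LOGDIR SIGDIR -> one-line verdict suitable for syslog.
# The two checks are combined so that a log claiming success while the
# signature file stayed put (or the reverse) is reported as a warning
# instead of being silently trusted.
check_etrust_update() {
    log=$(latest_distlog "$1")
    if [ -z "$log" ]; then
        echo "no DistLog output found in $1"
        return
    fi
    status=$(distlog_status "$log")
    if sig_recently_changed "$2" 5; then changed=1; else changed=0; fi
    case "$status:$changed" in
        updated*:1)  echo "eTrust was updated to ${status#"updated "}" ;;
        updated*:0)  echo "WARNING: log reports update to ${status#"updated "} but virsig.da0 did not change" ;;
        unchanged:1) echo "WARNING: virsig.da0 changed but the log has no 'Succeeded updating' line" ;;
        *)           echo "eTrust did not need updating" ;;
    esac
}

# make_sample_tree -> constructed DistLog/ and config/ directories: one older
# run that found nothing, one newer run that updated, and a fresh virsig.da0
make_sample_tree() {
    t=$(mktemp -d)
    mkdir "$t/DistLog" "$t/config"
    cat > "$t/DistLog/20030808-1700.txt" <<'EOF'
2003/08/08 17:00:04,0,root,0,Downloading the list of signature files.
2003/08/08 17:00:08,0,root,0,Finished download process successfully.
EOF
    cat > "$t/DistLog/20030808-2001.txt" <<'EOF'
2003/08/08 20:01:02,0,root,0,Downloading the list of signature files.
2003/08/08 20:01:04,0,root,0,Finished download process successfully.
2003/08/08 20:01:04,0,root,0,Launching the updating process /opt/eTrustAntivirus/ino/scripts/InoUnloadUpdate.sh /opt/eTrustAntivirus/ino/Incoming/fi_Linux_i386.tar fi_Linux_i386.tar.
2003/08/08 20:01:05,0,root,0,Succeeded updating InoculateIT engine to version 23.62.19
EOF
    touch -t 200308081700 "$t/DistLog/20030808-1700.txt"
    touch -t 200308082001 "$t/DistLog/20030808-2001.txt"
    : > "$t/config/virsig.da0"
    echo "$t"
}

# Stand-alone demo.
demo=$(make_sample_tree)
check_etrust_update "$demo/DistLog" "$demo/config"
rm -rf "$demo"
```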
From gerry at DORFAM.CA Sat Aug 9 23:40:15 2003
From: gerry at DORFAM.CA (Gerry Doris)
Date: Thu Jan 12 21:19:17 2006
Subject: pod2man problem
Message-ID:

I am having a major problem with perl and I'm hoping someone here can
help. I keep getting errors saying "unable to find pod2man. Make sure it
is in the path."

pod2man is in /usr/bin. This is on a Redhat 9 box. I've tried
reinstalling perl...everything, but I can't get past this error. It's
stopping me from upgrading MailScanner and most other packages!

--
Gerry

"The lyfe so short, the craft so long to learne" Chaucer

From Steve at swaney.com Sun Aug 10 00:34:34 2003
From: Steve at swaney.com (Stephen Swaney)
Date: Thu Jan 12 21:19:17 2006
Subject: pod2man problem
In-Reply-To:
References:
Message-ID: <1060472073.25553.405.camel@speedy>

The answer's in the List archive.

Try setting:

LANG=en_US
export LANG

And retry the install.

Steve
Steve@Swaney.com

On Sat, 2003-08-09 at 18:40, Gerry Doris wrote:
> I am having a major problem with perl and I'm hoping someone here can
> help. I keep getting errors saying unable to find pod2man. Make sure it
> is in the path.
>
> pod2man is in /usr/bin. This is on a Redhat 9 box. I've tried
> reinstalling perl...everything but I can't get past this error. It's
> stopping me from upgrading MailScanner and most other packages!
>
> --
> Gerry
>
> "The lyfe so short, the craft so long to learne" Chaucer

--
Postmaster@FSL.com
Fortress Systems, Ltd.
Email Gateways
info@FSL.com
www.FSL.com

From gerry at DORFAM.CA Sun Aug 10 00:40:06 2003
From: gerry at DORFAM.CA (Gerry Doris)
Date: Thu Jan 12 21:19:17 2006
Subject: pod2man problem
In-Reply-To:
Message-ID:

On Sat, 9 Aug 2003, Gerry Doris wrote:

> I am having a major problem with perl and I'm hoping someone here can
> help. I keep getting errors saying unable to find pod2man. Make sure it
> is in the path.
>
> pod2man is in /usr/bin. This is on a Redhat 9 box. I've tried
> reinstalling perl...everything but I can't get past this error. It's
> stopping me from upgrading MailScanner and most other packages!
>
> --
> Gerry
>
> "The lyfe so short, the craft so long to learne" Chaucer

I've solved the problem. It was just Redhat's unicode.

--
Gerry

"The lyfe so short, the craft so long to learne" Chaucer

From michele at BLACKNIGHTSOLUTIONS.COM Mon Aug 11 00:05:16 2003
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon:: Blacknight Solutions)
Date: Thu Jan 12 21:19:17 2006
Subject: MailScanner on slack 9
Message-ID: <200308102305.h7AN5Eb01906@camelot.blacknightsolutions.com>

Hi all

We've been trying to get MailScanner set up on a Slackware 9 box, but keep on
getting the following errors:

Aug 10 22:24:09 arimathea MailScanner[14433]: Aborting due to syntax errors in /etc/MailScanner/MailScanner.conf.
Aug 10 22:24:11 arimathea MailScanner[14434]: MailScanner E-Mail Virus Scanner version 4.22-5 starting...
Aug 10 22:24:11 arimathea MailScanner[14434]: Syntax error(s) in configuration file:
Aug 10 22:24:11 arimathea MailScanner[14434]: Unrecognised keyword "allowformtags" at line 369
Aug 10 22:24:11 arimathea MailScanner[14434]: Unrecognised keyword "filecommand" at line 178
Aug 10 22:24:11 arimathea MailScanner[14434]: Unrecognised keyword "filetimeout" at line 182
Aug 10 22:24:11 arimathea MailScanner[14434]: Unrecognised keyword "filetyperules" at line 420
Aug 10 22:24:11 arimathea MailScanner[14434]: Unrecognised keyword "includescoresinspamassassinreport" at line 546
Aug 10 22:24:11 arimathea MailScanner[14434]: Unrecognised keyword "inlinespamwarning" at line 968
Aug 10 22:24:11 arimathea MailScanner[14434]: Unrecognised keyword "logpermittedfiletypes" at line 995
Aug 10 22:24:11 arimathea MailScanner[14434]: Unrecognised keyword "maximummessagesize" at line 190
Aug 10 22:24:11 arimathea MailScanner[14434]: Unrecognised keyword "monitorsforsophosupdates" at line 319
Aug 10 22:24:11 arimathea MailScanner[14434]: Unrecognised keyword "nonspamactions" at line 947
Aug 10 22:24:11 arimathea MailScanner[14434]: Unrecognised keyword "spamliststoreachhighscore" at line 793
Aug 10 22:24:11 arimathea MailScanner[14434]: Aborting due to syntax errors in /etc/MailScanner/MailScanner.conf.

Any ideas or thoughts would be appreciated.

Thanks in advance,

Michele

#########################################################
This message (and any attachment) is intended only for the recipient and may
contain confidential and/or privileged material. If you have received this in
error, please contact the sender and delete this message immediately.
Disclosure, copying or other action taken in respect of this email or in
reliance to it is prohibited.
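A way to see this kind of mismatch for yourself, added here as an example and not MailScanner's own code: MailScanner reports each unknown key by a normalised name (the log above shows "Allow Form Tags" as "allowformtags", so lower-cased with the spaces dropped) together with its line number, and the set of names it accepts comes from the ConfigDefs.pl of the running version. The Python script below imitates that check over a constructed MailScanner.conf fragment and a constructed stand-in for the ConfigDefs keyword set, and also lists the reverse case, keywords the definitions expect but the file never sets. The normalisation rule, the keyword set and the sample config are assumptions, not taken from MailScanner's source.

```python
"""Check a MailScanner.conf against a set of known keywords.

Added example, not MailScanner's own code. It imitates the check behind the
'Unrecognised keyword "..." at line N' messages: each "Key = value" line is
reduced to a normalised keyword and compared with the names that the running
version's ConfigDefs.pl defines.
"""
import re

# Constructed stand-in for the keyword names a ConfigDefs.pl would define.
# A real run would fill this from the ConfigDefs.pl of the installed version.
KNOWN_KEYWORDS = {
    "maxchildren",
    "restartevery",
    "virusscanners",
    "quarantinedir",
    "maximummessagesize",
    "allowformtags",
}

# Constructed MailScanner.conf fragment. "Inline Spam Warning" is not in the
# stand-in keyword set above, so it should be reported as unrecognised.
SAMPLE_CONF = """\
# MailScanner.conf (constructed sample)
Max Children = 5
Restart Every = 14400

Maximum Message Size = 0
Inline Spam Warning = yes
Allow Form Tags = disarm
"""


def normalise(keyword):
    """Lower-case and drop everything except letters and digits.

    Assumed from the log output: "Allow Form Tags" is reported as
    "allowformtags".
    """
    return re.sub(r"[^a-z0-9]", "", keyword.lower())


def parse_conf(text):
    """Yield (line_number, normalised_keyword, value) for each setting line.

    Blank lines and '#' comments are skipped; the first '=' splits key and
    value, so values that themselves contain '=' survive intact.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        yield lineno, normalise(key), value.strip()


def unknown_keywords(text, known=KNOWN_KEYWORDS):
    """Return [(line_number, keyword)] for keys the definitions do not know,
    sorted by keyword, which is the order MailScanner's own report uses."""
    found = [(n, k) for n, k, _ in parse_conf(text) if k not in known]
    return sorted(found, key=lambda item: item[1])


def missing_keywords(text, known=KNOWN_KEYWORDS):
    """Return the known keywords the config file never sets (the reverse
    mismatch: a .conf older than its ConfigDefs.pl)."""
    present = {k for _, k, _ in parse_conf(text)}
    return sorted(known - present)


def report(text, known=KNOWN_KEYWORDS):
    """Format the unknown keys the way the MailScanner log lines read."""
    return [f'Unrecognised keyword "{k}" at line {n}'
            for n, k in unknown_keywords(text, known)]


if __name__ == "__main__":
    for line in report(SAMPLE_CONF):
        print(line)
    print("Defined but not set:", ", ".join(missing_keywords(SAMPLE_CONF)))
```

Run against the real MailScanner.conf and the keyword names taken from the ConfigDefs.pl that ships with the installed release, the two lists show at once whether the config file and the definitions come from the same version, which is what a burst of unrecognised-keyword errors like the one above suggests when they do not.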
From mailscanner at ecs.soton.ac.uk Mon Aug 11 09:24:58 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:17 2006
Subject: MailScanner on slack 9
In-Reply-To: <200308102305.h7AN5Eb01906@camelot.blacknightsolutions.com>
Message-ID: <5.2.1.1.2.20030811092432.02244d60@imap.ecs.soton.ac.uk>

Make sure you have the ConfigDefs.pl file from the correct version.

At 00:05 11/08/2003, you wrote:
>Hi all
>
>We've been trying to get MailScanner setup on a Slackware 9 box, but keep on
>getting the following errors:
>
>Aug 10 22:24:09 arimathea MailScanner[14433]: Aborting due to syntax errors in /etc/MailScanner/MailScanner.conf.
>Aug 10 22:24:11 arimathea MailScanner[14434]: MailScanner E-Mail Virus Scanner version 4.22-5 starting...
>Aug 10 22:24:11 arimathea MailScanner[14434]: Syntax error(s) in configuration file:
>Aug 10 22:24:11 arimathea MailScanner[14434]: Unrecognised keyword "allowformtags" at line 369
>Aug 10 22:24:11 arimathea MailScanner[14434]: Unrecognised keyword "filecommand" at line 178
>Aug 10 22:24:11 arimathea MailScanner[14434]: Unrecognised keyword "filetimeout" at line 182
>Aug 10 22:24:11 arimathea MailScanner[14434]: Unrecognised keyword "filetyperules" at line 420
>Aug 10 22:24:11 arimathea MailScanner[14434]: Unrecognised keyword "includescoresinspamassassinreport" at line 546
>Aug 10 22:24:11 arimathea MailScanner[14434]: Unrecognised keyword "inlinespamwarning" at line 968
>Aug 10 22:24:11 arimathea MailScanner[14434]: Unrecognised keyword "logpermittedfiletypes" at line 995
>Aug 10 22:24:11 arimathea MailScanner[14434]: Unrecognised keyword "maximummessagesize" at line 190
>Aug 10 22:24:11 arimathea MailScanner[14434]: Unrecognised keyword "monitorsforsophosupdates" at line 319
>Aug 10 22:24:11 arimathea MailScanner[14434]: Unrecognised keyword "nonspamactions" at line 947
>Aug 10 22:24:11 arimathea MailScanner[14434]: Unrecognised keyword "spamliststoreachhighscore" at line 793
>Aug 10 22:24:11 arimathea MailScanner[14434]: Aborting due to syntax errors in /etc/MailScanner/MailScanner.conf.
>
>Any ideas or thoughts would be appreciated.
>
>Thanks in advance,
>
>Michele

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From dh at UPTIME.AT Mon Aug 11 16:04:16 2003
From: dh at UPTIME.AT (David)
Date: Thu Jan 12 21:19:17 2006
Subject: Message was corrupted with sweep...
Message-ID: <1357394C-CC0D-11D7-B98F-00039379E28A@uptime.at>

I am just curious. Have any of you ever seen this output from SophosSAVI?

ERROR:: Sweep could not proceed, the file was corrupted (538):: ./h7BF2AUl00xx75/msg-1xx05-xx.txt

--
nee amata wo mitsukete soshite midoto wasrezu domma mi mumega itakutemo soba mi iru mo zutto...zutto...zutto

From mailscanner at ecs.soton.ac.uk Mon Aug 11 16:50:17 2003
From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk)
Date: Thu Jan 12 21:19:17 2006
Subject: NOTIFY-New Guestbook Entry
Message-ID: <200308111550.h7BFoHsw016925@seer.ecs.soton.ac.uk>

New Guestbook-Entry from Sidney J Hebert

We've been using mailscanner on our mailserver for nearly a year without any
issues or problems.
I can't recall any time that a virus has made it through and gotten snatched
by our desktop protection software (Norton SystemWorks). Mailscanner is
awesome and we love it!!

Sidney J. Hebert

From lbergman at wtxs.net Mon Aug 11 16:56:22 2003
From: lbergman at wtxs.net (Lewis Bergman)
Date: Thu Jan 12 21:19:17 2006
Subject: MPEG file type
Message-ID: <200308111056.26002.lbergman@wtxs.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I searched the archives and found the discussion related to the filetype
directive. For those like me that are less aware of various threats, could
someone please summarize why I might want to block the various movie file
types?

MPEG
MNG
AVI
QuickTime

- --
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
915-695-6962 ext 115
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/N7yppT00mQjG01gRAhUhAJwJVTOJ4Ejuw9/c6+nIDuIz2drQCACfdeIy
mEyIsMhp7a4q5IpjilvVKXw=
=gZLh
-----END PGP SIGNATURE-----

From lists at STHOMAS.NET Mon Aug 11 17:00:32 2003
From: lists at STHOMAS.NET (Steve Thomas)
Date: Thu Jan 12 21:19:17 2006
Subject: pod2man problem
In-Reply-To: ; from gerry@DORFAM.CA on Sat, Aug 09, 2003 at 06:40:15PM -0400
References:
Message-ID: <20030811090032.A5024@sthomas.net>

IIRC, this is an i18n problem. Edit your /etc/sysconfig/i18n file and make
sure the LANG variable is set to en_US - it's utf8 that's breaking it (and
probably a lot of other stuff..).

LANG="en_US"

HTH,
Steve

On Sat, Aug 09, 2003 at 06:40:15PM -0400, Gerry Doris is rumored to have said:
>
> pod2man is in /usr/bin. This is on a Redhat 9 box. I've tried
> reinstalling perl...everything but I can't get past this error. It's

--
"When choosing between two evils, I always like to try the one I've never
tried before."
- Mae West (1892-1980)

From Jan-Peter.Koopmann at SECEIDOS.DE Mon Aug 11 17:11:25 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:19:17 2006
Subject: New FreeBSD ports
Message-ID:

Hi,

I just submitted an update for mailscanner 4.22-5 to the FreeBSD ports tree.
You can download the port at
http://www.seceidos.de/downloads/freebsd/ports/mailscanner-4.22.5.tgz
as well.

The most current beta is available as
http://www.seceidos.de/downloads/freebsd/ports/mailscanner-4.23.2.tgz

Regards,
JP

From Andrew.Magnusson at COCC.COM Mon Aug 11 16:24:49 2003
From: Andrew.Magnusson at COCC.COM (Magnusson, Andrew)
Date: Thu Jan 12 21:19:17 2006
Subject: Children dying and not being replaced
Message-ID:

Twice in the last few days we've had a situation here in which a child dies
of old age and is not replaced. We should be running 5 children at all
times, but it drops to 3 which massively slows down processing. After a
mailscanner restart, of course, everything is fine. Logs show nothing
unusual:

Aug 11 05:54:06 external-smtp MailScanner[29357]: Config: calling custom end function SQLLogging
Aug 11 05:54:06 external-smtp MailScanner[29357]: Ending SQL Logging temp output and flushing to database
Aug 11 05:54:24 external-smtp MailScanner[29357]: Database flush completed
Aug 11 05:54:24 external-smtp MailScanner[29357]: MailScanner child dying of old age

Is there anything in particular I should be looking for to determine the
cause?

Andrew Magnusson
Internet Product Analyst
COCC
1-877-678-0444 extension 640

--
*** This message originates from COCC, Inc.

If the reader of this message, regardless of the address or routing, is not
an intended recipient, you are hereby notified that you have received this
transmittal in error and any review; use, distribution, dissemination or
copying is strictly prohibited. If you have received this message in error,
please delete this e-mail and all files transmitted with it from your system
and immediately notify COCC, Inc. by sending reply e-mail to the sender of
this message.

Thank you. ***

From Andrew.Magnusson at COCC.COM Mon Aug 11 16:45:44 2003
From: Andrew.Magnusson at COCC.COM (Magnusson, Andrew)
Date: Thu Jan 12 21:19:17 2006
Subject: FW: Children dying and not being replaced
Message-ID:

A related question: after having restarted, it looks like we have 10
children running (ps -ax|grep MailScanner). How does this jibe with 'Max
Children' set to 5 in MailScanner.conf?

Andrew Magnusson
Internet Product Analyst
COCC
1-877-678-0444 extension 640

-----Original Message-----
From: Magnusson, Andrew
Sent: Monday, August 11, 2003 11:25 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Children dying and not being replaced

Twice in the last few days we've had a situation here in which a child dies
of old age and is not replaced. We should be running 5 children at all
times, but it drops to 3 which massively slows down processing. After a
mailscanner restart, of course, everything is fine. Logs show nothing
unusual:

Aug 11 05:54:06 external-smtp MailScanner[29357]: Config: calling custom end function SQLLogging
Aug 11 05:54:06 external-smtp MailScanner[29357]: Ending SQL Logging temp output and flushing to database
Aug 11 05:54:24 external-smtp MailScanner[29357]: Database flush completed
Aug 11 05:54:24 external-smtp MailScanner[29357]: MailScanner child dying of old age

Is there anything in particular I should be looking for to determine the
cause?

Andrew Magnusson
Internet Product Analyst
COCC
1-877-678-0444 extension 640

From Steve at swaney.com Mon Aug 11 17:35:26 2003
From: Steve at swaney.com (Stephen Swaney)
Date: Thu Jan 12 21:19:17 2006
Subject: Children dying and not being replaced
In-Reply-To:
References:
Message-ID: <1060619726.25553.643.camel@speedy>

Andrew,

Is check_MailScanner being run from cron at some interval? If it is, this
should not happen.

Steve
Steve@Swaney.com

On Mon, 2003-08-11 at 11:24, Magnusson, Andrew wrote:
> Twice in the last few days we've had a situation here in which a child dies
> of old age and is not replaced. We should be running 5 children at all
> times, but it drops to 3 which massively slows down processing. After a
> mailscanner restart, of course, everything is fine. Logs show nothing
> unusual:
>
> Aug 11 05:54:06 external-smtp MailScanner[29357]: Config: calling custom end function SQLLogging
> Aug 11 05:54:06 external-smtp MailScanner[29357]: Ending SQL Logging temp output and flushing to database
> Aug 11 05:54:24 external-smtp MailScanner[29357]: Database flush completed
> Aug 11 05:54:24 external-smtp MailScanner[29357]: MailScanner child dying of old age
>
> Is there anything in particular I should be looking for to determine the
> cause?
>
> Andrew Magnusson
> Internet Product Analyst
> COCC
> 1-877-678-0444 extension 640

--
Postmaster@FSL.com
Fortress Systems, Ltd.
Email Gateways
info@FSL.com
www.FSL.com

From mailscanner at ecs.soton.ac.uk Mon Aug 11 17:48:15 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:17 2006
Subject: Children dying and not being replaced
In-Reply-To:
Message-ID: <5.2.1.1.2.20030811174633.02679298@imap.ecs.soton.ac.uk>

I fixed this in a recent release. Not 100% sure when, but the ChangeLog for
4.13 mentions improvements to child process handling.

At 16:24 11/08/2003, you wrote:
>Twice in the last few days we've had a situation here in which a child dies
>of old age and is not replaced. We should be running 5 children at all
>times, but it drops to 3 which massively slows down processing. After a
>mailscanner restart, of course, everything is fine. Logs show nothing
>unusual:
>
>Aug 11 05:54:06 external-smtp MailScanner[29357]: Config: calling custom end function SQLLogging
>Aug 11 05:54:06 external-smtp MailScanner[29357]: Ending SQL Logging temp output and flushing to database
>Aug 11 05:54:24 external-smtp MailScanner[29357]: Database flush completed
>Aug 11 05:54:24 external-smtp MailScanner[29357]: MailScanner child dying of old age
>
>Is there anything in particular I should be looking for to determine the
>cause?
>
>Andrew Magnusson
>Internet Product Analyst
>COCC
>1-877-678-0444 extension 640

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Mon Aug 11 17:49:31 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:17 2006
Subject: FW: Children dying and not being replaced
In-Reply-To:
Message-ID: <5.2.1.1.2.20030811174825.02670798@imap.ecs.soton.ac.uk>

Each MailScanner child forks a lot to do things like run virus scanners, run
SpamAssassin, things like that. You should find the PID of 6 of them stay
the same, while the PIDs of the others keep changing.

At 16:45 11/08/2003, you wrote:
>A related question: after having restarted, it looks like we have 10
>children running (ps -ax|grep MailScanner). How does this jibe with 'Max
>Children' set to 5 in MailScanner.conf?
>
>Andrew Magnusson
>Internet Product Analyst
>COCC
>1-877-678-0444 extension 640
>
>-----Original Message-----
>From: Magnusson, Andrew
>Sent: Monday, August 11, 2003 11:25 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Children dying and not being replaced
>
>Twice in the last few days we've had a situation here in which a child dies
>of old age and is not replaced. We should be running 5 children at all
>times, but it drops to 3 which massively slows down processing. After a
>mailscanner restart, of course, everything is fine. Logs show nothing
>unusual:
>
>Aug 11 05:54:06 external-smtp MailScanner[29357]: Config: calling custom end function SQLLogging
>Aug 11 05:54:06 external-smtp MailScanner[29357]: Ending SQL Logging temp output and flushing to database
>Aug 11 05:54:24 external-smtp MailScanner[29357]: Database flush completed
>Aug 11 05:54:24 external-smtp MailScanner[29357]: MailScanner child dying of old age
>
>Is there anything in particular I should be looking for to determine the
>cause?
>
>Andrew Magnusson
>Internet Product Analyst
>COCC
>1-877-678-0444 extension 640

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From Chris.Campbell at FAC.COM Mon Aug 11 18:07:39 2003
From: Chris.Campbell at FAC.COM (Chris Campbell)
Date: Thu Jan 12 21:19:17 2006
Subject: MySQL logging
Message-ID:

I have done all the documented changes needed for SQL logging, and I see no
errors in the maillog. I have tested to make sure the mailscanner box can
log into the remote mysql server with the supplied username and password.
Has anyone else run across any problems logging to a remote mysql box? Can
anyone help me out here?

Thanks.

.....................................
Christopher S. Campbell
UNIX Admin
First Albany Corp
518.447.8544
chris.campbell@fac.com

From Andrew.Magnusson at COCC.COM Mon Aug 11 18:17:49 2003
From: Andrew.Magnusson at COCC.COM (Magnusson, Andrew)
Date: Thu Jan 12 21:19:17 2006
Subject: Children dying and not being replaced
Message-ID:

We're on 4.20-3 now.

Andrew Magnusson
Internet Product Analyst
COCC
1-877-678-0444 extension 640

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Monday, August 11, 2003 12:48 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Children dying and not being replaced

I fixed this in a recent release. Not 100% sure when, but the ChangeLog for
4.13 mentions improvements to child process handling.

At 16:24 11/08/2003, you wrote:
>Twice in the last few days we've had a situation here in which a child dies
>of old age and is not replaced. We should be running 5 children at all
>times, but it drops to 3 which massively slows down processing. After a
>mailscanner restart, of course, everything is fine. Logs show nothing
>unusual:
>
>Aug 11 05:54:06 external-smtp MailScanner[29357]: Config: calling custom end function SQLLogging
>Aug 11 05:54:06 external-smtp MailScanner[29357]: Ending SQL Logging temp output and flushing to database
>Aug 11 05:54:24 external-smtp MailScanner[29357]: Database flush completed
>Aug 11 05:54:24 external-smtp MailScanner[29357]: MailScanner child dying of old age
>
>Is there anything in particular I should be looking for to determine the
>cause?
>
>Andrew Magnusson
>Internet Product Analyst
>COCC
>1-877-678-0444 extension 640

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From martin.hierling at fh-luh.de Mon Aug 11 18:09:44 2003
From: martin.hierling at fh-luh.de (Martin Hierling)
Date: Thu Jan 12 21:19:17 2006
Subject: problem with rules file
Message-ID: <20030811170944.GE12087@sulu.cc.fh-lippe.de>

Hi List,

I've

Virus Scanning = %etc-dir%/rules/Virus_Scanning.rules

in my Mailscanner Config. The rules file looks like:

To: martin@domain.de no
To: test@domain.de no
To: *@domain.de yes
# default score
To: default no

but mails sent to test@domain.de get scanned!

Aug 11 16:59:02 vs3 MailScanner[818]: New Batch: Scanning 1 messages, 46728 bytes
Aug 11 16:59:02 vs3 MailScanner[818]: Spam Checks: Starting
Aug 11 16:59:03 vs3 MailScanner[818]: Virus and Content Scanning: Starting
Aug 11 16:59:04 vs3 MailScanner[818]: /var/spool/MailScanner/incoming/818/./19mG0P-0001Fv-3V/Transcripts.zip: Lirva-C FOUND
Aug 11 16:59:04 vs3 MailScanner[818]: Virus Scanning: ClamAV found 1 infections
Aug 11 16:59:04 vs3 MailScanner[818]: Virus Scanning: Found 1 viruses
Aug 11 16:59:04 vs3 MailScanner[818]: Filename Checks: Allowing msg-818-4.txt
Aug 11 16:59:04 vs3 MailScanner[818]: Filename Checks: Allowing Transcripts.zip
Aug 11 16:59:04 vs3 MailScanner[818]: Filetype Checks: No executables (Transcripts.zip)
Aug 11 16:59:04 vs3 MailScanner[818]: Filetype Checks: Allowing msg-818-4.txt
Aug 11 16:59:04 vs3 MailScanner[818]: Other Checks: Found 1 problems
Aug 11 16:59:04 vs3 MailScanner[818]: Saved entire message to /var/spool/MailScanner/quarantine/20030811/19mG0P-0001Fv-3V
Aug 11 16:59:04 vs3 MailScanner[818]: Saved infected "Transcripts.zip" to /var/spool/MailScanner/quarantine/20030811/19mG0P-0001Fv-3V
Aug 11 16:59:04 vs3 MailScanner[818]: Cleaned: Delivered 1 cleaned messages
Aug 11 16:59:04 vs3 MailScanner[818]: Notices: Warned about 1 messages

Entries from Exim.log:

2003-08-11 16:58:49 19mG0P-0001Fv-3V <= mad@cc.fh-lippe.de H=uhura.cc.fh-lippe.de [193.16.112.77]:50532 P=esmtp S=46257 id=m19mG0K-0026g2C@sulu.cc.fh-lippe.de T="test1234" from for test@domain.de
2003-08-11 16:59:04 19mG0P-0001Fv-3V => test@domain.de F= R=force_path T=remote_smtp S=3360 H=epikur.domain.de [10.1.1.1] C="250 OK id=19mG0e-0001Gz-00"
2003-08-11 16:59:04 19mG0P-0001Fv-3V Completed

So, am I blind...? The mail shouldn't get scanned, right?

regards
Martin

--
----------------------------------------------------------------
Verbosity leads to unclear, inarticulate things.
----------------------------------------------------------------

From steve.freegard at LBSLTD.CO.UK Mon Aug 11 18:35:50 2003
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:19:17 2006
Subject: MySQL logging
Message-ID: <67D9E7698329D411936E00508B6590B902773A6A@neelix.lbsltd.co.uk>

Hi Chris,

It's up to you what you use ;-)), and it really depends on what you want to
do. If you have a look at the archives (search for SQL Logging) - there was
a recent thread where I compared the two types of SQL Logging available for
MailScanner.

Going back to your original question - you are using the code supplied with
MailScanner; this writes the log to a temporary file first, then writes all
the values to the database when it restarts, so try restarting MailScanner,
check the logs for any errors, then check the database and see if it's got
anything in it...

Cheers,

Steve.

-----Original Message-----
From: Chris.Campbell@fac.com
To: Steve Freegard
Sent: 11/08/03 18:25
Subject: RE: MySQL logging

I am using the code with MailScanner... should I be using Mailwatch?

Thanks!

.....................................
Christopher S. Campbell
UNIX Admin
First Albany Corp
518.447.8544
chris.campbell@fac.com


Steve Freegard ltd.co.uk>
08/11/03 01:13 PM
cc:
Subject: RE: MySQL logging

Hi Chris,

Which version of the SQL logging are you using?? - the code supplied with
MailScanner, or the code that comes with MailWatch??

If you're using the former - then you won't see any data until you either
restart MailScanner, or when the MailScanner children die of old age.

Kind regards,

Steve

--
Steve Freegard
Systems Manager
Littlehampton Book Services Ltd.

-----Original Message-----
From: Chris Campbell
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: 11/08/03 18:07
Subject: MySQL logging

I have done all the documented changes needed for SQL logging, and I see no
errors in the maillog. I have tested to make sure the mailscanner box can
log into the remote mysql server with the supplied username and password.
Has anyone else run across any problems logging to a remote mysql box? Can
anyone help me out here?

Thanks.

.....................................
Christopher S. Campbell
UNIX Admin
First Albany Corp
518.447.8544
chris.campbell@fac.com

--
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the sender and delete
the message from your mailbox.

This footnote also confirms that this email message has been swept by
MailScanner (www.mailscanner.info) for the presence of computer viruses.

From mailscanner at ELKNET.NET Mon Aug 11 19:11:50 2003
From: mailscanner at ELKNET.NET (Alan Fiebig)
Date: Thu Jan 12 21:19:17 2006
Subject: Question for Clam users
Message-ID: <200308111811.h7BIBqS23083@ori.rl.ac.uk>

I've been running ClamAV now for a couple of weeks. The autoupdate of new
signatures runs just fine. However, I'm seeing a pattern in Clam that I'm
not used to in my experience with F-Prot, McAfee etc.

MS has an excellent auto-update routine to grab and install new signatures
for Clam as they become available. However, I'm seeing almost as many
updates to the actual Clam program as I'm seeing updates to the signature
files. With other anti-virus programs I use, I typically only see one or two
new releases for the engine a year; everything else is updated via the
periodic signature files. With Clam, it seems the engine is updated almost
as often as the signatures.

Obviously the auto-update routine in MS can't handle an update to the actual
program. How are the rest of you dealing with all these engine updates?
Right now I find myself either paying close attention to my email and/or the
Clam website, and manually installing the new software when I see it; this
all sort of defeats the purpose of the auto-update procedure. I wouldn't
mind doing this a few times a year, but just in the last month there have
been four updates (ignoring the development updates).

Thanks for any ideas,

-Alan

From RKearney at AZERTY.COM Mon Aug 11 19:31:45 2003
From: RKearney at AZERTY.COM (Kearney, Rob)
Date: Thu Jan 12 21:19:17 2006
Subject: MySQL logging
Message-ID: <210DF55DED65B547896F728FB057F3B2019C4577@seaver.ussco.com>

Supposing you're using the SQLLogging that comes with MailScanner, and have
enabled this in your MailScanner.conf:

1) Did you change the DSN/connection string in the EndSQLLogging function in
CustomConfig.pm to point to a different host ("DBI:mysql:mailscanner::")?

2) MailScanner writes to a temp file, and will purge these to the Database
when MailScanner is gracefully killed. Try to stop and start MailScanner to
see the results; otherwise, wait for MailScanner to restart, depending on
the "Restart Every" option in MailScanner.conf.

-rob

-----Original Message-----
From: Chris Campbell [mailto:Chris.Campbell@FAC.COM]
Sent: Monday, August 11, 2003 1:08 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: MySQL logging

I have done all the documented changes needed for SQL logging, and I see no
errors in the maillog. I have tested to make sure the mailscanner box can
log into the remote mysql server with the supplied username and password.
Has anyone else run across any problems logging to a remote mysql box? Can
anyone help me out here?

Thanks.

.....................................
Christopher S. Campbell
UNIX Admin
First Albany Corp
518.447.8544
chris.campbell@fac.com

From richard_cipher at YAHOO.COM Mon Aug 11 19:54:18 2003
From: richard_cipher at YAHOO.COM (Evert Ford)
Date: Thu Jan 12 21:19:17 2006
Subject: Question for Clam users
In-Reply-To: <200308111811.h7BIBqS23083@ori.rl.ac.uk>
Message-ID:

My 2 cents worth.

ClamAV is Open Source Software. As such, it would tend to have an accelerated development cycle in comparison to other Anti-virus software. The new engine releases may relate to a new feature that you may not necessarily need. As with any open source software, I grabbed a stable release and made sure the updates work. I keep a general eye on the features added to new versions, and when new features come into a stable release that are desirable, I'll upgrade. Or, if the updates quit working, or ClamAV quits doing a good job catching viruses, I'll look at upgrading.

With most proprietary software, new engine releases are critical because they are directed at specific new viruses out there. This isn't necessarily going to be true with a piece of open source software.

Evert Ford
Computer Guy
Westone Laboratories
http://www.westone.com

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Alan Fiebig
Sent: Monday, August 11, 2003 12:12 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Question for Clam users

I've been running ClamAV now for a couple of weeks. The autoupdate of new signatures runs just fine. However, I'm seeing a pattern in Clam that I'm not used to in my experience with F-Prot, McAfee etc.

MS has an excellent auto-update routine to grab and install new signatures for Clam as they become available. However, I'm seeing almost as many updates to the actual Clam program as I'm seeing updates to the signature files. With other anti-virus programs I use, I typically only see one or two new releases for the engine a year; everything else is updated via the periodic signature files.

With Clam, it seems the engine is updated almost as often as the signatures. Obviously the auto-update routine in MS can't handle an update to the actual program. How are the rest of you dealing with all these engine updates? Right now I find myself either paying close attention to my email and/or the Clam website, and manually installing the new software when I see it; this all sort of defeats the purpose of the auto-update procedure.

I wouldn't mind doing this a few times a year, but just in the last month there have been four updates (ignoring the development updates).

Thanks for any ideas,
-Alan

---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.483 / Virus Database: 279 - Release Date: 5/19/03

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.483 / Virus Database: 279 - Release Date: 5/19/03

From Chris.Campbell at FAC.COM Mon Aug 11 19:59:18 2003
From: Chris.Campbell at FAC.COM (Chris Campbell)
Date: Thu Jan 12 21:19:17 2006
Subject: MySQL logging
Message-ID:

Yup, changed the hostname, and supplied my password as well....

.....................................
Christopher S. Campbell
UNIX Admin


"Kearney, Rob"
Sent by: MailScanner mailing list
08/11/03 02:31 PM
Please respond to MailScanner mailing list

cc:
Subject: Re: MySQL logging


Supposing you're using the SQLLogging that comes with MailScanner, and have enabled this in your MailScanner.conf,

1) Did you change the DSN/connection string in the EndSQLLogging function in CustomConfig.pm to point to a different host ("DBI:mysql:mailscanner::")?

2) MailScanner writes to a temp-file, and will purge these to the Database when MailScanner is gracefully killed. Try to stop and start MailScanner to see the results; otherwise, wait for MailScanner to restart, depending on the "Restart Every" option in MailScanner.conf.

-rob

-----Original Message-----
From: Chris Campbell [mailto:Chris.Campbell@FAC.COM]
Sent: Monday, August 11, 2003 1:08 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: MySQL logging

I have done all the documented changes needed for SQL logging, and I see no errors in the maillog. I have tested to make sure the mailscanner box can log into the remote mysql server with the supplied username and password. Has anyone else run across any problems logging to a remote mysql box? Can anyone help me out here?

Thanks.
.....................................
Christopher S. Campbell
UNIX Admin
First Albany Corp
518.447.8544
chris.campbell@fac.com

From gerry at dorfam.ca Mon Aug 11 20:18:30 2003
From: gerry at dorfam.ca (Gerry Doris)
Date: Thu Jan 12 21:19:17 2006
Subject: Question for Clam users
In-Reply-To:
References: <200308111811.h7BIBqS23083@ori.rl.ac.uk>
Message-ID: <39671.129.80.22.143.1060629510.squirrel@tiger.dorfam.ca>

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Alan Fiebig
> Sent: Monday, August 11, 2003 12:12 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Question for Clam users
>
>
> I've been running ClamAV now for a couple of weeks. The autoupdate of new
> signatures runs just fine. However, I'm seeing a pattern in Clam that I'm
> not used to in my experience with F-Prot, McAfee etc.
>
> MS has an excellent auto-update routine to grab and install new signatures
> for Clam as they become available. However, I'm seeing almost as many
> updates to the actual Clam program as I'm seeing updates to the signature
> files. With other anti-virus programs I use, I typically only see one or
> two new releases for the engine a year; everything else is updated via the
> periodic signature files.
>
> With Clam, it seems the engine is updated almost as often as the
> signatures. Obviously the auto-update routine in MS can't handle an update
> to the actual program. How are the rest of you dealing with all these
> engine updates? Right now I find myself either paying close attention to
> my email and/or the Clam website, and manually installing the new software
> when I see it; this all sort of defeats the purpose of the auto-update
> procedure.
>
> I wouldn't mind doing this a few times a year, but just in the last month
> there have been four updates (ignoring the development updates).
>
> Thanks for any ideas,
> -Alan

I just checked and the most recent stable version is 0.60 dated June 20. However, there are a series of snapshot releases. Depending on your use of the product you may not even want to consider using these? Checking the changelog shows that they're the result of active development, particularly in the mbox area. The commercial scanners are likely going through the same process but you don't have the opportunity to see the snapshots!

Gerry

From Antony at SOFT-SOLUTIONS.CO.UK Mon Aug 11 20:28:17 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:17 2006
Subject: MPEG file type
In-Reply-To: <200308111056.26002.lbergman@wtxs.net>
References: <200308111056.26002.lbergman@wtxs.net>
Message-ID: <200308111928.h7BJSL024522@agate.rockstone.co.uk>

On Monday 11 August 2003 4:56 pm, Lewis Bergman wrote:

> I searched the archives and found the discussion related to the filetype
> directive. For those like me that are less aware of various threats could
> someone please summarize why I might want to block the various movie file
> types?
> MPEG
> MNG
> AVI
> QuickTime

They're not so much threats (AFAIK), as simply files which businesses in particular might be interested in blocking people from sending or receiving as attachments.

Remember that MS is not only used to stop things (such as viruses) which might cause problems if they were to arrive, but is also used to implement acceptable use policies etc, especially by the use of extension or file type matching.

Regards,

Antony

--
The first ninety percent of an engineering project takes ninety percent of the time, and the last ten percent takes the remaining ninety percent.

From marco at MUW.EDU Mon Aug 11 21:25:52 2003
From: marco at MUW.EDU (Marco Obaid)
Date: Thu Jan 12 21:19:17 2006
Subject: MPEG file type
In-Reply-To: <200308111928.h7BJSL024522@agate.rockstone.co.uk>
References: <200308111056.26002.lbergman@wtxs.net> <200308111928.h7BJSL024522@agate.rockstone.co.uk>
Message-ID: <1060633551.3f37fbd0026dd@webmail.MUW.Edu>

Hi,

> For those like me that are less aware of various threats could
> someone please summarize why I might want to block the various movie file
> types?

Not so much of a threat, but can be used to enforce policies. In the institution where I work, students were trading movies and media files through e-mail. Some were sending an entire CD over e-mail, either because they did not know any better or being lazy. The threat, if you wanna call it that, is that I had to deal with mail bombs. So I stopped it via MS.

It is worth noting that blocking media files using File Rules is not effective, for that purpose, unless you have some cap on the attachment size through your MTA. The students in my institution got around MS by renaming their files to strange extensions or no extensions. Conveniently, they e-mailed each other instructions on what the original file name would be. I discouraged that by setting a cap on the attachment size. They don't like me now, but mail is flowing faster than ever.

Marco

_________________________________________________________________
This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail
For the latest MUW Events, visit http://www.MUW.Edu/calendar

From mailscanner at ecs.soton.ac.uk Mon Aug 11 21:13:01 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:17 2006
Subject: MPEG file type
In-Reply-To: <1060633551.3f37fbd0026dd@webmail.MUW.Edu>
References: <200308111928.h7BJSL024522@agate.rockstone.co.uk> <200308111056.26002.lbergman@wtxs.net> <200308111928.h7BJSL024522@agate.rockstone.co.uk>
Message-ID: <5.2.1.1.2.20030811211218.03a9ce48@imap.ecs.soton.ac.uk>

At 21:25 11/08/2003, you wrote:
>It is worth noting that blocking media files using File Rules is not
>effective, for that purpose, unless you have some cap on the attachment
>size through your MTA. The students in my institution got around MS by
>renaming their files to strange extensions or no extensions. Conveniently,
>they e-mailed each other instructions on what the original file name would
>be. I discouraged that by setting a cap on the attachment size. They don't
>like me now, but mail is flowing faster than ever.

Which is one of the reasons I wrote the filetype checking in addition to the filename checking ;-)

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From marco at MUW.EDU Mon Aug 11 21:35:30 2003
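Marco's renaming trick and Julian's filetype checking, as an added example that is not MailScanner code (MailScanner itself hands type detection to the external file(1) command named in MailScanner.conf). It checks the leading bytes of the media containers named in this thread (MPEG, AVI, QuickTime, MNG) so a renamed or extension-less attachment is still recognised, and adds the size cap Marco ended up enforcing at the MTA; the extension list, type labels, function names and sample attachments are constructed for the example.

```python
import re

# Leading-byte signatures for the containers named in the thread, taken from
# the public container formats; constructed for this example, not MailScanner's
# own filetype tables.
FIXED_MAGIC = [
    (b"\x00\x00\x01\xba", "MPEG program stream"),
    (b"\x00\x00\x01\xb3", "MPEG video sequence"),
    (b"\x8aMNG\r\n\x1a\n", "MNG"),
]
# QuickTime/MP4 files start with a box header: 4-byte size then a 4-byte type.
QT_ATOMS = {b"ftyp", b"moov", b"mdat", b"wide", b"free", b"skip", b"pnot"}

# Extensions a filename rule would block (hypothetical list for this example).
BLOCKED_EXTENSIONS = {".mpg", ".mpeg", ".avi", ".mov", ".qt", ".mng"}


def sniff_media_type(data):
    """Identify a media container from its content, ignoring the filename.

    Returns a type label or None. A renamed file keeps these bytes, which is
    what defeats the renaming trick described in the thread.
    """
    for sig, label in FIXED_MAGIC:
        if data[: len(sig)] == sig:
            return label
    # RIFF container: "RIFF" <4-byte little-endian size> "AVI "
    if data[:4] == b"RIFF" and data[8:12] == b"AVI ":
        return "AVI"
    if len(data) >= 8 and data[4:8] in QT_ATOMS:
        return "QuickTime/MP4"
    return None


def filename_rule_blocks(filename):
    """The extension check on its own; this is what the students evaded."""
    match = re.search(r"(\.[^.\\/]+)$", filename)
    return bool(match) and match.group(1).lower() in BLOCKED_EXTENSIONS


def attachment_verdict(filename, data, max_bytes=None):
    """Combine the three controls the thread ends up with.

    Order: filename rule, then content sniffing, then the size cap Marco
    applied at the MTA. Returns (blocked, reason).
    """
    if filename_rule_blocks(filename):
        return True, "filename rule"
    kind = sniff_media_type(data)
    if kind is not None:
        return True, "filetype rule (%s)" % kind
    if max_bytes is not None and len(data) > max_bytes:
        return True, "size cap"
    return False, "allowed"


def scan_batch(attachments, max_bytes=None):
    """Apply attachment_verdict to (filename, bytes) pairs; returns a dict."""
    return {name: attachment_verdict(name, data, max_bytes)
            for name, data in attachments}


# Constructed sample attachments: a real AVI header, the same bytes renamed to
# hide from the extension rule, an MPEG stream with no extension at all, a
# QuickTime file renamed to look like homework, and an oversized text file.
AVI_BYTES = b"RIFF" + (4096).to_bytes(4, "little") + b"AVI LIST" + b"\x00" * 24
SAMPLE_ATTACHMENTS = [
    ("movie.avi", AVI_BYTES),
    ("movie.txt", AVI_BYTES),
    ("part1", b"\x00\x00\x01\xba" + b"\x00" * 28),
    ("homework.doc", b"\x00\x00\x00\x14ftypqt  " + b"\x00" * 12),
    ("readme.txt", b"Just a plain text note."),
    ("big.txt", b"A" * 2000),
]

if __name__ == "__main__":
    for name, (blocked, reason) in scan_batch(SAMPLE_ATTACHMENTS, max_bytes=1024).items():
        print("%-14s %-6s %s" % (name, "BLOCK" if blocked else "pass", reason))
```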
From: marco at MUW.EDU (Marco Obaid)
Date: Thu Jan 12 21:19:17 2006
Subject: MPEG file type
In-Reply-To: <5.2.1.1.2.20030811211218.03a9ce48@imap.ecs.soton.ac.uk>
References: <200308111928.h7BJSL024522@agate.rockstone.co.uk> <200308111056.26002.lbergman@wtxs.net> <200308111928.h7BJSL024522@agate.rockstone.co.uk> <5.2.1.1.2.20030811211218.03a9ce48@imap.ecs.soton.ac.uk>
Message-ID: <1060634130.3f37fe12a38fc@webmail.MUW.Edu>

Hi,

> Which is one of the reasons I wrote the filetype checking in addition to
> the filename checking
> ;-)

I won't tell them that because they will hate you even more :)

Marco

_________________________________________________________________
This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail
For the latest MUW Events, visit http://www.MUW.Edu/calendar

From TGFurnish at HERFF-JONES.COM Mon Aug 11 21:23:27 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:17 2006
Subject: useless use of private variable in void context at CustomConfig.pm line 475...?
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1ABC@inex1.herffjones.hj-int>

If I do:

perl -cw CustomConfig.pm

...then I get:
private variable in void context at CustomConfig.pm2 line 475.

The line numbers may have changed a little bit, but here's the tidbit of code in question:

  # Use the sanitised filename to avoid problems caused by people forcing
  # logging of attachment filenames which contain nasty SQL instructions.
  $file = $message->{file2safefile}{$file} or $file;

Looking at that though I'm not sure whether it's really a problem or not. So... any MS+Perl guru care to say whether that is something that needs fixing? I just adapted the SQLLogging code to work with flat files instead (not enough spare mem on the test system to run mysqld :-( ) and inherited this line in the process.

--
Trever

From brent at MIRABITO.COM Mon Aug 11 21:31:56 2003
From: brent at MIRABITO.COM (Brent Strignano)
Date: Thu Jan 12 21:19:17 2006
Subject: MPEG file type
Message-ID: <62E46E0C3CB8024C807447814E1B20A501225C8F@granitemail.mirabito.com>

Actually MPEG and QT movies can be a security threat. You can embed a URL in them that will activate when they are played. Real Media files can do this as well.

Brent Strignano
System Administrator
Granite Capital Holdings
Sidney, NY

> -----Original Message-----
> From: Lewis Bergman [mailto:lbergman@wtxs.net]
> Sent: Monday, August 11, 2003 11:56 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: MPEG file type
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I searched the archives and found the discussion related to
> the filetype directive. For those like me that are less aware
> of various threats could someone please summarize why I might
> want to block the various movie file types? MPEG MNG AVI QuickTime
> - --
> Lewis Bergman
> Texas Communications
> 4309 Maple St.
> Abilene, TX 79602-8044
> 915-695-6962 ext 115
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.7 (GNU/Linux)
>
> iD8DBQE/N7yppT00mQjG01gRAhUhAJwJVTOJ4Ejuw9/c6+nIDuIz2drQCACfdeIy
> mEyIsMhp7a4q5IpjilvVKXw=
> =gZLh
> -----END PGP SIGNATURE-----
>

From mailscanner at ecs.soton.ac.uk Mon Aug 11 21:39:28 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:17 2006
Subject: ANNOUNCE: Beta 4.23-4 released
Message-ID: <5.2.1.1.2.20030811213127.027faeb0@imap.ecs.soton.ac.uk>

Another update for you. Please let me know if it works for you or not. Download as usual from www.mailscanner.info.

ChangeLog is
- Improved handling of Allowed Sophos Error Messages. To allow more than 1 string, put each string in quotes and separate them with commas. For example
    Allowed Sophos Error Messages = "corrupt", "format not supported"
- Added ZMailer support to RedHat init.d script.
- All virus scanner package installation paths have been moved to virus.scanners.conf so they are not in any of the wrapper or autoupdate scripts.
  *NOTE*: If you are not using my "update_virus_scanners" global updater
  *NOTE*: script, but have written your own cron jobs, then you must add
  *NOTE*: the installation path to the autoupdate commands. To see the
  *NOTE*: default path, read virus.scanners.conf.
  *NOTE*: If you don't do this, your autoupdates may not work.
- Added "Definite Spam Is High Scoring" configuration option so that spam that is blacklisted is treated using the "High Scoring Spam Actions".
- Improved SuSE init.d script handles sendmail and Postfix. It will handle Exim once I can get it to build.

I have also fixed the minor safe filename handling bug in CustomConfig.pm.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Mon Aug 11 21:39:48 2003
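An added example, not MailScanner's code, of parsing the quoted, comma-separated value for Allowed Sophos Error Messages announced above and matching it as whole, literal phrases; for comparison it also renders the word-splitting approach from the SweepViruses.pm patch posted in the "Sophos and PDF revisited" thread and runs both on the same error text. The error string is the one Dustin reported in that thread; the function names are mine.

```python
import re


def parse_allowed_errors(value):
    """Split the option value into whole phrases.

    Quoted strings are taken verbatim; a value with no quotes is treated as
    one phrase (the older single-string form). Empty phrases are dropped so
    they can never turn into an empty regex alternative.
    """
    phrases = re.findall(r'"([^"]*)"', value)
    if not phrases:
        phrases = [value]
    return [p.strip() for p in phrases if p.strip()]


def build_matcher(phrases):
    """Compile one alternation over whole phrases, each escaped so that
    characters such as '[' or '.' in the config are matched literally.
    Returns None when there is nothing to allow."""
    if not phrases:
        return None
    return re.compile("|".join(re.escape(p) for p in phrases))


def error_is_allowed(error, allowed_value):
    """True when any configured phrase occurs, whole, in the Sophos error text."""
    matcher = build_matcher(parse_allowed_errors(allowed_value))
    return matcher is not None and matcher.search(error) is not None


def word_split_allows(error, allowed_value):
    """Python rendering of the word-splitting logic in the SweepViruses.pm
    patch: collapse whitespace, backslash-escape non-alphanumerics, turn each
    remaining space into '|'. Kept to show two failure modes: every single
    word becomes a match on its own, and leading or trailing whitespace
    leaves an empty alternative that matches every error string."""
    pattern = re.sub(r"\s+", " ", allowed_value)
    pattern = re.sub(r"[^0-9A-Za-z ]", lambda m: "\\" + m.group(0), pattern)
    pattern = pattern.replace(" ", "|")
    if pattern == "":
        return False
    return re.search(pattern, error) is not None


if __name__ == "__main__":
    # The error reported in the "Sophos and PDF revisited" thread.
    sophos_error = "unexpected error [0x80040202]"
    print(error_is_allowed(sophos_error, '"0x80040202"'))
    print(error_is_allowed("file not found", '"corrupt", "format not supported"'))
    # Word splitting lets the common word "not" allow an unrelated error...
    print(word_split_allows("file not found", "corrupt format not supported"))
    # ...and a trailing space allows every error, while phrase matching does not.
    print(word_split_allows(sophos_error, "corrupt "), error_is_allowed(sophos_error, "corrupt "))
```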
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:17 2006
Subject: useless use of private variable in void context at CustomConfig.pm line 475...?
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF8E1ABC@inex1.herffjones.hj-int>
Message-ID: <5.2.1.1.2.20030811213936.03a67460@imap.ecs.soton.ac.uk>

Well spotted. It should be "||" and not "or".

At 21:23 11/08/2003, you wrote:
>If I do:
>
>perl -cw CustomConfig.pm
>
>...then I get:
>private variable in void context at CustomConfig.pm2 line 475.
>
>The line numbers may have changed a little bit, but here's the tidbit of
>code in question:
>  # Use the sanitised filename to avoid problems caused by people forcing
>  # logging of attachment filenames which contain nasty SQL instructions.
>  $file = $message->{file2safefile}{$file} or $file;
>
>Looking at that though I'm not sure whether it's really a problem or not.
>So... any MS+Perl guru care to say whether that is something that needs
>fixing? I just adapted the SQLLogging code to work with flat files instead
>(not enough spare mem on the test system to run mysqld :-( ) and inherited
>this line in the process.
>
>--
>Trever

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From TGFurnish at HERFF-JONES.COM Mon Aug 11 22:13:38 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:17 2006
Subject: useless use of private variable in void context at CustomConfig.pm line 475...?
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1ABD@inex1.herffjones.hj-int>

Ah, thanks. Fixed.

It is with real trepidation that I'll go ahead and offer up the attached modified version of CustomConfig.pm with the changes I made to get it writing to a flat log file instead of to a SQL server. Trepidation because I won't be all that surprised when someone points out something like "There's already flat-file logging in the XYZ function at the top of that file" or "That's dumb, why'd you do it that way." It's also really just a slightly modified version of the SQLLogging functions. I re-used functions from the MailScanner modules without a deep understanding of them - just made them look similar to how I saw them used in other functions. It seems to work, but if anyone looks at the code to get a good laugh and spots a problem, I'd be most grateful to be informed.

There's no sorting of the log messages here so the log file will end up out of order - I thought I'd just put re-sorting functionality into the logrotate stanza used to rotate the log file. Haven't done that bit yet.

-t.

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: Monday, August 11, 2003 3:40 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: useless use of private variable in void context at
> CustomConfig.pm line 475...?
>
>
> Well spotted. It should be "||" and not "or".
>
> At 21:23 11/08/2003, you wrote:
> >If I do:
> >
> >perl -cw CustomConfig.pm
> >
> >...then I get:
> >private variable in void context at CustomConfig.pm2 line 475.
> >
> >The line numbers may have changed a little bit, but here's the tidbit of
> >code in question:
> >  # Use the sanitised filename to avoid problems caused by people forcing
> >  # logging of attachment filenames which contain nasty SQL instructions.
> >  $file = $message->{file2safefile}{$file} or $file;
> >
> >Looking at that though I'm not sure whether it's really a problem or not.
> >So... any MS+Perl guru care to say whether that is something that needs
> >fixing? I just adapted the SQLLogging code to work with flat files instead
> >(not enough spare mem on the test system to run mysqld :-( ) and inherited
> >this line in the process.
> >
> >--
> >Trever
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CustomConfig.pm2
Type: application/octet-stream
Size: 25229 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030811/745d7ac1/CustomConfig.obj

From mike at CAMAROSS.NET Mon Aug 11 23:24:21 2003
From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:19:17 2006 Subject: Sophos and PDF revisited In-Reply-To: <5.2.1.1.2.20030807210545.027aeea0@imap.ecs.soton.ac.uk> Message-ID: <002001c36057$50364120$9c01a8c0@home.middlefinger.net> This may be a stupid question, but do I just save this text as a file and then 'patch < filename.patch'? AND...does this patch apply to 4.21-9? Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Thursday, August 07, 2003 3:06 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Sophos and PDF revisited Please try this patch to SweepViruses.pm. --- SweepViruses.pm 2003-08-05 21:42:19.000000000 +0100 +++ SweepViruses.pm.new 2003-08-07 21:00:09.000000000 +0100 @@ -961,8 +961,13 @@ # If the error is one of the allowed errors, then don't report any # infections on this file. if ($error ne "") { + # Treat their string as a list of words, any of which can match my $errorlist = MailScanner::Config::Value('sophosallowederrors'); - if ($errorlist && $errorlist =~ /$error/) { + $errorlist =~ s/\s+/ /g; + $errorlist =~ s/[^0-9A-Za-z ]/\\$&/g; + $errorlist =~ s/ /\|/g; + #if ($errorlist ne "" && $errorlist =~ /$error/) { + if ($errorlist ne "" && $error =~ /$errorlist/) { MailScanner::Log::WarnLog("Ignored Sophos '%s' error", $error); return 0; } At 20:50 07/08/2003, you wrote: >I am seeing the same thing: > >The following e-mail messages were found to have viruses in them: > > Sender: tlstauft@purvingertz.com >IP Address: 207.34.112.53 > Recipient: tracy.gallucci@williams.com, deb.bogoros@williams.com, >miriam.mitchell-banks@williams.com > Subject: RE: Stampede Follow-up > MessageID: h77JYuj02622 > Report: Could not check >./h77JYuj02622/Williams0803.zip/C2375_R03_Report1.pdf (unexpected error >[0x80040202]) > >Mike > > >-----Original Message----- 
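Review bot: the rewritten allowed-errors check in the SweepViruses.pm hunk can fail open. `$errorlist =~ s/\s+/ /g` collapses runs of whitespace but keeps a leading or trailing one, and `$errorlist =~ s/ /\|/g` then turns it into a leading or trailing `|`, so a value such as `corrupt ` (trailing space) becomes the pattern `corrupt|`, whose empty alternative matches every error string, and every Sophos error on that file is then silently ignored. Splitting on spaces also makes each word its own alternative, so an entry like `format not supported` would suppress any error containing `not`. Suggest trimming (`s/^\s+|\s+$//g`) and discarding empty pieces before joining, matching whole phrases (split on commas, `quotemeta` each one, join with `|`) rather than words, and keeping a defined/non-empty guard before the substitutions, since the removed line tested `$errorlist &&` while the new code substitutes on `$errorlist` before its `ne ""` test; the commented-out old `if` line can be dropped rather than left in.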
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of Julian Field >Sent: Thursday, August 07, 2003 2:11 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Sophos and PDF revisited > > >Can you put the troublesome PDF into a password-protected zip file and >mail it to me please (off-list). I'm slightly at a loss as to why this >option works sometimes (e.g. detecting corrupt files) but not in your >case. I need to be able to reproduce the problem. > >At 18:55 07/08/2003, you wrote: > >Julian Field wrote: > > > > > > And you are doing a "reload" of MailScanner after changing the > > > MailScanner.conf file? > > > >Yes: > > > ># ps -ef | grep MailScanner > > > > root 6320 6315 1 10:10:25 ? 0:38 /usr/bin/perl > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > root 14404 6337 0 11:47:59 ? 0:00 /usr/bin/perl > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > root 6316 6315 1 10:10:14 ? 0:42 /usr/bin/perl > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > root 6333 6315 2 10:10:45 ? 0:41 /usr/bin/perl > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > root 6326 6315 0 10:10:35 ? 0:36 /usr/bin/perl > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > root 6337 6315 1 10:10:55 ? 0:37 /usr/bin/perl > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > root 6315 1 0 10:10:14 ? 0:00 /usr/bin/perl > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > > ># sudo pkill MailScanner > ># ps -ef | grep MailScanner > > > >(nothing) > > > ># sudo /opt/MailScanner/bin/check_mailscanner > ># ps -ef | grep MailScanner > > root 14577 14576 1 11:50:10 ? 0:00 /usr/bin/perl > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > root 14513 14483 6 11:49:38 ? 0:04 /usr/bin/perl > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > root 14554 14483 8 11:49:58 ? 
0:02 /usr/bin/perl > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > root 14576 14513 0 11:50:10 ? 0:00 /usr/bin/perl > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > root 14575 14528 2 11:50:09 ? 0:00 /usr/bin/perl > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > root 14528 14483 9 11:49:48 ? 0:04 /usr/bin/perl > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > root 14498 14483 3 11:49:28 ? 0:04 /usr/bin/perl > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > root 14483 1 0 11:49:17 ? 0:00 /usr/bin/perl > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > root 14484 14483 3 11:49:17 ? 0:05 /usr/bin/perl > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > > >Sent another test message and received the same error: > > > >Report: Could not check ./h77HpFbR014728/blah.pdf (unexpected error > >[0x80040202]) > > > >Dustin > > > > > > > > > > > > > At 17:44 07/08/2003, you wrote: > > > >Good Day, > > > > > > > >Setup: MS 4.22-5, Sendmail 8.12.9, SpamAssassin 2.55, current > > > >version of Sophos > > > > > > > >I am receiving the following error messages on some PDFs that go > > > >through > > > >MailScanner: > > > > > > > > Report: Could not check ./h77FLfbR002021/blah.pdf > > > > (unexpected > > error > > > >[0x80040202]) > > > > > > > >According to MailScanner.conf, "Anything on the next line that > > > >appears in brackets at the end of a line of output from Sophos > > > >will cause the error/infection to be ignored." > > > > > > > >I have added "0x80040202" to "Allowed Sophos Error Messages=" but > > > >the quarantine still occurs. I have also tried adding > > > >"unexpected error," with no luck. > > > > > > > >So, I decided to add "allow \.pdf$ - -" to filename.rules.conf, > > > >but the quarantined still occurs. 
> > > > > > > >Any suggestions on what I could do to allow the PDFs with the > > > >above error message? > > > > > > > >Thanks, > > > > > > > >Dustin > > > >-- > > > >Dustin Baer > > > >Unix Administrator/Postmaster > > > >Information Handling Services > > > >15 Inverness Way East > > > >Englewood, CO 80112 > > > >303-397-2836 > > > > > > -- > > > Julian Field > > > www.MailScanner.info > > > Professional Support Services at www.MailScanner.biz MailScanner > > > thanks transtec Computers for their support > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz MailScanner thanks >transtec Computers for their support -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mike at CAMAROSS.NET Mon Aug 11 23:40:20 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:19:17 2006 Subject: ANNOUNCE: Beta 4.23-4 released In-Reply-To: <5.2.1.1.2.20030811213127.027faeb0@imap.ecs.soton.ac.uk> Message-ID: <002101c36059$8b600ef0$9c01a8c0@home.middlefinger.net> I just installed this and I'm getting: Aug 11 17:36:27 rh MailScanner[15246]: Spam Actions: message h7BMXsK14874 actions are striphtml,deliver Aug 11 17:36:27 rh cucipop[15293]: Opened tsuyuki's mailbox Aug 11 17:36:28 rh MailScanner[15246]: Virus and Content Scanning: Starting Aug 11 17:36:28 rh MailScanner[15246]: Never heard of scanner 'sophos'! Aug 11 17:36:28 rh MailScanner[15278]: New Batch: Scanning 7 messages, 397963 bytes Aug 11 17:36:28 rh MailScanner[15278]: Spam Checks: Starting Aug 11 17:36:28 rh MailScanner[15307]: MailScanner E-Mail Virus Scanner version 4.23-4 starting... Ideas? Mike -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Monday, August 11, 2003 3:39 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: ANNOUNCE: Beta 4.23-4 released Another update for you. Please let me know if it works for you or not. Download as usual from www.mailscanner.info. ChangeLog is - Improved handling of Allowed Sophos Error Messages. To allow more than 1 string, put each string in quotes and separate them with commas. For example Allowed Sophos Error Messages = "corrupt", "format not supported" - Added ZMailer support to RedHat init.d script. - All virus scanner package installation paths have been moved to virus.scanners.conf so they are not in any of the wrapper or autoupdate scripts. *NOTE*: If you are not using my "update_virus_scanners" global updater *NOTE*: script, but have written your own cron jobs, then you must add *NOTE*: the installation path to the autoupdate commands. To see the *NOTE*: default path, read virus.scanners.conf. *NOTE*: If you don't do this, your autoupdates may not work. - Added "Definite Spam Is High Scoring" configuration option so that spam that is blacklisted is treated using the "High Scoring Spam Actions". - Improved SuSE init.d script handles sendmail and Postfix. It will handle Exim once I can get it to build. I have also fixed the minor safe filename handling bug in CustomConfig.pm. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mike at CAMAROSS.NET Tue Aug 12 01:05:49 2003 
From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:19:17 2006 Subject: ANNOUNCE: Beta 4.23-4 released In-Reply-To: <002101c36059$8b600ef0$9c01a8c0@home.middlefinger.net> Message-ID: <002b01c36065$7d34edd0$9c01a8c0@home.middlefinger.net> It seems that setting Virus Scanners = None doesn't work either: Aug 11 18:55:59 rh MailScanner[398]: MailScanner E-Mail Virus Scanner version 4.23-4 starting... Aug 11 18:56:02 rh MailScanner[353]: New Batch: Found 62 messages waiting Aug 11 18:56:02 rh MailScanner[353]: New Batch: Scanning 2 messages, 250855 bytes Aug 11 18:56:02 rh MailScanner[353]: Spam Checks: Starting Aug 11 18:56:06 rh MailScanner[398]: Using locktype = flock Aug 11 18:56:09 rh MailScanner[437]: MailScanner E-Mail Virus Scanner version 4.23-4 starting... Aug 11 18:56:10 rh MailScanner[353]: Virus and Content Scanning: Starting Aug 11 18:56:10 rh MailScanner[353]: Never heard of scanner 'none'! Aug 11 18:56:11 rh MailScanner[398]: New Batch: Found 62 messages waiting Aug 11 18:56:11 rh MailScanner[398]: New Batch: Scanning 2 messages, 250855 bytes Aug 11 18:56:11 rh MailScanner[398]: Spam Checks: Starting Soooo...no mail gets delivered! Anyone have any ideas? Mike -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Mike Kercher Sent: Monday, August 11, 2003 5:40 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: ANNOUNCE: Beta 4.23-4 released I just installed this and I'm getting: Aug 11 17:36:27 rh MailScanner[15246]: Spam Actions: message h7BMXsK14874 actions are striphtml,deliver Aug 11 17:36:27 rh cucipop[15293]: Opened tsuyuki's mailbox Aug 11 17:36:28 rh MailScanner[15246]: Virus and Content Scanning: Starting Aug 11 17:36:28 rh MailScanner[15246]: Never heard of scanner 'sophos'! Aug 11 17:36:28 rh MailScanner[15278]: New Batch: Scanning 7 messages, 397963 bytes Aug 11 17:36:28 rh MailScanner[15278]: Spam Checks: Starting Aug 11 17:36:28 rh MailScanner[15307]: MailScanner E-Mail Virus Scanner version 4.23-4 starting... Ideas? Mike -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Monday, August 11, 2003 3:39 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: ANNOUNCE: Beta 4.23-4 released Another update for you. Please let me know if it works for you or not. Download as usual from www.mailscanner.info. ChangeLog is - Improved handling of Allowed Sophos Error Messages. To allow more than 1 string, put each string in quotes and separate them with commas. For example Allowed Sophos Error Messages = "corrupt", "format not supported" - Added ZMailer support to RedHat init.d script. - All virus scanner package installation paths have been moved to virus.scanners.conf so they are not in any of the wrapper or autoupdate scripts. *NOTE*: If you are not using my "update_virus_scanners" global updater *NOTE*: script, but have written your own cron jobs, then you must add *NOTE*: the installation path to the autoupdate commands. To see the *NOTE*: default path, read virus.scanners.conf. *NOTE*: If you don't do this, your autoupdates may not work. - Added "Definite Spam Is High Scoring" configuration option so that spam that is blacklisted is treated using the "High Scoring Spam Actions". - Improved SuSE init.d script handles sendmail and Postfix. It will handle Exim once I can get it to build. I have also fixed the minor safe filename handling bug in CustomConfig.pm. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From TGFurnish at HERFF-JONES.COM Mon Aug 11 22:13:38 2003 
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:17 2006
Subject: useless use of private variable in void context at CustomConfig.pm line 475...?
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1ABD@inex1.herffjones.hj-int>

Ah, thanks. Fixed.

It is with real trepidation that I'll go ahead and offer up the attached modified version of CustomConfig.pm with the changes I made to get it writing to a flat log file instead of to a SQL server. Trepidation because I won't be all that surprised when someone points out something like "There's already flat-file logging in the XYZ function at the top of that file" or "That's dumb, why'd you do it that way." It's also really just a slightly modified version of the SQLLogging functions. I re-used functions from the MailScanner modules without a deep understanding of them - just made them look similar to how I saw them used in other functions. It seems to work, but if anyone looks at the code to get a good laugh and spots a problem, I'd be most grateful to be informed.

There's no sorting of the log messages here so the log file will end up out of order - I thought I'd just put re-sorting functionality into the logrotate stanza used to rotate the log file. Haven't done that bit yet.

-t.

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: Monday, August 11, 2003 3:40 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: useless use of private variable in void context at > CustomConfig.p m line 475...? > > > Well spotted. It should be "||" and not "or". > > At 21:23 11/08/2003, you wrote: > >If I do: > > > >perl -cw CustomConfig.pm > > > >...then I get: > >private variable in void context at CustomConfig.pm2 line 475. > > > >The line numbers may have changed a little bit, but here's > the tidbit of > >code in question: > > # Use the sanitised filename to avoid problems caused > by people forcing > > # logging of attachment filenames which contain nasty > SQL instructions. > > $file = $message->{file2safefile}{$file} or $file; > > > >Looking at that though I'm not sure whether it's really a > problem or not. > >So... any MS+Perl guru care to say whether that is something > that needs > >fixing? I just adapted the SQLLogging code to work with > flat files instead > >(not enough spare mem on the test system to run mysqld :-( ) > and inherited > >this line in the process. > > > >-- > >Trever > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > -------------- next part -------------- A non-text attachment was scrubbed... Name: CustomConfig.pm2 Type: application/octet-stream Size: 25229 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030811/745d7ac1/CustomConfig-0001.obj From mike at CAMAROSS.NET Mon Aug 11 23:24:21 2003 
From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:19:17 2006 Subject: Sophos and PDF revisited In-Reply-To: <5.2.1.1.2.20030807210545.027aeea0@imap.ecs.soton.ac.uk> Message-ID: <002001c36057$50364120$9c01a8c0@home.middlefinger.net> This may be a stupid question, but do I just save this text as a file and then 'patch < filename.patch'? AND...does this patch apply to 4.21-9? Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Thursday, August 07, 2003 3:06 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Sophos and PDF revisited Please try this patch to SweepViruses.pm. --- SweepViruses.pm 2003-08-05 21:42:19.000000000 +0100 +++ SweepViruses.pm.new 2003-08-07 21:00:09.000000000 +0100 @@ -961,8 +961,13 @@ # If the error is one of the allowed errors, then don't report any # infections on this file. if ($error ne "") { + # Treat their string as a list of words, any of which can match my $errorlist = MailScanner::Config::Value('sophosallowederrors'); - if ($errorlist && $errorlist =~ /$error/) { + $errorlist =~ s/\s+/ /g; + $errorlist =~ s/[^0-9A-Za-z ]/\\$&/g; + $errorlist =~ s/ /\|/g; + #if ($errorlist ne "" && $errorlist =~ /$error/) { + if ($errorlist ne "" && $error =~ /$errorlist/) { MailScanner::Log::WarnLog("Ignored Sophos '%s' error", $error); return 0; } At 20:50 07/08/2003, you wrote: >I am seeing the same thing: > >The following e-mail messages were found to have viruses in them: > > Sender: tlstauft@purvingertz.com >IP Address: 207.34.112.53 > Recipient: tracy.gallucci@williams.com, deb.bogoros@williams.com, >miriam.mitchell-banks@williams.com > Subject: RE: Stampede Follow-up > MessageID: h77JYuj02622 > Report: Could not check >./h77JYuj02622/Williams0803.zip/C2375_R03_Report1.pdf (unexpected error >[0x80040202]) > >Mike > > >-----Original Message----- 
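Review bot: the rewrite in this hunk matches single words rather than the configured phrases, and it can degrade into a rule that ignores every Sophos error. `s/\s+/ /g` followed by `s/ /\|/g` turns `"format not supported"` into the alternation `format|not|supported`, so any error text containing `not` (or, for a setting such as `unexpected error`, any text containing `error`) is treated as allowed and the file is passed as clean with no infection reported; leading or trailing whitespace in the option value leaves an empty alternative (`|corrupt`), which matches every error. Note also that `s/[^0-9A-Za-z ]/\\$&/g` escapes the quotes and commas of the ChangeLog syntax into the pattern, so `"corrupt",` only matches an error that literally contains the quote characters and comma. Suggest splitting the value on the comma-separated quoted strings the ChangeLog describes, trimming and dropping empty items, and matching each phrase whole with `/\Q$phrase\E/`; check `defined $errorlist` before the substitutions so an unset option does not warn, and drop the commented-out `#if` line rather than leaving it in the source.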
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of Julian Field >Sent: Thursday, August 07, 2003 2:11 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Sophos and PDF revisited > > >Can you put the troublesome PDF into a password-protected zip file and >mail it to me please (off-list). I'm slightly at a loss as to why this >option works sometimes (e.g. detecting corrupt files) but not in your >case. I need to be able to reproduce the problem. > >At 18:55 07/08/2003, you wrote: > >Julian Field wrote: > > > > > > And you are doing a "reload" of MailScanner after changing the > > > MailScanner.conf file? > > > >Yes: > > > ># ps -ef | grep MailScanner > > > > root 6320 6315 1 10:10:25 ? 0:38 /usr/bin/perl > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > root 14404 6337 0 11:47:59 ? 0:00 /usr/bin/perl > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > root 6316 6315 1 10:10:14 ? 0:42 /usr/bin/perl > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > root 6333 6315 2 10:10:45 ? 0:41 /usr/bin/perl > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > root 6326 6315 0 10:10:35 ? 0:36 /usr/bin/perl > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > root 6337 6315 1 10:10:55 ? 0:37 /usr/bin/perl > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > root 6315 1 0 10:10:14 ? 0:00 /usr/bin/perl > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > > ># sudo pkill MailScanner > ># ps -ef | grep MailScanner > > > >(nothing) > > > ># sudo /opt/MailScanner/bin/check_mailscanner > ># ps -ef | grep MailScanner > > root 14577 14576 1 11:50:10 ? 0:00 /usr/bin/perl > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > root 14513 14483 6 11:49:38 ? 0:04 /usr/bin/perl > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > root 14554 14483 8 11:49:58 ? 
0:02 /usr/bin/perl > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > root 14576 14513 0 11:50:10 ? 0:00 /usr/bin/perl > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > root 14575 14528 2 11:50:09 ? 0:00 /usr/bin/perl > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > root 14528 14483 9 11:49:48 ? 0:04 /usr/bin/perl > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > root 14498 14483 3 11:49:28 ? 0:04 /usr/bin/perl > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > root 14483 1 0 11:49:17 ? 0:00 /usr/bin/perl > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > root 14484 14483 3 11:49:17 ? 0:05 /usr/bin/perl > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > > >Sent another test message and received the same error: > > > >Report: Could not check ./h77HpFbR014728/blah.pdf (unexpected error > >[0x80040202]) > > > >Dustin > > > > > > > > > > > > > At 17:44 07/08/2003, you wrote: > > > >Good Day, > > > > > > > >Setup: MS 4.22-5, Sendmail 8.12.9, SpamAssassin 2.55, current > > > >version of Sophos > > > > > > > >I am receiving the following error messages on some PDFs that go > > > >through > > > >MailScanner: > > > > > > > > Report: Could not check ./h77FLfbR002021/blah.pdf > > > > (unexpected > > error > > > >[0x80040202]) > > > > > > > >According to MailScanner.conf, "Anything on the next line that > > > >appears in brackets at the end of a line of output from Sophos > > > >will cause the error/infection to be ignored." > > > > > > > >I have added "0x80040202" to "Allowed Sophos Error Messages=" but > > > >the quarantine still occurs. I have also tried adding > > > >"unexpected error," with no luck. > > > > > > > >So, I decided to add "allow \.pdf$ - -" to filename.rules.conf, > > > >but the quarantined still occurs. 
> > > > > > > >Any suggestions on what I could do to allow the PDFs with the > > > >above error message? > > > > > > > >Thanks, > > > > > > > >Dustin > > > >-- > > > >Dustin Baer > > > >Unix Administrator/Postmaster > > > >Information Handling Services > > > >15 Inverness Way East > > > >Englewood, CO 80112 > > > >303-397-2836 > > > > > > -- > > > Julian Field > > > www.MailScanner.info > > > Professional Support Services at www.MailScanner.biz MailScanner > > > thanks transtec Computers for their support > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz MailScanner thanks >transtec Computers for their support -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mike at CAMAROSS.NET Mon Aug 11 23:40:20 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:19:17 2006 Subject: ANNOUNCE: Beta 4.23-4 released In-Reply-To: <5.2.1.1.2.20030811213127.027faeb0@imap.ecs.soton.ac.uk> Message-ID: <002101c36059$8b600ef0$9c01a8c0@home.middlefinger.net> I just installed this and I'm getting: Aug 11 17:36:27 rh MailScanner[15246]: Spam Actions: message h7BMXsK14874 actions are striphtml,deliver Aug 11 17:36:27 rh cucipop[15293]: Opened tsuyuki's mailbox Aug 11 17:36:28 rh MailScanner[15246]: Virus and Content Scanning: Starting Aug 11 17:36:28 rh MailScanner[15246]: Never heard of scanner 'sophos'! Aug 11 17:36:28 rh MailScanner[15278]: New Batch: Scanning 7 messages, 397963 bytes Aug 11 17:36:28 rh MailScanner[15278]: Spam Checks: Starting Aug 11 17:36:28 rh MailScanner[15307]: MailScanner E-Mail Virus Scanner version 4.23-4 starting... Ideas? Mike -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Monday, August 11, 2003 3:39 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: ANNOUNCE: Beta 4.23-4 released Another update for you. Please let me know if it works for you or not. Download as usual from www.mailscanner.info. ChangeLog is - Improved handling of Allowed Sophos Error Messages. To allow more than 1 string, put each string in quotes and separate them with commas. For example Allowed Sophos Error Messages = "corrupt", "format not supported" - Added ZMailer support to RedHat init.d script. - All virus scanner package installation paths have been moved to virus.scanners.conf so they are not in any of the wrapper or autoupdate scripts. *NOTE*: If you are not using my "update_virus_scanners" global updater *NOTE*: script, but have written your own cron jobs, then you must add *NOTE*: the installation path to the autoupdate commands. To see the *NOTE*: default path, read virus.scanners.conf. *NOTE*: If you don't do this, your autoupdates may not work. - Added "Definite Spam Is High Scoring" configuration option so that spam that is blacklisted is treated using the "High Scoring Spam Actions". - Improved SuSE init.d script handles sendmail and Postfix. It will handle Exim once I can get it to build. I have also fixed the minor safe filename handling bug in CustomConfig.pm. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mike at CAMAROSS.NET Tue Aug 12 01:05:49 2003 
From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:19:17 2006 Subject: ANNOUNCE: Beta 4.23-4 released In-Reply-To: <002101c36059$8b600ef0$9c01a8c0@home.middlefinger.net> Message-ID: <002b01c36065$7d34edd0$9c01a8c0@home.middlefinger.net> It seems that setting Virus Scanners = None doesn't work either: Aug 11 18:55:59 rh MailScanner[398]: MailScanner E-Mail Virus Scanner version 4.23-4 starting... Aug 11 18:56:02 rh MailScanner[353]: New Batch: Found 62 messages waiting Aug 11 18:56:02 rh MailScanner[353]: New Batch: Scanning 2 messages, 250855 bytes Aug 11 18:56:02 rh MailScanner[353]: Spam Checks: Starting Aug 11 18:56:06 rh MailScanner[398]: Using locktype = flock Aug 11 18:56:09 rh MailScanner[437]: MailScanner E-Mail Virus Scanner version 4.23-4 starting... Aug 11 18:56:10 rh MailScanner[353]: Virus and Content Scanning: Starting Aug 11 18:56:10 rh MailScanner[353]: Never heard of scanner 'none'! Aug 11 18:56:11 rh MailScanner[398]: New Batch: Found 62 messages waiting Aug 11 18:56:11 rh MailScanner[398]: New Batch: Scanning 2 messages, 250855 bytes Aug 11 18:56:11 rh MailScanner[398]: Spam Checks: Starting Soooo...no mail gets delivered! Anyone have any ideas? Mike -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Mike Kercher Sent: Monday, August 11, 2003 5:40 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: ANNOUNCE: Beta 4.23-4 released I just installed this and I'm getting: Aug 11 17:36:27 rh MailScanner[15246]: Spam Actions: message h7BMXsK14874 actions are striphtml,deliver Aug 11 17:36:27 rh cucipop[15293]: Opened tsuyuki's mailbox Aug 11 17:36:28 rh MailScanner[15246]: Virus and Content Scanning: Starting Aug 11 17:36:28 rh MailScanner[15246]: Never heard of scanner 'sophos'! Aug 11 17:36:28 rh MailScanner[15278]: New Batch: Scanning 7 messages, 397963 bytes Aug 11 17:36:28 rh MailScanner[15278]: Spam Checks: Starting Aug 11 17:36:28 rh MailScanner[15307]: MailScanner E-Mail Virus Scanner version 4.23-4 starting... Ideas? Mike -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Monday, August 11, 2003 3:39 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: ANNOUNCE: Beta 4.23-4 released Another update for you. Please let me know if it works for you or not. Download as usual from www.mailscanner.info. ChangeLog is - Improved handling of Allowed Sophos Error Messages. To allow more than 1 string, put each string in quotes and separate them with commas. For example Allowed Sophos Error Messages = "corrupt", "format not supported" - Added ZMailer support to RedHat init.d script. - All virus scanner package installation paths have been moved to virus.scanners.conf so they are not in any of the wrapper or autoupdate scripts. *NOTE*: If you are not using my "update_virus_scanners" global updater *NOTE*: script, but have written your own cron jobs, then you must add *NOTE*: the installation path to the autoupdate commands. To see the *NOTE*: default path, read virus.scanners.conf. *NOTE*: If you don't do this, your autoupdates may not work. - Added "Definite Spam Is High Scoring" configuration option so that spam that is blacklisted is treated using the "High Scoring Spam Actions". - Improved SuSE init.d script handles sendmail and Postfix. It will handle Exim once I can get it to build. I have also fixed the minor safe filename handling bug in CustomConfig.pm. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Tue Aug 12 09:25:56 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:17 2006 Subject: ANNOUNCE: Beta 4.23-5 released In-Reply-To: <5.2.1.1.2.20030811213127.027faeb0@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030812092439.0406cbf0@imap.ecs.soton.ac.uk> Well, what can I say? Bit of a show-stopper in -4, so here is -5. The RAV handling is better too, would be grateful if someone with RAV could give it a thorough test. Download as usual from www.mailscanner.info. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Tue Aug 12 09:21:42 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:17 2006 Subject: Sophos and PDF revisited In-Reply-To: <002001c36057$50364120$9c01a8c0@home.middlefinger.net> References: <5.2.1.1.2.20030807210545.027aeea0@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030812092113.04256b70@imap.ecs.soton.ac.uk> At 23:24 11/08/2003, you wrote: >This may be a stupid question, but do I just save this text as a file and >then 'patch < filename.patch'? Yes. >AND...does this patch apply to 4.21-9? Patch will let you know if it succeeded or failed. It should work okay though. >Mike > > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf >Of Julian Field >Sent: Thursday, August 07, 2003 3:06 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Sophos and PDF revisited > > >Please try this patch to SweepViruses.pm. > >--- SweepViruses.pm 2003-08-05 21:42:19.000000000 +0100 >+++ SweepViruses.pm.new 2003-08-07 21:00:09.000000000 +0100 
>@@ -961,8 +961,13 @@ > # If the error is one of the allowed errors, then don't report any > # infections on this file. > if ($error ne "") { >+ # Treat their string as a list of words, any of which can match > my $errorlist = MailScanner::Config::Value('sophosallowederrors'); >- if ($errorlist && $errorlist =~ /$error/) { >+ $errorlist =~ s/\s+/ /g; >+ $errorlist =~ s/[^0-9A-Za-z ]/\\$&/g; >+ $errorlist =~ s/ /\|/g; >+ #if ($errorlist ne "" && $errorlist =~ /$error/) { >+ if ($errorlist ne "" && $error =~ /$errorlist/) { > MailScanner::Log::WarnLog("Ignored Sophos '%s' error", $error); > return 0; > } > >At 20:50 07/08/2003, you wrote: > >I am seeing the same thing: > > > >The following e-mail messages were found to have viruses in them: > > > > Sender: tlstauft@purvingertz.com > >IP Address: 207.34.112.53 > > Recipient: tracy.gallucci@williams.com, deb.bogoros@williams.com, > >miriam.mitchell-banks@williams.com > > Subject: RE: Stampede Follow-up > > MessageID: h77JYuj02622 > > Report: Could not check > >./h77JYuj02622/Williams0803.zip/C2375_R03_Report1.pdf (unexpected error > >[0x80040202]) > > > >Mike > > > > > >-----Original Message----- 
> >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > >Behalf Of Julian Field > >Sent: Thursday, August 07, 2003 2:11 PM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: Sophos and PDF revisited > > > > > >Can you put the troublesome PDF into a password-protected zip file and > >mail it to me please (off-list). I'm slightly at a loss as to why this > >option works sometimes (e.g. detecting corrupt files) but not in your > >case. I need to be able to reproduce the problem. > > > >At 18:55 07/08/2003, you wrote: > > >Julian Field wrote: > > > > > > > > And you are doing a "reload" of MailScanner after changing the > > > > MailScanner.conf file? > > > > > >Yes: > > > > > ># ps -ef | grep MailScanner > > > > > > root 6320 6315 1 10:10:25 ? 0:38 /usr/bin/perl > > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > > root 14404 6337 0 11:47:59 ? 0:00 /usr/bin/perl > > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > > root 6316 6315 1 10:10:14 ? 0:42 /usr/bin/perl > > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > > root 6333 6315 2 10:10:45 ? 0:41 /usr/bin/perl > > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > > root 6326 6315 0 10:10:35 ? 0:36 /usr/bin/perl > > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > > root 6337 6315 1 10:10:55 ? 0:37 /usr/bin/perl > > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > > root 6315 1 0 10:10:14 ? 0:00 /usr/bin/perl > > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > > > > ># sudo pkill MailScanner > > ># ps -ef | grep MailScanner > > > > > >(nothing) > > > > > ># sudo /opt/MailScanner/bin/check_mailscanner > > ># ps -ef | grep MailScanner > > > root 14577 14576 1 11:50:10 ? 0:00 /usr/bin/perl > > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > > root 14513 14483 6 11:49:38 ? 
0:04 /usr/bin/perl > > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > > root 14554 14483 8 11:49:58 ? 0:02 /usr/bin/perl > > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > > root 14576 14513 0 11:50:10 ? 0:00 /usr/bin/perl > > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > > root 14575 14528 2 11:50:09 ? 0:00 /usr/bin/perl > > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > > root 14528 14483 9 11:49:48 ? 0:04 /usr/bin/perl > > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > > root 14498 14483 3 11:49:28 ? 0:04 /usr/bin/perl > > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > > root 14483 1 0 11:49:17 ? 0:00 /usr/bin/perl > > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > > root 14484 14483 3 11:49:17 ? 0:05 /usr/bin/perl > > >-I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > > > > >Sent another test message and received the same error: > > > > > >Report: Could not check ./h77HpFbR014728/blah.pdf (unexpected error > > >[0x80040202]) > > > > > >Dustin > > > > > > > > > > > > > > > > > > > At 17:44 07/08/2003, you wrote: > > > > >Good Day, > > > > > > > > > >Setup: MS 4.22-5, Sendmail 8.12.9, SpamAssassin 2.55, current > > > > >version of Sophos > > > > > > > > > >I am receiving the following error messages on some PDFs that go > > > > >through > > > > >MailScanner: > > > > > > > > > > Report: Could not check ./h77FLfbR002021/blah.pdf > > > > > (unexpected > > > error > > > > >[0x80040202]) > > > > > > > > > >According to MailScanner.conf, "Anything on the next line that > > > > >appears in brackets at the end of a line of output from Sophos > > > > >will cause the error/infection to be ignored." > > > > > > > > > >I have added "0x80040202" to "Allowed Sophos Error Messages=" but > > > > >the quarantine still occurs. I have also tried adding > > > > >"unexpected error," with no luck. 
> > > > > > > > > >So, I decided to add "allow \.pdf$ - -" to filename.rules.conf, > > > > >but the quarantined still occurs. > > > > > > > > > >Any suggestions on what I could do to allow the PDFs with the > > > > >above error message? > > > > > > > > > >Thanks, > > > > > > > > > >Dustin > > > > >-- > > > > >Dustin Baer > > > > >Unix Administrator/Postmaster > > > > >Information Handling Services > > > > >15 Inverness Way East > > > > >Englewood, CO 80112 > > > > >303-397-2836 > > > > > > > > -- > > > > Julian Field > > > > www.MailScanner.info > > > > Professional Support Services at www.MailScanner.biz MailScanner > > > > thanks transtec Computers for their support > > > >-- > >Julian Field > >www.MailScanner.info > >Professional Support Services at www.MailScanner.biz MailScanner thanks > >transtec Computers for their support > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz MailScanner thanks >transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Tue Aug 12 09:19:54 2003 
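The SweepViruses.pm patch in this thread and the 4.23-4 ChangeLog describe a comma-separated, quoted list for Allowed Sophos Error Messages. The following is an added example of parsing that list and matching a Sophos error against it as whole phrases; it is an illustration written for this page, not MailScanner's SweepViruses.pm or Config code, and the function names, the sample option value and the sample error strings are constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not MailScanner's own code: parse the quoted, comma-separated
# "Allowed Sophos Error Messages" value described in the 4.23-4 ChangeLog and
# match a Sophos error against it as whole phrases rather than single words.
use strict;
use warnings;

# Turn   "corrupt", "format not supported"   into a list of literal phrases.
# Unquoted non-empty items are accepted as well. Empty items are dropped, so a
# stray comma or trailing whitespace can never become a match-anything entry.
sub parse_allowed_errors {
    my ($value) = @_;
    return () unless defined $value;
    my @phrases;
    while ($value =~ /"([^"]*)"|([^,"]+)/g) {
        my $item = defined $1 ? $1 : $2;
        $item =~ s/^\s+|\s+$//g;              # trim surrounding whitespace
        push @phrases, $item if length $item;
    }
    return @phrases;
}

# True if $error contains one of the allowed phrases. \Q...\E quotes the
# phrase, so characters such as '[' or '.' in a phrase are matched literally,
# and an unset option or empty error text fails closed (nothing is allowed).
sub error_is_allowed {
    my ($error, @phrases) = @_;
    return 0 unless defined $error && length $error;
    for my $phrase (@phrases) {
        return 1 if $error =~ /\Q$phrase\E/i;
    }
    return 0;
}

# Constructed sample values modelled on the messages in this thread.
my @allowed = parse_allowed_errors(q{"corrupt", "format not supported", 0x80040202 ,});
my @errors  = (
    'unexpected error [0x80040202]',   # allowed: the error code is listed
    'corrupt archive',                 # allowed: contains the phrase "corrupt"
    'not a valid file',                # reported: "not" alone is not an allowed phrase
);
for my $e (@errors) {
    printf "%-32s %s\n", $e, error_is_allowed($e, @allowed) ? 'ignored' : 'reported';
}
```

The design point is that an allow list for scanner errors is a hole in the scanner's fail-closed behaviour, so it should only ever widen by exactly the phrases the administrator typed: each phrase is matched whole and literally, empty items are discarded, and an undefined value yields no matches at all rather than a pattern that matches everything.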
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:19:18 2006 Subject: ANNOUNCE: Beta 4.23-4 released In-Reply-To: <002b01c36065$7d34edd0$9c01a8c0@home.middlefinger.net> References: <002101c36059$8b600ef0$9c01a8c0@home.middlefinger.net> Message-ID: <5.2.0.9.2.20030812091920.0402b858@imap.ecs.soton.ac.uk> Sorry about that. Bit of a show-stopper really! Guess that's why it's a beta :-) Have now fixed and will release -5 in a moment. At 01:05 12/08/2003, you wrote: >It seems that setting Virus Scanners = None doesn't work either: > >Aug 11 18:55:59 rh MailScanner[398]: MailScanner E-Mail Virus Scanner >version 4.23-4 starting... >Aug 11 18:56:02 rh MailScanner[353]: New Batch: Found 62 messages waiting >Aug 11 18:56:02 rh MailScanner[353]: New Batch: Scanning 2 messages, 250855 >bytes >Aug 11 18:56:02 rh MailScanner[353]: Spam Checks: Starting >Aug 11 18:56:06 rh MailScanner[398]: Using locktype = flock >Aug 11 18:56:09 rh MailScanner[437]: MailScanner E-Mail Virus Scanner >version 4.23-4 starting... >Aug 11 18:56:10 rh MailScanner[353]: Virus and Content Scanning: Starting >Aug 11 18:56:10 rh MailScanner[353]: Never heard of scanner 'none'! >Aug 11 18:56:11 rh MailScanner[398]: New Batch: Found 62 messages waiting >Aug 11 18:56:11 rh MailScanner[398]: New Batch: Scanning 2 messages, 250855 >bytes >Aug 11 18:56:11 rh MailScanner[398]: Spam Checks: Starting > >Soooo...no mail gets delivered! Anyone have any ideas? > >Mike > >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf >Of Mike Kercher >Sent: Monday, August 11, 2003 5:40 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: ANNOUNCE: Beta 4.23-4 released > > >I just installed this and I'm getting: > >Aug 11 17:36:27 rh MailScanner[15246]: Spam Actions: message h7BMXsK14874 >actions are striphtml,deliver >Aug 11 17:36:27 rh cucipop[15293]: Opened tsuyuki's mailbox >Aug 11 17:36:28 rh MailScanner[15246]: Virus and Content Scanning: Starting >Aug 11 17:36:28 rh MailScanner[15246]: Never heard of scanner 'sophos'! >Aug 11 17:36:28 rh MailScanner[15278]: New Batch: Scanning 7 messages, >397963 bytes >Aug 11 17:36:28 rh MailScanner[15278]: Spam Checks: Starting >Aug 11 17:36:28 rh MailScanner[15307]: MailScanner E-Mail Virus Scanner >version 4.23-4 starting... > >Ideas? > >Mike > > >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf >Of Julian Field >Sent: Monday, August 11, 2003 3:39 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: ANNOUNCE: Beta 4.23-4 released > > >Another update for you. Please let me know if it works for you or not. > >Download as usual from www.mailscanner.info. > >ChangeLog is >- Improved handling of Allowed Sophos Error Messages. To allow more than 1 > string, put each string in quotes and separate them with commas. For >example > Allowed Sophos Error Messages = "corrupt", "format not supported" >- Added ZMailer support to RedHat init.d script. >- All virus scanner package installation paths have been moved to > virus.scanners.conf so they are not in any of the wrapper or autoupdate > scripts. > *NOTE*: If you are not using my "update_virus_scanners" global updater > *NOTE*: script, but have written your own cron jobs, then you must add > *NOTE*: the installation path to the autoupdate commands. To see the > *NOTE*: default path, read virus.scanners.conf. > *NOTE*: If you don't do this, your autoupdates may not work. >- Added "Definite Spam Is High Scoring" configuration option so that spam > that is blacklisted is treated using the "High Scoring Spam Actions". >- Improved SuSE init.d script handles sendmail and Postfix. > It will handle Exim once I can get it to build. > >I have also fixed the minor safe filename handling bug in CustomConfig.pm. >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz MailScanner thanks >transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From slwatts at WINCKWORTHS.CO.UK Tue Aug 12 10:34:17 2003 
From: slwatts at WINCKWORTHS.CO.UK (Samuel Luxford-Watts)
Date: Thu Jan 12 21:19:18 2006
Subject: Slightly OT - Postdrop won't re-inject mail messages from quarantine
Message-ID:

Hi,

I know that this is more of a Postfix issue than a MailScanner one, but since this has come up before and since it's related to MailScanner......

I have been trying to use 'postdrop -c /etc/postfix < [message filename]' to re-inject a quarantined message into /var/spool/postfix/incoming (the outgoing message queue) but keep getting the following error:

Aug 12 09:49:10 mailscanner postfix/postdrop[26278]: fatal: uid=0: unexpected record type: 67

The mail file is a proper queue file, it's owned by postfix:postfix but it only has the owner rw flags set. If I also add the x flag and copy it to /var/spool/postfix/incoming/ Postfix sends it no problem at all.

Am I doing something wrong?

Cheers,
Sam
--------------
Winckworth Sherwood Solicitors and Parliamentary Agents DX 148400 WESTMINSTER 5 : 35 Great Peter Street, London SW1P 3LR Telephone 020 7593 5000 Fax 020 7593 5099 Do something amazing! The firm is supporting a charitable bike ride through Vietnam and needs your help. For further information please visit www.vietnambikeride.org -Confidentiality- This email message and any attachments are confidential; they may be subject to legal professional privilege and are intended for the named recipient only. If you are not the named recipient, please return the message and enclosures immediately and delete them from your system. -Caution- Before advice received only by email (whether by attachment or otherwise) may be relied on, the authenticity of the communication must be verified by means independent of email. -Regulation- The firm is regulated by the Law Society. -Partners- A list of partners is available for inspection at each office of the firm and on the firm's website at www.winckworths.co.uk

From Q.G.Campbell at NEWCASTLE.AC.UK Tue Aug 12 12:05:44 2003
From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell)
Date: Thu Jan 12 21:19:18 2006
Subject: How to deliberately skew Bayes self-learn in SA
Message-ID: <74BC2BBF06470148911E64E2B48FE1390BA62D@pinewood.ncl.ac.uk>

I am seeing an increasing number of spam messages of the form (shown between the "cut here" delimiters):

---------- cut here
evaluate sayings hopelessly pondering euphoria poop midmorn access braving barr expanded bomber positively experimenting accumulations exaltation scriptural actuated tear scientist messiah hungrily acrylate temptation bolshevism exposure amoco meaningful tells bookmobile adrift how seashores scramble crewman mercantile addis berlitz countermeasures brambly brainchildren terry alicia aventine adopt scum tarpaulin evolutions hydrangea hunger iceland portable actuarially hubbub televisions satires satires thanked melodramatic posters braggart imagining bookstores seagull housebroken creeks coruscate teammate boss hunters medical exchequers savoy metric maximized playgrounds mending actinometer bethlehem hourglass adolph searchingly telephoned [ra.gif] merganser boson bobbed memory hosted adducing bordellos credited body experimenter expectant mentioners experienced teleprompter horse ali sank adhesives tangled tame scrim bratwurst bogota plunger horseplay amerada mediums teaches taproot creased tenements hosiery scraped scat excretion maximizes hydrant acolytes mate mathematical evict boost plumped allyn action baltic tanh tensing acoustics examines exit bract crochets polishing screeched exclusiveness etude porphyry exhales bessie hydrofluoric creaming albany actualization ar creativity scales antoine cranny saver midstream crawl cows hyperboloidal however belfast accountably excommunicating hydrophobic tetravalent terrains scurried playwrights
---------- cut here

Presumably the blocks of valid words are meant to hide from SA the presence of the "real" content which is just a single image file.
By itself SA would probably score this highly.

I have a question and an observation on this sort of spam.

QUESTION: How do you formulate a rule to tackle such messages? Analysis of sentence structure? Counting conjunctions and articles in a block of words - if not enough then treat as spam?

OBSERVATION: Simply feeding these sorts of messages by hand into "sa-learn" is likely to eventually train SA to recognise many of these innocuous words as being indicative of spam. This suggests that it is possible for a spammer to deliberately skew the Bayes mechanism. For example a persistent spammer could create messages which score well over 25 but which *also* contain a number of words that are normally found only in non-spam messages. If a sufficient volume of these messages is received at a site then it seems that the Bayes self-learn mechanism can be subverted to begin rejecting non-spam messages that contain these (innocent) words.

Any comments?

Quentin
---
PHONE: +44 191 222 8209 Computing Service, University of Newcastle
FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinion expressed above is mine. The University can get its own."

From chris at TRUDEAU.ORG Tue Aug 12 12:20:59 2003
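As an added illustration of the kind of rule Quentin's question sketches (counting articles and conjunctions in a block of words), and not code from the post or from SpamAssassin: the script below measures the share of closed-class "function words" in a text block. The function-word list, the thresholds, the function names and the second sample sentence are assumptions made for this example; the first sample is the opening block of the word salad quoted in the post.

```perl
#!/usr/bin/perl
# Added example, not part of the list post or of SpamAssassin: a crude
# function-word density check. Natural English prose is full of articles,
# conjunctions, prepositions and pronouns; a dictionary dump like the one
# quoted in the post has almost none of them.
use strict;
use warnings;

# Closed-class vocabulary. The list is an assumption made for illustration.
my %FUNCTION_WORD = map { $_ => 1 } qw(
    a an the and or but nor so yet for of to in on at by with from as if
    is are was were be been it this that we you i he she they our your not will
);

# Returns (ratio_of_function_words, total_word_count) for a text block.
sub function_word_ratio {
    my ($text) = @_;
    my @words = (lc $text) =~ /[a-z']+/g;
    return (0, 0) unless @words;
    my $hits = grep { $FUNCTION_WORD{$_} } @words;
    return ($hits / @words, scalar @words);
}

# Flag a block that is long enough to be prose yet has almost no function
# words. Thresholds are illustrative assumptions, to be tuned on real mail.
sub looks_like_word_salad {
    my ($text, $min_words, $max_ratio) = @_;
    $min_words = 40   unless defined $min_words;
    $max_ratio = 0.08 unless defined $max_ratio;
    my ($ratio, $n) = function_word_ratio($text);
    return ($n >= $min_words && $ratio < $max_ratio) ? 1 : 0;
}

# Sample 1: the opening block of the word salad quoted in the post.
my $salad = <<'END';
evaluate sayings hopelessly pondering euphoria poop midmorn access braving
barr expanded bomber positively experimenting accumulations exaltation
scriptural actuated tear scientist messiah hungrily acrylate temptation
bolshevism exposure amoco meaningful tells bookmobile adrift how seashores
scramble crewman mercantile addis berlitz countermeasures brambly
brainchildren terry alicia aventine adopt scum tarpaulin evolutions
hydrangea hunger iceland portable actuarially hubbub televisions satires
satires thanked melodramatic posters braggart imagining bookstores seagull
housebroken creeks coruscate teammate boss hunters medical exchequers savoy
metric maximized playgrounds mending
END

# Sample 2: a constructed ordinary business sentence.
my $prose = "Thanks for the report. We will look at the attached PDF and "
          . "send you an updated version of the document by the end of the week.";

for my $sample ([salad => $salad], [prose => $prose]) {
    my ($label, $text) = @$sample;
    my ($ratio, $n) = function_word_ratio($text);
    printf "%-6s words=%3d function-word ratio=%.2f -> %s\n",
        $label, $n, $ratio, looks_like_word_salad($text) ? 'WORD SALAD' : 'ok';
}
```

The quoted block contains no function words at all, while the short business sentence is more than half function words, which is the separation the rule relies on. In a SpamAssassin deployment a check like this belongs in an eval rule or plugin that contributes a score alongside rules such as HTML_IMAGE_ONLY_02, not as a verdict on its own: legitimate mail can also be long lists of bare words (names, part numbers, keyword lists, non-English text), so the threshold needs tuning against real ham. It also bears on the observation in the post: scoring these messages with a rule, rather than feeding them to sa-learn, keeps their dictionary words out of the Bayes database.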
From: chris at TRUDEAU.ORG (Chris Trudeau)
Date: Thu Jan 12 21:19:18 2006
Subject: How to deliberately skew Bayes self-learn in SA
References: <74BC2BBF06470148911E64E2B48FE1390BA62D@pinewood.ncl.ac.uk>
Message-ID: <007601c360c3$ce88b1e0$5702010a@mscore.trusecure.net>

I would avoid learning these messages into the bayes db. I would craft
SA rules that handle this... I would throttle UP the SA score for the
HTML_IMAGE_ONLY_02 with BAYES:

Perhaps:

HTML_IMAGE_ONLY_02 3.50 2.76 2.54 1.97

I guess it depends on what the message scored in your system, see what
other SA rules were triggered and throttle them as needed. Remember
changing these rules could affect other combinations.

In my business operations, anyone who is going to send me an image
embedded in an HTML document and include less than 200 words, there is
a high likelihood that the email is not business related anyway :)

CT

----- Original Message -----
From: "Quentin Campbell"
To:
Sent: Tuesday, August 12, 2003 7:05 AM
Subject: How to deliberately skew Bayes self-learn in SA

[...]

From chris at TRUDEAU.ORG Tue Aug 12 12:26:44 2003
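The skew Quentin describes, and the "count the conjunctions and articles" test he asks about, as an added illustration that is not part of any message in this thread and is not SpamAssassin's Bayes code: a toy Graham-style token scorer (the per-token formula from "A Plan for Spam": ham counts doubled, rare tokens neutral at 0.4, probabilities clamped to 0.01..0.99, naive-Bayes combination) trained on a constructed corpus. Run once with the word-salad spam learned as spam, the five ordinary business words it smuggles in drift from 0.01 to about 0.65 and a short legitimate note made of those words classifies as spam; run again with word-salad messages kept out of training, as Chris Trudeau suggests, and the same note stays ham. The function-word list, the 0.05 threshold and all corpus text are assumptions for the illustration.

```python
"""Added example (not from the thread, not SpamAssassin code): toy
Bayesian token scorer showing how word-salad spam that carries innocent
words poisons training, and a function-word ratio that keeps it out."""
import re
from collections import Counter

# Assumed list of articles/conjunctions/prepositions for the salad test.
FUNCTION_WORDS = {"the", "a", "an", "and", "or", "of", "to", "in", "for",
                  "on", "is", "it", "that", "with", "as", "be", "this"}


def words(text):
    return re.findall(r"[a-z]+", text.lower())


def function_word_ratio(text):
    """Share of tokens that are function words: natural prose has plenty,
    a dictionary word list has almost none."""
    w = words(text)
    return sum(t in FUNCTION_WORDS for t in w) / len(w) if w else 0.0


def looks_like_word_salad(text, threshold=0.05):
    # 0.05 is an assumed cut-off for this illustration, not an SA setting.
    return function_word_ratio(text) < threshold


class ToyBayes:
    """Per-token spam probabilities as in Paul Graham's 'A Plan for Spam'."""

    def __init__(self):
        self.ham, self.spam = Counter(), Counter()
        self.nham = self.nspam = 0

    def learn(self, text, is_spam):
        toks = set(words(text))          # one count per message, as Graham does
        if is_spam:
            self.spam.update(toks)
            self.nspam += 1
        else:
            self.ham.update(toks)
            self.nham += 1

    def token_prob(self, tok):
        g, b = 2 * self.ham[tok], self.spam[tok]   # ham weighted double
        if g + b < 5:
            return 0.4                             # too rare: near-neutral
        good = g / self.nham if self.nham else 0.0
        bad = b / self.nspam if self.nspam else 0.0
        return min(0.99, max(0.01, bad / (good + bad)))

    def classify(self, text):
        p_spam = p_ham = 1.0
        for tok in set(words(text)):
            p = self.token_prob(tok)
            p_spam *= p
            p_ham *= 1 - p
        return p_spam / (p_spam + p_ham)


# Constructed corpora: 20 ham notes each carrying one of five topic words,
# 20 ordinary spams, and 60 word-salad spams that smuggle all five topic
# words in (the deliberate skew Quentin describes).
TOPICS = ["invoice", "meeting", "report", "budget", "schedule"]
HAM = ["please review the attached file and let me know " + TOPICS[i % 5]
       for i in range(20)]
SPAM = ["click here now for the cheapest mortgage refinance offer"] * 20
SALAD = ("evaluate sayings hopelessly pondering euphoria midmorn access "
         "braving expanded bomber positively experimenting accumulations "
         "exaltation scriptural actuated")            # excerpt of the sample above
POISON = ["click here now cheapest mortgage refinance " + " ".join(TOPICS)
          + " " + SALAD] * 60
SHORT_HAM = "invoice budget report meeting schedule"   # a terse legitimate note


def train(keep_salad_out):
    """Train the toy filter; optionally refuse to learn word-salad messages
    (leave those to static rules instead of Bayes)."""
    model = ToyBayes()
    for m in HAM:
        model.learn(m, False)
    for m in SPAM + POISON:
        if keep_salad_out and looks_like_word_salad(m):
            continue
        model.learn(m, True)
    return model


if __name__ == "__main__":
    for guarded in (False, True):
        m = train(guarded)
        print(f"salad kept out of training={guarded}: "
              f"P(invoice is spammy)={m.token_prob('invoice'):.3f}, "
              f"P(spam|{SHORT_HAM!r})={m.classify(SHORT_HAM):.3f}")
```

Graham's doubling of ham counts means a word present in every ham message can never be pushed past about 0.33 by this trick; the words that move are the ones that appear in a moderate share of ham, which is exactly the vocabulary a short, routine internal note is made of.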
From: chris at TRUDEAU.ORG (Chris Trudeau)
Date: Thu Jan 12 21:19:18 2006
Subject: Slightly OT - Postdrop wont re-inject mailmessages from quarantin e
References:
Message-ID: <007d01c360c4$9c822fe0$5702010a@mscore.trusecure.net>

Sam

I wrestled with this for a while. I finally set:

# When you quarantine an entire message, do you want to store it as
# raw mail queue files (so you can easily send them onto users) or
# as human-readable files (header then body in 1 file)?
Quarantine Whole Messages As Queue Files = no

so that quarantine messages are maintained in mbox format....then you
can easily use the postfix "sendmail" which essentially calls postdrop
and allow it to forward original message:

[root@BLAH]# sendmail < /var/spool/quarantine/9DA7F1C012

This will take the queue file and allow postfix to re-inject into the
dataflow of message processing...

That's how I got it to work.

CT

----- Original Message -----
From: "Samuel Luxford-Watts"
To:
Sent: Tuesday, August 12, 2003 5:34 AM
Subject: Slightly OT - Postdrop wont re-inject mailmessages from quarantin e

> Hi,
>
> I know that this is more of a postfix issue than a mailscanner one but since
> this has come up before and since it's related to MailScanner......
>
> I have been trying to use 'postdrop -c /etc/postfix < [message filename]' to
> re-inject a quarantined message into /var/spool/postfix/incoming (the
> outgoing message queue) but keep getting the following error:
>
> Aug 12 09:49:10 mailscanner postfix/postdrop[26278]: fatal: uid=0:
> unexpected record type: 67
>
> The mail file is a proper queue file, it's owned by postfix:postfix but it
> only has owner rw flags set. If I also add x flag and copy it to
> /var/spool/postfix/incoming/ postfix sends it no problem at
> all. Am I doing something wrong?
>
> Cheers,
>
> Sam
>
> --------------
> Winckworth Sherwood Solicitors and Parliamentary Agents
> DX 148400 WESTMINSTER 5 : 35 Great Peter Street, London SW1P 3LR
> Telephone 020 7593 5000 Fax 020 7593 5099
>
> Do something amazing!
> The firm is supporting a charitable bike ride through Vietnam and needs
> your help. For further information please visit www.vietnambikeride.org
>
> -Confidentiality-
> This email message and any attachments are confidential; they may be
> subject to legal professional privilege and are intended for the named
> recipient only. If you are not the named recipient, please return the
> message and enclosures immediately and delete them from your system.
>
> -Caution-
> Before advice received only by email (whether by attachment or otherwise)
> may be relied on, the authenticity of the communication must be verified
> by means independent of email.
>
> -Regulation-
> The firm is regulated by the Law Society.
>
> -Partners-
> A list of partners is available for inspection at each office of the firm
> and on the firm's website at www.winckworths.co.uk

From christopher.albert at MCGILL.CA Tue Aug 12 12:36:06 2003
From: christopher.albert at MCGILL.CA (chris albert)
Date: Thu Jan 12 21:19:18 2006
Subject: How to deliberately skew Bayes self-learn in SA
In-Reply-To: <74BC2BBF06470148911E64E2B48FE1390BA62D@pinewood.ncl.ac.uk>
References: <74BC2BBF06470148911E64E2B48FE1390BA62D@pinewood.ncl.ac.uk>
Message-ID: <3F38D126.8050007@mcgill.ca>

Quentin Campbell wrote:

> This suggests that it is possible for a spammer to deliberately skew the
> Bayes mechanism.
>
> For example a persistent spammer could create messages which score well
> over 25 but which *also* contain a number of words that are normally
> found only in non-spam messages. If sufficient volume of these messages
> are received at a site then it seems that the Bayes self-learn mechanism
> can be subverted to begin rejecting non-spam messages that contain these
> (innocent) words.
>
> Any comments?

Paul Graham discusses this in a recent article:

http://www.paulgraham.com/ffb.html

Chris

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Aug 12 13:28:52 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:19:18 2006
Subject: New FreeBSD ports
Message-ID:

The stable port is submitted to the tree!

> -----Original Message-----
> From: Jan-Peter Koopmann [mailto:Jan-Peter.Koopmann@SECEIDOS.DE]
> Sent: Monday, August 11, 2003 6:11 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: New FreeBSD ports
>
> Hi,
>
> I just submitted an update for mailscanner 4.22-5 to the
> FreeBSD ports tree. You can download the port at
>
> http://www.seceidos.de/downloads/freebsd/ports/mailscanner-4.22.5.tgz
>
> as well. The most current beta is available as
>
> http://www.seceidos.de/downloads/freebsd/ports/mailscanner-4.23.2.tgz
>
> Regards,
> JP

From slwatts at WINCKWORTHS.CO.UK Tue Aug 12 14:41:08 2003
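Chris's re-injection command and Sam's postdrop error, as an added example that is not from the thread and is not MailScanner or Postfix code: a small Python helper that tells a raw Postfix queue file (what "Quarantine Whole Messages As Queue Files = yes" stores) apart from a header-then-body text copy before building a sendmail(1) command line, and that always passes recipients explicitly rather than relying on a bare "sendmail < file". The first-byte check rests on Postfix's rec_type.h, where 'C' (decimal 67, the value in Sam's error) is the size record that cleanup writes at the head of a finished queue file; the sendmail path, the address regex and both sample files are constructed for the illustration.

```python
"""Added example (not from the thread; not MailScanner or Postfix code):
decide how a quarantined message can be handed back to Postfix."""
import re

# Postfix queue files are a stream of records: one type byte, a length,
# then data.  'C' (decimal 67) is REC_TYPE_SIZE in Postfix's rec_type.h,
# the record cleanup(8) writes first; postdrop does not expect it, which
# is the "unexpected record type: 67" seen above.
QUEUE_FILE_FIRST_BYTE = b"C"

# A text copy of a message starts with a header field name and a colon.
HEADER_FIELD = re.compile(rb"^[!-9;-~]+:")
ADDRESS = re.compile(r"[\w.+-]+@[\w.-]+")          # assumed, deliberately loose


def classify_quarantine_file(data: bytes) -> str:
    """'text' for a header-first message, 'queue' for a Postfix queue
    file, 'unknown' for anything else."""
    if HEADER_FIELD.match(data):
        return "text"
    if data[:1] == QUEUE_FILE_FIRST_BYTE:
        return "queue"
    return "unknown"


def header_recipients(data: bytes) -> list:
    """Addresses from the To: and Cc: headers (what 'sendmail -t' uses).
    These are header recipients only; the original envelope recipients
    (Bcc, expanded lists) live in the queue file, not in the text copy."""
    head = data.split(b"\n\n", 1)[0].decode("ascii", "replace")
    head = re.sub(r"\n[ \t]+", " ", head)           # unfold continuation lines
    rcpts = []
    for line in head.split("\n"):
        name, _, value = line.partition(":")
        if name.lower() in ("to", "cc"):
            rcpts.extend(ADDRESS.findall(value))
    return rcpts


def reinject_command(data: bytes, sendmail: str = "/usr/sbin/sendmail") -> list:
    """Command line to hand a text quarantine copy back to Postfix via
    sendmail(1).  Refuses a raw queue file, which sendmail would read as
    message text.  Recipients go on the command line: with neither
    arguments nor -t Postfix has no envelope recipients, matching the
    'No recipients specified' NDR quoted in the thread."""
    kind = classify_quarantine_file(data)
    if kind != "text":
        raise ValueError(f"{kind}: not a header-then-body message")
    rcpts = header_recipients(data)
    if not rcpts:
        raise ValueError("no To:/Cc: addresses; pass recipients explicitly")
    # -i: a line holding a single '.' must not end the message early
    return [sendmail, "-i", *rcpts]


# Constructed samples (not real quarantine contents).
TEXT_COPY = (b"Received: from mx.example.invalid (localhost [127.0.0.1])\n"
             b"From: sender@example.invalid\n"
             b"To: alice@example.invalid,\n"
             b"    bob@example.invalid\n"
             b"Subject: released from quarantine\n"
             b"\n"
             b"body text\n")
QUEUE_COPY = b"C" + bytes([4]) + b"1234" + b"T" + bytes([10]) + b"1060700000"

if __name__ == "__main__":
    for label, sample in (("text copy", TEXT_COPY), ("queue file", QUEUE_COPY)):
        print(label, "->", classify_quarantine_file(sample))
    print(" ".join(reinject_command(TEXT_COPY)))
```

To actually release a message, run the returned command with the file's bytes on stdin (for example with subprocess.run(cmd, input=data)); a raw queue file is better copied back into the incoming queue with the right ownership and mode, as Sam found, than piped through postdrop.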
From: slwatts at WINCKWORTHS.CO.UK (Samuel Luxford-Watts)
Date: Thu Jan 12 21:19:18 2006
Subject: Slightly OT - Postdrop wont re-inject mailmessages from quara ntin e
Message-ID:

I have set Quarantine Whole Messages As Queue Files = YES and yes
MailScanner has been restarted a few times now since this change.

I have just tried using

sendmail < /var/spool/MailScanner/quarantine/20030811/329F7891/329F7891

and it appears to work in that it runs! - however I get a non-delivery
report sent to root saying that recipients unknown... I have included
the whole report at the end of this message.

I am using postfix 2.0.13 and MS 4.22-5

Sam

Delivery failed report:

Reporting-MTA: dns; mailscanner.winckworthsherwood.com
Arrival-Date: Tue, 12 Aug 2003 14:30:47 +0100 (BST)

Final-Recipient: rfc822; unknown
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; No recipients specified

-----Original Message-----
From: Chris Trudeau [mailto:chris@TRUDEAU.ORG]
Sent: 12 August 2003 12:27
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Slightly OT - Postdrop wont re-inject mailmessages from quarantin e

[...]

From mike at CAMAROSS.NET Tue Aug 12 15:21:17 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:19:18 2006
Subject: ANNOUNCE: Beta 4.23-5 released
In-Reply-To: <5.2.0.9.2.20030812092439.0406cbf0@imap.ecs.soton.ac.uk>
Message-ID: <006f01c360dc$fe78ff40$9c01a8c0@home.middlefinger.net>

I'll give this one a shot later. I ended up having to downgrade back to
4.22-5 to get the scanning back.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field
Sent: Tuesday, August 12, 2003 3:26 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: ANNOUNCE: Beta 4.23-5 released

Well, what can I say? Bit of a show-stopper in -4, so here is -5.

The RAV handling is better too, would be grateful if someone with RAV
could give it a thorough test.

Download as usual from www.mailscanner.info.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From tyler at BELOIT.EDU Tue Aug 12 15:55:44 2003
From: tyler at BELOIT.EDU (Tim Tyler)
Date: Thu Jan 12 21:19:18 2006
Subject: false positive?
Message-ID: <5.2.0.9.0.20030812094707.018e25f8@beloit.edu>

mailscanner experts,

We are running 4.x version of mailscanner with spamassassin which we
updated last month. We have been running it for nearly 3 weeks now and
I got my first report of a false positive. A professor received a
legitimate message with a score of 6.4. The relevant headers are below:

>> X-MailScanner: Found to be clean
>> X-MailScanner-SpamCheck: spam, SpamAssassin (score=6.4, required 5,
>> MIME_BOUND_NEXTPART 0.16, RCVD_FAKE_HELO_DOTCOM 3.43,
>> RCVD_FAKE_HELO_DOTCOM_2 2.80)
>> X-MailScanner-SpamScore: ssssss

The bulk of the score relates to rcvd_fake_helo_dotcom. Can anyone tell
me what that means and why it might occur on a legitimate message? I
believe the message was sent from a service in Morocco for whatever
that is worth.

Tim Tyler
Network Engineer - Beloit College
tyler@beloit.edu

From mbowman at UDCOM.COM Tue Aug 12 16:00:35 2003
From: mbowman at UDCOM.COM (Matthew Bowman)
Date: Thu Jan 12 21:19:18 2006
Subject: tag rulesets
Message-ID:

Hi

Can someone confirm the ruleset for the tags - Is it

Spam Subject Text = /etc/MailScanner/rules/spam.tags.rules

FromOrTo: udcom.com {SPAM FILTERED}
FromOrTo: default {SPAM?}

Thanks

Matthew

From mikea at MIKEA.ATH.CX Tue Aug 12 16:16:19 2003
From: mikea at MIKEA.ATH.CX (mikea)
Date: Thu Jan 12 21:19:18 2006
Subject: false positive?
In-Reply-To: <5.2.0.9.0.20030812094707.018e25f8@beloit.edu>; from tyler@BELOIT.EDU on Tue, Aug 12, 2003 at 09:55:44AM -0500
References: <5.2.0.9.0.20030812094707.018e25f8@beloit.edu>
Message-ID: <20030812101619.A69259@mikea.ath.cx>

On Tue, Aug 12, 2003 at 09:55:44AM -0500, Tim Tyler wrote:
> mailscanner experts,
> We are running 4.x version of mailscanner with spamassassin which we
> updated last month. We have been running it for nearly 3 weeks now and I
> got my first report of a false positive. A professor received a legitimate
> message with a score of 6.4. The relevant headers are below:
>
> >> X-MailScanner: Found to be clean
> >> X-MailScanner-SpamCheck: spam, SpamAssassin (score=6.4, required 5,
> >> MIME_BOUND_NEXTPART 0.16, RCVD_FAKE_HELO_DOTCOM 3.43,
> >> RCVD_FAKE_HELO_DOTCOM_2 2.80)
> >> X-MailScanner-SpamScore: ssssss
>
> The bulk of the score relates to rcvd_fake_helo_dotcom. Can anyone tell
> me what that means and why it might occur on a legitimate message? I
> believe the message was sent from a service in Morocco for whatever that is
> worth.

[folded to 72 characters max]

header RCVD_FAKE_HELO_DOTCOM Received =~ /^from (?:msn|yahoo|
yourwebsite|lycos|excite|cs|aol|localhost|koreanmail|allexecs|
mydomain|juno|eudoramail|compuserve|desertmail|excite|caramail)
\.com \(/m
describe RCVD_FAKE_HELO_DOTCOM Received contains a faked HELO hostname

This rule triggers on data like "msn.com" or "cs.com" followed by a
left parenthesis. I suppose that this rule is designed to catch spam
with a "Received:" header falsely claiming to be from one of those
ISPs, and that none of them ever appears as a bare .com for in the
rule above, but rather as ..com.

I've seen it trigger falsely a few times, but not a whole lot.

--
Mike Andrews
mikea@mikea.ath.cx
Tired old sysadmin since 1964

From Kevin_Miller at CI.JUNEAU.AK.US Tue Aug 12 17:41:01 2003
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller)
Date: Thu Jan 12 21:19:18 2006
Subject: Found dangerous Object Codebase tag...
Message-ID: <08146035CA49D6119A36009027AC822A0264E695@CITY-EXCH-NTS>

Can someone please tell me what an object codebase tag is and why
they're dangerous? I get reports like the following pretty regularly;
most are probably spam, but I think this one is legitimate. Dreadfully
boring IMHO, but legitimate.

I can whitelist this one, but would be chuffed to know what's actually
going on here.

------------------------------------------------------------------------
The following e-mail messages were found to have viruses in them:

Sender: calandrastockwatch-html-return-18-bosco_beancounter=ci.juneau.ak.us@mail2.marketwatchmail.com
IP Address: 63.240.173.124
Recipient: bosco_beancounter@ci.juneau.ak.us
Subject: Thom Calandra's StockWatch: Miners rush to finance ventures as bullion gains steam
MessageID: h7BGiwJ7001861
Report: Found dangerous Object Codebase tag in HTML message
------------------------------------------------------------------------

TIA...

...Kevin
-------------------
Kevin Miller                  Registered Linux User No: 307357
CBJ MIS Dept.                 Network Systems Administrator, Mail Administrator
155 South Seward Street       ph: (907) 586-0242
Juneau, Alaska 99801          fax: (907) 586-4500

From lists at STHOMAS.NET Tue Aug 12 17:56:10 2003
From: lists at STHOMAS.NET (Steve Thomas)
Date: Thu Jan 12 21:19:18 2006
Subject: false positive?
In-Reply-To: <20030812101619.A69259@mikea.ath.cx>; from mikea@MIKEA.ATH.CX on Tue, Aug 12, 2003 at 10:16:19AM -0500
References: <5.2.0.9.0.20030812094707.018e25f8@beloit.edu> <20030812101619.A69259@mikea.ath.cx>
Message-ID: <20030812095610.B18104@sthomas.net>

On Tue, Aug 12, 2003 at 10:16:19AM -0500, mikea is rumored to have said:
>
> This rule triggers on data like "msn.com" or "cs.com" followed by a
> left parenthesis. I suppose that this rule is designed to catch spam
> with a "Received:" header falsely claiming to be from one of those
> ISPs, and that none of them ever appears as a bare .com for
> in the rule above, but rather as ..com.
>
> I've seen it trigger falsely a few times, but not a whole lot.

I have an account @lycos.com which forwards to my regular e-mail. Every
message that gets forwarded hits on this rule, which pushes most
non-spam messages over the edge. I guess I'll go open a bugzilla report
on it...

--
"Manuscript: something submitted in haste and returned at leisure."
- Oliver Herford (1863-1935)

From TGFurnish at HERFF-JONES.COM Tue Aug 12 18:08:36 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:18 2006
Subject: Found dangerous Object Codebase tag...
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C0770@inex1.herffjones.hj-int>

An HTML tag that causes a browser to load programming code when the
page is viewed. Some mail filtering systems "defang" such tags by
changing them to something safe, which usually leaves the rest of the
message completely readable, but I don't think (and will hopefully be
corrected if I'm wrong) that MS yet can be made to do that.

Actually, are there any plans (or does anyone have a suggestion for the
best way to) allow using such "defanging" functionality in MS? In a
past life I used a procmail script
(http://www.impsec.org/email-tools/procmail-security.html) that would
prepend DEFANGED to the start of tags considered dangerous. It was nice
functionality, even if only for all the anger it engendered in the web
dev department. :-)

-t.

> -----Original Message-----
> From: Kevin Miller [mailto:Kevin_Miller@CI.JUNEAU.AK.US]
> Sent: Tuesday, August 12, 2003 11:41 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Found dangerous Object Codebase tag...
>
> [...]

From Kevin_Miller at CI.JUNEAU.AK.US Tue Aug 12 18:17:02 2003
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller)
Date: Thu Jan 12 21:19:18 2006
Subject: Found dangerous Object Codebase tag...
Message-ID: <08146035CA49D6119A36009027AC822A0264E697@CITY-EXCH-NTS>

Can you give an example? Would java or JavaScript count? Is this
typically tracking mechanisms, with some malevolency thrown in by the
odd miscreant?

Also, if I change MS to strip out the code, do html messages come in
butt-ugly or are they still pretty much intact and functional?

As always, much appreciated...

...Kevin
-------------------
Kevin Miller                  Registered Linux User No: 307357
CBJ MIS Dept.                 Network Systems Administrator, Mail Administrator
155 South Seward Street       ph: (907) 586-0242
Juneau, Alaska 99801          fax: (907) 586-4500

>-----Original Message-----
>From: Furnish, Trever G [mailto:TGFurnish@HERFF-JONES.COM]
>Sent: Tuesday, August 12, 2003 9:09 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Found dangerous Object Codebase tag...
>
> [...]

From TGFurnish at HERFF-JONES.COM Tue Aug 12 19:38:31 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:18 2006
Subject: Found dangerous Object Codebase tag...
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C0772@inex1.herffjones.hj-int>

I'm *sure* others on this list are more qualified to answer that
question than I, but here's some background info:

http://www.w3.org/TR/REC-html40/struct/objects.html

...and it looks like you can specify an object of any mime type. The
codebase attribute seems analogous to the html tag "baseref" - ie it
just sets the parent path for use with relative urls - so it doesn't
seem to necessarily imply that the object being loaded is actual code
(for instance a jpg could also have a codebase attribute, though that
seems an unlikely usage).

Java counts, not sure about javascript. You can also have code loaded
by an object tag without the codebase attribute though, so this
doesn't really protect against loading Java... Perhaps the motivation
for treating object tags with codebase attributes specially is a
result of a specific bug, rather than just the general idea of using
the object tag as I implied earlier.

Fyi, the code that handles this is in the SweepContent.pm module.

HTH,
Trever

> -----Original Message-----
> From: Kevin Miller [mailto:Kevin_Miller@CI.JUNEAU.AK.US]
> Sent: Tuesday, August 12, 2003 12:17 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Found dangerous Object Codebase tag...
>
> [...]

From mkettler at EVI-INC.COM Tue Aug 12 20:06:11 2003
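Trever's description of the tag and of the procmail sanitizer's DEFANGED prefix, as an added example that is not from the thread and is not MailScanner's SweepContent.pm: a Python detector for <object> tags that carry a codebase attribute (the narrow condition the report name describes, whatever the tag's case, quoting or line-wrapping), plus a defanger that renames only those opening tags so the rest of the HTML stays intact, which answers Kevin's question about messages arriving "butt-ugly". The DEFANGED_ prefix follows the sanitizer convention as described above; the sample newsletter HTML is constructed.

```python
"""Added example (not from the thread; not MailScanner code): find and
defang <object> tags that carry a codebase attribute in an HTML body."""
import re

# An opening <object ...> tag; re.S lets attributes span lines.
OBJECT_TAG = re.compile(r"<\s*object\b[^>]*>", re.I | re.S)
# codebase="..."  codebase='...'  codebase=bare-value
CODEBASE_ATTR = re.compile(
    r"""\bcodebase\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)


def find_object_codebase(html):
    """Return (tag_text, codebase_value) for every <object> tag with a
    codebase attribute.  Tags without one are left alone, mirroring the
    narrow check the report name describes (not a full object-tag policy)."""
    hits = []
    for m in OBJECT_TAG.finditer(html):
        attr = CODEBASE_ATTR.search(m.group(0))
        if attr:
            value = next(g for g in attr.groups() if g is not None)
            hits.append((m.group(0), value))
    return hits


def defang_object_codebase(html, prefix="DEFANGED_"):
    """Rename matching opening tags (<OBJECT ...> -> <DEFANGED_OBJECT ...>)
    so the mail client no longer recognises them; everything else in the
    message, including the author's own casing, is untouched.
    Returns (new_html, number_of_tags_renamed)."""
    count = 0

    def rename(m):
        nonlocal count
        tag = m.group(0)
        if not CODEBASE_ATTR.search(tag):
            return tag
        count += 1
        return re.sub(r"^<\s*", "<" + prefix, tag, count=1)

    return OBJECT_TAG.sub(rename, html), count


# Constructed sample: a newsletter with one plain image object (kept) and
# two objects carrying a codebase attribute in different spellings.
SAMPLE = """<html><body>
<p>Miners rush to finance ventures as bullion gains steam</p>
<OBJECT codebase='http://cdn.example.invalid/plugins/' data="chart.swf" width=1 height=1></OBJECT>
<object data="photo.jpg" type="image/jpeg"></object>
<object
  CODEBASE=http://cdn.example.invalid/
  data="x"></object>
</body></html>"""

if __name__ == "__main__":
    for tag, base in find_object_codebase(SAMPLE):
        print("codebase:", base, "in", " ".join(tag.split()))
    cleaned, n = defang_object_codebase(SAMPLE)
    print(n, "tag(s) defanged")
    print(cleaned)
```

As Trever notes, an object tag can load code with no codebase attribute at all; to apply that broader policy, drop the CODEBASE_ATTR test inside rename so every object tag is renamed.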
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:19:18 2006 Subject: false positive? In-Reply-To: <5.2.0.9.0.20030812094707.018e25f8@beloit.edu> Message-ID: <5.2.1.1.0.20030812150225.019b19f8@xanadu.evi-inc.com> At 09:55 AM 8/12/2003 -0500, Tim Tyler wrote: >The bulk of the score relates to rcvd_fake_helo_dotcom. Can anyone tell >me what that means and why it might occur on a legitimate message? I >believe the message was sent from a service in Morocco for whatever that is >worth. These rules attempt to detect messages where someone issues a HELO as "yahoo.com" or similar popular ISP, without any kind of host name. For example since yahoo always helo's as " web####.mail.yahoo.com " or something similar, and never as "yahoo.com" anyone issuing that hello is either attempting to deceive you, or misconfigured. Here's a copy of the rule for FAKE_HELO_DOTCOM: 20_head_tests.cf:header RCVD_FAKE_HELO_DOTCOM Received =~ /^from (?:msn|yahoo|you rwebsite|lycos|excite|cs|aol|localhost|koreanmail|allexecs|mydomain|juno|eudoramail| compuserve|desertmail|excite|caramail)\.com \(/m It sounds like the Moroccan service is misconfigured. Check the Received headers. From tyler at beloit.edu Tue Aug 12 21:02:00 2003 
From: tyler at beloit.edu (Tim Tyler)
Date: Thu Jan 12 21:19:18 2006
Subject: false positive?
In-Reply-To: <5.2.1.1.0.20030812150225.019b19f8@xanadu.evi-inc.com> from "Matt Kettler" at Aug 12, 2003 03:06:11 PM
Message-ID: <200308122002.h7CK20o29374@beloit.edu>

Matt,
  Yes, but what about when sites use the same hostname as their domain
name? For instance, we have beloit.edu as our domain while also using
beloit.edu as our hostname for our faculty/staff SMTP server. It's not
totally clear to me why it should be assumed that the lack of a hostname
extension is necessarily a violation of any welcome rules. But since it
might indicate an issue, it seems to me that it might be prudent to lower
its weighted value given the number of false positives this issue seems to
create. Can I lower the weighted value for this variable myself?

Tim

>
>At 09:55 AM 8/12/2003 -0500, Tim Tyler wrote:
>>The bulk of the score relates to rcvd_fake_helo_dotcom. Can anyone tell
>>me what that means and why it might occur on a legitimate message? I
>>believe the message was sent from a service in Morocco for whatever that is
>>worth.
>
>These rules attempt to detect messages where someone issues a HELO as
>"yahoo.com" or a similar popular ISP, without any kind of host name. For
>example, since Yahoo always HELOs as "web####.mail.yahoo.com" or
>something similar, and never as "yahoo.com", anyone issuing that HELO is
>either attempting to deceive you or misconfigured.
>
>Here's a copy of the rule for FAKE_HELO_DOTCOM:
>
>20_head_tests.cf:header RCVD_FAKE_HELO_DOTCOM Received =~ /^from (?:msn|yahoo|yourwebsite|lycos|excite|cs|aol|localhost|koreanmail|allexecs|mydomain|juno|eudoramail|compuserve|desertmail|excite|caramail)\.com \(/m
>
>It sounds like the Moroccan service is misconfigured. Check the Received
>headers.
>

--
Tim Tyler
Network Manager - Beloit College
tyler@beloit.edu

From Antony at SOFT-SOLUTIONS.CO.UK Tue Aug 12 21:11:22 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:18 2006
Subject: false positive?
In-Reply-To: <200308122002.h7CK20o29374@beloit.edu>
References: <200308122002.h7CK20o29374@beloit.edu>
Message-ID: <200308122011.h7CKBQ024928@agate.rockstone.co.uk>

On Tuesday 12 August 2003 9:02 pm, Tim Tyler wrote:

> Matt,
>   Yes, but what about when sites use the same hostname as their domain
> name? For instance, we have beloit.edu as our domain while also using
> beloit.edu as our hostname for our faculty/staff SMTP server. It's not
> totally clear to me why it should be assumed that the lack of a hostname
> extension is necessarily a violation of any welcome rules.

It isn't, for the majority of domains.

The FAKE_HELO_DOTCOM rule only applies to the specific domains listed in the
regex:

> >20_head_tests.cf:header RCVD_FAKE_HELO_DOTCOM Received =~ /^from (?:msn|yahoo|yourwebsite|lycos|excite|cs|aol|localhost|koreanmail|allexecs|mydomain|juno|eudoramail|compuserve|desertmail|excite|caramail)\.com \(/m

In other words, only the following domains will match:

msn.com
yahoo.com
yourwebsite.com
lycos.com
excite.com
cs.com
aol.com
localhost.com
koreanmail.com
allexecs.com
mydomain.com
juno.com
eudoramail.com
compuserve.com
desertmail.com
excite.com (no, I don't know why it's listed twice either)
caramail.com

Mail from any other domain will not match this rule.

Regards,

Antony.

--

I can resist everything but temptation,
I can tolerate everything but intolerance,
and I can survive everything but death.

From mark at TIPPINGMAR.COM Tue Aug 12 22:03:28 2003
From: mark at TIPPINGMAR.COM (Mark Nienberg)
Date: Thu Jan 12 21:19:18 2006
Subject: false positive?
In-Reply-To: <200308122011.h7CKBQ024928@agate.rockstone.co.uk>
References: <200308122002.h7CK20o29374@beloit.edu>
Message-ID: <3F38F3B0.2499.889261@localhost>

You can change the scores for any of the tests by listing them in your
/etc/MailScanner/spam.assassin.prefs.conf. Here is an example from mine:

# seems like adv code should score higher
score ADVERT_CODE 5
score ADVERT_CODE2 5

If you want to eliminate the test altogether, assign a score of zero.

Mark

From tyler at BELOIT.EDU Tue Aug 12 22:08:39 2003
From: tyler at BELOIT.EDU (Tim Tyler)
Date: Thu Jan 12 21:19:18 2006
Subject: false positive?
In-Reply-To: <200308122011.h7CKBQ024928@agate.rockstone.co.uk>
References: <200308122002.h7CK20o29374@beloit.edu> <200308122002.h7CK20o29374@beloit.edu>
Message-ID: <5.2.0.9.0.20030812154834.01cd4f28@beloit.edu>

Antony,
  Ok, that makes sense. The violation that I see was triggered from
caramail.com, though the full SMTP server address follows it in
parentheses. Is it the configuration of their mail client or mail server?
Is there any specific advice that I can give back to the sender?

Tim

>> Received: from caramail.com (cmcodec01.st1.spray.net [212.78.202.246])
>>         by lmout01.st1.spray.net (Postfix) with SMTP id 556001FECC
>>         for ; Thu, 7 Aug 2003 21:36:59 +0200 (MEST)
>> From: "xxxxx xxxxxx "

Tim

At 09:11 PM 8/12/2003 +0100, you wrote:
>On Tuesday 12 August 2003 9:02 pm, Tim Tyler wrote:
>
> > Matt,
> >   Yes, but what about when sites use the same hostname as their domain
> > name? For instance, we have beloit.edu as our domain while also using
> > beloit.edu as our hostname for our faculty/staff SMTP server. It's not
> > totally clear to me why it should be assumed that the lack of a hostname
> > extension is necessarily a violation of any welcome rules.
>
>It isn't, for the majority of domains.
>
>The FAKE_HELO_DOTCOM rule only applies to the specific domains listed in the
>regex:
>
> > >20_head_tests.cf:header RCVD_FAKE_HELO_DOTCOM Received =~ /^from (?:msn|yahoo|yourwebsite|lycos|excite|cs|aol|localhost|koreanmail|allexecs|mydomain|juno|eudoramail|compuserve|desertmail|excite|caramail)\.com \(/m
>
>In other words, only the following domains will match:
>msn.com
>yahoo.com
>yourwebsite.com
>lycos.com
>excite.com
>cs.com
>aol.com
>localhost.com
>koreanmail.com
>allexecs.com
>mydomain.com
>juno.com
>eudoramail.com
>compuserve.com
>desertmail.com
>excite.com (no, I don't know why it's listed twice either)
>caramail.com
>
>Mail from any other domain will not match this rule.
>
>Regards,
>
>Antony.
>
>--
>
>I can resist everything but temptation,
>I can tolerate everything but intolerance,
>and I can survive everything but death.

Tim Tyler
Network Engineer - Beloit College
tyler@beloit.edu

From Antony at SOFT-SOLUTIONS.CO.UK Tue Aug 12 22:51:47 2003
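The RCVD_FAKE_HELO_DOTCOM test Matt quoted and the score override Mark describes, as an added example that is not from the thread or from SpamAssassin's own code: the Perl rule is transliterated to Python's re module and run over the caramail.com Received: header Tim posted plus two constructed headers. The 3.0 baseline score, the 192.0.2.x addresses and mx.example.net are placeholders, not values from the page.

```python
import re

# RCVD_FAKE_HELO_DOTCOM from 20_head_tests.cf, transliterated from Perl to
# Python re (same alternation; Perl's /m becomes re.MULTILINE). It fires only
# when the HELO name is exactly one of the listed bare domains and is followed
# by " (", i.e. the receiving MTA's annotation of the real peer.
FAKE_HELO_DOTCOM = re.compile(
    r"^from (?:msn|yahoo|yourwebsite|lycos|excite|cs|aol|localhost|koreanmail"
    r"|allexecs|mydomain|juno|eudoramail|compuserve|desertmail|excite|caramail)"
    r"\.com \(",
    re.MULTILINE,
)
RULE = "RCVD_FAKE_HELO_DOTCOM"
DEFAULT_SCORES = {RULE: 3.0}   # constructed placeholder, not SA's real default


def parse_score_overrides(prefs_text):
    """Parse 'score RULE value' lines as kept in spam.assassin.prefs.conf;
    '#' comments and unrelated lines are ignored."""
    overrides = {}
    for line in prefs_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 3 and fields[0] == "score":
            overrides[fields[1]] = float(fields[2])
    return overrides


def score_message(received_values, prefs_text=""):
    """Return (rules_hit, total). Received: values are joined with newlines,
    as SpamAssassin presents a multi-instance header to a header rule. A rule
    scored 0 is skipped entirely, which is what 'assign a score of zero' does."""
    scores = dict(DEFAULT_SCORES)
    scores.update(parse_score_overrides(prefs_text))
    hits = []
    if scores[RULE] != 0 and FAKE_HELO_DOTCOM.search("\n".join(received_values)):
        hits.append(RULE)
    return hits, sum(scores[r] for r in hits)


# Received: value quoted in the thread: bare-domain HELO, real host in parens.
CARAMAIL = ("from caramail.com (cmcodec01.st1.spray.net [212.78.202.246]) "
            "by lmout01.st1.spray.net (Postfix) with SMTP id 556001FECC")
# Constructed: how Yahoo webmail actually HELOs, and a site whose HELO equals
# its domain but is not in the list (192.0.2.0/24 is a documentation range).
YAHOO = "from web12345.mail.yahoo.com (web12345.mail.yahoo.com [192.0.2.10]) by mx.example.net"
BELOIT = "from beloit.edu (beloit.edu [192.0.2.20]) by mx.example.net"

if __name__ == "__main__":
    for label, hdr in (("caramail", CARAMAIL), ("yahoo", YAHOO), ("beloit", BELOIT)):
        print(label, score_message([hdr]))
    print("lowered", score_message([CARAMAIL], f"score {RULE} 0.5"))
```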
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:18 2006
Subject: false positive?
In-Reply-To: <5.2.0.9.0.20030812154834.01cd4f28@beloit.edu>
References: <200308122002.h7CK20o29374@beloit.edu> <5.2.0.9.0.20030812154834.01cd4f28@beloit.edu>
Message-ID: <200308122151.h7CLpo024962@agate.rockstone.co.uk>

On Tuesday 12 August 2003 10:08 pm, Tim Tyler wrote:

> Antony,
>   Ok, that makes sense. The violation that I see was triggered from
> caramail.com, though the full SMTP server address follows it in
> parentheses. Is it the configuration of their mail client or mail
> server? Is there any specific advice that I can give back to the sender?

Well, the question I would ask is "what is their correct email address"?

If their email address is somebody@something.caramail.com then they need to
change their email client program so that it sends out email from the correct
address (if they say they've done that, and you really believe they know what
they're talking about, then it's possible that the server they're sending
through is rewriting the source address - but I would say this is very very
unlikely).

If, on the other hand, their email address really is just somebody@caramail.com
(ie: without the something), and therefore the SpamAssassin rule which
complains about such an address is inappropriate, then I suggest you (a) edit
the rule in your file /usr/share/spamassassin/20_head_tests.cf to remove the
entry for caramail, and also report this to SA so that they can amend the rule
in the general distribution.

Regards,

Antony.

--

Success is a lousy teacher.
It seduces smart people into thinking they can't lose.

 - William H Gates III

From mailscanner at ecs.soton.ac.uk Wed Aug 13 11:33:31 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:18 2006
Subject: tag rulesets
In-Reply-To:
Message-ID: <5.2.0.9.2.20030813113319.04996ff8@imap.ecs.soton.ac.uk>

That should be fine.

At 16:00 12/08/2003, you wrote:
>Hi
>
>Can someone confirm the ruleset for the tags -
>
>Is it
>
>Spam Subject Text = /etc/MailScanner/rules/spam.tags.rules
>
>FromOrTo: udcom.com {SPAM FILTERED}
>FromOrTo: default {SPAM?}
>
>Thanks
>
>Matthew

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Aug 13 11:35:50 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:19:18 2006
Subject: Found dangerous Object Codebase tag...
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF0C0770@inex1.herffjones.hj-int>
Message-ID: <5.2.0.9.2.20030813113504.04a12810@imap.ecs.soton.ac.uk>

At 18:08 12/08/2003, you wrote:
>An HTML tag that causes a browser to load programming code when the page is
>viewed. Some mail filtering systems "defang" such tags by changing them to
>something safe, which usually leaves the rest of the message completely
>readable, but I don't think (and will hopefully be corrected if I'm wrong)
>that MS yet can be made to do that.

# Do you want to convert HTML messages containing