From rcooper at DIMENSION-FLM.COM Mon Dec 1 00:57:25 2003
From: rcooper at DIMENSION-FLM.COM (Rick Cooper)
Date: Thu Jan 12 21:21:22 2006
Subject: f-prot eicar test
In-Reply-To:
Message-ID:

Add -dumb to the options. Without that option it knows the eicar signatures are not an actual virus

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Noel Vargas
> Sent: Sunday, November 30, 2003 5:45 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: f-prot eicar test
>
>
> Hi:
>
> I've installed MailScanner on a Linux box with Postfix and
> f-prot, and I've been trying to test the system. It delivers
> and sends messages fine. I built the EICAR.COM test file from
> windows and sent it to this box, but it keeps showing me the
> eicar file and the logs don't show any attempt of disinfection.
>
> I just edited the f-prot wrapper to add the -auto -disinf
> options to no avail.
>
> Any help will be greatly appreciated.
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mike at ZANKER.ORG Mon Dec 1 06:33:51 2003
From: mike at ZANKER.ORG (Mike Zanker)
Date: Thu Jan 12 21:21:22 2006
Subject: New Batch message appearing twice
In-Reply-To: <6.0.1.1.2.20031130223201.0284cb70@imap.ecs.soton.ac.uk>
References: <200311300000.hAU006uS021920@gaia.elec.ucl.ac.be> <6.0.1.1.2.20031130223201.0284cb70@imap.ecs.soton.ac.uk>
Message-ID: <124278968.1070260431@jemima.zanker.org>

On 30 November 2003 22:33 +0000 Julian Field wrote:

> I have just posted 4.25-12 which solves this. The only difference is
> in Log.pm.

Thanks, that has indeed fixed it.

Mike.

From m.sapsed at BANGOR.AC.UK Mon Dec 1 11:16:17 2003
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:21:22 2006
Subject: icheckd vs. SAVI-Perl
References:
Message-ID: <3FCB2301.9000007@bangor.ac.uk>

Robin M. wrote:

> I am testing sophos and initially I set it up to run as a daemon with the
> icheckd interface, but after reading the mailscanner docs it appears to
> suggest that not installing icheckd and compiling the Savi-Perl module
> instead. Are there any benefits to running sophos with SAVI-Perl rather
> than running icheckd.

From my experience, all I get from icheckd is reporting of stuff from windows clients. I don't really see it fitting into the MailScanner equation at all?

As far as I can see, the only question with Sophos is whether to use sweep or savi-perl?

Cheers,

Martin

--
Martin Sapsed
Information Services               "Who do you say I am?"
University of Wales, Bangor             Jesus of Nazareth

From smilga at MIKROTIK.COM Mon Dec 1 12:02:34 2003
From: smilga at MIKROTIK.COM (Martins Smilga)
Date: Thu Jan 12 21:21:22 2006
Subject: Mailscanner with Debian 3 testing
Message-ID: <052b01c3b803$01c0c890$a500010a@martinsss>

Hello,

Maybe someone has experience with mailscanner how to install on Debian testing version.

I have SpamAssassin + Sendmail.

I installed mailscanner from aptitude,
I can not find any detailed documentation how to install mailscanner on Debian with sendmail.
(http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml)
I can find where I can change these settings (script).

Maybe there is other way how to put mailscanner + Debian+ sendmail

Martins

From robin at PRIMUS.CA Mon Dec 1 13:31:41 2003
From: robin at PRIMUS.CA (Robin M.)
Date: Thu Jan 12 21:21:22 2006
Subject: icheckd vs. SAVI-Perl
In-Reply-To: <3FCB2301.9000007@bangor.ac.uk>
References: <3FCB2301.9000007@bangor.ac.uk>
Message-ID:

On Mon, 1 Dec 2003, Martin Sapsed wrote:

> From my experience, all I get from icheckd is reporting of stuff from
> windows clients. I don't really see it fitting into the MailScanner
> equation at all?
>
> As far as I can see, the only question with Sophos is whether to use
> sweep or savi-perl?
>

Hi

I realize now the purpose of icheckd. I had misunderstood the purpose of it. I did assume that it was part of the sophos virus checking scenario when in fact it was just using the command line sweep. I have since started using the SaVi interface.

Thanks for this clarification.

cheers.

From jim at ENTROPHY-FREE.NET Mon Dec 1 13:47:44 2003
From: jim at ENTROPHY-FREE.NET (Jim Levie)
Date: Thu Jan 12 21:21:22 2006
Subject: [OT] MS + Trend InterScan Virus Wall
In-Reply-To: <1070060599.3522.3.camel@ra.thethompsonhouse.com>
References: <1070060599.3522.3.camel@ra.thethompsonhouse.com>
Message-ID: <1070286464.4136.3.camel@wilowisp.entrophy-free.net>

On Fri, 2003-11-28 at 17:03, Robert A. Thompson wrote:
> or the appropriate redhat/fedora release that RHEL is built from.
>
> --rat
>
>
> On Fri, 2003-11-28 at 16:17, Michele Neylon :: Blacknight Solutions
> wrote:
> > Can't you simply grab it from MySQL.com ?
> >

I believe a better solution is to build the server components from the RHEL SRPMS, which is what I did before they relented and placed those components in the "Extras".

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
The instructions said to use Windows 98 or better, so I installed RedHat
Jim Levie                                   email:jim@entrophy-free.net

From rc at ITSS.NERC.AC.UK Mon Dec 1 14:13:57 2003
From: rc at ITSS.NERC.AC.UK (Ron Campbell)
Date: Thu Jan 12 21:21:22 2006
Subject: maps-rbl+
Message-ID: <3FCB4CA5.1010208@itss.nerc.ac.uk>

This is probably not of interest to those who are not in ac.uk

The MAPS-RBL+ list is actually the union of 4 separate lists (RBL, DUL, RSS and OPS). For details, see
http://www.ja.net/CERT/JANET-CERT/mail/mail-abuse/rbl-plus-guide.html#available

One of these - the "dial-up list" is probably our main reason for SPAM "false positives" at the moment. This is usually down to people working from home via an ISP.

Is it possible to configure MS to use only some of the individual MAPS-RBL+ lists ?

Or should we just give up on these lists and rely on SpamAssassin - all the "false positives" which I have seen, have negative SA scores so it is clearly getting these right. Of course, there will be other cases which the lists get right and SA misses ?

Thanks ... Ron

From sysadmins at ENHTECH.COM Mon Dec 1 14:39:51 2003
From: sysadmins at ENHTECH.COM (Errol Neal)
Date: Thu Jan 12 21:21:22 2006
Subject: Mailscanner with Debian 3 testing
In-Reply-To: <052b01c3b803$01c0c890$a500010a@martinsss>
References: <052b01c3b803$01c0c890$a500010a@martinsss>
Message-ID: <6.0.0.22.0.20031201093927.0251e1f0@mail.enhtech.com>

At 07:02 AM 12/1/2003, Martins Smilga wrote:
>Hello,
>
>Maybe someone has experience with mailscanner how to install on Debian
>testing version.
>
>I have SpamAssassin + Sendmail.
>
>I installed mailscanner from aptitude,
>I can not find any detailed documentation how to install mailscanner on
>Debian with sendmail.
>(http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml)
>I can find where I can change these settings (script).
>
>Maybe there is other way how to put mailscanner + Debian+ sendmail
>
>
>Martins

Exactly what are you having problems with?

Errol Neal

From gabor at RC-SUBOTICA.CO.YU Mon Dec 1 14:33:44 2003
From: gabor at RC-SUBOTICA.CO.YU (Szemerédy Gábor)
Date: Thu Jan 12 21:21:22 2006
Subject: MailScanner and RedHat 6.0
Message-ID: <3FCB5148.D2A5961F@rc-subotica.co.yu>

Hello!
We are using RH 6.0 , perl-5.00503-2 , and sendmail 8.9.3 and would like to use Mailscanner with clamav.
We tried MailScanner-3.27-1.i386.rpm and 4.24-5.rpm.tar.gz without any success.
There are too many dependency errors during the installation.
Is somebody running MailScanner on RH 6.0 and which release?
Thanks

From brose at MED.WAYNE.EDU Mon Dec 1 14:44:01 2003
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:21:22 2006
Subject: maps-rbl+
Message-ID:

DULs don't affect people sending emails from home unless they are running their own smtp server at home. If people are relaying their mail thru their ISP like they're supposed to then it's not a problem. The only issue with DULs is businesses with their own mail servers and using dialup or broadband for their internet connection. But then again ISPs tend not to want people using the cheaper residential services to run a business and want them to pay extra for static IPs and such which usually are not in the DULs.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ron Campbell
Sent: Monday, December 01, 2003 9:14 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: maps-rbl+

This is probably not of interest to those who are not in ac.uk

The MAPS-RBL+ list is actually the union of 4 separate lists (RBL, DUL, RSS and OPS). For details, see
http://www.ja.net/CERT/JANET-CERT/mail/mail-abuse/rbl-plus-guide.html#available

One of these - the "dial-up list" is probably our main reason for SPAM "false positives" at the moment. This is usually down to people working from home via an ISP.

Is it possible to configure MS to use only some of the individual MAPS-RBL+ lists ?

Or should we just give up on these lists and rely on SpamAssassin - all the "false positives" which I have seen, have negative SA scores so it is clearly getting these right. Of course, there will be other cases which the lists get right and SA misses ?

Thanks ... Ron

From mailscanner at ecs.soton.ac.uk Mon Dec 1 14:51:55 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:22 2006
Subject: MailScanner and RedHat 6.0
In-Reply-To: <3FCB5148.D2A5961F@rc-subotica.co.yu>
References: <3FCB5148.D2A5961F@rc-subotica.co.yu>
Message-ID: <6.0.1.1.2.20031201145034.06ebe6b8@imap.ecs.soton.ac.uk>

At 14:33 01/12/2003, you wrote:
>Hello!
>We are using RH 6.0 , perl-5.00503-2 , and sendmail 8.9.3 and would like
>to
>use Mailscanner with clamav.
>We tried MailScanner-3.27-1.i386.rpm and 4.24-5.rpm.tar.gz without any
>success.
>There are too many dependency errors during the installation.

Did you run the install.sh script? What dependencies did it complain about it?
I don't really support anything before 6.2. If my calculations are correct, 6.0 is 6 or 7 versions out of date. Are RedHat still supporting it?

>Is somebody running MailScanner on RH 6.0 and which release?
>Thanks

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From michele at BLACKNIGHTSOLUTIONS.COM Mon Dec 1 14:52:43 2003
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:21:22 2006
Subject: MailScanner and RedHat 6.0
In-Reply-To: <3FCB5148.D2A5961F@rc-subotica.co.yu>
Message-ID:

Hi

Quite a number of people are running it on Cobalt RAQs, so you should look at the documents regarding this.

WORD OF WARNING: Be very careful using the command line CPAN module, as it will probably upgrade your entire Perl installation even if you don't want it to

Michele

Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9139897
Lowest price domains in Ireland

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Szemeredy Gabor
> Sent: 01 December 2003 14:34
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: MailScanner and RedHat 6.0
>
>
> Hello!
> We are using RH 6.0 , perl-5.00503-2 , and sendmail 8.9.3 and would like
> to
> use Mailscanner with clamav.
> We tried MailScanner-3.27-1.i386.rpm and 4.24-5.rpm.tar.gz without any
> success.
> There are too many dependency errors during the installation.
> Is somebody running MailScanner on RH 6.0 and which release?
> Thanks
>

From raymond at PROLOCATION.NET Mon Dec 1 14:48:38 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:22 2006
Subject: MailScanner and RedHat 6.0
In-Reply-To: <3FCB5148.D2A5961F@rc-subotica.co.yu>
Message-ID:

Hi!

> We are using RH 6.0 , perl-5.00503-2 , and sendmail 8.9.3 and would like
> to use Mailscanner with clamav.
> We tried MailScanner-3.27-1.i386.rpm and 4.24-5.rpm.tar.gz without any
> success.
> There are too many dependency errors during the installation.
> Is somebody running MailScanner on RH 6.0 and which release?
> Thanks

I would recommend upgrading to a more recent version of RH, you are also missing security updates now.

Bye,
Raymond.

From raymond at PROLOCATION.NET Mon Dec 1 14:57:17 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:22 2006
Subject: MailScanner and RedHat 6.0
In-Reply-To: <6.0.1.1.2.20031201145034.06ebe6b8@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> Did you run the install.sh script? What dependencies did it complain about it?
> I don't really support anything before 6.2. If my calculations are correct,
> 6.0 is 6 or 7 versions out of date. Are RedHat still supporting it?

RH doesn't support it anymore and won't make new errata either. I would strongly advise not to install new MS projects on a box like that ... :)

Bye,
Raymond.

From Denis.Beauchemin at USHERBROOKE.CA Mon Dec 1 17:11:03 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:21:22 2006
Subject: ANNOUNCE: Stable Release 4.25-11
In-Reply-To: <6.0.1.1.2.20031129115646.04c45e38@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20031129115646.04c45e38@imap.ecs.soton.ac.uk>
Message-ID: <1070298662.3002.167.camel@dbeauchemin.sti.usherbrooke.ca>

Hello Julian,

Haven't tested 4.25-12 yet but I did upgrade my RPM (on Fedora) and the MailScanner.conf.rpmnew that was created still included Infinite-Monkeys:

MailScanner]# grep Monk MailScanner.conf.rpmnew
Spam List = ORDB-RBL Infinite-Monkeys # MAPS-RBL+ costs money (except .ac.uk)

Denis

On Sat 29/11/2003 at 07:06, Julian Field wrote:
> G'Day all!
>
> I have just released the latest stable version 4.25-11.
>
> Some of the most important new features in this release are
> -- the ability to "disarm" dangerous HTML tags, while leaving the bulk of
> the message intact;
> -- a means to throttle SMTP connections from hosts which are deluging you
> with spam or viruses. You set the limit on the number of messages to
> receive per hour from any given host, and mail above that limit will be
> refused in the SMTP connection (sendmail only at the moment, sorry).
> -- the ability to set the permissions and ownership of temporary working
> files and the quarantine. This means that external systems such as a web
> server can access and manage the quarantine on behalf of your users,
> without the need for any risky setuid scripts.
>
> Download as usual from
> www.mailscanner.info
>
> The full ChangeLog for this release is here:
>
> 29/11/2003 New in Version 4.25-11
> =================================
> * New Features and Improvements *
> - Added support for "disarm" option on all HTML tag detectors, which will
>   disarm those tags while leaving the rest of the HTML intact.
> - Added support for more ways of specifying IP ranges in rulesets.
>   Can now do all of:
>   152.78
>   152.78.
>   /^152\.78/
>   152.78.0.0/16
>   152.78.0.0-152.78.255.255
> - Added support for retrieving configuration from LDAP.
> - Added support for changing uid, gid and permissions of both Incoming Work
>   Dir and Quarantine Dir.
> - Added facility to limit the size of any individual attachment.
>
> - Added support for DrWeb virus scanner, courtesy of Konrad Madej
>   .
> - Added support for Mail::ClamAV perl module, enabling ClamAV to scan without
>   having to call any external programs at all.
> - Panda version 7.0 supported.
> - Improved ClamAV parser to handle errors printed when processing viruses
>   containing corrupted zip files.
> - Improved F-Prot output parser.
> - Added inoculan autoupdater courtesy of "W-Mark Kubacki" .
> - Improved bitdefender-autoupdate script to support BitDefender 7 rather
>   better.
>
> - Greatly improved IPBlock code that throttles incoming SMTP connections
>   when a host sends too many messages per hour. Now support netblocks in all
>   sorts of different formats, and is enormously faster than previous code.
>   It works much more reliably and effectively too. See CustomConfig.pm.
> - Changed SpamAssassin timeout handler to kill processes and not process group.
> - Improved documentation in virus.scanners.conf.
> - Improved documentation of "disarm" configuration settings.
> - Added optimisation to LDAP ruleset compiler that identifies 1-line rulesets
>   which hold the default value.
> - Improved Linux install.sh script so it spots *.rpmnew files in amongst
>   -wrapper and -autoupdate scripts.
> - Added 'spamblacklisted' message property for use by MailWatch.
> - Added a new Custom Function to provide multiple outgoing queues for spam,
>   high-scoring spam, and real email.
> - Improved Linux init.d script so the "restart" delay is configurable in
>   /etc/sysconfig/MailScanner as that is preserved across upgrades.
> - Improved error message when unknown virus scanner name is used.
> - Added SORBS RBLs to spam.lists.conf.
> - Added some subject line sanity checks to cope with Outlook's bizarre
>   behaviour.
> - Added speed logging of different parts of the processing of a batch.
>   See the new "Log Speed" configuration setting.
> - Changed error handling in ruleset parser so it doesn't die if it finds
>   syntax errors, it now just warns you instead.
> - Improved syntax checking of rules in configuration ruleset files.
>
> * Fixes*
> - RPM distribution install.sh script now checks and creates pod2text properly.
> - Fixed bug whereby the same message files could be deleted more than once,
>   which could delete unprocessed messages using MTAs that name files after
>   the inode and not the time.
> - Syslogging should now start successfully on all versions of Solaris and IRIX.
> - Bug fix in Postfix file handling code from Stefan Baltus which will
>   hopefully patch up the last Solaris Postfix problem.
> - Fixed bug causing uid+gid to be ignored when quarantining whole messages.
> - Fixed bug causing Maximum Message Size not to be enforced properly.
> - Fixed bug where sender of bulk precedence mail would be sent some warnings
>   if their mail was identified as spam.
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From raymond at PROLOCATION.NET Mon Dec 1 17:24:48 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:22 2006
Subject: ANNOUNCE: Stable Release 4.25-11
In-Reply-To: <1070298662.3002.167.camel@dbeauchemin.sti.usherbrooke.ca>
Message-ID:

Hi!

> Haven't tested 4.25-12 yet but I did upgrade my RPM (on Fedora) and the
> MailScanner.conf.rpmnew that was created still included
> Infinite-Monkeys:
> MailScanner]# grep Monk MailScanner.conf.rpmnew
> Spam List = ORDB-RBL Infinite-Monkeys # MAPS-RBL+ costs money (except .ac.uk)

It's in 4.25-12, and this might cause trouble, since in the new spam.lists.conf it's removed (or better, commented out with a #) So yes, that needs to be fixed, the default config should not have it anymore :)

Thanks,
Raymond.

From mailscanner at ecs.soton.ac.uk Mon Dec 1 18:37:06 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:22 2006
Subject: ANNOUNCE: Stable Release 4.25-11
In-Reply-To:
References: <1070298662.3002.167.camel@dbeauchemin.sti.usherbrooke.ca>
Message-ID: <6.0.1.1.2.20031201183625.02782d20@imap.ecs.soton.ac.uk>

At 17:24 01/12/2003, you wrote:
>Hi!
>
> > Haven't tested 4.25-12 yet but I did upgrade my RPM (on Fedora) and the
> > MailScanner.conf.rpmnew that was created still included
> > Infinite-Monkeys:
> > MailScanner]# grep Monk MailScanner.conf.rpmnew
> > Spam List = ORDB-RBL Infinite-Monkeys # MAPS-RBL+ costs money (except
> .ac.uk)
>
>It's in 4.25-12, and this might cause trouble, since in the new
>spam.lists.conf it's removed (or better, commented out with a #) So yes,
>that needs to be fixed, the default config should not have it anymore :)

You are quite right, it will cause trouble. Now fixed with release of 4.25-13.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From jacques at MONACO.NET Mon Dec 1 18:25:52 2003
From: jacques at MONACO.NET (Jacques Caruso)
Date: Thu Jan 12 21:21:22 2006
Subject: Empty messages, again (on 4.25-9)
Message-ID: <200312011920.50708.jacques@monaco.net>

Hi everybody,

I have upgraded to 4.25-9 since Thursday, and today the dreaded empty-mail problem has resurfaced. The problems always appear in the same order :

* MS stops processing messages without logging anything. The messages start to clog up the postfix.in/deferred queue
* We notice the problem (usually when the queue is very huge, around ~1400 messages today) and restart MS
* Processing of messages restarts, the system load goes through the roof (from ~3 to ~15)
* Postfix begins to emit 'Skipped, still being delivered' messages, as MS accesses messages in the (wrong) postfix.in/incoming queue :

[root@sceuzi][~]# cat lsof.out | grep postfix.in/incom
MailScann 15893 postfix 18uW REG 8,2 2362 1802747 /var/spool/postfix.in/incoming/4/4ABB91B81FB
MailScann 15900 postfix 25uW REG 8,2 1672 1802536 /var/spool/postfix.in/incoming/7/701A91B8128
MailScann 15900 postfix 30uW REG 8,2 2204 1804071 /var/spool/postfix.in/incoming/7/707E41B8727
MailScann 15900 postfix 31uW REG 8,2 2306 1804100 /var/spool/postfix.in/incoming/7/7F8C41B8744
MailScann 15900 postfix 32uW REG 8,2 25385 1804118 /var/spool/postfix.in/incoming/7/7959C1B8756
MailScann 15900 postfix 33uW REG 8,2 3954 1802533 /var/spool/postfix.in/incoming/7/713D81B8125
MailScann 15900 postfix 34uW REG 8,2 2161 1802605 /var/spool/postfix.in/incoming/7/76CE31B816D
MailScann 15900 postfix 35uW REG 8,2 2636 1803233 /var/spool/postfix.in/incoming/7/7CCAC1B83E1
MailScann 15910 postfix 20uW REG 8,2 1998 1802462 /var/spool/postfix.in/incoming/B/BDF961B80DE
MailScann 15924 postfix 17uW REG 8,2 1771 1802541 /var/spool/postfix.in/incoming/7/761651B812D
MailScann 15945 postfix 27uW REG 8,2 1614 1803853 /var/spool/postfix.in/incoming/7/73F9C1B864D
cleanup 17875 postfix 16u REG 8,2 81920 1802800 /var/spool/postfix.in/incoming/5/57FDC1B8230
cleanup 18615 postfix 16u
REG 8,2 0 1802797 /var/spool/postfix.in/incoming/4/45A501B822D
MailScann 21344 postfix 18u REG 8,2 2362 1802747 /var/spool/postfix.in/incoming/4/4ABB91B81FB
MailScann 21348 postfix 20u REG 8,2 1998 1802462 /var/spool/postfix.in/incoming/B/BDF961B80DE

I noticed that a new version appeared on 29/11. Still, the changelog lists only two more fixes, apparently unrelated to my problem :

- Fixed bug where sender of bulk precedence mail would be sent some warnings if their mail was identified as spam.
- Fixed duplicate logging of New Batch messages. Abandoned support of syslog-ng until I can test it properly on my own systems.

Like last time, I put the result of 'lsof' and 'ps -afx' on a web server :

http://aragorn.monaco.net/tmp/ms/2/lsof.out.txt
http://aragorn.monaco.net/tmp/ms/2/psafx.out.txt

Could someone give me hints about :

* preventing MS from stopping to process mail ? This happens every few days for apparently no reason. The processes just sit idle.
* preventing MS from accessing mail in the postfix.in/incoming queue ? I've thought about permissions but I don't see how to let MS read in deferred but not in incoming (after all, they need to have the same permissions for Postfix to operate).

Any help (like a hint to a probable cause for the problems) will be greatly appreciated.

Cheers,

--
[ Jacques Caruso  PHP Developer ]
[ Monaco Internet  http://monaco-internet.mc/ ]
[ Tel : (+377) 93 10 00 43  PGP key : 0x41F5C63D ]
[ * Tired of choosing the lesser of two evils? Vote Cthulhu in 2004! * ]

From ccampbell at BRUEGGERS.COM Mon Dec 1 18:45:23 2003
From: ccampbell at BRUEGGERS.COM (Christian Campbell)
Date: Thu Jan 12 21:21:22 2006
Subject: Upgrade Advice
Message-ID:

I am currently running MailScanner 8.12.8 and Spam Assassin 2.55 on a RedHat 8.0 server with Sendmail 8.12.8. This is a production server. I am interested in upgrading to the most recent versions of MS and SA. MS and SA were installed via RPM. Since then, I have heard that installing SA via RPM isn't the best idea, especially when wanting to upgrade SA. The ideal SA installation and upgrade is building from source, from what I've gathered.

I am in the unfortunate position of running all this on a production box, and not having an identical test box to try my upgrade out. In addition, this server is responsible for DNS and our Apache server. IOW: I can't mess this box up.

Looking for advice as to the best way to upgrade both MS and SA.

Should I do a RPM upgrade on MS, uninstall the SA RPM and reinstall the new version of SA from source? Or, is there a better way to go about this? Does it matter which order I do this in?

In addition, over time, more spam seems to not be tagged. I assume that with each release of SA, the SA rulebase is updated, and there will be a better chance of catching more spam? If that's the case, is there a way to update the SA rules without upgrading? Or, is a rule update the same as upgrading?

Looking for suggestions. Pardon my ignorance...MS and SA are still pretty new to me.

Thanks in advance,

Christian


Christian P. Campbell
Systems Engineer
Information Technology Department
Bruegger's Enterprises, Inc.
Desk: (802) 652-9270
Cell: (802) 734-5023
Email: ccampbell at brueggers dot com
Registered Linux User #319324

PGP public key available via PGP keyservers
or http://www2.brueggers.com/pgp/ccampbell.html

"We all know Linux is great...
it does infinite loops in 5 seconds."
 -- Linus Torvalds

From ccampbell at BRUEGGERS.COM Mon Dec 1 18:47:05 2003
From: ccampbell at BRUEGGERS.COM (Christian Campbell)
Date: Thu Jan 12 21:21:22 2006
Subject: Upgrade Advice
Message-ID:

> I am currently running MailScanner 8.12.8 and Spam Assassin

Correction...my MS version is 4.23

From Denis.Beauchemin at USHERBROOKE.CA Mon Dec 1 18:48:34 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:21:22 2006
Subject: upgrade_MailScanner_conf
Message-ID: <1070304513.3002.182.camel@dbeauchemin.sti.usherbrooke.ca>

Hello Julian,

When running upgrade_MailScanner_conf I end up losing the default/recommended values you suggest for settings I have changed. I usually keep your values commented out but upgrade_MailScanner_conf deletes them. I know about the --keep-comments option but I want the new values and improved configuration options too...

Could upgrade_MailScanner_conf keep its default/recommended values as comments if they differ from our values?

Thanks again!

Denis
--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From robin at PRIMUS.CA Mon Dec 1 18:56:10 2003
From: robin at PRIMUS.CA (Robin M.)
Date: Thu Jan 12 21:21:22 2006
Subject: ANNOUNCE: Stable Release 4.25-13
In-Reply-To: <6.0.1.1.2.20031201183625.02782d20@imap.ecs.soton.ac.uk>
References: <1070298662.3002.167.camel@dbeauchemin.sti.usherbrooke.ca> <6.0.1.1.2.20031201183625.02782d20@imap.ecs.soton.ac.uk>
Message-ID:

On Mon, 1 Dec 2003, Julian Field wrote:

> You are quite right, it will cause trouble. Now fixed with release of 4.25-13.

Hi Julian, is there any way you would be willing to title your versions 4.25.13? When creating rpms the dash is not recognized as a proper delimiter for versions. When creating rpms the dash is used to delimit the release number.

From kevins at BMRB.CO.UK Mon Dec 1 19:13:15 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:21:22 2006
Subject: Upgrade Advice
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB00188B6C2@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB00188B6C2@pascal.priv.bmrb.co.uk>
Message-ID: <1070306600.10877.7.camel@bach.kevinspicer.co.uk>

On Mon, 2003-12-01 at 18:45, Christian Campbell wrote:

> Looking for advice as to the best way to upgrade both MS and SA.

I would not do both upgrades at the same time (actually that's not completely true - I probably would do it but then I'm a fool). So if you have problems you'll know which upgrade caused them. I'd suggest upgrading MailScanner first when doing any upgrade [newer versions of external programs are more likely to cause problems for mailscanner than the other way around]. Remember that upgrade_MailScanner_conf is your friend.

Once you're sure all is well with MS then upgrade SA. Turn off spamassassin in MailScanner (don't forget to restart MailScanner after changing the config file). rpm -e spamassassin, build and install the new version from the tarfile (follow the docs on the MailScanner site rather than the SA install docs, you'll save yourself some work). Then turn spamassassin back on.

From Denis.Beauchemin at USHERBROOKE.CA Mon Dec 1 19:24:52 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:21:22 2006
Subject: Maximum Attachment Size
Message-ID: <1070306691.3002.192.camel@dbeauchemin.sti.usherbrooke.ca>

Hi,

I am testing the Maximum Attachment Size value and think it can save me time... once again! :-)

I was wondering if the email that is sent to the sender (sender.error.report.txt) could include the size of the attachment that was rejected... If not, could it at least include the value of Maximum Attachment Size? How?

Thanks again Julian!

Denis
--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From mailscanner at ecs.soton.ac.uk Mon Dec 1 19:31:42 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:22 2006
Subject: Upgrade Advice
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20031201192528.03f57e90@imap.ecs.soton.ac.uk>

Installing SA from RPM is indeed a bad idea. But to get the packaging, you can download the SRPM and "rpmbuild --rebuild" the RPM from it. This will give you an RPM which is set up for your system. I've done that on 1 or 2 machines and it all works fine.

If you upgrade MS, be sure to run "upgrade_MailScanner_conf" afterwards so you get all the new config options in your MailScanner.conf.

Also, note that Net::CIDR is a new dependency, so you may want to

    perl -MCPAN -e shell
    install Net::CIDR

before you start doing anything. If that install command looks like it is downloading perl itself, thump Ctrl-C quickly and bail out. You will find the source of Net::CIDR under ~root/.cpan/build and you can build it from there without it trying to install Perl 5.8.2!

Once you have installed MailScanner, stop the service and then it might be worth setting "Debug = yes" and then run check_MailScanner. If there are any errors, you will see them straight away and can fix them. Then set "Debug = no" again and start it as normal.

I upgraded my own production servers today and it went okay :-)

At 18:45 01/12/2003, you wrote:
>I am currently running MailScanner 8.12.8 and Spam Assassin 2.55 on a RedHat
>8.0 server with Sendmail 8.12.8. This is a production server. I am
>interested in upgrading to the most recent versions of MS and SA. MS and SA
>were installed via RPM. Since then, I have heard that installing SA via RPM
>isn't the best idea, especially when wanting to upgrade SA. The ideal SA
>installation and upgrade is building from source, from what I've gathered.
>
>I am in the unfortunate position of running all this on a production box,
>and not having an identical test box to try my upgrade out. In addition,
>this server is responsible for DNS and our Apache server.
IOW: I can't
>mess this box up.
>
>Looking for advice as to the best way to upgrade both MS and SA.
>
>Should I do a RPM upgrade on MS, uninstall the SA RPM and reinstall the new
>version of SA from source? Or, is there a better way to go about this?
>Does it matter which order I do this in?
>
>In addition, over time, more spam seems to not be tagged. I assume that
>with each release of SA, the SA rulebase is updated, and there will be a
>better chance of catching more spam? If that's the case, is there a way to
>update the SA rules without upgrading? Or, is a rule update the same as
>upgrading?
>
>Looking for suggestions. Pardon my ignorance...MS and SA are still pretty
>new to me.
>
>Thanks in advance,
>
>Christian
>
>
>Christian P. Campbell
>Systems Engineer
>Information Technology Department
>Bruegger's Enterprises, Inc.
>Desk: (802) 652-9270
>Cell: (802) 734-5023
>Email: ccampbell at brueggers dot com
>Registered Linux User #319324
>
>PGP public key available via PGP keyservers
>or http://www2.brueggers.com/pgp/ccampbell.html
>
>"We all know Linux is great...
>it does infinite loops in 5 seconds."
> -- Linus Torvalds

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From jaearick at COLBY.EDU Mon Dec 1 19:47:14 2003
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:21:22 2006
Subject: Notes on new IPBlock code, 4.25-11
Message-ID:

Gang,

Julian introduced a newer, faster, cooler version of IPBlock
(see CustomConfig.pm) in version 4.25-11. The new version allows
you to dynamically block connections from rogue/spam machines in
your sendmail access.db file in real time. IPBlock counts mail
messages (good, bad, spam) from IP numbers, tracks these connection
numbers in a DB file, and modifies your sendmail access.db file
if the number of connections exceeds thresholds that you configure.

The major new feature in IPBlock is that the config file understands CIDR
netblocks, so you can set different thresholds for different netblocks.
You can literally "rule the world" with about 30 lines in your config
file, see:

http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/239.html

for the details of how I set up things at my site. I have been running
with this ruleset for about a week now, plus additional rulesets for
my own domain -- admin offices get one setting and dorm rooms get a
lower setting. I had asked Julian a couple of weeks ago if IPBlock could
use Net::CIDR because my site has been getting hit with student computers
that contain spam trojans. Julian graciously modified IPBlock to use
CIDR and I tested it last week. When a spam trojan fires off, it can bury
my mail server very quickly. IPBlock gives me a tool to fight this.

The Good News and Bad News... Good News: The new IPBlock works as
advertised. It will modify access.db and block a rogue site according
to the config file, and the CIDR configs work. The Bad News: not that
much happens, even with very low settings for my dorm networks, and my
"world domination" CIDR settings for the planet. In one week, only three
off-campus sites ended up in the access.db file, with zero emails actually
blocked after the access.db changes.

Last night was the acid test with an on-campus spam trojan. The rogue
machine came alive at 00:01:32 last night. With a config limit of 100
messages/hour, the machine was IPBlocked at 00:14:07, with 6 subsequent
connections blocked out. But, the rogue machine had flooded my mqueue.in
with several thousand messages in those 13 minutes, and it took nearly
two hours for this flood to be processed by my server. A lot of these
messages were subsequently deleted as high-spam by Spamassassin and MS,
or doublebounced, or were blocked by AOL (the target site). Some got
delivered. The tsunami of spam was already on my mail server by the
time MS shut the door, since IPBlock is run last in the MS process.

Summary: IPBlock is useful against spam trojans, but not as useful as
I had hoped. YMMV.

Sendmail Note: sendmail 8.13.0 is on the horizon, see

http://www.sendmail.org/8.13.0.PreAlpha4.html

One new feature buried there is connection rate control, see the ChangeLog.
This may aid in blocking rogue machines too.

--- Jeff Earickson
Colby College

From raymond at PROLOCATION.NET Mon Dec 1 19:54:49 2003
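[Added example, not part of any post in this archive and not MailScanner's own code: a sketch of the per-netblock hourly limits described in the message above, and of why a counter that only runs after scanning lets a flood into the queue before the block lands. The names RateBlocker and accepted_before_block, the netblocks, the "Connect:"/REJECT access-map line and the fixed counting delay are all assumptions made for this illustration.]

```python
"""Per-netblock hourly message limits, in the style described for IPBlock.

Added illustration: not MailScanner's CustomConfig.pm code. The rule table
is constructed and is not IPBlock's config file syntax.
"""
import ipaddress
from collections import defaultdict, deque

# Constructed rules: (netblock, messages allowed per hour), documentation ranges.
RULES = [
    ("0.0.0.0/0", 500),       # the rest of the world
    ("192.0.2.0/24", 200),    # "admin offices"
    ("192.0.2.128/25", 100),  # "dorm rooms": stricter block inside the /24
]
WINDOW = 3600  # seconds


class RateBlocker:
    def __init__(self, rules, window=WINDOW):
        # Most specific netblock first, so the first match is the longest prefix.
        self.rules = sorted(
            ((ipaddress.ip_network(net), limit) for net, limit in rules),
            key=lambda rule: rule[0].prefixlen,
            reverse=True,
        )
        self.window = window
        self.seen = defaultdict(deque)  # ip -> timestamps still inside the window
        self.blocked = {}               # ip -> time its limit was exceeded

    def limit_for(self, ip):
        addr = ipaddress.ip_address(ip)
        for net, limit in self.rules:
            if addr in net:
                return limit
        return None  # no rule covers this address, so it is never blocked

    def record(self, ip, ts):
        """Count one message from ip at time ts. Return True once ip is blocked."""
        if ip in self.blocked:
            return True
        stamps = self.seen[ip]
        stamps.append(ts)
        while stamps[0] <= ts - self.window:
            stamps.popleft()  # forget messages older than the window
        limit = self.limit_for(ip)
        if limit is not None and len(stamps) > limit:
            self.blocked[ip] = ts
            return True
        return False

    def access_entries(self):
        """Lines for a sendmail access map source (assumed Connect:/REJECT form)."""
        return ["Connect:%s\tREJECT" % ip for ip in sorted(self.blocked)]


def accepted_before_block(arrivals, rules, count_delay):
    """Messages the MTA had accepted from the first blocked sender by the time
    the block landed, when each message is only counted count_delay seconds
    after it arrived (a fixed delay standing in for scan time)."""
    blocker = RateBlocker(rules)
    for ts, ip in arrivals:
        if blocker.record(ip, ts + count_delay):
            blocked_at = blocker.blocked[ip]
            return sum(1 for t, a in arrivals if a == ip and t <= blocked_at)
    return len(arrivals)  # nobody crossed a limit


# Constructed flood: one "dorm" host sending one message per second.
FLOOD = [(second, "192.0.2.200") for second in range(5000)]

if __name__ == "__main__":
    for delay in (0, 600):
        print(delay, accepted_before_block(FLOOD, RULES, delay))
```

[With this constructed flood, counting at arrival time lets 101 messages in before the block, while counting ten minutes late lets 701 in, which is the gap the message describes.]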
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:22 2006
Subject: Notes on new IPBlock code, 4.25-11
In-Reply-To:
Message-ID:

Hi!

> machine came alive at 00:01:32 last night. With a config limit of 100
> messages/hour, the machine was IPBlocked at 00:14:07, with 6 subsequent
> connections blocked out. But, the rogue machine had flooded my mqueue.in
> with several thousand messages in those 13 minutes, and it took nearly
> two hours for this flood to be processed by my server. A lot of these
> messages were subsequently deleted as high-spam by Spamassassin and MS,
> or doublebounced, or were blocked by AOL (the target site). Some got
> delivered. The tsunami of spam was already on my mail server by the
> time MS shut the door, since IPBlock is run last in the MS process.

That's due to Swen. But you could fight Swen. I assume you have currently
the MX functions for your server AND the smtp relay function on the same
box? Swen does a MX lookup and starts to blow mail. If you want to stop
this, separate the MX and SMTP function. If your MX -ONLY- accepts mail
for @yourdomain.com it will -completely- block this crap. Since it's
always mail to external parties, most of them AOL.COM and that won't pass
the rules of your MX, since it's not TO: @yourdomain.

I didn't see a single AOL Swen thing pass since we altered our configs.
Load dropped with around 1M messages a day, so I guess AOL was pretty
happy when we activated the changes.

Bye,
Raymond.

From raymond at PROLOCATION.NET Mon Dec 1 19:58:16 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:22 2006
Subject: Notes on new IPBlock code, 4.25-11
In-Reply-To:
Message-ID:

Hi!

> connections blocked out. But, the rogue machine had flooded my mqueue.in
> with several thousand messages in those 13 minutes, and it took nearly
> two hours for this flood to be processed by my server. A lot of these
> messages were subsequently deleted as high-spam by Spamassassin and MS,
> or doublebounced, or were blocked by AOL (the target site). Some got
> delivered. The tsunami of spam was already on my mail server by the
> time MS shut the door, since IPBlock is run last in the MS process.

Another thing you could do is use the simple script I have running. It
can clean out your in and your out queue, I made it for both sendmail
and exim. If you have an IP in your accesslist with DENY it will lookup
the files of that sender and delete the according q* and d* files
automatically. That will clean your queue for the offending IPs amazingly
fast. :) If you process the queue most likely you will end up in AOL's
spamblock in a few days.

If people are interested I can mail it.

Bye,
Raymond.

From damin at NACS.NET Mon Dec 1 20:00:40 2003
From: damin at NACS.NET (Greg Boehnlein) Date: Thu Jan 12 21:21:22 2006 Subject: Notes on new IPBlock code, 4.25-11 In-Reply-To: Message-ID: On Mon, 1 Dec 2003, Raymond Dijkxhoorn wrote: > Hi! > > > connections blocked out. But, the rogue machine had flooded my mqueue.in > > with several thousand messages in those 13 minutes, and it took nearly > > two hours for this flood to be processed by my server. A lot of these > > messages were subsequently deleted as high-spam by Spamassassin and MS, > > or doublebounced, or were blocked by AOL (the target site). Some got > > delivered. The tsunami of spam was already on my mail server by the > > time MS shut the door, since IPBlock is run last in the MS process. > > Another thing you could do is use the simple script i have running. It > can clean out your in and your out queue, i made it for bot h sendmail > and exim. If you have a IP in your accesslist with DENY it will lookup > the files of that sender and delete the according q* and d* files > automaticly. That will clean your queue for the offending IPs amazingly > fast. :) If you proceess the queue most likely you will end up in AOLs > spamblock in a few days. > > If people are interested i can mail it. I am interested. Send it to me off list, or be a Pal and post a link to the list so everyone can share in the fun! :) -- Vice President of N2Net, a New Age Consulting Service, Inc. Company http://www.n2net.net Where everything clicks into place! KP-216-121-ST From ccampbell at BRUEGGERS.COM Mon Dec 1 20:26:40 2003 
From: ccampbell at BRUEGGERS.COM (Christian Campbell) Date: Thu Jan 12 21:21:22 2006 Subject: Upgrade Advice Message-ID: > >Should I do a RPM upgrade on MS, uninstall the SA RPM and > reinstall the new > >version of SA from source? Or, is there a better way to go > about this? > >Does it matter which order I do this in? > > > > I upgraded my own production servers today and it went okay :-) Should I uninstall the perl-Mail-SpamAssassin-2.55-rh8.1.i386.rpm package along with the spamassassin and spamassassin-tools packages? Thanks, Christian Christian P. Campbell Systems Engineer Information Technology Department Bruegger's Enterprises Desk: (802) 652-9270 Cell: (802) 734-5023 Email: ccampbell at brueggers dot com Registered Linux User #319324 PGP public key available via PGP keyservers or http://www2.brueggers.com/pgp/ccampbell.html "We all know Linux is great...it does infinite loops in 5 seconds." -- Linus Torvalds From mailscanner at ecs.soton.ac.uk Mon Dec 1 20:30:58 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:22 2006 Subject: Upgrade Advice In-Reply-To: References: Message-ID: <6.0.1.1.2.20031201203015.027e4a88@imap.ecs.soton.ac.uk> At 20:26 01/12/2003, you wrote: > > >Should I do a RPM upgrade on MS, uninstall the SA RPM and > > reinstall the new > > >version of SA from source? Or, is there a better way to go > > about this? > > >Does it matter which order I do this in? > > > > > > > I upgraded my own production servers today and it went okay :-) > >Should I uninstall the perl-Mail-SpamAssassin-2.55-rh8.1.i386.rpm package >along with the spamassassin and spamassassin-tools packages? Yes, definitely. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From michele at BLACKNIGHTSOLUTIONS.COM Mon Dec 1 20:29:48 2003 
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:21:22 2006 Subject: Upgrade Advice In-Reply-To: Message-ID: Depends on how you plan to replace them :) If you run rpm -Uvh it should upgrade them Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9139897 Lowest price domains in Ireland > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Christian Campbell > Sent: 01 December 2003 20:27 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Upgrade Advice > > > > >Should I do a RPM upgrade on MS, uninstall the SA RPM and > > reinstall the new > > >version of SA from source? Or, is there a better way to go > > about this? > > >Does it matter which order I do this in? > > > > > > > I upgraded my own production servers today and it went okay :-) > > Should I uninstall the perl-Mail-SpamAssassin-2.55-rh8.1.i386.rpm package > along with the spamassassin and spamassassin-tools packages? > > Thanks, > > Christian > > > Christian P. Campbell > Systems Engineer > Information Technology Department > Bruegger's Enterprises > Desk: (802) 652-9270 > Cell: (802) 734-5023 > Email: ccampbell at brueggers dot com > Registered Linux User #319324 > > PGP public key available via PGP keyservers > or http://www2.brueggers.com/pgp/ccampbell.html > > > "We all know Linux is great...it does infinite loops in 5 > seconds." -- Linus > Torvalds > From mike at TC3NET.COM Mon Dec 1 20:19:33 2003 
From: mike at TC3NET.COM (Michael Baird) Date: Thu Jan 12 21:21:22 2006 Subject: Notes on new IPBlock code, 4.25-11 In-Reply-To: References: Message-ID: <1070309973.752.23.camel@mike-new2.tc3net.com> I run a cron script, based on software from 1997 that I found that was called "SpamShield", I run this every 3 minutes it counts the amount of recipients in that span, and if they are over the threshhold I've set it ads the deny. I realized this would be a problem to do in mailscanner, because the mail is received before mailscanner calculates it's statistics. I would expect the MailScanner blocks to be more effective as long term throttles, rather then instant spam flood stops. The MailStats.pl guy has something similar to the script I use to stop these spam storms, his might be more ready for other users then mine. Regards MIKE > Gang, > > Julian introduced a newer, faster, cooler version of IPBlock > (see CustomConfig.pm) in version 4.25-11. The new version allows > you to dynamically block connections from rogue/spam machines in > your sendmail access.db file in real time. IPBlock counts mail > messages (good, bad, spam) from IP numbers, tracks these connection > numbers in a DB file, and modifies your sendmail access.db file > if the number of connections exceeds thresholds that you configure. > > The major new feature in IPBlock is that the config file understands CIDR > netblocks, so you can set different thresholds for different netblocks. > You can literally "rule the world" with about 30 lines in your config > file, see: > > http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/239.html > > for the details of how I set up things at my site. I have been running > with this ruleset for about a week now, plus additional rulesets for > my own domain -- admin offices get one setting and dorm rooms get a > lower setting. 
I had asked Julian a couple of weeks ago if IPBlock could > user Net::CIDR because my site has been getting hit with student computers > that contain spam trojans. Julian graciously modified IPBlock to use > CIDR and I tested it last week. When a spam trojan fires off, it can bury > my mail server very quickly. IPBlock gives me a tool to fight this. > > The Good News and Bad News... Good News: The new IPBlock works as > advertised. It will modify access.db and block a rogue site according > to the config file, and the CIDR configs work. The Bad News: not that > much happens, even with very low settings for my dorm networks, and my > "world domination" CIDR settings for the planet. In one week, only three > off-campus sites ended up in the access.db file, with zero emails actually > blocked after the access.db changes. > > Last night was the acid test with an on-campus spam trojan. The rogue > machine came alive at 00:01:32 last night. With a config limit of 100 > messages/hour, the machine was IPBlocked at 00:14:07, with 6 subsequent > connections blocked out. But, the rogue machine had flooded my mqueue.in > with several thousand messages in those 13 minutes, and it took nearly > two hours for this flood to be processed by my server. A lot of these > messages were subsequently deleted as high-spam by Spamassassin and MS, > or doublebounced, or were blocked by AOL (the target site). Some got > delivered. The tsunami of spam was already on my mail server by the > time MS shut the door, since IPBlock is run last in the MS process. > > Summary: IPBlock is useful against spam trojans, but not as useful as > I had hoped. YMMV. > > Sendmail Note: sendmail 8.13.0 is on the horizon, see > > http://www.sendmail.org/8.13.0.PreAlpha4.html > > One new feature buried there is connection rate control, see the ChangeLog. > This may aid in blocking rogue machines too. > > --- Jeff Earickson > Colby College > From ccampbell at BRUEGGERS.COM Mon Dec 1 20:39:13 2003 
From: ccampbell at BRUEGGERS.COM (Christian Campbell)
Date: Thu Jan 12 21:21:22 2006
Subject: Upgrade Advice
Message-ID:

> Also, note that Net::CIDR is a new dependency, so you may want to
>         perl -MCPAN -e shell
>         install Net::CIDR
> before you start doing anything. If that install command
> looks like it is
> downloading perl itself, thump Ctrl-C quickly and bail out.
> You will find
> the source of Net::CIDR under ~root/.cpan/build and you can
> build it from
> there without it trying to install Perl 5.8.2!

Output of "install Net::CIDR" :

----%< snip %<----
Checking if your kit is complete...
Looks good
Writing Makefile for Net::CIDR
make: *** Warning: File `Makefile.PL' has modification time in the future (2003 11-18 19:22:55 > 2003-10-22 10:31:19)
Makefile out-of-date with respect to Makefile.PL
Cleaning current config before rebuilding Makefile...
/usr/bin/make -f Makefile.old clean > /dev/null 2>&1 || /bin/sh -c true
/usr/bin/perl Makefile.PL
Checking if your kit is complete...
Looks good
Writing Makefile for Net::CIDR
==> Your Makefile has been rebuilt. <==
==> Please rerun the make command. <==
false
make: *** [Makefile] Error 1
  /usr/bin/make -- NOT OK
Running make test
  Can't test without successful make
Running make install
  make had returned bad status, install seems impossible
----%< snip %<----

Any ideas?

Christian

From kodak at FRONTIERHOMEMORTGAGE.COM Mon Dec 1 21:01:54 2003
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki)
Date: Thu Jan 12 21:21:22 2006
Subject: Upgrade Advice
In-Reply-To:
Message-ID: <00f601c3b84e$59b99400$0501a8c0@darkside>

[snip]
>make: *** Warning: File `Makefile.PL' has modification time in
>the future
>(2003
>11-18 19:22:55 > 2003-10-22 10:31:19)
[snip]

Looks like your system date is off, if I'm reading this correctly.
Your system thinks it's October 22.

--J(K)

From mailscanner at ecs.soton.ac.uk Mon Dec 1 21:08:54 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:22 2006 Subject: Upgrade Advice In-Reply-To: References: Message-ID: <6.0.1.1.2.20031201210828.027a20a0@imap.ecs.soton.ac.uk> At 20:39 01/12/2003, you wrote: > > Also, note that Net::CIDR is a new dependency, so you may want to > > perl -MCPAN -e shell > > install Net::CIDR > > before you start doing anything. If that install command > > looks like it is > > downloading perl itself, thump Ctrl-C quickly and bail out. > > You will find > > the source of Net::CIDR under ~root/.cpan/build and you can > > build it from > > there without it trying to install Perl 5.8.2! > >Output of "install Net::CIDR" : > >----%< snip %<---- >Checking if your kit is complete... > >Looks good > >Writing Makefile for Net::CIDR > >make: *** Warning: File `Makefile.PL' has modification time in the future >(2003 >11-18 19:22:55 > 2003-10-22 10:31:19) Why does your machine think it is currently the 22nd of October? >Makefile out-of-date with respect to Makefile.PL > >Cleaning current config before rebuilding Makefile... > >/usr/bin/make -f Makefile.old clean > /dev/null 2>&1 || /bin/sh -c true > >/usr/bin/perl Makefile.PL > >Checking if your kit is complete... > >Looks good > >Writing Makefile for Net::CIDR > >==> Your Makefile has been rebuilt. <== > >==> Please rerun the make command. <== > >false > >make: *** [Makefile] Error 1 > > /usr/bin/make -- NOT OK > >Running make test > > Can't test without successful make > >Running make install > > make had returned bad status, install seems impossible > >----%< snip %<---- > >Any ideas? > >Christian -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscan at PRIS.CA Mon Dec 1 23:24:48 2003 
From: mailscan at PRIS.CA (MailScanner Mailbox) Date: Thu Jan 12 21:21:22 2006 Subject: MS not logging in Solaris 9 (solved) In-Reply-To: <3FB9552E.90908@ucgbook.com> Message-ID: Hello Julian Thanks greatly for MS 4.25-13 , logging now works as it should. Great Work! Rick On Tue, 18 Nov 2003, Peter Bonivart wrote: > I'm sorry, but I don't think I can help since everything has worked > right out of the box for me for several versions. I have not changed > anything regarding logging in Solaris or MS. I have read about Solaris > log problems on this list a few times before but never had those > problems myself so I didn't pay much attention. Have you searched the > archives? > > I'm still on 4.23 though, maybe it's a new problem. I'm gonna test the > latest beta on my test system this week, I will post if I have a problem > but Julian can probably help you right away. I can't post from work but > if your problem is not solved tomorrow I will post my log configs this > time tomorrow from home for comparison. > > /Peter Bonivart > > --Unix lovers do it in the Sun > > Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.23-11, > SpamAssassin 2.60 + DCC 1.2.9, ClamAV 20030829 > > MailScanner Mailbox wrote: > > Hello All specifically Peter or other Solaris 9 users > > > > As well as the other problems I am having (patching Mimetools etc) > > > > I have downloaded the latest beta of MS in my hopes of getting something > > to work. I no longer get the errors while in Debug Mode (Yeah Julian) > > however I am not getting any logging at all. Not with the beta version, > > the stable version, or the production version I have running on a Solaris8 > > box. > > > > I do have the following in syslog.conf: mail.debug /var/maillog same as on > > my production box. I know MailScanner is running as I get a postmaster > > message when sending the eicar test virus through. 
> > > > So I figured as you are running Solaris 9 perhaps you may have some > > insight as to why I have no logging > From jfraley at glenraven.com Mon Dec 1 21:13:30 2003 From: jfraley at glenraven.com (Jon Fraley) Date: Thu Jan 12 21:21:22 2006 Subject: install Mail::ClamAV Message-ID: <1070313210.2087.9.camel@jfraleyx.glenraven.com> I just upgraded to MS-4.25-13 and installed clamav-0.65. I was following the directions on installing Mail::ClamAV and got this: Recursive dependency detected: Mail::ClamAV => S/SA/SABECK/Mail-ClamAV-0.04.tar.gz => Inline => I/IN/INGY/Inline-0.44.tar.gz => Digest::MD5 => G/GA/GAAS/Digest-MD5-2.31.tar.gz => Digest::base => G/GA/GAAS/Digest-1.04.tar.gz => Digest::MD5. Cannot continue. How can I proceed at this point? Thanks, Jon From mkettler at EVI-INC.COM Mon Dec 1 21:42:42 2003 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:21:23 2006 Subject: install Mail::ClamAV In-Reply-To: <1070313210.2087.9.camel@jfraleyx.glenraven.com> References: <1070313210.2087.9.camel@jfraleyx.glenraven.com> Message-ID: <6.0.0.22.0.20031201163705.02da9078@xanadu.evi-inc.com> At 04:13 PM 12/1/2003, Jon Fraley wrote: >How can I proceed at this point? You try using Digest-1.05 instead of 1.04. 2003-12-01 Gisle Aas Release 1.05 Drop Digest::MD5 dependency. Avoids circular dependency now that Digest::MD5 depend on this package to inherit Digest::base. Included a section about digest speed with benchmark results for some implementations of this API. From Denis.Beauchemin at USHERBROOKE.CA Mon Dec 1 22:00:04 2003 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:21:23 2006 Subject: McAfee doesn't time out Message-ID: <1070316003.3002.209.camel@dbeauchemin.sti.usherbrooke.ca> Hello, One of my 3 MS servers (Red Hat Linux release 7.3) occasionally gets stuck on one uvscan call. I've never seen this on my 2 other MS servers (same specs). I just killed one uvscan that was started about 45 minutes ago. My MS (mailscanner-4.23-11) is configured this way: Max Children = 5 Virus Scanner Timeout = 300 Virus Scanners = mcafee I run uvscan: Scan engine v4.2.40 for Linux. Virus data file v4306 created Nov 26 2003 Any idea what might be causing this? When it happens the CPU goes through the roof and the machine slows significantly. Thanks again! Denis -- Denis Beauchemin, analyste Universit? de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From sevans at FOUNDATION.SDSU.EDU Mon Dec 1 22:52:26 2003 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:21:23 2006 Subject: Message Backups and Spam Checks Message-ID: <3A411846CD3C0D4CB3D8704F93735370646C@be-00.foundation.sdsu.edu> I had a lot of problems with backed up mail today. CPU usage was low, and there was plenty of free memory. When I changed MailScanner.conf to Spam Checks = no it quickly processed all the queued mail. So I assume that one of the net checks (RBL, Razor, or DCC) was causing problems. My question is how can I tell when one of the net checks is causing problems and how can I tell which one? Steve Evans SDSU Foundation From Kevin_Miller at CI.JUNEAU.AK.US Mon Dec 1 23:19:47 2003 From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:21:23 2006 Subject: Message Backups and Spam Checks Message-ID: <08146035CA49D6119A36009027AC822A0264EABA@CITY-EXCH-NTS> >-----Original Message----- 
>From: Steve Evans [mailto:sevans@FOUNDATION.SDSU.EDU] >Sent: Monday, December 01, 2003 1:52 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Message Backups and Spam Checks > > >I had a lot of problems with backed up mail today. CPU usage was low, >and there was plenty of free memory. When I changed >MailScanner.conf to >Spam Checks = no it quickly processed all the queued mail. So I assume >that one of the net checks (RBL, Razor, or DCC) was causing problems. >My question is how can I tell when one of the net checks is causing >problems and how can I tell which one? I see a lot of timeouts for spamcop today - maybe the DOS attack boys are at it again. I noticed mine in /var/log/warn (SuSE)... ...Kevin ------------------- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From fmedery at VIDEOTRON.CA Tue Dec 2 00:28:28 2003 From: fmedery at VIDEOTRON.CA (=?ISO-8859-1?Q?Fr=E9d=E9ric_M=E9dery?=) Date: Thu Jan 12 21:21:23 2006 Subject: question about spambydomain Message-ID: <1070324907.3182.12.camel@bastion> Hello ML Users, We use the spambydmain function inside MailScanner.conf (with Customconfig.pm). My whitelist and blacklist folders contain : default file several domain files and several user@domain files. My questions are How does MS select those rules : is user@domain overwrite default and domain files ? What if a user is inside the default file inside blacklist and inside a user whitelist ? thanks ! From markcism at DOST.GOV.PH Tue Dec 2 01:10:57 2003 
From: markcism at DOST.GOV.PH (Mark Hernandez)
Date: Thu Jan 12 21:21:23 2006
Subject: receiving mails with executable.
Message-ID:

hi all,

I'm using Postfix on a Freebsd 4.8 O.S. and choose mailscanner to add
features on my production mail server. Unfortunately, having the email up.

I've tested to send mails from my internal network to yahoo.com and vice
versa and the results were bad. It's not filtering emails with executable.

conf of my Mailscanner
Filename Rules = %rules-dir%/filename.rules
Filetype Rules = %rules-dir%/filetype.rules

where rulesdir is
%rules-dir% = /usr/local/etc/MailScanner/rules
and etc-dir is
%etc-dir% = /usr/local/etc/MailScanner

content of filename.rules
FromOrTo: default %etc-dir%/filename.rules.conf

content of filetype.rules
FromOrTo: default %etc-dir%/filetype.rules.conf

I'm using the default of filename and filetype.rules.conf.

Still, I can receive/send attachments from/to outside .

I am checking activities on /var/log/maillog and /var/log/messages
but can seem to determine what's wrong.

Pls. help..

Tnx,

Mark

--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/

From martyn at invictawiz.com Tue Dec 2 07:37:37 2003
From: martyn at invictawiz.com (InvictaWiz Customer Support) Date: Thu Jan 12 21:21:23 2006 Subject: maps-rbl+ In-Reply-To: <3FCB4CA5.1010208@itss.nerc.ac.uk> Message-ID: Why should homeworkers generate failures through the dial-up list? If they send their email through their ISP's mail server, their email should not be treated any different to an email from any other source as once it arrives at your server it will have come from a "propper" MX'd mail server. The dialup "problem" arises if the client is using a mailserver of their own on a dialup account that does not have an MX record assigned. This is the reason for the existence of the list of dialup ips as it used to be a common method for junk emailers to send out email. I suspect your false positive problem is from mis-configuration somewhere on your own network, not on the clients. Martyn Routley ----------------------------------------------------------------- InvictaWiz - The Internet in Plain English, Guaranteed http://www.invictawiz.com martyn@invictawiz.com phone: 08707 440180 fax: 08707 440181 Ask us about our online Antivirus and Junk mail scanning service. Ask us how you could save money on your telephone bill. ----------------------------------------------------------------- -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Ron Campbell Sent: 01 December 2003 14:14 To: MAILSCANNER@JISCMAIL.AC.UK Subject: maps-rbl+ This is probably not of interest to those who are not in ac.uk The MAPS-RBL+ list is actually the union of 4 separate lists (RBL, DUL, RSS and OPS). For details, see http://www.ja.net/CERT/JANET-CERT/mail/mail-abuse/rbl-plus-guide.html#available One of these - the "dial-up list" is probably our main reason for SPAM "false positives" at the moment. This is usually down to people working from home via an ISP. Is it possible to configure MS to use only some of the individual MAPS-RBL+ lists ? Or should we just give up on these lists and rely on SpamAssassin - all the "false positives" which I have seen, have negative SA scores so it is clearly getting these right. Of course, there will be other cases which the lists get right and SA misses ? Thanks ... Ron ----------------------------------------------------------------------------- This message has been scanned for viruses and dangerous content by the http://www.anti84787.com MailScanner, and is believed to be clean. ----------------------------------------------------------------------------- From P.G.M.Peters at utwente.nl Tue Dec 2 08:20:10 2003 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:21:23 2006 Subject: Notes on new IPBlock code, 4.25-11 In-Reply-To: References: Message-ID: On Mon, 1 Dec 2003 15:00:40 -0500, you wrote: >> If people are interested i can mail it. > >I am interested. Send it to me off list, or be a Pal and post a link to >the list so everyone can share in the fun! :) I would like it too. So a link would help everybody. -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From gdoris at ROGERS.COM Tue Dec 2 08:24:46 2003 
From: gdoris at ROGERS.COM (Gerry Doris) Date: Thu Jan 12 21:21:23 2006 Subject: Changelog for 4.25-13? Message-ID: I must of missed the message about announcing 4.25-13. Exactly what was changed from 4.25-12? -- Gerry "The lyfe so short, the craft so long to learne" Chaucer From raymond at PROLOCATION.NET Tue Dec 2 08:30:08 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:23 2006 Subject: Notes on new IPBlock code, 4.25-11 In-Reply-To: Message-ID: Hi! > >> If people are interested i can mail it. > > > >I am interested. Send it to me off list, or be a Pal and post a link to > >the list so everyone can share in the fun! :) > > I would like it too. So a link would help everybody. The code is quick and dirty, i dont think its worth posting (yet) :) I will mail it to the people who requested it, and work on a clean version the next days. The exim version is pretty much cleaned up allready, that one i can post somewhere. Bye, Raymond. From raymond at PROLOCATION.NET Tue Dec 2 08:31:15 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:23 2006 Subject: Changelog for 4.25-13? In-Reply-To: Message-ID: Hi! > I must of missed the message about announcing 4.25-13. Exactly what was > changed from 4.25-12? The Monkeys list was removed from the default config. Bye, Raymond. From mailscanner at ecs.soton.ac.uk Tue Dec 2 08:45:21 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:23 2006 Subject: question about spambydomain In-Reply-To: <1070324907.3182.12.camel@bastion> References: <1070324907.3182.12.camel@bastion> Message-ID: <6.0.1.1.2.20031202083427.039a4ea8@imap.ecs.soton.ac.uk> user@domain over-rides domain which over-rides default. At 00:28 02/12/2003, you wrote: >Hello ML Users, >We use the spambydmain function inside MailScanner.conf (with >Customconfig.pm). > >My whitelist and blacklist folders contain : >default file >several domain files >and several user@domain files. > >My questions are How does MS select those rules : >is user@domain overwrite default and domain files ? >What if a user is inside the default file inside blacklist and inside a >user whitelist ? > > >thanks ! -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Dec 2 08:46:51 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:23 2006 Subject: Changelog for 4.25-13? In-Reply-To: References: Message-ID: <6.0.1.1.2.20031202084624.035fbf90@imap.ecs.soton.ac.uk> Removed "Infinite-Monkeys" from the list of "Spam List =" settings in the default MailScanner.conf file. At 08:24 02/12/2003, you wrote: >I must of missed the message about announcing 4.25-13. Exactly what was >changed from 4.25-12? > >-- >Gerry > >"The lyfe so short, the craft so long to learne" Chaucer -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Dec 2 08:45:53 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:23 2006 Subject: receiving mails with executable. In-Reply-To: References: Message-ID: <6.0.1.1.2.20031202084537.03c21008@imap.ecs.soton.ac.uk> At 01:10 02/12/2003, you wrote: >hi all, > >Im using Postfix on a Freebsd 4.8 O.S. and choose mailscanner to add >features >on my production mail server. Unfortunately, having the email up. > >Ive tested to send mails from my internal network to yahoo.com and vice >versa >and the results were bad. Its not filtering emails with executable. > >conf of my Mailscanner >Filename Rules = %rules-dir%/filename.rules >Filetype Rules = %rules-dir%/filetype.rules > >where rulesdir is >%rules-dir% = /usr/local/etc/MailScanner/rules >and etc-dir is >%etc-dir% = /usr/local/etc/MailScanner > >content of filename.rules >FromOrTo: default %etc-dir%/filename.rules.conf You can't use %% variables in rulesets, only in MailScanner.conf. >content of filetype.rules >FromOrTo: default %etc-dir%/filetype.rules.conf > >Im using the default of filename and filetype.rules.conf. > >Still, I can receive/send attachments from/to outside . > >I am checking activities on /var/log/maillog and /var/log/messages >but can seem to determine whats wrong. > >Pls. help.. > >Tnx, > >Mark > > > > >-- >Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/ -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From andersjk at SOL-INVICTUS.ORG Tue Dec 2 09:07:41 2003 
From: andersjk at SOL-INVICTUS.ORG (Kevin Anderson) Date: Thu Jan 12 21:21:23 2006 Subject: Notes on new IPBlock code, 4.25-11 In-Reply-To: Message-ID: I actually wrote a script that parses the mail log script looking for tell tale signs of a dictionary attack (yes I like reinventing the wheel mainly for my own lack of programming talent that needs refreshing :) it looks for grep "\.\.\. User unknown" then grep "lost input channel" which then gets the sendmail tag hxxxxxxxxxx from that I get a ip address which then chucks it into the access database, at the moment there are 50k ip's in there... would anyone like this db? I also log the ip addresses, culprits like comcast, rr.com, wanadoo.fr and a lot more show up. The program runs every hour from cron. thanks, kevin anderson On Mon, 1 Dec 2003, Jeff A. Earickson wrote: > Gang, > > Julian introduced a newer, faster, cooler version of IPBlock > (see CustomConfig.pm) in version 4.25-11. The new version allows > you to dynamically block connections from rogue/spam machines in > your sendmail access.db file in real time. IPBlock counts mail > messages (good, bad, spam) from IP numbers, tracks these connection > numbers in a DB file, and modifies your sendmail access.db file > if the number of connections exceeds thresholds that you configure. > > The major new feature in IPBlock is that the config file understands CIDR > netblocks, so you can set different thresholds for different netblocks. > You can literally "rule the world" with about 30 lines in your config > file, see: > > http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/239.html > > for the details of how I set up things at my site. I have been running > with this ruleset for about a week now, plus additional rulesets for > my own domain -- admin offices get one setting and dorm rooms get a > lower setting. 
I had asked Julian a couple of weeks ago if IPBlock could > user Net::CIDR because my site has been getting hit with student computers > that contain spam trojans. Julian graciously modified IPBlock to use > CIDR and I tested it last week. When a spam trojan fires off, it can bury > my mail server very quickly. IPBlock gives me a tool to fight this. > > The Good News and Bad News... Good News: The new IPBlock works as > advertised. It will modify access.db and block a rogue site according > to the config file, and the CIDR configs work. The Bad News: not that > much happens, even with very low settings for my dorm networks, and my > "world domination" CIDR settings for the planet. In one week, only three > off-campus sites ended up in the access.db file, with zero emails actually > blocked after the access.db changes. > > Last night was the acid test with an on-campus spam trojan. The rogue > machine came alive at 00:01:32 last night. With a config limit of 100 > messages/hour, the machine was IPBlocked at 00:14:07, with 6 subsequent > connections blocked out. But, the rogue machine had flooded my mqueue.in > with several thousand messages in those 13 minutes, and it took nearly > two hours for this flood to be processed by my server. A lot of these > messages were subsequently deleted as high-spam by Spamassassin and MS, > or doublebounced, or were blocked by AOL (the target site). Some got > delivered. The tsunami of spam was already on my mail server by the > time MS shut the door, since IPBlock is run last in the MS process. > > Summary: IPBlock is useful against spam trojans, but not as useful as > I had hoped. YMMV. > > Sendmail Note: sendmail 8.13.0 is on the horizon, see > > http://www.sendmail.org/8.13.0.PreAlpha4.html > > One new feature buried there is connection rate control, see the ChangeLog. > This may aid in blocking rogue machines too. 
> > --- Jeff Earickson > Colby College > -- @ _____________________________________________ chaos, panic and disorder... my job is done... From smilga at MIKROTIK.COM Tue Dec 2 10:30:59 2003 From: smilga at MIKROTIK.COM (Martins Smilga) Date: Thu Jan 12 21:21:23 2006 Subject: Mailscanner with Debian 3 testing References: <052b01c3b803$01c0c890$a500010a@martinsss> <6.0.0.22.0.20031201093927.0251e1f0@mail.enhtech.com> Message-ID: <030101c3b8bf$607db020$a500010a@martinsss> I installed mailscanner through aptitude and started reading /usr/share/doc/mailscanner but didn't find anything useful. I started reading on the internet >(http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml) I made directory and stop at script, I can find where to change it. Maybe there is another way to get mailscanner working with sendmail in Debian. Martins ----- Original Message ----- From: "Errol Neal" To: Sent: Monday, December 01, 2003 4:39 PM Subject: Re: Mailscanner with Debian 3 testing > At 07:02 AM 12/1/2003, Martins Smilga wrote: > >Hello, > > > >Maybe someone has experience with how to install mailscanner on Debian > >testing version. > > > >I have SpamAssassin + Sendmail. > > > >I installed mailscanner from aptitude, > >I can not find any detailed documentation how to install mailscanner on > >Debian with sendmail. > >(http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml) > >I can find where I can change these settings (script). > > > >Maybe there is another way to set up mailscanner + Debian + sendmail > > > > > >Martins > > > > Exactly what are you having problems with? > > > Errol Neal From Kevin.Hansard at IPLBATH.COM Tue Dec 2 10:51:41 2003 
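The log correlation Kevin Anderson describes in the IPBlock thread above (find "... User unknown", find "lost input channel", join the two on the sendmail queue id to get the client IP), as an added Python example; it is not his script. The log lines are constructed in the shape of sendmail syslog output, and the threshold, the allow-list of networks that must never be blocked, and the REJECT action written to the access map are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines (documentation IP ranges, made-up queue ids).
SAMPLE_LOG = """\
Dec  2 09:00:01 mx sendmail[101]: hB2AAAAA000001: <aaron@example.org>... User unknown
Dec  2 09:00:01 mx sendmail[101]: hB2AAAAA000001: <abby@example.org>... User unknown
Dec  2 09:00:02 mx sendmail[101]: hB2AAAAA000001: <adam@example.org>... User unknown
Dec  2 09:00:02 mx sendmail[101]: hB2AAAAA000001: lost input channel from [203.0.113.7] to MTA after rcpt
Dec  2 09:05:10 mx sendmail[102]: hB2AAAAB000002: <alan@example.org>... User unknown
Dec  2 09:05:10 mx sendmail[102]: hB2AAAAB000002: <alex@example.org>... User unknown
Dec  2 09:05:11 mx sendmail[102]: hB2AAAAB000002: lost input channel from host.example.net [203.0.113.7] to MTA after rcpt
Dec  2 09:06:00 mx sendmail[103]: hB2AAAAC000003: <typo@example.org>... User unknown
Dec  2 09:06:01 mx sendmail[103]: hB2AAAAC000003: lost input channel from [198.51.100.20] to MTA after rcpt
Dec  2 09:07:00 mx sendmail[104]: hB2AAAAD000004: <a@example.org>... User unknown
Dec  2 09:07:00 mx sendmail[104]: hB2AAAAD000004: <b@example.org>... User unknown
Dec  2 09:07:00 mx sendmail[104]: hB2AAAAD000004: <c@example.org>... User unknown
Dec  2 09:07:00 mx sendmail[104]: hB2AAAAD000004: <d@example.org>... User unknown
Dec  2 09:07:01 mx sendmail[104]: hB2AAAAD000004: lost input channel from [192.0.2.25] to MTA after rcpt
Dec  2 09:08:00 mx sendmail[105]: hB2AAAAE000005: <e@example.org>... User unknown
""".splitlines()

UNKNOWN_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>[0-9A-Za-z]+): .*\.\.\. User unknown")
LOST_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>[0-9A-Za-z]+): lost input channel from "
    r".*?\[(?P<ip>[0-9.]+)\]")


def find_dictionary_attackers(lines, threshold=3, allow=()):
    """Return {ip: unknown-recipient count} for IPs at or over the threshold.

    A queue id only counts when it has both an unknown-user rejection and a
    lost-input-channel line; the latter is where the IP comes from.
    """
    unknown_per_qid = Counter()
    ip_of_qid = {}
    for line in lines:
        m = UNKNOWN_RE.search(line)
        if m:
            unknown_per_qid[m["qid"]] += 1
            continue
        m = LOST_RE.search(line)
        if m:
            try:
                ip_of_qid[m["qid"]] = ipaddress.ip_address(m["ip"])
            except ValueError:
                pass  # malformed address in the log: ignore the line
    allowed = [ipaddress.ip_network(net) for net in allow]
    per_ip = Counter()
    for qid, count in unknown_per_qid.items():
        ip = ip_of_qid.get(qid)
        if ip is None or any(ip in net for net in allowed):
            continue  # no IP for this session, or an address we never block
        per_ip[str(ip)] += count
    return {ip: n for ip, n in per_ip.items() if n >= threshold}


def access_entries(offenders):
    """Format offenders as access-map source lines (REJECT is an assumption)."""
    return [f"{ip}\tREJECT"
            for ip in sorted(offenders, key=ipaddress.ip_address)]


if __name__ == "__main__":
    hits = find_dictionary_attackers(SAMPLE_LOG, allow=["192.0.2.0/24"])
    print("\n".join(access_entries(hits)))
```

Counting per IP across sessions rather than per queue id is what catches a client that spreads its guesses over several connections, and the allow-list keeps a single user's mistyped addresses on an internal relay from blocking that relay.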
From: Kevin.Hansard at IPLBATH.COM (Kevin Hansard) Date: Thu Jan 12 21:21:23 2006 Subject: Problem with subject tagging 4.25-13 Message-ID: I have upgraded from 4.24-5 to 4.25-13 and I am now experiencing a problem with the subject tagging of Spam messages. Most messages get the subject modified correctly. However, occasionally Mailscanner fails to replace the subject text, but instead adds another Subject header at the top. So I end up with two Subject headers and the recipient client uses the last, unmodified one. Microsoft Mail Internet Headers Version 2.0 Received: from xxx ([xx.xx.xx.xx]) by xxx.xxx.com with Microsoft SMTPSVC(5.0.2195.6713); Tue, 2 Dec 2003 09:48:00 +0000 Subject: *****SPAM***** Clean Colons chjpliapmkbp vfzp Received: from dhcp024-210-032-230.columbus.rr.com (dhcp024-210-032-230.columbus.rr.com [24.210.32.230]) by xxx (8.12.8/8.12.8) with SMTP id hB29lpBN025040 for ; Tue, 2 Dec 2003 09:47:53 GMT Received: from [113.48.195.3] by dhcp024-210-032-230.columbus.rr.com; Tue, 02 Dec 2003 14:45:55 +0500 Message-ID: 
From: "Cyril Patton" Reply-To: "Cyril Patton" To: rpc@iplbath.com Subject: Clean Colons chjpliapmkbp vfzp Date: Tue, 02 Dec 03 14:45:55 GMT X-Mailer: QUALCOMM Windows Eudora Version 5.1 MIME-Version: 1.0 Content-type: multipart/report; boundary="======18289==29249======" X-Priority: 3 X-MailScanner: Found to be clean X-MailScanner-SpamCheck: spam, SpamAssassin (score=28.654, required 5, BAYES_99 5.40, DATE_IN_FUTURE_03_06 1.93, DATE_SPAMWARE_Y2K 4.20, DCC_CHECK 2.91, FORGED_MUA_EUDORA 3.02, HTML_FONTCOLOR_RED 0.10, HTML_FONT_BIG 0.27, HTML_FONT_INVISIBLE 0.60, HTML_MESSAGE 0.10, MIME_HTML_NO_CHARSET 0.56, MIME_HTML_ONLY 0.32, MIME_HTML_ONLY_MULTI 1.10, MISSING_MIMEOLE 1.59, MISSING_OUTLOOK_NAME 0.10, PYZOR_CHECK 3.51, REMOVE_PAGE 0.50, REMOVE_REMOVAL_2WORD 1.95, RISK_FREE 0.50) X-OriginalArrivalTime: 02 Dec 2003 09:48:00.0748 (UTC) Has anyone got any ideas? I never had this problem with 4.24-5. Thanks Kevin Hansard --- From raymond at PROLOCATION.NET Tue Dec 2 11:04:48 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:23 2006 Subject: Problem with subject tagging 4.25-13 In-Reply-To: Message-ID: Hi! > Subject: *****SPAM***** Clean Colons chjpliapmkbp vfzp > Received: from dhcp024-210-032-230.columbus.rr.com > (dhcp024-210-032-230.columbus.rr.com [24.210.32.230]) > by xxx (8.12.8/8.12.8) with SMTP id hB29lpBN025040 > for ; Tue, 2 Dec 2003 09:47:53 GMT > Received: from [113.48.195.3] by dhcp024-210-032-230.columbus.rr.com; > Tue, 02 Dec 2003 14:45:55 +0500 > Message-ID: > From: "Cyril Patton" > Reply-To: "Cyril Patton" > To: rpc@iplbath.com > Subject: Clean Colons chjpliapmkbp vfzp I have seen this once, on 4.25-8 or something, but didnt see it again so didnt make any notice. I also wonder if the original message allready had a duplicate subject line. bye, Raymond. From miguelk at KONSULTEX.COM.BR Tue Dec 2 11:08:07 2003 
From: miguelk at KONSULTEX.COM.BR (Miguel Koren O'Brien de Lacy) Date: Thu Jan 12 21:21:23 2006 Subject: [OT] - Re: maps-rbl+ References: Message-ID: <3FCC7297.8010803@konsultex.com.br> Martyn; Part of the problem lies in defining what is actually a "dial up domain". I'm going through an extremely frustrating experience with the "gang" at MAPS to get the ip block my ISP uses out of their list. The real problem here lies in self righteous "businesses" that sell these "services" to others who trust them to have quality information while they put in all kinds of junk. My suggestion is to completely ignore any DUL lists in general and MAPS in particular. So far the "MAPS police" has made my company lose many hours of productive work by tracking down people at the ISP and at MAPS itself for their declared purpose of "educating" ISPs. I have fixed IPs and valid reverse DNS. I believe the gang itself needs quite a bit of education of various kinds first. Miguel InvictaWiz Customer Support wrote: >Why should homeworkers generate failures through the dial-up list? >If they send their email through their ISP's mail server, their email should not be treated any >different to an email from any other source as once it arrives at your server it will have come from >a "propper" MX'd mail server. > >The dialup "problem" arises if the client is using a mailserver of their own on a dialup account >that does not have an MX record assigned. This is the reason for the existence of the list of dialup >ips as it used to be a common method for junk emailers to send out email. > >I suspect your false positive problem is from mis-configuration somewhere on your own network, not >on the clients. > >Martyn Routley >----------------------------------------------------------------- >InvictaWiz - The Internet in Plain English, Guaranteed >http://www.invictawiz.com >martyn@invictawiz.com >phone: 08707 440180 >fax: 08707 440181 >Ask us about our online Antivirus and Junk mail scanning service. 
>Ask us how you could save money on your telephone bill. >----------------------------------------------------------------- > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Ron Campbell >Sent: 01 December 2003 14:14 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: maps-rbl+ > > >This is probably not of interest to those who are not in ac.uk > > >The MAPS-RBL+ list is actually the union of 4 separate lists (RBL, DUL, >RSS and OPS). > >For details, see > >http://www.ja.net/CERT/JANET-CERT/mail/mail-abuse/rbl-plus-guide.html#available > > > One of these - the "dial-up list" is probably our >main reason for SPAM "false positives" at the moment. This is usually > down to people working from home via an ISP. Is it possible >to configure MS to use only some of the individual MAPS-RBL+ lists ? > >Or should we just give up on these lists and rely on SpamAssassin - all >the "false positives" which I have seen, have negative SA scores so it >is clearly getting these right. Of course, there will be other cases >which the lists get right and SA misses ? > > Thanks ... Ron > > >----------------------------------------------------------------------------- >This message has been scanned for viruses and >dangerous content by the http://www.anti84787.com >MailScanner, and is believed to be clean. >----------------------------------------------------------------------------- > > > From mailscanner at ecs.soton.ac.uk Tue Dec 2 11:50:08 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:23 2006 Subject: ANNOUNCE: Bug fix release 4.25-14 Message-ID: <6.0.1.1.2.20031202114746.038328f0@imap.ecs.soton.ac.uk> I have just released 4.25-14. Due to Outlook's bizarre behaviour, I now have to check for a few nasty things in the Subject: line of messages, and clean it up a bit; hopefully in ways that you won't notice. There was a bug in 4.25-13 and previous versions which would cause the Subject: line to be doubled up rather than replaced with the clean version of it. I have now fixed this and re-released 4.25 as 4.25-14. Download from www.mailscanner.info Sorry for this one folks! :-( Jules. P.S. If you are up to manually replacing files, the only files changed to fix this are Message.pm and SweepContent.pm. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Dec 2 11:47:45 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:23 2006 Subject: Problem with subject tagging 4.25-13 In-Reply-To: References: Message-ID: <6.0.1.1.2.20031202114523.03832e10@imap.ecs.soton.ac.uk> This is indeed a problem in 4.25-13. You spotted it about 10 minutes before I did. It will cause problems with the Subject: line of delivered messages becoming doubled-up. Due to Outlook's bizarre behaviour, I now have to check for a few nasty things in the Subject: line of messages, and clean it up a bit; hopefully in ways that you won't notice. I have therefore just released 4.25-14 which fixed this problem. The only files which have changed are SweepContent.pm and Message.pm. At 11:04 02/12/2003, you wrote: >Hi! > > > Subject: *****SPAM***** Clean Colons chjpliapmkbp vfzp > > Received: from dhcp024-210-032-230.columbus.rr.com > > (dhcp024-210-032-230.columbus.rr.com [24.210.32.230]) > > by xxx (8.12.8/8.12.8) with SMTP id hB29lpBN025040 > > for ; Tue, 2 Dec 2003 09:47:53 GMT > > Received: from [113.48.195.3] by dhcp024-210-032-230.columbus.rr.com; > > Tue, 02 Dec 2003 14:45:55 +0500 > > Message-ID: > > From: "Cyril Patton" > > Reply-To: "Cyril Patton" > > To: rpc@iplbath.com > > Subject: Clean Colons chjpliapmkbp vfzp > >I have seen this once, on 4.25-8 or something, but didnt see it again so >didnt make any notice. I also wonder if the original message allready had >a duplicate subject line. > >bye, >Raymond. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From raymond at PROLOCATION.NET Tue Dec 2 12:28:52 2003 
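The doubled Subject: header discussed in this thread, as an added Python illustration; it is not MailScanner's code (the fix Julian describes is in the Perl files Message.pm and SweepContent.pm). It contrasts adding a tagged header with replacing the header in place, models a client that displays the last Subject: as Kevin Hansard reported, and checks for repeated headers that RFC 5322 allows only once. The sample message and all function names are constructed for this example.

```python
from collections import Counter
from email import message_from_string

# Constructed sample, shaped like the headers quoted in the thread.
RAW = (
    "Received: from relay.example.net by mx.example.org\n"
    'From: "Sender" <sender@example.net>\n'
    "To: user@example.org\n"
    "Subject: Clean Colons\n"
    "\n"
    "body\n"
)
TAG = "*****SPAM*****"

# Header fields that RFC 5322 allows at most once per message.
SINGLETONS = {"date", "from", "sender", "reply-to", "to", "cc", "bcc",
              "message-id", "in-reply-to", "references", "subject"}


def subjects(raw):
    """All Subject: values, in the order they appear in the message."""
    return message_from_string(raw).get_all("Subject", [])


def shown_by_last_wins_client(raw):
    """Model of a client that displays the last Subject: header."""
    found = subjects(raw)
    return found[-1] if found else None


def tag_by_adding(raw, tag=TAG):
    """The defect: a tagged Subject: goes on top, the original stays."""
    original = shown_by_last_wins_client(raw) or ""
    return f"Subject: {tag} {original}\n{raw}"


def tag_in_place(raw, tag=TAG):
    """Leave exactly one Subject:, at the position of the first one."""
    msg = message_from_string(raw)
    headers = msg.items()            # ordered (name, value) pairs
    original = shown_by_last_wins_client(raw) or ""
    for name in set(msg.keys()):
        del msg[name]                # removes every occurrence of the name
    written = False
    for name, value in headers:
        if name.lower() == "subject":
            if not written:
                msg["Subject"] = f"{tag} {original}".strip()
                written = True
            continue                 # drop any further Subject: headers
        msg[name] = value
    if not written:                  # message had no Subject: at all
        msg["Subject"] = tag
    return msg.as_string()


def duplicated_singletons(raw):
    """Names of once-only headers that occur more than once, with counts."""
    counts = Counter(k.lower() for k in message_from_string(raw).keys())
    return {k: n for k, n in counts.items() if k in SINGLETONS and n > 1}


if __name__ == "__main__":
    broken = tag_by_adding(RAW)
    print("scanner wrote :", subjects(broken)[0])
    print("client shows  :", shown_by_last_wins_client(broken))
    print("duplicates    :", duplicated_singletons(broken))
    print("after fix     :", subjects(tag_in_place(broken)))
```

Running `duplicated_singletons` over delivered mail is a cheap way to spot this class of problem: whenever the scanner and the mail client can disagree about which copy of a header counts, the tag or warning the scanner wrote may never reach the user.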
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:23 2006 Subject: ANNOUNCE: Bug fix release 4.25-14 In-Reply-To: <6.0.1.1.2.20031202114746.038328f0@imap.ecs.soton.ac.uk> Message-ID: Hi Julian, > I have just released 4.25-14. > > Due to Outlook's bizarre behaviour, I now have to check for a few nasty > things in the Subject: line of messages, and clean it up a bit; hopefully > in ways that you won't notice. > > There was a bug in 4.25-13 and previous versions which would cause the > Subject: line to be doubled up rather than replaced with the clean version > of it. > > I have now fixed this and re-released 4.25 as 4.25-14. I also noticed 4.26-1 arrived, whats the difference ? bye, Raymond. From Ulysees at ULYSEES.COM Tue Dec 2 12:32:04 2003 
From: Ulysees at ULYSEES.COM (Ulysees) Date: Thu Jan 12 21:21:23 2006 Subject: ClamAV module Message-ID: <000501c3b8d0$4aee1090$3201010a@nimitz> anybody else had trouble getting this working ? when I grab the module from cpan it seems to grumble about not being able to find clamav.h Should I be using a tarball of ClamAV instead of the RPM ? Uly cpan> install Mail::ClamAV Running install for module Mail::ClamAV Running make for S/SA/SABECK/Mail-ClamAV-0.04.tar.gz CPAN: Digest::MD5 loaded ok Checksum for /root/.cpan/sources/authors/id/S/SA/SABECK/Mail-ClamAV-0.04.tar.gz ok Scanning cache /root/.cpan/build for sizes Mail-ClamAV-0.04/ Mail-ClamAV-0.04/t/ Mail-ClamAV-0.04/t/virus.eml Mail-ClamAV-0.04/t/Mail-ClamAV.t Mail-ClamAV-0.04/README Mail-ClamAV-0.04/ClamAV.pm Mail-ClamAV-0.04/Changes Mail-ClamAV-0.04/Makefile.PL Mail-ClamAV-0.04/ppport.h Mail-ClamAV-0.04/META.yml Mail-ClamAV-0.04/MANIFEST Removing previously used /root/.cpan/build/Mail-ClamAV-0.04 CPAN.pm: Going to build S/SA/SABECK/Mail-ClamAV-0.04.tar.gz Checking if your kit is complete... 
Looks good Writing Makefile for Mail::ClamAV cp ClamAV.pm blib/lib/Mail/ClamAV.pm /usr/bin/perl -Mblib -MInline=NOISY,_INSTALL_ -MMail::ClamAV -e1 0.04 blib/arch Starting Build Prepocess Stage Finished Build Prepocess Stage Starting Build Parse Stage Finished Build Parse Stage Starting Build Glue 1 Stage Finished Build Glue 1 Stage Starting Build Glue 2 Stage Finished Build Glue 2 Stage Starting Build Glue 3 Stage Finished Build Glue 3 Stage Starting Build Compile Stage Starting "perl Makefile.PL" Stage Writing Makefile for Mail::ClamAV Finished "perl Makefile.PL" Stage Starting "make" Stage make[1]: Entering directory `/root/.cpan/build/Mail-ClamAV-0.04/_Inline/build/Mail/ClamAV' /usr/bin/perl /usr/lib/perl5/5.8.1/ExtUtils/xsubpp -typemap /usr/lib/perl5/5.8.1/ExtUtils/typemap ClamAV.xs > ClamAV.xsc && mv ClamAV.xsc ClamAV.c gcc -c -I/root/.cpan/build/Mail-ClamAV-0.04 -D_REENTRANT -D_GNU_SOURCE -DTH READS_HAVE_PIDS -DDEBUGGING -fno-strict-aliasing -I/usr/local/include -D_LAR GEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm -O2 -g -pipe -march =i386 -mcpu=i686 -DVERSION=\"0.04\" -DXS_VERSION=\"0.04\" -fPIC "-I/usr/lib/perl5/5.8.1/i386-linux-thread-multi/CORE" ClamAV.c ClamAV.xs:11:20: clamav.h: No such file or directory ClamAV.xs:19: error: field `limits' has incomplete type ClamAV.xs: In function `clamav_perl_retdbdir': ClamAV.xs:59: warning: return makes pointer from integer without a cast ClamAV.xs: In function `clamav_perl__scanbuff': ClamAV.xs:122: error: `CL_VIRUS' undeclared (first use in this function) ClamAV.xs:122: error: (Each undeclared identifier is reported only once ClamAV.xs:122: error: for each function it appears in.) 
ClamAV.xs:124: error: `CL_CLEAN' undeclared (first use in this function) ClamAV.xs:127: warning: passing arg 2 of `Perl_newSVpv' makes pointer from integer without a cast ClamAV.xs: In function `clamav_perl__scanfd': ClamAV.xs:163: error: `CL_VIRUS' undeclared (first use in this function) ClamAV.xs:165: error: `CL_CLEAN' undeclared (first use in this function) ClamAV.xs:168: warning: passing arg 3 of `Perl_sv_setpv' makes pointer from integer without a cast ClamAV.xs: In function `clamav_perl__scanfile': ClamAV.xs:199: error: `CL_VIRUS' undeclared (first use in this function) ClamAV.xs:201: error: `CL_CLEAN' undeclared (first use in this function) ClamAV.xs:204: warning: passing arg 3 of `Perl_sv_setpv' makes pointer from integer without a cast ClamAV.xs: In function `error': ClamAV.xs:219: warning: assignment makes pointer from integer without a cast ClamAV.xs: In function `clamav_perl_constant': ClamAV.xs:226: error: `CL_EACCES' undeclared (first use in this function) ClamAV.xs:227: error: `CL_EBZIP' undeclared (first use in this function) ClamAV.xs:228: error: `CL_EFSYNC' undeclared (first use in this function) ClamAV.xs:229: error: `CL_EGZIP' undeclared (first use in this function) ClamAV.xs:230: error: `CL_EMALFDB' undeclared (first use in this function) ClamAV.xs:231: error: `CL_EMALFZIP' undeclared (first use in this function) ClamAV.xs:232: error: `CL_EMAXFILES' undeclared (first use in this function) ClamAV.xs:233: error: `CL_EMAXREC' undeclared (first use in this function) ClamAV.xs:234: error: `CL_EMAXSIZE' undeclared (first use in this function) ClamAV.xs:235: error: `CL_EMEM' undeclared (first use in this function) ClamAV.xs:236: error: `CL_ENULLARG' undeclared (first use in this function) ClamAV.xs:237: error: `CL_EOPEN' undeclared (first use in this function) ClamAV.xs:238: error: `CL_EPATSHORT' undeclared (first use in this function) ClamAV.xs:239: error: `CL_ERAR' undeclared (first use in this function) ClamAV.xs:240: error: `CL_ETMPDIR' undeclared 
(first use in this function) ClamAV.xs:241: error: `CL_ETMPFILE' undeclared (first use in this function) ClamAV.xs:242: error: `CL_EZIP' undeclared (first use in this function) ClamAV.xs:243: error: `CL_MIN_LENGTH' undeclared (first use in this function) ClamAV.xs:244: error: `CL_NUM_CHILDS' undeclared (first use in this function) ClamAV.xs:245: error: `CL_MAIL' undeclared (first use in this function) ClamAV.xs:246: error: `CL_ARCHIVE' undeclared (first use in this function) ClamAV.xs:247: error: `CL_RAW' undeclared (first use in this function) ClamAV.xs:248: error: `CL_VIRUS' undeclared (first use in this function) ClamAV.xs:249: error: `CL_CLEAN' undeclared (first use in this function) make[1]: *** [ClamAV.o] Error 1 make[1]: Leaving directory `/root/.cpan/build/Mail-ClamAV-0.04/_Inline/build/Mail/ClamAV' A problem was encountered while attempting to compile and install your Inline C code. The command that failed was: make The build directory was: /root/.cpan/build/Mail-ClamAV-0.04/_Inline/build/Mail/ClamAV To debug the problem, cd to the build directory, and inspect the output files. at /root/.cpan/build/Mail-ClamAV-0.04/blib/lib/Mail/ClamAV.pm line 141 BEGIN failed--compilation aborted at /root/.cpan/build/Mail-ClamAV-0.04/blib/lib/Mail/ClamAV.pm line 390. Compilation failed in require. BEGIN failed--compilation aborted. make: *** [ClamAV.inl] Error 2 /usr/bin/make -- NOT OK Running make test Can't test without successful make Running make install make had returned bad status, install seems impossible From mailscanner at ecs.soton.ac.uk Tue Dec 2 12:38:12 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:23 2006 Subject: ANNOUNCE: Bug fix release 4.25-14 In-Reply-To: References: <6.0.1.1.2.20031202114746.038328f0@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20031202123649.0762c858@imap.ecs.soton.ac.uk> At 12:28 02/12/2003, you wrote: >Hi Julian, > > > I have just released 4.25-14. > > > > Due to Outlook's bizarre behaviour, I now have to check for a few nasty > > things in the Subject: line of messages, and clean it up a bit; hopefully > > in ways that you won't notice. > > > > There was a bug in 4.25-13 and previous versions which would cause the > > Subject: line to be doubled up rather than replaced with the clean version > > of it. > > > > I have now fixed this and re-released 4.25 as 4.25-14. > >I also noticed 4.26-1 arrived, whats the difference ? The new support of Norman anti-virus, which I put into 4.26-1, happens to now be in 4.25-14 as I couldn't be bothered to remove it to roll back to 4.25-14. However, I don't guarantee it works, and it is marked "Alpha". -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From raymond at PROLOCATION.NET Tue Dec 2 12:42:55 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:23 2006 Subject: ANNOUNCE: Bug fix release 4.25-14 In-Reply-To: <6.0.1.1.2.20031202123649.0762c858@imap.ecs.soton.ac.uk> Message-ID: Hi! > > > I have now fixed this and re-released 4.25 as 4.25-14. > > > >I also noticed 4.26-1 arrived, what's the difference ? > > The new support of Norman anti-virus, which I put into 4.26-1, happens to > now be in 4.25-14 as I couldn't be bothered to remove it to roll back to > 4.25-14. However, I don't guarantee it works, and it is marked "Alpha". Just double-checking, if people want to have the double subject fields fixed they should go for 4.25-14 or wait for 4.26-2 since I don't think it's added there yet ? Or is it added on both already now ? :) Bye, Raymond. From Rvdmerwe at MHG.CO.ZA Tue Dec 2 13:14:14 2003 
From: Rvdmerwe at MHG.CO.ZA (Rabie van der Merwe) Date: Thu Jan 12 21:21:23 2006 Subject: install problem on Mandrake 9.2 of 4.25-* Message-ID: <39B69D20AF5DD611BA7F00306E1E8F2E02B13925@cptexc02.bankmed.co.za> Hi 4.24 Installed fine on MD9.2 using the RPM install, I now have a problem with 4.25-14 where the perl src rpms compile fine on my dev box, but when it tries to install the rpms, it complains that my perl-base >= 5.801 and I have perl-base-5.8.1-0.RC4.3mdk installed, my guess is that it is just a context mismatch when trying to match up the Requires field for the spec file. But I looked in the spec file, and nothing, only a BuildRequires. I went into the BUILD dir and successfully did a 'make install'. Any ideas? R From fmedery at videotron.ca Tue Dec 2 13:38:29 2003 
From: fmedery at videotron.ca (Frédéric Médery) Date: Thu Jan 12 21:21:23 2006 Subject: question about spambydomain In-Reply-To: <6.0.1.1.2.20031202083427.039a4ea8@imap.ecs.soton.ac.uk> References: <1070324907.3182.12.camel@bastion> <6.0.1.1.2.20031202083427.039a4ea8@imap.ecs.soton.ac.uk> Message-ID: <14345834756.20031202083829@videotron.ca> Hello Julian, Tuesday, December 2, 2003, 3:45:21 AM, you wrote: JF> user@domain over-rides domain which over-rides default. JF> At 00:28 02/12/2003, you wrote: JF> -- JF> Julian Field JF> www.MailScanner.info JF> MailScanner thanks transtec Computers for their support JF> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Thanks ! And how about conflict between white and black list ? -- Frédéric email:fmedery@videotron.ca From ryan.finnesey at CORPDSG.COM Tue Dec 2 04:02:22 2003 From: ryan.finnesey at CORPDSG.COM (Ryan Finnesey) Date: Thu Jan 12 21:21:23 2006 Subject: code audit? Message-ID: <3041D4D2B8A6F746AD9217BE05AE68C407BBCD@dc012.corpdsg.com> Does anyone know if anyone has done a code audit of MS? Ryan From ryan.finnesey at CORPDSG.COM Tue Dec 2 02:05:09 2003 From: ryan.finnesey at CORPDSG.COM (Ryan Finnesey) Date: Thu Jan 12 21:21:23 2006 Subject: Linux list(s) Message-ID: <3041D4D2B8A6F746AD9217BE05AE68C407BBC1@dc012.corpdsg.com> Can anyone recommend some good Linux list(s) that I can join? Ryan From mike at CAMAROSS.NET Tue Dec 2 14:12:41 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:21:23 2006 Subject: code audit? In-Reply-To: <3041D4D2B8A6F746AD9217BE05AE68C407BBCD@dc012.corpdsg.com> Message-ID: <200312021407.hB2E7d2Q012320@genesis.camaross.net> An audit in what way(s)? > -----Original Message----- 
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ryan Finnesey > Sent: Monday, December 01, 2003 10:02 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: code audit? > > Does anyone know if anyone has done a code audit of MS? > > > Ryan > From mike at CAMAROSS.NET Tue Dec 2 14:12:51 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:21:23 2006 Subject: Linux list(s) In-Reply-To: <3041D4D2B8A6F746AD9217BE05AE68C407BBC1@dc012.corpdsg.com> Message-ID: <200312021407.hB2E7o2Q012333@genesis.camaross.net> For which distro? > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ryan Finnesey > Sent: Monday, December 01, 2003 8:05 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Linux list(s) > > Can anyone recommend some good Linux list(s) that I can join? > > > > Ryan > From evertjan at VANRAMSELAAR.NL Tue Dec 2 14:18:44 2003 From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar) Date: Thu Jan 12 21:21:23 2006 Subject: Linux list(s) In-Reply-To: <3041D4D2B8A6F746AD9217BE05AE68C407BBC1@dc012.corpdsg.com> References: <3041D4D2B8A6F746AD9217BE05AE68C407BBC1@dc012.corpdsg.com> Message-ID: <29769.194.151.195.222.1070374724.squirrel@mail.vanramselaar.nl> Ryan Finnesey said: > Can anyone recommend some good Linux list(s) that I can join? ISP-Linux is a pretty good list at times, even when you're not an ISP. http://isp-lists.isp-planet.com/isp-linux/ -- Evert Jan van Ramselaar Van Ramselaar Info Tech Internet Consultancy & Webdesign From michele at BLACKNIGHTSOLUTIONS.COM Tue Dec 2 14:31:50 2003 
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:21:23 2006 Subject: code audit? In-Reply-To: <3041D4D2B8A6F746AD9217BE05AE68C407BBCD@dc012.corpdsg.com> Message-ID: What for? Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9139897 Lowest price domains in Ireland > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Ryan Finnesey > Sent: 02 December 2003 04:02 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: code audit? > > > Does anyone know if anyone has done a code audit of MS? > > > Ryan > From jlarsen at RICHWEB.COM Tue Dec 2 13:46:40 2003 From: jlarsen at RICHWEB.COM (C. Jon Larsen) Date: Thu Jan 12 21:21:23 2006 Subject: receiving mails with executable. In-Reply-To: Message-ID: On Tue, 2 Dec 2003, Mark Hernandez wrote: > hi all, > > Im using Postfix on a Freebsd 4.8 O.S. and choose mailscanner to add > features Is MailScanner safe to use with postfix ? The postfix site and several messages in the archives advise strongly not to use postfix with MS because postfix does not like to have its queues manipulated by an external program. Postfix has a content filter interface they they suggest using and the current postfix snapshot has a new smtp content filter proxy interface that looks interesting. I don't like sendmail anymore (security issues seem to never stop), so I have switched to postfix for all mail relay and mailbox destinations - with a MailScanner + sendmail box that sits in the middle. From pndiku at DSMAGIC.COM Tue Dec 2 14:37:19 2003 
From: pndiku at DSMAGIC.COM (Peter C. Ndikuwera)
Date: Thu Jan 12 21:21:23 2006
Subject: ClamAV module
In-Reply-To: <000501c3b8d0$4aee1090$3201010a@nimitz>
References: <000501c3b8d0$4aee1090$3201010a@nimitz>
Message-ID: <1070375839.2916.13.camel@mufasa.ds.co.ug>

You need to install ClamAV first.

On Tue, 2003-12-02 at 15:32, Ulysees wrote:
> anybody else had trouble getting this working ?
> when I grab the module from cpan it seems to grumble about not being able to
> find clamav.h
>
> Should I be using a tarball of ClamAV instead of the RPM ?
>
> Uly
>
>
> cpan> install Mail::ClamAV
> Running install for module Mail::ClamAV
> Running make for S/SA/SABECK/Mail-ClamAV-0.04.tar.gz
> CPAN: Digest::MD5 loaded ok
> Checksum for
> /root/.cpan/sources/authors/id/S/SA/SABECK/Mail-ClamAV-0.04.tar.gz ok
> Scanning cache /root/.cpan/build for sizes
> Mail-ClamAV-0.04/
> Mail-ClamAV-0.04/t/
> Mail-ClamAV-0.04/t/virus.eml
> Mail-ClamAV-0.04/t/Mail-ClamAV.t
> Mail-ClamAV-0.04/README
> Mail-ClamAV-0.04/ClamAV.pm
> Mail-ClamAV-0.04/Changes
> Mail-ClamAV-0.04/Makefile.PL
> Mail-ClamAV-0.04/ppport.h
> Mail-ClamAV-0.04/META.yml
> Mail-ClamAV-0.04/MANIFEST
> Removing previously used /root/.cpan/build/Mail-ClamAV-0.04
>
> CPAN.pm: Going to build S/SA/SABECK/Mail-ClamAV-0.04.tar.gz
>
> Checking if your kit is complete...
> Looks good
> Writing Makefile for Mail::ClamAV
> cp ClamAV.pm blib/lib/Mail/ClamAV.pm
> /usr/bin/perl -Mblib -MInline=NOISY,_INSTALL_ -MMail::ClamAV -e1 0.04
> blib/arch
> Starting Build Prepocess Stage
> Finished Build Prepocess Stage
>
> Starting Build Parse Stage
> Finished Build Parse Stage
>
> Starting Build Glue 1 Stage
> Finished Build Glue 1 Stage
>
> Starting Build Glue 2 Stage
> Finished Build Glue 2 Stage
>
> Starting Build Glue 3 Stage
> Finished Build Glue 3 Stage
>
> Starting Build Compile Stage
> Starting "perl Makefile.PL" Stage
> Writing Makefile for Mail::ClamAV
> Finished "perl Makefile.PL" Stage
>
> Starting "make" Stage
> make[1]: Entering directory
> `/root/.cpan/build/Mail-ClamAV-0.04/_Inline/build/Mail/ClamAV'
> /usr/bin/perl /usr/lib/perl5/5.8.1/ExtUtils/xsubpp -typemap
> /usr/lib/perl5/5.8.1/ExtUtils/typemap ClamAV.xs > ClamAV.xsc && mv
> ClamAV.xsc ClamAV.c
> gcc -c -I/root/.cpan/build/Mail-ClamAV-0.04 -D_REENTRANT -D_GNU_SOURCE -DTH
> READS_HAVE_PIDS -DDEBUGGING -fno-strict-aliasing -I/usr/local/include -D_LAR
> GEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm -O2 -g -pipe -march
> =i386 -mcpu=i686 -DVERSION=\"0.04\" -DXS_VERSION=\"0.04\" -fPIC
> "-I/usr/lib/perl5/5.8.1/i386-linux-thread-multi/CORE" ClamAV.c
> ClamAV.xs:11:20: clamav.h: No such file or directory
> ClamAV.xs:19: error: field `limits' has incomplete type
> ClamAV.xs: In function `clamav_perl_retdbdir':
> ClamAV.xs:59: warning: return makes pointer from integer without a cast
> ClamAV.xs: In function `clamav_perl__scanbuff':
> ClamAV.xs:122: error: `CL_VIRUS' undeclared (first use in this function)
> ClamAV.xs:122: error: (Each undeclared identifier is reported only once
> ClamAV.xs:122: error: for each function it appears in.)
> ClamAV.xs:124: error: `CL_CLEAN' undeclared (first use in this function)
> ClamAV.xs:127: warning: passing arg 2 of `Perl_newSVpv' makes pointer from
> integer without a cast
> ClamAV.xs: In function `clamav_perl__scanfd':
> ClamAV.xs:163: error: `CL_VIRUS' undeclared (first use in this function)
> ClamAV.xs:165: error: `CL_CLEAN' undeclared (first use in this function)
> ClamAV.xs:168: warning: passing arg 3 of `Perl_sv_setpv' makes pointer from
> integer without a cast
> ClamAV.xs: In function `clamav_perl__scanfile':
> ClamAV.xs:199: error: `CL_VIRUS' undeclared (first use in this function)
> ClamAV.xs:201: error: `CL_CLEAN' undeclared (first use in this function)
> ClamAV.xs:204: warning: passing arg 3 of `Perl_sv_setpv' makes pointer from
> integer without a cast
> ClamAV.xs: In function `error':
> ClamAV.xs:219: warning: assignment makes pointer from integer without a cast
> ClamAV.xs: In function `clamav_perl_constant':
> ClamAV.xs:226: error: `CL_EACCES' undeclared (first use in this function)
> ClamAV.xs:227: error: `CL_EBZIP' undeclared (first use in this function)
> ClamAV.xs:228: error: `CL_EFSYNC' undeclared (first use in this function)
> ClamAV.xs:229: error: `CL_EGZIP' undeclared (first use in this function)
> ClamAV.xs:230: error: `CL_EMALFDB' undeclared (first use in this function)
> ClamAV.xs:231: error: `CL_EMALFZIP' undeclared (first use in this function)
> ClamAV.xs:232: error: `CL_EMAXFILES' undeclared (first use in this function)
> ClamAV.xs:233: error: `CL_EMAXREC' undeclared (first use in this function)
> ClamAV.xs:234: error: `CL_EMAXSIZE' undeclared (first use in this function)
> ClamAV.xs:235: error: `CL_EMEM' undeclared (first use in this function)
> ClamAV.xs:236: error: `CL_ENULLARG' undeclared (first use in this function)
> ClamAV.xs:237: error: `CL_EOPEN' undeclared (first use in this function)
> ClamAV.xs:238: error: `CL_EPATSHORT' undeclared (first use in this function)
> ClamAV.xs:239: error: `CL_ERAR' undeclared (first use in this function)
> ClamAV.xs:240: error: `CL_ETMPDIR' undeclared (first use in this function)
> ClamAV.xs:241: error: `CL_ETMPFILE' undeclared (first use in this function)
> ClamAV.xs:242: error: `CL_EZIP' undeclared (first use in this function)
> ClamAV.xs:243: error: `CL_MIN_LENGTH' undeclared (first use in this
> function)
> ClamAV.xs:244: error: `CL_NUM_CHILDS' undeclared (first use in this
> function)
> ClamAV.xs:245: error: `CL_MAIL' undeclared (first use in this function)
> ClamAV.xs:246: error: `CL_ARCHIVE' undeclared (first use in this function)
> ClamAV.xs:247: error: `CL_RAW' undeclared (first use in this function)
> ClamAV.xs:248: error: `CL_VIRUS' undeclared (first use in this function)
> ClamAV.xs:249: error: `CL_CLEAN' undeclared (first use in this function)
> make[1]: *** [ClamAV.o] Error 1
> make[1]: Leaving directory
> `/root/.cpan/build/Mail-ClamAV-0.04/_Inline/build/Mail/ClamAV'
>
> A problem was encountered while attempting to compile and install your
> Inline
> C code. The command that failed was:
> make
>
> The build directory was:
> /root/.cpan/build/Mail-ClamAV-0.04/_Inline/build/Mail/ClamAV
>
> To debug the problem, cd to the build directory, and inspect the output
> files.
>
> at /root/.cpan/build/Mail-ClamAV-0.04/blib/lib/Mail/ClamAV.pm line 141
> BEGIN failed--compilation aborted at
> /root/.cpan/build/Mail-ClamAV-0.04/blib/lib/Mail/ClamAV.pm line 390.
> Compilation failed in require.
> BEGIN failed--compilation aborted.
> make: *** [ClamAV.inl] Error 2
> /usr/bin/make -- NOT OK
> Running make test
> Can't test without successful make
> Running make install
> make had returned bad status, install seems impossible
>

From RKearney at AZERTY.COM Tue Dec 2 14:56:31 2003
From: RKearney at AZERTY.COM (Kearney, Rob)
Date: Thu Jan 12 21:21:23 2006
Subject: Message Backups and Spam Checks
Message-ID: <210DF55DED65B547896F728FB057F3B2019C49F3@seaver.ussco.com>

We were having issues with pyzor...

An easy way to check.. is to try..
spamassassin -D --lint

you will generally see the slowdown/timeout.

However, you could try other methods in addition:
pyzor ping
razor-check -d -M
dccproc -Q -i -H

I don't know what to do for RBLs since I don't use them.

-rob

-----Original Message-----
From: Steve Evans [mailto:sevans@FOUNDATION.SDSU.EDU]
Sent: Monday, December 01, 2003 5:52 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Message Backups and Spam Checks

I had a lot of problems with backed up mail today. CPU usage was low, and
there was plenty of free memory. When I changed MailScanner.conf to
Spam Checks = no it quickly processed all the queued mail. So I assume that
one of the net checks (RBL, Razor, or DCC) was causing problems.

My question is how can I tell when one of the net checks is causing
problems and how can I tell which one?

Steve Evans
SDSU Foundation

From mailscanner at ecs.soton.ac.uk Tue Dec 2 14:52:56 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:23 2006
Subject: code audit?
In-Reply-To: <200312021407.hB2E7d2Q012320@genesis.camaross.net>
References: <3041D4D2B8A6F746AD9217BE05AE68C407BBCD@dc012.corpdsg.com> <200312021407.hB2E7d2Q012320@genesis.camaross.net>
Message-ID: <6.0.1.1.2.20031202145103.039fb150@imap.ecs.soton.ac.uk>

Mariano and his colleagues in Argentina (might be Brazil) have gone through
a lot of the code and thoroughly understand it. They wrote the ZMailer
support.

Tony Finch at Cambridge University has gone through all of the code in very
great detail, which resulted in several bug fixes and performance
improvements.

At 14:12 02/12/2003, you wrote:
>An audit in what way(s)?
>
>
> > -----Original Message-----
> > From: MailScanner mailing list
> > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ryan Finnesey
> > Sent: Monday, December 01, 2003 10:02 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: code audit?
> >
> > Does anyone know if anyone has done a code audit of MS?
> >
> >
> > Ryan
> >

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Dec 2 14:50:45 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:23 2006
Subject: receiving mails with executable.
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20031202144346.076f2818@imap.ecs.soton.ac.uk>

To give you the brief answer to this question....

The Postfix guys don't like me as I dared to use their software in a way
they hadn't intended. Rather than publish the file format (which sendmail
does) or happily let me use it (the Exim authors use MailScanner
themselves), the Postfix guys throw their toys out of the pram and whinge a
lot.

I'm not going to apologise for daring to "think outside the box".

Many people run MailScanner on Postfix without any problems. A few sites
see a fault where very occasionally a message with no body is delivered.
The correct version of the same message with its body is later delivered
correctly, in addition to the version with the body missing. No mail is lost.

As many MailScanner sites now run it on a dedicated server, it makes very
little difference what MTA is chosen, as all the MTAs can take mail in and
just punt it onto another server.

My personal recommendation is probably Exim, especially if you don't like
sendmail. Exim is very easy to configure and is very fast. When used with
MailScanner it is considerably faster than Postfix as Postfix copies all
the data around more often than it needs to, resulting in inefficient
handling, particularly of large messages.

At 13:46 02/12/2003, you wrote:
>On Tue, 2 Dec 2003, Mark Hernandez wrote:
>
> > hi all,
> >
> > I'm using Postfix on a FreeBSD 4.8 O.S. and choose mailscanner to add
> > features
>
>Is MailScanner safe to use with postfix ? The postfix site and several
>messages in the archives advise strongly not to use postfix with MS
>because postfix does not like to have its queues manipulated by an
>external program.
>
>Postfix has a content filter interface they suggest using and the
>current postfix snapshot has a new smtp content filter proxy interface
>that looks interesting.
>
>I don't like sendmail anymore (security issues seem to never stop), so I
>have switched to postfix for all mail relay and mailbox destinations -
>with a MailScanner + sendmail box that sits in the middle.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Dec 2 14:41:17 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:23 2006
Subject: ANNOUNCE: Bug fix release 4.25-14
In-Reply-To:
References: <6.0.1.1.2.20031202123649.0762c858@imap.ecs.soton.ac.uk>
Message-ID: <6.0.1.1.2.20031202144039.03695068@imap.ecs.soton.ac.uk>

At 12:42 02/12/2003, you wrote:
>Hi!
>
> > > > I have now fixed this and re-released 4.25 as 4.25-14.
> > >
> > >I also noticed 4.26-1 arrived, what's the difference ?
> >
> > The new support of Norman anti-virus, which I put into 4.26-1, happens to
> > now be in 4.25-14 as I couldn't be bothered to remove it to roll back to
> > 4.25-14. However, I don't guarantee it works, and it is marked "Alpha".
>
>Just doublechecking, if people want to have the double subject fields
>fixed they should go for 4.25-14

Yes.

> or wait for 4.26-2 since I don't think it's
>added there yet ? Or is it added on both already now ? :)

It's on both (there is only 1 code tree, I don't like maintaining more than
I need to).

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From kevins at BMRB.CO.UK Tue Dec 2 15:39:14 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:21:23 2006
Subject: install problem on Mandrake 9.2 of 4.25-*
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB00188B6EF@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB00188B6EF@pascal.priv.bmrb.co.uk>
Message-ID: <1070379555.11842.42.camel@bach.kevinspicer.co.uk>

On Tue, 2003-12-02 at 13:14, Rabie van der Merwe wrote:

Hi
>4.24 Installed fine on MD9.2 using the RPM install, I now have a
>problem with 4.25-14 where the perl src rpms compile fine on my dev
>box, but when it tries to install the rpms, it complains that my
>perl-base >= 5.801 and I have perl-base-5.8.1-0.RC4.3mdk installed, my
>guess is that it is just a context mismatch when trying to match up the
>Requires field for the spec file. But I looked in the spec file, and
>nothing, only a BuildRequires.
>I went into the BUILD dir and successfully did a 'make install'.
>Any ideas?

./install.sh nodeps

From Rvdmerwe at MHG.CO.ZA Tue Dec 2 15:49:15 2003
From: Rvdmerwe at MHG.CO.ZA (Rabie van der Merwe)
Date: Thu Jan 12 21:21:23 2006
Subject: install problem on Mandrake 9.2 of 4.25-*
Message-ID: <39B69D20AF5DD611BA7F00306E1E8F2E02B13927@cptexc02.bankmed.co.za>

I managed to rewrite the SPEC file for perl-Net-CIDR to compile and install
properly on MD9.2. If I get all SPEC files converted (I'll only do the ones
that don't come with md9.2 or the contribs) I'll provide the spec files if
anyone is interested.

Regards
Rabie

**********************************************************************
------ NOTICE ------
This message contains privileged and confidential information intended
only for the person or entity to which it is addressed. Any review,
retransmission, dissemination, copy or other use of, or taking of any
action in reliance upon this information by persons or entities other
than the intended recipient, is prohibited. If you received this message
in error, please notify the sender immediately by e-mail, facsimile or
telephone and thereafter delete the material from any computer.
Metropolitan Health Group, its subsidiaries or associates do not accept
liability for any personal views expressed in this message.
**********************************************************************
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031202/b6d092da/attachment.html

From jlarsen at RICHWEB.COM Tue Dec 2 15:52:10 2003
From: jlarsen at RICHWEB.COM (C. Jon Larsen)
Date: Thu Jan 12 21:21:23 2006
Subject: postfix comments ... was: Re: receiving mails with executable.
In-Reply-To: <6.0.1.1.2.20031202144346.076f2818@imap.ecs.soton.ac.uk>
Message-ID:

On Tue, 2 Dec 2003, Julian Field wrote:

> To give you the brief answer to this question....
>
> The Postfix guys don't like me as I dared to use their software in a way
> they hadn't intended. Rather than publish the file format (which sendmail
> does) or happily let me use it (the Exim authors use MailScanner
> themselves), the Postfix guys throw their toys out of the pram and whinge a
> lot.

I see your point :=) I think postfix is supposed to be formalizing their
APIs for dealing with queues, etc. Thanks for the background info.

>
> I'm not going to apologise for daring to "think outside the box".

MailScanner is *great* software. You have a lot to be proud of. Postfix
guys seem to suggest using Amavis-new instead of MS. But to me that's a step
backwards and away from the best software to scan and protect emails
(MailScanner).

I wanted postfix and I wanted MailScanner :=) Here's what I did to make
them work together - see below ...

>
> Many people run MailScanner on Postfix without any problems. A few sites
> see a fault where very occasionally a message with no body is delivered.
> The correct version of the same message with its body is later delivered
> correctly, in addition to the version with the body missing. No mail is lost.

I did not want to take that chance, so I set up 1 postfix instance as an
external smtp router and proxy that looks up incoming domains in an SQL
database and makes routing decisions based on a content_scan column. It can
route the mail directly to the destination, drop the mail if it's for an
invalid domain, or route it to the dedicated MailScanner box, which uses
sendmail. The MailScanner box does its job, and then sends the mail to a
third postfix box which does message delivery to mailboxes, and handles
SMTP AUTH for customers that send email from mail clients.

Exim was not my cup of tea for a secure internet facing MTA :=) I'm not
saying it's not secure, it's just not what I wanted. I did not see Exim as
being more secure than sendmail due to its design (my opinion only, send
flames to /dev/null). I was looking for something that had privilege
separation like qmail or postfix for an internet facing MTA. Since my
internal mailscanner box is locked down from an SMTP listener perspective,
I am o.k. running sendmail on that, though exim would probably make a
better host than sendmail for the MS - thanks for the tips though.

I looked at smtp.proxy, Obtuse/juniper smtp proxy, qpsmtpd, and mailfront
as ways to improve the security of the internet facing MTA. qpsmtpd and
mailfront were too qmailish (also not my preference) and none of the smtp
proxies gave me a warm and fuzzy regarding protocol support/workaround
(ESMTP, cisco pix workarounds like postfix has). They seemed o.k. for
hobbyists but not for production networks that get a lot of mail from a
lot of different networks with different (often partially broken) MTAs.

I kept coming back to postfix as the best combination of security,
protocol support, and usability for my external MTA. I had already picked
postfix as my MTA for my mailboxes. So I went from 2 boxes (mailscanner +
postfix) to 3 boxes (inbound postfix message router, mailscanner/sendmail,
mailbox, smtp auth postfix).

Hopefully this will help someone else. If not, that's fine too. Just
relaying my experiences and research.

-jon

>
> As many MailScanner sites now run it on a dedicated server, it makes very
> little difference what MTA is chosen, as all the MTAs can take mail in and
> just punt it onto another server.
>
> My personal recommendation is probably Exim, especially if you don't like
> sendmail. Exim is very easy to configure and is very fast. When used with
> MailScanner it is considerably faster than Postfix as Postfix copies all
> the data around more often than it needs to, resulting in inefficient
> handling, particularly of large messages.
>
> At 13:46 02/12/2003, you wrote:
> >On Tue, 2 Dec 2003, Mark Hernandez wrote:
> >
> > > hi all,
> > >
> > > I'm using Postfix on a FreeBSD 4.8 O.S. and choose mailscanner to add
> > > features
> >
> >Is MailScanner safe to use with postfix ? The postfix site and several
> >messages in the archives advise strongly not to use postfix with MS
> >because postfix does not like to have its queues manipulated by an
> >external program.
> >
> >Postfix has a content filter interface they suggest using and the
> >current postfix snapshot has a new smtp content filter proxy interface
> >that looks interesting.
> >
> >I don't like sendmail anymore (security issues seem to never stop), so I
> >have switched to postfix for all mail relay and mailbox destinations -
> >with a MailScanner + sendmail box that sits in the middle.
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>

--
+ Jon Larsen: Chief Technology Officer, Richweb, Inc.
+ Richweb.com: Providing Internet-Based Business Solutions since 1995
+ GnuPG Public Key: http://richweb.com/jlarsen.gpg
+ Business: (804) 359.2220 x 101; Mobile: (804) 307.6939

From james.ogley at PINNACLE.CO.UK Tue Dec 2 16:09:17 2003
From: james.ogley at PINNACLE.CO.UK (James Ogley)
Date: Thu Jan 12 21:21:23 2006
Subject: Questions about how MailScanner deals with mails to be quarantined
Message-ID: <1070381356.1507.108.camel@jogley.pinnacle.co.uk>

Hi,

As the annoying auto-append will reveal, we're currently using
MAILSweeper, but we're evaluating MailScanner as a replacement. We
really like the functionality of MAILSweeper, but equally dislike the
implementation.

We're running MS 4.25-13 on SuSE 8.2 on our test machine, and we've been
sending various test mails through it, to see how it dealt with them.

Basically, our requirements would be to be able to quarantine mails
because of being too large, virus-laden, with attachments of various
types.

Once a mail is quarantined, we would like to have the option to notify
three groups of people, the sender, the recipient and the admin,
depending on the reason the mail had been quarantined.

Our testing of quarantining large mails threw up some confusion, as the
mails from MS always said that the mails had been stopped as virii,
which was not the case, however it seems to be that it says that
irrespective of the actual reason in the mails to the admin, which could
cause confusion. It would be better if a different notification mail
could be sent according to why the mail had been stopped (ie, "this mail
is too large", "this mail had an executable file attached", "this mail
has a script attached").

Also, we would prefer to be able to notify the recipient, rather than
delivering a 'disinfected' version of the mail to them, something like
"you have been sent a mail that exceeds size limitations by
foo@bar.baz. If this mail is for business purposes, please contact
systems admin".

Have I totally misunderstood the way MS deals with mails, and these
options are possible? (I hope so)

I can provide my MailScanner.conf if that will be helpful.

James
--
James Ogley, Unix Systems Administrator, Pinnacle Insurance Plc
Work: james.ogley@pinnacle.co.uk www.pinnacle.co.uk +44 (0) 20 8731 3619
Personal: james@rubberturnip.org.uk www.rubberturnip.org.uk
Updated GNOME RPMs for SuSE Linux: www.usr-local-bin.org

***********************************************************************
CONFIDENTIALITY. This e-mail and any attachments are confidential and
may also be privileged. If you are not the named recipient, please
notify the sender immediately and do not disclose the contents to
another person, use it for any purpose, or store or copy the information
in any medium. Any views expressed in this message are those of the
individual sender, except where the sender specifically states them to
be the views of Pinnacle Insurance Plc. If you have received this e-mail
in error please immediately notify our Helpdesk on +44 (0) 20 8207 9555.
This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses. www.mimesweeper.com
**********************************************************************

From Kevin.Hansard at IPLBATH.COM Tue Dec 2 16:26:15 2003
From: Kevin.Hansard at IPLBATH.COM (Kevin Hansard)
Date: Thu Jan 12 21:21:23 2006
Subject: Problem with subject tagging 4.25-13
Message-ID:

Thanks! 4.25-14 seems to be working ok.

Kevin Hansard
---

From mailscanner at ecs.soton.ac.uk Tue Dec 2 16:36:47 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:23 2006
Subject: Questions about how MailScanner deals with mails to be quarantined
In-Reply-To: <1070381356.1507.108.camel@jogley.pinnacle.co.uk>
References: <1070381356.1507.108.camel@jogley.pinnacle.co.uk>
Message-ID: <6.0.1.1.2.20031202162219.03d68ec0@imap.ecs.soton.ac.uk>

At 16:09 02/12/2003, you wrote:
>Hi,
>
>As the annoying auto-append will reveal, we're currently using
>MAILSweeper, but we're evaluating MailScanner as a replacement. We
>really like the functionality of MAILSweeper, but equally dislike the
>implementation.
>
>We're running MS 4.25-13 on SuSE 8.2 on our test machine, and we've been
>sending various test mails through it, to see how it dealt with them.
>
>Basically, our requirements would be to be able to quarantine mails
>because of being too large, virus-laden, with attachments of various
>types.
>
>Once a mail is quarantined, we would like to have the option to notify
>three groups of people, the sender, the recipient and the admin,
>depending on the reason the mail had been quarantined.
>
>Our testing of quarantining large mails threw up some confusion, as the
>mails from MS always said that the mails had been stopped as virii,
>which was not the case, however it seems to be that it says that
>irrespective of the actual reason in the mails to the admin, which could
>cause confusion. It would be better if a different notification mail
>could be sent according to why the mail had been stopped (ie, "this mail
>is too large", "this mail had an executable file attached", "this mail
>has a script attached").

The individual "Report" lines in the mail to the sysadmin give the exact
reason the message was stopped.
The Subject: line is always the same (just makes it easier to filter on). I
didn't really intend human beings to read every admin notification. Most
sysadmins don't have the time to read stuff like this anyway.

>Also, we would prefer to be able to notify the recipient, rather than
>delivering a 'disinfected' version of the mail to them, something like
>"you have been sent a mail that exceeds size limitations by
>foo@bar.baz. If this mail is for business purposes, please contact
>systems admin".

That's all down to what you put in the VirusWarning.txt file, which you
might well rename as well.

>Have I totally misunderstood the way MS deals with mails, and these
>options are possible? (I hope so)
>
>I can provide my MailScanner.conf if that will be helpful.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From carlos.pacheco at DIPROTECH.COM Tue Dec 2 16:22:45 2003
From: carlos.pacheco at DIPROTECH.COM (Carlos Pacheco)
Date: Thu Jan 12 21:21:23 2006
Subject: Not modify attach if content-transfer-enconding is quoted-printable.
Message-ID:

Hi all.

I've that problem. I have a mail server using Debian 2.4.18, sendmail and
mailscanner.

If a user sends me an old PDF file (1.2) from outlook, it's transferred in
MIME, and the content-transfer-encoding is by default set to
quoted-printable (I think in outlook 2000 you can't change it...).

When the message passes through mailscanner, I suppose it analyses the
attach, and modifies it, because all the 0x0A binary bytes are transformed
into 0x0D 0x0A.

Considering the PDF version I've told you, this corrupts PDF file and it
can't be seen, so the solution for me (since I can't change outlook
encoding) is to tell mailscanner not to modify content if MIME is an
application/pdf, for example.

Is that possible ?

Thanks a lot.

From Kevin.Hansard at IPLBATH.COM Tue Dec 2 16:43:54 2003
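Added example, not part of the original post or of MailScanner: a Python model of how the bare 0x0A bytes in a binary attachment, as in Carlos Pacheco's message above, can arrive as 0x0D 0x0A after a quoted-printable round trip. The PDF-like byte string is constructed, and the CRLF-normalising hop is an assumption; the sketch shows the mechanism and a check for it, not which component was responsible in the reported case.

```python
import base64
import binascii

# Constructed stand-in for an old PDF: a text-like header followed by a
# binary stream containing bare LF (0x0A) bytes that must not change.
SAMPLE_PDF = (
    b"%PDF-1.2\n"
    b"1 0 obj\n<< /Length 6 >>\nstream\n"
    b"\x00\x0a\xff\x0a\x80\x0a"
    b"\nendstream\nendobj\n"
)


def crlf_hop(encoded: bytes) -> bytes:
    """Assumed mail hop that rewrites every line ending as CRLF."""
    return encoded.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")


def roundtrip_qp(data: bytes, treat_as_text: bool) -> bytes:
    """Encode as quoted-printable, pass through the CRLF hop, decode.

    treat_as_text=True leaves LF as a literal line break (text rules);
    treat_as_text=False encodes every LF as "=0A" (binary-safe rules).
    """
    encoded = binascii.b2a_qp(data, istext=treat_as_text)
    return binascii.a2b_qp(crlf_hop(encoded))


def roundtrip_base64(data: bytes) -> bytes:
    """Same hop with base64, whose decoder ignores the line endings."""
    return base64.decodebytes(crlf_hop(base64.encodebytes(data)))


def diagnose(original: bytes, received: bytes) -> dict:
    """Compare an attachment before and after transfer."""
    return {
        "intact": received == original,
        # True when the only change is LF -> CR LF, the symptom reported.
        "lf_became_crlf": received != original
        and received == original.replace(b"\n", b"\r\n"),
        "extra_bytes": len(received) - len(original),
    }


if __name__ == "__main__":
    for label, received in (
        ("qp, text rules", roundtrip_qp(SAMPLE_PDF, True)),
        ("qp, binary rules", roundtrip_qp(SAMPLE_PDF, False)),
        ("base64", roundtrip_base64(SAMPLE_PDF)),
    ):
        print(label, diagnose(SAMPLE_PDF, received))
```

Only the text-rules case changes the payload: each LF that was left as a literal line break picks up a CR, which is enough to break byte offsets inside a PDF.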
From: Kevin.Hansard at IPLBATH.COM (Kevin Hansard)
Date: Thu Jan 12 21:21:23 2006
Subject: Small feature request
Message-ID:

I have started tagging spam messages with the spam score in the subject
because this makes it much easier for people to see the score if they
use Outlook.

It would be nice if a user could sort their spam folder by subject and
then the marginal spams would be at the top, allowing for easier
spotting of false positives.

Unfortunately this doesn't work because the spam score doesn't have a
leading zero. Is it possible that a leading zero could be added in the
next release?

Many Thanks

Kevin Hansard
---

From mailscanner at ecs.soton.ac.uk Tue Dec 2 16:50:23 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:23 2006
Subject: Small feature request
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20031202164723.0384add0@imap.ecs.soton.ac.uk>

At 16:43 02/12/2003, you wrote:
>I have started tagging spam messages with the spam score in the subject
>because this makes it much easier for people to see the score if they
>use Outlook.
>
>It would be nice if a user could sort their spam folder by subject and
>then the marginal spams would be at the top, allowing for easier
>spotting of false positives.
>
>Unfortunately this doesn't work because the spam score doesn't have a
>leading zero. Is it possible that a leading zero could be added in the
>next release?

I'm not going to add this as a feature unless loads of people want it, it's
a rather specialised request. However all you need to do is apply the
attached patch to /usr/lib/MailScanner/MailScanner/Message.pm and then
restart MailScanner.
A command like
         cd /usr/lib/MailScanner/MailScanner
         patch < Message.pm.leadingzero.patch
         service MailScanner restart
should do the trick for you. Don't lose the patch as you will need it for
future upgrades.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Message.pm.leadingzero.patch
Type: application/octet-stream
Size: 1480 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031202/f358214d/Message.pm.leadingzero.obj
-------------- next part --------------
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From james.ogley at PINNACLE.CO.UK Tue Dec 2 16:48:35 2003
From: james.ogley at PINNACLE.CO.UK (James Ogley)
Date: Thu Jan 12 21:21:23 2006
Subject: Questions about how MailScanner deals with mails to be quarantined
In-Reply-To: <6.0.1.1.2.20031202162219.03d68ec0@imap.ecs.soton.ac.uk>
References: <1070381356.1507.108.camel@jogley.pinnacle.co.uk> <6.0.1.1.2.20031202162219.03d68ec0@imap.ecs.soton.ac.uk>
Message-ID: <1070383714.1511.117.camel@jogley.pinnacle.co.uk>

> The individual "Report" lines in the mail to the sysadmin give the exact
> reason the message was stopped.

That much is certainly true :)

> The Subject: line is always the same (just makes it easier to filter on). I
> didn't really intend human beings to read every admin notification. Most
> sysadmins don't have the time to read stuff like this anyway.

Well, we tend to skim the subject lines, unless something looks like we
need to attend to it, only then do we actually read the mail, and then
to verify which machine sent it (we have multiple sweepers for
resiliency). Obviously on MScanner, we'd include the machine name in
our report mails :)

Having the actual reason a mail was stopped in the Subject: line makes
this a lot easier.

> That's all down to what you put in the VirusWarning.txt file, which you
> might well rename as well.

I realise that, but it still delivers the rest of the mail, doesn't it?
Also, the option to only notify/deliver disinfected to the
recipient on certain reasons for quarantining would be helpful (eg, we
notify recipients of large mails, but not executables or videos).

--
James Ogley, Unix Systems Administrator, Pinnacle Insurance Plc
Work: james.ogley@pinnacle.co.uk www.pinnacle.co.uk +44 (0) 20 8731 3619
Personal: james@rubberturnip.org.uk www.rubberturnip.org.uk
Updated GNOME RPMs for SuSE Linux: www.usr-local-bin.org

From mailscanner at ecs.soton.ac.uk Tue Dec 2 16:56:41 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:23 2006
Subject: Questions about how MailScanner deals with mails to be quarantined
In-Reply-To: <1070383714.1511.117.camel@jogley.pinnacle.co.uk>
References: <1070381356.1507.108.camel@jogley.pinnacle.co.uk> <6.0.1.1.2.20031202162219.03d68ec0@imap.ecs.soton.ac.uk> <1070383714.1511.117.camel@jogley.pinnacle.co.uk>
Message-ID: <6.0.1.1.2.20031202165429.036b3580@imap.ecs.soton.ac.uk>

At 16:48 02/12/2003, you wrote:
> > The individual "Report" lines in the mail to the sysadmin give the exact
> > reason the message was stopped.
>
>That much is certainly true :)
>
> > The Subject: line is always the same (just makes it easier to filter on). I
> > didn't really intend human beings to read every admin notification. Most
> > sysadmins don't have the time to read stuff like this anyway.
>
>Well, we tend to skim the subject lines, unless something looks like we
>need to attend to it, only then do we actually read the mail, and then
>to verify which machine sent it (we have multiple sweepers for
>resiliency). Obviously on MScanner, we'd include the machine name in
>our report mails :)
>
>Having the actual reason a mail was stopped in the Subject: line makes
>this a lot easier.

But there can be many reasons, often at least 3 (HTML exploit trying to
load a .pif which has a virus in it, for example). What then?

> > That's all down to what you put in the VirusWarning.txt file, which you
> > might well rename as well.
>
>I realise that, but it still delivers the rest of the mail, doesn't it?
>Also, there the option to only notify/deliver disinfected to the
>recipient on certain reasons for quarantining would be helpful (eg, we
>notify recipients of large mails, but not executables or videos).

But then what do you do with large executables? You have conflicting
requests, which is kinda hard to code.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From dot at DOTAT.AT Tue Dec 2 16:53:33 2003
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:21:23 2006
Subject: code audit?
In-Reply-To:
References: <3041D4D2B8A6F746AD9217BE05AE68C407BBCD@dc012.corpdsg.com> <200312021407.hB2E7d2Q012320@genesis.camaross.net> <200312021407.hB2E7d2Q012320@genesis.camaross.net>
Message-ID:

Julian Field wrote:
>
>Tony Finch at Cambridge University has gone through all of the code in very
>great detail, which resulted in several bug fixes and performance improvements.

I wouldn't quite go that far :-) I did not look at all the code in detail,
and I wasn't particularly looking out for security problems -- I don't
have the right kind of deviousness to spot them reliably.

Since MailScanner is written in Perl, buffer overflow bugs aren't a
problem, so security problems are more likely to be related to dodgy
filenames (but MailScanner sanitizes them) or denial-of-service (but
MailScanner uses timeouts to protect itself) or something else... (which
short list shows why I don't count myself as a security person).

Tony.
--
f.a.n.finch http://dotat.at/
SELSEY BILL TO LYME REGIS: NORTHEAST 3 OR 4, EASING VARIABLE 2 OR LESS.
NORTHEAST 4 LATER. RAIN, FAIR LATER. MODERATE OR GOOD, LATER GOOD. SMOOTH OR
SLIGHT.

From james.ogley at PINNACLE.CO.UK Tue Dec 2 17:07:31 2003
From: james.ogley at PINNACLE.CO.UK (James Ogley)
Date: Thu Jan 12 21:21:23 2006
Subject: Questions about how MailScanner deals with mails to be quarantined
In-Reply-To: <6.0.1.1.2.20031202165429.036b3580@imap.ecs.soton.ac.uk>
References: <1070381356.1507.108.camel@jogley.pinnacle.co.uk> <6.0.1.1.2.20031202162219.03d68ec0@imap.ecs.soton.ac.uk> <1070383714.1511.117.camel@jogley.pinnacle.co.uk> <6.0.1.1.2.20031202165429.036b3580@imap.ecs.soton.ac.uk>
Message-ID: <1070384850.1507.130.camel@jogley.pinnacle.co.uk>

[Disclaimer: I'm approaching this from the POV of how MAILsweeper does
it...]

> But there can be many reasons, often at least 3 (HTML exploit trying to
> load a .pif which has a virus in it, for example). What then?

Then the 'big' issue is that it's a virus.

> But then what do you do with large executables? You have conflicting
> requests, which is kinda hard to code.

MAILsweeper allows you to order by priority the things it scans for, so
in our case, large file checks come before executables, but after virii
(virus being the most important thing to check for, but once we're
confident it's not a virus-laden, we check the size, and if it's too
big, stop there so we don't have to load it into memory to check its
content again). If it's stopped, we examine the mail to determine
whether it should be released to the recipient, and part of that is
seeing it's an executable, and dealing accordingly with that
information.
--
James Ogley, Unix Systems Administrator, Pinnacle Insurance Plc
Work: james.ogley@pinnacle.co.uk www.pinnacle.co.uk +44 (0) 20 8731 3619
Personal: james@rubberturnip.org.uk www.rubberturnip.org.uk
Updated GNOME RPMs for SuSE Linux: www.usr-local-bin.org

From michel at SENTINIX.ORG Tue Dec 2 17:05:41 2003
From: michel at SENTINIX.ORG (Michel (by way of Michel ))
Date: Thu Jan 12 21:21:23 2006
Subject: SENTINIX Postfix+MailScanner+SpamAssassin
Message-ID: <200312021805.41300.michel@sentinix.org>

Hi!

First, thanks Julian for a great piece of software!!

I'm the project manager of SENTINIX (http://sentinix.org), a Linux distro that
includes Postfix with MailScanner and SpamAssassin.

An earlier thread mentioned problems with Postfix and MailScanner. I've read
about this elsewhere too, but never experienced any problem myself.

I do now consider changing MTA.... I'm originally a "Sendmail-guy" but would
like to test Exim or Zmailer before falling back to Sendmail (if). Julian
recommended Exim, so perhaps that's the logical choice?! *but*, I'm reading
about some local root exploits for, although earlier versions of, Exim, which
is why I'm hesitating. :)

If anyone of you MailScanner users would want to use a pre-configured
anti-virus & anti-spam e-mail system, what configuration would you want?

Preferred MTA? Exim or Zmailer or {insert favourite MTA} ?

Anyone got good/bad experience of Zmailer + MailScanner ( + SpamAssassin) ??
On a busy (1000+ e-mails per day) proxy/gateway or server?? Compared to
{insert favourite MTA} ?

Thanks!
--
Michel Blomgren
SENTINIX Project Manager
http://sentinix.org

From dh at UPTIME.AT Tue Dec 2 17:22:32 2003
From: dh at UPTIME.AT (David H.)
Date: Thu Jan 12 21:21:23 2006
Subject: SENTINIX Postfix+MailScanner+SpamAssassin
In-Reply-To: <200312021805.41300.michel@sentinix.org>
References: <200312021805.41300.michel@sentinix.org>
Message-ID: <3FCCCA58.6080600@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Michel (by way of Michel ) wrote:

> I do now consider changing MTA.... I'm originally a "Sendmail-guy" but would
> like to test Exim or Zmailer before falling back to Sendmail

I am a sendmail guy as well (and happy with it :P) but currently
evaluating Exim + MailScanner, which seems to work fine too.

(if). Julian
> recommended Exim, so perhaps that's the logical choice?! *but*, I'm reading
> about some local root exploits for, although earlier versions of, Exim, which
> is why I'm hesitating. :)

Is that Exim3 ?

>
> Preferred MTA? Exim or Zmailer or {insert favourite MTA} ?
>

I'd want
First Choice Sendmail + MailScanner (due to milter support)
Second Choice Exim + MailScanner

> Anyone got good/bad experience of Zmailer + MailScanner ( + SpamAssassin) ??
> On a busy (1000+ e-mails per day) proxy/gateway or server??

1000+ I would not call anywhere near busy ;) One of the Server we have
on sendmail+MailScanner does around 20K a day and is happy. But even
that is a laughable amount of daily mail.

- -d
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/zMpdPMoaMn4kKR4RA9ctAJ9P0Ttz87Lc7FG9hG7/emb2/toBTwCfYfF1
i+UAOeXBGUrsI9VipTC7pcw=
=qOvr
-----END PGP SIGNATURE-----

From michel at SENTINIX.ORG Tue Dec 2 17:31:32 2003
From: michel at SENTINIX.ORG (Michel)
Date: Thu Jan 12 21:21:23 2006
Subject: SENTINIX Postfix+MailScanner+SpamAssassin
In-Reply-To: <3FCCCA58.6080600@uptime.at>
References: <200312021805.41300.michel@sentinix.org> <3FCCCA58.6080600@uptime.at>
Message-ID: <200312021831.32477.michel@sentinix.org>

That should be 10000 (10k) :) but you get the point, all depends on the
processing power anyway... I meant if anyone has run Zmailer + MailScanner
absolutely stable on an active e-mail server for an extended period of time
without stopping it (say, a few months)?

/Michel

On Tuesday 02 December 2003 18:22, David H. wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> Michel (by way of Michel ) wrote:
>
> > I do now consider changing MTA.... I'm originally a "Sendmail-guy" but
> > would like to test Exim or Zmailer before falling back to Sendmail
>
> I am a sendmail guy as well (and happy with it :P) but currently
> evaluating Exim + MailScanner, which seems to work fine too.
>
>
> (if). Julian
>
> > recommended Exim, so perhaps that's the logical choice?! *but*, I'm
> > reading about some local root exploits for, although earlier versions of,
> > Exim, which is why I'm hesitating. :)
>
> Is that Exim3 ?
>
> > Preferred MTA? Exim or Zmailer or {insert favourite MTA} ?
>
> I'd want
> First Choice Sendmail + MailScanner (due to milter support)
> Second Choice Exim + MailScanner
>
> > Anyone got good/bad experience of Zmailer + MailScanner ( + SpamAssassin)
> > ?? On a busy (1000+ e-mails per day) proxy/gateway or server??
>
> 1000+ I would not call anywhere near busy ;) One of the Server we have
> on sendmail+MailScanner does around 20K a day and is happy. But even
> that is a laughable amount of daily mail.
>
>
> - -d
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (Darwin)
>
> iD8DBQE/zMpdPMoaMn4kKR4RA9ctAJ9P0Ttz87Lc7FG9hG7/emb2/toBTwCfYfF1
> i+UAOeXBGUrsI9VipTC7pcw=
> =qOvr
> -----END PGP SIGNATURE-----

From dbird at SGHMS.AC.UK Tue Dec 2 19:30:07 2003
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:21:23 2006
Subject: AOL blocking MailScanner messages!
Message-ID: <3FCCE83F.7070500@sghms.ac.uk>

Dear all,
Apologies for the shock subject line, but it seems to be the case (at
least for our site;-).

Recently, we started seeing messages like:
2003-12-02 16:09:43 1ARD5c-0002Sm-Rm ** ******@aol.com <*****@aol.com>
R=dnslookup T=remote_smtp: SMTP error from remote mailer after end of
data: host mailin-03.mx.aol.com [64.12.137.152]: 554 TRANSACTION FAILED
554 AOL will not accept delivery of this message

in our Exim mail logs

After numerous emails to postmaster@aol.com (all replies were automated
"sorry for the inconvenience", "read this/that policy" types) I ended up
calling them (at international rates I might add!!!).

The 'helpful' gentleman on the end of the phone suggested turning off
any scanning software and retrying. Now, all I did was add the line

To: *@aol.com no

to /etc/MailScanner/rules/virus.scanning.rules

and restart.

After this change all was well and delivery started. The only
differences I can think of between the two emails that would have been
sent would be the omission of the X-MailScanner headers (apart from
X-MailScanner-: not scanned,etc )and a MailScanner signature

Looking at the error message they are rejecting on data content after
the initial SMTP connection so this makes me think (a hunch) they are
rejecting on X-MailScanner-xxxx : Found to be clean or other MailScanner
headers. (Sobig.F springs to mind!)

Has anyone else noticed this behavior from AOL on their MTA?

I have opened a ticket with their postmaster team to see if I can verify
the above assumptions. In the mean time I've left the virus scanning off
for AOL recipients.

Additionally, if they are blocking on "X-MailScanner-: Found
to be clean" I am wondering if it would be possible to customize the
"found to be clean message" as this would be the value in the
MailScanner headers from my 4 mail hubs that would be consistent.

Regards
Dan

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From chicks at CHICKS.NET Tue Dec 2 19:37:37 2003
From: chicks at CHICKS.NET (Christopher Hicks)
Date: Thu Jan 12 21:21:23 2006
Subject: AOL blocking MailScanner messages!
In-Reply-To: <3FCCE83F.7070500@sghms.ac.uk>
Message-ID:

On Tue, 2 Dec 2003, Daniel Bird wrote:
> In the mean time I've left the virus scanning off for AOL recipients.

hehehe. hohoho. They must want more viruses or something! I love it.

--

I would not, could not SAVE ON PHONE,
I would not, could not BUY YOUR LOAN,
I would not, could not MAKE MONEY FAST,    (by
I would not, could not SEND NO CA$H,        Matthew
I would not, could not SEE YOUR SITE,       Kennel)
I would not, could not EAT VEG-I-MITE,
I do *not* *like* GREEN CARDS AND SPAM!
Mad-I-Am!

From mailscanner at ecs.soton.ac.uk Tue Dec 2 19:39:53 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:23 2006
Subject: AOL blocking MailScanner messages!
In-Reply-To: <3FCCE83F.7070500@sghms.ac.uk>
References: <3FCCE83F.7070500@sghms.ac.uk>
Message-ID: <6.0.1.1.2.20031202193821.03de5fd0@imap.ecs.soton.ac.uk>

At 19:30 02/12/2003, you wrote:
>Additionally, if they are blocking on "X-MailScanner-: Found
>to be clean" I am wondering if it would be possible to customize the
>"found to be clean message" as this would be the value in the
>MailScanner headers from my 4 mail hubs that would be consistent.

This can already be done. Assign a ruleset to the
         Clean Header Value
configuration option in MailScanner.conf.

AOL move in mysterious ways :-(
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mike at TC3NET.COM Tue Dec 2 19:40:04 2003
From: mike at TC3NET.COM (Michael Baird)
Date: Thu Jan 12 21:21:23 2006
Subject: AOL blocking MailScanner messages!
In-Reply-To: <3FCCE83F.7070500@sghms.ac.uk>
References: <3FCCE83F.7070500@sghms.ac.uk>
Message-ID: <1070394004.5205.83.camel@mike-new2.tc3net.com>

No such problems here, MailScanner 4.25-9, on linux.

to=, ctladdr= (22724/111), delay=00:00:30, xdelay=00:00:18,
mailer=esmtp, pri=120420, relay=mailin-04.mx.aol.com. [64.12.138.152],
dsn=2.0.0, stat=Sent (OK)

Regards
MIKE

> Dear all,
> Apologies for the shock subject line, but it seems to be the case (at
> least for our site;-).
>
> Recently, we started seeing messages like:
> 2003-12-02 16:09:43 1ARD5c-0002Sm-Rm ** ******@aol.com <*****@aol.com>
> R=dnslookup T=remote_smtp: SMTP error from remote mailer after end of
> data: host mailin-03.mx.aol.com [64.12.137.152]: 554 TRANSACTION FAILED
> 554 AOL will not accept delivery of this message
>
> in our Exim mail logs
>
> After numerous emails to postmaster@aol.com (all replies were automated
> "sorry for the inconvenience", "read this/that policy" types) I ended up
> calling them (at international rates I might add!!!).
>
> The 'helpful' gentleman on the end of the phone suggested turning off
> any scanning software and retrying. Now, all I did was add the line
>
> To: *@aol.com no
>
> to /etc/MailScanner/rules/virus.scanning.rules
>
> and restart.
>
> After this change all was well and delivery started. The only
> differences I can think of between the two emails that would have been
> sent would be the omission of the X-MailScanner headers (apart from
> X-MailScanner-: not scanned,etc )and a MailScanner signature
>
> Looking at the error message they are rejecting on data content after
> the initial SMTP connection so this makes me think (a hunch) they are
> rejecting on X-MailScanner-xxxx : Found to be clean or other MailScanner
> headers. (Sobig.F springs to mind!)
>
> Has anyone else noticed this behavior from AOL on their MTA?
>
> I have opened a ticket with their postmaster team to see if I can verify
> the above assumptions. In the mean time I've left the virus scanning off
> for AOL recipients.
>
> Additionally, if they are blocking on "X-MailScanner-: Found
> to be clean" I am wondering if it would be possible to customize the
> "found to be clean message" as this would be the value in the
> MailScanner headers from my 4 mail hubs that would be consistent.
>
> Regards
> Dan
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>

From dbird at SGHMS.AC.UK Tue Dec 2 20:01:32 2003
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:21:23 2006
Subject: AOL blocking MailScanner messages!
In-Reply-To: <6.0.1.1.2.20031202193821.03de5fd0@imap.ecs.soton.ac.uk>
References: <3FCCE83F.7070500@sghms.ac.uk> <6.0.1.1.2.20031202193821.03de5fd0@imap.ecs.soton.ac.uk>
Message-ID: <3FCCEF9C.3070806@sghms.ac.uk>

Julian Field wrote:

> At 19:30 02/12/2003, you wrote:
>
>> Additionally, if they are blocking on "X-MailScanner-: Found
>> to be clean" I am wondering if it would be possible to customize the
>> "found to be clean message" as this would be the value in the
>> MailScanner headers from my 4 mail hubs that would be consistent.
>
>
> This can already be done. Assign a ruleset to the
> Clean Header Value
> configuration option in MailScanner.conf.

Thanks Julian, don't know how I missed that one. I must need glasses ;-)

>
> AOL move in mysterious ways :-(

Indeed they do!
Has anyone read their "mail acceptance" policies? Absolute nightmare!

Anyhow, I changed the "Found to be clean" value to "No virueses
detected" and turned on the virus scanning. My MTA now looks like it's
delivering to AOL, virus scanned and all!.

Thanks again.
Dan

> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mailscanner at ecs.soton.ac.uk Tue Dec 2 20:06:19 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:24 2006
Subject: AOL blocking MailScanner messages!
In-Reply-To: <3FCCE83F.7070500@sghms.ac.uk>
References: <3FCCE83F.7070500@sghms.ac.uk>
Message-ID: <6.0.1.1.2.20031202200450.027f3d30@imap.ecs.soton.ac.uk>

I have just tested this and found it not to be true:

220-rly-yb03.mx.aol.com ESMTP mail_relay_in-yb3.3; Tue, 02 Dec 2003
15:01:11 -0500
220-America Online (AOL) and its affiliated companies do not
220- authorize the use of its proprietary computers and computer
220- networks to accept, transmit, or distribute unsolicited bulk
220- e-mail sent from the internet. Effective immediately: AOL
220- may no longer accept connections from IP addresses which
220 have no reverse-DNS (PTR record) assigned.
HELO mailscanner.biz
250 rly-yb03.mx.aol.com OK
MAIL from:
250 OK
RCPT to:
250 OK
DATA
354 START MAIL INPUT, END WITH "." ON A LINE BY ITSELF
From: jules@jules.fm
To: steve1@aol.com
Date: Tue, 2 Dec 2003 18:33:41 +0000
Subject: This is a test message
X-MailScanner: Found to be clean

This is a test message. Please delete me.
--
Jules
.
250 OK

which appears to say it has accepted the message.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Dec 2 20:19:32 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:24 2006
Subject: Virus scanners and universities
In-Reply-To: <1070395964.18455.35.camel@cis-staff-kntx90.cis.brown.edu>
References: <1070395964.18455.35.camel@cis-staff-kntx90.cis.brown.edu>
Message-ID: <6.0.1.1.2.20031202201752.03f5fe78@imap.ecs.soton.ac.uk>

At 20:12 02/12/2003, you wrote:
>Hi all,
>         I'm looking for some info on what other universities and colleges are
>doing in the MS/virus scanning area.
>
>         We (Brown University, USA) are using MS and hacked in support for
>Symantec Scan Engine. Cost issues are starting to creep in again and we
>want to know what some other options are. We love MS and just wanna
>know what the virus scanners cost you (total or per
>address/user/FTE/whatever)

ClamAV is free and open source, and is remarkably good.
eTrust from Computer Associates (www.ca.com) is only $129 per server.
Norman (www.norman.de) is free for non-commercial use.
Sophos have extremely good educational discounts.

Start with those...
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From dnsadmin at 1BIGTHINK.COM Tue Dec 2 20:28:16 2003
From: dnsadmin at 1BIGTHINK.COM (DNSAdmin)
Date: Thu Jan 12 21:21:24 2006
Subject: AOL blocking MailScanner messages!
In-Reply-To: <6.0.1.1.2.20031202200450.027f3d30@imap.ecs.soton.ac.uk>
References: <3FCCE83F.7070500@sghms.ac.uk> <3FCCE83F.7070500@sghms.ac.uk>
Message-ID: <5.2.1.1.0.20031202152704.04d31ed8@mail.1bigthink.com>

At 08:06 PM 12/2/2003 +0000, you wrote:
>I have just tested this and found it not to be true:
>
>220-rly-yb03.mx.aol.com ESMTP mail_relay_in-yb3.3; Tue, 02 Dec 2003
>15:01:11 -0500
>220-America Online (AOL) and its affiliated companies do not
>220- authorize the use of its proprietary computers and computer
>220- networks to accept, transmit, or distribute unsolicited bulk
>220- e-mail sent from the internet. Effective immediately: AOL
>220- may no longer accept connections from IP addresses which
>220 have no reverse-DNS (PTR record) assigned.

Which means that you never had your reverse DNS correct, or maybe something
happened to it recently. Perhaps your upstream provider?

Cheers,
Glenn

>HELO mailscanner.biz
>250 rly-yb03.mx.aol.com OK
>MAIL from:
>250 OK
>RCPT to:
>250 OK
>DATA
>354 START MAIL INPUT, END WITH "." ON A LINE BY ITSELF
>From: jules@jules.fm
>To: steve1@aol.com
>Date: Tue, 2 Dec 2003 18:33:41 +0000
>Subject: This is a test message
>X-MailScanner: Found to be clean
>
>This is a test message. Please delete me.
>--
>Jules
>.
>250 OK
>
>which appears to say it has accepted the message.
>--
>Julian Field
>www.MailScanner.info
>Professional Support Services at www.MailScanner.biz
>MailScanner thanks transtec Computers for their support
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From tduvally at BROWN.EDU Tue Dec 2 20:36:05 2003
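Added example, not part of any message in this archive and not MailScanner or Exim code: the AOL thread turns on the point in the SMTP dialogue at which the remote host refused the message. A refusal that Exim logs as "after end of data" came after the connection, sender and recipient had been accepted, which separates it from a connection-time policy such as the reverse-DNS notice in the 220 banner. The function names, stage labels and sample log lines below are constructed for illustration; the first sample line reuses the host and reply code from the log entry quoted in the thread.

```python
import re
from collections import Counter

# Exim main-log line for a failed ("**") or deferred ("==") delivery:
#   <date> <time> <msg-id> ** <rcpt> ... SMTP error from remote mailer
#   after <stage>: host <name> [<ip>]: <reply>
# Later Exim releases write "remote mail server" instead of "remote mailer".
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<msgid>\S+) (?P<flag>\*\*|==) (?P<rcpt>\S+).*?"
    r"SMTP error from remote mail(?:er| server) after (?P<stage>.+?): "
    r"host (?P<host>\S+) \[(?P<ip>[^\]]+)\]: (?P<reply>.*)$"
)

# Prefix of Exim's stage text -> label (the labels are this example's own).
STAGES = (
    ("initial connection", "connect"),
    ("helo", "greeting"),
    ("ehlo", "greeting"),
    ("mail from", "envelope-sender"),
    ("rcpt to", "envelope-recipient"),
    ("data", "data-command"),
    ("end of data", "content"),
)

# Constructed sample log (addresses and all hosts but the first are made up).
SAMPLE_LOG = """\
2003-12-02 16:09:43 1ARD5c-0002Sm-Rm ** user1@aol.com <user1@aol.com> R=dnslookup T=remote_smtp: SMTP error from remote mailer after end of data: host mailin-03.mx.aol.com [64.12.137.152]: 554 TRANSACTION FAILED
2003-12-02 16:11:02 1ARD7x-0002Tq-01 ** user2@example.net R=dnslookup T=remote_smtp: SMTP error from remote mailer after RCPT TO:<user2@example.net>: host mx.example.net [192.0.2.10]: 550 No such user
2003-12-02 16:12:30 1ARD9a-0002Uz-4K => user3@example.org R=dnslookup T=remote_smtp H=mx.example.org [192.0.2.20]
2003-12-02 16:14:51 1ARDBq-0002Vb-Qe ** user4@example.com R=dnslookup T=remote_smtp: SMTP error from remote mailer after initial connection: host mx.example.com [192.0.2.30]: 554 no reverse DNS
2003-12-02 16:15:10 1ARDCx-0002Wd-7T == user5@example.org R=dnslookup T=remote_smtp defer (-46): SMTP error from remote mailer after end of data: host mx2.example.org [192.0.2.40]: 451 try again later
"""


def classify_stage(stage_text):
    """Map Exim's 'after <stage>' text to a coarse SMTP phase label."""
    s = stage_text.lower()
    if s.startswith("pipelined "):
        s = s[len("pipelined "):]
    for prefix, label in STAGES:
        if s.startswith(prefix):
            return label
    return "other"


def triage(lines):
    """Return one record per remote SMTP rejection found in the log lines."""
    findings = []
    for line in lines:
        m = FAIL_RE.match(line.strip())
        if not m:
            continue  # successful deliveries and unrelated lines
        code = re.match(r"\d{3}", m.group("reply"))
        findings.append({
            "time": m.group("ts"),
            "msgid": m.group("msgid"),
            "permanent": m.group("flag") == "**",
            "host": m.group("host"),
            "ip": m.group("ip"),
            "stage": classify_stage(m.group("stage")),
            "code": code.group(0) if code else None,
            "reply": m.group("reply"),
        })
    return findings


def content_rejects_by_host(lines):
    """Count permanent rejections issued only after the message body was sent.

    These are the ones worth comparing against what the scanner added
    (headers, signature); connect-stage refusals point at the sending IP.
    """
    return Counter(
        f["host"] for f in triage(lines)
        if f["stage"] == "content" and f["permanent"]
    )


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        kind = "reject" if f["permanent"] else "defer"
        print(f'{f["time"]} {f["host"]:<24} {f["stage"]:<19} {kind} {f["code"]}')
    print(dict(content_rejects_by_host(SAMPLE_LOG.splitlines())))
```
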
From: tduvally at BROWN.EDU (Thomas DuVally)
Date: Thu Jan 12 21:21:24 2006
Subject: Virus scanners and universities
In-Reply-To: <6.0.1.1.2.20031202201752.03f5fe78@imap.ecs.soton.ac.uk>
References: <1070395964.18455.35.camel@cis-staff-kntx90.cis.brown.edu> <6.0.1.1.2.20031202201752.03f5fe78@imap.ecs.soton.ac.uk>
Message-ID: <1070397364.18455.67.camel@cis-staff-kntx90.cis.brown.edu>

On Tue, 2003-12-02 at 15:19, Julian Field wrote:
> At 20:12 02/12/2003, you wrote:
> >Hi all,
> >         I'm looking for some info on what other universities and colleges are
> >doing in the MS/virus scanning area.
> >
> >         We (Brown University, USA) are using MS and hacked in support for
> >Symantec Scan Engine. Cost issues are starting to creep in again and we
> >want to know what some other options are. We love MS and just wanna
> >know what the virus scanners cost you (total or per
> >address/user/FTE/whatever)
>
> ClamAV is free and open source, and is remarkably good.
> eTrust from Computer Associates (www.ca.com) is only $129 per server.

I was not aware that MS supported eTrust. I don't see any documentation
anywhere. Which version did that start in?

> Norman (www.norman.de) is free for non-commercial use.
> Sophos have extremely good educational discounts.
>
> Start with those...
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
--
Thomas J. DuVally
Lead Systems Prog.
CIS, Brown Univ.

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x15F233F6
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031202/9c4bf53f/attachment.bin

From dustin.baer at IHS.COM Tue Dec 2 20:34:11 2003
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:21:24 2006
Subject: AOL blocking MailScanner messages!
References: <3FCCE83F.7070500@sghms.ac.uk> <6.0.1.1.2.20031202193821.03de5fd0@imap.ecs.soton.ac.uk> <3FCCEF9C.3070806@sghms.ac.uk>
Message-ID: <3FCCF743.3D8ABFC6@ihs.com>

Daniel Bird wrote:
>
> Julian Field wrote:
>
> > AOL move in mysterious ways :-(
>
> Indeed they do!
> Has anyone read their "mail acceptance" policies? Absolute nightmare!

Which is why they are listed on two rfc-ignorant lists:

http://www.rfc-ignorant.org/tools/lookup.php?domain=aol.com

Dustin

From tduvally at BROWN.EDU Tue Dec 2 20:12:45 2003
From: tduvally at BROWN.EDU (Thomas DuVally)
Date: Thu Jan 12 21:21:24 2006
Subject: Virus scanners and universities
Message-ID: <1070395964.18455.35.camel@cis-staff-kntx90.cis.brown.edu>

Hi all,
        I'm looking for some info on what other universities and colleges are
doing in the MS/virus scanning area.

        We (Brown University, USA) are using MS and hacked in support for
Symantec Scan Engine. Cost issues are starting to creep in again and we
want to know what some other options are. We love MS and just wanna
know what the virus scanners cost you (total or per
address/user/FTE/whatever)

Thanks!
--
Thomas J. DuVally
Lead Systems Prog.
CIS, Brown Univ.

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x15F233F6
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031202/f6d18da2/attachment.bin

From mailscanner at ecs.soton.ac.uk Tue Dec 2 20:55:52 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:24 2006
Subject: Virus scanners and universities
In-Reply-To: <1070397364.18455.67.camel@cis-staff-kntx90.cis.brown.edu>
References: <1070395964.18455.35.camel@cis-staff-kntx90.cis.brown.edu> <6.0.1.1.2.20031202201752.03f5fe78@imap.ecs.soton.ac.uk> <1070397364.18455.67.camel@cis-staff-kntx90.cis.brown.edu>
Message-ID: <6.0.1.1.2.20031202205456.040e55f0@imap.ecs.soton.ac.uk>

At 20:36 02/12/2003, you wrote:

>*** PGP SIGNATURE VERIFICATION ***
>*** Status: Good Signature from Invalid Key
>*** Alert: Please verify signer's key before trusting signature.
>*** Signer: Thomas J. Du Vally (0x15F233F6)
>*** Signed: 02/12/2003 20:36:03
>*** Verified: 02/12/2003 20:53:28
>*** BEGIN PGP VERIFIED MESSAGE ***
>
>On Tue, 2003-12-02 at 15:19, Julian Field wrote:
> > At 20:12 02/12/2003, you wrote:
> > >Hi all,
> > >         I'm looking for some info on what other universities and
> colleges are
> > >doing in the MS/virus scanning area.
> > >
> > >         We (Brown University, USA) are using MS and hacked in support for
> > >Symantec Scan Engine. Cost issues are starting to creep in again and we
> > >want to know what some other options are. We love MS and just wanna
> > >know what the virus scanners cost you (total or per
> > >address/user/FTE/whatever)
> >
> > ClamAV is free and open source, and is remarkably good.
> > eTrust from Computer Associates (www.ca.com) is only $129 per server.
>
>I was not aware that MS supported eTrust. I don't see any documentation
>anywhere. Which version did that start in?

4.23.
I need to write an up-to-date feature list, including all the supported
scanners and all the major features I have added since the first release of
4.00.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Dec 3 01:02:45 2003
From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk)
Date: Thu Jan 12 21:21:24 2006
Subject: NOTIFY-New Guestbook Entry
Message-ID: <200312030102.hB312j8Z029970@seer.ecs.soton.ac.uk>

New Guestbook-Entry from Paul

Thanks for a tool that is a cinch to setup and works very well

From res at AUSICS.NET Tue Dec 2 21:16:34 2003
From: res at AUSICS.NET (Res)
Date: Thu Jan 12 21:21:24 2006
Subject: AOL blocking MailScanner messages!
In-Reply-To: <3FCCE83F.7070500@sghms.ac.uk>
References: <3FCCE83F.7070500@sghms.ac.uk>
Message-ID:

On Tue, 2 Dec 2003, Daniel Bird wrote:

>
> To: *@aol.com no
>
> to /etc/MailScanner/rules/virus.scanning.rules
>
> and restart.
>
> After this change all was well and delivery started. The only

AOL are renowned for stopping people trying to stop their customers from
spa.. errr mailing out and have all these mystical policies, but when it
comes to acting on their own spammers they never do, we have blocked aol
here totally for a year, and it's all been good :)

--
Regards,
Res
Network Administrator
Postmaster / Abusemaster / Flamemaster
http://www.ausics.net Australian Hosting Services

From res at AUSICS.NET Tue Dec 2 21:19:06 2003
From: res at AUSICS.NET (Res)
Date: Thu Jan 12 21:21:24 2006
Subject: AOL blocking MailScanner messages!
In-Reply-To: <6.0.1.1.2.20031202200450.027f3d30@imap.ecs.soton.ac.uk>
References: <3FCCE83F.7070500@sghms.ac.uk> <6.0.1.1.2.20031202200450.027f3d30@imap.ecs.soton.ac.uk>
Message-ID:

On Tue, 2 Dec 2003, Julian Field wrote:

> 220- e-mail sent from the internet. Effective immediately: AOL

So they DO have a policy about their customers are allowed to send spam :)

>

--
Regards,
Res
Network Administrator
Postmaster / Abusemaster / Flamemaster
http://www.ausics.net Australian Hosting Services

From hermit921 at YAHOO.COM Tue Dec 2 21:19:47 2003
From: hermit921 at YAHOO.COM (hermit921)
Date: Thu Jan 12 21:21:24 2006
Subject: Sophos updates
In-Reply-To: <6.0.1.1.2.20031128111939.0383b578@imap.ecs.soton.ac.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3AD@jessica.herefords hire.gov.uk> <0EBC45FCABFC95428EBFC3A51B368C9501C9C3AD@jessica.herefordshire.gov.uk>
Message-ID: <5.1.0.14.2.20031202131729.01cd84e8@pop.mail.yahoo.com>

Does the automatic Sophos updating process installed with MailScanner
include engine updates or just new virus signatures?

The mail logs show new Sophos ide files every hour on most days. Are virus
signatures updated that often or is this an artifact of the update script?

hermit921

From jaearick at COLBY.EDU Tue Dec 2 21:23:18 2003
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:21:24 2006
Subject: clamavmodule and 4.25-14
Message-ID:

Setup: Solaris 9, perl 5.8.2, MS 4.25-14, ClamAV 0.65 installed in /opt/clamav-0.65, with a symlink clamav->clamav-0.65. The "clamav" module in "Virus scanners" works just fine, with the directory "/opt/clamav" specified for clamav in virus.scanners.conf. No problems.

So I want to use clamavmodule instead. I couldn't get Mail-ClamAV-0.04 to build properly until the author clued me into how to specify non-standard clam locations. See FAQ

http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/242.html

So, with Mail-ClamAV-0.04 installed, I try clamavmodule. I get the syslog complaint:

None of the files matched by the "Monitors For ClamAV Updates" patterns exist!

from lib/MailScanner/SweepViruses.pm. What's wrong??

From jstuart at EDENPR.K12.MN.US Tue Dec 2 21:27:42 2003
From: jstuart at EDENPR.K12.MN.US (Joe Stuart)
Date: Thu Jan 12 21:21:24 2006
Subject: .hoststat
Message-ID:

Hi,
I'm running mailscanner with postfix on suse linux and whenever I start Mailscanner up it starts as a defunct process and the maillog keeps printing this and I can't find any info in the net.

MailScanner[5588]: Cannot open dir .hoststat when finding depth

Any help is appreciated
Thanks

From kodak at FRONTIERHOMEMORTGAGE.COM Tue Dec 2 21:27:25 2003
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki)
Date: Thu Jan 12 21:21:24 2006
Subject: Sophos updates
In-Reply-To: <5.1.0.14.2.20031202131729.01cd84e8@pop.mail.yahoo.com>
Message-ID: <005101c3b91b$14cf6ea0$0501a8c0@darkside>

>Does the automatic Sophos updating process installed with MailScanner
>include engine updates or just new virus signatures?

MailScanner only updates the ide files. You can use a script called MajorSophos to download the engine, then run the Sophos.install script included with MS. I run it all from cron on a monthly basis.

>The mail logs show new Sophos ide files every hour on most
>days. Are virus
>signatures updated that often or is this an artifact of the
>update script?

In my experience, Sophos updates frequently, but to answer the question I think you're asking: no, it's probably not Sophos updating every hour. The autoupdate script does check every hour, and AFAIK, it reports a successful update whether you needed the update or not -- that's what you're seeing in your logs.

You can find MajorSophos here:
http://www.tippingmar.com/majorsophos/

--J(K)

From dbird at SGHMS.AC.UK Tue Dec 2 21:26:32 2003
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:21:24 2006
Subject: AOL blocking MailScanner messages!
In-Reply-To: <6.0.1.1.2.20031202200450.027f3d30@imap.ecs.soton.ac.uk>
References: <3FCCE83F.7070500@sghms.ac.uk> <6.0.1.1.2.20031202200450.027f3d30@imap.ecs.soton.ac.uk>
Message-ID: <3FCD0388.3070201@sghms.ac.uk>

Julian Field wrote:

> 250 OK
> R
> which appears to say it has accepted the message.

Indeed, if I do the same it appears to be accepted for me also. Like I said earlier, this was all based on an assumption. To make things even more weird, I checked back thru our logs and found **some** of AOL's relays were accepting mail and some weren't.

I've changed the Cleaned header back to "Found to be clean" in MailScanner.conf, and checked it. It works as expected, i.e. mail gets through. It's all very strange. I haven't had anything from AOL support as yet, but I did give them my mail relay IP's earlier so maybe they've white listed me?? :-)

I'll leave as is for now and see how we get on, but I'll let you know if I find out any more info.

Dan

> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From jase at SENSIS.COM Tue Dec 2 21:29:15 2003
From: jase at SENSIS.COM (Desai, Jason)
Date: Thu Jan 12 21:21:24 2006
Subject: AOL blocking MailScanner messages!
Message-ID:

Does your site-name have any weird characters in it? Maybe an underscore or something else? They could be blocking email based on what they think is an invalid header.

Jason

> -----Original Message-----
> From: Daniel Bird [mailto:dbird@SGHMS.AC.UK] > Sent: Tuesday, December 02, 2003 2:30 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: [MAILSCANNER] AOL blocking MailScanner messages! > > > Dear all, > Apologies for the shock subject line, but it seems to be the case (at > least for our site;-). > > Recently, we started seeing messages like: > 2003-12-02 16:09:43 1ARD5c-0002Sm-Rm ** ******@aol.com <*****@aol.com> > R=dnslookup T=remote_smtp: SMTP error from remote mailer after end of > data: host mailin-03.mx.aol.com [64.12.137.152]: 554 > TRANSACTION FAILED > 554 AOL will not accept delivery of this message > > in our Exim mail logs > > After numerous emails to postmaster@aol.com (all replys were automated > "sorry for the inconvenience", "read this/that policy" types) > I ended up > calling them (at international rates I might add!!!). > > The 'helpful' gentleman on the end of the phone suggested turning off > any scanning software and retrying. Now, all I did was add the line > > To: *@aol.com no > > to /etc/MailScanner/rules/virus.scanning.rules > > and restart. > > After this change all was well and delivery started. The only > differences I can think of between the two emails that would have been > sent would be the omission of the X-MailScanner headers (apart from > X-MailScanner-: not scanned,etc )and a MailScanner > signature > > Looking at the error message they are rejecting on data content after > the initial SMTP connection so this makes me think (a hunch) they are > rejecting on X-MailScanner-xxxx : Found to be clean or other > MailScanner > headers. (Sobig.F springs to mind!) > > Has anyone else noticed this behavior from AOL on their MTA? > > I have opened a ticket with their postmaster team to see if I > can verify > the above assumptions. In the mean time I've left the virus > scanning off > for AOL recipients. 
> > Additionally, if they are blocking on > "X-MailScanner-: Found > to be clean" I am wondering if it would be possible to customize the > "found to be clean message" as this would be the value in the > MailScanner headers from my 4 mail hubs that would be consistent. > > Regards > Dan > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > From dbird at SGHMS.AC.UK Tue Dec 2 21:31:54 2003 From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:21:24 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: References: Message-ID: <3FCD04CA.6000009@sghms.ac.uk> Desai, Jason wrote: >Does your site-name have any weird characters in it? Maybe an underscore or >something else? They could be blocking email based on what they thing is an >invalid header. > > nope, just MH then 1 thru 4. Dan >Jason > > > >>-----Original Message----- 
>>From: Daniel Bird [mailto:dbird@SGHMS.AC.UK] >>Sent: Tuesday, December 02, 2003 2:30 PM >>To: MAILSCANNER@JISCMAIL.AC.UK >>Subject: [MAILSCANNER] AOL blocking MailScanner messages! >> >> >>Dear all, >>Apologies for the shock subject line, but it seems to be the case (at >>least for our site;-). >> >>Recently, we started seeing messages like: >>2003-12-02 16:09:43 1ARD5c-0002Sm-Rm ** ******@aol.com <*****@aol.com> >>R=dnslookup T=remote_smtp: SMTP error from remote mailer after end of >>data: host mailin-03.mx.aol.com [64.12.137.152]: 554 >>TRANSACTION FAILED >>554 AOL will not accept delivery of this message >> >>in our Exim mail logs >> >>After numerous emails to postmaster@aol.com (all replys were automated >>"sorry for the inconvenience", "read this/that policy" types) >>I ended up >>calling them (at international rates I might add!!!). >> >>The 'helpful' gentleman on the end of the phone suggested turning off >>any scanning software and retrying. Now, all I did was add the line >> >>To: *@aol.com no >> >>to /etc/MailScanner/rules/virus.scanning.rules >> >>and restart. >> >>After this change all was well and delivery started. The only >>differences I can think of between the two emails that would have been >>sent would be the omission of the X-MailScanner headers (apart from >>X-MailScanner-: not scanned,etc )and a MailScanner >>signature >> >>Looking at the error message they are rejecting on data content after >>the initial SMTP connection so this makes me think (a hunch) they are >>rejecting on X-MailScanner-xxxx : Found to be clean or other >>MailScanner >>headers. (Sobig.F springs to mind!) >> >>Has anyone else noticed this behavior from AOL on their MTA? >> >>I have opened a ticket with their postmaster team to see if I >>can verify >>the above assumptions. In the mean time I've left the virus >>scanning off >>for AOL recipients. 
>> >>Additionally, if they are blocking on >>"X-MailScanner-: Found >>to be clean" I am wondering if it would be possible to customize the >>"found to be clean message" as this would be the value in the >>MailScanner headers from my 4 mail hubs that would be consistent. >> >>Regards >>Dan >> >> >>-- >>This message has been scanned for viruses and >>dangerous content by MailScanner, and is >>believed to be clean. >> >> >> > > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From dwinkler at ALGORITHMICS.COM Tue Dec 2 21:32:45 2003 From: dwinkler at ALGORITHMICS.COM (Derek Winkler) Date: Thu Jan 12 21:21:24 2006 Subject: Sophos updates Message-ID: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B0BD@tormail2.algorithmics.com> You don't experience any problems running Sophos.install while MailScanner/Sophos are running? No uninstall necessary? Thanks, Derek Winkler Security Administrator Algorithmics Inc., Toronto Tel: (416) 217-4107 Fax: (416) 971-6263 www.algorithmics.com -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Jason Balicki
Sent: Tuesday, December 02, 2003 4:27 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Sophos updates

>Does the automatic Sophos updating process installed with MailScanner
>include engine updates or just new virus signatures?

MailScanner only updates the ide files. You can use a script called MajorSophos to download the engine, then run the Sophos.install script included with MS. I run it all from cron on a monthly basis.

>The mail logs show new Sophos ide files every hour on most
>days. Are virus
>signatures updated that often or is this an artifact of the
>update script?

In my experience, Sophos updates frequently, but to answer the question I think you're asking: no, it's probably not Sophos updating every hour. The autoupdate script does check every hour, and AFAIK, it reports a successful update whether you needed the update or not -- that's what you're seeing in your logs.

You can find MajorSophos here:
http://www.tippingmar.com/majorsophos/

--J(K)

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Dec 2 21:37:36 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:21:24 2006
Subject: ANNOUNCE: Bug fix release 4.25-14 / FreeBSD port
Message-ID:

I just upgraded the MailScanner port to 4.25-14. The PR is on its way but since there is a ports freeze at the moment you should rather download it at www.mailscanner.info or here

http://www.seceidos.de/downloads/freebsd/ports/MailScanner.tgz

Have fun.

Regards,
JP

From kodak at FRONTIERHOMEMORTGAGE.COM Tue Dec 2 21:44:20 2003
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki)
Date: Thu Jan 12 21:21:24 2006
Subject: Sophos updates
In-Reply-To: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B0BD@tormail2.algorithmics.com>
Message-ID: <005401c3b91d$71b8ea40$0501a8c0@darkside>

>You don't experience any problems running Sophos.install while MailScanner/Sophos are running?
>No uninstall necessary?

I've never had a problem BEFORE. But now that YOU'VE said something....

Seriously, no. I run in place upgrades all the time -- Sophos.install will reload MS I believe.

--J(K)

From hermit921 at YAHOO.COM Tue Dec 2 21:56:42 2003
From: hermit921 at YAHOO.COM (hermit921)
Date: Thu Jan 12 21:21:24 2006
Subject: Sophos updates
In-Reply-To: <005101c3b91b$14cf6ea0$0501a8c0@darkside>
References: <5.1.0.14.2.20031202131729.01cd84e8@pop.mail.yahoo.com>
Message-ID: <5.1.0.14.2.20031202135416.01d4b130@pop.mail.yahoo.com>

At 01:27 PM 12/2/2003, Jason Balicki wrote:
> >Does the automatic Sophos updating process installed with MailScanner
> >include engine updates or just new virus signatures?
>
>MailScanner only updates the ide files. You can use a script
>called MajorSophos to download the engine, then run the
>Sophos.install script included with MS. I run it all from
>cron on a monthly basis.
>
> >The mail logs show new Sophos ide files every hour on most
> >days. Are virus
> >signatures updated that often or is this an artifact of the
> >update script?
>
>In my experience, Sophos updates frequently, but to answer the
>question I think you're asking: no, it's probably not Sophos
>updating every hour. The autoupdate script does check every
>hour, and AFAIK, it reports a successful update whether you needed
>the update or not -- that's what you're seeing in your logs.
>
>You can find MajorSophos here:
>http://www.tippingmar.com/majorsophos/
>
>--J(K)

I see a new file (373_ides.zip) in /usr/local/Sophos/ide each time I check, not just the log entry. If the updates are really new files, that implies MailScanner is downloading new files every hour whether virus data is new or not.

hermit921

From nvargas at NICATECH.COM.NI Tue Dec 2 22:12:59 2003
From: nvargas at NICATECH.COM.NI (Noel Vargas)
Date: Thu Jan 12 21:21:24 2006
Subject: f-prot eicar test
Message-ID:

Thank you for your answer, but It seems not to be working, and followed the Install guide step by step. I would like to send the MailScanner.conf file to see what could be wrong. I tested f-prot and it runs fine.

From Kevin_Miller at CI.JUNEAU.AK.US Tue Dec 2 22:13:11 2003
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:21:24 2006 Subject: False positives Message-ID: <08146035CA49D6119A36009027AC822A0264EAC9@CITY-EXCH-NTS> Last week I upgraded SA to 2.6, and am catching a lot more spam, but I'm also getting a number of false positives, and what's just as weird, spam is being caught that doesn't add up to 5. The false positives are often negative numbers, the low scoring (but still caught) true positives are usually in the 3 - 4.99 range. At least the one's I've looked at. Spam Actions are: Spam Actions = forward Alphonse_Spamdog@mx.ci.juneau.ak.us delete High Scoring Spam Actions = forward Alphonse_Spamdog@mx.ci.juneau.ak.us delete I've also noticed that some, but not all, the notices to postmaster are being rerouted as spam too. I'm running Exchange on the inside. Anybody have any clues as to why/how a low scoring message would still be getting zapped? Here's the headers from one - as you can see, it scored a -19.9: Received: from mis-mxg-lnx.ci.juneau.ak.us (mail.ci.juneau.ak.us [199.58.55.24]) by city-exch-nts.ci.juneau.ak.us with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id YBVH5H42; Tue, 2 Dec 2003 00:34:00 -0900 Received: from abv-sfo1-acmta3.cnet.com (abv-sfo1-acmta3.cnet.com [206.16.1.138]) by mis-mxg-lnx.ci.juneau.ak.us (8.12.3/8.12.3/SuSE Linux 0.6) with SMTP id hB29Xtch004167 for ; Tue, 2 Dec 2003 00:33:56 -0900 Received: by abv-sfo1-acmta3.cnet.com (PowerMTA(TM) v2.0r1) id hphe88042i03; Tue, 2 Dec 2003 04:33:55 -0500 (envelope-from ) Message-ID: <2723353.1070357635567.JavaMail.accucast@206.16.1.138> Date: Tue, 2 Dec 2003 01:33:55 -0800 (PST) 
From: "Linux Tips at TechRepublic.com" Reply-To: CNET_Networks_#3.110928.3330383834353230@newsletters.online.com To: kevin_miller@ci.juneau.ak.us Subject: {Spam?} [TechRepublic] Find system holes with chkrootkit Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Mailer-Version: 3.5.3 build 710 X-Mailer: Accucast X-Accutrak: CNET_Networks_#3.110928.3330383834353230@newsletters.online.com X-MailScanner-Information: For more information see www . mailscanner . info X-CBJ-MailScanner: Found to be clean X-CBJ-MailScanner-SpamCheck: spam, spamcop.net, SpamAssassin (score=-19.9, required 5, BAYES_00, USER_IN_DEF_WHITELIST) Thanks... ...Kevin ------------------- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From mikea at MIKEA.ATH.CX Tue Dec 2 22:14:03 2003 
From: mikea at MIKEA.ATH.CX (mikea)
Date: Thu Jan 12 21:21:24 2006
Subject: (change request) Infected message came from
Message-ID: <20031202161403.A22204@mikea.ath.cx>

ClamAV gives me the following for each hit:

(stuff deleted) Virus Scanning: ClamAV found 1 infections
(stuff deleted) Infected message hB2LXjks045635 came from 192.149.244.18

which is well and good, as far as that goes: I got an infected message in the inbound mail, and ClamAV told MailScanner to quarantine it. I _love_ that.

But my MailScanner box is fed by our firewall's SMTP proxy, rather than seeing the other end of the SMTP conversation directly, and so the offending IP number always is the same, and I don't get to see who the real offender is.

Is there a handle that can be tweaked to run backwards down the chain of "Received:" headers, or the IP addresses in them, at this point? I see that the message is generated in MergeReports, which is called by ScanBatch after all the AV scanners have run, but I haven't dug deep enough into the code to see what handles are available at this time. I really need to go one "Received:" header back in the chain, to the one that set up the SMTP session with our SMTP proxy.

If possible, I'd _love_ to see something like

: Infected message hB2LXjks045635 came from 192.149.244.18
: which got it from 12.24.199.207
: which got it from 42.140.77.222
: which got it from 24.12.44.139

all the way back through all the "Received:" headers, but I can see how that might be _very_ difficult.

Oh, and I updated to MailScanner-4.25-13 today. It Just Works. But I've been saying that about MailScanner all along.

Thanks for a great product, Julian!

--
Mike Andrews
mikea@mikea.ath.cx
Tired old sysadmin

From Kevin at MICA.NET Tue Dec 2 22:16:48 2003
From: Kevin at MICA.NET (Kevin Hanser)
Date: Thu Jan 12 21:21:24 2006
Subject: False positives
Message-ID: <8B699873CEBA3543926B467E768082321A679A@sol.hq.mica.net>

Looks like spamcop.net is saying it's spam:

X-CBJ-MailScanner-SpamCheck: spam, spamcop.net, SpamAssassin (score=-19.9, required 5, BAYES_00, USER_IN_DEF_WHITELIST)

That first part that says "spam, spamcop.net" means that spamcop thinks it's spam. I don't really know how spamcop decides something is spam, however...

k

-----Original Message-----
From: Kevin Miller [mailto:Kevin_Miller@CI.JUNEAU.AK.US] Sent: Tuesday, December 02, 2003 17:13 To: MAILSCANNER@JISCMAIL.AC.UK Subject: False positives Last week I upgraded SA to 2.6, and am catching a lot more spam, but I'm also getting a number of false positives, and what's just as weird, spam is being caught that doesn't add up to 5. The false positives are often negative numbers, the low scoring (but still caught) true positives are usually in the 3 - 4.99 range. At least the one's I've looked at. Spam Actions are: Spam Actions = forward Alphonse_Spamdog@mx.ci.juneau.ak.us delete High Scoring Spam Actions = forward Alphonse_Spamdog@mx.ci.juneau.ak.us delete I've also noticed that some, but not all, the notices to postmaster are being rerouted as spam too. I'm running Exchange on the inside. Anybody have any clues as to why/how a low scoring message would still be getting zapped? Here's the headers from one - as you can see, it scored a -19.9: Received: from mis-mxg-lnx.ci.juneau.ak.us (mail.ci.juneau.ak.us [199.58.55.24]) by city-exch-nts.ci.juneau.ak.us with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id YBVH5H42; Tue, 2 Dec 2003 00:34:00 -0900 Received: from abv-sfo1-acmta3.cnet.com (abv-sfo1-acmta3.cnet.com [206.16.1.138]) by mis-mxg-lnx.ci.juneau.ak.us (8.12.3/8.12.3/SuSE Linux 0.6) with SMTP id hB29Xtch004167 for ; Tue, 2 Dec 2003 00:33:56 -0900 Received: by abv-sfo1-acmta3.cnet.com (PowerMTA(TM) v2.0r1) id hphe88042i03; Tue, 2 Dec 2003 04:33:55 -0500 (envelope-from ) Message-ID: <2723353.1070357635567.JavaMail.accucast@206.16.1.138> Date: Tue, 2 Dec 2003 01:33:55 -0800 (PST) 
From: "Linux Tips at TechRepublic.com" Reply-To: CNET_Networks_#3.110928.3330383834353230@newsletters.online.com To: kevin_miller@ci.juneau.ak.us Subject: {Spam?} [TechRepublic] Find system holes with chkrootkit Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Mailer-Version: 3.5.3 build 710 X-Mailer: Accucast X-Accutrak: CNET_Networks_#3.110928.3330383834353230@newsletters.online.com X-MailScanner-Information: For more information see www . mailscanner . info X-CBJ-MailScanner: Found to be clean X-CBJ-MailScanner-SpamCheck: spam, spamcop.net, SpamAssassin (score=-19.9, required 5, BAYES_00, USER_IN_DEF_WHITELIST) Thanks... ...Kevin ------------------- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From Kevin_Miller at CI.JUNEAU.AK.US Tue Dec 2 23:08:10 2003 From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:21:24 2006 Subject: False positives Message-ID: <08146035CA49D6119A36009027AC822A0264EAD1@CITY-EXCH-NTS> >-----Original Message----- 
>From: Kevin Hanser [mailto:Kevin@MICA.NET]
>Sent: Tuesday, December 02, 2003 1:17 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: False positives
>
>
>Look like spamcop.net is saying it's spam:
>
>X-CBJ-MailScanner-SpamCheck: spam, spamcop.net, SpamAssassin
>(score=-19.9,
> required 5, BAYES_00, USER_IN_DEF_WHITELIST)
>
>That first part that says "spam, spamcop.net" means that spamcop thinks
>it's spam. I don't really know how spamcop decides something is spam,
>however...

I was wondering about that, but I would expect that MS would just take that under advisement but depend on the total score but I'd never given it too much thought. I just took spamcop out of the mix, so we'll see how much difference it makes.

I have a .forward file in root's home dir, so any messages get routed to our main mail server. I guess all those virus and dangerous content messages must have gotten routed to spamcop.net before being delivered. Kinda funny, blacklisting myself. Go figure.

Thanks...

...Kevin
-------------------
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Administrator, Mail Administrator
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From michel at SENTINIX.ORG Tue Dec 2 23:08:47 2003
From: michel at SENTINIX.ORG (Michel)
Date: Thu Jan 12 21:21:24 2006
Subject: Arguments for Amavisd-new or MailScanner?
Message-ID: <200312030008.47682.michel@sentinix.org>

Hi!

As a long time MailScanner user and without any experience of AMAVISD-new, what are the arguments against using amavisd-new for, e.g. this config:

Sendmail + {AMAVISD-new,MailScanner} + SpamAssassin (+ ClamAV)

Postfix + Amavisd-new is, I know, without doubt the best combo, since it's using the Postfix content filter... but what about Sendmail and/or other MTAs?

(just trying to pick up some good arguments to say whenever I need to explain why I'm choosing MailScanner and not amavisd-new)

Thanks!

/Michel

From mkettler at EVI-INC.COM Tue Dec 2 23:21:43 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:21:24 2006
Subject: False positives
In-Reply-To: <8B699873CEBA3543926B467E768082321A679A@sol.hq.mica.net>
References: <8B699873CEBA3543926B467E768082321A679A@sol.hq.mica.net>
Message-ID: <6.0.0.22.0.20031202181222.0201de50@xanadu.evi-inc.com>

At 05:16 PM 12/2/2003, Kevin Hanser wrote:
>Look like spamcop.net is saying it's spam:
>
>X-CBJ-MailScanner-SpamCheck: spam, spamcop.net, SpamAssassin
>(score=-19.9,
> required 5, BAYES_00, USER_IN_DEF_WHITELIST)
>
>That first part that says "spam, spamcop.net" means that spamcop thinks
>it's spam. I don't really know how spamcop decides something is spam,
>however...

Spamcop is a straight "IP address block list" system. It's a semi-automated system based on spamtraps, and a few other things.

206.16.1.138 listed in bl.spamcop.net (127.0.0.2)
http://www.spamcop.net/w3m?action=checkblock&ip=206.16.1.138

From the looks of it, one of the spamcop spamtraps is subscribed to the CNN mailing lists. Due to the way modern viruses work, it's common for such accidental subscribes to occur if a mailing list simply subscribes *anyone* who sends *any* email to a given address.

Of course, any smart system should require at _least_ something like "subscribe" in the subject, and really should do confirmed opt-in.

From mkettler at EVI-INC.COM Tue Dec 2 23:25:45 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:21:24 2006
Subject: False positives
In-Reply-To: <08146035CA49D6119A36009027AC822A0264EAD1@CITY-EXCH-NTS>
References: <08146035CA49D6119A36009027AC822A0264EAD1@CITY-EXCH-NTS>
Message-ID: <6.0.0.22.0.20031202182327.0201d508@xanadu.evi-inc.com>

At 06:08 PM 12/2/2003, Kevin Miller wrote:
>I was wondering about that, but I would expect that MS would just take that
>under advisement but depend on the total score but I'd never given it too
>much thought. I just took spamcop out of the mix, so we'll see how much
>difference it makes.

If you configure MailScanner to use "spam lists" it WILL consider any message in them to be spam.

Basically at the MailScanner level, any of the spam detectors will flag a message as spam, just as any virus scanner firing off will flag a message as containing a virus.

If you want to use score-totaling type behaviors, disable all the spam lists in mailscanner, and enable DNSBLs in spamassassin (be sure to install Net::DNS). Spamassassin scores things, MailScanner does not.

From hermit921 at YAHOO.COM Tue Dec 2 23:33:51 2003
From: hermit921 at YAHOO.COM (hermit921)
Date: Thu Jan 12 21:21:24 2006
Subject: silent virus
In-Reply-To: <6.0.0.22.0.20031202182327.0201d508@xanadu.evi-inc.com>
References: <08146035CA49D6119A36009027AC822A0264EAD1@CITY-EXCH-NTS> <08146035CA49D6119A36009027AC822A0264EAD1@CITY-EXCH-NTS>
Message-ID: <5.1.0.14.2.20031202153109.01cc8eb0@pop.mail.yahoo.com>

I am testing the dropping of silent viruses. MailScanner 4.23 with postfix. The logs show the message arriving and being scanned (virus found), but nothing telling me the message was dropped. That is an important piece of information to me. Is there some way to add this to the maillog? Or is it already there and I just don't recognize it?

hermit921

From james at PCXPERIENCE.COM Wed Dec 3 00:23:19 2003
From: james at PCXPERIENCE.COM (James Pattie)
Date: Thu Jan 12 21:21:24 2006
Subject: Mailscanner with Debian 3 testing
In-Reply-To: <030101c3b8bf$607db020$a500010a@martinsss>
References: <052b01c3b803$01c0c890$a500010a@martinsss> <6.0.0.22.0.20031201093927.0251e1f0@mail.enhtech.com> <030101c3b8bf$607db020$a500010a@martinsss>
Message-ID: <3FCD2CF7.1030707@pcxperience.com>

Martins Smilga wrote:
| I installed mailscanner through aptitude and started reading
| /usr/share/doc/mailscanner but didn't find anything useful.
|
| I started reading in internet
|
|>(http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml)
|
| I made directory and stop at script, I can find where to change it.
|
| May be there is other way how to start working mailscanner with sendmail in
| Debian.
|

Have you searched the FAQ for Debian? There is a section that details the changes that need to be made to /etc/mail/sendmail.conf to get sendmail properly configured under Debian for MailScanner.

Then you just have to modify the MailScanner.conf file using the sendmail options.

--
James A. Pattie
james@pcxperience.com

Linux -- SysAdmin / Programmer
Xperience, Inc.
http://www.pcxperience.com/
http://www.xperienceinc.com/

GPG Key Available at http://www.pcxperience.com/gpgkeys/james.html

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
MailScanner thanks transtec Computers for their support.

From nathan at TCPNETWORKS.NET Wed Dec 3 03:49:18 2003
From: nathan at TCPNETWORKS.NET (Nathan Johanson) Date: Thu Jan 12 21:21:24 2006 Subject: Virus scanners and universities Message-ID: CA (etrust) is actually ~$129.00 for five node licenses. You could install it on five "servers" for that price. --Nathan -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Tuesday, December 02, 2003 12:20 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Virus scanners and universities At 20:12 02/12/2003, you wrote: >Hi all, > I'm looking for some info on what other universities and colleges are >doing in the MS/virus scanning area. > > We (Brown University, USA) are using MS and hacked in support for >Symantec Scan Engine. Cost issues are starting to creep in again and we >want to know what some other options are. We love MS and just wanna >know what the virus scanners cost you (total or per >address/user/FTE/whatever) ClamAV is free and open source, and is remarkably good. eTrust from Computer Associates (www.ca.com) is only $129 per server. Norman (www.norman.de) is free for non-commercial use. Sophos have extremely good educational discounts. Start with those... -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Dec 3 08:57:13 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:24 2006 Subject: clamavmodule and 4.25-14 In-Reply-To: References: Message-ID: <6.0.1.1.2.20031203085649.03b12a80@imap.ecs.soton.ac.uk> At 21:23 02/12/2003, you wrote: >Setup: Solaris 9, perl 5.8.2, MS 4.25-14, ClamAV 0.65 installed >in /opt/clamav-0.65, with a symlink clamav->clamav-0.65. The >"clamav" module in "Virus scanners" works just fine, with the >directory "/opt/clamav" specified for clamav in virus.scanners.conf. >No problems. > >So I want to use clamavmodule instead. I couldn't get >Mail-ClamAV-0.04 to build properly until the author clued me >into how to specify non-standard clam locations. See FAQ > >http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/242.html > >So, with Mail-ClamAV-0.04 installed, I try clamavmodule. I get >the syslog complaint: > >None of the files matched by the "Monitors For ClamAV Updates" >patterns exist! > >from lib/MailScanner/SweepViruses.pm. What's wrong?? Have you looked in MailScanner.conf for the setting "Monitors for clamav updates"? -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Dec 3 08:56:20 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:24 2006
Subject: Sophos updates
In-Reply-To: <5.1.0.14.2.20031202135416.01d4b130@pop.mail.yahoo.com>
References: <5.1.0.14.2.20031202131729.01cd84e8@pop.mail.yahoo.com> <5.1.0.14.2.20031202135416.01d4b130@pop.mail.yahoo.com>
Message-ID: <6.0.1.1.2.20031203085430.03ae3a30@imap.ecs.soton.ac.uk>

At 21:56 02/12/2003, you wrote:
>At 01:27 PM 12/2/2003, Jason Balicki wrote:
>> >Does the automatic Sophos updating process installed with MailScanner
>> >include engine updates or just new virus signatures?
>>
>>MailScanner only updates the ide files. You can use a script
>>called MajorSophos to download the engine, then run the
>>Sophos.install script included with MS. I run it all from
>>cron on a monthly basis.
>>
>> >The mail logs show new Sophos ide files every hour on most
>> >days. Are virus
>> >signatures updated that often or is this an artifact of the
>> >update script?
>>
>>In my experience, Sophos updates frequently, but to answer the
>>question I think you're asking: no, it's probably not Sophos
>>updating every hour. The autoupdate script does check every
>>hour, and AFAIK, it reports a successful update whether you needed
>>the update or not -- that's what you're seeing in your logs.
>>
>>You can find MajorSophos here:
>>http://www.tippingmar.com/majorsophos/
>>
>>--J(K)
>
>
>I see a new file (373_ides.zip) in /usr/local/Sophos/ide each time I check,
>not just the log entry. If the updates are really new files, that implies
>MailScanner is downloading new files every hour whether virus data is new
>or not.

It downloads the 373_ides.zip file every hour. It's a very small file. It doesn't necessarily contain any new files it hasn't seen before. But unless you remember the size of the file from a previous run of the script, there's no way to tell whether it actually contains any new files or not. So it always gets unpacked and installed, regardless.
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Dec 3 08:58:58 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:24 2006 Subject: .hoststat In-Reply-To: References: Message-ID: <6.0.1.1.2.20031203085759.03b086c0@imap.ecs.soton.ac.uk> At 21:27 02/12/2003, you wrote: >Hi, >I'm running mailscanner with postfix on suse linux and whenever I start >Mailscanner up it starts as a defunct process and the maillog keeps >printing this and I cant find any info in the net. > >MailScanner[5588]: Cannot open dir .hoststat when finding depth Your Postfix queues are set out strangely. It's not expecting to see a .hoststat file/dir when scanning for the directory hashing depth. If you delete .hoststat does it re-appear? -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Dec 3 09:06:50 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:24 2006 Subject: (change request) Infected message came from In-Reply-To: <20031202161403.A22204@mikea.ath.cx> References: <20031202161403.A22204@mikea.ath.cx> Message-ID: <6.0.1.1.2.20031203090532.03af95f8@imap.ecs.soton.ac.uk> SpamAssassin will check all the Received: headers, MailScanner doesn't. So just use the RBL rules within SpamAssassin, rather than the "Spam List" setting in MailScanner.conf. You might want to increase the scores on SA rules that are RBL checks, to make it behave more like using the "Spam List" setting. At 22:14 02/12/2003, you wrote: >ClamAV gives me the following for each hit: > >(stuff deleted) Virus Scanning: ClamAV found 1 infections >(stuff deleted) Infected message hB2LXjks045635 came from 192.149.244.18 > >which is well and good, as far as that goes: I got an infected message >in the inbound mail, and ClamAV told MailScanner to quarantine it. I >_love_ that. > >But my MailScanner box is fed by our firewall's SMTP proxy, rather >than seeing the other end of the SMTP conversation directly, and so >the offending IP number always is the same, and I don't get to see >who the real offender is. > >Is there a handle that can be tweaked to run backwards down the chain >of "Received:" headers, or the IP addresses in them, at this point? I >see that the message is generated in MergeReports, which is called by >ScanBatch after all the AV scanners have run, but I haven't dug deep >enough into the code to see what handles are available at this time. >I really need to go one "Received:" header back in the chain, to the >one that set up the SMTP session with our SMTP proxy. 
> >If possible, I'd _love_ to see something like >: Infected message hB2LXjks045635 came from 192.149.244.18 >: which got it from 12.24.199.207 >: which got it from 42.140.77.222 >: which got it from 24.12.44.139 >all the way back through all the "Received:" headers, but I can see >how that might be _very_ difficult. > > > >Oh, and I updated to MailScanner-4.25-13 today. It Just Works. But >I've been saying that about MailScanner all along. > >Thanks for a great product, Julian! > >-- >Mike Andrews >mikea@mikea.ath.cx >Tired old sysadmin -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From sb-list at CRI01.ORG Wed Dec 3 09:09:49 2003 From: sb-list at CRI01.ORG (Sylvain Blanc - CRI du Pays De Gex et du Bassin Bellegardien) Date: Thu Jan 12 21:21:24 2006 Subject: Mailscanner with Debian 3 testing References: <052b01c3b803$01c0c890$a500010a@martinsss> Message-ID: <06e501c3b97d$34b91060$6c01cac3@ccpaysdegex.fr> I use debian woody + sendmail + mailscanner 4.24 + f-prot + spamassassin In sendmail.conf change DAEMON_PARMS to DAEMON_PARMS="-ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in "; That's all for sendmail Configure your mailscanner.conf and uncomment the line run_mailscanner=1 in /etc/default/mailscanner restart sendmail restart mailscanner ----- Original Message ----- 
From: "Martins Smilga" To: Sent: Monday, December 01, 2003 1:02 PM Subject: Mailscanner with Debian 3 testing > Hello, > > May be someone have experience with mailscanner how to install on Debian > testing version. > > I have SpamAssassin + Sendmail. > > I installed mailscanner from aptitude, > I can not find any detailed documentation how to install mailscanner on > Debian with sendmail. > (http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml) > I can find where I can change these settings (script). > > May be there is other way how to put mailscanner + Debian+ sendmail > > > Martins > From pete at eatathome.com.au Wed Dec 3 12:51:14 2003
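Added example, not MailScanner code and not written by anyone in this thread: for the "(change request) Infected message came from" message earlier in this archive, one way to walk the Received: chain when the scanner sits behind a trusted SMTP proxy. The headers are constructed around the queue id and addresses quoted in that post; the host names, dates and function names are assumptions. Only hops recorded by your own relays are reliable, so older ones are marked unverified.

```python
import email
import ipaddress
import re

# Peer address as an MTA writes it in the "from" clause: name (rdns [a.b.c.d])
_BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed message. The queue id and the four addresses are the ones quoted
# in the post; host names, dates and header layout are made up for the example.
SAMPLE = (
    "Received: from fwproxy.example.org (fwproxy.example.org [192.149.244.18])\n"
    "\tby scanner.example.org with ESMTP id hB2LXjks045635;\n"
    "\tTue, 2 Dec 2003 15:33:45 -0600\n"
    "Received: from relay.example.net (relay.example.net [12.24.199.207])\n"
    "\tby fwproxy.example.org with SMTP; Tue, 2 Dec 2003 15:33:44 -0600\n"
    "Received: from mx.example.com ([42.140.77.222])\n"
    "\tby relay.example.net with ESMTP; Tue, 2 Dec 2003 15:33:40 -0600\n"
    "Received: from pc (unknown [24.12.44.139])\n"
    "\tby mx.example.com with SMTP; Tue, 2 Dec 2003 15:33:30 -0600\n"
    "From: sender@example.com\n"
    "To: user@example.org\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)


def peer_ip(received_value):
    """Return the connecting peer's IPv4 address from one Received: value, or None."""
    # Only look at the "from" clause; the "by" clause names the receiving host.
    from_clause = re.split(r"\sby\s", received_value, maxsplit=1)[0]
    match = _BRACKETED_IPV4.search(from_clause)
    if not match:
        return None
    try:
        return str(ipaddress.ip_address(match.group(1)))
    except ValueError:  # syntactically dotted but not an address, e.g. [999.1.1.1]
        return None


def received_chain(raw_message):
    """Peer addresses from every Received: header, newest hop first."""
    msg = email.message_from_string(raw_message)
    return [peer_ip(value) for value in msg.get_all("Received", [])]


def split_chain(raw_message, trusted_relays):
    """Return (origin, unverified).

    origin is the first peer outside trusted_relays, as recorded by one of our
    own hosts. Every older hop was written by a host we do not control and can
    be forged by the sender, so those are returned separately.
    """
    nets = [ipaddress.ip_network(net) for net in trusted_relays]
    chain = received_chain(raw_message)
    for index, hop in enumerate(chain):
        if hop is None:
            return None, chain[index + 1:]
        if not any(ipaddress.ip_address(hop) in net for net in nets):
            return hop, chain[index + 1:]
    return None, []


def describe(queue_id, raw_message, trusted_relays):
    """Build log lines in the shape asked for in the post, flagging forgeable hops."""
    chain = received_chain(raw_message)
    _, unverified = split_chain(raw_message, trusted_relays)
    verified_count = len(chain) - len(unverified)
    lines = []
    for position, hop in enumerate(chain):
        if position == 0:
            prefix = "Infected message %s came from" % queue_id
        else:
            prefix = "  which got it from"
        suffix = "" if position < verified_count else " (unverified)"
        lines.append("%s %s%s" % (prefix, hop or "unknown", suffix))
    return lines


if __name__ == "__main__":
    for line in describe("hB2LXjks045635", SAMPLE, ["192.149.244.18/32"]):
        print(line)
```
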
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:21:24 2006 Subject: postfix comments ... was: Re: receiving mails with executable. In-Reply-To: References: Message-ID: <3FCDDC42.5010407@eatathome.com.au> C. Jon Larsen wrote: >On Tue, 2 Dec 2003, Julian Field wrote: > > > >>To give you the brief answer to this question.... >> >>The Postfix guys don't like me as I dared to use their software in a way >>they hadn't intended. Rather than publish the file format (which sendmail >>does) or happily let me use it (the Exim authors use MailScanner >>themselves), the Postfix guys throw their toys out of the pram and whinge a >>lot. >> >> > >I see your point :=) I think postfix is supposed to be formalizing their >APIs for dealing with queues, etc. Thanks for the background info. > > > >>I'm not going to apologise for daring to "think outside the box". >> >> > >MailScanner is *great* software. You have a lot to be proud of. Postfix >guys seem to suggest using Amavis-new instead of MS. But to me thats a >step backwards and away from the best software to scan and protect emails >(MailScanner). > >I wanted postfix and I wanted MailScanner :=) Here's what I did to make >them work together - see below ... > > > >>Many people run MailScanner on Postfix without any problems. A few sites >>see a fault where very occasionally a message with no body is delivered. >>The correct version of the same message with its body is later delivered >>correctly, in addition to the version with the body missing. No mail is lost. >> >> > >I did not want to take that chance, so I setup 1 postfix instance as an >external smtp router and proxy that looks up incoming domains in an SQL >database and makes routing decisions based on a content_scan column. It >can route the mail directly to the destination, drop the mail if its for an >invalid domain, or route it to the dedicated MailScanner box, which uses >sendmail. 
The MailScanner box does its job, and then sends the mail to a >third postfix box which does message delivery to mailboxes, and handles >SMTP AUTH for customers that send email from mail clients. > >Exim was not my cup of tea for a secure internet facing MTA :=) I'm not >saying its not secure, its just not what I wanted. I did not see Exim as >being more secure than sendmail due to its design (my opinion only, send >flames to /dev/null). > >I was looking for something that had privilege separation like qmail or >postfix for an internet facing MTA. Since my internal mailscanner box is >locked down from an SMTP listener perspective, I am o.k. running sendmail >on that, though exim would probably make a better host than sendmail for >the MS - thanks for the tips though. > >I looked as smtp.proxy, Obtuse/juniper smtp proxy, qpsmtpd, and mailfront >as ways to improve the security of the internet facing MTA. qpsmtpd and >mailfront were too qmailish (also not my preference) and none of the smtp >proxies gave me a warm and fuzzy regarding protocol support/workaround >(ESMTP, cisco pix workarounds like postfix has). They seemed o.k. for >hobbyists but not for production networks that get a lot of mail from a >lot of different networks with different (often partially broken MTAs). > >I kept coming back to postfix as the best combination of security, >protocol support, and usability for my external MTA. > >I had already picked postfix as my MTA for my mailboxes. So I >went from 2 boxes (mailscanner + postfix) to 3 boxes (inbound postfix >message router, mailscanner/sendmail, mailbox, smtp auth postfix). > >Hopefully this will help someone else. If not, thats fine too. Just >relaying my experiences and research. > >-jon > > > > >>As many MailScanner sites now run it on a dedicated server, it makes very >>little difference what MTA is chosen, as all the MTA's can take mail in and >>just punt it onto another server. 
>> >>My personal recommendation is probably Exim, especially if you don't like >>sendmail. Exim is very easy to configure and is very fast. When used with >>MailScanner it is considerably faster than Postfix as Postfix copies all >>the data around more often than it needs to, resulting in inefficient >>handling, particularly of large messages. >> >>At 13:46 02/12/2003, you wrote: >> >> >>>On Tue, 2 Dec 2003, Mark Hernandez wrote: >>> >>> >>> >>>>hi all, >>>> >>>>I'm using Postfix on a Freebsd 4.8 O.S. and choose mailscanner to add >>>>features >>>> >>>> >>>Is MailScanner safe to use with postfix ? The postfix site and several >>>messages in the archives advise strongly not to use postfix with MS >>>because postfix does not like to have its queues manipulated by an >>>external program. >>> >>>Postfix has a content filter interface they suggest using and the >>>current postfix snapshot has a new smtp content filter proxy interface >>>that looks interesting. >>> >>>I don't like sendmail anymore (security issues seem to never stop), so I >>>have switched to postfix for all mail relay and mailbox destinations - >>>with a MailScanner + sendmail box that sits in the middle. >>> >>> >>-- >>Julian Field >>www.MailScanner.info >>MailScanner thanks transtec Computers for their support >> >>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> >> >> >> > >-- >+ Jon Larsen: Chief Technology Officer, Richweb, Inc. >+ Richweb.com: Providing Internet-Based Business Solutions since 1995 >+ GnuPG Public Key: http://richweb.com/jlarsen.gpg >+ Business: (804) 359.2220 x 101; Mobile: (804) 307.6939 > > > > > There is already heaps of info in the list - but i am still pretty new with MailScanner, and mine works flawlessly with postfix 2.016 on RH9. These 2 boxes sit in the DMZ and handle all our inbound mail - it's fast enough (how fast does smtp mail need to be?) very reliable and stops almost all of our spam - perfect!
I personally tried for so long to get amavis, sa and postfix working nicely together i gave up entirely until i stumbled across a post about mailscanner elsewhere - gave it a try and was hooked, inside of 3 weeks we had conducted testing, planned and executed a rollout - a rollout that has not required the restart of the MS service or box once, not even once since going live with 2 machines in a multi domain environment - not bad for a linux newbie :) My point is, it works SO well, and is very easy to get going, i can't understand why anyone wouldn't use it... From pete at eatathome.com.au Wed Dec 3 13:11:57 2003
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:21:24 2006 Subject: Arguments for Amavisd-new or MailScanner? In-Reply-To: <200312030008.47682.michel@sentinix.org> References: <200312030008.47682.michel@sentinix.org> Message-ID: <3FCDE11D.9040908@eatathome.com.au> Michel wrote: >Hi! > >As a long time MailScanner user and without any experience of AMAVISD-new, >what are the arguments against using amavisd-new for, e.g. this config: > >Sendmail + {AMAVISD-new,MailScanner} + SpamAssassin (+ ClamAV) > >Postfix + Amavisd-new is, I know, without doubt the best combo, since it's >using the Postfix content filter... but what about Sendmail and/or other >MTAs? > >(just trying to pick up some good arguments to say whenever I need to explain >why I'm choosing MailScanner and not amavisd-new) > >Thanks! >/Michel > > > > > I am NOT a linux guru, and after trying really hard and following 3 or 4 different guides, i could never get it working - MailScanner on the other hand seems to be very simple to install and configure, and is written by Julian, who would have to be the most helpful software author going around - how many times do you see him write and post a patch to meet someone's specific needs, or if they suggest something that could be useful to everyone, it's in the next release, he is here responding to newbie and experienced people's questions 'every' day (seems like every day?). He doesn't give you shit and put you down when you ask for help or ask a question 50 other people have asked this month - i think this kind of support, from an author, is about as good as software gets...hard to imagine what his paying customers get out of him? Feet rubs and massages while he maintains their email security? From jaearick at COLBY.EDU Wed Dec 3 13:52:47 2003
From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:21:24 2006 Subject: clamavmodule and 4.25-14 In-Reply-To: <6.0.1.1.2.20031203085649.03b12a80@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20031203085649.03b12a80@imap.ecs.soton.ac.uk> Message-ID: Doh! I had my path wrong in "Monitors for ClamAV Updates". Thanks, working now. On Wed, 3 Dec 2003, Julian Field wrote: > Date: Wed, 3 Dec 2003 08:57:13 +0000 > From: Julian Field > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: clamavmodule and 4.25-14 > > At 21:23 02/12/2003, you wrote: > >Setup: Solaris 9, perl 5.8.2, MS 4.25-14, ClamAV 0.65 installed > >in /opt/clamav-0.65, with a symlink clamav->clamav-0.65. The > >"clamav" module in "Virus scanners" works just fine, with the > >directory "/opt/clamav" specified for clamav in virus.scanners.conf. > >No problems. > > > >So I want to use clamavmodule instead. I couldn't get > >Mail-ClamAV-0.04 to build properly until the author clued me > >into how to specify non-standard clam locations. See FAQ > > > >http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/242.html > > > >So, with Mail-ClamAV-0.04 installed, I try clamavmodule. I get > >the syslog complaint: > > > >None of the files matched by the "Monitors For ClamAV Updates" > >patterns exist! > > > >from lib/MailScanner/SweepViruses.pm. What's wrong?? > > Have you looked in MailScanner.conf for the setting "Monitors for clamav > updates"? > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From tduvally at BROWN.EDU Wed Dec 3 14:01:56 2003 
From: tduvally at BROWN.EDU (Thomas DuVally) Date: Thu Jan 12 21:21:24 2006 Subject: Virus scanners and universities In-Reply-To: References: Message-ID: <1070460115.20543.0.camel@cis-staff-kntx90.cis.brown.edu> On Tue, 2003-12-02 at 22:49, Nathan Johanson wrote: > CA (etrust) is actually ~$129.00 for five node licenses. You could > install it on five "servers" for that price. > --Nathan > That sounds great, but is anyone using it and how is it? > > -----Original Message----- 
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: Tuesday, December 02, 2003 12:20 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Virus scanners and universities > > > At 20:12 02/12/2003, you wrote: > >Hi all, > > I'm looking for some info on what other universities and > colleges are > >doing in the MS/virus scanning area. > > > > We (Brown University, USA) are using MS and hacked in support > for > >Symantec Scan Engine. Cost issues are starting to creep in again and > we > >want to know what some other options are. We love MS and just wanna > >know what the virus scanners cost you (total or per > >address/user/FTE/whatever) > > ClamAV is free and open source, and is remarkably good. > eTrust from Computer Associates (www.ca.com) is only $129 per server. > Norman (www.norman.de) is free for non-commercial use. > Sophos have extremely good educational discounts. > > Start with those... > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Thomas J. DuVally Lead Systems Prog. CIS, Brown Univ. http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x15F233F6 From mike at TC3NET.COM Wed Dec 3 13:58:09 2003
From: mike at TC3NET.COM (Michael Baird) Date: Thu Jan 12 21:21:24 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: <6.0.1.1.2.20031202193821.03de5fd0@imap.ecs.soton.ac.uk> References: <3FCCE83F.7070500@sghms.ac.uk> <6.0.1.1.2.20031202193821.03de5fd0@imap.ecs.soton.ac.uk> Message-ID: <1070459889.9562.0.camel@mike-new2.tc3net.com> What would the ruleset look like? To: *aol.com no FromTo: default Found To Be Clean ? Regards MIKE > At 19:30 02/12/2003, you wrote: > >Additionally, if they are blocking on "X-MailScanner-: Found > >to be clean" I am wondering if it would be possible to customize the > >"found to be clean message" as this would be the value in the > >MailScanner headers from my 4 mail hubs that would be consistent. > > This can already be done. Assign a ruleset to the > Clean Header Value > configuration option in MailScanner.conf. > > AOL move in mysterious ways :-( > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From sanjay.patel at REXWIRE.COM Wed Dec 3 14:16:44 2003 From: sanjay.patel at REXWIRE.COM (Sanjay K. Patel) Date: Thu Jan 12 21:21:24 2006 Subject: Virus scanners and universities In-Reply-To: Message-ID: <200312031425.hB3EPLqj002848@mx.sargam.com> CA -etrust is only $14 you can install this on any device server or workstation. Here is the part number I got from a CA rep ETRAVE7001CMPE2C. Give this to your reseller and they should be able to purchase it for you. -SKP -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Nathan Johanson Sent: Tuesday, December 02, 2003 10:49 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Virus scanners and universities CA (etrust) is actually ~$129.00 for five node licenses. You could install it on five "servers" for that price. --Nathan -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Tuesday, December 02, 2003 12:20 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Virus scanners and universities At 20:12 02/12/2003, you wrote: >Hi all, > I'm looking for some info on what other universities and colleges are >doing in the MS/virus scanning area. > > We (Brown University, USA) are using MS and hacked in support for >Symantec Scan Engine. Cost issues are starting to creep in again and we >want to know what some other options are. We love MS and just wanna >know what the virus scanners cost you (total or per >address/user/FTE/whatever) ClamAV is free and open source, and is remarkably good. eTrust from Computer Associates (www.ca.com) is only $129 per server. Norman (www.norman.de) is free for non-commercial use. Sophos have extremely good educational discounts. Start with those... -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From jbuda at NOTICIASARGENTINAS.COM Wed Dec 3 14:19:58 2003 From: jbuda at NOTICIASARGENTINAS.COM (Jose Julian Buda) Date: Thu Jan 12 21:21:24 2006 Subject: BadTNEF References: <200312031425.hB3EPLqj002848@mx.sargam.com> Message-ID: <003201c3b9a8$8c30ab70$6000a8c0@noticiasargentinas.com> Why appear this reports? "Could not parse Outlook Rich Text Atachment" i saw this reports sometimes on some warnings. what is it mean? thank you Jose Julian Buda From mailscanner at ecs.soton.ac.uk Wed Dec 3 14:33:37 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:24 2006 Subject: BadTNEF In-Reply-To: <003201c3b9a8$8c30ab70$6000a8c0@noticiasargentinas.com> References: <200312031425.hB3EPLqj002848@mx.sargam.com> <003201c3b9a8$8c30ab70$6000a8c0@noticiasargentinas.com> Message-ID: <6.0.1.1.2.20031203143131.09106a88@imap.ecs.soton.ac.uk> At 14:19 03/12/2003, you wrote: >Why appear this reports? > >"Could not parse Outlook Rich Text Atachment" > >i saw this reports sometimes on some warnings. > >what is it mean? It means one of these: 1) You haven't built the "tnef" program in /opt/MailScanner/bin for your architecture. 2) For some reason MailScanner is failing to run the "tnef" program 3) The "tnef" program really couldn't decode the winmail.dat attachment in the message 4) You might be better off setting the location of the "tnef" program to "internal" so that MailScanner uses the internal Perl module which is slower but often better at decoding TNEF attachments (winmail.dat). -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Dec 3 14:31:10 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:24 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: <1070459889.9562.0.camel@mike-new2.tc3net.com> References: <3FCCE83F.7070500@sghms.ac.uk> <6.0.1.1.2.20031202193821.03de5fd0@imap.ecs.soton.ac.uk> <1070459889.9562.0.camel@mike-new2.tc3net.com> Message-ID: <6.0.1.1.2.20031203143045.036a6de8@imap.ecs.soton.ac.uk> To: aol.com Some other text saying it is clean FromOrTo: default Found to be clean At 13:58 03/12/2003, you wrote: >What would the ruleset look like? >To: *aol.com no >FromTo: default Found To Be Clean >? > >Regards >MIKE > > > > At 19:30 02/12/2003, you wrote: > > >Additionally, if they are blocking on "X-MailScanner-: Found > > >to be clean" I am wondering if it would be possible to customize the > > >"found to be clean message" as this would be the value in the > > >MailScanner headers from my 4 mail hubs that would be consistent. > > > > This can already be done. Assign a ruleset to the > > Clean Header Value > > configuration option in MailScanner.conf. > > > > AOL move in mysterious ways :-( > > -- > > Julian Field > > www.MailScanner.info > > Professional Support Services at www.MailScanner.biz > > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From jah at CALEOTECH.COM Wed Dec 3 14:21:51 2003 From: jah at CALEOTECH.COM (Jens Ahlin) Date: Thu Jan 12 21:21:24 2006 Subject: Virus scanners and universities In-Reply-To: <1070460115.20543.0.camel@cis-staff-kntx90.cis.brown.edu> Message-ID: We have been using CA eTrust for a couple of months now. It works ok for us. I haven't seen any viruses that have escaped through yet... (KOW) Jens -----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Thomas DuVally Sent: den 3 december 2003 15:02 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Virus scanners and universities On Tue, 2003-12-02 at 22:49, Nathan Johanson wrote: > CA (etrust) is actually ~$129.00 for five node licenses. You could > install it on five "servers" for that price. > --Nathan > That sounds great, but is anyone using it and how is it? From Ulysees at ULYSEES.COM Wed Dec 3 14:57:56 2003 From: Ulysees at ULYSEES.COM (Ulysees) Date: Thu Jan 12 21:21:24 2006 Subject: ClamAV module References: <000501c3b8d0$4aee1090$3201010a@nimitz> <1070375839.2916.13.camel@mufasa.ds.co.ug> Message-ID: <000801c3b9ad$d61e5a20$3201010a@nimitz> > You need to install ClamAV first. > > On Tue, 2003-12-02 at 15:32, Ulysees wrote: > > anybody else had trouble getting this working ? > > when I grab the module from cpan it seems to grumble about not being able to > > find clamav.h > > > > Should I be using a tarball of ClamAV instead of the RPM ? > > > > Uly > > Ok the clamav.h error was because I didn't have the clamav-devel rpm installed, I got that, and then the install went a bit further and stopped. I then just went and removed the rpms and used a tarball instead, worked first time. Has anybody actually done it from rpms or is everybody using the tarball ? Uly From Denis.Beauchemin at USHERBROOKE.CA Wed Dec 3 14:54:33 2003 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:21:24 2006 Subject: BadTNEF In-Reply-To: <6.0.1.1.2.20031203143131.09106a88@imap.ecs.soton.ac.uk> References: <200312031425.hB3EPLqj002848@mx.sargam.com> <003201c3b9a8$8c30ab70$6000a8c0@noticiasargentinas.com> <6.0.1.1.2.20031203143131.09106a88@imap.ecs.soton.ac.uk> Message-ID: <1070463273.4514.47.camel@dbeauchemin.sti.usherbrooke.ca> On Wed 03/12/2003 at 09:33, Julian Field wrote: > 3) The "tnef" program really couldn't decode the winmail.dat attachment in > the message > 4) You might be better off setting the location of the "tnef" program to > "internal" so that MailScanner uses the internal Perl module which is > slower but often better at decoding TNEF attachments (winmail.dat). Julian, Could MS be modified to use both tnef decoders if need be? Let's say the first decoder cannot analyze the winmail.dat file, then MS fires off the second one to try to do better. We could write something like: External TNEF Expander = /usr/bin/tnef --maxsize=100000000 TNEF Expander = external internal Denis -- Denis Beauchemin, analyste Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From mikea at MIKEA.ATH.CX Wed Dec 3 15:02:33 2003 From: mikea at MIKEA.ATH.CX (mikea) Date: Thu Jan 12 21:21:24 2006 Subject: ProcessClamAVOutput: Zip module failure. Message-ID: <20031203090233.A26202@mikea.ath.cx> Seen only once so far. The rest of the time, things seem to Just Work, Ideas? Dec 3 07:59:23 isdmon2 MailScanner[4416]: Virus and Content Scanning: Starting Dec 3 07:59:27 isdmon2 MailScanner[4416]: ProcessClamAVOutput: Zip module failure. Dec 3 07:59:28 isdmon2 MailScanner[4416]: ERROR: Can't run unzip Dec 3 07:59:29 isdmon2 MailScanner[4416]: ERROR: Can't execute some unpacker. Check paths and permissions on the temporary directory. -- Mike Andrews mikea@mikea.ath.cx Tired old sysadmin From raymond at PROLOCATION.NET Wed Dec 3 15:05:38 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:24 2006 Subject: ProcessClamAVOutput: Zip module failure. In-Reply-To: <20031203090233.A26202@mikea.ath.cx> Message-ID: Hi! > Ideas? > > Dec 3 07:59:23 isdmon2 MailScanner[4416]: Virus and Content Scanning: Starting > Dec 3 07:59:27 isdmon2 MailScanner[4416]: ProcessClamAVOutput: Zip module failure. > Dec 3 07:59:28 isdmon2 MailScanner[4416]: ERROR: Can't run unzip > Dec 3 07:59:29 isdmon2 MailScanner[4416]: ERROR: Can't execute some > unpacker. Check paths and permissions on the temporary directory. Do you have unzip in your path somewhere ? It seems it cant find it. Bye, Raymond. From mailscanner at ecs.soton.ac.uk Wed Dec 3 15:26:17 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:24 2006 Subject: ProcessClamAVOutput: Zip module failure. In-Reply-To: References: <20031203090233.A26202@mikea.ath.cx> Message-ID: <6.0.1.1.2.20031203152513.09109758@imap.ecs.soton.ac.uk> At 15:05 03/12/2003, you wrote: >Hi! > > > Ideas? > > > > Dec 3 07:59:23 isdmon2 MailScanner[4416]: Virus and Content Scanning: > Starting > > Dec 3 07:59:27 isdmon2 MailScanner[4416]: ProcessClamAVOutput: Zip > module failure. > > Dec 3 07:59:28 isdmon2 MailScanner[4416]: ERROR: Can't run unzip > > Dec 3 07:59:29 isdmon2 MailScanner[4416]: ERROR: Can't execute some > > unpacker. Check paths and permissions on the temporary directory. > >Do you have unzip in your path somewhere ? It seems it cant find it. Also you may need to change the "Incoming Work Permissions" setting so that the unpacker (run as a non-root user) can read the files it is trying to unpack in the temporary directory. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Dec 3 15:24:14 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:24 2006 Subject: BadTNEF In-Reply-To: <1070463273.4514.47.camel@dbeauchemin.sti.usherbrooke.ca> References: <200312031425.hB3EPLqj002848@mx.sargam.com> <003201c3b9a8$8c30ab70$6000a8c0@noticiasargentinas.com> <6.0.1.1.2.20031203143131.09106a88@imap.ecs.soton.ac.uk> <1070463273.4514.47.camel@dbeauchemin.sti.usherbrooke.ca> Message-ID: <6.0.1.1.2.20031203152342.03d005d8@imap.ecs.soton.ac.uk> Not really worth the effort any more. TNEF is now (thankfully) a rare sight, since Microsoft learnt the error of their ways and started using HTML instead. At 14:54 03/12/2003, you wrote: >On Wed 03/12/2003 at 09:33, Julian Field wrote: > > > 3) The "tnef" program really couldn't decode the winmail.dat attachment in > > the message > > 4) You might be better off setting the location of the "tnef" program to > > "internal" so that MailScanner uses the internal Perl module which is > > slower but often better at decoding TNEF attachments (winmail.dat). > >Julian, > >Could MS be modified to use both tnef decoders if need be? > >Let's say the first decoder cannot analyze the winmail.dat file, then MS >fires off the second one to try to do better. > >We could write something like: >External TNEF Expander = /usr/bin/tnef --maxsize=100000000 >TNEF Expander = external internal > >Denis >-- >Denis Beauchemin, analyste >Université de Sherbrooke, S.T.I. >T: 819.821.8000x2252 F: 819.821.8045 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From jbuda at NOTICIASARGENTINAS.COM Wed Dec 3 15:30:56 2003
From: jbuda at NOTICIASARGENTINAS.COM (Jose Julian Buda) Date: Thu Jan 12 21:21:24 2006 Subject: BadTNEF References: <200312031425.hB3EPLqj002848@mx.sargam.com> <003201c3b9a8$8c30ab70$6000a8c0@noticiasargentinas.com> <6.0.1.1.2.20031203143131.09106a88@imap.ecs.soton.ac.uk> Message-ID: <00b801c3b9b2$71f2f150$6000a8c0@noticiasargentinas.com> mmmm, i have compiled tnef-1.1.4+sizelimit.tar already but on /opt/MailScanner/bin i have: tnef -> tnef.solaris tnef.linux tnef.solaris could it be this? i change to tnef -> tnef.linux and let's see if this work thank you ----- Original Message ----- From: "Julian Field" To: Sent: Wednesday, December 03, 2003 11:33 AM Subject: Re: BadTNEF > At 14:19 03/12/2003, you wrote: > >Why appear this reports? > > > >"Could not parse Outlook Rich Text Atachment" > > > >i saw this reports sometimes on some warnings. > > > >what is it mean? > > It means one of these: > 1) You haven't built the "tnef" program in /opt/MailScanner/bin for your > architecture. > 2) For some reason MailScanner is failing to run the "tnef" program > 3) The "tnef" program really couldn't decode the winmail.dat attachment in > the message > 4) You might be better off setting the location of the "tnef" program to > "internal" so that MailScanner uses the internal Perl module which is > slower but often better at decoding TNEF attachments (winmail.dat). > > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From jstuart at EDENPR.K12.MN.US Wed Dec 3 15:45:18 2003 
From: jstuart at EDENPR.K12.MN.US (Joe Stuart)
Date: Thu Jan 12 21:21:24 2006
Subject: .hoststat
Message-ID:

I don't know much about mail but I did a chown -R postfix.postfix
/var/spool/mqueue and now it is done complaining. Is that correct
permissions or is it a stupid thing to do?

Thanks,
Joe

>>> mailscanner@ECS.SOTON.AC.UK 12/03/03 02:58AM >>>
At 21:27 02/12/2003, you wrote:
>Hi,
>I'm running mailscanner with postfix on suse linux and whenever I start
>Mailscanner up it starts as a defunct process and the maillog keeps
>printing this and I can't find any info in the net.
>
>MailScanner[5588]: Cannot open dir .hoststat when finding depth

Your Postfix queues are set out strangely. It's not expecting to see a
.hoststat file/dir when scanning for the directory hashing depth.
If you delete .hoststat does it re-appear?

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From Denis.Beauchemin at USHERBROOKE.CA Wed Dec 3 16:02:49 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:21:24 2006
Subject: BadTNEF
In-Reply-To: <6.0.1.1.2.20031203152342.03d005d8@imap.ecs.soton.ac.uk>
References: <200312031425.hB3EPLqj002848@mx.sargam.com> <003201c3b9a8$8c30ab70$6000a8c0@noticiasargentinas.com> <6.0.1.1.2.20031203143131.09106a88@imap.ecs.soton.ac.uk> <1070463273.4514.47.camel@dbeauchemin.sti.usherbrooke.ca> <6.0.1.1.2.20031203152342.03d005d8@imap.ecs.soton.ac.uk>
Message-ID: <1070467368.4514.51.camel@dbeauchemin.sti.usherbrooke.ca>

On Wed 03/12/2003 at 10:24, Julian Field wrote:
> Not really worth the effort any more. TNEF is now (thankfully) a rare
> sight, since Microsoft learnt the error of their ways and started using
> HTML instead.

Maybe some day they will be rare, but I get an average of 175 "Corrupt
TNEF" messages per day using the external decoder (this includes
weekends where they drop near zero).

I think I will try the internal one to see if it can do better.

Denis
>
> At 14:54 03/12/2003, you wrote:
> >On Wed 03/12/2003 at 09:33, Julian Field wrote:
> >
> > > 3) The "tnef" program really couldn't decode the winmail.dat attachment in
> > > the message
> > > 4) You might be better off setting the location of the "tnef" program to
> > > "internal" so that MailScanner uses the internal Perl module which is
> > > slower but often better at decoding TNEF attachments (winmail.dat).
> >
> >Julian,
> >
> >Could MS be modified to use both tnef decoders if need be?
> >
> >Let's say the first decoder cannot analyze the winmail.dat file, then MS
> >fires off the second one to try to do better.
> >
> >We could write something like:
> >External TNEF Expander = /usr/bin/tnef --maxsize=100000000
> >TNEF Expander = external internal
> >
> >Denis
> >--
> >Denis Beauchemin, analyste
> >Université de Sherbrooke, S.T.I.
> >T: 819.821.8000x2252 F: 819.821.8045

--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045 From ccampbell at BRUEGGERS.COM Wed Dec 3 16:10:10 2003 From: ccampbell at BRUEGGERS.COM (Christian Campbell) Date: Thu Jan 12 21:21:24 2006 Subject: Update SA Rules Message-ID: Is it safe to use SA 2.6 .cf files in my SA 2.55 installation? I just want to update the rules until I get a chance to properly upgrade to 2.6. Christian Christian P. Campbell Systems Engineer Information Technology Department Bruegger's Enterprises, Inc. Desk: (802) 652-9270 Cell: (802) 734-5023 Email: ccampbell at brueggers dot com Registered Linux User #319324 PGP public key available via PGP keyservers or http://www2.brueggers.com/pgp/ccampbell.html "We all know Linux is great... it does infinite loops in 5 seconds." -- Linus Torvalds From james at CHE.UTEXAS.EDU Wed Dec 3 16:06:05 2003 From: james at CHE.UTEXAS.EDU (James Hammett) Date: Thu Jan 12 21:21:24 2006 Subject: Modifying the Filter for HTML (spefically allowing HTML-forms or address based allowing them). Message-ID: Several of my users receive a mailing from a Science journal which includes an HTML From. I've looked through the various config files and the documentation and I can't find how to allow these through. Alternative (and I haven't looked into this as much), is there a way to allow HTM-Form email from just that address? Please send me an off response, and I'll post a summary to the list. thanks, James -- -------------------------------------------------------------------------- James Hammett Users Services / Server and Lab Administration (SLAM) Information Technology Services ( (ITS) CPE 4.442 Chemical Engineering Unix Support 471-9701 ---------------------------------------------------------------------------- An injustice anywhere is a threat to justice everywhere - MLK jr. ---------------------------------------------------------------------------- From mailscanner at ecs.soton.ac.uk Wed Dec 3 16:20:08 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:24 2006
Subject: Modifying the Filter for HTML (spefically allowing HTML-forms or address based allowing them).
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20031203161625.094c3ea0@imap.ecs.soton.ac.uk>

This is yet another job for a ruleset.
In MailScanner.conf, set

Allow Form Tags = /etc/MailScanner/rules/allow.forms.rules

And then in /etc/MailScanner/rules/allow.forms.rules put this:

From: somejournal@science.com yes
FromOrTo: default no

where "somejournal@science.com" is the address the journal comes from. Note
this is not the address in the "From:" header of the message, but the
envelope sender address which you may find in either the "Return-Path:"
header (if there is one) or else in your mail log.

You can apply rulesets to virtually any configuration setting in
MailScanner, and they can happily each be several hundred lines long if
that's the complexity of configuration you need.

At 16:06 03/12/2003, you wrote:
>Several of my users receive a mailing from a Science journal which
>includes an HTML From. I've looked through the various config files
>and the documentation and I can't find how to allow these through.
>
>Alternative (and I haven't looked into this as much), is there a way
>to allow HTM-Form email from just that address?
>
>Please send me an off response, and I'll post a summary to the list.
>
>thanks,
>James
>--
>
>--------------------------------------------------------------------------
>James Hammett
>Users Services / Server and Lab Administration (SLAM)
>Information Technology Services ( (ITS) CPE 4.442
>Chemical Engineering Unix Support 471-9701
>----------------------------------------------------------------------------
> An injustice anywhere is a threat to justice everywhere - MLK jr.
>----------------------------------------------------------------------------

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Dec 3 16:15:14 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:24 2006 Subject: BadTNEF In-Reply-To: <00b801c3b9b2$71f2f150$6000a8c0@noticiasargentinas.com> References: <200312031425.hB3EPLqj002848@mx.sargam.com> <003201c3b9a8$8c30ab70$6000a8c0@noticiasargentinas.com> <6.0.1.1.2.20031203143131.09106a88@imap.ecs.soton.ac.uk> <00b801c3b9b2$71f2f150$6000a8c0@noticiasargentinas.com> Message-ID: <6.0.1.1.2.20031203161427.0379b1a8@imap.ecs.soton.ac.uk> You clearly need to be running the correct tnef for you CPU and OS. I supply ones pre-built for Linux on i386 and for Solaris on SPARC. Anything else you will have to compile your own version. At 15:30 03/12/2003, you wrote: >mmmm, i have compiled tnef-1.1.4+sizelimit.tar already >but on /opt/MailScanner/bin i have: > >tnef -> tnef.solaris >tnef.linux >tnef.solaris > >could it be this? > >i change to >tnef -> tnef.linux >and let's see if this work > >thank you > > > > >----- Original Message ----- 
>From: "Julian Field" >To: >Sent: Wednesday, December 03, 2003 11:33 AM >Subject: Re: BadTNEF > > > > At 14:19 03/12/2003, you wrote: > > >Why appear this reports? > > > > > >"Could not parse Outlook Rich Text Atachment" > > > > > >i saw this reports sometimes on some warnings. > > > > > >what is it mean? > > > > It means one of these: > > 1) You haven't built the "tnef" program in /opt/MailScanner/bin for your > > architecture. > > 2) For some reason MailScanner is failing to run the "tnef" program > > 3) The "tnef" program really couldn't decode the winmail.dat attachment in > > the message > > 4) You might be better off setting the location of the "tnef" program to > > "internal" so that MailScanner uses the internal Perl module which is > > slower but often better at decoding TNEF attachments (winmail.dat). > > > > > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From jbuda at NOTICIASARGENTINAS.COM Wed Dec 3 16:24:30 2003 From: jbuda at NOTICIASARGENTINAS.COM (Jose Julian Buda) Date: Thu Jan 12 21:21:24 2006 Subject: BadTNEF References: <200312031425.hB3EPLqj002848@mx.sargam.com> <003201c3b9a8$8c30ab70$6000a8c0@noticiasargentinas.com> <6.0.1.1.2.20031203143131.09106a88@imap.ecs.soton.ac.uk> <00b801c3b9b2$71f2f150$6000a8c0@noticiasargentinas.com> <6.0.1.1.2.20031203161427.0379b1a8@imap.ecs.soton.ac.uk> Message-ID: <005501c3b9b9$ee8b70f0$6000a8c0@noticiasargentinas.com> yes i know but when i compile the default is tnef -> tnef.solaris and i did not see it,sorry i change the link to the tnef.linux file on the directory tnef -> tnef.linux thank you i hope this time it work ----- Original Message ----- 
From: "Julian Field" To: Sent: Wednesday, December 03, 2003 1:15 PM Subject: Re: BadTNEF > You clearly need to be running the correct tnef for you CPU and OS. I > supply ones pre-built for Linux on i386 and for Solaris on SPARC. Anything > else you will have to compile your own version. > > At 15:30 03/12/2003, you wrote: > >mmmm, i have compiled tnef-1.1.4+sizelimit.tar already > >but on /opt/MailScanner/bin i have: > > > >tnef -> tnef.solaris > >tnef.linux > >tnef.solaris > > > >could it be this? > > > >i change to > >tnef -> tnef.linux > >and let's see if this work > > > >thank you > > > > > > > > > >----- Original Message ----- > >From: "Julian Field" > >To: > >Sent: Wednesday, December 03, 2003 11:33 AM > >Subject: Re: BadTNEF > > > > > > > At 14:19 03/12/2003, you wrote: > > > >Why appear this reports? > > > > > > > >"Could not parse Outlook Rich Text Atachment" > > > > > > > >i saw this reports sometimes on some warnings. > > > > > > > >what is it mean? > > > > > > It means one of these: > > > 1) You haven't built the "tnef" program in /opt/MailScanner/bin for your > > > architecture. > > > 2) For some reason MailScanner is failing to run the "tnef" program > > > 3) The "tnef" program really couldn't decode the winmail.dat attachment in > > > the message > > > 4) You might be better off setting the location of the "tnef" program to > > > "internal" so that MailScanner uses the internal Perl module which is > > > slower but often better at decoding TNEF attachments (winmail.dat). > > > > > > > > > -- > > > Julian Field > > > www.MailScanner.info > > > MailScanner thanks transtec Computers for their support > > > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From Denis.Beauchemin at USHERBROOKE.CA Wed Dec 3 16:29:52 2003 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:21:24 2006
Subject: BadTNEF
In-Reply-To: <1070467368.4514.51.camel@dbeauchemin.sti.usherbrooke.ca>
References: <200312031425.hB3EPLqj002848@mx.sargam.com> <003201c3b9a8$8c30ab70$6000a8c0@noticiasargentinas.com> <6.0.1.1.2.20031203143131.09106a88@imap.ecs.soton.ac.uk> <1070463273.4514.47.camel@dbeauchemin.sti.usherbrooke.ca> <6.0.1.1.2.20031203152342.03d005d8@imap.ecs.soton.ac.uk> <1070467368.4514.51.camel@dbeauchemin.sti.usherbrooke.ca>
Message-ID: <1070468992.4514.54.camel@dbeauchemin.sti.usherbrooke.ca>

I just looked at how often the external tnef decoder fails and it is
disturbing... The following stats are from Oct 1st :
22102 winmail.dat seen (11040 corrupt 49.95%)

I already have switched to the internal decoder!

Denis

On Wed 03/12/2003 at 11:02, Denis Beauchemin wrote:
> On Wed 03/12/2003 at 10:24, Julian Field wrote:
> > Not really worth the effort any more. TNEF is now (thankfully) a rare
> > sight, since Microsoft learnt the error of their ways and started using
> > HTML instead.
>
> Maybe some day they will be rare, but I get an average of 175 "Corrupt
> TNEF" messages per day using the external decoder (this includes
> weekends where they drop near zero).
>
> I think I will try the internal one to see if it can do better.
>
> Denis
> >
> > At 14:54 03/12/2003, you wrote:
> > >On Wed 03/12/2003 at 09:33, Julian Field wrote:
> > >
> > > > 3) The "tnef" program really couldn't decode the winmail.dat attachment in
> > > > the message
> > > > 4) You might be better off setting the location of the "tnef" program to
> > > > "internal" so that MailScanner uses the internal Perl module which is
> > > > slower but often better at decoding TNEF attachments (winmail.dat).
> > >
> > >Julian,
> > >
> > >Could MS be modified to use both tnef decoders if need be?
> > >
> > >Let's say the first decoder cannot analyze the winmail.dat file, then MS
> > >fires off the second one to try to do better.
> > >
> > >We could write something like:
> > >External TNEF Expander = /usr/bin/tnef --maxsize=100000000
> > >TNEF Expander = external internal
> > >
> > >Denis
> > >--
> > >Denis Beauchemin, analyste
> > >Université de Sherbrooke, S.T.I.
> > >T: 819.821.8000x2252 F: 819.821.8045

--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From mkettler at EVI-INC.COM Wed Dec 3 16:41:45 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:21:25 2006
Subject: Update SA Rules
In-Reply-To:
References:
Message-ID: <6.0.0.22.0.20031203113950.029ff038@xanadu.evi-inc.com>

At 11:10 AM 12/3/2003, Christian Campbell wrote:
>Is it safe to use SA 2.6 .cf files in my SA 2.55 installation? I just want
>to update the rules until I get a chance to properly upgrade to 2.6.

No. The rules and code of SA are not separable. Many rules use perl code
(eval tests) and many rules depend on the way a particular version of SA
processes HTML tags, new rule syntax features, etc.

From m.sapsed at BANGOR.AC.UK Wed Dec 3 17:35:02 2003
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:21:25 2006 Subject: Sophos updates References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3AD@jessica.herefords hire.gov.uk> <0EBC45FCABFC95428EBFC3A51B368C9501C9C3AD@jessica.herefordshire.gov.uk> <5.1.0.14.2.20031202131729.01cd84e8@pop.mail.yahoo.com> Message-ID: <3FCE1EC6.6080504@bangor.ac.uk> hermit921 wrote: > Does the automatic Sophos updating process installed with MailScanner > include engine updates or just new virus signatures? > > The mail logs show new Sophos ide files every hour on most days. Are virus > signatures updated that often or is this an artifact of the update script? as an aside to this, my beta testing of the new version of Enterprise Manager (now to be called EM Library I think) seems to be going ok. My test version of MailScanner has been using an EM maintained Sophos installation for some weeks now. If you use (or are thinking of using) EM to manage CIDs for windows boxes, you will soon (think the beta finishes soon) be able to use it to manage the copy MailScanner uses too. That will then take care of engine updates, new virus signatures and new versions of the engine because they've realised the release version has "issues"! If you're just using Sophos with MailScanner, you're not interested in the above! Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From gdoris at rogers.com Wed Dec 3 17:50:11 2003 
From: gdoris at rogers.com (Gerry Doris) Date: Thu Jan 12 21:21:25 2006 Subject: Norman Scanner? Message-ID: <64570.129.80.22.143.1070473812.squirrel@tiger.dorfam.ca> I saw a reference to the Norman scanner in an earlier email. This is a new one for me and I thought I'd check it out especially as the email stated it was free for personal use. I went to the Norman site and I assume the product we're discussing is the Norman Virus Control for Linux. However, I couldn't find any reference about it being free for personal use. They have a trial copy that expires in 30 days or the full retail version. Are we sure that it is free for personal use? Do I just download the trial copy? Gerry From kodak at FRONTIERHOMEMORTGAGE.COM Wed Dec 3 18:14:22 2003 From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki) Date: Thu Jan 12 21:21:25 2006 Subject: Sophos updates In-Reply-To: <3FCE1EC6.6080504@bangor.ac.uk> Message-ID: <002a01c3b9c9$46b296a0$0501a8c0@darkside> >EM to manage CIDs for windows boxes, you will soon (think the beta >finishes soon) be able to use it to manage the copy MailScanner uses >too. That will then take care of engine updates, new virus signatures W00t! I've been using EM to manage my client boxes for quite a while now, and I love it. This addition is wonderful news, even though I've found ways around not having EM support my Linux "clients". --J(K) From jen at AH.DK Wed Dec 3 18:42:59 2003 
From: jen at AH.DK (Jan Elmqvist Nielsen) Date: Thu Jan 12 21:21:25 2006 Subject: Svar: Norman Scanner? Message-ID: http://www.norman.com/de/news/031126.shtml?menulang=de in german langauge /jan elmqvist nielsen >>> Gerry Doris 03-12-03 18:50 >>> I saw a reference to the Norman scanner in an earlier email. This is a new one for me and I thought I'd check it out especially as the email stated it was free for personal use. I went to the Norman site and I assume the product we're discussing is the Norman Virus Control for Linux. However, I couldn't find any reference about it being free for personal use. They have a trial copy that expires in 30 days or the full retail version. Are we sure that it is free for personal use? Do I just download the trial copy? Gerry From aseelye-lists at ELTOPIA.COM Wed Dec 3 18:44:31 2003 From: aseelye-lists at ELTOPIA.COM (Aaron Seelye) Date: Thu Jan 12 21:21:25 2006 Subject: Sophos updates References: <5.1.0.14.2.20031202131729.01cd84e8@pop.mail.yahoo.com> <5.1.0.14.2.20031202135416.01d4b130@pop.mail.yahoo.com> <6.0.1.1.2.20031203085430.03ae3a30@imap.ecs.soton.ac.uk> Message-ID: <004101c3b9cd$7df183c0$7a01a8c0@metallus> You always can look at the latest files in /usr/local/Sophos/ide to see what files have been recently updated. Aaron Seelye ----- Original Message ----- From: "Julian Field" To: Sent: Wednesday, December 03, 2003 12:56 AM Subject: Re: Sophos updates [snip] > > It downloads the 373_ides.zip file every hour. It's a very small file. It > doesn't necessarily contain any new files it hasn't seen before. But unless > you remember the size of the file from a previous run of the script, > there's no way to tell whether it actually contains any new files or not. > So it always gets unpacked and installed, regardless. > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From dh at UPTIME.AT Wed Dec 3 18:53:34 2003 
From: dh at UPTIME.AT (David H.)
Date: Thu Jan 12 21:21:25 2006
Subject: Svar: Norman Scanner?
In-Reply-To:
References:
Message-ID: <3FCE312E.3070307@uptime.at>

Jan Elmqvist Nielsen wrote:
> http://www.norman.com/de/news/031126.shtml?menulang=de
>
> in german langauge
>
> /jan elmqvist nielsen
>

And the download link seems to be
http://www.norman.com/download_nvc_linux.shtml?menulang=de#

am I seeing this right? Is it utilizing Java ?

-d

From mailscanner at ecs.soton.ac.uk Wed Dec 3 19:01:57 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:25 2006 Subject: Svar: Norman Scanner? In-Reply-To: References: Message-ID: <6.0.1.1.2.20031203190046.03a08cc8@imap.ecs.soton.ac.uk> I have just translated the relevant bit into English (badly) and it says this: "Norman virus control for LINUX user the Norwegian safety specialist Norman offers free of charge immediately a free Norman to virus control version for LINUX. This offer applies to all private and not commercial LINUX user in Germany." So the offer is apparently only valid in Germany. At 18:42 03/12/2003, you wrote: >http://www.norman.com/de/news/031126.shtml?menulang=de > >in german langauge > >/jan elmqvist nielsen > > >>> Gerry Doris 03-12-03 18:50 >>> >I saw a reference to the Norman scanner in an earlier email. This is a >new one for me and I thought I'd check it out especially as the email >stated it was free for personal use. > >I went to the Norman site and I assume the product we're discussing is >the >Norman Virus Control for Linux. However, I couldn't find any reference >about it being free for personal use. They have a trial copy that >expires >in 30 days or the full retail version. > >Are we sure that it is free for personal use? Do I just download the >trial copy? > > >Gerry -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From shrek-m at GMX.DE Wed Dec 3 20:00:42 2003 
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:21:25 2006
Subject: Svar: Norman Scanner?
In-Reply-To: <3FCE312E.3070307@uptime.at>
References: <3FCE312E.3070307@uptime.at>
Message-ID: <3FCE40EA.3050304@gmx.de>

David H. wrote:
> And the download link seems to be
> http://www.norman.com/download_nvc_linux.shtml?menulang=de#

83(nvcc) < 86(sweep) discovered viruses :-(
sorry, but i couldn't find the new virus definitions for download :-(

$ rpm -q nvcc
nvcc-5.60.06-0

Norman Virus Control Version 5.60.10 Sep 9 2003 12:31:01
Copyright (c) 1993-2003 Norman ASA
NSE revision 5.60.13
nvcbin.def revision 5.60 of 2003/10/03 (49233 variants)
nvcmacro.def revision 5.60 of 2003/09/30 (9514 variants)
Total number of variants: 58747

$ nvcc -s -u -c:1 /tmp/viren/
[...]
83 possible infections found.
53 archives unpacked, 621 files found.
621 files, 48448 kbytes scanned.
Total scanning time: 0 min. 06 secs.
8074 kbytes per second.

vs.

$ sweep --version
Product version : 3.74
Engine version : 2.17
User interface version : 2.07.025
Platform : Linux/Intel
Released : 06 October 2003
Total viruses (with IDEs) : 85062

$ sweep -all -archive -mime /tmp/viren/
[...]
549 files swept in 6 seconds.
86 viruses were discovered.
86 files out of 549 were infected.

--
shrek-m

From pages at ntin.net Wed Dec 3 20:13:04 2003
From: pages at ntin.net (NTIN Page Guy) Date: Thu Jan 12 21:21:25 2006 Subject: John Rudd's cgp2ms and ms2cgp Message-ID: <2722029250.20031203141304@ntin.net> Hello MailScanner, There seems to be a problem with cgp2ms and ms2cgp when a email address contains an & sign. For example I send an email to jena&jema@example.com where example.com is not a local domain. The message goes out to mailscanner via cgp2ms 4:03:35.73 2 ENQUEUERRULES [29540630] rule(MailScanner) action #0: launching external task: [FILE]/usr/local/etc/cgp2ms 14:03:35.84 2 ENQUEUERRULES [29540630] rule(MailScanner) discarded the message 14:03:35.84 2 ENQUEUER-03([29540630]) discarded by Rules 14:03:35.84 2 DEQUEUER [29540630] SYSTEM()jena&jemma@baldwinfamily.us delivered Then root@mailadmin.nortex.net gets the following email, the original sender of the message gets no failure notice. Failed to deliver to '' address is blacklisted Reporting-MTA: dns; mailadmin.nortex.net Original-Recipient: rfc822; Final-Recipient: system; Action: failed Status: 5.0.0 Received: by mailadmin.nortex.net (CommuniGate Pro PIPE 4.1.5) with PIPE id 29540658; Wed, 03 Dec 2003 14:03:47 -0600 Received: by mailadmin.nortex.net (CommuniGate Pro PIPE 4.1.5) with PIPE id 29540650; Wed, 03 Dec 2003 14:03:42 -0600 Date: Wed, 03 Dec 2003 14:03:42 -0600 Message-ID: X-NTIN-MailScanner-Information: Please contact support@ntin.net for more information X-NTIN-MailScanner: Found to be clean X-NTIN-MailScanner-SpamCheck: not spam, SpamAssassin (score=0.129, required 5, BAYES_00 -4.90, FROM_NO_LOWER 2.00, MSGID_FROM_MTA_SHORT 3.03) From: root@mailadmin.nortex.net X-Mailer: CommuniGate Pro CLI mailer Best regards, Robert B, NTIN mailto:pages@ntin.net From raymond at PROLOCATION.NET Wed Dec 3 20:28:46 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:25 2006
Subject: Norman Scanner?
In-Reply-To: <64570.129.80.22.143.1070473812.squirrel@tiger.dorfam.ca>
Message-ID:

Hi!

> I went to the Norman site and I assume the product we're discussing is the
> Norman Virus Control for Linux. However, I couldn't find any reference
> about it being free for personal use. They have a trial copy that expires
> in 30 days or the full retail version.

On the German site there was a note about that. I installed and tested it,
but for the autoupdates it required some registration stuff, and that's not
really flexible. If I recall right they want java on the machine running
doing the register. So I quit at that point.

> Are we sure that it is free for personal use? Do I just download the
> trial copy?

According to the German site, yes.

Bye,
Raymond.

From pages at ntin.net Wed Dec 3 20:49:21 2003
From: pages at ntin.net (NTIN Page Guy)
Date: Thu Jan 12 21:21:25 2006
Subject: John Rudd's ms2cgp and cgp2ms
Message-ID: <18424211843.20031203144921@ntin.net>

There seems to be a problem with cgp2ms and ms2cgp when an email
address contains an & sign.

For example
I send an email to jena&jema@example.com where example.com
is not a local domain.

The message goes out to mailscanner via cgp2ms

4:03:35.73 2 ENQUEUERRULES [29540630] rule(MailScanner) action #0: launching external task: [FILE]/usr/local/etc/cgp2ms
14:03:35.84 2 ENQUEUERRULES [29540630] rule(MailScanner) discarded the message
14:03:35.84 2 ENQUEUER-03([29540630]) discarded by Rules
14:03:35.84 2 DEQUEUER [29540630] SYSTEM()jena&jemma@baldwinfamily.us delivered

Then root@ gets the following email, the original
sender of the message gets no failure notice.

Failed to deliver to ''
address is blacklisted

I have fixed the preceding problem, here is how I did it.

I found a bug in ms2cgp which was causing problems with email
addresses with & signs in them.

ms2cgp had the following lines, this caused a problem because the &
sign is a special character.

# send the message off to CommuniGate Pro
system("$CGPBIN/sendmail -i $rcpt < $msg");

Below is my fix, by enclosing the $rcpt in quotes I have convinced
it to accept special characters in email addresses.

# send the message off to CommuniGate Pro
system("$CGPBIN/sendmail -i \"$rcpt\" < $msg");

If you see any flaws in my logic, please let me know.

Best regards,
Robert B, NTIN mailto:pages@ntin.net

From stahl at SOEST.HAWAII.EDU Wed Dec 3 20:40:56 2003
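The quoted system() string from the ms2cgp post above, run next to a list-form call that never involves the shell. This is an added example, not code from ms2cgp or from the poster; the stand-in script that replaces "$CGPBIN/sendmail", the helper names and the second address (user$HOME@example.com) are constructed for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);

# Stand-in for "$CGPBIN/sendmail" (hypothetical): appends the arguments it
# received and the number of bytes read from stdin to the file in $FAKE_LOG.
my (undef, $log) = tempfile(UNLINK => 1);
$ENV{FAKE_LOG} = $log;
my ($sfh, $fake_sendmail) = tempfile(SUFFIX => '.pl', UNLINK => 1);
print {$sfh} <<'EOS';
my $n = 0;
$n += length($_) while <STDIN>;
open(my $l, '>>', $ENV{FAKE_LOG}) or die "log: $!";
print {$l} join(' ', map { "[$_]" } @ARGV), " stdin=$n\n";
EOS
close $sfh or die "close: $!";

# Constructed message file, standing in for ms2cgp's $msg.
my ($mfh, $msg) = tempfile(UNLINK => 1);
print {$mfh} "Subject: constructed test\n\nhello\n";
close $mfh or die "close: $!";

# Return the most recent line the stand-in wrote.
sub last_log_line {
    open(my $l, '<', $log) or die "open $log: $!";
    my @lines = <$l>;
    chomp @lines;
    return @lines ? $lines[-1] : '';
}

# Quoted string form, as in the post: Perl still hands the whole command
# line to /bin/sh, which interprets $, backquotes and " inside the quotes.
sub deliver_quoted_string {
    my ($rcpt) = @_;
    system(sprintf('%s %s -i "%s" < %s', $^X, $fake_sendmail, $rcpt, $msg));
    return last_log_line();
}

# List form: the recipient is passed as one argv element and no shell runs.
# Option-like or control-character recipients are refused (a choice made for
# this example) so the address cannot be read as a command-line switch.
sub deliver_list_form {
    my ($rcpt) = @_;
    die "refusing recipient '$rcpt'\n"
        if $rcpt =~ /^-/ || $rcpt =~ /[\x00-\x1f\x7f]/;
    open(my $in, '<', $msg) or die "open $msg: $!";
    open(my $out, '|-', $^X, $fake_sendmail, '-i', $rcpt) or die "spawn: $!";
    print {$out} $_ while <$in>;
    close $in;
    close $out or die "stand-in exited with status $?\n";
    return last_log_line();
}

# First address is the one from the thread; the second is constructed
# ("$" is a legal character in the local part of an address).
for my $rcpt ('jena&jema@example.com', 'user$HOME@example.com') {
    print "recipient : $rcpt\n";
    print "  quoted  : ", deliver_quoted_string($rcpt), "\n";
    print "  list    : ", deliver_list_form($rcpt), "\n";
}
```

With the quoted string the & address arrives intact, but the shell still expands $HOME inside the double quotes; the list form hands both addresses to the program unchanged.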
From: stahl at SOEST.HAWAII.EDU (Sharon Stahl) Date: Thu Jan 12 21:21:25 2006 Subject: Advanced SpamAssassin Settings Message-ID: Hi, I was wondering about the search for spamassassin site-local rules. The conf file says ..... # The site-local rules are searched for here, and in prefix/etc/spamassassin, # prefix/etc/mail/spamassassin, /usr/local/etc/spamassassin, /etc/spamassassin, # /etc/mail/spamassassin, and maybe others. I do not want it to search /usr/local for these rules. Is there a way for me to set the search path? Aloha, Sharon Stahl From jrudd at UCSC.EDU Wed Dec 3 20:50:54 2003 
From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:21:25 2006 Subject: John Rudd's cgp2ms and ms2cgp References: <2722029250.20031203141304@ntin.net> Message-ID: <3FCE4CAE.4D38B711@ucsc.edu> It's going to take a few days for me to get to this, but I'll get on it as soon as I can. (it's pretty much a perl quoting issue, I just have to remember how to fix it) John NTIN Page Guy wrote: > > Hello MailScanner, > > There seems to be a problem with cgp2ms and ms2cgp when a email > address contains an & sign. > > For example > I send an email to jena&jema@example.com where example.com > is not a local domain. > > The message goes out to mailscanner via cgp2ms > > 4:03:35.73 2 ENQUEUERRULES [29540630] rule(MailScanner) action #0: launching external task: [FILE]/usr/local/etc/cgp2ms > 14:03:35.84 2 ENQUEUERRULES [29540630] rule(MailScanner) discarded the message > 14:03:35.84 2 ENQUEUER-03([29540630]) discarded by Rules > 14:03:35.84 2 DEQUEUER [29540630] SYSTEM()jena&jemma@baldwinfamily.us delivered > > Then root@mailadmin.nortex.net gets the following email, the original > sender of the message gets no failure notice. > > Failed to deliver to '' > address is blacklisted > > Reporting-MTA: dns; mailadmin.nortex.net > > Original-Recipient: rfc822; > Final-Recipient: system; > Action: failed > Status: 5.0.0 > > Received: by mailadmin.nortex.net (CommuniGate Pro PIPE 4.1.5) > with PIPE id 29540658; Wed, 03 Dec 2003 14:03:47 -0600 > Received: by mailadmin.nortex.net (CommuniGate Pro PIPE 4.1.5) > with PIPE id 29540650; Wed, 03 Dec 2003 14:03:42 -0600 > Date: Wed, 03 Dec 2003 14:03:42 -0600 > Message-ID: > X-NTIN-MailScanner-Information: Please contact support@ntin.net for more information > X-NTIN-MailScanner: Found to be clean > X-NTIN-MailScanner-SpamCheck: not spam, SpamAssassin (score=0.129, > required 5, BAYES_00 -4.90, FROM_NO_LOWER 2.00, > MSGID_FROM_MTA_SHORT 3.03) 
> From: root@mailadmin.nortex.net > X-Mailer: CommuniGate Pro CLI mailer > > Best regards, > Robert B, NTIN mailto:pages@ntin.net From mkettler at EVI-INC.COM Wed Dec 3 21:16:32 2003 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:21:25 2006 Subject: Advanced SpamAssassin Settings In-Reply-To: References: Message-ID: <6.0.0.22.0.20031203161603.027ea310@xanadu.evi-inc.com> At 03:40 PM 12/3/2003, Sharon Stahl wrote: >Hi, > I was wondering about the search for spamassassin site-local rules. >The conf file says ..... ># The site-local rules are searched for here, and in prefix/etc/spamassassin, ># prefix/etc/mail/spamassassin, /usr/local/etc/spamassassin, >/etc/spamassassin, ># /etc/mail/spamassassin, and maybe others. > > > I do not want it to search /usr/local for these rules. >Is there a way for me to set the search path? Hack the spamassassin source code.. From steve.swaney at FSL.COM Wed Dec 3 21:25:19 2003 From: steve.swaney at FSL.COM (Stephen Swaney) Date: Thu Jan 12 21:21:25 2006 Subject: Advanced SpamAssassin Settings In-Reply-To: <6.0.0.22.0.20031203161603.027ea310@xanadu.evi-inc.com> Message-ID: <20031203212455.030CD21C34C@mail.fsl.com> Sharon, All SpamAssassin settings can (and should) be placed in: /spam.assassin.prefs.conf This will save your settings when next you upgrade SpamAssassin. The other files can be empty or non-existent. Steve Stephen Swaney President Fortress Systems Ltd. steve.swaney@fsl.com > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Matt Kettler > Sent: Wednesday, December 03, 2003 4:17 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Advanced SpamAssassin Settings > > At 03:40 PM 12/3/2003, Sharon Stahl wrote: > >Hi, > > I was wondering about the search for spamassassin site-local rules. > >The conf file says ..... > ># The site-local rules are searched for here, and in > prefix/etc/spamassassin, > ># prefix/etc/mail/spamassassin, /usr/local/etc/spamassassin, > >/etc/spamassassin, > ># /etc/mail/spamassassin, and maybe others. > > > > > > I do not want it to search /usr/local for these rules. > >Is there a way for me to set the search path? > > Hack the spamassassin source code.. From Denis.Beauchemin at USHERBROOKE.CA Wed Dec 3 21:35:07 2003 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:21:25 2006
Subject: BadTNEF (followup)
In-Reply-To: <1070468992.4514.54.camel@dbeauchemin.sti.usherbrooke.ca>
References: <200312031425.hB3EPLqj002848@mx.sargam.com> <003201c3b9a8$8c30ab70$6000a8c0@noticiasargentinas.com> <6.0.1.1.2.20031203143131.09106a88@imap.ecs.soton.ac.uk> <1070463273.4514.47.camel@dbeauchemin.sti.usherbrooke.ca> <6.0.1.1.2.20031203152342.03d005d8@imap.ecs.soton.ac.uk> <1070467368.4514.51.camel@dbeauchemin.sti.usherbrooke.ca> <1070468992.4514.54.camel@dbeauchemin.sti.usherbrooke.ca>
Message-ID: <1070487307.4514.78.camel@dbeauchemin.sti.usherbrooke.ca>

> I just looked at how often the external tnef decoder fails and it is
> disturbing... The following stats are from Oct 1st :
> 22102 winmail.dat seen (11040 corrupt 49.95%)
>
> I already have switched to the internal decoder!
>

Since I switched to the internal decoder I didn't get a single corrupt
tnef (in close to 300 decoded attachments).

I highly recommend that everyone switch to the internal decoder!

Denis
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From mike at TC3NET.COM Wed Dec 3 21:25:06 2003
From: mike at TC3NET.COM (Michael Baird)
Date: Thu Jan 12 21:21:25 2006
Subject: mcafee-autoupdate.
Message-ID: <1070486706.9562.49.camel@mike-new2.tc3net.com>

I noticed the mcafee-autoupdate doesn't write to syslog, when it updates
the virus scanner (mailstats.pl uses this for its statistics). It is
just a bash script, so I stuck in a logger line, with syntax matching
other updaters, if this functionality could be added into the main
updater that would be nice.

run wget --passive-ftp --progress=dot:mega $FTPDIR/$TARFILE
run tar xvf $TARFILE
#### Added for mailstats.pl virus update time graphing #####
logger -p mail.info McAfee-autoupdate: McAfee updated

Regards
MIKE

From mkettler at EVI-INC.COM Wed Dec 3 21:40:31 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:21:25 2006
Subject: Advanced SpamAssassin Settings
In-Reply-To: <20031203212455.030CD21C34C@mail.fsl.com>
References: <6.0.0.22.0.20031203161603.027ea310@xanadu.evi-inc.com> <20031203212455.030CD21C34C@mail.fsl.com>
Message-ID: <6.0.0.22.0.20031203163043.024e1dc0@xanadu.evi-inc.com>

At 04:25 PM 12/3/2003, Stephen Swaney wrote:
>All SpamAssassin settings can (and should) be placed in:
> /spam.assassin.prefs.conf
>
>This will save your settings when next you upgrade SpamAssassin.
>The other files can be empty or non-existent.

True, but this has nothing to do with the poster's actual question.

spam.assassin.prefs.conf is used to replace the "user_prefs" file in
SpamAssassin. None of this will stop spamassassin from automatically
reading the "site rules" as well, even when called via MailScanner.

ie: /usr/local/etc/spamassassin/*.cf

(although duplicate options in spam.assassin.prefs.conf will take
priority, the other files will still be read.)

And the original poster's question regards how to prevent SA from
reading files in /usr/local. The *only* way to do that is to hack the
SpamAssassin source code.. the list of paths used for this search are
hard coded into spamassassin.

Also, as an added detail, SA will only handle the *first* site-rules dir
it finds.. it will not try any others..

The raw SA source code for 2.60 has this path search in SpamAssassin.pm:

# first 3 are BSDish, latter 2 Linuxish
@site_rules_path = (
    '__local_rules_dir__',
    '__prefix__/etc/mail/spamassassin',
    '__prefix__/etc/spamassassin',
    '/usr/local/etc/spamassassin',
    '/usr/pkg/etc/spamassassin',
    '/usr/etc/spamassassin',
    '/etc/mail/spamassassin',
    '/etc/spamassassin',
);

Note that __local_rules_dir__ and __prefix__ are filled in with
information determined when you compile/install SA.

From pages at ntin.net Wed Dec 3 21:54:41 2003
From: pages at ntin.net (NTIN Page Guy)
Date: Thu Jan 12 21:21:25 2006
Subject: John Rudd's ms2cgp and cgp2ms
In-Reply-To: <18424211843.20031203144921@ntin.net>
References: <18424211843.20031203144921@ntin.net>
Message-ID: <15528128062.20031203155441@ntin.net>

Hello NTIN,

Strange, I posted this message hours ago and it just now appeared.

John pointed out that my fix below breaks messages that are addressed to
multiple recipients.

Wednesday, December 03, 2003, you wrote:

NPG> There seems to be a problem with cgp2ms and ms2cgp when an email
NPG> address contains an & sign.

NPG> For example
NPG> I send an email to jena&jema@example.com where example.com
NPG> is not a local domain.

NPG> The message goes out to mailscanner via cgp2ms
NPG> 4:03:35.73 2 ENQUEUERRULES [29540630] rule(MailScanner) action #0: launching external task:
NPG> [FILE]/usr/local/etc/cgp2ms
NPG> 14:03:35.84 2 ENQUEUERRULES [29540630] rule(MailScanner) discarded the message
NPG> 14:03:35.84 2 ENQUEUER-03([29540630]) discarded by Rules
NPG> 14:03:35.84 2 DEQUEUER [29540630] SYSTEM()jena&jemma@baldwinfamily.us delivered

NPG> Then root@ gets the following email, the original
NPG> sender of the message gets no failure notice.

NPG> Failed to deliver to ''
NPG> address is blacklisted

NPG> I have fixed the preceding problem, here is how I did it.

NPG> I found a bug in ms2cgp which was causing problems with email
NPG> addresses with & signs in them.

NPG> ms2cgp had the following lines, this caused a problem because the &
NPG> sign is a special character.

NPG> # send the message off to CommuniGate Pro
NPG> system("$CGPBIN/sendmail -i $rcpt < $msg");

NPG> Below is my fix, by enclosing the $rcpt in quotes I have convinced it
NPG> to accept special characters in email addresses.

NPG> # send the message off to CommuniGate Pro
NPG> system("$CGPBIN/sendmail -i \"$rcpt\" < $msg");

NPG> If you see any flaws in my logic, please let me know.

NPG> Best regards,
NPG> Robert B, NTIN mailto:pages@ntin.net

Best regards,
Robert B, NTIN mailto:pages@ntin.net

From mailscanner at ecs.soton.ac.uk Thu Dec 4 03:26:46 2003
From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk)
Date: Thu Jan 12 21:21:25 2006
Subject: NOTIFY-New Guestbook Entry
Message-ID: <200312040326.hB43Qk5q024970@seer.ecs.soton.ac.uk>

New Guestbook-Entry from usa

Should have multi outqueuedir like inqueuedir (/var/spool/mqueue.in/*)

From jstuart at EDENPR.K12.MN.US Wed Dec 3 22:32:24 2003
From: jstuart at EDENPR.K12.MN.US (Joe Stuart)
Date: Thu Jan 12 21:21:25 2006
Subject: postfix defer_transport
Message-ID:

Ok so I have Mailscanner running with Postfix on a suse linux server that
scans all the messages then forwards them off to a groupwise server. I
set up Postfix and Mailscanner just like the Mailscanner installation
guide - Postfix says. But every time I would send mail to it the maillog
would say

postfix/qmgr[15673]: EEBBA5A400A: to=, relay=none, delay=1, status=deferred (deferred transport)

So I changed the line in /etc/postfix.in/main.cf from this

defer_transports = smtp local virtual relay

to

defer_transports =

and it now works, but I'm not comfortable with it not working like the
website says. I am wondering if anyone could help me figure out why it's
not working like it is supposed to.

Thanks,
Joe

From id at W98.US Wed Dec 3 23:25:59 2003
From: id at W98.US (ian douglas)
Date: Thu Jan 12 21:21:25 2006
Subject: AOL blocking MailScanner messages!
In-Reply-To: <5.2.1.1.0.20031202152704.04d31ed8@mail.1bigthink.com>
Message-ID:

> Which means that you never had your reverse DNS correct, or maybe something
> happened to it recently. Perhaps your upstream provider?

Yeah, this happened to me a few weeks ago - AOL started blocking all Emails from
my server because my reverse DNS wasn't configured correctly.

Soon as I fixed that, it worked like a charm.

-id

From pete at eatathome.com.au Thu Dec 4 00:09:26 2003
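On the ms2cgp recipient quoting discussed earlier in this digest (Subject: John Rudd's ms2cgp and cgp2ms), an added example that is not John Rudd's script or the poster's fix: the mailer is started with a list-form exec, so no shell ever sees the address and `&` is an ordinary character, and each recipient is its own argument, which also covers the multiple-recipient case. Assumptions: ms2cgp is Perl, as the `system(...)` line suggests, and `$rcpt` holds whitespace-separated recipients; `deliver_no_shell` and the stand-in mailer are hypothetical names.

```perl
#!/usr/bin/perl
# Added example (not the ms2cgp source): hand a message file to a
# sendmail-style program without going through /bin/sh.
use strict;
use warnings;
use POSIX ();
use File::Temp qw(tempfile);

# $mailer: array ref holding the program path and its fixed options.
# Returns the mailer's exit code (0 means it accepted the message).
sub deliver_no_shell {
    my ($mailer, $msg_path, @rcpts) = @_;
    die "no recipients\n" unless @rcpts;
    for my $r (@rcpts) {
        # Without a shell, '&', ';', '$' and quotes are plain bytes. What is
        # still refused: a leading '-' (the mailer would read it as an
        # option) and control characters.
        die "refusing recipient\n" if $r =~ /^-/ || $r =~ /[\x00-\x1f\x7f]/;
    }
    my @cmd = (@$mailer, @rcpts);
    my $pid = fork();
    die "fork: $!\n" unless defined $pid;
    if ($pid == 0) {
        # Child: the message file becomes stdin, replacing "< $msg".
        open(STDIN, '<', $msg_path)
            or do { warn "open $msg_path: $!\n"; POSIX::_exit(127) };
        # Indirect-object form of exec never falls back to the shell.
        exec { $cmd[0] } @cmd
            or do { warn "exec $cmd[0]: $!\n"; POSIX::_exit(127) };
    }
    waitpid($pid, 0);
    return $? >> 8;
}

# --- demo with constructed input ------------------------------------------
# Stand-in for "$CGPBIN/sendmail -i": a Perl one-liner that prints every
# argument it received and how many lines arrived on stdin.
my @fake_mailer = ($^X, '-e',
    'print "arg: $_\n" for @ARGV; my @m = <STDIN>; print "stdin lines: ", scalar(@m), "\n";',
    '--', '-i');

my ($fh, $msg) = tempfile(UNLINK => 1);
print {$fh} "Subject: test\n\nbody\n";
close $fh;

# Assumption: $rcpt is the whitespace-separated recipient list ms2cgp builds.
my $rcpt = 'jena&jema@example.com second@example.com';
my $rc = deliver_no_shell(\@fake_mailer, $msg, split(' ', $rcpt));
print "mailer exit code: $rc\n";
```

The stand-in prints `-i` and the two addresses as three separate arguments, with the `&` intact.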
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:21:25 2006
Subject: postfix defer_transport
In-Reply-To:
References:
Message-ID: <3FCE7B36.2060306@eatathome.com.au>

Joe Stuart wrote:

>Ok so I have Mailscanner running with Postfix on a suse linux server that
>scans all the messages then forwards them off to a groupwise server. I
>set up Postfix and Mailscanner just like the Mailscanner installation
>guide - Postfix says. But every time I would send mail to it the maillog
>would say
>
>postfix/qmgr[15673]: EEBBA5A400A: to=, relay=none,
>delay=1, status=deferred (deferred transport)
>
>So I changed the line in /etc/postfix.in/main.cf from this
>
>defer_transports = smtp local virtual relay
>
>to
>
>defer_transports =
>
>and it now works, but I'm not comfortable with it not working like the
>website says. I am wondering if anyone could help me figure out why it's
>not working like it is supposed to.
>
>Thanks,
>Joe
>

So now mail isn't being scanned by mailscanner though is it? You need to
change the main.cf back.

1. Postfix (inbound) accepts mail for processing, it defers the incoming
   mail eg - hold the mail and do nothing else,
2. MailScanner collect the mail and process it, place it in the outbound
   queue,
3. Postfix.in (outbound) then discovers mail in the queue ready for
   delivery, it does the smtp delivery.

A complete log entry looks like

Dec 4 11:15:35 mail01 postfix/smtpd[4713]: disconnect from gizmo06bw.bigpond.com[144.140.70.16]
Dec 4 11:15:35 mail01 postfix/qmgr[25649]: EC38633BCD: to=, relay=none, delay=1, status=deferred (deferred transport)
Dec 4 11:15:35 mail01 MailScanner[321]: New Batch: Scanning 1 messages, 3869 bytes
Dec 4 11:15:36 mail01 MailScanner[321]: SIGPIPE received - trying new log socket
Dec 4 11:15:36 mail01 MailScanner[321]: New Batch: Scanning 1 messages, 3869 bytes
Dec 4 11:15:36 mail01 MailScanner[321]: Spam Checks: Starting
Dec 4 11:15:39 mail01 MailScanner[321]: Virus and Content Scanning: Starting
Dec 4 11:15:41 mail01 postfix/qmgr[25659]: 2C474C6E1: from=, size=3680, nrcpt=1 (queue active)
Dec 4 11:15:41 mail01 MailScanner[321]: Uninfected: Delivered 1 messages
Dec 4 11:15:46 mail01 postfix/smtp[4728]: 2C474C6E1: to=, relay=203.00.00.90[203.00.00.90], delay=12, status=sent (250 Message accepted for delivery)

From res at AUSICS.NET Thu Dec 4 00:16:30 2003
From: res at AUSICS.NET (Res)
Date: Thu Jan 12 21:21:25 2006
Subject: AOL blocking MailScanner messages!
In-Reply-To:
References:
Message-ID:

On Wed, 3 Dec 2003, ian douglas wrote:

> > Which means that you never had your reverse DNS correct, or maybe something
> > happened to it recently. Perhaps your upstream provider?
>
>
> Yeah, this happened to me a few weeks ago - AOL started blocking all Emails from
> my server because my reverse DNS wasn't configured correctly.
>
> Soon as I fixed that, it worked like a charm.

It's a shame other admins don't do this, however I do support AOL on this
move

--
Regards,
Res
Network Administrator
Postmaster / Abusemaster / Flamemaster
http://www.ausics.net
Australian Hosting Services

From mkettler at EVI-INC.COM Thu Dec 4 00:55:52 2003
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:21:25 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: References: Message-ID: <6.0.0.22.0.20031203194846.01fcbd50@xanadu.evi-inc.com> At 07:16 PM 12/3/2003, you wrote: >It's a shame other admins don't do this, however I do support AOL on this >move As do I.. Hopefully it will at least cause _some_ of the lazy network admins out there to get off their butts and set up their reverse DNS zones. Unfortunately, right now there's an awful lot of admins that VERY bad about getting their butts in gear and making RDNS entires. I can't afford to bounce email just because the system admin of the other site is lazy, incompetent, or just massively understaffed and not getting the time to do it all. (note that said ineffective admin isn't always the same as the admin of the affected mailserver, but there's always SOMEONE who should be responsible for the RDNS that isn't getting the job done). I do however require a MX for the Mail From: address.. I figure if they don't have that much, nobody can reply to them anyway. It occasionally delays mail with DNS server outages, but no biggie, it's a 4xx error so it gets retried. From nathan at TCPNETWORKS.NET Thu Dec 4 01:31:47 2003 From: nathan at TCPNETWORKS.NET (Nathan Johanson) Date: Thu Jan 12 21:21:25 2006 Subject: Virus scanners and universities Message-ID: I've tested it w/out issue and am actually putting it into production tonight. My only knock is lack of support for recent distributions, notably Red Hat 9.0 (not really recent anymore) and Red Hat Enterprise Linux ES 3.0. http://support.ca.com/techbases/ilnt/etav70linux-prodann.html It won a recent reward for "Best Security Solution" at the Linuxworld Expo in New York. Frankly, I think the real winner should have been MailScanner. http://www3.ca.com/press/PressRelease.asp?CID=39095 Nathan -----Original Message----- 
From: Thomas DuVally [mailto:tduvally@BROWN.EDU] Sent: Wed 12/3/2003 6:01 AM To: MAILSCANNER@JISCMAIL.AC.UK Cc: Subject: Re: Virus scanners and universities From jaearick at COLBY.EDU Thu Dec 4 01:46:07 2003 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:21:25 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: <6.0.0.22.0.20031203194846.01fcbd50@xanadu.evi-inc.com> References: <6.0.0.22.0.20031203194846.01fcbd50@xanadu.evi-inc.com> Message-ID: Gang, Are you guys talking about the "accept_unresolvable_domains" mc setting in sendmail? As of version 8.9, sendmail won't accept email from unresolvable domains unless this feature is defined. I've never enabled it at my site after sendmail 8.9 (a while ago), and I've never had any complaints about it. Or is there some other setting to reject sites lacking RDNS? We have a lot of users with Adelphia broadband at home, and Adelphia is notoriously bad about no RDNS for their cable modems. Since we run tcpwrappers in paranoid mode, I see lots of remote connections from Adelphia to our academic system rejected by tcpwrappers. Still, almost no complaints from our users. Maybe they are just timid. --- Jeff Earickson Colby College On Wed, 3 Dec 2003, Matt Kettler wrote: > Date: Wed, 3 Dec 2003 19:55:52 -0500 
> From: Matt Kettler > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: AOL blocking MailScanner messages! > > At 07:16 PM 12/3/2003, you wrote: > >It's a shame other admins don't do this, however I do support AOL on this > >move > > As do I.. Hopefully it will at least cause _some_ of the lazy network > admins out there to get off their butts and set up their reverse DNS zones. > > Unfortunately, right now there's an awful lot of admins that VERY bad about > getting their butts in gear and making RDNS entires. I can't afford to > bounce email just because the system admin of the other site is lazy, > incompetent, or just massively understaffed and not getting the time to do > it all. > > (note that said ineffective admin isn't always the same as the admin of the > affected mailserver, but there's always SOMEONE who should be responsible > for the RDNS that isn't getting the job done). > > I do however require a MX for the Mail From: address.. I figure if they > don't have that much, nobody can reply to them anyway. It occasionally > delays mail with DNS server outages, but no biggie, it's a 4xx error so it > gets retried. > From mkettler at EVI-INC.COM Thu Dec 4 02:02:31 2003 
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:21:25 2006
Subject: AOL blocking MailScanner messages!
In-Reply-To:
References: <6.0.0.22.0.20031203194846.01fcbd50@xanadu.evi-inc.com>
Message-ID: <6.0.0.22.0.20031203205539.02ab9a18@xanadu.evi-inc.com>

At 08:46 PM 12/3/2003, Jeff A. Earickson wrote:
>Gang,
> Are you guys talking about the "accept_unresolvable_domains" mc setting
>in sendmail? As of version 8.9, sendmail won't accept email from unresolvable
>domains unless this feature is defined. I've never enabled it at my site
>after sendmail 8.9 (a while ago), and I've never had any complaints about it.
>Or is there some other setting to reject sites lacking RDNS?

accept_unresolvable_domains has to do with being able to find a MX for the
envelope's From: address..

Some distros (ie: older redhat) ship with accept_unresolvable_domains
enabled, I disabled it, hence my comment that I reject unresolvable from's

However, this has nothing to do with RDNS at all, and nothing to do with
what AOL is doing.

AOL is implementing refusal of mail from servers that do not have a reverse
DNS lookup for their IP.

It's not rocket science to do in sendmail, i.e. something like this:

http://www.cs.niu.edu/~rickert/cf/hack/require_rdns.m4

From chris at trudeau.org Thu Dec 4 03:31:30 2003
From: chris at trudeau.org (Chris Trudeau) Date: Thu Jan 12 21:21:25 2006 Subject: postfix defer_transport In-Reply-To: Message-ID: <010801c3ba17$1bcbefb0$23c8a8c0@serv> Joe... The "deferred transport" message you received is exactly as it should be. The way a postfix installation works is as such (roughly) Postfix.in receives the message and drops it into a mail queue. MailScanner every "n" seconds scans that directory, grabs the messages out of the directory and scans them pursuant to your config. Once completed, the MailScanner process then drops the message back into the outbound postfix instance allowing delivery based on that config. This probably doesn't help, but maybe it gives you an idea... CT -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Joe Stuart Sent: Wednesday, December 03, 2003 5:32 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: postfix defer_transport Ok so I have Maiscanner running with Postfix on a suse linux server that scans all the messages then forwards them off to a groupwise server. I set up Postfix and Mailscanner just like the Mailscanner insallation guide - Postfix says. But everytime I would send mail to it the maillog would say postfix/qmgr[15673]: EEBBA5A400A: to=, relay=none, delay=1, status=deferred (deferred transport) So I changed the line in /etc/postfix.in/main.cf from this defer_transports = smtp local virtual relay to defer_transports = and it now works, but I'm not comfortable with it not working like the website says. I am wondering if anyone could help me figure out why it's not working like it is supposed to. Thanks, Joe From shrek-m at GMX.DE Thu Dec 4 07:26:52 2003 
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:21:25 2006
Subject: wendy.zip - encrypted - mimail
Message-ID: <3FCEE1BC.9020002@gmx.de>

hi,

ms and sweep don't recognize wendy.zip as mimail because it is encrypted,
it should be blocked via filename/filetype

http://www.sophos.com/virusinfo/analyses/w32mimaill.html

$ ll wendy.zip
-rw------- 1 admin admin 9903 Dec 4 08:02 wendy.zip
$ md5sum wendy.zip
18aa642a0b7f275a51e31fe02d82ba35 /data4/doku/viren/wendy.zip

$ sweep -archive wendy.zip
[...]
Password protected file wendy.zip/wendy.exe

1 file swept in 1 second.
1 error was encountered.
No viruses were discovered.
1 encrypted file was not checked.

--
shrek-m

From tim-lists at BISHNET.NET Thu Dec 4 08:36:43 2003
From: tim-lists at BISHNET.NET (Tim Bishop)
Date: Thu Jan 12 21:21:25 2006
Subject: wendy.zip - encrypted - mimail
In-Reply-To: <3FCEE1BC.9020002@gmx.de>
References: <3FCEE1BC.9020002@gmx.de>
Message-ID: <20031204083643.GG78290@carrick.bishnet.net>

On Thu, Dec 04, 2003 at 08:26:52AM +0100, shrek-m@gmx.de wrote:
> $ sweep -archive wendy.zip
> [...]
> Password protected file wendy.zip/wendy.exe
>
> 1 file swept in 1 second.
> 1 error was encountered.
> No viruses were discovered.
> 1 encrypted file was not checked.

More worryingly, if you do unzip this some virus scanners don't detect
the .exe file as a virus. Neither f-prot or f-secure detected the .exe
as a virus, although sophos did.

But as you say, that's going to be irrelevant if we can't even look
inside the zip file. I guess a good compromise would be to have an
option to block encrypted zip files in mailscanner?

Cheers,
Tim.

--
Tim Bishop
http://www.bishnet.net/tim
PGP Key: 0x5AE7D984

From smilga at MIKROTIK.COM Thu Dec 4 09:12:13 2003
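The option Tim suggests above, blocking encrypted zip files instead of letting the scanner report them as unchecked, comes down to reading one flag bit per archive member from the zip central directory. An added example, not MailScanner code: the function names are hypothetical and the sample archives are constructed in-line from placeholder bytes.

```perl
#!/usr/bin/perl
# Added example: list zip members whose "encrypted" flag is set, so a mail
# gateway can block what its virus scanner cannot open. Reads only the
# central directory; ZIP64 and nested archives are out of scope here.
use strict;
use warnings;

use constant { LFH_SIG => 0x04034b50, CDH_SIG => 0x02014b50, EOCD_SIG => 0x06054b50 };

# Returns an array ref of encrypted member names, or undef (empty return)
# when the data is not a parseable zip archive.
sub encrypted_members {
    my ($zip) = @_;
    # The end-of-central-directory record sits at the tail of the file.
    my $eocd = rindex($zip, pack('V', EOCD_SIG));
    return if $eocd < 0 || $eocd + 22 > length $zip;
    my (undef, undef, undef, undef, $total, $cd_size, $cd_off) =
        unpack('V v v v v V V', substr($zip, $eocd, 20));
    return if $cd_off + $cd_size > $eocd;

    my ($pos, @hits) = ($cd_off);
    for (1 .. $total) {
        return if $pos + 46 > $eocd;
        # Fixed part of a central directory header, up to the three lengths.
        my ($sig, undef, undef, $flags, undef, undef, undef,
            undef, undef, undef, $nlen, $xlen, $clen) =
            unpack('V v v v v v v V V V v v v', substr($zip, $pos, 34));
        return unless $sig == CDH_SIG;
        return if $pos + 46 + $nlen > $eocd;
        # Bit 0 of the general purpose bit flag marks an encrypted member.
        push @hits, substr($zip, $pos + 46, $nlen) if $flags & 0x0001;
        $pos += 46 + $nlen + $xlen + $clen;
    }
    return \@hits;
}

# Gateway decision: anything unreadable or encrypted is held back.
sub verdict {
    my ($zip) = @_;
    my $enc = encrypted_members($zip);
    return 'block: unparseable archive' unless defined $enc;
    return @$enc ? 'block: encrypted member(s): ' . join(', ', @$enc)
                 : 'pass to virus scanner';
}

# Constructed sample: stored members with placeholder data and zero CRCs,
# enough structure for the directory walk above (not a usable archive).
sub build_sample_zip {
    my @members = @_;                       # each: [name, flags, data]
    my ($body, $cd) = ('', '');
    for my $m (@members) {
        my ($name, $flags, $data) = @$m;
        my $off = length $body;
        $body .= pack('V v v v v v V V V v v', LFH_SIG, 20, $flags, 0, 0, 0, 0,
                      length($data), length($data), length($name), 0) . $name . $data;
        $cd   .= pack('V v v v v v v V V V v v v v v V V', CDH_SIG, 20, 20, $flags,
                      0, 0, 0, 0, length($data), length($data), length($name),
                      0, 0, 0, 0, 0, $off) . $name;
    }
    my $n = scalar @members;
    return $body . $cd
         . pack('V v v v v V V v', EOCD_SIG, 0, 0, $n, $n, length($cd), length($body), 0);
}

print verdict(build_sample_zip(['readme.txt', 0x0000, 'hello'],
                               ['wendy.exe',  0x0001, "\0" x 16])), "\n";
print verdict(build_sample_zip(['readme.txt', 0x0000, 'hello'])), "\n";
print verdict('not a zip'), "\n";
```

The three calls print a block verdict naming `wendy.exe`, a pass verdict, and a block verdict for the unparseable input.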
From: smilga at MIKROTIK.COM (Martins Smilga) Date: Thu Jan 12 21:21:25 2006 Subject: Mailscanner with Debian 3 testing References: <052b01c3b803$01c0c890$a500010a@martinsss> <06e501c3b97d$34b91060$6c01cac3@ccpaysdegex.fr> Message-ID: <096601c3ba46$b4a81fe0$a500010a@martinsss> Thanks, now it put into new direcoty files. I also edited mailscanner.conf and chose f-prot. Now all files just standing in /var/spool/mqueue.in direcotry When I do "ps -axf " I see that mailscanner ir running, but I need to understand if these mails is checked by mailscanner and why they just stand in this directory, what I need to do to deliver these mails to /var/spool/mail directory for each users Martins ----- Original Message ----- From: "Sylvain Blanc - CRI du Pays De Gex et du Bassin Bellegardien" To: "MailScanner mailing list" Cc: Sent: Wednesday, December 03, 2003 11:09 AM Subject: Re: Mailscanner with Debian 3 testing > I use debian woody + sendmail + mailscanner 4.24 + f-prot + spamassassin > > In sendmail.conf change DAEMON_PARMS to > DAEMON_PARMS="-ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in > "; > That's all for sendmail > > Configure your > mailscanner.conf > > and uncomment the line > run_mailscanner=1 > in /etc/default/mailscanner > > restart sendmail > restart mailscanner > > > > > ----- Original Message ----- 
> From: "Martins Smilga" > To: > Sent: Monday, December 01, 2003 1:02 PM > Subject: Mailscanner with Debian 3 testing > > > > Hello, > > > > May be somone have expierence with mailscanner how to install on Debian > > testing version. > > > > I have Spammassin + Sendmail. > > > > I installed mailscanner from apitude, > > I can not find any detailed documentation how to install mailscanner on > > Debina with sendmail. > > (http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml) > > I can find where I can change these senttings (script). > > > > May be there is other way how to put mailscanner + Debian+ sendmail > > > > > > Martins > > From martinh at SOLID-STATE-LOGIC.COM Thu Dec 4 09:18:23 2003 From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:21:25 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: References: <6.0.0.22.0.20031203194846.01fcbd50@xanadu.evi-inc.com> Message-ID: <3FCEFBDF.2050105@solid-state-logic.com> All there's a massive rant^Wdiscussion going on about all this on nanog as well - might be more worth while moving to this thread to that list? -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From martinh at SOLID-STATE-LOGIC.COM Thu Dec 4 09:24:15 2003 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:21:25 2006
Subject: wendy.zip - encrypted - mimail
In-Reply-To: <3FCEE1BC.9020002@gmx.de>
References: <3FCEE1BC.9020002@gmx.de>
Message-ID: <3FCEFD3F.3050207@solid-state-logic.com>

shrek-m@gmx.de wrote:
> hi,
>
> ms and sweep don't recognize wendy.zip as mimail because it is encrypted,
> it should be blocked via filename/filetype
>
> http://www.sophos.com/virusinfo/analyses/w32mimaill.html
>
>
> $ ll wendy.zip
> -rw------- 1 admin admin 9903 Dec 4 08:02 wendy.zip
> $ md5sum wendy.zip
> 18aa642a0b7f275a51e31fe02d82ba35 /data4/doku/viren/wendy.zip
>
>
>
> $ sweep -archive wendy.zip
> [...]
> Password protected file wendy.zip/wendy.exe
>
> 1 file swept in 1 second.
> 1 error was encountered.
> No viruses were discovered.
> 1 encrypted file was not checked.
>
>

Hi

Sophos are calling this MiMail-L

http://www.sophos.com/virusinfo/analyses/w32mimaill.html

and claim to detect it since 2 Dec 04.17.

I guess if not let their support dept know...

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From res at AUSICS.NET Thu Dec 4 10:29:10 2003
From: res at AUSICS.NET (Res)
Date: Thu Jan 12 21:21:25 2006
Subject: AOL blocking MailScanner messages!
In-Reply-To: <3FCEFBDF.2050105@solid-state-logic.com>
References: <6.0.0.22.0.20031203194846.01fcbd50@xanadu.evi-inc.com> <3FCEFBDF.2050105@solid-state-logic.com>
Message-ID:

On Thu, 4 Dec 2003, Martin Hepworth wrote:

> there's a massive rant^Wdiscussion going on about all this on nanog as
> well - might be more worth while moving to this thread to that list?

Many of us on this 'international' list, are not on that list u mention.
But I agree that this may not be the list for an ongoing discussion on it
either.

--
Regards,
Res
Network Administrator
Postmaster / Abusemaster / Flamemaster
http://www.ausics.net
Australian Hosting Services

From dbird at SGHMS.AC.UK Thu Dec 4 10:29:40 2003
From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:21:25 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: <5.2.1.1.0.20031202152704.04d31ed8@mail.1bigthink.com> References: <3FCCE83F.7070500@sghms.ac.uk> <3FCCE83F.7070500@sghms.ac.uk> <5.2.1.1.0.20031202152704.04d31ed8@mail.1bigthink.com> Message-ID: <3FCF0C94.3080306@sghms.ac.uk> DNSAdmin wrote: > At 08:06 PM 12/2/2003 +0000, you wrote: > >> I have just tested this and found it not to be true: >> >> 220-rly-yb03.mx.aol.com ESMTP mail_relay_in-yb3.3; Tue, 02 Dec 2003 >> 15:01:11 -0500 >> 220-America Online (AOL) and its affiliated companies do not >> 220- authorize the use of its proprietary computers and computer >> 220- networks to accept, transmit, or distribute unsolicited bulk >> 220- e-mail sent from the internet. Effective immediately: AOL >> 220- may no longer accept connections from IP addresses which >> 220 have no reverse-DNS (PTR record) assigned. > > > > Which means that you never had your reverse DNS correct, or maybe > something > happened to it recently. Perhaps your upstream provider? Our RDNS resolves, and we run all our own services. This problem has now become an intermittent issue. I've now ruled out any involvement with MailScanner as it's started happening with mail from our domain which hasn't been scanned (i.e I have a rule set which does not scan mails destined for AOL) It's all very odd. If MailScanner scans the messages ALL mail gets blocked by them If it's turned off some gets blocked and some doesn't. The denial is on DATA, so I'm collecting mail to AOL so I can comare those that get blocked and those that don't. I've called and called AOL and my "ticket is being processed". Frustrated Dan > > Cheers, > Glenn > >> HELO mailscanner.biz >> 250 rly-yb03.mx.aol.com OK >> MAIL from: >> 250 OK >> RCPT to: >> 250 OK >> DATA >> 354 START MAIL INPUT, END WITH "." ON A LINE BY ITSELF 
>> From: jules@jules.fm >> To: steve1@aol.com >> Date: Tue, 2 Dec 2003 18:33:41 +0000 >> Subject: This is a test message >> X-MailScanner: Found to be clean >> >> This is a test message. Please delete me. >> -- >> Jules >> . >> 250 OK >> >> which appears to say it has accepted the message. >> -- >> Julian Field >> www.MailScanner.info >> Professional Support Services at www.MailScanner.biz >> MailScanner thanks transtec Computers for their support >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From res at AUSICS.NET Thu Dec 4 10:30:02 2003 From: res at AUSICS.NET (Res) Date: Thu Jan 12 21:21:25 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: References: <6.0.0.22.0.20031203194846.01fcbd50@xanadu.evi-inc.com> Message-ID: Jeff, On Wed, 3 Dec 2003, Jeff A. Earickson wrote: > Gang, > Are you guys talking about the "accept_unresolvable_domains" mc setting We are talking about enforcement of RFC1912 -- Regards, Res Network Administrator Postmaster / Abusemaster / Flamemaster http://www.ausics.net Australian Hosting Services From Ulysees at ULYSEES.COM Thu Dec 4 11:22:26 2003 From: Ulysees at ULYSEES.COM (Ulysees) Date: Thu Jan 12 21:21:25 2006 Subject: Log permitted filenames Message-ID: <001401c3ba58$e580fcb0$3201010a@nimitz> Don't know if this already exists or not but I'm looking to get a bit more out of the log permitted filenames option. Currently it generates Dec 2 06:55:16 $hostname MailScanner[11630]: Filename Checks: Windows/DOS Executable (patch.exe) What I think would be really usefull would be Dec 2 06:55:16 $hostname MailScanner[11630]: Filename Checks: Windows/DOS Executable (patch.exe) in $msgid Any ideas ? Uly From mailscanner at ecs.soton.ac.uk Thu Dec 4 11:43:36 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:25 2006 Subject: Log permitted filenames In-Reply-To: <001401c3ba58$e580fcb0$3201010a@nimitz> References: <001401c3ba58$e580fcb0$3201010a@nimitz> Message-ID: <6.0.1.1.2.20031204114227.093dd948@imap.ecs.soton.ac.uk> At 11:22 04/12/2003, you wrote: >Don't know if this already exists or not but I'm looking to get a bit more >out of the log permitted filenames option. >Currently it generates >Dec 2 06:55:16 $hostname MailScanner[11630]: Filename Checks: Windows/DOS >Executable (patch.exe) >What I think would be really usefull would be >Dec 2 06:55:16 $hostname MailScanner[11630]: Filename Checks: Windows/DOS >Executable (patch.exe) in $msgid > >Any ideas ? > >Uly Steve F -- Will this change upset MailWatch at all? I don't want to break anything... To get the extra logging, apply this patch to SweepOther.pm : --- SweepOther.pm.old 2003-12-04 11:42:28.000000000 +0000 +++ SweepOther.pm 2003-12-04 11:42:43.000000000 +0000 @@ -197,8 +197,8 @@ #print STDERR "\"$attach\" matched \"$regexp\" or \"$safename\" did\n"; if ($allowdeny =~ 'deny') { # It's a rejection rule, so log the error. - MailScanner::Log::InfoLog("Filename Checks: %s (%s)", - $logtext, $attach); + MailScanner::Log::InfoLog("Filename Checks: %s (%s) in %s", + $logtext, $attach, $id); $message->{namereports}{$safename} .= "$usertext ($safename)\n"; $message->{nametypes}{$safename} .= "f"; $counter++; -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From raymond at PROLOCATION.NET Thu Dec 4 11:56:23 2003 
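Review bot: In the changed InfoLog call the message id is appended after `$attach`, the attachment name as it arrived in the message, so a consumer that parses this line (the MailWatch concern raised in the same post) cannot reliably tell where the filename ends and ` in <id>` begins. Putting `$id` ahead of the filename, or logging `$safename` as the `namereports` line just below does, keeps the id in a fixed position. `$id` is also not assigned anywhere in the visible context, so it is worth confirming that it is in scope at this point in SweepOther.pm before the patch is applied.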
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:25 2006 Subject: Log permitted filenames In-Reply-To: <6.0.1.1.2.20031204114227.093dd948@imap.ecs.soton.ac.uk> Message-ID: Hi! > Steve F -- Will this change upset MailWatch at all? I don't want to break > anything... > > To get the extra logging, apply this patch to SweepOther.pm : > > --- SweepOther.pm.old 2003-12-04 11:42:28.000000000 +0000 > +++ SweepOther.pm 2003-12-04 11:42:43.000000000 +0000 > @@ -197,8 +197,8 @@ > #print STDERR "\"$attach\" matched \"$regexp\" or \"$safename\" > did\n"; > if ($allowdeny =~ 'deny') { > # It's a rejection rule, so log the error. > - MailScanner::Log::InfoLog("Filename Checks: %s (%s)", > - $logtext, $attach); > + MailScanner::Log::InfoLog("Filename Checks: %s (%s) in %s", > + $logtext, $attach, $id); > $message->{namereports}{$safename} .= "$usertext ($safename)\n"; > $message->{nametypes}{$safename} .= "f"; > $counter++; If it doesnt break anything it would be a nice addiction, since its hard to track down messages now. =) with the msgid its pretty simple to grep around. Bye, Raymond. From raymond at PROLOCATION.NET Thu Dec 4 12:03:09 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:25 2006 Subject: Log permitted filenames In-Reply-To: Message-ID: Hi! > If it doesnt break anything it would be a nice addiction, since its hard ^ Addition... Bye, Raymond. From dot at DOTAT.AT Thu Dec 4 12:03:07 2003 From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:21:25 2006 Subject: Log permitted filenames In-Reply-To: Message-ID: Ulysees wrote: > >What I think would be really usefull would be >Dec 2 06:55:16 $hostname MailScanner[11630]: Filename Checks: Windows/DOS >Executable (patch.exe) in $msgid I have a pile of patches to make tracking message-IDs possible. Here's a selection related to file types and names... --- SweepOther.pm 4 Jul 2003 18:08:28 -0000 1.1.1.6 +++ SweepOther.pm 7 Aug 2003 09:38:46 -0000 1.7 
@@ -195,19 +196,20 @@ $MatchFound = 1; if ($allowdeny eq 'deny') { # It's a rejection rule, so log the error. - MailScanner::Log::InfoLog("Filename Checks: %s (%s)", - $logtext, $attach); + MailScanner::Log::InfoLog("Filename Checks: %s (%s %s)", + $logtext, $id, $attach); $message->{namereports}{$safename} .= "$usertext ($safename)\n"; $message->{nametypes}{$safename} .= "f"; $counter++; $message->{nameinfected}++; } else { - MailScanner::Log::InfoLog("Filename Checks: Allowing %s", $safename) + MailScanner::Log::InfoLog("Filename Checks: Allowing %s %s", + $id, $safename) if $LogNames; } } - MailScanner::Log::InfoLog("Filename Checks: Allowing %s " . - "(no rule matched)", $safename) + MailScanner::Log::InfoLog("Filename Checks: Allowing %s %s " . + "(no rule matched)", $id, $safename) if $LogNames && !$MatchFound; } } @@ -348,14 +350,15 @@ $MatchFound = 1; if ($allowdeny eq 'deny') { # It's a rejection rule, so log the error. - MailScanner::Log::InfoLog("Filetype Checks: %s (%s)", - $logtext, $attach); + MailScanner::Log::InfoLog("Filetype Checks: %s (%s %s)", + $logtext, $id, $attach); $message->{namereports}{$safename} .= "$usertext ($safename)\n"; $message->{nametypes}{$safename} .= "f"; $counter++; $message->{nameinfected}++; } else { - MailScanner::Log::InfoLog("Filetype Checks: Allowing %s", $safename) + MailScanner::Log::InfoLog("Filetype Checks: Allowing %s %s", + $id, $safename) if $LogTypes; } } Tony. -- f.a.n.finch http://dotat.at/ THE WASH TO NORTH FORELAND: NORTHEAST 5 OR 6, PERHAPS INCREASING LOCALLY 7 FOR A TIME, LATER VEERING EAST AND DECREASING 3 OR 4 OCCASIONALLY 5. RATHER HAZY. MODERATE OR GOOD. MODERATE BUILDING LOCALLY ROUGH, LATER DECAYING SLIGHT TO MODERATE. From dbird at SGHMS.AC.UK Thu Dec 4 12:15:47 2003 
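Review bot: In the @@ -195,19 +196,20 @@ hunk the deny line puts the id inside the parentheses ("%s (%s %s)") while both Allowing lines print it bare ("Allowing %s %s"), so no single pattern pulls the id out of every Filename Checks line; one fixed position or delimiter for the id in all three calls would make the grep case simpler. The hunk starts at old line 195 but new line 196, so a one-line addition earlier in the file is not part of this selection, and $id has to be set there for these calls to log anything useful.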
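Review bot: In the @@ -348,14 +350,15 @@ Filetype hunk $id is used, but the offset (348 to 350) is fully accounted for by the one missing earlier line plus the one line the previous hunk adds, so nothing between the two hunks assigns it; check that $id is in scope in the filetype code, otherwise these lines log an empty id. The deny branch also logs $attach while the allow branch logs $safename, so the same attachment can appear under two different names for one message.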
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:21:25 2006
Subject: blocked conent problem in 4.25-14
Message-ID: <3FCF2573.9020303@sghms.ac.uk>

This is a snippet from MailScanner.conf

Allow IFrame Tags = /etc/MailScanner/rules/iframe.tags.rules
Log IFrame Tags = yes
Allow Form Tags =/etc/MailScanner/rules/form.tags.rules
Allow Object Codebase Tags = /etc/MailScanner/rules/codebase.tags.rules
Convert Dangerous HTML To Text = yes
Convert HTML To Text = no

/etc/MailScanner/rules/iframe.tags.rules contains:

From: *@nature.com yes
From: *@info.nature.com yes
FromTo: default no

so according to the comments we should be hitting the last option below
for messages from nature.com :

# Allow...Tags  Convert Danger...  Action Taken on HTML Message
# ============  =================  ============================
# no            no                 Blocked
# no            yes                Blocked
# disarm        no                 Specified HTML tags disarmed
# disarm        yes                Specified HTML tags disarmed
# yes           no                 Nothing, allowed to pass
*# yes          yes                All HTML tags stripped*

But our users are still getting Blocked content reports on email from
nature.com containing I-Frame tags.

ie:

At Thu Dec 4 08:32:22 2003 the content filters said:
MailScanner: Found dangerous IFrame tag in HTML message

This worked previously on 4-22 (upgraded to 4-25-14 yesterday)
Anyone have any ideas where I'm going wrong?

From shrek-m at GMX.DE Thu Dec 4 12:20:23 2003
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:21:25 2006
Subject: wendy.zip - encrypted - mimail
In-Reply-To: <3FCEFD3F.3050207@solid-state-logic.com>
References: <3FCEE1BC.9020002@gmx.de> <3FCEFD3F.3050207@solid-state-logic.com>
Message-ID: <3FCF2687.5070202@gmx.de>

Martin Hepworth wrote:

> shrek-m@gmx.de wrote:
>
>> http://www.sophos.com/virusinfo/analyses/w32mimaill.html
>
> Sophos are calling this MiMail-L
>
> http://www.sophos.com/virusinfo/analyses/w32mimaill.html
>
> and claim to detect it since 2 Dec 04.17.
>
> I guess if not let their support dept know...

done,
together with my email to this list.

apropos, mimail-l was detected without problems but not mimail-m
http://www.sophos.com/virusinfo/analyses/w32mimailm.html

mimail-m will be recognised since *today*

$ sweep -archive -mime /data4/doku/viren/mimail/

Password protected file /data4/doku/viren/mimail/wendy-encrypted.eml/wendy.zip/wendy.exe
>>> Virus 'W32/Mimail-M' found in file /data4/doku/viren/mimail/wendy-encrypted.eml/wendy.zip
Password protected file /data4/doku/viren/mimail/wendy.zip/wendy.exe
>>> Virus 'W32/Mimail-M' found in file /data4/doku/viren/mimail/wendy.zip

2 files swept in 1 second.
2 errors were encountered.
2 viruses were discovered.
2 files out of 2 were infected.

--
shrek-m

From martinh at SOLID-STATE-LOGIC.COM Thu Dec 4 12:25:45 2003
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:21:25 2006
Subject: wendy.zip - encrypted - mimail
In-Reply-To: <3FCF2687.5070202@gmx.de>
References: <3FCEE1BC.9020002@gmx.de> <3FCEFD3F.3050207@solid-state-logic.com> <3FCF2687.5070202@gmx.de>
Message-ID: <3FCF27C9.8060106@solid-state-logic.com>

>
> done,
> together with my email to this list.
>
> apropos, mimail-l was detected without problems but not mimail-m
> http://www.sophos.com/virusinfo/analyses/w32mimailm.html
>
> mimail-m will be recognised since *today*
>
>
> $ sweep -archive -mime /data4/doku/viren/mimail/
>
> Password protected file /data4/doku/viren/mimail/wendy-encrypted.eml/wendy.zip/wendy.exe
> >>> Virus 'W32/Mimail-M' found in file /data4/doku/viren/mimail/wendy-encrypted.eml/wendy.zip
> Password protected file /data4/doku/viren/mimail/wendy.zip/wendy.exe
> >>> Virus 'W32/Mimail-M' found in file /data4/doku/viren/mimail/wendy.zip
>
> 2 files swept in 1 second.
> 2 errors were encountered.
> 2 viruses were discovered.
> 2 files out of 2 were infected.
>
> --
> shrek-m

yeah I saw an update come in this morning...I dunno if clamAV works
better, nothing triggered either overnight so...

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From jaearick at COLBY.EDU Thu Dec 4 12:27:18 2003
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:21:25 2006
Subject: Log permitted filenames
In-Reply-To:
References:
Message-ID:

> Date: Thu, 4 Dec 2003 12:03:07 +0000
> From: Tony Finch
> Reply-To: MailScanner mailing list
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Log permitted filenames
>
> Ulysees wrote:
> >
> >What I think would be really useful would be
> >Dec 2 06:55:16 $hostname MailScanner[11630]: Filename Checks: Windows/DOS
> >Executable (patch.exe) in $msgid
>
> I have a pile of patches to make tracking message-IDs possible. Here's
> a selection related to file types and names...
>

Julian,

I second this effort. The more that the message-id appears in
mailScanner syslogs, the happier I am. I routinely grep for
msg ids to find out what happened to a piece of email, MS actions
should appear in that output.

Jeff Earickson
Colby College

From dbird at SGHMS.AC.UK Thu Dec 4 12:34:17 2003
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:21:25 2006
Subject: blocked conent problem in 4.25-14
In-Reply-To: <3FCF2573.9020303@sghms.ac.uk>
References: <3FCF2573.9020303@sghms.ac.uk>
Message-ID: <3FCF29C9.3060507@sghms.ac.uk>

Daniel Bird wrote:

> This is a snippet from MailScanner.conf
>
> Allow IFrame Tags = /etc/MailScanner/rules/iframe.tags.rules
> Log IFrame Tags = yes
> Allow Form Tags =/etc/MailScanner/rules/form.tags.rules
> Allow Object Codebase Tags = /etc/MailScanner/rules/codebase.tags.rules
> Convert Dangerous HTML To Text = yes
> Convert HTML To Text = no
>
> /etc/MailScanner/rules/iframe.tags.rules contains:
> From: *@nature.com yes
> From: *@info.nature.com yes
> FromTo: default no
>
> so according to the comments we should be hitting the last option below
> for messages from nature.com
> :
> # Allow...Tags  Convert Danger...  Action Taken on HTML Message
> # ============  =================  ============================
> # no            no                 Blocked
> # no            yes                Blocked
> # disarm        no                 Specified HTML tags disarmed
> # disarm        yes                Specified HTML tags disarmed
> # yes           no                 Nothing, allowed to pass
> *# yes          yes                All HTML tags stripped*
>
> But our users are still getting Blocked content reports on email from
> nature.com containing I-Frame tags.
>
> ie:
>
> At Thu Dec 4 08:32:22 2003 the content filters said:
> MailScanner: Found dangerous IFrame tag in HTML message
>
>
> This worked previously on 4-22 (upgraded to 4-25-14 yesterday)
> Anyone have any ideas where I'm going wrong?

Sorry to reply to my own posting, but I think I've figured it. It looks
like nature.com has changed the way they send mail shots (or this is a new
one which we haven't seen before). The envelope address was not the same
as listed in the email (as was previously). I've added the new address to
the rules file, so all should be well.

Regards

From mailscanner at ecs.soton.ac.uk Thu Dec 4 12:38:13 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:25 2006 Subject: Svar: Norman Scanner? In-Reply-To: <3FCE312E.3070307@uptime.at> References: <3FCE312E.3070307@uptime.at> Message-ID: <6.0.1.1.2.20031204123755.092ae5b8@imap.ecs.soton.ac.uk> At 18:53 03/12/2003, you wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: RIPEMD160 > >Jan Elmqvist Nielsen wrote: > >>http://www.norman.com/de/news/031126.shtml?menulang=de >> >>in german langauge >> >>/jan elmqvist nielsen >And the download link seems to be >http://www.norman.com/download_nvc_linux.shtml?menulang=de# > >am I seeing this right? I sit utilizing Java ? They are just about to produce a version which does not require Java for entering the licence key. Yay! :-) -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Dec 4 12:45:34 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:25 2006 Subject: Log permitted filenames In-Reply-To: References: Message-ID: <6.0.1.1.2.20031204124522.092afcf0@imap.ecs.soton.ac.uk> All adopted into the main source tree. Will be in the next release. At 12:03 04/12/2003, you wrote: >Ulysees wrote: > > > >What I think would be really usefull would be > >Dec 2 06:55:16 $hostname MailScanner[11630]: Filename Checks: Windows/DOS > >Executable (patch.exe) in $msgid > >I have a pile of patches to make tracking message-IDs possible. Here's >a selection related to file types and names... > >--- SweepOther.pm 4 Jul 2003 18:08:28 -0000 1.1.1.6 >+++ SweepOther.pm 7 Aug 2003 09:38:46 -0000 1.7 
>@@ -195,19 +196,20 @@ > $MatchFound = 1; > if ($allowdeny eq 'deny') { > # It's a rejection rule, so log the error. >- MailScanner::Log::InfoLog("Filename Checks: %s (%s)", >- $logtext, $attach); >+ MailScanner::Log::InfoLog("Filename Checks: %s (%s %s)", >+ $logtext, $id, $attach); > $message->{namereports}{$safename} .= "$usertext ($safename)\n"; > $message->{nametypes}{$safename} .= "f"; > $counter++; > $message->{nameinfected}++; > } else { >- MailScanner::Log::InfoLog("Filename Checks: Allowing %s", >$safename) >+ MailScanner::Log::InfoLog("Filename Checks: Allowing %s %s", >+ $id, $safename) > if $LogNames; > } > } >- MailScanner::Log::InfoLog("Filename Checks: Allowing %s " . >- "(no rule matched)", $safename) >+ MailScanner::Log::InfoLog("Filename Checks: Allowing %s %s " . >+ "(no rule matched)", $id, $safename) > if $LogNames && !$MatchFound; > } > } 
>@@ -348,14 +350,15 @@ > $MatchFound = 1; > if ($allowdeny eq 'deny') { > # It's a rejection rule, so log the error. >- MailScanner::Log::InfoLog("Filetype Checks: %s (%s)", >- $logtext, $attach); >+ MailScanner::Log::InfoLog("Filetype Checks: %s (%s %s)", >+ $logtext, $id, $attach); > $message->{namereports}{$safename} .= "$usertext ($safename)\n"; > $message->{nametypes}{$safename} .= "f"; > $counter++; > $message->{nameinfected}++; > } else { >- MailScanner::Log::InfoLog("Filetype Checks: Allowing %s", >$safename) >+ MailScanner::Log::InfoLog("Filetype Checks: Allowing %s %s", >+ $id, $safename) > if $LogTypes; > } > } > > >Tony. >-- >f.a.n.finch http://dotat.at/ >THE WASH TO NORTH FORELAND: NORTHEAST 5 OR 6, PERHAPS INCREASING LOCALLY 7 FOR >A TIME, LATER VEERING EAST AND DECREASING 3 OR 4 OCCASIONALLY 5. RATHER HAZY. >MODERATE OR GOOD. MODERATE BUILDING LOCALLY ROUGH, LATER DECAYING SLIGHT TO >MODERATE. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From steve.freegard at LBSLTD.CO.UK Thu Dec 4 12:49:23 2003 From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:21:25 2006 Subject: Log permitted filenames Message-ID: <67D9E7698329D411936E00508B6590B902773D1E@neelix.lbsltd.co.uk> Nope ... It shouldn't make any difference to MailWatch as I don't scrape the maillog for anything MailScanner related - I get everything I need from the database. Cheers, Steve. -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: 04 December 2003 11:44 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Log permitted filenames At 11:22 04/12/2003, you wrote: >Don't know if this already exists or not but I'm looking to get a bit >more out of the log permitted filenames option. Currently it generates >Dec 2 06:55:16 $hostname MailScanner[11630]: Filename Checks: Windows/DOS >Executable (patch.exe) >What I think would be really usefull would be >Dec 2 06:55:16 $hostname MailScanner[11630]: Filename Checks: Windows/DOS >Executable (patch.exe) in $msgid > >Any ideas ? > >Uly Steve F -- Will this change upset MailWatch at all? I don't want to break anything... To get the extra logging, apply this patch to SweepOther.pm : --- SweepOther.pm.old 2003-12-04 11:42:28.000000000 +0000 +++ SweepOther.pm 2003-12-04 11:42:43.000000000 +0000 @@ -197,8 +197,8 @@ #print STDERR "\"$attach\" matched \"$regexp\" or \"$safename\" did\n"; if ($allowdeny =~ 'deny') { # It's a rejection rule, so log the error. - MailScanner::Log::InfoLog("Filename Checks: %s (%s)", - $logtext, $attach); + MailScanner::Log::InfoLog("Filename Checks: %s (%s) in %s", + $logtext, $attach, $id); $message->{namereports}{$safename} .= "$usertext ($safename)\n"; $message->{nametypes}{$safename} .= "f"; $counter++; -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From raymond at PROLOCATION.NET Thu Dec 4 13:15:30 2003 
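For anyone who does read the syslog rather than a database, an added example (not from any list post and not part of MailScanner): a Python parser for the id-first line format of Tony Finch's SweepOther.pm patch, which Julian says was adopted, grouping filename and filetype check results by message id. The sample log, host name and message ids are constructed, and the parser assumes a message id never contains whitespace or parentheses.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample log: host name, PIDs, message ids and attachment names
# are made up. The last line is in the old format that carries no id.
SAMPLE_LOG = """\
Dec  4 13:02:11 mx1 MailScanner[11630]: Filename Checks: Allowing hB4D1xQ2011630 msg-11630-7.txt (no rule matched)
Dec  4 13:02:11 mx1 MailScanner[11630]: Filename Checks: Windows/DOS Executable (hB4D1xQ2011630 patch.exe)
Dec  4 13:02:11 mx1 MailScanner[11630]: Filetype Checks: Allowing hB4D1xQ2011630 msg-11630-7.txt
Dec  4 13:02:12 mx1 MailScanner[11630]: Filename Checks: Allowing hB4D2aR9011631 notes (final) v2.txt
Dec  4 13:02:12 mx1 MailScanner[11630]: Filename Checks: Windows/DOS Executable (hB4D2aR9011631 setup (1).exe)
Dec  4 13:02:12 mx1 MailScanner[11630]: Uninfected: Delivered 1 messages
Dec  3 22:38:06 alerce MailScanner[358]: Filename Checks: Allowing wendy.zip
"""


class Event(NamedTuple):
    check: str    # "Filename" or "Filetype"
    action: str   # "allow" or "deny"
    msgid: str
    name: str     # attachment name as logged
    reason: str   # rule text on deny; "no rule matched" or "" on allow


# Syslog prefix as quoted on the list: "Dec 3 22:38:06 host MailScanner[pid]: "
SYSLOG = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ MailScanner\[\d+\]: (?P<msg>.*)$")
CHECK = re.compile(r"^(Filename|Filetype) Checks: ")

# Assumption: a message id has no whitespace or parentheses. Because the id
# is the first token, the attachment name may contain both.
MSGID = r"(?P<id>[^\s()]+)"
ALLOW = re.compile(r"^(?P<check>Filename|Filetype) Checks: Allowing " + MSGID +
                   r" (?P<name>.+?)(?: \((?P<why>no rule matched)\))?$")
DENY = re.compile(r"^(?P<check>Filename|Filetype) Checks: (?P<why>.+?) \(" + MSGID +
                  r" (?P<name>.+)\)$")


def parse_message(msg: str) -> Optional[Event]:
    """Parse the text after the syslog prefix; None if it carries no id."""
    m = ALLOW.match(msg)
    if m:
        return Event(m["check"], "allow", m["id"], m["name"], m["why"] or "")
    m = DENY.match(msg)
    if m:
        return Event(m["check"], "deny", m["id"], m["name"], m["why"])
    return None


def track(log: str) -> Tuple[Dict[str, List[Event]], List[str]]:
    """Group check events by message id; also return check lines without an id."""
    by_id: Dict[str, List[Event]] = defaultdict(list)
    untracked: List[str] = []
    for line in log.splitlines():
        m = SYSLOG.match(line)
        if not m or not CHECK.match(m["msg"]):
            continue  # not a filename/filetype check line
        event = parse_message(m["msg"])
        if event is None:
            untracked.append(line)  # old format: cannot be tied to a message
        else:
            by_id[event.msgid].append(event)
    return dict(by_id), untracked


def denied_attachments(log: str) -> Dict[str, List[str]]:
    """Message id -> attachment names rejected by a deny rule."""
    by_id, _ = track(log)
    return {msgid: [e.name for e in events if e.action == "deny"]
            for msgid, events in by_id.items()
            if any(e.action == "deny" for e in events)}


if __name__ == "__main__":
    events, untracked = track(SAMPLE_LOG)
    for msgid, evs in events.items():
        for e in evs:
            print(msgid, e.check, e.action, repr(e.name), e.reason)
    print("check lines without a message id:", len(untracked))
```

Old-format lines whose file name contains a space cannot be told apart from id-first lines, so run this only over logs written after the patch is in place.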
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:25 2006
Subject: Svar: Norman Scanner?
In-Reply-To: <6.0.1.1.2.20031204123755.092ae5b8@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> >am I seeing this right? I sit utilizing Java ?

> They are just about to produce a version which does not require Java for
> entering the licence key. Yay! :-)

If that's available I would love to try. Did anyone speedtest this product
yet?

Bye,
Raymond.

From steinkel at PA.NET Thu Dec 4 13:57:58 2003
From: steinkel at PA.NET (Leland J. Steinke)
Date: Thu Jan 12 21:21:25 2006
Subject: John Rudd's ms2cgp and cgp2ms
References: <18424211843.20031203144921@ntin.net> <15528128062.20031203155441@ntin.net>
Message-ID: <3FCF3D66.9070704@pa.net>

NTIN Page Guy wrote:

> Hello NTIN,
>
> Strange, I posted this message hours ago and it just now appeared.
>
> John pointed out that my fix below breaks messages that are addressed to
> multiple recipients.

For my early postfix integration hack, I solved the same problem with a
fork() and exec(). Here is the relevant code. Since I did some minor
header processing earlier in the script, the headers were already
available in a variable. You will have to adapt to how ms2cgp does things.

8<=============
# $outgoing_spool, $id, $headers, $from and @to are set earlier in the script.
$cmd = "/usr/sbin/sendmail";
open(DATFILE, "$outgoing_spool/df$id") || die("no such id as $id");
$pid = open(INSERT, "|-");   # fork: the parent writes to the child's STDIN
die("cannot fork: $!") unless defined $pid;   # otherwise the parent would exec
$SIG{ALRM} = sub { die "pipe broke" };
if ($pid) {   # parent: feed the headers, then the body, to sendmail
  print INSERT "$headers\n";
  while (<DATFILE>) {
    print INSERT;
  }
  close INSERT || die "$cmd exited $?";
} else {      # child: list-form exec, so the addresses never pass through a shell
  exec($cmd, '-f', $from, '--', @to) || die("cannot exec $cmd");
}
close DATFILE;
8<==============

I hope this helps.

Leland

From steinkel at PA.NET Thu Dec 4 14:01:17 2003
From: steinkel at PA.NET (Leland J. Steinke) Date: Thu Jan 12 21:21:25 2006 Subject: Virus scanners and universities References: Message-ID: <3FCF3E2D.3070708@pa.net> Nathan Johanson wrote: > > It won a recent reward for "Best Security Solution" at the Linuxworld Expo in New York. Frankly, I think the real winner should have been MailScanner. > > http://www3.ca.com/press/PressRelease.asp?CID=39095 MailScanner does not sponsor trade shows! ;-) Leland From dot at DOTAT.AT Thu Dec 4 13:52:33 2003 From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:21:25 2006 Subject: Log permitted filenames In-Reply-To: References: Message-ID: Julian Field wrote: >All adopted into the main source tree. Will be in the next release. I have some more along the same lines, partly for spotting which instance of MailScanner processed a particular message, and partly just general extra message tracking. I'm fairly sure I've posted this before (but probably buried in other stuff). I haven't included the patch to ConfigDefs.pl because it's a pain to unpick from my other changes. Tony. -- f.a.n.finch http://dotat.at/ NORTH FORELAND TO SELSEY BILL: NORTHEAST 5 TO 7 LOCALLY GALE 8 LATER VEERING EAST AND DECREASING 4 OR 5. RATHER HAZY WITH SOME PATCHY DRIZZLE AT TIMES. MODERATE OR GOOD. MODERATE TO ROUGH DECAYING MODERATE. --- Exim.pm 4 Jul 2003 18:08:28 -0000 1.1.1.8 +++ Exim.pm 8 Jul 2003 16:25:12 -0000 1.20 @@ -1320,6 +1321,8 @@ $HitLimit4 = 1 if $DirtyBytes>=$MaxDirtyB; $newmessage->WriteHeaderFile(); # Write the file of headers + MailScanner::Log::InfoLog("New Message: $id to be scanned") + if MailScanner::Config::Value('logmessageids'); } else { $newmessage->NeedsScanning(0); $CleanMsgs++; 
@@ -1329,6 +1332,8 @@ $HitLimit2 = 1 if $CleanBytes>=$MaxCleanB; $newmessage->WriteHeaderFile(); # Write the file of headers + MailScanner::Log::InfoLog("New Message: $id to be forwarded") + if MailScanner::Config::Value('logmessageids'); } } --- MessageBatch.pm 4 Jul 2003 18:08:28 -0000 1.1.1.6 +++ MessageBatch.pm 26 Aug 2003 09:44:27 -0000 1.12 @@ -231,9 +241,13 @@ # or the HTML stripping. if ($message->{bodymodified}) { $message->DeliverModifiedBody('unscannedheader'); + MailScanner::Log::InfoLog("Delivered modified message $id") + if MailScanner::Config::Value('logmessageids'); } else { $OutQ = MailScanner::Config::Value('outqueuedir', $message); $message->DeliverUnscanned($OutQ); + MailScanner::Log::InfoLog("Delivered unscanned message $id") + if MailScanner::Config::Value('logmessageids'); } $message->{deleted} = 1; # This marks it for purging from disk push @messages, $message; @@ -465,6 +479,8 @@ next if $message->{infected}; #print STDERR "Delivering uninfected message $id\n"; $message->DeliverUninfected(); + MailScanner::Log::InfoLog("Delivered uninfected message $id") + if MailScanner::Config::Value('logmessageids'); $message->{deleted} = 1; push @messages, $message; } @@ -531,6 +547,11 @@ $message->DeliverCleaned(); #print STDERR "Deleting silent-infected message " . $message->{id} . "\n"; push @messages, $message; + MailScanner::Log::InfoLog("Delivering message $id with silent virus") + if MailScanner::Config::Value('logmessageids'); + } else { + MailScanner::Log::InfoLog("DISCARDED message $id with silent virus") + if MailScanner::Config::Value('logmessageids'); } $message->{deleted} = 1; $message->{stillwarn} = 1; 
@@ -557,6 +578,8 @@ #print STDERR "Deleting cleaned message " . $message->{id} . "\n"; # BUGFIX: JKF $message->{deleted} = 1; push @messages, $message; + MailScanner::Log::InfoLog("Delivering cleaned message $id") + if MailScanner::Config::Value('logmessageids'); } MailScanner::Mail::TellAbout(@messages); From mailscanner at LISTS.COM.AR Thu Dec 4 14:53:41 2003 
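Review bot: Both Exim.pm hunks (@@ -1320,6 +1321,8 @@ and @@ -1329,6 +1332,8 @@) interpolate $id into the first argument of InfoLog ("New Message: $id to be scanned"), whereas the SweepOther.pm calls on this list pass their values through %s; since that first argument is used as a format string, pass the id as an argument instead, as in InfoLog("New Message: %s to be scanned", $id). The same applies to every InfoLog line added in MessageBatch.pm.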
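Review bot: In the @@ -231,9 +241,13 @@ hunk of MessageBatch.pm, Config::Value('outqueuedir', $message) is given the message but Config::Value('logmessageids') is called without it; if the option is meant to be settable per message, pass $message, and otherwise read it once per batch rather than on every delivery. The option itself depends on the ConfigDefs.pl change that this posting leaves out, so the patch cannot be tested as sent.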
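Review bot: In the @@ -531,6 +547,11 @@ and @@ -557,6 +578,8 @@ hunks the new lines log $id, but the commented-out debug prints in the same context use $message->{id}, which suggests $id is not set in these loops (the debug print in the @@ -465,6 +479,8 @@ hunk does use $id); logging $message->{id} here is the safe form. The wording also changes from "Delivered" in the earlier hunks to "Delivering", although in the @@ -531 hunk the line comes after DeliverCleaned() has been called.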
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:21:25 2006
Subject: wendy.zip - encrypted - mimail
In-Reply-To: <3FCF27C9.8060106@solid-state-logic.com>
References: <3FCF2687.5070202@gmx.de>
Message-ID: <3FCF2045.28322.52C1740@localhost>

Yesterday, minutes before 17:00 hs local (20:00 GMT) I got the latest
McAfee update. From the readme (graciously logged by Tony's
mcaffee-autoupdate):

# Product Release: December 3, 2003
#
# - DAT Version: 4307
# - Engine Version: 4.2.60
...
# NEW DETECTIONS
...
# INTERNET WORM (33)
# ------------------
...
# W32/MIMAIL.L@MM <--
...
# NEW REMOVALS
# INTERNET WORM (33)
# ------------------
...
# W32/MIMAIL.L@MM <--
...

However, later yesternight, a wendy.zip passed thru... would that be
innocuous? or a newer version of mimail?

here's the log:
Dec 3 22:38:06 alerce MailScanner[358]: Virus and Content Scanning: Starting
Dec 3 22:38:06 alerce MailScanner[358]: Filename Checks: Allowing wendy.zip
Dec 3 22:38:06 alerce MailScanner[358]: Filename Checks: Allowing msg-358-70.txt
Dec 3 22:38:06 alerce MailScanner[358]: Filetype Checks: Allowing wendy.zip
Dec 3 22:38:06 alerce MailScanner[358]: Filetype Checks: Allowing msg-358-70.txt
Dec 3 22:38:06 alerce MailScanner[358]: ZM: message 1612517 renamed into 1563662
Dec 3 22:38:06 alerce MailScanner[358]: Uninfected: Delivered 1 messages

:-(

NAI says ( http://vil.nai.com/vil/content/v_100856.htm ) that mimail.m is
detected by 4307... however, I don't find it in the logs of the readmes:

$ grep -i mimail mcaffee-autoupdate.log
# W32/MIMAIL.C@MM <--
# W32/MIMAIL.C@MM <--
# W32/MIMAIL.I@MM <--
# W32/MIMAIL.I.HTA
# W32/MIMAIL.I@MM <--
# W32/MIMAIL.I.HTA
# W32/MIMAIL.HTA
# W32/MIMAIL.I!DATA
# W32/MIMAIL.J@MM <--
# W32/MIMAIL.J@MM <--
# W32/MIMAIL.L@MM <--
# W32/MIMAIL.L@MM <--

Does anyone have a copy of mimail.l & mimail.m that would like to send to
me so I can test it? (please contact me off-list so I tell you to which
address)

Otherwise, a sample of possible subjects might help me find one thru one
of my unprotected spamtraps

TIA

On 4 Dec 2003 at 12:25, Martin Hepworth wrote:

> >
> > done,
> > together with my email to this list.
> >
> > apropos, mimail-l was detected without problems but not mimail-m
> > http://www.sophos.com/virusinfo/analyses/w32mimailm.html
> >
> > mimail-m will be recognised since *today*
> >
> >
> > $ sweep -archive -mime /data4/doku/viren/mimail/
> >
> > Password protected file /data4/doku/viren/mimail/wendy-encrypted.eml/wendy.zip/wendy.exe
> > >>> Virus 'W32/Mimail-M' found in file /data4/doku/viren/mimail/wendy-encrypted.eml/wendy.zip
> > Password protected file /data4/doku/viren/mimail/wendy.zip/wendy.exe
> > >>> Virus 'W32/Mimail-M' found in file /data4/doku/viren/mimail/wendy.zip
> >
> > 2 files swept in 1 second.
> > 2 errors were encountered.
> > 2 viruses were discovered.
> > 2 files out of 2 were infected.
> >
> > --
> > shrek-m
>
> yeah I saw an update come in this morning...I dunno if clamAV works
> better, nothing triggered either overnight so...
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300

--
Mariano Absatz
El Baby
----------------------------------------------------------
If I held you any closer I would be on the other side of you.
-- Groucho Marx

From ugob at CAMO-ROUTE.COM Thu Dec 4 14:57:28 2003
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:25 2006
Subject: wendy.zip - encrypted - mimail
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE270@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Mariano Absatz [mailto:mailscanner@LISTS.COM.AR]
> Sent: Thursday, December 04, 2003 9:54 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: wendy.zip - encrypted - mimail
>
>
> Yesterday, minutes before 17:00 hs local (20:00 GMT) I got the latest
> McAfee update. From the readme (graciously logged by Tony's
> mcaffee-autoupdate):
>
> # Product Release: December 3, 2003
> #
> # - DAT Version: 4307
> # - Engine Version: 4.2.60
> ...
> # NEW DETECTIONS
> ...
> # INTERNET WORM (33)
> # ------------------
> ...
> # W32/MIMAIL.L@MM <--
> ...
> # NEW REMOVALS
> # INTERNET WORM (33)
> # ------------------
> ...
> # W32/MIMAIL.L@MM <--
> ...
>
> However, later yesternight, a wendy.zip passed thru... would that be
> innocuous? or a newer version of mimail?
>

yup, it might be mimail.m.

Ugo

> here's the log:
> Dec 3 22:38:06 alerce MailScanner[358]: Virus and Content Scanning: Starting
> Dec 3 22:38:06 alerce MailScanner[358]: Filename Checks: Allowing wendy.zip
> Dec 3 22:38:06 alerce MailScanner[358]: Filename Checks: Allowing msg-358-70.txt
> Dec 3 22:38:06 alerce MailScanner[358]: Filetype Checks: Allowing wendy.zip
> Dec 3 22:38:06 alerce MailScanner[358]: Filetype Checks: Allowing msg-358-70.txt
> Dec 3 22:38:06 alerce MailScanner[358]: ZM: message 1612517 renamed into 1563662
> Dec 3 22:38:06 alerce MailScanner[358]: Uninfected: Delivered 1 messages
>
>
> :-(
>
> NAI says ( http://vil.nai.com/vil/content/v_100856.htm ) that mimail.m is
> detected by 4307... however, I don't find it in the logs of the readmes:
>
> $ grep -i mimail mcaffee-autoupdate.log
> # W32/MIMAIL.C@MM <--
> # W32/MIMAIL.C@MM <--
> # W32/MIMAIL.I@MM <--
> # W32/MIMAIL.I.HTA
> # W32/MIMAIL.I@MM <--
> # W32/MIMAIL.I.HTA
> # W32/MIMAIL.HTA
> # W32/MIMAIL.I!DATA
> # W32/MIMAIL.J@MM <--
> # W32/MIMAIL.J@MM <--
> # W32/MIMAIL.L@MM <--
> # W32/MIMAIL.L@MM <--
>
> Does anyone have a copy of mimail.l & mimail.m that would like to send to
> me so I can test it? (please contact me off-list so I tell you to which
> address)
>
> Otherwise, a sample of possible subjects might help me find one thru one
> of my unprotected spamtraps
>
> TIA
>
> On 4 Dec 2003 at 12:25, Martin Hepworth wrote:
>
> > >
> > > done,
> > > together with my email to this list.
> > >
> > > apropos, mimail-l was detected without problems but not mimail-m
> > > http://www.sophos.com/virusinfo/analyses/w32mimailm.html
> > >
> > > mimail-m will be recognised since *today*
> > >
> > >
> > > $ sweep -archive -mime /data4/doku/viren/mimail/
> > >
> > > Password protected file /data4/doku/viren/mimail/wendy-encrypted.eml/wendy.zip/wendy.exe
> > > >>> Virus 'W32/Mimail-M' found in file /data4/doku/viren/mimail/wendy-encrypted.eml/wendy.zip
> > > Password protected file /data4/doku/viren/mimail/wendy.zip/wendy.exe
> > > >>> Virus 'W32/Mimail-M' found in file /data4/doku/viren/mimail/wendy.zip
> > >
> > > 2 files swept in 1 second.
> > > 2 errors were encountered.
> > > 2 viruses were discovered.
> > > 2 files out of 2 were infected.
> > >
> > > --
> > > shrek-m
> >
> > yeah I saw an update come in this morning...I dunno if clamAV works
> > better, nothing triggered either overnight so...
> >
> > --
> > Martin Hepworth
> > Snr Systems Administrator
> > Solid State Logic
> > Tel: +44 (0)1865 842300
>
> --
> Mariano Absatz
> El Baby
> ----------------------------------------------------------
> If I held you any closer I would be on the other side of you.
> -- Groucho Marx
>

From raymond at PROLOCATION.NET Thu Dec 4 15:00:41 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:25 2006 Subject: wendy.zip - encrypted - mimail In-Reply-To: <3FCF2045.28322.52C1740@localhost> Message-ID: Hi! > # NEW DETECTIONS > ... > # INTERNET WORM (33) > # ------------------ > ... > # W32/MIMAIL.L@MM <-- > ... > # NEW REMOVALS > # INTERNET WORM (33) > # ------------------ > ... > # W32/MIMAIL.L@MM <-- > ... > > However, later yesternight, a wendy.zip passed thru... would that be > innocuous? or a newer version of mimail? Most likely the new M version. http://www.sophos.com/virusinfo/analyses/w32mimailm.html > Otherwise, a sample of possible subjects might help me find one thru one > of my unprotected spamtraps Subject line: Re[3]<44 spaces> Message text: Hello Greg, I was shocked, when I found out that it wasn't you but your twin brother!!! That's amazing, you're as like as two peas. No one in bed is better than you Greg. I remember, I remember everything very well, that promised you to tell how it was, I'll give you a call today after 9. He took my skirt off, then my panties, then my bra, he sucked my tits, with the same fury you do it. He was writing alphabet on my pussy for 20 minutes, then suddenly stopped, put me in doggy style position and stuck his dagger.But Greg, why didn't you warn me that his dick is 15 inches long?? I was struck, we fucked whole night. I'm so thankful to you, for acquainted me to your brother. I think we can do it on the next Saturday all three together? What do you think? O yes, as you wanted I've made a few pictures check them out in archive, I hope they will excite you, and you will dream of our new meeting... Wendy. Attached file: only_for_greg.zip (contains for_greg.jpg.exe) The second email format, which appears to have been manually mass-mailed out, has the following characteristics: Subject line: Re:Greg Message text: Hi Greg its Wendy. 
I was shocked, when I found out that it wasn't you but your twin brother, that's amazing, you're as like as two peas. No one in bed is better than you Greg. I remember, I remember everything very well, that promised you to tell how it was, I'll give you a call today after 9. He took my skirt off, then my panties, then my bra, he sucked my tits, with the same fury you do it. He was writing alphabet on my pussy for 20 minutes, then suddenly stopped, put me in doggy style position and stuck his dagger. But Greg, why didn't you warn me that his dick is 15 inches long? I was struck, we fucked whole night. I'm so thankful to you, for acquainted me to your brother. I think we can do it on the next Saturday all three together? What do you think? O yes, as you wanted I've made a few pictures check them out in archive, I hope they will excite you, and you will dream of our new meeting... For unzip archiver download WinZip: http://download.winzip.com/winzip81.exe Password for archive is "kiss". Attached file: wendy.zip (contains file wendy.exe) this is most likely better material for the SPAM-L. Bye, Raymond From Cleveland at MAIL.WINNEFOX.ORG Thu Dec 4 15:04:47 2003 From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland) Date: Thu Jan 12 21:21:25 2006 Subject: Email is only an image - tag as spam? Message-ID: <7D3DDF19D93C3642931C3EB8803165A92E08EE@mail.winnefox.org> Hello, I've noticed a new trend with spam lately. I've been getting emails that are one big image, which aren't caught by mailscanner or spamassassin. Is there a rule somewhere, where I can specify that if an email contains only an image to tag it as spam? -- Jody Cleveland (cleveland@mail.winnefox.org) From michele at BLACKNIGHTSOLUTIONS.COM Thu Dec 4 15:07:06 2003 
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:21:25 2006 Subject: Email is only an image - tag as spam? In-Reply-To: <7D3DDF19D93C3642931C3EB8803165A92E08EE@mail.winnefox.org> Message-ID: I've had the same problem :( Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9139897 Lowest price domains in Ireland > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Jody Cleveland > Sent: 04 December 2003 15:05 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Email is only an image - tag as spam? > > > Hello, > > I've noticed a new trend with spam lately. I've been getting emails that > are one big image, which aren't caught by mailscanner or spamassassin. > Is there a rule somewhere, where I can specify that if an email contains > only an image to tag it as spam? > > > -- > Jody Cleveland > (cleveland@mail.winnefox.org) > From martinh at SOLID-STATE-LOGIC.COM Thu Dec 4 15:08:46 2003 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:21:25 2006 Subject: Email is only an image - tag as spam? In-Reply-To: <7D3DDF19D93C3642931C3EB8803165A92E08EE@mail.winnefox.org> References: <7D3DDF19D93C3642931C3EB8803165A92E08EE@mail.winnefox.org> Message-ID: <3FCF4DFE.4010608@solid-state-logic.com> Jody Cleveland wrote: > Hello, > > I've noticed a new trend with spam lately. I've been getting emails that > are one big image, which aren't caught by mailscanner or spamassassin. > Is there a rule somewhere, where I can specify that if an email contains > only an image to tag it as spam? > > > -- > Jody Cleveland > (cleveland@mail.winnefox.org) Jody are you using the bayes scanner in SA? alot of the html based stuff gets caught by SA 2.60 with bayes for me... -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From johnl at OREGONISONLINE.NET Thu Dec 4 15:12:23 2003 From: johnl at OREGONISONLINE.NET (John P. Lang) Date: Thu Jan 12 21:21:25 2006 Subject: unsubscribe Message-ID: <000201c3ba79$057049c0$6501a8c0@zander> -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031204/c8d12505/attachment.html From mailscanner at LISTS.COM.AR Thu Dec 4 15:18:45 2003 
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:21:25 2006
Subject: wendy.zip - encrypted - mimail
In-Reply-To:
References: <3FCF2045.28322.52C1740@localhost>
Message-ID: <3FCF2625.1849.5430A9D@localhost>

Hi Raymond... (or should I call you Greg?) ;-P

Thanx for the info... I didn't find it in my traps :-(

What I dislike is that NAI says (in the web:
http://vil.nai.com/vil/content/v_100856.htm ) that the current dat files
find & remove the ".m" release...

I even forced a .dat update just in case they had re-released it, but the
.dat's are identical...

Would you mind sending me an infected message to another account? I'd
send you a request from that account (I can "double opt-in" if you want
to be more assured).

On 4 Dec 2003 at 16:00, Raymond Dijkxhoorn wrote:

> Hi!
>
> > # NEW DETECTIONS
> > ...
> > # INTERNET WORM (33)
> > # ------------------
> > ...
> > # W32/MIMAIL.L@MM <--
> > ...
> > # NEW REMOVALS
> > # INTERNET WORM (33)
> > # ------------------
> > ...
> > # W32/MIMAIL.L@MM <--
> > ...
> >
> > However, later yesternight, a wendy.zip passed thru... would that be
> > innocuous? or a newer version of mimail?
>
> Most likely the new M version.
>
> http://www.sophos.com/virusinfo/analyses/w32mimailm.html
>
> > Otherwise, a sample of possible subjects might help me find one thru one
> > of my unprotected spamtraps
>
> Subject line: Re[3]<44 spaces>
>
> Message text:
>
> Hello Greg,
>
> I was shocked, when I found out that it wasn't you but your twin
> brother!!! That's amazing, you're as like as two peas. No one in bed is
> better than you Greg. I remember, I remember everything very well, that
> promised you to tell how it was, I'll give you a call today after 9.
>

--
Mariano Absatz
El Baby
----------------------------------------------------------
When I was kidnapped, my parents snapped into action.
They rented out my room.
     -- Woody Allen

From smilga at MIKROTIK.COM Thu Dec 4 15:23:40 2003
From: smilga at MIKROTIK.COM (Martins Smilga)
Date: Thu Jan 12 21:21:25 2006
Subject: mqueue.in problem
References: <7D3DDF19D93C3642931C3EB8803165A92E08EE@mail.winnefox.org> <3FCF4DFE.4010608@solid-state-logic.com>
Message-ID: <0c9301c3ba7a$98792b00$a500010a@martinsss>

Hello,

I have a problem with /var/spool/mqueue.in
It is not delivering to directory /var/spool/mail
I understood that mailscanner will deliver from mqueue.in to mail directory,
where are these settings

Thanks

Martins

From Cleveland at MAIL.WINNEFOX.ORG Thu Dec 4 15:22:54 2003
From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland)
Date: Thu Jan 12 21:21:25 2006
Subject: Email is only an image - tag as spam?
Message-ID: <7D3DDF19D93C3642931C3EB8803165A92E08EF@mail.winnefox.org>

> are you using the bayes scanner in SA?

Yes.

- Jody

From martinh at SOLID-STATE-LOGIC.COM Thu Dec 4 15:30:54 2003
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:21:26 2006 Subject: Email is only an image - tag as spam? In-Reply-To: <7D3DDF19D93C3642931C3EB8803165A92E08EF@mail.winnefox.org> References: <7D3DDF19D93C3642931C3EB8803165A92E08EF@mail.winnefox.org> Message-ID: <3FCF532E.2010005@solid-state-logic.com> Jody Cleveland wrote: >>are you using the bayes scanner in SA? > > > Yes. > > - Jody Then maybe you need to learn them? What version of SA are you using. I know 2.55 didn't catch alot of the html stuff as they use hex numbers for the ascii characters ie http://%77%77%77 for http://www. the 2.6 update catches these. I do see quite of bit stuff getting through that I have to place into sa-learn. I use a shared imap folder and a variation of a generic sa-learn script I found on a SA email list archive (or the MS list I don't remember). -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From martinh at SOLID-STATE-LOGIC.COM Thu Dec 4 15:33:59 2003 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:21:26 2006
Subject: mqueue.in problem
In-Reply-To: <0c9301c3ba7a$98792b00$a500010a@martinsss>
References: <7D3DDF19D93C3642931C3EB8803165A92E08EE@mail.winnefox.org> <3FCF4DFE.4010608@solid-state-logic.com> <0c9301c3ba7a$98792b00$a500010a@martinsss>
Message-ID: <3FCF53E7.2080903@solid-state-logic.com>

Martins Smilga wrote:
> Hello,
>
>
> I have a problem with /var/spool/mqueue.in
> It is not delivering to directory /var/spool/mail
> I understood that mailscanner will deliver from mqueue.in to mail directory,
> where are these settings
>
> Thanks
>
> Martins

Martins

it's set in the MailScanner.conf file.

The specific lines are...

Incoming Queue Dir = /var/spool/mqueue.in

# Set location of outgoing mail queue.
# This can also be the filename of a ruleset.
Outgoing Queue Dir = /var/spool/mqueue

What does your log file say when MailScanner is running?

Also have you tried MailScanner in debug mode to see what it's doing?

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From mailscanner at LISTS.COM.AR Thu Dec 4 15:35:44 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:21:26 2006
Subject: Email is only an image - tag as spam?
In-Reply-To: <7D3DDF19D93C3642931C3EB8803165A92E08EE@mail.winnefox.org>
Message-ID: <3FCF2A20.11723.55296B6@localhost>

Jody,

these standard SA 2.6 rules should match these messages:

# HTML_IMAGE_AREA - lots of image area (absolute)
body HTML_IMAGE_AREA_04 eval:html_range('image_area','400000','500000')
body HTML_IMAGE_AREA_05 eval:html_range('image_area','500000','600000')
body HTML_IMAGE_AREA_06 eval:html_range('image_area','600000','700000')
body HTML_IMAGE_AREA_07 eval:html_range('image_area','700000','800000')
body HTML_IMAGE_AREA_08 eval:html_range('image_area','800000','900000')
body HTML_IMAGE_AREA_09 eval:html_range('image_area','900000')
describe HTML_IMAGE_AREA_04 HTML has 4-5 kilopixels of images
describe HTML_IMAGE_AREA_05 HTML has 5-6 kilopixels of images
describe HTML_IMAGE_AREA_06 HTML has 6-7 kilopixels of images
describe HTML_IMAGE_AREA_07 HTML has 7-8 kilopixels of images
describe HTML_IMAGE_AREA_08 HTML has 8-9 kilopixels of images
describe HTML_IMAGE_AREA_09 HTML has over 9 kilopixels of images

# HTML_IMAGE_ONLY - not much text with images (absolute)
body HTML_IMAGE_ONLY_02 eval:html_image_only('0000','0200')
body HTML_IMAGE_ONLY_04 eval:html_image_only('0200','0400')
body HTML_IMAGE_ONLY_06 eval:html_image_only('0400','0600')
body HTML_IMAGE_ONLY_08 eval:html_image_only('0600','0800')
body HTML_IMAGE_ONLY_10 eval:html_image_only('0800','1000')
body HTML_IMAGE_ONLY_12 eval:html_image_only('1000','1200')
describe HTML_IMAGE_ONLY_02 HTML: images with 0-200 bytes of words
describe HTML_IMAGE_ONLY_04 HTML: images with 200-400 bytes of words
describe HTML_IMAGE_ONLY_06 HTML: images with 400-600 bytes of words
describe HTML_IMAGE_ONLY_08 HTML: images with 600-800 bytes of words
describe HTML_IMAGE_ONLY_10 HTML: images with 800-1000 bytes of words
describe HTML_IMAGE_ONLY_12 HTML: images with 1000-1200 bytes of words

# HTML_IMAGE_RATIO - more image area than text (ratio)
body HTML_IMAGE_RATIO_02 eval:html_image_ratio('0.000','0.002')
body HTML_IMAGE_RATIO_04 eval:html_image_ratio('0.002','0.004')
body HTML_IMAGE_RATIO_06 eval:html_image_ratio('0.004','0.006')
body HTML_IMAGE_RATIO_08 eval:html_image_ratio('0.006','0.008')
body HTML_IMAGE_RATIO_10 eval:html_image_ratio('0.008','0.010')
body HTML_IMAGE_RATIO_12 eval:html_image_ratio('0.010','0.012')
body HTML_IMAGE_RATIO_14 eval:html_image_ratio('0.012','0.014')
describe HTML_IMAGE_RATIO_02 HTML has a low ratio of text to image area
describe HTML_IMAGE_RATIO_04 HTML has a low ratio of text to image area
describe HTML_IMAGE_RATIO_06 HTML has a low ratio of text to image area
describe HTML_IMAGE_RATIO_08 HTML has a low ratio of text to image area
describe HTML_IMAGE_RATIO_10 HTML has a low ratio of text to image area
describe HTML_IMAGE_RATIO_12 HTML has a low ratio of text to image area
describe HTML_IMAGE_RATIO_14 HTML has a low ratio of text to image area

And these are the standard scores for them:

score HTML_IMAGE_AREA_05 0.283 1.342 1.122 2.199
score HTML_IMAGE_AREA_07 1.615 1.681 1.997 1.022
score HTML_IMAGE_ONLY_02 2.751 2.244 1.472 1.230
score HTML_IMAGE_ONLY_04 1.898 1.527 1.136 1.001
score HTML_IMAGE_ONLY_06 1.531 1.709 0.527 1.439
score HTML_IMAGE_ONLY_08 0.525 0.837 0 0
score HTML_IMAGE_ONLY_10 0.615 1.138 0.431 0.019
score HTML_IMAGE_ONLY_12 0.787 1.012 0.483 0
score HTML_IMAGE_RATIO_04 0.821 0.892 0.667 1.050
score HTML_IMAGE_RATIO_06 0.935 0.317 0.649 0
score HTML_IMAGE_RATIO_08 0.605 0.408 0.413 0.359
score HTML_IMAGE_RATIO_10 0.535 0.488 0.619 0.315
score HTML_IMAGE_RATIO_12 0.324 0 0 0
score HTML_IMAGE_RATIO_14 0 0.276 0 0
score HTML_IMAGE_AREA_04 0
score HTML_IMAGE_AREA_09 0
score HTML_IMAGE_AREA_08 0
score HTML_IMAGE_RATIO_02 0
score HTML_IMAGE_AREA_06 0

Strangely enough (I'll never understand the "genetic algorithms" used to
generate these scores) some of them "in the middle" are 0... that is,
HTML_IMAGE_ONLY_06 and HTML_IMAGE_ONLY_10 are non-0, but
HTML_IMAGE_ONLY_08 is 0 (in the fourth column).

What you can do is to raise these scores in spam.assassin.conf so they
are more likely to trigger.

One of the things I've seen are messages which apparently are only
comprised of an image, but that have hidden text (same color as
background), even specially crafted "non-spam-looking" text that
decreases the score and avoids some of these rules...

I've even seen almost identical messages to score somehow above 5 and the
next day score below 3... evidently many spammers are checking their
messages with SpamAssassin, and adjusting them... playing around with
some scores (especially, raising these "0" scores) might help you a lot
(but be careful with false positives, check your logs).

HTH

On 4 Dec 2003 at 9:04, Jody Cleveland wrote:

> Hello,
>
> I've noticed a new trend with spam lately. I've been getting emails that
> are one big image, which aren't caught by mailscanner or spamassassin.
> Is there a rule somewhere, where I can specify that if an email contains
> only an image to tag it as spam?
>
>
> --
> Jody Cleveland
> (cleveland@mail.winnefox.org)

--
Mariano Absatz
El Baby
----------------------------------------------------------
Suicidal twin kills sister by mistake!

From Cleveland at MAIL.WINNEFOX.ORG Thu Dec 4 15:46:52 2003
From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland)
Date: Thu Jan 12 21:21:26 2006
Subject: Email is only an image - tag as spam?
Message-ID: <7D3DDF19D93C3642931C3EB8803165A92E08F1@mail.winnefox.org>

Hi Steve,

> Are you using MailScanner in front of Microsoft Exchange??

Yeah. My mail comes into a redhat 9 box with mailscanner, spamassassin,
f-prot, and mailwatch, then gets forwarded on to an exchange server.

- Jody

From martinh at SOLID-STATE-LOGIC.COM Thu Dec 4 15:45:06 2003
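How the four-column score lines in Mariano Absatz's message above are read, as an added Python example that is not part of the thread or of SpamAssassin: column 1 applies with Bayes and network tests both off, column 2 with network tests only, column 3 with Bayes only, column 4 with both on, and a rule whose score is 0 in the active column is not run. The function names are this example's own; the score lines are copied from the message.

```python
import re
from collections import defaultdict

# Score lines copied from the message above (not constructed).
PAGE_SCORES = """\
score HTML_IMAGE_AREA_05 0.283 1.342 1.122 2.199
score HTML_IMAGE_AREA_07 1.615 1.681 1.997 1.022
score HTML_IMAGE_ONLY_02 2.751 2.244 1.472 1.230
score HTML_IMAGE_ONLY_04 1.898 1.527 1.136 1.001
score HTML_IMAGE_ONLY_06 1.531 1.709 0.527 1.439
score HTML_IMAGE_ONLY_08 0.525 0.837 0 0
score HTML_IMAGE_ONLY_10 0.615 1.138 0.431 0.019
score HTML_IMAGE_ONLY_12 0.787 1.012 0.483 0
score HTML_IMAGE_RATIO_04 0.821 0.892 0.667 1.050
score HTML_IMAGE_RATIO_06 0.935 0.317 0.649 0
score HTML_IMAGE_RATIO_08 0.605 0.408 0.413 0.359
score HTML_IMAGE_RATIO_10 0.535 0.488 0.619 0.315
score HTML_IMAGE_RATIO_12 0.324 0 0 0
score HTML_IMAGE_RATIO_14 0 0.276 0 0
score HTML_IMAGE_AREA_04 0
score HTML_IMAGE_AREA_09 0
score HTML_IMAGE_AREA_08 0
score HTML_IMAGE_RATIO_02 0
score HTML_IMAGE_AREA_06 0
"""


def score_set(bayes, net):
    """Index (0-3) of the score column SpamAssassin uses for this setup."""
    return (2 if bayes else 0) + (1 if net else 0)


def parse_scores(text):
    """Map rule name -> four scores; a single value applies to all four sets."""
    scores = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] != "score":
            continue
        rule, values = fields[1], [float(v) for v in fields[2:]]
        if len(values) == 1:
            values = values * 4
        if len(values) != 4:
            # This example accepts only the one-value and four-value forms.
            raise ValueError("expected 1 or 4 scores for %s" % rule)
        scores[rule] = values
    return scores


def disabled_rules(scores, set_index):
    """Rules that score 0 in the given set, i.e. that never fire there."""
    return sorted(r for r, v in scores.items() if v[set_index] == 0)


def holes(scores, set_index):
    """Zero-scored rules whose neighbouring buckets in the same family
    (same name, adjacent numeric suffix) both score non-zero.
    Returns (rule, lower_neighbour_score, upper_neighbour_score) tuples."""
    families = defaultdict(list)
    for rule, values in scores.items():
        m = re.fullmatch(r"(.+)_(\d+)", rule)
        if m:
            families[m.group(1)].append((int(m.group(2)), rule, values[set_index]))
    found = []
    for buckets in families.values():
        buckets.sort()
        for prev, cur, nxt in zip(buckets, buckets[1:], buckets[2:]):
            if cur[2] == 0 and prev[2] != 0 and nxt[2] != 0:
                found.append((cur[1], prev[2], nxt[2]))
    return sorted(found)


if __name__ == "__main__":
    # Bayes and network tests both enabled: the fourth column.
    idx = score_set(bayes=True, net=True)
    table = parse_scores(PAGE_SCORES)
    print("score set", idx, "- rules that never fire:")
    for rule in disabled_rules(table, idx):
        print("  ", rule)
    print("zero-scored buckets between two scoring neighbours:")
    for rule, low, high in holes(table, idx):
        print("   %s (neighbours score %.3f and %.3f)" % (rule, low, high))
```

Any score you then set for one of the reported rules is a local choice; check it against your own logs for false positives, as the message says.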
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:21:26 2006 Subject: Email is only an image - tag as spam? In-Reply-To: <7D3DDF19D93C3642931C3EB8803165A92E08F0@mail.winnefox.org> References: <7D3DDF19D93C3642931C3EB8803165A92E08F0@mail.winnefox.org> Message-ID: <3FCF5682.3090706@solid-state-logic.com> Jody Cleveland wrote: >>Then maybe you need to learn them? > > > How do I do that? > > >>What version of SA are you using. I know 2.55 didn't catch >>alot of the html stuff as they use hex numbers for the ascii >>characters ie >>http://%77%77%77 for http://www. the 2.6 update catches these. > > > I just updated SA to 2.60. It is catching quite a bit of spam, but not > the picture ones. It wouldn't be such a big deal, but normally the > pictures are things I don't care to be seeing. > > - Jody Jody If you've just upgraded to 2.6 you'll either need to convert the bayes DB to the new format (there's some emails in the archive about this back in October when 2.6 cam out), or create a new db. There's some sa-learn scripts about in the FAQ that will take a pop based account and populate the database with examples of spam and ham (valid email). I've got one for imap based email systems if you need that (should work with MS-Exchange once you turn on the imap access). You'll need at least 200 of each before the bayes engine will start to operate within SA. Also check the MailScanner spam.assassin.prefs.conf file and make sure that has the correct path for the DB and bayes is enabled.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. 
This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From jlarsen at RICHWEB.COM Thu Dec 4 15:51:36 2003 From: jlarsen at RICHWEB.COM (C. Jon Larsen) Date: Thu Jan 12 21:21:26 2006 Subject: Email is only an image - tag as spam? In-Reply-To: <3FCF5682.3090706@solid-state-logic.com> Message-ID: On Thu, 4 Dec 2003, Martin Hepworth wrote: > I've got one for imap based email systems if you need that (should work > with MS-Exchange once you turn on the imap access). Could you post a link to that tool ? > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > > ********************************************************************** > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. > > ********************************************************************** > > -- + Jon Larsen: Chief Technology Officer, Richweb, Inc. + Richweb.com: Providing Internet-Based Business Solutions since 1995 + GnuPG Public Key: http://richweb.com/jlarsen.gpg + Business: (804) 359.2220 x 101; Mobile: (804) 307.6939 From Cleveland at MAIL.WINNEFOX.ORG Thu Dec 4 15:36:31 2003 
From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland) Date: Thu Jan 12 21:21:26 2006 Subject: Email is only an image - tag as spam? Message-ID: <7D3DDF19D93C3642931C3EB8803165A92E08F0@mail.winnefox.org> > Then maybe you need to learn them? How do I do that? > > What version of SA are you using. I know 2.55 didn't catch > alot of the html stuff as they use hex numbers for the ascii > characters ie > http://%77%77%77 for http://www. the 2.6 update catches these. I just updated SA to 2.60. It is catching quite a bit of spam, but not the picture ones. It wouldn't be such a big deal, but normally the pictures are things I don't care to be seeing. - Jody From raymond at PROLOCATION.NET Thu Dec 4 15:35:27 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:26 2006 Subject: wendy.zip - encrypted - mimail In-Reply-To: <3FCF2625.1849.5430A9D@localhost> Message-ID: Hi! > I even forced a .dat update just in case they had re-released it, but the > .dat's are identical... > > Would you mind sending me an infected message to another account? I'd > send you a request from that account (I can "double opt-in" if you want > to be more assured). It cant unpack the zip, so ONLY if a enduser unpacks it, and execues it, the scanner will catch it (localy at the enduser). At least, thats my impression about this. I dont think it will be catched within MS due to this. Bye, Raymond. From steve.freegard at LBSLTD.CO.UK Thu Dec 4 15:39:09 2003 From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:21:26 2006 Subject: Email is only an image - tag as spam? Message-ID: <67D9E7698329D411936E00508B6590B902773D22@neelix.lbsltd.co.uk> Hi Jody, Are you using MailScanner in front of Microsoft Exchange?? Kind regards, Steve. -----Original Message----- 
From: Jody Cleveland [mailto:Cleveland@MAIL.WINNEFOX.ORG] Sent: 04 December 2003 15:37 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Email is only an image - tag as spam? > Then maybe you need to learn them? How do I do that? > > What version of SA are you using. I know 2.55 didn't catch alot of the > html stuff as they use hex numbers for the ascii characters ie > http://%77%77%77 for http://www. the 2.6 update catches these. I just updated SA to 2.60. It is catching quite a bit of spam, but not the picture ones. It wouldn't be such a big deal, but normally the pictures are things I don't care to be seeing. - Jody -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From Cleveland at MAIL.WINNEFOX.ORG Thu Dec 4 15:55:45 2003 From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland) Date: Thu Jan 12 21:21:26 2006 Subject: Email is only an image - tag as spam? Message-ID: <7D3DDF19D93C3642931C3EB8803165A92E08F2@mail.winnefox.org> > > I've got one for imap based email systems if you need that (should > > work with MS-Exchange once you turn on the imap access). > > Could you post a link to that tool ? ditto From Kevin.Hansard at IPLBATH.COM Thu Dec 4 16:06:39 2003 
From: Kevin.Hansard at IPLBATH.COM (Kevin Hansard)
Date: Thu Jan 12 21:21:26 2006
Subject: Small feature request
Message-ID:

Hi,

Thanks for the patch. I couldn't seem to get it to work, the score in the
subject still didn't have leading zeros.

Anyway I have it working now by changing all occurrences in Message.pm of

    $spamtag =~ s/_SCORE_/$starcount/;

To

    $spamtag =~ s/_SCORE_/sprintf("%02d",$starcount)/e;

I think that is basically what your patch was trying to achieve.

Many thanks
Kevin Hansard
---

From martinh at SOLID-STATE-LOGIC.COM Thu Dec 4 16:10:18 2003
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:21:26 2006 Subject: Email is only an image - tag as spam? In-Reply-To: References: Message-ID: <3FCF5C6A.2090502@solid-state-logic.com> C. Jon Larsen wrote: > On Thu, 4 Dec 2003, Martin Hepworth wrote: > > >>I've got one for imap based email systems if you need that (should work >>with MS-Exchange once you turn on the imap access). > > > Could you post a link to that tool ? find the script attached. You need to call it with the parameters as below. the userid will need a spam and ham folder to contain the emails to be learnt.. /usr/local/bin/learn_spam.pl -uid=spamupdate \ -pwd=passwd only thing you'll to change is the myserver param at the top of the script. As I said I got this from a SA email list archive. Only change I made was to add in $imap->delete_message (@msgs); in the read_email function. You'll need the Mail::IMAPClient perl module to make it run too (CPAN will have it). Seems to work for me, but I use Courier imapd rather than exchange.....YMMV !!!! -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. 
**********************************************************************
-------------- next part --------------
#!/usr/bin/perl -w
use strict;
use Mail::IMAPClient;
use Env qw(HOME);
use Getopt::Long;
use File::Temp qw/ tempfile tempdir /;

my $imapserver = "myserver";

# set to 1 to enable imapclient debugging
my $debug = 0;

# set to 1 if running under cron (disables output)
my $cron = 1;

my $filename;
my $fh;

# note: a password given with -pwd on the command line is visible to
# other local users in the process list while the script runs
my %options = ( uid => undef, pwd => undef );
my $cmdsts = GetOptions ("uid=s" => \$options{uid},
                         "pwd=s" => \$options{pwd});

if (!$options{uid}) {
    die "[SPAMASSASSIN] uid not set (-uid=username)\n";
}
if (!$options{pwd}) {
    die "[SPAMASSASSIN] pwd not set (-pwd=password)\n";
}

my $uid = $options{uid};
my $pwd = $options{pwd};

# login to imap server
my $imap = Mail::IMAPClient->new (Server=>$imapserver,
                                  User=>$uid,
                                  Password=>$pwd,
                                  Debug=>$debug)
    or die "Can't connect to $uid\@$imapserver: $@\n";

if ($imap) {
    my $count;

    # Deal with spam first
    learn_mail ($HOME."/spam/", ".spam", "INBOX.spam", 0,
        "--spam --showdots --prefs-file=/opt/MailScanner/etc/spam.assassin.prefs.conf");

    # Now deal with ham
    learn_mail ($HOME."/ham/", ".ham", "INBOX.ham", 0,
        "--ham --showdots --prefs-file=/opt/MailScanner/etc/spam.assassin.prefs.conf");
} else {
    die "[SPAMASSASSIN] Unable to logon to IMAP mail account! $options{uid}\n";
}
exit;

#
# read and learn mail from imap server
#
# arguments
#   $dir      directory to place retrieved messages in
#   $ext      file extension to use on retrieved messages
#   $folder   imap folder name on server
#   $shared   0 if imap folder is in users mailbox
#             1 if imap folder is in shared name space or
#   $sa_args  additional arguments to specify to sa-learn
#             (e.g. --spam or --ham)
#
sub learn_mail {
    my $dir = shift (@_);
    my $ext = shift (@_);
    my $folder = shift (@_);
    my $shared = shift (@_);
    my $sa_args = shift (@_);
    my $count = 0;

    # tidy up directory before run
    clear_directory ($dir, $ext);

    # read mail from server
    $count = read_mail ($dir, $ext, $folder, $shared);
    if ($count > 0) {
        # learn about mail
        sa_learn ($dir, $ext, $sa_args);

        # tidy up files after sa-learn is called
        clear_directory ($dir, $ext);
    }
}

#
# reads mail from an imap folder and saves in a local directory
#
# arguments
#   $dir      directory to place retrieved messages in
#   $ext      file extension to use on retrieved messages
#   $folder   imap folder name on server
#   $shared   0 if imap folder is in users mailbox
#             1 if imap folder is in shared name space or
sub read_mail {
    my $dir = shift (@_);
    my $ext = shift (@_);
    my $folder = shift (@_);
    my $shared = shift (@_);
    my $count = 0;
    my $target = "";

    if ($shared) {
        # use a shared public folder instead
        my ($prefix, $sep) = @{$imap->namespace->[2][0]}
            or die "Can't get shared folder namespace or seperator: $@\n";
        $target = $prefix.
            ($prefix =~ /\Q$sep\E$/ || $folder =~ /^\Q$sep/ ? "" : $sep).
            $folder;
    } else {
        $target = $folder;
    }

    $imap->select ($target) or die "Cannot select $target: $@\n";

    # read through all messages, saving each one to its own temp file
    my @msgs = $imap->search("ALL");
    foreach my $msg (@msgs) {
        ($fh, $filename) = tempfile (SUFFIX => $ext, DIR => $dir);
        $imap->message_to_file ($fh, $msg);
        close $fh;
        $count++;
    }

    # flag the retrieved messages as deleted on the server
    $imap->delete_message (@msgs);

    if ($cron == 0) {
        print "Retrieved $count messages from $target\n";
    }
    return $count;
}

#
# Removes files in directory $dir with extension $ext
#
sub clear_directory {
    my $dir = shift (@_);
    my $ext = shift (@_);

    opendir (DIR, $dir) or die "Couldn't open dir: $dir\n";
    my @files = readdir (DIR);
    closedir (DIR);

    for (my $i = 0; $i <= $#files; $i++ ) {
        # \Q..\E so the dot in the extension is matched literally
        if ($files[$i] =~ /\Q$ext\E$/) {
            unlink ($dir.$files[$i]);
        }
    }
}

#
# execute sa-learn command
#
sub sa_learn {
    my $dir = shift (@_);
    my $ext = shift (@_);
    my $type = shift (@_);

    my $learncmd = "/usr/local/bin/sa-learn ".$type." --dir ".$dir;
    if ($cron == 0) {
        $learncmd .= " --showdots";
    } else {
        $learncmd .= " > /dev/null 2>&1";
    }

    #
    # Run sa-learn on the directory (the command string goes through the shell)
    #
    my @args = ($learncmd);
    system (@args) == 0 or die "system @args failed: $?";
}

From jaearick at COLBY.EDU Thu Dec 4 17:15:41 2003
From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:21:26 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: <6.0.0.22.0.20031203205539.02ab9a18@xanadu.evi-inc.com> References: <6.0.0.22.0.20031203194846.01fcbd50@xanadu.evi-inc.com> <6.0.0.22.0.20031203205539.02ab9a18@xanadu.evi-inc.com> Message-ID: > > However, this has nothing to do with RDNS at all, and nothing to do with > what AOL is doing. AOL is implementing refusal of mail from servers that do > not have a reverse DNS lookup for their IP. It's not rocket science to do > in sendmail, i.e. something like this: > > http://www.cs.niu.edu/~rickert/cf/hack/require_rdns.m4 > Does anybody else out there run this hack, or something similar for Exim/ Postfix? I'm giving it a test run on my mail server right now, and I wonder if I am shooting myself in the foot. Virtually all of the rejections I see smell spammy to me. Comments? Jeff Earickson Colby College From butler at GLOBESERVER.COM Thu Dec 4 18:23:54 2003 
From: butler at GLOBESERVER.COM (Philip Butler) Date: Thu Jan 12 21:21:26 2006 Subject: Blank lines inserted into header... In-Reply-To: <6.0.1.1.2.20031127084627.0385c670@imap.ecs.soton.ac.uk> References: <4F3AF4BE-204D-11D8-B3FA-000393D75504@globeserver.com> <6.0.1.1.2.20031127084627.0385c670@imap.ecs.soton.ac.uk> Message-ID: <04BF9DB4-2687-11D8-B8EB-000393D75504@globeserver.com> Julian, Here's a bit more information. I am still having the problem - I have noticed it's with any X- header that may be "too long" whatever that may mean. For example, I got an email that had the following header in it: X-Exclaimer-OnMessagePostCategorize-{50a0a0f9-c0e6-4bf3-be44 -9194dd1a3dbc}: F:\Program Files\exclaimer\eXclaimer.dll - 2.0.4.67 and it has a blank line preceding this in the output of mailscanner/sendmail. This effectively makes this header line become the start of the message body. However, when I change it to: X-Exclaimer: F:\Program Files\exclaimer\eXclaimer.dll - 2.0.4.67 there is no blank line added and the message headers remain intact. Therefore, it's not the X-%org-name% logic that I previously thought it was, but rather it seems to be the length of the header name. Of course, it could be sendmail that is doing this perhaps. I bet I have a misconfiguration somehow - I can't believe that nobody else is seeing this same problem otherwise. Just so everyone knows - here's how I tested: cat /file.txt | sendmail butler@globeserver.com (where /file.txt has the original email with the blank line removed) by editing the /file.txt and shortening the X- header name, it works as it should. Phil Butler On Nov 27, 2003, at 3:46 AM, Julian Field wrote: > Is anyone else experiencing this problem? > > At 20:15 26/11/2003, you wrote: >> Hi all, >> >> Sorry if this is a repeated issue. 
>> >> I have noticed messages with the: >> >> X-%org-name%-MailScanner-Information: (and other X-%org-name% >> headers) >> >> >> For example, an email that just came in: >> >> X-WADSNET550-MailScanner-Information: Please contact >> admin@wadsnet.net >> for more >> info >> >> >> These lines seem to have a blank line in front of them, which >> basically >> ends the header and puts the X-header as the first line of the email >> body. Is there a switch that keeps these headers in the header and >> does not start the body ?? I can see that some might want the message >> to be visible in the message, but I think I would prefer these headers >> to remain in the email header. >> >> BTW, messages like this have a blank subject and From:/To: because the >> X-org-name headers tend to show up before the Subject/etc. headers. >> These are visible in the body of the message, but it messes up email >> filters. >> >> Any comments ?? >> >> Sorry again if this is repeated - and as always: >> >> MailScanner (and Julian !!) rules !!! >> >> Phil > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From butler at GLOBESERVER.COM Thu Dec 4 19:23:28 2003 
From: butler at GLOBESERVER.COM (Philip Butler) Date: Thu Jan 12 21:21:26 2006 Subject: Blank lines inserted into header... In-Reply-To: <04BF9DB4-2687-11D8-B8EB-000393D75504@globeserver.com> References: <4F3AF4BE-204D-11D8-B3FA-000393D75504@globeserver.com> <6.0.1.1.2.20031127084627.0385c670@imap.ecs.soton.ac.uk> <04BF9DB4-2687-11D8-B8EB-000393D75504@globeserver.com> Message-ID: <56AC8386-268F-11D8-B8EB-000393D75504@globeserver.com> Even more information - it's a sendmail problem. The "lightbulb" finally came on and I tried the same test on a system without MailScanner - same problem - so it must be sendmail. Sorry for the false alarm. Phil On Dec 4, 2003, at 1:23 PM, Philip Butler wrote: > Julian, > > Here's a bit more information. I am still having the problem - I have > noticed it's with any X- header that may be "too long" whatever that > may mean. > > For example, I got an email that had the following header in it: > > > X-Exclaimer-OnMessagePostCategorize-{50a0a0f9-c0e6-4bf3-be44 > -9194dd1a3dbc}: F:\Program Files\exclaimer\eXclaimer.dll - 2.0.4.67 > > and it has a blank line preceding this in the output of > mailscanner/sendmail. This effectively makes this header line become > the start of the message body. > > However, when I change it to: > > X-Exclaimer: F:\Program Files\exclaimer\eXclaimer.dll - 2.0.4.67 > > there is no blank line added and the message headers remain intact. > > > Therefore, it's not the X-%org-name% logic that I previously thought it > was, but rather it seems to be the length of the header name. Of > course, it could be sendmail that is doing this perhaps. I bet I have > a misconfiguration somehow - I can't believe that nobody else is seeing > this same problem otherwise. > > Just so everyone knows - here's how I tested: > > cat /file.txt | sendmail butler@globeserver.com (where /file.txt > has the original email with the blank line removed) > > by editing the /file.txt and shortening the X- header name, it works as > it should. 
> > > Phil Butler > > On Nov 27, 2003, at 3:46 AM, Julian Field wrote: > >> Is anyone else experiencing this problem? >> >> At 20:15 26/11/2003, you wrote: >>> Hi all, >>> >>> Sorry if this is a repeated issue. >>> >>> I have noticed messages with the: >>> >>> X-%org-name%-MailScanner-Information: (and other X-%org-name% >>> headers) >>> >>> >>> For example, an email that just came in: >>> >>> X-WADSNET550-MailScanner-Information: Please contact >>> admin@wadsnet.net >>> for more >>> info >>> >>> >>> These lines seem to have a blank line in front of them, which >>> basically >>> ends the header and puts the X-header as the first line of the email >>> body. Is there a switch that keeps these headers in the header and >>> does not start the body ?? I can see that some might want the >>> message >>> to be visible in the message, but I think I would prefer these >>> headers >>> to remain in the email header. >>> >>> BTW, messages like this have a blank subject and From:/To: because >>> the >>> X-org-name headers tend to show up before the Subject/etc. headers. >>> These are visible in the body of the message, but it messes up email >>> filters. >>> >>> Any comments ?? >>> >>> Sorry again if this is repeated - and as always: >>> >>> MailScanner (and Julian !!) rules !!! >>> >>> Phil >> >> -- >> Julian Field >> www.MailScanner.info >> MailScanner thanks transtec Computers for their support >> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From jendries at PRAGMETA.COM Thu Dec 4 19:20:20 2003 
From: jendries at PRAGMETA.COM (Josh Endries) Date: Thu Jan 12 21:21:26 2006 Subject: Problems disabling viruswarning.txt attachment (making it inline) In-Reply-To: <04BF9DB4-2687-11D8-B8EB-000393D75504@globeserver.com> References: <4F3AF4BE-204D-11D8-B3FA-000393D75504@globeserver.com> <6.0.1.1.2.20031127084627.0385c670@imap.ecs.soton.ac.uk> <04BF9DB4-2687-11D8-B8EB-000393D75504@globeserver.com> Message-ID: <3FCF88F4.9080100@pragmeta.com> Hi all, I just recently installed MailScanner on a server here and I'm having trouble with disabling the attachment of the viruswarning.txt file. My config file contains this:
# When a virus or attachment is replaced by a plain-text warning,
# should the warning be in an attachment? If "no" then it will be
# placed in-line. This can also be the filename of a ruleset.
Warning Is Attachment = no
I thought this would dump the text into the message (at the end) and not attach the file. It does append the text, but still attaches the text file, which I don't want. Is there another setting I need to change to get this to work? This wouldn't be an issue if I could use the same variables that are in viruswarning.txt ($date and $report) in inline.warning.txt. Is there a list anywhere of the available variables for these files, since they apparently have different access? Thanks! -- Josh From dan.farmer at PHONEDIR.COM Thu Dec 4 23:31:22 2003
From: dan.farmer at PHONEDIR.COM (Dan Farmer) Date: Thu Jan 12 21:21:26 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: References: <6.0.0.22.0.20031203194846.01fcbd50@xanadu.evi-inc.com> <6.0.0.22.0.20031203205539.02ab9a18@xanadu.evi-inc.com> Message-ID: Hopefully, AOL will keep this up despite the legitimate mail it will block, as it will force many admins to step up and finish the setup of their mail servers. Even better would be if yahoo, msn/hotmail, juno or some other large site would also step up and implement this, increasing the pressure. Until then, there are many more legitimate servers that have bad or no rdns than you can imagine. And the users on the other side whose mail is bounced back (usually with a message indicating they should contact their own server admins) will assume that since they can email all these other places, you have set up your server incorrectly. I had similar blocks in place for about a month after SoBig.F, and educated 3 or 4 companies (ones my users told me were having problems) about how to fix the issue with their rdns, but eventually the blocks were removed for business reasons (any more than 0 legitimate emails blocked was unacceptable). Good luck! dan On Dec 4, 2003, at 10:15 AM, Jeff A. Earickson wrote: >> >> However, this has nothing to do with RDNS at all, and nothing to do >> with >> what AOL is doing. AOL is implementing refusal of mail from servers >> that do >> not have a reverse DNS lookup for their IP. It's not rocket science >> to do >> in sendmail, i.e. something like this: >> >> http://www.cs.niu.edu/~rickert/cf/hack/require_rdns.m4 >> > > Does anybody else out there run this hack, or something similar for > Exim/ > Postfix? I'm giving it a test run on my mail server right now, and I > wonder if I am shooting myself in the foot. Virtually all of the > rejections > I see smell spammy to me. Comments? > > Jeff Earickson > Colby College > From mike at CAMAROSS.NET Fri Dec 5 00:37:34 2003 
From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:21:26 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: Message-ID: <200312050032.hB50WRGr030539@genesis.camaross.net> I'm running it and I love it. For the most part, legit email has legit DNS. If not, admins on the other end need to get off their ass and make their networking correct, complete and in compliance with the RFC's. Mike > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jeff A. Earickson > Sent: Thursday, December 04, 2003 11:16 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: AOL blocking MailScanner messages! > > > > > However, this has nothing to do with RDNS at all, and nothing to do > > with what AOL is doing. AOL is implementing refusal of mail from > > servers that do not have a reverse DNS lookup for their IP. > It's not > > rocket science to do in sendmail, i.e. something like this: > > > > http://www.cs.niu.edu/~rickert/cf/hack/require_rdns.m4 > > > > Does anybody else out there run this hack, or something > similar for Exim/ Postfix? I'm giving it a test run on my > mail server right now, and I wonder if I am shooting myself > in the foot. Virtually all of the rejections I see smell > spammy to me. Comments? > > Jeff Earickson > Colby College > From mike at CAMAROSS.NET Fri Dec 5 00:40:17 2003 
From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:21:26 2006 Subject: Something I'd love to see in MailScanner In-Reply-To: Message-ID: <200312050035.hB50ZAGr030649@genesis.camaross.net> I would LOVE it if, for a Spam Action or High Scoring Spam Action, I could forward the spam to abuse@. Perhaps, if these ISP's like comcast.net, t-dialin.net, rr.com, adelphia, etc would stop allowing their users to connect to SMTP ports outside their own networks. I'm sure MS users in countries other than the US have their own homeland spam friendly ISP's. Spammers have turned up the heat...let's bug their ISP's to death :) Mike From mkettler at EVI-INC.COM Fri Dec 5 00:55:36 2003 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:21:26 2006 Subject: Something I'd love to see in MailScanner In-Reply-To: <200312050035.hB50ZAGr030649@genesis.camaross.net> References: <200312050035.hB50ZAGr030649@genesis.camaross.net> Message-ID: <6.0.0.22.0.20031204194712.02716208@xanadu.evi-inc.com> At 07:40 PM 12/4/2003, you wrote: >Spammers have turned up the heat...let's bug their ISP's to death :) Realistically, all the "automated carpet bomb complaint" type systems do is make ISP's procmail them all to /dev/null.. they create so much noise that they overload abuse systems. And personally, the first time I got *one* false auto-report, I'd 550 the IP of the server that delivered it. 10.0.0.1 550 broken autoresponders are not welcome here. Feel free to send the abuse address here legit abuse reports, but be sure they are accurate. I certainly will have zero tolerance for automated systems spamming my system accounts with false reports. That's IMO worse than being a spammer. There's an old closed bug in SA's bugzilla where someone suggested SA add an "auto abuse report" feature.. That flew about as far as a lead balloon. From lists at STHOMAS.NET Fri Dec 5 01:01:25 2003 
From: lists at STHOMAS.NET (Steve Thomas) Date: Thu Jan 12 21:21:26 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: <200312050032.hB50WRGr030539@genesis.camaross.net>; from mike@CAMAROSS.NET on Thu, Dec 04, 2003 at 06:37:34PM -0600 References: <200312050032.hB50WRGr030539@genesis.camaross.net> Message-ID: <20031204170125.B21729@sthomas.net> On Thu, Dec 04, 2003 at 06:37:34PM -0600, Mike Kercher is rumored to have said: > > If not, admins on the other end need to get off their ass and make their > networking correct, complete and in compliance with the RFC's. I've only been skimming this thread, so this may have been stated already. If so, I apologize... You're forgetting that reverse dns is a totally different animal than forward, and that just about anyone with less than a /24 (and many with a /24 or larger) don't have the reverse zones delegated to their servers. If I own foo.com, I can easily create any forward entry in the foo.com domain, but making something in the in-addr.arpa domain point to mailserver.foo.com is not nearly as easy. As a for instance, the machine I'm sending this message from is on a RoadRunner network. We've got a block of addresses allocated to us and despite repeated assurances that they would delegate the in-addr.arpa zone for our netblock to our dns server, it's never happened. Now if RR managed to have a corrupt zone file, forgot to generate PTR records for our netblock or for some other reason wasn't on the ball, I'd be "an admin who was sitting on my ass not making my network correct"? I think not. My dns server is properly configured to serve requests for the /28 we've been allocated but RR is still in control of the zone. Then there's network outages, software failures, fiber cuts, DDoS attacks, etc, etc to consider. You'll reject mail just because the DNS server serving the in-addr.arpa zone for the connecting machine is unreachable? 
I can see adding a warning header or something innocuous like that, but outright rejecting mail from machines without RDNS properly configured is overkill, IMHO. Steve -- "Blessed is the man, who having nothing to say, abstains from giving wordy evidence of the fact." - George Eliot (1819-1880) From gdoris at ROGERS.COM Fri Dec 5 01:14:24 2003 
From: gdoris at ROGERS.COM (Gerry Doris) Date: Thu Jan 12 21:21:26 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: <200312050032.hB50WRGr030539@genesis.camaross.net> Message-ID: On Thu, 4 Dec 2003, Mike Kercher wrote: > I'm running it and I love it. For the most part, legit email has legit DNS. > If not, admins on the other end need to get off their ass and make their > networking correct, complete and in compliance with the RFC's. > > Mike I'm not sure where I picked up the following sendmail local rules (it may have been right here on this list) but they've been working well for me. I've ended up commenting out the replies and just discard the messages that are caught. It's amazing how many people have made obvious typo's in their dns tables! It's also amazing how much spam is discarded. These just go in sendmail.mc and you do the normal stuff to activate. The longer lines have wrapped.
LOCAL_RULESETS
SLocal_check_relay
R$* $: $&{client_resolve}
RTEMP $#discard $: discard
RFORGED $#discard $: discard
RFAIL $#discard $: discard
dnl
dnl RTEMP $#error $@ 5.7.1 $: "550 Access Denied ; Incomplete DNS.
Cannot resolve PTR record for "$&{client_addr}" Please have your system administrator correct the zone entries."
dnl
dnl RFORGED $#error $@ 5.7.1 $: "550 Access Denied ; Incomplete DNS.
IP name possibly forged " $&{client_name}" Please have your system administrator correct the zone entries."
dnl
dnl RFAIL $#error $@ 5.7.1 $: "550 Access Denied ; Incomplete DNS.
Hostname lookup failed for " $&{client_name}" please have your system administrator correct the zone entries."
-- Gerry "The lyfe so short, the craft so long to learne" Chaucer From mike at CAMAROSS.NET Fri Dec 5 01:23:28 2003
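The ruleset above branches on the TEMP, FORGED and FAIL values of sendmail's `${client_resolve}` macro. As an added example that is not part of any post in this thread, the following Python sketch computes the same four result names for a connecting address and maps each to a different action. The stub resolver, its constructed records, the `POLICY` table, the reply texts and the `X-RDNS-Check` header name are all hypothetical, and treating a PTR name with no forward record as FORGED is a choice made for this example.

```python
# Added example: four-way reverse-DNS classification using the result names
# of sendmail's ${client_resolve} macro (OK, TEMP, FORGED, FAIL).
# The resolver is an in-memory stub with constructed data, so it runs offline.


class TempFailure(Exception):
    """No answer obtained: timeout, SERVFAIL, unreachable name server."""


class NotFound(Exception):
    """Authoritative answer that the record does not exist."""


class StubResolver:
    """Constructed DNS data standing in for a real resolver."""

    def __init__(self, ptr, a, unreachable=()):
        self.ptr = ptr                        # ip -> PTR target
        self.a = a                            # hostname -> list of A records
        self.unreachable = set(unreachable)   # keys whose lookups time out

    def _lookup(self, table, key):
        if key in self.unreachable:
            raise TempFailure(key)
        if key not in table:
            raise NotFound(key)
        return table[key]

    def reverse(self, ip):
        return self._lookup(self.ptr, ip)

    def forward(self, name):
        return self._lookup(self.a, name.rstrip(".").lower())


def client_resolve(ip, resolver):
    """Return (status, ptr_name) for a connecting IP address."""
    try:
        name = resolver.reverse(ip)
    except TempFailure:
        return "TEMP", None          # outage: nothing is known about the client
    except NotFound:
        return "FAIL", None          # the zone answered: no PTR record
    try:
        addresses = resolver.forward(name)
    except TempFailure:
        return "TEMP", name
    except NotFound:
        return "FORGED", name        # assumption of this example
    return ("OK" if ip in addresses else "FORGED"), name


# Hypothetical policy: a temporary failure is deferred so the sender retries,
# a mismatch is only tagged, and only an authoritative "no PTR" is rejected.
POLICY = {
    "OK": ("accept", None),
    "TEMP": ("defer", "451 4.7.1 Reverse DNS lookup failed temporarily"),
    "FORGED": ("tag", "X-RDNS-Check: forward/reverse mismatch"),
    "FAIL": ("reject", "550 5.7.1 No PTR record for client address"),
}


def decide(ip, resolver):
    status, name = client_resolve(ip, resolver)
    action, detail = POLICY[status]
    return {"ip": ip, "name": name, "status": status,
            "action": action, "detail": detail}


# Constructed sample data (documentation address ranges and example domains).
RESOLVER = StubResolver(
    ptr={
        "192.0.2.10": "mail.example.org.",
        "192.0.2.20": "relay.example.com.",
        "198.51.100.7": "mx.example.net.",
    },
    a={
        "mail.example.org": ["192.0.2.10"],
        "mx.example.net": ["198.51.100.99"],
    },
    unreachable={"203.0.113.5", "relay.example.com"},
)

if __name__ == "__main__":
    for client in ("192.0.2.10", "198.51.100.7", "203.0.113.5",
                   "203.0.113.77", "192.0.2.20"):
        result = decide(client, RESOLVER)
        print(f"{result['ip']:<14} {result['status']:<7} {result['action']}")
```

Unlike a discard, the defer and reject actions leave the sending server with a status it can report back to its own users.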
From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:21:26 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: <20031204170125.B21729@sthomas.net> Message-ID: <200312050118.hB51IJGr032215@genesis.camaross.net> I understand you're on cable and have a block less than /24. In this case, it is RR's responsibility to maintain their DNS. It is your right, as their customer, to ensure that they do what they are supposed to. I haven't forgotten anything about DNS. I run MANY DNS servers :) You may have noticed different types of error messages in your mail logs. Some are temporary failures (like if a DNS server is unreachable). That is totally different from an authoritative nameserver saying "I have no information about my zones". Is it possible to delegate RDNS for a network of less than a /24? What would the zone be? Mike > -----Original Message----- 
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Steve Thomas > Sent: Thursday, December 04, 2003 7:01 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: AOL blocking MailScanner messages! > > On Thu, Dec 04, 2003 at 06:37:34PM -0600, Mike Kercher is > rumored to have said: > > > > If not, admins on the other end need to get off their ass and make > > their networking correct, complete and in compliance with the RFC's. > > I've only been skimming this thread, so this may have been > stated already. If so, I apologize... > > You're forgetting that reverse dns is a totally different > animal than forward, and that just about anyone with less > than a /24 (and many with a /24 or larger) don't have the > reverse zones delegated to their servers. If I own foo.com, I > can easily create any forward entry in the foo.com domain, > but making something in the in-addr.arpa domain point to > mailserver.foo.com is not nearly as easy. > > As a for instance, the machine I'm sending this message from > is on a RoadRunner network. We've got a block of addresses > allocated to us and despite repeated assurances that they > would delegate the in-addr.arpa zone for our netblock to our > dns server, it's never happened. Now if RR managed to have a > corrupt zone file, forgot to generate PTR records for our > netblock or for some other reason wasn't on the ball, I'd be > "an admin who was sitting on my ass not making my network > correct"? I think not. My dns server is properly configured > to serve requests for the /28 we've been allocated but RR is > still in control of the zone. > > Then there's network outages, software failures, fiber cuts, > DDoS attacks, etc, etc to consider. You'll reject mail just > because the DNS server serving the in-addr.arpa zone for the > connecting machine is unreachable? 
> > I can see adding a warning header or something innocuous like > that, but outright rejecting mail from machines without RDNS > properly configured is overkill, IMHO. > > > Steve > > > -- > "Blessed is the man, who having nothing to say, abstains from > giving wordy evidence of the fact." > - George Eliot (1819-1880) > From mike at CAMAROSS.NET Fri Dec 5 01:36:19 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:21:26 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: Message-ID: <200312050131.hB51VCGr032663@genesis.camaross.net> See, I have a bigger problem with discarding mail based on incorrect RDNS. I'd rather reject the message so that HOPEFULLY, someone can fix the problem. If the emails are accepted by your MTA and then discarded, the sender assumes that his/her email was delivered successfully. Mike > -----Original Message----- 
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Gerry Doris > Sent: Thursday, December 04, 2003 7:14 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: AOL blocking MailScanner messages! > > On Thu, 4 Dec 2003, Mike Kercher wrote: > > > I'm running it and I love it. For the most part, legit > email has legit DNS. > > If not, admins on the other end need to get off their ass and make > > their networking correct, complete and in compliance with the RFC's. > > > > Mike > > I'm not sure where I picked up the following sendmail local > rules (it may have been right here on this list) but they've > been working well for me. > I've ended up commenting out the replies and just discard the > messages that are caught. > > It's amazing how many people have made obvious typo's in > their dns tables! > It's also amazing how much spam is discarded. > > These just go in sendmail.mc and you do the normal stuff to > activate. The longer lines have wrapped. > > LOCAL_RULESETS > SLocal_check_relay > R$* $: $&{client_resolve} > RTEMP $#discard $: discard > RFORGED $#discard $: discard > RFAIL $#discard $: discard > dnl > dnl RTEMP $#error $@ 5.7.1 $: "550 Access Denied ; > Incomplete DNS. > Cannot resolve PTR record for "$&{client_addr}" Please have > your system administrator correct the zone entries." > dnl > dnl RFORGED $#error $@ 5.7.1 $: "550 Access Denied ; > Incomplete DNS. > IP name possibly forged " $&{client_name}" Please have your > system administrator correct the zone entries." > dnl > dnl RFAIL $#error $@ 5.7.1 $: "550 Access Denied ; > Incomplete DNS. > Hostname lookup failed for " $&{client_name}" please have > your system administrator correct the zone entries." > > -- > Gerry > > "The lyfe so short, the craft so long to learne" Chaucer > From gdoris at ROGERS.COM Fri Dec 5 02:02:25 2003 
From: gdoris at ROGERS.COM (Gerry Doris) Date: Thu Jan 12 21:21:26 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: <200312050131.hB51VCGr032663@genesis.camaross.net> Message-ID: On Thu, 4 Dec 2003, Mike Kercher wrote: > See, I have a bigger problem with discarding mail based on incorrect RDNS. > I'd rather reject the message so that HOPEFULLY, someone can fix the > problem. If the emails are accepted by your MTA and then discarded, the > sender assumes that his/her email was delivered successfully. > > Mike I got a few snotty replies so I just discard them all. -- Gerry "The lyfe so short, the craft so long to learne" Chaucer From mkettler at EVI-INC.COM Fri Dec 5 02:06:49 2003 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:21:26 2006 Subject: [OT] AOL blocking MailScanner messages! In-Reply-To: <200312050118.hB51IJGr032215@genesis.camaross.net> References: <20031204170125.B21729@sthomas.net> <200312050118.hB51IJGr032215@genesis.camaross.net> Message-ID: <6.0.0.22.0.20031204210142.02741b50@xanadu.evi-inc.com> At 08:23 PM 12/4/2003, Mike Kercher wrote: >Is it possible to delegate RDNS for a network of less than a /24? What >would the zone be? This is basic DNS admin stuff, and a bit OT for this list. There's an RFC specifying how to do classless in-addr-arpa delegations. In short, it's done with cnames. Need more info, read the RFC and/or ask on a DNS oriented list. http://www.faqs.org/rfcs/rfc2317.html From jrudd at UCSC.EDU Fri Dec 5 07:36:24 2003 
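The RFC 2317 delegation referred to above, worked through for a /28 as an added example that is not part of any post in this thread: the provider's /24 reverse zone delegates a child zone named after the block and points each address at it with a CNAME, and the customer's server holds the PTR records. The block 192.0.2.16/28 and the name server ns1.foo.com. are constructed for illustration; mailserver.foo.com is the name used earlier in the thread.

```python
# Added example: records for an RFC 2317 classless in-addr.arpa delegation.
# Records are (owner, type, rdata) tuples; all addresses and names below are
# constructed sample values.
import ipaddress


def rfc2317_records(cidr, name_servers, ptr_targets):
    """Return (parent_zone, child_zone) record lists for an IPv4 sub-/24 block.

    parent_zone: records the provider adds to its /24 reverse zone.
    child_zone:  PTR records the customer serves from the delegated zone.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or not 25 <= net.prefixlen <= 30:
        raise ValueError("this example handles IPv4 blocks from /25 to /30")
    octets = str(net.network_address).split(".")
    parent = f"{octets[2]}.{octets[1]}.{octets[0]}.in-addr.arpa."
    # RFC 2317 names the child zone "<first address>/<prefix length>".
    child = f"{octets[3]}/{net.prefixlen}.{parent}"

    parent_zone = [(child, "NS", ns) for ns in name_servers]
    child_zone = []
    for host in net.hosts():
        last = str(host).split(".")[3]
        # Provider side: alias the normal reverse name into the child zone.
        parent_zone.append((f"{last}.{parent}", "CNAME", f"{last}.{child}"))
        # Customer side: PTR only for addresses that actually have a name.
        target = ptr_targets.get(str(host))
        if target:
            child_zone.append((f"{last}.{child}", "PTR", target))
    return parent_zone, child_zone


def resolve_ptr(ip, parent_zone, child_zone):
    """Follow CNAME then PTR the way a resolver would; None if no answer."""
    records = {(owner, rtype): rdata
               for owner, rtype, rdata in parent_zone + child_zone}
    owner = ipaddress.ip_address(ip).reverse_pointer + "."
    alias = records.get((owner, "CNAME"))
    if alias is None:
        return None
    return records.get((alias, "PTR"))


def render(zone):
    """Format records as zone-file lines."""
    return "\n".join(f"{owner} IN {rtype} {rdata}" for owner, rtype, rdata in zone)


if __name__ == "__main__":
    parent_zone, child_zone = rfc2317_records(
        "192.0.2.16/28",
        ["ns1.foo.com."],
        {"192.0.2.18": "mailserver.foo.com."},
    )
    print("; provider's 2.0.192.in-addr.arpa zone")
    print(render(parent_zone))
    print("; customer's 16/28.2.0.192.in-addr.arpa zone")
    print(render(child_zone))
    print("; lookup:", resolve_ptr("192.0.2.18", parent_zone, child_zone))
```

An address inside the block without a PTR in the child zone still resolves to nothing, which a receiving server that requires reverse DNS sees as a missing record.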
From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:21:26 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: <20031204170125.B21729@sthomas.net> References: <200312050032.hB50WRGr030539@genesis.camaross.net> <20031204170125.B21729@sthomas.net> Message-ID:
1) So why can't you route all of your outgoing mail through your ISP? (I know, some people do, and some people don't ... I don't, but my reverse DNS works, so I don't need to ... but, that IS what you're supposed to be doing, so if you're having problems, why not do what you're supposed to be doing instead?)
2) If you don't control the in-addr for your IP block, then presumably it's your ISP's -- so make them fix their in-addr allocation. The problem isn't that the in-addr information has to match your mail domain, it just has to _exist_ (mail always comes from hosts that don't match the mail domain indicated). If it doesn't, and it's not your block to host on your DNS server, then your ISP isn't doing their job. Make them fix it, or switch to an ISP that isn't broken.
3) If they won't fix it, then ask them to delegate those addresses to you with NS records (which can be done on a per-IP addr basis, it doesn't have to be done in full class-C blocks).
On Dec 4, 2003, at 5:01 PM, Steve Thomas wrote: > > On Thu, Dec 04, 2003 at 06:37:34PM -0600, Mike Kercher is rumored to > have said: >> >> If not, admins on the other end need to get off their ass and make >> their >> networking correct, complete and in compliance with the RFC's. > > I've only been skimming this thread, so this may have been stated > already. If so, I apologize... > > You're forgetting that reverse dns is a totally different animal than > forward, and that just about anyone with less than a /24 (and many > with a /24 or larger) don't have the reverse zones delegated to their > servers. 
If I own foo.com, I can easily create any forward entry in > the foo.com domain, but making something in the in-addr.arpa domain > point to mailserver.foo.com is not nearly as easy. > > As a for instance, the machine I'm sending this message from is on a > RoadRunner network. We've got a block of addresses allocated to us and > despite repeated assurances that they would delegate the in-addr.arpa > zone for our netblock to our dns server, it's never happened. Now if > RR managed to have a corrupt zone file, forgot to generate PTR records > for our netblock or for some other reason wasn't on the ball, I'd be > "an admin who was sitting on my ass not making my network correct"? I > think not. My dns server is properly configured to serve requests for > the /28 we've been allocated but RR is still in control of the zone. > > Then there's network outages, software failures, fiber cuts, DDoS > attacks, etc, etc to consider. You'll reject mail just because the DNS > server serving the in-addr.arpa zone for the connecting machine is > unreachable? > > I can see adding a warning header or something innocuous like that, > but outright rejecting mail from machines without RDNS properly > configured is overkill, IMHO. > > > Steve > > > -- > "Blessed is the man, who having nothing to say, abstains from giving > wordy evidence of the fact." > - George Eliot (1819-1880) From jrudd at UCSC.EDU Fri Dec 5 07:42:13 2003 
From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:21:26 2006 Subject: [OT] AOL blocking MailScanner messages! In-Reply-To: <6.0.0.22.0.20031204210142.02741b50@xanadu.evi-inc.com> References: <20031204170125.B21729@sthomas.net> <200312050118.hB51IJGr032215@genesis.camaross.net> <6.0.0.22.0.20031204210142.02741b50@xanadu.evi-inc.com> Message-ID: <8A785C00-26F6-11D8-B3EE-003065F939FE@ucsc.edu> On Dec 4, 2003, at 6:06 PM, Matt Kettler wrote: > > At 08:23 PM 12/4/2003, Mike Kercher wrote: >> Is it possible to delegate RDNS for a network of less than a /24? >> What >> would the zone be? > > This is basic DNS admin stuff, and a bit OT for this list. > > There's an RFC specifying how to do classless in-addr-arpa > delegations. In > short, it's done with cnames. Need more info, read the RFC and/or ask > on a > DNS oriented list. > > http://www.faqs.org/rfcs/rfc2317.html > You don't even need to use cnames, you can use ns records. From tony.johansson at SVENSKAKYRKAN.SE Fri Dec 5 08:49:58 2003 From: tony.johansson at SVENSKAKYRKAN.SE (Tony Johansson) Date: Thu Jan 12 21:21:26 2006 Subject: Small log request Message-ID: Wouldn't it be interesting to see what version of SpamAssassin MailScanner is using when it starts? "MailScanner E-Mail Virus Scanner version 4.24-5 starting..." followed by perl -MMail::SpamAssassin -e 'print "MailScanner using SpamAssassin version $Mail::SpamAssassin::VERSION\n";' would be nice IMO Regards, Tony From mailscanner at ecs.soton.ac.uk Fri Dec 5 09:40:40 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:26 2006 Subject: Small log request In-Reply-To: References: Message-ID: <6.0.1.1.2.20031205094020.036be0d0@imap.ecs.soton.ac.uk> At 08:49 05/12/2003, you wrote: >Wouldnt it be interesting to see what version of SpamAssasin MailScanner is >using when it starts? > >"MailScanner E-Mail Virus Scanner version 4.24-5 starting..." followed by > >perl -MMail::SpamAssassin -e 'print "MailScanner using SpamAssassin version >$Mail::SpamAssassin::VERSION\n";' would be nice IMO At that point it doesn't know whether you want to use SA, or even have it installed. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Fri Dec 5 09:41:06 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:26 2006 Subject: Something I'd love to see in MailScanner In-Reply-To: <200312050035.hB50ZAGr030649@genesis.camaross.net> References: <200312050035.hB50ZAGr030649@genesis.camaross.net> Message-ID: <6.0.1.1.2.20031205094044.03aebc60@imap.ecs.soton.ac.uk> At 00:40 05/12/2003, you wrote: >I would LOVE it if, for a Spam Action or High Scoring Spam Action, I could >forward the spam to abuse@. Read the manual please. Check out the "forward" spam action. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From prandal at HEREFORDSHIRE.GOV.UK Fri Dec 5 10:07:04 2003 
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:21:26 2006 Subject: mcafee-autoupdate. Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3BB@jessica.herefordshire.gov.uk> If you're going to log, do it properly: logger -p mail.info McAfee-autoupdate: McAfee updated to version $VERSION Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Michael Baird > Sent: 03 December 2003 21:25 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: mcafee-autoupdate. > > > I noticed the mcafee-autoupdate doesn't write to syslog, when > it updates > the virus scanner (mailstats.pl uses this for it's statistics). It is > just a bash script, so I stuck in a logger line, with syntax matching > other updaters, if this functionality could be added into the main > updater that would be nice. > > run wget --passive-ftp --progress=dot:mega $FTPDIR/$TARFILE > run tar xvf $TARFILE > #### Added for mailstats.pl virus update time graphing ##### > logger -p mail.info McAfee-autoupdate: McAfee updated > > Regards > MIKE > From mailscanner at ecs.soton.ac.uk Fri Dec 5 10:21:57 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:26 2006 Subject: mcafee-autoupdate. In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3BB@jessica.herefords hire.gov.uk> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3BB@jessica.herefordshire.gov.uk> Message-ID: <6.0.1.1.2.20031205102126.039433f0@imap.ecs.soton.ac.uk> I have implemented it like this: +++ mcafee-autoupdate 2003-12-05 10:20:54.000000000 +0000 
@@ -236,6 +236,7 @@ esac say Completed OK +run logger -p mail.info McAfee-autoupdate: McAfee updated to version $VERSION 2>/dev/null run exit 0 # done Tony --- Does that look okay? I don't want errors if logger happens not to exist. At 10:07 05/12/2003, you wrote: >If you're going to log, do it properly: > >logger -p mail.info McAfee-autoupdate: McAfee updated to version $VERSION > >Phil > >--------------------------------------------- >Phil Randal >Network Engineer >Herefordshire Council >Hereford, UK > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Michael Baird > > Sent: 03 December 2003 21:25 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: mcafee-autoupdate. > > > > > > I noticed the mcafee-autoupdate doesn't write to syslog, when > > it updates > > the virus scanner (mailstats.pl uses this for it's statistics). It is > > just a bash script, so I stuck in a logger line, with syntax matching > > other updaters, if this functionality could be added into the main > > updater that would be nice. > > > > run wget --passive-ftp --progress=dot:mega $FTPDIR/$TARFILE > > run tar xvf $TARFILE > > #### Added for mailstats.pl virus update time graphing ##### > > logger -p mail.info McAfee-autoupdate: McAfee updated > > > > Regards > > MIKE > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From dh at UPTIME.AT Fri Dec 5 11:13:45 2003 
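Review bot: On the added `run logger ... 2>/dev/null` line, the redirect hides error output but not a failing exit status, so on its own it does not meet the stated goal of no errors when logger is absent. The hunk does not show how `run` handles a command that fails; if it aborts the script, a host without logger would stop before `run exit 0` even though the update itself completed. Suggest guarding the call, for example `command -v logger >/dev/null 2>&1 && logger -p mail.info ...`, or calling logger without `run`. Michael Baird's follow-up in this thread also says mailstats.pl expects `[` after the tag, so the tag may need to be `McAfee-autoupdate[]:` for the line to be counted.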
From: dh at UPTIME.AT (David H.) Date: Thu Jan 12 21:21:26 2006 Subject: Small log request In-Reply-To: <6.0.1.1.2.20031205094020.036be0d0@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20031205094020.036be0d0@imap.ecs.soton.ac.uk> Message-ID: <3FD06869.4050500@uptime.at> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Julian Field wrote: > At 08:49 05/12/2003, you wrote: > >> Wouldnt it be interesting to see what version of SpamAssasin >> MailScanner is >> using when it starts? >> >> "MailScanner E-Mail Virus Scanner version 4.24-5 starting..." followed by >> >> perl -MMail::SpamAssassin -e 'print "MailScanner using SpamAssassin >> version >> $Mail::SpamAssassin::VERSION\n";' would be nice IMO > > > At that point it doesn't know whether you want to use SA, or even have it > installed. > -- Not to mention that MailScanner isvery noisy in my logfiles already :) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (Darwin) iD8DBQE/0GhpPMoaMn4kKR4RAyRMAJ9aJyBs9T/FtqbY63tAwP9z6mEY/wCfZnyk UhlLxl68nCBZcyVOp7l9M/g= =QHXs -----END PGP SIGNATURE----- From mailscanner at ecs.soton.ac.uk Fri Dec 5 12:18:19 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:26 2006 Subject: Small log request In-Reply-To: <3FD06869.4050500@uptime.at> References: <6.0.1.1.2.20031205094020.036be0d0@imap.ecs.soton.ac.uk> <3FD06869.4050500@uptime.at> Message-ID: <6.0.1.1.2.20031205121635.03ceb270@imap.ecs.soton.ac.uk> At 11:13 05/12/2003, you wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: RIPEMD160 > >Julian Field wrote: > >>At 08:49 05/12/2003, you wrote: >> >>>Wouldnt it be interesting to see what version of SpamAssasin >>>MailScanner is >>>using when it starts? >>> >>>"MailScanner E-Mail Virus Scanner version 4.24-5 starting..." followed by >>> >>>perl -MMail::SpamAssassin -e 'print "MailScanner using SpamAssassin >>>version >>>$Mail::SpamAssassin::VERSION\n";' would be nice IMO >> >> >>At that point it doesn't know whether you want to use SA, or even have it >>installed. >>-- >Not to mention that MailScanner isvery noisy in my logfiles already > :) If you make it log to something other than mail, say local0 and set up a syslog.conf entry that does something like local0.notice /var/log/MailScanner.log then you won't log any info, just the important warnings. You don't have to write everything into your logs if you don't want to. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From jaearick at COLBY.EDU Fri Dec 5 12:37:14 2003 
From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:21:26 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: <200312050032.hB50WRGr030539@genesis.camaross.net> References: <200312050032.hB50WRGr030539@genesis.camaross.net> Message-ID: Y'all, I ran Rickert's sendmail ruleset for about 6 hours yesterday, then removed it and looked at the 500 sendmail rejects that it generated for the "Fix reverse DNS" error. I rejected emails from 364 unique IP numbers. I wrote a script to do a whois on these numbers and the info was ugly. Yes I was rejecting probable spam from APNIC, but I also zapped a lot of stuff from other universities, McGraw-Hill books and other publishers, Amazon (the original spammers!), IBM, the FAA (!), etc. I expect to hear some screaming about my experiment. While I think this is a great idea in theory, in practice it does a lot of collateral damage. I'll let AOL reform the world before trying it again. They will have to convince AT&T (for one) to change their DNS for their subblocks. --- Jeff Earickson Colby College On Thu, 4 Dec 2003, Mike Kercher wrote: > Date: Thu, 4 Dec 2003 18:37:34 -0600 > From: Mike Kercher > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: AOL blocking MailScanner messages! > > I'm running it and I love it. For the most part, legit email has legit DNS. > If not, admins on the other end need to get off their ass and make their > networking correct, complete and in compliance with the RFC's. > > Mike > > > > -----Original Message----- 
> > From: MailScanner mailing list > > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jeff A. Earickson > > Sent: Thursday, December 04, 2003 11:16 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: AOL blocking MailScanner messages! > > > > > > > > However, this has nothing to do with RDNS at all, and nothing to do > > > with what AOL is doing. AOL is implementing refusal of mail from > > > servers that do not have a reverse DNS lookup for their IP. > > It's not > > > rocket science to do in sendmail, i.e. something like this: > > > > > > http://www.cs.niu.edu/~rickert/cf/hack/require_rdns.m4 > > > > > > > Does anybody else out there run this hack, or something > > similar for Exim/ Postfix? I'm giving it a test run on my > > mail server right now, and I wonder if I am shooting myself > > in the foot. Virtually all of the rejections I see smell > > spammy to me. Comments? > > > > Jeff Earickson > > Colby College > > > From mike at TC3NET.COM Fri Dec 5 13:34:22 2003 From: mike at TC3NET.COM (Michael Baird) Date: Thu Jan 12 21:21:26 2006 Subject: mcafee-autoupdate. In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3BB@jessica.herefordshire.gov.uk> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3BB@jessica.herefordshire.gov.uk> Message-ID: <1070631261.8599.2.camel@mike-new2.tc3net.com> Sure, for use in mailstats.pl, you must also have [ after the autoupdate (or change the regexp in mailstats), empty braces will work, the perl updaters would place the PID in between the braces. logger -p mail.info McAfee-autoupdate[]: McAfee updated to version $VERSION Regards MIKE > If you're going to log, do it properly: > > logger -p mail.info McAfee-autoupdate: McAfee updated to version $VERSION > > Phil > > --------------------------------------------- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > > > -----Original Message----- 
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Michael Baird > > Sent: 03 December 2003 21:25 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: mcafee-autoupdate. > > > > > > I noticed the mcafee-autoupdate doesn't write to syslog, when > > it updates > > the virus scanner (mailstats.pl uses this for its statistics). It is > > just a bash script, so I stuck in a logger line, with syntax matching > > other updaters, if this functionality could be added into the main > > updater that would be nice. > > > > run wget --passive-ftp --progress=dot:mega $FTPDIR/$TARFILE > > run tar xvf $TARFILE > > #### Added for mailstats.pl virus update time graphing ##### > > logger -p mail.info McAfee-autoupdate: McAfee updated > > > > Regards > > MIKE > > > From ccampbell at BRUEGGERS.COM Fri Dec 5 14:32:23 2003 From: ccampbell at BRUEGGERS.COM (Christian Campbell) Date: Thu Jan 12 21:21:26 2006 Subject: Custom SA Rules...where to put them? Message-ID: I've tried putting my custom SA .cf file in ~/.spamassassin, /etc/MailScanner/mcp, and /usr/share/spamassassin. The only place it works is /usr/share/spamassassin. However I've read that putting it in /usr/share/spamassassin risks losing any custom work if there is an upgrade. Where is the proper location for me to put my custom .cf files? Christian Christian P. Campbell Systems Engineer Information Technology Department Bruegger's Enterprises, Inc. Desk: (802) 652-9270 Cell: (802) 734-5023 Email: ccampbell at brueggers dot com Registered Linux User #319324 PGP public key available via PGP keyservers or http://www2.brueggers.com/pgp/ccampbell.html "We all know Linux is great... it does infinite loops in 5 seconds." -- Linus Torvalds From prandal at HEREFORDSHIRE.GOV.UK Fri Dec 5 14:42:36 2003
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:21:26 2006 Subject: Custom SA Rules...where to put them? Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3BE@jessica.herefordshire.gov.uk> /etc/mail/spamassassin Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Christian Campbell > Sent: 05 December 2003 14:32 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Custom SA Rules...where to put them? > > > I've tried putting my custom SA .cf file in ~/.spamassassin, > /etc/MailScanner/mcp, and /usr/share/spamassassin. The only > place it works > is /usr/share/spamassassin. However I've read that putting it in > /usr/share/spamassassin risks losing any custom work if there is an > upgrade. > > Where is the proper location for me to put my custom .cf files? > > Christian > > > Christian P. Campbell > Systems Engineer > Information Technology Department > Bruegger's Enterprises, Inc. > Desk: (802) 652-9270 > Cell: (802) 734-5023 > Email: ccampbell at brueggers dot com > Registered Linux User #319324 > > PGP public key available via PGP keyservers > or http://www2.brueggers.com/pgp/ccampbell.html > > "We all know Linux is great... > it does infinite loops in 5 seconds." > -- Linus Torvalds > From mike at CAMAROSS.NET Fri Dec 5 14:49:51 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:21:26 2006 Subject: Something I'd love to see in MailScanner In-Reply-To: <6.0.1.1.2.20031205094044.03aebc60@imap.ecs.soton.ac.uk> Message-ID: <200312051444.hB5EihGr024908@genesis.camaross.net> I understand the forwarding action...I use that now. The problem is that the address which would be forwarded to is dynamic. It also would be to be based on the relaying hostname and not the envelope sender. Make any sense? Mike > -----Original Message-----
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field > Sent: Friday, December 05, 2003 3:41 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Something I'd love to see in MailScanner > > At 00:40 05/12/2003, you wrote: > >I would LOVE it if, for a Spam Action or High Scoring Spam Action, I > >could forward the spam to abuse@. > > Read the manual please. Check out the "forward" spam action. > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From dot at DOTAT.AT Fri Dec 5 14:53:26 2003 From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:21:26 2006 Subject: mcafee-autoupdate. In-Reply-To: References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3BB@jessica.herefordshire.gov.uk> Message-ID: Julian Field wrote: >I have implemented it like this: > >+++ mcafee-autoupdate 2003-12-05 10:20:54.000000000 +0000 >@@ -236,6 +236,7 @@ > esac > > say Completed OK >+run logger -p mail.info McAfee-autoupdate: McAfee updated to version >$VERSION 2>/dev/null > run exit 0 > > # done > >Tony --- Does that look okay? I don't want errors if logger happens not to >exist. Looks plausible. Tony. -- f.a.n.finch http://dotat.at/ LYME REGIS TO LANDS END INCLUDING THE ISLES OF SCILLY: EAST OR NORTHEAST 5, LOCAL 6 AT FIRST. EASING NORTHEAST 4. PATCHY DRIZZLE. MAINLY GOOD, OCCASIONAL MODERATE. MODERATE OR ROUGH, EASING MAINLY SLIGHT. From mike at ZANKER.ORG Fri Dec 5 15:13:14 2003 
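Review bot: the tag in the added `run logger` line is `McAfee-autoupdate:` with no brackets, while Michael Baird's message earlier in this thread says mailstats.pl needs a `[` after the tag (`McAfee-autoupdate[]:`) unless its regexp is changed, so as posted the entry may not be picked up by the statistics it was added for; emitting the bracketed form would match the other updaters. On the same line, `2>/dev/null` only hides logger's error text: if logger is missing the command still returns a non-zero status, so whether the script stays quiet depends on how `run` treats a failed command, and guarding the call (checking for logger first, or appending `|| true`) would make the stated intent explicit. `$VERSION` is also unquoted, and the hunk as mailed has the `+` line wrapped onto a second line, so it will not apply without rejoining.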
From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:21:26 2006 Subject: Red Hat Advanced Server Academic Edition Message-ID: <343090343.1070637194@mallard.open.ac.uk> There was some recent conversation about what to do when Red Hat 8.0 and below are no longer supported at the end of this year. Higher education institutions may be interested to know that an annual license for RHEL AS can be purchased for $50 from http://www.redhat.com/. This gives you access to ISOs and RHN updates for versions 2.1 and 3.0. I can confirm that MailScanner works fine on RHAS 2.1 (which is based on RH 7.2) with either the supplied sendmail or Exim. I haven't tried version 3.0, but if MailScanner works on RH 8 and 9 it should be OK. Regards, Mike. From Denis.Beauchemin at USHERBROOKE.CA Fri Dec 5 15:17:35 2003 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:21:26 2006 Subject: Red Hat Advanced Server Academic Edition In-Reply-To: <343090343.1070637194@mallard.open.ac.uk> References: <343090343.1070637194@mallard.open.ac.uk> Message-ID: <1070637455.1935.25.camel@dbeauchemin.sti.usherbrooke.ca> If you're interested in the management feature of Red Hat Network to keep your systems up to date then this won't cut it because it is an update only. In clear it means that you can't install patch X to servers A, B, C and D in a single operation unless your systems are under a management option. This feature is important to us because we have close to 40 servers to maintain. Denis On Fri 05/12/2003 at 10:13, Mike Zanker wrote: > There was some recent conversation about what to do when Red Hat 8.0 > and below are no longer supported at the end of this year. Higher > education institutions may be interested to know that an annual license > for RHEL AS can be purchased for $50 from http://www.redhat.com/. > > This gives you access to ISOs and RHN updates for versions 2.1 and 3.0. > I can confirm that MailScanner works fine on RHAS 2.1 (which is based > on RH 7.2) with either the supplied sendmail or Exim. I haven't tried > version 3.0, but if MailScanner works on RH 8 and 9 it should be OK. > > Regards, > > Mike. -- Denis Beauchemin, analyste Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From raymond at PROLOCATION.NET Fri Dec 5 15:23:00 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:26 2006 Subject: Red Hat Advanced Server Academic Edition In-Reply-To: <343090343.1070637194@mallard.open.ac.uk> Message-ID: Hi! > This gives you access to ISOs and RHN updates for versions 2.1 and 3.0. > I can confirm that MailScanner works fine on RHAS 2.1 (which is based > on RH 7.2) with either the supplied sendmail or Exim. I haven't tried > version 3.0, but if MailScanner works on RH 8 and 9 it should be OK. Works ok on RHEL 3.0 also. Runs faster than my 1:1 equal server with RH9. Bye, Raymond. From jburzenski at AMERICANHM.COM Fri Dec 5 15:27:57 2003 From: jburzenski at AMERICANHM.COM (Jason Burzenski) Date: Thu Jan 12 21:21:26 2006 Subject: Spam.blacklist.rules critical mass Message-ID: <9BDD6D4AD0795C46974D7D46C17883B809185694@ahm_exchange2> Does anyone know if there is a maximum limit to the number of entries in a rules file? I've been regularly adding entries to my spam.blacklist.rules file which has now reached about 30K in size. I haven't noticed much impact on system performance or memory use but was wondering if someone else has seen a direct correlation between a growing rules file and decreased system performance? At what level did your system start to choke? What's the best practice for blacklisting? Thanks, Jason Burzenski -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031205/e6261c1d/attachment.html From mailscanner at ecs.soton.ac.uk Fri Dec 5 16:00:23 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:26 2006 Subject: Custom SA Rules...where to put them? In-Reply-To: References: Message-ID: <6.0.1.1.2.20031205160005.09832330@imap.ecs.soton.ac.uk> You can just add rules straight onto the end of spam.assassin.prefs.conf if you like. At 14:32 05/12/2003, you wrote: >I've tried putting my custom SA .cf file in ~/.spamassassin, >/etc/MailScanner/mcp, and /usr/share/spamassassin. The only place it works >is /usr/share/spamassassin. However I've read that putting it in >/usr/share/spamassassin risks losing any custom work if there is an >upgrade. > >Where is the proper location for me to put my custom .cf files? > >Christian > > >Christian P. Campbell >Systems Engineer >Information Technology Department >Bruegger's Enterprises, Inc. >Desk: (802) 652-9270 >Cell: (802) 734-5023 >Email: ccampbell at brueggers dot com >Registered Linux User #319324 > >PGP public key available via PGP keyservers >or http://www2.brueggers.com/pgp/ccampbell.html > >"We all know Linux is great... >it does infinite loops in 5 seconds." > -- Linus Torvalds -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mike at ZANKER.ORG Fri Dec 5 16:11:18 2003
From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:21:26 2006 Subject: Red Hat Advanced Server Academic Edition In-Reply-To: <1070640153.1935.30.camel@dbeauchemin.sti.usherbrooke.ca> References: <343090343.1070637194@mallard.open.ac.uk> <1070637455.1935.25.camel@dbeauchemin.sti.usherbrooke.ca> <345668875.1070639772@mallard.open.ac.uk> <1070640153.1935.30.camel@dbeauchemin.sti.usherbrooke.ca> Message-ID: <346574406.1070640678@mallard.open.ac.uk> On 05 December 2003 11:02 -0500 Denis Beauchemin wrote: > Their web site says otherwise (from > http://www.redhat.com/solutions/industries/education/products/): > > Specific features of the academic editions include: > > * 1 Year access to Red Hat Network with Update Module Hmm - maybe their system isn't working properly yet. We purchased some individual subscriptions (not the Site Subscription) yet we have been given management service on all of them. Mike. From ivan at NUCCI.COM.BR Fri Dec 5 16:22:17 2003 
From: ivan at NUCCI.COM.BR (Ivan Mirisola) Date: Thu Jan 12 21:21:26 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: References: <6.0.0.22.0.20031203194846.01fcbd50@xanadu.evi-inc.com> <6.0.0.22.0.20031203205539.02ab9a18@xanadu.evi-inc.com> Message-ID: <3FD0B0B9.4000908@nucci.com.br> Hi people, I have been reading a lot of posts about this issue and I am wondering about something. A lot of people here in Brazil use broadband connections like xDSL and so to implement their own MTA and use it to send spam and other bulk email. Let's say, if a local ISP provides a dynamic IP address to you like 200.174.45.114 you can easily get its reverse DNS name which is 114.45.174.200.in-addr.arpa. Well to me this M4 ruleset doesn't help at all, because I wouldn't be rejecting mail coming from these addresses. I get an average spam of 300+ a day coming from these types of addresses. I think that if we do in fact reject mail based on RDNS we are just forcing those who have a broken DNS configuration to fix their RR records, that's all. I am just trying to share my point of view (if in fact I am right about it). But then again this is going to be way OT here. Feel free to send me PVT email anyone who wants to discuss this any further with me. Best regards to all. Ivan >>> >>> However, this has nothing to do with RDNS at all, and nothing to do >>> with >>> what AOL is doing. AOL is implementing refusal of mail from servers >>> that do >>> not have a reverse DNS lookup for their IP. It's not rocket science >>> to do >>> in sendmail, i.e. something like this: >>> >>> http://www.cs.niu.edu/~rickert/cf/hack/require_rdns.m4 >> From Kevin_Miller at CI.JUNEAU.AK.US Fri Dec 5 16:34:25 2003
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:21:26 2006 Subject: Really tiny feature request Message-ID: <08146035CA49D6119A36009027AC822A0264EB0B@CITY-EXCH-NTS> Was upgrading MS yesterday, and as I was comparing MailScanner.conf and MailScanner.conf.rpmnew it occurred to me that it might be nice to have the version number in the comments at the top of the file. Since there seems to often be a new feature/option added it would help keep things straight when comparing files. No biggie if it doesn't happen - just a small nicety if it does... ...Kevin ------------------- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907) 586-4500 From mikea at MIKEA.ATH.CX Fri Dec 5 16:01:24 2003
From: mikea at MIKEA.ATH.CX (mikea) Date: Thu Jan 12 21:21:26 2006 Subject: Spam.blacklist.rules critical mass In-Reply-To: <9BDD6D4AD0795C46974D7D46C17883B809185694@ahm_exchange2>; from jburzenski@AMERICANHM.COM on Fri, Dec 05, 2003 at 10:27:57AM -0500 References: <9BDD6D4AD0795C46974D7D46C17883B809185694@ahm_exchange2> Message-ID: <20031205100124.A42956@mikea.ath.cx> On Fri, Dec 05, 2003 at 10:27:57AM -0500, Jason Burzenski wrote: > Does anyone know if there is a maximum limit to the number of entries in a > rules file? I've been regularly adding entries to my spam.blacklist.rules > file which has now reached about 30K in size. I haven't noticed much impact > on system performance or memory use but was wondering if someone else has > seen a direct correlation between a growing rules file and decreased system > performance? At what level did your system start to choke? What's the best > practice for blacklisting? I've noticed that there is some correlation between rulefile linecount (and complexity) and SA process time-to-scan, but that is only to be expected. It is much more evident on older, slower machines (e.g., _mine_ *sigh*) than on newer, roomier, faster machines, but (again) that is only to be expected. Even if you can keep the rulefiles in RAM, you still have to go through the rules, and even RAM access time is nonzero. Best practice? Minimal ruleset size and complexity consistent with blocking efficiently. It's not a static thing: rulesets themselves are works in progress. My system starts to choke at about 5K rules, running MS 4.25-13 and SA 2.50, with 5 instances of MS and of SA running. But my box is, as I wrote above, old, small, and slow. Not as small and slow as its predecessor, but small and slow by modern standards. -- Mike Andrews mikea@mikea.ath.cx Tired old sysadmin From mike at ZANKER.ORG Fri Dec 5 15:56:12 2003
From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:21:26 2006 Subject: Red Hat Advanced Server Academic Edition In-Reply-To: <1070637455.1935.25.camel@dbeauchemin.sti.usherbrooke.ca> References: <343090343.1070637194@mallard.open.ac.uk> <1070637455.1935.25.camel@dbeauchemin.sti.usherbrooke.ca> Message-ID: <345668875.1070639772@mallard.open.ac.uk> On 05 December 2003 10:17 -0500 Denis Beauchemin wrote: > If you're interested in the management feature of Red Hat Network to > keep your systems up to date then this won't cut it because it is an > update only. On the contrary, the ones we have purchased today under the scheme show as management service, not just update. Mike. From Denis.Beauchemin at USHERBROOKE.CA Fri Dec 5 16:02:34 2003 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:21:26 2006 Subject: Red Hat Advanced Server Academic Edition In-Reply-To: <345668875.1070639772@mallard.open.ac.uk> References: <343090343.1070637194@mallard.open.ac.uk> <1070637455.1935.25.camel@dbeauchemin.sti.usherbrooke.ca> <345668875.1070639772@mallard.open.ac.uk> Message-ID: <1070640153.1935.30.camel@dbeauchemin.sti.usherbrooke.ca> > On 05 December 2003 10:17 -0500 Denis Beauchemin > wrote: > > > If you're interested in the management feature of Red Hat Network to > > keep your systems up to date then this won't cut it because it is an > > update only. > > On the contrary, the ones we have purchased today under the scheme show > as management service, not just update. > > Mike. Their web site says otherwise (from http://www.redhat.com/solutions/industries/education/products/): Specific features of the academic editions include: * 1 Year access to Red Hat Network with Update Module * Red Hat Enterprise Linux WS (x86, IPF, or AMD64) channel for WS * Red Hat Enterprise Linux AS (x86, IPF, or AMD64) channel for AS Denis -- Denis Beauchemin, analyste Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From mailscanner at ecs.soton.ac.uk Fri Dec 5 16:44:13 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:26 2006 Subject: Spam.blacklist.rules critical mass In-Reply-To: <9BDD6D4AD0795C46974D7D46C17883B809185694@ahm_exchange2> References: <9BDD6D4AD0795C46974D7D46C17883B809185694@ahm_exchange2> Message-ID: <6.0.1.1.2.20031205164206.0394a0b8@imap.ecs.soton.ac.uk> At 15:27 05/12/2003, you wrote: >Does anyone know if there is a maximum limit to the number of entries in a >rules file? No theoretical fixed limit, no. > I've been regularly adding entries to my spam.blacklist.rules file > which has now reached about 30K in size. I haven't noticed much impact > on system performance or memory use but was wondering if someone else has > seen a direct correlation between a growing rules file and decreased > system performance? At what level did your system start to choke? What's > the best practice for blacklisting? If you want fast per-domain spam blacklist/whitelisting, use the per-domain stuff in CustomConfig.pm. If you want a straightforward spam blacklist that works very fast, look in the latest CustomConfig.pm and search for "FastSpamList". That code isn't quite what you want, but will be a very good starting point to implement it. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Fri Dec 5 16:49:03 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:26 2006 Subject: Really tiny feature request In-Reply-To: <08146035CA49D6119A36009027AC822A0264EB0B@CITY-EXCH-NTS> References: <08146035CA49D6119A36009027AC822A0264EB0B@CITY-EXCH-NTS> Message-ID: <6.0.1.1.2.20031205164752.03ce6ec0@imap.ecs.soton.ac.uk> At 16:34 05/12/2003, you wrote: >Was upgrading MS yesterday, and as I was comparing MailScanner.conf and >MailScanner.conf.rpmnew it occurred to me that it might be nice to have the >version number in the comments at the top of the file. Since there seems to >often be a new feature/option added it would help keep things straight when >comparing files. > >No biggie if it doesn't happen - just a small nicety if it does... Let me take a look over the weekend, it's just a change to the Build scripts. I'll probably put in a magic "version number" line and replace that when the package is bolted together. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Fri Dec 5 16:45:21 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:26 2006 Subject: Something I'd love to see in MailScanner In-Reply-To: <200312051444.hB5EihGr024908@genesis.camaross.net> References: <6.0.1.1.2.20031205094044.03aebc60@imap.ecs.soton.ac.uk> <200312051444.hB5EihGr024908@genesis.camaross.net> Message-ID: <6.0.1.1.2.20031205164430.03949e28@imap.ecs.soton.ac.uk> At 14:49 05/12/2003, you wrote: >I understand the forwarding action...I use that now. The problem is that >the address which would be forwarded to is dynamic. It also would be to be >based on the relaying hostname and not the envelope sender. Make any sense? In which case use a very simple Custom Function to produce the "Spam Actions" and "High Scoring Spam Actions" which use the $message->{from} and $message->{clientip} to produce their result. >Mike > > > -----Original Message----- > > From: MailScanner mailing list > > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field > > Sent: Friday, December 05, 2003 3:41 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Something I'd love to see in MailScanner > > > > At 00:40 05/12/2003, you wrote: > > >I would LOVE it if, for a Spam Action or High Scoring Spam Action, I > > >could forward the spam to abuse@. > > > > Read the manual please. Check out the "forward" spam action. > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Fri Dec 5 16:47:30 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:26 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: <3FD0B0B9.4000908@nucci.com.br> References: <6.0.0.22.0.20031203194846.01fcbd50@xanadu.evi-inc.com> <6.0.0.22.0.20031203205539.02ab9a18@xanadu.evi-inc.com> <3FD0B0B9.4000908@nucci.com.br> Message-ID: <6.0.1.1.2.20031205164644.03949b98@imap.ecs.soton.ac.uk> At 16:22 05/12/2003, you wrote: >Hi people, > >I have been reading a lot of posts about this issue and I am wondering >about something. >A lot of people here in Brazil use broadband connections like xDSL and >so to implement their own MTA and use it to send spam and other bulk >email. Let's say, if a local ISP provides a dynamic IP address to you like >200.174.45.114 you can easily get its reverse DNS name which is >114.45.174.200.in-addr.arpa. In which case use one of the DULs as a blacklist. These contain all the known dial-up IP addresses, so you can just reject mail that hasn't been sent through their ISP's mail server. >Well to me this M4 ruleset doesn't help at all, because I wouldn't be >rejecting mail coming from these addresses. I get an average spam of >300+ a day coming from these types of addresses. I think that if we do in >fact reject mail based on RDNS we are just forcing those who have a >broken DNS configuration to fix their RR records, that's all. >I am just trying to share my point of view (if in fact I am right about >it). But then again this is going to be way OT here. >Feel free to send me PVT email anyone who wants to discuss this any >further with me. > >Best regards to all. >Ivan > >>>> >>>>However, this has nothing to do with RDNS at all, and nothing to do >>>>with >>>>what AOL is doing. AOL is implementing refusal of mail from servers >>>>that do >>>>not have a reverse DNS lookup for their IP. It's not rocket science >>>>to do >>>>in sendmail, i.e.
something like this: >>>> >>>>http://www.cs.niu.edu/~rickert/cf/hack/require_rdns.m4 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From michele at BLACKNIGHTSOLUTIONS.COM Fri Dec 5 17:07:11 2003 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:21:26 2006 Subject: Ip to country query Message-ID: Has anybody done anything with IP to country regarding sources of spam etc? Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9139897 Lowest price domains in Ireland From ugob at CAMO-ROUTE.COM Fri Dec 5 17:18:10 2003 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:21:26 2006 Subject: Ip to country query Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE271@mtlnt501fs.CAMOROUTE.COM> > -----Original Message----- > From: Michele Neylon :: Blacknight Solutions > [mailto:michele@BLACKNIGHTSOLUTIONS.COM] > Sent: Friday, December 05, 2003 12:07 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Ip to country query > > > Has anybody done anything with IP to country regarding > sources of spam etc? What do you mean? Do you use mailstats? Gives you stats on countries. > > > Mr. Michele Neylon > Blacknight Internet Solutions Ltd > http://www.blacknightsolutions.ie/ > http://www.search.ie/ > Tel. + 353 (0)59 9139897 > Lowest price domains in Ireland > From sailer at BNL.GOV Fri Dec 5 17:20:23 2003
From: sailer at BNL.GOV (Tim Sailer) Date: Thu Jan 12 21:21:26 2006 Subject: Ip to country query In-Reply-To: References: Message-ID: <20031205172023.GA13158@bnl.gov> On Fri, Dec 05, 2003 at 05:07:11PM -0000, Michele Neylon :: Blacknight Solutions wrote: > Has anybody done anything with IP to country regarding sources of spam etc? We routinely look at the country that email was sent from, by IP (using GEO-IP). China, then USA, seem to be the highest sources, at least that we see here... Tim -- Tim Sailer Information and Special Technologies Program Office of CounterIntelligence Brookhaven National Laboratory (631) 344-3001 From mkettler at EVI-INC.COM Fri Dec 5 18:06:19 2003 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:21:26 2006 Subject: Ip to country query In-Reply-To: References: Message-ID: <6.0.0.22.0.20031205130249.029cf5c0@xanadu.evi-inc.com> At 12:07 PM 12/5/2003, Michele Neylon :: Blacknight Solutions wrote: >Has anybody done anything with IP to country regarding sources of spam etc? I use a couple of the blackholes.us lists to add a small amount (max 1.0) to the SA scores of email coming from countries that aren't normally much of the day-to-day email here but generate a lot of spam. Mostly cn-kr and brazil. I keep the scores low to avoid tagging posts to mailing lists (as I do get some legitimate traffic from these countries) but it's helpful with some of the "not quite 5.0" scoring spam. From lists at STHOMAS.NET Fri Dec 5 18:06:21 2003 
From: lists at STHOMAS.NET (Steve Thomas) Date: Thu Jan 12 21:21:26 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: ; from jrudd@UCSC.EDU on Thu, Dec 04, 2003 at 11:36:24PM -0800 References: <200312050032.hB50WRGr030539@genesis.camaross.net> <20031204170125.B21729@sthomas.net> Message-ID: <20031205100621.A16375@sthomas.net> On Thu, Dec 04, 2003 at 11:36:24PM -0800, John Rudd is rumored to have said: > > 1) So why can't you route all of your outgoing mail through your ISP? We don't want or need to. We pay for business class service and run all our own services. The only outside services we rely on are the root DNS servers. > (I know, some people do, and some people don't ... I don't, but my > reverse DNS works, so I don't need to ... but, that IS what you're > supposed to be doing, so if you're having problems, why not do what > you're supposed to be doing instead?) We're not having problems - I simply pointed out a scenario that is entirely possible. And why is relaying through our ISP what we're "supposed to be doing"??!! I thought that what we were "supposed to be doing" is using our Internet connection in any way that pleases us as long as we're not violating our ISP's TOS or breaking any laws. > 2) If you don't control the in-addr for your IP block, then presumably > it's your ISP's -- so make them fix their in-addr allocation. The > problem isn't that the in-addr information has to match your mail > domain, it just has to _exist_ (mail always comes from hosts that don't > match the mail domain indicated). If it doesn't, and it's not your > block to host on your DNS server, then your ISP isn't doing their job. > Make them fix it, or switch to an ISP that isn't broken. Again, it's not broken. I only posed a hypothetical scenario. > 3) If they won't fix it, then ask them to delegate those addresses to > you with NS records (which can be done on a per-IP addr basis, it > doesn't have to be done in full class-C blocks).
I think it's pretty clear at this point that you either didn't read or didn't understand my original message. Steve > On Dec 4, 2003, at 5:01 PM, Steve Thomas wrote: > > > > > On Thu, Dec 04, 2003 at 06:37:34PM -0600, Mike Kercher is rumored to > > have said: > >> > >> If not, admins on the other end need to get off their ass and make > >> their > >> networking correct, complete and in compliance with the RFC's. > > > > I've only been skimming this thread, so this may have been stated > > already. If so, I apologize... > > > > You're forgetting that reverse dns is a totally different animal than > > forward, and that just about anyone with less than a /24 (and many > > with a /24 or larger) don't have the reverse zones delegated to their > > servers. If I own foo.com, I can easily create any forward entry in > > the foo.com domain, but making something in the in-addr.arpa domain > > point to mailserver.foo.com is not nearly as easy. > > > > As a for instance, the machine I'm sending this message from is on a > > RoadRunner network. We've got a block of addresses allocated to us and > > despite repeated assurances that they would delegate the in-addr.arpa > > zone for our netblock to our dns server, it's never happened. Now if > > RR managed to have a corrupt zone file, forgot to generate PTR records > > for our netblock or for some other reason wasn't on the ball, I'd be > > "an admin who was sitting on my ass not making my network correct"? I > > think not. My dns server is properly configured to serve requests for > > the /28 we've been allocated but RR is still in control of the zone. > > > > Then there's network outages, software failures, fiber cuts, DDoS > > attacks, etc, etc to consider. You'll reject mail just because the DNS > > server serving the in-addr.arpa zone for the connecting machine is > > unreachable? 
> > > > I can see adding a warning header or something innocuous like that, > > but outright rejecting mail from machines without RDNS properly > > configured is overkill, IMHO. > > > > > > Steve > > > > > > -- > > "Blessed is the man, who having nothing to say, abstains from giving > > wordy evidence of the fact." > > - George Eliot (1819-1880) -- "Don't be so humble - you are not that great." - Golda Meir (1898-1978) to a visiting diplomat From lists at STHOMAS.NET Fri Dec 5 18:12:36 2003 From: lists at STHOMAS.NET (Steve Thomas) Date: Thu Jan 12 21:21:26 2006 Subject: Ip to country query In-Reply-To: <6.0.0.22.0.20031205130249.029cf5c0@xanadu.evi-inc.com>; from mkettler@EVI-INC.COM on Fri, Dec 05, 2003 at 01:06:19PM -0500 References: <6.0.0.22.0.20031205130249.029cf5c0@xanadu.evi-inc.com> Message-ID: <20031205101236.B16375@sthomas.net> On Fri, Dec 05, 2003 at 01:06:19PM -0500, Matt Kettler is rumored to have said: > > I use a couple of the blackholes.us lists to add a small amount (max 1.0) > to the SA scores of email coming from countries that aren't normally much > of the day-to-day email here but generate a lot of spam. Mostly cn-kr and > brazil. On my personal server, I outright reject mail from hosts on cn-kr. I don't know anyone in those countries and if someone there needs to get a hold of me that badly, they can use a throwaway hotmail account or something. I have *never* received a legitimate e-mail from China or Korea. Of course, YMMV and I'd never do this on our servers at work (being an international company, it'd be a Bad Thing). Steve -- "Talent does what it can; genius does what it must." - Edward George Bulwer-Lytton (1803-1873) From mkettler at EVI-INC.COM Fri Dec 5 18:36:37 2003 
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:21:26 2006 Subject: Something I'd love to see in MailScanner In-Reply-To: <6.0.1.1.2.20031205164430.03949e28@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20031205094044.03aebc60@imap.ecs.soton.ac.uk> <200312051444.hB5EihGr024908@genesis.camaross.net> <6.0.1.1.2.20031205164430.03949e28@imap.ecs.soton.ac.uk> Message-ID: <6.0.0.22.0.20031205132318.0203e0e0@xanadu.evi-inc.com> At 11:45 AM 12/5/2003, Julian Field wrote: > >I understand the forwarding action...I use that now. The problem is that > >the address which would be forwarded to is dynamic. It also would be to be > >based on the relaying hostname and not the envelope sender. Make any sense? > >In which case use a very simple Custom Function to produce the "Spam >Actions" and "High Scoring Spam Actions" which use the $message->{from} and >$message->{clientip} to produce their result. Ugh... now the world can be infected with more broken mailservers. I love MailScanner, it's just unfortunate that it's so easy to do incredibly foolish things with it. Really a system like this should use abuse.net lookups or use a semi-smart system like spamcop, and not do what is suggested above. That's just broken beyond belief. If you're going to do something incredibly stupid like auto-abuse-report spam, at least do it correctly. Comment #3 in SA bug 1219 has some good insights on doing this kind of thing correctly. http://bugzilla.spamassassin.org/show_bug.cgi?id=1219 And note that this was considered as an option for *manual* reporting, it was never considered as an automatic thing. You might want to consider looking at Theo's handlespam script and/or using spamcop. From michele at BLACKNIGHTSOLUTIONS.COM Fri Dec 5 20:40:24 2003 
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:21:26 2006 Subject: Ip to country query In-Reply-To: <54C38A0B814C8E438EF73FC76F3629273AE271@mtlnt501fs.CAMOROUTE.COM> Message-ID: > > Has anybody done anything with IP to country regarding > > sources of spam etc? > > what do you mean? do you use mailstats? Gives you stats on countries. > > That uses Geo IP, which is a different data source. The IP to country database is freely available at: http://ip-to-country.webhosting.info/ We are using an older version of mailwatch (http://mailwatch.sourceforge.net/) for statistics on spam etc., as it can log multiple servers to a central MySQL database. However getting some kind of geographical information would be handy :) The IP to country database seems to be fairly comprehensive and could be stored locally, thus decreasing lookup times M From jrudd at UCSC.EDU Fri Dec 5 20:51:53 2003 
From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:21:27 2006 Subject: AOL blocking MailScanner messages! References: <200312050032.hB50WRGr030539@genesis.camaross.net> <20031204170125.B21729@sthomas.net> <20031205100621.A16375@sthomas.net> Message-ID: <3FD0EFE9.F68B869D@ucsc.edu> Steve Thomas wrote: > > On Thu, Dec 04, 2003 at 11:36:24PM -0800, John Rudd is rumored to have said: > > > > 1) So why can't you route all of your outgoing mail through your ISP? > > We don't want or need to. We pay for business class service and run all our own services. The only outside services we rely on are the root DNS servers. > > > (I know, some people do, and some people don't ... I don't, but my > > reverse DNS works, so I don't need to ... but, that IS what you're > > supposed to be doing, so if you're having problems, why not do what > > you're supposed to be doing instead?) > > We're not having problems - I simply pointed out a scenario that is entirely possible. And the questions are framed within that scenario. If you're not having problems in real life, then answer the questions from within the scenario (ie. as if you were having the problem). > And why is relaying through our ISP what we're "supposed to be doing"??!! I thought that what we were "supposed to be doing" is using our Internet connection in any way that pleases us as long as we're not violating our ISP's TOS or breaking any laws. That's one way to look at it. Another is that you're using IP addresses that belong to your ISP, and with the current state of the net many people don't want to receive direct mail connections from end-customers on low end connections (ie. where you don't have enough fixed infrastructure in place that you control everything INCLUDING your reverse DNS). 
It's not just that they might be spammers (low end -> non-permanent -> the spammer's "ISP account of the day"), it's that they might be legitimate end users who might be hosting the latest open-proxy trojan that has turned their workstation into a spam relay. Rather than play those whack-a-mole games, you simply block all of those addresses. For some, that means blocking DUL lists, for some they expand that to include DSL customers. And another good way to catch those people is to target people whose reverse DNS isn't properly set up ... because in many cases, it's not set up properly because they don't control it, because they don't own the network address block. So, make those people relay through their ISP, and you don't have to deal with all of those head-aches and potential-whack-a-mole's. It's simple, effective, and doesn't place an unreasonable burden upon the mail senders. > > 2) If you don't control the in-addr for your IP block, then presumably > > it's your ISP's -- so make them fix their in-addr allocation. The > > problem isn't that the in-addr information has to match your mail > > domain, it just has to _exist_ (mail always comes from hosts that don't > > match the mail domain indicated). If it doesn't, and it's not your > > block to host on your DNS server, then your ISP isn't doing their job. > > Make them fix it, or switch to an ISP that isn't broken. > > Again, it's not broken. I only posed a hypothetical scenario. And, again, answer it from within the hypothetical scenario. If you were having the problem, and you didn't control your in-addr block, then it's presumably your ISP's block, so why can't you make them fix it or move to a different ISP if they're not responsible enough to fix it? > > 3) If they won't fix it, then ask them to delegate those addresses to > > you with NS records (which can be done on a per-IP addr basis, it > > doesn't have to be done in full class-C blocks). 
> > I think it's pretty clear at this point that you either didn't read or didn't understand my original message. It doesn't fit the very specific case you gave of "what if RR hadn't..", but it does fit the general problem. Just because you don't own the block doesn't mean you can't ask your ISP to delegate the specific in-addr addresses to you so that you can manage them yourself. That WOULD fix the problem for some of the people who have reverse DNS problems. > > Steve > > > On Dec 4, 2003, at 5:01 PM, Steve Thomas wrote: > > > > > > > > On Thu, Dec 04, 2003 at 06:37:34PM -0600, Mike Kercher is rumored to > > > have said: > > >> > > >> If not, admins on the other end need to get off their ass and make > > >> their > > >> networking correct, complete and in compliance with the RFC's. > > > > > > I've only been skimming this thread, so this may have been stated > > > already. If so, I apologize... > > > > > > You're forgetting that reverse dns is a totally different animal than > > > forward, and that just about anyone with less than a /24 (and many > > > with a /24 or larger) don't have the reverse zones delegated to their > > > servers. If I own foo.com, I can easily create any forward entry in > > > the foo.com domain, but making something in the in-addr.arpa domain > > > point to mailserver.foo.com is not nearly as easy. > > > > > > As a for instance, the machine I'm sending this message from is on a > > > RoadRunner network. We've got a block of addresses allocated to us and > > > despite repeated assurances that they would delegate the in-addr.arpa > > > zone for our netblock to our dns server, it's never happened. Now if > > > RR managed to have a corrupt zone file, forgot to generate PTR records > > > for our netblock or for some other reason wasn't on the ball, I'd be > > > "an admin who was sitting on my ass not making my network correct"? I > > > think not. 
My dns server is properly configured to serve requests for > > > the /28 we've been allocated but RR is still in control of the zone. > > > > > > Then there's network outages, software failures, fiber cuts, DDoS > > > attacks, etc, etc to consider. You'll reject mail just because the DNS > > > server serving the in-addr.arpa zone for the connecting machine is > > > unreachable? > > > > > > I can see adding a warning header or something innocuous like that, > > > but outright rejecting mail from machines without RDNS properly > > > configured is overkill, IMHO. > > > > > > > > > Steve > > > > > > > > > -- > > > "Blessed is the man, who having nothing to say, abstains from giving > > > wordy evidence of the fact." > > > - George Eliot (1819-1880) > > -- > "Don't be so humble - you are not that great." > - Golda Meir (1898-1978) to a visiting diplomat From michele at BLACKNIGHTSOLUTIONS.COM Fri Dec 5 21:17:31 2003 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:21:27 2006 Subject: weird ClamAv error Message-ID: ClamAv module blocked this today: The following e-mail messages were found to have viruses in them: Sender: xxxx@xxxxx.net IP Address: 127.0.0.1 Recipient: xxxx@xxxx.de Subject: STL Round 2 MessageID: hB5H9Hi2021280 Report: ClamAV Module: Round2.zip was infected: Oversized Zip It was a valid zip file of a text document. The total size of the file was less than 1kb, so our sysadmin is rather confused - especially as the file was clean Anybody??? Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9139897 Lowest price domains in Ireland From DHarding at GILATLA.COM Fri Dec 5 21:16:31 2003 
From: DHarding at GILATLA.COM (Devon Harding - GTHLA) Date: Thu Jan 12 21:21:27 2006 Subject: No subject Message-ID: <97D0DDFA3C2F5B44AAC0960B99E962130172F8CC@VMX.gilatla.com> _____________________ Devon Harding System Administrator Gilat Latin America 954-858-1600 dharding@gilatla.com This e-mail is intended for the above named addressee(s), and may contain information which is confidential or privileged. If you are not the intended recipient, please inform us immediately: you should not copy or use this e-mail for any purpose nor disclose its contents to any person. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031205/272a4307/attachment.html From kevins at BMRB.CO.UK Fri Dec 5 21:27:45 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:21:27 2006 Subject: weird ClamAv error In-Reply-To: References: Message-ID: <1070659669.15679.10.camel@bach.kevinspicer.co.uk> On Fri, 2003-12-05 at 21:17, Michele Neylon :: Blacknight Solutions wrote: > > It was a valid zip file of a text document. The total size of the file was > less than 1kb, so our sysadmin is rather confused - especially as the file > was clean There are thresholds for both total size of zip and compression ratio. The default max compression ratio is currently 20:1 This is rather low actually. If you built clam from source you can tweak this... Direct quote from the clam list... Please edit libclamav/scanners.c, the line 64: #define ZIPOSDET 20 /* FIXME: Make it user definable */ and increase the value to 50. [others have since suggested this should be 70 or higher] From michele at BLACKNIGHTSOLUTIONS.COM Fri Dec 5 21:33:13 2003 
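The "Oversized Zip" verdict discussed in this thread is driven by a compression-ratio threshold, not by archive size. The following is an added example, not part of any message in this archive and not ClamAV's code: it assumes the check compares each member's uncompressed/compressed size ratio with the threshold, and it uses constructed in-memory archives (member names and contents are made up) to show how a clean zip under 1 KB can still exceed 20:1, 50:1 and 70:1.

```python
import hashlib
import io
import zipfile

# Threshold value quoted in the thread from libclamav/scanners.c.
ZIPOSDET = 20

# Constructed sample contents (not taken from the reported message).
# A short text file made of one repeated line compresses extremely well.
CONSTRUCTED_REPETITIVE = b"Round 2 results: TBD\n" * 1000
# Hex digests give text with little repetition, so it compresses poorly.
CONSTRUCTED_VARIED = "".join(
    hashlib.sha256(str(i).encode()).hexdigest() for i in range(50)
).encode()


def build_zip(member_name, payload):
    """Build a one-member deflate-compressed zip in memory and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def member_ratios(zip_bytes):
    """Return (name, uncompressed, compressed, ratio) for every file member.

    Sizes are read from the archive's directory, i.e. what a scanner can see
    before it extracts anything.
    """
    rows = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.compress_size:
                ratio = info.file_size / info.compress_size
            else:
                # Zero compressed bytes: empty member (ratio 0) or a bogus entry.
                ratio = float("inf") if info.file_size else 0.0
            rows.append((info.filename, info.file_size, info.compress_size, ratio))
    return rows


def oversized_members(zip_bytes, max_ratio=ZIPOSDET):
    """Names of members whose ratio meets or exceeds max_ratio (assumed check)."""
    return [name for name, _, _, ratio in member_ratios(zip_bytes)
            if ratio >= max_ratio]


if __name__ == "__main__":
    samples = {
        "Round2.zip": build_zip("Round2.txt", CONSTRUCTED_REPETITIVE),
        "notes.zip": build_zip("notes.txt", CONSTRUCTED_VARIED),
    }
    for archive, data in samples.items():
        print(f"{archive}: {len(data)} bytes on the wire")
        for name, usize, csize, ratio in member_ratios(data):
            print(f"  {name}: {usize} -> {csize} bytes, ratio {ratio:.1f}:1")
        for limit in (20, 50, 70):
            print(f"  flagged at {limit}:1 -> {oversized_members(data, limit)}")
```

Because the ratio depends only on how repetitive the content is, raising the threshold moves the cut-off but does not exempt small archives; a limit on total uncompressed size is a separate check.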
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:21:27 2006 Subject: weird ClamAv error In-Reply-To: <1070659669.15679.10.camel@bach.kevinspicer.co.uk> Message-ID: If this wasn't a public mailing list my comment would be a lot more blunt :) Curses! (that was restrained) Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9139897 Lowest price domains in Ireland > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Kevin Spicer > Sent: 05 December 2003 21:28 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: weird ClamAv error > > > On Fri, 2003-12-05 at 21:17, Michele Neylon :: Blacknight Solutions > wrote: > > > > It was a valid zip file of a text document. The total size of > the file was > > less than 1kb, so our sysadmin is rather confused - especially > as the file > > was clean > > There are thresholds for both total size of zip and compression ratio. > The default max compression ratio is currently 20:1 This is rather low > actually. If you built clam from source you can tweak this... > > Direct quote from the clam list... > > Please edit libclamav/scanners.c, the line 64: > > #define ZIPOSDET 20 /* FIXME: Make it user definable */ > > and increase the value to 50. > > > [others have since suggested this should be 70 or higher] > From dwinkler at ALGORITHMICS.COM Fri Dec 5 21:38:14 2003 From: dwinkler at ALGORITHMICS.COM (Derek Winkler) Date: Thu Jan 12 21:21:27 2006 Subject: weird ClamAv error Message-ID: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B0CB@tormail2.algorithmics.com> I increased it to 50 and still got this error, maybe I'll try 70. -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Kevin Spicer Sent: Friday, December 05, 2003 4:28 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: weird ClamAv error On Fri, 2003-12-05 at 21:17, Michele Neylon :: Blacknight Solutions wrote: > > It was a valid zip file of a text document. The total size of the file was > less than 1kb, so our sysadmin is rather confused - especially as the file > was clean There are thresholds for both total size of zip and compression ratio. The default max compression ratio is currently 20:1 This is rather low actually. If you built clam from source you can tweak this... Direct quote from the clam list... Please edit libclamav/scanners.c, the line 64: #define ZIPOSDET 20 /* FIXME: Make it user definable */ and increase the value to 50. [others have since suggested this should be 70 or higher] -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031205/4ae79d67/attachment.html From mkettler at EVI-INC.COM Fri Dec 5 21:43:31 2003 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:21:27 2006 Subject: [OT] In-Reply-To: <97D0DDFA3C2F5B44AAC0960B99E962130172F8CC@VMX.gilatla.com> References: <97D0DDFA3C2F5B44AAC0960B99E962130172F8CC@VMX.gilatla.com> Message-ID: <6.0.0.22.0.20031205164142.0204c530@xanadu.evi-inc.com> At 04:16 PM 12/5/2003, Devon Harding - GTHLA wrote: >his e-mail is intended for the above named addressee(s), and may contain >information which is confidential or privileged. In fact, the information is so confidential, that it's not even there! WOW! Gotta love HTML messages... 6k of cruft for an empty message. From jrudd at UCSC.EDU Fri Dec 5 22:02:44 2003 
From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:21:27 2006 Subject: Help in testing AV Plugins References: Message-ID: <3FD10084.7EE8F381@ucsc.edu> (I'm cc'ing this to the MailScanner list so that they can run the tests and maybe incorporate these results into their future versions; while I don't care about Outlook, I'm sure others do, and 4/7 of the Outlook tests did get through) Stefan Seiz wrote: > > Hi, > > over on the cgvirusscan list, someone was just running some tests against > our little self made av-scanner which uses Mcafee Virex. It failed on quite > some of the test viruses. > > I'd be interessted if anyone on this list could specificaly run these tests > using the *real* CommuniGate McAfee Plugin. It'd also be interresting to > know how the other AV Plugins are doing with the tests. > > Here's the url to the tests: > > What I use: MailScanner-4.24-5 (with cgp2ms/ms2cgp) and sophos 3.74 w/current IDE's (the sophos AV/savi engine through MailScanner's sophos-wrapper, not via the CGP plug-in) (my IDE update script runs every night at midnight, so my IDE's are current as of last night at 12am Pacific time). I did all of the tests on that page, including the outlook ones. 
Here's what made it through: - Eicar virus sent using BinHex encoding - Outlook 'Space Gap' vulnerability - Outlook 'Blank Folding' Vulnerability - Outlook 'Boundary Space Gap' Vulnerability - Outlook 'Long Boundary' Vulnerability Here's what showed up in my virus folder (with infections removed and replaced by warnings): - Eicar virus sent using BinHex encoding within a MIME segment - (one with a fragmented message, which I think is the second-to-the-last Outlook one, but the message itself was removed and only the warning was present) - A file with a CLSID extension which may hide the real file extension So, those had been cleaned, but got through because they weren't technically viruses according to which MailScanner rules had blocked them (they were blocked because they had dangerous formatting, which was triggered before it determined whether or not they had viruses). The first was blocked because it was a .com file, and we block .com files. The second was blocked because we block fragmented messages. The third was blocked because we block attachments that appear to have multiple file extensions (like foo.txt.exe) because that can mean it's someone trying to sneak an executable through. (and when I say "we block", I mean "we have configured MailScanner to block") ALL of the other messages were completely removed, they never even made it to my virus folder. So, 1/20 that I care about got through. 5/20 could have deployed their payload (4 of those on Outlook, where my standard response is "that's what you get for using Outlook"). 12/20 were silently deleted. Seems decent. There's a little room for improvement, though. It would be nice if MailScanner had been able to open up the BinHex attachment, but it may be that MailScanner expects the AV engine to take that into account. I'm not sure. Unlike John Radel, my MailScanner (using Sophos instead of F-Prot) _DID_ block the "Eicar virus sent using BinHex encoding within a MIME segment" one. 
That might be because of MailScanner versions, or it might be because it really is an AV engine issue (where John Radel thought it was probably more of a MailScanner issue). John From res at AUSICS.NET Fri Dec 5 22:20:31 2003 From: res at AUSICS.NET (Res) Date: Thu Jan 12 21:21:27 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: References: <200312050032.hB50WRGr030539@genesis.camaross.net> Message-ID: Jeff, On Fri, 5 Dec 2003, Jeff A. Earickson wrote: > Y'all, > I ran Rickert's sendmail ruleset for about 6 hours yesterday, then > removed it and looked at the 500 sendmail rejects that it generated > for the "Fix reverse DNS" error. I rejected emails from 364 unique > IP numbers. I wrote a script to do a whois on these numbers and the > info was ugly. Yes I was rejecting probable spam from APNIC, but I > also zapped a lot of stuff from other universities, McGraw-Hill books > and other publishers, Amazon (the original spammers!), IBM, the FAA (!), > etc. I expect to hear some screaming about my experiment. > > While I think this is a great idea in theory, in practice it does a > lot of collateral damage. I'll let AOL reform the world before Can you explain why we should operate non compliant mail servers? JUST to get mail from other non complaint mail servers? Sure, RFC1912 is not law, but its there and its there for a good reason, so do we now start to ignore other RFC's ? or just the ones we dont like? When these people get all there bounced mails they soon get the picture, complain to their IT unit who in turn should get off there lazy asses and fix what should have been setup correctly in the first place! There are just too many lazy incompetant idiots in the IT industry. -- Regards, Res Network Administrator Postmaster / Abusemaster / Flamemaster http://www.ausics.net Australian Hosting Services From ka at PACIFIC.NET Fri Dec 5 23:14:56 2003 
From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:21:27 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: References: <200312050032.hB50WRGr030539@genesis.camaross.net> Message-ID: <3FD11170.20205@pacific.net> Res wrote: > Jeff, > > On Fri, 5 Dec 2003, Jeff A. Earickson wrote: > > >>Y'all, >> I ran Rickert's sendmail ruleset for about 6 hours yesterday, then >>removed it and looked at the 500 sendmail rejects that it generated >>for the "Fix reverse DNS" error. I rejected emails from 364 unique >>IP numbers. I wrote a script to do a whois on these numbers and the >>info was ugly. Yes I was rejecting probable spam from APNIC, but I >>also zapped a lot of stuff from other universities, McGraw-Hill books >>and other publishers, Amazon (the original spammers!), IBM, the FAA (!), >>etc. I expect to hear some screaming about my experiment. >> >>While I think this is a great idea in theory, in practice it does a >>lot of collateral damage. I'll let AOL reform the world before > > > > Can you explain why we should operate non compliant mail servers? JUST to > get mail from other non complaint mail servers? Is accepting mail from non-compliant servers non-compliant? > Sure, RFC1912 is not law, but its there and its there for a good reason, > so do we now start to ignore other RFC's ? or just the ones we dont like? > > When these people get all there bounced mails they soon get the picture, > complain to their IT unit who in turn should get off there lazy asses and > fix what should have been setup correctly in the first place! > There are just too many lazy incompetant idiots in the IT industry. > > -- > Regards, > Res > Network Administrator > Postmaster / Abusemaster / Flamemaster > http://www.ausics.net Australian Hosting Services > > From jim at ENTROPHY-FREE.NET Fri Dec 5 23:53:36 2003 
From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:21:27 2006 Subject: Red Hat Advanced Server Academic Edition In-Reply-To: References: Message-ID: <1070668416.5370.2.camel@chaos.entrophy-free.net> On Fri, 2003-12-05 at 09:23, Raymond Dijkxhoorn wrote: > Hi! > > > This gives you access to ISOs and RHN updates for versions 2.1 and 3.0. > > I can confirm that MailScanner works fine on RHAS 2.1 (which is based > > on RH 7.2) with either the supplied sendmail or Exim. I haven't tried > > version 3.0, but if MailScanner works on RH 8 and 9 it should be OK. > > Works ok on RHEL 3.0 also. Runs faster then my 1:1 equal server with RH9. > I'll second that. My load test showed 3.0 ES to be almost 20% faster than RH 9 on the same hardware. -- The instructions said to use Windows 98 or better, so I installed RedHat. From dan.farmer at PHONEDIR.COM Fri Dec 5 23:56:29 2003 
From: dan.farmer at PHONEDIR.COM (Dan Farmer) Date: Thu Jan 12 21:21:27 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: References: <200312050032.hB50WRGr030539@genesis.camaross.net> Message-ID: On Dec 5, 2003, at 3:20 PM, Res wrote: > Jeff, > > On Fri, 5 Dec 2003, Jeff A. Earickson wrote: > >> Y'all, >> I ran Rickert's sendmail ruleset for about 6 hours yesterday, then >> removed it and looked at the 500 sendmail rejects that it generated >> for the "Fix reverse DNS" error. I rejected emails from 364 unique >> IP numbers. I wrote a script to do a whois on these numbers and the >> info was ugly. Yes I was rejecting probable spam from APNIC, but I >> also zapped a lot of stuff from other universities, McGraw-Hill books >> and other publishers, Amazon (the original spammers!), IBM, the FAA >> (!), >> etc. I expect to hear some screaming about my experiment. >> >> While I think this is a great idea in theory, in practice it does a >> lot of collateral damage. I'll let AOL reform the world before > > > Can you explain why we should operate non compliant mail servers? JUST > to > get mail from other non complaint mail servers? Uh, aren't these blocking rules non-default configurations? So you're saying that 99% of mail servers are non-compliant as installed because they don't block servers with missing rdns? > Sure, RFC1912 is not law, but its there and its there for a good > reason, > so do we now start to ignore other RFC's ? or just the ones we dont > like? > > When these people get all there bounced mails they soon get the > picture, > complain to their IT unit who in turn should get off there lazy asses > and > fix what should have been setup correctly in the first place! Having used these blocks for nearly a month on real production servers, what really happens is this: user1@remotedomain.com sends mail to user2@ourdomain.com, they get the reject and don't read it. 
They proceed to contact user2 by phone to say their mail was rejected and they don't know why. user1 then sends mail to user2@homedomain.com and it goes through fine since homedomain.com isn't blocking missing rdns. Since user1 gets their mail through fine to user2's home/alternate address, they never say anything to their mail server admin, but user2 complains that ourdomain.com is blocking customer/business email's and they can't do their work. And user2 is right - ourdomain.com may be trying to limit spam/viruses/etc by requiring other mail servers to have proper rdns, but it is the server "blocking" legitimate mail (legitimate mail = non-spam, non-virus, business/personal communication, albeit from a server with no rdns) Servers can get away with incorrect/bad rdns simply because 99% of servers will not bounce their messages back, which is why it is a good sign that a large force like AOL is starting to push in that direction, it will make it easier on us when we decide to implement these changes. > There are just too many lazy incompetant idiots in the IT industry. ^-ent Not sure if you're directing this at the non-compliant server admins or the 99% of server admins who aren't blocking like you, but this isn't a black or white issue (I once thought it was, and I spent a month trying to prove it, unsuccessfully.) I will re-implement the blocking when it becomes more commonplace, but I agree with Jeff - I'll let AOL blaze the initial path, in hopes that when I re-implement 99% of servers will be compliant and our users won't be so inconvenienced by it. > -- > Regards, > Res > Network Administrator > Postmaster / Abusemaster / Flamemaster > http://www.ausics.net Australian Hosting Services > From res at AUSICS.NET Fri Dec 5 23:58:46 2003 
From: res at AUSICS.NET (Res) Date: Thu Jan 12 21:21:27 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: <3FD11170.20205@pacific.net> References: <200312050032.hB50WRGr030539@genesis.camaross.net> <3FD11170.20205@pacific.net> Message-ID: On Fri, 5 Dec 2003, Ken Anderson wrote: > > Can you explain why we should operate non compliant mail servers? JUST to > > get mail from other non complaint mail servers? > > Is accepting mail from non-compliant servers non-compliant? Well, that comes down to each individual's interpretation, mine is yes, a non compliant server, is in effect 'broken', why should my network be at risk from something a broken server sends, I mean if you know a server is an open relay, do you knowingly allow it to send mail into your network? -- Regards, Res Network Administrator Postmaster / Abusemaster / Flamemaster http://www.ausics.net Australian Hosting Services From res at AUSICS.NET Sat Dec 6 00:10:37 2003 
From: res at AUSICS.NET (Res) Date: Thu Jan 12 21:21:27 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: References: <200312050032.hB50WRGr030539@genesis.camaross.net> Message-ID: On Fri, 5 Dec 2003, Dan Farmer wrote: > > Can you explain why we should operate non compliant mail servers? JUST > > to > > get mail from other non complaint mail servers? > > Uh, aren't these blocking rules non-default configurations? So you're > saying that 99% of mail servers are non-compliant as installed because > they don't block servers with missing rdns? In there default configuration, sendmail and qmail only get fussy about forwards. > Having used these blocks for nearly a month on real production servers, likewise, 100's of emails a minute 24/7, we've had about 8 complaints all told. > what really happens is this: user1@remotedomain.com sends mail to > user2@ourdomain.com, they get the reject and don't read it. They If they dont read a reject message why is that our fault. > Servers can get away with incorrect/bad rdns simply because 99% of > servers will not bounce their messages back, which is why it is a good > sign that a large force like AOL is starting to push in that direction, > it will make it easier on us when we decide to implement these changes. > > There are just too many lazy incompetant idiots in the IT industry. > ^-ent > > Not sure if you're directing this at the non-compliant server admins or > the 99% of server admins who aren't blocking like you, but this isn't a Anyone who sets up a server that any part directly or indirectly is not correct, fits in that class. It is more so with DNS related material. -- Regards, Res Network Administrator Postmaster / Abusemaster / Flamemaster http://www.ausics.net Australian Hosting Services From res at AUSICS.NET Sat Dec 6 00:04:17 2003 
From: res at AUSICS.NET (Res) Date: Thu Jan 12 21:21:27 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: <3FD0B0B9.4000908@nucci.com.br> References: <6.0.0.22.0.20031203194846.01fcbd50@xanadu.evi-inc.com> <6.0.0.22.0.20031203205539.02ab9a18@xanadu.evi-inc.com> <3FD0B0B9.4000908@nucci.com.br> Message-ID: Hi Ivan, On Fri, 5 Dec 2003, Ivan Mirisola wrote: > fact reject mail based on RDNS we are just forcing those who have a > broken DNS configuration to fix their RR records, that's all. The vast majority of spam in this region comes from Asia/Europe, and the majority of them have no PTR, our spam levels dropped like you'd never believe when we implemented these checks. However the use of a DNSBL that checks for residential IP/Hostname groups would be advantageous to you. -- Regards, Res Network Administrator Postmaster / Abusemaster / Flamemaster http://www.ausics.net Australian Hosting Services From ka at PACIFIC.NET Sat Dec 6 00:59:13 2003 
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:21:27 2006
Subject: AOL blocking MailScanner messages!
In-Reply-To:
References: <200312050032.hB50WRGr030539@genesis.camaross.net> <3FD11170.20205@pacific.net>
Message-ID: <3FD129E1.2060901@pacific.net>

Res wrote:
> On Fri, 5 Dec 2003, Ken Anderson wrote:
>
>
>>>Can you explain why we should operate non compliant mail servers? JUST to
>>>get mail from other non compliant mail servers?
>>
>>Is accepting mail from non-compliant servers non-compliant?
>
>
> Well, that comes down to each individuals interpretation, mine is yes, a
> non compliant server, is in effect 'broken', why should my network be at
> risk from something a broken server sends, I mean if you know a server is
> an open relay, do you knowingly allow it to send mail into your network?

That's not an rfc, that's not non-compliance. That's your interpretation (or rather opinion). But if that works for you, that's great.

I have customers, and it's their interpretation that quickly becomes my problem if I block mail from their relatives. :-)

Ken
Pacific.Net

>
> --
> Regards,
> Res
> Network Administrator
> Postmaster / Abusemaster / Flamemaster
> http://www.ausics.net Australian Hosting Services
>
>

From chris at trudeau.org Sat Dec 6 05:14:13 2003
From: chris at trudeau.org (Chris Trudeau)
Date: Thu Jan 12 21:21:27 2006
Subject: AOL blocking MailScanner messages!
In-Reply-To:
Message-ID: <000101c3bbb7$c9b00070$23c8a8c0@serv>

There (in my interpretation) is no reference to reverse records in the RFC cited below that address mail flow relative to PTR (reverse) records anywhere.

The RFC clearly states:

Make sure your PTR and A records match. For every IP address, there should be a matching PTR record in the in-addr.arpa domain. If a host is multi-homed, (more than one IP address) make sure that all IP addresses have a corresponding PTR record (not just the first one). Failure to have matching PTR and A records can cause loss of Internet services similar to not being registered in the DNS at all. Also, PTR records must point back to a valid A record, not a alias defined by a CNAME. It is highly recommended that you use some software which automates this checking, or generate your DNS data from a database which automatically creates consistent data.

That a PTR record should exist. Unfortunately, it says that for every A record, a PTR should exist. While that IS valid, I'm not sure, I understand how that relates to a configurable entry on almost every MTA created.

Methinks the thread has taken a bad turn...and should either be brought back on course or abandoned altogether.

CT

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Res
Sent: Friday, December 05, 2003 5:21 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: AOL blocking MailScanner messages!

Jeff,

On Fri, 5 Dec 2003, Jeff A. Earickson wrote:

> Y'all,
> I ran Rickert's sendmail ruleset for about 6 hours yesterday, then
> removed it and looked at the 500 sendmail rejects that it generated
> for the "Fix reverse DNS" error. I rejected emails from 364 unique
> IP numbers. I wrote a script to do a whois on these numbers and the
> info was ugly. Yes I was rejecting probable spam from APNIC, but I
> also zapped a lot of stuff from other universities, McGraw-Hill books
> and other publishers, Amazon (the original spammers!), IBM, the FAA (!),
> etc. I expect to hear some screaming about my experiment.
>
> While I think this is a great idea in theory, in practice it does a
> lot of collateral damage. I'll let AOL reform the world before

Can you explain why we should operate non compliant mail servers? JUST to get mail from other non compliant mail servers?

Sure, RFC1912 is not law, but it's there and it's there for a good reason, so do we now start to ignore other RFC's ? or just the ones we don't like?

When these people get all their bounced mails they soon get the picture, complain to their IT unit who in turn should get off their lazy asses and fix what should have been setup correctly in the first place!

There are just too many lazy incompetant idiots in the IT industry.

--
Regards,
Res
Network Administrator
Postmaster / Abusemaster / Flamemaster
http://www.ausics.net Australian Hosting Services

From harryh at CET.COM Sat Dec 6 05:16:50 2003
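The RFC 1912 rule quoted in Chris Trudeau's message above (matching PTR and A records, every address of a multi-homed host covered, no PTR naming a CNAME alias), as an added example that is not part of any post in this thread: a Python audit an admin can run over their own outbound mail hosts to see what a receiver that rejects on reverse DNS would see. The record table is constructed sample data in documentation address ranges, and the function and verdict names are assumptions of this example.

```python
"""PTR/A consistency audit following the RFC 1912 text quoted in the thread.

Every record below is constructed sample data in documentation address ranges.
Verdict names and function names are assumptions of this example.
"""
import ipaddress

# name -> {record type: [values]}; constructed, not real DNS data.
SAMPLE_DNS = {
    # Correct pair: PTR and A agree.
    "10.2.0.192.in-addr.arpa": {"PTR": ["mail.example.org"]},
    # Multi-homed host: the second address 192.0.2.11 was never given a PTR.
    "mail.example.org": {"A": ["192.0.2.10", "192.0.2.11"]},
    # PTR exists but the name resolves to a different address.
    "20.2.0.192.in-addr.arpa": {"PTR": ["mx.example.net"]},
    "mx.example.net": {"A": ["198.51.100.5"]},
    # PTR points at an alias instead of the canonical name.
    "30.2.0.192.in-addr.arpa": {"PTR": ["smtp.example.com"]},
    "smtp.example.com": {"CNAME": ["host7.example.com"]},
    "host7.example.com": {"A": ["192.0.2.30"]},
}


def lookup(records, name, rtype):
    """Return the values of one record type for a name (case-insensitive)."""
    return records.get(name.rstrip(".").lower(), {}).get(rtype, [])


def check_ip(ip, records=SAMPLE_DNS):
    """Classify one address as OK, NO_PTR, PTR_TO_CNAME or A_MISMATCH."""
    reverse_name = ipaddress.ip_address(ip).reverse_pointer
    targets = lookup(records, reverse_name, "PTR")
    if not targets:
        return ("NO_PTR", reverse_name)
    alias = None
    for target in targets:
        if lookup(records, target, "CNAME"):
            alias = target          # RFC 1912: PTR must not name a CNAME alias
            continue
        if ip in lookup(records, target, "A"):
            return ("OK", target)   # forward lookup confirms the reverse one
    if alias is not None:
        return ("PTR_TO_CNAME", alias)
    return ("A_MISMATCH", targets[0])


def audit_host(hostname, records=SAMPLE_DNS):
    """Check every address of a (possibly multi-homed) host, not just the first."""
    return {ip: check_ip(ip, records)[0] for ip in lookup(records, hostname, "A")}


def summarize(ips, records=SAMPLE_DNS):
    """Count verdicts over a list of addresses, e.g. your own outbound relays."""
    counts = {}
    for ip in ips:
        verdict = check_ip(ip, records)[0]
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.20", "192.0.2.30"):
        print(ip, *check_ip(ip))
    print(audit_host("mail.example.org"))
```

Against live DNS, `SAMPLE_DNS` would be replaced by the answers of real PTR, A and CNAME queries for each address.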
From: harryh at CET.COM (Harry Hanson)
Date: Thu Jan 12 21:21:27 2006
Subject: Mailscanner/freebsd 5.1/postfix
In-Reply-To: <6.0.1.1.2.20031202084537.03c21008@imap.ecs.soton.ac.uk>
Message-ID: <200312060517.hB65HCfX013515@fili.jiscmail.ac.uk>

Trying to get it setup. Have it all installed and configured, however I can't seem to get MS to start.

/usr/local/libexec/MailScanner: Permission denied

Tho from docs I am unclear on how exactly it needs to be set up to start.

Any advice? Thanks.

From res at AUSICS.NET Sat Dec 6 05:32:25 2003
From: res at AUSICS.NET (Res)
Date: Thu Jan 12 21:21:27 2006
Subject: AOL blocking MailScanner messages!
In-Reply-To: <3FD129E1.2060901@pacific.net>
References: <200312050032.hB50WRGr030539@genesis.camaross.net> <3FD11170.20205@pacific.net> <3FD129E1.2060901@pacific.net>
Message-ID:

On Fri, 5 Dec 2003, Ken Anderson wrote:

> > Well, that comes down to each individuals interpretation, mine is yes, a
> > non compliant server, is in effect 'broken', why should my network be at
> > risk from something a broken server sends, I mean if you know a server is
> > an open relay, do you knowingly allow it to send mail into your network?
>
> That's not an rfc, that's not non-compliance. That's your interpretation

not but RFC1912 is.

> (or rather opinion). But if that works for you, that's great.

much like it is yours :)

> I have customers, and it's their interpretation that quickly becomes my
> problem if I block mail from their relatives. :-)

Well, like I said, 8 complaints... 140K emails a day, now even if I took those 8 in just one day, that's like .000005 of a percent, but it's worse, because those 8 are for ever, total.. IOW it's so few it doesn't even register.

But yes it surprises me because 2 of them were large banking corps, 4 Govt depts, and the other couple were pvt companies.

--
Regards,
Res
Network Administrator
Postmaster / Abusemaster / Flamemaster
http://www.ausics.net Australian Hosting Services

From res at AUSICS.NET Sat Dec 6 06:00:18 2003
From: res at AUSICS.NET (Res)
Date: Thu Jan 12 21:21:27 2006
Subject: AOL blocking MailScanner messages!
Message-ID:

On Sat, 6 Dec 2003, Chris Trudeau wrote:

> That a PTR record should exist. Unfortunately, it says that for every A
> record, a PTR should exist. While that IS valid, I'm not sure, I

By your own quote, in particular to the commencement of the second sentence:

> The RFC clearly states: Make sure your PTR and A records match. For every IP address, there should be a matching PTR record in the in-addr.arpa domain.

--
Regards,
Res
Network Administrator
Postmaster / Abusemaster / Flamemaster
http://www.ausics.net Australian Hosting Services

From mike at TC3NET.COM Fri Dec 5 15:46:44 2003
From: mike at TC3NET.COM (Michael Baird)
Date: Thu Jan 12 21:21:27 2006
Subject: Could not analyze.
Message-ID: <1070639204.8601.22.camel@mike-new2.tc3net.com>

Suddenly I seem to be getting customer complaints about MailScanner sending these messages back to the clients. My Virus Scanner appears to be working properly, what other factors would cause such errors, (they seem to be forwarded messages). I'm using MailScanner-4.25-9/Mcafee Uvscan, max attachments per message = 10.

Regards
MIKE

At Fri Dec 5 08:37:00 2003 the virus scanner said:
Could not analyze message

From P.G.M.Peters at utwente.nl Sat Dec 6 14:35:57 2003
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:21:27 2006
Subject: Ip to country query
In-Reply-To:
References:
Message-ID:

On Fri, 5 Dec 2003 17:07:11 -0000, you wrote:

>Has anybody done anything with IP to country regarding sources of spam etc?

I believe zz.countries.nerd.dk gives the ISO-code of the country.

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From mailscanner at ecs.soton.ac.uk Sat Dec 6 14:45:05 2003
From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk)
Date: Thu Jan 12 21:21:27 2006
Subject: NOTIFY-New Guestbook Entry
Message-ID: <200312061445.hB6Ej5Pc011234@seer.ecs.soton.ac.uk>

New Guestbook-Entry from Johannes Hoen

MailScanner + SpamAssassin is the most powerful team against spam and viruses.

Thanks and go on !

From stiret at ONEREDSHOE.NET Sun Dec 7 16:35:25 2003
From: stiret at ONEREDSHOE.NET (Scott Tiret)
Date: Thu Jan 12 21:21:27 2006
Subject: Mailwatch Installation
Message-ID: <1070814925.4347.13.camel@alain.oneredshoe.net>

Greetings,

I'm having some trouble installing MailWatch on Gentoo.

detta MailScanner # bin/check_mailscanner
Starting MailScanner...
syntax error at /opt/MailScanner/lib/MailScanner/CustomConfig.pm line 143, near "my "
Global symbol "$WhitelistDir" requires explicit package name at /opt/MailScanner/lib/MailScanner/CustomConfig.pm line 143.
BEGIN not safe after errors--compilation aborted at /opt/MailScanner/lib/MailScanner/CustomConfig.pm line 146.
Compilation failed in require at /opt/MailScanner/bin/MailScanner line 43.
BEGIN failed--compilation aborted at /opt/MailScanner/bin/MailScanner line 43.

I've checked and changed the directory locations in CustomConfig.pm at line 143

# Set these to be the location of your whitelist files and blacklist
files
my $WhitelistDir = '/opt/MailScanner/etc/spam.bydomain/whitelist';
my $BlacklistDir = '/opt/MailScanner/etc/spam.bydomain/blacklist';

The directories exist and there does not appear to be any problem with the syntax.

Any suggestions?

Thanks very much,

--
Scott Tiret
04458494 Scott Tiret stiret AT oneredshoe DOT net
Fingerprint = EA80 6414 79DC 6D7D 992F 2F98 F93C 9CB9 0445 8494

From mailscanner at ecs.soton.ac.uk Sun Dec 7 16:57:46 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:27 2006
Subject: Mailwatch Installation
In-Reply-To: <1070814925.4347.13.camel@alain.oneredshoe.net>
References: <1070814925.4347.13.camel@alain.oneredshoe.net>
Message-ID: <6.0.1.1.2.20031207165541.03e02340@imap.ecs.soton.ac.uk>

At 16:35 07/12/2003, you wrote:
>I've checked and changed the directory locations in CustomConfig.pm at
>line 143
>
># Set these to be the location of your whitelist files and blacklist
>files
>my $WhitelistDir = '/opt/MailScanner/etc/spam.bydomain/whitelist';
>my $BlacklistDir = '/opt/MailScanner/etc/spam.bydomain/blacklist';

It looks like you may have made the comment line split itself over 2 lines. Make sure it is only 1 line, or else put a # at the start of the 2nd line.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From stiret at ONEREDSHOE.NET Sun Dec 7 17:09:43 2003
From: stiret at ONEREDSHOE.NET (Scott Tiret)
Date: Thu Jan 12 21:21:27 2006
Subject: Mailwatch Installation
In-Reply-To: <6.0.1.1.2.20031207165541.03e02340@imap.ecs.soton.ac.uk>
References: <1070814925.4347.13.camel@alain.oneredshoe.net> <6.0.1.1.2.20031207165541.03e02340@imap.ecs.soton.ac.uk>
Message-ID: <1070816983.4348.16.camel@alain.oneredshoe.net>

On Sun, 2003-12-07 at 11:57, Julian Field wrote:

> It looks like you may have made the comment line split itself over 2 lines.
> Make sure it is only 1 line, or else put a # at the start of the 2nd line.

The mail client just wrapped the line. The actual CustomConfig.pm has

# Set these to be the location of your whitelist files and blacklist files

all on the same line.

--
Scott Tiret
04458494 Scott Tiret stiret AT oneredshoe DOT net
Fingerprint = EA80 6414 79DC 6D7D 992F 2F98 F93C 9CB9 0445 8494

From Jan-Peter.Koopmann at SECEIDOS.DE Mon Dec 8 07:31:29 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:21:27 2006
Subject: Could not analyze.
Message-ID:

> At Fri Dec 5 08:37:00 2003 the virus scanner said:
> Could not analyze message

Can you give us any more input on the messages that cause this? Attachment yes/no? Encrypted yes/no? Etc.

Regards,
JP

From john at zol.co.zw Mon Dec 8 08:22:33 2003
From: john at zol.co.zw (John Sheppard)
Date: Thu Jan 12 21:21:27 2006
Subject: clamav-0.65 on RH7.3
Message-ID: <3FD450E9.17286.10DBD00@localhost>

Hi all

I am relatively new to this list so pardon me if this question has been asked and answered previously.

I am trying to install clamav-0.65-2 and MS 4.24-5 on a RedHat 7.3 system. The kernel is 2.4.20-24.7 and the version of glibc is 2.2.5-44.

rpm -ivh clamav-0.65-2.i386.rpm gives me:
error: failed dependencies
libc.so.6 (GLIBC_2.3) is needed by clamav -0.65-2.

On checking the RedHat site I see that glibc-2.3 is apparently not available for RH7.3 but is available for RH8.0

What next? Give up on RH7.3 and move to RH8? All comments gratefully received!

Regards
John Sheppard

--
John Sheppard      john@zol.co.zw
211 Harare Drive   Cell: 011 704 220
Mount Pleasant     Phone (263 4) 884783
HARARE             Fax: (263 4) 850653
Zimbabwe

From vinayak at THEARGONCOMPANY.COM Mon Dec 8 08:34:27 2003
From: vinayak at THEARGONCOMPANY.COM (Vinayakam Murugan)
Date: Thu Jan 12 21:21:27 2006
Subject: MailScanner overrides HoldExpensive feature in Sendmail?
Message-ID: <200312081404.27234.vinayak@theargoncompany.com>

Hi

We are using Sendmail 8.12.8 along with MailScanner 4.21. We would like to have the HoldExpensive feature enabled in Sendmail so that sendmail does not deliver mail immediately. However ever since we have started MailScanner, we notice that mail gets delivered immediately. Anybody faced this before? Any pointers on what settings could be tweaked?

--
Warm Regards
~~~~~~~~~~~~~~~~~~~~~~~
Vinayakam Murugan
Manager - Software
The Argon Company
7th floor, Nanavati Mahalaya, 18, Homi Modi Street, Fort, Mumbai 400 023.
Tel: 91-22 - 2288 2163 Ext 118
Help Desk: 91-22 - 2288 2774
Fax Number: 91-22 - 2288 2812
http://www.TheArgonCompany.com

Viruses getting you down? Get your virus protected mailbox at http://www.tassm.com

It's not just about natural talent - it's about perseverance, about putting building blocks in place, about focusing on the processes not the results.

From martinh at SOLID-STATE-LOGIC.COM Mon Dec 8 08:46:19 2003
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:21:27 2006
Subject: Mailscanner/freebsd 5.1/postfix
In-Reply-To: <200312060517.hB65HCfX013515@fili.jiscmail.ac.uk>
References: <200312060517.hB65HCfX013515@fili.jiscmail.ac.uk>
Message-ID: <3FD43A5B.3050507@solid-state-logic.com>

Harry Hanson wrote:
> Trying to get it setup. Have it all installed and configured, however I
> can't seem to get MS to start.
>
> /usr/local/libexec/MailScanner: Permission denied
>
> Tho from docs I am unclear on how exactly it needs to be set up to start.
>
> Any advice? Thanks.

Harry

check that the MailScanner script is executable and that /usr/bin/perl is installed (it's not by default on 5.x).

Also the debug flag in MailScanner.conf can be helpful in trying to figure out what's happening, as are the log files in /var/log/maillog.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From martinh at SOLID-STATE-LOGIC.COM Mon Dec 8 08:48:04 2003
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:21:27 2006
Subject: Mailwatch Installation
In-Reply-To: <1070816983.4348.16.camel@alain.oneredshoe.net>
References: <1070814925.4347.13.camel@alain.oneredshoe.net> <6.0.1.1.2.20031207165541.03e02340@imap.ecs.soton.ac.uk> <1070816983.4348.16.camel@alain.oneredshoe.net>
Message-ID: <3FD43AC4.5080103@solid-state-logic.com>

Scott Tiret wrote:
> On Sun, 2003-12-07 at 11:57, Julian Field wrote:
>
>
>>It looks like you may have made the comment line split itself over 2 lines.
>>Make sure it is only 1 line, or else put a # at the start of the 2nd line.
>
>
> The mail client just wrapped the line. The actual CustomConfig.pm has
>
> # Set these to be the location of your whitelist files and blacklist
> files
>
> all on the same line.
>

Scott

take out the ' characters in the whitelist defns...

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From martinh at SOLID-STATE-LOGIC.COM Mon Dec 8 08:51:00 2003
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:21:27 2006
Subject: Mailwatch Installation
In-Reply-To: <1070816983.4348.16.camel@alain.oneredshoe.net>
References: <1070814925.4347.13.camel@alain.oneredshoe.net> <6.0.1.1.2.20031207165541.03e02340@imap.ecs.soton.ac.uk> <1070816983.4348.16.camel@alain.oneredshoe.net>
Message-ID: <3FD43B74.2050600@solid-state-logic.com>

Scott Tiret wrote:
> On Sun, 2003-12-07 at 11:57, Julian Field wrote:
>
>
>>It looks like you may have made the comment line split itself over 2 lines.
>>Make sure it is only 1 line, or else put a # at the start of the 2nd line.
>
>
> The mail client just wrapped the line. The actual CustomConfig.pm has
>
> # Set these to be the location of your whitelist files and blacklist
> files
>
> all on the same line.
>

Scott

forget that last email - too little coffee (+ a call out at 7.30 this morning to fix a duff switch) :-)

what have you got in the lines previous to the comment?

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From raymond at PROLOCATION.NET Mon Dec 8 08:58:44 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:27 2006
Subject: clamav-0.65 on RH7.3
In-Reply-To: <3FD450E9.17286.10DBD00@localhost>
Message-ID:

Hi!

> rpm -ivh clamav-0.65-2.i386.rpm gives me:
> error: failed dependencies
> libc.so.6 (GLIBC_2.3) is needed by clamav -0.65-2.
>
> On checking the RedHat site I see that glibc-2.3 is apparently not
> available for RH7.3 but is available for RH8.0
>
> What next? Give up on RH7.3 and move to RH8? All comments
> gratefully received!

Would be better to move to Fedora-1 or RedHat 9, but besides that, the Clam install is plain simple. I would suggest installing it from source. Or if there's a SRPMS also, make your own RPM out of it.

Bye,
Raymond.

From Kevin.Spicer at BMRB.CO.UK Mon Dec 8 09:04:01 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:21:27 2006
Subject: clamav-0.65 on RH7.3
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016498DB@pascal.priv.bmrb.co.uk>

John Sheppard wrote:
> What next? Give up on RH7.3 and move to RH8? All comments gratefully
> received!

Build from source (or rebuild the srpm)

From mailscanner at ecs.soton.ac.uk Mon Dec 8 09:18:20 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:27 2006
Subject: MailScanner overrides HoldExpensive feature in Sendmail?
In-Reply-To: <200312081404.27234.vinayak@theargoncompany.com>
References: <200312081404.27234.vinayak@theargoncompany.com>
Message-ID: <6.0.1.1.2.20031208091733.035ae5e8@imap.ecs.soton.ac.uk>

At 08:34 08/12/2003, you wrote:
>Hi
>
>We are using Sendmail 8.12.8 along with MailScanner 4.21. We would like to
>have the HoldExpensive feature enabled in Sendmail so that sendmail does not
>deliver mail immediately. However ever since we have started MailScanner, we
>notice that mail gets delivered immediately. Anybody faced this before? Any
>pointers on what settings could be tweaked?

If you deliver the "expensive" mail to a separate outgoing queue using a MailScanner ruleset, that won't get the immediate delivery attempt.

The other, simpler, route is to set
Delivery Method = queue
instead of batch.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From vinayak at THEARGONCOMPANY.COM Mon Dec 8 09:48:27 2003
From: vinayak at THEARGONCOMPANY.COM (Vinayakam Murugan)
Date: Thu Jan 12 21:21:27 2006
Subject: MailScanner overrides HoldExpensive feature in Sendmail?
In-Reply-To: <6.0.1.1.2.20031208091733.035ae5e8@imap.ecs.soton.ac.uk>
References: <200312081404.27234.vinayak@theargoncompany.com> <6.0.1.1.2.20031208091733.035ae5e8@imap.ecs.soton.ac.uk>
Message-ID: <200312081518.27491.vinayak@theargoncompany.com>

That solves it. Thanks a ton, Julian

On Monday 08 December 2003 14:48, you wrote:
> The other, simpler, route is to set
> Delivery Method = queue
> instead of batch

--
Warm Regards
~~~~~~~~~~~~~~~~~~~~~~~
Vinayakam Murugan
Manager - Software
The Argon Company
7th floor, Nanavati Mahalaya, 18, Homi Modi Street, Fort, Mumbai 400 023.
Tel: 91-22 - 2288 2163 Ext 118
Help Desk: 91-22 - 2288 2774
Fax Number: 91-22 - 2288 2812
http://www.TheArgonCompany.com

Viruses getting you down? Get your virus protected mailbox at http://www.tassm.com

It's not just about natural talent - it's about perseverance, about putting building blocks in place, about focusing on the processes not the results.

From Rvdmerwe at MHG.CO.ZA Mon Dec 8 10:34:31 2003
From: Rvdmerwe at MHG.CO.ZA (Rabie van der Merwe)
Date: Thu Jan 12 21:21:27 2006
Subject: ClamAV 0.65
Message-ID: <39B69D20AF5DD611BA7F00306E1E8F2E02B1395F@cptexc02.bankmed.co.za>

ClamAV appears to be using /root/tmp to scan the mail passing through my box, any ideas on how to change this behaviour?

Using MD9.2 ClamAV0.65 and MailScanner4.25-14

I'm currently not using the perl ClamAV module.

Regards
Rabie

-----Original Message-----
From: Spicer, Kevin [mailto:Kevin.Spicer@BMRB.CO.UK]
Sent: 08 December 2003 11:04
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: clamav-0.65 on RH7.3

John Sheppard wrote:
> What next? Give up on RH7.3 and move to RH8? All comments gratefully
> received!

Build from source (or rebuild the srpm)

**********************************************************************
------ NOTICE ------
This message contains privileged and confidential information intended only for the person or entity to which it is addressed. Any review, retransmission, dissemination, copy or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient, is prohibited. If you received this message in error, please notify the sender immediately by e-mail, facsimile or telephone and thereafter delete the material from any computer. Metropolitan Health Group, its subsidiaries or associates do not accept liability for any personal views expressed in this message.
**********************************************************************

From smilga at MIKROTIK.COM Mon Dec 8 12:51:41 2003
From: smilga at MIKROTIK.COM (Martins Smilga)
Date: Thu Jan 12 21:21:27 2006
Subject: lock.pl
References: <39B69D20AF5DD611BA7F00306E1E8F2E02B1395F@cptexc02.bankmed.co.za>
Message-ID: <181301c3bd8a$06ea22d0$a500010a@martinsss>

May be some one can say what mean this:
(if i type /etc/init.d/mailscanner restart it hang up on restarting and logs say this ) I found in mailscanner.conf but if I comment it is no matter again in logs I see this. What it can be)

Dec 8 15:57:55 frog MailScanner[7168]: MailScanner E-Mail Virus Scanner version 4.24-5 starting...
Dec 8 15:57:56 frog MailScanner[7168]: lock.pl sees Config LockType = flock
Dec 8 15:57:56 frog MailScanner[7168]: lock.pl sees have_module = 0
Dec 8 15:57:56 frog MailScanner[7168]: Using locktype = flock

Martins

From Antony at SOFT-SOLUTIONS.CO.UK Mon Dec 8 12:55:28 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:21:27 2006
Subject: lock.pl
In-Reply-To: <181301c3bd8a$06ea22d0$a500010a@martinsss>
References: <39B69D20AF5DD611BA7F00306E1E8F2E02B1395F@cptexc02.bankmed.co.za> <181301c3bd8a$06ea22d0$a500010a@martinsss>
Message-ID: <200312081255.28210.Antony@Soft-Solutions.co.uk>

On Monday 08 December 2003 12:51 pm, Martins Smilga wrote:

> May be some one can say what mean this:
> (if i type /etc/init.d/mailscanner restart it hang up on restarting and
> logs say this ) I found in mailscanner.conf but if I comment it is no
> matter again in logs I see this. What it can be)
>
> Dec 8 15:57:55 frog MailScanner[7168]: MailScanner E-Mail Virus Scanner
> version 4.24-5 starting...
> Dec 8 15:57:56 frog MailScanner[7168]: lock.pl sees Config LockType =
> flock
> Dec 8 15:57:56 frog MailScanner[7168]: lock.pl sees have_module = 0
> Dec 8 15:57:56 frog MailScanner[7168]: Using locktype = flock

What machine / OS / version are you using?

Antony.

--
90% of networking problems are routing problems.
9 of the remaining 10% are routing problems in the other direction.
The remaining 1% might be something else, but check the routing anyway.

Please reply to the list;
please don't CC me.

From ccampbell at BRUEGGERS.COM Mon Dec 8 13:59:45 2003
From: ccampbell at BRUEGGERS.COM (Christian Campbell)
Date: Thu Jan 12 21:21:27 2006
Subject: Upgrade Production Box
Message-ID:

I'm planning to upgrade MailScanner on a production server, which I can't take down. I assume if I stop MailScanner, and leave Sendmail running, will sendmail keep accepting mail into its queue while I'm upgrading MS which MS can process after upgrading?

Christian

Christian P. Campbell
Systems Engineer
Information Technology Department
Bruegger's Enterprises, Inc.
Desk: (802) 652-9270
Cell: (802) 734-5023
Email: ccampbell at brueggers dot com
Registered Linux User #319324

PGP public key available via PGP keyservers
or http://www2.brueggers.com/pgp/ccampbell.html

"We all know Linux is great...
it does infinite loops in 5 seconds."
-- Linus Torvalds

From raymond at PROLOCATION.NET Mon Dec 8 14:02:00 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:27 2006
Subject: Upgrade Production Box
In-Reply-To:
Message-ID:

Hi!

> I'm planning to upgrade MailScanner on a production server, which I can't
> take down. I assume if I stop MailScanner, and leave Sendmail running, will
> sendmail keep accepting mail into it's queue while I'm upgrading MS which MS
> can process after upgrading?

Yes, that's basically what the first sendmail process will do after upgrading anyway.

bye,
Raymond.

From Antony at SOFT-SOLUTIONS.CO.UK Mon Dec 8 14:04:14 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:21:27 2006
Subject: Upgrade Production Box
In-Reply-To:
References:
Message-ID: <200312081404.14929.Antony@Soft-Solutions.co.uk>

On Monday 08 December 2003 1:59 pm, Christian Campbell wrote:

> I'm planning to upgrade MailScanner on a production server, which I can't
> take down. I assume if I stop MailScanner, and leave Sendmail running,
> will sendmail keep accepting mail into its queue while I'm upgrading MS
> which MS can process after upgrading?

Indeed.

Antony.

--
Wanted: telepath. You know where to apply.

Please reply to the list;
please don't CC me.

From smilga at MIKROTIK.COM Mon Dec 8 14:04:56 2003
From: smilga at MIKROTIK.COM (Martins Smilga)
Date: Thu Jan 12 21:21:27 2006
Subject: lock.pl
References: <39B69D20AF5DD611BA7F00306E1E8F2E02B1395F@cptexc02.bankmed.co.za> <181301c3bd8a$06ea22d0$a500010a@martinsss> <200312081255.28210.Antony@Soft-Solutions.co.uk>
Message-ID: <192a01c3bd94$425daa30$a500010a@martinsss>

Hello,

I have Debian testing version. Also SMTP is not working may this is related.

----- Original Message -----
From: "Antony Stone" To: Sent: Monday, December 08, 2003 2:55 PM Subject: Re: lock.pl > On Monday 08 December 2003 12:51 pm, Martins Smilga wrote: > > > May be some one can say what meen this: > > (if i type /etc/init.d/mailscanner restart it hang up on restarting and > > logs say this ) I founf in mailscanner.conf but if I comment it is no > > matter again in logs I see this. What it can bee) > > > > Dec 8 15:57:55 frog MailScanner[7168]: MailScanner E-Mail Virus Scanner > > version 4.24-5 starting... > > Dec 8 15:57:56 frog MailScanner[7168]: lock.pl sees Config LockType = > > flock > > Dec 8 15:57:56 frog MailScanner[7168]: lock.pl sees have_module = 0 > > Dec 8 15:57:56 frog MailScanner[7168]: Using locktype = flock > > What machine / OS / version are you using? > > Antony. > > -- > 90% of networking problems are routing problems. > 9 of the remaining 10% are routing problems in the other direction. > The remaining 1% might be something else, but check the routing anyway. > > Please reply to the list; > please don't CC me. From pndiku at DSMAGIC.COM Mon Dec 8 14:12:55 2003 From: pndiku at DSMAGIC.COM (Peter C. Ndikuwera) Date: Thu Jan 12 21:21:27 2006 Subject: Mailwatch & clamav module Message-ID: <1070892774.5970.29.camel@mufasa.ds.co.ug> If you're using the clamav module, you may want to add the following line to /var/www/html/mailscanner/functions.php to correctly parse virus reports: define(VIRUS_REGEX, '/(.+) infected: (\S+)/'); // ClamAVModule A Patch file is attached -- Peter C. Ndikuwera Digital Solutions Ltd -------------- next part -------------- --- functions.php.old 2003-12-08 17:12:18.285244256 +0300 +++ functions.php 2003-12-08 17:11:16.093698808 +0300 
@@ -42,8 +42,9 @@ // Regex to pick up the virus names from the reports. //// Change this to match the output of one of your scanners. -define(VIRUS_REGEX, '/(\S+) was infected by (\S+)/'); // SophosSAVI +//define(VIRUS_REGEX, '/(\S+) was infected by (\S+)/'); // SophosSAVI //define(VIRUS_REGEX, '/(.+) contains (\S+)/'); // ClamAV +define(VIRUS_REGEX, '/(.+) infected: (\S+)/'); // ClamAVModule //define(VIRUS_REGEX, '/(>>>) Virus \'(.+)\' found/'); // Sophos //define(VIRUS_REGEX, '/(.+) Infection: (\S+)/'; // F-prot //define(VIRUS_REGEX, '/(.+) Found the (\S+) virus !!!/'); // McAfee From michele at BLACKNIGHTSOLUTIONS.COM Mon Dec 8 14:17:10 2003 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:21:27 2006 Subject: Upgrade Production Box In-Reply-To: Message-ID: You don't really need to stop anything. We upgrade on production boxes all the time. Basically ignore the running instance of MailScanner completely, run the install script make the upgrade to the .conf files and then restart it. No mail will be lost Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message----- 
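Review bot: in the @@ -42,8 +42,9 @@ hunk of functions.php, the added ClamAVModule line passes VIRUS_REGEX to define() as a bare word, as the surrounding lines do; quoting the name, define('VIRUS_REGEX', ...), avoids relying on PHP's undefined-constant fallback, which PHP 8 turns into a fatal error. The new pattern '/(.+) infected: (\S+)/' is unanchored with a greedy (.+), so a report line whose file name itself contains " infected: " would yield the wrong file and virus name; anchoring it with ^ and $ would make the parsed reports more dependable. Because the hunk comments out the SophosSAVI pattern instead of adding an alternative, only one scanner's report format is parsed at a time, which deserves a line in the comment for sites running more than one scanner. The unchanged F-prot context line is also missing its closing parenthesis before the semicolon and would be a parse error if someone uncommented it.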
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Christian Campbell > Sent: 08 December 2003 14:00 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Upgrade Production Box > > > I'm planning to upgrade MailScanner on a production server, which I can't > take down. I assume if I stop MailScanner, and leave Sendmail > running, will > sendmail keep accepting mail into it's queue while I'm upgrading > MS which MS > can process after upgrading? > > Christian > > Christian P. Campbell > Systems Engineer > Information Technology Department > Bruegger's Enterprises, Inc. > Desk: (802) 652-9270 > Cell: (802) 734-5023 > Email: ccampbell at brueggers dot com > Registered Linux User #319324 > > PGP public key available via PGP keyservers > or http://www2.brueggers.com/pgp/ccampbell.html > > "We all know Linux is great... > it does infinite loops in 5 seconds." > -- Linus Torvalds > From Antony at SOFT-SOLUTIONS.CO.UK Mon Dec 8 14:22:41 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:21:27 2006 Subject: Upgrade Production Box In-Reply-To: References: Message-ID: <200312081422.41764.Antony@Soft-Solutions.co.uk> On Monday 08 December 2003 2:17 pm, Michele Neylon :: Blacknight Solutions wrote: > You don't really need to stop anything. We upgrade on production boxes all > the time. > Basically ignore the running instance of MailScanner completely, run the > install script make the upgrade to the .conf files and then restart it. I think the reliability of this depends on how long you take to do the upgrade. If MailScanner decides to kill off an old child and restart a new one, or does its periodic reload of the conf file, whilst you're halfway through the upgrade, it might do something you hadn't expected / intended. Safer I think to shutdown, upgrade, restart. > No mail will be lost True enough, but some of it could get processed in a way you hadn't anticipated. Antony. -- "Reports that say that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns - the ones we don't know we don't know." - Donald Rumsfeld, US Secretary of Defence Please reply to the list; please don't CC me. From mailscanner at ecs.soton.ac.uk Mon Dec 8 14:29:53 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:27 2006 Subject: Upgrade Production Box In-Reply-To: References: Message-ID: <6.0.1.1.2.20031208142836.0371b4e0@imap.ecs.soton.ac.uk> At 13:59 08/12/2003, you wrote: >I'm planning to upgrade MailScanner on a production server, which I can't >take down. I assume if I stop MailScanner, and leave Sendmail running, will >sendmail keep accepting mail into it's queue while I'm upgrading MS which MS >can process after upgrading? You don't say what OS/Version you are running, so it's hard to precise. If you are running one of the RPM-based systems, then service MailScanner stop service MailScanner startin will leave it just running the incoming sendmail but nothing else. Then when you are finished upgrading, service MailScanner restart to get it all going again. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From ccampbell at BRUEGGERS.COM Mon Dec 8 14:44:37 2003 
From: ccampbell at BRUEGGERS.COM (Christian Campbell) Date: Thu Jan 12 21:21:27 2006 Subject: Upgrade Production Box Message-ID: > > At 13:59 08/12/2003, you wrote: > >I'm planning to upgrade MailScanner on a production server, > which I can't > >take down. I assume if I stop MailScanner, and leave > Sendmail running, will > >sendmail keep accepting mail into it's queue while I'm > upgrading MS which MS > >can process after upgrading? > > You don't say what OS/Version you are running, so it's hard > to precise. > If you are running one of the RPM-based systems, then > service MailScanner stop > service MailScanner startin > will leave it just running the incoming sendmail but nothing else. > Then when you are finished upgrading, > service MailScanner restart > to get it all going again. Thanks for the reply Julian. Should I use the ./install.sh script to do the installation, or do an rpm -Uvh on all the packages individually? Christian From newsgroup2 at SPACELINK.COM.AU Mon Dec 8 14:42:40 2003 From: newsgroup2 at SPACELINK.COM.AU (Stuart Clark) Date: Thu Jan 12 21:21:27 2006 Subject: per_user prefs not working ? Message-ID: Hi I am trying to get the per_user preferences working I set SpamAssassin User State Dir = ~/.spamassassin/ in /etc/MailScanner.conf I then created a .spamassassin directory in my home dir I then create a file user_prefs in this directory inside the user_prefs file i put required_hits 10 i then chown and chmod accordingly Restart MailScanner and send a test spam. The headers still tell me it is working on a required hits of 5 What am i doing wrong? Regards Stuart Clark RHCE Spacelink Communications Pty Ltd From tsevy at EPX.COM Mon Dec 8 14:56:51 2003 From: tsevy at EPX.COM (Tom Sevy) Date: Thu Jan 12 21:21:27 2006 Subject: Upgrade Production Box In-Reply-To: <6.0.1.1.2.20031208142836.0371b4e0@imap.ecs.soton.ac.uk> Message-ID: Will the cron job affect this? Or is only checking for a missing process? 
> From: Julian Field > Reply-To: MailScanner mailing list > Date: Mon, 8 Dec 2003 14:29:53 +0000 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Upgrade Production Box > > At 13:59 08/12/2003, you wrote: >> I'm planning to upgrade MailScanner on a production server, which I can't >> take down. I assume if I stop MailScanner, and leave Sendmail running, will >> sendmail keep accepting mail into it's queue while I'm upgrading MS which MS >> can process after upgrading? > > You don't say what OS/Version you are running, so it's hard to precise. > If you are running one of the RPM-based systems, then > service MailScanner stop > service MailScanner startin > will leave it just running the incoming sendmail but nothing else. > Then when you are finished upgrading, > service MailScanner restart > to get it all going again. > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From HancockS at MORGANCO.COM Mon Dec 8 16:30:28 2003 
From: HancockS at MORGANCO.COM (Hancock, Scott) Date: Thu Jan 12 21:21:27 2006 Subject: Exim queue running cron.d fragment? recomplie cron? - debian Message-ID: <3EA1A302A4978A4C970D2C63F327156E02406C97@worc-mail2.int.morganco.com> >> 08,23,38,53 * * * * mail if [ -x /usr/lib/exim/exim3 -a -f >/etc/exim/exim_send.conf ]; then /usr/lib/exim/exim3 -C >/etc/exim/exim_send.conf /-q ; fi > >This is mentioned in the docs somewhere, isn't it? I could have sworn I >mentioned it in there somewhere... You did. ******************************************************** /usr/exim/bin/exim_tidydb /var/spool/exim.in callout > /dev/null /usr/exim/bin/exim_tidydb /var/spool/exim.in retry > /dev/null /usr/exim/bin/exim_tidydb /var/spool/exim.in reject > /dev/null /usr/exim/bin/exim_tidydb /var/spool/exim.in wait-smtp > /dev/null Instead of running Exim as a daemon, some people run it from inetd (for incoming SMTP) and cron (for queue runs), though this disables some of Exim's load management features. If you do this then you do not need to change inetd.conf, but you do need to modify the queue running command in the crontab to /usr/exim/bin/exim -q -C /usr/exim/configure.out ********************************************************** > >That would be correct. Debian's cron no longer uses -odi in testing and >unstable distributions, so when sarge releases (soon, I hope :-) ), it >will be >sorted. But yes, just get rid of the -odi. > I see the fix in the change logs now (after a week off). I was looking at the original package .tar. >> My retry and remote db on the listening side are about 500 MB each when >they should be empty. > >Have you added the cron job to empty them (also in the docs)? > I believe so if you're referring to the above lines from the install page. If not please advise. Sorry for the bother. It was a matter of understanding and applying the notes on my part. I was under the gun at the time of the last email and should have walked away before sending. 
Thanks for taking the time. Scott From dan.farmer at PHONEDIR.COM Mon Dec 8 16:55:11 2003 
From: dan.farmer at PHONEDIR.COM (Dan Farmer) Date: Thu Jan 12 21:21:28 2006 Subject: Could not analyze. In-Reply-To: References: Message-ID: <494CEDE6-299F-11D8-971D-0030656E138E@phonedir.com> On Dec 8, 2003, at 12:31 AM, Jan-Peter Koopmann wrote: >> At Fri Dec 5 08:37:00 2003 the virus scanner said: >> Could not analyze message > > > Can you give us any more input on the messages that cause this? > Attachment yes/no? Encrypted yes/no? Etc. > > Regards, > JP I've just recently had the same thing, here is the report: The following e-mail messages were found to have viruses in them: Sender: xxxxx@phonedir.com IP Address: xxx.xxx.x.xx Recipient: xxxxxxxxxx@aol.com Subject: MessageID: hB8FQg329094 Report: Could not analyze message When I checked the quarantined message, it looks like a folder of 391 files was attached (7.5MB encoded - all word docs, I think), here's the jist of the message: --Apple-Mail-32-248296212 Content-Disposition: attachment; filename=Ad_Analysis_Sheets Content-Type: multipart/x-folder; boundary=Apple-Mail-33-248296213; x-unix-mode=0777; name="Ad_Analysis_Sheets" --Apple-Mail-33-248296213 Content-Disposition: attachment; filename=LUGGAGE.DOC Content-Transfer-Encoding: base64 Content-Type: application/msword; x-unix-mode=0755; name="LUGGAGE.DOC" (250-300 lines of base64 encoding) --Apple-Mail-33-248296213 Content-Disposition: attachment; filename=NEXTFILE.DOC Content-Transfer-Encoding: base64 Content-Type: application/msword; x-unix-mode=0755; name="NEXTFILE.DOC" (250-300 lines of base64 encoding) (repeat 389 more different filenames...) I've called the user and left a message, so I can try and get him to stuff/zip the folder before sending to see if it'll go through that way (especially since AOL would probably reject a 7.5MB attachment if it made it through MS/ClamAV). My relay is RH AS 2.1, w/MS 4.24-5, ClamAV 0.65, SA 2.60. Any ideas? dan From steve.freegard at LBSLTD.CO.UK Mon Dec 8 17:03:27 2003 
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:21:28 2006 Subject: Mailwatch & clamav module Message-ID: <67D9E7698329D411936E00508B6590B902773D33@neelix.lbsltd.co.uk> Hi Peter, This is already in MailWatch CVS, but thanks anyway. Kind regards, Steve. -----Original Message----- From: Peter C. Ndikuwera [mailto:pndiku@DSMAGIC.COM] Sent: 08 December 2003 14:13 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Mailwatch & clamav module If you're using the clamav module, you may want to add the following line to /var/www/html/mailscanner/functions.php to correctly parse virus reports: define(VIRUS_REGEX, '/(.+) infected: (\S+)/'); // ClamAVModule A Patch file is attached -- Peter C. Ndikuwera Digital Solutions Ltd -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From mailscanner at ecs.soton.ac.uk Mon Dec 8 16:04:00 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:28 2006 Subject: Upgrade Production Box In-Reply-To: References: Message-ID: <6.0.1.1.2.20031208160326.03883480@imap.ecs.soton.ac.uk> At 14:44 08/12/2003, you wrote: > > > > At 13:59 08/12/2003, you wrote: > > >I'm planning to upgrade MailScanner on a production server, > > which I can't > > >take down. I assume if I stop MailScanner, and leave > > Sendmail running, will > > >sendmail keep accepting mail into it's queue while I'm > > upgrading MS which MS > > >can process after upgrading? > > > > You don't say what OS/Version you are running, so it's hard > > to precise. > > If you are running one of the RPM-based systems, then > > service MailScanner stop > > service MailScanner startin > > will leave it just running the incoming sendmail but nothing else. > > Then when you are finished upgrading, > > service MailScanner restart > > to get it all going again. > >Thanks for the reply Julian. Should I use the ./install.sh script to do the >installation, or do an rpm -Uvh on all the packages individually? You can't rpm -Uvh the packages as most of them are SRPMs and not RPMs. So use install.sh. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Mon Dec 8 16:04:35 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:28 2006 Subject: Upgrade Production Box In-Reply-To: References: <6.0.1.1.2.20031208142836.0371b4e0@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20031208160403.038a62d0@imap.ecs.soton.ac.uk> At 14:56 08/12/2003, you wrote: >Will the cron job affect this? Or is only checking for a missing process? If you do service MailScanner stop it tells the cron to disable itself until you do a service MailScanner start or "restart". 
> > From: Julian Field > > Reply-To: MailScanner mailing list > > Date: Mon, 8 Dec 2003 14:29:53 +0000 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Upgrade Production Box > > > > At 13:59 08/12/2003, you wrote: > >> I'm planning to upgrade MailScanner on a production server, which I can't > >> take down. I assume if I stop MailScanner, and leave Sendmail > running, will > >> sendmail keep accepting mail into it's queue while I'm upgrading MS > which MS > >> can process after upgrading? > > > > You don't say what OS/Version you are running, so it's hard to precise. > > If you are running one of the RPM-based systems, then > > service MailScanner stop > > service MailScanner startin > > will leave it just running the incoming sendmail but nothing else. > > Then when you are finished upgrading, > > service MailScanner restart > > to get it all going again. > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From steve.freegard at LBSLTD.CO.UK Mon Dec 8 17:02:12 2003 
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:21:28 2006
Subject: per_user prefs not working ?
Message-ID: <67D9E7698329D411936E00508B6590B902773D32@neelix.lbsltd.co.uk>

Hi Stuart,

This doesn't work as you expect because MailScanner runs as a daemon under the account specified by 'Run As User/Run As Group' settings in MailScanner.conf (default=root) so will pick-up the home directory set-up for that account (~/.spamassassin/ is the default).

I'm not sure that the Advanced SpamAssassin Settings are able to handle a ruleset as I've never tried this (and don't plan to) - but you *might* be able to do this to get it to work as you want:

E.g.

SpamAssassin User State Dir = /etc/MailScanner/rules/sa_prefs.rules

Which contains:

FromOrTo: your@e-mail.address.here /home/test/.spamassassin/
FromOrTo: default /root/.spamassassin/

You'll soon know if this value isn't able to handle a ruleset as MailScanner should complain on start if not.

Hope this helps.

Kind regards,
Steve.

--
Steve Freegard
Systems Manager
Littlehampton Book Services Ltd.

-----Original Message-----
From: Stuart Clark [mailto:newsgroup2@SPACELINK.COM.AU] Sent: 08 December 2003 14:43 To: MAILSCANNER@JISCMAIL.AC.UK Subject: per_user prefs not working ? Hi I am trying to get the per_user preferences working I set SpamAssassin User State Dir = ~/.spamassassin/ in /etc/MailScanner.conf I then created a .spamassassin directory in my home dir I then create a file user_prefs in this directory inside the user_prefs file i put required_hits 10 i then chown and chmod accordingly Restart MailScanner and send a test spam. The headers still tell me it is working on a required hits of 5 What am i doing wrong? Regards Stuart Clark RHCE Spacelink Communications Pty Ltd -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From mailscanner at ecs.soton.ac.uk Mon Dec 8 17:05:55 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:28 2006 Subject: Could not analyze. In-Reply-To: <494CEDE6-299F-11D8-971D-0030656E138E@phonedir.com> References: <494CEDE6-299F-11D8-971D-0030656E138E@phonedir.com> Message-ID: <6.0.1.1.2.20031208170533.0388e510@imap.ecs.soton.ac.uk> That's the 200 attachments per message limit kicking in. See MailScanner.conf. At 16:55 08/12/2003, you wrote: >On Dec 8, 2003, at 12:31 AM, Jan-Peter Koopmann wrote: > >>>At Fri Dec 5 08:37:00 2003 the virus scanner said: >>> Could not analyze message >> >> >>Can you give us any more input on the messages that cause this? >>Attachment yes/no? Encrypted yes/no? Etc. >> >>Regards, >> JP > >I've just recently had the same thing, here is the report: > >The following e-mail messages were found to have viruses in them: > > Sender: xxxxx@phonedir.com >IP Address: xxx.xxx.x.xx > Recipient: xxxxxxxxxx@aol.com > Subject: > MessageID: hB8FQg329094 > Report: Could not analyze message > >When I checked the quarantined message, it looks like a folder of 391 >files was attached (7.5MB encoded - all word docs, I think), here's the >jist of the message: > >--Apple-Mail-32-248296212 >Content-Disposition: attachment; > filename=Ad_Analysis_Sheets >Content-Type: multipart/x-folder; > boundary=Apple-Mail-33-248296213; > x-unix-mode=0777; > name="Ad_Analysis_Sheets" > > >--Apple-Mail-33-248296213 >Content-Disposition: attachment; > filename=LUGGAGE.DOC >Content-Transfer-Encoding: base64 >Content-Type: application/msword; > x-unix-mode=0755; > name="LUGGAGE.DOC" > >(250-300 lines of base64 encoding) > >--Apple-Mail-33-248296213 >Content-Disposition: attachment; > filename=NEXTFILE.DOC >Content-Transfer-Encoding: base64 >Content-Type: application/msword; > x-unix-mode=0755; > name="NEXTFILE.DOC" > >(250-300 lines of base64 encoding) > >(repeat 389 more different filenames...) 
> >I've called the user and left a message, so I can try and get him to >stuff/zip the folder before sending to see if it'll go through that way >(especially since AOL would probably reject a 7.5MB attachment if it >made it through MS/ClamAV). My relay is RH AS 2.1, w/MS 4.24-5, ClamAV >0.65, SA 2.60. Any ideas? > >dan -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From Antony at SOFT-SOLUTIONS.CO.UK Mon Dec 8 17:08:53 2003 
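The attachment-count limit Julian Field points to in the message above can be checked against a quarantined message before asking the sender to resend. The following is an added example, not MailScanner's code and not part of the thread: it walks the MIME tree of a constructed message shaped like the Apple Mail folder attachment Dan Farmer describes and compares the number of attachments with the limit of 200. The function names, the placeholder addresses and the counting rule (each leaf part with a filename or an attachment disposition counts once, and the limit is exceeded only above 200) are assumptions; MailScanner's own counting may differ.

```python
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

ATTACHMENT_LIMIT = 200  # the per-message figure quoted in the thread


def build_folder_message(n_files):
    """Constructed sample: a folder sent as multipart/x-folder holding n_files documents."""
    outer = MIMEMultipart("mixed")
    outer["From"] = "sender@example.com"        # placeholder addresses
    outer["To"] = "recipient@example.com"
    outer["Subject"] = "constructed sample"
    outer.attach(MIMEText("Folder attached.\n"))

    folder = MIMEMultipart("x-folder")
    folder.add_header("Content-Disposition", "attachment",
                      filename="Ad_Analysis_Sheets")
    for i in range(n_files):
        doc = MIMEApplication(b"constructed placeholder, not a real document",
                              "msword")
        doc.add_header("Content-Disposition", "attachment",
                       filename="FILE%03d.DOC" % i)
        folder.attach(doc)
    outer.attach(folder)
    return outer.as_bytes()


def summarize(raw, limit=ATTACHMENT_LIMIT):
    """Count attachments in a raw RFC 822 message and compare with the limit.

    Assumed counting rule: a leaf part counts if it carries a filename or a
    Content-Disposition of "attachment". Named multipart containers (such as
    the folder wrapper) are reported separately and are not counted.
    """
    msg = message_from_bytes(raw)
    attachments = []   # filenames of counted leaf parts
    containers = []    # (content type, filename) of named multipart wrappers
    max_depth = 0

    def visit(part, depth):
        nonlocal max_depth
        max_depth = max(max_depth, depth)
        if part.is_multipart():
            if part.get_filename():
                containers.append((part.get_content_type(),
                                   part.get_filename()))
            for child in part.get_payload():
                visit(child, depth + 1)
        elif part.get_filename() or part.get_content_disposition() == "attachment":
            attachments.append(part.get_filename() or "(unnamed)")

    visit(msg, 0)
    return {
        "attachments": len(attachments),
        "first_names": attachments[:3],
        "containers": containers,
        "max_depth": max_depth,
        "limit": limit,
        "over_limit": len(attachments) > limit,
    }


if __name__ == "__main__":
    # 391 is the file count reported for the quarantined message in the thread.
    report = summarize(build_folder_message(391))
    for key, value in report.items():
        print("%-12s %s" % (key, value))
```

To triage a real quarantined message, read its file in binary mode and pass the bytes to `summarize()` in place of the constructed sample.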
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:21:28 2006 Subject: Could not analyze. In-Reply-To: <6.0.1.1.2.20031208170533.0388e510@imap.ecs.soton.ac.uk> References: <494CEDE6-299F-11D8-971D-0030656E138E@phonedir.com> <6.0.1.1.2.20031208170533.0388e510@imap.ecs.soton.ac.uk> Message-ID: <200312081708.53020.Antony@Soft-Solutions.co.uk> On Monday 08 December 2003 5:05 pm, Julian Field wrote: > That's the 200 attachments per message limit kicking in. Sounds more than reasonable to me :) Antony. > See MailScanner.conf. > > At 16:55 08/12/2003, you wrote: > >On Dec 8, 2003, at 12:31 AM, Jan-Peter Koopmann wrote: > >>>At Fri Dec 5 08:37:00 2003 the virus scanner said: > >>> Could not analyze message > >> > >>Can you give us any more input on the messages that cause this? > >>Attachment yes/no? Encrypted yes/no? Etc. > >> > >>Regards, > >> JP > > > >I've just recently had the same thing, here is the report: > > > >The following e-mail messages were found to have viruses in them: > > > > Sender: xxxxx@phonedir.com > >IP Address: xxx.xxx.x.xx > > Recipient: xxxxxxxxxx@aol.com > > Subject: > > MessageID: hB8FQg329094 > > Report: Could not analyze message > > > >When I checked the quarantined message, it looks like a folder of 391 > >files was attached (7.5MB encoded - all word docs, I think), here's the > >jist of the message: > > > >--Apple-Mail-32-248296212 > >Content-Disposition: attachment; > > filename=Ad_Analysis_Sheets > >Content-Type: multipart/x-folder; > > boundary=Apple-Mail-33-248296213; > > x-unix-mode=0777; > > name="Ad_Analysis_Sheets" > > > > > >--Apple-Mail-33-248296213 > >Content-Disposition: attachment; > > filename=LUGGAGE.DOC > >Content-Transfer-Encoding: base64 > >Content-Type: application/msword; > > x-unix-mode=0755; > > name="LUGGAGE.DOC" > > > >(250-300 lines of base64 encoding) > > > >--Apple-Mail-33-248296213 > >Content-Disposition: attachment; > > filename=NEXTFILE.DOC > >Content-Transfer-Encoding: base64 > 
>Content-Type: application/msword; > > x-unix-mode=0755; > > name="NEXTFILE.DOC" > > > >(250-300 lines of base64 encoding) > > > >(repeat 389 more different filenames...) > > > >I've called the user and left a message, so I can try and get him to > >stuff/zip the folder before sending to see if it'll go through that way > >(especially since AOL would probably reject a 7.5MB attachment if it > >made it through MS/ClamAV). My relay is RH AS 2.1, w/MS 4.24-5, ClamAV > >0.65, SA 2.60. Any ideas? > > > >dan -- The idea that Bill Gates appeared like a knight in shining armour to lead all customers out of a mire of technological chaos neatly ignores the fact that it was he who, by peddling second-rate technology, led them into it in the first place. - Douglas Adams in The Guardian, 25th August 1995 Please reply to the list; please don't CC me. From steve.freegard at LBSLTD.CO.UK Mon Dec 8 17:18:02 2003 From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:21:28 2006 Subject: Upgrade Production Box Message-ID: <67D9E7698329D411936E00508B6590B902773D34@neelix.lbsltd.co.uk> Hi Julian, Did this change on a semi-recent version as I upgraded my remaining box to 4.25-14 from 4.24-5 today - I did: service MailScanner stop service MailScanner startin service MailScanner start But MailScanner was restarted mid-upgrade by the hourly cron job?? - did I do something stupid, or was this introduced in a later version?? Cheers, Steve. -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: 08 December 2003 16:05 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Upgrade Production Box At 14:56 08/12/2003, you wrote: >Will the cron job affect this? Or is only checking for a missing >process? If you do service MailScanner stop it tells the cron to disable itself until you do a service MailScanner start or "restart". 
> > From: Julian Field > > Reply-To: MailScanner mailing list > > Date: Mon, 8 Dec 2003 14:29:53 +0000 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Upgrade Production Box > > > > At 13:59 08/12/2003, you wrote: > >> I'm planning to upgrade MailScanner on a production server, which I > >> can't take down. I assume if I stop MailScanner, and leave > >> Sendmail > running, will > >> sendmail keep accepting mail into it's queue while I'm upgrading MS > which MS > >> can process after upgrading? > > > > You don't say what OS/Version you are running, so it's hard to > > precise. If you are running one of the RPM-based systems, then > > service MailScanner stop > > service MailScanner startin > > will leave it just running the incoming sendmail but nothing else. > > Then when you are finished upgrading, > > service MailScanner restart > > to get it all going again. > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From listas at VIRUSATTACK.COM.AR Mon Dec 8 17:22:12 2003 
From: listas at VIRUSATTACK.COM.AR (Ignacio M. Sbampato)
Date: Thu Jan 12 21:21:28 2006
Subject: Trustix & MailScanner
References: <6.0.1.1.2.20031208160326.03883480@imap.ecs.soton.ac.uk>
Message-ID: <002b01c3bdaf$dc8165a0$010010ac@fibertel.com.ar>

People,

I'm wondering if MailScanner is able to run under Trustix Secure Linux 2.0, working with Trustix Mail Server 4.0 (this system uses Postfix as MTA), could you tell me if it's possible? Any experience with this combo?

Best regards,
Ignacio

From gdoris at rogers.com Mon Dec 8 18:03:31 2003
From: gdoris at rogers.com (Gerry Doris)
Date: Thu Jan 12 21:21:28 2006
Subject: mailscanner-mrtg question
Message-ID: <53113.129.80.22.143.1070906611.squirrel@tiger.dorfam.ca>

I've been struggling to make a small change to the mailscanner-mrtg.cfg file but am obviously missing something rather basic.

I only have a few MB of mail running through my server daily. If I use the cfg as released I get a couple of large step functions for the graph that displays the number of MB of mail received. I'd prefer to display smaller values so that the graph is a little more meaningful.

No matter what I do I can't seem to change the scale of the graph to something smaller. I'd like to display KB of mail. How is that done?

Gerry

From mailscanner at ecs.soton.ac.uk Mon Dec 8 18:12:33 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:28 2006 Subject: Upgrade Production Box In-Reply-To: <67D9E7698329D411936E00508B6590B902773D34@neelix.lbsltd.co. uk> References: <67D9E7698329D411936E00508B6590B902773D34@neelix.lbsltd.co.uk> Message-ID: <6.0.1.1.2.20031208181150.028b0700@imap.ecs.soton.ac.uk> Curious. I have a nasty feeling that the rpm -Uvh mailscanner.... does a "service MailScanner restart" at the end, though not quite sure why I wrote that :( At 17:18 08/12/2003, you wrote: >Hi Julian, > >Did this change on a semi-recent version as I upgraded my remaining box to >4.25-14 from 4.24-5 today - I did: > >service MailScanner stop >service MailScanner startin > >service MailScanner start > >But MailScanner was restarted mid-upgrade by the hourly cron job?? - did I >do something stupid, or was this introduced in a later version?? > >Cheers, >Steve. > >-----Original Message----- >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: 08 December 2003 16:05 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Upgrade Production Box > > >At 14:56 08/12/2003, you wrote: > >Will the cron job affect this? Or is only checking for a missing > >process? > >If you do > service MailScanner stop >it tells the cron to disable itself until you do a > service MailScanner start >or "restart". 
> > > > > From: Julian Field > > > Reply-To: MailScanner mailing list > > > Date: Mon, 8 Dec 2003 14:29:53 +0000 > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Upgrade Production Box > > > > > > At 13:59 08/12/2003, you wrote: > > >> I'm planning to upgrade MailScanner on a production server, which I > > >> can't take down. I assume if I stop MailScanner, and leave > > >> Sendmail > > running, will > > >> sendmail keep accepting mail into it's queue while I'm upgrading MS > > which MS > > >> can process after upgrading? > > > > > > You don't say what OS/Version you are running, so it's hard to > > > precise. If you are running one of the RPM-based systems, then > > > service MailScanner stop > > > service MailScanner startin > > > will leave it just running the incoming sendmail but nothing else. > > > Then when you are finished upgrading, > > > service MailScanner restart > > > to get it all going again. > > > -- > > > Julian Field > > > www.MailScanner.info > > > MailScanner thanks transtec Computers for their support > > > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > >-- >This email and any files transmitted with it are confidential and >intended solely for the use of the individual or entity to whom they >are addressed. If you have received this email in error please notify >the sender and delete the message from your mailbox. > >This footnote also confirms that this email message has been swept by >MailScanner (www.mailscanner.info) for the presence of computer viruses. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From raymond at PROLOCATION.NET Mon Dec 8 18:24:13 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:28 2006 Subject: Upgrade Production Box In-Reply-To: <6.0.1.1.2.20031208181150.028b0700@imap.ecs.soton.ac.uk> Message-ID: Hi! > I have a nasty feeling that the rpm -Uvh mailscanner.... does a "service > MailScanner restart" at the end, though not quite sure why I wrote that :( Yes it does. Noticed that several times during upgrading... :) > >But MailScanner was restarted mid-upgrade by the hourly cron job?? - did I > >do something stupid, or was this introduced in a later version?? Bye, Raymond. From kevin at KEVINSPICER.CO.UK Mon Dec 8 18:49:07 2003 
From: kevin at KEVINSPICER.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:21:28 2006
Subject: mailscanner-mrtg question
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB00188B80B@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB00188B80B@pascal.priv.bmrb.co.uk>
Message-ID: <1070909347.16923.7.camel@bach.kevinspicer.co.uk>

On Mon, 2003-12-08 at 18:03, Gerry Doris wrote:
>No matter what I do I can't seem to change the scale of the graph to
>something smaller. I'd like to display KB of mail. How is that done?

This is scaled by mailscanner-mrtg itself so needs to be altered in the mailscanner-mrtg script. Assuming you are running the latest version...

Find the following fragment in /usr/sbin/mailscanner-mrtg (around line 666)

    if ($_[0] =~ /mailbytes/){
        # Mod to convert in MB
        $Total /= 1024 * 1024;
    }

And change it to...

    if ($_[0] =~ /mailbytes/){
        # Mod to convert in KB
        $Total /= 1024;
    }

You'll also need to change the mrtg cfg lines in /etc/mrtg/mailscanner-mrtg.cfg (about line 36 onwards...) - hopefully this should be fairly obvious (just turn all references to Mbytes into Kbytes).

I hope to find a more graceful solution to this issue for the next release.

--
Kevin Spicer (kevin AT kevinspicer DOT co DOT uk)
This message is digitally signed using the GNU Privacy Guard.
My public key may be obtained from http://www.keyserver.net

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031208/cda7b16d/attachment.bin

From jones at ODENSE.KOLLEGIENET.DK Mon Dec 8 19:54:39 2003
From: jones at ODENSE.KOLLEGIENET.DK (Jonas Bardino) Date: Thu Jan 12 21:21:28 2006 Subject: DoS, locale, spool file and unrar log noise Message-ID: <20031208195439.GI1461@bardino.dk> Hi! We're using the latest Debian Testing MailScanner package which is based on a 4.24 version. At the moment it uses SpamAssassin with Pyzor and Razor2 for spam and ClamAV for virus scanning. Exim 3 is used as MTA and almost everything seems to be working fine. The average daily load is about 10000 mails, which does not overburden the server in any way. However, there's quite a bit of "noise" in the logs. We have searched google and the archives for solutions, but so far without any luck. We keep getting a few DoS warnings every day about mails that appear to be quite harmless: Dec 7 14:55:10 cindy MailScanner[27894]: Commercial scanner clamav timed out! Dec 7 14:55:10 cindy MailScanner[27894]: Virus Scanning: Denial Of Service attack detected! (Btw, the clam developers may not like being called commercial :-) Unfortunately the attachments aren't quarantined when that happens, so it's a bit hard to reproduce the problem. According to a google search the default setting related to DoS checks are: max-files = 500, max-size = 10000 (=10 MB), max-recursion = 5 We tried increasing the DoS prevention arguments to ClamAV by adding the following line in /etc/MailScanner/wrapper/clamav-wrapper: ExtraScanOptions="--max-files=10000 --max-space=100000 --max-recursion=20 $ExtraScanOptions" But we still see the DoS warnings. Did anyone find a good way around that, or is it necessary to completely disable the limits? Other occasional log entries include: Dec 3 03:48:42 cindy MailScanner[4208]: Don't know what to do with line 'Content-type :text/html; charset:iso-8859-1' in header array! Is that due to some kind of missing internationalization or a broken client? 
Dec 8 20:01:46 cindy exim[28643]: 2003-12-08 20:01:46 1ATQby-0007K8-00 Spool file 1ATQby-0007K8-00-D not found Google gives a few hits but no answers (we're not running eximon as one of the answers talks about). Another issue is the use of unrar. We used to get log entries like the following occasionally: Dec 7 19:06:59 cindy MailScanner[16206]: ProcessClamAVOutput: RAR module failure. Dec 7 19:06:59 cindy MailScanner[16206]: UNRAR 2.71 freeware Copyright (c) 1993-2000 Eugene Roshal Dec 7 19:06:59 cindy MailScanner[16206]: ProcessClamAVOutput: unrecognised line "UNRAR 2.71 freeware Copyright (c) 1993-2000 Eugene Roshal". Please contact the authors! Dec 7 19:06:59 cindy MailScanner[16206]: Extracting from /var/spool/MailScanner/incoming/16206/./1AT3Ib-0000ex-00/Renusse.part2.rar Dec 7 19:06:59 cindy MailScanner[16206]: ProcessClamAVOutput: unrecognised line "Extracting from /var/spool/MailScanner/incoming/16206/./1AT3Ib-0000ex-00/Renusse.part2.rar". Please contact the authors! Dec 7 19:06:59 cindy MailScanner[16206]: Unknown method in Billede073.jpg Dec 7 19:06:59 cindy MailScanner[16206]: ProcessClamAVOutput: unrecognised line "Unknown method in Billede 073.jpg". Please contact the authors! ...repeated for every file in the archive... Dec 7 19:06:59 cindy MailScanner[16206]: No files to extract Dec 7 19:06:59 cindy MailScanner[16206]: ProcessClamAVOutput: unrecognised line "No files to extract". Please contact the authors! The default unrar package in Debian testing is based on a version 2.71, which, like clam itself, does not support 3.x rar archives. That seems to be the reason for most of the above junk in the logs. After installing a backported version 3.1.3 of unrar, only the module failure notice from Clam's internal extractor as well as the "Copyright" and "Extracting" notices remain. Is that a Debian specific problem? 
The internal RAR module failure can probably be removed by adding "--disable-archive" to the clamav wrapper, but we're not sure if that's a good idea, since it disables all unpacking features of Clam. Some of the output from the separate unrar binary should probably be ignored in SweepViruses.pm. We've tried adding code for that and it appears to work in the installed version. Version 4.25-14 does not seem to change that part of the code, so it is probably only a difference in line numbers. Diffs against the Debian version 4.24.5-1 and the general version 4.25-14 are attached. Can someone please confirm if they do the job? Thanks! ...and sorry if this mail is a too long and messy. Kind regards, Jonas ..and the rest of the FKO Server admins -------------- next part -------------- --- SweepViruses.pm 2003-12-08 15:25:42.000000000 +0100 +++ SweepViruses.pm.fix_debian_rar 2003-12-08 14:52:06.000000000 +0100 @@ -1835,6 +1835,10 @@ return 0; } + # Ignore unrar freeware version info similar to: + # "UNRAR 3.10 freeware Copyright (c) 1993-2002 Eugene Roshal" + return 0 if $line =~ /^UNRAR \d+\.\d+ freeware/; + # clamscan currently stops as soon as one virus is found # therefore there is little point saying which part # it's still a start mind! @@ -1846,6 +1850,13 @@ $clamav_archive = $1; return 0; } + # Catch unrar extracting info on the form: + # "Extracting from INCOMING_PATH/rarfail.rar" + if (/^Extracting from (.*)$/) + { + $clamav_archive = $1; + return 0; + } return 0 if /Empty file.$/; # Normally means you just havn't asked for it if (/: (\S+ module failure\.)/) 
@@ -1854,6 +1865,9 @@ return 0; } return 0 if /^ /; # " inflating", " deflating.." from --unzip + # Ignore "Extracting FILE COMPRESSIONRATE OK " lines from --unrar + return 0 if /^Extracting .*OK $/; + return 0 if /^$/; # blank lines from --unrar if ($clamav_archive && /^$clamav_archive:/) { $clamav_archive = ""; -------------- next part -------------- --- SweepViruses.pm 2003-12-01 17:37:12.000000000 +0100 +++ SweepViruses.pm.rar_fix 2003-12-08 15:27:32.000000000 +0100 @@ -2089,6 +2089,10 @@ # therefore there is little point saying which part # it's still a start mind! + # Ignore unrar freeware version info similar to: + # "UNRAR 3.10 freeware Copyright (c) 1993-2002 Eugene Roshal" + return 0 if $line =~ /^UNRAR \d+\.\d+ freeware/; + # Only tested with --unzip since only windows boxes get viruses ;-) if (/^Archive: (.*)$/) @@ -2096,6 +2100,13 @@ $clamav_archive = $1; return 0; } + # Catch unrar extracting info on the form: + # "Extracting from INCOMING_PATH/rarfail.rar" + if (/^Extracting from (.*)$/) + { + $clamav_archive = $1; + return 0; + } return 0 if /Empty file.$/; # Normally means you just havn't asked for it if (/: (\S+ module failure\.)/) @@ -2104,6 +2115,9 @@ return 0; } return 0 if /^ /; # " inflating", " deflating.." from --unzip + # Ignore "Extracting FILE COMPRESSIONRATE OK " lines from --unrar + return 0 if /^Extracting .*OK $/; + return 0 if /^$/; # blank lines from --unrar if ($clamav_archive && /^$clamav_archive:/) { $clamav_archive = ""; From kmoss at DHOS.NET Mon Dec 8 20:54:21 2003 
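Review bot: In the hunks at @@ -1835,6 +1835,10 @@ and @@ -2089,6 +2089,10 @@, the new banner check matches against $line ("return 0 if $line =~ /^UNRAR \d+\.\d+ freeware/;"), while every neighbouring check, including the two others added by this patch, matches the default variable ("if (/^Archive: (.*)$/)", "return 0 if /Empty file.$/;"). Nothing in the visible context shows $line being set in this scope, so please confirm it holds the current scanner output line at this point; if it does not, the check never fires and the banner keeps reaching the "unrecognised line" branch. Writing it as "return 0 if /^UNRAR \d+\.\d+ freeware/;" would keep it consistent with the rest of the function.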
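Review bot: In the hunks at @@ -1846,6 +1850,13 @@ and @@ -2096,6 +2100,13 @@, the path captured from "Extracting from (.*)" is stored in $clamav_archive, and the unchanged context line further down, "if ($clamav_archive && /^$clamav_archive:/)", interpolates that value into a regex unescaped. The path ends in the attachment's file name, which the sender chooses, so a name containing regex metacharacters can make the later match fail or the pattern not compile. The existing "Archive:" branch has the same exposure, but since this patch adds a second source for the value it is worth quoting at the point of use: /^\Q$clamav_archive\E:/.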
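Review bot: In the hunks at @@ -1854,6 +1865,9 @@ and @@ -2104,6 +2115,9 @@, the pattern /^Extracting .*OK $/ only matches when unrar prints exactly one space after "OK", so a change in trailing whitespace (or a chomp that also strips trailing blanks) sends these lines back to the "unrecognised line" log message. Suggest /^Extracting\s.*\bOK\s*$/. The ordering dependency also deserves a comment: this rule relies on the "Extracting from" check in the earlier hunk having already returned, otherwise an archive path ending in "OK " would be swallowed here without setting $clamav_archive.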
From: kmoss at DHOS.NET (Ken Moss) Date: Thu Jan 12 21:21:28 2006 Subject: MailScanner, Suse 9, and Sendmail Problems Message-ID: <001301c3bdcd$747f7000$0b0c000a@Hospital.dhos.net> I am trying to run MailScanner on SuSe 9. I downloaded the most recent release from the web site and tried to install. I had to manually install a few of the dependencies off the SuSe CD's. I have also installed SendMail and uninstalled postfix as I prefer SendMail. It appeared everything was going to work properly but when I tried to run the .rc file it tries to run my setup as a "postfix" system. I looked at the .rc and .conf files and they both are set as the MTA being SendMail. Any Ideas??? Ken Moss Information Services/Technology Doctors Hospital of Springfield 2828 N National Ave Springfield, MO 65803 (417) 837-4019 Fax: (417) 837-4109 kmoss@dhos.net From Kevin_Miller at CI.JUNEAU.AK.US Mon Dec 8 21:26:25 2003 From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:21:28 2006 Subject: MailScanner, Suse 9, and Sendmail Problems Message-ID: <08146035CA49D6119A36009027AC822A0264EB31@CITY-EXCH-NTS> Check /etc/sysconfig/MailScanner (if memory serves)... ...Kevin ------------------- Kevin Miller CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 -----Original Message-----
From: Ken Moss [mailto:kmoss@DHOS.NET] Sent: Monday, December 08, 2003 11:54 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: MailScanner, Suse 9, and Sendmail Problems I am trying to run MailScanner on SuSe 9. I downloaded the most recent release from the web site and tried to install. I had to manually install a few of the dependencies off the SuSe CD's. I have also installed SendMail and uninstalled postfix as I prefer SendMail. It appeared everything was going to work properly but when I tried to run the .rc file it tries to run my setup as a "postfix" system. I looked at the .rc and .conf files and they both are set as the MTA being SendMail. Any Ideas??? Ken Moss Information Services/Technology Doctors Hospital of Springfield 2828 N National Ave Springfield, MO 65803 (417) 837-4019 Fax: (417) 837-4109 kmoss@dhos.net From mike at TC3NET.COM Mon Dec 8 15:15:52 2003
From: mike at TC3NET.COM (Michael Baird) Date: Thu Jan 12 21:21:28 2006 Subject: per_user prefs not working ? In-Reply-To: References: Message-ID: <1070896552.14580.31.camel@mike-new2.tc3net.com>

MailScanner won't use per user spamassassin preferences, it uses the prefs file specified in MailScanner.conf for all users or /root/.spamassassin, since MailScanner runs as root. I faced this issue myself when I migrated my spam scanning to MailScanner, my solution was to create a procmail ruleset, which duplicates all my users individual spamassassin user_prefs behaviors (hit threshold, spam tag, whitelist, blacklist). I just have MailScanner check the spamlevel and such. I'll post the recipe here (I'm still working on making the whitelist/blacklist work better). Scanning all messages through MailScanner and filtering via a procmail ruleset, has lowered my load averages tremendously, as opposed to calling spamc via a procmail ruleset.

INCLUDERC=$HOME/.procmail/.spamprefs
WHITELIST=$HOME/.procmail/.whitelist
BLACKLIST=$HOME/.procmail/.blacklist

:0
* < 20000
{
    :0
    * ?egrep --silent --file $WHITELIST
    $DEFAULT
    :0
    * ?egrep --silent --file $BLACKLIST
    /dev/null
    :0
    *$ ^X-TC3Net-Level: $SPAMLEVEL
    {
        :0
        * ^Subject:[ ]*\/[^ ].*
        {
            SUBJECT=$MATCH
        }
        :0 fw
        | formail -I "Subject: $SPAMTAG $SUBJECT"
        :0
        $SPAMBOX
    }
}

Where .whitelist and .blacklist are just list of email addresses, and .spamprefs contains a few variable definitions used in the recipe.

SPAMLEVEL=xxxxxxxxxx
SPAMTAG=*****SPAM*****
SPAMBOX=.maildir/

Regards
MIKE

> Hi
>
> I am trying to get the per_user preferences working
>
> I set SpamAssassin User State Dir = ~/.spamassassin/
> in /etc/MailScanner.conf
>
> I then created a .spamassassin directory in my home dir
>
> I then create a file user_prefs in this directory
>
> inside the user_prefs file i put required_hits 10
>
> i then chown and chmod accordingly
>
> Restart MailScanner and send a test spam.
>
> The headers still tell me it is working on a required hits of 5
>
> What am i doing wrong?
>
> Regards
>
> Stuart Clark RHCE
> Spacelink Communications Pty Ltd
>

From mailscanner at ecs.soton.ac.uk Tue Dec 9 08:55:43 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:28 2006 Subject: per_user prefs not working ? In-Reply-To: <1070896552.14580.31.camel@mike-new2.tc3net.com> References: <1070896552.14580.31.camel@mike-new2.tc3net.com> Message-ID: <6.0.1.1.2.20031209085503.03d1e130@imap.ecs.soton.ac.uk> You can do all the user_prefs mentioned below in MailScanner rulesets. No need for procmail hacks. See /etc/MailScanner/rules/* At 15:15 08/12/2003, you wrote: >MailScanner won't use per user spamassassin preferences, it uses the >prefs file specified in MailScanner.conf for all users or >/root/.spamassassin, since MailScanner runs as root. I faced this issue >myself when I migrated my spam scanning to MailScanner, my solution was >to create a procmail ruleset, which duplicates all my users individual >spamassassin user_prefs behaviors (hit threshold, spam tag, whitelist, >blacklist). I just have MailScanner check the spamlevel and such. I'll >post the recipe here (I'm still working on making the >whitelist/blacklist work better). Scanning all messages through >MailScanner and filtering via a procmail ruleset, has lowered my load >averages tremendously, as opposed to calling spamc via a procmail >ruleset. > > >INCLUDERC=$HOME/.procmail/.spamprefs >WHITELIST=$HOME/.procmail/.whitelist >BLACKLIST=$HOME/.procmail/.blacklist > >:0 >* < 20000 >{ > :0 > * ?egrep --silent --file $WHITELIST > $DEFAULT > :0 > * ?egrep --silent --file $BLACKLIST > /dev/null > :0 > *$ ^X-TC3Net-Level: $SPAMLEVEL > { > :0 > * ^Subject:[ ]*\/[^ ].* > { > SUBJECT=$MATCH > } > :0 fw > | formail -I "Subject: $SPAMTAG $SUBJECT" > :0 > $SPAMBOX > } >} > >Where .whitelist and .blacklist are just list of email addresses, and >.spamprefs contains a few variable definitions used in the recipe. 
> >SPAMLEVEL=xxxxxxxxxx >SPAMTAG=*****SPAM***** >SPAMBOX=.maildir/ > >Regards >MIKE > > > Hi > > > > I am trying to get the per_user preferences working > > > > I set SpamAssassin User State Dir = ~/.spamassassin/ > > in /etc/MailScanner.conf > > > > I then created a .spamassassin directory in my home dir > > > > I then create a file user_prefs in this directory > > > > inside the user_prefs file i put required_hits 10 > > > > i then chown and chmod accordingly > > > > Restart MailScanner and send a test spam. > > > > The headers still tell me it is working on a required hits of 5 > > > > What am i doing wrong? > > > > Regards > > > > Stuart Clark RHCE > > Spacelink Communications Pty Ltd > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From martinh at SOLID-STATE-LOGIC.COM Tue Dec 9 09:21:16 2003 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:21:28 2006 Subject: SpamAssassin 2.61 Released In-Reply-To: <67D9E7698329D411936E00508B6590B902773D38@neelix.lbsltd.co.uk> References: <67D9E7698329D411936E00508B6590B902773D38@neelix.lbsltd.co.uk> Message-ID: <3FD5940C.1030701@solid-state-logic.com> Steve Freegard wrote: > Hi All, > > The announcement was on the sa-list earlier - I've installed the tar.gz on > one of my MailScanner boxes with no problems so far. > > Kind regards, > Steve. > > -- > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the sender and delete the message from your mailbox. > > This footnote also confirms that this email message has been swept by > MailScanner (www.mailscanner.info) for the presence of computer viruses. Steve Just check CPAN and it's not showing just yet. Prob be tomorrow I guess... -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From gioia at bclink.it Tue Dec 9 10:18:22 2003 
From: gioia at bclink.it (Gioia Bastioni) Date: Thu Jan 12 21:21:28 2006 Subject: Postfix and Mailscanner not working Message-ID:

Hi guys, I've a big problem on my mail server running postfix 2.0.15 and Mailscanner 2.24.5 on a Slack 9.1. It has been working for a couple of days, and now it's no longer working. I can't see ANYTHING in my Maillog, it is all frozen from Sunday at 16.56 .. I can send messages, I have no error shown or logged, but at the end I can't receive anything ..!!

What I found out is that Mailscanner is not running, so it can't send out the messages sent .. doing a ps -aux here's what I get :

SER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 727 0.0 0.4 1408 540 ? S 09:48 0:00 /usr/sbin/inetd
root 730 0.0 1.1 3080 1416 ? S 09:48 0:00 /usr/sbin/sshd
root 734 0.0 2.1 4716 2732 ? S 09:48 0:01 /usr/sbin/named
root 745 0.0 0.4 1500 592 ? S 09:48 0:00 /usr/sbin/crond -
daemon 747 0.0 0.5 1504 644 ? S 09:48 0:00 /usr/sbin/atd -b
root 846 0.0 3.3 74244 4256 ? S 09:48 0:00 /usr/sbin/httpd
nobody 862 0.0 7.5 81052 9596 ? S 09:48 0:02 /usr/sbin/httpd
nobody 863 0.0 7.6 81068 9632 ? S 09:48 0:02 /usr/sbin/httpd
nobody 864 0.0 7.5 81068 9612 ? S 09:48 0:01 /usr/sbin/httpd
nobody 865 0.0 7.5 81064 9612 ? S 09:48 0:01 /usr/sbin/httpd
nobody 866 0.0 7.5 81044 9588 ? S 09:48 0:01 /usr/sbin/httpd
root 872 0.0 0.3 1368 480 tty2 S 09:48 0:00 /sbin/agetty 3840
root 873 0.0 0.3 1368 480 tty3 S 09:48 0:00 /sbin/agetty 3840
root 874 0.0 0.3 1368 480 tty4 S 09:48 0:00 /sbin/agetty 3840
root 875 0.0 0.3 1368 480 tty5 S 09:48 0:00 /sbin/agetty 3840
root 877 0.0 0.3 1368 480 tty6 S 09:48 0:00 /sbin/agetty 3840
nobody 878 0.0 7.6 81120 9644 ? S 09:48 0:00 /usr/sbin/httpd
root 1262 0.0 0.7 2320 888 ? S 10:20 0:00 /usr/libexec/post
postfix 1263 0.0 0.6 2276 824 ? S 10:20 0:00 pickup -l -t fifo
postfix 1264 0.0 0.7 2328 940 ? S 10:20 0:00 qmgr -l -t fifo -
postfix 1713 0.0 0.6 2292 832 ? S 11:09 0:00 trivial-rewrite -
postfix 1715 0.0 0.6 2296 852 ? S 11:09 0:00 bounce -z -n defe
postfix 1716 0.0 0.6 2288 848 ? S 11:09 0:00 flush -z -t unix
root 1724 0.0 0.3 1368 480 tty1 S 11:09 0:00 /sbin/agetty 3840
postfix 1771 0.0 0.8 2420 1028 ? S 11:11 0:00 smtpd -n smtp -t
postfix 1772 0.0 0.7 2352 948 ? S 11:11 0:00 cleanup -z -t uni
root 1823 0.0 0.6 2280 860 ? S 11:11 0:00 /usr/libexec/post
postfix 1826 0.0 0.6 2272 824 ? S 11:11 0:00 pickup -l -t fifo
postfix 1827 0.0 0.6 2308 852 ? S 11:11 0:00 qmgr -l -t fifo -
root 1864 0.0 0.6 2724 780 pts/0 R 11:13 0:00 ps -aux
postfix 1890 1.0 7.8 11240 9940 ? S 11:15 0:00 /usr/bin/perl -I/opt/MailScanner/lib
postfix 1891 3.0 0.0 0 0 ? Z 11:15 0:00 [MailScanner ]

thanks for the help

From martinh at SOLID-STATE-LOGIC.COM Tue Dec 9 10:52:31 2003
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:21:28 2006 Subject: R: [MAILSCANNER] Postfix and Mailscanner not working In-Reply-To: References: Message-ID: <3FD5A96F.7060902@solid-state-logic.com> Looks like the syslogd isn't very happy. Is there anything in /var/log/messages around the time MS stopped working? Is the filesystem containing /var/log full? -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 gioia@bclink.it wrote: > Yes, I meant 4.24 .. :) > ok, using the debug mode now I get: > > Starting MailScanner... > In Debugging mode, not forking... > unix dgram connect: Connection refused at > /opt/MailScanner/lib/MailScanner/Log.pm line 132 > no connection to syslog available at /opt/MailScanner/lib/MailScanner/Log.pm > line 132 > > what does it mean ?! ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From joshua.hirsh at PARTNERSOLUTIONS.CA Tue Dec 9 12:46:51 2003 From: joshua.hirsh at PARTNERSOLUTIONS.CA (Hirsh, Joshua) Date: Thu Jan 12 21:21:28 2006 Subject: Postfix and Mailscanner not working Message-ID: <75FEDC422E2309419A9303E7B18F206E04DB5E66@eqmail1.efni.vpn> > What I found out is that Mailscanner is not running, so it > can't send out the messagges sent .. What happens when you try and restart MailScanner? -Joshua From gioia at bclink.it Tue Dec 9 12:57:33 2003 
From: gioia at bclink.it (Gioia Bastioni) Date: Thu Jan 12 21:21:28 2006 Subject: R: Postfix and Mailscanner not working In-Reply-To: <75FEDC422E2309419A9303E7B18F206E04DB5E66@eqmail1.efni.vpn> Message-ID: I think I fixed that. Running the check_mailscanner script in debug mode I had In Debugging mode, not forking... > unix dgram connect: Connection refused at > /opt/MailScanner/lib/MailScanner/Log.pm line 132 > no connection to syslog available at /opt/MailScanner/lib/MailScanner/Log.pm > line 132 checking LOG files what I found out was that the syslog LOG file became so big.. just renamed the old one, and created a new empty file .. now it's working.. thanks for the help :) -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Hirsh, Joshua Sent: Tuesday, 9 December 2003 13.47 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Postfix and Mailscanner not working > What I found out is that Mailscanner is not running, so it > can't send out the messagges sent .. What happens when you try and restart MailScanner? -Joshua From mike at CAMAROSS.NET Tue Dec 9 13:58:09 2003
From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:21:28 2006 Subject: Postfix Question In-Reply-To: Message-ID: <200312091351.hB9Dp1la030311@genesis.camaross.net> Ok...I was up until 3am working on this, but started getting foggy :) I have several domains that I scan mail for and pass on to other mail servers. Other domains are delivered locally. I have successfully gotten one domain to scan and forward on to another mail server. I can also scan and deliver a domain locally. The problem is this: I made SO many changes to my configs along the way that I'm not sure which ones made things work! Again, this is my first REAL experience with postfix, so a little guidance would be appreciated. I'd be happy to take this off the list if someone is willing to help me. I've created an /etc/postfix/transport|virtual, an /etc/postfix.in/transport|virtual Which one belongs where? Mike > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Robin M. > Sent: Monday, December 08, 2003 9:56 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Postfix Question > > On Mon, 8 Dec 2003, Mike Kercher wrote: > > > For relay_domains and my local delivery domains, these are also > > specified in my /etc/postfix.in/main.cf as well? > > > yes. this will be the file which you will make all your edits > to for restrictions and such. > From david at PLATFORMHOSTING.COM Tue Dec 9 13:55:15 2003 
From: david at PLATFORMHOSTING.COM (David Hooton) Date: Thu Jan 12 21:21:28 2006 Subject: MS not using spam.assassin.prefs.conf In-Reply-To: References: Message-ID: <3FD5D443.6000607@platformhosting.com> Hi, I've just recently noticed that Mail Scanner has stopped parsing all the rules in my spam.assassin.prefs.conf I do have quite a few, but none are overly complex. Does anyone have a suggestion as to why this would be happening? I've gone through the rules with a fine toothed comb, but can't find any reason for it. Regards, David Hooton Senior Partner Platform Hosting www.platformhosting.com ======================================================================== This message has been scanned for spam & viruses by Mail Security. To report SPAM forward the message to: spam@mailsecurity.net.au Mail Security www.mailsecurity.net.au ======================================================================== From mailscanner at ecs.soton.ac.uk Tue Dec 9 14:02:51 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:28 2006 Subject: MS not using spam.assassin.prefs.conf In-Reply-To: <3FD5D443.6000607@platformhosting.com> References: <3FD5D443.6000607@platformhosting.com> Message-ID: <6.0.1.1.2.20031209140225.072bd1d0@imap.ecs.soton.ac.uk> At 13:55 09/12/2003, you wrote: >Hi, > >I've just recently noticed that Mail Scanner has stopped parsing all the >rules in my spam.assassin.prefs.conf I do have quite a few, but none are >overly complex. > >Does anyone have a suggestion as to why this would be happening? I've >gone through the rules with a fine toothed comb, but can't find any >reason for it. You haven't got any dashes in any rule names have you? You can only use _ and not - -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From RKearney at AZERTY.COM Tue Dec 9 14:42:04 2003 
From: RKearney at AZERTY.COM (Kearney, Rob) Date: Thu Jan 12 21:21:28 2006 Subject: MS not using spam.assassin.prefs.conf Message-ID: <210DF55DED65B547896F728FB057F3B2019C4A44@seaver.ussco.com> try .. spamassassin -D --lint -p /etc/MailScanner/spam.assassin.prefs.conf you generally will see errors if there are any in your rules. -rob -----Original Message----- From: David Hooton [mailto:david@PLATFORMHOSTING.COM] Sent: Tuesday, December 09, 2003 8:55 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: MS not using spam.assassin.prefs.conf Hi, I've just recently noticed that Mail Scanner has stopped parsing all the rules in my spam.assassin.prefs.conf I do have quite a few, but none are overly complex. Does anyone have a suggestion as to why this would be happening? I've gone through the rules with a fine toothed comb, but can't find any reason for it. Regards, David Hooton Senior Partner Platform Hosting www.platformhosting.com ======================================================================== This message has been scanned for spam & viruses by Mail Security. To report SPAM forward the message to: spam@mailsecurity.net.au Mail Security www.mailsecurity.net.au ======================================================================== From sysadmins at ENHTECH.COM Tue Dec 9 15:05:15 2003 
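The two suggestions made in the "MS not using spam.assassin.prefs.conf" thread (no dashes in rule names, then a lint run) combined into a pre-check, as an added example that is not part of any post and is not MailScanner or SpamAssassin code. The function names, the list of rule-defining directives and the sample prefs content are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: report SpamAssassin rule names that contain a dash.
# Assumption: for the directives listed below the second field is a rule name.

# find_dashed_rules FILE
#   Prints "LINE:DIRECTIVE:RULE_NAME" for each rule-defining line whose rule
#   name contains a dash. Exit status 0 = none found, 1 = at least one found.
find_dashed_rules() {
    awk '
        /^[ \t]*#/ { next }                 # comment line
        NF < 2     { next }                 # blank line or bare keyword
        $1 ~ /^(header|body|rawbody|full|uri|meta|score|describe|tflags)$/ {
            # Only the name field is checked, so a negative score such as
            # "score FOO -1.5" or a dash inside a regex is not reported.
            if (index($2, "-") > 0) {
                printf "%d:%s:%s\n", NR, $1, $2
                bad = 1
            }
        }
        END { exit (bad + 0) }
    ' "$1"
}

# write_sample FILE
#   Writes constructed prefs content (not taken from the thread) to FILE.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not taken from the thread
required_hits 5
header   LOCAL_GOOD_RULE Subject =~ /cheap-meds/i
score    LOCAL_GOOD_RULE -1.5
body     LOCAL-BAD-RULE /buy now/i
score    LOCAL-BAD-RULE 3.0
describe LOCAL-BAD-RULE Rule name contains dashes
EOF
}

# Demonstration on the constructed sample.
sample=$(mktemp)
write_sample "$sample"
if find_dashed_rules "$sample"; then
    echo "no dashed rule names found"
else
    echo "rename the rules listed above (use _ instead of -), then lint the file"
fi
rm -f "$sample"
```

Point find_dashed_rules at /etc/MailScanner/spam.assassin.prefs.conf, then confirm with the spamassassin -D --lint -p command given in the thread.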
From: sysadmins at ENHTECH.COM (Errol Neal) Date: Thu Jan 12 21:21:28 2006 Subject: Skipping queue run -- load average too high In-Reply-To: <200312090520.hB95KGfX032392@fili.jiscmail.ac.uk> References: <200312090520.hB95KGfX032392@fili.jiscmail.ac.uk> Message-ID: <6.0.0.22.0.20031209095912.02b5fb70@mail.enhtech.com>

At 12:19 AM 12/9/2003, Harry Hanson wrote:
>Is this due to mailscanner or MTA (sendmail)? Does it simply hold the queue
>to rescan later? Is there some tuning that can be done to alleviate this?
>
>Thanks.
>
>
>Dec 8 18:34:31 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA:
>load average: 52
>Dec 8 18:34:49 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA:
>load average: 40
>Dec 8 18:35:04 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA:
>load average: 31
>Dec 8 18:35:19 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA:
>load average: 24

This behavior is set in the sendmail.mc/.cf file. It basically tells the daemon to stop accepting connections at a certain load average. One setting also tells the daemon to begin only queuing messages at a certain LA. Those settings are defined in your .mc as:

confQUEUE_LA
confREFUSE_LA

In your .cf they are:

# load average at which we just queue messages
O QueueLA
# load average at which we refuse connections
O RefuseLA

The load average on your systems can be determined by using 'uptime' or top.

Best Regards,
Errol Neal

From gareth at GRIFFIN.NET.UK Tue Dec 9 15:24:38 2003
From: gareth at GRIFFIN.NET.UK (Gareth Campling) Date: Thu Jan 12 21:21:28 2006 Subject: Advanced function in spam.actions.rules Message-ID: <4116B9E82087024DB2755B25BB4B494C742196@msx.network.griffin.net.uk> Hi All Wonder if anyone can help, we're running Mailscanner and Postfix with mysql backend and at present we just tag email and send it on, except for certain domains which are deleted or forwarded, but for messages that appear in a RBL we are wanting to dump these but not sure exactly how to specify this in spam.actions.rules Hopefully this makes sense, for example When a message comes up like this smtp-1 MailScanner[29251]: RBL cheks: 7D26825806D found in NJABL, spamcop.net When "found in" appears we would like to dump or forward elsewhere. -- Gareth Campling Griffin Internet www.griffin.com Tel : 0870 000 7100 Fax : 0870 000 7101 Network Status : Tel: 0870 000 7099 Web: http://status.griffin.com From xpoint at JUNC.ORG Tue Dec 9 16:07:19 2003 From: xpoint at JUNC.ORG (Benny Pedersen) Date: Thu Jan 12 21:21:28 2006 Subject: MailScanner and RedHat 6.0 In-Reply-To: References: Message-ID: <1070986039.7381.9.camel@home.junc.org> On Mon, 2003-12-01 at 15:57, Raymond Dijkxhoorn wrote: > RH doesn't support it anymore and won't make new errata either. I would > strongly advise not to install new MS projects on a box like that ... :) # Fedora Linux repositories for Red Hat Linux 8.0 repository # University of Hawaii Honolulu, Hawaii, USA rpm http://download.fedora.us/fedora/ redhat/8.0/i386 os updates stable rpm-src http://download.fedora.us/fedora/ redhat/8.0/i386 os updates stable why change ? it works well here with apt-get only up2date will die, apt-get will live forever :-) well let's go on with postfix, will mailscanner change to use content filter style of postfix ? From mailscanner at ecs.soton.ac.uk Tue Dec 9 16:35:21 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:28 2006 Subject: MailScanner and RedHat 6.0 In-Reply-To: <1070986039.7381.9.camel@home.junc.org> References: <1070986039.7381.9.camel@home.junc.org> Message-ID: <6.0.1.1.2.20031209163432.028a4008@imap.ecs.soton.ac.uk> At 16:07 09/12/2003, you wrote: >On Mon, 2003-12-01 at 15:57, Raymond Dijkxhoorn wrote: > > > RH doesn't support it anymore and won't make new errata either. I would > > strongly advise not to install new MS projects on a box like that ... :) > ># Fedora Linux repositories for Red Hat Linux 8.0 repository ># University of Hawaii Honolulu, Hawaii, USA >rpm http://download.fedora.us/fedora/ redhat/8.0/i386 os updates stable >rpm-src http://download.fedora.us/fedora/ redhat/8.0/i386 os updates stable One of you is misreading/mistyping. Are we talking about RedHat 8 or RedHat 6? >well let's go on with postfix, will mailscanner change to use content >filter style of postfix ? Unlikely. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From jaearick at COLBY.EDU Tue Dec 9 16:54:18 2003 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:21:28 2006 Subject: could not analyze/too many attachments Message-ID: Julian, I know there was a thread recently about "Could not analyze message" coming out in the virus report, when the issue is really "too many attachments" from the "Maximum Attachments Per Message" setting. I did a bonehead move of setting this to 20 instead of 200, and then had to quarantine the problem message after the sender complained, stare at it and MS code, and figure out the problem. Will this "Could not analyze" message be clearer in the next version? Jeff Earickson Colby College From xpoint at JUNC.ORG Tue Dec 9 17:19:22 2003
From: xpoint at JUNC.ORG (Benny Pedersen) Date: Thu Jan 12 21:21:28 2006 Subject: MailScanner and RedHat 6.0 In-Reply-To: <6.0.1.1.2.20031209163432.028a4008@imap.ecs.soton.ac.uk> References: <1070986039.7381.9.camel@home.junc.org> <6.0.1.1.2.20031209163432.028a4008@imap.ecs.soton.ac.uk> Message-ID: <1070990362.8142.4.camel@home.junc.org> On Tue, 2003-12-09 at 17:35, Julian Field wrote: > One of you is misreading/mistyping. Are we talking about RedHat 8 or RedHat 6? sorry i read 6.0 as 8.0 :( >>well let's go on with postfix, will mailscanner change to use content >>filter style of postfix ? > Unlikely. why not ? the mailscanner is imho okay for sendmail, but i have changed to use amavisd new to stay away from running postfix as sendmail, well maybe i just need to learn more about why :/ From Antony at SOFT-SOLUTIONS.CO.UK Tue Dec 9 18:13:29 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:21:28 2006 Subject: MailScanner and RedHat 6.0 In-Reply-To: <1070990362.8142.4.camel@home.junc.org> References: <6.0.1.1.2.20031209163432.028a4008@imap.ecs.soton.ac.uk> <1070990362.8142.4.camel@home.junc.org> Message-ID: <200312091813.29497.Antony@Soft-Solutions.co.uk> On Tuesday 09 December 2003 5:19 pm, Benny Pedersen wrote: > On Tue, 2003-12-09 at 17:35, Julian Field wrote: > > One of you is misreading/mistyping. Are we talking about RedHat 8 or > > RedHat 6? > > sorry i readed 6.0 as 8.0 :( > > >>well lets go on with postfix, will mailscanner change to use content > >>filter style of postfix ? > > > > Unlikely. > > why not ? > > the mailscanner is imho okay for sendmail, but i have changed to use > amavisd new to stay away for running postfix as sendmail, well maybe i > just need to laern more about why :/ Perhaps someone can explain to me what the advantage of postfix is over sendmail or exim? I've only ever used sendmail, and I believe that exim is a convenient replacement for higher performance on the same hardware. What would be the advantage of choosing postfix instead? Not trying to start a religious flame war here - just curious, looking for information. Antony. -- RTFM may be the appropriate reply, but please specify exactly which FM to R. Please reply to the list; please don't CC me. From mailscanner at ecs.soton.ac.uk Tue Dec 9 18:24:49 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:28 2006 Subject: Translation request Message-ID: <6.0.1.1.2.20031209182323.027bf820@imap.ecs.soton.ac.uk> Hi all! Please can you translate Too many attachments in message into all your favourite languages. It is used as a report in a message that contains more file attachments than are permitted in MailScanner.conf. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Dec 9 18:23:22 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:28 2006 Subject: could not analyze/too many attachments In-Reply-To: References: Message-ID: <6.0.1.1.2.20031209181211.035c7f28@imap.ecs.soton.ac.uk> At 16:54 09/12/2003, you wrote: >Julian, > I know there was a thread recently about "Could not >analyze message" coming out in the virus report, when the >issue is really "too many attachments" from the >"Maximum Attachments Per Message" setting. I did a bonehead >move of setting this to 20 instead of 200, and then had to >quarantine the problem message after the sender complained, >stare at it and MS code, and figure out the problem. Will >this "Could not analyze" message be clearer in the next >version? You can already change the error message, but only for all unparsable messages. It's in your languages.conf file, the line that starts "CantAnalyze". However, I agree that it should be separate from that error message. The fix will be in the next release, but attached are patches to Message.pm, MessageBatch.pm and languages.conf (English only right now) which will implement it. -------------- next part -------------- A non-text attachment was scrubbed... Name: en.languages.conf.patch Type: application/octet-stream Size: 381 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031209/010d8335/en.languages.conf.obj -------------- next part -------------- A non-text attachment was scrubbed... Name: Message.pm.patch Type: application/octet-stream Size: 1383 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031209/010d8335/Message.pm.obj -------------- next part -------------- A non-text attachment was scrubbed... 
Name: MessageBatch.pm.patch Type: application/octet-stream Size: 710 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031209/010d8335/MessageBatch.pm.obj -------------- next part -------------- -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From raymond at PROLOCATION.NET Tue Dec 9 18:35:39 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:28 2006 Subject: Translation request In-Reply-To: <6.0.1.1.2.20031209182323.027bf820@imap.ecs.soton.ac.uk> Message-ID: Hi! > Please can you translate > Too many attachments in message > into all your favourite languages. > > It is used as a report in a message that contains more file attachments > than are permitted in MailScanner.conf. Dutch: Te veel bijlagen in bericht Bye, Raymond. From jen at AH.DK Tue Dec 9 19:01:26 2003 From: jen at AH.DK (Jan Elmqvist Nielsen) Date: Thu Jan 12 21:21:28 2006 Subject: Svar: Translation request - danish Message-ID: "For mange bilag i brevet" or "For mange bilag i mail'en" I perfer the last, but the first one is "more" correct danish. Jan Elmqvist Nielsen >>> mailscanner@ECS.SOTON.AC.UK 09-12-03 19:24 >>> Hi all! Please can you translate Too many attachments in message into all your favourite languages. It is used as a report in a message that contains more file attachments than are permitted in MailScanner.conf. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From listas at VIRUSATTACK.COM.AR Tue Dec 9 19:00:22 2003 
From: listas at VIRUSATTACK.COM.AR (Ignacio M. Sbampato) Date: Thu Jan 12 21:21:28 2006 Subject: Translation request References: <6.0.1.1.2.20031209182323.027bf820@imap.ecs.soton.ac.uk> Message-ID: <000a01c3be86$b379b9a0$010010ac@fibertel.com.ar> Spanish: "Demasiados archivos adjuntos en el mensaje". Bye! ----- Original Message ----- From: "Julian Field" To: Sent: Tuesday, December 09, 2003 3:24 PM Subject: Translation request > Hi all! > > Please can you translate > Too many attachments in message > into all your favourite languages. > > It is used as a report in a message that contains more file attachments > than are permitted in MailScanner.conf. > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From kodak at FRONTIERHOMEMORTGAGE.COM Tue Dec 9 19:17:53 2003 From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki) Date: Thu Jan 12 21:21:28 2006 Subject: MailScanner and RedHat 6.0 In-Reply-To: <200312091813.29497.Antony@Soft-Solutions.co.uk> Message-ID: <007301c3be89$24e99270$0501a8c0@darkside> >What would be the advantage of choosing postfix instead? This isn't the answer you were looking for, but here it is anyway... Sometimes it's not a matter of choosing. We run a packaged server that is a open source based Exchange replacement. The system is an all in one bundle that includes Postfix. While I'm sure I could change things around to use Sendmail or Exim, it's not broke so I'm not fixing it. Well, I guess that is a choice, but you get what I'm saying, hopefully. :) --J(K) From Antony at SOFT-SOLUTIONS.CO.UK Tue Dec 9 19:24:49 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:21:28 2006 Subject: MailScanner and RedHat 6.0 In-Reply-To: <007301c3be89$24e99270$0501a8c0@darkside> References: <007301c3be89$24e99270$0501a8c0@darkside> Message-ID: <200312091924.49673.Antony@Soft-Solutions.co.uk> On Tuesday 09 December 2003 7:17 pm, Jason Balicki wrote: > >What would be the advantage of choosing postfix instead? > > This isn't the answer you were looking for, but here it is > anyway... > > Sometimes it's not a matter of choosing. We run a packaged > server that is a open source based Exchange replacement. > > The system is an all in one bundle that includes Postfix. > > While I'm sure I could change things around to use Sendmail > or Exim, it's not broke so I'm not fixing it. Well, I guess > that is a choice, but you get what I'm saying, hopefully. :) Indeed - I understand what you're saying. Hopefully some others on the list can contribute their opinions on why someone would choose postfix over sendmail or exim, assuming the opportunity for choice exists. I'm still curious to know postfix's advantages. Thanks for the response. Just out of interest, what is the bundled solution you are using? Antony. -- Most people are aware that the Universe is big. - Paul Davies, Professor of Theoretical Physics Please reply to the list; please don't CC me. From esandquist at IHMS.NET Tue Dec 9 19:22:30 2003 
From: esandquist at IHMS.NET (Eric Sandquist) Date: Thu Jan 12 21:21:28 2006 Subject: Postfix configuration/efficiency.... Message-ID: Periodically I see reference to setting up MailScanner with a single instance of Postfix, instead of the standard 2 Postfix install described in the instructions. Is there any advantage in doing this? Memory savings? Server load? I need to maximize the efficiency of this machine... Are there any instructions for this type of installation? or for converting from a working standard installation? Are there any drawbacks to this type of installation? Currently, we are running Dual PIII 500, 512Megs Ram... I've worked very hard to get the server load down to about 4.... It has been as high as 10... We are processing about 40,000 mails per day.... I realize that the best soution is a more powerful machine than this, but the client company won't do it (until this one dies).... -------------------------------------------------------------------------- Eric Sandquist Systems Engineer ICQ#: 10274846 Current ICQ status: + More ways to contact me www.ihms.net www.messianicgroups.com www.nazarene.net www.amazinggroups.com www.613commandments.com www.hebrew-roots.com www.netzarim.cc www.momsonthego.us -------------------------------------------------------------------------- Home Business Opportunity!! - Travel, Taxes, Health, and More -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031209/b6b556d1/attachment.html From Denis.Beauchemin at USHERBROOKE.CA Tue Dec 9 18:49:22 2003 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:21:28 2006
Subject: Translation request (French)
In-Reply-To: <6.0.1.1.2.20031209182323.027bf820@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20031209182323.027bf820@imap.ecs.soton.ac.uk>
Message-ID: <1070995762.16734.54.camel@dbeauchemin.sti.usherbrooke.ca>

Message contenant trop de pièces jointes

Denis

On Tue 09/12/2003 at 13:24, Julian Field wrote:
> Hi all!
>
> Please can you translate
> Too many attachments in message
> into all your favourite languages.
>
> It is used as a report in a message that contains more file attachments
> than are permitted in MailScanner.conf.
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From kodak at FRONTIERHOMEMORTGAGE.COM Tue Dec 9 19:59:46 2003
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki) Date: Thu Jan 12 21:21:28 2006 Subject: OT: RE: MailScanner and RedHat 6.0 In-Reply-To: <200312091924.49673.Antony@Soft-Solutions.co.uk> Message-ID: <007c01c3be8e$fe969220$0501a8c0@darkside> >Thanks for the response. Just out of interest, what is the >bundled solution >you are using? Bynari Insight server. http://www.bynari.net -- I wrote a MailScanner howto for them, so now they have a MailScanner link on their page. Insight is pretty good. It is a commercial product, but it costs much less than Exchange. The real benefit is the Insight Connector which is a plugin for Outlook that lets you store outlook data in any IMAP server. So if you've got an IMAP server that supports folder sharing and ACLs you can use this plugin for outlook and share all your data, including contacts and calendars. The only drawback I've had is that because it's a packaged deal your changes don't stick. They have a web interface that controls everything and if you do something outside of it and then upgrade your changes are lost. So every time I upgrade the server (via RPM) I have to go back in and install MailScanner and Sophos and ClamAV and make any changes I had again. It's not as big a problem as I make it out to be though, since it's really just some config files that I have to restore -- and they're backed up automaticaly anyway. --J(K) From mailscanner at SMITS.CO.UK Tue Dec 9 23:12:08 2003 From: mailscanner at SMITS.CO.UK (Bart J. Smit) Date: Thu Jan 12 21:21:28 2006 Subject: Translation request Dutch References: <6.0.1.1.2.20031209182323.027bf820@imap.ecs.soton.ac.uk> Message-ID: <000a01c3bea9$dead36b0$8f14a8c0@clumpton.homeip.net> Teveel bijvoegsels in boodschap ----- Original Message ----- 
From: "Julian Field" To: Sent: Tuesday, December 09, 2003 6:24 PM Subject: Translation request > Hi all! > > Please can you translate > Too many attachments in message > into all your favourite languages. > > It is used as a report in a message that contains more file attachments > than are permitted in MailScanner.conf. > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From mike at CAMAROSS.NET Tue Dec 9 20:14:16 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:21:29 2006 Subject: Rules Question Message-ID: <200312092007.hB9K77Jq021918@genesis.camaross.net> I about to write a php interface to allow users to manage their own whitelists and blacklists. Is the CaSe of the strings inside a ruleset a consideration or does notaspammer@domain.org look the same as NotaSpammer@domain.ORG to MailScanner? Mike _\|/_ (@ @) -----oOOo-(_)-oOOo----- From Antony at SOFT-SOLUTIONS.CO.UK Tue Dec 9 20:17:38 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:21:29 2006 Subject: Rules Question In-Reply-To: <200312092007.hB9K77Jq021918@genesis.camaross.net> References: <200312092007.hB9K77Jq021918@genesis.camaross.net> Message-ID: <200312092017.38518.Antony@Soft-Solutions.co.uk> On Tuesday 09 December 2003 8:14 pm, Mike Kercher wrote: > I about to write a php interface to allow users to manage their own > whitelists and blacklists. Is the CaSe of the strings inside a ruleset a > consideration or does notaspammer@domain.org look the same as > NotaSpammer@domain.ORG to MailScanner? MailScanner is case insensitive. Antony. -- This email is intended for the use of the individual addressee(s) named above and may contain information that is confidential, privileged or unsuitable for overly sensitive persons with low self-esteem, no sense of humour, or irrational religious beliefs. If you have received this email in error, you are required to shred it immediately, add some nutmeg, three egg whites and a dessertspoonful of caster sugar. Whisk until soft peaks form, then place in a warm oven for 40 minutes. Remove promptly and let stand for 2 hours before adding some decorative kiwi fruit and cream. Then notify me immediately by return email and eat the original message. Please reply to the list; please don't CC me. From dafydd.tomos at IMAGINET.CO.UK Tue Dec 9 20:53:12 2003 
From: dafydd.tomos at IMAGINET.CO.UK (Dafydd Tomos) Date: Thu Jan 12 21:21:29 2006 Subject: Translation request In-Reply-To: <6.0.1.1.2.20031209182323.027bf820@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20031209182323.027bf820@imap.ecs.soton.ac.uk> Message-ID: <20031209205312.GA21319@imaginet.co.uk> On Dec 09, 2003, Julian Field wrote: > Hi all! > > Please can you translate > Too many attachments in message Welsh: Gormod o atodiadau yn y neges -- Dafydd Tomos Systems Administrator Gweinyddwr Systemau Imaginet Ltd http://www.imaginet.co.uk/ From gebhard at EPOST.DE Tue Dec 9 20:56:11 2003 From: gebhard at EPOST.DE (Holger) Date: Thu Jan 12 21:21:29 2006 Subject: Syslog MailScanner Question Message-ID: Hi Julian, hi Group, i just upgraded my System to MailScanner Version 4.25-14... All works fine, but there are some unusually Entries in Syslog. When a Message processed by MailScanner with more than one Recipient to my Domain the Syslog shows something like this when the RBL-Checks are done: RBL-Checks: "Mail-ID" found in sorbs, spamcop, sorbs, spamcop, sorbs, etc. In Previous Versions there was only one entry per RBL-List... Is this intended??? Thanks for help Holger From harryh at CET.COM Tue Dec 9 21:11:46 2003 
From: harryh at CET.COM (Harry Hanson)
Date: Thu Jan 12 21:21:29 2006
Subject: Skipping queue run -- load average too high
In-Reply-To: <200312060517.hB65HCfX013515@fili.jiscmail.ac.uk>
Message-ID: <200312092112.hB9LCKfX016449@fili.jiscmail.ac.uk>

Is this due to mailscanner or MTA (sendmail)? Does it simply hold the queue to rescan later? Is there some tuning that can be done to alleviate this? Thanks.

Dec 8 18:12:30 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 249
Dec 8 18:12:45 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 194
Dec 8 18:13:02 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 151
Dec 8 18:13:17 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 108
Dec 8 18:13:35 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 84
Dec 8 18:13:50 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 66
Dec 8 18:14:05 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 52
Dec 8 18:14:23 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 37
Dec 8 18:14:38 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 27
Dec 8 18:20:30 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 24
Dec 8 18:32:59 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 229
Dec 8 18:33:16 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 179
Dec 8 18:33:31 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 139
Dec 8 18:33:46 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 109
Dec 8 18:34:01 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 85
Dec 8 18:34:16 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 66
Dec 8 18:34:31 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 52
Dec 8 18:34:49 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 40
Dec 8 18:35:04 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 31
Dec 8 18:35:19 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 24

From pete at eatathome.com.au Tue Dec 9 21:12:40 2003
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:21:29 2006
Subject: Postfix Question
In-Reply-To: <200312091351.hB9Dp1la030311@genesis.camaross.net>
References: <200312091351.hB9Dp1la030311@genesis.camaross.net>
Message-ID: <3FD63AC8.9040007@eatathome.com.au>

Mike Kercher wrote:

>Ok...I was up until 3am working on this, but started getting foggy :)
>
>I have several domains that I scan mail for and pass on to other mail
>servers. Other domains are delivered locally. I have successfully gotten
>one domain to scan and forward on to another mail server. I can also scan
>and deliver a domain locally. The problem is this:
>
>I made SO many changes to my configs along the way that I'm not sure which
>ones made things work! Again, this is my first REAL experience with
>postfix, so a little guidance would be appreciated. I'd be happy to take
>this off the list if someone is willing to help me.
>
>I've created an /etc/postfix/transport|virtual, an
>/etc/postfix.in/transport|virtual Which one belongs where?
>
>Mike
>
>
>>-----Original Message-----
>>From: MailScanner mailing list
>>[mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Robin M.
>>Sent: Monday, December 08, 2003 9:56 PM
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: Re: Postfix Question
>>
>>On Mon, 8 Dec 2003, Mike Kercher wrote:
>>
>>>For relay_domains and my local delivery domains, these are also
>>>specified in my /etc/postfix.in/main.cf as well?
>>
>>yes. this will be the file which you will make all your edits
>>to for restrictions and such.
>

I have 2 virtual domains - I have made these changes to /etc/postfix.in/main.cf (incoming) and /etc/postfix/main.cf (outgoing), created /etc/postfix/transport and /etc/postfix.in/relay - these changes block all mail not addressed to *@domain1.com.au and *@domain2.com.au and deliver to the SMTP server for each domain, after scanning etc has occurred. It works flawlessly and I am very new to postfix and mailscanner too.

You can make a bundle of other changes and have all kinds of security and relay/user options, but start with these and get your set up working - once working then begin to add stuff like RBL checking - if your site is not hugely busy, just get SA to do all the RBL checks and let MS use these to score the mail, it's much neater and simple and will work great. I think I have 1 report of an actual spam message getting through this system and almost no false positives now bayes is working - remember you aren't going to cure spam altogether (without getting false positives); your goal should be to reduce spam and have a gateway system that requires minimal maintenance.
/etc/postfix.in/main.cf - Incoming

defer_transports = smtp local virtual relay
smtpd_recipient_restrictions = permit_auth_destination, reject_unauth_destination
smtpd_banner = $myhostname SMTP
queue_directory = /var/spool/postfix.in
myhostname = mail01.mygatewaydomain.com.au
relay_domains = /etc/postfix.in/relay
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases

/etc/postfix.in/relay - Incoming

domain1.com.au
domain2.com.au

/etc/postfix/main.cf - Outgoing

transport_maps = hash:/etc/postfix/transport
queue_directory = /var/spool/postfix
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

/etc/postfix/transport - Outgoing

domain1.com.au smtp:192.64.54.20
domain2.com.au smtp:192.64.54.15

From pete at eatathome.com.au Tue Dec 9 21:15:33 2003
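The four files in the post above only work as a set: the incoming instance has to refuse foreign destinations and hold mail for scanning, and every domain it accepts needs a route on the outgoing side. The check below is an added example, not part of the original thread or of MailScanner; the sample file contents are constructed from the layout shown in the post, and the rule that both smtp and relay must appear in defer_transports is an assumption about how relayed mail would otherwise leave the incoming instance.

```python
import re

# Constructed sample files modelled on the four files in the post above.
INCOMING_MAIN_CF = """\
# /etc/postfix.in/main.cf (incoming instance)
defer_transports = smtp local virtual relay
smtpd_recipient_restrictions = permit_auth_destination,
    reject_unauth_destination
queue_directory = /var/spool/postfix.in
relay_domains = /etc/postfix.in/relay
"""
RELAY_FILE = "domain1.com.au\ndomain2.com.au\n"
OUTGOING_MAIN_CF = """\
transport_maps = hash:/etc/postfix/transport
queue_directory = /var/spool/postfix
"""
TRANSPORT_FILE = """\
domain1.com.au smtp:192.64.54.20
domain2.com.au smtp:192.64.54.15
"""

# Restrictions that end the list by refusing mail for foreign destinations.
CLOSERS = {"reject", "defer", "reject_unauth_destination",
           "defer_unauth_destination"}

def logical_lines(text):
    """Yield main.cf-style logical lines: skip comments and blank lines,
    join lines that start with whitespace onto the previous line."""
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            current += " " + raw.strip()
            continue
        if current is not None:
            yield current
        current = raw.strip()
    if current is not None:
        yield current

def parse_main_cf(text):
    """Return {parameter: value}; a later definition overrides an earlier one."""
    params = {}
    for line in logical_lines(text):
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def split_list(value):
    """Split a Postfix list value on commas and whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]

def parse_transport(text):
    """Return {lower-cased domain: nexthop} from a transport-style table."""
    table = {}
    for line in logical_lines(text):
        parts = line.split(None, 1)
        if len(parts) == 2:
            table[parts[0].lower()] = parts[1].strip()
    return table

def check_gateway(incoming_cf, relay_file, outgoing_cf, transport_file):
    """Return a list of findings; an empty list means the four files agree."""
    findings = []
    inc, out = parse_main_cf(incoming_cf), parse_main_cf(outgoing_cf)

    restrictions = split_list(inc.get("smtpd_recipient_restrictions", ""))
    closer_at = next((i for i, r in enumerate(restrictions) if r in CLOSERS), None)
    if closer_at is None:
        findings.append("incoming: no reject_unauth_destination (open relay risk)")
    elif "permit" in restrictions[:closer_at]:
        findings.append("incoming: bare 'permit' precedes the relay check")

    # Assumption: relayed mail leaves via the 'smtp' or 'relay' transport, so
    # both must be deferred for mail to wait in the queue for MailScanner.
    deferred = set(split_list(inc.get("defer_transports", "")))
    for transport in ("smtp", "relay"):
        if transport not in deferred:
            findings.append(f"incoming: transport '{transport}' is not deferred")

    if inc.get("queue_directory") == out.get("queue_directory"):
        findings.append("both instances use the same queue_directory")
    if "transport_maps" not in out:
        findings.append("outgoing: transport_maps is not set")

    relayed = {d.lower() for d in split_list("\n".join(logical_lines(relay_file)))}
    routed = set(parse_transport(transport_file))
    for domain in sorted(relayed - routed):
        findings.append(f"{domain}: accepted by incoming, no outgoing transport")
    for domain in sorted(routed - relayed):
        findings.append(f"{domain}: has a transport but incoming will refuse it")
    return findings

if __name__ == "__main__":
    for finding in check_gateway(INCOMING_MAIN_CF, RELAY_FILE,
                                 OUTGOING_MAIN_CF, TRANSPORT_FILE) or ["OK"]:
        print(finding)
```

Run it against copies of the real files after each change to either instance; an empty result means the accepted domains, the relay restriction and the outgoing routes still line up.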
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:21:29 2006 Subject: Postfix configuration/efficiency.... In-Reply-To: References: Message-ID: <3FD63B75.4080903@eatathome.com.au> Eric Sandquist wrote: > Periodically I see reference to setting up MailScanner with a single > instance of Postfix, instead of the standard 2 Postfix install > described in the instructions. > > Is there any advantage in doing this? Memory savings? Server load? I > need to maximize the efficiency of this machine... Are there any > instructions for this type of installation? or for converting from a > working standard installation? Are there any drawbacks to this type > of installation? > > Currently, we are running Dual PIII 500, 512Megs Ram... I've worked > very hard to get the server load down to about 4.... It has been as > high as 10... > > We are processing about 40,000 mails per day.... > > I realize that the best soution is a more powerful machine than this, > but the client company won't do it (until this one dies).... > ------------------------------------------------------------------------ > *Eric Sandquist* > *Systems Engineer* > *ICQ#: 10274846* > *Current ICQ status:* > > *+* *More ways to contact me * > www.ihms.net > www.messianicgroups.com > www.nazarene.net > www.amazinggroups.com > www.613commandments.com > www.hebrew-roots.com > www.netzarim.cc > www.momsonthego.us > ------------------------------------------------------------------------ > > *Home Business Opportunity!! > *- Travel, Taxes, Health, and More > > I am no expert - but Julian has repeatedly posted he believes that Sendmail and Exim are much faster than postfix when used with mailscanner. From raymond at PROLOCATION.NET Tue Dec 9 21:19:32 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:29 2006 Subject: Skipping queue run -- load average too high In-Reply-To: <200312092112.hB9LCKfX016449@fili.jiscmail.ac.uk> Message-ID: Hi! > Dec 8 18:12:30 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: > load average: 249 Dec 8 18:12:45 mx01 sm-mta-in[11584]: rejecting > connections on daemon MSA: load average: 194 Dec 8 18:13:02 mx01 > sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 151 Dec > 8 18:13:17 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load > average: 108 Dec 8 18:13:35 mx01 sm-mta-in[11584]: rejecting connections on > daemon MSA: load average: 84 Dec 8 18:13:50 mx01 sm-mta-in[11584]: With this load its most likely a undersized system. Reduce spam checks, disable SA and so on, to see where your problem is located. What system is it and whats your mail volume ? Bye, Raymond. From esandquist at IHMS.NET Tue Dec 9 21:17:03 2003 
From: esandquist at IHMS.NET (Eric Sandquist) Date: Thu Jan 12 21:21:29 2006 Subject: MailScanner and RedHat 6.0 In-Reply-To: <200312091924.49673.Antony@Soft-Solutions.co.uk> Message-ID: Well, I run Postfix on one server because it was the default in the Mandrake install... Also, the configuration was much easier than the cryptic .cf files in sendmail... I have a RH7.2 server running sendmail and it seems to run at a much lower load than Postfix does... Both are running MailScanner and SpamAssassin and ClamAV... Both running Apache, Squirelmail, and Sympa... The RH7.2 is handling about 28 domains, and about 100 users... The Mandrake 9.1 machine is running 1 domain and about 300 users... The Mandrake machine is a dual PIII 500, 512megs ram, raid 5 array - server load never goes below 3, almost always 6, sometimes higher.. The RH7.2 is a 800mhz Celeron, 128meg ram, single IDE drive - Server load is almost never 1... usually about .1-.5 Wish I could get the Postfix machine to perform like that... :( Don't know why the difference in performance is so great... Been beating this horse for while now... I would have expected the Mandrake machine to outperform the RH machine based on the higher end hardware... Eric -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Antony Stone Sent: Tuesday, December 09, 2003 1:25 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MailScanner and RedHat 6.0 On Tuesday 09 December 2003 7:17 pm, Jason Balicki wrote: > >What would be the advantage of choosing postfix instead? > > This isn't the answer you were looking for, but here it is > anyway... > > Sometimes it's not a matter of choosing. We run a packaged > server that is a open source based Exchange replacement. > > The system is an all in one bundle that includes Postfix. > > While I'm sure I could change things around to use Sendmail > or Exim, it's not broke so I'm not fixing it. Well, I guess > that is a choice, but you get what I'm saying, hopefully. :) Indeed - I understand what you're saying. Hopefully some others on the list can contribute their opinions on why someone would choose postfix over sendmail or exim, assuming the opportunity for choice exists. I'm still curious to know postfix's advantages. Thanks for the response. Just out of interest, what is the bundled solution you are using? Antony. -- Most people are aware that the Universe is big. - Paul Davies, Professor of Theoretical Physics Please reply to the list; please don't CC me. From sysadmins at ENHTECH.COM Tue Dec 9 22:26:21 2003 From: sysadmins at ENHTECH.COM (Errol Neal) Date: Thu Jan 12 21:21:29 2006 Subject: Upgrading on RPM based system Message-ID: <6.0.0.22.0.20031209172357.02c1d670@mail.enhtech.com> Hi folks, I'm using RH 7.3 and I am using one MailScanner release below the most current version; installed from RPM. When upgrading MailScanner from RPM, is the configuration from my existing install merged into the new install? Or do I need to pretty much go through and reconfigure everything again? Best Regards, Errol Neal From peter at UCGBOOK.COM Tue Dec 9 22:41:42 2003 
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:21:29 2006
Subject: Translation request - Swedish
In-Reply-To: <6.0.1.1.2.20031209182323.027bf820@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20031209182323.027bf820@imap.ecs.soton.ac.uk>
Message-ID: <3FD64FA6.5010501@ucgbook.com>

"För många bilagor i meddelandet"

/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.23-11,
SpamAssassin 2.60 + DCC 1.2.9, ClamAV 20030829

Julian Field wrote:
> Hi all!
>
> Please can you translate
> Too many attachments in message
> into all your favourite languages.
>
> It is used as a report in a message that contains more file attachments
> than are permitted in MailScanner.conf.
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

From KCollins at NESBITTENGINEERING.COM Tue Dec 9 23:57:08 2003
From: KCollins at NESBITTENGINEERING.COM (Collins, Kevin)
Date: Thu Jan 12 21:21:29 2006
Subject: Slackware 9.1, Postfix, and MailScanner
Message-ID: <2B1F39EA56FA7643A328F66521D41B760EAB@magellan.nesbitt.local>

Ok, I've tried for about 7 hours to get the above combination to work. I've been successful with the first two. My box sends e-mail with Postfix just fine, I even have it so it relays to my Exchange box. So far so good.

But I can't get MailScanner to check any of the mails. Here is a piece of the maillog.

---------------------------------------------------------------------------------
Dec 9 13:22:52 freedom MailScanner[8244]: MailScanner E-Mail Virus Scanner version 4.25-14 starting...
Dec 9 13:22:52 freedom MailScanner[8244]: Using locktype = flock
Dec 9 13:23:03 freedom postfix/pickup[8155]: 17EAA2A9F5: uid=0 from=
Dec 9 13:23:03 freedom postfix/cleanup[8248]: 17EAA2A9F5: message-id=<20031209182303.GA8240@freedom.nesbittengineering.com>
Dec 9 13:23:03 freedom postfix/qmgr[8156]: 17EAA2A9F5: from=, size=470, nrcpt=1 (queue active)
Dec 9 13:23:03 freedom postfix/smtp[8250]: 17EAA2A9F5: to=, relay=magellan.nesbitt.local[10.200.8.252], delay=0, status=sent (250 OK)
---------------------------------------------------------------------------------

As you can see MailScanner is running, and Postfix properly picks up and delivers the e-mail. But MailScanner never touches it.

I followed the following websites' directions to set up Postfix and MailScanner:

MailScanner Install:
http://www.sng.ecs.soton.ac.uk/mailscanner/install/mailscanner.shtml

MailScanner with Postfix Configuration:
http://www.sng.ecs.soton.ac.uk/mailscanner/install/postfix.shtml

So my question is this: What have I got screwed to cause this kind of behavior?

As of right now, I've just got MailScanner and Postfix installed. Once I get the scanning taking place - i.e. I get a "Scanned" added to the subject line of my e-mails - I'm going to add SpamAssassin and ClamAV to the mix.
If there are additional pieces of information needed, just let me know. I'll pass that along as I can. -- Kevin L. Collins, MCSE Systems Manager Nesbitt Engineering, Inc. From pete at eatathome.com.au Wed Dec 10 01:03:17 2003 
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:21:29 2006
Subject: Slackware 9.1, Postfix, and MailScanner
In-Reply-To: <2B1F39EA56FA7643A328F66521D41B760EAB@magellan.nesbitt.local>
References: <2B1F39EA56FA7643A328F66521D41B760EAB@magellan.nesbitt.local>
Message-ID: <3FD670D5.8020509@eatathome.com.au>

Collins, Kevin wrote:

>Ok, I've tried for about 7 hours to get the above combination to work. I've
>been successful with the first two. My box sends e-mail with Postfix just
>fine, I even have it so it relays to my Exchange box. So far so good.
>
>But I can't get MailScanner to check any of the mails. Here is a piece of
>the maillog.
>
>---------------------------------------------------------------------------------
>Dec 9 13:22:52 freedom MailScanner[8244]: MailScanner E-Mail Virus Scanner version 4.25-14 starting...
>Dec 9 13:22:52 freedom MailScanner[8244]: Using locktype = flock
>Dec 9 13:23:03 freedom postfix/pickup[8155]: 17EAA2A9F5: uid=0 from=
>Dec 9 13:23:03 freedom postfix/cleanup[8248]: 17EAA2A9F5: message-id=<20031209182303.GA8240@freedom.nesbittengineering.com>
>Dec 9 13:23:03 freedom postfix/qmgr[8156]: 17EAA2A9F5: from=, size=470, nrcpt=1 (queue active)
>Dec 9 13:23:03 freedom postfix/smtp[8250]: 17EAA2A9F5: to=, relay=magellan.nesbitt.local[10.200.8.252], delay=0, status=sent (250 OK)
>---------------------------------------------------------------------------------
>
>As you can see MailScanner is running, and Postfix properly picks up and
>delivers the e-mail. But MailScanner never touches it.
>
>I followed the following websites' directions to set up Postfix and
>MailScanner:
>
>MailScanner Install:
>http://www.sng.ecs.soton.ac.uk/mailscanner/install/mailscanner.shtml
>
>MailScanner with Postfix Configuration:
>http://www.sng.ecs.soton.ac.uk/mailscanner/install/postfix.shtml
>
>
>So my question is this: What have I got screwed to cause this kind of
>behavior?
>
>As of right now, I've just got MailScanner and Postfix installed. Once I
>get the scanning taking place - i.e. I get a "Scanned" added to the subject
>line of my e-mails - I'm going to add SpamAssassin and ClamAV to the mix.
>
>If there are additional pieces of information needed, just let me know.
>I'll pass that along as I can.
>
>--
>Kevin L. Collins, MCSE
>Systems Manager
>Nesbitt Engineering, Inc.
>
>

I am no expert - but it looks like you are sending mail from the local machine - mailscanner won't be scanning this mail - get a mail client on another machine, make the outbound SMTP addy your mailscanner machine and send your new mail - have a tail -f /var/yourlogfilepath console running to watch what happens.

From kodak at FRONTIERHOMEMORTGAGE.COM Wed Dec 10 01:04:16 2003
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki)
Date: Thu Jan 12 21:21:29 2006
Subject: Slackware 9.1, Postfix, and MailScanner
In-Reply-To: <2B1F39EA56FA7643A328F66521D41B760EAB@magellan.nesbitt.local>
Message-ID: <000401c3beb9$88d34440$0501a8c0@darkside>

>
>If there are additional pieces of information needed, just let me know.
>I'll pass that along as I can.

Post *both* of your main.cf files. You should have one in /etc/postfix.in and /etc/postfix. Please label as to which is which.

(Nothing personal, just experience... :)

--J(K)

From harryh at CET.COM Wed Dec 10 02:17:26 2003
From: harryh at CET.COM (Harry Hanson)
Date: Thu Jan 12 21:21:29 2006
Subject: Skipping queue run -- load average too high
In-Reply-To:
Message-ID: <200312100217.hBA2HlfX000445@fili.jiscmail.ac.uk>

Dual 1.6 xeon, 1gb memory, 10k rpm u320 scsi drives in raid0 config, 1gb ram.

Freebsd 5.1

It would seem to me either an I/O issue, as the cpu rarely exceeds 5% usage, or perhaps I have something set too low?

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Raymond Dijkxhoorn
> Sent: Tuesday, December 09, 2003 1:20 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Skipping queue run -- load average too high
>
> Hi!
>
> > Dec 8 18:12:30 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 249
> > Dec 8 18:12:45 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 194
> > Dec 8 18:13:02 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 151
> > Dec 8 18:13:17 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 108
> > Dec 8 18:13:35 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 84
> > Dec 8 18:13:50 mx01 sm-mta-in[11584]:
>
> With this load it's most likely an undersized system. Reduce
> spam checks, disable SA and so on, to see where your problem
> is located.
>
> What system is it and what's your mail volume ?
>
> Bye,
> Raymond.
>

From ugob at CAMO-ROUTE.COM Wed Dec 10 03:02:44 2003
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:29 2006
Subject: Skipping queue run -- load average too high
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE281@mtlnt501fs.CAMOROUTE.COM>

> -----Message d'origine-----
> De : Harry Hanson [mailto:harryh@CET.COM]
> Envoyé : Tuesday, December 09, 2003 9:17 PM
> À : MAILSCANNER@JISCMAIL.AC.UK
> Objet : Re: Skipping queue run -- load average too high
>
>
> Dual 1.6 xeon, 1gb memory, 10k rpm u320 scsi drives in raid0
> config, 1gb
> ram.

What is your daily mail volume?

>
> Freebsd 5.1
>
> It would seem to me either an I/O issue, as the cpu rarely exceeds 5%
> usage, or perhaps I have something set too low?
>

If you've got vmstat on freebsd, use it... type vmstat 1.

this will tell you if you have processes waiting for I/O. (see man vmstat)

>
>
> > -----Original Message-----
> > From: MailScanner mailing list
> > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Raymond Dijkxhoorn
> > Sent: Tuesday, December 09, 2003 1:20 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Skipping queue run -- load average too high
> >
> > Hi!
> >
> > > Dec 8 18:12:30 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 249
> > > Dec 8 18:12:45 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 194
> > > Dec 8 18:13:02 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 151
> > > Dec 8 18:13:17 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 108
> > > Dec 8 18:13:35 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 84
> > > Dec 8 18:13:50 mx01 sm-mta-in[11584]:
> >
> > With this load it's most likely an undersized system. Reduce
> > spam checks, disable SA and so on, to see where your problem
> > is located.
> >
> > What system is it and what's your mail volume ?
> >
> > Bye,
> > Raymond.
> >
>

From hahanson at COMCAST.NET Wed Dec 10 04:32:29 2003
From: hahanson at COMCAST.NET (Harry Hanson)
Date: Thu Jan 12 21:21:29 2006
Subject: MailScanner (Batch: Found invalid qf queue file..)
Message-ID: <002801c3bed6$a16a1a70$6800a8c0@elebrin>

all of the sudden started seeing these types of errors..

Dec 9 18:10:05 mx01 MailScanner[96276]: Batch: Found invalid qf queue file for message hB926xWh038695
Dec 9 18:10:05 mx01 MailScanner[96276]: Batch: Found invalid qf queue file for message hB927GWh038481
Dec 9 18:10:05 mx01 MailScanner[96543]: Batch: Found invalid qf queue file for message hB926xWh038695
Dec 9 18:10:05 mx01 MailScanner[96543]: Batch: Found invalid qf queue file for message hB927GWh038481
Dec 9 18:10:05 mx01 MailScanner[96416]: Virus and Content Scanning: Starting
Dec 9 18:10:05 mx01 MailScanner[96160]: Batch: Found invalid qf queue file for message hB926xWh038695
Dec 9 18:10:05 mx01 MailScanner[96160]: Batch: Found invalid qf queue file for message hB927GWh038481
Dec 9 18:10:06 mx01 MailScanner[96696]: Batch: Found invalid qf queue file for message hB926xWh038695
Dec 9 18:10:06 mx01 MailScanner[96696]: Batch: Found invalid qf queue file for message hB927GWh038481

any ideas what might be causing these, or why?

thanks.

From harryh at CET.COM Wed Dec 10 05:47:19 2003
From: harryh at CET.COM (Harry Hanson)
Date: Thu Jan 12 21:21:29 2006
Subject: Skipping queue run -- load average too high
In-Reply-To: <54C38A0B814C8E438EF73FC76F3629273AE281@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <200312100547.hBA5lhfX007571@fili.jiscmail.ac.uk>

> > -----Message d'origine-----
> > De : Harry Hanson [mailto:harryh@CET.COM]
> > Envoyé : Tuesday, December 09, 2003 9:17 PM
> > À : MAILSCANNER@JISCMAIL.AC.UK
> > Objet : Re: Skipping queue run -- load average too high
> >
> >
> > Dual 1.6 xeon, 1gb memory, 10k rpm u320 scsi drives in raid0 config,
> > 1gb ram.
>
> What is your daily mail volume?

Here's an example from midnight to current time:

Log starts at Dec 9 00 00:01 and ends at Dec 9 21 41:42

Total bytes transferred: 1496649
Total bytes In: 0
Messages Out: 33742
Messages In: 0

Messages per hour (each dot is 181 messages)
________________
 0:  827 ....
 1:  838 ....
 2:  745 ....
 3:  793 ....
 4:  778 ....
 5:  804 ....
 6:  805 ....
 7:  856 ....
 8:  781 ....
 9:  839 ....
10:  748 ....
11:  871 ....
12:  799 ....
13:  778 ....
14:  823 ....
15: 9056 ..................................................
16: 6625 ....................................
17: 1462 ........
18: 1478 ........
19: 1383 .......
20: 1364 .......
21: 1056 .....
22:    0
23:    0

> >
> > Freebsd 5.1
> >
> > It would seem to me either an I/O issue, as the cpu rarely exceeds 5%
> > usage, or perhaps I have something set too low?
> >
> If you've got vmstat on freebsd, use it... type vmstat 1.
>
> this will tell you if you have processes waiting for I/O.
> (see man vmstat)

My apologies; I am rather a newbie with freebsd; this is my first. Here's a current snapshot (tho I have to read the man page more; it scrolls continually and not sure how to interpret the output):

 procs      memory       page                     disks    faults     cpu
 r b w     avm    fre   flt re pi po    fr sr aa0 aa1  in sy   cs us sy id
 0 0 0  224380 314004 11724  0  0  0 10377  0  17   0 533  0 2964 34 28 38
 0 1 0  224896 313344   147  0  0  0    41  0   3  57 688  0 1570  2 11 87
 0 0 1  221424 315056    48  0  0  0   469  0   0   5 445  0  595  0  4 96
 0 1 1  224296 313860   331  0  0  0    80  0   0  26 553  0  927  1  5 94
 0 0 1  224332 313400   124  0  0  0    43  0   0  32 626  0 1106  1  5 94
 0 0 1  226080 312884  5447  0  0  0  4632  0   8  32 660  0 1577 16 13 71
 0 0 1  222444 314720   178  0  0  0   685  0   0  56 714  0 1401  1  8 91
 0 0 1  222940 314612   292  0  0  0   305  0   0  30 492  0  782  0  4 96
 0 0 1  223712 314196   113  0  0  0    13  0   0   0 404  0  488  0  4 96
 0 0 3  233728 311680  5302  0  0  0  4153  0  10   0 490  0  981  9 15 76
 0 0 1  220824 315280  3880  0  0  0  4300  0   2   0 593  0 1151 14 10 76
 0 0 1  219360 315836   266  0  0  0   436  0   0  24 553  0  929  1  4 95
 0 2 1  220908 315104   468  0  0  0   315  0   0   7 607  0 1027  1  7 92
 0 0 1  219352 316120   256  0  0  0   557  0   0  43 602  0 1086  1  5 94
 0 1 2  224964 313308  6070  0  0  0  4839  0  20   9 518  0 1083 11 16 72
 0 0 0  221508 315068  3038  0  0  0  3045  0   0  17 641  0 1304 16  8 76
 0 0 0  221552 315000   135  0  0  0   130  0   0  11 496  0  744  0  6 94
 0 0 0  220272 315616   117  0  0  0   303  0  11  36 540  0  914  1  4 95
 0 0 0  220264 315652   362  0  0  0   387  0   0   9 517  0  777  1  4 95
 0 1 1  223036 314032  4288  0  0  0  3483  0  12  19 567  0 1294 11 13 76
 0 0 0  218800 316340  2958  0  0  0  3155  0   0  57 797  0 3355 13 18 69
 0 0 0  215380 318212   488  0  0  0   971  0   0   9 540  0  855  0  7 92
 procs      memory       page                     disks    faults     cpu

From gioia at bclink.it Wed Dec 10 07:59:57 2003
From: gioia at bclink.it (Gioia Bastioni)
Date: Thu Jan 12 21:21:29 2006
Subject: R: Translation request - italian
In-Reply-To: <6.0.1.1.2.20031209182323.027bf820@imap.ecs.soton.ac.uk>
Message-ID:

- Troppi allegati nel messaggio -

-----Messaggio originale-----
Da: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]Per conto di Julian Field
Inviato: martedì 9 dicembre 2003 19.25
A: MAILSCANNER@JISCMAIL.AC.UK
Oggetto: Translation request

Hi all!

Please can you translate
        Too many attachments in message
into all your favourite languages.

It is used as a report in a message that contains more file attachments than are permitted in MailScanner.conf.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mike at TC3NET.COM Tue Dec 9 13:42:24 2003
From: mike at TC3NET.COM (Michael Baird)
Date: Thu Jan 12 21:21:29 2006
Subject: per_user prefs not working ?
In-Reply-To: <6.0.1.1.2.20031209085503.03d1e130@imap.ecs.soton.ac.uk>
References: <1070896552.14580.31.camel@mike-new2.tc3net.com> <6.0.1.1.2.20031209085503.03d1e130@imap.ecs.soton.ac.uk>
Message-ID: <1070977344.18391.17.camel@mike-new2.tc3net.com>

Ok, I looked in the rulesets, still not sure, how to go about it, can you give me an example, of what needs to be set in MailScanner and a default ruleset (I read on the list it doesn't work, so I stopped trying).

I imagine the ruleset would look like

To: test@domain.com /home/users/test/.spamassassin/user_prefs
FromOrTo: default /etc/MailScanner/user_prefs

In MailScanner.conf I would point SpamAssassin Prefs File to this ruleset? What about Spamassassin User State Dir, I have that set to nothing, should the ruleset go here? Should this look up each individual's ~/.spamassassin/user_prefs by default? If there is an easy way to do this I'd prefer it.

Regards
MIKE

> You can do all the user_prefs mentioned below in MailScanner rulesets. No
> need for procmail hacks.
> See /etc/MailScanner/rules/*
>
> At 15:15 08/12/2003, you wrote:
> >MailScanner won't use per user spamassassin preferences, it uses the
> >prefs file specified in MailScanner.conf for all users or
> >/root/.spamassassin, since MailScanner runs as root. I faced this issue
> >myself when I migrated my spam scanning to MailScanner, my solution was
> >to create a procmail ruleset, which duplicates all my users individual
> >spamassassin user_prefs behaviors (hit threshold, spam tag, whitelist,
> >blacklist). I just have MailScanner check the spamlevel and such. I'll
> >post the recipe here (I'm still working on making the
> >whitelist/blacklist work better). Scanning all messages through
> >MailScanner and filtering via a procmail ruleset, has lowered my load
> >averages tremendously, as opposed to calling spamc via a procmail
> >ruleset.
> >
> >
> >INCLUDERC=$HOME/.procmail/.spamprefs
> >WHITELIST=$HOME/.procmail/.whitelist
> >BLACKLIST=$HOME/.procmail/.blacklist
> >
> >:0
> >* < 20000
> >{
> >        :0
> >        * ?egrep --silent --file $WHITELIST
> >        $DEFAULT
> >        :0
> >        * ?egrep --silent --file $BLACKLIST
> >        /dev/null
> >        :0
> >        *$ ^X-TC3Net-Level: $SPAMLEVEL
> >        {
> >                :0
> >                * ^Subject:[ ]*\/[^ ].*
> >                {
> >                        SUBJECT=$MATCH
> >                }
> >                :0 fw
> >                | formail -I "Subject: $SPAMTAG $SUBJECT"
> >                :0
> >                $SPAMBOX
> >        }
> >}
> >
> >Where .whitelist and .blacklist are just list of email addresses, and
> >.spamprefs contains a few variable definitions used in the recipe.
> >
> >SPAMLEVEL=xxxxxxxxxx
> >SPAMTAG=*****SPAM*****
> >SPAMBOX=.maildir/
> >
> >Regards
> >MIKE
> >
> > > Hi
> > >
> > > I am trying to get the per_user preferences working
> > >
> > > I set SpamAssassin User State Dir = ~/.spamassassin/
> > > in /etc/MailScanner.conf
> > >
> > > I then created a .spamassassin directory in my home dir
> > >
> > > I then create a file user_prefs in this directory
> > >
> > > inside the user_prefs file i put required_hits 10
> > >
> > > i then chown and chmod accordingly
> > >
> > > Restart MailScanner and send a test spam.
> > >
> > > The headers still tell me it is working on a required hits of 5
> > >
> > > What am i doing wrong?
> > >
> > > Regards
> > >
> > > Stuart Clark RHCE
> > > Spacelink Communications Pty Ltd
> > >
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

From andersjk at SOL-INVICTUS.ORG Wed Dec 10 09:03:30 2003
From: andersjk at SOL-INVICTUS.ORG (Kevin Anderson)
Date: Thu Jan 12 21:21:29 2006
Subject: Translation request (German)
In-Reply-To: <6.0.1.1.2.20031209182323.027bf820@imap.ecs.soton.ac.uk>
Message-ID:

Zu viele Anhänge in e-mail.

thanks,
k

On Tue, 9 Dec 2003, Julian Field wrote:

> Hi all!
>
> Please can you translate
>         Too many attachments in message
> into all your favourite languages.
>
> It is used as a report in a message that contains more file attachments
> than are permitted in MailScanner.conf.
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

--
@
_____________________________________________
chaos, panic and disorder... my job is done...

From martinh at SOLID-STATE-LOGIC.COM Wed Dec 10 09:09:26 2003
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:21:29 2006
Subject: Skipping queue run -- load average too high
In-Reply-To: <200312100547.hBA5lhfX007571@fili.jiscmail.ac.uk>
References: <200312100547.hBA5lhfX007571@fili.jiscmail.ac.uk>
Message-ID: <3FD6E2C6.1080902@solid-state-logic.com>

Harry Hanson wrote:
>>>-----Message d'origine-----
>>>De : Harry Hanson [mailto:harryh@CET.COM]
>>>Envoyé : Tuesday, December 09, 2003 9:17 PM
>>>À : MAILSCANNER@JISCMAIL.AC.UK
>>>Objet : Re: Skipping queue run -- load average too high
>>>
>>>
>>>Dual 1.6 xeon, 1gb memory, 10k rpm u320 scsi drives in raid0 config,
>>>1gb ram.
>>
>>What is your daily mail volume?
>
>
> Here's an example from midnight to current time:
>
> Log starts at Dec 9 00 00:01 and ends at Dec 9 21 41:42
>
> Total bytes transferred: 1496649
> Total bytes In: 0
> Messages Out: 33742
> Messages In: 0
>
> Messages per hour (each dot is 181 messages)
> ________________
>  0:  827 ....
>  1:  838 ....
>  2:  745 ....
>  3:  793 ....
>  4:  778 ....
>  5:  804 ....
>  6:  805 ....
>  7:  856 ....
>  8:  781 ....
>  9:  839 ....
> 10:  748 ....
> 11:  871 ....
> 12:  799 ....
> 13:  778 ....
> 14:  823 ....
> 15: 9056 ..................................................
> 16: 6625 ....................................
> 17: 1462 ........
> 18: 1478 ........
> 19: 1383 .......
> 20: 1364 .......
> 21: 1056 .....
> 22:    0
> 23:    0
>
>
>
>>>Freebsd 5.1
>>>
>>>It would seem to me either an I/O issue, as the cpu rarely exceeds 5%
>>>usage, or perhaps I have something set too low?
>>>
>>
>>If you've got vmstat on freebsd, use it... type vmstat 1.
>>
>>this will tell you if you have processes waiting for I/O.
>>(see man vmstat)
>
>
> My apologies; I am rather a newbie with freebsd; this is my first. Here's a
> current snapshot (tho I have to read the man page more; it scrolls
> continually and not sure how to interpret the output):
>
>
>  procs      memory       page                     disks    faults     cpu
>  r b w     avm    fre   flt re pi po    fr sr aa0 aa1  in sy   cs us sy id
>  0 0 0  224380 314004 11724  0  0  0 10377  0  17   0 533  0 2964 34 28 38
>  0 1 0  224896 313344   147  0  0  0    41  0   3  57 688  0 1570  2 11 87
>  0 0 1  221424 315056    48  0  0  0   469  0   0   5 445  0  595  0  4 96
>  0 1 1  224296 313860   331  0  0  0    80  0   0  26 553  0  927  1  5 94
>  0 0 1  224332 313400   124  0  0  0    43  0   0  32 626  0 1106  1  5 94
>  0 0 1  226080 312884  5447  0  0  0  4632  0   8  32 660  0 1577 16 13 71
>  0 0 1  222444 314720   178  0  0  0   685  0   0  56 714  0 1401  1  8 91
>  0 0 1  222940 314612   292  0  0  0   305  0   0  30 492  0  782  0  4 96
>  0 0 1  223712 314196   113  0  0  0    13  0   0   0 404  0  488  0  4 96
>  0 0 3  233728 311680  5302  0  0  0  4153  0  10   0 490  0  981  9 15 76
>  0 0 1  220824 315280  3880  0  0  0  4300  0   2   0 593  0 1151 14 10 76
>  0 0 1  219360 315836   266  0  0  0   436  0   0  24 553  0  929  1  4 95
>  0 2 1  220908 315104   468  0  0  0   315  0   0   7 607  0 1027  1  7 92
>  0 0 1  219352 316120   256  0  0  0   557  0   0  43 602  0 1086  1  5 94
>  0 1 2  224964 313308  6070  0  0  0  4839  0  20   9 518  0 1083 11 16 72
>  0 0 0  221508 315068  3038  0  0  0  3045  0   0  17 641  0 1304 16  8 76
>  0 0 0  221552 315000   135  0  0  0   130  0   0  11 496  0  744  0  6 94
>  0 0 0  220272 315616   117  0  0  0   303  0  11  36 540  0  914  1  4 95
>  0 0 0  220264 315652   362  0  0  0   387  0   0   9 517  0  777  1  4 95
>  0 1 1  223036 314032  4288  0  0  0  3483  0  12  19 567  0 1294 11 13 76
>  0 0 0  218800 316340  2958  0  0  0  3155  0   0  57 797  0 3355 13 18 69
>  0 0 0  215380 318212   488  0  0  0   971  0   0   9 540  0  855  0  7 92
>  procs      memory       page                     disks    faults     cpu

hmm seems to be page faulting quite a bit, which is unusual for something relatively high CPU/memory wise.

what checks have you got on SA and MS? Esp what checks are running for RBL's and pyzor?

sendmail is saying the machine is too busy to process mail, hence the log messages..

you say you've got the disk configured as RAID 0 (striping), is this hardware or software RAID (vinum?).

have you turned on softupdates on the filesystem containing the spool files - this can make a lot of difference as regards I/O.

How have you split up the filesystems? single / or /, /usr, /home and /var?

Just wondering why you choose FreeBSD 5.1 as this is still considered 'unstable'? The current 'stable' release is 4.9. But my tests seem to indicate 5.x tree is much faster than 4.8...

I run FreeBSD 4.8 with Exim 4.24 and MS 4.24 (no RBL's/pyzor) using Sophos-Savi and ClamAV with Mailwatch and the mysql DB all on the same machine - celeron 600mhz, single ATA1-100 disk and a single / partition. runs 9,000 messages a day without breaking above 1.5 on load average.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.

**********************************************************************

From mailscanner at ecs.soton.ac.uk Wed Dec 10 09:11:14 2003
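Added example (not part of any message in this thread): a Python sketch of how to read the `vmstat 1` output discussed above, run over the first ten samples Harry posted. It counts samples with blocked processes (the b column), checks whether any page-in or page-out activity (pi/po) accompanies the fault bursts (flt), and averages idle CPU; the fault_burst threshold of 1000 is an assumption chosen for illustration.

```python
from statistics import mean

# Column order of the FreeBSD layout posted in the thread (disks aa0 and aa1).
# The two "sy" columns are renamed here so they stay distinct.
COLUMNS = ["r", "b", "w", "avm", "fre", "flt", "re", "pi", "po", "fr", "sr",
           "aa0", "aa1", "in", "syscalls", "cs", "us", "sys", "id"]

# First ten samples from the post, with its two header lines.
SAMPLE = """\
 procs memory page disks faults cpu
 r b w avm fre flt re pi po fr sr aa0 aa1 in sy cs us sy id
 0 0 0 224380 314004 11724 0 0 0 10377 0 17 0 533 0 2964 34 28 38
 0 1 0 224896 313344 147 0 0 0 41 0 3 57 688 0 1570 2 11 87
 0 0 1 221424 315056 48 0 0 0 469 0 0 5 445 0 595 0 4 96
 0 1 1 224296 313860 331 0 0 0 80 0 0 26 553 0 927 1 5 94
 0 0 1 224332 313400 124 0 0 0 43 0 0 32 626 0 1106 1 5 94
 0 0 1 226080 312884 5447 0 0 0 4632 0 8 32 660 0 1577 16 13 71
 0 0 1 222444 314720 178 0 0 0 685 0 0 56 714 0 1401 1 8 91
 0 0 1 222940 314612 292 0 0 0 305 0 0 30 492 0 782 0 4 96
 0 0 1 223712 314196 113 0 0 0 13 0 0 0 404 0 488 0 4 96
 0 0 3 233728 311680 5302 0 0 0 4153 0 10 0 490 0 981 9 15 76
"""


def parse_vmstat(text):
    """Return one dict per data row, keyed by COLUMNS."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows carry one integer per column; the header lines, which
        # vmstat repeats periodically, fail this test and are skipped.
        if len(fields) == len(COLUMNS) and all(f.isdigit() for f in fields):
            rows.append(dict(zip(COLUMNS, map(int, fields))))
    return rows


def summarise(rows, fault_burst=1000):
    """Condense the samples; fault_burst is an arbitrary example threshold."""
    if not rows:
        raise ValueError("no vmstat data rows found")
    return {
        "samples": len(rows),
        # b > 0: processes blocked waiting for resources such as disk I/O.
        "blocked_samples": sum(1 for r in rows if r["b"] > 0),
        "max_blocked": max(r["b"] for r in rows),
        # pi/po > 0 would mean pages moving to or from backing store.
        "swap_paging": any(r["pi"] or r["po"] for r in rows),
        "fault_bursts": sum(1 for r in rows if r["flt"] >= fault_burst),
        "mean_idle": round(mean([r["id"] for r in rows]), 1),
        "min_idle": min(r["id"] for r in rows),
    }


if __name__ == "__main__":
    for key, value in summarise(parse_vmstat(SAMPLE)).items():
        print(f"{key:16} {value}")
```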
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:29 2006
Subject: Upgrading on RPM based system
In-Reply-To: <6.0.0.22.0.20031209172357.02c1d670@mail.enhtech.com>
References: <6.0.0.22.0.20031209172357.02c1d670@mail.enhtech.com>
Message-ID: <6.0.1.1.2.20031210091049.03a3a988@imap.ecs.soton.ac.uk>

Do the "./install.sh" and then type "upgrade_MailScanner_conf".

At 22:26 09/12/2003, you wrote:
>Hi folks,
>
>I'm using RH 7.3 and I am using one MailScanner release below the most
>current version; installed from RPM. When upgrading MailScanner from RPM,
>is the configuration from my existing install merged into the new install?
>Or do I need to pretty much go through and reconfigure everything again?
>
>
>Best Regards,
>
>
>Errol Neal

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From joan.bryan at KCL.AC.UK Wed Dec 10 10:31:34 2003
From: joan.bryan at KCL.AC.UK (Joan Bryan)
Date: Thu Jan 12 21:21:29 2006
Subject: Solaris with stats options
In-Reply-To: <1070936884.3fd533348e7fc@webemail.bsd.uchicago.edu>
References: <1070936884.3fd533348e7fc@webemail.bsd.uchicago.edu>
Message-ID:

Hi Ian

I have mailscanner-mrtg running on solaris 9. However the graphs for ethernet traffic and memory are not working as there is no easy way of gathering these statistics, and I have not had time to look at this further. Also I had to slightly alter the option for the number of mailscanners running in /usr/sbin/mailscanner-mrtg from ps -oe to ps -ef, as for some reason it gave a blank line for the mailscanner processes and possibly other processes. I did not have to do this for the number of mailscanners - a solaris bug!

Feel free to contact me off list.

Joan

On Mon, 8 Dec 2003 20:28:04 -0600 Ian Miller wrote:

> Has anyone had any luck setting up mailscanner-mrtg on solaris?
> I am running solaris 9 and only get a lot of errors in the cronlog and nothing on
> the stats page.
>
>
> --
> Ian Miller
> Sr. Systems Engineer
> University of Chicago
> imiller@bsd.uchicago.edu

----------------------
Joan Bryan
Unix Systems Administrator
Information Systems
Telephone: +44 (0) 20 7848 2671
mailto:joan.bryan@kcl.ac.uk

From prandal at HEREFORDSHIRE.GOV.UK Wed Dec 10 10:32:49 2003
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:21:29 2006
Subject: could not analyze/too many attachments
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3C5@jessica.herefordshire.gov.uk>

On the subject of confusing error messages, the following is starting to get a tad irritating:

Subject: Warning: E-mail viruses detected

Body:

The following e-mail messages were found to have viruses in them:

    Sender: a@b.c.d
IP Address: 10.2.3.4
 Recipient: me@here
   Subject: Whatever
 MessageID: xxxxxxxxxxxxxx
    Report: MailScanner: No AVI movies allowed (worldcup1.avi)

Excuse me, it's not a virus!

I've had a quick peek at the report files and it seems that there is no clear delineation between viruses and other blocked attachments. Am I missing something obvious here?

Cheers,

Phil
---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Julian Field
> Sent: 09 December 2003 18:23
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: could not analyze/too many attachments
>
>
> At 16:54 09/12/2003, you wrote:
> >Julian,
> > I know there was a thread recently about "Could not
> >analyze message" coming out in the virus report, when the
> >issue is really "too many attachments" from the
> >"Maximum Attachments Per Message" setting. I did a bonehead
> >move of setting this to 20 instead of 200, and then had to
> >quarantine the problem message after the sender complained,
> >stare at it and MS code, and figure out the problem. Will
> >this "Could not analyze" message be clearer in the next
> >version?
>
> You can already change the error message, but only for all unparsable
> messages. It's in your languages.conf file, the line that
> starts "CantAnalyze".
>
> However, I agree that it should be separate from that error
> message. The
> fix will be in the next release, but attached are patches to
> Message.pm,
> MessageBatch.pm and languages.conf (English only right now) which will
> implement it.
>

From mailscanner at ecs.soton.ac.uk Wed Dec 10 11:04:36 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:29 2006
Subject: could not analyze/too many attachments
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3C5@jessica.herefordshire.gov.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3C5@jessica.herefordshire.gov.uk>
Message-ID: <6.0.1.1.2.20031210110312.08f21b78@imap.ecs.soton.ac.uk>

If you don't like it, change it.
Read languages.conf and you will see there is a "NoticeSubject" entry in there.

As a general point, before posting stuff like this to the list *please* check that you can't configure the setting you don't like. Repeatedly saying RTFM is getting kinda tedious.

At 10:32 10/12/2003, you wrote:
>On the subject of confusing error messages, the following is starting to get
>a tad irritating:
>
>Subject: Warning: E-mail viruses detected
>
>Body:
>
>The following e-mail messages were found to have viruses in them:
>
>    Sender: a@b.c.d
>IP Address: 10.2.3.4
> Recipient: me@here
>   Subject: Whatever
> MessageID: xxxxxxxxxxxxxx
>    Report: MailScanner: No AVI movies allowed (worldcup1.avi)
>
>Excuse me, it's not a virus!
>
>I've had a quick peek at the report files and it seems that there is no
>clear delineation between viruses and other blocked attachments. Am I
>missing something obvious here?
>
>Cheers,
>
>Phil
>---------------------------------------------
>Phil Randal
>Network Engineer
>Herefordshire Council
>Hereford, UK
>
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> > Behalf Of Julian Field
> > Sent: 09 December 2003 18:23
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: could not analyze/too many attachments
> >
> >
> > At 16:54 09/12/2003, you wrote:
> > >Julian,
> > > I know there was a thread recently about "Could not
> > >analyze message" coming out in the virus report, when the
> > >issue is really "too many attachments" from the
> > >"Maximum Attachments Per Message" setting. I did a bonehead
> > >move of setting this to 20 instead of 200, and then had to
> > >quarantine the problem message after the sender complained,
> > >stare at it and MS code, and figure out the problem. Will
> > >this "Could not analyze" message be clearer in the next
> > >version?
> >
> > You can already change the error message, but only for all unparsable
> > messages. It's in your languages.conf file, the line that
> > starts "CantAnalyze".
> >
> > However, I agree that it should be separate from that error
> > message. The
> > fix will be in the next release, but attached are patches to
> > Message.pm,
> > MessageBatch.pm and languages.conf (English only right now) which will
> > implement it.
> >

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From james.ogley at PINNACLE.CO.UK Wed Dec 10 11:25:34 2003
From: james.ogley at PINNACLE.CO.UK (James Ogley)
Date: Thu Jan 12 21:21:29 2006
Subject: could not analyze/too many attachments
In-Reply-To: <6.0.1.1.2.20031210110312.08f21b78@imap.ecs.soton.ac.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3C5@jessica.herefordshire.gov.uk> <6.0.1.1.2.20031210110312.08f21b78@imap.ecs.soton.ac.uk>
Message-ID: <1071055533.5589.28.camel@jogley.pinnacle.co.uk>

> If you don't like it, change it.
> Read languages.conf and you will see there is a "NoticeSubject" entry in there.

> >I've had a quick peek at the report files and it seems that there is no
> >clear delineation between viruses and other blocked attachments. Am I
> >missing something obvious here?

That's not what he was asking, the point he was making was that there isn't a delineation between virii and other reasons for blocking messages, and he's right.

When it's a virus, yes, you want the Subject to read "Virus blah blah"

When it's a video, you want it to read "Video blah blah", when it's a large file, you want "Large file blah" etc etc...

--
James Ogley, Unix Systems Administrator, Pinnacle Insurance Plc
Work: james.ogley@pinnacle.co.uk www.pinnacle.co.uk +44 (0) 20 8731 3619
Personal: james@rubberturnip.org.uk www.rubberturnip.org.uk
Updated GNOME RPMs for SuSE Linux: www.usr-local-bin.org

***********************************************************************

CONFIDENTIALITY. This e-mail and any attachments are confidential and may also be privileged. If you are not the named recipient, please notify the sender immediately and do not disclose the contents to another person, use it for any purpose, or store or copy the information in any medium. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Pinnacle Insurance Plc. If you have received this e-mail in error please immediately notify our Helpdesk on +44 (0) 20 8207 9555.

This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. www.mimesweeper.com

**********************************************************************

From dh at UPTIME.AT Wed Dec 10 11:23:59 2003
From: dh at UPTIME.AT (David H.)
Date: Thu Jan 12 21:21:29 2006
Subject: Translation request (German)
In-Reply-To:
References:
Message-ID: <3FD7024F.4090204@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Kevin Anderson wrote:

> Zu viele Anhänge in e-mail.
>
Don't get me wrong Kevin but that is awfully bad german *winks* Something like:

Zu hohe Anzahl an Anhängen

or

Eine zu hohe Anzahl an Attachments wurde gefunden

make a lot more sense. Translating into german in a literal approach often yields a bad result as you sure know :)

- -d

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/1wJPPMoaMn4kKR4RA5YcAJ9yJQx8Ly3clVzj+VZpr2lSsXAWkACghK8N
XlIzArI7P3pSHIRifX19iQM=
=Nsil
-----END PGP SIGNATURE-----

From dh at UPTIME.AT Wed Dec 10 11:26:11 2003
From: dh at UPTIME.AT (David H.)
Date: Thu Jan 12 21:21:29 2006
Subject: Translation request (German)
In-Reply-To: <3FD7024F.4090204@uptime.at>
References: <3FD7024F.4090204@uptime.at>
Message-ID: <3FD702D3.40600@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

David H. wrote:

Ok, please overlook my blunt mistakes. Geezes I cannot type nor spell today.

- -d
- -
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/1wLTPMoaMn4kKR4RA24DAJ4hDKPWyegV7Ho3vHA54OBIoa1tvgCbBe73
dYVRWHjCruigmZTXj6IYGOI=
=fHn9
-----END PGP SIGNATURE-----

From mailscanner at ecs.soton.ac.uk Wed Dec 10 11:35:34 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:29 2006
Subject: Translation request (German)
In-Reply-To: <3FD7024F.4090204@uptime.at>
References: <3FD7024F.4090204@uptime.at>
Message-ID: <6.0.1.1.2.20031210113501.03826f68@imap.ecs.soton.ac.uk>

Can we have some agreement on this please? Suggesting 2 or 3 alternatives doesn't help when I don't know what any of them say...

At 11:23 10/12/2003, you wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: RIPEMD160
>
>Kevin Anderson wrote:
>
>>Zu viele Anhänge in e-mail.
>Don't get me wrong Kevin but that is awfully bad german *winks* Something
>like:
>
>Zu hohe Anzahl an Anhängen
>
>or
>
>Eine zu hohe Anzahl an Attachments wurde gefunden
>
>make a lot more sense. Translating into german in a literal approach often
>yields a bad result as you sure know :)
>
>- -d
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.2.3 (Darwin)
>
>iD8DBQE/1wJPPMoaMn4kKR4RA5YcAJ9yJQx8Ly3clVzj+VZpr2lSsXAWkACghK8N
>XlIzArI7P3pSHIRifX19iQM=
>=Nsil
>-----END PGP SIGNATURE-----
>

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Dec 10 11:34:40 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:29 2006 Subject: could not analyze/too many attachments In-Reply-To: <1071055533.5589.28.camel@jogley.pinnacle.co.uk> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3C5@jessica.herefordshire.gov.uk> <6.0.1.1.2.20031210110312.08f21b78@imap.ecs.soton.ac.uk> <1071055533.5589.28.camel@jogley.pinnacle.co.uk> Message-ID: <6.0.1.1.2.20031210113145.08eb9b40@imap.ecs.soton.ac.uk> At 11:25 10/12/2003, you wrote: > > If you don't like it, change it. > > Read languages.conf and you will see there is a "NoticeSubject" entry > in there. > > >I've had a quick peek at the report files and it seems that there is no > > >clear delineation between viruses and other blocked attachments. Am I > > >missing something obvious here? > >That's not what he was asking, the point he was making was that there >isn't a delineation between virii and other reasons for blocking >messages, and he's right. > >When it's a virus, yes, you want the Subject to read "Virus blah blah" > >When it's a video, you want it to read "Video blah blah", when it's a >large file, you want "Large file blah" etc etc... I never intended anyone to actually read every notice. I intentionally kept the subject the same so that it was easy to automatically filter into a mailbox from which you could gather statistics from time to time. The Administrator Notices were never intended to be read by a customer. If you want to read every notice by hand, you should probably get out more :o) If you want to separate the notices into different types, why not just filter on the contents of the message? -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From prandal at HEREFORDSHIRE.GOV.UK Wed Dec 10 11:44:57 2003 
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:21:29 2006 Subject: could not analyze/too many attachments Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3C7@jessica.herefordshire.gov.uk> Thanks Julian, I'll take a look at the option of filtering. In the meantime, I've changed the text to: NoticeSubject = Warning: E-mail viruses or illegal attachments detected and NoticeHeading = The following e-mail messages were found to have viruses or illegal attachments in them Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: 10 December 2003 11:35 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: could not analyze/too many attachments > > > At 11:25 10/12/2003, you wrote: > > > If you don't like it, change it. > > > Read languages.conf and you will see there is a > "NoticeSubject" entry > > in there. > > > >I've had a quick peek at the report files and it seems > that there is no > > > >clear delineation between viruses and other blocked > attachments. Am I > > > >missing something obvious here? > > > >That's not what he was asking, the point he was making was that there > >isn't a delineation between virii and other reasons for blocking > >messages, and he's right. > > > >When it's a virus, yes, you want the Subject to read "Virus > blah blah" > > > >When it's a video, you want it to read "Video blah blah", when it's a > >large file, you want "Large file blah" etc etc... > > I never intended anyone to actually read every notice. I > intentionally kept > the subject the same so that it was easy to automatically > filter into a > mailbox from which you could gather statistics from time to time. The > Administrator Notices were never intended to be read by a > customer. If you > want to read every notice by hand, you should probably get > out more :o) > > If you want to separate the notices into different types, why not just > filter on the contents of the message? > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From andersjk at SOL-INVICTUS.ORG Wed Dec 10 11:55:35 2003 
From: andersjk at SOL-INVICTUS.ORG (Kevin Anderson) Date: Thu Jan 12 21:21:29 2006 Subject: Translation request (German) In-Reply-To: <6.0.1.1.2.20031210113501.03826f68@imap.ecs.soton.ac.uk> Message-ID: well, being Canadian... and just wanting to help... Zu viele Anhänge in e-mail wurde gefunden. is ok... On Wed, 10 Dec 2003, Julian Field wrote: > Can we have some agreement on this please? Suggesting 2 or 3 alternatives > doesn't help when I don't know what any of them say... > > At 11:23 10/12/2003, you wrote: > >-----BEGIN PGP SIGNED MESSAGE----- > >Hash: RIPEMD160 > > > >Kevin Anderson wrote: > > > >>Zu viele Anhänge in e-mail. > >Don't get me wrong Kevin but that is awfully bad German *winks* Something > >like: > > > >Zu hohe Anzahl an Anhängen > > > >or > > > >Eine zu hohe Anzahl an Attachments wurde gefunden > > > >make a lot more sense. Translating into German in a literal approach often > >yields a bad result as you sure know :) > > > >- -d > > > >-----BEGIN PGP SIGNATURE----- > >Version: GnuPG v1.2.3 (Darwin) > > > >iD8DBQE/1wJPPMoaMn4kKR4RA5YcAJ9yJQx8Ly3clVzj+VZpr2lSsXAWkACghK8N > >XlIzArI7P3pSHIRifX19iQM= > >=Nsil > >-----END PGP SIGNATURE----- > > > > -- @ _____________________________________________ chaos, panic and disorder... my job is done... From henker at S-H-COM.DE Wed Dec 10 11:52:45 2003 
From: henker at S-H-COM.DE (Steffan Henke) Date: Thu Jan 12 21:21:29 2006 Subject: Translation request (German) In-Reply-To: <6.0.1.1.2.20031210113501.03826f68@imap.ecs.soton.ac.uk> References: <3FD7024F.4090204@uptime.at> <6.0.1.1.2.20031210113501.03826f68@imap.ecs.soton.ac.uk> Message-ID: On Wed, 10 Dec 2003, Julian Field wrote: > Can we have some agreement on this please? Suggesting 2 or 3 alternatives > doesn't help when I don't know what any of them say... Uh, sorry, I read your request yesterday and thought I'd better reply off-list, but didn't because I was thinking somebody sure sent you a pm already. Maybe it's time for an alias like languages@ to avoid language discussions/suggestions on the list? I hope, no one is bothered by this one. > >Kevin Anderson wrote: > > > >>Zu viele Anhänge in e-mail. Personally, I would write something like "Zu viele Anhänge in der Email." > >Don't get me wrong Kevin but that is awfully bad German *winks* Something > >like: > >Zu hohe Anzahl an Anhängen > >or > >Eine zu hohe Anzahl an Attachments wurde gefunden These are *very* formal from my POV, but of course correct. Regards, Steffan From Uwe.Krause at FEP.FHG.DE Wed Dec 10 12:00:56 2003 From: Uwe.Krause at FEP.FHG.DE (Krause, Uwe) Date: Thu Jan 12 21:21:29 2006 Subject: Translation request (German) Message-ID: <8DDE8CA53DC5F24DA4B7D074DDE8109F21CAF9@midgard.fep.fhg.de> Es wurden zu viele Anhänge in der e-mail gefunden. Ciao from Germany :-) Uwe From mailscanner at ecs.soton.ac.uk Wed Dec 10 12:18:05 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:29 2006 Subject: Translation request (German) In-Reply-To: <8DDE8CA53DC5F24DA4B7D074DDE8109F21CAF9@midgard.fep.fhg.de> References: <8DDE8CA53DC5F24DA4B7D074DDE8109F21CAF9@midgard.fep.fhg.de> Message-ID: <6.0.1.1.2.20031210121305.08e8c438@imap.ecs.soton.ac.uk> 1) Es wurden zu viele Anhänge in der e-mail gefunden 2) Zu viele Anhänge in e-mail wurde gefunden 3) Zu viele Anhänge in e-mail 4) Zu viele Anhänge in der Email 5) Zu hohe Anzahl an Anhängen 6) Eine zu hohe Anzahl an Attachments wurde gefunden Votes for the above please. By number. Only native German speakers please. If you didn't learn "gaah gaah" in German before the age of 1 then please don't vote. And I thought the Spanish could never agree on anything... ;-) -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From dh at UPTIME.AT Wed Dec 10 12:25:03 2003 
From: dh at UPTIME.AT (David H.) Date: Thu Jan 12 21:21:29 2006 Subject: Translation request (German) In-Reply-To: <6.0.1.1.2.20031210121305.08e8c438@imap.ecs.soton.ac.uk> References: <8DDE8CA53DC5F24DA4B7D074DDE8109F21CAF9@midgard.fep.fhg.de> <6.0.1.1.2.20031210121305.08e8c438@imap.ecs.soton.ac.uk> Message-ID: <3FD7109F.4030505@uptime.at> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Julian Field wrote: > 1) Es wurden zu viele Anhänge in der e-mail gefunden > 2) Zu viele Anhänge in e-mail wurde gefunden > 3) Zu viele Anhänge in e-mail > 4) Zu viele Anhänge in der Email > 5) Zu hohe Anzahl an Anhängen > 6) Eine zu hohe Anzahl an Attachments wurde gefunden > I may complicate this even further? I just looked it up and in this special case one apparently has to write "Zuviele" not "Zu viele" I vote for 6 though since it is the most formal and anyone from 10 to 60 will understand it properly - -d -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (Darwin) iD8DBQE/1xCkPMoaMn4kKR4RA7b0AKCX2quz/1sa4ffpaEU1JJ7bmLHntgCeKUSn XuQ9ylTQt9qYfOK+vuEKiA8= =AeS0 -----END PGP SIGNATURE----- From Heinz.Knutzen at DZSH.DE Wed Dec 10 12:24:03 2003 
From: Heinz.Knutzen at DZSH.DE (Knutzen, Heinz (DZ-SH)) Date: Thu Jan 12 21:21:29 2006 Subject: AW: Translation request (German) Message-ID: I vote for (4) Best regards -- Heinz -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Wednesday, 10 December 2003 13:18 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Translation request (German) 1) Es wurden zu viele Anhänge in der e-mail gefunden 2) Zu viele Anhänge in e-mail wurde gefunden 3) Zu viele Anhänge in e-mail 4) Zu viele Anhänge in der Email 5) Zu hohe Anzahl an Anhängen 6) Eine zu hohe Anzahl an Attachments wurde gefunden Votes for the above please. By number. Only native German speakers please. If you didn't learn "gaah gaah" in German before the age of 1 then please don't vote. And I thought the Spanish could never agree on anything... ;-) -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From henker at S-H-COM.DE Wed Dec 10 12:44:52 2003 
From: henker at S-H-COM.DE (Steffan Henke) Date: Thu Jan 12 21:21:29 2006 Subject: Translation request (German) In-Reply-To: <3FD7109F.4030505@uptime.at> References: <8DDE8CA53DC5F24DA4B7D074DDE8109F21CAF9@midgard.fep.fhg.de> <6.0.1.1.2.20031210121305.08e8c438@imap.ecs.soton.ac.uk> <3FD7109F.4030505@uptime.at> Message-ID: On Wed, 10 Dec 2003, David H. wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: RIPEMD160 > > Julian Field wrote: > > > 1) Es wurden zu viele Anhänge in der e-mail gefunden > > 2) Zu viele Anhänge in e-mail wurde gefunden > > 3) Zu viele Anhänge in e-mail > > 4) Zu viele Anhänge in der Email > > 5) Zu hohe Anzahl an Anhängen > > 6) Eine zu hohe Anzahl an Attachments wurde gefunden > > > > I may complicate this even further? > I just looked it up and in this special case one apparently has to write > "Zuviele" not "Zu viele" > I vote for 6 though since it is the most formal and anyone from 10 to 60 > will understand it properly Uh, oh, I was thinking about "zu viele" and "zuviele"... From m.sapsed at BANGOR.AC.UK Wed Dec 10 12:45:25 2003 From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:21:29 2006 Subject: Translation request - Welsh References: <6.0.1.1.2.20031209182323.027bf820@imap.ecs.soton.ac.uk> Message-ID: <3FD71565.4010708@bangor.ac.uk> Julian Field wrote: > Hi all! > > Please can you translate > Too many attachments in message > into all your favourite languages. Gormod o atodiadau yn y neges Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From Uwe.Krause at FEP.FHG.DE Wed Dec 10 12:51:56 2003 From: Uwe.Krause at FEP.FHG.DE (Krause, Uwe) Date: Thu Jan 12 21:21:29 2006 Subject: Translation request (German) Message-ID: <8DDE8CA53DC5F24DA4B7D074DDE8109F21CAFD@midgard.fep.fhg.de> 1 > -----Original Message----- 
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: Wednesday, December 10, 2003 1:18 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Translation request (German) > > > 1) Es wurden zu viele Anhänge in der e-mail gefunden > 2) Zu viele Anhänge in e-mail wurde gefunden > 3) Zu viele Anhänge in e-mail > 4) Zu viele Anhänge in der Email > 5) Zu hohe Anzahl an Anhängen > 6) Eine zu hohe Anzahl an Attachments wurde gefunden > > Votes for the above please. By number. > > Only native German speakers please. If you didn't learn "gaah > gaah" in > German before the age of 1 then please don't vote. > > And I thought the Spanish could never agree on anything... ;-) > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From Peter.Bates at LSHTM.AC.UK Wed Dec 10 13:23:59 2003 
From: Peter.Bates at LSHTM.AC.UK (Peter Bates) Date: Thu Jan 12 21:21:29 2006 Subject: Bayesian horrors Message-ID: Hello all... MailScanner, SpamAssassin (2.60) and Postfix 2... I upgraded today using the RPM version to 4.25(14)... after the upgrade/rebuild of this and that, MS started up happily with my old configuration. (One point I'd like to throw in is can we have a switch to 'install.sh' to build MailScanner and friends, but not necessarily kick it into place?) While I worked on upgrading my configuration to add in the new bits, etc. I noticed the queues building up... Eventually, tracking down a load of 'bayes.lock' files in /var/spool/spamassassin, I gathered that all was not well in the world of Bayes. I quickly uncommented the 'use_bayes 0' in the default spam.assassin.prefs.conf, and things flowed happily. Looking at the new configuration, I see: SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin So, I have a few problems. Firstly, is it possible my Bayes DB is corrupt, and if so, what do I do? Does SA use this 'User State Dir' to look for the Bayes DBs, or is that tied to the 'bayes_path' setting in spam.assassin.prefs.conf? And finally, should I upgrade to SA 2.61 anyway? Any advice would be appreciated! ---------------------------------------------------------------------------------------------------> Peter Bates, Systems Support Officer, Network Support Team. London School of Hygiene & Tropical Medicine. Telephone:0207-958 8353 / Fax: 0207- 636 9838 From shrek-m at GMX.DE Wed Dec 10 13:34:30 2003 
From: shrek-m at GMX.DE (shrek-m@gmx.de) Date: Thu Jan 12 21:21:29 2006 Subject: Translation request (German) In-Reply-To: References: <8DDE8CA53DC5F24DA4B7D074DDE8109F21CAF9@midgard.fep.fhg.de> <6.0.1.1.2.20031210121305.08e8c438@imap.ecs.soton.ac.uk> <3FD7109F.4030505@uptime.at> Message-ID: <3FD720E6.3000005@gmx.de> Steffan Henke wrote: >On Wed, 10 Dec 2003, David H. wrote: > > >>Julian Field wrote: >> >>>1) Es wurden zu viele Anhänge in der e-mail gefunden >>>2) Zu viele Anhänge in e-mail wurde gefunden >>>3) Zu viele Anhänge in e-mail >>>4) Zu viele Anhänge in der Email >>>5) Zu hohe Anzahl an Anhängen >>>6) Eine zu hohe Anzahl an Attachments wurde gefunden >>> >>> >According to David's correction, it should be written as >"Es wurden zuviele Anhänge in der e-mail gefunden." >For simplicity, #4 "Zuviele Anhänge in der Email". > if it should be a complete sentence "1" with the correction "zuviele" if it should be a short report "4" with the correction "Zuviele" -- shrek-m From m.sapsed at bangor.ac.uk Wed Dec 10 13:21:42 2003 From: m.sapsed at bangor.ac.uk (Martin Sapsed) Date: Thu Jan 12 21:21:29 2006 Subject: netiquette Message-ID: <3FD71DE6.3050607@bangor.ac.uk> Hi Julian, Just found this in my Spam folder. Have you had words about the HTML stuff/advertising sig? Martin -------- Original Message -------- Subject: {Spam?} Postfix configuration/efficiency.... Date: Tue, 9 Dec 2003 13:22:30 -0600 
From: "Eric Sandquist" To: Periodically I see reference to setting up MailScanner with a single instance of Postfix, instead of the standard 2 Postfix install described in the instructions. Is there any advantage in doing this? Memory savings? Server load? I need to maximize the efficiency of this machine... Are there any instructions for this type of installation? or for converting from a working standard installation? Are there any drawbacks to this type of installation? Currently, we are running Dual PIII 500, 512Megs Ram... I've worked very hard to get the server load down to about 4.... It has been as high as 10... We are processing about 40,000 mails per day.... I realize that the best solution is a more powerful machine than this, but the client company won't do it (until this one dies).... ------------------------------------------------------------------------ Eric Sandquist Systems Engineer ICQ#: 10274846 Current ICQ status: + More ways to contact me www.ihms.net www.messianicgroups.com www.nazarene.net www.amazinggroups.com www.613commandments.com www.hebrew-roots.com www.netzarim.cc www.momsonthego.us ------------------------------------------------------------------------ Home Business Opportunity!! - Travel, Taxes, Health, and More From mailscanner at ecs.soton.ac.uk Wed Dec 10 13:50:29 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:29 2006 Subject: Bayesian horrors In-Reply-To: References: Message-ID: <6.0.1.1.2.20031210134916.0383d9b8@imap.ecs.soton.ac.uk> At 13:23 10/12/2003, you wrote: >Looking at the new configuration, I see: >SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin That must have been in your previous MailScanner.conf, it is undefined by default. >So, I have a few problems. > >Firstly, is it possible my Bayes DB is corrupt, and if so, what do I >do? sa-learn --rebuilddb (I think. Run sa-learn on its own and it should print its help) >And finally, should I upgrade to SA 2.61 anyway? Yes. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Dec 10 13:47:58 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:29 2006 Subject: Translation request (German) In-Reply-To: <6.0.1.1.2.20031210121305.08e8c438@imap.ecs.soton.ac.uk> References: <8DDE8CA53DC5F24DA4B7D074DDE8109F21CAF9@midgard.fep.fhg.de> <6.0.1.1.2.20031210121305.08e8c438@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20031210134650.08eaab20@imap.ecs.soton.ac.uk> I clearly missed something from the original voting request. This is not some fancy transferrable vote system. You have 1 vote only. If I don't get a clear result I will pick one at random :) At 12:18 10/12/2003, you wrote: >1) Es wurden zu viele Anhänge in der e-mail gefunden >2) Zu viele Anhänge in e-mail wurde gefunden >3) Zu viele Anhänge in e-mail >4) Zu viele Anhänge in der Email >5) Zu hohe Anzahl an Anhängen >6) Eine zu hohe Anzahl an Attachments wurde gefunden > >Votes for the above please. By number. > >Only native German speakers please. If you didn't learn "gaah gaah" in >German before the age of 1 then please don't vote. > >And I thought the Spanish could never agree on anything... ;-) >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From ugob at CAMO-ROUTE.COM Wed Dec 10 14:33:37 2003 
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:21:29 2006 Subject: Skipping queue run -- load average too high Message-ID: <54C38A0B814C8E438EF73FC76F3629273132BF@mtlnt501fs.CAMOROUTE.COM>
> -----Original Message-----
> From: Harry Hanson [mailto:harryh@CET.COM]
> Sent: Wednesday, December 10, 2003 12:47 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Skipping queue run -- load average too high
>
> > > -----Original Message-----
> > > From: Harry Hanson [mailto:harryh@CET.COM]
> > > Sent: Tuesday, December 09, 2003 9:17 PM
> > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > Subject: Re: Skipping queue run -- load average too high
> > >
> > > Dual 1.6 xeon, 1gb memory, 10k rpm u320 scsi drives in raid0 config, 1gb ram.
> >
> > What is your daily mail volume?
>
> Here's an example from midnight to current time:
>
> Log starts at Dec 9 00 00:01 and ends at Dec 9 21 41:42
>
> Total bytes transferred: 1496649
> Total bytes In: 0
> Messages Out: 33742
> Messages In: 0
>
> Messages per hour (each dot is 181 messages)
> ________________
>  0:  827 ....
>  1:  838 ....
>  2:  745 ....
>  3:  793 ....
>  4:  778 ....
>  5:  804 ....
>  6:  805 ....
>  7:  856 ....
>  8:  781 ....
>  9:  839 ....
> 10:  748 ....
> 11:  871 ....
> 12:  799 ....
> 13:  778 ....
> 14:  823 ....
> 15: 9056 ..................................................
> 16: 6625 ....................................
> 17: 1462 ........
> 18: 1478 ........
> 19: 1383 .......
> 20: 1364 .......
> 21: 1056 .....
> 22:    0
> 23:    0
>
> > > Freebsd 5.1
> > >
> > > It would seem to me either an I/O issue, as the cpu rarely exceeds 5% usage, or perhaps I have something set too low?
> >
> > If you've got vmstat on freebsd, use it... type vmstat 1.
> >
> > this will tell you if you have processes waiting for I/O. (see man vmstat)
>
> My apologies; I am rather a newbie with freebsd; this is my first. Here's a current snapshot (tho I have to read the man page more; it scrolls continually and not sure how to interpret the output):

You have to stop it with ctrl-c. To interpret the output, see the manpage for vmstat. The first column I check is usually the second one (b). And in your case, it seems ok, because it is 0 or 1 (there is one or zero process waiting for I/O). I don't have a freebsd box here, so I can't interpret everything.

>
>  procs        memory   page                    disks faults           cpu
>  r b w    avm    fre   flt re pi po    fr sr aa0 aa1  in sy   cs us sy id
>  0 0 0 224380 314004 11724  0  0  0 10377  0  17   0 533  0 2964 34 28 38
>  0 1 0 224896 313344   147  0  0  0    41  0   3  57 688  0 1570  2 11 87
>  0 0 1 221424 315056    48  0  0  0   469  0   0   5 445  0  595  0  4 96
>  0 1 1 224296 313860   331  0  0  0    80  0   0  26 553  0  927  1  5 94
>  0 0 1 224332 313400   124  0  0  0    43  0   0  32 626  0 1106  1  5 94
>  0 0 1 226080 312884  5447  0  0  0  4632  0   8  32 660  0 1577 16 13 71
>  0 0 1 222444 314720   178  0  0  0   685  0   0  56 714  0 1401  1  8 91
>  0 0 1 222940 314612   292  0  0  0   305  0   0  30 492  0  782  0  4 96
>  0 0 1 223712 314196   113  0  0  0    13  0   0   0 404  0  488  0  4 96
>  0 0 3 233728 311680  5302  0  0  0  4153  0  10   0 490  0  981  9 15 76
>  0 0 1 220824 315280  3880  0  0  0  4300  0   2   0 593  0 1151 14 10 76
>  0 0 1 219360 315836   266  0  0  0   436  0   0  24 553  0  929  1  4 95
>  0 2 1 220908 315104   468  0  0  0   315  0   0   7 607  0 1027  1  7 92
>  0 0 1 219352 316120   256  0  0  0   557  0   0  43 602  0 1086  1  5 94
>  0 1 2 224964 313308  6070  0  0  0  4839  0  20   9 518  0 1083 11 16 72
>  0 0 0 221508 315068  3038  0  0  0  3045  0   0  17 641  0 1304 16  8 76
>  0 0 0 221552 315000   135  0  0  0   130  0   0  11 496  0  744  0  6 94
>  0 0 0 220272 315616   117  0  0  0   303  0  11  36 540  0  914  1  4 95
>  0 0 0 220264 315652   362  0  0  0   387  0   0   9 517  0  777  1  4 95
>  0 1 1 223036 314032  4288  0  0  0  3483  0  12  19 567  0 1294 11 13 76
>  0 0 0 218800 316340  2958  0  0  0  3155  0   0  57 797  0 3355 13 18 69
>  0 0 0 215380 318212   488  0  0  0   971  0   0   9 540  0  855  0  7 92
>  procs        memory   page                    disks faults           cpu
>
From Janssen at RZ.UNI-FRANKFURT.DE Wed Dec 10 14:39:15 2003 From: Janssen at RZ.UNI-FRANKFURT.DE (Michael Janssen) Date: Thu Jan 12 21:21:29 2006 Subject: Translation request (German) In-Reply-To: <6.0.1.1.2.20031210121305.08e8c438@imap.ecs.soton.ac.uk> References: <8DDE8CA53DC5F24DA4B7D074DDE8109F21CAF9@midgard.fep.fhg.de> <6.0.1.1.2.20031210121305.08e8c438@imap.ecs.soton.ac.uk> Message-ID: On Wed, 10 Dec 2003, Julian Field wrote: > 1) Es wurden zu viele Anhänge in der e-mail gefunden > 2) Zu viele Anhänge in e-mail wurde gefunden > 3) Zu viele Anhänge in e-mail > 4) Zu viele Anhänge in der Email > 5) Zu hohe Anzahl an Anhängen > 6) Eine zu hohe Anzahl an Attachments wurde gefunden > > Votes for the above please. By number. 4) The spelling of "Email" is another problem. "Email" seems actually preferred in reports/de but "Email" (beside e-mail and e-Mail) was a German word long before the net has occurred: enamel ("gloss paint on metal"). Therefore correct spelling (as suggested by e.g. http://dict.leo.org/?p=lURE.&search=e-mail) is E-Mail (which is not easy to type, so people type something like e-Mail, eMail, e-mail (plain good English) or Email) The good thing is, Email in the sense of enamel isn't used a lot and especially not with computers ;-) People who cook might have trouble. Michael PS: google and dict.leo.org want "zu viele" in two words. > > Only native German speakers please. If you didn't learn "gaah gaah" in > German before the age of 1 then please don't vote. > > And I thought the Spanish could never agree on anything... ;-) > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From Uwe.Krause at FEP.FHG.DE Wed Dec 10 13:58:12 2003 
From: Uwe.Krause at FEP.FHG.DE (Krause, Uwe) Date: Thu Jan 12 21:21:29 2006 Subject: Translation request (German) Message-ID: <8DDE8CA53DC5F24DA4B7D074DDE8109F21CAFF@midgard.fep.fhg.de> Hello, > if it should be a complete sentence > "1" with the correction "zuviele" I just had to look it up in the Duden, but under the new German spelling rules "zuviel" is written as two words :-). > if it should be a short report > "4" with the correction "Zuviele" > > -- > shrek-m Bye, Uwe From m.sapsed at bangor.ac.uk Wed Dec 10 14:35:18 2003 From: m.sapsed at bangor.ac.uk (Martin Sapsed) Date: Thu Jan 12 21:21:29 2006 Subject: netiquette References: <3FD71DE6.3050607@bangor.ac.uk> <6.0.1.1.2.20031210134042.0901dcf0@imap.ecs.soton.ac.uk> Message-ID: <3FD72F26.6010604@bangor.ac.uk> Julian Field wrote: > No, I haven't. I'm not sure it's necessarily worth the bother. If the > silly bloke winds up in your spam folder, I would leave him there. Yeah - fair point. > But feel free to drop him a line asking him to remove all the commercial > stuff from his sig just in case he doesn't realise he is getting > filtered out by people. I guess he might say something useful... :-) He might also realise that no-one's replying to his messages... Noticed you getting a bit ratty yesterday/today - chill man! Have a beer! Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From KCollins at NESBITTENGINEERING.COM Wed Dec 10 14:45:55 2003 
From: KCollins at NESBITTENGINEERING.COM (Collins, Kevin) Date: Thu Jan 12 21:21:29 2006 Subject: Slackware 9.1, Postfix, and MailScanner Message-ID: <2B1F39EA56FA7643A328F66521D41B760EAC@magellan.nesbitt.local> > I am no expert - but it looks like you are sending mail from > the local machine - mailscanner won't be scanning this mail - > get a mail client on another machine, make the outbound SMTP > addy your mailscanner machine and send your new mail - have a > tail -f /var/yourlogfilepath console running to watch what happens. Thanks for replying. Yes you're right, I was sending from the local machine. I was not aware that MailScanner wouldn't scan e-mails when delivered this way - you live and learn. So I set up a machine on my LAN that uses "Freedom" (my new MS Box) as an SMTP host, and I've been able to verify that MailScanner is actually working. Thanks for your help. Kevin From KCollins at NESBITTENGINEERING.COM Wed Dec 10 14:47:27 2003 From: KCollins at NESBITTENGINEERING.COM (Collins, Kevin) Date: Thu Jan 12 21:21:29 2006 Subject: Slackware 9.1, Postfix, and MailScanner Message-ID: <2B1F39EA56FA7643A328F66521D41B760EAD@magellan.nesbitt.local> > > > >If there are additional pieces of information needed, just > let me know. > >I'll pass that along as I can. > > Post *both* of your main.cf files. You should have one in > /etc/postfix.in and /etc/postfix. Please label as to which > is which. (Nothing personal, just experience... :) > > --J(K) > Jason, I actually was sending e-mail from the MailScanner machine itself and that's what was throwing me off. Another poster "Pete" pointed this out to me. Thanks for the reply and the willingness to help. Kevin From john at TRADOC.FR Wed Dec 10 15:49:05 2003 
From: john at TRADOC.FR (John Wilcock) Date: Thu Jan 12 21:21:29 2006 Subject: Skipped; still being delivered - even in 4.25 In-Reply-To: References: <6.0.1.1.2.20031120103306.03ba1df8@imap.ecs.soton.ac.uk> Message-ID: On Thu, 20 Nov 2003 11:47:08 +0100, John Wilcock wrote: > On Thu, 20 Nov 2003 10:33:32 +0000, Julian Field wrote: > > On what version of what OS? > > RedHat 9 with all the latest up2date patches. > > > Does your latest ChangeLog mention Postfix fix for Solaris? > > Assuming you mean the MailScanner ChangeLog, then no, no mention of a > postfix fix for Solaris. Just spotted three more occurrences of this, after two weeks with not a single case. I'm now on MS 4.25-14 (i.e. with the postfix fix "for Solaris") and Postfix 2.0.16-7, still on RH9 for i386. Any more ideas, Julian? (not that the problem bothers me much - I'd rather have the occasional mail twice than not at all - but there must be something slightly amiss). Any other postfix users out there still seeing this? John. -- -- Over 2000 webcams from ski resorts around the world - www.snoweye.com -- Translate your technical documents and web pages - www.tradoc.fr From gdoris at rogers.com Wed Dec 10 16:28:39 2003 
From: gdoris at rogers.com (Gerry Doris) Date: Thu Jan 12 21:21:29 2006 Subject: New SpamAssassin - Big Jump in CPU Utilization Message-ID: <50188.129.80.22.143.1071073719.squirrel@tiger.dorfam.ca> Last night I upgraded SpamAssassin from 2.60 to the latest 2.61. I noticed that Razor2 didn't appear to be running so I did a discover command which seemed to get it working again. Other than that all seemed to be working as advertised. I just noticed that the box's CPU utilization has jumped from around 5% to more than 50% on average and as high as 90% at peaks (thanks to graphs from mailscanner-mrtg). The increase started at exactly the same time I performed the SpamAssassin upgrade. Other than the increase in utilization everything still seems to be working correctly. Has anyone else noticed anything like this? Gerry From Wilfred.Bolten at TOMMY-EUROPE.COM Wed Dec 10 16:21:16 2003 
From: Wilfred.Bolten at TOMMY-EUROPE.COM (Wilfred Bolten) Date: Thu Jan 12 21:21:29 2006 Subject: MailScanner installation problems Message-ID: <022DE3728F924649909E989B955E68F8040A58@NLDAMS0139.Tommy-Europe.com> Hi, I haven't done an awful lot with Linux before so this is probably the reason why I am having problems with the installation of the MailScanner. I have Linux Suse 9 with Sendmail running. I can send emails through my Exchange organization to this Sendmail box and deliver them to the remote hosts. Also incoming email works fine. So I am pretty sure the SendMail part is working. To add virus scanning and anti-SPAM measurements I want to add MailScanner to sendmail. For this I have downloaded MailScanner-4.25-14.suse.tar and performed the steps described on http://www.sng.ecs.soton.ac.uk/MailScanner/Install but I am not getting the response I am expecting from the system. I ran the tar xvf MailScanner-4.25-14.suse.tar and I got the directories and files listed as it should. The bit about the TNEF I don't really understand. Can somebody help me out here? For the rest I followed the steps to change the lines that are needed to start sendmail but again, what is described on the website is different from my information. This bit on the website does not make any sense to me: http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml

Currently, your copy of sendmail will be started by a script such as /etc/init.d/mail or /etc/rc.d/init.d/sendmail. Somewhere in this script will be the command to start sendmail itself. This should look like this:

    sendmail -bd -q15m

You should change this to the following two lines:

    sendmail -bd -OPrivacyOptions=noetrn -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in
    sendmail -q15m

I don't have the line sendmail -bd -q15m but have:

    # Description: Start the Sendmail MTA
    ### END INIT INFO
    test -s /etc/sysconfig/mail && \
        . /etc/sysconfig/mail
    test -s /etc/sysconfig/sendmail && \
        . /etc/sysconfig/sendmail
    if test -z "$SENDMAIL_ARGS" ; then
        SENDMAIL_ARGS="-L sendmail -Am -bd -q15m -om"
    fi
    if test -z "$SENDMAIL_CLIENT_ARGS" ; then
        SENDMAIL_CLIENT_ARGS="-L sendmail-client -Ac -qp30m"
    fi
    if test "$SMTPD_LISTEN_REMOTE" != "yes" ; then
        SENDMAIL_ARGS="-O DaemonPortOptions=Addr=127.0.0.1 $SENDMAIL_ARGS"
    fi
    msppid=/var/spool/clientmqueue/sm-client.pid
    srvpid=/var/run/sendmail.pid

What do I need to change now? Many thanks Wilfred ******************************************************* Confidentiality: This e-mail and its attachments are intended for the above named only and may be confidential. If they have come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please reply to this e-mail and highlight the error. Security Warning: Please note that this e-mail has been created in the knowledge that Internet e-mail is not a 100% secure communications medium. We advise that you understand and observe this lack of security when e-mailing us. Viruses: Although we have taken steps to ensure that this e-mail and attachments are free from any virus. We advise that in keeping with good computing practice the recipient should ensure they are actually virus free. From m.sapsed at bangor.ac.uk Wed Dec 10 16:53:42 2003 
From: m.sapsed at bangor.ac.uk (Martin Sapsed) Date: Thu Jan 12 21:21:29 2006 Subject: netiquette References: <3FD71DE6.3050607@bangor.ac.uk> <6.0.1.1.2.20031210134042.0901dcf0@imap.ecs.soton.ac.uk> <3FD72F26.6010604@bangor.ac.uk> <6.0.1.1.2.20031210164108.08f6fa98@imap.ecs.soton.ac.uk> Message-ID: <3FD74F96.5010309@bangor.ac.uk> Julian Field wrote: > At 14:35 10/12/2003, you wrote: > >> Noticed you getting a bit ratty yesterday/today - chill man! Have a beer! > > Thanks for telling me, you are quite right. Been living on painkillers, > tends to make me very dopey. It's nasty stuff called "oxycodone" which > is the same strength as morphine. Real painkillers, not Smarties :-) I should have added that it was mostly justified. Too many people who can't be bothered to Read The Friendly Manual or search the archives. The painkillers sound heavy - this recent or a long term thing? Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From Kevin_Miller at CI.JUNEAU.AK.US Wed Dec 10 17:14:02 2003 From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:21:29 2006 Subject: MailScanner installation problems Message-ID: <08146035CA49D6119A36009027AC822A0264EB4C@CITY-EXCH-NTS> >-----Original Message----- 
>From: Wilfred Bolten [mailto:Wilfred.Bolten@TOMMY-EUROPE.COM] >Sent: Wednesday, December 10, 2003 7:21 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: MailScanner installation problems > > >Hi, > >I haven't done a awfull lot with Linux before so this is probably the >reason why I am having problems with the installation of the >MailScanner. > >I have Linux Suse 9 with Sendmail running. I can send emails through my >Exchange organization to this Senmail box and deliver them to >the remote >hosts. Also incoming email works fine. So I am pretty sure the SendMail >part if working. > >To add virus scanning and anti-SPAM measurements I want to add >MailScanner to sendmail. > >For this I have downloaded MailScanner-4.25-14.suse.tar and performed >the steps described on >http://www.sng.ecs.soton.ac.uk/MailScanner/Install but I am not getting >the response I am expecting from the system > >I ran the tar xvf MailScanner-4.25-14.suse.tar and I got the >directories >and files listed as it should. > >The bit about the TNEF I don't really understand. Can somebody help me >out here? > >For the rest I followed the steps to change the lines that are >needed to >start sendmail but again. What is described on the website is different >from my information. > >This bit on the website does not make any sense to me >http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml > >Currently, your copy of sendmail will be started by a script such as >/etc/init.d/mail or /etc/rc.d/init.d/sendmail. Somewhere in this script >will be the command to start sendmail itself. This should look like >this: > > sendmail -bd -q15m >You should change this to the following two lines: > sendmail -bd -OPrivacyOptions=noetrn -ODeliveryMode=queueonly >-OQueueDirectory=/var/spool/mqueue.in > sendmail -q15m > >I don't have the line > sendmail -bd -q15m > >But have ># Description: Start the Sendmail MTA >### END INIT INFO > >test -s /etc/sysconfig/mail && \ >. 
/etc/sysconfig/mail > >test -s /etc/sysconfig/sendmail && \ >. /etc/sysconfig/sendmail > >if test -z "$SENDMAIL_ARGS" ; then >SENDMAIL_ARGS="-L sendmail -Am -bd -q15m -om" >fi >if test -z "$SENDMAIL_CLIENT_ARGS" ; then >SENDMAIL_CLIENT_ARGS="-L sendmail-client -Ac -qp30m" >fi >if test "$SMTPD_LISTEN_REMOTE" != "yes" ; then >SENDMAIL_ARGS="-O DaemonPortOptions=Addr=127.0.0.1 $SENDMAIL_ARGS" >fi >msppid=/var/spool/clientmqueue/sm-client.pid >srvpid=/var/run/sendmail.pid > >What do I need to change now? > >Many thanks >Wilfred Don't worry about the missing sendmail line in the /etc/init.d/sendmail script. The proper parameters are set in /etc/sysconfig/MailScanner, or in the /etc/init.d/MailScanner script. Make sure that in /etc/sysconfig/MailScanner that you have the proper MTA selected - it's the first couple of lines. By default it's Postfix; I had to comment that out and uncomment sendmail. Just go to the command line and enter: chkconfig sendmail off which will insure that sendmail doesn't start on it's own. When you're happy that everything is working fine, enter chkconfig MailScanner on to enable it to start automatically at boot. To control it, use rcMailScanner [stop, start, reload, etc.] Redhat nomenclature would be "service MailScanner [stop, start...]" so if you see that in the docs or elsewhere just mentally substitute the rcSCRIPTNAME verbage instead. FWIW, that works for all the scripts so you can say rcsendmail as well. You may have already done it, but in /etc/sysconfig/mail you want to set the following: MAIL_CREATE_CONFIG="no" SMTPD_LISTEN_REMOTE="yes" The first turns keeps SuSEConfig from clobbering your customizations, and the second tells sendmail to accept mail from other hosts. By default it will only accept mail from itself. SuSE seems to have changed things around a bit in sendmail. 
If you want to alter your /etc/sendmail.cf file, edit the linux.mc file in /etc/mail then do the m4 magic that turns all the various .mc files into the sendmail.cf file. I forget the syntax off the top of my head. I think that outta about cover it. Good luck... ...Kevin ------------------- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From greyhair at GREYHAIR.NET Wed Dec 10 17:32:36 2003 From: greyhair at GREYHAIR.NET (greyhair) Date: Thu Jan 12 21:21:29 2006 Subject: DNS based block lists and the like question. Message-ID: <3FD758B4.5050806@greyhair.net> Hi. If I use a dnsbl like SORBS (www.sorbs.net) in MailScanner, do I also need to set the same dnsbl in sendmail, or any MTA in general? If no, what happens if there is a dnsbl listing in the MTA? Thanks. greyhair From raymond at PROLOCATION.NET Wed Dec 10 17:41:20 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:29 2006 Subject: DNS based block lists and the like question. In-Reply-To: <3FD758B4.5050806@greyhair.net> Message-ID: Hi! > If I use a dnsbl like SORBS (www.sorbs.net) in MailScanner, do I also > need to set the same dnsbl in sendmail, or any MTA in general? If no, > what happens if there is a dnsbl listing in the MTA? If you block in your MTA you wont ever have any use of using the list in MailScanner, since you dont get those mails :) Bye, Raymond. From ugob at CAMO-ROUTE.COM Wed Dec 10 17:44:47 2003 
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:29 2006
Subject: DNS based block lists and the like question.
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE285@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: greyhair [mailto:greyhair@GREYHAIR.NET]
> Sent: Wednesday, December 10, 2003 12:33 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: DNS based block lists and the like question.
>
>
> Hi.
> If I use a dnsbl like SORBS (www.sorbs.net) in MailScanner, do I also
> need to set the same dnsbl in sendmail, or any MTA in general? If no,
> what happens if there is a dnsbl listing in the MTA?
>
> Thanks.
>
> greyhair
>

Block list in MTA: messages are not accepted
Block list in MS: messages are tagged and treated as spam
Block list in SA: messages are given an increased score.

CPU usage grows from MTA to SA, apparently.

From jones at ODENSE.KOLLEGIENET.DK Wed Dec 10 17:49:04 2003
From: jones at ODENSE.KOLLEGIENET.DK (Jonas Bardino)
Date: Thu Jan 12 21:21:30 2006
Subject: DNS based block lists and the like question.
In-Reply-To: <3FD758B4.5050806@greyhair.net>
References: <3FD758B4.5050806@greyhair.net>
Message-ID: <20031210174904.GA2723@bardino.dk>

* greyhair [Dec 10. 2003 18:33]:
> Hi.
> If I use a dnsbl like SORBS (www.sorbs.net) in MailScanner, do I also
> need to set the same dnsbl in sendmail, or any MTA in general? If no,
> what happens if there is a dnsbl listing in the MTA?
>
> Thanks.
>
> greyhair

That depends on what strategy you want to use with respect to rejecting messages. The FAQ at http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/157.html may help you.

Kind regards, Jonas

From jfraley at glenraven.com Wed Dec 10 18:33:41 2003
From: jfraley at glenraven.com (Jon Fraley) Date: Thu Jan 12 21:21:30 2006 Subject: mailscanner Message-ID: <1071081220.2033.30.camel@jfraleyx.glenraven.com> I will be adding MailScanner to a server already running SpamAssassin 2.60 that has been running for awhile now. I am looking for the best way to integrate the two together. I would like to keep using the current config files and directories for SA if possible. Or, is it best to move all our stuff in local.cf to spam.assassin.prefs.conf? This is on a mail gateway so the bayes DB and auto-whitelist are at /home/stopspam/.spamassassin/. I definitely need to keep these as is. Do the setting in MailScanner.conf override what is in local.cf? I have gone through MailScanner.conf and am not sure exactly what needs to be set. Thanks, Jon From m.sapsed at BANGOR.AC.UK Wed Dec 10 18:36:30 2003 
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:21:30 2006
Subject: Internet Explorer URL Display problem
Message-ID: <3FD767AE.2050006@bangor.ac.uk>

Hi all,

I've received this via the UK academic network security team.

--------------
An issue was identified yesterday with Internet Explorer and the way it displays URLs in the address bar.

From the original Bugtraq posting:

"By opening a window using the http://user@domain nomenclature an attacker can hide the real location of the page by including a 0x01 character after the "@" character. Internet Explorer doesn't display the rest of the URL making the page appear to be at a different domain."

Proof of Concept
http://www.zapthedingbat.com/security/ex01/vun1.htm

This is particularly pertinent given the recent spate of emails from fraudulent online banking sites, such as those pretending to be Natwest. This problem makes these types of scams a great deal harder for end users to spot, as it is now possible to have eg www.natwest.com appear in the address bar when the end user is looking at a fraudulent site.

There is as yet no fix from Microsoft for this issue, nor is there a workaround for Internet Explorer. As soon as one becomes available we'll let you know.
-------------

Would I be right in thinking that the only way MailScanner could do anything about this type of thing in an e-mail would be to use MCP or would a simple addition to the SpamAssassin rules do the trick? I guess though if you modify the normal SA rules you might end up marking it as Spam whereas actually, you want to identify it as malicious.

Any thoughts anyone?

Cheers,

Martin

--
Martin Sapsed
Information Services "Who do you say I am?"
University of Wales, Bangor Jesus of Nazareth

From mkettler at EVI-INC.COM Wed Dec 10 19:09:23 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:21:30 2006
Subject: Bayesian horrors
In-Reply-To: References: Message-ID: <6.0.0.22.0.20031210140446.024a0a90@xanadu.evi-inc.com>

At 08:23 AM 12/10/2003, Peter Bates wrote:
>Firstly, is it possible my Bayes DB is corrupt, and if so, what do I
>do?

It's possible.. you can check it by doing a sa-learn -D --rebuild. If that can't successfully do a rebuild, delete the bayes_* files and start over.

>Does SA use this 'User State Dir' to look for the Bayes DBs, or is that
>tied to the 'bayes_path' setting in spam.assassin.prefs.conf?

It's tied to bayes_path. By default, bayes_path is ~/.spamassassin/bayes. Thus, on most MailScanner setups, the bayes DB winds up in root's home dir.

You can force it someplace else, just be sure to RTFM about bayes_path.. it's important to know the last part isn't a directory, it's part of a filename. Thus ~/.spamassassin/bayes causes it to create ~/.spamassassin/bayes_toks, not ~/.spamassassin/bayes/bayes_toks.

>And finally, should I upgrade to SA 2.61 anyway?

If you're using bayes, yes.. the reduced memory footprint during expiry is VERY helpful at preventing SA from killing a server.

From jacques at MONACO.NET Wed Dec 10 19:17:55 2003
From: jacques at MONACO.NET (Jacques Caruso)
Date: Thu Jan 12 21:21:30 2006
Subject: Skipped; still being delivered - even in 4.25
In-Reply-To: References: Message-ID: <200312102017.55502.jacques@monaco.net>

On Wednesday 10 December 2003 16:49, John Wilcock wrote:
> Any other postfix users out there still seeing this?

Yes, indeed: apparently, it's the old "MailScanner picks mail in the wrong queue" bug that persists (have a look at my last message at ).

For the moment, I've just set up a cron job to do a daily restart of MS, so it doesn't die and clog the incoming queue. But that's a real kludge. If someone has an idea about what could be tried to mitigate the problem, I'm interested, too (else, I'll try to research the matter further, but this will have to wait for the moment)...

Greetings,

--
[ Jacques Caruso PHP Developer ]
[ Monaco Internet http://monaco-internet.mc/ ]
[ Tel: (+377) 93 10 00 43 PGP key: 0x41F5C63D ]
[ -*- When the finger points at the moon, the fool looks at the finger -*- ]

From jones at ODENSE.KOLLEGIENET.DK Wed Dec 10 19:28:42 2003
From: jones at ODENSE.KOLLEGIENET.DK (Jonas Bardino) Date: Thu Jan 12 21:21:30 2006 Subject: DoS, locale, spool file and unrar log noise In-Reply-To: <20031208195439.GI1461@bardino.dk> References: <20031208195439.GI1461@bardino.dk> Message-ID: <20031210192842.GB2723@bardino.dk> * Jonas Bardino [Dec 08. 2003 21:06]: > Hi! Hate to reply to my own mail, but we got a bit closer to the solution. --- cut: server specs --- > We keep getting a few DoS warnings every day about mails that appear to > be quite harmless: > Dec 7 14:55:10 cindy MailScanner[27894]: Commercial scanner clamav timed out! > Dec 7 14:55:10 cindy MailScanner[27894]: Virus Scanning: Denial Of Service attack detected! > (Btw, the clam developers may not like being called commercial :-) > Unfortunately the attachments aren't quarantined when that happens, so > it's a bit hard to reproduce the problem. Further analysis indicates that the quarantined message did in fact include a RAR file! It just didn't show up as a separate file in the quarantine dir. > According to a google search the default setting related to DoS checks are: > max-files = 500, max-size = 10000 (=10 MB), max-recursion = 5 > We tried increasing the DoS prevention arguments to ClamAV by adding the > following line in /etc/MailScanner/wrapper/clamav-wrapper: > ExtraScanOptions="--max-files=10000 --max-space=100000 --max-recursion=20 $ExtraScanOptions" > But we still see the DoS warnings. > Did anyone find a good way around that, or is it necessary to > completely disable the limits? Manual runs of "clamscan --mbox message" goes on forever unless the internal ClamAV unpacking functions are disabled. Therefore they have now been disabled in MailScanner by adding: ExtraScanOptions="--disable-archive $ExtraScanOptions" to /etc/MailScanner/wrapper/clamav-wrapper. So far it seems to have solved the "DoS warning" problem. Indeed it also removed the "RAR module failure" log entries. So that's one down, three to go. 
I still hope that someone can help with those or point us in the right direction.

Thanks in advance!

Kind regards, Jonas

From chris at FRACTALWEB.COM Wed Dec 10 19:35:55 2003
From: chris at FRACTALWEB.COM (Chris Yuzik)
Date: Thu Jan 12 21:21:30 2006
Subject: Internet Explorer URL Display problem
In-Reply-To: <3FD767AE.2050006@bangor.ac.uk>
References: <3FD767AE.2050006@bangor.ac.uk>
Message-ID: <1431.24.83.44.30.1071084955.squirrel@www.fractalweb.com>

> Would I be right in thinking that the only way MailScanner could do
> anything about this type of thing in an e-mail would be to use MCP or
> would a simple addition to the SpamAssassin rules do the trick? I guess
> though if you modify the normal SA rules you might end up marking it as
> Spam whereas actually, you want to identify it as malicious.

I agree that this is a serious exploit indeed. It certainly wouldn't take a genius to build a site that looks "just like a specific bank" or "exactly like eBay" or "exactly like Visa" etc. I've known about the exploit for a while, but wasn't aware of the "%01" variation.

Perhaps someone (Julian?) can create a patch that will restrict this exploit much the same way as MailScanner currently finds malicious I-Frame tags and such.

I'm not certain if the regex would be as simple as searching for "\.[a-zA-Z]{2,3,4}%01@" within the body of a message, or if that would catch too much.

It's frustrating that Microsoft, who has more cash than most countries, leaves its users open to things like this. It's interesting to note that Mozilla (1.5) doesn't display this vulnerability.

Cheers,
Chris Yuzik

From mkettler at EVI-INC.COM Wed Dec 10 19:49:12 2003
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:21:30 2006 Subject: mailscanner In-Reply-To: <1071081220.2033.30.camel@jfraleyx.glenraven.com> References: <1071081220.2033.30.camel@jfraleyx.glenraven.com> Message-ID: <6.0.0.22.0.20031210144317.0251e4f0@xanadu.evi-inc.com> At 01:33 PM 12/10/2003, Jon Fraley wrote: >Or, is it best to move all our stuff in local.cf to >spam.assassin.prefs.conf? Don't bother. >Do the setting in MailScanner.conf override what is in local.cf? I have >gone through MailScanner.conf and am not sure exactly what needs to be >set. No, spam.assassin.prefs.conf replaces your user_prefs file, it does not replace local.cf. Personally I do most of my custom work at the user_prefs level, not the local.cf level. I like to use a non-prived users "user_prefs" file as a test-case for configurations. I make my edits to the user_prefs file, then run spamassassin --lint to make sure it runs clean, then do some test emails through the command-line tool. After I'm satisfied the tweaks work as expected, I su and copy that user_prefs over top of my spam.assassin.prefs.conf, and restart MailScanner. This gives me a great amount of "test and try" flexibility, but I do have to keep to the pattern, if I edit spam.assassin.prefs.conf directly, I then have to back-port those changes to the unprived user's user_prefs file.. but why would I ever want to load an untested conf file?? :) Since MS uses SA directly, it's not subject to the "no rules in user_prefs" restrictions imposed by spamd/spamc, so you can do custom rules this way. It also always uses the same user_prefs file, so provided it's only root writable, it's not a security concern. From dbird at SGHMS.AC.UK Wed Dec 10 19:46:29 2003 
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:21:30 2006
Subject: Internet Explorer URL Display problem
In-Reply-To: <3FD767AE.2050006@bangor.ac.uk>
References: <3FD767AE.2050006@bangor.ac.uk>
Message-ID: <3FD77815.2070206@sghms.ac.uk>

Martin Sapsed wrote:
> Hi all,
>
> I've received this via the UK academic network security team.
>
>
>
> Any thoughts anyone?
>

Off the top of my head, could you not do a simple SA rule like so:

describe IE_VULN Body of email contains %01@ in a url
uri IE_VULN / %01@/
score IE_VULN 10.0

Which would look for that pattern in a url.

Of course I could be wrong

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From Antony at SOFT-SOLUTIONS.CO.UK Wed Dec 10 19:55:20 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:21:30 2006
Subject: Internet Explorer URL Display problem
In-Reply-To: <3FD77815.2070206@sghms.ac.uk>
References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk>
Message-ID: <200312101955.20491.Antony@Soft-Solutions.co.uk>

On Wednesday 10 December 2003 7:46 pm, Daniel Bird wrote:
> Off the top of my head, could you not do a simple SA rule like so:
>
> describe IE_VULN Body of email contains %01@ in a url
> uri IE_VULN / %01@/
> score IE_VULN 10.0
>
> Which would look for that pattern in a url.

The above isn't specific to finding the pattern in a URL - although admittedly I can't think of a valid reason why you'd expect to see a %01 anywhere, URL or not.

Note by the way that the original notification referred to the %01 being *after* the @ sign, not before it (before too many people go off and concoct various pattern matches for the wrong pattern!)

Antony.

--
Ramdisk is not an installation procedure.

Please reply to the list; please don't CC me.

From dbird at SGHMS.AC.UK Wed Dec 10 20:05:36 2003
From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:21:30 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <200312101955.20491.Antony@Soft-Solutions.co.uk> References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> Message-ID: <3FD77C90.5060705@sghms.ac.uk> Antony Stone wrote: >On Wednesday 10 December 2003 7:46 pm, Daniel Bird wrote: > > > >>Off the top of my head, could you not do a simple SA rule like so: >> >>describe IE_VULN Body of email contains %01@ in a url >>uri IE_VULN / %01@/ >>score IE_VULN 10.0 >> >>Which would look for that pattern in a url. >> >> > >The above isn't specific to finding the pattern in a URL > Agreed > - although admittedly >I can't think of a valid reason why you'd expect to see a %01 anywhere, URL >or not. > >Note by the way that the original notification referred to the %01 being >*after* the @ sign, not before it (before too many people go off and concoct >various pattern matches for the wrong pattern!) > > Indeed, that's what I thought. But looking at the html source of the proof of concept, the following is used: Obviously the pattern could be extended to look for a-z,0-9 etc after the @ Dan >Antony. > >-- >Ramdisk is not an installation procedure. > > Please reply to the list; > please don't CC me. > > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From chris at FRACTALWEB.COM Wed Dec 10 20:10:09 2003 
From: chris at FRACTALWEB.COM (Chris Yuzik) Date: Thu Jan 12 21:21:30 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <200312101955.20491.Antony@Soft-Solutions.co.uk> References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> Message-ID: <1559.24.83.44.30.1071087009.squirrel@www.fractalweb.com> > On Wednesday 10 December 2003 7:46 pm, Antony wrote: > Note by the way that the original notification referred to the %01 being > *after* the @ sign, not before it (before too many people go off and > concoct various pattern matches for the wrong pattern!) I believe the *after* is a typo on the vulnerability proof of concept page. If you click the link or view the html source you'll note that the link goes to: http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm If you try it *after* the @ then it doesn't work at all. http://www.microsoft.com@%01zapthedingbat.com/security/ex01/vun2.htm Cheers, Chris From kevins at BMRB.CO.UK Wed Dec 10 20:10:58 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:21:30 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB00188B87C@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB00188B87C@pascal.priv.bmrb.co.uk> Message-ID: <1071087058.30309.86.camel@bach.kevinspicer.co.uk> On Wed, 2003-12-10 at 19:55, Antony Stone wrote: >Note by the way that the original notification referred to the %01 >being >*after* the @ sign, not before it (before too many people go off and >concoct >various pattern matches for the wrong pattern!) Yes, but the proof of concept has the %01 before the @. (I'm not sure which you were saying was wrong though). It is worth noting that since the %01 hides anything after it the @ need not follow immediately, for example www.amazon.com%01Iwantallyourmoney@www.evil.com From dbird at SGHMS.AC.UK Wed Dec 10 20:11:47 2003 
From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:21:30 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <3FD77C90.5060705@sghms.ac.uk> References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> Message-ID: <3FD77E03.3010209@sghms.ac.uk> Daniel Bird wrote: > Antony Stone wrote: > >> On Wednesday 10 December 2003 7:46 pm, Daniel Bird wrote: >> >> >> >>> Off the top of my head, could you not do a simple SA rule like so: >>> >>> describe IE_VULN Body of email contains %01@ in a url >>> uri IE_VULN / %01@/ >>> score IE_VULN 10.0 >>> >>> Which would look for that pattern in a url. >>> >>> >> >> The above isn't specific to finding the pattern in a URL >> > Agreed > >> - although admittedly >> I can't think of a valid reason why you'd expect to see a %01 >> anywhere, URL >> or not. >> >> Note by the way that the original notification referred to the %01 being >> *after* the @ sign, not before it (before too many people go off and >> concoct >> various pattern matches for the wrong pattern!) >> >> > Indeed, that's what I thought. But looking at the html source of the > proof of concept, the following is used: > > > > Obviously the pattern could be extended to look for a-z,0-9 etc after > the @ Ignore the *'s in the above URL. My MUA decided to replace the bold with * (must have sent plain text only) sorry. Should be : http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm > > Dan > >> Antony. >> >> -- >> Ramdisk is not an installation procedure. >> >> Please reply to >> the list; >> please >> don't CC me. >> >> >> > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at ecs.soton.ac.uk Wed Dec 10 20:27:52 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:30 2006
Subject: Internet Explorer URL Display problem
In-Reply-To: <3FD77C90.5060705@sghms.ac.uk>
References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk>
Message-ID: <6.0.1.1.2.20031210202408.027e59f8@imap.ecs.soton.ac.uk>

At 20:05 10/12/2003, you wrote:
>Antony Stone wrote:
>>On Wednesday 10 December 2003 7:46 pm, Daniel Bird wrote:
>>>Off the top of my head, could you not do a simple SA rule like so:
>>>
>>>describe IE_VULN Body of email contains %01@ in a url
>>>uri IE_VULN / %01@/
>>>score IE_VULN 10.0
>>>
>>>Which would look for that pattern in a url.
>>>
>>
>>The above isn't specific to finding the pattern in a URL
>Agreed
>
>>- although admittedly
>>I can't think of a valid reason why you'd expect to see a %01 anywhere, URL
>>or not.
>>
>>Note by the way that the original notification referred to the %01 being
>>*after* the @ sign, not before it (before too many people go off and concoct
>>various pattern matches for the wrong pattern!)
>>
>Indeed, that's what I thought. But looking at the html source of the
>proof of concept, the following is used:
>
>
>
>Obviously the pattern could be extended to look for a-z,0-9 etc after the @

Should

uri IE_VULN /%01.*@/
score IE_VULN 10.0
describe IE_VULN Internet Explorer vulnerability

work?

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From dbird at SGHMS.AC.UK Wed Dec 10 20:25:08 2003
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:21:30 2006
Subject: Internet Explorer URL Display problem
In-Reply-To: <1071087058.30309.86.camel@bach.kevinspicer.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB00188B87C@pascal.priv.bmrb.co.uk> <1071087058.30309.86.camel@bach.kevinspicer.co.uk>
Message-ID: <3FD78124.2030101@sghms.ac.uk>

Kevin Spicer wrote:
>On Wed, 2003-12-10 at 19:55, Antony Stone wrote:
>
>>Note by the way that the original notification referred to the %01
>>being
>>*after* the @ sign, not before it (before too many people go off and
>>concoct
>>various pattern matches for the wrong pattern!)
>>
>
>Yes, but the proof of concept has the %01 before the @. (I'm not sure
>which you were saying was wrong though).
>
>It is worth noting that since the %01 hides anything after it the @ need
>not follow immediately, for example
>
>www.amazon.com%01Iwantallyourmoney@www.evil.com
>

so how about the regexp:

\%01.+@.+\

?

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From ka at PACIFIC.NET Wed Dec 10 20:32:22 2003
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:21:30 2006
Subject: Internet Explorer URL Display problem
In-Reply-To: <3FD77C90.5060705@sghms.ac.uk>
References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk>
Message-ID: <3FD782D6.4050007@pacific.net>

So, combining the suggestions so far - are we getting close?

describe IE6_URL_VULN Body of email contains %01@ in a url
uri IE6_URL_VULN /\.[a-zA-Z]{2,4}%01\S+@/
score IE6_URL_VULN 10.0

Ken A.
Pacific.Net

Daniel Bird wrote:
> Antony Stone wrote:
>
>> On Wednesday 10 December 2003 7:46 pm, Daniel Bird wrote:
>>
>>> Off the top of my head, could you not do a simple SA rule like so:
>>>
>>> describe IE_VULN Body of email contains %01@ in a url
>>> uri IE_VULN / %01@/
>>> score IE_VULN 10.0
>>>
>>> Which would look for that pattern in a url.
>>>
>>
>> The above isn't specific to finding the pattern in a URL
>>
> Agreed
>
>> - although admittedly
>> I can't think of a valid reason why you'd expect to see a %01
>> anywhere, URL
>> or not.
>>
>> Note by the way that the original notification referred to the %01 being
>> *after* the @ sign, not before it (before too many people go off and
>> concoct
>> various pattern matches for the wrong pattern!)
>>
> Indeed, that's what I thought. But looking at the html source of the
> proof of concept, the following is used:
>
>
>
> Obviously the pattern could be extended to look for a-z,0-9 etc after the @
>
> Dan
>
>> Antony.
>>
>> --
>> Ramdisk is not an installation procedure.
>>
>> Please reply to the list;
>> please don't CC me.
>>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>

From ka at PACIFIC.NET Wed Dec 10 20:34:11 2003
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:21:30 2006
Subject: Internet Explorer URL Display problem
In-Reply-To: <3FD78124.2030101@sghms.ac.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB00188B87C@pascal.priv.bmrb.co.uk> <1071087058.30309.86.camel@bach.kevinspicer.co.uk> <3FD78124.2030101@sghms.ac.uk>
Message-ID: <3FD78343.2020109@pacific.net>

Daniel Bird wrote:

> Kevin Spicer wrote:
>
>> On Wed, 2003-12-10 at 19:55, Antony Stone wrote:
>>
>>> Note by the way that the original notification referred to the %01 being
>>> *after* the @ sign, not before it (before too many people go off and
>>> concoct various pattern matches for the wrong pattern!)
>>
>> Yes, but the proof of concept has the %01 before the @. (I'm not sure
>> which you were saying was wrong though).
>>
>> It is worth noting that since the %01 hides anything after it the @ need
>> not follow immediately, for example
>>
>> www.amazon.com%01Iwantallyourmoney@www.evil.com
>>
> so how about the regexp:
>
> \%01.+@.+\
>
> ?

I think the .+ could gobble up quite a bit of text looking for an '@'

Ken A.
Pacific.Net

>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>

From ka at PACIFIC.NET Wed Dec 10 20:37:59 2003
From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:21:30 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <6.0.1.1.2.20031210202408.027e59f8@imap.ecs.soton.ac.uk> References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> <6.0.1.1.2.20031210202408.027e59f8@imap.ecs.soton.ac.uk> Message-ID: <3FD78427.9050801@pacific.net> Julian Field wrote: > At 20:05 10/12/2003, you wrote: > >> Antony Stone wrote: >> >>> On Wednesday 10 December 2003 7:46 pm, Daniel Bird wrote: >>> >>>> Off the top of my head, could you not do a simple SA rule like so: >>>> >>>> describe IE_VULN Body of email contains %01@ in a url >>>> uri IE_VULN / %01@/ >>>> score IE_VULN 10.0 >>>> >>>> Which would look for that pattern in a url. >>>> >>> >>> The above isn't specific to finding the pattern in a URL >> >> Agreed >> >>> - although admittedly >>> I can't think of a valid reason why you'd expect to see a %01 >>> anywhere, URL >>> or not. >>> >>> Note by the way that the original notification referred to the %01 being >>> *after* the @ sign, not before it (before too many people go off and >>> concoct >>> various pattern matches for the wrong pattern!) >>> >> Indeed, that's what I thought. But looking at the html source of the >> proof of concept, the following is used: >> >> >> >> Obviously the pattern could be extended to look for a-z,0-9 etc after >> the @ > > > Should > > uri IE_VULN /%01.*@/ > score IE_VULN 10.0 > describe IE_VULN Internet Explorer vulnerability > > work? consider a recipe.. Add chemical X to a %01 solution of Sugar and Spice and Everything Nice Bake @ 400 degrees. Send off to capture Mojo Jo Jo. I think it would match. Ken A. 
> Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > From Antony at SOFT-SOLUTIONS.CO.UK Wed Dec 10 20:39:13 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:21:30 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <3FD78343.2020109@pacific.net> References: <5C0296D26910694BB9A9BBFC577E7AB00188B87C@pascal.priv.bmrb.co.uk> <3FD78124.2030101@sghms.ac.uk> <3FD78343.2020109@pacific.net> Message-ID: <200312102039.13075.Antony@Soft-Solutions.co.uk> On Wednesday 10 December 2003 8:34 pm, Ken Anderson wrote: > Daniel Bird wrote: > > > so how about the regexp: > > > > \%01.+@.+\ > > > > ? > > I think the .+ could gobble up quite a bit of text looking for an '@' Good point. Depends how likely it is you'll find the opening %01 in the first place. Could form the basis of a DoS attack, though. Antony. -- RTFM may be the appropriate reply, but please specify exactly which FM to R. Please reply to the list; please don't CC me. From dbird at SGHMS.AC.UK Wed Dec 10 20:40:19 2003 
From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:21:30 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <3FD782D6.4050007@pacific.net> References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> <3FD782D6.4050007@pacific.net> Message-ID: <3FD784B3.5090204@sghms.ac.uk> Ken Anderson wrote: > So, combining the suggestions so far - are we getting close? > > describe IE6_URL_VULN Body of email contains %01@ in a url > uri IE6_URL_VULN /\.[a-zA-Z]{2,4}%01\S+@/ > score IE6_URL_VULN 10.0 Just ran that through Regex coach and could not find any false matches, or character combos that would be missed, so I say yay! Dan > > Ken A. > Pacific.Net > > Daniel Bird wrote: > >> Antony Stone wrote: >> >>> On Wednesday 10 December 2003 7:46 pm, Daniel Bird wrote: >>> >>> >>> >>>> Off the top of my head, could you not do a simple SA rule like so: >>>> >>>> describe IE_VULN Body of email contains %01@ in a url >>>> uri IE_VULN / %01@/ >>>> score IE_VULN 10.0 >>>> >>>> Which would look for that pattern in a url. >>>> >>>> >>> >>> The above isn't specific to finding the pattern in a URL >>> >> Agreed >> >>> - although admittedly >>> I can't think of a valid reason why you'd expect to see a %01 >>> anywhere, URL >>> or not. >>> >>> Note by the way that the original notification referred to the %01 >>> being >>> *after* the @ sign, not before it (before too many people go off and >>> concoct >>> various pattern matches for the wrong pattern!) >>> >>> >> Indeed, that's what I thought. But looking at the html source of the >> proof of concept, the following is used: >> >> >> >> Obviously the pattern could be extended to look for a-z,0-9 etc after >> the @ >> >> Dan >> >>> Antony. >>> >>> -- >>> Ramdisk is not an installation procedure. >>> >>> Please reply to >>> the list; >>> please don't >>> CC me. 
>>> >>> >>> >> >> >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. >> >> > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at ecs.soton.ac.uk Wed Dec 10 20:50:51 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:30 2006
Subject: Internet Explorer URL Display problem
In-Reply-To: <3FD78427.9050801@pacific.net>
References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> <6.0.1.1.2.20031210202408.027e59f8@imap.ecs.soton.ac.uk> <3FD78427.9050801@pacific.net>
Message-ID: <6.0.1.1.2.20031210204536.027d22b0@imap.ecs.soton.ac.uk>

At 20:37 10/12/2003, you wrote:
>Julian Field wrote:
>
>>At 20:05 10/12/2003, you wrote:
>>
>>>Antony Stone wrote:
>>>
>>>>On Wednesday 10 December 2003 7:46 pm, Daniel Bird wrote:
>>>>
>>>>>Off the top of my head, could you not do a simple SA rule like so:
>>>>>
>>>>>describe IE_VULN Body of email contains %01@ in a url
>>>>>uri IE_VULN / %01@/
>>>>>score IE_VULN 10.0
>>>>>
>>>>>Which would look for that pattern in a url.
>>>>
>>>>The above isn't specific to finding the pattern in a URL
>>>
>>>Agreed
>>>
>>>>- although admittedly
>>>>I can't think of a valid reason why you'd expect to see a %01
>>>>anywhere, URL or not.
>>>>
>>>>Note by the way that the original notification referred to the %01 being
>>>>*after* the @ sign, not before it (before too many people go off and
>>>>concoct various pattern matches for the wrong pattern!)
>>>Indeed, that's what I thought. But looking at the html source of the
>>>proof of concept, the following is used:
>>>
>>>
>>>
>>>Obviously the pattern could be extended to look for a-z,0-9 etc after
>>>the @
>>
>>Should
>>
>>uri IE_VULN /%01.*@/
>>score IE_VULN 10.0
>>describe IE_VULN Internet Explorer vulnerability
>>
>>work?
>
>consider a recipe..
>
>Add chemical X to a %01 solution of Sugar and Spice and Everything Nice
>Bake @ 400 degrees.
>Send off to capture Mojo Jo Jo.
>
>I think it would match.

No it shouldn't.
That's why I made it a URI test and not just a body or rawbody test.
From the SA docs:

    The 'uri' in this case is a list of all the URIs in the body of the
    email, and the test will be run on each and every one of those
    URIs, adjusting the score if a match is found. Use this test
    instead of one of the body tests when you need to match a URI, as
    it is more accurately bound to the start/end points of the URI, and
    will also be faster.

And it needs to be a * and not a + as you don't need any text between %01
and @. I don't see the need to try to match a country code before the %01
either, what happens when they put in a space %20 or other unprintable (or
nearly invisible) character? I feel you are adding restrictions to the
test, which the hacker can easily work around.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Dec 10 20:53:41 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:30 2006
Subject: Internet Explorer URL Display problem
In-Reply-To: <3FD784B3.5090204@sghms.ac.uk>
References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> <3FD782D6.4050007@pacific.net> <3FD784B3.5090204@sghms.ac.uk>
Message-ID: <6.0.1.1.2.20031210205221.0287fad8@imap.ecs.soton.ac.uk>

At 20:40 10/12/2003, you wrote:
>Ken Anderson wrote:
>
>>So, combining the suggestions so far - are we getting close?
>>
>>describe IE6_URL_VULN Body of email contains %01@ in a url
>>uri IE6_URL_VULN /\.[a-zA-Z]{2,4}%01\S+@/
>>score IE6_URL_VULN 10.0
>
>Just ran that through Regex coach and could not find any false matches,
>or character combos that would be missed, so I say yay!

How about this:
http://www.microsoft.com%20%01%20@nasty.hacker.com/hohoho
That will appear to be
http://www.microsoft.com
and yet you won't catch it.

>Dan
>
>>
>>Ken A.
>>Pacific.Net
>>
>>Daniel Bird wrote:
>>
>>>Antony Stone wrote:
>>>
>>>>On Wednesday 10 December 2003 7:46 pm, Daniel Bird wrote:
>>>>
>>>>>Off the top of my head, could you not do a simple SA rule like so:
>>>>>
>>>>>describe IE_VULN Body of email contains %01@ in a url
>>>>>uri IE_VULN / %01@/
>>>>>score IE_VULN 10.0
>>>>>
>>>>>Which would look for that pattern in a url.
>>>>
>>>>The above isn't specific to finding the pattern in a URL
>>>Agreed
>>>
>>>>- although admittedly
>>>>I can't think of a valid reason why you'd expect to see a %01
>>>>anywhere, URL or not.
>>>>
>>>>Note by the way that the original notification referred to the %01 being
>>>>*after* the @ sign, not before it (before too many people go off and
>>>>concoct various pattern matches for the wrong pattern!)
>>>>
>>>Indeed, that's what I thought. But looking at the html source of the
>>>proof of concept, the following is used:
>>>
>>>
>>>
>>>Obviously the pattern could be extended to look for a-z,0-9 etc after
>>>the @
>>>
>>>Dan
>>>
>>>>Antony.
>>>>
>>>>--
>>>>Ramdisk is not an installation procedure.
>>>>
>>>>Please reply to the list;
>>>>please don't CC me.
>>>>
>>>
>>>--
>>>This message has been scanned for viruses and
>>>dangerous content by MailScanner, and is
>>>believed to be clean.
>>>
>
>--
>This message has been scanned for viruses and
>dangerous content by MailScanner, and is
>believed to be clean.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From chris at fractalweb.com Wed Dec 10 20:52:23 2003
From: chris at FRACTALWEB.COM (Chris Yuzik) Date: Thu Jan 12 21:21:30 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <6.0.1.1.2.20031210202408.027e59f8@imap.ecs.soton.ac.uk> References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> <6.0.1.1.2.20031210202408.027e59f8@imap.ecs.soton.ac.uk> Message-ID: <1587.24.83.44.30.1071089543.squirrel@www.fractalweb.com> > At 20:05 10/12/2003, you wrote: > Should > > uri IE_VULN /%01.*@/ > score IE_VULN 10.0 > describe IE_VULN Internet Explorer vulnerability > > work? Julian, Wouldn't this only mark the message as spam? Maybe I'm alone on this, but I think that this presents a far more serious threat than just spam. If someone opens the spam anyways and sees a message from their bank, requesting verification of online banking information, they might be tempted to follow the links AND complain to me that this important message from their bank was marked as spam. My thought is that this should fall under the same general area of the flowchart as the I-Frame exploits, if possible. Your thoughts? Chris From ka at PACIFIC.NET Wed Dec 10 20:59:13 2003 
From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:21:30 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <6.0.1.1.2.20031210204536.027d22b0@imap.ecs.soton.ac.uk> References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> <6.0.1.1.2.20031210202408.027e59f8@imap.ecs.soton.ac.uk> <3FD78427.9050801@pacific.net> <6.0.1.1.2.20031210204536.027d22b0@imap.ecs.soton.ac.uk> Message-ID: <3FD78921.3060603@pacific.net> Julian Field wrote: > At 20:37 10/12/2003, you wrote: > >> Julian Field wrote: >> >>> At 20:05 10/12/2003, you wrote: >>> >>>> Antony Stone wrote: >>>> >>>>> On Wednesday 10 December 2003 7:46 pm, Daniel Bird wrote: >>>>> >>>>>> Off the top of my head, could you not do a simple SA rule like so: >>>>>> >>>>>> describe IE_VULN Body of email contains %01@ in a url >>>>>> uri IE_VULN / %01@/ >>>>>> score IE_VULN 10.0 >>>>>> >>>>>> Which would look for that pattern in a url. >>>>> >>>>> >>>>> The above isn't specific to finding the pattern in a URL >>>> >>>> >>>> Agreed >>>> >>>>> - although admittedly >>>>> I can't think of a valid reason why you'd expect to see a %01 >>>>> anywhere, URL >>>>> or not. >>>>> >>>>> Note by the way that the original notification referred to the %01 >>>>> being >>>>> *after* the @ sign, not before it (before too many people go off and >>>>> concoct >>>>> various pattern matches for the wrong pattern!) >>>> >>>> Indeed, that's what I thought. But looking at the html source of the >>>> proof of concept, the following is used: >>>> >>>> >>>> >>>> Obviously the pattern could be extended to look for a-z,0-9 etc after >>>> the @ >>> >>> >>> >>> Should >>> >>> uri IE_VULN /%01.*@/ >>> score IE_VULN 10.0 >>> describe IE_VULN Internet Explorer vulnerability >>> >>> work? >> >> >> consider a recipe.. >> >> Add chemical X to a %01 solution of Sugar and Spice and Everything Nice >> Bake @ 400 degrees. 
>> Send off to capture Mojo Jo Jo. >> >> I think it would match. > > > No it shouldn't. > That's why I made it a URI test and not just a body or rawbody test. From > the SA docs: > The 'uri' in this case is a list of all the URIs in the body > of the > email, and the test will be run on each and every one of those > URIs, adjusting the score if a match is found. Use this test > instead of one of the body tests when you need to match a > URI, as > it is more accurately bound to the start/end points of the > URI, and > will also be faster. > And it needs to be a * and not a + as you don't need any text between %01 > and @. I don't see the need to try to match a country code before the %01 > either, what happens when they put in a space %20 or other unprintable (or > nearly invisible) character? I feel you are adding restrictions to the > test, which the hacker can easily work around. Good catch! Thanks for the info about uri test. Ken A. Pacific.Net > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > From dbird at SGHMS.AC.UK Wed Dec 10 20:58:55 2003 
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:21:30 2006
Subject: Internet Explorer URL Display problem
In-Reply-To: <6.0.1.1.2.20031210205221.0287fad8@imap.ecs.soton.ac.uk>
References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> <3FD782D6.4050007@pacific.net> <3FD784B3.5090204@sghms.ac.uk> <6.0.1.1.2.20031210205221.0287fad8@imap.ecs.soton.ac.uk>
Message-ID: <3FD7890F.5050107@sghms.ac.uk>

Julian Field wrote:

> At 20:40 10/12/2003, you wrote:
>
>> Ken Anderson wrote:
>>
>>> So, combining the suggestions so far - are we getting close?
>>>
>>> describe IE6_URL_VULN Body of email contains %01@ in a url
>>> uri IE6_URL_VULN /\.[a-zA-Z]{2,4}%01\S+@/
>>> score IE6_URL_VULN 10.0
>>
>> Just ran that through Regex coach and could not find any false matches,
>> or character combos that would be missed, so I say yay!
>
> How about this:
> http://www.microsoft.com%20%01%20@nasty.hacker.com/hohoho
> That will appear to be
> http://www.microsoft.com
> and yet you won't catch it.
>
Yep, just worked that one out! I think the URI match on your original rule would be best:

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From dbird at SGHMS.AC.UK Wed Dec 10 21:05:04 2003
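The rule-scoping points argued in the messages above (uri test versus body test, * versus +, and the TLD prefix), as an added example in Python that is not code from any list member or from SpamAssassin. The two patterns are the ones quoted in the thread; the URI extractor, the sample mail and the function names are constructed stand-ins, and SpamAssassin's own URI extraction is more thorough than this.

```python
import re

# The two rule bodies quoted in the thread. They were posted as Perl
# regexes for SpamAssassin; these expressions mean the same in Python's re.
RULES = {
    "IE6_URL_VULN": r"\.[a-zA-Z]{2,4}%01\S+@",   # TLD prefix, '+' quantifier
    "IE_VULN": r"%01.*@",                        # no prefix, '*' quantifier
}

# Assumption: a minimal URI extractor standing in for SpamAssassin's.
# A URI here is a scheme followed by a run of characters that cannot
# contain whitespace, quotes or angle brackets.
URI_RE = re.compile(r"(?:https?|ftp)://[^\s<>\"']+", re.IGNORECASE)


def extract_uris(body):
    """Return every URI found in the message body, in order."""
    return URI_RE.findall(body)


def uri_test(rule, body):
    """Model of a 'uri' rule: the pattern is tried on each URI separately."""
    pattern = re.compile(RULES[rule])
    return [u for u in extract_uris(body) if pattern.search(u)]


def body_test(rule, body):
    """Model of a body-scoped rule: the pattern sees the running text.

    Assumption: line breaks are folded to spaces, so a match can span
    the wrapped lines of one paragraph.
    """
    text = " ".join(body.split())
    return re.search(RULES[rule], text) is not None


# Ken Anderson's recipe text from the thread: %01 and @, but no URI at all.
RECIPE = (
    "Add chemical X to a %01 solution of Sugar and Spice and Everything Nice\n"
    "Bake @ 400 degrees.\n"
    "Send off to capture Mojo Jo Jo.\n"
)

# The first two URLs are the thread's own examples (the first is given a
# scheme here); the last two are constructed for this example.
AMAZON = "http://www.amazon.com%01Iwantallyourmoney@www.evil.com"
PADDED = "http://www.microsoft.com%20%01%20@nasty.hacker.com/hohoho"
ADJACENT = "http://www.example.com%01@host.example/login"  # nothing between %01 and @
BENIGN = "ftp://anonymous@ftp.example.org/pub/README"      # userinfo but no %01

# Constructed message body containing all four URLs.
MAIL = "\n".join([
    "Please verify your account:", AMAZON, PADDED, ADJACENT,
    "Mirror for the docs:", BENIGN,
])


def report(body):
    """Map each rule name to the URIs in body that it flags."""
    return {rule: uri_test(rule, body) for rule in RULES}


if __name__ == "__main__":
    total = len(extract_uris(MAIL))
    for rule, hits in report(MAIL).items():
        print(rule, "flags", len(hits), "of", total, "URIs")
        for uri in hits:
            print("   ", uri)
    print("recipe as body test:", body_test("IE_VULN", RECIPE))
    print("recipe as uri test: ", uri_test("IE_VULN", RECIPE))
```

The TLD-prefixed pattern misses both the %20-padded URL and the one with nothing between %01 and @, while the unrestricted pattern flags all three spoofed URLs and leaves the ordinary user@host FTP link alone; the recipe text only matches when the pattern is applied as a body test.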
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:21:30 2006
Subject: Internet Explorer URL Display problem
In-Reply-To: <1587.24.83.44.30.1071089543.squirrel@www.fractalweb.com>
References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> <6.0.1.1.2.20031210202408.027e59f8@imap.ecs.soton.ac.uk> <1587.24.83.44.30.1071089543.squirrel@www.fractalweb.com>
Message-ID: <3FD78A80.9030109@sghms.ac.uk>

Chris Yuzik wrote:

>>At 20:05 10/12/2003, you wrote:
>>
>>Should
>>
>>uri IE_VULN /%01.*@/
>>score IE_VULN 10.0
>>describe IE_VULN Internet Explorer vulnerability
>>
>>work?
>>
>
>Julian,
>
>Wouldn't this only mark the message as spam? Maybe I'm alone on this, but
>I think that this presents a far more serious threat than just spam. If
>someone opens the spam anyways and sees a message from their bank,
>requesting verification of online banking information, they might be
>tempted to follow the links AND complain to me that this important message
>from their bank was marked as spam.
>
>My thought is that this should fall under the same general area of the
>flowchart as the I-Frame exploits, if possible.
>
>Your thoughts?
>
My 2 pennith :
IF a rule in SA can catch it (without FP's), it can simply be scored
really high (say 100) and just run the high scoring spam actions on it.
For us that would be no notifications, nada. I can see a reason for
something similar to the IFrame stuff if you wanted MS to do other stuff
with it, like rule sets etc, but this you really want bin.

Dan

>Chris
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mailscanner at ecs.soton.ac.uk Wed Dec 10 21:22:49 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:30 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <1587.24.83.44.30.1071089543.squirrel@www.fractalweb.com> References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> <6.0.1.1.2.20031210202408.027e59f8@imap.ecs.soton.ac.uk> <1587.24.83.44.30.1071089543.squirrel@www.fractalweb.com> Message-ID: <6.0.1.1.2.20031210211659.027caaf0@imap.ecs.soton.ac.uk> At 20:52 10/12/2003, you wrote: > > At 20:05 10/12/2003, you wrote: > > > Should > > > > uri IE_VULN /%01.*@/ > > score IE_VULN 10.0 > > describe IE_VULN Internet Explorer vulnerability > > > > work? > >Julian, > >Wouldn't this only mark the message as spam? Maybe I'm alone on this, but >I think that this presents a far more serious threat than just spam. If >someone opens the spam anyways and sees a message from their bank, >requesting verification of online banking information, they might be >tempted to follow the links AND complain to me that this important message >from their bank was marked as spam. > >My thought is that this should fall under the same general area of the >flowchart as the I-Frame exploits, if possible. I don't want to do what SA already does very well, nor do I want to write code that is part of the arms race, I've probably done too much of that already. So I would prefer SA to do this. Maybe it is time to "plug" MCP rather more, and do more testing of it. From the people who have tried it, does it work? I am particularly interested in hearing if you have had problems making MCP and the normal SA code work together. There's a bug in SA that I haven't found yet that causes problems here. I *believe* I have worked around it, but I'm not sure. There's a performance hit in running them both because of this bug. 
For docs on MCP, see www.sng.ecs.soton.ac.uk/mailscanner/install/mcp -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From pete at eatathome.com.au Wed Dec 10 21:22:25 2003 From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:21:30 2006 Subject: Slackware 9.1, Postfix, and MailScanner In-Reply-To: <2B1F39EA56FA7643A328F66521D41B760EAC@magellan.nesbitt.local> References: <2B1F39EA56FA7643A328F66521D41B760EAC@magellan.nesbitt.local> Message-ID: <3FD78E91.2070106@eatathome.com.au> Collins, Kevin wrote: >>I am no expert - but it looks like you are sending mail from >>the local machine - mailscanner won't be scanning this mail - >>get a mail client on another machine, make the outbound SMTP >>addy your mailscanner machine and send your new mail - have a >>tail -f /var/yourlogfilepath console running to watch what happens. >> >> > >Thanks for replying. Yes you're right, I was sending from the local >machine. I was not aware that MailScanner wouldn't scan e-mails when >delivered this way - you live and learn. > >So I set up a machine on my LAN that uses "Freedom" (my new MS Box) as an >SMTP host, and I've been able to verify that MailScanner is actually >working. > >Thanks for your help. > >Kevin > So glad I was able to help - have received so much help from folks on here and really happy I was able to assist someone else :) Pete From pete at eatathome.com.au Wed Dec 10 21:36:05 2003 
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:21:30 2006 Subject: Effort to manage MailScanner Message-ID: <3FD791C5.2010102@eatathome.com.au> Sorry I couldn't think of a better subject heading. I have had MS running now for a full month and it appears to be working perfectly - in our org we cannot be too aggressive as false positives would a lot of criticism, so I have used almost defaults settings, but we get no UCEs delivered to staff or students and have had only one false positive so far. We have 600-700 mail accounts but only receive 1500 emails a day %30 being spam. I have noticed on these forums a lot of people spending a lot of time changing settings, adding RBLs, upgrading every new release or beta and I wanted to know what benefits these folks receive vs their effort - it's starting to make me feel like I should be upgrading to latest too - except I don't want to have my head buried in MS config every day for the next month - I thought this and install, config and forget type system, which is how I have been treating it (though I check quarantine daily at the moment), are you guys getting some benefit that I am not, or is because you have far greater volumes of mail that you get more spam through MS and have to work harder to stop it? I suppose it's my cautious, no downtime nature that keeps us a few versions behind with almost all of my systems... From ka at PACIFIC.NET Wed Dec 10 21:57:03 2003 
From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:21:30 2006 Subject: Effort to manage MailScanner In-Reply-To: <3FD791C5.2010102@eatathome.com.au> References: <3FD791C5.2010102@eatathome.com.au> Message-ID: <3FD796AF.2030107@pacific.net> Pete wrote: > Sorry I couldn't think of a better subject heading. > > I have had MS running now for a full month and it appears to be working > perfectly - in our org we cannot be too aggressive as false positives > would a lot of criticism, so I have used almost defaults settings, but we > get no UCEs delivered to staff or students and have had only one false > positive so far. > > We have 600-700 mail accounts but only receive 1500 emails a day %30 > being spam. > > I have noticed on these forums a lot of people spending a lot of time > changing settings, adding RBLs, upgrading every new release or beta and > I wanted to know what benefits these folks receive vs their effort - > it's starting to make me feel like I should be upgrading to latest too - > except I don't want to have my head buried in MS config every day for the > next month - I thought this and install, config and forget type system, > which is how I have been treating it (though I check quarantine daily > at the moment), are you guys getting some benefit that I am not, or is > because you have far greater volumes of mail that you get more spam > through MS and have to work harder to stop it? > > I suppose it's my cautious, no downtime nature that keeps us a few > versions behind with almost all of my systems... > > "If it ain't broke, don't fix it" and "The squeaky wheel gets the grease" and other similar sayings apply to most open source software and related email lists respectively. MailScanner is a great piece of software, and your experience is a good testimony to that. The list is populated by people who love this stuff, love adding features and making tweaks to make MS work better in a given environment. 
If you have a problem, you can find the answer here. Sometimes it's necessary to make performance tweaks, but it's probably a waste of your time if you are just scanning 1500 emails a day. We scan 600,000 messages a day using 2 machines and get about 50% spam. Performance tweaks are important! But, we don't upgrade unless there's a new feature in MS we need, a new SA version. Ken A. Pacific.Net From mailscanner at ecs.soton.ac.uk Thu Dec 11 08:22:24 2003 From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk) Date: Thu Jan 12 21:21:30 2006 Subject: NOTIFY-New Guestbook Entry Message-ID: <200312110822.hBB8MOOa006991@seer.ecs.soton.ac.uk> New Guestbook-Entry from Wayne MailScanner unable detect the zip file viruses From greyhair at GREYHAIR.NET Wed Dec 10 22:07:14 2003 From: greyhair at GREYHAIR.NET (greyhair) Date: Thu Jan 12 21:21:30 2006 Subject: DNS based block lists and the like question. In-Reply-To: <20031210174904.GA2723@bardino.dk> References: <3FD758B4.5050806@greyhair.net> <20031210174904.GA2723@bardino.dk> Message-ID: <3FD79912.3060506@greyhair.net> Thanks to you all that responded!! I love this list for their quick, accurate and friendly responses! Thanks again, It really helps. greyhair. Jonas Bardino wrote: >* greyhair [Dec 10. 2003 18:33]: > > >>Hi. >> If I use a dnsbl like SORBS (www.sorbs.net) in MailScanner, do I also >>need to set the same dnsbl in sendmail, or any MTA in general? If no, >>what happens if there is a dnsbl listing in the MTA? >> >>Thanks. >> >>greyhair >> >> > >That depends on what strategy you want to use with respect to rejecting >messages. > >The FAQ at >http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/157.html >may help you. > >Kind regards, Jonas > > > > From brian at SOLUSCORP.COM Wed Dec 10 08:37:05 2003 
From: brian at SOLUSCORP.COM (Brian Wells) Date: Thu Jan 12 21:21:30 2006 Subject: Blacklist file changes getting removed by something Message-ID: <076001c3bef8$cb44dac0$d700600a@merlintest.net> Hi, Much to my annoyance, I noticed after I had entered by hand a bunch of hosts to my blacklist file, that my changes had been removed and a new blacklist file was in place. Looking at the timestamp on the file, it is getting replaced once an hour. I searched quite a bit for an explanation for this behaviour. Something like the auto whitelist feature except for the blacklist file. But I could not find anything. Does anyone have an explanation for this and how to turn it off? Thanks, Brian Wells Merlin Internet Solutions -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031210/6668457c/attachment.html From Antony at SOFT-SOLUTIONS.CO.UK Wed Dec 10 23:30:41 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:21:30 2006 Subject: Blacklist file changes getting removed by something In-Reply-To: <076001c3bef8$cb44dac0$d700600a@merlintest.net> References: <076001c3bef8$cb44dac0$d700600a@merlintest.net> Message-ID: <200312102330.41858.Antony@Soft-Solutions.co.uk> On Wednesday 10 December 2003 8:37 am, Brian Wells wrote: > Hi, > > Much to my annoyance, I noticed after I had entered by hand a bunch of > hosts to my blacklist file, that my changes had been removed and a new > blacklist file was in place. Looking at the timestamp on the file, it is > getting replaced once an hour. > > I searched quite a bit for an explanation for this behaviour. Something > like the auto whitelist feature except for the blacklist file. But I could > not find anything. Does anyone have an explanation for this and how to > turn it off? Does the timestamp on the file coincide with any cron jobs you have running? Antony -- Software development can be quick, high quality, or low cost. The customer gets to pick any two out of three. Please reply to the list; please don't CC me. From john at TRADOC.FR Thu Dec 11 08:04:24 2003 
From: john at TRADOC.FR (John Wilcock) Date: Thu Jan 12 21:21:30 2006 Subject: Skipped; still being delivered - even in 4.25 In-Reply-To: <200312102017.55502.jacques@monaco.net> References: <200312102017.55502.jacques@monaco.net> Message-ID: On Wed, 10 Dec 2003 20:17:55 +0100, Jacques Caruso wrote: > Yes, indeed : apparently, it's the old « MailScanner picks mail in the > wrong queue » bug that persists (have a look at my last message at > ). I don't see MS dying as described in that message. I simply (very occasionally) get duplicate mails - usually one with a body and one without, though I have seen cases where both copies have a body - during otherwise normal MS operation. The dupes correspond to a postfix "Skipped, still being delivered" message in the logs. John. -- -- Over 2000 webcams from ski resorts around the world - www.snoweye.com -- Translate your technical documents and web pages - www.tradoc.fr From harryh at CET.COM Thu Dec 11 10:36:12 2003 
From: harryh at CET.COM (Harry Hanson)
Date: Thu Jan 12 21:21:30 2006
Subject: Skipping queue run -- load average too high
In-Reply-To: <3FD6E2C6.1080902@solid-state-logic.com>
Message-ID: <200312111036.hBBAaifX031425@fili.jiscmail.ac.uk>

> hmm seems to be page faulting quite a bit, which is unusual
> for something relatively high CPU/memory wise.
>
> what checks have you got on SA and MS? Esp what checks are
> running for RBL's and pyzor?

During that time SA was disabled.

Most MS settings are default, as I felt it best to ask for advice from this
list before making any changes.

RBL's are not being used via mailscanner; they are rejected by sendmail, so
those that are listed don't even make it thru MA for processing.

> sendmail is saying the machine is too busy to process mail,
> hence the log messages..
>
> you say you've got the disk configured as RAID 0 (striping),
> is this hardware or software RAID (vinum?).

It is hardware raid.

> have you turned on softupdates on the filesystem containing
> the spool files - this can make a lot of difference as regards I/O.

I am unfamiliar with this.. How would I check?

> How have you split up the filesystems? single / or /, /usr,
> /home and /var?

Yes, /var is on different physical drives.

> Just wondering why you choose FreeBSD 5.1 as this is still
> considered 'unstable'? The current 'stable' release is 4.9.
> But my tests seem to indicate 5.x tree is much faster than 4.8...

Honestly, this was not my choice, but I figured since it was already there,
and most of what I read indicated it's quite stable, I decided to stick with
it and check it out.

> I run FreeBSD 4.8 with Exim 4.24 and MS 4.24 (no RBL's/pyzor)
> using Sophos-Savi and ClamAV with Mailwatch and the mysql DB
> all on the same machine - celeron 600mhz, single ATA1-100
> disk and a single / partition.
> runs 9,000 messages a day without breaking above 1.5 on load average.
load averages: 0.28, 0.27, 0.23 Yes, this seems unusual, which is why I am deferring to the mailing list members hoping someone has some useful insight :) > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > > ********************************************************************** > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. > > ********************************************************************** > From harryh at CET.COM Thu Dec 11 10:38:31 2003 From: harryh at CET.COM (Harry Hanson) Date: Thu Jan 12 21:21:30 2006 Subject: Skipping queue run -- load average too high In-Reply-To: <54C38A0B814C8E438EF73FC76F3629273132BF@mtlnt501fs.CAMOROUTE.COM> Message-ID: <200312111039.hBBAd0fX031682@fili.jiscmail.ac.uk> > You have to stop it with ctrl-c. To interpret the output, > see the manpage for vmstat. The first column I check is > usually the second one (b). And in your case, is seems ok, > because it is 0 or 1 (there is one or zero process waiting > for I/O). I don't have a freebsd box here, so I can't > interpret everything. Ahh.. Yes, I knew how to stop it, but wasn't quite understanding the output. Thanks :) From martinh at SOLID-STATE-LOGIC.COM Thu Dec 11 11:01:07 2003 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:21:30 2006 Subject: Skipping queue run -- load average too high In-Reply-To: <200312111036.hBBAaifX031425@fili.jiscmail.ac.uk> References: <200312111036.hBBAaifX031425@fili.jiscmail.ac.uk> Message-ID: <3FD84E73.9060605@solid-state-logic.com> Harry Hanson wrote: >>hmm seems to be page faulting quite a bit, which is unusual >>for something relatively high CPU/memory wise. >> >>what checks have you got on SA and MS? Esp what checks are >>running for RBL's and pyzor? > > > During that time SA was disabled. > > Most MS settings are default, as I felt it best to ask for advice from this > list before making any changes. > > RBL's are not being used via mailscanner; they are rejected by sendmail, so > those that are listed don't even make it thru MA for processing. > > >>sendmail is saying the machine is too busy to process mail, >>hence the log messages.. >> >>you say you've got the disk configured as RAID 0 (striping), >>is this hardware or software RAID (vinum?). > > > It is hardware raid. > > >>have you turned on softupdates on the filesystem containing >>the spool files - this can make alot of difference as regards I/O. > > > I am unfamiliar with this.. How would I check? > > >>How have you split up the filesystems? single / or /, /usr, >>/home and /var? > > > Yes, /var is on different physical drives. > > >>Just wondering why you choose FreeBSD 5.1 as this is still >>considered 'unstable'? The current 'stable' release is 4.9. >>But my tests seem to indicate 5.x tree is much faster than 4.8... > > > Honeslty, this was not my choice, but I figured since it was already there, > and most of what I read indicated it's quite stable, I decided to stick with > it and check it out. 
>
>
>>I run FreeBSD 4.8 with Exim 4.24 and MS 4.24 (no RBL's/pyzor)
>>using Sophos-Savi and ClamAV with Mailwatch and the mysql DB
>>all on the same machine - celeron 600mhz, single ATA1-100
>>disk and a single / partition.
>>runs 9,000 messages a day without breaking above 1.5 on load average.
>
>
> load averages: 0.28, 0.27, 0.23
>
> Yes, this seems unusual, which is why I am deferring to the mailing list
> members hoping someone has some useful insight :)
>

OK check out tunefs to turn on softupdates for the /var filesystem
(you'll need to unmount it first. so you're prob going have to drop to
single user mode..)

Would be interesting to see what iostat and vmstat report when run at
the same time. Also getting a dump from 'top' and netstat might help to
see what's occurring at the time things go awry.

the default for sendmail to stop accepting mail is when the load average
goes about 12 (and to queue at load avg above 8)..so perhaps sendmail is
getting the load average wrong??/

from the sendmail.cf - default FreeBSD 5.1...(/etc/mail/sendmail.cf)

# load average at which we just queue messages
#O QueueLA=8

# load average at which we refuse connections
#O RefuseLA=12

I'd check that these are still correct..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From michele at BLACKNIGHTSOLUTIONS.COM Thu Dec 11 11:14:23 2003
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:21:30 2006
Subject: Firewall woes - ports to be used
Message-ID:

After installing a new firewall we seem to have run into a number of
issues regarding required ports.
Can anybody help/advise?
We are using:
MailScanner
with SA, Razor, Pyzor, DCC and the RBLs (of course)

Thanks

M

Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9137101
Lowest price domains in Ireland

From Kevin.Spicer at BMRB.CO.UK Thu Dec 11 11:19:44 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:21:30 2006
Subject: Firewall woes - ports to be used
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016498FC@pascal.priv.bmrb.co.uk>

Michele Neylon :: Blacknight Solutions wrote:
> After installing a new firewall we seem to have run into a number of
> issues regarding required ports.
> Can anybody help/advise?
> We are using:
> MailScanner
> with SA, Razor, Pyzor, DCC and the RBLs (of course)
>

I _think_ this is in the FAQ

From Antony at SOFT-SOLUTIONS.CO.UK Thu Dec 11 11:26:57 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:21:30 2006
Subject: Firewall woes - ports to be used
In-Reply-To:
References:
Message-ID: <200312111126.57799.Antony@Soft-Solutions.co.uk>

On Thursday 11 December 2003 11:14 am, Michele Neylon :: Blacknight Solutions wrote:

> After installing a new firewall we seem to have run into a number of issues
> regarding required ports.
> Can anybody help/advise?
> We are using:
> MailScanner
> with SA, Razor, Pyzor, DCC and the RBLs (of course)

Presumably you mean that the firewall is blocking traffic because
appropriate rules haven't been added, and therefore some of the above are
not able to work?

If you can't easily find out what protocols/ports the above services use,
the best way to solve the problem is to put a Log rule at the end of your
firewall rules, just before the default Drop of all other packets (I'm
using netfilter terminology here, but the same principle applies to any
packet filtering firewall), and then look at what gets logged when one of
the services fails.

The log entry will tell you what protocol and port you need to add a rule
for, and once you've done that enough times that nothing gets logged, you
will be allowing exactly what you need to.

Regards,

Antony.

--
If the human brain were so simple that we could understand it,
we'd be so simple that we couldn't.

Please reply to the list;
please don't CC me.

From michele at BLACKNIGHTSOLUTIONS.COM Thu Dec 11 11:27:24 2003
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:21:30 2006
Subject: Firewall woes - ports to be used
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0016498FC@pascal.priv.bmrb.co.uk>
Message-ID:

I can't see any reference to it in the FAQ :(
Help!!

Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9137101
Lowest price domains in Ireland

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Spicer, Kevin
> Sent: 11 December 2003 11:20
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Firewall woes - ports to be used
>
>
> Michele Neylon :: Blacknight Solutions wrote:
> > After installing a new firewall we seem to have run into a number of
> > issues regarding required ports.
> > Can anybody help/advise?
> > We are using:
> > MailScanner
> > with SA, Razor, Pyzor, DCC and the RBLs (of course)
> >
>
> I _think_ this is in the FAQ
>

From prandal at HEREFORDSHIRE.GOV.UK Thu Dec 11 11:42:57 2003
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:21:30 2006
Subject: Firewall woes - ports to be used
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3CA@jessica.herefordshire.gov.uk>

Razor: 7/tcp and 2703/tcp

DCC: 6277/udp

pyzor: 24441/udp

Cheers,

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Michele Neylon :: Blacknight Solutions
> Sent: 11 December 2003 11:27
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Firewall woes - ports to be used
>
>
> I can't see any reference to it in the FAQ :(
> Help!!
>
> Mr. Michele Neylon
> Blacknight Internet Solutions Ltd
> http://www.blacknightsolutions.ie/
> http://www.search.ie/
> Tel. + 353 (0)59 9137101
> Lowest price domains in Ireland
>
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Spicer, Kevin > > Sent: 11 December 2003 11:20 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Firewall woes - ports to be used > > > > > > Michele Neylon :: Blacknight Solutions wrote: > > > After installing a new firewall we seem to have run into > a number of > > > issues regarding required ports. > > > Can anybody help/advise? > > > We are using: > > > MailScanner > > > with SA, Razor, Pyzor, DCC and the RBLs (of course) > > > > > > > I _think_ this is in the FAQ > > > From michele at BLACKNIGHTSOLUTIONS.COM Thu Dec 11 11:48:47 2003 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:21:30 2006 Subject: Firewall woes - ports to be used In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3CA@jessica.herefordshire.gov.uk> Message-ID: Thanks :) You may turn out to be my lifesaver! It's a managed firewall, so we do not have direct access to the configuration :( M Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Randal, Phil > Sent: 11 December 2003 11:43 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Firewall woes - ports to be used > > > Razor: 7/tcp and 2703/tcp > > DCC: 6277/udp > > pyzor: 24441/udp > > Cheers, > > Phil > > --------------------------------------------- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > > > -----Original Message----- 
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Michele Neylon :: Blacknight Solutions > > Sent: 11 December 2003 11:27 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Firewall woes - ports to be used > > > > > > I can't see any reference to it in the FAQ :( > > Help!! > > > > Mr. Michele Neylon > > Blacknight Internet Solutions Ltd > > http://www.blacknightsolutions.ie/ > > http://www.search.ie/ > > Tel. + 353 (0)59 9137101 > > Lowest price domains in Ireland > > > > > -----Original Message----- > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > Behalf Of Spicer, Kevin > > > Sent: 11 December 2003 11:20 > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Firewall woes - ports to be used > > > > > > > > > Michele Neylon :: Blacknight Solutions wrote: > > > > After installing a new firewall we seem to have run into > > a number of > > > > issues regarding required ports. > > > > Can anybody help/advise? > > > > We are using: > > > > MailScanner > > > > with SA, Razor, Pyzor, DCC and the RBLs (of course) > > > > > > > > > > I _think_ this is in the FAQ > > > > > > From Kevin.Spicer at BMRB.CO.UK Thu Dec 11 11:52:40 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:21:30 2006 Subject: Firewall woes - ports to be used Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016498FE@pascal.priv.bmrb.co.uk> Michele Neylon :: Blacknight Solutions wrote: > I can't see any reference to it in the FAQ :( > Help!! http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/125.html From dean.plant at ROKE.CO.UK Thu Dec 11 12:26:33 2003 From: dean.plant at ROKE.CO.UK (Plant, Dean) Date: Thu Jan 12 21:21:30 2006 Subject: Firewall woes - ports to be used Message-ID: FYI - the Razor ports are only required outbound. -----Original Message----- 
From: Randal, Phil [mailto:prandal@HEREFORDSHIRE.GOV.UK] Sent: 11 December 2003 11:43 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Firewall woes - ports to be used Razor: 7/tcp and 2703/tcp DCC: 6277/udp pyzor: 24441/udp Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Michele Neylon :: Blacknight Solutions > Sent: 11 December 2003 11:27 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Firewall woes - ports to be used > > > I can't see any reference to it in the FAQ :( > Help!! > > Mr. Michele Neylon > Blacknight Internet Solutions Ltd > http://www.blacknightsolutions.ie/ > http://www.search.ie/ > Tel. + 353 (0)59 9137101 > Lowest price domains in Ireland > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Spicer, Kevin > > Sent: 11 December 2003 11:20 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Firewall woes - ports to be used > > > > > > Michele Neylon :: Blacknight Solutions wrote: > > > After installing a new firewall we seem to have run into > a number of > > > issues regarding required ports. > > > Can anybody help/advise? > > > We are using: > > > MailScanner > > > with SA, Razor, Pyzor, DCC and the RBLs (of course) > > > > > > > I _think_ this is in the FAQ > > > -- Registered Office: Roke Manor Research Ltd, Siemens House, Oldbury, Bracknell, Berkshire. RG12 8FZ The information contained in this e-mail and any attachments is confidential to Roke Manor Research Ltd and must not be passed to any third party without permission. This communication is for information only and shall not create or change any contractual relationship. From Antony at SOFT-SOLUTIONS.CO.UK Thu Dec 11 12:29:48 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:21:30 2006 Subject: Firewall woes - ports to be used In-Reply-To: References: Message-ID: <200312111229.48130.Antony@Soft-Solutions.co.uk> On Thursday 11 December 2003 12:26 pm, Plant, Dean wrote: > FYI - the Razor ports are only required outbound. I should hope that is true of all of them!? (Assuming your firewall allows in reply packets - but none of the services should be initiated from outside....) Antony. > -----Original Message----- > From: Randal, Phil [mailto:prandal@HEREFORDSHIRE.GOV.UK] > Sent: 11 December 2003 11:43 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Firewall woes - ports to be used > > > Razor: 7/tcp and 2703/tcp > > DCC: 6277/udp > > pyzor: 24441/udp > > Cheers, > > Phil > > --------------------------------------------- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Michele Neylon :: Blacknight Solutions > > Sent: 11 December 2003 11:27 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Firewall woes - ports to be used > > > > > > I can't see any reference to it in the FAQ :( > > Help!! > > > > Mr. Michele Neylon > > Blacknight Internet Solutions Ltd > > http://www.blacknightsolutions.ie/ > > http://www.search.ie/ > > Tel. + 353 (0)59 9137101 > > Lowest price domains in Ireland > > > > > -----Original Message----- 
> > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> > > Behalf Of Spicer, Kevin
> > > Sent: 11 December 2003 11:20
> > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > Subject: Re: Firewall woes - ports to be used
> > >
> > > Michele Neylon :: Blacknight Solutions wrote:
> > > > After installing a new firewall we seem to have run into
> > > > a number of
> > > > issues regarding required ports.
> > > > Can anybody help/advise?
> > > > We are using:
> > > > MailScanner
> > > > with SA, Razor, Pyzor, DCC and the RBLs (of course)
> > >
> > > I _think_ this is in the FAQ

--
This email is intended for the use of the individual addressee(s) named
above and may contain information that is confidential, privileged or
unsuitable for overly sensitive persons with low self-esteem, no sense of
humour, or irrational religious beliefs.

If you have received this email in error, you are required to shred it
immediately, add some nutmeg, three egg whites and a dessertspoonful of
caster sugar. Whisk until soft peaks form, then place in a warm oven for
40 minutes. Remove promptly and let stand for 2 hours before adding some
decorative kiwi fruit and cream. Then notify me immediately by return
email and eat the original message.

Please reply to the list;
please don't CC me.

From Q.G.Campbell at NEWCASTLE.AC.UK Thu Dec 11 12:44:17 2003
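The approach Antony Stone describes in the firewall thread above (log whatever reaches the end of the rule set, then read the protocol and port off each entry), worked through as an added example that is not part of the original messages. It assumes netfilter LOG-format lines; the log prefix, the addresses, the mail host 192.0.2.25 and all function names are constructed for illustration, and the service ports are the ones Phil Randal lists.

```python
import re
from collections import Counter

# Ports as listed in the thread; each is a connection the mail host starts.
KNOWN_SERVICES = {
    ("tcp", 7): "Razor",
    ("tcp", 2703): "Razor",
    ("udp", 6277): "DCC",
    ("udp", 24441): "pyzor",
}

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample: what a LOG rule placed just before the final DROP
# might record over time (assumed format: netfilter LOG, prefix "FW-LOG:").
SAMPLE_LOG = """\
Dec 11 11:30:01 fw kernel: FW-LOG: IN=eth1 OUT=eth0 SRC=192.0.2.25 DST=198.51.100.10 LEN=60 TTL=63 ID=4711 DF PROTO=TCP SPT=34567 DPT=2703 WINDOW=5840 SYN URGP=0
Dec 11 11:30:04 fw kernel: FW-LOG: IN=eth1 OUT=eth0 SRC=192.0.2.25 DST=198.51.100.10 LEN=60 TTL=63 ID=4712 DF PROTO=TCP SPT=34567 DPT=2703 WINDOW=5840 SYN URGP=0
Dec 11 11:30:09 fw kernel: FW-LOG: IN=eth1 OUT=eth0 SRC=192.0.2.25 DST=198.51.100.10 LEN=60 TTL=63 ID=4713 DF PROTO=TCP SPT=34570 DPT=7 WINDOW=5840 SYN URGP=0
Dec 11 11:31:12 fw kernel: FW-LOG: IN=eth1 OUT=eth0 SRC=192.0.2.25 DST=198.51.100.20 LEN=68 TTL=63 ID=0 DF PROTO=UDP SPT=34001 DPT=6277 LEN=48
Dec 11 11:32:40 fw kernel: FW-LOG: IN=eth1 OUT=eth0 SRC=192.0.2.25 DST=198.51.100.30 LEN=80 TTL=63 ID=0 DF PROTO=UDP SPT=34002 DPT=24441 LEN=60
Dec 11 11:33:05 fw kernel: FW-LOG: IN=eth1 OUT=eth0 SRC=192.0.2.25 DST=203.0.113.77 LEN=60 TTL=63 ID=4720 DF PROTO=TCP SPT=34580 DPT=6667 WINDOW=5840 SYN URGP=0
Dec 11 11:34:19 fw kernel: FW-LOG: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.0.2.25 LEN=48 TTL=110 ID=991 PROTO=TCP SPT=51000 DPT=445 WINDOW=16384 SYN URGP=0
Dec 11 12:05:44 fw kernel: FW-LOG: IN=eth0 OUT=eth1 SRC=198.51.100.20 DST=192.0.2.25 LEN=68 TTL=52 ID=0 PROTO=UDP SPT=6277 DPT=34001 LEN=48
Dec 11 12:06:00 fw kernel: FW-LOG: IN=eth1 OUT=eth0 SRC=192.0.2.25 DST=198.51.100.10 LEN=84 TTL=63 ID=0 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Dec 11 12:06:30 fw kernel: eth0: link up
""".splitlines()


def parse_log_line(line):
    """Return the KEY=value fields of one LOG line, or None if it is not one."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value)  # keep the first value if a key repeats
    if not all(k in fields for k in ("SRC", "DST", "PROTO")):
        return None
    return fields


def classify(fields, mail_host):
    """Return (direction, proto, service_port, service), or None to skip."""
    proto = fields["PROTO"].lower()
    if proto not in ("tcp", "udp") or "DPT" not in fields:
        return None  # ICMP and similar carry no port to write a rule for
    spt, dpt = int(fields.get("SPT", 0)), int(fields["DPT"])
    if fields["SRC"] == mail_host:
        service = KNOWN_SERVICES.get((proto, dpt), "UNKNOWN")
        return ("outbound", proto, dpt, service)
    if fields["DST"] == mail_host:
        if (proto, spt) in KNOWN_SERVICES:
            # Answer to a query the mail host sent: the firewall needs to
            # allow reply packets, not an inbound port opening.
            return ("reply", proto, spt, KNOWN_SERVICES[(proto, spt)])
        return ("inbound", proto, dpt, "UNKNOWN")
    return None


def summarise(lines, mail_host):
    """Count logged packets per (direction, proto, port, service)."""
    counts = Counter()
    for line in lines:
        fields = parse_log_line(line)
        key = classify(fields, mail_host) if fields else None
        if key:
            counts[key] += 1
    return counts


def rule_requests(counts):
    """Outbound rules to ask for: only services named in the thread."""
    wanted = sorted({(proto, port, svc) for (direction, proto, port, svc) in counts
                     if direction == "outbound" and svc != "UNKNOWN"})
    return [f"allow outbound {proto}/{port} from mail host ({svc})"
            for proto, port, svc in wanted]


def needs_review(counts):
    """Entries that must not be turned into rules without a closer look."""
    return sorted(k for k in counts if k[0] != "outbound" or k[3] == "UNKNOWN")


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG, "192.0.2.25")
    print("\n".join(rule_requests(result)))
    for entry in needs_review(result):
        print("review:", entry, "x", result[entry])
```

Logged traffic that is not one of the named services, or that arrives unsolicited, is listed for review rather than turned into a rule, so the loop of "log, add a rule, repeat" ends with only the outbound ports the thread identifies.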
From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell) Date: Thu Jan 12 21:21:30 2006 Subject: Unexpected whitelisting behaviour Message-ID: <74BC2BBF06470148911E64E2B48FE13964C5F9@pinewood.ncl.ac.uk> A colleague here sent me a message from the Dilbert website. It was a message containing a link to a cartoon I might enjoy. The message itself was unexceptional. However I noticed that the message headers did not contain the usual X-Newcastle-MailScanner-SpamScore: ss... header. This implies that the envelope sender domain/IP was whitelisted. Am I correct in this supposition? Both the message headers and the Sendmail logs show that the envelope sender address is "A.N.Other@ncl.ac.uk". Ignore the local part which I have changed and focus on the domain part which is one of our mail domains. The message clearly originated at the Dilbert web site as is evident from both the Sendmail logs and the message headers but the Dilbert site apparently allows the user to specify their own reply address and that it makes this address the envelope sender address. So far so good. Now here is the curious thing: I whitelist all mail originating at this site by IP address and NOT by domain. So I am perplexed as to how this message from an off-site IP address, but containing our domain in the envelope sender address, was apparently whitelisted when it was received by our mail relays. It should not have been whitelisted! I have got the user to repeat what she did and received a similar message showing the same behaviour via another one of our MX hosts. So it appears to be a consistent fault. I am running with MS 4.24-5 and Sendmail. Quentin --- PHONE: +44 191 222 8209 Information Systems and Services (ISS), University of Newcastle, Newcastle upon Tyne, FAX: +44 191 222 8765 United Kingdom, NE1 7RU. ------------------------------------------------------------------------ "Any opinion expressed above is mine. The University can get its own." 
From m.sapsed at BANGOR.AC.UK Thu Dec 11 12:48:16 2003 
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:21:30 2006 Subject: Internet Explorer URL Display problem References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> <6.0.1.1.2.20031210202408.027e59f8@imap.ecs.soton.ac.uk> <1587.24.83.44.30.1071089543.squirrel@www.fractalweb.com> <6.0.1.1.2.20031210211659.027caaf0@imap.ecs.soton.ac.uk> Message-ID: <3FD86790.3050407@bangor.ac.uk> Julian Field wrote: > At 20:52 10/12/2003, you wrote: >> Wouldn't this only mark the message as spam? Maybe I'm alone on this, but >> I think that this presents a far more serious threat than just spam. If >> someone opens the spam anyways and sees a message from their bank, >> requesting verification of online banking information, they might be >> tempted to follow the links AND complain to me that this important >> message >> from their bank was marked as spam. >> >> My thought is that this should fall under the same general area of the >> flowchart as the I-Frame exploits, if possible. I was thinking this but have added Julian's rules to my SA prefs for now anyway. "Owt's better than nowt!" springs to mind... > I don't want to do what SA already does very well, nor do I want to write > code that is part of the arms race, I've probably done too much of that > already. So I would prefer SA to do this. Maybe it is time to "plug" MCP > rather more, and do more testing of it. > > For docs on MCP, see > www.sng.ecs.soton.ac.uk/mailscanner/install/mcp I will have a look at this - Julian, have you got patches for SA 2.61 yet? (The page says to ask for patches for new versions of SA!! ;-) (Also, btw, there are still some references to TCP rather than MCP in that page.) Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From mailscanner at ecs.soton.ac.uk Thu Dec 11 13:47:51 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:30 2006 Subject: Unexpected whitelisting behaviour In-Reply-To: <74BC2BBF06470148911E64E2B48FE13964C5F9@pinewood.ncl.ac.uk> References: <74BC2BBF06470148911E64E2B48FE13964C5F9@pinewood.ncl.ac.uk> Message-ID: <6.0.1.1.2.20031211134709.03ab3fe0@imap.ecs.soton.ac.uk> At 12:44 11/12/2003, you wrote: >A colleague here sent me a message from the Dilbert website. It was a >message containing a link to a cartoon I might enjoy. The message itself >was unexceptional. > >However I noticed that the message headers did not contain the usual > > X-Newcastle-MailScanner-SpamScore: ss... That will only happen if MS thinks it is spam. >header. This implies that the envelope sender domain/IP was whitelisted. >Am I correct in this supposition? No. If it would have been spam, but was whitelisted, then it would say it was whitelisted. >Both the message headers and the Sendmail logs show that the envelope >sender address is "A.N.Other@ncl.ac.uk". Ignore the local part which I >have changed and focus on the domain part which is one of our mail >domains. > >The message clearly originated at the Dilbert web site as is evident >from both the Sendmail logs and the message headers but the Dilbert site >apparently allows the user to specify their own reply address and that >it makes this address the envelope sender address. So far so good. > >Now here is the curious thing: I whitelist all mail originating at this >site by IP address and NOT by domain. So I am perplexed as to how this >message from an off-site IP address, but containing our domain in the >envelope sender address, was apparently whitelisted when it was received >by our mail relays. It should not have been whitelisted! > >I have got the user to repeat what she did and received a similar >message showing the same behaviour via another one of our MX hosts. So >it appears to be a consistent fault. I am running with MS 4.24-5 and >Sendmail. 
> >Quentin >--- >PHONE: +44 191 222 8209 Information Systems and Services (ISS), > University of Newcastle, > Newcastle upon Tyne, >FAX: +44 191 222 8765 United Kingdom, NE1 7RU. >------------------------------------------------------------------------ >"Any opinion expressed above is mine. The University can get its own." -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Dec 11 13:49:37 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:30 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <3FD86790.3050407@bangor.ac.uk> References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> <6.0.1.1.2.20031210202408.027e59f8@imap.ecs.soton.ac.uk> <1587.24.83.44.30.1071089543.squirrel@www.fractalweb.com> <6.0.1.1.2.20031210211659.027caaf0@imap.ecs.soton.ac.uk> <3FD86790.3050407@bangor.ac.uk> Message-ID: <6.0.1.1.2.20031211134806.083f6ec0@imap.ecs.soton.ac.uk> At 12:48 11/12/2003, you wrote: >Julian Field wrote: >>At 20:52 10/12/2003, you wrote: >>>Wouldn't this only mark the message as spam? Maybe I'm alone on this, but >>>I think that this presents a far more serious threat than just spam. If >>>someone opens the spam anyways and sees a message from their bank, >>>requesting verification of online banking information, they might be >>>tempted to follow the links AND complain to me that this important >>>message >>>from their bank was marked as spam. >>> >>>My thought is that this should fall under the same general area of the >>>flowchart as the I-Frame exploits, if possible. > >I was thinking this but have added Julian's rules to my SA prefs for now >anyway. "Owt's better than nowt!" springs to mind... What I have done is set the score of the rule to 100, set my high scoring threshold to 100, and set the high scoring spam actions to "delete". That way the users never knew they were going to get it. >>I don't want to do what SA already does very well, nor do I want to write >>code that is part of the arms race, I've probably done too much of that >>already. So I would prefer SA to do this. Maybe it is time to "plug" MCP >>rather more, and do more testing of it. >> >>For docs on MCP, see >>www.sng.ecs.soton.ac.uk/mailscanner/install/mcp > >I will have a look at this - Julian, have you got patches for SA 2.61 >yet? 
(The page says to ask for patches for new versions of SA!! ;-) Not yet, but will do that this afternoon (nearly end of term here so actually have my head above water for once!). >(Also, btw, there are still some references to TCP rather than MCP in >that page.) Will take a look. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Dec 11 14:04:07 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:30 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <6.0.1.1.2.20031211134806.083f6ec0@imap.ecs.soton.ac.uk> References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> <6.0.1.1.2.20031210202408.027e59f8@imap.ecs.soton.ac.uk> <1587.24.83.44.30.1071089543.squirrel@www.fractalweb.com> <6.0.1.1.2.20031210211659.027caaf0@imap.ecs.soton.ac.uk> <3FD86790.3050407@bangor.ac.uk> <6.0.1.1.2.20031211134806.083f6ec0@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20031211140338.08c99568@imap.ecs.soton.ac.uk> At 13:49 11/12/2003, you wrote: >>>I don't want to do what SA already does very well, nor do I want to write >>>code that is part of the arms race, I've probably done too much of that >>>already. So I would prefer SA to do this. Maybe it is time to "plug" MCP >>>rather more, and do more testing of it. >>> >>>For docs on MCP, see >>>www.sng.ecs.soton.ac.uk/mailscanner/install/mcp >> >>I will have a look at this - Julian, have you got patches for SA 2.61 >>yet? (The page says to ask for patches for new versions of SA!! ;-) > >Not yet, but will do that this afternoon (nearly end of term here so >actually have my head above water for once!). They are there now. >>(Also, btw, there are still some references to TCP rather than MCP in >>that page.) > >Will take a look. Fixed. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From t.d.lee at DURHAM.AC.UK Thu Dec 11 14:22:12 2003 
From: t.d.lee at DURHAM.AC.UK (David Lee)
Date: Thu Jan 12 21:21:30 2006
Subject: Internet Explorer URL Display problem
In-Reply-To: <6.0.1.1.2.20031211134806.083f6ec0@imap.ecs.soton.ac.uk>
References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> <6.0.1.1.2.20031210202408.027e59f8@imap.ecs.soton.ac.uk> <1587.24.83.44.30.1071089543.squirrel@www.fractalweb.com> <6.0.1.1.2.20031210211659.027caaf0@imap.ecs.soton.ac.uk> <3FD86790.3050407@bangor.ac.uk> <6.0.1.1.2.20031211134806.083f6ec0@imap.ecs.soton.ac.uk>
Message-ID:

On Thu, 11 Dec 2003, Julian Field wrote:

> What I have done is set the score of the rule to 100, set my high scoring
> threshold to 100, and set the high scoring spam actions to "delete". That
> way the users never knew they were going to get it.

Julian: There was a massive overnight discussion about what the "rule"
should be, and I must confess to not having absorbed every last detail or
two (or three or four... thousand).

Could you summarise the consensus SA rule etc., please? Thanks.

> >I will have a look at this - Julian, have you got patches for SA 2.61
> >yet? (The page says to ask for patches for new versions of SA!! ;-)
>
> Not yet, but will do that this afternoon (nearly end of term here so
> actually have my head above water for once!).

Julian: Could you get the SA folk to include your patches in their
distributions? This is similar to an earlier discussion about MIME::Tools.
MS is a great product, but this business of its requiring patches, over
extended time periods, to other software can trip people up, and put them
off, at the first hurdle (however understandable (or at least manageable)
it might become to us n'th hurdle geeks). (Get back to me about the
MIME::Tools one if you want to discuss it further.)

Incidentally, we've been running the new SA 2.61 in full production for
just over a day and it seems fine. (Hmmm, that's tempting fate...)
Hope that helps. -- : David Lee I.T. Service : : Systems Programmer Computer Centre : : University of Durham : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham : : Phone: +44 191 334 2752 U.K. : From Q.G.Campbell at NEWCASTLE.AC.UK Thu Dec 11 14:34:23 2003 From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell) Date: Thu Jan 12 21:21:30 2006 Subject: Unexpected whitelisting behaviour Message-ID: <74BC2BBF06470148911E64E2B48FE13964C616@pinewood.ncl.ac.uk> >-----Original Message----- >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: 11 December 2003 13:48 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Unexpected whitelisting behaviour > I said that: >>However I noticed that the message headers did not contain the usual >> >> X-Newcastle-MailScanner-SpamScore: ss... > and Julian replied: That will only happen if MS thinks it is spam. ------------------------------------------------ Julian At the cost of sounding a little dense could I ask you to please explain what you mean by that statement? Surely MS only thinks a message is "spam" if the spam score exceeds the SA threshold, currently 5.0 at this site, or the sender is in one of the RBL sites specified in the MS config file? Why, then, do I see most messages that have a spam score less than 5 (ie. Not spam) showing a "X-Newcastle-MailScanner-SpamScore:" header with 1 to 4 "s" characters? Are you saying that the message in question must have had a spam score less than or equal to zero or less than the -2.0 used by the Bayes auto-learn as the "ham" threshold? Quentin --- PHONE: +44 191 222 8209 Information Systems and Services (ISS), University of Newcastle, Newcastle upon Tyne, FAX: +44 191 222 8765 United Kingdom, NE1 7RU. ------------------------------------------------------------------------ "Any opinion expressed above is mine. The University can get its own." From RKearney at AZERTY.COM Thu Dec 11 14:40:56 2003 
From: RKearney at AZERTY.COM (Kearney, Rob) Date: Thu Jan 12 21:21:30 2006 Subject: Firewall woes - ports to be used Message-ID: <210DF55DED65B547896F728FB057F3B2019C4A59@seaver.ussco.com> Also, Pyzor discover requires port 80 for HTTP traffic. -rob -----Original Message----- From: Randal, Phil [mailto:prandal@HEREFORDSHIRE.GOV.UK] Sent: Thursday, December 11, 2003 6:43 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Firewall woes - ports to be used Razor: 7/tcp and 2703/tcp DCC: 6277/udp pyzor: 24441/udp Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Michele Neylon :: Blacknight Solutions > Sent: 11 December 2003 11:27 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Firewall woes - ports to be used > > > I can't see any reference to it in the FAQ :( > Help!! > > Mr. Michele Neylon > Blacknight Internet Solutions Ltd > http://www.blacknightsolutions.ie/ > http://www.search.ie/ > Tel. + 353 (0)59 9137101 > Lowest price domains in Ireland > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Spicer, Kevin > > Sent: 11 December 2003 11:20 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Firewall woes - ports to be used > > > > > > Michele Neylon :: Blacknight Solutions wrote: > > > After installing a new firewall we seem to have run into > a number of > > > issues regarding required ports. > > > Can anybody help/advise? > > > We are using: > > > MailScanner > > > with SA, Razor, Pyzor, DCC and the RBLs (of course) > > > > > > > I _think_ this is in the FAQ > > > From michele at BLACKNIGHTSOLUTIONS.COM Thu Dec 11 14:50:05 2003 
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:21:30 2006 Subject: Firewall woes - ports to be used In-Reply-To: <210DF55DED65B547896F728FB057F3B2019C4A59@seaver.ussco.com> Message-ID: Port 80 is fine (thankfully!) Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Kearney, Rob > Sent: 11 December 2003 14:41 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Firewall woes - ports to be used > > > Also, > > Pyzor discover requires port 80 for HTTP traffic. > > -rob > > -----Original Message----- > From: Randal, Phil [mailto:prandal@HEREFORDSHIRE.GOV.UK] > Sent: Thursday, December 11, 2003 6:43 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Firewall woes - ports to be used > > > Razor: 7/tcp and 2703/tcp > > DCC: 6277/udp > > pyzor: 24441/udp > > Cheers, > > Phil > > --------------------------------------------- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Michele Neylon :: Blacknight Solutions > > Sent: 11 December 2003 11:27 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Firewall woes - ports to be used > > > > > > I can't see any reference to it in the FAQ :( > > Help!! > > > > Mr. Michele Neylon > > Blacknight Internet Solutions Ltd > > http://www.blacknightsolutions.ie/ > > http://www.search.ie/ > > Tel. + 353 (0)59 9137101 > > Lowest price domains in Ireland > > > > > -----Original Message----- 
> > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > Behalf Of Spicer, Kevin > > > Sent: 11 December 2003 11:20 > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Firewall woes - ports to be used > > > > > > > > > Michele Neylon :: Blacknight Solutions wrote: > > > > After installing a new firewall we seem to have run into > > a number of > > > > issues regarding required ports. > > > > Can anybody help/advise? > > > > We are using: > > > > MailScanner > > > > with SA, Razor, Pyzor, DCC and the RBLs (of course) > > > > > > > > > > I _think_ this is in the FAQ > > > > > > From mailscanner at ecs.soton.ac.uk Thu Dec 11 14:59:17 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:30 2006 Subject: Internet Explorer URL Display problem In-Reply-To: References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> <6.0.1.1.2.20031210202408.027e59f8@imap.ecs.soton.ac.uk> <1587.24.83.44.30.1071089543.squirrel@www.fractalweb.com> <6.0.1.1.2.20031210211659.027caaf0@imap.ecs.soton.ac.uk> <3FD86790.3050407@bangor.ac.uk> <6.0.1.1.2.20031211134806.083f6ec0@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20031211145853.038059c8@imap.ecs.soton.ac.uk> At 14:22 11/12/2003, you wrote: >On Thu, 11 Dec 2003, Julian Field wrote: > > > What I have done is set the score of the rule to 100, set my high scoring > > threshold to 100, and set the high scoring spam actions to "delete". That > > way the users never knew they were going to get it. > >Julian: There was a massive overnight discussion about what the "rule" >should be, and I must confess to not having absorbed every last detail or >two (or three or four... thousand). > >Could you summarise the consensus SA rule etc., please? Thanks. # JKF 11/12/2003 # This next rule provides some protection against the latest IE vulnerability uri IE_VULN /%01.*@/ score IE_VULN 100.0 describe IE_VULN Internet Explorer vulnerability > > >I will have a look at this - Julian, have you got patches for SA 2.61 > > >yet? (The page says to ask for patches for new versions of SA!! ;-) > > > > Not yet, but will do that this afternoon (nearly end of term here so > > actually have my head above water for once!). > >Julian: Could you get the SA folk to include your patches in their >distributions? I've tried before, to no avail. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Dec 11 15:04:21 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:30 2006 Subject: Unexpected whitelisting behaviour In-Reply-To: <74BC2BBF06470148911E64E2B48FE13964C616@pinewood.ncl.ac.uk> References: <74BC2BBF06470148911E64E2B48FE13964C616@pinewood.ncl.ac.uk> Message-ID: <6.0.1.1.2.20031211150008.08ceb858@imap.ecs.soton.ac.uk> At 14:34 11/12/2003, you wrote: > >-----Original Message----- > >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > >Sent: 11 December 2003 13:48 > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: Unexpected whitelisting behaviour > > > >I said that: > > >>However I noticed that the message headers did not contain the usual > >> > >> X-Newcastle-MailScanner-SpamScore: ss... > > >and Julian replied: > >That will only happen if MS thinks it is spam. > >------------------------------------------------ > >Julian > >At the cost of sounding a little dense could I ask you to please explain >what you mean by that statement? Surely MS only thinks a message is >"spam" if the spam score exceeds the SA threshold, currently 5.0 at this >site, or the sender is in one of the RBL sites specified in the MS >config file? > >Why, then, do I see most messages that have a spam score less than 5 >(ie. Not spam) showing a "X-Newcastle-MailScanner-SpamScore:" header >with 1 to 4 "s" characters? Sounds like I must be talking rubbish then. This week, that really wouldn't surprise me. From the code, it looks like it adds the "SpamScore" header if the score > 0. However, the main Spam Header (SpamCheck) is only added if it is actually spam, or would be spam if it wasn't whitelisted (I think). Too much oxycodone ==> fried brain :-) -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From campbell at CNPAPERS.COM Thu Dec 11 15:27:08 2003 
From: campbell at CNPAPERS.COM (Stephe Campbell) Date: Thu Jan 12 21:21:30 2006 Subject: Patches for SA 2.61 References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> <6.0.1.1.2.20031210202408.027e59f8@imap.ecs.soton.ac.uk> <1587.24.83.44.30.1071089543.squirrel@www.fractalweb.com> <6.0.1.1.2.20031210211659.027caaf0@imap.ecs.soton.ac.uk> <3FD86790.3050407@bangor.ac.uk> <6.0.1.1.2.20031211134806.083f6ec0@imap.ecs.soton.ac.uk> <6.0.1.1.2.20031211140338.08c99568@imap.ecs.soton.ac.uk> Message-ID: <000f01c3bffb$3d848f60$2b01a8c0@cnpapers.net> I have looked around and can find no references of any page suggesting patches. Can someone point me to the SA or MS "page" and "where" they are now? >>>I will have a look at this - Julian, have you got patches for SA 2.61 >>>yet? (The page says to ask for patches for new versions of SA!! ;-) >> >>Not yet, but will do that this afternoon (nearly end of term here so >>actually have my head above water for once!). > >They are there now. Thanks, Steve Campbell campbell@cnpapers.com Charleston Newspapers From mailscanner at ecs.soton.ac.uk Thu Dec 11 15:27:20 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:30 2006 Subject: Patches for SA 2.61 In-Reply-To: <000f01c3bffb$3d848f60$2b01a8c0@cnpapers.net> References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> <6.0.1.1.2.20031210202408.027e59f8@imap.ecs.soton.ac.uk> <1587.24.83.44.30.1071089543.squirrel@www.fractalweb.com> <6.0.1.1.2.20031210211659.027caaf0@imap.ecs.soton.ac.uk> <3FD86790.3050407@bangor.ac.uk> <6.0.1.1.2.20031211134806.083f6ec0@imap.ecs.soton.ac.uk> <6.0.1.1.2.20031211140338.08c99568@imap.ecs.soton.ac.uk> <000f01c3bffb$3d848f60$2b01a8c0@cnpapers.net> Message-ID: <6.0.1.1.2.20031211152713.08c5ace0@imap.ecs.soton.ac.uk> At 15:27 11/12/2003, you wrote: >I have looked around and can find no references of any page suggesting patches. >Can someone point me to the SA or MS "page" and "where" they are now? http://www.sng.ecs.soton.ac.uk/mailscanner/install/mcp/ -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Dec 11 15:34:17 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:31 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3CC@jessica.herefords hire.gov.uk> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3CC@jessica.herefordshire.gov.uk> Message-ID: <6.0.1.1.2.20031211153242.03716920@imap.ecs.soton.ac.uk> At 15:27 11/12/2003, you wrote: >%0[0-9] would be better (or something like that). %[01][0-9a-fA-F] instead of %01 perhaps? I would imagine that the guy who found this exploit tested other characters too and found them not to be vulnerable. So %01 is probably good enough. >Or, any obfuscated "unprintable" ASCII code which isn't legitimate. >I'd hazard a guess that anything other than %20 is dodgy, but I'm no expert. > >Phil > >--------------------------------------------- >Phil Randal >Network Engineer >Herefordshire Council >Hereford, UK > > > -----Original Message----- 
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Julian Field > > Sent: 11 December 2003 14:59 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Internet Explorer URL Display problem > > > > > > At 14:22 11/12/2003, you wrote: > > >On Thu, 11 Dec 2003, Julian Field wrote: > > > > > > > What I have done is set the score of the rule to 100, set > > my high scoring > > > > threshold to 100, and set the high scoring spam actions > > to "delete". That > > > > way the users never knew they were going to get it. > > > > > >Julian: There was a massive overnight discussion about what > > the "rule" > > >should be, and I must confess to not having absorbed every > > last detail or > > >two (or three or four... thousand). > > > > > >Could you summarise the consensus SA rule etc., please? Thanks. > > > > # JKF 11/12/2003 > > # This next rule provides some protection against the latest > > IE vulnerability > > uri IE_VULN /%01.*@/ > > score IE_VULN 100.0 > > describe IE_VULN Internet Explorer vulnerability > > > > > > >I will have a look at this - Julian, have you got > > patches for SA 2.61 > > > > >yet? (The page says to ask for patches for new versions > > of SA!! ;-) > > > > > > > > Not yet, but will do that this afternoon (nearly end of > > term here so > > > > actually have my head above water for once!). > > > > > >Julian: Could you get the SA folk to include your patches in their > > >distributions? > > > > I've tried before, to no avail. > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From Antony at SOFT-SOLUTIONS.CO.UK Thu Dec 11 15:42:25 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:21:31 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <6.0.1.1.2.20031211153242.03716920@imap.ecs.soton.ac.uk> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3CC@jessica.herefordshire.gov.uk> <6.0.1.1.2.20031211153242.03716920@imap.ecs.soton.ac.uk> Message-ID: <200312111542.26004.Antony@Soft-Solutions.co.uk> On Thursday 11 December 2003 3:34 pm, Julian Field wrote: > At 15:27 11/12/2003, you wrote: > >%0[0-9] would be better (or something like that). > > %[01][0-9a-fA-F] > instead of > %01 > perhaps? > > I would imagine that the guy who found this exploit tested other characters > too and found them not to be vulnerable. So %01 is probably good enough. The report at http://www.secunia.com/advisories/10395 mentions that %00 at least is also effective. Antony. -- If you want to be happy for an hour, get drunk. If you want to be happy for a year, get married. If you want to be happy for a lifetime, get a garden. Please reply to the list; please don't CC me. From nathan at TCPNETWORKS.NET Thu Dec 11 15:44:13 2003 
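The rule variants discussed in this thread, compared on a few URLs: an added example, not code from any poster or from MailScanner/SpamAssassin. It applies the posted pattern, the wider escape range suggested in a reply, and a check limited to the part of the URL before the "@" in the authority; the sample URLs, hosts and function names are constructed for illustration, and how SpamAssassin itself extracts or decodes URIs is not modelled.

```python
import re

# Rule posted in the thread, and the wider escape range suggested in a reply.
THREAD_RULE = re.compile(r"%01.*@")
WIDER_RULE = re.compile(r"%[01][0-9a-fA-F].*@")

# Percent-encoded control characters: %00-%1F, plus %7F (DEL).
CTRL_ESCAPE = re.compile(r"%(?:[01][0-9a-fA-F]|7[fF])")

# Simple extractor for http/https URLs in a message body (assumption:
# whitespace, quotes and angle brackets end a URL).
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample body; hosts use reserved example names and
# documentation address ranges.
SAMPLE_BODY = """\
link 1: http://www.site.example%01@203.0.113.7/page
link 2: http://www.site.example%00@203.0.113.7/page
link 3: http://www.site.example%1f@198.51.100.9/
link 4: http://user:pw@files.example/pub
link 5: http://news.example/a%0Ab?reply=list@news.example
"""


def split_authority(url):
    """Return (userinfo, host); userinfo is None when the authority has no '@'."""
    rest = url.split("://", 1)[1]
    # The authority ends at the first '/', '?' or '#'.
    authority = re.split(r"[/?#]", rest, maxsplit=1)[0]
    if "@" not in authority:
        return None, authority
    userinfo, host = authority.rsplit("@", 1)
    return userinfo, host


def classify(url):
    """Report which of the three checks fire for one URL."""
    userinfo, host = split_authority(url)
    return {
        "url": url,
        "host": host,  # where the request would actually go
        "thread_rule": bool(THREAD_RULE.search(url)),
        "wider_rule": bool(WIDER_RULE.search(url)),
        # Only flag a control escape that sits in front of the '@' in the
        # authority, not one elsewhere in the path or query.
        "userinfo_check": userinfo is not None
        and bool(CTRL_ESCAPE.search(userinfo)),
    }


def scan(text):
    """Classify every URL found in a message body."""
    return [classify(url) for url in URL_RE.findall(text)]


if __name__ == "__main__":
    for row in scan(SAMPLE_BODY):
        print(row)
```

On this sample the posted pattern misses the %00 and %1f forms, while the wider pattern also fires on link 5, where the escape and the "@" are both in the path and query rather than in front of the host.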
From: nathan at TCPNETWORKS.NET (Nathan Johanson) Date: Thu Jan 12 21:21:31 2006 Subject: Updating HTML::Parser and ExtUtils::MakeMaker Message-ID: Hello all, I'm in the process of building a new system around MailScanner, installing Razor, DCC, SpamAssassin, MailScanner, etc. and all of the appropriate perl modules. I started off by installing MailScanner using the install script to make sure I get all of the appropriate perl modules and patches. The system is fully functional, but I noticed that the SpamAssassin 2.6x documentation recommends HTML::Parser > 3.29 and ExtUtils::MakeMaker > 6.16. To satisfy this recommendation, I used CPAN to update these modules to versions 3.34 and 6.21 respectively. Things still appear to work fine, but I have a few questions after the fact: * I'm assuming MailScanner doesn't have compatibility problems with the latest versions of these modules? HTML::Parser 3.26 is included with MailScanner and ExtUtils::MakeMaker was updated to version 6.05 during the install process. Obviously, I'm a few iterations beyond these versions and wanted to make sure I'm not introducing any potential issues. * After updating, I remembered that HTML::Parser was installed via rpm. I did not remove this rpm before updating the module. Will this cause any problems? Nathan From mailscanner at ecs.soton.ac.uk Thu Dec 11 21:27:15 2003 From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk) Date: Thu Jan 12 21:21:31 2006 Subject: NOTIFY-New Guestbook Entry Message-ID: <200312112127.hBBLRFls012870@seer.ecs.soton.ac.uk> New Guestbook-Entry from Ken This is really a fantastic product when used in conjunction with spamassassin. Extremely easy to configure and highly customizable with tons of options. Keep up the good work From prandal at HEREFORDSHIRE.GOV.UK Thu Dec 11 15:27:45 2003 
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:21:31 2006 Subject: Internet Explorer URL Display problem Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3CC@jessica.herefordshire.gov.uk> %0[0-9] would be better (or something like that). Or, any obfuscated "unprintable" ASCII code which isn't legitimate. I'd hazard a guess that anything other than %20 is dodgy, but I'm no expert. Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: 11 December 2003 14:59 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Internet Explorer URL Display problem > > > At 14:22 11/12/2003, you wrote: > >On Thu, 11 Dec 2003, Julian Field wrote: > > > > > What I have done is set the score of the rule to 100, set > my high scoring > > > threshold to 100, and set the high scoring spam actions > to "delete". That > > > way the users never knew they were going to get it. > > > >Julian: There was a massive overnight discussion about what > the "rule" > >should be, and I must confess to not having absorbed every > last detail or > >two (or three or four... thousand). > > > >Could you summarise the consensus SA rule etc., please? Thanks. > > # JKF 11/12/2003 > # This next rule provides some protection against the latest > IE vulnerability > uri IE_VULN /%01.*@/ > score IE_VULN 100.0 > describe IE_VULN Internet Explorer vulnerability > > > > >I will have a look at this - Julian, have you got > patches for SA 2.61 > > > >yet? (The page says to ask for patches for new versions > of SA!! ;-) > > > > > > Not yet, but will do that this afternoon (nearly end of > term here so > > > actually have my head above water for once!). > > > >Julian: Could you get the SA folk to include your patches in their > >distributions? > > I've tried before, to no avail. > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From dean.plant at ROKE.CO.UK Thu Dec 11 17:00:11 2003 
From: dean.plant at ROKE.CO.UK (Plant, Dean) Date: Thu Jan 12 21:21:31 2006 Subject: Firewall woes - ports to be used Message-ID: The information from the Spamassassin docs (below) show two rules, is only the outbound rule required? Also note that DCC requires that you open your firewall for DCC reply packets on UDP port 6277. DCC uses UDP packets when replying, which are blocked by most firewalls by default. As a result, it requires that you open your firewall for DCC reply packets on UDP port 6277. Here's sample firewall rules required: allow udp local gt 1023 to remote 6277 allow udp remote 6277 to local gt 1023 -----Original Message----- From: Antony Stone [mailto:Antony@SOFT-SOLUTIONS.CO.UK] Sent: 11 December 2003 12:30 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Firewall woes - ports to be used On Thursday 11 December 2003 12:26 pm, Plant, Dean wrote: > FYI - the Razor ports are only required outbound. I should hope that is true of all of them!? (Assuming your firewall allows in reply packets - but none of the services should be initiated from outside....) Antony. > -----Original Message----- > From: Randal, Phil [mailto:prandal@HEREFORDSHIRE.GOV.UK] > Sent: 11 December 2003 11:43 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Firewall woes - ports to be used > > > Razor: 7/tcp and 2703/tcp > > DCC: 6277/udp > > pyzor: 24441/udp > > Cheers, > > Phil > > --------------------------------------------- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > > > -----Original Message----- 
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Michele Neylon :: Blacknight Solutions > > Sent: 11 December 2003 11:27 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Firewall woes - ports to be used > > > > > > I can't see any reference to it in the FAQ :( > > Help!! > > > > Mr. Michele Neylon > > Blacknight Internet Solutions Ltd > > http://www.blacknightsolutions.ie/ > > http://www.search.ie/ > > Tel. + 353 (0)59 9137101 > > Lowest price domains in Ireland > > > > > -----Original Message----- 
> > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > Behalf Of Spicer, Kevin > > > Sent: 11 December 2003 11:20 > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Firewall woes - ports to be used > > > > > > Michele Neylon :: Blacknight Solutions wrote: > > > > After installing a new firewall we seem to have run into > > > > a number of > > > > > > issues regarding required ports. > > > > Can anybody help/advise? > > > > We are using: > > > > MailScanner > > > > with SA, Razor, Pyzor, DCC and the RBLs (of course) > > > > > > I _think_ this is in the FAQ -- This email is intended for the use of the individual addressee(s) named above and may contain information that is confidential, privileged or unsuitable for overly sensitive persons with low self-esteem, no sense of humour, or irrational religious beliefs. If you have received this email in error, you are required to shred it immediately, add some nutmeg, three egg whites and a dessertspoonful of caster sugar. Whisk until soft peaks form, then place in a warm oven for 40 minutes. Remove promptly and let stand for 2 hours before adding some decorative kiwi fruit and cream. Then notify me immediately by return email and eat the original message. Please reply to the list; please don't CC me. -- Registered Office: Roke Manor Research Ltd, Siemens House, Oldbury, Bracknell, Berkshire. RG12 8FZ The information contained in this e-mail and any attachments is confidential to Roke Manor Research Ltd and must not be passed to any third party without permission. This communication is for information only and shall not create or change any contractual relationship. From Antony at SOFT-SOLUTIONS.CO.UK Thu Dec 11 17:43:21 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:21:31 2006 Subject: Firewall woes - ports to be used In-Reply-To: References: Message-ID: <200312111743.21870.Antony@Soft-Solutions.co.uk> On Thursday 11 December 2003 5:00 pm, Plant, Dean wrote: > The information from the Spamassassin docs (below) show two rules, is only > the outbound rule required? Depends whether your firewall is stateful or not (ie: whether it can allow "reply packets" without needing to be told explicitly what those are going to be). In the Linux world, if you're using the old ipchains, you need two rules per service, one for the outbound requests, and one for the inbound replies. If you're using the new iptables, you need one rule for the outbound request, and a single generic rule allowing reply packets (in response to anything going out of the firewall), which is not specific to DCC, Razor, Pyzor, or whatever. Stateful (iptables) is more secure, because it does not allow packets in from remote servers to high ports on local machines unless they are replies to something you were happy to allow out in the first place. Stateless (ipchains) will allow external systems more opportunity to port scan your network, and possibly even access some services, depending on what port numbers you're running them on (eg Squid on 3128 falls into the high range). Stateful is also simpler, because you need N+1 rules to support N services. Stateless requires 2N rules. If you want more detail on this I can recommend the netfilter mailing list - about as busy as this one and almost as friendly :) Antony. > Also note that DCC requires that you open your firewall for DCC reply > packets on UDP port 6277. DCC uses UDP packets when replying, which > are blocked by most firewalls by default. As a result, it requires > that you open your firewall for DCC reply packets on UDP port 6277. 
> Here's sample firewall rules required: > > allow udp local gt 1023 to remote 6277 > allow udp remote 6277 to local gt 1023 > > > -----Original Message----- > From: Antony Stone [mailto:Antony@SOFT-SOLUTIONS.CO.UK] > Sent: 11 December 2003 12:30 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Firewall woes - ports to be used > > On Thursday 11 December 2003 12:26 pm, Plant, Dean wrote: > > FYI - the Razor ports are only required outbound. > > I should hope that is true of all of them!? > > (Assuming your firewall allows in reply packets - but none of the services > should be initiated from outside....) > > Antony. > > > -----Original Message----- > > From: Randal, Phil [mailto:prandal@HEREFORDSHIRE.GOV.UK] > > Sent: 11 December 2003 11:43 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Firewall woes - ports to be used > > > > > > Razor: 7/tcp and 2703/tcp > > > > DCC: 6277/udp > > > > pyzor: 24441/udp > > > > Cheers, > > > > Phil > > > > --------------------------------------------- > > Phil Randal > > Network Engineer > > Herefordshire Council > > Hereford, UK > > > > > -----Original Message----- > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > Behalf Of Michele Neylon :: Blacknight Solutions > > > Sent: 11 December 2003 11:27 > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Firewall woes - ports to be used > > > > > > > > > I can't see any reference to it in the FAQ :( > > > Help!! > > > > > > Mr. Michele Neylon > > > Blacknight Internet Solutions Ltd > > > http://www.blacknightsolutions.ie/ > > > http://www.search.ie/ > > > Tel. + 353 (0)59 9137101 > > > Lowest price domains in Ireland > > > > > > > -----Original Message----- 
> > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > > Behalf Of Spicer, Kevin > > > > Sent: 11 December 2003 11:20 > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > Subject: Re: Firewall woes - ports to be used > > > > > > > > Michele Neylon :: Blacknight Solutions wrote: > > > > > After installing a new firewall we seem to have run into > > > > > > a number of > > > > > > > > issues regarding required ports. > > > > > Can anybody help/advise? > > > > > We are using: > > > > > MailScanner > > > > > with SA, Razor, Pyzor, DCC and the RBLs (of course) > > > > > > > > I _think_ this is in the FAQ -- Perfection in design is achieved not when there is nothing left to add, but rather when there is nothing left to take away. - Antoine de Saint-Exupery Please reply to the list; please don't CC me. From sysadmins at ENHTECH.COM Thu Dec 11 17:44:54 2003 From: sysadmins at ENHTECH.COM (Errol Neal) Date: Thu Jan 12 21:21:31 2006 Subject: barracudanetworks devices Message-ID: <6.0.0.22.0.20031211124451.02bb2e30@mail.enhtech.com> Anybody heard of these devices? http://www.barracudanetworks.com/products_key_features.php Dedicated 1u spam filtering devices? I wonder how they stack up to MailScanner. Errol Neal From Antony at SOFT-SOLUTIONS.CO.UK Thu Dec 11 17:56:01 2003 
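The stateless versus stateful point from the "Firewall woes" thread above, as a small packet-filter model: an added example, not code from any poster or from ipchains/iptables. It builds the two-rules-per-service set in the style of the quoted DCC sample rules and the one-rule-per-service-plus-reply-rule set, then runs the same constructed traffic through both; addresses, the class names and the simplified flow tracking (no timeouts, no TCP flags) are assumptions.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "direction proto src_ip src_port dst_ip dst_port")

# Outbound services and ports as listed in the thread:
# Razor 7/tcp and 2703/tcp, DCC 6277/udp, Pyzor 24441/udp.
SERVICES = [("tcp", 7), ("tcp", 2703), ("udp", 6277), ("udp", 24441)]


class StatelessFilter:
    """Two rules per service (2N), in the style of the quoted DCC rules:
    allow <proto> local gt 1023 to remote <port>
    allow <proto> remote <port> to local gt 1023
    """

    def __init__(self, services):
        self.rules = []
        for proto, port in services:
            self.rules.append(("out", proto, port))
            self.rules.append(("in", proto, port))

    def allows(self, pkt):
        for direction, proto, port in self.rules:
            if (direction, proto) != (pkt.direction, pkt.proto):
                continue
            if direction == "out" and pkt.src_port > 1023 and pkt.dst_port == port:
                return True
            # The inbound rule trusts the remote source port alone.
            if direction == "in" and pkt.src_port == port and pkt.dst_port > 1023:
                return True
        return False


class StatefulFilter:
    """One outbound rule per service plus one generic reply rule (N+1).
    Simplified model of connection tracking: a flow is remembered when an
    allowed packet leaves, and inbound packets must be its exact reverse.
    """

    def __init__(self, services):
        self.rules = [("out", proto, port) for proto, port in services]
        self.rules.append(("in", "any", "reply to a tracked flow"))
        self.allowed_out = set(services)
        self.flows = set()

    def allows(self, pkt):
        if pkt.direction == "out":
            ok = pkt.src_port > 1023 and (pkt.proto, pkt.dst_port) in self.allowed_out
            if ok:
                self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port,
                                pkt.dst_ip, pkt.dst_port))
            return ok
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return reverse in self.flows


# Constructed traffic; addresses are from documentation ranges.
MAIL_HOST = "192.0.2.10"
TRAFFIC = [
    ("DCC query out",
     Packet("out", "udp", MAIL_HOST, 40000, "198.51.100.5", 6277)),
    ("DCC reply in",
     Packet("in", "udp", "198.51.100.5", 6277, MAIL_HOST, 40000)),
    ("unsolicited udp from source port 6277 to a local high port",
     Packet("in", "udp", "203.0.113.99", 6277, MAIL_HOST, 5353)),
    ("inbound connection attempt to 2703/tcp",
     Packet("in", "tcp", "203.0.113.99", 50000, MAIL_HOST, 2703)),
]


def verdicts(firewall):
    """Run the constructed traffic through a filter, in order."""
    return [(label, firewall.allows(pkt)) for label, pkt in TRAFFIC]


if __name__ == "__main__":
    for fw in (StatelessFilter(SERVICES), StatefulFilter(SERVICES)):
        print(type(fw).__name__, len(fw.rules), "rules")
        for label, ok in verdicts(fw):
            print("  %-60s %s" % (label, "ACCEPT" if ok else "DROP"))
```

The third packet is the difference: any host that sends from source port 6277 reaches local high UDP ports through the stateless rule set, while the stateful model drops it because no matching outbound query was seen.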
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:21:31 2006 Subject: barracudanetworks devices In-Reply-To: <6.0.0.22.0.20031211124451.02bb2e30@mail.enhtech.com> References: <6.0.0.22.0.20031211124451.02bb2e30@mail.enhtech.com> Message-ID: <200312111756.01777.Antony@Soft-Solutions.co.uk> On Thursday 11 December 2003 5:44 pm, Errol Neal wrote: > Anybody heard of these devices? > > http://www.barracudanetworks.com/products_key_features.php > > I wonder how they stack up to MailScanner. Reading from the features on their website: > Blacklisting of websites & domains If you can still find a working DNS RBL, MailScanner will do this. > Keyword scanning of emails Use the new MCP and MailScanner will do this (as well as the default keyword/phrase checking which SpamAssassin does) > Checksum technology Razor, Pyzor, DCC > Message authenticity checking MTA reverse MX lookup. > Blacklists and Whitelists MailScanner does these. > Rate controls I seem to recall there's a new feature in MailScanner for this, even if you're not already doing it in sendmail. > File type attachment blocking MailScanner does this (I bet Barracuda does it by file extension only, not by file content type as well :) I think it's interesting that they're offering an anti-spam solution without any mention of anti-virus - seems a strange omission? Antony. -- In science, one tries to tell people in such a way as to be understood by everyone something that no-one ever knew before. In poetry, it is the exact opposite. - Paul Dirac Please reply to the list; please don't CC me. From brian at SOLUSCORP.COM Thu Dec 11 03:50:28 2003 
From: brian at SOLUSCORP.COM (Brian Wells) Date: Thu Jan 12 21:21:31 2006 Subject: Blacklist file changes getting removed by something References: <076001c3bef8$cb44dac0$d700600a@merlintest.net> <200312102330.41858.Antony@Soft-Solutions.co.uk> Message-ID: <07a601c3bf99$ee250190$d700600a@merlintest.net> Yes, check_mailscanner runs at the time that the files are being changed. Then I guess my question is why is check_mailscanner replacing my blacklist.rules file? Brian ----- Original Message ----- From: "Antony Stone" To: Sent: Wednesday, December 10, 2003 6:30 PM Subject: Re: Blacklist file changes getting removed by something > On Wednesday 10 December 2003 8:37 am, Brian Wells wrote: > > > Hi, > > > > Much to my annoyance, I noticed after I had entered by hand a bunch of > > hosts to my blacklist file, that my changes had been removed and a new > > blacklist file was in place. Looking at the timestamp on the file, it is > > getting replaced once an hour. > > > > I searched quite a bit for an explanation for this behaviour. Something > > like the auto whitelist feature except for the blacklist file. But I could > > not find anything. Does anyone have an explanation for this and how to > > turn it off? > > Does the timestamp on the file coincide with any cron jobs you have running? > > Antony > > -- > Software development can be quick, high quality, or low cost. > > The customer gets to pick any two out of three. > > Please reply to the list; > please don't CC me. > From tristanr at CI.GRANDJCT.CO.US Thu Dec 11 18:54:28 2003 
From: tristanr at CI.GRANDJCT.CO.US (Tristan Rhodes) Date: Thu Jan 12 21:21:31 2006 Subject: barracudanetworks devices Message-ID: These products do scan for viruses. It looks like they even use two anti-virus engines... Look at the flowchart at the bottom of this page... http://www.barracudanetworks.com/products.php I agree, Mailscanner and its numerous helper applications can attain the same functionality. It would be nice if all the applications were bundled up in a single package, though. Perhaps Mailscanner Enterprise Edition from Fortress will provide this capability when it is released??? On a side note, Mailscanner Basic Edition is listed in Network World Fusion's Anti-spam buyers guide. Apparently it takes a commercial entity to be listed in this guide. :( - (Mailscanner Basic Edition is free) :) http://www.nwfusion.com/bg/2003/spam/details.jsp?_tablename=antispam&name='MailScanner+Basic+Edition' Also found a reference to Mailscanner Basic Edition on the SpamHelp.org website. http://www.spamhelp.org/software/software.php?cat=3 I look forward to future Mailscanner-based products created by Fortress. Tristan Rhodes >>> Antony@SOFT-SOLUTIONS.CO.UK 12/11/03 10:56AM >>> On Thursday 11 December 2003 5:44 pm, Errol Neal wrote: > Anybody heard of these devices? > > http://www.barracudanetworks.com/products_key_features.php > > I wonder how they stack up to MailScanner. Reading from the features on their website: > Blacklisting of websites & domains If you can still find a working DNS RBL, MailScanner will do this. > Keyword scanning of emails Use the new MCP and MailScanner will do this (as well as the default keyword/phrase checking which SpamAssassin does) > Checksum technology Razor, Pyzor, DCC > Message authenticity checking MTA reverse MX lookup. > Blacklists and Whitelists MailScanner does these. > Rate controls I seem to recall there's a new feature in MailScanner for this, even if you're not already doing it in sendmail. 
> File type attachment blocking MailScanner does this (I bet Barrauda does it by file extension only, not by file content type as well :) I think it's interesting that they're offering an anti-spam solution without any mention of anti-virus - seems a strange omission? Antony. -- In science, one tries to tell people in such a way as to be understood by everyone something that no-one ever knew before. In poetry, it is the exact opposite. - Paul Dirac Please reply to the list; please don't CC me. From mikea at MIKEA.ATH.CX Thu Dec 11 21:06:08 2003 From: mikea at MIKEA.ATH.CX (mikea) Date: Thu Jan 12 21:21:31 2006 Subject: (slightly OT) "Gaven Stubberfield" arrested Message-ID: <20031211150608.A83136@mikea.ath.cx> for more info. Up to 5 years jail time and/or $2500 per count. I think it wouldn't be difficult to come up with a few thousand Stubberfield spams. Could be my spam load will go down a little bit. And this is promising: "Kilgore said although these are the first indictments, it is likely his computer crimes unit will be busy for an extended period to come." So mote it be! -- Mike Andrews mikea@mikea.ath.cx Tired old sysadmin From steve.swaney at FSL.COM Thu Dec 11 21:14:42 2003 From: steve.swaney at FSL.COM (Stephen Swaney) Date: Thu Jan 12 21:21:31 2006 Subject: (slightly OT) "Gaven Stubberfield" arrested In-Reply-To: <20031211150608.A83136@mikea.ath.cx> Message-ID: <20031211211429.64E3321C3C9@mail.fsl.com> > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of mikea > Sent: Thursday, December 11, 2003 4:06 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: (slightly OT) "Gaven Stubberfield" arrested > > > > for more info. > > Up to 5 years jail time and/or $2500 per count. I think it wouldn't be > difficult to come up with a few thousand Stubberfield spams. > Unfortunately I believe that when the can-spam bill is signed by President Bush, the tougher state laws, i.e. California and Virginia, are superseded by the weaker Federal law and no longer in force. Stubberfield's arrest by authorities in Virginia wouldn't be possible. > Could be my spam load will go down a little bit. > > And this is promising: "Kilgore said although these are the first > indictments, it is likely his computer crimes unit will be busy for an > extended period to come." > > So mote it be! > > -- > Mike Andrews > mikea@mikea.ath.cx > Tired old sysadmin Stephen Swaney President Fortress Systems Ltd. steve.swaney@fsl.com From mkettler at EVI-INC.COM Thu Dec 11 21:45:49 2003 
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:21:31 2006 Subject: (slightly OT) "Gaven Stubberfield" arrested In-Reply-To: <20031211211429.64E3321C3C9@mail.fsl.com> References: <20031211150608.A83136@mikea.ath.cx> <20031211211429.64E3321C3C9@mail.fsl.com> Message-ID: <6.0.0.22.0.20031211163553.0242bdc8@xanadu.evi-inc.com> At 04:14 PM 12/11/2003, Stephen Swaney wrote: >Unfortunately I believe that when the can-spam bill is signed by President >Bush, the tougher state laws, i.e. California and Virginia, are superseded >by the weaker Federal law and no longer in force. > >Stubberfield's arrest by authorities in Virginia wouldn't be possible. Well he was arrested in NC by authorities in NC, and is being extradited to VA, not arrested in VA. Even the weak federal law still enacts penalties against forged sender addresses, which is the part of the VA law they are being charged with. Had he committed the same act post can-spam, he'd be facing a federal offense instead of a state one. Not to say that can-spam isn't full of holes to the point of being useless, but his exact acts are illegal under can-spam's provisions per 1037(a)(3). He probably violated (a)(2) and (a)(4) as well. See page 13 of http://www.cauce.org/S877.pdf. Of course, post can-spam, he'd have just modified his spam tactics slightly and be more-or-less home free :( From mikea at MIKEA.ATH.CX Thu Dec 11 22:05:12 2003 From: mikea at MIKEA.ATH.CX (mikea) Date: Thu Jan 12 21:21:31 2006 Subject: (slightly OT) "Gaven Stubberfield" arrested In-Reply-To: <20031211211429.64E3321C3C9@mail.fsl.com>; from steve.swaney@FSL.COM on Thu, Dec 11, 2003 at 04:14:42PM -0500 References: <20031211150608.A83136@mikea.ath.cx> <20031211211429.64E3321C3C9@mail.fsl.com> Message-ID: <20031211160512.A83501@mikea.ath.cx> On Thu, Dec 11, 2003 at 04:14:42PM -0500, Stephen Swaney wrote: > > -----Original Message----- 
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > Behalf Of mikea > > Sent: Thursday, December 11, 2003 4:06 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: (slightly OT) "Gaven Stubberfield" arrested > > > > > > > > for more info. > > > > Up to 5 years jail time and/or $2500 per count. I think it wouldn't be > > difficult to come up with a few thousand Stubberfield spams. > > > Unfortunately I believe that when the can-spam bill is signed by President > Bush, the tougher state laws, i.e. California and Virginia, are superseded > by the weaker Federal law and no longer in force. > Stubberfield's arrest by authorities in Virginia wouldn't be possible. > > Could be my spam load will go down a little bit. > > > > And this is promising: "Kilgore said although these are the first > > indictments, it is likely his computer crimes unit will be busy for an > > extended period to come." Erm ... I _really_ don't want to drag this out here; it's getting lots and lots of publicity in SPAM-l, and no doubt on nana* as well. But a lawyer friend did an analysis, and concluded that since the .va.us laws treat what Stubberfield & Co. did as _trespassing_ in various ways, it's a series of Class 6 felonies and _not_ pre-empted by You-Can-Spam. I'll be watching the bonfires and the torchlight parade on SPAM-l and nana*. Y'all have fun, y'heah? -- Mike Andrews mikea@mikea.ath.cx Tired old sysadmin From brose at MED.WAYNE.EDU Fri Dec 12 03:16:49 2003 
From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:21:31 2006 Subject: MailScanner and SA Config Message-ID: I don't think this was realized until now but since MailScanner calls SA with the specified config file option, then SA doesn't read all the .cf files in /etc/mail/spamassassin I only found out recently on the SA lists that SA would do this. SA will read in every cf file located there. The benefit is that you don't have to keep modifying one file for example using the frequently updated evil rules found on the SA custom rule emporium http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm Can the next Mailscanner have the ability to specify a file or path or turn off the sa conf option? -=Bobby From ryan.finnesey at CORPDSG.COM Fri Dec 12 05:31:59 2003 From: ryan.finnesey at CORPDSG.COM (Ryan Finnesey) Date: Thu Jan 12 21:21:31 2006 Subject: barracudanetworks devices Message-ID: <3041D4D2B8A6F746AD9217BE05AE68C407BCA3@dc012.corpdsg.com> What does Mailscanner Enterprise Edition do that Basic can not do? Ryan -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Tristan Rhodes Sent: Thursday, December 11, 2003 1:54 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: barracudanetworks devices These products do scan for viruses. It looks like they even use two anti-virus engines... Look at the flowchart at the bottom of this page... http://www.barracudanetworks.com/products.php I agree, Mailscanner and its numerous helper applications can attain the same functionality. It would be nice if all the applications were bundled up in a single package, though. Perhaps Mailscanner Enterprise Edition from Fortress will provide this capability when it is released??? On a side note, Mailscanner Basic Edition is listed in Network World Fusion's Anti-spam buyers guide. Apparently it takes a commercial entity to be listed in this guide. :( - (Mailscanner Basic Edition is free) :) http://www.nwfusion.com/bg/2003/spam/details.jsp?_tablename=antispam&nam e='MailScanner+Basic+Edition' Also found a reference to Mailscanner Basic Edition on the SpamHelp.org website. http://www.spamhelp.org/software/software.php?cat=3 I look forward to future Mailscanner-based products created by Fortress. Tristan Rhodes >>> Antony@SOFT-SOLUTIONS.CO.UK 12/11/03 10:56AM >>> On Thursday 11 December 2003 5:44 pm, Errol Neal wrote: > Anybody heard of these devices? > > http://www.barracudanetworks.com/products_key_features.php > > I wonder how they stack up to MailScanner. Reading from the features on their website: > Blacklisting of websites & domains If you can still find a working DNS RBL, MailScanner will do this. > Keyword scanning of emails Use the new MCP and MailScanner will do this (as well as the default keyword/phrase checking which SpamAssassin does) > Checksum technology Razor, Pyzor, DCC > Message authenticity checking MTA reverse MX lookup. > Blacklists and Whitelists MailScanner does these. 
> Rate controls I seem to recall there's a new feature in MailScanner for this, even if you're not already doing it in sendmail. > File type attachment blocking MailScanner does this (I bet Barracuda does it by file extension only, not by file content type as well :) I think it's interesting that they're offering an anti-spam solution without any mention of anti-virus - seems a strange omission? Antony. -- In science, one tries to tell people in such a way as to be understood by everyone something that no-one ever knew before. In poetry, it is the exact opposite. - Paul Dirac Please reply to the list; please don't CC me. From Q.G.Campbell at NEWCASTLE.AC.UK Fri Dec 12 08:37:52 2003 From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell) Date: Thu Jan 12 21:21:31 2006 Subject: Unexpected whitelisting behaviour Message-ID: <74BC2BBF06470148911E64E2B48FE13964C650@pinewood.ncl.ac.uk> [snip] >From the code, it looks like it adds the "SpamScore" header >if the score > 0. >However, the main Spam Header (SpamCheck) is only added if it >is actually spam, or would be spam if it wasn't whitelisted (I think). Julian I have done some further tests and the code for the "SpamScore" header seems to work more or less as you describe above. If the score is < 1.0 there is no "SpamScore" header. If the score is >= 1.0 then the number of "s" characters in the "SpamScore" header appears to be the score rounded down to the nearest integer. Quentin From mailscanner at ecs.soton.ac.uk Fri Dec 12 08:22:21 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:31 2006 Subject: Blacklist file changes getting removed by something In-Reply-To: <07a601c3bf99$ee250190$d700600a@merlintest.net> References: <076001c3bef8$cb44dac0$d700600a@merlintest.net> <200312102330.41858.Antony@Soft-Solutions.co.uk> <07a601c3bf99$ee250190$d700600a@merlintest.net> Message-ID: <6.0.1.1.2.20031212082135.038e4a60@imap.ecs.soton.ac.uk> At 03:50 11/12/2003, you wrote: >Yes, check_mailscanner runs at the time that the files are being changed. >Then I guess my question is why is check_mailscanner replacing my >blacklist.rules file? It's not. Something else must be happening too. Take a look at the code of check_mailscanner and you won't find any reference to any rules files. >Brian >----- Original Message ----- 
>From: "Antony Stone" >To: >Sent: Wednesday, December 10, 2003 6:30 PM >Subject: Re: Blacklist file changes getting removed by something > > > > On Wednesday 10 December 2003 8:37 am, Brian Wells wrote: > > > > > Hi, > > > > > > Much to my annoyance, I noticed after I had entered by hand a bunch of > > > hosts to my blacklist file, that my changes had been removed and a new > > > blacklist file was in place. Looking at the timestamp on the file, it >is > > > getting replaced once an hour. > > > > > > I searched quite a bit for an explanation for this behaviour. Something > > > like the auto whitelist feature except for the blacklist file. But I >could > > > not find anything. Does anyone have an explanation for this and how to > > > turn it off? > > > > Does the timestamp on the file coincide with any cron jobs you have >running? > > > > Antony > > > > -- > > Software development can be quick, high quality, or low cost. > > > > The customer gets to pick any two out of three. > > > > Please reply to the >list; > > please don't CC >me. > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From dean.plant at ROKE.CO.UK Fri Dec 12 09:25:06 2003 From: dean.plant at ROKE.CO.UK (Plant, Dean) Date: Thu Jan 12 21:21:31 2006 Subject: Firewall woes - ports to be used Message-ID: Thanks for the info. -----Original Message----- 
From: Antony Stone [mailto:Antony@SOFT-SOLUTIONS.CO.UK] Sent: 11 December 2003 17:43 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Firewall woes - ports to be used On Thursday 11 December 2003 5:00 pm, Plant, Dean wrote: > The information from the Spamassassin docs (below) show two rules, is only > the outbound rule required? Depends whether your firewall is stateful or not (ie: whether it can allow "reply packets" without needing to be told explicitly what those are going to be). In the Linux world, if you're using the old ipchains, you need two rules per service, one for the outbound requests, and one for the inbound replies. If you're using the new iptables, you need one rule for the outbound request, and a single generic rule allowing reply packets (in response to anything going out of the firewall), which is not specific to DCC, Razor, Pyzor, or whatever. Stateful (iptables) is more secure, because it does not allow packets in from remote servers to high ports on local machines unless they are replies to something you were happy to allow out in the first place. Stateless (ipchains) will allow external systems more opportunity to port scan your network, and possibly even access some services, depending on what port numbers you're running them on (eg Squid on 3128 falls into the high range). Stateful is also simpler, because you need N+1 rules to support N services. Stateless requires 2N rules. If you want more detail on this I can recommend the netfilter mailing list - about as busy as this one and almost as friendly :) Antony. > Also note that DCC requires that you open your firewall for DCC reply > packets on UDP port 6277. DCC uses UDP packets when replying, which > are blocked by most firewalls by default. As a result, it requires > that you open your firewall for DCC reply packets on UDP port 6277. > Here's sample firewall rules required: > > allow udp local gt 1023 to remote 6277 > allow udp remote 6277 to local gt 1023 > > > -----Original Message----- 
> From: Antony Stone [mailto:Antony@SOFT-SOLUTIONS.CO.UK] > Sent: 11 December 2003 12:30 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Firewall woes - ports to be used > > On Thursday 11 December 2003 12:26 pm, Plant, Dean wrote: > > FYI - the Razor ports are only required outbound. > > I should hope that is true of all of them!? > > (Assuming your firewall allows in reply packets - but none of the services > should be initiated from outside....) > > Antony. > > > -----Original Message----- > > From: Randal, Phil [mailto:prandal@HEREFORDSHIRE.GOV.UK] > > Sent: 11 December 2003 11:43 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Firewall woes - ports to be used > > > > > > Razor: 7/tcp and 2703/tcp > > > > DCC: 6277/udp > > > > pyzor: 24441/udp > > > > Cheers, > > > > Phil > > > > --------------------------------------------- > > Phil Randal > > Network Engineer > > Herefordshire Council > > Hereford, UK > > > > > -----Original Message----- > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > Behalf Of Michele Neylon :: Blacknight Solutions > > > Sent: 11 December 2003 11:27 > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Firewall woes - ports to be used > > > > > > > > > I can't see any reference to it in the FAQ :( > > > Help!! > > > > > > Mr. Michele Neylon > > > Blacknight Internet Solutions Ltd > > > http://www.blacknightsolutions.ie/ > > > http://www.search.ie/ > > > Tel. + 353 (0)59 9137101 > > > Lowest price domains in Ireland > > > > > > > -----Original Message----- 
> > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > > Behalf Of Spicer, Kevin > > > > Sent: 11 December 2003 11:20 > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > Subject: Re: Firewall woes - ports to be used > > > > > > > > Michele Neylon :: Blacknight Solutions wrote: > > > > > After installing a new firewall we seem to have run into > > > > > > a number of > > > > > > > > issues regarding required ports. > > > > > Can anybody help/advise? > > > > > We are using: > > > > > MailScanner > > > > > with SA, Razor, Pyzor, DCC and the RBLs (of course) > > > > > > > > I _think_ this is in the FAQ -- Perfection in design is achieved not when there is nothing left to add, but rather when there is nothing left to take away. - Antoine de Saint-Exupery Please reply to the list; please don't CC me. -- Registered Office: Roke Manor Research Ltd, Siemens House, Oldbury, Bracknell, Berkshire. RG12 8FZ The information contained in this e-mail and any attachments is confidential to Roke Manor Research Ltd and must not be passed to any third party without permission. This communication is for information only and shall not create or change any contractual relationship. From prandal at HEREFORDSHIRE.GOV.UK Fri Dec 12 10:23:44 2003 
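The stateless and stateful rule sets compared in the firewall thread above, as an added Python model (not code from the thread, ipchains or iptables). The service ports are the ones listed in the thread; the packets, addresses and the simplified flow table (no timeouts or TCP flags) are constructed for illustration.

```python
"""Stateless vs stateful filtering for the outbound-only services in the thread.

Simplified model: one protected host, no flow timeouts, no TCP flag handling.
"""
from collections import namedtuple

# direction is "out" (local -> remote) or "in" (remote -> local).
Packet = namedtuple("Packet", "direction proto local_port remote_ip remote_port")

# Ports as listed in the thread: Razor 7/tcp and 2703/tcp, DCC 6277/udp,
# Pyzor 24441/udp.
SERVICES = [("tcp", 7), ("tcp", 2703), ("udp", 6277), ("udp", 24441)]


class StatelessFilter:
    """Two rules per service (2N), in the style of the quoted DCC rules:
    allow <proto> local gt 1023 to remote <port>
    allow <proto> remote <port> to local gt 1023
    """

    def __init__(self, services):
        self.rules = []
        for proto, port in services:
            self.rules.append(("out", proto, port))
            self.rules.append(("in", proto, port))

    def accept(self, pkt):
        if pkt.local_port <= 1023:
            return False
        # No memory of earlier packets: only ports and direction are checked.
        return (pkt.direction, pkt.proto, pkt.remote_port) in self.rules


class StatefulFilter:
    """One outbound rule per service plus one generic reply rule (N+1)."""

    def __init__(self, services):
        self.out_rules = [("out", proto, port) for proto, port in services]
        self.rules = self.out_rules + [("in", "any", "ESTABLISHED")]
        self.flows = set()  # flows opened by permitted outbound packets

    def accept(self, pkt):
        flow = (pkt.proto, pkt.local_port, pkt.remote_ip, pkt.remote_port)
        if pkt.direction == "out":
            allowed = (pkt.local_port > 1023
                       and ("out", pkt.proto, pkt.remote_port) in self.out_rules)
            if allowed:
                self.flows.add(flow)
            return allowed
        # Inbound traffic is accepted only as a reply to a recorded flow.
        return flow in self.flows


def run_scenario(fw):
    """Feed three constructed packets through a filter and report verdicts."""
    # A DCC query from the mail server and the matching reply.
    query = Packet("out", "udp", 40001, "192.0.2.10", 6277)
    reply = Packet("in", "udp", 40001, "192.0.2.10", 6277)
    # An inbound packet nobody asked for: source port 6277, aimed at a
    # local high port (3128 is the high-port example used in the thread).
    unsolicited = Packet("in", "udp", 3128, "198.51.100.7", 6277)
    return {
        "rules": len(fw.rules),
        "query": fw.accept(query),
        "reply": fw.accept(reply),
        "unsolicited": fw.accept(unsolicited),
    }


if __name__ == "__main__":
    for fw in (StatelessFilter(SERVICES), StatefulFilter(SERVICES)):
        print(type(fw).__name__, run_scenario(fw))
```

Both filters pass the query and its reply; only the stateless one also passes the unsolicited packet, and it needs eight rules where the stateful one needs five.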
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:21:31 2006 Subject: Internet Explorer URL Display problem Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3D4@jessica.herefordshire.gov.uk> When in doubt, consult the RFCs. RFC 1738 (http://www.faqs.org/rfcs/rfc1738.html) says: "3.3. HTTP The HTTP URL scheme is used to designate Internet resources accessible using HTTP (HyperText Transfer Protocol). The HTTP protocol is specified elsewhere. This specification only describes the syntax of HTTP URLs. An HTTP URL takes the form: http://:/? where and are as described in Section 3.1. If : is omitted, the port defaults to 80. No user name or password is allowed." Interesting! I wonder what would break if we were that strict? Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Antony Stone > Sent: 11 December 2003 15:42 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Internet Explorer URL Display problem > > > On Thursday 11 December 2003 3:34 pm, Julian Field wrote: > > > At 15:27 11/12/2003, you wrote: > > >%0[0-9] would be better (or something like that). > > > > %[01][0-9a-fA-F] > > instead of > > %01 > > perhaps? > > > > I would imagine that the guy who found this exploit tested > other characters > > too and found them not to be vulnerable. So %01 is probably > good enough. > > The report at http://www.secunia.com/advisories/10395 > mentions that %00 at > least is also effective. > > Antony. > > -- > If you want to be happy for an hour, get drunk. > If you want to be happy for a year, get married. > If you want to be happy for a lifetime, get a garden. > > Please > reply to the list; > > please don't CC me. > From nejc.skoberne at guest.arnes.si Fri Dec 12 10:28:29 2003 
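The two checks discussed in this thread, the RFC 1738 reading that an HTTP URL carries no user name or password and the `%[01][0-9a-fA-F]` pattern for encoded control characters, as an added Python example (not MailScanner's code and not part of the original messages). The sample message text is constructed, and limiting the pattern to the authority part of the URL is an assumption made here to avoid flagging query strings.

```python
"""Flag HTTP URLs in message text that carry user information or
percent-encoded control characters in the authority component."""
import re
from urllib.parse import urlsplit

# Rough URL extractor for plain message text (assumption: URLs end at
# whitespace, quotes or angle brackets).
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# The pattern proposed in the thread: %00 through %1F.
ENCODED_CONTROL_RE = re.compile(r"%[01][0-9a-fA-F]")


def check_url(url):
    """Return the URL, the host part that is actually contacted, and findings."""
    try:
        netloc = urlsplit(url).netloc
    except ValueError:
        return {"url": url, "hostport": None, "findings": ["unparseable"]}

    # Everything before the last "@" in the authority is user information;
    # what follows it is the real host (and optional port).
    userinfo, at, hostport = netloc.rpartition("@")

    findings = []
    if at:
        findings.append("userinfo")
    if ENCODED_CONTROL_RE.search(netloc):
        findings.append("encoded-control")
    return {"url": url, "hostport": hostport.lower(), "findings": findings}


def scan_message(text):
    """Check every URL in the text and keep only those with findings."""
    results = (check_url(url) for url in URL_RE.findall(text))
    return [r for r in results if r["findings"]]


# Constructed sample message body; all names are placeholders.
SAMPLE_MESSAGE = (
    "Statement: http://www.example.com/index.html\n"
    "Verify here: http://www.trusted.example%01@host.example.net/login\n"
    "Wiki: http://user:pw@intranet.example/\n"
    "Search: http://www.example.org/find?q=a%0Ab\n"
)

if __name__ == "__main__":
    for hit in scan_message(SAMPLE_MESSAGE):
        print(hit["findings"], "real host:", hit["hostport"], "in", hit["url"])
```

The fourth sample URL has an encoded newline in its query string and is deliberately not flagged, which is the difference between matching the pattern anywhere and matching it only where a host name is displayed.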
From: nejc.skoberne at guest.arnes.si (Nejc Skoberne) Date: Thu Jan 12 21:21:31 2006 Subject: Defining messages to be spamchecked Message-ID: <1196863268.20031212112829@guest.arnes.si> Hi, list. Currently my server checks all mail (from all the domains) for spam. I would like it to check just specific domains (defined by me) for spam. Where could I do that? Thanks. -- Nejc Skoberne Grajska 5 SI-5220 Tolmin E-mail: nejc.skoberne@guest.arnes.si From mailscanner at ecs.soton.ac.uk Fri Dec 12 10:35:20 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:31 2006 Subject: Defining messages to be spamchecked In-Reply-To: <1196863268.20031212112829@guest.arnes.si> References: <1196863268.20031212112829@guest.arnes.si> Message-ID: <6.0.1.1.2.20031212103502.07cd23e8@imap.ecs.soton.ac.uk> Please read up about rulesets in /etc/MailScanner/rules/* and on the FAQ. At 10:28 12/12/2003, you wrote: >Hi, list. > >Currently my server checks all mail (from all the domains) for spam. I >would like it to check just specific domains (defined by me) for spam. > >Where could I do that? > >Thanks. > >-- >Nejc Skoberne >Grajska 5 >SI-5220 Tolmin >E-mail: nejc.skoberne@guest.arnes.si -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From raymond at PROLOCATION.NET Fri Dec 12 10:31:34 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:31 2006 Subject: Defining messages to be spamchecked In-Reply-To: <1196863268.20031212112829@guest.arnes.si> Message-ID: Hi! > Currently my server checks all mail (from all the domains) for spam. I > would like it to check just specific domains (defined by me) for spam. > > Where could I do that? Have a look on the included ruleset examples. You can pick them up very easily I think. Bye, Raymond. From jrawcliffe at LONDON.EDU Fri Dec 12 11:16:24 2003 
From: jrawcliffe at LONDON.EDU (Julian Rawcliffe) Date: Thu Jan 12 21:21:31 2006 Subject: Filename scanning preference order Message-ID: <1071227784.16528.249.camel@isd92.lbs.ac.uk> I am having a number of users complain about attachments being quarantined (and confusing this with virus infection) because of double extension filenames, eg. file.tmp.pdf. There is no reason to block these files. Can I get away with specifying a filename rule to allow any .pdf file whilst still keeping the generic multiple extension deny rule in place. Would something like, allow \.pdf$ be sufficient or do the deny rules take precedence over allows? -- Julian Rawcliffe London Business School, Sussex Place, Regents Park, London. NW1 4SA t: +44 (0)20 7000 7782 direct --- Helpdesk t: +44 (0)20 7000 7700 m: +44 (0)7966 90 7782 mobile --- Helpdesk f: +44 (0)20 7724 6300 mailto:jrawcliffe@london.edu --- http://www.london.edu/technology/ From mailscanner at ecs.soton.ac.uk Fri Dec 12 11:35:59 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:31 2006 Subject: Filename scanning preference order In-Reply-To: <1071227784.16528.249.camel@isd92.lbs.ac.uk> References: <1071227784.16528.249.camel@isd92.lbs.ac.uk> Message-ID: <6.0.1.1.2.20031212113526.0395f9a0@imap.ecs.soton.ac.uk> At 11:16 12/12/2003, you wrote: >I am having a number of users complain about attachments being >quarantined (and confusing this with virus infection) because >of double extension filenames, eg. file.tmp.pdf. There is >no reason to block these files. > >Can I get away with specifying a filename rule to allow any >.pdf file whilst still keeping the generic multiple extension >deny rule in place. Would something like, >allow \.pdf$ >be sufficient or do the deny rules take precedence over allows? Yes, that's fine. The rules are strictly checked in the order they are in the file. The first rule that matches produces the result. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From prandal at HEREFORDSHIRE.GOV.UK Fri Dec 12 11:47:22 2003 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:21:31 2006 Subject: Internet Explorer URL Display problem Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3D5@jessica.herefordshire.gov.uk> Oops, egg on face time... RFC 2396 (http://www.faqs.org/rfcs/rfc2396.html) generalises URIs. Sorry for the noise, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Randal, Phil > Sent: 12 December 2003 10:24 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Internet Explorer URL Display problem > > > When in doubt, consult the RFCs. RFC 1738 > (http://www.faqs.org/rfcs/rfc1738.html) > says: > > "3.3. HTTP > > The HTTP URL scheme is used to designate Internet resources > accessible using HTTP (HyperText Transfer Protocol). > > The HTTP protocol is specified elsewhere. This specification only > describes the syntax of HTTP URLs. > > An HTTP URL takes the form: > > http://:/? > > where and are as described in Section 3.1. If : > is omitted, the port defaults to 80. No user name or password is > allowed." > > Interesting! I wonder what would break if we were that strict? > > Cheers, > > Phil > > --------------------------------------------- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > > > -----Original Message----- 
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Antony Stone > > Sent: 11 December 2003 15:42 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Internet Explorer URL Display problem > > > > > > On Thursday 11 December 2003 3:34 pm, Julian Field wrote: > > > > > At 15:27 11/12/2003, you wrote: > > > >%0[0-9] would be better (or something like that). > > > > > > %[01][0-9a-fA-F] > > > instead of > > > %01 > > > perhaps? > > > > > > I would imagine that the guy who found this exploit tested > > other characters > > > too and found them not to be vulnerable. So %01 is probably > > good enough. > > > > The report at http://www.secunia.com/advisories/10395 > > mentions that %00 at > > least is also effective. > > > > Antony. > > > > -- > > If you want to be happy for an hour, get drunk. > > If you want to be happy for a year, get married. > > If you want to be happy for a lifetime, get a garden. > > > > Please > > reply to the list; > > > > please don't CC me. > > > From tristanr at CI.GRANDJCT.CO.US Fri Dec 12 15:44:07 2003 
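Julian Field's answer in the "Filename scanning preference order" thread above says the rules are checked in file order and the first match decides. The sketch below is an added Python example of that evaluation, not MailScanner's own code; the tab-separated action / regex / log text / report text layout, the case-insensitive matching, the default of allowing unmatched names and the simplified double-extension regex are assumptions, and the rule rows are constructed rather than copied from a shipped rules file.

```python
"""First-match-wins evaluation of allow/deny filename rules."""
import re


def rules_file(rows):
    """Build rules-file text from (action, regex, log text, report text) rows."""
    return "\n".join("\t".join(row) for row in rows)


def parse_rules(text):
    """Parse tab-separated rule lines, keeping them in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        fields = re.split(r"\t+", line)
        if len(fields) < 2 or fields[0].lower() not in ("allow", "deny"):
            raise ValueError("bad rule line: %r" % line)
        log_text = fields[2] if len(fields) > 2 else "-"
        rules.append((fields[0].lower(), re.compile(fields[1], re.IGNORECASE), log_text))
    return rules


def check_filename(rules, name, default="allow"):
    """Return (action, log text) from the first rule whose regex matches."""
    for action, regex, log_text in rules:
        if regex.search(name):
            return action, log_text
    return default, "no rule matched"


# Constructed rule rows. The allow rule is the one proposed in the thread;
# the deny rule is a simplified stand-in for a double-extension rule.
ALLOW_PDF = ("allow", r"\.pdf$", "-", "-")
DENY_DOUBLE = (
    "deny",
    r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$",
    "Found possible filename hiding",
    "Attempt to hide real filename extension",
)

# Same two rules, two different orders.
ALLOW_FIRST = parse_rules(rules_file([ALLOW_PDF, DENY_DOUBLE]))
DENY_FIRST = parse_rules(rules_file([DENY_DOUBLE, ALLOW_PDF]))


def compare_orders(names):
    """Map each filename to its verdict under both rule orders."""
    return {
        name: (check_filename(ALLOW_FIRST, name)[0], check_filename(DENY_FIRST, name)[0])
        for name in names
    }


if __name__ == "__main__":
    # Note: with the allow rule first, every name ending in .pdf skips all
    # later deny rules, so the exemption is exactly as wide as its regex.
    for name, verdicts in compare_orders(
        ["file.tmp.pdf", "invoice.pdf.exe", "report.pdf", "notes.txt"]
    ).items():
        print("%-16s allow-first=%-5s deny-first=%s" % ((name,) + verdicts))
```

Only file.tmp.pdf changes verdict between the two orders, so the allow rule has to sit above the double-extension deny rule to have any effect, while invoice.pdf.exe is still denied in both.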
From: tristanr at CI.GRANDJCT.CO.US (Tristan Rhodes) Date: Thu Jan 12 21:21:31 2006 Subject: barracudanetworks devices (and MailScanner products from Fortress) Message-ID: I do not have much information, except what is posted on their website. Perhaps a representative from Fortress could explain it better. http://www.fsl.com/store.htm ------------------------------------------- MailScanner Basic: Free Download. In addition to the binary or source distributions, our basic edition download includes some extras: * Expanded documentation for installation and configuration * Configuration file examples * Optional packages such as DCC, Pyzor and Razor MailScanner Enterprise Edition: Download will be available for a fee. In addition to the all of the Basic Edition features, this enhanced edition includes tools and utilities for the multiple mail scanner configurations typically required for a large enterprise: * Centralized configuration databases for MTAs, MailScanner, SpamAssassin and User Preferences * Performance monitoring tools for email gateways * Automated reporting tools * Update service * Web Support service MailScanner and SpamAssassin Updates: Keep your email gateways current with the latest editions of MailScanner, SpamAssassin and our custom spam filtering rules. You will receive email notifications of available updates after the new releases have been thoroughly tested on our email gateways. Timely spam filter updates will be released as spammers change tactics to avoid detection. One year of this service is included in the download fee for the Enterprise Edition and will be available for a fee with the Basic Edition of MailScanner. ------------------------------------------- I do not think the enterprise edition is available yet, and from what I can tell the basic edition is simply a list of links to download Mailscanner and its helper applications. 
(Note: This list is outdated, using versions from several releases back, such as SpamAssassin 2.55) Tristan Rhodes >>> ryan.finnesey@CORPDSG.COM 12/11/03 10:31PM >>> What does Mailscanner Enterprise Edition do that Basic can not do? Ryan -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Tristan Rhodes Sent: Thursday, December 11, 2003 1:54 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: barracudanetworks devices These products do scan for viruses. It looks like they even use two anti-virus engines... Look at the flowchart at the bottom of this page... http://www.barracudanetworks.com/products.php I agree, Mailscanner and its numerous helper applications can attain the same functionality. It would be nice if all the applications were bundled up in a single package, though. Perhaps Mailscanner Enterprise Edition from Fortress will provide this capability when it is released??? On a side note, Mailscanner Basic Edition is listed in Network World Fusion's Anti-spam buyers guide. Apparently it takes a commercial entity to be listed in this guide. :( - (Mailscanner Basic Edition is free) :) http://www.nwfusion.com/bg/2003/spam/details.jsp?_tablename=antispam&nam e='MailScanner+Basic+Edition' Also found a reference to Mailscanner Basic Edition on the SpamHelp.org website. http://www.spamhelp.org/software/software.php?cat=3 I look forward to future Mailscanner-based products created by Fortress. Tristan Rhodes >>> Antony@SOFT-SOLUTIONS.CO.UK 12/11/03 10:56AM >>> On Thursday 11 December 2003 5:44 pm, Errol Neal wrote: > Anybody heard of these devices? > > http://www.barracudanetworks.com/products_key_features.php > > I wonder how they stack up to MailScanner. Reading from the features on their website: > Blacklisting of websites & domains If you can still find a working DNS RBL, MailScanner will do this. > Keyword scanning of emails Use the new MCP and MailScanner will do this (as well as the default keyword/phrase checking which SpamAssassin does) > Checksum technology Razor, Pyzor, DCC > Message authenticity checking MTA reverse MX lookup. > Blacklists and Whitelists MailScanner does these. 
> Rate controls I seem to recall there's a new feature in MailScanner for this, even if you're not already doing it in sendmail. > File type attachment blocking MailScanner does this (I bet Barrauda does it by file extension only, not by file content type as well :) I think it's interesting that they're offering an anti-spam solution without any mention of anti-virus - seems a strange omission? Antony. -- In science, one tries to tell people in such a way as to be understood by everyone something that no-one ever knew before. In poetry, it is the exact opposite. - Paul Dirac Please reply to the list; please don't CC me. From tristanr at CI.GRANDJCT.CO.US Fri Dec 12 15:53:56 2003 From: tristanr at CI.GRANDJCT.CO.US (Tristan Rhodes) Date: Thu Jan 12 21:21:31 2006 Subject: Yahoo Developing Open Source Server Software For Spam-Resistant E-Mail Message-ID: Since we were talking about AOL's anti-spam tactics, here is some info about Yahoo. "The company is developing code, called DomainKeys, that's compatible with Sendmail and qmail, two popular E-mail transmission programs known as message transfer agents. It anticipates release sometime next year. DomainKeys will use public key cryptography to digitally sign outgoing messages to reassure a public now suspicious of E-mail. " http://www.linuxpipeline.com/news/showArticle.jhtml;jsessionid=HY12EQWM4BORKQSNDBCCKHY?articleId=16700123 What do you think of this strategy? Tristan From ka at PACIFIC.NET Fri Dec 12 16:05:45 2003 
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:21:31 2006
Subject: Yahoo Developing Open Source Server Software For Spam-Resistant E-Mail
In-Reply-To:
References:
Message-ID: <3FD9E759.1080708@pacific.net>

It's not going to limit spam, but I think it's a step in the right direction. It will also take some significant cpu power to handle the DomainKeys, but it will certainly be nice to be able to trust that mail FROM Yahoo.com and any other often impersonated domain that implements this system actually came FROM that domain. It will also have the effect of making domain whitelists (allow *.mydomain.com) very useful.

Ken
Pacific.Net

Tristan Rhodes wrote:
> Since we were talking about AOL's anti-spam tactics, here is some info about Yahoo.
>
> "The company is developing code, called DomainKeys, that's compatible with Sendmail and qmail, two popular E-mail transmission programs known as message transfer agents. It anticipates release sometime next year. DomainKeys will use public key cryptography to digitally sign outgoing messages to reassure a public now suspicious of E-mail. "
>
> http://www.linuxpipeline.com/news/showArticle.jhtml;jsessionid=HY12EQWM4BORKQSNDBCCKHY?articleId=16700123
>
> What do you think of this strategy?
>
> Tristan
>
>

From mailscanner at ecs.soton.ac.uk Fri Dec 12 16:26:24 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:31 2006
Subject: Yahoo Developing Open Source Server Software For Spam-Resistant E-Mail
In-Reply-To: <3FD9E759.1080708@pacific.net>
References: <3FD9E759.1080708@pacific.net>
Message-ID: <6.0.1.1.2.20031212162002.07d88530@imap.ecs.soton.ac.uk>

Unfortunately it suffers from the same problem affecting pretty much all such systems being mooted at the moment.

They seem to think that
         a ==> b
is the same as
         not a ==> not b
(where "==>" is "implies")

The presence of a correct version of this domainkeys header does indeed imply that the message came from Yahoo server. But plenty of mail from perfectly valid Yahoo accounts is not sent from Yahoo servers. I, for example, send mail from "jules@mailscanner.info" from servers belonging to "ecs.soton.ac.uk". And I send mail from "mailscanner@ecs.soton.ac.uk" from servers belonging to BT Openworld.

The lack of a correct Yahoo domainkeys header does *not* imply that the mail is not from a perfectly valid Yahoo user.

So when you get a mail without a correct domainkeys header, you know absolutely nothing about its validity. You may like to think you know it is not a valid Yahoo account, but you are wrong. You have absolutely no information about whether it is valid or not.

The press don't appear to understand this, and the companies' marketing teams don't either. They are trying to sell systems which are next to useless.

Just my 2p worth...

At 16:05 12/12/2003, you wrote:
>It's not going to limit spam, but I think it's a step in the right
>direction. It will also take some significant cpu power to handle the
>DomainKeys, but it will certainly be nice to be able to trust that mail
>FROM Yahoo.com and any other often impersonated domain that implements
>this system actually came FROM that domain. It will also have the effect
>of making domain whitelists (allow *.mydomain.com) very useful.
>
>Ken
>Pacific.Net
>
>
>Tristan Rhodes wrote:
>
>>Since we were talking about AOL's anti-spam tactics, here is some info
>>about Yahoo.
>>
>>"The company is developing code, called DomainKeys, that's compatible
>>with Sendmail and qmail, two popular E-mail transmission programs known
>>as message transfer agents. It anticipates release sometime next year.
>>DomainKeys will use public key cryptography to digitally sign outgoing
>>messages to reassure a public now suspicious of E-mail. "
>>
>>http://www.linuxpipeline.com/news/showArticle.jhtml;jsessionid=HY12EQWM4BORKQSNDBCCKHY?articleId=16700123
>>
>>What do you think of this strategy?
>>
>>Tristan
>>

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From steve.swaney at FSL.COM Fri Dec 12 16:40:10 2003
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:21:31 2006
Subject: FW: barracudanetworks devices
Message-ID: <20031212163955.6633721C3D3@mail.fsl.com>

I would not normally post commercial product information to a support list but Julian asked me to respond to your query.

> What does MailScanner Enterprise Edition do that Basic can not do?

The actual answer is - Nothing. There is and always will be one code tree for MailScanner. Any improvements or contributions to core MailScanner code will remain open source.

What we are adding is:

        A web interface for configuration and user preferences
        A web interface for setting user preferences
        A MySQL database for storing configuration changes and MailWatch data
        An LDAP backend for MailScanner and SpamAssassin configuration data

Packaging and configuring:

        MailScanner
        SpamAssassin
        MailWatch
        LDAP
        Pyzor
        Razor
        DCC
        ClamAV

And all the supporting packages they require along with new, expanded documentation.

There will also be a very simple installation procedure and an automated update service will be available by subscription. We plan to ship the first product sometime in January.

What we are doing is simply attempting to make MailScanner easier to use and more "acceptable" to the non Linux shops and providing the commercial support that many firms require before implementing open source software. I think that many will be glad to hear that a substantial portion of our business is coming from previously all Microsoft shops.

Obviously we welcome inquiries but please send these to me and not clutter up this excellent support list.

Steve

Stephen Swaney
President
Fortress Systems Ltd.
steve.swaney@fsl.com

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Ryan Finnesey > Sent: Friday, December 12, 2003 12:32 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: barracudanetworks devices > > What does Mailscanner Enterprise Edition do that Basic can not do? > > > Ryan > > > > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Tristan Rhodes > Sent: Thursday, December 11, 2003 1:54 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: barracudanetworks devices > > These products do scan for viruses. It looks like they even use two > anti-virus engines... > > Look at the flowchart at the bottom of this page... > http://www.barracudanetworks.com/products.php > > I agree, Mailscanner and its numerous helper applications can attain the > same functionality. It would be nice if all the applications were > bundled up in a single package, though. > > Perhaps Mailscanner Enterprise Edition from Fortress will provide this > capability when it is released??? > > On a side note, Mailscanner Basic Edition is listed in Network World > Fusion's Anti-spam buyers guide. Apparently it takes a commercial > entity to be listed in this guide. :( - (Mailscanner Basic Edition is > free) :) > http://www.nwfusion.com/bg/2003/spam/details.jsp?_tablename=antispam&nam > e='MailScanner+Basic+Edition' > > Also found a reference to Mailscanner Basic Edition on the SpamHelp.org > website. > http://www.spamhelp.org/software/software.php?cat=3 > > I look forward to future Mailscanner-based products created by Fortress. > > Tristan Rhodes > > >>> Antony@SOFT-SOLUTIONS.CO.UK 12/11/03 10:56AM >>> > On Thursday 11 December 2003 5:44 pm, Errol Neal wrote: > > > Anybody heard of these devices? > > > > http://www.barracudanetworks.com/products_key_features.php > > > > I wonder how they stack up to MailScanner. > > Reading from the features on their website: > > > Blacklisting of websites & domains > > If you can still find a working DNS RBL, MailScanner will do this. > > > Keyword scanning of emails > > Use the new MCP and MailScanner will do this (as well as the default > keyword/phrase checking which SpamAssassin does) > > > Checksum technology > > Razor, Pyzor, DCC > > > Message authenticity checking > > MTA reverse MX lookup. 
>
> > Blacklists and Whitelists
>
> MailScanner does these.
>
> > Rate controls
>
> I seem to recall there's a new feature in MailScanner for this, even if
> you're not already doing it in sendmail.
>
> > File type attachment blocking
>
> MailScanner does this (I bet Barracuda does it by file extension only,
> not by file content type as well :)
>
> I think it's interesting that they're offering an anti-spam solution
> without any mention of anti-virus - seems a strange omission?
>
> Antony.
>
> --
> In science, one tries to tell people
> in such a way as to be understood by everyone
> something that no-one ever knew before.
>
> In poetry, it is the exact opposite.
>
> - Paul Dirac
>
> Please reply to the list;
> please don't CC me.

From mailscanner at CARLO65.DE Fri Dec 12 16:42:15 2003
From: mailscanner at CARLO65.DE (Roland Ehle)
Date: Thu Jan 12 21:21:31 2006
Subject: Sophos Install warnings
In-Reply-To:
References:
Message-ID: <3FD9EFE7.4080305@carlo65.de>

Hi.

Baccari, Lou wrote:
> I'm just finishing installing sophos using /usr/sbin/Sophos.install and
> received the following two warnings
> Warning: $PATH does not include /usr/local/Sophos/bin
> To run Sophos Anti-Virus you need to set environment variable
> $PATH so
> that it includes /usr/local/Sophos/bin.
> Warning: Neither $LD_LIBRARY_PATH nor /etc/ld.so.conf include
> /usr/local/Sophos/lib.
> How do I correct these warnings?

corrections as follows:

1. Enter as root the following command:
   export PATH=$PATH:/usr/local/Sophos/bin

2. Find the file /etc/ld.so.conf and append /usr/local/Sophos/lib to it.

Regards,
Roland

From chris at fractalweb.com Fri Dec 12 17:09:19 2003
From: chris at fractalweb.com (Chris Yuzik)
Date: Thu Jan 12 21:21:31 2006
Subject: Internet Explorer URL Display problem
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3D5@jessica.herefordshire.gov.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3D5@jessica.herefordshire.gov.uk>
Message-ID: <1071248959.3568.14.camel@localhost.localdomain>

On Fri, 2003-12-12 at 03:47, Randal, Phil wrote:
> RFC 2396 (http://www.faqs.org/rfcs/rfc2396.html) generalises URIs.

I only skimmed the spec. But what I gathered, unless I completely misunderstood the document is that characters from %00 through %1F inclusive and %7F are control characters and shouldn't be in a URI.

   Although they are disallowed within the URI syntax, we include here a
   description of those US-ASCII characters that have been excluded and
   the reasons for their exclusion.

   The control characters in the US-ASCII coded character set are not
   used within a URI, both because they are non-printable and because
   they are likely to be misinterpreted by some control mechanisms.

   control =

So how much trouble would we cause if we just disallowed the entire range of control characters from URIs? Can anyone think of a real website that legitimately uses any of these control codes within their URIs? I'm particularly concerned about shopping sites with their massive URIs.

I still think I would rather have MailScanner do the checking for this so we can notify the recipient properly, rather than just marking the message as high spam and/or deleting the message altogether. Perhaps we could even have MailScanner remove the link code altogether but still deliver the rest of the message.

Thoughts?

Chris

From mailscanner at ecs.soton.ac.uk Fri Dec 12 17:27:35 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:31 2006
Subject: Sophos Install warnings
In-Reply-To: <3FD9EFE7.4080305@carlo65.de>
References: <3FD9EFE7.4080305@carlo65.de>
Message-ID: <6.0.1.1.2.20031212172615.07db0888@imap.ecs.soton.ac.uk>

At 16:42 12/12/2003, you wrote:
>Hi.
>
>Baccari, Lou wrote:
>>I'm just finishing installing sophos using /usr/sbin/Sophos.install and
>>received the following two warnings
>>Warning: $PATH does not include /usr/local/Sophos/bin
>> To run Sophos Anti-Virus you need to set environment variable
>>$PATH so
>> that it includes /usr/local/Sophos/bin.
>>Warning: Neither $LD_LIBRARY_PATH nor /etc/ld.so.conf include
>> /usr/local/Sophos/lib.
>>How do I correct these warnings?
>
>corrections as follows:
>1. Enter as root the following command: export
>PATH=$PATH:/usr/local/Sophos/bin
>
>2. Find the file /etc/ld.so.conf and append /usr/local/Sophos/lib to it.

Neither of these 2 changes are required to make MailScanner work properly. It drives Sophos via a short script which avoids any editing of configuration files on your system.

You only want these 2 changes if you want to be able to call the "sweep" program directly from the command-line on your system.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Fri Dec 12 17:29:52 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:31 2006
Subject: Internet Explorer URL Display problem
In-Reply-To: <1071248959.3568.14.camel@localhost.localdomain>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3D5@jessica.herefordshire.gov.uk> <1071248959.3568.14.camel@localhost.localdomain>
Message-ID: <6.0.1.1.2.20031212172756.07d818b0@imap.ecs.soton.ac.uk>

At 17:09 12/12/2003, you wrote:
>On Fri, 2003-12-12 at 03:47, Randal, Phil wrote:
> > RFC 2396 (http://www.faqs.org/rfcs/rfc2396.html) generalises URIs.
>
>I only skimmed the spec. But what I gathered, unless I completely
>misunderstood the document is that characters from %00 through %1F
>inclusive and %7F are control characters and shouldn't be in a URI.
>
> Although they are disallowed within the URI syntax, we include here a
> description of those US-ASCII characters that have been excluded and
> the reasons for their exclusion.
>
> The control characters in the US-ASCII coded character set are not
> used within a URI, both because they are non-printable and because
> they are likely to be misinterpreted by some control mechanisms.
>
> control =
>
>So how much trouble would we cause if we just disallowed the entire
>range of control characters from URIs? Can anyone think of a real website
>that legitimately uses any of these control codes within their URIs? I'm
>particularly concerned about shopping sites with their massive URIs.

Sounds good to me.

>I still think I would rather have MailScanner do the checking for this
>so we can notify the recipient properly, rather than just marking
>the message as high spam and/or deleting the message altogether. Perhaps
>we could even have MailScanner remove the link code altogether but still
>deliver the rest of the message.

Spotting the occurrence of these inside URIs is very hard to do reliably. SpamAssassin goes to considerable lengths to do this, and I don't want to attempt to duplicate their work.

So I still say do it in SpamAssassin, but probably in the MCP code which is used for direct actions on mail, rather than the spam detection which is really just attempting to qualify the message.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From lou.baccari at HP.COM Fri Dec 12 16:31:09 2003
From: lou.baccari at HP.COM (Baccari, Lou)
Date: Thu Jan 12 21:21:31 2006
Subject: Sophos Install warnings
Message-ID:

I'm just finishing installing sophos using /usr/sbin/Sophos.install and received the following two warnings

Warning: $PATH does not include /usr/local/Sophos/bin
         To run Sophos Anti-Virus you need to set environment variable $PATH so
         that it includes /usr/local/Sophos/bin.
Warning: Neither $LD_LIBRARY_PATH nor /etc/ld.so.conf include
         /usr/local/Sophos/lib.

How do I correct these warnings?

From TGFurnish at HERFF-JONES.COM Fri Dec 12 16:43:08 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:21:31 2006
Subject: Yahoo Developing Open Source Server Software For Spam-Resistant E-Mail
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF037335C7@inex1.herffjones.hj-int>

I for one would be quite willing to consider the ability to send email as domains you aren't authoritative for as a casualty of war.

Ie if your server won't accept mail for yahoo.com, then I have no problem with the idea of rejecting email you claim to be delivering on behalf of someone @yahoo.com. I would expect their implementation to be just an extension of that idea - ie if you didn't sign the message with a valid "domainkey" for yahoo.com, then you aren't really yahoo.com and shouldn't be sending email purporting to be from that domain.

Is that a loss of functionality for many people? Yes. Is that loss acceptable? IMO, yes.

If you are the admin of all systems involved (ie mailscanner.info and ecs.soton.ac.uk), then making the needed arrangements to allow both of these domains to be served by your servers should be within your authority and capability.

I haven't seen any details on the technical implementation they're proposing - has anyone got a link to more extensive info?

--
Trever

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: Friday, December 12, 2003 11:26 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Yahoo Developing Open Source Server Software For > Spam-Resistant E-Mail > > > Unfortunately it suffers from the same problem affecting > pretty much all > such systems being mooted at the moment. > > They seem to think that > a ==> b > is the same as > not a ==> not b > (where "==>" is "implies") > > The presence of a correct version of this domainkeys header > does indeed > imply that the message came from Yahoo server. But plenty of mail from > perfectly valid Yahoo accounts is not sent from Yahoo servers. I, for > example, send mail from "jules@mailscanner.info" from servers > belonging to > "ecs.soton.ac.uk". And I send mail from > "mailscanner@ecs.soton.ac.uk" from > servers belonging to BT Openworld. > > The lack of a correct Yahoo domainkeys header does *not* > imply that the > mail is not from a perfectly valid Yahoo user. > > So when you get a mail without a correct domainkeys header, you know > absolutely nothing about its validity. You may like to think > you know it is > not a valid Yahoo account, but you are wrong. You have absolutely no > information about whether it is valid or not. > > The press don't appear to understand this, and the companies' > marketing > teams don't either. They are trying to sell systems which are > next to useless. > > Just my 2p worth... > > At 16:05 12/12/2003, you wrote: > >It's not going to limit spam, but I think it's a step in the right > >direction. It will also take some significant cpu power to handle the > >DomainKeys, but it will certainly be nice to be able to > trust that mail > >FROM Yahoo.com and any other often impersonated domain that > implements > >this system actually came FROM that domain. It will also > have the effect > >of making domain whitelists (allow *.mydomain.com) very useful. 
> > > >Ken > >Pacific.Net > > > > > >Tristan Rhodes wrote: > > > >>Since we were talking about AOL's anti-spam tactics, here > is some info > >>about Yahoo. > >> > >>"The company is developing code, called DomainKeys, that's > compatible > >>with Sendmail and qmail, two popular E-mail transmission > programs known > >>as message transfer agents. It anticipates release sometime > next year. > >>DomainKeys will use public key cryptography to digitally > sign outgoing > >>messages to reassure a public now suspicious of E-mail. " > >> > >>http://www.linuxpipeline.com/news/showArticle.jhtml;jsession id=HY12EQWM4BORKQSNDBCCKHY?articleId=16700123 >> >>What do you think of this strategy? >> >>Tristan >> -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From ka at PACIFIC.NET Fri Dec 12 17:45:28 2003 
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:21:31 2006
Subject: Yahoo Developing Open Source Server Software For Spam-Resistant E-Mail
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF037335C7@inex1.herffjones.hj-int>
References: <8FFC76593085ED4A80D3601BC41EFCDF037335C7@inex1.herffjones.hj-int>
Message-ID: <3FD9FEB8.2050905@pacific.net>

Furnish, Trever G wrote:
> I for one would be quite willing to consider the ability to send email as
> domains you aren't authoritative for as a casualty of war.
>
> Ie if your server won't accept mail for yahoo.com, then I have no problem
> with the idea of rejecting email you claim to be delivering on behalf of
> someone @yahoo.com. I would expect their implementation to be just an
> extension of that idea - ie if you didn't sign the message with a valid
> "domainkey" for yahoo.com, then you aren't really yahoo.com and shouldn't be
> sending email purporting to be from that domain.
>
> Is that a loss of functionality for many people? Yes. Is that loss
> acceptable? IMO, yes.
>
> If you are the admin of all systems involved (ie mailscanner.info and
> ecs.soton.ac.uk), then making the needed arrangements to allow both of these
> domains to be served by your servers should be within your authority and
> capability.
>
> I haven't seen any details on the technical implementation they're proposing
> - has anyone got a link to more extensive info?
>
> --
> Trever

I would have to agree as well. The problem requires some changes be made that are not going to be easy, but are worth it. The domainkeys system will need to call for authentication or trust relationships between mailservers, so that users on one A.com can send outgoing mail through B.com as user@B.com, or mailserver MX.A.com can pretend to be B.com for user@B.com. It's not impossible, but it's definitely got some difficulties as Julian pointed out.

Ken A.
Pacific.Net

>
>
>>-----Original Message-----
>>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >>Sent: Friday, December 12, 2003 11:26 AM >>To: MAILSCANNER@JISCMAIL.AC.UK >>Subject: Re: Yahoo Developing Open Source Server Software For >>Spam-Resistant E-Mail >> >> >>Unfortunately it suffers from the same problem affecting >>pretty much all >>such systems being mooted at the moment. >> >>They seem to think that >> a ==> b >>is the same as >> not a ==> not b >>(where "==>" is "implies") >> >>The presence of a correct version of this domainkeys header >>does indeed >>imply that the message came from Yahoo server. But plenty of mail from >>perfectly valid Yahoo accounts is not sent from Yahoo servers. I, for >>example, send mail from "jules@mailscanner.info" from servers >>belonging to >>"ecs.soton.ac.uk". And I send mail from >>"mailscanner@ecs.soton.ac.uk" from >>servers belonging to BT Openworld. >> >>The lack of a correct Yahoo domainkeys header does *not* >>imply that the >>mail is not from a perfectly valid Yahoo user. >> >>So when you get a mail without a correct domainkeys header, you know >>absolutely nothing about its validity. You may like to think >>you know it is >>not a valid Yahoo account, but you are wrong. You have absolutely no >>information about whether it is valid or not. >> >>The press don't appear to understand this, and the companies' >>marketing >>teams don't either. They are trying to sell systems which are >>next to useless. >> >>Just my 2p worth... >> >>At 16:05 12/12/2003, you wrote: >> >>>It's not going to limit spam, but I think it's a step in the right >>>direction. It will also take some significant cpu power to handle the >>>DomainKeys, but it will certainly be nice to be able to >> >>trust that mail >>>FROM Yahoo.com and any other often impersonated domain that >>implements >> >>>this system actually came FROM that domain. It will also >> >>have the effect >> >>>of making domain whitelists (allow *.mydomain.com) very useful. 
>>> >>>Ken >>>Pacific.Net >>> >>> >>>Tristan Rhodes wrote: >>> >>> >>>>Since we were talking about AOL's anti-spam tactics, here >> >>is some info >> >>>>about Yahoo. >>>> >>>>"The company is developing code, called DomainKeys, that's >> >>compatible >> >>>>with Sendmail and qmail, two popular E-mail transmission >> >>programs known >> >>>>as message transfer agents. It anticipates release sometime >> >>next year. >> >>>>DomainKeys will use public key cryptography to digitally >> >>sign outgoing >> >>>>messages to reassure a public now suspicious of E-mail. " >>>> >>>>http://www.linuxpipeline.com/news/showArticle.jhtml;jsession > > id=HY12EQWM4BORKQSNDBCCKHY?articleId=16700123 > >>>What do you think of this strategy? >>> >>>Tristan >>> > > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > From robin at PRIMUS.CA Fri Dec 12 19:49:11 2003 From: robin at PRIMUS.CA (Robin M.) Date: Thu Jan 12 21:21:31 2006 Subject: cpu utilization Message-ID: Is there any way to set the nice value of MailScanner processes. I notice that when it runs top reports that MailScanner uses 99% of the cpu. I have a small mailserver which only does about 2000 messages per 24 hours. I currently have set the Queue Scan Interval = 60 Max Children = 4 The box is a powerful dual Xeon 3gigs RAM but has a very busy mod_perl/mysql website on it as well From RKearney at AZERTY.COM Fri Dec 12 20:08:46 2003 
From: RKearney at AZERTY.COM (Kearney, Rob)
Date: Thu Jan 12 21:21:31 2006
Subject: cpu utilization
Message-ID: <210DF55DED65B547896F728FB057F3B2019C4A7E@seaver.ussco.com>

you can use nice or renice..

renice will "renice" a process that is currently running
nice will set the nice value of a command you specify.

i.e.
nice -20 /usr/sbin/MailScanner
will give it the highest priority

nice 19 /usr/sbin/MailScanner
will give it the lowest priority

check the man pages out.

you may also only need 1 worker, so setting Max Children to 1 might not be a bad idea.

-rob

-----Original Message-----
From: Robin M. [mailto:robin@PRIMUS.CA]
Sent: Friday, December 12, 2003 2:49 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: cpu utilization

Is there any way to set the nice value of MailScanner processes. I notice that when it runs top reports that MailScanner uses 99% of the cpu. I have a small mailserver which only does about 2000 messages per 24 hours. I currently have set the

Queue Scan Interval = 60
Max Children = 4

The box is a powerful dual Xeon 3gigs RAM but has a very busy mod_perl/mysql website on it as well

From Kevin_Miller at CI.JUNEAU.AK.US Fri Dec 12 21:12:32 2003
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller)
Date: Thu Jan 12 21:21:31 2006
Subject: RBL defluglery...
Message-ID: <08146035CA49D6119A36009027AC822A0264EB75@CITY-EXCH-NTS>

I have a couple RBLs in the MailScanner.conf and they caught some non-spam the other day. bl.spamcop.net had blacklisted a server at a local architect's firm, and ORDB dinged another outfit down in Washington. Turns out that the local firm has been an open relay for the past 26 days, and the other was listed as an open relay a couple years ago and apparently never cleared. Probably a fly-by-night that did their spamming then moved on and didn't care, leaving a tainted IP address block behind.

For some reason, the senders of the message were never notified that they had been RBLed. Bummer. Spam action is forward to "Alphonse Spamdog" on our internal server, and delete. I thought that the RBLed messages would generate a notice to the sender. What/where do I set that? We caught one via glancing at the messages in the Alphonse inbox, and the other because an internal user complained.

I sure don't want to send "you're blocked" messages to normal spammers, but it seems like it's important to send RBL notifications to hapless legitimate users whose servers are open so they can do a beat-up on their mail administrators to close them...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Administrator, Mail Administrator
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From DARYL at MONM.EDU Fri Dec 12 21:46:55 2003
From: DARYL at MONM.EDU (Carr, Daryl B.)
Date: Thu Jan 12 21:21:31 2006
Subject: Which Virus Scanner Product
Message-ID: <995C465EA5BB0D42A493986D8D2E07508936@ntmail2.monm.edu>

I'm new. I've scoured the archives. The chart of anti-virus products for UNIX in the installation area is helpful but I can't determine which particular product to purchase.

For example; which Sophos anti-virus product should I purchase? Also, which product from which vendor do you prefer?

Thanks,
Daryl

Daryl Carr
Monmouth College
Monmouth, IL 61462

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031212/044e3e11/attachment.html

From kodak at FRONTIERHOMEMORTGAGE.COM Fri Dec 12 22:06:01 2003
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki)
Date: Thu Jan 12 21:21:31 2006
Subject: Which Virus Scanner Product
In-Reply-To: <995C465EA5BB0D42A493986D8D2E07508936@ntmail2.monm.edu>
Message-ID: <005101c3c0fc$210df400$0501a8c0@darkside>

>I'm new. I've scoured the archives. The chart of anti-virus products for UNIX in the installation
>area is helpful but I can't determine which particular product to purchase.

There's no "right" one -- that's what the chart was for. You find which license works best for your situation. Any one that works with MS is going to be OK. It's best to use multiple scanners though, as no one scanner catches everything. And one of those multiples might as well be clamav, since it's very good and it's free (in that order.)

>For example; which Sophos anti-virus product should I purchase? Also, which product from which
>vendor do you prefer?

Sophos is kind of a weird beast. When I bought it they didn't have a "one off" license so I had to buy a package that included licenses for the client machines on my network. I'm glad I did, since I'm really happy with Sophos, but you may not need that. They may have a "mailserver" version by now, I don't know -- you may want to check with a reseller.

HTH,

--J(K)

From jburzenski at AMERICANHM.COM Fri Dec 12 22:32:21 2003
From: jburzenski at AMERICANHM.COM (Jason Burzenski)
Date: Thu Jan 12 21:21:31 2006
Subject: Effort to manage MailScanner
Message-ID: <9BDD6D4AD0795C46974D7D46C17883B809185A27@ahm_exchange2>

I have faced similar situations regarding false positives. One method that I found useful was to DELETE high scoring spam and DELIVER normal spam. Using this model you can set your spam score more aggressively because users still receive the mail with a {Spam?} or similar markup in the subject line. High scoring spam (which you can keep at a high score) is rarely a false positive but I usually opt to forward to a review account to keep an eye on it.

Once you have a configuration like this in place you would either want to instruct your help desk to show users how to set up a mail rule to drop subjects containing {spam?} into a spam review folder or distribute a document to your users with the procedure.

I found this method to allow me to catch more spam while lowering the risk of true false positives. Seeing all the {Spam?} messages also lets the user populace know that the filter is working (nice side effect).

Another process I like to use (with caution) is to set up a mailbox for spam issues that users can send mail to. Most of these messages turn out to be "please black list this message, it is spam" with an occasional "please white list this domain" or even a "thank you so much, I can now get through my inbox in less than 8 hours!" Once a week you can go through the messages, document your white list, black list and possibly rules modifications, fill out your change control form (you do practice proper change management, right?) and you're all set. This administrative mailbox is the main drive for my tweaking.

NOTE: I also do not upgrade unless there is a feature I need or want.

> -----Original Message-----
> From: Pete [mailto:pete@eatathome.com.au]
> Sent: Wednesday, December 10, 2003 4:36 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Effort to manage MailScanner
>
>
> Sorry I couldn't think of a better subject heading.
>
> I have had MS running now for a full month and it appears to
> be working perfectly - in our org we cannot be too aggressive
> as false positives would draw a lot of criticism, so I have used
> almost default settings, but we get no UCEs delivered to
> staff or students and have had only one false positive so far.
>
> We have 600-700 mail accounts but only receive 1500 emails a
> day %30 being spam.
>
> I have noticed on these forums a lot of people spending a lot
> of time changing settings, adding RBLs, upgrading every new
> release or beta and I wanted to know what benefits these
> folks receive vs their effort - it's starting to make me feel
> like I should be upgrading to latest too - except I don't
> want to have my head buried in MS config every day for the
> next month - I thought this an install, config and forget
> type system, which is how I have been treating it (though I
> check quarantine daily at the moment), are you guys getting
> some benefit that I am not, or is it because you have far
> greater volumes of mail that you get more spam through MS
> and have to work harder to stop it?
>
> I suppose it's my cautious, no downtime nature that keeps us a
> few versions behind with almost all of my systems...
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031212/b4cc5055/attachment.html

From dbird at SGHMS.AC.UK Sat Dec 13 01:08:35 2003
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:21:31 2006
Subject: Internet Explorer URL Display problem
In-Reply-To: <6.0.1.1.2.20031212172756.07d818b0@imap.ecs.soton.ac.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3D5@jessica.herefordshire.gov.uk> <1071248959.3568.14.camel@localhost.localdomain> <6.0.1.1.2.20031212172756.07d818b0@imap.ecs.soton.ac.uk>
Message-ID: <3FDA6693.909@sghms.ac.uk>

Julian Field wrote:

>> I still think I would rather have MailScanner do the checking for this
>> so we can notify the recipient properly, rather than just marking
>> the message as high spam and/or deleting the message altogether. Perhaps
>> we could even have MailScanner remove the link code altogether but still
>> deliver the rest of the message.
>
for info, SA (I'm running 2.61 - not sure about previous) already has a
rule to catch these:

in 20_uri_test.cf:

# Have gotten FPs off this, and whitespace can't be in the host, so...
# % Visit my homepage: http://i.like.foo.com %
uri HTTP_ESCAPED_HOST /^https?\:\/\/[^\/\s]*%[0-9a-fA-F][0-9a-fA-F]/
describe HTTP_ESCAPED_HOST Uses %-escapes inside a URL's hostname

So the score could just be ramped up spam.assassin.prefs.conf so it hits
above high spam actions or (I'm presuming ) that test included in MCP
config.

Julian, as an aside could I (say)

score HTTP_ESCAPED_HOST 100

simply be added to mcp.spam.assassin.prefs.conf or would the rule also
have to be added to a .cf file in the MCP directory?

Regards

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
From nupur at THEARGONCOMPANY.COM Sat Dec 13 09:33:13 2003
From: nupur at THEARGONCOMPANY.COM (Nupur Dave) Date: Thu Jan 12 21:21:31 2006 Subject: Problem deleting virtual site on RaQ550 Message-ID: <200312131503.13764.nupur@theargoncompany.com> Hi , I have a Cobalt RaQ550 with MailScanner-4.24-5 and clamav 0.60 installed on it. I have noticed 2 problems while deleting a virtual site. 1. MailScanner stops functioning and hence the viruses are not trapped. 2. The /etc /proftpd.conf file is overwritten due to which my ftp settings are messed up. Can anybody provide me a link to understand why this is happening? OR Can anyone help me to undertand this problem ? -- Regards Nupur Dave Engineer-Technical Support The Argon Company 7th Floor,Nanavati Mahalaya, Fort,Mumbai-400023. Tel Number: +91-22-22882160 Helpdesk: +91-22-22882774 Website:www.theargoncompany.com From mailscanner at ecs.soton.ac.uk Sat Dec 13 10:14:07 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:31 2006 Subject: Yahoo Developing Open Source Server Software For Spam-Resista nt E-Mail In-Reply-To: <3FD9FEB8.2050905@pacific.net> References: <8FFC76593085ED4A80D3601BC41EFCDF037335C7@inex1.herffjones.hj-int> <3FD9FEB8.2050905@pacific.net> Message-ID: <6.0.1.1.2.20031213101258.027f6760@imap.ecs.soton.ac.uk> At 17:45 12/12/2003, you wrote: >Furnish, Trever G wrote: >>I for one would be quite willing to consider the ability to send email as >>domains you aren't authoritative for as a casualty of war. I think all of the (possibly millions) of people around the world who own a domain while not owning an outgoing mail server would disagree. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sat Dec 13 10:23:38 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:31 2006
Subject: Internet Explorer URL Display problem
In-Reply-To: <6.0.1.1.2.20031212172756.07d818b0@imap.ecs.soton.ac.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3D5@jessica.herefordshire.gov.uk> <1071248959.3568.14.camel@localhost.localdomain> <6.0.1.1.2.20031212172756.07d818b0@imap.ecs.soton.ac.uk>
Message-ID: <6.0.1.1.2.20031213102117.04f14d68@imap.ecs.soton.ac.uk>

At 17:29 12/12/2003, you wrote:
>At 17:09 12/12/2003, you wrote:
>>On Fri, 2003-12-12 at 03:47, Randal, Phil wrote:
>> > RFC 2396 (http://www.faqs.org/rfcs/rfc2396.html) generalises URIs.
>>
>>I only skimmed the spec. But what I gathered, unless I completely
>>misunderstood the document is that characters from %00 through %1F
>>inclusive and %7F are control characters and shouldn't be in a URI.
>>
>> Although they are disallowed within the URI syntax, we include here a
>> description of those US-ASCII characters that have been excluded and
>> the reasons for their exclusion.
>>
>> The control characters in the US-ASCII coded character set are not
>> used within a URI, both because they are non-printable and because
>> they are likely to be misinterpreted by some control mechanisms.
>>
>> control =
>>
>>So how much trouble would we cause if we just disallowed the entire
>>range of control characters from URIs? Can anyone think of a real website
>>that legitimately uses any of these control codes within their URIs? I'm
>>particularly concerned about shopping sites with their massive URIs.
>
>Sounds good to me.

The pattern for matching this is therefore

/%([01][0-9a-f]|7f).*@/i

so add this to spam.assassin.prefs.conf:

uri IE_VULN /%([01][0-9a-f]|7f).*@/i
score IE_VULN 100.0
describe IE_VULN Internet Explorer vulnerability

and then restart MailScanner.
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sat Dec 13 10:26:58 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:31 2006
Subject: Internet Explorer URL Display problem
In-Reply-To: <3FDA6693.909@sghms.ac.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3D5@jessica.herefordshire.gov.uk> <1071248959.3568.14.camel@localhost.localdomain> <6.0.1.1.2.20031212172756.07d818b0@imap.ecs.soton.ac.uk> <3FDA6693.909@sghms.ac.uk>
Message-ID: <6.0.1.1.2.20031213102627.03b1bbe8@imap.ecs.soton.ac.uk>

At 01:08 13/12/2003, you wrote:
>Julian Field wrote:
>
>>>I still think I would rather have MailScanner do the checking for this
>>>so we can notify the recipient properly, rather than just marking
>>>the message as high spam and/or deleting the message altogether. Perhaps
>>>we could even have MailScanner remove the link code altogether but still
>>>deliver the rest of the message.
>for info, SA (I'm running 2.61 - not sure about previous) already has a
>rule to catch these:
>
>in 20_uri_test.cf:
>
># Have gotten FPs off this, and whitespace can't be in the host, so...
># % Visit my homepage: http://i.like.foo.com %
>uri HTTP_ESCAPED_HOST
>/^https?\:\/\/[^\/\s]*%[0-9a-fA-F][0-9a-fA-F]/
>describe HTTP_ESCAPED_HOST Uses %-escapes inside a URL's hostname
>
>So the score could just be ramped up spam.assassin.prefs.conf so it hits
>above high spam actions or (I'm presuming ) that test included in MCP
>config.
>
>Julian, as an aside could I (say)
>
>score HTTP_ESCAPED_HOST 100
>
>simply be added to mcp.spam.assassin.prefs.conf or would the rule also
>have to be added to a .cf file in the MCP directory?

You need to add it to a .cf file in the MCP directory. MCP starts off with
no rules at all.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
From tsevy at EPX.COM Sat Dec 13 12:46:58 2003
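The two `uri` rules quoted in this thread (HTTP_ESCAPED_HOST and IE_VULN), run over constructed sample URIs, as an added example that is not code from the list or from SpamAssassin. Python's `re` stands in for Perl's regex engine, and `control_in_userinfo` is a hypothetical stricter check that only inspects the part of the authority before `@`; all hostnames and addresses are constructed.

```python
import re

# The two rule patterns exactly as quoted in the thread, transcribed for Python's re.
HTTP_ESCAPED_HOST = re.compile(r"^https?\:\/\/[^\/\s]*%[0-9a-fA-F][0-9a-fA-F]")
IE_VULN = re.compile(r"%([01][0-9a-f]|7f).*@", re.IGNORECASE)

# Hypothetical stricter check (an assumption of this example, not a SpamAssassin
# rule): only flag control characters that sit in the userinfo part of the
# authority, i.e. between "scheme://" and the last "@" before the first / ? or #.
_AUTHORITY = re.compile(r"^[a-z][a-z0-9+.\-]*://([^/?#]*)", re.IGNORECASE)
_CONTROL_ESCAPE = re.compile(r"%(?:[01][0-9a-f]|7f)", re.IGNORECASE)


def control_in_userinfo(uri):
    """True if the text before '@' in the authority holds %00-%1F, %7F or a raw control byte."""
    m = _AUTHORITY.match(uri)
    if not m:
        return False
    userinfo, at, _host = m.group(1).rpartition("@")
    if not at:
        return False  # no userinfo at all, so nothing can hide the real host
    if _CONTROL_ESCAPE.search(userinfo):
        return True
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in userinfo)


def evaluate(uri):
    """Return which of the three checks fire for one URI."""
    return {
        "HTTP_ESCAPED_HOST": bool(HTTP_ESCAPED_HOST.search(uri)),
        "IE_VULN": bool(IE_VULN.search(uri)),
        "control_in_userinfo": control_in_userinfo(uri),
    }


# Constructed sample URIs (documentation hostnames and addresses only).
SAMPLES = [
    "http://www.example.com%01@192.0.2.10/login.html",   # control escape before '@'
    "http://www.example.com%00@192.0.2.10/",             # same, with %00
    "http://shop.example.com/cart?item=blue%20shirt",    # ordinary escaped space
    "http://shop.example.com/notes?text=line1%0Aline2&contact=user@example.org",
    "http://www%2Eexample.com/index.html",                # escaped host, no '@'
    "https://user@example.com/inbox",                     # plain userinfo
    "http://www.example.com\x01@192.0.2.10/",             # raw, unescaped control byte
]


def report(samples=SAMPLES):
    """Evaluate every sample and return (uri, hits) pairs."""
    return [(uri, evaluate(uri)) for uri in samples]


if __name__ == "__main__":
    for uri, hits in report():
        fired = [name for name, hit in hits.items() if hit] or ["(none)"]
        print(f"{uri!r:85} {', '.join(fired)}")
```

The fourth sample is the one to look at before scoring IE_VULN at 100: the pattern is not anchored to the host part, so an escaped newline in a query string followed by an e-mail address also fires it.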
From: tsevy at EPX.COM (Tom Sevy) Date: Thu Jan 12 21:21:31 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <6.0.1.1.2.20031213102117.04f14d68@imap.ecs.soton.ac.uk> Message-ID: Is there a minimum version of MS & SA that is required for this to work? 
> From: Julian Field > Reply-To: MailScanner mailing list > Date: Sat, 13 Dec 2003 10:23:38 +0000 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Internet Explorer URL Display problem > > At 17:29 12/12/2003, you wrote: >> At 17:09 12/12/2003, you wrote: >>> On Fri, 2003-12-12 at 03:47, Randal, Phil wrote: >>>> RFC 2396 (http://www.faqs.org/rfcs/rfc2396.html) generalises URIs. >>> >>> I only skimmed the spec. But what I gathered, unless I completely >>> misunderstood the document is that characters from %00 through %1F >>> inclusive and %7F are control characters and shouldn't be in a URI. >>> >>> Although they are disallowed within the URI syntax, we include here a >>> description of those US-ASCII characters that have been excluded and >>> the reasons for their exclusion. >>> >>> The control characters in the US-ASCII coded character set are not >>> used within a URI, both because they are non-printable and because >>> they are likely to be misinterpreted by some control mechanisms. >>> >>> control = >>> >>> So how much trouble would we cause if we just disallowed the entire >>> range of control characters from URIs? Can anyone think of a real website >>> that legitimately uses any of these control codes within their URIs? I'm >>> particularly concerned about shopping sites with their massive URIs. >> >> Sounds good to me. > > The pattern for matching this is therefore > > /%([01][0-9a-f]|7f).*@/i > > so add this to spam.assassin.prefs.conf: > > uri IE_VULN /%([01][0-9a-f]|7f).*@/i > score IE_VULN 100.0 > describe IE_VULN Internet Explorer vulnerability > > and then restart MailScanner. > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From eja at URBAKKEN.DK Sat Dec 13 15:16:57 2003 
From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:31 2006 Subject: Patch. Message-ID: <3FDB2D69.7040501@urbakken.dk> Hi I install MailScanner on a new server. The following is shown using the ./install.sh. What patch is it that is asking for ?. [root@gateway root]# cd /opt/MailScanner-4.25-14 [root@gateway MailScanner-4.25-14]# ./install.sh You need to install the patch command from your Linux distribution. Once you have done that, please try running this script again. -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From dbird at SGHMS.AC.UK Sat Dec 13 15:15:16 2003 From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:21:31 2006 Subject: MaliScanner config in LDAP Message-ID: <3FDB2D04.7020605@sghms.ac.uk> Hi, I noticed in the "barracudanetworks devices" thread a refrence to storing the config in LDAP. Also, I've seen some code in Config.pm that will seach for values from an LDAP server. My question is are there any docs on setting it up? Dan -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From evertjan at VANRAMSELAAR.NL Sat Dec 13 15:30:41 2003 
From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar) Date: Thu Jan 12 21:21:31 2006 Subject: Patch. In-Reply-To: <3FDB2D69.7040501@urbakken.dk> References: <3FDB2D69.7040501@urbakken.dk> Message-ID: <32787.10.10.0.101.1071329441.squirrel@intranet> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Erik Jakobsen said: > Hi I install MailScanner on a new server. The following is shown using > the ./install.sh. What patch is it that is asking for ?. > You need to install the patch command from your Linux distribution. > Once you have done that, please try running this script again. It is the "patch" command itself it is asking for. The command is either not on your system or cannot be found in your PATH. - -- Evert Jan van Ramselaar Van Ramselaar Info Tech Internet Consultancy & Webdesign Mail pgpkey@vanramselaar.nl to get my G/PGP Public Key. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE/2zCYtQzUJRIC2pURAsyNAJ0V/lFyiggnq2Ts36ESTLChVrk8MwCg2T9h 1kCTQudoS2/FSG/zlkjEFd0= =2xV7 -----END PGP SIGNATURE----- From robin at PRIMUS.CA Sat Dec 13 15:24:02 2003 From: robin at PRIMUS.CA (Robin M.) Date: Thu Jan 12 21:21:31 2006 Subject: graceful shutdown Message-ID: What is the best way to hut MailScanner down. the check_mailscanner does not seem to take a stop argument. If I do kill `/usr/sbin/check_mailscanner` will this cause a problem with mail that it is currently working on ? From eja at URBAKKEN.DK Sat Dec 13 15:48:24 2003 
From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:31 2006 Subject: Patch. In-Reply-To: <32787.10.10.0.101.1071329441.squirrel@intranet> References: <3FDB2D69.7040501@urbakken.dk> <32787.10.10.0.101.1071329441.squirrel@intranet> Message-ID: <3FDB34C8.9050706@urbakken.dk> Evert Jan van Ramselaar wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Erik Jakobsen said: > >>Hi I install MailScanner on a new server. The following is shown using >>the ./install.sh. What patch is it that is asking for ?. >>You need to install the patch command from your Linux distribution. >>Once you have done that, please try running this script again. > > > It is the "patch" command itself it is asking for. The command is either > not on your system or cannot be found in your PATH. Ok thank you for this nice information, and have a nice evening. > - -- > Evert Jan van Ramselaar > Van Ramselaar Info Tech > Internet Consultancy & Webdesign > > Mail pgpkey@vanramselaar.nl to get my G/PGP Public Key. > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.7 (GNU/Linux) > > iD8DBQE/2zCYtQzUJRIC2pURAsyNAJ0V/lFyiggnq2Ts36ESTLChVrk8MwCg2T9h > 1kCTQudoS2/FSG/zlkjEFd0= > =2xV7 > -----END PGP SIGNATURE----- > > -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From mkettler at EVI-INC.COM Sat Dec 13 17:22:58 2003 
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:21:31 2006 Subject: graceful shutdown In-Reply-To: References: Message-ID: <6.0.0.22.0.20031213122133.022f0708@xanadu.evi-inc.com> At 10:24 AM 12/13/2003, Robin M. wrote: >What is the best way to hut MailScanner down. >the check_mailscanner does not seem to take a stop argument. Most current versions come with an init script... run that and pass it "stop". Where exactly init scripts go is a bit dependant on your OS vendor.. typicaly /etc/init.d and /etc/rc.d/init.d are good candidates to check on linux boxes. /etc/init.d/MailScanner stop From rgutlon at YAHOO.COM Sat Dec 13 17:13:00 2003 From: rgutlon at YAHOO.COM (Rick G) Date: Thu Jan 12 21:21:32 2006 Subject: MailScanner and FormMail Exploits Message-ID: I've noticed in our maillog that when web-based email forms are submitted they do not pass through MailScanner. I bring this up as a site I host recently had a spammer exploit (what was reported to be) a hack-proof perl based FormMail script. I became aware of this when the bounces and rejections started to arrive in the postmaster mailbox. In looking at the content of the spam message, it would have been caught as spam had it been intercepted by MailScanner. Is there a way to configure MailScanner and/or any of the rulesets so that submitted web-based forms run through the typical MailScanner checks? Rick From steve.swaney at FSL.COM Sat Dec 13 17:26:37 2003 From: steve.swaney at FSL.COM (Stephen Swaney) Date: Thu Jan 12 21:21:32 2006 Subject: graceful shutdown In-Reply-To: Message-ID: <20031213172618.D1B1321C27B@mail.fsl.com> > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Robin M. > Sent: Saturday, December 13, 2003 10:24 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: graceful shutdown > > If I do > kill `/usr/sbin/check_mailscanner` > will this cause a problem with mail that it is currently working on ? This will not work. Mail will still be received but since MailScanner is not running, this mail will just pile up in the incoming mail queue. It will not be processed, delivered or relayed. Steve Stephen Swaney President Fortress Systems Ltd. steve.swaney@fsl.com www.FSL.com From mailscanner at ecs.soton.ac.uk Sat Dec 13 17:38:29 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:32 2006 Subject: MaliScanner config in LDAP In-Reply-To: <3FDB2D04.7020605@sghms.ac.uk> References: <3FDB2D04.7020605@sghms.ac.uk> Message-ID: <6.0.1.1.2.20031213173801.0282e4f0@imap.ecs.soton.ac.uk> At 15:15 13/12/2003, you wrote: >Hi, I noticed in the "barracudanetworks devices" thread a refrence to >storing the config in LDAP. Also, I've seen some code in Config.pm that >will seach for values from an LDAP server. > >My question is are there any docs on setting it up? Not yet, sorry. I will get around to it some time... -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sat Dec 13 17:46:15 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:32 2006 Subject: MailScanner and FormMail Exploits In-Reply-To: References: Message-ID: <6.0.1.1.2.20031213174348.028a4e68@imap.ecs.soton.ac.uk> At 17:13 13/12/2003, you wrote: >I've noticed in our maillog that when web-based email forms are submitted >they do not pass through MailScanner. > >I bring this up as a site I host recently had a spammer exploit (what was >reported to be) a hack-proof perl based FormMail script. I became aware of >this when the bounces and rejections started to arrive in the postmaster >mailbox. In looking at the content of the spam message, it would have been >caught as spam had it been intercepted by MailScanner. > >Is there a way to configure MailScanner and/or any of the rulesets so that >submitted web-based forms run through the typical MailScanner checks? Your problem is that you are running a fairly old sendmail and the form handler code is invoking the sendmail binary directly. You either need to configure it so that it talks SMTP to localhost to send its mail, or else upgrade to a more recent sendmail that has the clientmqueue stuff. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sat Dec 13 17:37:47 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:32 2006
Subject: Internet Explorer URL Display problem
In-Reply-To:
References: <6.0.1.1.2.20031213102117.04f14d68@imap.ecs.soton.ac.uk>
Message-ID: <6.0.1.1.2.20031213173717.028221b8@imap.ecs.soton.ac.uk>

No.

At 12:46 13/12/2003, you wrote:
>Is there a minimum version of MS & SA that is required for this to work?
>
> > so add this to spam.assassin.prefs.conf:
> >
> > uri IE_VULN /%([01][0-9a-f]|7f).*@/i
> > score IE_VULN 100.0
> > describe IE_VULN Internet Explorer vulnerability
> >
> > and then restart MailScanner.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
From mailscanner at ecs.soton.ac.uk Sat Dec 13 17:43:25 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:32 2006
Subject: graceful shutdown
In-Reply-To: <20031213172618.D1B1321C27B@mail.fsl.com>
References: <20031213172618.D1B1321C27B@mail.fsl.com>
Message-ID: <6.0.1.1.2.20031213173956.02892e60@imap.ecs.soton.ac.uk>

At 17:26 13/12/2003, you wrote:
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> > Behalf Of Robin M.
> > Sent: Saturday, December 13, 2003 10:24 AM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: graceful shutdown
> >
> > If I do
> > kill `/usr/sbin/check_mailscanner`
> > will this cause a problem with mail that it is currently working on ?
>
>This will not work. Mail will still be received but since MailScanner is not
>running, this mail will just pile up in the incoming mail queue. It will not
>be processed, delivered or relayed.

In the MailScanner.conf file, there is a definition "PID file" which is the
name of the file that holds the main PID. Kill that process and give it 10
to 15 seconds to shut down tidily, at the end of which there should be no
MailScanner processes running.

However, as Steve says, the incoming and outgoing sendmails will still be
running, so your system is still accepting mail but doing nothing with it.
So it will just collect in the mqueue.in and will not be delivered.

If you want to stop MailScanner and start your original mail configuration
so that mail is still delivered, but not scanned, then

service MailScanner stop
sleep 15
service sendmail start
mv /var/spool/mqueue.in/* /var/spool/mqueue

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
From robin at PRIMUS.CA Sat Dec 13 17:49:12 2003
From: robin at PRIMUS.CA (Robin M.)
Date: Thu Jan 12 21:21:32 2006
Subject: graceful shutdown
In-Reply-To: <20031213172618.D1B1321C27B@mail.fsl.com>
References: <20031213172618.D1B1321C27B@mail.fsl.com>
Message-ID:

On Sat, 13 Dec 2003, Stephen Swaney wrote:
> > If I do
> > kill `/usr/sbin/check_mailscanner`
> > will this cause a problem with mail that it is currently working on ?
>
> This will not work. Mail will still be received but since MailScanner is not
> running, this mail will just pile up in the incoming mail queue. It will not
> be processed, delivered or relayed.
>
That's ok I have a separate script for the postfix in and out, and one just
for MailScanner. I do not have a redhat/suse linux so I want to just issue
the command that will gracefully stop just MailScanner. Having the queue
pile up is not a concern but I just do not want MailScanner to be
interrupted in the middle of processing a message and then possibly delete
or corrupt it.

Looking through the rpm I see the line
killproc MailScanner -15

killproc is a redhat/suse function and it appears that it will basically
do

kill -15 `/usr/sbin/check_mailscanner`

as long as MailScanner is running the output of
/usr/sbin/check_mailscanner is to print out the pids.
From mailscanner at ecs.soton.ac.uk Sat Dec 13 18:57:03 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:32 2006
Subject: graceful shutdown
In-Reply-To:
References: <20031213172618.D1B1321C27B@mail.fsl.com>
Message-ID: <6.0.1.1.2.20031213185333.0289e108@imap.ecs.soton.ac.uk>

At 17:49 13/12/2003, you wrote:
>On Sat, 13 Dec 2003, Stephen Swaney wrote:
> > > If I do
> > > kill `/usr/sbin/check_mailscanner`
> > > will this cause a problem with mail that it is currently working on ?
> >
> > This will not work. Mail will still be received but since MailScanner
> is not
> > running, this mail will just pile up in the incoming mail queue. It
> will not
> > be processed, delivered or relayed.
> >
>That's ok I have a separate script for the postfix in and out, and one just
>for MailScanner. I do not have a redhat/suse linux so I want to just issue
>the command that will gracefully stop just MailScanner. Having the queue
>pile up is not a concern but I just do not want MailScanner to be
>interrupted in the middle of processing a message and then possibly delete
>or corrupt it.

Don't worry, that can't happen. MailScanner never actually takes ownership
of a message at all. You can kill the MailScanner processes any way you
like, but if you do it with a simple "kill" command then they will tidy up
all their temporary working directories before shutting down, so you don't
leave stray temp dirs behind.

>Looking through the rpm I see the line
>killproc MailScanner -15
>
>killproc is a redhat/suse function and it appears that it will basically
>do
>
>kill -15 `/usr/sbin/check_mailscanner`

It's a bit more complicated than that, as running check_mailscanner will
output some words other than the actual list of PIDs. It prints out
"MailScanner running with pid" as well as the PIDs themselves.
So you could do

kill `/usr/sbin/check_mailscanner | sed -e 's/^MailScanner running with pid//'`

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
From faq at mailscanner.info Sun Dec 14 00:28:05 2003
From: faq at mailscanner.info (faq@mailscanner.info)
Date: Thu Jan 12 21:21:32 2006
Subject: Faq-O-Matic Error Log
Message-ID: <200312140028.hBE0S56V025881@seer.ecs.soton.ac.uk>

Errors from MailScanner Faq-O-Matic (v. 2.717):

2003-12-08-05-51-22 2.717 error faq 26352 <(noID)> The file (16>) doesn't exist.
From rgutlon at YAHOO.COM Sat Dec 13 20:08:38 2003
From: rgutlon at YAHOO.COM (Rick G)
Date: Thu Jan 12 21:21:32 2006
Subject: MailScanner and FormMail Exploits
Message-ID:

Thank you Julian. As a quick fix I switched the forms to SMTP and noticed
the submissions are being intercepted and run through the normal checks by
MailScanner.

On Sat, 13 Dec 2003 17:46:15 +0000, Julian Field wrote:
>Your problem is that you are running a fairly old sendmail and the form
>handler code is invoking the sendmail binary directly. You either need to
>configure it so that it talks SMTP to localhost to send its mail, or else
>upgrade to a more recent sendmail that has the clientmqueue stuff.
>--
>Julian Field
>www.MailScanner.info
>Professional Support Services at www.MailScanner.biz
>MailScanner thanks transtec Computers for their support
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
From Jon.Beets at PACER.COM Sat Dec 13 20:37:13 2003
From: Jon.Beets at PACER.COM (Jon Beets) Date: Thu Jan 12 21:21:32 2006 Subject: IPBlock and RaQ Message-ID: <000601c3c1b8$e40e1fe0$6401a8c0@pgx01> I apologize in advance for being an idiot.. :) I have MailScanner 4.26-1 installed on my RaQ 550.. I cannot locate the IPBlock settings on any of the .conf files.. Am I still looking in the wrong place or does it not exist in the MailScanner version I am running? I have already searched the archives.. ( I am a relative newbie to *nix). Jon Beets From ryan.egeland at OXAMER.COM Sat Dec 13 20:41:28 2003 
From: ryan.egeland at OXAMER.COM (Ryan D. Egeland) Date: Thu Jan 12 21:21:32 2006 Subject: Oversight in MailScanner's Bayes Implementation? Message-ID: <6.0.1.1.2.20031213202239.04ac3818@egeland.net> It appears the Bayes feature available through spamassassin specifically the way MailScanner implements it evaluates all incoming mail in a bulk fashion, i.e. each individual user does not have his own Bayes database. Is my assumption correct? If so, it seems the power of the Bayes analysis seems markedly reduced through the default MailScanner configuration. As the accuracy of the Bayes algorithm relies upon the specific patterns unique to each individual user's collection of spam and ham, processing all incoming mail to a single Bayes database seems less powerful than per-user databases. Of course, with a small number of users receiving similar types of incoming ham and spam, the decrease in Bayes accuracy might not be noticable. But with larger variations in incoming mail between users, could this not reduce the power of the Bayes implementation to the standard of the traditional spamassassin rules? My own experience seems to suggest so. A recent addition of a user with quite different spam and ham patterns from others on the same server seemed to qualitatively increase the false negatives for all users. Migration of his account to a seperate server immediately restored the spam detection accuracy. I'm sure per-user databases would be possible through a hack of MailScanner, but might their default availability in a future release enhance MailScanner's sophistication? From isp-list at TULSACONNECT.COM Sat Dec 13 21:45:25 2003 
From: isp-list at TULSACONNECT.COM (ISP List) Date: Thu Jan 12 21:21:32 2006 Subject: Oversight in MailScanner's Bayes Implementation? In-Reply-To: <6.0.1.1.2.20031213202239.04ac3818@egeland.net> Message-ID: <5.2.1.1.2.20031213154310.070d0ea0@securemail.tulsaconnect.com> At 08:41 PM 12/13/2003 +0000, Ryan D. Egeland wrote: >It appears the Bayes feature available through spamassassin specifically >the way MailScanner implements it evaluates all incoming mail in a bulk >fashion, i.e. each individual user does not have his own Bayes database. > >Is my assumption correct? Yes. >If so, it seems the power of the Bayes analysis seems markedly reduced >through the default MailScanner configuration. Somewhat, maybe. However, there is no practical/scalable way to implement a per-user Bayes database that MailScanner (or rather, SA) checks that I can think of. The best approach is to use MailScanner+SA at the relays and let the user do a second line of Bayesian filtering on their mail client (many of which are adding Bayesian stuff, e.g. Mozilla Mail/Thunderbird, Eudora 6.0, SpamBayes for Outlook, and others..) --------------------------------------- Mike Bacher / mike@sparklogic.com SparkLogic Development / ISP Consulting Use OptiGold ISP? Check out OptiSkin! http://www.sparklogic.com/optiskin/ --------------------------------------- From mkettler at EVI-INC.COM Sat Dec 13 21:59:53 2003 
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:21:32 2006 Subject: Oversight in MailScanner's Bayes Implementation? In-Reply-To: <6.0.1.1.2.20031213202239.04ac3818@egeland.net> References: <6.0.1.1.2.20031213202239.04ac3818@egeland.net> Message-ID: <6.0.0.22.0.20031213164609.02307e88@xanadu.evi-inc.com> At 03:41 PM 12/13/2003, Ryan D. Egeland wrote: >t appears the Bayes feature available through spamassassin specifically >the way MailScanner implements it evaluates all incoming mail in a bulk >fashion, i.e. each individual user does not have his own Bayes database. > >Is my assumption correct? Yes, that is correct. However, the default manner in which SA processes bayes makes per-user bayes an impossiblity on many mailservers. You see, in order to do per-user bayes the way SA does it, you need an account for every user on your server. Many mailservers that run MailScanner are relaying servers, like mine. This means that my mailserver doesn't have accounts or home directories per-user. Yes, it's well known you get reduced accuracy by doing an aggregate bayes database, but it's not THAT significant in most real-world cases. In fact, in some real-world cases you get *better* accuracy, because some users get too little mail to ever have enough tokens in their bayes DB, and thus can't reap the benefits if the implementation is per-user. The only significant case where per-user matters a lot is where all your users get enough mail to have large bayes DBs, and you have two sub-groups which have conflicting spam/nonspam email patterns. ie: if you bayes together a bunch of sysadmins and a bunch of mortgage brokers, you're going to have problems. It's theoretically possible for MailScanner to do per-user bayes with some substantial work on Julian's part, but I'd question the value of it. If you realistically think it's that big a deal, do some side-by-side tests with corpii, and generate some hard factual statistics that show just how bad it is.. 
But I can tell you from my real-world experience using bayes with mailscanner in a site-wide mode for a 100ish-user corporate network, it works quite well. From mailscanner at ecs.soton.ac.uk Sun Dec 14 11:31:06 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:32 2006 Subject: IPBlock and RaQ In-Reply-To: <000601c3c1b8$e40e1fe0$6401a8c0@pgx01> References: <000601c3c1b8$e40e1fe0$6401a8c0@pgx01> Message-ID: <6.0.1.1.2.20031214112850.028acaf8@imap.ecs.soton.ac.uk> Read /usr/lib/MailScanner/MailScanner/CustomConfig.pm and search for IPBlock. There is a bunch of docs in there that will tell you how to add this feature very simply. I haven't made it into a mainstream feature as it currently only works with sendmail. If anyone wants to take a look at it and work out how to do similar controls for postfix, zmailer and exim, I would very much appreciate it. At 20:37 13/12/2003, you wrote: >I apologize in advance for being an idiot.. :) > >I have MailScanner 4.26-1 installed on my RaQ 550.. I cannot locate the >IPBlock settings on any of the .conf files.. Am I still looking in the wrong >place or does it not exist in the MailScanner version I am running? I have >already searched the archives.. ( I am a relative newbie to *nix). > >Jon Beets -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From wppiphoto at wppi.com Sun Dec 14 18:03:18 2003 
From: wppiphoto at wppi.com (SW) Date: Thu Jan 12 21:21:32 2006 Subject: Mailscanner not scanning e-mails Message-ID: <005301c3c26c$8d9dee60$3a95a644@Toshiba> I've installed Mailscanner 4.25-14 on a Raq3 server but I think I did something wrong because e-mails are not being scanned by mailscanner (no e-mail headers are being added X-MailScanner). I've checked to make sure mailscanner is running and everything seems fine: [root@ns1 admin]# ps auxw | grep -i mail root 690 0.0 4.1 11728 10596 ? S 03:26 0:00 perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/Ma root 693 0.0 0.0 0 0 ? Z 03:26 0:00 [MailScanner ] root 809 0.0 0.0 0 0 ? Z 03:26 0:00 [MailScanner ] root 813 0.0 0.0 0 0 ? Z 03:26 0:00 [MailScanner ] root 821 0.0 0.0 0 0 ? Z 03:26 0:00 [MailScanner ] root 25062 0.0 0.5 2364 1344 ? S 11:31 0:00 sendmail: server pcp03455749pcs.csouth01.va.comcast.net [68.57.171.42 root 25083 0.0 0.5 2388 1404 ? S 11:31 0:00 sendmail: LAA25083 pcp03455749pcs.csouth01.va.comcast.net [68.57.171. root 26616 0.0 0.8 3284 2124 ? S 12:01 0:00 perl /usr/lib/MailScanner/f-prot-autoupdate /usr/local/f-prot root 26892 0.0 0.4 2048 1072 ? S 12:04 0:00 sendmail: accepting connections on port 25 root 27853 0.0 0.5 2640 1396 ? S 12:25 0:00 sendmail: MAA27851 mail.labalaba.com.: user open root 28090 0.0 0.5 2640 1412 ? S 12:30 0:00 sendmail: MAA28088 c240.dsg.uniroma1.it.: user open root 28466 21.0 0.0 0 0 ? Z 12:37 0:00 [MailScanner ] root 28468 0.0 0.1 1196 472 pts/0 S 12:37 0:00 grep -i mail I think my problem occurred when I tried to follow the instructions I followed ( ) about moving the mqueue/q*/* etc. Can someone help on what I should have in sendmail.conf and Mailscanner.conf to scan e-mails. BTW, I also installed f-prot and spamassassin on this machine to work with mailscanner. Thanks, SW From Jon.Beets at PACER.COM Sun Dec 14 17:44:24 2003 
From: Jon.Beets at PACER.COM (Jon Beets) Date: Thu Jan 12 21:21:32 2006 Subject: IPBlock and RaQ - Fixed.. But now a new problem In-Reply-To: <6.0.1.1.2.20031214112850.028acaf8@imap.ecs.soton.ac.uk> Message-ID: <003001c3c26b$3d83c180$6401a8c0@pgx01> I did find it and have it working Thanks... My problem now is after upgrading sendmail and restarting MailScanner I get a SASL warning: incoming sendmail: Warning: Option: AuthMechanisms requires SASL support (-DSASL) Warning: Option: CACERTPath requires TLS support ok outgoing sendmail: Warning: Option: AuthMechanisms requires SASL support (-DSASL) Warning: Option: CACERTPath requires TLS support ok I found what appears to be a fix but am wary of doing it since it seems somewhat involved and requires cyrus-ssl to be installed... Jon -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: Sunday, December 14, 2003 5:31 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: IPBlock and RaQ Read /usr/lib/MailScanner/MailScanner/CustomConfig.pm and search for IPBlock. There is a bunch of docs in there that will tell you how to add this feature very simply. I haven't made it into a mainstream feature as it currently only works with sendmail. If anyone wants to take a look at it and work out how to do similar controls for postfix, zmailer and exim, I would very much appreciate it. At 20:37 13/12/2003, you wrote: >I apologize in advance for being an idiot.. :) > >I have MailScanner 4.26-1 installed on my RaQ 550.. I cannot locate the >IPBlock settings on any of the .conf files.. Am I still looking in the wrong >place or does it not exist in the MailScanner version I am running? I have >already searched the archives.. ( I am a relative newbie to *nix). > >Jon Beets -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From raymond at PROLOCATION.NET Sun Dec 14 18:21:45 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:32 2006 Subject: Mailscanner not scanning e-mails In-Reply-To: <005301c3c26c$8d9dee60$3a95a644@Toshiba> Message-ID: Hi! > /usr/lib/MailScanner/f-prot-autoupdate /usr/local/f-prot > root 26892 0.0 0.4 2048 1072 ? S 12:04 0:00 sendmail: > accepting connections on port 25 > root 27853 0.0 0.5 2640 1396 ? S 12:25 0:00 sendmail: > MAA27851 mail.labalaba.com.: user open > root 28090 0.0 0.5 2640 1412 ? S 12:30 0:00 sendmail: > MAA28088 c240.dsg.uniroma1.it.: user open > root 28466 21.0 0.0 0 0 ? Z 12:37 0:00 [MailScanner > ] > root 28468 0.0 0.1 1196 472 pts/0 S 12:37 0:00 grep -i mail > > I think my problem occurred when I tried to follow the instructions I > followed ( ) about moving the mqueue/q*/* etc. Can someone help on what I > should have in sendmail.conf and Mailscanner.conf to scan e-mails. > > BTW, I also installed f-prot and spamassassin on this machine to work with > mailscanner. Analyze this step by step. Take out SpamAssassin in your config and restart. Most likely you have a configuration issue... Bye, Raymond. From mailscanner at ecs.soton.ac.uk Sun Dec 14 18:31:18 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:32 2006 Subject: Mailscanner not scanning e-mails In-Reply-To: <005301c3c26c$8d9dee60$3a95a644@Toshiba> References: <005301c3c26c$8d9dee60$3a95a644@Toshiba> Message-ID: <6.0.1.1.2.20031214182955.03694250@imap.ecs.soton.ac.uk> At 18:03 14/12/2003, you wrote: >root 693 0.0 0.0 0 0 ? Z 03:26 0:00 [MailScanner >] >root 809 0.0 0.0 0 0 ? Z 03:26 0:00 [MailScanner >] >root 813 0.0 0.0 0 0 ? Z 03:26 0:00 [MailScanner >] >root 821 0.0 0.0 0 0 ? Z 03:26 0:00 [MailScanner >] Take a look at MailScanner entries in your maillog. Looks like a configuration error. Best idea is to start from a default setup with no local tweaks at all, then slowly introduce the extras. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From wppiphoto at wppi.com Sun Dec 14 18:38:21 2003 
From: wppiphoto at wppi.com (SW) Date: Thu Jan 12 21:21:32 2006 Subject: Mailscanner not scanning e-mails References: Message-ID: <00a701c3c271$73228140$3a95a644@Toshiba> Raymond, I've tried that, Mailscanner never really scanned any e-mails. It starts fine and runs but it doesn't scan any incoming or outgoing e-mails. This is why I think something is wrong w/ where mailscanner looks for incoming/outgoing e-mails and where cobalt sendmail puts them. Also, when I try to run /etc/rc.d/init.d/Mailscanner stop or stop, I get the following error message: [root@ns1 admin]# /etc/rc.d/init.d/MailScanner start Starting MailScanner daemons: incoming sendmail: 554 readcf: unknown option name PidFile ok outgoing sendmail: readcf: unknown option name PidFile ok MailScanner: ok [root@ns1 admin]# /etc/rc.d/init.d/MailScanner stop Shutting down MailScanner daemons: MailScanner: MailScanner ok incoming sendmail: head: /var/run/sendmail.in.pid: No such file or directory ok outgoing sendmail: head: /var/run/sendmail.out.pid: No such file or directory ok I've read some e-mails which say that is due to Cobalt using sendmail v. 8.9.3. Thanks, SW ----- Original Message ----- 
From: "Raymond Dijkxhoorn" To: Sent: Sunday, December 14, 2003 1:21 PM Subject: Re: Mailscanner not scanning e-mails Hi! > /usr/lib/MailScanner/f-prot-autoupdate /usr/local/f-prot > root 26892 0.0 0.4 2048 1072 ? S 12:04 0:00 sendmail: > accepting connections on port 25 > root 27853 0.0 0.5 2640 1396 ? S 12:25 0:00 sendmail: > MAA27851 mail.labalaba.com.: user open > root 28090 0.0 0.5 2640 1412 ? S 12:30 0:00 sendmail: > MAA28088 c240.dsg.uniroma1.it.: user open > root 28466 21.0 0.0 0 0 ? Z 12:37 0:00 [MailScanner > ] > root 28468 0.0 0.1 1196 472 pts/0 S 12:37 0:00 grep -i mail > > I think my problem occurred when I tried to follow the instructions I > followed ( ) about moving the mqueue/q*/* etc. Can someone help on what I > should have in sendmail.conf and Mailscanner.conf to scan e-mails. > > BTW, I also installed f-prot and spamassassin on this machine to work with > mailscanner. Analyze this step by step. Take out SpamAssassin in your config and restart. Most likely you have a configuration issue... Bye, Raymond. From wppiphoto at wppi.com Sun Dec 14 19:08:52 2003 
From: wppiphoto at wppi.com (SW) Date: Thu Jan 12 21:21:32 2006 Subject: Mailscanner not scanning e-mails References: <005301c3c26c$8d9dee60$3a95a644@Toshiba> <6.0.1.1.2.20031214182955.03694250@imap.ecs.soton.ac.uk> Message-ID: <00c601c3c275$c0327400$3a95a644@Toshiba> Julian, Yeap, you were right. It seemed that in mailscanner.conf, virus scanners = I was missing the 's' at the end of scanners. I fixed that and now in my logs I see the following: Dec 14 13:45:22 ns1 MailScanner[697]: MailScanner E-Mail Virus Scanner version 4.25-14 starting... Dec 14 13:45:23 ns1 sendmail[730]: starting daemon (8.9.3): SMTP+queueing@01:00:00 Dec 14 13:45:32 ns1 MailScanner[810]: MailScanner E-Mail Virus Scanner version 4.25-14 starting... Dec 14 13:45:33 ns1 MailScanner[697]: Using locktype = flock Dec 14 13:45:33 ns1 MailScanner[697]: New Batch: Found 6 messages waiting Dec 14 13:45:33 ns1 MailScanner[697]: New Batch: Scanning 4 messages, 4618 bytes Dec 14 13:45:33 ns1 MailScanner[697]: Spam Checks: Starting Dec 14 13:45:38 ns1 MailScanner[810]: Using locktype = flock Dec 14 13:45:42 ns1 MailScanner[819]: MailScanner E-Mail Virus Scanner version 4.25-14 starting... Dec 14 13:45:43 ns1 MailScanner[697]: RBL Check ORDB-RBL timed out and was killed, consecutive failure 1 of 7 Dec 14 13:45:49 ns1 MailScanner[819]: Using locktype = flock Dec 14 13:45:53 ns1 MailScanner[838]: MailScanner E-Mail Virus Scanner version 4.25-14 starting... Dec 14 13:45:53 ns1 MailScanner[697]: Virus and Content Scanning: Starting Dec 14 13:45:55 ns1 MailScanner[697]: Uninfected: Delivered 4 messages Dec 14 13:46:00 ns1 MailScanner[838]: Using locktype = flock Dec 14 13:46:02 ns1 MailScanner[870]: MailScanner E-Mail Virus Scanner version 4.25-14 starting... Dec 14 13:46:08 ns1 MailScanner[870]: Using locktype = flock But still no header info in the e-mails. I think Mailscanner is looking somewhere where there are 4 old messages which it scans but are not delivered. Does this make any sense? 
The RBL check failing is I think due to our firewall which blocks entire IP blocks. I need to check what IP it uses and port to allow traffic out/in thru our firewall. Thanks for all the help! SW ----- Original Message ----- From: "Julian Field" To: Sent: Sunday, December 14, 2003 1:31 PM Subject: Re: Mailscanner not scanning e-mails At 18:03 14/12/2003, you wrote: >root 693 0.0 0.0 0 0 ? Z 03:26 0:00 [MailScanner >] >root 809 0.0 0.0 0 0 ? Z 03:26 0:00 [MailScanner >] >root 813 0.0 0.0 0 0 ? Z 03:26 0:00 [MailScanner >] >root 821 0.0 0.0 0 0 ? Z 03:26 0:00 [MailScanner >] Take a look at MailScanner entries in your maillog. Looks like a configuration error. Best idea is to start from a default setup with no local tweaks at all, then slowly introduce the extras. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sun Dec 14 19:49:40 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:32 2006 Subject: Mailscanner not scanning e-mails In-Reply-To: <00c601c3c275$c0327400$3a95a644@Toshiba> References: <005301c3c26c$8d9dee60$3a95a644@Toshiba> <6.0.1.1.2.20031214182955.03694250@imap.ecs.soton.ac.uk> <00c601c3c275$c0327400$3a95a644@Toshiba> Message-ID: <6.0.1.1.2.20031214194839.03730ec0@imap.ecs.soton.ac.uk> If you are running 8.9.3, then MailScanner won't scan mail created by invoking the sendmail binary directly. You need to tell whatever you are using to send mail via an SMTP server called localhost. At 19:08 14/12/2003, you wrote: >Julian, > >Yeap, you were right. It seemed that in mailscanner.conf, virus scanners = >I was missing the 's' at the end of scanners. I fixed that and now in my >logs I see the following: > >Dec 14 13:45:22 ns1 MailScanner[697]: MailScanner E-Mail Virus Scanner >version 4.25-14 starting... >Dec 14 13:45:23 ns1 sendmail[730]: starting daemon (8.9.3): >SMTP+queueing@01:00:00 >Dec 14 13:45:32 ns1 MailScanner[810]: MailScanner E-Mail Virus Scanner >version 4.25-14 starting... >Dec 14 13:45:33 ns1 MailScanner[697]: Using locktype = flock >Dec 14 13:45:33 ns1 MailScanner[697]: New Batch: Found 6 messages waiting >Dec 14 13:45:33 ns1 MailScanner[697]: New Batch: Scanning 4 messages, 4618 >bytes >Dec 14 13:45:33 ns1 MailScanner[697]: Spam Checks: Starting >Dec 14 13:45:38 ns1 MailScanner[810]: Using locktype = flock >Dec 14 13:45:42 ns1 MailScanner[819]: MailScanner E-Mail Virus Scanner >version 4.25-14 starting... >Dec 14 13:45:43 ns1 MailScanner[697]: RBL Check ORDB-RBL timed out and was >killed, consecutive failure 1 of 7 >Dec 14 13:45:49 ns1 MailScanner[819]: Using locktype = flock >Dec 14 13:45:53 ns1 MailScanner[838]: MailScanner E-Mail Virus Scanner >version 4.25-14 starting... 
>Dec 14 13:45:53 ns1 MailScanner[697]: Virus and Content Scanning: Starting >Dec 14 13:45:55 ns1 MailScanner[697]: Uninfected: Delivered 4 messages >Dec 14 13:46:00 ns1 MailScanner[838]: Using locktype = flock >Dec 14 13:46:02 ns1 MailScanner[870]: MailScanner E-Mail Virus Scanner >version 4.25-14 starting... >Dec 14 13:46:08 ns1 MailScanner[870]: Using locktype = flock > >But still no header info in the e-mails. I think Mailscanner is looking >somewhere where there are 4 old messages which it scans but are not >delivered. Does this make any sense? > >The RBL check failing is I think due to our firewall which blocks entire IP >blocks. I need to check what IP it uses and port to allow traffic out/in >thru our firewall. > >Thanks for all the help! > >SW >----- Original Message ----- >From: "Julian Field" >To: >Sent: Sunday, December 14, 2003 1:31 PM >Subject: Re: Mailscanner not scanning e-mails > > >At 18:03 14/12/2003, you wrote: > >root 693 0.0 0.0 0 0 ? Z 03:26 0:00 [MailScanner > >] > >root 809 0.0 0.0 0 0 ? Z 03:26 0:00 [MailScanner > >] > >root 813 0.0 0.0 0 0 ? Z 03:26 0:00 [MailScanner > >] > >root 821 0.0 0.0 0 0 ? Z 03:26 0:00 [MailScanner > >] > >Take a look at MailScanner entries in your maillog. Looks like a >configuration error. Best idea is to start from a default setup with no >local tweaks at all, then slowly introduce the extras. >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From drew at THEMARSHALLS.CO.UK Sun Dec 14 20:33:34 2003 
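Added example (not part of the thread and not MailScanner project code): a Python audit for the symptom discussed above, delivered mail without the X-MailScanner header, that reports how each unscanned message entered the gateway, so mail handed to the sendmail binary directly can be told apart from mail that arrived over SMTP. The hostname, the sample messages and the header value are constructed, and the Received-line shapes assume sendmail's usual format.

```python
import email
import re

# Header name as quoted in the thread; a site may configure a different one.
SCANNER_HEADER = "X-MailScanner"
# Constructed gateway hostname (the thread's logs only show "ns1").
OUR_HOST = "ns1.example.com"

# Constructed sample messages, not taken from the thread.
SAMPLES = [
    # 1. Arrived over SMTP and carries the scanner header (value is constructed).
    "Received: from mail.example.net (mail.example.net [192.0.2.10])\n"
    "\tby ns1.example.com (8.9.3/8.9.3) with ESMTP id NAA00731\n"
    "\tfor <user@example.com>; Sun, 14 Dec 2003 13:45:20 -0500\n"
    "Message-ID: <scanned-1@example.net>\n"
    "X-MailScanner: Found to be clean\n"
    "Subject: quarterly report\n\nbody\n",
    # 2. Handed to the sendmail binary by a local process: no scanner header.
    "Received: (from httpd@localhost)\n"
    "\tby ns1.example.com (8.9.3/8.9.3) id NAA00755\n"
    "\tfor user@example.com; Sun, 14 Dec 2003 13:50:02 -0500\n"
    "Message-ID: <webform-2@ns1.example.com>\n"
    "Subject: contact form\n\nbody\n",
    # 3. Arrived over SMTP via an upstream relay, yet has no scanner header.
    "Received: from relay.example.org (relay.example.org [198.51.100.7])\n"
    "\tby ns1.example.com (8.9.3/8.9.3) with SMTP id NAA00802;\n"
    "\tSun, 14 Dec 2003 13:52:41 -0500\n"
    "Received: from desktop (desktop [10.0.0.5])\n"
    "\tby relay.example.org with SMTP; Sun, 14 Dec 2003 13:52:39 -0500\n"
    "Message-ID: <unscanned-3@example.org>\n"
    "Subject: hello\n\nbody\n",
]


def entry_hop(msg, our_host):
    """Return (path, origin) for the hop at which our_host first took the message.

    path is "local-binary" for "(from user@localhost)" submissions,
    "smtp" for "from <host> ..." hops, and "unknown" otherwise.
    """
    # Received headers are prepended, so the last one is the oldest hop.
    for raw in reversed(msg.get_all("Received", [])):
        hop = " ".join(raw.split())          # unfold continuation lines
        by = re.search(r"\bby\s+(\S+)", hop)
        if not by or by.group(1).lower() != our_host.lower():
            continue                         # hop belongs to another server
        local = re.match(r"\(from\s+([^)\s]+)\)", hop)
        if local:
            return "local-binary", local.group(1)
        smtp = re.match(r"from\s+(\S+)", hop)
        if smtp:
            return "smtp", smtp.group(1)
    return "unknown", ""


def audit(raw_messages, our_host, header=SCANNER_HEADER):
    """List every message that lacks the scanner header, with its entry path."""
    findings = []
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        if msg.get(header) is not None:
            continue                         # scanner stamped this message
        path, origin = entry_hop(msg, our_host)
        findings.append({"id": msg.get("Message-ID", "?"),
                         "path": path, "origin": origin})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLES, OUR_HOST):
        print("{id}: no {hdr} header, entered via {path} ({origin})".format(
            hdr=SCANNER_HEADER, **finding))
```

A "local-binary" finding matches the case Julian describes for sendmail 8.9.3; an "smtp" finding means mail that came in over SMTP was delivered without the header, so the queue paths the scanner watches are the place to look.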
From: drew at THEMARSHALLS.CO.UK (Drew Marshall) Date: Thu Jan 12 21:21:32 2006 Subject: Postfix message duplication - again! Message-ID: <3FDCC91E.9070902@themarshalls.co.uk> I have read many threads on both the MailScanner mailing list and the Postfix groups about this problem but haven't yet seen a solution. I guess the first question is, is there a solution? I love MS and have done since I first deployed it on my first trip to Linux (On Sendmail) and latterly, having got fed up with the patching required, on Postfix (When the MS for Postfix first was released). I have only recently been having these duplication problems and started looking for answers to find the author of Postfix says not to use MailScanner as it 'Gropes mail files from the active queue'. While understandable from his point of view, not helpful to me, an inexperienced *nix admin just looking to implement easy, fast and safe computing for my users (Hence my love for Postfix and MailScanner, both excellent, fast and simple to administer). I have played with Exim but disliked its config setup and seemed very complex to set up to use my MySQL alias database, domain list etc. I also played with AMAVIS-new (For two hours and gave up when I found the full extent of the feature set!) which is 'approved for Postfix use'. If there is no current cure for the Postfix problem, is there any way to pipe the mail to MailScanner or even bolt a SMTP engine to it to receive the mail like AMAVIS (Which would then extend MS for use with all MTAs?!)? Sorry for the long post but I am quite passionate about this one ;-) Regards From mark.carbonaro at IT.ALSTOM.COM.AU Sun Dec 14 21:28:55 2003 
From: mark.carbonaro at IT.ALSTOM.COM.AU (Mark Carbonaro) Date: Thu Jan 12 21:21:32 2006 Subject: Nested rulesets or Multiple ruleset conditions Message-ID: I have a need to use a nested ruleset within MS. Is this possible? I am unable to find anything in the documentation about this. To help understand my reason here is my scenario... One division of my company needs to relay (almost) all email off a third party (they provide virus scanning services, its political & not something I can change). We have a central SMTP server that runs Postfix & MS and I am able to send route all email successfully by having 2 outbound Postfix queues (and 2 instances of outbound postfix), the first queue delivers directly while the second sends all email to the relay (for scanning etc). I did this by using a ruleset on the outbound queue config line (works great), all email from that server (192.168.0.29) is put in the second queue and off she goes. The problem is that there is one mailbox on that server that should not be sent via the second queue (I can't go into details why, it just can't :-), that server is running MSExchange 5.5 so my email routing options are very limited. My way of thinking is to implement a nested ruleset that looks like this... ruleset1.rules From: 192.168.0.29 /opt/MailScanner/etc/rules/ruleset2.rules FromorTo: default /var/spool/postfix/incoming ruleset2.rules From: *@mycompany.com /var/spool/postfix.thirdparty/incoming FromOrTo: default /var/spool/postfix/incoming To avoid mail routing loops (if that's possible) I don't want to just have one ruleset with *@mycompany.com as some of our monitoring equipment uses an @mycompany.com email address and they are sent to @mycompany.com addresses. Or is it possible to have multiple conditions in the ruleset, e.g. 
From: 192.168.0.29 AND *@mycompany.com? I hope that all makes sense, maybe I'm just looking at this the wrong way, please feel free to provide suggestions on how I might do this better. Thank you for your time. Cheers, Mark _____________________________________________________________________ CONFIDENTIALITY: This e-mail and any attachments are confidential and may be privileged. If you are not a named recipient,please notify the sender immediately and do not disclose the contents to another person, use it for any purpose or store or copy the information in any medium. From csm-lists at CSMA.BIZ Sun Dec 14 23:04:56 2003 From: csm-lists at CSMA.BIZ (Corey S. McFadden) Date: Thu Jan 12 21:21:32 2006 Subject: OT: Linux Exchange Server Message-ID: <6.0.0.22.0.20031214175838.027ac7a8@mail.csma.biz> Sorry for the OT post, but I wanted to solicit some informed opinions and couldn't think of a better group... I was wondering what experiences anyone has had with some of the 3rd-party MS Exchange Server simulators for Linux. We evaluated a couple of solutions about a year ago without going very far with it, but are going to be revisiting the subject for a new client. (Have you seen Exchange Server 2003 CAL costs?!) In the past, OpenExchange looked very attractive, but we don't have any practical experience with it. Anyhow, if anyone can offer any personal experience with OpenExchange or any of the other products (off-list if you like) I would appreciate it! -Corey -- Corey S. McFadden & Associates, Technology Consultants main +1.215.689.4984 - direct +1.610.972.4347 c@csma.biz - www.csma.biz ********************************************* This message has been scanned for viruses and dangerous content, and is believed to be clean. From mike at CAMAROSS.NET Sun Dec 14 23:09:06 2003 
From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:21:32 2006 Subject: Linux Exchange Server In-Reply-To: <6.0.0.22.0.20031214175838.027ac7a8@mail.csma.biz> Message-ID: <200312142308.hBEN8vxC016091@avwall.bladeware.com> I run 3 OpenExchange servers and like them very well. None of them accept email from the internet though. I run a MailScanner box in front of them and forward on using mailertable. I've had no problems with reliability or connection with MUA's. I'm pleased with the outcome. Mike > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Corey S. McFadden > Sent: Sunday, December 14, 2003 5:05 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: OT: Linux Exchange Server > > Sorry for the OT post, but I wanted to solicit some informed > opinions and couldn't think of a better group... > > I was wondering what experiences anyone has had with some of > the 3rd-party MS Exchange Server simulators for Linux. We > evaluated a couple of solutions about a year ago without > going very far with it, but are going to be revisiting the > subject for a new client. (Have you seen Exchange Server > 2003 CAL costs?!) In the past, OpenExchange looked very > attractive, but we don't have any practical experience with it. > > Anyhow, if anyone can offer any personal experience with > OpenExchange or any of the other products (off-list if you > like) I would appreciate it! > > -Corey > > > > -- > Corey S. McFadden & Associates, > Technology Consultants > main +1.215.689.4984 - direct +1.610.972.4347 c@csma.biz - > www.csma.biz > > > ********************************************* > This message has been scanned for viruses and dangerous > content, and is believed to be clean. > From mike at TC3NET.COM Sun Dec 14 23:12:07 2003 
From: mike at TC3NET.COM (Michael Baird) Date: Thu Jan 12 21:21:32 2006 Subject: Linux Exchange Server In-Reply-To: <200312142308.hBEN8vxC016091@avwall.bladeware.com> References: <200312142308.hBEN8vxC016091@avwall.bladeware.com> Message-ID: <1071443526.1697.15.camel@localhost.localdomain> Check out the bynari connector, http://www.bynari.net and ExchangeIT http://net-itech.com/america/products/pd_exchangeit.htm, of course Samsung Contact is out there, and one other one I can't remember which showed promise, openexchange isn't exactly low cost. Regards MIKE > I run 3 OpenExchange servers and like them very well. None of them accept > email from the internet though. I run a MailScanner box in front of them > and forward on using mailertable. I've had no problems with reliability or > connection with MUA's. I'm pleased with the outcome. > > Mike > > > > -----Original Message----- 
> > From: MailScanner mailing list > > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Corey S. McFadden > > Sent: Sunday, December 14, 2003 5:05 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: OT: Linux Exchange Server > > > > Sorry for the OT post, but I wanted to solicit some informed > > opinions and couldn't think of a better group... > > > > I was wondering what experiences anyone has had with some of > > the 3rd-party MS Exchange Server simulators for Linux. We > > evaluated a couple of solutions about a year ago without > > going very far with it, but are going to be revisiting the > > subject for a new client. (Have you seen Exchange Server > > 2003 CAL costs?!) In the past, OpenExchange looked very > > attractive, but we don't have any practical experience with it. > > > > Anyhow, if anyone can offer any personal experience with > > OpenExchange or any of the other products (off-list if you > > like) I would appreciate it! > > > > -Corey > > > > > > > > -- > > Corey S. McFadden & Associates, > > Technology Consultants > > main +1.215.689.4984 - direct +1.610.972.4347 c@csma.biz - > > www.csma.biz > > > > > > ********************************************* > > This message has been scanned for viruses and dangerous > > content, and is believed to be clean. > > > From sevans at FOUNDATION.SDSU.EDU Mon Dec 15 00:31:05 2003 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:21:32 2006 Subject: Linux Exchange Server Message-ID: <3A411846CD3C0D4CB3D8704F937353701641BB@be-00.foundation.sdsu.edu> I'm assuming you've done more research on the price of the CAL's than the Microsoft Exchange website? I don't anyone pays the $67 list price. Steve Evans SDSU Foundation -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Corey S. McFadden Sent: Sunday, December 14, 2003 3:05 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: OT: Linux Exchange Server Sorry for the OT post, but I wanted to solicit some informed opinions and couldn't think of a better group... I was wondering what experiences anyone has had with some of the 3rd-party MS Exchange Server simulators for Linux. We evaluated a couple of solutions about a year ago without going very far with it, but are going to be revisiting the subject for a new client. (Have you seen Exchange Server 2003 CAL costs?!) In the past, OpenExchange looked very attractive, but we don't have any practical experience with it. Anyhow, if anyone can offer any personal experience with OpenExchange or any of the other products (off-list if you like) I would appreciate it! -Corey -- Corey S. McFadden & Associates, Technology Consultants main +1.215.689.4984 - direct +1.610.972.4347 c@csma.biz - www.csma.biz ********************************************* This message has been scanned for viruses and dangerous content, and is believed to be clean. From csm-lists at CSMA.BIZ Mon Dec 15 00:49:56 2003 
From: csm-lists at CSMA.BIZ (Corey S. McFadden) Date: Thu Jan 12 21:21:32 2006 Subject: Linux Exchange Server In-Reply-To: <3A411846CD3C0D4CB3D8704F937353701641BB@be-00.foundation.sd su.edu> References: <3A411846CD3C0D4CB3D8704F937353701641BB@be-00.foundation.sdsu.edu> Message-ID: <6.0.0.22.0.20031214194612.03827380@mail.csma.biz> Sure. :-) I think it's easily half the list price when you get into any serious volume, but it's still based on a hard-count of devices or users. Some larger clients have expressed interest in concurrent (or unlimited...) license models, so we're looking into alternatives. Anyhow, thanks for the responses. -Corey At 07:31 PM 12/14/2003, you wrote: >I'm assuming you've done more research on the price of the CAL's than >the Microsoft Exchange website? I don't anyone pays the $67 list price. > > > >Steve Evans >SDSU Foundation -- Corey S. McFadden & Associates, Technology Consultants main +1.215.689.4984 - direct +1.610.972.4347 c@csma.biz - www.csma.biz ********************************************* This message has been scanned for viruses and dangerous content, and is believed to be clean. From sevans at FOUNDATION.SDSU.EDU Mon Dec 15 00:57:28 2003 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:21:32 2006 Subject: Linux Exchange Server Message-ID: <3A411846CD3C0D4CB3D8704F937353701641BC@be-00.foundation.sdsu.edu> There is the external connector license. But it sounds like that probably wouldn't apply to your situation. Impossible to say without knowing anything about your scenario. I think one of the best ways I've heard someone justify the cost of Exchange is, "When your paying your employee $x0,000 a year, another $50 to make them productive isn't a big deal." Hope I didn't start an Exchange/Anti-Exchange flame war. Steve Evans SDSU Foundation -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Corey S. McFadden Sent: Sunday, December 14, 2003 4:50 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Linux Exchange Server Sure. :-) I think it's easily half the list price when you get into any serious volume, but it's still based on a hard-count of devices or users. Some larger clients have expressed interest in concurrent (or unlimited...) license models, so we're looking into alternatives. Anyhow, thanks for the responses. -Corey At 07:31 PM 12/14/2003, you wrote: >I'm assuming you've done more research on the price of the CAL's than >the Microsoft Exchange website? I don't anyone pays the $67 list price. > > > >Steve Evans >SDSU Foundation -- Corey S. McFadden & Associates, Technology Consultants main +1.215.689.4984 - direct +1.610.972.4347 c@csma.biz - www.csma.biz ********************************************* This message has been scanned for viruses and dangerous content, and is believed to be clean. From robin at PRIMUS.CA Mon Dec 15 01:01:22 2003 
From: robin at PRIMUS.CA (Robin M.) Date: Thu Jan 12 21:21:32 2006 Subject: OT: Linux Exchange Server In-Reply-To: <6.0.0.22.0.20031214175838.027ac7a8@mail.csma.biz> References: <6.0.0.22.0.20031214175838.027ac7a8@mail.csma.biz> Message-ID: On Sun, 14 Dec 2003, Corey S. McFadden wrote: > Sorry for the OT post, but I wanted to solicit some informed opinions and > couldn't think of a better group... > > I was wondering what experiences anyone has had with some of the 3rd-party > MS Exchange Server simulators for Linux. We evaluated a couple of > solutions about a year ago without going very far with it, but are going to > be revisiting the subject for a new client. (Have you seen Exchange Server > 2003 CAL costs?!) In the past, OpenExchange looked very attractive, but we > don't have any practical experience with it. > > Anyhow, if anyone can offer any personal experience with OpenExchange or > any of the other products (off-list if you like) I would appreciate it! > > -Corey > > There are a few products that do this. At the heart of it all is the cyrus imap server as it does access control lists which can be used to create shared folders per user. Each vendor complements the cyrus server with other software such as squirrelmail with enhancements, smartsieve, phpical, postnuke/phpnuke/metadot etc.. etc.. Most of the server side stuff is all open source except for a resource management software, which is when you schedule meetings with resources such as boardrooms and they automatically accept or decline. The biggest difference between vendors is really the client code which is a plugin which you install for use with outlook. I have tried the bynari plugin and it seems to be the most advanced and everything does seem to work properly. I do not believe that SuSE has their own outlook connector plugin and you have to additionally use the Ximian plugin. I could be wrong. 
The Bynari server does not come budled with very many features but it is quite easy to add any other components. I have installed a bynari server for a customer and installed MailScanner onto it and it works perfectly fine. They also actually promote MailScanner on their site. From ryan.finnesey at CORPDSG.COM Mon Dec 15 01:58:40 2003 From: ryan.finnesey at CORPDSG.COM (Ryan Finnesey) Date: Thu Jan 12 21:21:33 2006 Subject: Linux Exchange Server Message-ID: <3041D4D2B8A6F746AD9217BE05AE68C407BCD4@dc012.corpdsg.com> I also hope that I do not start an Exchange/Anti-Exchange flame war. But one other thing you can look into is licensing Exchange via an ASP model. I do not know how many users you need to support but Diversified and many other company's offer hosted Exchange for about $20 a user and can get as low as $14 per user monthly. This will include your Microsoft Outlook client license, Microsoft Exchange CAL, Backup services, Active Directory ect... -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Steve Evans Sent: Sunday, December 14, 2003 7:57 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Linux Exchange Server There is the external connector license. But it sounds like that probably wouldn't apply to your situation. Impossible to say without knowing anything about your scenario. I think one of the best ways I've heard someone justify the cost of Exchange is, "When your paying your employee $x0,000 a year, another $50 to make them productive isn't a big deal." Hope I didn't start an Exchange/Anti-Exchange flame war. Steve Evans SDSU Foundation -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Corey S. McFadden Sent: Sunday, December 14, 2003 4:50 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Linux Exchange Server Sure. :-) I think it's easily half the list price when you get into any serious volume, but it's still based on a hard-count of devices or users. Some larger clients have expressed interest in concurrent (or unlimited...) license models, so we're looking into alternatives. Anyhow, thanks for the responses. -Corey At 07:31 PM 12/14/2003, you wrote: >I'm assuming you've done more research on the price of the CAL's than >the Microsoft Exchange website? I don't anyone pays the $67 list price. > > > >Steve Evans >SDSU Foundation -- Corey S. McFadden & Associates, Technology Consultants main +1.215.689.4984 - direct +1.610.972.4347 c@csma.biz - www.csma.biz ********************************************* This message has been scanned for viruses and dangerous content, and is believed to be clean. From jaearick at COLBY.EDU Mon Dec 15 02:02:42 2003 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:21:33 2006 Subject: IPBlock and RaQ - Fixed.. But now a new problem In-Reply-To: <003001c3c26b$3d83c180$6401a8c0@pgx01> References: <003001c3c26b$3d83c180$6401a8c0@pgx01> Message-ID: Hi, This is a sendmail issue, not a mailscanner issue. Pull out your copy of the Bat Book and look inside, or google for this phrase to find out where it might come from in sendamil. Unless Raq is strange/special, you shouldn't need TLS and/or SASL to run sendmail. Jeff Earickson Colby College On Sun, 14 Dec 2003, Jon Beets wrote: > Date: Sun, 14 Dec 2003 11:44:24 -0600 
> From: Jon Beets > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: IPBlock and RaQ - Fixed.. But now a new problem > > I did find it and have it working Thanks... My problem now is after > upgrading sendmail and restarting MailScanner I get a SASL warningit: > > incoming sendmail: Warning: Option: AuthMechanisms requires SASL support > (-DSASL) > Warning: Option: CACERTPath requires TLS support > ok > outgoing sendmail: Warning: Option: AuthMechanisms requires SASL support > (-DSASL) > Warning: Option: CACERTPath requires TLS support > ok > > I found what appears to be a fix but am weary of doing it since it seems > somewhat involved and requires cyrus-ssl to be installed... > > Jon > > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: Sunday, December 14, 2003 5:31 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: IPBlock and RaQ > > > Read /usr/lib/MailScanner/MailScanner/CustomConfig.pm and search for > IPBlock. There is a bunch of docs in there that will tell you how to add > this feature very simply. > > I haven't made it into a mainstream feature as it currently only works with > sendmail. If anyone wants to take a look at it and work out how to do > similar controls for postfix, zmailer and exim, I would very much > appreciate it. > > At 20:37 13/12/2003, you wrote: > >I apologize in advance for being an idiot.. :) > > > >I have MailScanner 4.26-1 installed on my RaQ 550.. I cannot locate the > >IPBlock settings on any of the .conf files.. Am I still looking in the > wrong > >place or does it not exist in the MailScanner version I am running? I have > >already searched the archives.. ( I am a relative newbie to *nix). > > > >Jon Beets > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From vanhorn at WHIDBEY.COM Mon Dec 15 09:12:48 2003 
From: vanhorn at WHIDBEY.COM (G. Armour Van Horn) Date: Thu Jan 12 21:21:33 2006 Subject: Ignore outbound mail In-Reply-To: References: Message-ID: <3FDD7B10.1050102@whidbey.com> I know I've asked this in the distant past, at which point I don't think it was possible. However, I'd still very much like to have MailScanner completely ignore mail generated on localhost. The machine doesn't accept mail from users, but I do have a large daily mailing that goes out every night, and the mailing takes far too long and causes MS/SA to use far too many resources. I was planning on moving all mail clients off to another machine so I could run without MS on this server, but it just isn't practical. So I'd like to revisit this if I may. Van Currently running MailScanner 4.23-11, but I suppose I could upgrade easily enough if that would help. From mailscanner at ecs.soton.ac.uk Mon Dec 15 09:10:55 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:33 2006
Subject: Nested rulesets or Multiple ruleset conditions
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20031215084151.035c75e8@imap.ecs.soton.ac.uk>

At 21:28 14/12/2003, you wrote:
>I have a need to use a nested ruleset within MS. Is this possible?

Not directly in a ruleset, no. Sorry about that.
What you would need is a short Custom Function to do it. There are plenty of examples in CustomConfig.pm, the shortest of which is at the start of the file (a skeleton framework to work from). You would end up with something like this:

my $OutgoingQueueDefault = '/var/spool/postfix/incoming';
my $OutgoingQueueSpecial = '/var/spool/postfix.thirdparty/incoming';
my $OutgoingQueueSpecialIP = '192.168.0.29';
my $OutgoingQueueMyDomain = 'mycompany.com';

sub InitOutgoingQueue {
  # No initialisation needs doing here at all.
  MailScanner::Log::InfoLog("Initialising OutgoingQueue to %s",
                            $OutgoingQueueSpecial);
}

sub EndOutgoingQueue {
  # No shutdown code needed here at all.
  # This function could log total stats, close databases, etc.
  MailScanner::Log::InfoLog("Ending OutgoingQueue");
}

# This returns the special queue only for messages that come from the
# special IP address and have a sender in our own domain. Everything
# else goes to the default queue.
sub OutgoingQueue {
  my($message) = @_;

  return $OutgoingQueueDefault unless $message; # Default if no message passed in

  return $OutgoingQueueSpecial
    if $message->{clientip} eq $OutgoingQueueSpecialIP &&
       $message->{fromdomain} eq $OutgoingQueueMyDomain;
  return $OutgoingQueueDefault;
}

Then in your MailScanner.conf set this:

OutgoingQueueDir = &OutgoingQueue

Notes
=====
a) my mail client will probably have wrapped that in all sorts of nasty places, so you'll need to be careful.
b) I haven't tested this code at all. If you are really lucky it might even compile (do a "perl -c CustomConfig.pm" to iron out the syntax errors before you try running it).
c) You don't have to call the functions "OutgoingQueue". "Fred" will work just as well. But you do need "sub InitFred", "sub EndFred" and "sub Fred" itself.

> I am
>unable to find anything in the documentation about this.
>
>To help understand my reason here is my scenario...
>
>One division of my company needs to relay (almost) all email off a third
>party (they provide virus scanning services, it's political & not something I
>can change). We have a central SMTP server that runs Postfix & MS and I am
>able to send route all email successfully by having 2 outbound Postfix
>queues (and 2 instances of outbound postfix), the first queue delivers
>directly while the second sends all email to the relay (for scanning etc).
>I did this by using a ruleset on the outbound queue config line (works
>great), all email from that server (192.168.0.29) is put in the second queue
>and off she goes. The problem is that there is one mailbox on that server
>that should not be sent via the second queue (I can't go into details why,
>it just can't :-), that server is running MSExchange 5.5 so my email routing
>options are very limited.
>My way of thinking is to implement a nested ruleset that looks like this...
>
>ruleset1.rules
>From: 192.168.0.29
>/opt/MailScanner/etc/rules/ruleset2.rules
>FromorTo: default /var/spool/postfix/incoming
>
>ruleset2.rules
>From: *@mycompany.com /var/spool/postfix.thirdparty/incoming
>FromOrTo: default /var/spool/postfix/incoming
>
>To avoid mail routing loops (if that's possible) I don't want to just have
>one ruleset with *@mycompany.com as some of our monitoring equipment uses an
>@mycompany.com email address and they are sent to @mycompany.com addresses.
>
>Or is it possible to have multiple conditions in the ruleset, e.g. From:
>192.168.0.29 AND *@mycompany.com?
>
>I hope that all makes sense, maybe I'm just looking at this the wrong way,
>please feel free to provide suggestions on how I might do this better.
>Thank you for your time.
>
>Cheers,
>Mark
>
>
>_____________________________________________________________________
>CONFIDENTIALITY: This e-mail and any attachments are confidential and may
>be privileged. If you are not a named recipient, please notify the sender
>immediately and do not disclose the contents to another person, use it for
>any purpose or store or copy the information in any medium.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Dec 15 09:14:00 2003
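
Added example (not from the thread, and not MailScanner code): a small Python model of why a first-match ruleset made of single-condition rules cannot express the "client IP AND sender domain" routing asked about in the preceding message, and what the combined test in the custom function decides instead. The sample messages are constructed, and it assumes the exempt mailbox sends from a domain other than mycompany.com, as the poster's ruleset2 implies.

```python
"""Model of first-match ruleset lookup versus a combined (AND) condition.

Added illustration, not MailScanner code. Only "From:" rules are modelled and
IP rules are compared exactly (a simplification). Queue paths, IP address and
domain are the ones quoted in the thread; the messages are constructed.
"""
from fnmatch import fnmatchcase
from ipaddress import ip_address

DEFAULT_QUEUE = "/var/spool/postfix/incoming"
THIRDPARTY_QUEUE = "/var/spool/postfix.thirdparty/incoming"
SPECIAL_IP = "192.168.0.29"
MY_DOMAIN = "mycompany.com"


def _is_ip(pattern):
    """True when the rule pattern is a literal IP address."""
    try:
        ip_address(pattern)
        return True
    except ValueError:
        return False


def rule_matches(pattern, msg):
    """One 'From:' rule: 'default', a client IP, or an address glob."""
    if pattern == "default":
        return True
    if _is_ip(pattern):
        return msg["clientip"] == pattern
    return fnmatchcase(msg["from"].lower(), pattern.lower())


def first_match(ruleset, msg):
    """Return the value of the first matching rule; later rules are ignored."""
    for pattern, value in ruleset:
        if rule_matches(pattern, msg):
            return value
    raise ValueError("ruleset needs a default rule")


def combined(msg):
    """The decision the custom function makes: client IP AND sender domain."""
    domain = msg["from"].rpartition("@")[2].lower()
    if msg["clientip"] == SPECIAL_IP and domain == MY_DOMAIN:
        return THIRDPARTY_QUEUE
    return DEFAULT_QUEUE


# Three attempts at doing the job with single-condition rules only.
IP_ONLY = [(SPECIAL_IP, THIRDPARTY_QUEUE), ("default", DEFAULT_QUEUE)]
ADDR_ONLY = [("*@" + MY_DOMAIN, THIRDPARTY_QUEUE), ("default", DEFAULT_QUEUE)]
BOTH_RULES = [(SPECIAL_IP, THIRDPARTY_QUEUE),
              ("*@" + MY_DOMAIN, THIRDPARTY_QUEUE),
              ("default", DEFAULT_QUEUE)]

# Constructed messages with the queue the poster's nested ruleset would pick.
MESSAGES = {
    "exchange_user": ({"clientip": "192.168.0.29",
                       "from": "alice@mycompany.com"}, THIRDPARTY_QUEUE),
    "exempt_mailbox": ({"clientip": "192.168.0.29",
                        "from": "reports@partner.example"}, DEFAULT_QUEUE),
    "monitoring_probe": ({"clientip": "192.168.0.50",
                          "from": "probe@mycompany.com"}, DEFAULT_QUEUE),
    # Bounce with an empty envelope sender: no domain to compare against.
    "bounce": ({"clientip": "192.168.0.29", "from": ""}, DEFAULT_QUEUE),
}


def misrouted(decide):
    """Names of the sample messages that 'decide' sends to the wrong queue."""
    return [name for name, (msg, want) in MESSAGES.items()
            if decide(msg) != want]


if __name__ == "__main__":
    attempts = {
        "IP rule only": lambda m: first_match(IP_ONLY, m),
        "address rule only": lambda m: first_match(ADDR_ONLY, m),
        "both rules (acts as OR)": lambda m: first_match(BOTH_RULES, m),
        "combined AND test": combined,
    }
    for label, decide in attempts.items():
        print(f"{label:26} misroutes: {misrouted(decide) or 'nothing'}")
```

Listing both single-condition rules in one ruleset behaves as OR, so it sends more mail to the third-party queue than either rule alone.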
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:33 2006 Subject: OT: Linux Exchange Server In-Reply-To: References: <6.0.0.22.0.20031214175838.027ac7a8@mail.csma.biz> Message-ID: <6.0.1.1.2.20031215091236.03746920@imap.ecs.soton.ac.uk> Once this conversation has quietened down, it would be very handy if someone could turn the good bits into an entry in the FAQ. It's a question that I get asked about quite a lot, but know nearly nothing about. At 01:01 15/12/2003, you wrote: >On Sun, 14 Dec 2003, Corey S. McFadden wrote: > > Sorry for the OT post, but I wanted to solicit some informed opinions and > > couldn't think of a better group... > > > > I was wondering what experiences anyone has had with some of the 3rd-party > > MS Exchange Server simulators for Linux. We evaluated a couple of > > solutions about a year ago without going very far with it, but are going to > > be revisiting the subject for a new client. (Have you seen Exchange Server > > 2003 CAL costs?!) In the past, OpenExchange looked very attractive, but we > > don't have any practical experience with it. > > > > Anyhow, if anyone can offer any personal experience with OpenExchange or > > any of the other products (off-list if you like) I would appreciate it! > > > > -Corey > > > > >There are a few products that do this. At the heart of it all is the >cyrus imap server as it does access control lists which can be used to >create shared folders per user. Each vendor complements the cyrus server >with other software such as squirrelmail with enhancements, smartsieve, >phpical, postnuke/phpnuke/metadot etc.. etc.. >Most of the server side stuff is all open source except for a resource >management software, which is when you schedule meetings with resources >such as boardrooms and they automatically accept or decline. > >The biggest difference between vendors is really the client code which is >a plugin which you install for use with outlook. 
I have tried the bynari
>plugin and it seems to be the most advanced and everything does seem to
>work properly. I do not believe that SuSE has their own outlook connector
>plugin and you have to additionally use the Ximian plugin. I could be
>wrong. The Bynari server does not come bundled with very many features but
>it is quite easy to add any other components. I have installed a bynari
>server for a customer and installed MailScanner onto it and it works
>perfectly fine. They also actually promote MailScanner on their site.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Dec 15 09:27:45 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:33 2006
Subject: Ignore outbound mail
In-Reply-To: <3FDD7B10.1050102@whidbey.com>
References: <3FDD7B10.1050102@whidbey.com>
Message-ID: <6.0.1.1.2.20031215091903.03e71a18@imap.ecs.soton.ac.uk>

At 09:12 15/12/2003, you wrote:
>I know I've asked this in the distant past, at which point I don't think
>it was possible. However, I'd still very much like to have MailScanner
>completely ignore mail generated on localhost. The machine doesn't
>accept mail from users, but I do have a large daily mailing that goes
>out every night, and the mailing takes far too long and causes MS/SA to
>use far too many resources.
>
>I was planning on moving all mail clients off to another machine so I
>could run without MS on this server, but it just isn't practical. So I'd
>like to revisit this if I may.
>
>Van
>
>Currently running MailScanner 4.23-11, but I suppose I could upgrade
>easily enough if that would help.

Yet another ruleset application.
In MailScanner.conf set this:

Virus Scanning = /etc/MailScanner/rules/not.localhost.rules
Spam Checks = /etc/MailScanner/rules/not.localhost.rules

and then in /etc/MailScanner/rules/not.localhost.rules put this:

From: 127.0.0.1 no
From: 10.11.12.13 no
FromOrTo: default yes

(where the IP address of the server is 10.11.12.13).

Simple as that.

We should start collecting these together into a lovely great library of example ruleset applications. Another job for a part-time FAQ maintainer/author perhaps? Any offers? It would really help and requires no great programming knowledge or anything like that.

Thanks folks!

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From martyn at INVICTAWIZ.COM Mon Dec 15 10:42:25 2003
From: martyn at INVICTAWIZ.COM (InvictaWiz Customer Support)
Date: Thu Jan 12 21:21:33 2006
Subject: odd errors
Message-ID:

Over the weekend, I upgraded to 4.25-14. Since then I have seen quite a few messages with SA score of 0 as below. Does anyone have any ideas as to why (the messages are probably 5+ in reality)

Date: Mon, 15 Dec 2003 04:30:53 -0500
Message-ID: <1071480653.9711@thedealsmaster.com>
From: Reduce and Save Reply-To: Subject: Tackle Your Debt X-MimeOLE: Prodigy Compatibility V 4.1bdd2391 or later Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-MailScanner-Information: Please contact sales@invictawiz.com for more information X-MailScanner: Found to be clean X-MailScanner-SpamCheck: not spam, SpamAssassin (score=0, required 5) Status: Martyn Routley ----------------------------------------------------------------- InvictaWiz - The Internet in Plain English, Guaranteed http://www.invictawiz.com martyn@invictawiz.com phone: 08707 440180 fax: 08707 440181 Ask us about our online Antivirus and Junk mail scanning service. Ask us how you could save money on your telephone bill. ----------------------------------------------------------------- ----------------------------------------------------------------------------- This message has been scanned for viruses and dangerous content by the http://www.anti84787.com MailScanner, and is believed to be clean. ----------------------------------------------------------------------------- From slwatts at WINCKWORTHS.CO.UK Mon Dec 15 10:47:13 2003 From: slwatts at WINCKWORTHS.CO.UK (Samuel Luxford-Watts) Date: Thu Jan 12 21:21:33 2006 Subject: [OT]RE: Linux Exchange Server Message-ID: We too are looking at the possibility of moving away from the MS Exchange platform. I have not spent much time looking at the opensource/linux options. Openexchange looked very good, and yes it uses the ximian plugin to allow outlook access. Whilst I am always looking at the price - for us its not the overriding factor. We need a messaging platform that allows easy sharing of knowledge contained within those emails, meetings and tasks. Exchange locks all this away. From initial glances, cyrus does the same. I would be interested in what you find out from your testing..... Sam -----Original Message----- 
From: Corey S. McFadden [mailto:csm-lists@CSMA.BIZ] Sent: 14 December 2003 23:05 To: MAILSCANNER@JISCMAIL.AC.UK Subject: OT: Linux Exchange Server Sorry for the OT post, but I wanted to solicit some informed opinions and couldn't think of a better group... I was wondering what experiences anyone has had with some of the 3rd-party MS Exchange Server simulators for Linux. We evaluated a couple of solutions about a year ago without going very far with it, but are going to be revisiting the subject for a new client. (Have you seen Exchange Server 2003 CAL costs?!) In the past, OpenExchange looked very attractive, but we don't have any practical experience with it. Anyhow, if anyone can offer any personal experience with OpenExchange or any of the other products (off-list if you like) I would appreciate it! -Corey -- Corey S. McFadden & Associates, Technology Consultants main +1.215.689.4984 - direct +1.610.972.4347 c@csma.biz - www.csma.biz ********************************************* This message has been scanned for viruses and dangerous content, and is believed to be clean. -------------- Winckworth Sherwood Solicitors and Parliamentary Agents DX 148400 WESTMINSTER 5 : 35 Great Peter Street, London SW1P 3LR Telephone 020 7593 5000 Fax 020 7593 5099 -Confidentiality- This email message and any attachments are confidential; they may be subject to legal professional privilege and are intended for the named recipient only. If you are not the named recipient, please return the message and enclosures immediately and delete them from your system. -Caution- Before advice received only by email (whether by attachment or otherwise) may be relied on, the authenticity of the communication must be verified by means independent of email. -Regulation- The firm is regulated by the Law Society. 
-Partners- A list of partners is available for inspection at each office of the firm and on the firm's website at http://www.winckworths.co.uk From P.G.M.Peters at utwente.nl Mon Dec 15 11:01:57 2003 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:21:33 2006 Subject: Yahoo Developing Open Source Server Software For Spam-Resistant E-Mail In-Reply-To: <6.0.1.1.2.20031212162002.07d88530@imap.ecs.soton.ac.uk> References: <3FD9E759.1080708@pacific.net> <6.0.1.1.2.20031212162002.07d88530@imap.ecs.soton.ac.uk> Message-ID: On Fri, 12 Dec 2003 16:26:24 +0000, you wrote: >So when you get a mail without a correct domainkeys header, you know >absolutely nothing about its validity. You may like to think you know it is >not a valid Yahoo account, but you are wrong. You have absolutely no >information about whether it is valid or not. It also won't block spam that is injected by a compromised system using as from-header the domain of that system (or perhaps pulled from the mailer on that system). -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From mailscanner at ecs.soton.ac.uk Mon Dec 15 11:19:00 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:33 2006 Subject: Yahoo Developing Open Source Server Software For Spam-Resistant E-Mail In-Reply-To: References: <3FD9E759.1080708@pacific.net> <6.0.1.1.2.20031212162002.07d88530@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20031215111506.037d4440@imap.ecs.soton.ac.uk> At 11:01 15/12/2003, you wrote: >On Fri, 12 Dec 2003 16:26:24 +0000, you wrote: > > >So when you get a mail without a correct domainkeys header, you know > >absolutely nothing about its validity. You may like to think you know it is > >not a valid Yahoo account, but you are wrong. You have absolutely no > >information about whether it is valid or not. > >It also won't block spam that is injected by a compromised system using >as from-header the domain of that system (or perhaps pulled from the >mailer on that system). And then there's the little matter of verifying all these domainkeys headers. Is every vendor really going to add this feature to their mail client? Are Hotmail and AOL going to start helping Yahoo users by verifying the domainkeys, when it doesn't really help their users much? I can see it being a feature that people just see the headers and assume "it's got a domainkeys header and therefore must be valid" while never actually bothering to check the validity because they have no way of doing so. All the spammers add likely-looking random strings as a domainkeys header in all the mail they send, and all you have succeeded in doing is making every spam message a bit bigger. Or maybe I'm just a cynical old sod and the world really is pink, fluffy and full of people who aren't trying to make money... -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From pete at eatathome.com.au Mon Dec 15 11:32:54 2003 
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:21:33 2006 Subject: Linux Exchange Server In-Reply-To: <1071443526.1697.15.camel@localhost.localdomain> References: <200312142308.hBEN8vxC016091@avwall.bladeware.com> <1071443526.1697.15.camel@localhost.localdomain> Message-ID: <3FDD9BE6.7090202@eatathome.com.au> Michael Baird wrote: >Check out the bynari connector, http://www.bynari.net and ExchangeIT >http://net-itech.com/america/products/pd_exchangeit.htm, of course >Samsung Contact is out there, and one other one I can't remember which >showed promise, openexchange isn't exactly low cost. > >Regards >MIKE > > > >>I run 3 OpenExchange servers and like them very well. None of them accept >>email from the internet though. I run a MailScanner box in front of them >>and forward on using mailertable. I've had no problems with reliability or >>connection with MUA's. I'm pleased with the outcome. >> >>Mike >> >> >> >> >>>-----Original Message----- 
>>>From: MailScanner mailing list >>>[mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Corey S. McFadden >>>Sent: Sunday, December 14, 2003 5:05 PM >>>To: MAILSCANNER@JISCMAIL.AC.UK >>>Subject: OT: Linux Exchange Server >>> >>>Sorry for the OT post, but I wanted to solicit some informed >>>opinions and couldn't think of a better group... >>> >>>I was wondering what experiences anyone has had with some of >>>the 3rd-party MS Exchange Server simulators for Linux. We >>>evaluated a couple of solutions about a year ago without >>>going very far with it, but are going to be revisiting the >>>subject for a new client. (Have you seen Exchange Server >>>2003 CAL costs?!) In the past, OpenExchange looked very >>>attractive, but we don't have any practical experience with it. >>> >>>Anyhow, if anyone can offer any personal experience with >>>OpenExchange or any of the other products (off-list if you >>>like) I would appreciate it! >>> >>>-Corey >>> >>> >>> >>>-- >>>Corey S. McFadden & Associates, >>>Technology Consultants >>>main +1.215.689.4984 - direct +1.610.972.4347 c@csma.biz - >>>www.csma.biz >>> >>> >>>********************************************* >>>This message has been scanned for viruses and dangerous >>>content, and is believed to be clean. >>> >>> >>> > > > > > None of those thing look low/no cost - but they do look very very nice. I dont wanna hi jack, but if of you knowledgable folks know - what is a good all in one, MTA/IMAP/webmail server that will provide the obvious MTA features, IMAP and webmail, but if a user can be found in the access map (generated via perl from the active directory) but hasnt previously recieved mail, a new user, the server will check they exist, create approriate files, permissions and deliver the mail? I have most of this thrown together with courier and postfix - but i failt to understand some basic bits, so i need an allin one solution. Hope some one can help, email is fine... From chris at TRUDEAU.ORG Mon Dec 15 12:49:48 2003 
From: chris at TRUDEAU.ORG (Chris Trudeau) Date: Thu Jan 12 21:21:33 2006 Subject: Postfix message duplication - again! References: <3FDCC91E.9070902@themarshalls.co.uk> Message-ID: <009201c3c309$ed26a280$4e19000a@ATLCPW13671> > I have read many threads on both the MailScanner mailing list and the > Postfix groups about this problem but haven't yet seen a solution. I > guess the first question is, is there a solution? To my knowledge in answering your question, "NO" there has not been a fix released for this that I am aware of. I WAS able to get MYSQL logging working with no duplication, but that was repaired in the perl components of the MAILWATCH packages, NOT the internals of MailScanner. The resulting problem was that duplicate notification email messages are still a problem etc... > I love MS and have done since I first deployed it on my first trip to > Linux (On Sendmail) and latterly, having got fed up with the patching > required, on Postfix (When the MS for Postfix first was released). I > have only recently been having these duplication problems and started > looking for answers to find the author of Postfix says not to use > MailScanner as it 'Gropes mail files from the active queue'. While > understandable from his point of view, not helpful to me, an > inexperienced *nix admin just looking to implement easy, fast and safe > computing for my users (Hence my love for Postfix and MailScanner, both > excellent, fast and simple to administer). I simply took the route of every other non-developer in the world and realized that support of MailScanner on Exim or Sendmail would make my life easier in the long run. Even with the inherent insecurities and complexities of maintaining sendmail. The resulting scenario leaves me in a much better place. I have side-by-side instances of postfix/MS/SA/DCC/Razor/Sophos/ClamAV AND sendmail/MS/SA/DCC/Razor/Sophos/ClamAV and sendmail is by far easier to maintain and less prone to trivial mail handling problems. 
(if you have high traffic server, postfix/MS will butcher messages and do other unpredictable things. > I have played with Exim but disliked it's config setup and seemed very > complex to set up to use my MySQL alias database, domain list etc. ME TOO! While I know its supposed to be more secure and flexible and perform a bit better than sendmail....I have just never had the time or the patience to learn the configuration ins and outs of yet another MTA. > I also played with AMAVIS- new (For two hours and gave up when I found > the full extent of the feature set!) which is 'approved for Postfix use'. I started out with amavisd-new and ditched it after learning about the functionality offered in MailScanner (approved or not) > If there is not current cure for the POstfix problem, is there any way > to pipe the mail to MailScanner or even bolt a SMTP engine to it to > receive the mail like AMAVIS (Which would then extend MS for use with > all MTAs?!)? I haven't seen anything like that...not sure I could use the functionality myself. I would prefer to use postfix, but decided long ago, that Julian's level of support here far surpasses anything you can find on postfix mailing lists. In addition, Julian doesn't make a regular habit of demeaning those who are less learned about his software. From P.G.M.Peters at utwente.nl Mon Dec 15 13:20:15 2003 
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:21:33 2006
Subject: Yahoo Developing Open Source Server Software For Spam-Resistant E-Mail
In-Reply-To: <6.0.1.1.2.20031215111506.037d4440@imap.ecs.soton.ac.uk>
References: <3FD9E759.1080708@pacific.net> <6.0.1.1.2.20031212162002.07d88530@imap.ecs.soton.ac.uk> <6.0.1.1.2.20031215111506.037d4440@imap.ecs.soton.ac.uk>
Message-ID:

On Mon, 15 Dec 2003 11:19:00 +0000, you wrote:

>I can see it being a feature that people just see the headers and assume
>"it's got a domainkeys header and therefore must be valid" while never
>actually bothering to check the validity because they have no way of doing
>so. All the spammers add likely-looking random strings as a domainkeys
>header in all the mail they send, and all you have succeeded in doing is
>making every spam message a bit bigger.

At first I would (especially with Yahoo involved) start tagging messages with domainkey headers as suspicious.

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From gioia at bclink.it Mon Dec 15 13:52:53 2003
From: gioia at bclink.it (Gioia Bastioni)
Date: Thu Jan 12 21:21:33 2006
Subject: F-prot update script
Message-ID:

Hi all!

how can I disable the f-prot-autoupdate script option to not send email notifications if it did not need to be updated ?
I wouldn't receive this every hour..

------------------------
FTP address for retrieving files is ftp://us-3.updates.f-prot.com/pub/
File SIGN.DEF is already up to date.
File SIGN2.DEF is already up to date.
File MACRO.DEF is already up to date.
Nothing to be done.
------------------------

I've had some experiences with Sophos Antivirus too, and I noticed that it downloads new ide files as soon as they were released ..
it's not possible to have the same feature with other Antivirus software as f-prot and Antivir ?!

thanks for the help

From peter at UCGBOOK.COM Mon Dec 15 13:54:59 2003
From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:21:33 2006 Subject: Postfix message duplication - again! In-Reply-To: <009201c3c309$ed26a280$4e19000a@ATLCPW13671> References: <3FDCC91E.9070902@themarshalls.co.uk> <009201c3c309$ed26a280$4e19000a@ATLCPW13671> Message-ID: <3FDDBD33.2080501@ucgbook.com> >>I love MS and have done since I first deployed it on my first trip to >>Linux (On Sendmail) and latterly, having got fed up with the patching >>required, on Postfix (When the MS for Postfix first was released). > Even with the inherent insecurities and > complexities of maintaining sendmail. Isn't this a little exaggerated these days? If I remember correctly I have updated Sendmail twice this year and even if you might want to reply that you haven't updated Postfix at all I don't feel bad about the one hour I spent doing those two updates. If you want Postfix as your internet facing MTA for security reasons, can't you put up a simple relay machine with Postfix that delivers to a MS/Sendmail-machine? Best of both worlds..? /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.23-11, SpamAssassin 2.60 + DCC 1.2.9, ClamAV 20030829 From jacques at MONACO.NET Mon Dec 15 14:28:02 2003 
From: jacques at MONACO.NET (Jacques Caruso)
Date: Thu Jan 12 21:21:33 2006
Subject: Bogus "denial of service" messages, and postdrop not working
Message-ID: <200312151528.02031.jacques@monaco.net>

Hi,

I'm encountering (surprise ! :-) some new problems. Some legitimate
messages get their attachments scrubbed by MS with the mention that they
contain a « denial of service attack ». I looked at the documentation,
the FAQ, the mailing-list archives (even grepped the source code files
for the 'DOSAttack' string), to no avail. I can't seem to find what
triggers those denial of service alerts, and how to deactivate them...

Another problem is that I've thus far failed to reinject a message into
the queue by conventional means. I quarantine messages with :

Quarantine Infections = yes
Quarantine Whole Message = yes
Quarantine Whole Messages As Queue Files = yes

When I use postdrop on a quarantined message, I get a cryptic error
message :

[root@sceuzi][/var/spool/MailScanner/quarantine/20031213/3CC271B8114]# postdrop < 3CC271B8114
queue_idEB92220C06Bpostdrop: fatal: uid=0: unexpected record type: 67

The only clue I've been able to find is a message where this behaviour
was attributed to a version discrepancy between postfix and the postdrop
command. Of course, I double-checked all my commands come from the same
version, thus I'm in the dark. A postcat on the same file works fine, so
I've for the moment settled on a script which parses the postcat output
and reinjects it on the internal Postfix instance, but it's a truly
lousy solution. Can someone point me to where I should look to get rid
of this problem ?

BTW, my MailScanner.conf (without comments) is at
. I don't know
if it can help in understanding what happens, but then, better safe than
sorry...

Greets,
--
[ Jacques Caruso PHP Developer ]
[ Monaco Internet http://monaco-internet.mc/ ]
[ Tel : (+377) 93 10 00 43 PGP key : 0x41F5C63D ]
[ -*- When the finger points at the moon, the fool looks at the finger -*- ]

From mailscanner at ecs.soton.ac.uk Mon Dec 15 14:24:38 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:33 2006
Subject: F-prot update script
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20031215142347.037d2530@imap.ecs.soton.ac.uk>

At 13:52 15/12/2003, you wrote:
>Hi all!
>
>how can I disable the f-prot-autoupdate script option to not send email
>notifications if it did not need to be updated ?
>I wouldn't receive this every hour..
>
>------------------------
>FTP address for retrieving files is ftp://us-3.updates.f-prot.com/pub/
>File SIGN.DEF is already up to date.
>File SIGN2.DEF is already up to date.
>File MACRO.DEF is already up to date.
>Nothing to be done.
>------------------------

Is your cron job calling update_virus_scanners or calling f-prot-autoupdate
directly?

>I've had some experiences with Sophos Antivirus too, and I noticed that it
>downloads new ide files as soon as they were released ..
>it's not possible to have the same feature with other Antivirus software as
>f-prot and Antivir ?!

My sophos-autoupdate script just updates hourly, the same as all the others.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From chris at TRUDEAU.ORG Mon Dec 15 15:00:09 2003
From: chris at TRUDEAU.ORG (Chris Trudeau)
Date: Thu Jan 12 21:21:33 2006
Subject: Postfix message duplication - again!
References: <3FDCC91E.9070902@themarshalls.co.uk> <009201c3c309$ed26a280$4e19000a@ATLCPW13671> <3FDDBD33.2080501@ucgbook.com>
Message-ID: <012501c3c31c$221ca8b0$4e19000a@ATLCPW13671>

> > Even with the inherent insecurities and
> > complexities of maintaining sendmail.
>
> Isn't this a little exaggerated these days? If I remember correctly I
> have updated Sendmail twice this year and even if you might want to
> reply that you haven't updated Postfix at all I don't feel bad about the
> one hour I spent doing those two updates.
>
> If you want Postfix as your internet facing MTA for security reasons,
> can't you put up a simple relay machine with Postfix that delivers to a
> MS/Sendmail-machine? Best of both worlds..?

Yep definite possibility...bit expensive (twice) and introduces another
point of failure to worry about.

I think you missed my point. I was advising to USE sendmail instead of
postfix when considering the issues related to postfix/mailscanner
functionally....vs the effort involved in maintaining sendmail....I've
migrated to sendmail...and just accepted the possibility of
security/reliability issues with sendmail (if any arise)

CT

From gioia at bclink.it Mon Dec 15 15:01:56 2003
From: gioia at bclink.it (Gioia Bastioni)
Date: Thu Jan 12 21:21:33 2006
Subject: R: F-prot update script
In-Reply-To: <6.0.1.1.2.20031215142347.037d2530@imap.ecs.soton.ac.uk>
Message-ID:

I'm running the f-prot-autoupdate script,
if I run the update_virus_scanners script I receive no emails, but I wish to
use the f-prot-autoupdate script directly to run separately the updates for
both f-prot and Antivir ..


-----Original Message-----
From: Julian Field [mailto:mailscanner@ecs.soton.ac.uk]
Sent: Monday 15 December 2003 15.25
To: gioia@bclink.it
Cc: mailscanner@jiscmail.ac.uk
Subject: Re: F-prot update script


At 13:52 15/12/2003, you wrote:
>Hi all!
>
>how can I disable the f-prot-autoupdate script option to not send email
>notifications if it did not need to be updated ?
>I wouldn't receive this every hour..
>
>------------------------
>FTP address for retrieving files is ftp://us-3.updates.f-prot.com/pub/
>File SIGN.DEF is already up to date.
>File SIGN2.DEF is already up to date.
>File MACRO.DEF is already up to date.
>Nothing to be done.
>------------------------

Is your cron job calling update_virus_scanners or calling f-prot-autoupdate
directly?

>I've had some experiences with Sophos Antivirus too, and I noticed that it
>downloads new ide files as soon as they were released ..
>it's not possible to have the same feature with other Antivirus software as
>f-prot and Antivir ?!

My sophos-autoupdate script just updates hourly, the same as all the others.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Dec 15 15:07:12 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:33 2006
Subject: R: F-prot update script
In-Reply-To:
References: <6.0.1.1.2.20031215142347.037d2530@imap.ecs.soton.ac.uk>
Message-ID: <6.0.1.1.2.20031215150639.03e77438@imap.ecs.soton.ac.uk>

Search through the script for the logging lines that produce the output you
don't want and comment them out.

At 15:01 15/12/2003, you wrote:
>I'm running the f-prot-autoupdate script,
>if I run the update_virus_scanners script I receive no emails, but I wish to
>use the f-prot-autoupdate script directly to run separately the updates for
>both f-prot and Antivir ..
>
>
>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ecs.soton.ac.uk]
>Sent: Monday 15 December 2003 15.25
>To: gioia@bclink.it
>Cc: mailscanner@jiscmail.ac.uk
>Subject: Re: F-prot update script
>
>
>At 13:52 15/12/2003, you wrote:
> >Hi all!
> >
> >how can I disable the f-prot-autoupdate script option to not send email
> >notifications if it did not need to be updated ?
> >I wouldn't receive this every hour..
> >
> >------------------------
> >FTP address for retrieving files is ftp://us-3.updates.f-prot.com/pub/
> >File SIGN.DEF is already up to date.
> >File SIGN2.DEF is already up to date.
> >File MACRO.DEF is already up to date.
> >Nothing to be done.
> >------------------------
>
>Is your cron job calling update_virus_scanners or calling f-prot-autoupdate
>directly?
>
> >I've had some experiences with Sophos Antivirus too, and I noticed that it
> >downloads new ide files as soon as they were released ..
> >it's not possible to have the same feature with other Antivirus software as
> >f-prot and Antivir ?!
>
>My sophos-autoupdate script just updates hourly, the same as all the others.
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Dec 15 15:08:38 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:33 2006
Subject: Bogus "denial of service" messages, and postdrop not working
In-Reply-To: <200312151528.02031.jacques@monaco.net>
References: <200312151528.02031.jacques@monaco.net>
Message-ID: <6.0.1.1.2.20031215150744.03d19fa0@imap.ecs.soton.ac.uk>

At 14:28 15/12/2003, you wrote:
>Hi,
>
>I'm encountering (surprise ! :-) some new problems. Some legitimate
>messages get their attachments scrubbed by MS with the mention that they
>contain a « denial of service attack ». I looked at the documentation,
>the FAQ, the mailing-list archives (even grepped the source code files
>for the 'DOSAttack' string), to no avail. I can't seem to find what
>triggers those denial of service alerts, and how to deactivate them...

The DOS attack detection happens when either ClamAV thinks the zip file
expands too big, or else the virus scanner (whichever one it is) never
returns within the timeout period it is given to run in (usually 5 or 10
minutes).

>Another problem is that I've thus far failed to reinject a message into
>the queue by conventional means. I quarantine messages with :
>
>Quarantine Infections = yes
>Quarantine Whole Message = yes
>Quarantine Whole Messages As Queue Files = yes
>
>When I use postdrop on a quarantined message, I get a cryptic error
>message :
>
>[root@sceuzi][/var/spool/MailScanner/quarantine/20031213/3CC271B8114]#
>postdrop < 3CC271B8114
>queue_idEB92220C06Bpostdrop: fatal: uid=0: unexpected record type: 67
>
>The only clue I've been able to find is a message where this behaviour
>was attributed to a version discrepancy between postfix and the postdrop
>command. Of course, I double-checked all my commands come from the same
>version, thus I'm in the dark. A postcat on the same file works fine, so
>I've for the moment settled on a script which parses the postcat output
>and reinjects it on the internal Postfix instance, but it's a truly
>lousy solution. Can someone point me to where I should look to get rid
>of this problem ?
>
>BTW, my MailScanner.conf (without comments) is at
>. I don't know
>if it can help in understanding what happens, but then, better safe than
>sorry...
>
>Greets,
>--
>[ Jacques Caruso PHP Developer ]
>[ Monaco Internet http://monaco-internet.mc/ ]
>[ Tel : (+377) 93 10 00 43 PGP key : 0x41F5C63D ]
>[ -*- When the finger points at the moon, the fool looks at the finger -*- ]

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From raymond at PROLOCATION.NET Mon Dec 15 15:11:09 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:33 2006
Subject: R: F-prot update script
In-Reply-To:
Message-ID:

Hi!

> I'm running the f-prot-autoupdate script,
> if I run the update_virus_scanners script I receive no emails, but I wish to
> use the f-prot-autoupdate script directly to run separately the updates for
> both f-prot and Antivir ..

Check your cron job, you can make it noisy there. It's now (default)
directed to /dev/null.

Bye,
Raymond.

From dh at UPTIME.AT Mon Dec 15 15:11:09 2003
From: dh at UPTIME.AT (David Höhn)
Date: Thu Jan 12 21:21:33 2006
Subject: Postfix message duplication - again!
In-Reply-To: <012501c3c31c$221ca8b0$4e19000a@ATLCPW13671>
References: <3FDCC91E.9070902@themarshalls.co.uk> <009201c3c309$ed26a280$4e19000a@ATLCPW13671> <3FDDBD33.2080501@ucgbook.com> <012501c3c31c$221ca8b0$4e19000a@ATLCPW13671>
Message-ID: <3FDDCF0D.1020509@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Chris Trudeau wrote:

| and just accepted the possibility of
| security/reliability issues with sendmail (if any arise)
|

Dear Mister Trudeau.

I can assure you that the likelihood of finding reliability issues with
sendmail is minimal to none. I have been running sendmail for a _very_
long time and even though security might be an issue (as one could
expect with a project that has such a huge, old and grown source base),
I have never had to worry about the reliability of my mail services.

This is just meant to reassure you of your choice.

- -d
- --
nee amata wo mitsukete soshite midoto wasrezu ~ domma mi mumega itakutemo soba mi iru mo ~ zutto...zutto...zutto
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD4DBQE/3c8MPMoaMn4kKR4RA+sRAJj8FLD2CdMU42vmQaibQp0lublFAJ9QPV0A
KBlTyvA3ifHDf+sjj67y7A==
=Oo1I
-----END PGP SIGNATURE-----

From drew at THEMARSHALLS.CO.UK Mon Dec 15 15:22:20 2003
From: drew at THEMARSHALLS.CO.UK (Drew Marshall) Date: Thu Jan 12 21:21:33 2006 Subject: Postfix message duplication - again! In-Reply-To: <012501c3c31c$221ca8b0$4e19000a@ATLCPW13671> References: <3FDCC91E.9070902@themarshalls.co.uk> <009201c3c309$ed26a280$4e19000a@ATLCPW13671> <3FDDBD33.2080501@ucgbook.com> <012501c3c31c$221ca8b0$4e19000a@ATLCPW13671> Message-ID: <41828.194.70.180.170.1071501740.squirrel@net.themarshalls.co.uk> >> > Even with the inherent insecurities and >> > complexities of maintaining sendmail. >> >> Isn't this a little exaggerated these days? If I remember correctly I >> have updated Sendmail twice this year and even if you might want to >> reply that you haven't updated Postfix at all I don't feel bad about the >> one hour I spent doing those two updates. >> >> If you want Postfix as your internet facing MTA for security reasons, >> can't you put up a simple relay machine with Postfix that delivers to a >> MS/Sendmail-machine? Best of both worlds..? > > Yep definite possibility...bit expensive (twice) and introduces another > point of failure to worry about. I have to agree, I wouldn't run both. Seems a mite excessive :) > > I think you missed my point. I was advising to USE sendmail instead of > postfix when considering the issues related to postfix/mailscanner > functionally....vs the effort involved in maintaining sendmail....I've > migrated to sendmail...and just accepted the possibility of > security/reliability issues with sendmail (if any arise) I guess that's the option. It's a shame as I have found Postfix easier to set up and since I last used Sendmail I have made the setup more complex including maildir's, MySQL user list, virtual domains etc. > CT > I have to agree that Julian offers much better support than the Postfix forums and doesn't just enforce the 'that's the way it works' attitude. 
It's just frustrating that two good programs just can't quite 'get it together' in all situations (It worked fine on my Slackware box until I move to Gentoo. No logic really). Drew From jacques at MONACO.NET Mon Dec 15 15:25:17 2003 From: jacques at MONACO.NET (Jacques Caruso) Date: Thu Jan 12 21:21:33 2006 Subject: Bogus "denial of service" messages, and postdrop not working In-Reply-To: <6.0.1.1.2.20031215150744.03d19fa0@imap.ecs.soton.ac.uk> References: <200312151528.02031.jacques@monaco.net> <6.0.1.1.2.20031215150744.03d19fa0@imap.ecs.soton.ac.uk> Message-ID: <200312151625.17026.jacques@monaco.net> Le Lundi 15 D?cembre 2003 16:08, Julian Field a ?crit?: > The DOS attack detection happens when either ClamAV thinks the zip > file expands too big, or else the virus scanner (whichever one it is) > never returns within the timeout period it is given to run in > (usually 5 or 10 minutes). Is there an option to force the delivery of these messages?? Or do I need to modify the source directly?? If so, in what file should I make the changes?? -- [ Jacques Caruso D?veloppeur PHP ] [ Monaco Internet http://monaco-internet.mc/ ] [ T?l : (+377) 93 10 00 43 Cl? PGP : 0x41F5C63D ] [ -*- Quand le doigt montre la lune, l'imb?cile regarde le doigt -*- ] From wppiphoto at wppi.com Mon Dec 15 15:32:19 2003 From: wppiphoto at wppi.com (SW) Date: Thu Jan 12 21:21:33 2006 Subject: Mailscanner not scanning e-mails Message-ID: <00b601c3c320$a0c01ae0$3a95a644@Toshiba> (I'm not sure if this made it to the mailing list...so I'm sending again) Julian, OK, did exactly what you said by making the delivery method = queue it seems that /var/spool/mqueue/q* files seem to have the Mailscanner header added to them. But here is a new problem, the mail is not being delivered. It just sits in the mqueue directory. Can you help? Thanks, SW ----- Original Message ----- 
From: "Julian Field" To: "SW" Sent: Sunday, December 14, 2003 3:53 PM Subject: Re: Mailscanner not scanning e-mails Sounds like it is scanning them. Set the Delivery Method = queue and look in your /var/spool/mqueue/q* files for MailScanner headers (they are text files, you can just "cat" them). You should find any MailScanner headers towards the end of each of the q* files. At 20:09 14/12/2003, you wrote: >Julian, > >Any ideas how to do this? I'm not that verstial w/ sendmail and I don't want >to break something. :-) > >BTW, why does my log files show mailscanner scanning e-mails? Or did I read >them incorrectly: > >Dec 14 13:45:33 ns1 MailScanner[697]: New Batch: Found 6 messages waiting >Dec 14 13:45:33 ns1 MailScanner[697]: New Batch: Scanning 4 messages, 4618 >bytes > >Thanks, > >SW >----- Original Message ----- 
>From: "Julian Field" >To: "SW" >Cc: >Sent: Sunday, December 14, 2003 2:49 PM >Subject: Re: Mailscanner not scanning e-mails > > >If you are running 8.9.3, then MailScanner won't scan mail created by >invoking the sendmail binary directly. You need to tell whatever you are >using to send mail via an SMTP server called localhost. > >At 19:08 14/12/2003, you wrote: > >Julian, > > > >Yeap, you were right. It seemed that in mailscanner.conf, virus scanners = > >I was missing the 's' at the end of scanners. I fixed that and now in my > >logs I see the following: > > > >Dec 14 13:45:22 ns1 MailScanner[697]: MailScanner E-Mail Virus Scanner > >version 4.25-14 starting... > >Dec 14 13:45:23 ns1 sendmail[730]: starting daemon (8.9.3): > >SMTP+queueing@01:00:00 > >Dec 14 13:45:32 ns1 MailScanner[810]: MailScanner E-Mail Virus Scanner > >version 4.25-14 starting... > >Dec 14 13:45:33 ns1 MailScanner[697]: Using locktype = flock > >Dec 14 13:45:33 ns1 MailScanner[697]: New Batch: Found 6 messages waiting > >Dec 14 13:45:33 ns1 MailScanner[697]: New Batch: Scanning 4 messages, 4618 > >bytes > >Dec 14 13:45:33 ns1 MailScanner[697]: Spam Checks: Starting > >Dec 14 13:45:38 ns1 MailScanner[810]: Using locktype = flock > >Dec 14 13:45:42 ns1 MailScanner[819]: MailScanner E-Mail Virus Scanner > >version 4.25-14 starting... > >Dec 14 13:45:43 ns1 MailScanner[697]: RBL Check ORDB-RBL timed out and was > >killed, consecutive failure 1 of 7 > >Dec 14 13:45:49 ns1 MailScanner[819]: Using locktype = flock > >Dec 14 13:45:53 ns1 MailScanner[838]: MailScanner E-Mail Virus Scanner > >version 4.25-14 starting... > >Dec 14 13:45:53 ns1 MailScanner[697]: Virus and Content Scanning: Starting > >Dec 14 13:45:55 ns1 MailScanner[697]: Uninfected: Delivered 4 messages > >Dec 14 13:46:00 ns1 MailScanner[838]: Using locktype = flock > >Dec 14 13:46:02 ns1 MailScanner[870]: MailScanner E-Mail Virus Scanner > >version 4.25-14 starting... 
> >Dec 14 13:46:08 ns1 MailScanner[870]: Using locktype = flock > > > >But still no header info in the e-mails. I think Mailscanner is looking > >somewhere where there are 4 old messges which it scans but are not > >delivered. Does this make any sense? > > > >The RBL check failing is I think due to our firewall which blocks entire IP > >blocks. I need to check what IP it uses and port to allow traffic out/in > >thru our firewall. > > > >Thanks for all the help! > > > >SW > >----- Original Message ----- > >From: "Julian Field" > >To: > >Sent: Sunday, December 14, 2003 1:31 PM > >Subject: Re: Mailscanner not scanning e-mails > > > > > >At 18:03 14/12/2003, you wrote: > > >root 693 0.0 0.0 0 0 ? Z 03:26 0:00 >[MailScanner > > >] > > >root 809 0.0 0.0 0 0 ? Z 03:26 0:00 >[MailScanner > > >] > > >root 813 0.0 0.0 0 0 ? Z 03:26 0:00 >[MailScanner > > >] > > >root 821 0.0 0.0 0 0 ? Z 03:26 0:00 >[MailScanner > > >] > > > >Take a look at MailScanner entries in your maillog. Looks like a > >configuration error. Best idea is to start from a default setup with no > >local tweaks at all, then slowly introduce the extras. > >-- > >Julian Field > >www.MailScanner.info > >Professional Support Services at www.MailScanner.biz > >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 __________________________________ Do you Yahoo!? Free Pop-Up Blocker - Get it now http://companion.yahoo.com/ From mailscanner at ecs.soton.ac.uk Mon Dec 15 15:32:42 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:33 2006
Subject: Bogus "denial of service" messages, and postdrop not working
In-Reply-To: <200312151625.17026.jacques@monaco.net>
References: <200312151528.02031.jacques@monaco.net> <6.0.1.1.2.20031215150744.03d19fa0@imap.ecs.soton.ac.uk> <200312151625.17026.jacques@monaco.net>
Message-ID: <6.0.1.1.2.20031215153134.0a125e10@imap.ecs.soton.ac.uk>

At 15:25 15/12/2003, you wrote:
>On Monday 15 December 2003 16:08, Julian Field wrote:
> > The DOS attack detection happens when either ClamAV thinks the zip
> > file expands too big, or else the virus scanner (whichever one it is)
> > never returns within the timeout period it is given to run in
> > (usually 5 or 10 minutes).
>
>Is there an option to force the delivery of these messages ? Or do I
>need to modify the source directly ? If so, in what file should I make
>the changes ?

How you solve it depends on why it is happening. Are you using
ClamAV, and if so does it complain about expanding a zip file when
you try to scan one of the quarantined attachments?

Or is your virus scanner taking 10 minutes to scan a file?
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Dec 15 15:35:11 2003
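
The two triggers Julian describes in the thread above (an archive that expands past a limit, and a scanner that does not return within its timeout), as an added Python example; it is not MailScanner's or ClamAV's code. The limits, the function names and the stand-in scanner command are assumptions made for illustration.

```python
import io
import subprocess
import sys
import tempfile
import zipfile

# Limits assumed for this example; they are not MailScanner or ClamAV defaults.
MAX_TOTAL_BYTES = 50 * 1024 * 1024   # largest total expansion accepted
MAX_RATIO = 200                      # largest uncompressed/compressed ratio
SCAN_TIMEOUT = 300                   # seconds the scanner may run


def archive_verdict(data, max_total=MAX_TOTAL_BYTES, max_ratio=MAX_RATIO):
    """Classify a zip held in memory as 'ok', 'too-big' or 'not-zip'.

    Only the central directory is read, so nothing is extracted before the
    decision is made. The sizes are the ones the archive declares.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return "not-zip"
    declared = sum(i.file_size for i in infos)
    packed = max(sum(i.compress_size for i in infos), 1)
    if declared > max_total or declared / packed > max_ratio:
        return "too-big"
    return "ok"


def run_scanner(cmd, path, timeout=SCAN_TIMEOUT):
    """Run cmd + [path]; return ('timeout', None) if it does not finish.

    subprocess.run kills the child when the timeout expires, so a hung
    scanner does not hold up the rest of the batch.
    """
    try:
        proc = subprocess.run(cmd + [path], stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout", None
    return "done", proc.returncode


def triage(attachment, scanner_cmd, timeout=SCAN_TIMEOUT, **limits):
    """Apply both checks to one attachment and report which one fired."""
    if archive_verdict(attachment, **limits) == "too-big":
        return "dos: archive expands past limit"
    with tempfile.NamedTemporaryFile(suffix=".bin") as tmp:
        tmp.write(attachment)
        tmp.flush()
        state, code = run_scanner(scanner_cmd, tmp.name, timeout)
    if state == "timeout":
        return "dos: scanner timed out"
    return "scanned: exit code %d" % code


def make_zip(payload):
    """Build a one-member deflated zip in memory (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("blob.bin", payload)
    return buf.getvalue()


# Stand-in "scanners": a Python child that sleeps N seconds, then exits 0.
_SLEEP = "import sys, time; time.sleep(float(sys.argv[1]))"
FAST_SCANNER = [sys.executable, "-c", _SLEEP, "0"]
SLOW_SCANNER = [sys.executable, "-c", _SLEEP, "5"]

if __name__ == "__main__":
    small = make_zip(b"plain text attachment\n")
    bomb = make_zip(b"\0" * 5_000_000)   # about 5 MB of zeros, packs to a few KB
    print(triage(small, FAST_SCANNER, timeout=10))
    print(triage(bomb, FAST_SCANNER))
    print(triage(small, SLOW_SCANNER, timeout=0.5))
```

Telling the two outcomes apart is what answers the question asked in the message above: an archive-size hit calls for a different limit, a timeout calls for a longer timeout or a less loaded scanner.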
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:33 2006 Subject: Mailscanner not scanning e-mails In-Reply-To: <00b601c3c320$a0c01ae0$3a95a644@Toshiba> References: <00b601c3c320$a0c01ae0$3a95a644@Toshiba> Message-ID: <6.0.1.1.2.20031215153338.0a1e9180@imap.ecs.soton.ac.uk> At 15:32 15/12/2003, you wrote: >(I'm not sure if this made it to the mailing list...so I'm sending again) > >Julian, > >OK, did exactly what you said by making the delivery method = queue In your /etc/MailScanner/MailScanner.conf, set Delivery Method = queue instead of the normal Delivery Method = batch This just helps when peering at the outgoing queue as it doesn't tell sendmail to immediately deliver messages that have been processed by MailScanner. >it seems >that /var/spool/mqueue/q* files seem to have the Mailscanner header added to >them. Good, in which case MailScanner is processing all your mail fine. > But here is a new problem, the mail is not being delivered. It just >sits in the mqueue directory. Can you help? See explanation of "batch" versus "queue" above. >Thanks, > >SW >----- Original Message ----- 
>From: "Julian Field" >To: "SW" >Sent: Sunday, December 14, 2003 3:53 PM >Subject: Re: Mailscanner not scanning e-mails > > >Sounds like it is scanning them. Set the Delivery Method = queue and look >in your /var/spool/mqueue/q* files for MailScanner headers (they are text >files, you can just "cat" them). You should find any MailScanner headers >towards the end of each of the q* files. > >At 20:09 14/12/2003, you wrote: > >Julian, > > > >Any ideas how to do this? I'm not that verstial w/ sendmail and I don't >want > >to break something. :-) > > > >BTW, why does my log files show mailscanner scanning e-mails? Or did I read > >them incorrectly: > > > >Dec 14 13:45:33 ns1 MailScanner[697]: New Batch: Found 6 messages waiting > >Dec 14 13:45:33 ns1 MailScanner[697]: New Batch: Scanning 4 messages, 4618 > >bytes > > > >Thanks, > > > >SW > >----- Original Message ----- 
> >From: "Julian Field" > >To: "SW" > >Cc: > >Sent: Sunday, December 14, 2003 2:49 PM > >Subject: Re: Mailscanner not scanning e-mails > > > > > >If you are running 8.9.3, then MailScanner won't scan mail created by > >invoking the sendmail binary directly. You need to tell whatever you are > >using to send mail via an SMTP server called localhost. > > > >At 19:08 14/12/2003, you wrote: > > >Julian, > > > > > >Yeap, you were right. It seemed that in mailscanner.conf, virus scanners >= > > >I was missing the 's' at the end of scanners. I fixed that and now in my > > >logs I see the following: > > > > > >Dec 14 13:45:22 ns1 MailScanner[697]: MailScanner E-Mail Virus Scanner > > >version 4.25-14 starting... > > >Dec 14 13:45:23 ns1 sendmail[730]: starting daemon (8.9.3): > > >SMTP+queueing@01:00:00 > > >Dec 14 13:45:32 ns1 MailScanner[810]: MailScanner E-Mail Virus Scanner > > >version 4.25-14 starting... > > >Dec 14 13:45:33 ns1 MailScanner[697]: Using locktype = flock > > >Dec 14 13:45:33 ns1 MailScanner[697]: New Batch: Found 6 messages waiting > > >Dec 14 13:45:33 ns1 MailScanner[697]: New Batch: Scanning 4 messages, >4618 > > >bytes > > >Dec 14 13:45:33 ns1 MailScanner[697]: Spam Checks: Starting > > >Dec 14 13:45:38 ns1 MailScanner[810]: Using locktype = flock > > >Dec 14 13:45:42 ns1 MailScanner[819]: MailScanner E-Mail Virus Scanner > > >version 4.25-14 starting... > > >Dec 14 13:45:43 ns1 MailScanner[697]: RBL Check ORDB-RBL timed out and >was > > >killed, consecutive failure 1 of 7 > > >Dec 14 13:45:49 ns1 MailScanner[819]: Using locktype = flock > > >Dec 14 13:45:53 ns1 MailScanner[838]: MailScanner E-Mail Virus Scanner > > >version 4.25-14 starting... 
> > >Dec 14 13:45:53 ns1 MailScanner[697]: Virus and Content Scanning: >Starting > > >Dec 14 13:45:55 ns1 MailScanner[697]: Uninfected: Delivered 4 messages > > >Dec 14 13:46:00 ns1 MailScanner[838]: Using locktype = flock > > >Dec 14 13:46:02 ns1 MailScanner[870]: MailScanner E-Mail Virus Scanner > > >version 4.25-14 starting... > > >Dec 14 13:46:08 ns1 MailScanner[870]: Using locktype = flock > > > > > >But still no header info in the e-mails. I think Mailscanner is looking > > >somewhere where there are 4 old messges which it scans but are not > > >delivered. Does this make any sense? > > > > > >The RBL check failing is I think due to our firewall which blocks entire >IP > > >blocks. I need to check what IP it uses and port to allow traffic out/in > > >thru our firewall. > > > > > >Thanks for all the help! > > > > > >SW > > >----- Original Message ----- 
> > >From: "Julian Field" > > >To: > > >Sent: Sunday, December 14, 2003 1:31 PM > > >Subject: Re: Mailscanner not scanning e-mails > > > > > > > > >At 18:03 14/12/2003, you wrote: > > > >root 693 0.0 0.0 0 0 ? Z 03:26 0:00 > >[MailScanner > > > >] > > > >root 809 0.0 0.0 0 0 ? Z 03:26 0:00 > >[MailScanner > > > >] > > > >root 813 0.0 0.0 0 0 ? Z 03:26 0:00 > >[MailScanner > > > >] > > > >root 821 0.0 0.0 0 0 ? Z 03:26 0:00 > >[MailScanner > > > >] > > > > > >Take a look at MailScanner entries in your maillog. Looks like a > > >configuration error. Best idea is to start from a default setup with no > > >local tweaks at all, then slowly introduce the extras. > > >-- > > >Julian Field > > >www.MailScanner.info > > >Professional Support Services at www.MailScanner.biz > > >MailScanner thanks transtec Computers for their support > > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > >-- > >Julian Field > >www.MailScanner.info > >Professional Support Services at www.MailScanner.biz > >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > >__________________________________ >Do you Yahoo!? >Free Pop-Up Blocker - Get it now >http://companion.yahoo.com/ -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From dnsadmin at 1BIGTHINK.COM Mon Dec 15 15:45:09 2003 
From: dnsadmin at 1BIGTHINK.COM (DNSAdmin)
Date: Thu Jan 12 21:21:33 2006
Subject: MailScanner/SpamAssassin on RaQ3; help?!
Message-ID: <5.2.1.1.0.20031215104430.04bd1858@mail.1bigthink.com>

Hello All,

I have MailScanner and SpamAssassin installed on a RaQ3 and performing okay,
believe it or not! It was a very complicated install. It took me a week to
figure out how it was working even with some background, but still don't know
how to tweak it the way I want.

The problem is that I cannot get SpamAssassin to work except for plugging it
in through a procmailrc script:

DROPPRIVS=yes
#
:0fw
* < 256000
| spamc

This script forces mail through spamc which connects to the spamd daemon in
performing my spam checks. However, this setup does not allow for any global
configurations through the MailScanner facility. All my configuration options
have to be set at the user account level in ~*/.spamassassin/user_prefs.

Ultimately, I would like to affect global configurations at the MailScanner
level and then override configurations on individual accounts at
~*/.spamassassin/user_prefs.

I'm sure this is probably specific to the Cobalt OS. Can anyone help?

Thanks,
Glenn Parsons

From gioia at bclink.it Mon Dec 15 16:11:30 2003
From: gioia at bclink.it (Gioia Bastioni)
Date: Thu Jan 12 21:21:33 2006
Subject: R: R: F-prot update script
In-Reply-To:
Message-ID:

/opt/MailScanner/lib/f-prot-autoupdate 1> /dev/null

thanks Raymond and thanks Julian !
Bye

-----Original Message-----
From: Raymond Dijkxhoorn [mailto:raymond@prolocation.net]
Sent: Monday 15 December 2003 16.11
To: Gioia Bastioni
Cc: MAILSCANNER@jiscmail.ac.uk
Subject: Re: R: F-prot update script

Hi!

> I'm running the f-prot-autoupdate script,
> if I run the update_virus_scanners script I receive no emails, but I wish to
> use the f-prot-autoupdate script directly to run separately the updates for
> both f-prot and Antivir ..

Check your cron job, you can make it noisy there. It's now (default)
directed to /dev/null.

Bye,
Raymond.

From jacques at MONACO.NET Mon Dec 15 16:16:39 2003
From: jacques at MONACO.NET (Jacques Caruso)
Date: Thu Jan 12 21:21:33 2006
Subject: Bogus "denial of service" messages, and postdrop not working
In-Reply-To: <6.0.1.1.2.20031215153134.0a125e10@imap.ecs.soton.ac.uk>
References: <200312151528.02031.jacques@monaco.net> <200312151625.17026.jacques@monaco.net> <6.0.1.1.2.20031215153134.0a125e10@imap.ecs.soton.ac.uk>
Message-ID: <200312151716.39574.jacques@monaco.net>

[repost. Sorry, my mailer sent the message at the wrong address]

On Monday 15 December 2003 16:32, Julian Field wrote:
> How you solve it depends on why it is happening. Are you using
> ClamAV, and if so does it complain about expanding a zip file when

Yes, I am using ClamAV version 0.60+CVS20030916

> you try to scan one of the quarantined attachments?
>
> Or is your virus scanner taking 10 minutes to scan a file?

No, but I've greatly reduced the timeout (and the incriminated
attachment was over 10 MB, which of course took too much time to scan).
The server is quite overloaded, and I don't want to have batches of
messages lingering there while new messages clog up the queue.

Probably the best solution (short of upgrading the server) would be to
avoid scanning large messages (IIRC, SpamAssassin has this very
behaviour). Is there a way to prevent messages over a certain size to be
passed through the antivirus scanner ?

--
[ Jacques Caruso PHP Developer ]
[ Monaco Internet http://monaco-internet.mc/ ]
[ Tel : (+377) 93 10 00 43 PGP key : 0x41F5C63D ]
[ -*- When the finger points at the moon, the fool looks at the finger -*- ]

From TGFurnish at HERFF-JONES.COM Mon Dec 15 16:42:05 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:21:33 2006
Subject: Yahoo Developing Open Source Server Software For Spam-Resista nt E-Mail
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF037335CE@inex1.herffjones.hj-int>

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: Saturday, December 13, 2003 5:14 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Yahoo Developing Open Source Server Software For > Spam-Resista nt E-Mail > > > At 17:45 12/12/2003, you wrote: > >Furnish, Trever G wrote: > >>I for one would be quite willing to consider the ability to > send email as > >>domains you aren't authoritative for as a casualty of war. > > I think all of the (possibly millions) of people around the > world who own a > domain while not owning an outgoing mail server would disagree. I am operating under the assumption that if you own a domain, then you will have the authority and capability to control which servers are designated as mail senders within your domain, even if your domain is hosted by an ISP. You seem to be making the exact opposite assumption (and you may be right, given that I've seen no technical details on this implementation). Not allowing for such a set-up would indeed make such a system next to worthless. Again though, more technical details on the implementation are needed. -- Trever From Kevin_Miller at CI.JUNEAU.AK.US Mon Dec 15 17:05:58 2003 
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:21:33 2006 Subject: Blindsided... Message-ID: <08146035CA49D6119A36009027AC822A0264EB82@CITY-EXCH-NTS> I got a note from a user that she had been unsubscribed from HTMLQUICKNEWS from cnn. I have an iframe.whitelist.rules which I've edited so future emails can pass, but it would have been handy if postmaster (or even she) had gotten a notice from MS to the effect that these were being filtered. She'll probably have to resubscribe. She got several notices, but ignored the first couple. With so much nonsense coming into users mailboxes these days (even w/the filters up) I can understand why she didn't pay much attention but it would have been nice to have been told after the first notice. Sigh. I checked the logs this morning, but that's tedious and it's easy to miss things. If there was an automatic notice then when a non-whitelisted iframe tag or whatever comes through, the mail administrator or user would immediately know it, and could either whitelist it or not depending on the appropriateness rather than waiting for the user to get a notice (if one actually comes) from the originator. I used to get a lot of object-codebase tags, until I upgraded to the 4.25-14. Now I disarm them (which is great) and no more messages in the postmaster mailbox. I also used to allow all i-frames but now whitelist them which is just dapper too. For those not whitelisted a message to the postmaster would have been quite handy. Or maybe there's a way to do that already & I'm just a bonehead? Thanks... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From mailscanner at ecs.soton.ac.uk Mon Dec 15 17:40:36 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:33 2006 Subject: Blindsided... In-Reply-To: <08146035CA49D6119A36009027AC822A0264EB82@CITY-EXCH-NTS> References: <08146035CA49D6119A36009027AC822A0264EB82@CITY-EXCH-NTS> Message-ID: <6.0.1.1.2.20031215173937.03c6ce38@imap.ecs.soton.ac.uk> At 17:05 15/12/2003, you wrote: >I also used to allow all i-frames but now whitelist >them which is just dapper too. For those not whitelisted a message to the >postmaster would have been quite handy. Or maybe there's a way to do that >already & I'm just a bonehead? Just auto-filter your postmaster notices based on some strings in the body of the message, as well as just using the headers. The message report is in the notice, you just need to use it. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Mon Dec 15 17:38:48 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:33 2006 Subject: Yahoo Developing Open Source Server Software For Spam-Resista nt E-Mail In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF037335CE@inex1.herffjones. hj-int> References: <8FFC76593085ED4A80D3601BC41EFCDF037335CE@inex1.herffjones.hj-int> Message-ID: <6.0.1.1.2.20031215173348.03c1c8b0@imap.ecs.soton.ac.uk> At 16:42 15/12/2003, you wrote: > > -----Original Message----- 
> > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > Sent: Saturday, December 13, 2003 5:14 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Yahoo Developing Open Source Server Software For > > Spam-Resista nt E-Mail > > > > > > At 17:45 12/12/2003, you wrote: > > >Furnish, Trever G wrote: > > >>I for one would be quite willing to consider the ability to > > send email as > > >>domains you aren't authoritative for as a casualty of war. > > > > I think all of the (possibly millions) of people around the > > world who own a > > domain while not owning an outgoing mail server would disagree. > >I am operating under the assumption that if you own a domain, >then you will have the authority and capability to control >which servers are designated as mail senders within your domain, >even if your domain is hosted by an ISP. You seem to be making >the exact opposite assumption (and you may be right, given that >I've seen no technical details on this implementation). Your assumption is fine for little ISPs. But what about the Yahoos and AOLs of this world? They would have to manage thousands and thousands of domains for their customers. They are also using dynamic IP allocation, so they would have to allow all their IP addresses to send mail as coming from any customer-owned domain name. So user1 has "friendly.com" and user2 is a spammer. User2 can send mail from "friendly.com" and there's not much you can do to stop him. The only chance is to change all the DNS records, saying who can send what from where, every time a user logs in and logs out. Impossible. I have yet to see any solution to this problem which (a) actually works, even in theory (most are based on broken logic) (b) scales to large ISPs >Not allowing for such a set-up would indeed make such a system >next to worthless. Again though, more technical details on the >implementation are needed. 
> >-- >Trever -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From Kevin_Miller at CI.JUNEAU.AK.US Mon Dec 15 17:36:25 2003 From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:21:33 2006 Subject: Slightly OT: humor Message-ID: <08146035CA49D6119A36009027AC822A0264EB84@CITY-EXCH-NTS> Just something to brighten a Monday morning. I got an email the other day (at home) advertising a spam filter. The subject: "Stop email just like this one". Nothing like truth in advertising I guess... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From michele at BLACKNIGHTSOLUTIONS.COM Mon Dec 15 17:38:45 2003 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:21:33 2006 Subject: Slightly OT: humor In-Reply-To: <08146035CA49D6119A36009027AC822A0264EB84@CITY-EXCH-NTS> Message-ID: Heh Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Kevin Miller > Sent: 15 December 2003 17:36 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Slightly OT: humor > > > Just something to brighten a Monday morning. I got an email the other day > (at home) advertising a spam filter. The subject: "Stop email just like > this one". > > Nothing like truth in advertising I guess... > > ...Kevin > -- > Kevin Miller Registered Linux User No: 307357 > CBJ MIS Dept. Network Systems Administrator, Mail > Administrator > 155 South Seward Street ph: (907) 586-0242 > Juneau, Alaska 99801 fax: (907 586-4500 > From dustin.baer at IHS.COM Mon Dec 15 17:38:22 2003 
From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:21:33 2006 Subject: Blindsided... References: <08146035CA49D6119A36009027AC822A0264EB82@CITY-EXCH-NTS> Message-ID: <3FDDF18E.B1968984@ihs.com> Kevin Miller wrote: > > I got a note from a user that she had been unsubscribed from HTMLQUICKNEWS > from cnn. I have an iframe.whitelist.rules which I've edited so future > emails can pass, but it would have been handy if postmaster [had gotten a > notice from MS] Doesn't setting the following do this? I (postmaster) am notified of all IFrame quarantined messages. # Notify the local system administrators ("Notices To") when any infections # are found? # This can also be the filename of a ruleset. Send Notices = yes > (or even she) > had gotten a notice from MS to the effect that these were being filtered. Doesn't one of the "Notify Senders..." config entries do this? I see logs of IFrames that were quarantined, but the user was notified. > Or maybe there's a way to do that already & I'm just a bonehead? Check the above settings, and see what happens. I am using 4.23-11 Dustin From steve.swaney at FSL.COM Mon Dec 15 17:41:16 2003 From: steve.swaney at FSL.COM (Stephen Swaney) Date: Thu Jan 12 21:21:33 2006 Subject: Slightly OT: humor In-Reply-To: <08146035CA49D6119A36009027AC822A0264EB84@CITY-EXCH-NTS> Message-ID: <20031215174113.E9AC921C293@mail.fsl.com> Sally, I don't know why but the credit card transaction has been declined. I'd like to know why if you can find out I'd appreciate it. Thanks, Steve Transaction 516224685 has been DECLINED by the system. Below is a summary: Transaction ID: 516224685 Payment Method: XXXX7466 Amount: 240.00 Customer Name: Sally Pryor Do not click the BACK button on your browser to enter a new transaction. Click here to enter a new transaction Stephen Swaney President Fortress Systems Ltd. Phone: 202 338-1670 Fax: 202 448-2969 steve.swaney@fsl.com > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Kevin Miller > Sent: Monday, December 15, 2003 12:36 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Slightly OT: humor > > Just something to brighten a Monday morning. I got an email the other day > (at home) advertising a spam filter. The subject: "Stop email just like > this one". > > Nothing like truth in advertising I guess... > > ...Kevin > -- > Kevin Miller Registered Linux User No: 307357 > CBJ MIS Dept. Network Systems Administrator, Mail > Administrator > 155 South Seward Street ph: (907) 586-0242 > Juneau, Alaska 99801 fax: (907 586-4500 From prandal at HEREFORDSHIRE.GOV.UK Mon Dec 15 17:43:06 2003 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:21:33 2006 Subject: Slightly OT: humor Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3E1@jessica.herefordshire.gov.uk> Just after I started implementing MailScanner here I got an email from a vendor trying to sell me some proprietary software to do the same thing. At the bottom of the email was a notice asking me to click on the link below to reclassify the message as spam/nonspam. The link in question started: http://192.168. They got a curt reply back suggesting that if they wanted to make any sales they should learn how to configure the product they were peddling. Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Kevin Miller > Sent: 15 December 2003 17:36 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Slightly OT: humor > > > Just something to brighten a Monday morning. I got an email > the other day > (at home) advertising a spam filter. The subject: "Stop > email just like > this one". > > Nothing like truth in advertising I guess... > > ...Kevin > -- > Kevin Miller Registered Linux User No: 307357 > CBJ MIS Dept. Network Systems Administrator, Mail > Administrator > 155 South Seward Street ph: (907) 586-0242 > Juneau, Alaska 99801 fax: (907 586-4500 > From steve.swaney at FSL.COM Mon Dec 15 17:55:05 2003 From: steve.swaney at FSL.COM (Stephen Swaney) Date: Thu Jan 12 21:21:33 2006 Subject: Slightly OT: humor In-Reply-To: <20031215174113.E9AC921C293@mail.fsl.com> Message-ID: <20031215175504.EC28B21C293@mail.fsl.com> Sorry for this post. Obviously something went amiss. Stephen Swaney President Fortress Systems Ltd. steve.swaney@fsl.com > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Stephen Swaney > Sent: Monday, December 15, 2003 12:41 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Slightly OT: humor > > Sally, > > I don't know why but the credit card transaction has been declined. I'd > like > to know why if you can find out I'd appreciate it. > > Thanks, > > Steve > > Transaction 516224685 has been DECLINED by the system. > > > > > -----Original Message----- 
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > Behalf Of Kevin Miller > > Sent: Monday, December 15, 2003 12:36 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Slightly OT: humor > > > > Just something to brighten a Monday morning. I got an email the other > day > > (at home) advertising a spam filter. The subject: "Stop email just > like > > this one". > > > > Nothing like truth in advertising I guess... > > > > ...Kevin > > -- > > Kevin Miller Registered Linux User No: 307357 > > CBJ MIS Dept. Network Systems Administrator, Mail > > Administrator > > 155 South Seward Street ph: (907) 586-0242 > > Juneau, Alaska 99801 fax: (907 586-4500 From nick at TTP.CO.UK Mon Dec 15 18:05:13 2003 From: nick at TTP.CO.UK (Nick Thompson) Date: Thu Jan 12 21:21:33 2006 Subject: Install or Not Message-ID: I am trying to (re) install MailScanner 4.26-1 on a Raq4, after deleting it because my version of sendmail was not up to date. Although I have deleted all the MailScanner files I can find, when I run install.sh I get a message: package mailscanner 4.26-1 is already installed. Is there any way I can force the installation, or where is it finding the reference saying it's already installed ? Thanks in advance Nick Thompson From rcooper at DIMENSION-FLM.COM Mon Dec 15 18:17:18 2003 
From: rcooper at DIMENSION-FLM.COM (Rick Cooper) Date: Thu Jan 12 21:21:33 2006 Subject: R: F-prot update script In-Reply-To: <6.0.1.1.2.20031215150639.03e77438@imap.ecs.soton.ac.uk> Message-ID:

It would appear from looking at the code that he should be able to call the script with the cron or quiet options (as with the standard f-prot autoupdate)

foreach (@ARGV) {
  if (/cron/i) { $cron = 1; }
  elsif (/quiet/i) { $quiet = 1; }
  else { BailOut("Invalid command-line option \"$_\""); }
}

but when you use quiet||cron you get

Installation dir "quiet||cron" does not exist!
Cannot cd quiet||cron, No such file or directory at ./f-prot-autoupdate line 361.

because of the use of shift on line 38 (checking for the update_virus_scanners supplied PackageDir)

I have attached a patch that will let the script function as intended with the following command line convention. If you are calling the script with a non-standard package dir (not /usr/local/f-prot) then it must come first (to maintain compatibility with update_virus_scanners) with the "quiet" or "cron" option following:

/opt/MailScanner/lib/f-prot-autoupdate /some/other/dir cron|quiet

if the package dir is /usr/local/f-prot then

/opt/MailScanner/lib/f-prot-autoupdate cron|quiet

cron option = don't print to stderr unless there is an error or an update
quiet option = don't print to stderr unless there is an error

(the patch also fixes the "Nothing to be done" message so it doesn't print with the quiet option)

Something I noticed but did not "fix" because I didn't know if it was on purpose or not: the update_virus_scanners script logs to mail.info but the f-prot autoupdate script just logs to info so it ends up in the standard syslog (messages for me), and it also doesn't log quite the same info so it's not aligned... if that is a mistake then changing line 231 to

Sys::Syslog::syslog('mail.info', $updated?"update.virus.scanners: F-Prot successfully updated.":"update.virus.scanners: F-Prot did not need updating.");

addresses both of those issues

> -----Original Message----- 
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: Monday, December 15, 2003 10:07 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: R: F-prot update script > > > Search through the script for the logging lines that > produce the output you > don't want and comment them out. > > At 15:01 15/12/2003, you wrote: > >I'm running the f-prot-autoupdate script, > >if I run the update_virus_scanners script I receive > no emails, but I wish to > >use the f-prot-autoupdate script directly to run > separately the updates for > >both f-prot and Antivir .. > > > > > >-----Original Message----- > >From: Julian Field [mailto:mailscanner@ecs.soton.ac.uk] > >Sent: Monday 15 December 2003 15.25 > >To: gioia@bclink.it > >Cc: mailscanner@jiscmail.ac.uk > >Subject: Re: F-prot update script > > > > > >At 13:52 15/12/2003, you wrote: > > >Hi all! > > > > > >how can I disable the f-prot-autoupdate script > option to not send email > > >notifications if it did not need to be updated ? > > >I wouldn't receive this every hour.. > > > > > >------------------------ > > >FTP address for retrieving files is > ftp://us-3.updates.f-prot.com/pub/ > > >File SIGN.DEF is already up to date. > > >File SIGN2.DEF is already up to date. > > >File MACRO.DEF is already up to date. > > >Nothing to be done. > > >------------------------ > > > >Is your cron job calling update_virus_scanners or > calling f-prot-autoupdate > >directly? > > > > >I've had some experiences with Sophos Antivirus > too, and I noticed that it > > >downloads new ide files as soon as they were released .. > > >it's not possible to have the same feature with > other Antivirus software as > > >f-prot and Antivir ?! > > > >My sophos-autoupdate script just updates hourly, the > same as all the others. 
> >-- > >Julian Field > >www.MailScanner.info > >MailScanner thanks transtec Computers for their support > > > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 > 5947 1415 B654 > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 > 1415 B654 > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- A non-text attachment was scrubbed... Name: fpauto.patch Type: application/octet-stream Size: 343 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031215/f5e45bf6/fpauto.obj From mailscanner at ecs.soton.ac.uk Mon Dec 15 18:31:27 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:33 2006 Subject: Install or Not In-Reply-To: References: Message-ID: <6.0.1.1.2.20031215183037.0281c1d0@imap.ecs.soton.ac.uk> At 18:05 15/12/2003, you wrote: >I am trying to (re) install MailScanner 4.26-1 on a Raq4, after deleting >it because my version of sendmail was not up to date. > >Although I have deleted all the MailScanner files I can find, when I run >install.sh I get a message: > >package mailscanner 4.26-1 is already installed. > >Is there any way I can force the installation, or where is it finding the >reference saying it's already installed ? You should have removed MailScanner by using "rpm -e" commands to remove the packages. Do rpm -e mailscanner -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From ka at PACIFIC.NET Mon Dec 15 18:46:30 2003 
From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:21:33 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <6.0.1.1.2.20031213102117.04f14d68@imap.ecs.soton.ac.uk> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3D5@jessica.herefordshire.gov.uk> <1071248959.3568.14.camel@localhost.localdomain> <6.0.1.1.2.20031212172756.07d818b0@imap.ecs.soton.ac.uk> <6.0.1.1.2.20031213102117.04f14d68@imap.ecs.soton.ac.uk> Message-ID: <3FDE0186.6060208@pacific.net> Seeing a false positive from a weatherbug spam using this re. > /%([01][0-9a-f]|7f).*@/i It's coming from this mailto link: mailto:community@isabel.weatherbug.com?Subject=Photo%20Submission&Body=Step%201%20-%20Safely%20take%20photos%20you%27d%20like%20to%20share%20with%20the%20community%20before%2C%20during%20or%20after%20the%20storm.%0D%0A%0D%0AStep%202%20-%20Send%20this%20email%20with%20your%20photos%20attached%20to%3A%20community@isabel.weatherbug.com Any ideas? Thanks, Ken A. Pacific.Net Julian Field wrote: > At 17:29 12/12/2003, you wrote: > >> At 17:09 12/12/2003, you wrote: >> >>> On Fri, 2003-12-12 at 03:47, Randal, Phil wrote: >>> > RFC 2396 (http://www.faqs.org/rfcs/rfc2396.html) generalises URIs. >>> >>> I only skimmed the spec. But what I gathered, unless I completely >>> misunderstood the document is that characters from %00 through %1F >>> inclusive and %7F are control characters and shouldn't be in a URI. >>> >>> Although they are disallowed within the URI syntax, we include here a >>> description of those US-ASCII characters that have been excluded and >>> the reasons for their exclusion. >>> >>> The control characters in the US-ASCII coded character set are not >>> used within a URI, both because they are non-printable and because >>> they are likely to be misinterpreted by some control mechanisms. >>> >>> control = >>> >>> So how much trouble would we cause if we just disallowed the entire >>> range of control characters from URIs? 
Can anyone think of a real >>> website >>> that legitimately uses any of these control codes within their URIs? I'm >>> particularly concerned about shopping sites with their massive URIs. >> >> >> Sounds good to me. > > > The pattern for matching this is therefore > > /%([01][0-9a-f]|7f).*@/i > > so add this to spam.assassin.prefs.conf: > > uri IE_VULN /%([01][0-9a-f]|7f).*@/i > score IE_VULN 100.0 > describe IE_VULN Internet Explorer vulnerability > > and then restart MailScanner. > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > From Kevin_Miller at CI.JUNEAU.AK.US Mon Dec 15 18:55:25 2003 
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:21:33 2006 Subject: Blindsided... Message-ID: <08146035CA49D6119A36009027AC822A0264EB88@CITY-EXCH-NTS> OK. I guess I'll eat crow for breakfast this morning. I waded through old warnings and discovered the following: ============================================================================ ==== The following e-mail messages were found to have viruses in them: Sender: owner-htmlquicknews*some_user**ci*-juneau*-ak*-us@cnnimail23.cnn.com IP Address: 64.236.25.79 Recipient: some_user@ci.juneau.ak.us Subject: Vaccine runs low with flu peak yet to come MessageID: hBBBJZXX021840 Report: MailScanner: Found dangerous IFrame tag in HTML message Full headers are: Return-Path: Received: from cnnimail22.cnn.com (cnnimail22.cnn.com [64.236.25.79]) by mis-mxg-lnx.ci.juneau.ak.us (8.12.3/8.12.3/SuSE Linux 0.6) with SMTP id hBBBJZXX021840 for ; Thu, 11 Dec 2003 02:20:52 -0900 Message-Id: <200312111120.hBBBJZXX021840@mis-mxg-lnx.ci.juneau.ak.us> Received: from cnnimail23 (cnnimail23.turner.com) by cnnimail22.cnn.com (LSMTP for Windows NT v1.1b) with SMTP id <23.00016276@cnnimail22.cnn.com>; Thu, 11 Dec 2003 6:18:10 -0500 X-mailed-to: some_user@CI.JUNEAU.AK.US From: CNN AM QuickNews To: some_user@CI.JUNEAU.AK.US Date: Thu, 11 Dec 2003 06:18:06 -0500 Subject: Vaccine runs low with flu peak yet to come Content-type: text/html ============================================================================ ==== I didn't think I was getting iframe warnings, but obviously I am, so I guess I was just asleep at the wheel. What else is new? Sorry, & thanks for the quick responses... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 >-----Original Message----- 
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Monday, December 15, 2003 8:41 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Blindsided... > > >At 17:05 15/12/2003, you wrote: >>I also used to allow all i-frames but now whitelist >>them which is just dapper too. For those not whitelisted a >message to the >>postmaster would have been quite handy. Or maybe there's a >way to do that >>already & I'm just a bonehead? > >Just auto-filter your postmaster notices based on some strings >in the body >of the message, as well as just using the headers. The message >report is in >the notice, you just need to use it. >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From kevins at BMRB.CO.UK Mon Dec 15 19:00:22 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:21:33 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB00188B935@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB00188B935@pascal.priv.bmrb.co.uk> Message-ID: <1071514822.8053.28.camel@bach.kevinspicer.co.uk> On Mon, 2003-12-15 at 18:46, Ken Anderson wrote: >Seeing a false positive from a weatherbug spam using this re. > > /%([01][0-9a-f]|7f).*@/i Hmmm, perhaps.... /%^[^?]*([01][0-9a-f]|7f).*@/i If my brains working right this will only match if the %01 comes before the first ? (which marks the end of the address part of the URL) From mailscanner at SMITS.CO.UK Tue Dec 16 00:44:47 2003 
From: mailscanner at SMITS.CO.UK (Bart J. Smit) Date: Thu Jan 12 21:21:33 2006 Subject: Migrate bayes database to new machine Message-ID: <000c01c3c36d$e7d05e70$1c06a8c0@bart> I have built a new MS machine to relieve the strain on the humble hardware of the old relay. Prior to cutting over, I would like to migrate the bayes database to give the new box a running start. I tried these commands: on the old box: sa-learn --dump all > /tmp/badump copy this file to the new box and do: sa-learn --import /tmp/badump This comes back with: # bayes upgrade_old_dbm_files: unable to find bayes_toks and bayes_seen, stopping I have tried with pointing both sa-learn commands to their respective database paths (/root/.spammassasin/bayes) and preferences (/etc/MailScanner/spam.assassin.prefs.conf). I have rebuilt the latest spamassasin (2.61-1) from source RPM and upgraded it on both boxes, but still I get the error. I'm obviously missing something simple. Any clues? Bart... -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031216/6f85ebc8/attachment.html From dan.farmer at PHONEDIR.COM Mon Dec 15 19:36:24 2003 
From: dan.farmer at PHONEDIR.COM (Dan Farmer) Date: Thu Jan 12 21:21:33 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <1071514822.8053.28.camel@bach.kevinspicer.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB00188B935@pascal.priv.bmrb.co.uk> <1071514822.8053.28.camel@bach.kevinspicer.co.uk> Message-ID: On Dec 15, 2003, at 12:00 PM, Kevin Spicer wrote: > On Mon, 2003-12-15 at 18:46, Ken Anderson wrote: > >> Seeing a false positive from a weatherbug spam using this re. >>> /%([01][0-9a-f]|7f).*@/i > > Hmmm, perhaps.... > > /%^[^?]*([01][0-9a-f]|7f).*@/i ^- shouldn't the % stay here? /^[^?]*%(.... > > If my brains working right this will only match if the %01 comes before > the first ? (which marks the end of the address part of the URL) > From kevins at BMRB.CO.UK Mon Dec 15 19:54:06 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:21:33 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB00188B938@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB00188B938@pascal.priv.bmrb.co.uk> Message-ID: <1071518046.8055.34.camel@bach.kevinspicer.co.uk> On Mon, 2003-12-15 at 19:36, Dan Farmer wrote: >> /%^[^?]*([01][0-9a-f]|7f).*@/i ^- shouldn't the % stay here? >/^[^?]*%(.... Yes, (dunno about my brains working, but I need to do something about my eyesight and fingers!) So to be clear that should have been.... /^[^?]*%([01][0-9a-f]|7f).*@/i From ugob at CAMO-ROUTE.COM Mon Dec 15 20:12:10 2003 
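The three rule patterns posted in this thread, checked against sample URLs in Python (an added example, not part of any poster's message; Python's `re` handles these constructs the same way Perl does). The mailto link is the one Ken Anderson quoted, with the archive's line-wrap spaces removed; every other URL is constructed for the test.

```python
import re

# The "uri" rule bodies quoted in the thread, in the order they were posted.
PATTERNS = {
    "original": re.compile(r"%([01][0-9a-f]|7f).*@", re.I),
    "mistyped": re.compile(r"%^[^?]*([01][0-9a-f]|7f).*@", re.I),
    "anchored": re.compile(r"^[^?]*%([01][0-9a-f]|7f).*@", re.I),
}

SAMPLES = {
    # From the thread: control escapes (%0D%0A) sit in the query, '@' follows later.
    "weatherbug_mailto": (
        "mailto:community@isabel.weatherbug.com?Subject=Photo%20Submission"
        "&Body=Step%201%20-%20Safely%20take%20photos%20you%27d%20like%20to%20"
        "share%20with%20the%20community%20before%2C%20during%20or%20after%20the%20"
        "storm.%0D%0A%0D%0AStep%202%20-%20Send%20this%20email%20with%20your%20"
        "photos%20attached%20to%3A%20community@isabel.weatherbug.com"
    ),
    # Constructed: control escape ahead of '@', the shape the rule is meant to catch.
    "control_before_at": "http://www.example.com%01@192.0.2.10/index.html",
    # Constructed: same shape with DEL, upper-case hex (the rule is case-insensitive).
    "del_before_at": "http://www.example.com%7F@192.0.2.10/",
    # Constructed: ordinary userinfo, no escapes at all.
    "plain_userinfo": "ftp://anonymous@ftp.example.org/pub/",
    # Constructed: escape before '?', '@' only after it.
    "control_in_path_at_in_query": "http://www.example.org/a%0Ab?to=user@example.org",
}

CONTROL_ESCAPE = re.compile(r"%(?:[01][0-9a-f]|7f)", re.I)


def first_control_escape(url):
    """Return (escape, in_query) for the first %00-%1F or %7F escape, else None."""
    m = CONTROL_ESCAPE.search(url)
    if m is None:
        return None
    q = url.find("?")
    return m.group(0), q != -1 and m.start() > q


def compare():
    """Map sample name -> (original, mistyped, anchored) match results."""
    return {
        name: tuple(bool(p.search(url)) for p in PATTERNS.values())
        for name, url in SAMPLES.items()
    }


if __name__ == "__main__":
    print(f"{'sample':30} original mistyped anchored  first control escape")
    for name, hits in compare().items():
        flags = " ".join(f"{str(h):8}" for h in hits)
        print(f"{name:30} {flags}  {first_control_escape(SAMPLES[name])}")
```

The mistyped pattern matches nothing, because `^` placed after `%` can never succeed, so loading it would silently disable the rule. The anchored pattern only requires the escape to precede the first `?`; the `.*` that follows can still reach an `@` in the query, as the last sample shows.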
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:21:33 2006 Subject: Ignore outbound mail Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE2A0@mtlnt501fs.CAMOROUTE.COM> Ok, Julian. I'll post that one on the FAQs as soon as my end-of-semester-student-life allows me to :). And I volunteer for the FAQ maintainer, as my time allows, but I can do at least the rulesets. It bugs me to see you repeating all the time. Thanks, Ugo > -----Original Message----- > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: Monday, December 15, 2003 4:28 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Ignore outbound mail > > > At 09:12 15/12/2003, you wrote: > >I know I've asked this in the distant past, at which point I > don't think > >it was possible. However, I'd still very much like to have > MailScanner > >completely ignore mail generated on localhost. The machine doesn't > >accept mail from users, but I do have a large daily mailing that goes > >out every night, and the mailing takes far too long and > causes MS/SA to > >use far too many resources. > > > >I was planning on moving all mail clients off to another machine so I > >could run without MS on this server, but it just isn't > practical. So I'd > >like to revisit this if I may. > > > >Van > > > >Currently running MailScanner 4.23-11, but I suppose I could upgrade > >easily enough if that would help. > > Yet another ruleset application. > > In MailScanner.conf set this: > > Virus Scanning = /etc/MailScanner/rules/not.localhost.rules > Spam Checks = /etc/MailScanner/rules/not.localhost.rules > > and then in /etc/MailScanner/rules/not.localhost.rules put this: > > From: 127.0.0.1 no 
> From: 10.11.12.13 no > FromOrTo: default yes > > (where the IP address of the server is 10.11.12.13). > > Simple as that. > > We should start collecting these together into a lovely great > library of > example ruleset applications. Another job for a part-time FAQ > maintainer/author perhaps? Any offers? It would really help > and requires no > great programming knowledge or anything like that. > > Thanks folks! > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From TGFurnish at HERFF-JONES.COM Mon Dec 15 20:43:59 2003 
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:21:33 2006 Subject: Yahoo Developing Open Source Server Software For Spam-Resista nt E-Mail Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF037335CF@inex1.herffjones.hj-int> > > > At 17:45 12/12/2003, you wrote: > > > >Furnish, Trever G wrote: > > > >>I for one would be quite willing to consider the ability to > > > send email as > > > >>domains you aren't authoritative for as a casualty of war. > > > > > > Julian wrote: > > > I think all of the (possibly millions) of people around the > > > world who own a > > > domain while not owning an outgoing mail server would disagree. > > > >I am operating under the assumption that if you own a domain, > >then you will have the authority and capability to control > >which servers are designated as mail senders within your domain, > >even if your domain is hosted by an ISP. You seem to be making > >the exact opposite assumption (and you may be right, given that > >I've seen no technical details on this implementation). > > Your assumption is fine for little ISPs. But what about the > Yahoos and AOLs > of this world? They would have to manage thousands and > thousands of domains > for their customers. They are also using dynamic IP > allocation, so they > would have to allow all their IP addresses to send mail as > coming from any > customer-owned domain name. I respect your opinion, Julian, but I'm either not understanding you or we just don't agree on this point. :-) In any event, thanks for continuing the discussion. I take it you feel that if you obtain smtp relaying service through, e.g. AOL's SMTP servers by virtue of subscribing to their service, then that service should include the ability to send email as any address. I understand that the loss of that ability would be a pain for those users who are accustomed to it, but I don't think it's an unreasonable problem to cause. 
Perhaps I'm missing something, but I would expect the number of people legitimately relaying mail "from" a domain without using that domain's smtp servers to be small relative to the total number of people sending email. If you're an AOL subscriber, chances are you're connected through AOL's network and using the AOL mail relays. No problem. If you're an AOL subscriber sending email from someone else's computer, use their web form if they have one - otherwise, wait till you get back to their network. If you're the owner of smalldomain.com and you don't run your own smtp relay, relay your outbound mail through the servers provided by your registrar or work out an arrangement with your ISP for an additional fee. If you're sending email directly to destination SMTP servers from a dynamic ip address assigned by an ISP, well, chances are I'm already going to reject email from you based on a DUL zone - use your ISP's mail relays and designate them as valid for your domain after getting permission from your ISP. Did those cases cover the particular problem case you think is unmanageable? If not, what situation am I missing? Maybe we should just postpone the rest of this discussion till there's an actual implementation available to dig into. :-) -- Trever From chris at fractalweb.com Mon Dec 15 21:13:35 2003 From: chris at fractalweb.com (Chris Yuzik) Date: Thu Jan 12 21:21:33 2006 Subject: best way to get stats? Message-ID: <1071522815.20726.12.camel@localhost.localdomain> I would like to have some hard statistics on how much spam is being detected, viruses, etc. I assume there are probably a few programs already in existence that do this; no need to reinvent the wheel by me. I'm running Redhat 7.3 and something called Ensim Webppliance Pro. What does everyone recommend? Thanks, Chris From dpowell at LSSI.NET Mon Dec 15 21:23:57 2003 
From: dpowell at LSSI.NET (Darrin) Date: Thu Jan 12 21:21:33 2006 Subject: best way to get stats? In-Reply-To: <1071522815.20726.12.camel@localhost.localdomain> References: <1071522815.20726.12.camel@localhost.localdomain> Message-ID: <1071523437.1283.0.camel@powell> Mailwatch http://sourceforge.net/projects/mailwatch/ On Mon, 2003-12-15 at 16:13, Chris Yuzik wrote: > I would like to have some hard statistics on how much spam is being > detected, viruses, etc. I assume there are probably a few programs > already in existence that do this; no need to reinvent the wheel by me. > > I'm running Redhat 7.3 and something called Ensim Webppliance Pro. > > What does everyone recommend? > > Thanks, > Chris -- Darrin Powell LSSi Corp (919) 466-6803 www.lssi.net/~dpowell From henker at S-H-COM.DE Mon Dec 15 21:25:58 2003 From: henker at S-H-COM.DE (Steffan Henke) Date: Thu Jan 12 21:21:33 2006 Subject: best way to get stats? In-Reply-To: <1071522815.20726.12.camel@localhost.localdomain> References: <1071522815.20726.12.camel@localhost.localdomain> Message-ID: On Mon, 15 Dec 2003, Chris Yuzik wrote: > I would like to have some hard statistics on how much spam is being > detected, viruses, etc. I assume there are probably a few programs mailstats, http://www.while.homeunix.net/mailstats/ Regards, Steffan From Denis.Beauchemin at USHERBROOKE.CA Mon Dec 15 21:33:50 2003 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:21:33 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <3FDE0186.6060208@pacific.net> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3D5@jessica.herefordshire.gov.uk> <1071248959.3568.14.camel@localhost.localdomain> <6.0.1.1.2.20031212172756.07d818b0@imap.ecs.soton.ac.uk> <6.0.1.1.2.20031213102117.04f14d68@imap.ecs.soton.ac.uk> <3FDE0186.6060208@pacific.net> Message-ID: <1071524029.27233.23.camel@dbeauchemin.sti.usherbrooke.ca> I also got some false positives with the same regex. I couldn't figure out why because the emails contained no %... they had attached documents though, coded in base64. I changed the regex to: /https?:\/\/.*%([01][0-9a-f]|7f).*@/i Denis On Mon 15/12/2003 at 13:46, Ken Anderson wrote: > Seeing a false positive from a weatherbug spam using this re. > > /%([01][0-9a-f]|7f).*@/i > > It's coming from this mailto link: > > mailto:community@isabel.weatherbug.com?Subject=Photo%20Submission&Body=Step%201%20-%20Safely%20take%20photos%20you%27d%20like%20to%2 > 0share%20with%20the%20community%20before%2C%20during%20or%20after%20the%20storm.%0D%0A%0D%0AStep%202%20-%20Send%20this%20email%20wit > h%20your%20photos%20attached%20to%3A%20community@isabel.weatherbug.com > > Any ideas? > > Thanks, > Ken A. > Pacific.Net > > > > > > > > Julian Field wrote: > > > At 17:29 12/12/2003, you wrote: > > > >> At 17:09 12/12/2003, you wrote: > >> > >>> On Fri, 2003-12-12 at 03:47, Randal, Phil wrote: > >>> > RFC 2396 (http://www.faqs.org/rfcs/rfc2396.html) generalises URIs. > >>> > >>> I only skimmed the spec. But what I gathered, unless I completely > >>> misunderstood the document is that characters from %00 through %1F > >>> inclusive and %7F are control characters and shouldn't be in a URI.
> >>> > >>> Although they are disallowed within the URI syntax, we include here a > >>> description of those US-ASCII characters that have been excluded and > >>> the reasons for their exclusion. > >>> > >>> The control characters in the US-ASCII coded character set are not > >>> used within a URI, both because they are non-printable and because > >>> they are likely to be misinterpreted by some control mechanisms. > >>> > >>> control = > >>> > >>> So how much trouble would we cause if we just disallowed the entire > >>> range of control characters from URIs? Can anyone think of a real > >>> website > >>> that legitimately uses any of these control codes within their URIs? I'm > >>> particularly concerned about shopping sites with their massive URIs. > >> > >> > >> Sounds good to me. > > > > > > The pattern for matching this is therefore > > > > /%([01][0-9a-f]|7f).*@/i > > > > so add this to spam.assassin.prefs.conf: > > > > uri IE_VULN /%([01][0-9a-f]|7f).*@/i > > score IE_VULN 100.0 > > describe IE_VULN Internet Explorer vulnerability > > > > and then restart MailScanner. > > -- > > Julian Field > > www.MailScanner.info > > Professional Support Services at www.MailScanner.biz > > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > -- Denis Beauchemin, analyste Universit? de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From jwilliams at COURTESYMORTGAGE.COM Mon Dec 15 21:49:01 2003 
From: jwilliams at COURTESYMORTGAGE.COM (Jason Williams) Date: Thu Jan 12 21:21:33 2006 Subject: Few general questions about Mailscanner Message-ID: <5.2.1.1.0.20031215134440.02da5370@pop.courtesymortgage.com> Hello everyone. I'm new to the list as well as Mailscanner. A friend of mine told me that I might be interested in using mailscanner for our company email. After reading a few of the docs on the site, I have to say, I am very interested about the possibility of using mailscanner for our mail gateway. I do have just a few questions that I was hoping to ask here and get some feedback. If I do use mailscanner, it will be running on FreeBSD 4.9. I see it is already built into the ports tree and has the latest version. (Ports make life so easy. :) ) Anyway, the server it would be running on has the following specs: PIII 1ghz 2gig RAM 2 18gig SCSI drives We have about 40 users at the moment, and that will most likely grow to 60-80 in a year or so. With that in mind, what type of specs are required by Mailscanner? Is it CPU or resource intensive? I would imagine, putting on a virus scanner of some sort would require a higher amount of resource usage. I'd also like to check out spamassassin as well. Just wanted to get some ideas of the performance I could expect on a system like this. (I would guess that we receive around 1,000-3,000 emails a day) Also, anyone care to share a partition scheme? I always like talking about partitions. Thanks for the help. Cheers, Jason From Kevin_Miller at CI.JUNEAU.AK.US Mon Dec 15 22:02:40 2003
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:21:33 2006 Subject: Few general questions about Mailscanner Message-ID: <08146035CA49D6119A36009027AC822A0264EB92@CITY-EXCH-NTS> I'm catching mail for around 300-400 users on a 500 mhz box w/512 mb RAM. Has yet to break a sweat. What you have is way overkill. Nothing to worry about at all... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 >-----Original Message----- 
>From: Jason Williams [mailto:jwilliams@COURTESYMORTGAGE.COM] >Sent: Monday, December 15, 2003 12:49 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Few general questions about Mailscanner > > >Hello everyone. Im new to the list as well as Mailscanner. > >A friend of mine told me that I might be interested in using >mailscanner >for our company email. After reading a few of the docs on the >site, I have >to say, I am very interested about the possiblity of using >mailscanner for >our mail gateway. > >I do have just a few questions that I was hoping to ask here >and get some >feedback. > >If I do use mailscanner, it will be running on FreeBSD 4.9. I see it is >already built into the ports tree and has the latest version. >(Ports make >life so easy. :) ) > >Anyway, the server it would be running on has the following specs: > >PIII 1ghz >2gig RAM >2 18gig SCSI drives > >We have about 40 users at the moment, and that will most likely grow to >60-80 in a year or so. > >With that in mind, what type of specs are required by >Mailscanner? Is it >CPU or resource intensive? I would imagine, putting on a virus >scanner of >some sort would require a higher amount of resource usage. I'd >also like to >check out spamassassin as well. > >Just wanted to get some ideas of the performance I could >expect on a system >like this. (I would guess that we receive around 1,000-3,000 >emails a day) > >Also, anyone care to share a partion scheme? I always like >talking about >partitions. > >Thanks for the help. > >Cheers, > >Jason > From jwilliams at COURTESYMORTGAGE.COM Mon Dec 15 22:07:16 2003 
From: jwilliams at COURTESYMORTGAGE.COM (Jason Williams) Date: Thu Jan 12 21:21:33 2006 Subject: Few general questions about Mailscanner In-Reply-To: <08146035CA49D6119A36009027AC822A0264EB92@CITY-EXCH-NTS> Message-ID: <5.2.1.1.0.20031215140627.02d9bd80@pop.courtesymortgage.com> Hello again >I'm catching mail for around 300-400 users on a 500 mhz box w/512 mb RAM. >Has yet to break a sweat. What you have is way overkill. Nothing to worry >about at all... Wow. Very nice. I am happier now. Is that using a virus scanner as well as a spam detector? What OS are you running it on if you don't mind me asking? I appreciate it. Jason From nick at TTP.CO.UK Mon Dec 15 22:36:55 2003 From: nick at TTP.CO.UK (Nick Thompson) Date: Thu Jan 12 21:21:33 2006 Subject: Error messages Message-ID: When I start MailScanner: chkconfig sendmail off chkconfig --level 2345 MailScanner on /etc/rc.d/init.d/MailScanner start I get a number of error messages sendmail[27295]: gethostbyaddr failed: 1 repeated for all the IP addresses on the raq. sendmail[25862]: daemon MTA: problem creating SMTP socket sendmail[25862]: NOQUEUE SYSERR(root): opendaemonsocket:daemon MTA: server SMTP socket wedged: exiting sendmail[25862]: NOQUEUE SYSERR(root): opendaemonsocket:daemon MTA: cannot bind: Address already in use After these messages are repeated a number of times, mail seems to be passed through, but the 'X-MailScanner: ' is not inserted into the e-mail header. If I try to send an e-mail through the SMTP server I get the following: sendmail[28494]: NOQUEUE: localhost {127.0.0.1] did not issue MAIL/EXPN/VRFY/ESMTP, during connection to MTA Then the e-mail is sent. Has anyone any idea what these messages mean, or why the header information is not inserted? I am attempting to run f-prot, but despite saying it's started, it still lets virus infected mail through. Regards From chris at fractalweb.com Mon Dec 15 22:39:20 2003
From: chris at fractalweb.com (Chris Yuzik) Date: Thu Jan 12 21:21:34 2006 Subject: Few general questions about Mailscanner In-Reply-To: <5.2.1.1.0.20031215134440.02da5370@pop.courtesymortgage.com> References: <5.2.1.1.0.20031215134440.02da5370@pop.courtesymortgage.com> Message-ID: <1071527960.20726.49.camel@localhost.localdomain> Jason, I don't think you'll even notice Mailscanner running on a box like that. I've got 150+ email users on my 1.7 GHz Celeron system, and I average about 1,100 emails a day. I have MailScanner running with Spamassassin, DCC, Razor2, and ClamAV (for antivirus). I also have Bayes running, which eats CPU cycles, but even with that, I have any problems. Go for it...you won't look back. Cheers, Chris From james at grayonline.id.au Mon Dec 15 22:44:09 2003 
From: james at grayonline.id.au (James Gray) Date: Thu Jan 12 21:21:34 2006 Subject: Few general questions about Mailscanner In-Reply-To: <5.2.1.1.0.20031215134440.02da5370@pop.courtesymortgage.com> References: <5.2.1.1.0.20031215134440.02da5370@pop.courtesymortgage.com> Message-ID: <200312160943.55310.james@grayonline.id.au> On Tue, 16 Dec 2003 08:49 am, Jason Williams wrote: > Hello everyone. Im new to the list as well as Mailscanner. > > A friend of mine told me that I might be interested in using mailscanner > for our company email. After reading a few of the docs on the site, I > have to say, I am very interested about the possiblity of using > mailscanner for our mail gateway. > > I do have just a few questions that I was hoping to ask here and get some > feedback. > > If I do use mailscanner, it will be running on FreeBSD 4.9. I see it is > already built into the ports tree and has the latest version. (Ports make > life so easy. :) ) > > Anyway, the server it would be running on has the following specs: > > PIII 1ghz > 2gig RAM > 2 18gig SCSI drives That's a nice box :) Our mail gateway is a Compaq DL360 with 1.2GHz Xeon, 1Gb RAM and a 36Gb hardware RAID 0+1 (with a 128Mb cache on the RAID controller and a hot spare). We're running FreeBSD 4.6 and MailScanner (the ports version - 4.23 IIRC). We're also running NAI VirusScan 7 for fBSD and SpamAssassin 2.6 (ports version again) with MailScanner. Interesting to note that we never use ANY swap space - the whole thing runs in RAM. You've got double our RAM so unless you change your mind and run Windows, you'll be seeing similar numbers to us. Our gateway also runs an IMAP server on it's internal interface as a backup for I.T. people (I.T staff have two mail stores, just in case the Exchange box goes bang). The gateway currently handles 7 domains and about 35,000 messages a day totalling about 2.5-3Gb. 
We catch about 25,000 spam messages a day and roughly 1500 viruses with a total false positive/false negative rate of less than 0.01%. I have 16 pending filter modifications after being on leave for 2 weeks - 14 days and approx 490,000 messages with 16 false +ve's/-ve's = 0.003%. Pretty good! The system load rarely breaks past 0.5 and usually sits at about 0.05-0.1 :) Given that your machine is a very similar spec, I doubt your numbers will be very different to ours. I found the hardest part of our config was getting all the Perl crap sorted for SpamAssassin. My suggestion is use ports to install Perl 5.8, then track down the correct ports packages for the perl modules SpamAssassin needs. If there are any modules not in the ports tree (there might be 1 or 2) use CPAN last to grab them. Other than that the whole thing was a piece of cake! --James __________________________________ A random quote of nothing: "Largely because it is so tangible and exciting a program and as such will serve to keep alive the interest and enthusiasm of the whole spectrum of society...It is justified because...the program can give a sense of shared adventure and achievement to the society at large." - Dr. Colin S. Pittendrigh, in "The History of Manned Space Flight" From m.althoff at BROMBERG.DEMON.NL Mon Dec 15 23:29:22 2003 
From: m.althoff at BROMBERG.DEMON.NL (Matthijs Althoff) Date: Thu Jan 12 21:21:34 2006 Subject: A virus message saved as spam Message-ID: os : RedHat 9 mailserver: sendmail mailscanner : 4.25-14 spamassassin: 2.60 Today I found four messages coming in and containing viruses which are saved as spam instead of a separate virus directory under quarantine. Two other messages coming in are properly contained as virus. Where is what going wrong? Dec 15 16:50:12 bromberg sendmail[25427]: hBFFo9u5025427: from=, size=145631, class=0, nrcpts=1, msgid=<200312151542.hBFFghov012337@ms-smtp-03- eri0.southeast.rr.com>, proto=ESMTP, daemon=MTA, relay= localhost [127.0.0.1] Dec 15 16:50:25 bromberg MailScanner[16434]: Message hBFFo9u5025427 from 127.0.0.1 (bcauthen1@carolina.rr.com) to bromberg.demon.nl is spam, SpamAssassin (score=9.033, required 5, HTML_30_40 0.81, HTML_MESSAGE 0.00, HTML_RELAYING_FRAME 0.30, MICROSOFT_EXECUTABLE 0.10, MIME_HTML_NO_CHARSET 0.72, MIME_HTML_ONLY 0.10, MIME_HTML_ ONLY_MULTI 1.10,MIME_MISSING_BOUNDARY 0.80, MIME_SUSPECT_NAME 0.10, RCVD_IN_RR_BLACKHOLES 5.00) Dec 15 16:50:25 bromberg MailScanner[16434]: Spam Actions: message hBFFo9u5025427 actions are store $ uvscan hBFFo9u5025427 /var/spool/MailScanner/quarantine/20031215/spam/hBFFo9u5025427 Found the Exploit-MIME.gen.exe virus !!!
================================== Return-Path: <> Received: from localhost (localhost [127.0.0.1]) by ******* (8.12.8/8.12.8) with ESMTP id hBFFo9u5025427 for <******>; Mon, 15 Dec 2003 16:50:11 +0100 Received: from pop3.demon.nl by localhost with POP3 (fetchmail-6.2.0) for ***** (multi-drop); Mon, 15 Dec 2003 16:50:11 +0100 (CET) Received: from store-20.mail.nl.demon.net by mailstore for ****** id 1AVutO-0008gI-1x-0008gM; Mon, 15 Dec 2003 15:44:18 +0000 Received: from incoming-21.mail.nl.demon.net ([194.159.73.161]:4783) by store-20.mail.nl.demon.net with esmtp (Exim 4.24) id 1AVutO-0008gI-1x; Mon, 15 Dec 2003 15:44:18 +0000 Received: from ms-smtp-03-lbl.southeast.rr.com ([24.25.9.102]:62954 helo=ms-smtp-03-eri0.southeast.rr.com) by incoming-21.mail.nl.demon.net with esmtp (Exim 4.24) id 1AVutM-000Cat-Op; Mon, 15 Dec 2003 15:44:16 +0000 Received: from myyj (cpe-069-132-036-069.carolina.rr.com [69.132.36.69]) by ms-smtp-03-eri0.southeast.rr.com (8.12.10/8.12.7) with SMTP id hBFFghov012337; Mon, 15 Dec 2003 10:42:43 -0500 (EST) Date: Mon, 15 Dec 2003 10:42:43 -0500 (EST) Message-Id: <200312151542.hBFFghov012337@ms-smtp-03-eri0.southeast.rr.com> FROM: "MS Net Delivery System" TO: "mail user" SUBJECT: Undeliverable Message: User unknown Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="xjuuzni" ================================== From Kevin_Miller at CI.JUNEAU.AK.US Mon Dec 15 23:32:09 2003 From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:21:34 2006 Subject: Few general questions about Mailscanner Message-ID: <08146035CA49D6119A36009027AC822A0264EB95@CITY-EXCH-NTS> Yeah - I'm running f-prot on that box, Suse 8.0, sendmail, MS 4.25-14, Spamassassin 2.60... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 >-----Original Message----- 
>From: Jason Williams [mailto:jwilliams@COURTESYMORTGAGE.COM] >Sent: Monday, December 15, 2003 1:07 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Few general questions about Mailscanner > > >Hello again > >>I'm catching mail for around 300-400 users on a 500 mhz box >w/512 mb RAM. >>Has yet to break a sweat. What you have is way overkill. >Nothing to worry >>about at all... > >Wow. Very nice. I a happier now. >Is that using a virus scanner as well as a spam detector? > >What OS are you running it on if you dont mind me asking? > >I appreciate it. > >Jason > From michele at BLACKNIGHTSOLUTIONS.COM Mon Dec 15 23:54:28 2003 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:21:34 2006 Subject: Error messages In-Reply-To: Message-ID: Sounds like you've got sendmail AND mailscanner running. Make sure sendmail is off, as MS will start it Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Nick Thompson > Sent: 15 December 2003 22:37 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Error messages > > > When I start MailScanner : > > chkconfig sendmail off > chkconfig --level 2345 MailScanner on > /etc/rc.d/init.d/MailScanner start > > I get a number of error messages > > sendmail[27295]: gethostbyaddr failed: 1 > repeated for all the IP addresses on the raq. > > sendmail[25862]: daemon MTA: problem creating SMTP socket > > sendmail[25862]: NOQUEUE SYSERR(root): opendaemonsocket:daemon MTA: server > SMTP socket wedged: exiting > > sendmail[25862]: NOQUEUE SYSERR(root): opendaemonsocket:daemon MTA: cannot > bind: Address already in use > > After these messages are repeated a number of times, mail seems to be > passed through, but the 'X-MailScanner: ' is not inserted into the e-mail > header. > > If I try to send an e-mail through the SMTP server I get the following: > > sendmail[28494]: NOQUEUE: localhost {127.0.0.1] did not > issue MAIL/EXPN/VRFY/ESMTP, during connection to MTA > > Then the e-mail is sent. > > Has anyone any idea when these messages mean ? or why the header > information is not inserted > > I am attempting to run f-prot, but despite saying it's started, it still > lets virus infected mail through. > > Regards > From brose at MED.WAYNE.EDU Mon Dec 15 23:55:55 2003 
From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:21:34 2006 Subject: MailScanner and SA Config Bug Message-ID: The solution to the problem below is to also define "site_rules_filename" when creating the Mail::SpamAssassin object. I added $settings{site_rules_filename} = "/etc/mail/spamassassin"; to the SA.pm in the initialise subroutine. What this will do is allow MailScanner to read all the rules from /etc/mail/spamassassin. Of course, since the spam.assassin.prefs.conf is being defined as the user_prefs, it's the last rules read in and will trump any settings/rules from the site rules. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Rose, Bobby Sent: Thursday, December 11, 2003 10:17 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: MailScanner and SA Config I don't think this was realized until now but since MailScanner calls SA with the specified config file option, then SA doesn't read all the .cf files in /etc/mail/spamassassin. I only found out recently on the SA lists that SA would do this. SA will read in every cf file located there. The benefit is that you don't have to keep modifying one file for example using the frequently updated evil rules found on the SA custom rule emporium http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm Can the next Mailscanner have the ability to specify a file or path or turn off the sa conf option? -=Bobby From Jon.Beets at PACER.COM Tue Dec 16 02:09:07 2003 From: Jon.Beets at PACER.COM (Jon Beets) Date: Thu Jan 12 21:21:34 2006 Subject: Dial-up User List Message-ID: <001501c3c379$96d645f0$6401a8c0@pgx01> Are there any free listings like the commercial "MAPS Dial-up User List"? I am already using RBL and DNSBL listings but would like to add a Dial-up User Listing. Jon Beets From raymond at PROLOCATION.NET Tue Dec 16 02:28:31 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:34 2006 Subject: Dial-up User List In-Reply-To: <001501c3c379$96d645f0$6401a8c0@pgx01> Message-ID: Hi! > Are there any free listings like the commercial "MAPS Dial-up User List"? I > am already using RBL and DNSBL listings but would like to add a Dial-up User > Listing. SORBS-DUL. Bye, Raymond. From nathan at TCPNETWORKS.NET Tue Dec 16 05:05:16 2003 From: nathan at TCPNETWORKS.NET (Nathan Johanson) Date: Thu Jan 12 21:21:34 2006 Subject: Migrate bayes database to new machine Message-ID: I recently migrated a bayes db to a new server. The following worked for me: 1) Install the same version of SpamAssassin on both machines. You also want to make sure the DB_File perl module is at (or near) the same version number, as well as any associated DB3 packages. I migrated from RH 7.2 to RHEL ES 2.1, so my perl installations and other packages were almost identical. 2) Shut down the MailScanner service and rebuild the bayes db on the old machine. I used the following command: sa-learn -D -p /etc/MailScanner/spam.assassin.prefs.conf --rebuild 3) Copy the bayes db to the same location on the new machine (make sure the permissions match). I store bayes in /var/spool/spamassassin/bayes and indicated this in spam.assassin.prefs.conf. 4) Start the MailScanner services and check the logs for BAYES scores. You can also run the above sa-learn command again (with the -D switch) to check for any possible errors. That's it! Nathan -----Original Message-----
From: Bart J. Smit [mailto:mailscanner@SMITS.CO.UK] Sent: Monday, December 15, 2003 4:45 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Migrate bayes database to new machine I have built a new MS machine to relieve the strain on the humble hardware of the old relay. Prior to cutting over, I would like to migrate the bayes database to give the new box a running start. I tried these commands: on the old box: sa-learn --dump all > /tmp/badump copy this file to the new box and do: sa-learn --import /tmp/badump This comes back with: # bayes upgrade_old_dbm_files: unable to find bayes_toks and bayes_seen, stopping I have tried with pointing both sa-learn commands to their respective database paths (/root/.spammassasin/bayes) and preferences (/etc/MailScanner/spam.assassin.prefs.conf). I have rebuilt the latest spamassasin (2.61-1) from source RPM and upgraded it on both boxes, but still I get the error. I'm obviously missing something simple. Any clues? Bart... -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031215/4eb7a3dd/attachment.html From mailscanner at ecs.soton.ac.uk Tue Dec 16 08:57:22 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:34 2006 Subject: Error messages In-Reply-To: References: Message-ID: <6.0.1.1.2.20031216085542.038cd328@imap.ecs.soton.ac.uk> You need to do /etc/rc.d/init.d/sendmail stop to actually kill all the sendmail processes before you start MailScanner. The "chkconfig" commands merely tell it what to do at boot-time, they don't alter the current state of the system at all. When you do ps ax | grep -i mail you should get no MailScanner processes or sendmail processes. Kill off any left running. Then do /etc/rc.d/init.d/MailScanner start to start everything up properly. At 22:36 15/12/2003, you wrote: >When I start MailScanner : > >chkconfig sendmail off >chkconfig --level 2345 MailScanner on >/etc/rc.d/init.d/MailScanner start > >I get a number of error messages > > sendmail[27295]: gethostbyaddr failed: 1 >repeated for all the IP addresses on the raq. > >sendmail[25862]: daemon MTA: problem creating SMTP socket > >sendmail[25862]: NOQUEUE SYSERR(root): opendaemonsocket:daemon MTA: server >SMTP socket wedged: exiting > >sendmail[25862]: NOQUEUE SYSERR(root): opendaemonsocket:daemon MTA: cannot >bind: Address already in use > >After these messages are repeated a number of times, mail seems to be >passed through, but the 'X-MailScanner: ' is not inserted into the e-mail >header. > >If I try to send an e-mail through the SMTP server I get the following: > > sendmail[28494]: NOQUEUE: localhost {127.0.0.1] did not >issue MAIL/EXPN/VRFY/ESMTP, during connection to MTA > >Then the e-mail is sent. > >Has anyone any idea when these messages mean ? or why the header >information is not inserted > >I am attempting to run f-prot, but despite saying it's started, it still >lets virus infected mail through. 
> >Regards -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Dec 16 08:51:37 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:34 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <1071524029.27233.23.camel@dbeauchemin.sti.usherbrooke.ca> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3D5@jessica.herefordshire.gov.uk> <1071248959.3568.14.camel@localhost.localdomain> <6.0.1.1.2.20031212172756.07d818b0@imap.ecs.soton.ac.uk> <6.0.1.1.2.20031213102117.04f14d68@imap.ecs.soton.ac.uk> <3FDE0186.6060208@pacific.net> <1071524029.27233.23.camel@dbeauchemin.sti.usherbrooke.ca> Message-ID: <6.0.1.1.2.20031216085036.0389fc28@imap.ecs.soton.ac.uk> This is starting to look awfully familiar. See the SA rule "HTTP_ESCAPED_HOST" which uses this: /^https?\:\/\/[^\/\s]*%[0-9a-fA-F][0-9a-fA-F]/ Do we want to scrap the custom rule altogether and just increase the score of http_escaped_host? At 21:33 15/12/2003, you wrote: >I also got some false positives with the same regex. I couldn't figure >out why because the emails contained no %... they had attached >documents though, coded in base64. > >I changed the regex to: /https?:\/\/.*%([01][0-9a-f]|7f).*@/i > >Denis > >On Mon 15/12/2003 at 13:46, Ken Anderson wrote: > > Seeing a false positive from a weatherbug spam using this re. > > > /%([01][0-9a-f]|7f).*@/i > > > > It's coming from this mailto link: > > > > > mailto:community@isabel.weatherbug.com?Subject=Photo%20Submission&Body=Step%201%20-%20Safely%20take%20photos%20you%27d%20like%20to%2 > > > 0share%20with%20the%20community%20before%2C%20during%20or%20after%20the%20storm.%0D%0A%0D%0AStep%202%20-%20Send%20this%20email%20wit > > h%20your%20photos%20attached%20to%3A%20community@isabel.weatherbug.com > > > > Any ideas? > > > > Thanks, > > Ken A.
> > Pacific.Net > > > > > > > > > > > > > > > > Julian Field wrote: > > > > > At 17:29 12/12/2003, you wrote: > > > > > >> At 17:09 12/12/2003, you wrote: > > >> > > >>> On Fri, 2003-12-12 at 03:47, Randal, Phil wrote: > > >>> > RFC 2396 (http://www.faqs.org/rfcs/rfc2396.html) generalises URIs. > > >>> > > >>> I only skimmed the spec. But what I gathered, unless I completely > > >>> misunderstood the document is that characters from %00 through %1F > > >>> inclusive and %7F are control characters and shouldn't be in a URI. > > >>> > > >>> Although they are disallowed within the URI syntax, we include > here a > > >>> description of those US-ASCII characters that have been excluded and > > >>> the reasons for their exclusion. > > >>> > > >>> The control characters in the US-ASCII coded character set are not > > >>> used within a URI, both because they are non-printable and because > > >>> they are likely to be misinterpreted by some control mechanisms. > > >>> > > >>> control = > > >>> > > >>> So how much trouble would we cause if we just disallowed the entire > > >>> range of control characters from URIs? Can anyone think of a real > > >>> website > > >>> that legitimately uses any of these control codes within their > URIs? I'm > > >>> particularly concerned about shopping sites with their massive URIs. > > >> > > >> > > >> Sounds good to me. > > > > > > > > > The pattern for matching this is therefore > > > > > > /%([01][0-9a-f]|7f).*@/i > > > > > > so add this to spam.assassin.prefs.conf: > > > > > > uri IE_VULN /%([01][0-9a-f]|7f).*@/i > > > score IE_VULN 100.0 > > > describe IE_VULN Internet Explorer vulnerability > > > > > > and then restart MailScanner. > > > -- > > > Julian Field > > > www.MailScanner.info > > > Professional Support Services at www.MailScanner.biz > > > MailScanner thanks transtec Computers for their support > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > > >-- >Denis Beauchemin, analyste >Universit? 
de Sherbrooke, S.T.I. >T: 819.821.8000x2252 F: 819.821.8045 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From dbird at SGHMS.AC.UK Tue Dec 16 11:00:57 2003 
From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:21:34 2006 Subject: Internet Explorer URL Display problem References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3D5@jessica.herefordshire.gov.uk> <1071248959.3568.14.camel@localhost.localdomain> <6.0.1.1.2.20031212172756.07d818b0@imap.ecs.soton.ac.uk> <6.0.1.1.2.20031213102117.04f14d68@imap.ecs.soton.ac.uk> <3FDE0186.6060208@pacific.net> <1071524029.27233.23.camel@dbeauchemin.sti.usherbrooke.ca> <6.0.1.1.2.20031216085036.0389fc28@imap.ecs.soton.ac.uk> Message-ID: <3FDEE5E9.3040108@sghms.ac.uk> Julian Field wrote: > This is starting to look awfully familiar. See the SA rule > "HTTP_ESCAPED_HOST" which uses this: > /^https?\:\/\/[^\/\s]*%[0-9a-fA-F][0-9a-fA-F]/ > > Do we want to scrap the custom rule altogether and just increase the > score of http_escaped_host? We've been using that rule for a few days now with a MCP score of 10 , and I haven't seen any Fp's as yet. Dan > > > At 21:33 15/12/2003, you wrote: > >> I also got some false positives with the same regex. I couldn't figure >> out why because the emails contained no %... they had attached >> documents though, coded in base64. >> >> I changed the regex to: /https?:\/\/.*%([01][0-9a-f]|7f).*@/i >> >> Denis >> >> Le lun 15/12/2003 ? 13:46, Ken Anderson a ?crit : >> > Seeing a false positive from a weatherbug spam using this re. >> > > /%([01][0-9a-f]|7f).*@/i >> > >> > It's coming from this mailto link: >> > >> > >> mailto:community@isabel.weatherbug.com?Subject=Photo%20Submission&Body=Step%201%20-%20Safely%20take%20photos%20you%27d%20like%20to%2 >> >> > >> 0share%20with%20the%20community%20before%2C%20during%20or%20after%20the%20storm.%0D%0A%0D%0AStep%202%20-%20Send%20this%20email%20wit >> >> > h%20your%20photos%20attached%20to%3A%20community@isabel.weatherbug.com >> > >> > Any ideas? >> > >> > Thanks, >> > Ken A. 
>> > Pacific.Net >> > >> > >> > >> > >> > >> > >> > >> > Julian Field wrote: >> > >> > > At 17:29 12/12/2003, you wrote: >> > > >> > >> At 17:09 12/12/2003, you wrote: >> > >> >> > >>> On Fri, 2003-12-12 at 03:47, Randal, Phil wrote: >> > >>> > RFC 2396 (http://www.faqs.org/rfcs/rfc2396.html) generalises >> URIs. >> > >>> >> > >>> I only skimmed the spec. But what I gathered, unless I completely >> > >>> misunderstood the document is that characters from %00 through %1F >> > >>> inclusive and %7F are control characters and shouldn't be in a >> URI. >> > >>> >> > >>> Although they are disallowed within the URI syntax, we >> include here a >> > >>> description of those US-ASCII characters that have been >> excluded and >> > >>> the reasons for their exclusion. >> > >>> >> > >>> The control characters in the US-ASCII coded character set >> are not >> > >>> used within a URI, both because they are non-printable and >> because >> > >>> they are likely to be misinterpreted by some control >> mechanisms. >> > >>> >> > >>> control = > hexadecimal> >> > >>> >> > >>> So how much trouble would we cause if we just disallowed the >> entire >> > >>> range of control characters from URIs? Can anyone think of a real >> > >>> website >> > >>> that legitimately uses any of these control codes within their >> URIs? I'm >> > >>> particularly concerned about shopping sites with their massive >> URIs. >> > >> >> > >> >> > >> Sounds good to me. >> > > >> > > >> > > The pattern for matching this is therefore >> > > >> > > /%([01][0-9a-f]|7f).*@/i >> > > >> > > so add this to spam.assassin.prefs.conf: >> > > >> > > uri IE_VULN /%([01][0-9a-f]|7f).*@/i >> > > score IE_VULN 100.0 >> > > describe IE_VULN Internet Explorer vulnerability >> > > >> > > and then restart MailScanner. 
>> > > -- >> > > Julian Field >> > > www.MailScanner.info >> > > Professional Support Services at www.MailScanner.biz >> > > MailScanner thanks transtec Computers for their support >> > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> > > >> > > >> -- >> Denis Beauchemin, analyste >> Universit? de Sherbrooke, S.T.I. >> T: 819.821.8000x2252 F: 819.821.8045 > > -- ____________________________________ Daniel Bird Network and Systems Manager Department Of Information Services St. George's Hospital Medical School Tooting London SW17 0RE P: +44 20 8725 2897 F: +44 20 8725 3583 E: dan@sghms.ac.uk ____________________________________ Everything is possible....except skiing through a revolving door -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From joan.bryan at KCL.AC.UK Tue Dec 16 11:11:45 2003 From: joan.bryan at KCL.AC.UK (Joan Bryan) Date: Thu Jan 12 21:21:34 2006 Subject: Messages stuck in inbound queue Message-ID: I upgraded MailScanner from MailScanner from 4.24-5 to 4.25-14 yesterday but the number of messages in our inbound queue built up steadily, although some messages were still being processed. Stopping mailscanner and restarting did not help. Reverting back to 4.25-5 cleared the 22,000 messages that had built up. This configuration is using exim 4.30 with exiscan with split inbound and outbound queues on Solaris 9. Any ideas as to the problem Thanks as always for the great support Joan ---------------------- Joan Bryan Unix Systems Administrator Information Systems Telephone: +44 (0) 20 7848 2671 mailto:joan.bryan@kcl.ac.uk From martinh at SOLID-STATE-LOGIC.COM Tue Dec 16 11:19:43 2003 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:21:34 2006 Subject: Messages stuck in inbound queue In-Reply-To: References: Message-ID: <3FDEEA4F.8050705@solid-state-logic.com> Joan Bryan wrote: > I upgraded MailScanner from MailScanner from 4.24-5 to 4.25-14 > yesterday but the number of messages in our inbound queue built up > steadily, although some messages were still being processed. Stopping > mailscanner and restarting did not help. Reverting back to 4.25-5 > cleared the 22,000 messages that had built up. This configuration is > using exim 4.30 with exiscan with split inbound and outbound queues on > Solaris 9. > > Any ideas as to the problem > > Thanks as always for the great support > > Joan > ---------------------- > Joan Bryan > Unix Systems Administrator > Information Systems > Telephone: +44 (0) 20 7848 2671 > mailto:joan.bryan@kcl.ac.uk Joan what did the log files say? -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From dbird at SGHMS.AC.UK Tue Dec 16 11:38:07 2003 
From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:21:34 2006 Subject: MCP quarantine error Message-ID: <3FDEEE9F.1090401@sghms.ac.uk> Julian, Just noticed this in my logs: Dec 16 11:21:19 mailhub4 MailScanner[12096]: writing to /var/spool/MailScanner/quarantine/20031216/mcp/1AWDFU-00036t-Qk: No such file or directory It looks like the MCP code is not creating the mcp directory in the quarantine area. I did an mkdir and all was fine. I'm running 4.25-14. Dan -- ____________________________________ Daniel Bird Network and Systems Manager Department Of Information Services St. George's Hospital Medical School Tooting London SW17 0RE P: +44 20 8725 2897 F: +44 20 8725 3583 E: dan@sghms.ac.uk ____________________________________ Everything is possible....except skiing through a revolving door From eja at URBAKKEN.DK Tue Dec 16 14:07:48 2003 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:34 2006 Subject: Uninstall ?. Message-ID: <3FDF1FC4.8878.36E082@localhost> Hello. If I want to uninstall MailScanner, is it to be done with RPM -e? Erik From joan.bryan at KCL.AC.UK Tue Dec 16 14:14:40 2003 
From: joan.bryan at KCL.AC.UK (Joan Bryan) Date: Thu Jan 12 21:21:34 2006 Subject: Messages stuck in inbound queue In-Reply-To: <3FDEEA4F.8050705@solid-state-logic.com> References: <3FDEEA4F.8050705@solid-state-logic.com> Message-ID: Message-ID: Priority: NORMAL X-Mailer: Execmail for Win32 5.1.1 Build (10) MIME-Version: 1.0 Content-Type: Text/Plain; charset="us-ascii" On Tue, 16 Dec 2003 11:19:43 +0000 Martin Hepworth wrote: > Joan Bryan wrote: > > I upgraded MailScanner from MailScanner from 4.24-5 to 4.25-14 > > yesterday but the number of messages in our inbound queue built up > > steadily, although some messages were still being processed. Stopping > > mailscanner and restarting did not help. Reverting back to 4.25-5 > > cleared the 22,000 messages that had built up. This configuration is > > using exim 4.30 with exiscan with split inbound and outbound queues on > > Solaris 9. > > > > Any ideas as to the problem > > > > Thanks as always for the great support > > > > Joan > > what did the log files say? > Okay here are the log messages for one mailscanner thread:- Dec 16 00:04:42 elder MailScanner.conf.relay1[23411]: MailScanner E-Mail Virus Scanner version 4.25-14 starti ng... Dec 16 00:04:44 elder MailScanner.conf.relay1[23411]: Using locktype = posix Dec 16 00:04:45 elder MailScanner.conf.relay1[23411]: ) doesn't begin with LWSP -- using it anyway!! 
Dec 16 00:04:45 elder MailScanner.conf.relay1[23411]: Header continuation (X-KCLRealSpamScore: -4.8 <-Above 2 lines repeated with slightly different info 88 times -> Dec 16 00:04:45 elder MailScanner.conf.relay1[23411]: New Batch: Found 5660 messages waiting Dec 16 00:04:45 elder MailScanner.conf.relay1[23411]: New Batch: Scanning 60 messages, 688182 bytes Dec 16 00:04:59 elder MailScanner.conf.relay1[23411]: Virus and Content Scanning: Starting Dec 16 00:05:02 elder MailScanner.conf.relay1[23411]: Content Checks: Detected and will disarm HTML message i n 1AW2g2-0001Vm-1Z Dec 16 00:05:02 elder MailScanner.conf.relay1[23411]: Content Checks: Detected and will disarm HTML message i n 1AW2g0-0001Qw-Gx Dec 16 00:05:02 elder MailScanner.conf.relay1[23411]: Content Checks: Detected and will disarm HTML message i n 1AW2f4-00067T-PI Dec 16 00:05:02 elder MailScanner.conf.relay1[23411]: Content Checks: Detected and will disarm HTML message i n 1AW2g4-0001ez-Jb Dec 16 00:05:03 elder MailScanner.conf.relay1[23411]: Uninfected: Delivered 60 messages Dec 16 00:05:03 elder MailScanner.conf.relay1[23411]: Header continuation (X-KCLRealSpamScore: 24.5 Dec 16 00:05:03 elder MailScanner.conf.relay1[23411]: ) doesn't begin with LWSP -- using it anyway!! The LWSP message appears to be benign has these were in the previous version. The 4.25-14 version appears to be processing the queues very slowly, the 4.24-5 version had no trouble. Joan ---------------------- Joan Bryan Unix Systems Administrator Information Systems Telephone: +44 (0) 20 7848 2671 mailto:joan.bryan@kcl.ac.uk From nick at ttp.co.uk Tue Dec 16 14:23:52 2003 
From: nick at ttp.co.uk (Nick Thompson (home)) Date: Thu Jan 12 21:21:34 2006 Subject: Error messages In-Reply-To: <6.0.1.1.2.20031216085542.038cd328@imap.ecs.soton.ac.uk> Message-ID: Julian, Thanks, I thought it would be something simple. I am still getting sendmail[27295]: gethostbyaddr failed: 1 for every virtual domain every time an e-mail comes in. Any other ideas ? Regards Nick > You need to do > /etc/rc.d/init.d/sendmail stop > to actually kill all the sendmail processes before you start MailScanner. > The "chkconfig" commands merely tell it what to do at boot-time, > they don't > alter the current state of the system at all. > When you do > ps ax | grep -i mail > you should get no MailScanner processes or sendmail processes. > Kill off any > left running. > Then do --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.545 / Virus Database: 339 - Release Date: 27/11/2003 From ivan at NUCCI.COM.BR Tue Dec 16 14:22:18 2003 
From: ivan at NUCCI.COM.BR (Ivan Mirisola) Date: Thu Jan 12 21:21:34 2006 Subject: [OT] RDNS (TO: Res - ausics.net) In-Reply-To: References: <6.0.0.22.0.20031203194846.01fcbd50@xanadu.evi-inc.com> <6.0.0.22.0.20031203205539.02ab9a18@xanadu.evi-inc.com> <3FD0B0B9.4000908@nucci.com.br> Message-ID: <3FDF151A.3080604@nucci.com.br> Hi Res, Sorry to post this message to the mailing list, but I couldn't send you e-mail because I think my SMTP has been blocked in yours. I asked my ISP to fix the RDNS problem and now I do have a PTR record for my IP. Anyway - Could you check that my DNS configuration is correct and remove the blocking of my IP in your systems? Also, I'd like to know if anyone knows a free DNSBL list for dynamic IPs that I can use in sendmail. Most of them are paid services and the exchange ratio here in Brazil is 1:3, so it gets sort of expensive to the company I work for. Thanks, Ivan Res wrote: >Hi Ivan, > >On Fri, 5 Dec 2003, Ivan Mirisola wrote: > > > >>fact reject mail based on RDNS we are just forcing those who have a >>broken DNS configuration to fix their RR records, that's all. >> >> > >The vast majority of spam in this region comes from Asia/Europe, and the >majority of them have no PTR, our spam levels dropped like you'd never believe >when we implemented these checks. > >However the use of a DNSBL that checks for residential IP/Hostname >groups would be advantageous to you. > > >-- >Regards, >Res >Network Administrator >Postmaster / Abusemaster / Flamemaster >http://www.ausics.net Australian Hosting Services > > > From dot at DOTAT.AT Tue Dec 16 14:24:17 2003 
From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:21:34 2006 Subject: Postfix message duplication - again! In-Reply-To: Message-ID: Drew Marshall wrote: >I have read many threads on both the MailScanner mailing list and the >Postfix groups about this problem but haven't yet seen a solution. I >guess the first question is, is there a solution? I suspect there is a problem with file locking lurking somewhere. The Unix locking system calls are really shit -- if you open and close a file that you already have open and locked then you lose the lock, even though (from the point of view of your program) the open/close has nothing to do with the locked open! Tony. -- f.a.n.finch http://dotat.at/ LYME REGIS TO LANDS END INCLUDING THE ISLES OF SCILLY: SOUTH TO SOUTHEAST 3 OR 4 OCCASIONALLY 5 FRESHENING 4 OR 5 THEN BACKING SOUTHEAST 3 OR 4 OCCASIONALLY 5. PATCHY RAIN OR DRIZZLE IN THE WEST CLEARING OVERNIGHT. MODERATE OR GOOD. MODERATE OR ROUGH DECAYING MODERATE. From martinh at SOLID-STATE-LOGIC.COM Tue Dec 16 14:39:01 2003 
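The lock-loss behaviour described in the message above, reproduced as an added example (not part of that message and not MailScanner or Postfix code). It assumes a POSIX system and Python's `fcntl` module; the function names are hypothetical.

```python
import fcntl
import os
import tempfile


def other_process_can_lock(path):
    """Fork a child that tries a non-blocking exclusive POSIX lock on path.

    Returns True if the child obtained the lock, i.e. nobody else holds it.
    """
    pid = os.fork()
    if pid == 0:
        code = 1
        try:
            fd = os.open(path, os.O_RDWR)
            try:
                fcntl.lockf(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
                code = 0          # lock granted: the parent no longer holds it
            except OSError:
                code = 1          # lock refused: the parent still holds it
        finally:
            os._exit(code)        # leave without running the parent's cleanup
    _, status = os.waitpid(pid, 0)
    return os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0


def lock_held_before_and_after_close():
    """Return (held_before, held_after) around an unrelated open/close."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, b"constructed queue file\n")
        fcntl.lockf(fd, fcntl.LOCK_EX)            # fcntl()-style record lock
        held_before = not other_process_can_lock(path)

        # Some other part of the same program opens and closes the file,
        # for example to read a header. It never touches the locked fd.
        fd2 = os.open(path, os.O_RDONLY)
        os.close(fd2)

        # POSIX record locks belong to the (process, file) pair, so closing
        # any descriptor for the file drops every lock the process held on it.
        held_after = not other_process_can_lock(path)
        return held_before, held_after
    finally:
        os.close(fd)
        os.unlink(path)


if __name__ == "__main__":
    before, after = lock_held_before_and_after_close()
    print("lock held before unrelated open/close:", before)
    print("lock held after  unrelated open/close:", after)
```
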
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:21:34 2006 Subject: Messages stuck in inbound queue In-Reply-To: References: <3FDEEA4F.8050705@solid-state-logic.com> Message-ID: <3FDF1905.2070208@solid-state-logic.com> Joan Bryan wrote: > Message-ID: > Priority: NORMAL > X-Mailer: Execmail for Win32 5.1.1 Build (10) > MIME-Version: 1.0 > Content-Type: Text/Plain; charset="us-ascii" > > > On Tue, 16 Dec 2003 11:19:43 +0000 Martin Hepworth > wrote: > > >>Joan Bryan wrote: >> >>>I upgraded MailScanner from MailScanner from 4.24-5 to 4.25-14 >>>yesterday but the number of messages in our inbound queue built up >>>steadily, although some messages were still being processed. Stopping >>>mailscanner and restarting did not help. Reverting back to 4.25-5 >>>cleared the 22,000 messages that had built up. This configuration is >>>using exim 4.30 with exiscan with split inbound and outbound queues on >>>Solaris 9. >>> >>>Any ideas as to the problem >>> >>>Thanks as always for the great support >>> >>>Joan > > >>what did the log files say? >> > > > Okay here are the log messages for one mailscanner thread:- > > Dec 16 00:04:42 elder MailScanner.conf.relay1[23411]: MailScanner E-Mail Virus Scanner version 4.25-14 starti > ng... > Dec 16 00:04:44 elder MailScanner.conf.relay1[23411]: Using locktype = posix > Dec 16 00:04:45 elder MailScanner.conf.relay1[23411]: ) doesn't begin with LWSP -- using it anyway!! 
> Dec 16 00:04:45 elder MailScanner.conf.relay1[23411]: Header > continuation (X-KCLRealSpamScore: -4.8 > > <-Above 2 lines repeated with slightly different info 88 times -> > > Dec 16 00:04:45 elder MailScanner.conf.relay1[23411]: New Batch: Found 5660 messages waiting > Dec 16 00:04:45 elder MailScanner.conf.relay1[23411]: New Batch: Scanning 60 messages, 688182 bytes > Dec 16 00:04:59 elder MailScanner.conf.relay1[23411]: Virus and Content Scanning: Starting > Dec 16 00:05:02 elder MailScanner.conf.relay1[23411]: Content Checks: Detected and will disarm HTML message i > n 1AW2g2-0001Vm-1Z > Dec 16 00:05:02 elder MailScanner.conf.relay1[23411]: Content Checks: Detected and will disarm HTML message i > n 1AW2g0-0001Qw-Gx > Dec 16 00:05:02 elder MailScanner.conf.relay1[23411]: Content Checks: Detected and will disarm HTML message i > n 1AW2f4-00067T-PI > Dec 16 00:05:02 elder MailScanner.conf.relay1[23411]: Content Checks: Detected and will disarm HTML message i > n 1AW2g4-0001ez-Jb > Dec 16 00:05:03 elder MailScanner.conf.relay1[23411]: Uninfected: Delivered 60 messages > Dec 16 00:05:03 elder MailScanner.conf.relay1[23411]: Header continuation (X-KCLRealSpamScore: 24.5 > Dec 16 00:05:03 elder MailScanner.conf.relay1[23411]: ) doesn't begin with LWSP -- using it anyway!! > > The LWSP message appears to be benign has these were in the previous > version. The 4.25-14 version appears to be processing the queues > very slowly, the 4.24-5 version had no trouble. > > > Joan > M > > ---------------------- > Joan Bryan > Unix Systems Administrator > Information Systems > Telephone: +44 (0) 20 7848 2671 > mailto:joan.bryan@kcl.ac.uk hi Ok in your MailScanner.conf what does it say about the header modifications??? 
-- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From hmkash at ARL.ARMY.MIL Tue Dec 16 14:41:31 2003 
From: hmkash at ARL.ARMY.MIL (Kash, Howard (Civ,ARL/CISD)) Date: Thu Jan 12 21:21:34 2006 Subject: MailScanner/Postfix message duplication - possible fix Message-ID: <229A346E44379140A59A48951B56E0C0D405C5@ARLABML01.DS.ARL.ARMY.MIL> Here is a solution Julian proposed to the postfix/still being delivered/duplicate message problem back in September. Based on my analysis of the Postfix code and logs from actual occurrences of the bug, I think this is along the right track. However, postfix postdates messages that it moves into the deferred queue by 1000 seconds (minimal_backoff_time default value). My version of this patch is: next if ($ModDate{$file} + 10) > (time + 1000); or more efficiently: next if $ModDate{$file} > (time + 990); This accounts for the 1000 second postdate period and adds 10 seconds to get around the apparent race condition. In every occurrence that I've seen of the bug, MailScanner starts it's scan just as a message is being processed (moved into the deferred queue) by postfix. I think there is a brief instance when postfix does not have a lock on the file and MailScanner picks it up (and locks it). Then postfix tries to lock the file. Seeing that it is already locked, it generates the "skipped, still being delivered" message and backs off for 60 seconds (see nqmgr/qmgr_active.c:qmgr_active_feed()) and then re-queues the message again. You will need to adjust the 1000 second value if you have changed the default postfix setting for minimal_backoff_time. You may also want to play around with the 10 second delay if it's too long or short. Since the bug is very difficult to reproduce and occurs so infrequently, it's hard to say yet if this is actually working. If others could try it out and let the list know if it seems to be working for them, maybe Julian can add it to the next release. The only side affect of adding this line will be a 10 second delay in mail delivery. Howard -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Thursday, September 04, 2003 6:45 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MailScanner+PostFix ---- try this Here's a patch to Postfix.pm. I know it's not exactly a neat solution to the problem, but if it fixes it I will know I have found the problem. --- Postfix.pm.old 2003-09-01 12:28:21.000000000 +0100 +++ Postfix.pm 2003-09-04 11:49:17.000000000 +0100 @@ -1132,6 +1132,9 @@ #print STDERR "Files are " . join(', ', @SortedFiles) . "\n"; while(defined($file = shift @SortedFiles) && $HitLimit1+$HitLimit2+$HitLimit3+$HitLimit4<1) { + # Yes I know this is a hack but it will help isolate the problem + next if $ModDate{$file} > time-3; + # must separate next two lines or $1 gets re-tainted by being part of # same expression as $file [mumble mumble grrr mumble mumble] #print STDERR "Reading file $file from list\n"; From drew at THEMARSHALLS.CO.UK Tue Dec 16 14:55:16 2003 
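Review bot: in the added line `next if $ModDate{$file} > time-3;` the 3-second window is a bare literal and the skip is silent. A file whose modification time lies in the future satisfies this test on every pass, so it is never read until the clock catches up, and nothing in the log shows that it was passed over. Suggest naming the window (a variable or a configuration value), logging the file name when the `next` is taken, and extending the comment to say that a skipped file is expected to be picked up on a later scan.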
From: drew at THEMARSHALLS.CO.UK (Drew Marshall) Date: Thu Jan 12 21:21:34 2006 Subject: MailScanner/Postfix message duplication - possible fix In-Reply-To: <229A346E44379140A59A48951B56E0C0D405C5@ARLABML01.DS.ARL.ARMY.MIL> References: <229A346E44379140A59A48951B56E0C0D405C5@ARLABML01.DS.ARL.ARMY.MIL> Message-ID: <43221.194.70.180.170.1071586516.squirrel@net.themarshalls.co.uk> Thanks, I'll give it a go. Am I right in assuming this is a Postfix patch not a MailScanner patch? Drew Kash, Howard (Civ,ARL/CISD) said: > Here is a solution Julian proposed to the postfix/still being > delivered/duplicate message problem back in September. Based on my > analysis of the Postfix code and logs from actual occurrences of the > bug, I think this is along the right track. However, postfix postdates > messages that it moves into the deferred queue by 1000 seconds > (minimal_backoff_time default value). My version of this patch is: > > next if ($ModDate{$file} + 10) > (time + 1000); > > or more efficiently: > > next if $ModDate{$file} > (time + 990); > > This accounts for the 1000 second postdate period and adds 10 seconds to > get around the apparent race condition. In every occurrence that I've > seen of the bug, MailScanner starts it's scan just as a message is being > processed (moved into the deferred queue) by postfix. I think there is > a brief instance when postfix does not have a lock on the file and > MailScanner picks it up (and locks it). Then postfix tries to lock the > file. Seeing that it is already locked, it generates the "skipped, > still being delivered" message and backs off for 60 seconds (see > nqmgr/qmgr_active.c:qmgr_active_feed()) and then re-queues the message > again. > > You will need to adjust the 1000 second value if you have changed the > default postfix setting for minimal_backoff_time. You may also want to > play around with the 10 second delay if it's too long or short. 
Since > the bug is very difficult to reproduce and occurs so infrequently, it's > hard to say yet if this is actually working. If others could try it out > and let the list know if it seems to be working for them, maybe Julian > can add it to the next release. The only side affect of adding this > line will be a 10 second delay in mail delivery. > > > > Howard > > > -----Original Message----- > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: Thursday, September 04, 2003 6:45 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: MailScanner+PostFix ---- try this > > > Here's a patch to Postfix.pm. I know it's not exactly a neat solution to > the problem, but if it fixes it I will know I have found the problem. > > --- Postfix.pm.old 2003-09-01 12:28:21.000000000 +0100 > +++ Postfix.pm 2003-09-04 11:49:17.000000000 +0100 > @@ -1132,6 +1132,9 @@ > #print STDERR "Files are " . join(', ', @SortedFiles) . "\n"; > while(defined($file = shift @SortedFiles) && > $HitLimit1+$HitLimit2+$HitLimit3+$HitLimit4<1) { > + # Yes I know this is a hack but it will help isolate the > problem > + next if $ModDate{$file} > time-3; > + > # must separate next two lines or $1 gets re-tainted by being > part of > # same expression as $file [mumble mumble grrr mumble mumble] > #print STDERR "Reading file $file from list\n"; > From eja at URBAKKEN.DK Tue Dec 16 14:59:20 2003 
From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:34 2006 Subject: Error Message-ID: <3FDF2BD8.13669.6611D7@localhost> Hi. I can see, that in /var/log/boot.log I have the following error. What is the reason for that ?. Dec 16 15:41:48 gateway MailScanner: /etc/rc3.d/S- 1MailScanner: line 103: /etc/rc.status: No such file or directory Dec 16 15:41:48 gateway MailScanner: /etc/rc3.d/S- 1MailScanner: line 104: rc_reset: command not found Dec 16 15:41:48 gateway MailScanner: Initializing incoming postfix Dec 16 15:41:48 gateway MailScanner: /etc/rc3.d/S- 1MailScanner: line 68: rc_status: command not found Dec 16 15:41:48 gateway MailScanner: Initializing outgoing postfix Dec 16 15:41:48 gateway MailScanner: /etc/rc3.d/S- 1MailScanner: line 88: rc_status: command not found Dec 16 15:41:48 gateway MailScanner: Initializing MailScanner Dec 16 15:41:48 gateway MailScanner: /etc/rc3.d/S- 1MailScanner: line 100: rc_status: command not found Dec 16 15:41:48 gateway MailScanner: /etc/rc3.d/S- 1MailScanner: line 117: startproc: command not found Dec 16 15:41:48 gateway MailScanner: /etc/rc3.d/S- 1MailScanner: line 182: rc_exit: command not found Dec 16 15:41:48 gateway rc: Starting MailScanner: failed Regards, Erik From joan.bryan at KCL.AC.UK Tue Dec 16 15:31:42 2003 
From: joan.bryan at KCL.AC.UK (Joan Bryan) Date: Thu Jan 12 21:21:34 2006 Subject: Messages stuck in inbound queue In-Reply-To: <3FDF1905.2070208@solid-state-logic.com> References: <3FDF1905.2070208@solid-state-logic.com> <3FDEEA4F.8050705@solid-state-logic.com> Message-ID: Message-ID: Priority: NORMAL X-Mailer: Execmail for Win32 5.1.1 Build (10) MIME-Version: 1.0 Content-Type: Text/Plain; charset="us-ascii" On Tue, 16 Dec 2003 14:39:01 +0000 Martin Hepworth wrote: > Joan Bryan wrote: > > Message-ID: > > Priority: NORMAL > > X-Mailer: Execmail for Win32 5.1.1 Build (10) > > MIME-Version: 1.0 > > Content-Type: Text/Plain; charset="us-ascii" > > > > > > On Tue, 16 Dec 2003 11:19:43 +0000 Martin Hepworth > > wrote: > > > > > >>Joan Bryan wrote: > >> > >>>I upgraded MailScanner from MailScanner from 4.24-5 to 4.25-14 > >>>yesterday but the number of messages in our inbound queue built up > >>>steadily, although some messages were still being processed. Stopping > >>>mailscanner and restarting did not help. Reverting back to 4.25-5 > >>>cleared the 22,000 messages that had built up. This configuration is > >>>using exim 4.30 with exiscan with split inbound and outbound queues on > >>>Solaris 9. > >>> > >>>Any ideas as to the problem > >>> > >>>Thanks as always for the great support > >>> > >>>Joan > > > > > >>what did the log files say? > >> > > > > > > Okay here are the log messages for one mailscanner thread:- > > > > Dec 16 00:04:42 elder MailScanner.conf.relay1[23411]: MailScanner E-Mail Virus Scanner version 4.25-14 starti > > ng... > > Dec 16 00:04:44 elder MailScanner.conf.relay1[23411]: Using locktype = posix > > Dec 16 00:04:45 elder MailScanner.conf.relay1[23411]: ) doesn't begin with LWSP -- using it anyway!! 
> > Dec 16 00:04:45 elder MailScanner.conf.relay1[23411]: Header > > continuation (X-KCLRealSpamScore: -4.8 > > > > <-Above 2 lines repeated with slightly different info 88 times -> > > > > Dec 16 00:04:45 elder MailScanner.conf.relay1[23411]: New Batch: Found 5660 messages waiting > > Dec 16 00:04:45 elder MailScanner.conf.relay1[23411]: New Batch: Scanning 60 messages, 688182 bytes > > Dec 16 00:04:59 elder MailScanner.conf.relay1[23411]: Virus and Content Scanning: Starting > > Dec 16 00:05:02 elder MailScanner.conf.relay1[23411]: Content Checks: Detected and will disarm HTML message i > > n 1AW2g2-0001Vm-1Z > > Dec 16 00:05:02 elder MailScanner.conf.relay1[23411]: Content Checks: Detected and will disarm HTML message i > > n 1AW2g0-0001Qw-Gx > > Dec 16 00:05:02 elder MailScanner.conf.relay1[23411]: Content Checks: Detected and will disarm HTML message i > > n 1AW2f4-00067T-PI > > Dec 16 00:05:02 elder MailScanner.conf.relay1[23411]: Content Checks: Detected and will disarm HTML message i > > n 1AW2g4-0001ez-Jb > > Dec 16 00:05:03 elder MailScanner.conf.relay1[23411]: Uninfected: Delivered 60 messages > > Dec 16 00:05:03 elder MailScanner.conf.relay1[23411]: Header continuation (X-KCLRealSpamScore: 24.5 > > Dec 16 00:05:03 elder MailScanner.conf.relay1[23411]: ) doesn't begin with LWSP -- using it anyway!! > > > > The LWSP message appears to be benign has these were in the previous > > version. The 4.25-14 version appears to be processing the queues > > very slowly, the 4.24-5 version had no trouble. > > > > > > Joan > > M > > > > ---------------------- > > Joan Bryan > > Unix Systems Administrator > > Information Systems > > Telephone: +44 (0) 20 7848 2671 > > mailto:joan.bryan@kcl.ac.uk > > hi > Ok in your MailScanner.conf what does it say about the header > modifications??? > Okay our spam header modification is being done in exim not in MailScanner - I'm sorry I don't really follow what you mean. 
---------------------- Joan Bryan Unix Systems Administrator Information Systems Telephone: +44 (0) 20 7848 2671 mailto:joan.bryan@kcl.ac.uk From sw at INTERNETX.DE Tue Dec 16 15:31:26 2003 From: sw at INTERNETX.DE (Sebastian Wiesinger) Date: Thu Jan 12 21:21:34 2006 Subject: Lost qf-Files Message-ID: <20031216153126.GA3414@lain.intern.internetx.de> Hi! I noticed that Mailscanner(4.25-14) is leaving qf-Files in mqueue.in after scanning and delivering the message: #v+ -rw-r----- 1 root smmsp 1382 Dec 15 17:33 qfhBFGXOGU001499 -rw-r----- 1 root smmsp 2958 Dec 15 18:43 qfhBFHhaGU002424 -rw-r----- 1 root smmsp 4031 Dec 15 19:05 qfhBFI5lGU002736 -rw-r----- 1 root smmsp 2480 Dec 15 20:32 qfhBFJWbGU003562 -rw-r----- 1 root smmsp 2782 Dec 15 23:07 qfhBFM7bGU005048 -rw-r----- 1 root smmsp 1295 Dec 15 23:50 qfhBFMoHGU005473 -rw-r----- 1 root smmsp 4575 Dec 16 00:40 qfhBFNeGGU005991 -rw-r----- 1 root smmsp 2279 Dec 16 00:57 qfhBFNvZGU006190 -rw-r----- 1 root smmsp 4145 Dec 16 10:09 qfhBG99PGU011002 -rw-r----- 1 root smmsp 3569 Dec 16 15:23 qfhBGENbGU014248 -rw-r----- 1 root smmsp 2238 Dec 16 15:34 qfhBGEYsGU014396 -rw-r----- 1 root smmsp 2384 Dec 16 15:48 qfhBGEmKGU014542 #v- The df-Files are deleted. Does anyone know why that happens? Greetings Sebastian From ka at PACIFIC.NET Tue Dec 16 15:45:22 2003 
From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:21:34 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <3FDEE5E9.3040108@sghms.ac.uk> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3D5@jessica.herefordshire.gov.uk> <1071248959.3568.14.camel@localhost.localdomain> <6.0.1.1.2.20031212172756.07d818b0@imap.ecs.soton.ac.uk> <6.0.1.1.2.20031213102117.04f14d68@imap.ecs.soton.ac.uk> <3FDE0186.6060208@pacific.net> <1071524029.27233.23.camel@dbeauchemin.sti.usherbrooke.ca> <6.0.1.1.2.20031216085036.0389fc28@imap.ecs.soton.ac.uk> <3FDEE5E9.3040108@sghms.ac.uk> Message-ID: <3FDF2892.7060409@pacific.net> Sure enough, these messages are triggering HTTP_ESCAPED_HOST too. Dec 16 07:19:01 63.162.241.10 MailScanner[1740]: Message hBGFJ4OG011177 from 218.188.47.114 (verification@paypal.com) to something.com is spam, SpamAssassin (score=56.47, required 4, BAYES_30 -0.90, CLICK_BELOW 0.10, HTML_IMAGE_ONLY_06 1.44, HTML_LINK_CLICK_HERE 0.10, HTML_MESSAGE 0.10, HTTP_ESCAPED_HOST 1.51, IE6_URL_VULN 50.00, MIME_HTML_ONLY 0.32, USERPASS 3.81) Yesterday it was ebay, today they are pretending to be from Paypal. Tomorrow it will be e-voting in Florida... Thanks, Ken A. Pacific.Net Daniel Bird wrote: > Julian Field wrote: > >> This is starting to look awfully familiar. See the SA rule >> "HTTP_ESCAPED_HOST" which uses this: >> /^https?\:\/\/[^\/\s]*%[0-9a-fA-F][0-9a-fA-F]/ >> >> Do we want to scrap the custom rule altogether and just increase the >> score of http_escaped_host? > > > > We've been using that rule for a few days now with a MCP score of 10 , > and I haven't seen any Fp's as yet. > > Dan > >> >> >> At 21:33 15/12/2003, you wrote: >> >>> I also got some false positives with the same regex. I couldn't figure >>> out why because the emails contained no %... they had attached >>> documents though, coded in base64. >>> >>> I changed the regex to: /https?:\/\/.*%([01][0-9a-f]|7f).*@/i >>> >>> Denis >>> >>> Le lun 15/12/2003 ? 
13:46, Ken Anderson a ?crit : >>> > Seeing a false positive from a weatherbug spam using this re. >>> > > /%([01][0-9a-f]|7f).*@/i >>> > >>> > It's coming from this mailto link: >>> > >>> > >>> mailto:community@isabel.weatherbug.com?Subject=Photo%20Submission&Body=Step%201%20-%20Safely%20take%20photos%20you%27d%20like%20to%2 >>> >>> > >>> 0share%20with%20the%20community%20before%2C%20during%20or%20after%20the%20storm.%0D%0A%0D%0AStep%202%20-%20Send%20this%20email%20wit >>> >>> > h%20your%20photos%20attached%20to%3A%20community@isabel.weatherbug.com >>> > >>> > Any ideas? >>> > >>> > Thanks, >>> > Ken A. >>> > Pacific.Net >>> > >>> > >>> > >>> > >>> > >>> > >>> > >>> > Julian Field wrote: >>> > >>> > > At 17:29 12/12/2003, you wrote: >>> > > >>> > >> At 17:09 12/12/2003, you wrote: >>> > >> >>> > >>> On Fri, 2003-12-12 at 03:47, Randal, Phil wrote: >>> > >>> > RFC 2396 (http://www.faqs.org/rfcs/rfc2396.html) generalises >>> URIs. >>> > >>> >>> > >>> I only skimmed the spec. But what I gathered, unless I completely >>> > >>> misunderstood the document is that characters from %00 through %1F >>> > >>> inclusive and %7F are control characters and shouldn't be in a >>> URI. >>> > >>> >>> > >>> Although they are disallowed within the URI syntax, we >>> include here a >>> > >>> description of those US-ASCII characters that have been >>> excluded and >>> > >>> the reasons for their exclusion. >>> > >>> >>> > >>> The control characters in the US-ASCII coded character set >>> are not >>> > >>> used within a URI, both because they are non-printable and >>> because >>> > >>> they are likely to be misinterpreted by some control >>> mechanisms. >>> > >>> >>> > >>> control = >> hexadecimal> >>> > >>> >>> > >>> So how much trouble would we cause if we just disallowed the >>> entire >>> > >>> range of control characters from URIs? Can anyone think of a real >>> > >>> website >>> > >>> that legitimately uses any of these control codes within their >>> URIs? 
I'm particularly concerned about shopping sites with their massive URIs.
>>> > >>
>>> > >> Sounds good to me.
>>> > >
>>> > > The pattern for matching this is therefore
>>> > >
>>> > > /%([01][0-9a-f]|7f).*@/i
>>> > >
>>> > > so add this to spam.assassin.prefs.conf:
>>> > >
>>> > > uri IE_VULN /%([01][0-9a-f]|7f).*@/i
>>> > > score IE_VULN 100.0
>>> > > describe IE_VULN Internet Explorer vulnerability
>>> > >
>>> > > and then restart MailScanner.
>>> > > --
>>> > > Julian Field
>>> > > www.MailScanner.info
>>> > > Professional Support Services at www.MailScanner.biz
>>> > > MailScanner thanks transtec Computers for their support
>>> > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>> > >
>>> --
>>> Denis Beauchemin, analyste
>>> Université de Sherbrooke, S.T.I.
>>> T: 819.821.8000x2252 F: 819.821.8045
>>
>
From t.d.lee at DURHAM.AC.UK Tue Dec 16 16:07:19 2003
From: t.d.lee at DURHAM.AC.UK (David Lee)
Date: Thu Jan 12 21:21:34 2006
Subject: Internet Explorer URL Display problem
In-Reply-To: <3FDF2892.7060409@pacific.net>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3D5@jessica.herefordshire.gov.uk> <1071248959.3568.14.camel@localhost.localdomain> <6.0.1.1.2.20031212172756.07d818b0@imap.ecs.soton.ac.uk> <6.0.1.1.2.20031213102117.04f14d68@imap.ecs.soton.ac.uk> <3FDE0186.6060208@pacific.net> <1071524029.27233.23.camel@dbeauchemin.sti.usherbrooke.ca> <6.0.1.1.2.20031216085036.0389fc28@imap.ecs.soton.ac.uk> <3FDEE5E9.3040108@sghms.ac.uk> <3FDF2892.7060409@pacific.net>
Message-ID:

On Tue, 16 Dec 2003, Ken Anderson wrote:

> Sure enough, these messages are triggering HTTP_ESCAPED_HOST too.
>
> Dec 16 07:19:01 63.162.241.10 MailScanner[1740]: Message hBGFJ4OG011177
> from 218.188.47.114 (verification@paypal.com) to something.com is spam,
> SpamAssassin (score=56.47, required 4, BAYES_30 -0.90, CLICK_BELOW 0.10,
> HTML_IMAGE_ONLY_06 1.44, HTML_LINK_CLICK_HERE 0.10, HTML_MESSAGE 0.10,
> HTTP_ESCAPED_HOST 1.51, IE6_URL_VULN 50.00, MIME_HTML_ONLY 0.32,
> USERPASS 3.81)

I see that, too. Our two main inbound campus mailrelays each handle about 50,000 messages per day. We use SA 2.61 as close as possible to "as delivered". A "grep" on the log files for the last week shows 15 occurrences of a local "IE_VULN" (our pattern, following Julian's suggestion a few days ago, is "/%01.*@/") and each instance also shows SA's own "HTTP_ESCAPED_HOST".

Whilst the sample size (15) is small, it suggests that SA2.61's own configuration is along the right lines for catching this, although their score (1.51) might want to be higher.

--
: David Lee I.T. Service :
: Systems Programmer Computer Centre :
: University of Durham :
: http://www.dur.ac.uk/t.d.lee/ South Road :
: Durham :
: Phone: +44 191 334 2752 U.K. :
From hmkash at ARL.ARMY.MIL Tue Dec 16 16:24:21 2003
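The URI patterns compared in the "Internet Explorer URL Display problem" messages above, run side by side over sample URIs; this is an added example, not code from any poster or from SpamAssassin. The sample URIs are constructed (the mailto one is abridged from the link Ken Anderson quoted), the rule names other than IE_VULN and HTTP_ESCAPED_HOST are made up here, and testing each pattern against one URI at a time is an assumption about how a `uri` rule is evaluated.

```python
import re

# Patterns quoted in the thread, translated from Perl /.../ syntax to Python.
# Only IE_VULN and HTTP_ESCAPED_HOST are rule names used in the thread; the
# other two keys are labels invented for this example.
RULES = {
    # Julian Field's custom rule: a control-character escape anywhere before "@".
    "IE_VULN": re.compile(r"%([01][0-9a-f]|7f).*@", re.IGNORECASE),
    # Denis Beauchemin's variant: the same, but only after an http(s):// prefix.
    "IE_VULN_HTTP_ONLY": re.compile(r"https?://.*%([01][0-9a-f]|7f).*@", re.IGNORECASE),
    # David Lee's local pattern: the literal %01 escape before "@".
    "IE_VULN_PCT01": re.compile(r"%01.*@"),
    # SpamAssassin's stock rule as quoted by Julian Field: any %XX in the host part.
    "HTTP_ESCAPED_HOST": re.compile(r"^https?://[^/\s]*%[0-9a-fA-F][0-9a-fA-F]"),
}

# Escapes that RFC 2396 classes as control characters (%00-%1F and %7F).
CONTROL_ESCAPE = re.compile(r"%(?:[01][0-9a-f]|7f)", re.IGNORECASE)

# Constructed sample URIs (documentation host names and address only).
SAMPLES = {
    # Escaped control character in the userinfo part, hiding the real host.
    "spoofed_host": "http://www.example.com%01@203.0.113.5/login",
    # Abridged from the weatherbug mailto link: CR/LF escapes in the body text
    # followed by an e-mail address later in the same URI.
    "mailto_crlf": (
        "mailto:community@isabel.weatherbug.com?Subject=Photo%20Submission"
        "&Body=Step%201%0D%0A%0D%0AStep%202%20-%20Send%20to%3A%20"
        "community@isabel.weatherbug.com"
    ),
    # Legitimate-looking web URL: newline escape and an address in the query.
    "query_newline": "http://shop.example.com/cart?note=line1%0Aline2&contact=user@example.com",
    # Ordinary escaped space in the path, no "@" at all.
    "plain_escape": "http://www.example.com/a%20b.html",
}


def rules_hit(uri):
    """Return the set of rule names whose pattern matches this URI."""
    return {name for name, pattern in RULES.items() if pattern.search(uri)}


def first_control_escape(uri):
    """Return the first %00-%1F/%7F escape in the URI, or None if there is none."""
    match = CONTROL_ESCAPE.search(uri)
    return match.group(0) if match else None


def report():
    """Build one line per sample: name, triggering escape, rules that fired."""
    lines = []
    for name, uri in SAMPLES.items():
        hits = ", ".join(sorted(rules_hit(uri))) or "-"
        lines.append(f"{name:14} escape={first_control_escape(uri)!s:5} hits={hits}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The mailto sample fires only the unanchored IE_VULN pattern, because `%0D` is a control escape and an `@` follows it later in the body text; the host-anchored HTTP_ESCAPED_HOST pattern is the only one that stays quiet on both benign samples.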
From: hmkash at ARL.ARMY.MIL (Kash, Howard (Civ,ARL/CISD)) Date: Thu Jan 12 21:21:34 2006 Subject: MailScanner/Postfix message duplication - possible fix Message-ID: <229A346E44379140A59A48951B56E0C0D405CA@ARLABML01.DS.ARL.ARMY.MIL> No, it's a MailScanner patch to the file /usr/lib/Mailscanner/Mailscanner/Postfix.pm. Howard -----Original Message----- From: Drew Marshall [mailto:drew@THEMARSHALLS.CO.UK] Sent: Tuesday, December 16, 2003 9:55 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MailScanner/Postfix message duplication - possible fix Thanks, I'll give it a go. Am I right in assuming this is a Postfix patch not a MailScanner patch? Drew From lou.baccari at HP.COM Tue Dec 16 16:34:17 2003 From: lou.baccari at HP.COM (Baccari, Lou) Date: Thu Jan 12 21:21:34 2006 Subject: MajorSophos error Message-ID: Hello, I'm trying to use the MajorSophos.sh script from http://www.tippingmar.com/majorsophos/ and I'm receiving the error listed below, any ideas as to how to correct the problem? Thanks, Lou Starting the MailScanner Sophos installation script + '[' no = yes ']' + /usr/sbin/Sophos.install Clearing out old default Sophos installation libraries Uncompressing Sophos distribution /usr/sbin/Sophos.install: line 28: uncompress: command not found Please cd into the directory containing the Sophos install.sh script and run this command again. + sweepVer + '[' -f /usr/lib/MailScanner/sophos-wrapper ']' + '[' -f /usr/local/Sophos/bin/sweep ']' + printout 'Current Sophos version information follows:' + '[' no = no ']' + echo Current Sophos version information follows: Current Sophos version information follows: ++ /usr/lib/MailScanner/sophos-wrapper /usr/local/Sophos -v ++ egrep 'Product|Released' Error initialising detection engine - missing main virus data From kodak at FRONTIERHOMEMORTGAGE.COM Tue Dec 16 16:39:11 2003 
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki) Date: Thu Jan 12 21:21:34 2006 Subject: MajorSophos error In-Reply-To: Message-ID: <002801c3c3f3$22632ce0$0501a8c0@darkside> > >Starting the MailScanner Sophos installation script >+ '[' no = yes ']' >+ /usr/sbin/Sophos.install >Clearing out old default Sophos installation libraries >Uncompressing Sophos distribution >/usr/sbin/Sophos.install: line 28: uncompress: command not found The command "uncompress" is either not on your system, or not in your path. I don't know what OS you're using, so I can't help you further, but a quick google search should help you out... --J(K) From Kevin_Miller at CI.JUNEAU.AK.US Tue Dec 16 16:45:57 2003 From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:21:34 2006 Subject: Internet Explorer URL Display problem Message-ID: <08146035CA49D6119A36009027AC822A0264EB9B@CITY-EXCH-NTS> >-----Original Message----- >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >This is starting to look awfully familiar. See the SA rule >"HTTP_ESCAPED_HOST" which uses this: >/^https?\:\/\/[^\/\s]*%[0-9a-fA-F][0-9a-fA-F]/ > >Do we want to scrap the custom rule altogether and just >increase the score of http_escaped_host? Sounds like a plan to me - can always add in a custom rule later if the SA flavor doesn't do something it outta. Having never done it before, let me ask just to be sure: we simply need to add score HTTP_ESCAPED_HOST 10 to /etc/MailScanner/spam.assassin.prefs.conf and it'll override the default? TIA... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From lou.baccari at HP.COM Tue Dec 16 16:58:31 2003 
From: lou.baccari at HP.COM (Baccari, Lou) Date: Thu Jan 12 21:21:34 2006 Subject: MajorSophos error Message-ID: Sorry for the mail, but I figured it out. Sophos.install is looking for the uncompress command so I created a link "ln -s /bin/gunzip /bin/uncompress" and that appears to have corrected the problems. I'm now able to run 'MajorSophos.sh -install' without errors. Thanks, Lou. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Baccari, Lou Sent: Tuesday, December 16, 2003 11:34 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: MajorSophos error Hello, I'm trying to use the MajorSophos.sh script from http://www.tippingmar.com/majorsophos/ and I'm receiving the error listed below, any ideas as to how to correct the problem? Thanks, Lou Starting the MailScanner Sophos installation script + '[' no = yes ']' + /usr/sbin/Sophos.install Clearing out old default Sophos installation libraries Uncompressing Sophos distribution /usr/sbin/Sophos.install: line 28: uncompress: command not found Please cd into the directory containing the Sophos install.sh script and run this command again. + sweepVer + '[' -f /usr/lib/MailScanner/sophos-wrapper ']' + '[' -f /usr/local/Sophos/bin/sweep ']' + printout 'Current Sophos version information follows:' + '[' no = no ']' + echo Current Sophos version information follows: Current Sophos version information follows: ++ /usr/lib/MailScanner/sophos-wrapper /usr/local/Sophos -v ++ egrep 'Product|Released' Error initialising detection engine - missing main virus data From dbird at SGHMS.AC.UK Tue Dec 16 16:59:02 2003 From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:21:34 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <08146035CA49D6119A36009027AC822A0264EB9B@CITY-EXCH-NTS> References: <08146035CA49D6119A36009027AC822A0264EB9B@CITY-EXCH-NTS> Message-ID: <3FDF39D6.3070506@sghms.ac.uk> Kevin Miller wrote: >>-----Original Message----- 
>>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >> >> > > > >>This is starting to look awfully familiar. See the SA rule >>"HTTP_ESCAPED_HOST" which uses this: >>/^https?\:\/\/[^\/\s]*%[0-9a-fA-F][0-9a-fA-F]/ >> >>Do we want to scrap the custom rule altogether and just >>increase the score of http_escaped_host? >> >> > >Sounds like a plan to me - can always add in a custom rule later if the SA >flavor doesn't do something it outta. > >Having never done it before, let me ask just to be sure: we simply need to >add > > score HTTP_ESCAPED_HOST 10 > >to /etc/MailScanner/spam.assassin.prefs.conf and it'll override the default? > > Yes, assuming this would push the score over your high scoring spam actions. Otherwise you could set up MCP as described @ http://www.sng.ecs.soton.ac.uk/mailscanner/install/mcp You would need to copy the HTTP_ESCAPED_HOST rule from /usr/share/spamassassin/20_uri_test.cf into your mcp cf file if you use MCP... Dan >TIA... > >...Kevin >-- >Kevin Miller Registered Linux User No: 307357 >CBJ MIS Dept. Network Systems Administrator, Mail >Administrator >155 South Seward Street ph: (907) 586-0242 >Juneau, Alaska 99801 fax: (907 586-4500 > > > -- ____________________________________ Daniel Bird Network and Systems Manager Department Of Information Services St. George's Hospital Medical School Tooting London SW17 0RE P: +44 20 8725 2897 F: +44 20 8725 3583 E: dan@sghms.ac.uk ____________________________________ Everything is possible....except skiing through a revolving door. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Kevin_Miller at CI.JUNEAU.AK.US Tue Dec 16 17:07:38 2003 From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:21:34 2006 Subject: Internet Explorer URL Display problem Message-ID: <08146035CA49D6119A36009027AC822A0264EB9D@CITY-EXCH-NTS> >-----Original Message----- 
>From: Daniel Bird [mailto:dbird@SGHMS.AC.UK] >Yes, assuming this would push the score over your high scoring spam >actions. Otherwise you could set up MCP as described @ >http://www.sng.ecs.soton.ac.uk/mailscanner/install/mcp > >You would need to copy the HTTP_ESCAPED_HOST rule from >/usr/share/spamassassin/20_uri_test.cf into your mcp cf file >if you use >MCP... Thanks Dan - in my case I treat high scoring and normal spam the same, but obviously others don't. One more quick question: does it matter if one uses spaces in the score line, or does it require tabs like various other settings like in the *.rules files? Best... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From mailscanner at ecs.soton.ac.uk Tue Dec 16 17:20:42 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:34 2006 Subject: Uninstall ?. In-Reply-To: <3FDF1FC4.8878.36E082@localhost> References: <3FDF1FC4.8878.36E082@localhost> Message-ID: <6.0.1.1.2.20031216172035.03742a48@imap.ecs.soton.ac.uk> Yes. At 14:07 16/12/2003, you wrote: >Hello. > >I I want to uninstall MailScanner is it to be done with RPM -e ?. > >Erik -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Dec 16 17:25:45 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:34 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <08146035CA49D6119A36009027AC822A0264EB9D@CITY-EXCH-NTS> References: <08146035CA49D6119A36009027AC822A0264EB9D@CITY-EXCH-NTS> Message-ID: <6.0.1.1.2.20031216172503.0906fc88@imap.ecs.soton.ac.uk> At 17:07 16/12/2003, you wrote: > >-----Original Message----- 
> >From: Daniel Bird [mailto:dbird@SGHMS.AC.UK] > > >Yes, assuming this would push the score over your high scoring spam > >actions. Otherwise you could set up MCP as described @ > >http://www.sng.ecs.soton.ac.uk/mailscanner/install/mcp > > > >You would need to copy the HTTP_ESCAPED_HOST rule from > >/usr/share/spamassassin/20_uri_test.cf into your mcp cf file > >if you use > >MCP... > >Thanks Dan - in my case I treat high scoring and normal spam the same, but >obviously others don't. One more quick question: does it matter if one uses >spaces in the score line, or does it require tabs like various other >settings like in the *.rules files? Spaces are fine. The only files that require tabs are filename.rules.conf and filetype.rules.conf. Everything else can handle spaces just fine. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Dec 16 17:23:35 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:34 2006 Subject: Lost qf-Files In-Reply-To: <20031216153126.GA3414@lain.intern.internetx.de> References: <20031216153126.GA3414@lain.intern.internetx.de> Message-ID: <6.0.1.1.2.20031216172307.03747e90@imap.ecs.soton.ac.uk> These are almost certainly message fragments where the remote SMTP client didn't completely send you the message. Just delete the orphaned files. At 15:31 16/12/2003, you wrote: >Hi! > >I noticed that Mailscanner(4.25-14) is leaving qf-Files in mqueue.in after >scanning and delivering the message: > >#v+ >-rw-r----- 1 root smmsp 1382 Dec 15 17:33 qfhBFGXOGU001499 >-rw-r----- 1 root smmsp 2958 Dec 15 18:43 qfhBFHhaGU002424 >-rw-r----- 1 root smmsp 4031 Dec 15 19:05 qfhBFI5lGU002736 >-rw-r----- 1 root smmsp 2480 Dec 15 20:32 qfhBFJWbGU003562 >-rw-r----- 1 root smmsp 2782 Dec 15 23:07 qfhBFM7bGU005048 >-rw-r----- 1 root smmsp 1295 Dec 15 23:50 qfhBFMoHGU005473 >-rw-r----- 1 root smmsp 4575 Dec 16 00:40 qfhBFNeGGU005991 >-rw-r----- 1 root smmsp 2279 Dec 16 00:57 qfhBFNvZGU006190 >-rw-r----- 1 root smmsp 4145 Dec 16 10:09 qfhBG99PGU011002 >-rw-r----- 1 root smmsp 3569 Dec 16 15:23 qfhBGENbGU014248 >-rw-r----- 1 root smmsp 2238 Dec 16 15:34 qfhBGEYsGU014396 >-rw-r----- 1 root smmsp 2384 Dec 16 15:48 qfhBGEmKGU014542 >#v- > >The df-Files are deleted. Does anyone know why that happens? > >Greetings >Sebastian -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Dec 16 17:21:57 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:34 2006 Subject: Error messages In-Reply-To: References: <6.0.1.1.2.20031216085542.038cd328@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20031216172129.03e42d70@imap.ecs.soton.ac.uk> Your hostname resolution isn't working properly. It is lacking the reverse PTR records for whatever it is trying to look up. At 14:23 16/12/2003, you wrote: >Julian, > >Thanks, I thought it would be something simple. > >I am still getting > sendmail[27295]: gethostbyaddr failed: 1 >for every virtual domain every time an e-mail comes in. > >Any other ideas ? > >Regards > >Nick > > > > You need to do > > /etc/rc.d/init.d/sendmail stop > > to actually kill all the sendmail processes before you start MailScanner. > > The "chkconfig" commands merely tell it what to do at boot-time, > > they don't > > alter the current state of the system at all. > > When you do > > ps ax | grep -i mail > > you should get no MailScanner processes or sendmail processes. > > Kill off any > > left running. > > Then do > >--- >Outgoing mail is certified Virus Free. >Checked by AVG anti-virus system (http://www.grisoft.com). >Version: 6.0.545 / Virus Database: 339 - Release Date: 27/11/2003 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at CPYOU.COM Tue Dec 16 18:31:15 2003 
From: mailscanner at CPYOU.COM (J. Bishop)
Date: Thu Jan 12 21:21:34 2006
Subject: Effort to manage MailScanner
Message-ID:

I have been using MailScanner on a half dozen or more mail servers for almost a year now... On all systems I try to use the latest MailScanner, SpamAssassin, DCC, Razor, Pyzor. I also have between 2 and 5 listed RBLs in MailScanner and use at least 2 virus scanners per system, black and whitelists with somewhat similar configurations on all. The hardware used is typically from low end 2 year old servers to junk pseudo-servers. On some I have set spam level as low as 2 and high-scoring spam as low as 3. On other systems I have them set to 6 and 10. I am not sure why but based on the type of messages received I find I need to ratchet back the levels on some systems to avoid false positives and on others I can lower the #'s way down to improve spam detection with no false positives at all. I spend a total of at least a couple of hours per week updating spam software, reading this list and changing config entries to maintain the systems. For some servers I forward possible and definite spam and review it semi-regularly, and on other systems it gets deleted immediately. I have only ever checked the quarantine a couple of times and only pulled a file from it once, I contemplated writing a cron script to delete the last month's quarantine each month. Some of these servers get ~400 emails per day and others get 12,000+ and the spam rates vary from 20% up to 75% of total messages received so I guess these variances are why a standard config won't cover all bases all the time... I used to be in a no downtime environment (telco) but now have some freedom to upgrade somewhat at leisure and I can really appreciate the 'only upgrade if needed' attitude but it does cost somewhat in other ways... I think spam filtering at this point in time is both art and science. Thanks to Julian and others users can again use email as a method of communications.

>>>>>>>>>>>>>>>
On Thu, 11 Dec 2003 08:36:05 +1100, Pete wrote:
are you guys getting some benefit that I am not, or is it because you have far greater volumes of mail that you get more spam through MS and have to work harder to stop it?
From eja at URBAKKEN.DK Tue Dec 16 17:29:57 2003
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:21:34 2006
Subject: Uninstall ?.
In-Reply-To: <6.0.1.1.2.20031216172035.03742a48@imap.ecs.soton.ac.uk>
References: <3FDF1FC4.8878.36E082@localhost>
Message-ID: <3FDF4F25.106.EFFC43@localhost>

On 16 Dec 2003 at 17:20, Julian Field wrote:

> Yes.

Thank you Julian.

> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

Erik.
From jones at ODENSE.KOLLEGIENET.DK Tue Dec 16 17:30:19 2003
From: jones at ODENSE.KOLLEGIENET.DK (Jonas Bardino)
Date: Thu Jan 12 21:21:34 2006
Subject: Dial-up User List
In-Reply-To:
References: <001501c3c379$96d645f0$6401a8c0@pgx01>
Message-ID: <20031216173019.GB10053@bardino.dk>

* Raymond Dijkxhoorn [Dec 16. 2003 03:29]:
> Hi!
>
> > Are there any free listings like the commercial "MAPS Dial-up User List"? I
> > am already using RBL and DNSBL listings but would like to add a Dial-up User
> > Listing.
>
> SORBS-DUL.
>
> Bye,
> Raymond.

... or perhaps the one from njabl.org (http://njabl.org/use.html)

In case you're using SpamAssassin it's already there as RCVD_IN_NJABL_DIALUP.

Regards, Jonas
From mark at TIPPINGMAR.COM Tue Dec 16 18:27:28 2003
From: mark at TIPPINGMAR.COM (Mark Nienberg) Date: Thu Jan 12 21:21:34 2006 Subject: MajorSophos error In-Reply-To: Message-ID: <3FDEDE10.5053.1E576A6E@localhost> On 16 Dec 2003 at 11:58, Baccari, Lou wrote: > Sorry for the mail, but I figured it out. Sophos.install is looking for the uncompress command so I created a link "ln -s /bin/gunzip /bin/uncompress" and that appears to have corrected the problems. I'm now able to run 'MajorSophos.sh -install' without errors. > On RedHat, "uncompress" is part of the rpm package named "ncompress". Mark From dustin.baer at IHS.COM Tue Dec 16 18:47:13 2003 From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:21:34 2006 Subject: A virus message saved as spam References: Message-ID: <3FDF5331.37B40F28@ihs.com> Matthijs Althoff wrote: > > > Today I found four messages coming in and containing > viruses which are saved as spam instead of a seperate > virus directory under quarantine. Two other messages > coming in are properly contained as virus. Where is > what going wrong? Matthijs, If I remember correctly, spam checking is done before virus scanning, so nothing went wrong. Dustin From m.sapsed at BANGOR.AC.UK Tue Dec 16 19:05:24 2003 
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:21:34 2006 Subject: MCP (Was: Re: Internet Explorer URL Display problem) References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> <6.0.1.1.2.20031210202408.027e59f8@imap.ecs.soton.ac.uk> <1587.24.83.44.30.1071089543.squirrel@www.fractalweb.com> <6.0.1.1.2.20031210211659.027caaf0@imap.ecs.soton.ac.uk> <3FD86790.3050407@bangor.ac.uk> <6.0.1.1.2.20031211134806.083f6ec0@imap.ecs.soton.ac.uk> <6.0.1.1.2.20031211140338.08c99568@imap.ecs.soton.ac.uk> Message-ID: <3FDF5774.1090705@bangor.ac.uk> Julian Field wrote: > At 13:49 11/12/2003, you wrote: > >>>> For docs on MCP, see >>>> www.sng.ecs.soton.ac.uk/mailscanner/install/mcp >>> >>> I will have a look at this - Julian, have you got patches for SA 2.61 >>> yet? (The page says to ask for patches for new versions of SA!! ;-) > > They are there now. Ta >>> (Also, btw, there are still some references to TCP rather than MCP in >>> that page.) > > Fixed. Apart from the HTML Page title!! ;-) Had a bit of a play with this but got a bit stuck. Changed some of the conf entries on the web page which looked promising. Thought changing MCP Checks from no to yes would be a good start! ;-) Bit puzzled though now about what MS does if something fails the MCP tests. Tried MCP Actions = store High Scoring MCP Actions = store but that seemed to hit the bit-bucket? Tried using deliver instead and that got through with the extra headers so it's working. With deliver, the log noted that it was to be delivered, but with store - nothing in the log. Wasn't sure what the Is Definitely stuff and the Report things were about though...? I guess the defaults in your examples follow the usual protocol of playing safe and not activating things without the user wanting them. Trouble is I want to and haven't worked out how yet!!! Sorry if I'm being thick! 
Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From ralexand at HOODINDUSTRIES.COM Tue Dec 16 19:31:51 2003 From: ralexand at HOODINDUSTRIES.COM (Richard Alexander) Date: Thu Jan 12 21:21:34 2006 Subject: Upgrading MailScanner and SpamAssassin Message-ID: I'm currently running MS(4.20-3) and SA(2.44) on a Red Hat Linux 9.0 server for our company. I wanted to install the latest release of each product to try and get a little better filtering. I have downloaded the RPMS for MS(4.25-14) and SA(2.61-1). I was wondering if there was anything in particular I need to do before installing the new versions? Which program should be installed first, etc. Thanks in advance for the help. From kevins at BMRB.CO.UK Tue Dec 16 19:49:07 2003 
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:21:34 2006
Subject: Upgrading MailScanner and SpamAssassin
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB00188B976@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB00188B976@pascal.priv.bmrb.co.uk>
Message-ID: <1071604150.24502.5.camel@bach.kevinspicer.co.uk>

On Tue, 2003-12-16 at 19:31, Richard Alexander wrote:

>I'm currently running MS(4.20-3) and SA(2.44) on a Red Hat Linux 9.0
>server for our company. I wanted to install the latest release of each
>product to try and get a little better filtering. I have downloaded the
>RPMS for MS(4.25-14) and SA(2.61-1). I was wondering if there was
>anything in particular I need to do before installing the new versions?
>Which program should be installed first, etc.

This has been discussed recently, so check the archives for more detail. In your specific case the order probably isn't important, but as a general guide it's probably best to upgrade MailScanner first, then the other ancillary programs (my reasoning being that where ancillary programs have changed their API or output that you may need the latest MailScanner to handle them correctly). I'd also suggest doing MailScanner first (use the upgrade_MailScanner_conf to do what it says on the tin) then leaving it for a while before upgrading SA (so that if you do have problems you know which upgrade caused them).
From hmkash at ARL.ARMY.MIL Tue Dec 16 19:55:21 2003
From: hmkash at ARL.ARMY.MIL (Kash, Howard (Civ,ARL/CISD)) Date: Thu Jan 12 21:21:34 2006 Subject: MailScanner/Postfix message duplication - possible fix Message-ID: <229A346E44379140A59A48951B56E0C0D405CD@ARLABML01.DS.ARL.ARMY.MIL> I just got nailed with a few more duplicates, and it was up to 40 seconds between the postfix "(deferred transport)" log entry and the "skipped, still being delivered" log entry. So I'm going to change the waiting period on my system to 60 seconds (time + 940) and see how it goes. Howard -----Original Message----- 
From: Kash, Howard (Civ,ARL/CISD)
Sent: Tuesday, December 16, 2003 9:42 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: MailScanner/Postfix message duplication - possible fix

Here is a solution Julian proposed to the postfix/still being delivered/duplicate message problem back in September. Based on my analysis of the Postfix code and logs from actual occurrences of the bug, I think this is along the right track. However, postfix postdates messages that it moves into the deferred queue by 1000 seconds (minimal_backoff_time default value). My version of this patch is:

    next if ($ModDate{$file} + 10) > (time + 1000);

or more efficiently:

    next if $ModDate{$file} > (time + 990);

This accounts for the 1000 second postdate period and adds 10 seconds to get around the apparent race condition. In every occurrence that I've seen of the bug, MailScanner starts its scan just as a message is being processed (moved into the deferred queue) by postfix. I think there is a brief instance when postfix does not have a lock on the file and MailScanner picks it up (and locks it). Then postfix tries to lock the file. Seeing that it is already locked, it generates the "skipped, still being delivered" message and backs off for 60 seconds (see nqmgr/qmgr_active.c:qmgr_active_feed()) and then re-queues the message again.

You will need to adjust the 1000 second value if you have changed the default postfix setting for minimal_backoff_time. You may also want to play around with the 10 second delay if it's too long or short. Since the bug is very difficult to reproduce and occurs so infrequently, it's hard to say yet if this is actually working. If others could try it out and let the list know if it seems to be working for them, maybe Julian can add it to the next release. The only side effect of adding this line will be a 10 second delay in mail delivery.

Howard

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Thursday, September 04, 2003 6:45 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MailScanner+PostFix ---- try this Here's a patch to Postfix.pm. I know it's not exactly a neat solution to the problem, but if it fixes it I will know I have found the problem. --- Postfix.pm.old 2003-09-01 12:28:21.000000000 +0100 +++ Postfix.pm 2003-09-04 11:49:17.000000000 +0100 @@ -1132,6 +1132,9 @@ #print STDERR "Files are " . join(', ', @SortedFiles) . "\n"; while(defined($file = shift @SortedFiles) && $HitLimit1+$HitLimit2+$HitLimit3+$HitLimit4<1) { + # Yes I know this is a hack but it will help isolate the problem + next if $ModDate{$file} > time-3; + # must separate next two lines or $1 gets re-tainted by being part of # same expression as $file [mumble mumble grrr mumble mumble] #print STDERR "Reading file $file from list\n"; From drew at THEMARSHALLS.CO.UK Tue Dec 16 20:12:52 2003 
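Review bot: the added guard `next if $ModDate{$file} > time-3;` in the `@SortedFiles` loop hard-codes the 3-second window and skips the file without leaving any trace, which makes it hard to tell whether the hack actually fired when a duplicate reappears. Put the 3 in a named variable with a comment on what it must exceed, and log the skipped `$file` the way the commented-out `#print STDERR` lines next to it do. The test is also true for any file whose modification time lies in the future, so such a file is skipped on every pass until its timestamp falls more than 3 seconds behind the clock; if that is intended, the comment should say so.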
From: drew at THEMARSHALLS.CO.UK (Drew Marshall) Date: Thu Jan 12 21:21:35 2006 Subject: MailScanner/Postfix message duplication - possible fix In-Reply-To: <229A346E44379140A59A48951B56E0C0D405C5@ARLABML01.DS.ARL.ARMY.MIL> References: <229A346E44379140A59A48951B56E0C0D405C5@ARLABML01.DS.ARL.ARMY.MIL> Message-ID: <3FDF6744.4070703@themarshalls.co.uk> Thanks very much. I have applied that and I'll let you know how I get on. Drew Kash, Howard (Civ,ARL/CISD) wrote: >Here is a solution Julian proposed to the postfix/still being >delivered/duplicate message problem back in September. Based on my >analysis of the Postfix code and logs from actual occurrences of the >bug, I think this is along the right track. However, postfix postdates >messages that it moves into the deferred queue by 1000 seconds >(minimal_backoff_time default value). My version of this patch is: > > next if ($ModDate{$file} + 10) > (time + 1000); > >or more efficiently: > > next if $ModDate{$file} > (time + 990); > >This accounts for the 1000 second postdate period and adds 10 seconds to >get around the apparent race condition. In every occurrence that I've >seen of the bug, MailScanner starts it's scan just as a message is being >processed (moved into the deferred queue) by postfix. I think there is >a brief instance when postfix does not have a lock on the file and >MailScanner picks it up (and locks it). Then postfix tries to lock the >file. Seeing that it is already locked, it generates the "skipped, >still being delivered" message and backs off for 60 seconds (see >nqmgr/qmgr_active.c:qmgr_active_feed()) and then re-queues the message >again. > >You will need to adjust the 1000 second value if you have changed the >default postfix setting for minimal_backoff_time. You may also want to >play around with the 10 second delay if it's too long or short. Since >the bug is very difficult to reproduce and occurs so infrequently, it's >hard to say yet if this is actually working. 
If others could try it out >and let the list know if it seems to be working for them, maybe Julian >can add it to the next release. The only side effect of adding this >line will be a 10 second delay in mail delivery. > > > >Howard > > >-----Original Message----- >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Thursday, September 04, 2003 6:45 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: MailScanner+PostFix ---- try this > > >Here's a patch to Postfix.pm. I know it's not exactly a neat solution to >the problem, but if it fixes it I will know I have found the problem. > >--- Postfix.pm.old 2003-09-01 12:28:21.000000000 +0100 >+++ Postfix.pm 2003-09-04 11:49:17.000000000 +0100 >@@ -1132,6 +1132,9 @@ > #print STDERR "Files are " . join(', ', @SortedFiles) . "\n"; > while(defined($file = shift @SortedFiles) && > $HitLimit1+$HitLimit2+$HitLimit3+$HitLimit4<1) { >+ # Yes I know this is a hack but it will help isolate the >problem >+ next if $ModDate{$file} > time-3; >+ > # must separate next two lines or $1 gets re-tainted by being >part of > # same expression as $file [mumble mumble grrr mumble mumble] > #print STDERR "Reading file $file from list\n"; > > From drew at THEMARSHALLS.CO.UK Tue Dec 16 22:53:31 2003 
From: drew at THEMARSHALLS.CO.UK (Drew Marshall) Date: Thu Jan 12 21:21:35 2006 Subject: MailScanner/Postfix message duplication - possible fix In-Reply-To: <229A346E44379140A59A48951B56E0C0D405CD@ARLABML01.DS.ARL.ARMY.MIL> References: <229A346E44379140A59A48951B56E0C0D405CD@ARLABML01.DS.ARL.ARMY.MIL> Message-ID: <3FDF8CEB.7020109@themarshalls.co.uk> I wonder if this is only part of the story. Not being a programmer (Or even someone who 'tinkers with code'!) please forgive me if I am being stupid or just plain don't understand :-) The queue manager runs the queues when it's either called by receipt of a 1byte message from another part of Postfix or when its inactivity timer times out (As set in the master.cf file). I had a play with this to start with and when I set the idle timer to 28 days I still got duplicates and the 'skipped' log entry from when MailScanner happened to be picking up a queued file and the queue runner had been called by smtpd because it had just received a message. In some instances (One larger message of 9Mb) this meant on my slow system that I didn't just get duplicates but I got the damn thing 5 times, in various states of delivery as it spooled into the deferred queue. Now my gamble is that moving your times to 40 seconds or even more will probably not cure the problem as if your system is fairly busy the queue runner will be almost continuously running through the deferred queue as it collects mail and checks for messages that are due for attempted redelivery (I guess this happens on every visit to the queue to ensure that ageing messages are not left in deferred for too long). It's that check that could be the problem. If MS is just about to collect the message when the queue runner inspects the message for age (Not worth locking for? Don't know?) then the two paps collide and cause the situation as seen. It won't matter how long you tell MS to leave the message there for, the queue runner could still bump into the collection. 
On my much quieter system it will probably work more reliably for longer as the queue runner will be called less by smtpd and more by the inactivity timer. One way round this could be to send the messages to the hold queue as the queue runner never runs in there. Now just to get the messages there... As I say I could be talking rubbish and I'll go away and keep going with whatever experiment people want to fix this issue but I thought it was worth knocking some thoughts about. Regards Drew Kash, Howard (Civ,ARL/CISD) wrote: >I just got nailed with a few more duplicates, and it was up to 40 >seconds between the postfix "(deferred transport)" log entry and the >"skipped, still being delivered" log entry. So I'm going to change the >waiting period on my system to 60 seconds (time + 940) and see how it >goes. > > >Howard > > > >-----Original Message----- 
>From: Kash, Howard (Civ,ARL/CISD) >Sent: Tuesday, December 16, 2003 9:42 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: MailScanner/Postfix message duplication - possible fix > > >Here is a solution Julian proposed to the postfix/still being >delivered/duplicate message problem back in September. Based on my >analysis of the Postfix code and logs from actual occurrences of the >bug, I think this is along the right track. However, postfix postdates >messages that it moves into the deferred queue by 1000 seconds >(minimal_backoff_time default value). My version of this patch is: > > next if ($ModDate{$file} + 10) > (time + 1000); > >or more efficiently: > > next if $ModDate{$file} > (time + 990); > >This accounts for the 1000 second postdate period and adds 10 seconds to >get around the apparent race condition. In every occurrence that I've >seen of the bug, MailScanner starts its scan just as a message is being >processed (moved into the deferred queue) by postfix. I think there is >a brief instance when postfix does not have a lock on the file and >MailScanner picks it up (and locks it). Then postfix tries to lock the >file. Seeing that it is already locked, it generates the "skipped, >still being delivered" message and backs off for 60 seconds (see >nqmgr/qmgr_active.c:qmgr_active_feed()) and then re-queues the message >again. > >You will need to adjust the 1000 second value if you have changed the >default postfix setting for minimal_backoff_time. You may also want to >play around with the 10 second delay if it's too long or short. Since >the bug is very difficult to reproduce and occurs so infrequently, it's >hard to say yet if this is actually working. If others could try it out >and let the list know if it seems to be working for them, maybe Julian >can add it to the next release. The only side effect of adding this >line will be a 10 second delay in mail delivery. > > > >Howard > > >-----Original Message----- 
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Thursday, September 04, 2003 6:45 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: MailScanner+PostFix ---- try this > > >Here's a patch to Postfix.pm. I know it's not exactly a neat solution to >the problem, but if it fixes it I will know I have found the problem. > >--- Postfix.pm.old 2003-09-01 12:28:21.000000000 +0100 >+++ Postfix.pm 2003-09-04 11:49:17.000000000 +0100 >@@ -1132,6 +1132,9 @@ > #print STDERR "Files are " . join(', ', @SortedFiles) . "\n"; > while(defined($file = shift @SortedFiles) && > $HitLimit1+$HitLimit2+$HitLimit3+$HitLimit4<1) { >+ # Yes I know this is a hack but it will help isolate the >problem >+ next if $ModDate{$file} > time-3; >+ > # must separate next two lines or $1 gets re-tainted by being >part of > # same expression as $file [mumble mumble grrr mumble mumble] > #print STDERR "Reading file $file from list\n"; > > From lists at SAHARA.CO.ZA Wed Dec 17 08:06:28 2003 
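The measurement Howard Kash describes in the thread above, the delay between Postfix's "(deferred transport)" and "skipped, still being delivered" log entries for one queue ID, can be taken from the mail log and turned into the offset N for his `next if $ModDate{$file} > (time + N);` line. This is an added example, not code from any list message or from MailScanner; the log lines are constructed in the usual Postfix syslog layout, and the function names and the 20-second margin are assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines (not from the list); the layout follows the usual
# Postfix syslog format, and the two message texts are the ones quoted in
# the thread.
SAMPLE_LOG = """\
Dec 16 09:12:01 mx postfix/qmgr[411]: 3F2A11C0B2: to=<a@example.com>, relay=none, delay=2, status=deferred (deferred transport)
Dec 16 09:12:41 mx postfix/qmgr[411]: 3F2A11C0B2: skipped, still being delivered
Dec 16 09:30:10 mx postfix/qmgr[411]: 7C9D02E114: to=<b@example.com>, relay=none, delay=1, status=deferred (deferred transport)
Dec 16 09:30:17 mx postfix/qmgr[411]: 7C9D02E114: skipped, still being delivered
Dec 16 10:02:55 mx postfix/qmgr[411]: A01B7733F0: to=<c@example.com>, relay=none, delay=3, status=deferred (deferred transport)
Dec 16 10:05:00 mx postfix/qmgr[411]: 5555555555: skipped, still being delivered
"""

# timestamp, host, postfix/<daemon>[pid], queue ID, rest of the message
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/[\w-]+\[\d+\]: "
    r"([0-9A-F]+): (.*)$"
)


def parse_ts(stamp, year=2003):
    """Syslog timestamps carry no year, so one is assumed (hypothetical default)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def collision_gaps(log_text, year=2003):
    """Map queue ID -> seconds between its 'deferred transport' entry and the
    following 'skipped, still being delivered' entry.

    Queue IDs that show only one of the two entries are ignored: a deferral
    with no later 'skipped' line is the normal case, and a 'skipped' line with
    no earlier deferral says nothing about the window discussed in the thread.
    A log that spans New Year is not handled.
    """
    deferred_at = {}
    gaps = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, qid, rest = m.groups()
        ts = parse_ts(stamp, year)
        if "(deferred transport)" in rest:
            deferred_at[qid] = ts
        elif "skipped, still being delivered" in rest and qid in deferred_at:
            gaps[qid] = int((ts - deferred_at.pop(qid)).total_seconds())
    return gaps


def suggest_skip_offset(gaps, minimal_backoff_time=1000, margin=20):
    """Return N for `next if $ModDate{$file} > (time + N);`.

    Postfix postdates deferred files by minimal_backoff_time seconds, so a
    grace period of G seconds corresponds to N = minimal_backoff_time - G.
    G is the largest observed gap plus a safety margin (margin is an
    assumption, not a value from the thread).
    """
    grace = (max(gaps.values()) if gaps else 0) + margin
    return minimal_backoff_time - grace


if __name__ == "__main__":
    observed = collision_gaps(SAMPLE_LOG)
    for qid, seconds in observed.items():
        print(f"{qid}: {seconds}s between deferral and 'skipped' entry")
    print("suggested offset:", suggest_skip_offset(observed))
```

With the constructed log the largest gap is 40 seconds, which gives the same (time + 940) that Howard settled on; pass your own `minimal_backoff_time` if you have changed it in Postfix.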
From: lists at SAHARA.CO.ZA (Gary Alexander) Date: Thu Jan 12 21:21:35 2006 Subject: OT: Suggestions on IMAP daemon and Webmail server Message-ID: <200312170806.hBH86SUK025754@sol.saharajhb.lan> Hi All I am currently looking at implementing IMAP and a Webmail facility on a server running Sendmail / MailScanner / SpamAssassin I would require the facility for storage of folders and subfolders within the IMAP store as well as the Webmail server to connect to this IMAP store. Any suggestions from people that have implemented this already? I am busy installing Courier IMAP and Squirrelmail at the moment to test. Thanks Gary From mailscanner at ecs.soton.ac.uk Wed Dec 17 08:28:31 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:35 2006 Subject: MCP (Was: Re: Internet Explorer URL Display problem) In-Reply-To: <3FDF5774.1090705@bangor.ac.uk> References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> <6.0.1.1.2.20031210202408.027e59f8@imap.ecs.soton.ac.uk> <1587.24.83.44.30.1071089543.squirrel@www.fractalweb.com> <6.0.1.1.2.20031210211659.027caaf0@imap.ecs.soton.ac.uk> <3FD86790.3050407@bangor.ac.uk> <6.0.1.1.2.20031211134806.083f6ec0@imap.ecs.soton.ac.uk> <6.0.1.1.2.20031211140338.08c99568@imap.ecs.soton.ac.uk> <3FDF5774.1090705@bangor.ac.uk> Message-ID: <6.0.1.1.2.20031217082623.028b4710@imap.ecs.soton.ac.uk> At 19:05 16/12/2003, you wrote: >Julian Field wrote: >>At 13:49 11/12/2003, you wrote: >> >>>>>For docs on MCP, see >>>>>www.sng.ecs.soton.ac.uk/mailscanner/install/mcp >>>> >>>>I will have a look at this - Julian, have you got patches for SA 2.61 >>>>yet? (The page says to ask for patches for new versions of SA!! ;-) >> >>They are there now. > >Ta > >>>>(Also, btw, there are still some references to TCP rather than MCP in >>>>that page.) >> >>Fixed. > >Apart from the HTML Page title!! ;-) > >Had a bit of a play with this but got a bit stuck. Changed some of the >conf entries on the web page which looked promising. Thought changing >MCP Checks from no to yes would be a good start! ;-) Bit puzzled though >now about what MS does if something fails the MCP tests. Tried > >MCP Actions = store >High Scoring MCP Actions = store > >but that seemed to hit the bit-bucket? Tried using deliver instead and >that got through with the extra headers so it's working. With deliver, >the log noted that it was to be delivered, but with store - nothing in >the log. Looks like the MCP quarantining doesn't work. I need to spend a few hours on the MCP code applying any/all of the changes I have made to the SA and Message code. 
Watch this space... >Wasn't sure what the Is Definitely stuff and the Report things were >about though...? I guess the defaults in your examples follow the usual >protocol of playing safe and not activating things without the user >wanting them. Trouble is I want to and haven't worked out how yet!!! > >Sorry if I'm being thick! You're not being thick. I never got as far as writing any MCP docs at all, I wanted to get it working first, but haven't touched it in quite a while. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From michele at BLACKNIGHTSOLUTIONS.COM Wed Dec 17 10:40:08 2003 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:21:35 2006 Subject: OT: Virus request Message-ID: Hi all I was wondering if any of you could possibly send me some of your 'nasties' to info@irishfreelance.com - the domain is registered to me etc etc., we just need to stress test a new server. Does anybody know where we can get our hands on the zip file test? Michele Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland From m.sapsed at BANGOR.AC.UK Wed Dec 17 11:06:58 2003 
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:21:35 2006 Subject: MCP (Was: Re: Internet Explorer URL Display problem) References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> <6.0.1.1.2.20031210202408.027e59f8@imap.ecs.soton.ac.uk> <1587.24.83.44.30.1071089543.squirrel@www.fractalweb.com> <6.0.1.1.2.20031210211659.027caaf0@imap.ecs.soton.ac.uk> <3FD86790.3050407@bangor.ac.uk> <6.0.1.1.2.20031211134806.083f6ec0@imap.ecs.soton.ac.uk> <6.0.1.1.2.20031211140338.08c99568@imap.ecs.soton.ac.uk> <3FDF5774.1090705@bangor.ac.uk> <6.0.1.1.2.20031217082623.028b4710@imap.ecs.soton.ac.uk> Message-ID: <3FE038D2.3060702@bangor.ac.uk> Julian Field wrote: > At 19:05 16/12/2003, you wrote: > Looks like the MCP quarantining doesn't work. I need to spend a few hours > on the MCP code applying any/all of the changes I have made to the SA and > Message code. > Watch this space... Caught one message overnight using MCP but caught 2 others because of mcpsatimedout... >> Sorry if I'm being thick! > > You're not being thick. I never got as far as writing any MCP docs at all, > I wanted to get it working first, but haven't touched it in quite a while. Phew! Let me know when there's something more to play with... In the meantime I presume I can just turn it off again with MCP Checks = no ? Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From mailscanner at ecs.soton.ac.uk Wed Dec 17 11:50:21 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:35 2006 Subject: MCP (Was: Re: Internet Explorer URL Display problem) In-Reply-To: <3FE038D2.3060702@bangor.ac.uk> References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> <6.0.1.1.2.20031210202408.027e59f8@imap.ecs.soton.ac.uk> <1587.24.83.44.30.1071089543.squirrel@www.fractalweb.com> <6.0.1.1.2.20031210211659.027caaf0@imap.ecs.soton.ac.uk> <3FD86790.3050407@bangor.ac.uk> <6.0.1.1.2.20031211134806.083f6ec0@imap.ecs.soton.ac.uk> <6.0.1.1.2.20031211140338.08c99568@imap.ecs.soton.ac.uk> <3FDF5774.1090705@bangor.ac.uk> <6.0.1.1.2.20031217082623.028b4710@imap.ecs.soton.ac.uk> <3FE038D2.3060702@bangor.ac.uk> Message-ID: <6.0.1.1.2.20031217115014.03d678c0@imap.ecs.soton.ac.uk> At 11:06 17/12/2003, you wrote: >Julian Field wrote: >>At 19:05 16/12/2003, you wrote: >>Looks like the MCP quarantining doesn't work. I need to spend a few hours >>on the MCP code applying any/all of the changes I have made to the SA and >>Message code. >>Watch this space... > >Caught one message overnight using MCP but caught 2 others because of >mcpsatimedout... > >>>Sorry if I'm being thick! >> >>You're not being thick. I never got as far as writing any MCP docs at all, >>I wanted to get it working first, but haven't touched it in quite a while. > >Phew! Let me know when there's something more to play with... > >In the meantime I presume I can just turn it off again with >MCP Checks = no Correct. >? > >Cheers, > >Martin > >-- >Martin Sapsed >Information Services "Who do you say I am?" >University of Wales, Bangor Jesus of Nazareth -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From newslists at pessimists.net Wed Dec 17 12:34:51 2003 
From: newslists at pessimists.net (Andy Sutton) Date: Thu Jan 12 21:21:35 2006 Subject: OT: Virus request In-Reply-To: References: Message-ID: <1071664491.3992.0.camel@andy.pessimists.net> http://www.eicar.org/ has the test files. -Andy On Wed, 2003-12-17 at 05:40, Michele Neylon :: Blacknight Solutions wrote: > Hi all > > I was wondering if any of you could possibly send me some of your 'nasties' > to info@irishfreelance.com - the domain is registered to me etc etc., we > just need to stress test a new server. > > Does anybody know where we can get our hands on the zip file test? > > Michele > > Mr. Michele Neylon > Blacknight Internet Solutions Ltd > http://www.blacknightsolutions.ie/ > http://www.search.ie/ > Tel. + 353 (0)59 9137101 > Lowest price domains in Ireland Andy "I figure if I survive this thing... I can just about do anything I want. If I don't survive, I don't have to pay taxes anymore. So it's a win-win situation." Brian Walker, Project RUSH - X Prize Competitor From mailscanner at ecs.soton.ac.uk Wed Dec 17 15:19:12 2003 From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk) Date: Thu Jan 12 21:21:35 2006 Subject: NOTIFY-New Guestbook Entry Message-ID: <200312171519.hBHFJCSp012967@seer.ecs.soton.ac.uk> New Guestbook-Entry from Net Medix This is a well thought solution to a huge problem. Excellent product. The world needs solutions like this. From mailscanner at ecs.soton.ac.uk Wed Dec 17 17:18:08 2003 From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk) Date: Thu Jan 12 21:21:35 2006 Subject: NOTIFY-New Guestbook Entry Message-ID: <200312171718.hBHHI8KT009536@seer.ecs.soton.ac.uk> New Guestbook-Entry from Brad Alpert Am using your product here at a public utility in eastern Kansas, USA. 500-seat,
Windows 2000 environment, Exchange 5.5 is the mail server.

I configured a RedHat 9 server with sendmail, spamassassin, and MailScanner
and it sits in front of the Exchange machine, which is on a private IP. The
linux machine handles inbound, scanning, forwarding, accepting back for
outbound from Exchange, and sending outbound.

As a bonus, we're running ClamAV on it, too.

Works great! I used this solution to replace a W2k product called "Surf
Control" and have enjoyed a much better hit rate on spam.

From JEN at AH.DK Wed Dec 17 17:42:59 2003 From: JEN at AH.DK (Jan Elmqvist Nielsen) Date: Thu Jan 12 21:21:35 2006 Subject: MailScanner restarting - mail stuck in mqueue.in Message-ID: Hi Al mail are stuck in mqueue.in an MailScanner is restarting al the time >From maillog Dec 17 18:34:54 ms MailScanner[762]: MailScanner E-Mail Virus Scanner version 4.22-5 starting... Dec 17 18:34:54 ms MailScanner[762]: Config: calling custom init function MailWatchLogging Dec 17 18:34:54 ms MailScanner[762]: Initialising database connection Dec 17 18:34:54 ms MailScanner[762]: Finished initialising database connection Dec 17 18:34:59 ms sendmail[765]: hBHHYx400765: from=, size=36821, class=0, nrcpts=1, msgid=<200312171734.hBHHYx400765@ms.ah.dk>, bodytype=8BITMIME, proto=SMTP, daemon=MTA, relay=qmailr@ip075.noname4us.com [193.12.248.75] (may be forged) Dec 17 18:34:59 ms sendmail[765]: hBHHYx400765: to=, delay=00:00:00, mailer=esmtp, pri=66821, stat=queued Dec 17 18:35:05 ms MailScanner[774]: MailScanner E-Mail Virus Scanner version 4.22-5 starting... Dec 17 18:35:10 ms MailScanner[774]: Config: calling custom init function MailWatchLogging Dec 17 18:35:10 ms MailScanner[774]: Initialising database connection Dec 17 18:35:11 ms MailScanner[774]: Finished initialising database connection Dec 17 18:35:14 ms MailScanner[776]: MailScanner E-Mail Virus Scanner version 4.22-5 starting... Dec 17 18:35:14 ms MailScanner[776]: Config: calling custom init function MailWatchLogging Dec 17 18:35:14 ms MailScanner[776]: Initialising database connection Dec 17 18:35:14 ms MailScanner[776]: Finished initialising database connection Dec 17 18:35:24 ms MailScanner[779]: MailScanner E-Mail Virus Scanner version 4.22-5 starting... 
Dec 17 18:35:24 ms MailScanner[779]: Config: calling custom init function MailWatchLogging Dec 17 18:35:24 ms MailScanner[779]: Initialising database connection Dec 17 18:35:24 ms MailScanner[779]: Finished initialising database connection I have try: Disable mysql logging From mailscanner at ecs.soton.ac.uk Wed Dec 17 17:52:57 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:35 2006 Subject: MailScanner restarting - mail stuck in mqueue.in In-Reply-To: References: Message-ID: <6.0.1.1.2.20031217175143.03a77380@imap.ecs.soton.ac.uk> At 17:42 17/12/2003, you wrote: >Hi > >Al mail are stuck in mqueue.in an MailScanner is restarting al the >time > >I have try: >Disable mysql logging > From batch to queue > >Mails are coming in but are not scanned by MailScanner and Spamassassin >(2.55) Set Debug = yes in MailScanner.conf, then kill all the MailScanner processes. Then run check_mailscanner and see if it outputs any error messages. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From JEN at AH.DK Wed Dec 17 18:07:56 2003 From: JEN at AH.DK (Jan Elmqvist Nielsen) Date: Thu Jan 12 21:21:35 2006 Subject: Svar: MailScanner restarting - mail stuck in mqueue.in Message-ID: Hi Juilan debug=yes Starting MailScanner daemons: incoming sendmail: [ OK ] outgoing sendmail: [ OK ] MailScanner: In Debugging mode, not forking... /usr/sbin/check_MailScanner: line 113: 2477 File size limit exceeded$process $config [ OK ] ?? which file size limit? >>> JEN@AH.DK 17-12-2003 18:42:59 >>> Hi Al mail are stuck in mqueue.in an MailScanner is restarting al the time >From maillog Dec 17 18:34:54 ms MailScanner[762]: MailScanner E-Mail Virus Scanner version 4.22-5 starting... 
Dec 17 18:34:54 ms MailScanner[762]: Config: calling custom init function MailWatchLogging Dec 17 18:34:54 ms MailScanner[762]: Initialising database connection Dec 17 18:34:54 ms MailScanner[762]: Finished initialising database connection Dec 17 18:34:59 ms sendmail[765]: hBHHYx400765: from=, size=36821, class=0, nrcpts=1, msgid=<200312171734.hBHHYx400765@ms.ah.dk>, bodytype=8BITMIME, proto=SMTP, daemon=MTA, relay=qmailr@ip075.noname4us.com [193.12.248.75] (may be forged) Dec 17 18:34:59 ms sendmail[765]: hBHHYx400765: to=, delay=00:00:00, mailer=esmtp, pri=66821, stat=queued Dec 17 18:35:05 ms MailScanner[774]: MailScanner E-Mail Virus Scanner version 4.22-5 starting... Dec 17 18:35:10 ms MailScanner[774]: Config: calling custom init function MailWatchLogging Dec 17 18:35:10 ms MailScanner[774]: Initialising database connection Dec 17 18:35:11 ms MailScanner[774]: Finished initialising database connection Dec 17 18:35:14 ms MailScanner[776]: MailScanner E-Mail Virus Scanner version 4.22-5 starting... Dec 17 18:35:14 ms MailScanner[776]: Config: calling custom init function MailWatchLogging Dec 17 18:35:14 ms MailScanner[776]: Initialising database connection Dec 17 18:35:14 ms MailScanner[776]: Finished initialising database connection Dec 17 18:35:24 ms MailScanner[779]: MailScanner E-Mail Virus Scanner version 4.22-5 starting... Dec 17 18:35:24 ms MailScanner[779]: Config: calling custom init function MailWatchLogging Dec 17 18:35:24 ms MailScanner[779]: Initialising database connection Dec 17 18:35:24 ms MailScanner[779]: Finished initialising database connection I have try: Disable mysql logging From JEN at AH.DK Wed Dec 17 19:38:33 2003 From: JEN at AH.DK (Jan Elmqvist Nielsen) Date: Thu Jan 12 21:21:35 2006 Subject: Svar: MailScanner restarting - mail stuck in mqueue.in Message-ID: It's seem to be a Spamassassin problem! If I disable Spamassassin i MailScanner.conf, MailScanner is starting fine! Any ideas? 
/Jan Elmqvist Nielsen >>> JEN@ah.dk 17-12-2003 19:07:56 >>> Hi Juilan debug=yes Starting MailScanner daemons: incoming sendmail: [ OK ] outgoing sendmail: [ OK ] MailScanner: In Debugging mode, not forking... /usr/sbin/check_MailScanner: line 113: 2477 File size limit exceeded$process $config [ OK ] ?? which file size limit? >>> JEN@AH.DK 17-12-2003 18:42:59 >>> Hi Al mail are stuck in mqueue.in an MailScanner is restarting al the time >From maillog Dec 17 18:34:54 ms MailScanner[762]: MailScanner E-Mail Virus Scanner version 4.22-5 starting... Dec 17 18:34:54 ms MailScanner[762]: Config: calling custom init function MailWatchLogging Dec 17 18:34:54 ms MailScanner[762]: Initialising database connection Dec 17 18:34:54 ms MailScanner[762]: Finished initialising database connection Dec 17 18:34:59 ms sendmail[765]: hBHHYx400765: from=, size=36821, class=0, nrcpts=1, msgid=<200312171734.hBHHYx400765@ms.ah.dk>, bodytype=8BITMIME, proto=SMTP, daemon=MTA, relay=qmailr@ip075.noname4us.com [193.12.248.75] (may be forged) Dec 17 18:34:59 ms sendmail[765]: hBHHYx400765: to=, delay=00:00:00, mailer=esmtp, pri=66821, stat=queued Dec 17 18:35:05 ms MailScanner[774]: MailScanner E-Mail Virus Scanner version 4.22-5 starting... Dec 17 18:35:10 ms MailScanner[774]: Config: calling custom init function MailWatchLogging Dec 17 18:35:10 ms MailScanner[774]: Initialising database connection Dec 17 18:35:11 ms MailScanner[774]: Finished initialising database connection Dec 17 18:35:14 ms MailScanner[776]: MailScanner E-Mail Virus Scanner version 4.22-5 starting... Dec 17 18:35:14 ms MailScanner[776]: Config: calling custom init function MailWatchLogging Dec 17 18:35:14 ms MailScanner[776]: Initialising database connection Dec 17 18:35:14 ms MailScanner[776]: Finished initialising database connection Dec 17 18:35:24 ms MailScanner[779]: MailScanner E-Mail Virus Scanner version 4.22-5 starting... 
Dec 17 18:35:24 ms MailScanner[779]: Config: calling custom init function MailWatchLogging Dec 17 18:35:24 ms MailScanner[779]: Initialising database connection Dec 17 18:35:24 ms MailScanner[779]: Finished initialising database connection I have try: Disable mysql logging From kevins at BMRB.CO.UK Wed Dec 17 20:08:22 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:21:35 2006 Subject: Svar: MailScanner restarting - mail stuck in mqueue.in In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB00188B984@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB00188B984@pascal.priv.bmrb.co.uk> Message-ID: <1071691706.14144.1.camel@bach.kevinspicer.co.uk> On Wed, 2003-12-17 at 19:38, Jan Elmqvist Nielsen wrote: >It's seem to be a Spamassassin problem! >If I disable Spamassassin i MailScanner.conf, MailScanner is starting >fine! >Any ideas? Have you checked the size of bayes databases, auto-whitelist files (if you use it) etc... From sysadmins at ENHTECH.COM Wed Dec 17 20:14:22 2003 From: sysadmins at ENHTECH.COM (Errol Neal) Date: Thu Jan 12 21:21:35 2006 Subject: Svar: MailScanner restarting - mail stuck in mqueue.in In-Reply-To: References: Message-ID: <6.0.0.22.0.20031217151324.02ddf568@mail.enhtech.com> At 02:38 PM 12/17/2003, you wrote: >It's seem to be a Spamassassin problem! >If I disable Spamassassin i MailScanner.conf, MailScanner is starting >fine! > >Any ideas? > >/Jan Elmqvist Nielsen > > > >>> JEN@ah.dk 17-12-2003 19:07:56 >>> >Hi Juilan > >debug=yes > >Starting MailScanner daemons: > incoming sendmail: [ OK ] > outgoing sendmail: [ OK ] > MailScanner: In Debugging mode, not forking... >/usr/sbin/check_MailScanner: line 113: 2477 File size limit >exceeded$process $config > [ OK ] Please post your MailScanner.conf file. 
Errol Neal From raymond at PROLOCATION.NET Wed Dec 17 20:26:09 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:35 2006 Subject: Svar: MailScanner restarting - mail stuck in mqueue.in In-Reply-To: Message-ID: Hi! > It's seem to be a Spamassassin problem! > If I disable Spamassassin i MailScanner.conf, MailScanner is starting > fine! > outgoing sendmail: [ OK ] > MailScanner: In Debugging mode, not forking... > /usr/sbin/check_MailScanner: line 113: 2477 File size limit > exceeded$process $config Are your bayes files the problem? Bye, Raymond. From JEN at AH.DK Wed Dec 17 20:28:00 2003 From: JEN at AH.DK (Jan Elmqvist Nielsen) Date: Thu Jan 12 21:21:35 2006 Subject: Svar: MailScanner restarting - mail stuck in mqueue.in Message-ID: It is working now??? I made a rebuild af sendmail, becouse I got a lot of sendmail socket errors. Then a rebuild of the bayes database When MailScanner seems to be working fine (with a mailscanner.conf from another server) I try with the orig. conf file. And it's working - don't ask why! /Jan Elmqvist Nielsen >>> sysadmins@ENHTECH.COM 17-12-2003 21:14:22 >>> At 02:38 PM 12/17/2003, you wrote: >It's seem to be a Spamassassin problem! >If I disable Spamassassin i MailScanner.conf, MailScanner is starting >fine! > >Any ideas? > >/Jan Elmqvist Nielsen > > > >>> JEN@ah.dk 17-12-2003 19:07:56 >>> >Hi Juilan > >debug=yes > >Starting MailScanner daemons: > incoming sendmail: [ OK ] > outgoing sendmail: [ OK ] > MailScanner: In Debugging mode, not forking... >/usr/sbin/check_MailScanner: line 113: 2477 File size limit >exceeded$process $config > [ OK ] Please post your MailScanner.conf file. Errol Neal From raymond at PROLOCATION.NET Wed Dec 17 20:29:06 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:35 2006 Subject: Svar: MailScanner restarting - mail stuck in mqueue.in In-Reply-To: Message-ID: Hi! > I made a rebuild af sendmail, becouse I got a lot of sendmail socket > errors. 
Then a rebuild of the bayes database > > When MailScanner seems to be working fine (with a mailscanner.conf from > another server) I try with the orig. conf file. > And it's working - don't ask why! I assume it was your bayes stuff, not the first time that causes trouble :) What version SA are you running ? Bye, Raymond. From JEN at AH.DK Wed Dec 17 20:39:31 2003 From: JEN at AH.DK (Jan Elmqvist Nielsen) Date: Thu Jan 12 21:21:35 2006 Subject: Svar: MailScanner restarting - mail stuck in mqueue.in Message-ID: sa 2.55 >>> raymond@PROLOCATION.NET 17-12-2003 21:29:06 >>> Hi! > I made a rebuild af sendmail, becouse I got a lot of sendmail socket > errors. Then a rebuild of the bayes database > > When MailScanner seems to be working fine (with a mailscanner.conf from > another server) I try with the orig. conf file. > And it's working - don't ask why! I assume it was your bayes stuff, not the first time that causes trouble :) What version SA are you running ? Bye, Raymond. From raymond at PROLOCATION.NET Wed Dec 17 20:40:06 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:35 2006 Subject: Svar: MailScanner restarting - mail stuck in mqueue.in In-Reply-To: Message-ID: Hi! > sa 2.55 > I assume it was your bayes stuff, not the first time that causes > trouble :) What version SA are you running ? You might want to upgrade, 2.6x is more reliable with the bayes updates. Bye, Raymond. From gdoris at rogers.com Wed Dec 17 21:02:00 2003 From: gdoris at rogers.com (Gerry Doris) Date: Thu Jan 12 21:21:35 2006 Subject: OT: Virus request In-Reply-To: References: Message-ID: <49416.129.80.22.133.1071694920.squirrel@tiger.dorfam.ca> > Hi all > > I was wondering if any of you could possibly send me some of your > 'nasties' > to info@irishfreelance.com - the domain is registered to me etc etc., we > just need to stress test a new server. Oh, sure...that domain probably belongs to the guy that cut you off on the way to work this morning . 
Gerry From dpowell at LSSI.NET Wed Dec 17 21:05:56 2003 From: dpowell at LSSI.NET (Darrin) Date: Thu Jan 12 21:21:35 2006 Subject: spam_bayes score not showing up for some email? Message-ID: <1071695155.1283.325.camel@powell> I have spam_bayes setup with mailscanner version 4.24-5 spam_bayes seemed to be working fine, until today. I am receiving spam without a spam_bayes listed? LSSI-SpamCheck: not spam, SpamAssassin (score=0.1, required 6, HTML_MESSAGE 0.10) Has anyone seen this? Thanks -- Darrin Powell LSSi Corp (919) 466-6803 www.lssi.net/~dpowell From mkettler at EVI-INC.COM Wed Dec 17 21:39:54 2003 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:21:35 2006 Subject: spam_bayes score not showing up for some email? In-Reply-To: <1071695155.1283.325.camel@powell> References: <1071695155.1283.325.camel@powell> Message-ID: <6.0.0.22.0.20031217163817.024e2300@xanadu.evi-inc.com> At 04:05 PM 12/17/2003, Darrin wrote: >spam_bayes seemed to be working fine, until today. I am receiving spam >without a spam_bayes listed? > > >LSSI-SpamCheck: not spam, SpamAssassin (score=0.1, required 6, >HTML_MESSAGE 0.10) > > >Has anyone seen this? Yes, it's normal. SpamAssassin reports no bayes at all when there are 0 token matches. (whereas it will report BAYES_50 if there's an even number of spam/nonspam matches). Older versions of SA (2.5x) will report no bayes match for either of the above cases, and won't report BAYES_50. From chrisk at OS-IT.NET Wed Dec 17 21:33:15 2003 From: chrisk at OS-IT.NET (Chris Kissinger) Date: Thu Jan 12 21:21:35 2006 Subject: spam_bayes score not showing up for some email? In-Reply-To: <1071695155.1283.325.camel@powell> Message-ID: Try a spamassassin -D --lint and see what it says about bayes. 
Chris -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Darrin Sent: Wednesday, December 17, 2003 1:06 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: spam_bayes score not showing up for some email? I have spam_bayes setup with mailscanner version 4.24-5 spam_bayes seemed to be working fine, until today. I am receiving spam without a spam_bayes listed? LSSI-SpamCheck: not spam, SpamAssassin (score=0.1, required 6, HTML_MESSAGE 0.10) Has anyone seen this? Thanks -- Darrin Powell LSSi Corp (919) 466-6803 www.lssi.net/~dpowell From res at AUSICS.NET Wed Dec 17 21:53:22 2003 From: res at AUSICS.NET (Res) Date: Thu Jan 12 21:21:35 2006 Subject: [OT] RDNS (TO: Res - ausics.net) In-Reply-To: <3FDF151A.3080604@nucci.com.br> References: <6.0.0.22.0.20031203194846.01fcbd50@xanadu.evi-inc.com> <6.0.0.22.0.20031203205539.02ab9a18@xanadu.evi-inc.com> <3FD0B0B9.4000908@nucci.com.br> <3FDF151A.3080604@nucci.com.br> Message-ID: Ivan, On Tue, 16 Dec 2003, Ivan Mirisola wrote: > you e-mail because I think my SMTP has been blocked in yours. I asked to > my ISP to fix the RDNS problem and now I do have a PTR record for my IP. > Anyway - Could you check that my DNS configuration is correct and remove > the blocking of my IP in your systems? Looks good :) > Also, I like to know if anyone knows a free DNSBL list for dynamic IPs > that I can use in sendmail. Most of them are payed services and the FEATURE(`dnsbl',`dynablock.njabl.org')dnl They have taken over the easynet ones, easynet were excellent as an RBL so if these guys maintain it like they did, it should help. Note, if you use dnsbl.njabl.org it doesnt look at the above zone, thats gota be added in as extra I understand. Res From peter at UCGBOOK.COM Wed Dec 17 22:48:13 2003 From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:21:35 2006 Subject: Filetypes not working in 4.25-14? 
Message-ID: <3FE0DD2D.5030202@ucgbook.com> I just did a major upgrade from the below: MailScanner 4.23-11, SpamAssassin 2.60 + DCC 1.2.9, ClamAV 20030829 to the following: MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP I did the MailScanner part last and all the previous stuff worked separately and with 4.23-11 when I upgraded them one after another. Then I prepped all the configs, reports and rules for 4.25-14 and switched over. All of a sudden I don't get logs for denied filetypes any more. I have the same configs regarding that: Filetype Rules = %etc-dir%/filetype.rules.conf Log Permitted Filetypes = no File Command = /usr/bin/file File Timeout = 20 Filetype Rules = %etc-dir%/filetype.rules.conf Up until I switched MS version I got double logs, one from filename and one from filetype and after the switch I only get the one from denied filenames. The above rules file is the same as the old one. Any ideas? /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP From sysadmins at ENHTECH.COM Wed Dec 17 22:51:12 2003 From: sysadmins at ENHTECH.COM (Errol Neal) Date: Thu Jan 12 21:21:35 2006 Subject: OT: Suggestions on IMAP daemon and Webmail server In-Reply-To: <200312170806.hBH86SUK025754@sol.saharajhb.lan> References: <200312170806.hBH86SUK025754@sol.saharajhb.lan> Message-ID: <6.0.0.22.0.20031217174738.02df00d0@mail.enhtech.com> At 03:06 AM 12/17/2003, you wrote: >Hi All > >I am currently looking at implementing IMAP and a Webmail facility on a >server running Sendmail / MailScanner / SpamAssassin > >I would require the facility for storage of folders and subfolders within >the IMAP store as well as the Webmail server to connect to this IMAP store. > >Any suggestions from people that have implemented this already? I am busy >installing Courier IMAP and Squirrelmail at the moment to test. 
I've used IMP/HORDE and cyrus for a number of years now. Has always worked well. Very customizable and easy to deploy and configure. In addition, it has a lot of modules built off of the horde framework that provide a number of features such as address book, calendar, etc. The CVS version even allows one to administrate mail functions such as adding and removing users, managing quotas and etc.

http://www.horde.org

Errol Neal

Errol U. Neal Jr., Systems Administrator
Enhanced Technologies, Inc. - The Business Grade Hosting Specialists
http://www.enhtech.com
703-924-0301 or 800-368-3249
703-997-0839 Fax

From sysadmins at ENHTECH.COM Thu Dec 18 00:22:44 2003
From: sysadmins at ENHTECH.COM (Errol Neal)
Date: Thu Jan 12 21:21:35 2006
Subject: Rejecting Mail at RCPT
Message-ID: <6.0.0.22.0.20031217191920.02de9560@mail.enhtech.com>

Does anybody know of a way to get Sendmail to check with a remote SMTP server to see if a user is valid at the RCPT TO:? At my site, a good portion of the spam we get is to invalid users. If I can get Sendmail to check with the Remote SMTP server before it queues it, that would reduce the amount of spam on my site by at least 30%!

Thanks in advance.

Errol Neal

Errol U. Neal Jr., Systems Administrator
Enhanced Technologies, Inc. - The Business Grade Hosting Specialists
http://www.enhtech.com
703-924-0301 or 800-368-3249
703-997-0839 Fax

From raymond at PROLOCATION.NET Thu Dec 18 00:46:30 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:35 2006
Subject: Rejecting Mail at RCPT
In-Reply-To: <6.0.0.22.0.20031217191920.02de9560@mail.enhtech.com>
Message-ID:

Hi!

> Does anybody know of a way to get Sendmail to check with a remote SMTP
> server to see if a user is valid at the RCPT TO:?
> At my site, a good portion of the spam we get is to invalid users. If I can
> get Sendmail to check with the Remote SMTP server
> before it queues it, that would reduce the amount of spam on my site by at
> least 30%!
Put your users in LDAP and check with LDAP on your frontend servers. Bye, Raymond From pages at ntin.net Thu Dec 18 02:24:39 2003 From: pages at ntin.net (Nortex PageGuys) Date: Thu Jan 12 21:21:35 2006 Subject: Bayes scoring working wrong Message-ID: <1595140687.20031217202439@ntin.net> Hello , > Return-Path: > Received: by mailadmin.nortex.net (CommuniGate Pro PIPE 4.1.5) > with PIPE id 32188222; Wed, 17 Dec 2003 19:41:13 -0600 > Received: from [12.158.34.221] (HELO psmtp.com) > by mailadmin.nortex.net (CommuniGate Pro SMTP 4.1.5) > with SMTP id 32188182 for **REMOVED FOR SECURITY**; Wed, 17 Dec 2003 19:41:00 -0600 > Received: from source ([218.235.30.213]) by exprod5mx69.postini.com ([12.158.34.245]) with SMTP; > Wed, 17 Dec 2003 17:40:57 PST > Received: from [218.235.30.213] by rx357.comIP with HTTP; > Thu, 18 Dec 2003 05:36:45 +0500 > From: "Riddle Eric" > To: **REMOVED FOR SECURITY** > Subject: Re: %RND_UC_CHAR[2-8], the promised kurolesov > Mime-Version: 1.0 > X-Mailer: mPOP Web-Mail 2.19 > X-Originating-IP: [rx357.comIP] > Date: Wed, 17 Dec 2003 23:40:45 -0100 > Reply-To: "Riddle Eric" > Content-Type: multipart/alternative; > boundary="--ALT--ETNX79061549236218" > Message-Id: > X-NTIN-MailScanner-Information: Please contact support@ntin.net for more information > X-NTIN-MailScanner: Found to be clean > X-NTIN-MailScanner-SpamCheck: not spam, SpamAssassin (score=-0.399, > required 5, BAYES_00 -4.90, DNS_FROM_RFCI_DSN 0.29, > HTML_MESSAGE 0.10, RCVD_IN_BL_SPAMCOP_NET 1.50, RCVD_IN_DSBL 0.71, > RCVD_IN_NJABL 0.10, RCVD_IN_NJABL_PROXY 0.50, RCVD_IN_SORBS 0.10, > RCVD_IN_SORBS_MISC 1.20) > > Banned CD Government don't want me to sell it. 
See Now % > > membrane prostrate drive identity gyroscope teleconference hideout appetite beirut gravestone ellipsometer breakaway reluctant suffice angling dynastic caricature culver mathematic > thrice whirlwind aspirate conversation beverage swanlike exempt montmartre balboa bowmen > earnest barbara identical e tetravalent depreciable chateau abbreviate mcfadden rena alberto dispensate honda playback cecropia exception haitian pinxter bittersweet dairyman dewitt > isaacson candlestick formic neff conferring duncan > aircraft coextensive willis nazism desk gastrointestinal straddle gab conner scoop malaise satyr ammonia ndjamena annoyance > laramie laughter tint inseminate disaccharide massey apostrophe advent prep levulose owl adamant asterisk eloise solemn dichotomy amperage thorstein afoot plasm triennial > consternate aerogene carbon > apropos prestidigitate reversion mound social cotman carmichael largesse quintet barb caper lime crosswort prolongate transistor monrovia talisman ganges angstrom canvasback > crosshatch barbudo auburn disquisition comeback > peat psaltery keel petition cayenne take validate prima avery releasable carboy horrendous oblivious simpleminded another best britten bell abdominal rostrum rapt > luftwaffe gosh buck rigel technic waterbury arthur coruscate admonish notate physician rightward accreditation chautauqua usage ionic bias simplectic sticky > omnibus whiz implicate illustrious bunkmate laplacian like fortify swarthout arcade flexible pigpen workpiece inbreed ow doll negroes carbide charlotte dicotyledon cyrus lewis > rumania differential flinty elliott brethren blew chef tacit exasperater splash prune > backyard despondent escort byzantium storeroom corpsman dahlia aquarium betide jimmy brett domenico trackage automorphism descent inherent > doctorate passband beriberi gondola involute strong peccary oatmeal slimy aboriginal > splat rubicund evaluate finland cholesterol duration appendices isolate rye unify wildfire vermont 
birch angry nitty muskoxen > > > I have fed the Bayes engine in SpamAssassin lots of spam and ham emails over the past 8 months, and this the result of all my work, its reversing valid spam as not spam. Any suggestions on what I can do to improve spamassassins scoring on this? -- Best regards, Nortex mailto:pages@ntin.net From james at grayonline.id.au Thu Dec 18 02:49:30 2003 From: james at grayonline.id.au (James Gray) Date: Thu Jan 12 21:21:35 2006 Subject: Bayes scoring working wrong In-Reply-To: <1595140687.20031217202439@ntin.net> References: <1595140687.20031217202439@ntin.net> Message-ID: <200312181349.30492.james@grayonline.id.au> On Thu, 18 Dec 2003 01:24 pm, Nortex PageGuys wrote: > Hello , > > > Return-Path: > > Received: by mailadmin.nortex.net (CommuniGate Pro PIPE 4.1.5) > > with PIPE id 32188222; Wed, 17 Dec 2003 19:41:13 -0600 > > Received: from [12.158.34.221] (HELO psmtp.com) > > by mailadmin.nortex.net (CommuniGate Pro SMTP 4.1.5) > > with SMTP id 32188182 for **REMOVED FOR SECURITY**; Wed, 17 Dec 2003 > > 19:41:00 -0600 Received: from source ([218.235.30.213]) by > > exprod5mx69.postini.com ([12.158.34.245]) with SMTP; Wed, 17 Dec 2003 > > 17:40:57 PST > > Received: from [218.235.30.213] by rx357.comIP with HTTP; > > Thu, 18 Dec 2003 05:36:45 +0500 > > From: "Riddle Eric" > > To: **REMOVED FOR SECURITY** > > Subject: Re: %RND_UC_CHAR[2-8], the promised kurolesov **snipped** > I have fed the Bayes engine in SpamAssassin lots of spam and ham > emails over the past 8 months, and this the result of all my work, its > reversing valid spam as not spam. > > Any suggestions on what I can do to improve spamassassins scoring on > this? 
> Best regards,
> Nortex mailto:pages@ntin.net

Not a lot we can do about Bayes poisoning :( except create a couple of customised rules:

header FROM_SPAMMER01 From =~ /\@.*hongkong\.com/i
describe FROM_SPAMMER01 Known spam source 'hongkong.com'
score FROM_SPAMMER01 3.5

body BODY_BAN_CD /Banned CD/i
describe BODY_BAN_CD Mentions 'banned CD'
score BODY_BAN_CD 2.0

Now unless my math is out: 3.5 + 2.0 - 0.399 = 5.101

Bingo :) Of course you'll need to keep creating rules for each forged address :-/ Not exactly ideal but it works. Plus with perl's powerful regex, you'll find after a while that most spammers are creatures of habit and you can create some pretty powerful filters based on common themes, like domains that only have numbers (eg, 12345.biz in perl would be /[0-9]{5}\.biz/i etc) or common obfuscating patterns (eg, /([a-zA-Z](?:\_|\ |-|\.)){3,}/i would catch any sequence of 3 or more letters separated by either "_", " ", "-" or ".")

As I said in a post recently our mail filter at work has a combined false +ve/-ve rate of less than 0.01%. We also have two guys (myself and the other Unix guy) managing the filters. We currently have created 1523 custom rules to tailor the filters to our specific needs. This number will only ever increase :( However, if you're interested, I'm happy to share them (in a modified form - without all our internal business-specific stuff. There are too many internal addresses/lists to just "put them up on an ftp somewhere"). Contact me off-list if anyone is interested :)

--James
__________________________________
A random quote of nothing:

BOFH excuse #295:

The Token fell out of the ring. Call us when you find it.
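An added example, not part of the original post: a small Python evaluator that loads the two rules from the message above, applies them to a constructed message and reproduces the 5.101 total against the "required 5" threshold from the quoted header. The sender address, the helper names and the rule names NUMERIC_BIZ and OBFUSCATED are assumptions; the last check shows that the obfuscation pattern also matches ordinary text such as "U.S.A.", which is a reason to give such a rule a modest score.

```python
import re
from email import message_from_string

# The two rules as posted in the message above (SpamAssassin rule syntax).
RULES_TEXT = r"""
header   FROM_SPAMMER01  From =~ /\@.*hongkong\.com/i
describe FROM_SPAMMER01  Known spam source 'hongkong.com'
score    FROM_SPAMMER01  3.5
body     BODY_BAN_CD     /Banned CD/i
describe BODY_BAN_CD     Mentions 'banned CD'
score    BODY_BAN_CD     2.0
"""

# Constructed sample: the thread removed the real addresses, so the sender
# below is an assumption chosen to exercise the From rule.
SAMPLE = """\
From: "Riddle Eric" <sender@hongkong.com>
Subject: Re: the promised kurolesov
Content-Type: text/plain

Banned CD Government don't want me to sell it.
membrane prostrate drive identity gyroscope teleconference
"""

BASELINE = -0.399   # score SpamAssassin reported before the custom rules
REQUIRED = 5.0      # "required 5" in the quoted SpamCheck header


def perl_regex(literal):
    """Compile a Perl-style /pattern/flags literal (only the i flag is handled)."""
    literal = literal.strip()
    end = literal.rindex("/")
    pattern, flags = literal[1:end], literal[end + 1:]
    return re.compile(pattern, re.I if "i" in flags else 0)


def parse_rules(text):
    """Return ({name: (kind, header_field, regex)}, {name: score})."""
    rules, scores = {}, {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        kind, name, rest = parts
        if kind == "header":
            field, literal = rest.split("=~", 1)
            rules[name] = ("header", field.strip(), perl_regex(literal))
        elif kind == "body":
            rules[name] = ("body", None, perl_regex(rest))
        elif kind == "score":
            scores[name] = float(rest)
    return rules, scores


def evaluate(raw_message, rules, scores, baseline=0.0):
    """Return (names of rules that hit, baseline plus their scores)."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    hits = []
    for name, (kind, field, regex) in rules.items():
        target = msg.get(field, "") if kind == "header" else body
        if regex.search(target):
            hits.append(name)
    # A rule with no score line counts 1.0, SpamAssassin's default.
    return hits, baseline + sum(scores.get(n, 1.0) for n in hits)


# The two "common theme" patterns quoted in the message.
NUMERIC_BIZ = perl_regex(r"/[0-9]{5}\.biz/i")
OBFUSCATED = perl_regex(r"/([a-zA-Z](?:\_|\ |-|\.)){3,}/i")

if __name__ == "__main__":
    rules, scores = parse_rules(RULES_TEXT)
    hits, total = evaluate(SAMPLE, rules, scores, BASELINE)
    print(hits, round(total, 3), "spam" if total >= REQUIRED else "not spam")
    for text in ("V-I-A-G-R-A", "shipped from the U.S.A. today",
                 "Meeting moved to Monday"):
        print(repr(text), bool(OBFUSCATED.search(text)))
```
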
From p.vanbrouwershaven at NETWORKING4ALL.COM Thu Dec 18 07:14:04 2003 From: p.vanbrouwershaven at NETWORKING4ALL.COM (Paul van Brouwershaven) Date: Thu Jan 12 21:21:35 2006 Subject: Return-Path: <> Message-ID: <3FE153BC.5020102@networking4all.com> Is there a way to set the Return-Path, in all the bounced messages that MailScanner send the Return-Path is set like this: Return-Path: <> Thanks, Paul From dh at UPTIME.AT Thu Dec 18 07:08:58 2003 From: dh at UPTIME.AT (=?ISO-8859-1?Q?David_H=F6hn?=) Date: Thu Jan 12 21:21:35 2006 Subject: SPF was->(Re: Yahoo Developing Open Source Server Software For Spam-Resista nt E-Mail) In-Reply-To: <20031218064645.GM12080@hoiho.nz.lemon-computing.com> References: <8FFC76593085ED4A80D3601BC41EFCDF037335CE@inex1.herffjones.hj-int> <6.0.1.1.2.20031215173348.03c1c8b0@imap.ecs.soton.ac.uk> <20031218064645.GM12080@hoiho.nz.lemon-computing.com> Message-ID: <3FE1528A.8020303@uptime.at> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Nick Phillips wrote: | On Mon, Dec 15, 2003 at 05:38:48PM +0000, Julian Field wrote: | | |>Your assumption is fine for little ISPs. But what about the Yahoos and AOLs |>of this world? They would have to manage thousands and thousands of domains |>for their customers. They are also using dynamic IP allocation, so they |>would have to allow all their IP addresses to send mail as coming from any |>customer-owned domain name. |> |>So user1 has "friendly.com" and user2 is a spammer. User2 can send mail |>from "friendly.com" and there's not much you can do to stop him. The only |>chance is to change all the DNS records, saying who can send what from |>where, every time a user logs in and logs out. Impossible. |> |>I have yet to see any solution to this problem which |>(a) actually works, even in theory (most are based on broken logic) |>(b) scales to large ISPs | | | | Y'all pop by http://spf.pobox.com and have a look. 
It's kind of similar | to what Yahoo are trying to do, from what I've heard (or more like vice-versa). | Hello. As far as I can see this requires the use of SASL and SMTP AUTH. This is exactly where problems for very large ISP and even small time users start. In my humble opinion, even though I would like to see SMTP AUTH and SASL used more often, that is a cludge for mayn that are working at a huge ISP. First of all because I need to find a way to keep the SASL data synched over possibly 20 or more MailServer and I need to explain to every user how she/he can use SMTP-AUTH. Not to mention that some MUAs (no I am not looking at your MUAs Microso....) only support insecure authentication methods which I would not ever want to recommend to a roaming or even a remote user. While I find the idea interesting I simply think that this is the show-stopper. But them again, I would to be incorrect on this one. - -d - -- nee amata wo mitsukete soshite midoto wasrezu ~ domma mi mumega itakutemo soba mi iru mo ~ zutto...zutto...zutto -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (Darwin) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQE/4VKKPMoaMn4kKR4RA+OQAKCX5inoho+GljQ2XdkBh8cHM6/zpQCdEqFk LDKwOkuRC4Yfliih26uZ4dA= =Zh9R -----END PGP SIGNATURE----- From Kevin.Spicer at BMRB.CO.UK Thu Dec 18 08:50:04 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:21:35 2006 Subject: Rejecting Mail at RCPT Message-ID: <5C0296D26910694BB9A9BBFC577E7AB00164992A@pascal.priv.bmrb.co.uk> Raymond Dijkxhoorn wrote: > Hi! > >> Does anybody know of a way to get Sendmail to check with a remote >> SMTP server to see if a user is valid at the RCPT TO:? >> At my site, a good portion of the spam we get is to invalid users. >> If i can get Sendmail to check with the Remote SMTP server >> before it queues it, that would reduce the amount of spam on my site >> by at least 30%! > > Put your users in LDAP and check with LDAP on your frontend servers. 
> Does anyone whether its possible to check against Active Directory (it is LDAP after all)? I tried once and failed - and never had the time to pursue it. If so, is there a howto anywhere? From vanhorn at WHIDBEY.COM Thu Dec 18 08:50:50 2003 From: vanhorn at WHIDBEY.COM (G. Armour Van Horn) Date: Thu Jan 12 21:21:35 2006 Subject: Ignore outbound mail In-Reply-To: <6.0.1.1.2.20031215091903.03e71a18@imap.ecs.soton.ac.uk> References: <3FDD7B10.1050102@whidbey.com> <6.0.1.1.2.20031215091903.03e71a18@imap.ecs.soton.ac.uk> Message-ID: <3FE16A6A.1030205@whidbey.com> Bravo! Thank you so much. I have a script that takes a text file for the mail and a text file of e-mail addresses and merges them to Sendmail. Actually, there are two, one for HTML subscribers and one for text subscribers. I launch them both at once, the text version doesn't take all that long because it is a smaller file and there are fewer subscribers. The last time I sent the mailing out in the normal mode it took 3:55 (h:mm) to run, after making your suggested changes it dropped to 0:47. Load average dropped from around 10 to consistently under 4. Van Julian Field wrote: > At 09:12 15/12/2003, you wrote: > >> I know I've asked this in the distant past, at which point I don't think >> it was possible. However, I'd still very much like to have MailScanner >> completely ignore mail generated on localhost. The machine doesn't >> accept mail from users, but I do have a large daily mailing that goes >> out every night, and the mailing takes far too long and causes MS/SA to >> use far too many resources. >> >> I was planning on moving all mail clients off to another machine so I >> could run without MS on this server, but it just isn't practical. So I'd >> like to revisit this if I may. >> >> Van >> >> Currently running MailScanner 4.23-11, but I suppose I could upgrade >> easily enough if that would help. > > > Yet another ruleset application. 
> > In MailScanner.conf set this: > > Virus Scanning = /etc/MailScanner/rules/not.localhost.rules > Spam Checks = /etc/MailScanner/rules/not.localhost.rules > > and then in /etc/MailScanner/rules/not.localhost.rules put this: > > From: 127.0.0.1 no > From: 10.11.12.13 no > FromOrTo: default yes > > (where the IP address of the server is 10.11.12.13). > > Simple as that. > > We should start collecting these together into a lovely great library of > example ruleset applications. Another job for a part-time FAQ > maintainer/author perhaps? Any offers? It would really help and > requires no > great programming knowledge or anything like that. > > Thanks folks! > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > . > From sw at INTERNETX.DE Thu Dec 18 09:07:02 2003 From: sw at INTERNETX.DE (Sebastian Wiesinger) Date: Thu Jan 12 21:21:35 2006 Subject: Lost qf-Files In-Reply-To: <6.0.1.1.2.20031216172307.03747e90@imap.ecs.soton.ac.uk> References: <20031216153126.GA3414@lain.intern.internetx.de> <6.0.1.1.2.20031216172307.03747e90@imap.ecs.soton.ac.uk> Message-ID: <20031218090702.GA1299@lain.intern.internetx.de> * Julian Field [2003-12-16 22:56]: > These are almost certainly message fragments where the remote SMTP client > didn't completely send you the message. Just delete the orphaned files. Will do so. :) Sebastian From mailscanner at ecs.soton.ac.uk Thu Dec 18 09:12:33 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:35 2006 Subject: Filetypes not working in 4.25-14? In-Reply-To: <3FE0DD2D.5030202@ucgbook.com> References: <3FE0DD2D.5030202@ucgbook.com> Message-ID: <6.0.1.1.2.20031218091212.0368ee00@imap.ecs.soton.ac.uk> Start by checking for /etc/MailScanner/filetype.rules.conf.rpmnew or .rpmsave files. 
At 22:48 17/12/2003, you wrote: >I just did a major upgrade from the below: > >MailScanner 4.23-11, SpamAssassin 2.60 + DCC 1.2.9, ClamAV 20030829 > >to the following: > >MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP > >I did the MailScanner part last and all the previous stuff worked >separately and with 4.23-11 when I upgraded them one after another. Then >I prepped all the configs, reports and rules for 4.25-14 and switched >over. All of a sudden I don't get logs for denied filetypes any more. I >have the same configs regarding that: > >Filetype Rules = %etc-dir%/filetype.rules.conf >Log Permitted Filetypes = no >File Command = /usr/bin/file >File Timeout = 20 >Filetype Rules = %etc-dir%/filetype.rules.conf > >Up until I switched MS version I got double logs, one from filename and >one from filetype and after the switch I only get the one from denied >filenames. The above rules file is the same as the old one. > >Any ideas? > >/Peter Bonivart > >--Unix lovers do it in the Sun > >Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, >SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Dec 18 09:18:47 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:35 2006 Subject: Owner 89. In-Reply-To: <3FE16F86.1020004@urbakken.dk> References: <3FE16F86.1020004@urbakken.dk> Message-ID: <6.0.1.1.2.20031218091823.03ed5f08@imap.ecs.soton.ac.uk> At 09:12 18/12/2003, you wrote: >Hi. > >On my server I have just installed MailScanner. The /var/spool/incoming >directory was not set by the installed, and I just made it myself. > >But the MailScanner tells me, that its not owned by user 89. > >I did a chmod 89 /var/spool/incoming, but had no luck. To change owner, use "chown" and "chgrp". 
"chmod" is for changing access permissions. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Dec 18 09:18:01 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:35 2006 Subject: Filetypes not working in 4.25-14? In-Reply-To: <3FE0DD2D.5030202@ucgbook.com> References: <3FE0DD2D.5030202@ucgbook.com> Message-ID: <6.0.1.1.2.20031218091739.03e4f910@imap.ecs.soton.ac.uk> I just checked this, and the code appears to be working fine. At 22:48 17/12/2003, you wrote: >I just did a major upgrade from the below: > >MailScanner 4.23-11, SpamAssassin 2.60 + DCC 1.2.9, ClamAV 20030829 > >to the following: > >MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP > >I did the MailScanner part last and all the previous stuff worked >separately and with 4.23-11 when I upgraded them one after another. Then >I prepped all the configs, reports and rules for 4.25-14 and switched >over. All of a sudden I don't get logs for denied filetypes any more. I >have the same configs regarding that: > >Filetype Rules = %etc-dir%/filetype.rules.conf >Log Permitted Filetypes = no >File Command = /usr/bin/file >File Timeout = 20 >Filetype Rules = %etc-dir%/filetype.rules.conf > >Up until I switched MS version I got double logs, one from filename and >one from filetype and after the switch I only get the one from denied >filenames. The above rules file is the same as the old one. > >Any ideas? 
> >/Peter Bonivart > >--Unix lovers do it in the Sun > >Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, >SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From eja at URBAKKEN.DK Thu Dec 18 09:34:38 2003 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:35 2006 Subject: Owner 89. In-Reply-To: <6.0.1.1.2.20031218091823.03ed5f08@imap.ecs.soton.ac.uk> References: <3FE16F86.1020004@urbakken.dk> <6.0.1.1.2.20031218091823.03ed5f08@imap.ecs.soton.ac.uk> Message-ID: <3FE174AE.9030405@urbakken.dk> Julian Field wrote: > At 09:12 18/12/2003, you wrote: > >> Hi. >> >> On my server I have just installed MailScanner. The /var/spool/incoming >> directory was not set by the installed, and I just made it myself. >> >> But the MailScanner tells me, that its not owned by user 89. >> >> I did a chmod 89 /var/spool/incoming, but had no luck. > > > To change owner, use "chown" and "chgrp". "chmod" is for changing access > permissions. Thanks Julian. -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From eja at URBAKKEN.DK Thu Dec 18 09:44:47 2003 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:35 2006 Subject: Owner 89. In-Reply-To: <6.0.1.1.2.20031218091823.03ed5f08@imap.ecs.soton.ac.uk> References: <3FE16F86.1020004@urbakken.dk> <6.0.1.1.2.20031218091823.03ed5f08@imap.ecs.soton.ac.uk> Message-ID: <3FE1770F.4020301@urbakken.dk> Julian Field wrote: > At 09:12 18/12/2003, you wrote: > >> Hi. >> >> On my server I have just installed MailScanner. The /var/spool/incoming >> directory was not set by the installed, and I just made it myself. >> >> But the MailScanner tells me, that its not owned by user 89. 
>> >> I did a chmod 89 /var/spool/incoming, but had no luck. > > > To change owner, use "chown" and "chgrp". "chmod" is for changing access > permissions. Hi Julian. I have done the RTFM now, but who shall own the /incoming directory ?. In the examples in the FM there stands: chown bin.bin sampsoft This is as I understand it to use both chown and chgrp in one execution. As far as I understand it the above example gives the owner and group to bin. Tell me plase if I'm wrong, and if you would write me the syntax in my case ?. Sorry for writing trivial :-( -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From eja at URBAKKEN.DK Thu Dec 18 09:59:18 2003 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:35 2006 Subject: Owner 89. In-Reply-To: <3FE1770F.4020301@urbakken.dk> References: <3FE16F86.1020004@urbakken.dk> <6.0.1.1.2.20031218091823.03ed5f08@imap.ecs.soton.ac.uk> <3FE1770F.4020301@urbakken.dk> Message-ID: <3FE17A76.50405@urbakken.dk> Erik Jakobsen wrote: > Julian Field wrote: > >> At 09:12 18/12/2003, you wrote: >> >>> Hi. >>> >>> On my server I have just installed MailScanner. The /var/spool/incoming >>> directory was not set by the installed, and I just made it myself. >>> >>> But the MailScanner tells me, that its not owned by user 89. >>> >>> I did a chmod 89 /var/spool/incoming, but had no luck. >> >> >> >> To change owner, use "chown" and "chgrp". "chmod" is for changing access >> permissions. > > > Hi Julian. > > I have done the RTFM now, but who shall own the /incoming directory ?. > > In the examples in the FM there stands: > chown bin.bin sampsoft > > This is as I understand it to use both chown and chgrp in one execution. > As far as I understand it the above example gives the owner and group to > bin. 
> > Tell me plase if I'm wrong, and if you would write me the syntax in my > case ?. > > Sorry for writing trivial :-( > > > -- > Med venlig hilsen - Best regards. > Erik Jakobsen - eja@urbakken.dk. > Licensed radioamateur with the callsign OZ4KK. > SuSE Linux 8.2 Proff. > Registered as user #319488 with the Linux Counter, http://counter.li.org. > > I think it has been fixed using: chown 89.89 incoming. -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From juan at SAREL.CO.IL Thu Dec 18 09:52:57 2003 From: juan at SAREL.CO.IL (=?windows-1255?Q?=E7=E5=E0=EF?=) Date: Thu Jan 12 21:21:35 2006 Subject: installing problem Message-ID: Hi ! I installed version 4.25-14. I read the install guide but I dont understand the following : You will then need to check the paths for your particular system setup. Check the paths in each of these files: /opt/MailScanner/bin/check_mailscanner /opt/MailScanner/bin/MailScanner (just line 1) /opt/MailScanner/lib/MailScanner/SystemDefs.pm /opt/MailScanner/etc/virus.scanners.conf /opt/MailScanner/etc/MailScanner.conf /opt/MailScanner/lib/* You should also compile the "tnef" binary for your system. The source code (and compiled versions for Solaris and Linux) are in the "bin" directory in the MailScanner tar file you downloaded. I advise you put the "tnef" program into somewhere such as /opt/MailScanner/bin/tnef. You will also need to check the MailScanner.conf file to ensure that the setting for "TNEF Expander" points to where you put the program my questions are : 1.what I need to check on the above paths in the above files? after I did ./install.sh from within MailScanner-4.25-14 foIder,I got another folder (/opt/mailscanner) and inside it there inst any /opt/MailScanner/bin/check_mailscanner file at all. 2. 
I didn't find any tnef in /opt/MailScanner/bin
I did find it in /usr/bin tnef
Is that what they mean in the install guide?

thanks very much

From juan at SAREL.CO.IL Thu Dec 18 10:20:00 2003
From: juan at SAREL.CO.IL (=?windows-1255?Q?=E7=E5=E0=EF?=)
Date: Thu Jan 12 21:21:35 2006
Subject: another install problem
Message-ID:

Hi !

On the online manual http://www.sng.ecs.soton.ac.uk/mailscanner/install/conf.shtml (I use RH 8) it says that I will find mailscanner.conf in /opt/mailscanner/etc/mailscanner.conf but I found it in /etc/Mailscanner. I downloaded Mailscanner-4.25-14.rpm.tar.gz to /opt and extracted this file also in /opt and ran ./install.sh all from /opt without changing anything, so how come mailscanner.conf is in /etc/mailscanner and not in /opt/mailscanner?

thanks

From eja at URBAKKEN.DK Thu Dec 18 10:25:35 2003
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:21:35 2006
Subject: More errors.
In-Reply-To: <3FE17080.1030107@urbakken.dk>
References: <3FE17080.1030107@urbakken.dk>
Message-ID: <3FE1809F.80501@urbakken.dk>

Hi.

I just entered the "alternate_config_directories" in /etc/postfix/main.cf, and it seemed to have nearly cured it. But there's one more error left:

Erik Jakobsen wrote:
> Hi.
>
> Unfortunately I have more errors:

Dec 18 11:21:16 gateway MailScanner[7978]: Virus and Content Scanning: Starting
Dec 18 11:21:17 gateway MailScanner[7978]: KickMessage failed as couldn't write to /var/spool/public/qmgr, No such file or directory
Dec 18 11:21:17 gateway MailScanner[7978]: Uninfected: Delivered 1 messages.

There's no /public/qmgr. How to get rid of it ?.

--
Med venlig hilsen - Best regards.
Erik Jakobsen - eja@urbakken.dk.
Licensed radioamateur with the callsign OZ4KK.
SuSE Linux 8.2 Proff.
Registered as user #319488 with the Linux Counter, http://counter.li.org.
From prandal at HEREFORDSHIRE.GOV.UK Thu Dec 18 10:47:02 2003
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:21:35 2006
Subject: Bayes scoring working wrong
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3EB@jessica.herefordshire.gov.uk>

I've found that the BigEvil list, popcorn, and other rules from http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm really make a difference.

And the detokenising rules from http://www.wot.no-ip.com/cgi-bin/detoken.pl help too.

In the last two weeks using the standard SA rules plus the rules from the above pages and a few custom rules everything scoring over 11.0 here has been genuine spam.

Our custom rules are below. NOTE: The WRONGCURRENCY Rule should only be used where the local currency is not dollars.

header UNBELIEVABLE Subject =~ /unbelie?vable/i
describe UNBELIEVABLE I cannot believe it is not spam
score UNBELIEVABLE 4.0

header FREE_SHIPPING Subject =~ /free shipping/i
describe FREE_SHIPPING Free shipping
score FREE_SHIPPING 3.0

header NATWEST_SCAM Subject =~ /NatWest Bank Security Update/i
describe NATWEST_SCAM I want your NatWest Password now!
score NATWEST_SCAM 3.0

header WRONGCURRENCY Subject =~ /\$|dollar/i
describe WRONGCURRENCY Wrong currency - dollar in subject
score WRONGCURRENCY 4.0

header FROM_PANEL From =~ /sales\@panelwarehouse.com/i
describe FROM_PANEL PanelWarehouse spam
score FROM_PANEL 4.0

header TOO_GOOD Subject =~ /too good to miss/i
describe TOO_GOOD Too good to not be spam
score TOO_GOOD 4.0

# This next rule provides some protection against the latest IE vulnerability
uri IE_VULN /https?:\/\/.*%([01][0-9a-f]|7f).*@/i
score IE_VULN 100.0
describe IE_VULN Internet Explorer vulnerability

header RCVD_IN_BNBL eval:check_rbl('bl', 'bl.blueshore.net.')
describe RCVD_IN_BNBL Listed by BNBL
tflags RCVD_IN_BNBL net
score RCVD_IN_BNBL 2.0

header TO_MEET Subject =~ /wants? to meet you/i
describe TO_MEET A spammer wants to meet you
score TO_MEET 3.5

header FREE_LASER Subject =~ /Free Laser Eye Consultation/i
describe FREE_LASER You can see this is spam
score FREE_LASER 3.5

Cheers,

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of James Gray
> Sent: 18 December 2003 02:50
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Bayes scoring working wrong
>
>
> On Thu, 18 Dec 2003 01:24 pm, Nortex PageGuys wrote:
> > Hello ,
> >
> > > Return-Path:
> > > Received: by mailadmin.nortex.net (CommuniGate Pro PIPE 4.1.5)
> > > with PIPE id 32188222; Wed, 17 Dec 2003 19:41:13 -0600
> > > Received: from [12.158.34.221] (HELO psmtp.com)
> > > by mailadmin.nortex.net (CommuniGate Pro SMTP 4.1.5)
> > > with SMTP id 32188182 for **REMOVED FOR SECURITY**;
> Wed, 17 Dec 2003
> > > 19:41:00 -0600 Received: from source ([218.235.30.213]) by
> > > exprod5mx69.postini.com ([12.158.34.245]) with SMTP; Wed,
> 17 Dec 2003
> > > 17:40:57 PST
> > > Received: from [218.235.30.213] by rx357.comIP with HTTP;
> > > Thu, 18 Dec 2003 05:36:45 +0500
> > > From: "Riddle Eric"
> > > To: **REMOVED FOR SECURITY**
> > > Subject: Re: %RND_UC_CHAR[2-8], the promised kurolesov
>
> **snipped**
>
> > I have fed the Bayes engine in SpamAssassin lots of spam and ham
> > emails over the past 8 months, and this the result of all
> my work, its
> > reversing valid spam as not spam.
> >
> > Any suggestions on what I can do to improve spamassassins scoring on
> > this?
> > Best regards, > > Nortex mailto:pages@ntin.net > > Not a lot we can do about Bayes poisoning :( except create a couple of > customised rules: > > header FROM_SPAMMER01 From =~ /\@.*hongkong\.com/i > describe FROM_SPAMMER01 Known spam source 'hongkong.com' > score FROM_SPAMMER01 3.5 > > body BODY_BAN_CD /Banned CD/i > describe BODY_BAN_CD Mentions 'banned CD' > score BODY_BAN_CD 2.0 > > Now unless my math is out: 3.5 + 2.0 - 0.399 = 5.101 > > Bingo :) Of course you'll need to keep creating rules for each forged > address :-/ Not exactly ideal but it works. Plus with > perl's powerful > regex, you'll find after a while that most spammers are > creatures of habit > and you can create some pretty powerful filters based on > common themes, > like domains that only have numbers (eg, 12345.biz in perl would be > /[0-9]{5}\.biz/i etc) or common obfuscating patterns (eg, > /([a-zA-Z](?:\_|\ > |-|\.)){3,}/i would catch any sequence of 3 or more letters > separated by > either "_", " ", "-" or ".") > > As I said in a post recently our mail filter at work has a > combined false > +ve/-ve rate of less that 0.01%. We also have two guys > (myself and the > other Unix guy) managing the filters. We currently have created 1523 > custom rules to tailor the filters to our specific needs. > This number will > only ever increase :( However, if you're interested, I'm > happy to share > them (in a modified form - without all our internal business-specific > stuff. There's too many internal addresses/lists to just > "put them up on > an ftp somewhere"). Contact me off-list if anyone is interested :) > > --James > __________________________________ > A random quote of nothing: > > BOFH excuse #295: > > The Token fell out of the ring. Call us when you find it. 
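
An added example (not part of Phil Randal's post and not SpamAssassin code): a small Python harness that runs the header and uri rules from the message above over constructed messages. It shows that IE_VULN as written, with its score of 100, also fires on an ordinary URL that has an encoded newline in the query and an "@" later on. STRICT_IE_VULN, the sample messages, the simplified URL extraction and the function names are assumptions made for this example; the 5.0 threshold is the one visible in the spamd log lines elsewhere in this archive.

```python
import re

# Custom rules transcribed from the message above as (name, target, pattern, score).
# target is a header name, or "uri" for a rule tested against each URL in the body.
# Every pattern carries the /i flag in the original. RCVD_IN_BNBL is left out
# because it needs a live DNS lookup.
RULES = [
    ("UNBELIEVABLE", "Subject", r"unbelie?vable", 4.0),
    ("FREE_SHIPPING", "Subject", r"free shipping", 3.0),
    ("NATWEST_SCAM", "Subject", r"NatWest Bank Security Update", 3.0),
    ("WRONGCURRENCY", "Subject", r"\$|dollar", 4.0),
    ("FROM_PANEL", "From", r"sales\@panelwarehouse.com", 4.0),
    ("TOO_GOOD", "Subject", r"too good to miss", 4.0),
    ("IE_VULN", "uri", r"https?:\/\/.*%([01][0-9a-f]|7f).*@", 100.0),
    ("TO_MEET", "Subject", r"wants? to meet you", 3.5),
    ("FREE_LASER", "Subject", r"Free Laser Eye Consultation", 3.5),
]

# Assumption (not from the thread): a tighter IE_VULN that only inspects the
# authority part of the URL, i.e. the text before the first "/", "?" or "#".
STRICT_IE_VULN = r"https?://[^/?#\s]*%(?:[01][0-9a-f]|7f)[^/?#\s]*@"

URI_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def extract_uris(body):
    """Simplified stand-in for the scanner's URL extraction."""
    return [u.rstrip(".,)>\"'") for u in URI_RE.findall(body)]


def score_message(headers, body, rules=RULES):
    """Return (total_score, [names of rules that hit]); each rule counts once."""
    uris = extract_uris(body)
    total, hits = 0.0, []
    for name, target, pattern, score in rules:
        rx = re.compile(pattern, re.IGNORECASE)
        if target == "uri":
            matched = any(rx.search(u) for u in uris)
        else:
            matched = bool(rx.search(headers.get(target, "")))
        if matched:
            hits.append(name)
            total += score
    return total, hits


def with_strict_ie_vuln(rules=RULES):
    """Copy of the rule list with IE_VULN swapped for the tighter pattern."""
    return [(n, t, STRICT_IE_VULN if n == "IE_VULN" else p, s)
            for n, t, p, s in rules]


def is_spam(total, required=5.0):
    return total >= required


# Constructed sample messages: name -> (headers, body).
SAMPLES = {
    "subject_only": ({"Subject": "Unbelievable offer with free shipping"}, ""),
    "control_char_in_userinfo": (
        {"Subject": "Account notice"},
        "Please confirm at http://www.bank.example%01@192.0.2.7/update today",
    ),
    "benign_encoded_newline": (
        {"Subject": "Minutes of Tuesday meeting"},
        "Search link: http://intranet.example/find?q=line1%0Aline2&notify=bob@example.org",
    ),
    "benign_plain_at": (
        {"Subject": "List options"},
        "Manage: http://lists.example.org/options?user=bob@example.org",
    ),
}

if __name__ == "__main__":
    strict = with_strict_ie_vuln()
    for name, (headers, body) in SAMPLES.items():
        loose_total, loose_hits = score_message(headers, body)
        strict_total, strict_hits = score_message(headers, body, strict)
        print(f"{name:26} as posted: {loose_total:6.1f} {loose_hits}  "
              f"tightened: {strict_total:6.1f} {strict_hits}")
```
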
> From prandal at HEREFORDSHIRE.GOV.UK Thu Dec 18 10:52:29 2003 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:21:35 2006 Subject: Bayes scoring working wrong Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3EC@jessica.herefordshire.gov.uk> Oh, and I changed spam.assassin.prefs.conf score RCVD_IN_BL_SPAMCOP_NET 2.5 Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Randal, Phil > Sent: 18 December 2003 10:47 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Bayes scoring working wrong > > > I've found that the BigEvil list, popcorn, and other rules from > http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm > really make a > difference. > > And the detokenising rules from > http://www.wot.no-ip.com/cgi-bin/detoken.pl > help too. > > In the last two weeks using the standard SA rules plus the > rules from the > above pages and a few custom rules everything scoring over > 11.0 here has > been genuine spam. > > Our custom rules are below. > From pete at eatathome.com.au Thu Dec 18 10:56:50 2003 From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:21:35 2006 Subject: Rejecting Mail at RCPT In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB00164992A@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB00164992A@pascal.priv.bmrb.co.uk> Message-ID: <3FE187F2.2050003@eatathome.com.au> Spicer, Kevin wrote: >Raymond Dijkxhoorn wrote: > > >>Hi! >> >> >> >>>Does anybody know of a way to get Sendmail to check with a remote >>>SMTP server to see if a user is valid at the RCPT TO:? >>>At my site, a good portion of the spam we get is to invalid users. >>>If i can get Sendmail to check with the Remote SMTP server >>>before it queues it, that would reduce the amount of spam on my site >>>by at least 30%! 
>>> >>> >>Put your users in LDAP and check with LDAP on your frontend servers. >> >> >> >Does anyone whether its possible to check against Active Directory (it is LDAP after all)? I tried once and failed - and never had the time to pursue it. If so, is there a howto anywhere? > > > > > I have a great perl script that will pull all the email addresses from AD and make an access map for postfix - "user@domain.com OK" is the access map format for postfix, should be easy enough to change to whatever sendmail requires? Far better than doing a query on your AD for every new mail that arrives, and less prone to failure of delivery should the AD become unavailable, even if briefly. Will email you tomorrow if you like - does your AD have MS Exchange info? From pete at eatathome.com.au Thu Dec 18 11:01:08 2003 From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:21:35 2006 Subject: More errors. In-Reply-To: <3FE1809F.80501@urbakken.dk> References: <3FE17080.1030107@urbakken.dk> <3FE1809F.80501@urbakken.dk> Message-ID: <3FE188F4.9060307@eatathome.com.au> Erik Jakobsen wrote: > Hi. I just entered the "alternate_config_directoies" in > /etc/postfix/main.cf, and it seemed to nearly having cured it. > > But there's one more errors left: > > Erik Jakobsen wrote: > > Hi. > > > > Unfortunately I have more errors: > > Dec 18 11:21:16 gateway MailScanner[7978]: Virus and Content Scanning: > Starting > Dec 18 11:21:17 gateway MailScanner[7978]: KickMessage failed as > couldn't write to /var/spool/public/qmgr, No such file or directory > Dec 18 11:21:17 gateway MailScanner[7978]: Uninfected: Delivered 1 > messages. > > There's no /public/qmgr. > > How to get rid of it ?. > -- > Med venlig hilsen - Best regards. > Erik Jakobsen - eja@urbakken.dk. > Licensed radioamateur with the callsign OZ4KK. > SuSE Linux 8.2 Proff. > Registered as user #319488 with the Linux Counter, http://counter.li.org. > > > Are you following a guide to get this working? 
if so tell us the link From pete at eatathome.com.au Thu Dec 18 11:03:49 2003 From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:21:36 2006 Subject: installing problem In-Reply-To: References: Message-ID: <3FE18995.10504@eatathome.com.au> ???? wrote: >Hi ! > >I installed version 4.25-14. > >I read the install guide but I dont understand the following : > > You will then need to check the paths for your particular system >setup. Check the paths in each of these files: > /opt/MailScanner/bin/check_mailscanner > /opt/MailScanner/bin/MailScanner (just line 1) > /opt/MailScanner/lib/MailScanner/SystemDefs.pm > /opt/MailScanner/etc/virus.scanners.conf > /opt/MailScanner/etc/MailScanner.conf > /opt/MailScanner/lib/* > You should also compile the "tnef" binary for your system. The >source code (and compiled versions for Solaris and Linux) are in the "bin" >directory in the MailScanner tar file you downloaded. I advise you put the >"tnef" program into somewhere such as /opt/MailScanner/bin/tnef. You will >also need to check the MailScanner.conf file to ensure that the setting for >"TNEF Expander" points to where you put the program > >my questions are : >1.what I need to check on the above paths in the above files? after I did >./install.sh from within MailScanner-4.25-14 foIder,I got another folder >(/opt/mailscanner) and inside it there inst any >/opt/MailScanner/bin/check_mailscanner file at all. > >2. I didnt find any tnef in /opt/MailScanner/bin I did find it in /usr/bin >tnef Is that what they mean in the install guide? > >thanks very much > > > > > What OS did you install this on? 
If you used Red Hat, then just do check_MailScanner or service MailScanner start etc and look in /etc/MailScanner/ for the conf files - do a locate -u and update the DB and then you can search for these files easily using locate filename From pete at eatathome.com.au Thu Dec 18 11:05:39 2003 From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:21:36 2006 Subject: another install problem In-Reply-To: References: Message-ID: <3FE18A03.9080608@eatathome.com.au> ???? wrote: >Hi ! > > on the onlinr menual >http://www.sng.ecs.soton.ac.uk/mailscanner/install/conf.shtml >( I use RH 8 ) > >it says that I will find mailscanner.cong >in/opt/mailscanner/etc/mailscanner.conf > >but I found it in /etc/Mailscanner. > >I downloaded Mailscanner-4.25-14.rpm.tar.gz to /opt and extracted this file >also in /opt and run ./install.sh all from /opt without changing anything so >how come mailscanner.conf is in /etc/mailscanner anf not in >/opt/mailscanner? > >thanks > > > > > everything is good - on red Hat your files will be in /etc/MailScanner/ Julian most likely does not use RH. This is usual for linux distros, the manual is generic, you need to intepret some of the info to suit your system. From SJCJonker at SJC.NL Thu Dec 18 11:08:45 2003 From: SJCJonker at SJC.NL (Stijn Jonker) Date: Thu Jan 12 21:21:36 2006 Subject: Read Receipts [Re: More errors.] In-Reply-To: <3FE17080.1030107@urbakken.dk> References: <3FE17080.1030107@urbakken.dk> Message-ID: <3FE18ABD.8080109@SJC.nl> Hello All, 2 Questions: 1) Please everybody remind to turn off the read receipts on emails to mailinglists. (I need to ack some for work etc, so I can't turn it off in thunderbird ;-)) 2) Is there a way for mailscanner to filter these based on rules? (Hmm, It might actually be neither the job of a MTA or MailScanner, it's in the body of an email (So not the MTA).. / It's not really an security issue. (And i don't want MS to generate an alert for every read receipt.) 
For those who don't know: Read Receipt is set by the header line: Disposition-Notification-To: Erik Jakobsen wrote: > Hi. > > Unfortunately I have more errors: > > Dec 18 10:13:36 gateway spamd[2606]: connection from > localhost.localdomain [127.0.0.1] at port 1038 > Dec 18 10:13:36 gateway spamd[3446]: info: setuid to filter succeeded > Dec 18 10:13:36 gateway spamd[3446]: processing message > <87u13yv68m.fsf@xyzzy.adsl.dk> for filter:100. > Dec 18 10:13:37 gateway spamd[3446]: clean message (0.0/5.0) for > filter:100 in 1.0 seconds, 2482 bytes. > Dec 18 10:13:37 gateway postfix/postdrop[3455]: error: untrusted > configuration directory name: /etc/postfix.in > Dec 18 10:13:37 gateway postfix/postdrop[3455]: fatal: specify > "alternate_config_directories = /etc/postfix.in" in /etc/postfix/main.cf > Dec 18 10:13:38 gateway postfix/sendmail[3454]: warning: premature > end-of-input from /usr/sbin/postdrop -r while reading input attribute name > Dec 18 10:13:38 gateway postfix/sendmail[3454]: fatal: > sslug-novice-return-27166-eja=urbakken.dk@sslug.dk(100): unable to > execute /usr/sbin/postdrop -r: Success > Dec 18 10:13:39 gateway postfix/pipe[3356]: 2CDD646D95: > to=, relay=ccfilter, delay=3, status=bounced (service > unavailable. 
Command output: postdrop: > error: untrusted configuration directory name: /etc/postfix.in postdrop: > fatal: specify "alternate_config_directories = /etc/postfix.in" in > /etc/postfix/main.cf sendm > ail: warning: premature end-of-input from /usr/sbin/postdrop -r while > reading input attribute name sendmail: fatal: > sslug-novice-return-27166-eja=urbakken.dk@sslug.dk > (100): unable to execute /usr/sbin/postdrop -r: Success ) > Dec 18 09:13:39 gateway postfix/cleanup[3407]: 9E77D46D99: > message-id=<20031218091339.9E77D46D99@gateway.urbakken.dk> > Dec 18 09:13:39 gateway postfix/nqmgr[2501]: 9E77D46D99: from=<>, > size=4927, nrcpt=1 (queue active) > Dec 18 09:13:39 gateway postfix/nqmgr[2501]: 9E77D46D99: > to=, relay=none, delay=0, status=deferred > (deferred transport) > Dec 18 10:13:40 gateway MailScanner[3468]: MailScanner E-Mail Virus > Scanner version 4.24-5 starting... > Dec 18 10:13:41 gateway MailScanner[3468]: /var/spool/incoming is not > owned by user 89 ! > Dec 18 10:13:51 gateway MailScanner[3469]: MailScanner E-Mail Virus > Scanner version 4.24-5 starting... > Dec 18 10:13:51 gateway MailScanner[3469]: /var/spool/incoming is not > owned by user 89 ! > Dec 18 10:14:01 gateway MailScanner[3470]: MailScanner E-Mail Virus > Scanner version 4.24-5 starting... > Dec 18 10:14:01 gateway MailScanner[3470]: /var/spool/incoming is not > owned by user 89 ! > Dec 18 10:14:11 gateway MailScanner[3471]: MailScanner E-Mail Virus > Scanner version 4.24-5 starting... > Dec 18 10:14:11 gateway MailScanner[3471]: /var/spool/incoming is not > owned by user 89 ! > Dec 18 10:14:15 gateway ipop3d[3474]: pop3 service init from 192.168.1.169 > Dec 18 10:14:15 gateway ipop3d[3474]: Login user=eja > host=[192.168.1.169] nmsgs=0/0 > Dec 18 10:14:18 gateway ipop3d[3474]: Logout user=eja > host=[192.168.1.169] nmsgs=0 ndele=0 > Dec 18 10:14:21 gateway MailScanner[3475]: MailScanner E-Mail Virus > Scanner version 4.24-5 starting... 
> Dec 18 10:14:21 gateway MailScanner[3475]: /var/spool/incoming is not > owned by user 89 ! > Dec 18 10:14:22 gateway ipop3d[3476]: pop3 service init from 192.168.1.169 > Dec 18 10:14:22 gateway ipop3d[3476]: Login user=erik > host=[192.168.1.169] nmsgs=0/0 > Dec 18 10:14:25 gateway ipop3d[3476]: Logout user=erik > host=[192.168.1.169] nmsgs=0 ndele=0 > Dec 18 10:14:31 gateway MailScanner[3553]: MailScanner E-Mail Virus > Scanner version 4.24-5 starting... > Dec 18 10:14:31 gateway MailScanner[3553]: /var/spool/incoming is not > owned by user 89 ! > Dec 18 09:14:32 gateway postfix/smtpd[3426]: connect from > unknown[195.41.53.68] > Dec 18 09:14:33 gateway postfix/smtpd[3426]: 3FC1C46D95: > client=unknown[195.41.53.68] > Dec 18 09:14:33 gateway postfix/cleanup[3407]: 3FC1C46D95: > message-id=<200312180914.hBI9E746013163@verbose.twistedhistory.com> > Dec 18 09:14:33 gateway postfix/smtpd[3426]: disconnect from > unknown[195.41.53.68] > Dec 18 09:14:33 gateway postfix/nqmgr[2501]: 3FC1C46D95: > from=, size=8694, nrcpt=1 (queue > active) > Dec 18 10:14:33 gateway spamd[2606]: connection from > localhost.localdomain [127.0.0.1] at port 1039 > Dec 18 10:14:33 gateway spamd[3556]: info: setuid to filter succeeded > Dec 18 10:14:33 gateway spamd[3556]: processing message > <200312180914.hBI9E746013163@verbose.twistedhistory.com> for filter:100. > Dec 18 10:14:41 gateway MailScanner[3568]: MailScanner E-Mail Virus > Scanner version 4.24-5 starting... > Dec 18 10:14:43 gateway MailScanner[3568]: /var/spool/incoming is not > owned by user 89 ! > > How can I solve those errors ?. > -- > Med venlig hilsen - Best regards. > Erik Jakobsen - eja@urbakken.dk. > Licensed radioamateur with the callsign OZ4KK. > SuSE Linux 8.2 Proff. > Registered as user #319488 with the Linux Counter, http://counter.li.org. 
-- Met Vriendelijke groet/Yours Sincerely Stijn Jonker From eja at URBAKKEN.DK Thu Dec 18 11:27:28 2003 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:36 2006 Subject: More errors. In-Reply-To: <3FE188F4.9060307@eatathome.com.au> References: <3FE17080.1030107@urbakken.dk> <3FE1809F.80501@urbakken.dk> <3FE188F4.9060307@eatathome.com.au> Message-ID: <3FE18F20.4020200@urbakken.dk> > Are you following a guide to get this working? if so tell us the link Oh you like to know it. I do follow the install guide being found in this URL: http://www.sng.esc.soton.ac.uk/mailscanner/install/postfix.shtml -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From eja at URBAKKEN.DK Thu Dec 18 11:32:03 2003 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:36 2006 Subject: Read Receipts [Re: More errors.] In-Reply-To: <3FE18ABD.8080109@SJC.nl> References: <3FE17080.1030107@urbakken.dk> <3FE18ABD.8080109@SJC.nl> Message-ID: <3FE19033.2090507@urbakken.dk> Don't quite understand what you mean. has it to do with one of my mails, that you copied to this message ?. Erik. Stijn Jonker wrote: > Hello All, > > 2 Questions: > > 1) Please everybody remind to turn off the read receipts on emails to > mailinglists. (I need to ack some for work etc, so I can't turn it off > in thunderbird ;-)) > > 2) Is there a way for mailscanner to filter these based on rules? (Hmm, > It might actually be neither the job of a MTA or MailScanner, it's in > the body of an email (So not the MTA).. / It's not really an security > issue. (And i don't want MS to generate an alert for every read receipt.) > > For those who don't know: Read Receipt is set by the header line: > Disposition-Notification-To: > > Erik Jakobsen wrote: > >> Hi. 
>> >> Unfortunately I have more errors: >> >> Dec 18 10:13:36 gateway spamd[2606]: connection from >> localhost.localdomain [127.0.0.1] at port 1038 >> Dec 18 10:13:36 gateway spamd[3446]: info: setuid to filter succeeded >> Dec 18 10:13:36 gateway spamd[3446]: processing message >> <87u13yv68m.fsf@xyzzy.adsl.dk> for filter:100. >> Dec 18 10:13:37 gateway spamd[3446]: clean message (0.0/5.0) for >> filter:100 in 1.0 seconds, 2482 bytes. >> Dec 18 10:13:37 gateway postfix/postdrop[3455]: error: untrusted >> configuration directory name: /etc/postfix.in >> Dec 18 10:13:37 gateway postfix/postdrop[3455]: fatal: specify >> "alternate_config_directories = /etc/postfix.in" in /etc/postfix/main.cf >> Dec 18 10:13:38 gateway postfix/sendmail[3454]: warning: premature >> end-of-input from /usr/sbin/postdrop -r while reading input attribute >> name >> Dec 18 10:13:38 gateway postfix/sendmail[3454]: fatal: >> sslug-novice-return-27166-eja=urbakken.dk@sslug.dk(100): unable to >> execute /usr/sbin/postdrop -r: Success >> Dec 18 10:13:39 gateway postfix/pipe[3356]: 2CDD646D95: >> to=, relay=ccfilter, delay=3, status=bounced (service >> unavailable. 
Command output: postdrop: >> error: untrusted configuration directory name: /etc/postfix.in postdrop: >> fatal: specify "alternate_config_directories = /etc/postfix.in" in >> /etc/postfix/main.cf sendm >> ail: warning: premature end-of-input from /usr/sbin/postdrop -r while >> reading input attribute name sendmail: fatal: >> sslug-novice-return-27166-eja=urbakken.dk@sslug.dk >> (100): unable to execute /usr/sbin/postdrop -r: Success ) >> Dec 18 09:13:39 gateway postfix/cleanup[3407]: 9E77D46D99: >> message-id=<20031218091339.9E77D46D99@gateway.urbakken.dk> >> Dec 18 09:13:39 gateway postfix/nqmgr[2501]: 9E77D46D99: from=<>, >> size=4927, nrcpt=1 (queue active) >> Dec 18 09:13:39 gateway postfix/nqmgr[2501]: 9E77D46D99: >> to=, relay=none, delay=0, status=deferred >> (deferred transport) >> Dec 18 10:13:40 gateway MailScanner[3468]: MailScanner E-Mail Virus >> Scanner version 4.24-5 starting... >> Dec 18 10:13:41 gateway MailScanner[3468]: /var/spool/incoming is not >> owned by user 89 ! >> Dec 18 10:13:51 gateway MailScanner[3469]: MailScanner E-Mail Virus >> Scanner version 4.24-5 starting... >> Dec 18 10:13:51 gateway MailScanner[3469]: /var/spool/incoming is not >> owned by user 89 ! >> Dec 18 10:14:01 gateway MailScanner[3470]: MailScanner E-Mail Virus >> Scanner version 4.24-5 starting... >> Dec 18 10:14:01 gateway MailScanner[3470]: /var/spool/incoming is not >> owned by user 89 ! >> Dec 18 10:14:11 gateway MailScanner[3471]: MailScanner E-Mail Virus >> Scanner version 4.24-5 starting... >> Dec 18 10:14:11 gateway MailScanner[3471]: /var/spool/incoming is not >> owned by user 89 ! >> Dec 18 10:14:15 gateway ipop3d[3474]: pop3 service init from >> 192.168.1.169 >> Dec 18 10:14:15 gateway ipop3d[3474]: Login user=eja >> host=[192.168.1.169] nmsgs=0/0 >> Dec 18 10:14:18 gateway ipop3d[3474]: Logout user=eja >> host=[192.168.1.169] nmsgs=0 ndele=0 >> Dec 18 10:14:21 gateway MailScanner[3475]: MailScanner E-Mail Virus >> Scanner version 4.24-5 starting... 
>> Dec 18 10:14:21 gateway MailScanner[3475]: /var/spool/incoming is not >> owned by user 89 ! >> Dec 18 10:14:22 gateway ipop3d[3476]: pop3 service init from >> 192.168.1.169 >> Dec 18 10:14:22 gateway ipop3d[3476]: Login user=erik >> host=[192.168.1.169] nmsgs=0/0 >> Dec 18 10:14:25 gateway ipop3d[3476]: Logout user=erik >> host=[192.168.1.169] nmsgs=0 ndele=0 >> Dec 18 10:14:31 gateway MailScanner[3553]: MailScanner E-Mail Virus >> Scanner version 4.24-5 starting... >> Dec 18 10:14:31 gateway MailScanner[3553]: /var/spool/incoming is not >> owned by user 89 ! >> Dec 18 09:14:32 gateway postfix/smtpd[3426]: connect from >> unknown[195.41.53.68] >> Dec 18 09:14:33 gateway postfix/smtpd[3426]: 3FC1C46D95: >> client=unknown[195.41.53.68] >> Dec 18 09:14:33 gateway postfix/cleanup[3407]: 3FC1C46D95: >> message-id=<200312180914.hBI9E746013163@verbose.twistedhistory.com> >> Dec 18 09:14:33 gateway postfix/smtpd[3426]: disconnect from >> unknown[195.41.53.68] >> Dec 18 09:14:33 gateway postfix/nqmgr[2501]: 3FC1C46D95: >> from=, size=8694, nrcpt=1 (queue >> active) >> Dec 18 10:14:33 gateway spamd[2606]: connection from >> localhost.localdomain [127.0.0.1] at port 1039 >> Dec 18 10:14:33 gateway spamd[3556]: info: setuid to filter succeeded >> Dec 18 10:14:33 gateway spamd[3556]: processing message >> <200312180914.hBI9E746013163@verbose.twistedhistory.com> for filter:100. >> Dec 18 10:14:41 gateway MailScanner[3568]: MailScanner E-Mail Virus >> Scanner version 4.24-5 starting... >> Dec 18 10:14:43 gateway MailScanner[3568]: /var/spool/incoming is not >> owned by user 89 ! >> >> How can I solve those errors ?. >> -- >> Med venlig hilsen - Best regards. >> Erik Jakobsen - eja@urbakken.dk. >> Licensed radioamateur with the callsign OZ4KK. >> SuSE Linux 8.2 Proff. >> Registered as user #319488 with the Linux Counter, http://counter.li.org. > > -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. 
SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From mailscanner at ecs.soton.ac.uk Thu Dec 18 11:40:12 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:36 2006 Subject: MCP (Was: Re: Internet Explorer URL Display problem) In-Reply-To: <3FE038D2.3060702@bangor.ac.uk> References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> <6.0.1.1.2.20031210202408.027e59f8@imap.ecs.soton.ac.uk> <1587.24.83.44.30.1071089543.squirrel@www.fractalweb.com> <6.0.1.1.2.20031210211659.027caaf0@imap.ecs.soton.ac.uk> <3FD86790.3050407@bangor.ac.uk> <6.0.1.1.2.20031211134806.083f6ec0@imap.ecs.soton.ac.uk> <6.0.1.1.2.20031211140338.08c99568@imap.ecs.soton.ac.uk> <3FDF5774.1090705@bangor.ac.uk> <6.0.1.1.2.20031217082623.028b4710@imap.ecs.soton.ac.uk> <3FE038D2.3060702@bangor.ac.uk> Message-ID: <6.0.1.1.2.20031218113931.03884dc0@imap.ecs.soton.ac.uk> At 11:06 17/12/2003, you wrote: >Julian Field wrote: >>At 19:05 16/12/2003, you wrote: >>Looks like the MCP quarantining doesn't work. I need to spend a few hours >>on the MCP code applying any/all of the changes I have made to the SA and >>Message code. >>Watch this space... > >Caught one message overnight using MCP but caught 2 others because of >mcpsatimedout... > >>>Sorry if I'm being thick! >> >>You're not being thick. I never got as far as writing any MCP docs at all, >>I wanted to get it working first, but haven't touched it in quite a while. > >Phew! Let me know when there's something more to play with... I have just posted up a new beta: 4.26-3 which should address the outstanding MCP problems. 
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From eja at URBAKKEN.DK Thu Dec 18 13:01:01 2003 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:36 2006 Subject: More errors. In-Reply-To: <3FE188F4.9060307@eatathome.com.au> References: <3FE17080.1030107@urbakken.dk> <3FE1809F.80501@urbakken.dk> <3FE188F4.9060307@eatathome.com.au> Message-ID: <3FE1A50D.8080802@urbakken.dk> >> couldn't write to /var/spool/public/qmgr, No such file or directory Hi. I have gone thru the install once again, but cannot find anything being wrong. I am sure qmgr stands for qmanager, and as far as I know, I'm not using it. So where can it come from ?. I use the Clarkconnect server based on Red Hat and postfix. -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From tony.johansson at SVENSKAKYRKAN.SE Thu Dec 18 14:04:12 2003 From: tony.johansson at SVENSKAKYRKAN.SE (Tony Johansson) Date: Thu Jan 12 21:21:36 2006 Subject: Spam/bounce problem Message-ID: I have a problem with bounces at a school where I help support their MailScanner installation. It seems spammers use the schools domain name with faked usernames as a return address. I've seem this at a different site but it was just a dozen or so which could easily be entered into sendmails access.db The school now gets approx 8-10.000 of these bounces daily, which is about 80% of their total traffic. The return addresses are random so adding them to access.db is not an option. The machine running MailScanner is pretty low end and has problems keeping up with the queues. The flow is something like this: 1. Spammer sends spam to abc@domain.com, spam has the spoofed return address xyz@school.com 2. No such user at domain.com/mailbox full/disabled etc 3. 
Mail bounces to xyz@school.com (with return path "<>")
4. Smtpgate at school.com (running mailscanner) accepts message, forwards to internal server
5. Internal server sees that the address xyz@school.com is non-existent
6. Internal server tries to bounce the message, to xyz@school.com, but naturally it cannot be delivered
7. Message is sent to postmaster@school.com, "I tried to deliver a bounce message to this address, but the bounce bounced!"

Does anyone have a remedy for this problem?

I guess I could only accept messages (at #4) for legitimate users but that would probably attract some directory harvest attacks. Not to mention keeping the list up to date.

Is it possible to run bounced messages (from:<>) in a different queue with lower priority? Any ideas on how to do this the MailScanner and sendmail?

Regards, Tony

From mailscanner at ecs.soton.ac.uk Thu Dec 18 14:14:49 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:36 2006
Subject: Spam/bounce problem
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20031218141017.03a26828@imap.ecs.soton.ac.uk>

At 14:04 18/12/2003, you wrote:
>Is it possible to run bounced messages (from:<>) in a different queue with
>lower priority? Any ideas on how to do this the MailScanner and sendmail?

You can use a ruleset for the "Outgoing Queue Dir" setting.

In MailScanner.conf put this:
Outgoing Queue Dir = /etc/MailScanner/rules/outgoing.queue.rules

Then in outgoing.queue.rules put this:

From: /^$/ /var/spool/mqueue.slow
FromOrTo: default /var/spool/mqueue

Then
         mkdir /var/spool/mqueue.slow
         nice sendmail -q60m -OQueueDirectory=/var/spool/mqueue.slow

No immediate delivery attempt will be made on messages put into mqueue.slow. They will just attempt a delivery when the once-per-hour queue runner sweeps the queue. The "nice" will make that queue runner operate at a low CPU priority so it can't steal the machine when it sweeps the queue.
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From eja at URBAKKEN.DK Thu Dec 18 14:24:25 2003 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:36 2006 Subject: More errors. In-Reply-To: <3FE1A50D.8080802@urbakken.dk> References: <3FE17080.1030107@urbakken.dk> <3FE1809F.80501@urbakken.dk> <3FE188F4.9060307@eatathome.com.au> <3FE1A50D.8080802@urbakken.dk> Message-ID: <3FE1B899.5080603@urbakken.dk> Erik Jakobsen wrote: >>> couldn't write to /var/spool/public/qmgr, No such file or directory > > > Hi. I have gone thru the install once again, but cannot find anything > being wrong. I am sure qmgr stands for qmanager, and as far as I know, > I'm not using it. So where can it come from ?. > > I use the Clarkconnect server based on Red Hat and postfix. > -- > Med venlig hilsen - Best regards. > Erik Jakobsen - eja@urbakken.dk. > Licensed radioamateur with the callsign OZ4KK. > SuSE Linux 8.2 Proff. > Registered as user #319488 with the Linux Counter, http://counter.li.org. > > Where is the /var/spool/public/qmgr defined ?. I can find /var/spool/postfix/public/qmgr Or where is that defined ?. -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From tony.johansson at SVENSKAKYRKAN.SE Thu Dec 18 14:26:03 2003 From: tony.johansson at SVENSKAKYRKAN.SE (Tony Johansson) Date: Thu Jan 12 21:21:36 2006 Subject: Spam/bounce problem Message-ID: The outgoing queue is fine. Once the mail has been scanned it gets delivered with no delay. Its mqueue.in that gets flooded. Is it possible to use "Incoming Queue Dir" in much the same way as the outgoing? How do I tell MailScanner to fetch messages from that queue when it has nothing better to do? 
Regards, Tony On Thu, 18 Dec 2003 14:14:49 +0000, Julian Field wrote: >At 14:04 18/12/2003, you wrote: >>Is it possible to run bounced messages (from:<>) in a different queue with >>lower priority? Any ideas on how to do this the MailScanner and sendmail? > >You can use a ruleset for the "Outgoing Queue Dir" setting. > >In MailScanner.conf put this: >Outgoing Queue Dir = /etc/MailScanner/rules/outgoing.queue.rules > >Then in outgoing.queue.rules put this: > >From: /^$/ /var/spool/mqueue.slow >FromOrTo: default /var/spool/mqueue > >Then > mkdir /var/spool/mqueue.slow > nice sendmail -q60m -OQueueDirectory=/var/spool/mqueue.slow > >No immediate delivery attempt will be made on messages put into >mqueue.slow. They will just attempt a delivery when the once-per-hour queue >runner sweeps the queue. The "nice" will make that queue runner operate at >a low CPU priority so it can't steal the machine when it sweeps the queue. >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From dh at UPTIME.AT Thu Dec 18 14:31:09 2003 From: dh at UPTIME.AT (=?ISO-8859-15?Q?David_H=F6hn?=) Date: Thu Jan 12 21:21:36 2006 Subject: Spam/bounce problem In-Reply-To: References: Message-ID: <3FE1BA2D.1020802@uptime.at> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Tony Johansson wrote: | Does anyone have a remedy for this problem? | Since Julian showed you the "MailScanner" way of doing this, I will try to explain the Sendmail Way. | I guess I could only accept messages (at #4) for legitimate users but that | would probably attract some directory harvest attacks. Not to mention | keeping the list up to date. | First of all, to avoid "user Unknown" messages on a perimeter sendmail which has no idea about valid users you can deploy LDAP. With LDAP routing (which works very nicely in sendmail) even the remote SPMT gate knowns which users are valid and which aren't. 
Thus the Mail is rejected while it is still in transit. See doc/op/op.txt: LDAP section | Is it possible to run bounced messages (from:<>) in a different queue with | lower priority? Any ideas on how to do this the MailScanner and sendmail? | On multiple queues. Yes, you can have multiple queues which are based on Header information. Those queues can be invoked with different priorities and different amount of queue runners. See doc/op/op.txt: on "multiple queue" groups. comp.mail.sendmail also has valuable tips on the topic. | | Regards, Tony - -- nee amata wo mitsukete soshite midoto wasrezu ~ domma mi mumega itakutemo soba mi iru mo ~ zutto...zutto...zutto -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (Darwin) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQE/4botPMoaMn4kKR4RA59nAJ4u+8hP3TeSjy1TD2dPIGNQYNsXXACfa5nv //f46ahJJDJ8TYDHm/meODY= =GY4E -----END PGP SIGNATURE----- From llasad1 at YAHOO.COM Thu Dec 18 14:34:48 2003 From: llasad1 at YAHOO.COM (lester lasad) Date: Thu Jan 12 21:21:36 2006 Subject: Messages Stuck in /var/spool/mqueue.in Message-ID: <20031218143448.53532.qmail@web41403.mail.yahoo.com> My mail started getting stuck again late afternoon yesterday. This has happened before, but stopping and starting mailscanner a bunch of times did not work this time. I saw the previous post where spamassassin was causing the issue. -I'm already on 2.60. -I tried upgrading top 2.61 but keep getting an error: Makefile:94: *** missing separator. Stop. -I rebuilt the baye db with sa-learn --rebuild Still no go. I upgraded MailScanner to the latest. 
Here's what I get in my messages log: Dec 18 09:05:06 sammy last message repeated 4 times Dec 18 09:08:14 sammy named[981]: lame server resolving '70.62.6.69.in-addr.arpa' (in '62.6.69.in-addr.arpa'?): 69.6.25.84#53 Dec 18 09:08:15 sammy named[981]: lame server resolving '70.62.6.69.in-addr.arpa' (in '62.6.69.in-addr.arpa'?): 69.6.25.125#53 Dec 18 09:08:31 sammy named[981]: lame server resolving '162.180.156.161.in-addr.arpa' (in '156.161.in-addr.arpa'?): 206.74.254.2#53 Dec 18 09:08:31 sammy named[981]: lame server resolving '162.180.156.161.in-addr.arpa' (in '156.161.in-addr.arpa'?): 206.74.254.10#53 Dec 18 09:09:16 sammy MailScanner: succeeded Dec 18 09:09:18 sammy last message repeated 2 times Dec 18 09:10:45 sammy named[981]: lame server resolving '132.34.52.157.in-addr.arpa' (in '52.157.in-addr.arpa'?): 157.33.227.3#53 Dec 18 09:10:45 sammy named[981]: lame server resolving '132.34.52.157.in-addr.arpa' (in '52.157.in-addr.arpa'?): 157.33.227.4#53 Dec 18 09:11:12 sammy MailScanner: MailScanner -15 succeeded Dec 18 09:11:12 sammy MailScanner: succeeded Is my problem something with DNS? If so, what generally causes lame server resolving messages? Thanks, James --------------------------------- Do you Yahoo!? New Yahoo! Photos - easier uploading and sharing -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031218/0cc97cfd/attachment.html From eja at URBAKKEN.DK Thu Dec 18 14:59:05 2003 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:36 2006 Subject: More errors. In-Reply-To: <3FE1B899.5080603@urbakken.dk> References: <3FE17080.1030107@urbakken.dk> <3FE1809F.80501@urbakken.dk> <3FE188F4.9060307@eatathome.com.au> <3FE1A50D.8080802@urbakken.dk> <3FE1B899.5080603@urbakken.dk> Message-ID: <3FE1C0B9.6090505@urbakken.dk> > Where is the /var/spool/public/qmgr defined ?. > > I can find /var/spool/postfix/public/qmgr > > Or where is that defined ?. 
> Hi I try again in the hope, that someone can help me. Where is the MailScanner KickMessage defined to write to ? -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From sysadmins at ENHTECH.COM Thu Dec 18 15:18:27 2003 From: sysadmins at ENHTECH.COM (Errol Neal) Date: Thu Jan 12 21:21:36 2006 Subject: Rejecting Mail at RCPT In-Reply-To: References: <6.0.0.22.0.20031217191920.02de9560@mail.enhtech.com> Message-ID: <6.0.0.22.0.20031218101742.02dd8560@mail.enhtech.com> At 07:46 PM 12/17/2003, you wrote: >Put your users in LDAP and check with LDAP on your frontend servers. > >Bye, >Raymond I have not tested this, but does this work when sendmail is run in queueonly delivery mode? Errol Errol U. Neal Jr., Systems Administrator Enhanced Technologies, Inc. - The Business Grade Hosting Specialists http://www.enhtech.com 703-924-0301 or 800-368-3249 703-997-0839 Fax From ivan at NUCCI.COM.BR Thu Dec 18 15:16:42 2003 From: ivan at NUCCI.COM.BR (Ivan Mirisola) Date: Thu Jan 12 21:21:36 2006 Subject: [OT] RDNS (TO: Res - ausics.net) In-Reply-To: References: <6.0.0.22.0.20031203194846.01fcbd50@xanadu.evi-inc.com> <6.0.0.22.0.20031203205539.02ab9a18@xanadu.evi-inc.com> <3FD0B0B9.4000908@nucci.com.br> <3FDF151A.3080604@nucci.com.br> Message-ID: <3FE1C4DA.4040205@nucci.com.br> Thanks Res, I had read on another e-mail about this DNSBL. I followed their policy and installed it successfully on mu system. I had to rsync some files with them and configure my DNS to forward requests to njabl.org on my localhost on port 953. There is a special daemon to resolve DNS queries that one should be running on that port. I have been running since yesterday and it caught a lot of spam already. Sadly, I had to remove the RDNS stuff out of my sendmail configuration because it was blocking legitimate e-mail from clients. 
There are a lot of broken configuration in DNS servers all over Brazil. So I think I will wait a while to implement this solution. One of the major ISPs here is TERRA NETWORKS and they are starting to test this kind of configuration on their systems. I bet that they are following in AOL?s path. Best regards, Thanks and Merry Christmas to all. Ivan Res wrote: >Ivan, > >On Tue, 16 Dec 2003, Ivan Mirisola wrote: > > > >>you e-mail because I think my SMTP has been blocked in yours. I asked to >>my ISP to fix the RDNS problem and now I do have a PTR record for my IP. >>Anyway - Could you check that my DNS configuration is correct and remove >>the blocking of my IP in your systems? >> >> > >Looks good :) > > > > >>Also, I like to know if anyone knows a free DNSBL list for dynamic IPs >>that I can use in sendmail. Most of them are payed services and the >> >> > >FEATURE(`dnsbl',`dynablock.njabl.org')dnl > >They have taken over the easynet ones, easynet were excellent as an RBL so >if these guys maintain it like they did, it should help. >Note, if you use dnsbl.njabl.org it doesnt look at the above zone, thats >gota be added in as extra I understand. > >Res > > > From ugob at CAMO-ROUTE.COM Thu Dec 18 15:16:32 2003 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:21:36 2006 Subject: Messages Stuck in /var/spool/mqueue.in Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE2B0@mtlnt501fs.CAMOROUTE.COM> -----Message d'origine----- De : lester lasad [mailto:llasad1@YAHOO.COM] Envoy? : Thursday, December 18, 2003 9:35 AM ? : MAILSCANNER@JISCMAIL.AC.UK Objet : Messages Stuck in /var/spool/mqueue.in My mail started getting stuck again late afternoon yesterday. This has happened before, but stopping and starting mailscanner a bunch of times did not work this time. I saw the previous post where spamassassin was causing the issue. -I'm already on 2.60. -I tried upgrading top 2.61 but keep getting an error: Makefile:94: *** missing separator. Stop. 
-I rebuilt the baye db with sa-learn --rebuild Still no go. I upgraded MailScanner to the latest. Here's what I get in my messages log: Dec 18 09:05:06 sammy last message repeated 4 times Dec 18 09:08:14 sammy named[981]: lame server resolving '70.62.6.69.in-addr.arpa' (in '62.6.69.in-addr.arpa'?): 69.6.25.84#53 Dec 18 09:08:15 sammy named[981]: lame server resolving '70.62.6.69.in-addr.arpa' (in '62.6.69.in-addr.arpa'?): 69.6.25.125#53 Dec 18 09:08:31 sammy named[981]: lame server resolving '162.180.156.161.in-addr.arpa' (in '156.161.in-addr.arpa'?): 206.74.254.2#53 Dec 18 09:08:31 sammy named[981]: lame server resolving '162.180.156.161.in-addr.arpa' (in '156.161.in-addr.arpa'?): 206.74.254.10#53 Dec 18 09:09:16 sammy MailScanner: succeeded Dec 18 09:09:18 sammy last message repeated 2 times Dec 18 09:10:45 sammy named[981]: lame server resolving '132.34.52.157.in-addr.arpa' (in '52.157.in-addr.arpa'?): 157.33.227.3#53 Dec 18 09:10:45 sammy named[981]: lame server resolving '132.34.52.157.in-addr.arpa' (in '52.157.in-addr.arpa'?): 157.33.227.4#53 Dec 18 09:11:12 sammy MailScanner: MailScanner -15 succeeded Dec 18 09:11:12 sammy MailScanner: succeeded Is my problem something with DNS? If so, what generally causes lame server resolving messages? Thanks, James --Ugo Hi there Please avoid HTML when posting to a mailing list. Lame server is usually not your responsiblilty. Do you get a lot these messages? Are you responsible for the "next" DNS server in line? http://www.mail-archive.com/isp-linux@isp-linux.com/msg04188.html Do you Yahoo!? New Yahoo! 
Photos - easier uploading and sharing From mailscannerlist at TNJINFL.COM Thu Dec 18 15:44:31 2003 From: mailscannerlist at TNJINFL.COM (James Pifer) Date: Thu Jan 12 21:21:36 2006 Subject: Messages Stuck in /var/spool/mqueue.in In-Reply-To: <20031218143448.53532.qmail@web41403.mail.yahoo.com> References: <20031218143448.53532.qmail@web41403.mail.yahoo.com> Message-ID: <1071762271.30736.9.camel@tweety.tnjinfl.com> On Thu, 2003-12-18 at 09:34, lester lasad wrote: > My mail started getting stuck again late afternoon yesterday. This has > happened before, but stopping and starting mailscanner a bunch of > times did not work this time. > > I saw the previous post where spamassassin was causing the issue. > > -I'm already on 2.60. > > -I tried upgrading top 2.61 but keep getting an error: Makefile:94: > *** missing separator. Stop. > > -I rebuilt the baye db with sa-learn --rebuild > > Still no go. I upgraded MailScanner to the latest. > > Here's what I get in my messages log: > > Dec 18 09:05:06 sammy last message repeated 4 times > > Dec 18 09:08:14 sammy named[981]: lame server resolving > '70.62.6.69.in-addr.arpa' (in '62.6.69.in-addr.arpa'?): 69.6.25.84#53 > > Dec 18 09:08:15 sammy named[981]: lame server resolving > '70.62.6.69.in-addr.arpa' (in '62.6.69.in-addr.arpa'?): 69.6.25.125#53 > > Dec 18 09:08:31 sammy named[981]: lame server resolving > '162.180.156.161.in-addr.arpa' (in '156.161.in-addr.arpa'?): > 206.74.254.2#53 > > Dec 18 09:08:31 sammy named[981]: lame server resolving > '162.180.156.161.in-addr.arpa' (in '156.161.in-addr.arpa'?): > 206.74.254.10#53 > > Dec 18 09:09:16 sammy MailScanner: succeeded > > Dec 18 09:09:18 sammy last message repeated 2 times > > Dec 18 09:10:45 sammy named[981]: lame server resolving > '132.34.52.157.in-addr.arpa' (in '52.157.in-addr.arpa'?): > 157.33.227.3#53 > > Dec 18 09:10:45 sammy named[981]: lame server resolving > '132.34.52.157.in-addr.arpa' (in '52.157.in-addr.arpa'?): > 157.33.227.4#53 > > Dec 18 09:11:12 sammy 
MailScanner: MailScanner -15 succeeded > > Dec 18 09:11:12 sammy MailScanner: succeeded > > Is my problem something with DNS? If so, what generally causes lame > server resolving messages? > > Thanks, > > James > > > > ______________________________________________________________________ > Do you Yahoo!? > New Yahoo! Photos - easier uploading and sharing I had someone post this message for me. My mail is now routing again, but what a pain in the ***. At around 5PM EST yesterday it all just stopped. After going through tons of mailscanner restarts trying different options, ie with spamassassin(2.60), without spamassassin, with spam checks, without spam checks, upgrade mailscanner, tried upgrading SpamAssassin, rebuild bayes database, on probably more I'm forgetting. It's finally delivering mail once I restarted the whole machine and had Spam Checks = no and Use SpamAssassin = no. Of course it delivered all my spam too... :-( I reenabled Spam Check and SpamAssassin and it's still delivering. I have no idea what happened and why, but it's fustrating when it does happen. (2nd or 3rd time now for me over the last year) Maybe the problem really was DNS since my mail server is also a DNS server and maybe restarting the box fixed that. I had not tried restarting the DNS service (wish I had). Normal lookups seemed ok since I could browse the net, etc. Maybe reverse lookups were screwed up. 
Thanks, James From jrudd at UCSC.EDU Thu Dec 18 16:00:30 2003 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:21:36 2006 Subject: SPF was->(Re: Yahoo Developing Open Source Server Software For Spam-Resista nt E-Mail) In-Reply-To: <3FE1528A.8020303@uptime.at> References: <8FFC76593085ED4A80D3601BC41EFCDF037335CE@inex1.herffjones.hj-int> <6.0.1.1.2.20031215173348.03c1c8b0@imap.ecs.soton.ac.uk> <20031218064645.GM12080@hoiho.nz.lemon-computing.com> <3FE1528A.8020303@uptime.at> Message-ID: <4E00B1A9-3173-11D8-B2D9-003065F939FE@ucsc.edu> On Dec 17, 2003, at 11:08 PM, David H?hn wrote: > As far as I can see this requires the use of SASL and SMTP AUTH. This > is > exactly where problems for very large ISP and even small time users > start. In my humble opinion, even though I would like to see SMTP AUTH > and SASL used more often, that is a cludge for mayn that are working at > a huge ISP. First of all because I need to find a way to keep the SASL > data synched over possibly 20 or more MailServer and I need to explain > to every user how she/he can use SMTP-AUTH. Not to mention that some > MUAs (no I am not looking at your MUAs Microso....) only support > insecure authentication methods which I would not ever want to > recommend > to a roaming or even a remote user. > > While I find the idea interesting I simply think that this is the > show-stopper. But them again, I would to be incorrect on this one. For insecure authentication methods, provide SMTP+SSL, allowing the authentication information to be protected by SSL if it's not being protected by a secure SASL. For password synchronization, use kerberos and multiple KDCs to distribute the authentication load. Hopefully both via plain text SMTP-AUTH (because there are too many MUAs that don't support kerberos) and via GSSAPI-SASL for SMTP-AUTH (for good MUAs). 
(here at UCSC, our new mail servers are using SMTP+SSL and plain text SMTP-AUTH, that is checked against the user's kerberos password; the MTA is CommuniGate Pro using an external authenticator that checks against kerberos) From ka at PACIFIC.NET Thu Dec 18 16:05:40 2003 From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:21:36 2006 Subject: Rejecting Mail at RCPT In-Reply-To: <3FE187F2.2050003@eatathome.com.au> References: <5C0296D26910694BB9A9BBFC577E7AB00164992A@pascal.priv.bmrb.co.uk> <3FE187F2.2050003@eatathome.com.au> Message-ID: <3FE1D054.8080906@pacific.net> Pete wrote: > Spicer, Kevin wrote: > >> Raymond Dijkxhoorn wrote: >> >> >>> Hi! >>> >>> >>> >>>> Does anybody know of a way to get Sendmail to check with a remote >>>> SMTP server to see if a user is valid at the RCPT TO:? >>>> At my site, a good portion of the spam we get is to invalid users. >>>> If i can get Sendmail to check with the Remote SMTP server >>>> before it queues it, that would reduce the amount of spam on my site >>>> by at least 30%! >>>> >>>> >>> Put your users in LDAP and check with LDAP on your frontend servers. >>> >>> >>> >> Does anyone whether its possible to check against Active Directory (it >> is LDAP after all)? I tried once and failed - and never had the time >> to pursue it. If so, is there a howto anywhere? >> >> >> >> >> > I have a great perl script that will pull all the email addresses from > AD and make an access map for postfix - "user@domain.com OK" is the > access map format for postfix, should be easy enough to change to > whatever sendmail requires? Far better than doing a query on your AD for > every new mail that arrives, and less prone to failure of delivery > should the AD become unavailable, even if briefly. Will email you > tomorrow if you like - does your AD have MS Exchange info? > > We use sendmail and had the same problem. I use a shell script on our mail hub to generate a file called accessMF that contains all valid local usernames and aliases. 
This works for a single domain only, so if your mailservers receive mail
for more than 1 domain, your MS boxes must also have virtusertable that
resolves address@virtdomain.com => localuser@yourdomain.com.
It gets usernames out of the unix password file, and /etc/mail/aliases
and prints out the accessMF file. accessMF gets scp'd over to our MS
machines as /etc/mail/access.
YMMV, as this script isn't very careful about what it does, and it has
not been tested on any other systems. (also, watch the line wraps!)

--- snip ----
#!/bin/sh
# Build accessMF: a RELAY entry for every local user and alias,
# then a catch-all reject for any other address in the domain.
cd /etc/mail/
# One entry per account in the password file.
cat /etc/passwd | \
awk -F : '{print "To:"$1"@domain.com\tRELAY"}' >> accessMF
# One entry per alias that is not already listed as a password-file account.
for i in `cat aliases | /bin/grep -v "^#" \
|awk -F : '{print $1}'`; do
x=`/bin/grep "^$i:" /etc/passwd`
# Compare the grep result as a string; never execute it.
if [ -z "$x" ]; then
echo "TO:$i@domain.com RELAY" >> accessMF
fi
done
echo "TO:domain.com ERROR:5.1.1:550 User unknown" >> accessMF;
--- snip ----

See http://www.sendmail.org/m4/anti_spam.html#access_db_fine for more info.

Ken A.
Pacific.Net

From eja at URBAKKEN.DK Thu Dec 18 16:12:12 2003
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:21:36 2006
Subject: More errors.
In-Reply-To: <3FE1C0B9.6090505@urbakken.dk>
References: <3FE17080.1030107@urbakken.dk> <3FE1809F.80501@urbakken.dk> <3FE188F4.9060307@eatathome.com.au> <3FE1A50D.8080802@urbakken.dk> <3FE1B899.5080603@urbakken.dk> <3FE1C0B9.6090505@urbakken.dk>
Message-ID: <3FE1D1DC.5030302@urbakken.dk>

Erik Jakobsen wrote:

>> Where is the /var/spool/public/qmgr defined ?.
>>
>> I can find /var/spool/postfix/public/qmgr
>>
>> Or where is that defined ?.
>>
>
> Hi I try again in the hope, that someone can help me.
>
> Where is the MailScanner KickMessage defined to write to ?
>

I copied the /var/spool/postfix/public/qmgr to the /var/spool/public
directory.

I don't think it's correct. My errors about a lacking qmgr file
disappeared, but unfortunately my mail delivering also did :-(

What can I do ?.

Please give me some help -THANKS !.
> > -- > Med venlig hilsen - Best regards. > Erik Jakobsen - eja@urbakken.dk. > Licensed radioamateur with the callsign OZ4KK. > SuSE Linux 8.2 Proff. > Registered as user #319488 with the Linux Counter, http://counter.li.org. > > -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From james at PCXPERIENCE.COM Thu Dec 18 16:16:42 2003 From: james at PCXPERIENCE.COM (James Pattie) Date: Thu Jan 12 21:21:36 2006 Subject: Spam/bounce problem In-Reply-To: References: Message-ID: <3FE1D2EA.4070002@pcxperience.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Tony Johansson wrote: | I have a problem with bounces at a school where I help support their | MailScanner installation. | | It seems spammers use the schools domain name with faked usernames as a | return address. I've seem this at a different site but it was just a dozen | or so which could easily be entered into sendmails access.db | | The school now gets approx 8-10.000 of these bounces daily, which is about | 80% of their total traffic. The return addresses are random so adding them | to access.db is not an option. The machine running MailScanner is pretty | low end and has problems keeping up with the queues. | | The flow is something like this: | | 1. Spammer sends spam to abc@domain.com, spam has the spoofed return | address xyz@school.com | 2. No such user at domain.com/mailbox full/disabled etc | 3. Mail bounces to xyz@school.com (with return path "<>") | 4. Smtpgate at school.com (running mailscanner) accepts message, forwards | to internal server | 5. Internal server sees that the address xyz@school.com is non-existant | 6. Internal server tries to bounce the message, to xyz@school.com, but | naturally it cannot be delivered | 7. 
Message is sent to postmaster@school.com, "I tried to deliver a bounce
| message to this address, but the bounce bounced!"
|
| Does anyone have a remedy for this problem?
|

use the sendmail double bounce suppression feature talked about recently on this
list.

in sendmail.mc:
- ----
define(`confDOUBLE_BOUNCE_ADDRESS',`double-bounce')dnl
- ----
rebuild sendmail.cf

in aliases:
- ----
double-bounce: /dev/null
- ----
newaliases

now any e-mails that bounced and the bounce message bounces will be delivered to
/dev/null. :)

- --
James A. Pattie
james@pcxperience.com

Linux -- SysAdmin / Programmer
Xperience, Inc.
http://www.pcxperience.com/
http://www.xperienceinc.com/

GPG Key Available at http://www.pcxperience.com/gpgkeys/james.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/4dLptUXjwPIRLVERAqmcAJ9Y7bDmPIDP44MLyQDO6XwuozZ/ugCeIoh4
3zKSGmPR08Hy7bwWFI6yTUw=
=j+S0
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.

From Kevin.Spicer at BMRB.CO.UK Thu Dec 18 16:18:19 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:21:36 2006
Subject: Rejecting Mail at RCPT
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649935@pascal.priv.bmrb.co.uk>

Pete wrote:
> I have a great perl script that will pull all the email addresses from
> AD and make an access map for postfix - "user@domain.com OK" is the
> access map format for postfix, should be easy enough to change to
> whatever sendmail requires? Far better than doing a query on your AD
> for every new mail that arrives, and less prone to failure of delivery
> should the AD become unavailable, even if briefly. Will email you
> tomorrow if you like - does your AD have MS Exchange info?

It does indeed. Sounds good to me - I'd love to see your script.
Does it run on the MailScanner box, or does it go on the Exchange box and
then just copy the file out?

From mailscanner at ecs.soton.ac.uk Thu Dec 18 16:25:10 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:36 2006
Subject: More errors.
In-Reply-To: <3FE1D1DC.5030302@urbakken.dk>
References: <3FE17080.1030107@urbakken.dk> <3FE1809F.80501@urbakken.dk> <3FE188F4.9060307@eatathome.com.au> <3FE1A50D.8080802@urbakken.dk> <3FE1B899.5080603@urbakken.dk> <3FE1C0B9.6090505@urbakken.dk> <3FE1D1DC.5030302@urbakken.dk>
Message-ID: <6.0.1.1.2.20031218161856.03f63aa8@imap.ecs.soton.ac.uk>

At 16:12 18/12/2003, you wrote:
>Erik Jakobsen wrote:
>>>Where is the /var/spool/public/qmgr defined ?.
>>>I can find /var/spool/postfix/public/qmgr
>>>Or where is that defined ?.
>>
>>Where is the MailScanner KickMessage defined to write to ?
>
>I copied the /var/spool/postfix/public/qmgr to the /var/spool/public
>directory.
>
>I don't think it's correct. My errors about a lacking qmgr file
>disappeared, but unfortunately my mail delivering also did :-(

The qmgr isn't a normal file. Do an "ls -l" on it and you will see that
it's a pipe, created by Postfix.
MailScanner takes the outgoing queue directory (normally
/var/spool/postfix/incoming), and replaces the last word with "public" then
tacks "/qmgr" on the end.
So you turn
/var/spool/postfix/incoming
into
/var/spool/postfix/public/qmgr
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From eja at URBAKKEN.DK Thu Dec 18 09:12:38 2003
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:21:36 2006
Subject: Owner 89.
Message-ID: <3FE16F86.1020004@urbakken.dk>

Hi.

On my server I have just installed MailScanner.

The /var/spool/incoming directory was not set by the installed, and I
just made it myself.

But the MailScanner tells me, that it's not owned by user 89.
I did a chmod 89 /var/spool/incoming, but had no luck. How is that to be done ?. -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From eja at URBAKKEN.DK Thu Dec 18 09:16:48 2003 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:36 2006 Subject: More errors. Message-ID: <3FE17080.1030107@urbakken.dk> Hi. Unfortunately I have more errors: Dec 18 10:13:36 gateway spamd[2606]: connection from localhost.localdomain [127.0.0.1] at port 1038 Dec 18 10:13:36 gateway spamd[3446]: info: setuid to filter succeeded Dec 18 10:13:36 gateway spamd[3446]: processing message <87u13yv68m.fsf@xyzzy.adsl.dk> for filter:100. Dec 18 10:13:37 gateway spamd[3446]: clean message (0.0/5.0) for filter:100 in 1.0 seconds, 2482 bytes. Dec 18 10:13:37 gateway postfix/postdrop[3455]: error: untrusted configuration directory name: /etc/postfix.in Dec 18 10:13:37 gateway postfix/postdrop[3455]: fatal: specify "alternate_config_directories = /etc/postfix.in" in /etc/postfix/main.cf Dec 18 10:13:38 gateway postfix/sendmail[3454]: warning: premature end-of-input from /usr/sbin/postdrop -r while reading input attribute name Dec 18 10:13:38 gateway postfix/sendmail[3454]: fatal: sslug-novice-return-27166-eja=urbakken.dk@sslug.dk(100): unable to execute /usr/sbin/postdrop -r: Success Dec 18 10:13:39 gateway postfix/pipe[3356]: 2CDD646D95: to=, relay=ccfilter, delay=3, status=bounced (service unavailable. 
Command output: postdrop: error: untrusted configuration directory name: /etc/postfix.in postdrop: fatal: specify "alternate_config_directories = /etc/postfix.in" in /etc/postfix/main.cf sendm ail: warning: premature end-of-input from /usr/sbin/postdrop -r while reading input attribute name sendmail: fatal: sslug-novice-return-27166-eja=urbakken.dk@sslug.dk (100): unable to execute /usr/sbin/postdrop -r: Success ) Dec 18 09:13:39 gateway postfix/cleanup[3407]: 9E77D46D99: message-id=<20031218091339.9E77D46D99@gateway.urbakken.dk> Dec 18 09:13:39 gateway postfix/nqmgr[2501]: 9E77D46D99: from=<>, size=4927, nrcpt=1 (queue active) Dec 18 09:13:39 gateway postfix/nqmgr[2501]: 9E77D46D99: to=, relay=none, delay=0, status=deferred (deferred transport) Dec 18 10:13:40 gateway MailScanner[3468]: MailScanner E-Mail Virus Scanner version 4.24-5 starting... Dec 18 10:13:41 gateway MailScanner[3468]: /var/spool/incoming is not owned by user 89 ! Dec 18 10:13:51 gateway MailScanner[3469]: MailScanner E-Mail Virus Scanner version 4.24-5 starting... Dec 18 10:13:51 gateway MailScanner[3469]: /var/spool/incoming is not owned by user 89 ! Dec 18 10:14:01 gateway MailScanner[3470]: MailScanner E-Mail Virus Scanner version 4.24-5 starting... Dec 18 10:14:01 gateway MailScanner[3470]: /var/spool/incoming is not owned by user 89 ! Dec 18 10:14:11 gateway MailScanner[3471]: MailScanner E-Mail Virus Scanner version 4.24-5 starting... Dec 18 10:14:11 gateway MailScanner[3471]: /var/spool/incoming is not owned by user 89 ! Dec 18 10:14:15 gateway ipop3d[3474]: pop3 service init from 192.168.1.169 Dec 18 10:14:15 gateway ipop3d[3474]: Login user=eja host=[192.168.1.169] nmsgs=0/0 Dec 18 10:14:18 gateway ipop3d[3474]: Logout user=eja host=[192.168.1.169] nmsgs=0 ndele=0 Dec 18 10:14:21 gateway MailScanner[3475]: MailScanner E-Mail Virus Scanner version 4.24-5 starting... Dec 18 10:14:21 gateway MailScanner[3475]: /var/spool/incoming is not owned by user 89 ! 
Dec 18 10:14:22 gateway ipop3d[3476]: pop3 service init from 192.168.1.169 Dec 18 10:14:22 gateway ipop3d[3476]: Login user=erik host=[192.168.1.169] nmsgs=0/0 Dec 18 10:14:25 gateway ipop3d[3476]: Logout user=erik host=[192.168.1.169] nmsgs=0 ndele=0 Dec 18 10:14:31 gateway MailScanner[3553]: MailScanner E-Mail Virus Scanner version 4.24-5 starting... Dec 18 10:14:31 gateway MailScanner[3553]: /var/spool/incoming is not owned by user 89 ! Dec 18 09:14:32 gateway postfix/smtpd[3426]: connect from unknown[195.41.53.68] Dec 18 09:14:33 gateway postfix/smtpd[3426]: 3FC1C46D95: client=unknown[195.41.53.68] Dec 18 09:14:33 gateway postfix/cleanup[3407]: 3FC1C46D95: message-id=<200312180914.hBI9E746013163@verbose.twistedhistory.com> Dec 18 09:14:33 gateway postfix/smtpd[3426]: disconnect from unknown[195.41.53.68] Dec 18 09:14:33 gateway postfix/nqmgr[2501]: 3FC1C46D95: from=, size=8694, nrcpt=1 (queue active) Dec 18 10:14:33 gateway spamd[2606]: connection from localhost.localdomain [127.0.0.1] at port 1039 Dec 18 10:14:33 gateway spamd[3556]: info: setuid to filter succeeded Dec 18 10:14:33 gateway spamd[3556]: processing message <200312180914.hBI9E746013163@verbose.twistedhistory.com> for filter:100. Dec 18 10:14:41 gateway MailScanner[3568]: MailScanner E-Mail Virus Scanner version 4.24-5 starting... Dec 18 10:14:43 gateway MailScanner[3568]: /var/spool/incoming is not owned by user 89 ! How can I solve those errors ?. -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From sevans at FOUNDATION.SDSU.EDU Thu Dec 18 16:39:15 2003 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:21:36 2006 Subject: Rejecting Mail at RCPT Message-ID: <3A411846CD3C0D4CB3D8704F93735370164233@be-00.foundation.sdsu.edu> I'd like to see it to. 
Steve Evans
SDSU Foundation

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Spicer, Kevin
Sent: Thursday, December 18, 2003 8:18 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Rejecting Mail at RCPT

Pete wrote:
> I have a great perl script that will pull all the email addresses from
> AD and make an access map for postfix - "user@domain.com OK" is the
> access map format for postfix, should be easy enough to change to
> whatever sendmail requires? Far better than doing a query on your AD
> for every new mail that arrives, and less prone to failure of delivery
> should the AD become unavailable, even if briefly. Will email you
> tomorrow if you like - does your AD have MS Exchange info?

It does indeed. Sounds good to me - I'd love to see your script. Does it
run on the MailScanner box, or does it go on the Exchange box and then
just copy the file out?

From raymond at PROLOCATION.NET Thu Dec 18 16:47:19 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:36 2006
Subject: Rejecting Mail at RCPT
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB00164992A@pascal.priv.bmrb.co.uk>
Message-ID:

Hi!

> >> Does anybody know of a way to get Sendmail to check with a remote
> >> SMTP server to see if a user is valid at the RCPT TO:?
> >> At my site, a good portion of the spam we get is to invalid users.
> >> If i can get Sendmail to check with the Remote SMTP server
> >> before it queues it, that would reduce the amount of spam on my site
> >> by at least 30%!

> > Put your users in LDAP and check with LDAP on your frontend servers.

> Does anyone whether its possible to check against Active Directory (it
> is LDAP after all)? I tried once and failed - and never had the time to
> pursue it. If so, is there a howto anywhere?

AD will always be your 'master' but yes, you can still let it
authenticate via LDAP.

Bye,
Raymond.
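
Julian Field's reply earlier in this thread says that MailScanner builds the Postfix trigger path by replacing the last word of the queue directory with "public" and adding "/qmgr", and that qmgr is a pipe rather than a normal file; the "not owned by user 89" log lines are a separate ownership check on the same directory. The script below is an added example, not code from MailScanner or from any poster: the function names are hypothetical, and it works on a scratch directory it builds itself rather than on /var/spool.

```sh
#!/bin/sh
# Added illustration. Function names are hypothetical, not MailScanner's own.

# Derive the trigger path as described in the thread: replace the last word
# of the queue directory with "public", then append "/qmgr".
derive_qmgr_path() {
    queue_dir=${1%/}                      # tolerate one trailing slash
    case $queue_dir in
        */*) parent=${queue_dir%/*} ;;
        *)   parent=. ;;                  # bare directory name
    esac
    printf '%s/public/qmgr\n' "$parent"
}

# Numeric owner of a path: third field of "ls -ldn".
owner_uid() {
    ls -ldn "$1" | awk '{print $3}'
}

# What actually sits at the derived trigger path.
trigger_state() {
    if [ -p "$1" ]; then echo fifo            # named pipe, as Postfix creates it
    elif [ -e "$1" ]; then echo not-a-fifo    # e.g. a regular file left by a copy
    else echo missing
    fi
}

# One-line report for a queue directory and the uid the scanner runs as.
check_queue() {
    qdir=$1
    want_uid=$2
    trigger=$(derive_qmgr_path "$qdir")
    if [ ! -d "$qdir" ]; then owner=no-such-dir
    elif [ "$(owner_uid "$qdir")" = "$want_uid" ]; then owner=ok
    else owner=wrong
    fi
    printf '%s owner=%s trigger=%s\n' "$trigger" "$owner" "$(trigger_state "$trigger")"
}

# Constructed layout: one tree shaped like /var/spool/postfix with a real
# FIFO, one shaped like the hand-made /var/spool/incoming from the thread.
demo() {
    scratch=$(mktemp -d) || return 1
    mkdir -p "$scratch/postfix/incoming" "$scratch/postfix/public" \
             "$scratch/incoming" "$scratch/public"
    mkfifo "$scratch/postfix/public/qmgr"
    : > "$scratch/public/qmgr"            # regular file standing in for a copy
    me=$(id -u)
    check_queue "$scratch/postfix/incoming" "$me"
    check_queue "$scratch/incoming" "$me"
    check_queue "$scratch/incoming" 89    # uid named in the log lines
    rm -rf "$scratch"
}

demo
```

Ownership is set with chown, not chmod, so a wrong owner reported here is not changed by adjusting the mode bits.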
From eja at URBAKKEN.DK Thu Dec 18 16:51:03 2003 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:36 2006 Subject: More errors. In-Reply-To: <6.0.1.1.2.20031218161856.03f63aa8@imap.ecs.soton.ac.uk> References: <3FE17080.1030107@urbakken.dk> <3FE1809F.80501@urbakken.dk> <3FE188F4.9060307@eatathome.com.au> <3FE1A50D.8080802@urbakken.dk> <3FE1B899.5080603@urbakken.dk> <3FE1C0B9.6090505@urbakken.dk> <3FE1D1DC.5030302@urbakken.dk> <6.0.1.1.2.20031218161856.03f63aa8@imap.ecs.soton.ac.uk> Message-ID: <3FE1DAF7.7000304@urbakken.dk> Julian Field wrote: > At 16:12 18/12/2003, you wrote: > >> Erik Jakobsen wrote: >> >>>> Where is the /var/spool/public/qmgr defined ?. >>>> I can find /var/spool/postfix/public/qmgr >>>> Or where is that defined ?. >>> >>> >>> Where is the MailScanner KickMessage defined to write to ? >> >> >> I copied the /var/spool/postfix/public/qmgr to the /var/spool/public >> directory. >> >> I don't think its correct. My errors about a lacking qmgr file >> dissappeared, but unfortuantely my mail delivering oalso did :-( > > > The qmgr isn't a normal file. Do an "ls -l" on it and you will see that > it's a pipe, created by Postfix. > MailScanner takes the outgoing queue directory (normally > /var/spool/postfix/incoming), and replaces the last word with "public" then > tacks "/qmgr" on the end. > So you turn > /var/spool/postfix/incoming > into > /var/spool/postfix/public/qmgr I have seen it Julian. its has pwr in the first 3 places if taking the ls -l. All understood but where do I turn the path ?. It asks for /var/spool/public/qmgr, but this is wrong I think. Thank you so much for your reply. I felt myself a bit trapped :-). By the way, I have downloaded the 2.0 postfix, but there seems not to be any scripts for chroot jail for Redhat, as I have read there should be in the install doc for MailScanner under Postfix. 
> -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From tony.johansson at SVENSKAKYRKAN.SE Thu Dec 18 16:49:29 2003 From: tony.johansson at SVENSKAKYRKAN.SE (Tony Johansson) Date: Thu Jan 12 21:21:36 2006 Subject: Spam/bounce problem Message-ID: On Thu, 18 Dec 2003 10:16:42 -0600, James Pattie wrote: >| >| The flow is something like this: >| >| 1. Spammer sends spam to abc@domain.com, spam has the spoofed return >| address xyz@school.com >| 2. No such user at domain.com/mailbox full/disabled etc >| 3. Mail bounces to xyz@school.com (with return path "<>") >| 4. Smtpgate at school.com (running mailscanner) accepts message, forwards >| to internal server >| 5. Internal server sees that the address xyz@school.com is non-existant >| 6. Internal server tries to bounce the message, to xyz@school.com, but >| naturally it cannot be delivered >| 7. Message is sent to postmaster@school.com, "I tried to deliver a bounce >| message to this address, but the bounce bounced!" >| >| Does anyone have a remedy for this problem? >| > >use the sendmail double bounce suppression feature talked about recently on this >list. Yes, but that would only help step 7. That step is no problem, apart from all the emails to postmaster. Its step 4 that has problems keeping up. Since its quite hard to separate "real" bounces from those described above, I think the best solution would be to somehow put all incoming bounces in a separate mqueue.in, putting real email in a higher priority queue. Question is, how?... 
Regards, Tony From sysadmin at FLEETONE.COM Thu Dec 18 16:44:26 2003 From: sysadmin at FLEETONE.COM (Rob Freeman) Date: Thu Jan 12 21:21:36 2006 Subject: SpamAssassin installation could not be found References: <5.2.1.1.0.20031215134440.02da5370@pop.courtesymortgage.com> Message-ID: <057301c3c586$328655e0$45a610ac@fleetone.com> We have just installed MailScanner 4.25.14 and spamassassin version 2.61 on RH9. We installed spamassassin first using the following rpm's: spamassassin-2.61-1.i386.rpm spamassassin-tools-2.61-1.i386.rpm perl-Mail-SpamAssassin-2.61-1.i386.rpm We are able to start and stop the spamassassin module. Next, we install MailScanner, performed the disableing of sendmail and fired up MailScanner. So far, so good. Next, we changed the setting in MailScanner.conf to use spamassassin. After starting up MailScanner, we get this in the /var/log/maillog: MailScanner[24656]: MailScanner E-Mail Virus Scanner version 4.25-14 starting... farina MailScanner[24656]: SpamAssassin installation could not be found I checked the MailScanner faq, and found a similar issue, but we do not have the perl folder listed at /usr/lib/perl5/5.6.1/Mail. Anyone else have this problem? Thanks Rob From eja at URBAKKEN.DK Thu Dec 18 17:00:14 2003 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:36 2006 Subject: More errors. In-Reply-To: <3FE1DAF7.7000304@urbakken.dk> References: <3FE17080.1030107@urbakken.dk> <3FE1809F.80501@urbakken.dk> <3FE188F4.9060307@eatathome.com.au> <3FE1A50D.8080802@urbakken.dk> <3FE1B899.5080603@urbakken.dk> <3FE1C0B9.6090505@urbakken.dk> <3FE1D1DC.5030302@urbakken.dk> <6.0.1.1.2.20031218161856.03f63aa8@imap.ecs.soton.ac.uk> <3FE1DAF7.7000304@urbakken.dk> Message-ID: <3FE1DD1E.6070000@urbakken.dk> Erik Jakobsen wrote: > Julian Field wrote: > >> At 16:12 18/12/2003, you wrote: >> >>> Erik Jakobsen wrote: >>> >>>>> Where is the /var/spool/public/qmgr defined ?. >>>>> I can find /var/spool/postfix/public/qmgr >>>>> Or where is that defined ?. 
>>>> >>>> >>>> >>>> Where is the MailScanner KickMessage defined to write to ? >>> >>> >>> >>> I copied the /var/spool/postfix/public/qmgr to the /var/spool/public >>> directory. >>> >>> I don't think its correct. My errors about a lacking qmgr file >>> dissappeared, but unfortuantely my mail delivering oalso did :-( >> >> >> >> The qmgr isn't a normal file. Do an "ls -l" on it and you will see that >> it's a pipe, created by Postfix. >> MailScanner takes the outgoing queue directory (normally >> /var/spool/postfix/incoming), and replaces the last word with "public" >> then >> tacks "/qmgr" on the end. >> So you turn >> /var/spool/postfix/incoming >> into >> /var/spool/postfix/public/qmgr > Hi again Julian. I edited the /etc/MailScanner/MailScanner.conf file, but it complains about the qmgr in the final ?. > I have seen it Julian. its has pwr in the first 3 places if taking the > ls -l. > > All understood but where do I turn the path ?. It asks for > /var/spool/public/qmgr, but this is wrong I think. > > Thank you so much for your reply. I felt myself a bit trapped :-). > > By the way, I have downloaded the 2.0 postfix, but there seems not to be > any scripts for chroot jail for Redhat, as I have read there should be > in the install doc for MailScanner under Postfix. > >> -- >> Julian Field >> www.MailScanner.info >> MailScanner thanks transtec Computers for their support >> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> >> > > > -- > Med venlig hilsen - Best regards. > Erik Jakobsen - eja@urbakken.dk. > Licensed radioamateur with the callsign OZ4KK. > SuSE Linux 8.2 Proff. > Registered as user #319488 with the Linux Counter, http://counter.li.org. > > -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. 
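Julian's rule quoted in this message (take the outgoing queue directory, replace the last word with "public", append "/qmgr", and expect a pipe there) written out as a check. This is an added example, not MailScanner's own code: the function names are hypothetical, and the config snippets and the temporary spool tree are constructed. It goes slightly beyond the message by also checking that the `Dir` settings named in this thread point at directories.

```python
import os
import stat
import tempfile

# Settings from this thread that must point at directories.
DIR_SETTINGS = ("Incoming Queue Dir", "Outgoing Queue Dir", "Incoming Work Dir")

# Constructed config snippets, not complete MailScanner.conf files.
GOOD_CONF = """\
# Set where to unpack incoming messages before scanning them
Incoming Work Dir = /var/spool/MailScanner/incoming
Outgoing Queue Dir = /var/spool/postfix/incoming
"""
BAD_CONF = """\
Outgoing Queue Dir = /var/spool/mqueue
Incoming Work Dir = /var/spool/postfix/public/qmgr
"""


def parse_conf(text):
    """Parse 'Name = value' lines into a dict keyed by lower-cased name."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        settings[" ".join(name.split()).lower()] = value.strip()
    return settings


def qmgr_fifo_path(outgoing_queue_dir):
    """Replace the last path component with 'public' and append 'qmgr'."""
    parent = os.path.dirname(outgoing_queue_dir.rstrip("/"))
    return os.path.join(parent, "public", "qmgr")


def file_kind(path):
    """Classify a path the way the first column of 'ls -l' does."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return "missing"
    if stat.S_ISDIR(mode):
        return "directory"
    if stat.S_ISFIFO(mode):
        return "fifo"
    if stat.S_ISSOCK(mode):
        return "socket"
    if stat.S_ISREG(mode):
        return "regular file"
    return "other"


def check_conf(text, root=""):
    """Return a list of problems; 'root' prefixes every path (for test trees)."""
    settings = parse_conf(text)
    problems = []
    for name in DIR_SETTINGS:
        value = settings.get(name.lower())
        if value is None:
            continue
        kind = file_kind(root + value)
        if kind != "directory":
            problems.append(f"{name} = {value}: expected directory, found {kind}")
    outgoing = settings.get("outgoing queue dir")
    if outgoing:
        fifo = qmgr_fifo_path(outgoing)
        kind = file_kind(root + fifo)
        if kind != "fifo":
            problems.append(f"{fifo}: expected fifo, found {kind}")
    return problems


def demo():
    """Build a constructed spool tree in a temp dir and check both snippets."""
    with tempfile.TemporaryDirectory() as root:
        for d in ("/var/spool/postfix/incoming", "/var/spool/postfix/public",
                  "/var/spool/MailScanner/incoming", "/var/spool/mqueue",
                  "/var/spool/public"):
            os.makedirs(root + d)
        os.mkfifo(root + "/var/spool/postfix/public/qmgr")  # the real pipe
        # A copy made with a plain file tool ends up as a regular file:
        with open(root + "/var/spool/public/qmgr", "w"):
            pass
        return check_conf(GOOD_CONF, root), check_conf(BAD_CONF, root)


if __name__ == "__main__":
    good, bad = demo()
    print("good:", good)
    for problem in bad:
        print("bad: ", problem)
```

Under this rule, any outgoing queue directory directly below `/var/spool` (the constructed `/var/spool/mqueue` here) yields `/var/spool/public/qmgr`, so the path in the error message shows what `Outgoing Queue Dir` is currently set to.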
From martinh at SOLID-STATE-LOGIC.COM Thu Dec 18 17:01:22 2003 From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:21:36 2006 Subject: SpamAssassin installation could not be found In-Reply-To: <057301c3c586$328655e0$45a610ac@fleetone.com> References: <5.2.1.1.0.20031215134440.02da5370@pop.courtesymortgage.com> <057301c3c586$328655e0$45a610ac@fleetone.com> Message-ID: <3FE1DD62.5070109@solid-state-logic.com> Rob did you install all the perl modules that MailScanner needs as well? -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Rob Freeman wrote: > We have just installed MailScanner 4.25.14 and spamassassin version 2.61 on > RH9. We installed spamassassin first using the following rpm's: > > spamassassin-2.61-1.i386.rpm > spamassassin-tools-2.61-1.i386.rpm > perl-Mail-SpamAssassin-2.61-1.i386.rpm > > We are able to start and stop the spamassassin module. > > Next, we install MailScanner, performed the disableing of sendmail and fired > up MailScanner. So far, so good. > > Next, we changed the setting in MailScanner.conf to use spamassassin. After > starting up MailScanner, we get this in the /var/log/maillog: > > > MailScanner[24656]: MailScanner E-Mail Virus Scanner version 4.25-14 > starting... > farina MailScanner[24656]: SpamAssassin installation could not be found > > I checked the MailScanner faq, and found a similar issue, but we do not have > the perl folder listed at /usr/lib/perl5/5.6.1/Mail. > > Anyone else have this problem? > > Thanks > > Rob ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. 
********************************************************************** From raymond at PROLOCATION.NET Thu Dec 18 17:06:02 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:36 2006 Subject: Rejecting Mail at RCPT In-Reply-To: <6.0.0.22.0.20031218101742.02dd8560@mail.enhtech.com> Message-ID: Hi! > >Put your users in LDAP and check with LDAP on your frontend servers. > > > >Bye, > >Raymond > > > I have not tested this, but does this work when sendmail is run in > queueonly delivery mode? Its in queueonly, but still it should check RCPT, thats what it does now also. Your access file also still works :) Bye, Raymond. From sysadmin at FLEETONE.COM Thu Dec 18 17:05:31 2003 From: sysadmin at FLEETONE.COM (Rob Freeman) Date: Thu Jan 12 21:21:36 2006 Subject: SpamAssassin installation could not be found References: <5.2.1.1.0.20031215134440.02da5370@pop.courtesymortgage.com> <057301c3c586$328655e0$45a610ac@fleetone.com> <3FE1DD62.5070109@solid-state-logic.com> Message-ID: <058901c3c589$24a63690$45a610ac@fleetone.com> I ran the Update-MakeMaker.sh and the install.sh. Do those not install all the perl mods, or have I missed something? Rob ----- Original Message ----- From: "Martin Hepworth" To: Sent: Thursday, December 18, 2003 11:01 AM Subject: Re: SpamAssassin installation could not be found > Rob > > did you install all the perl modules that MailScanner needs as well? > > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > > Rob Freeman wrote: > > We have just installed MailScanner 4.25.14 and spamassassin version 2.61 on > > RH9. We installed spamassassin first using the following rpm's: > > > > spamassassin-2.61-1.i386.rpm > > spamassassin-tools-2.61-1.i386.rpm > > perl-Mail-SpamAssassin-2.61-1.i386.rpm > > > > We are able to start and stop the spamassassin module. > > > > Next, we install MailScanner, performed the disableing of sendmail and fired > > up MailScanner. So far, so good. 
> > > > Next, we changed the setting in MailScanner.conf to use spamassassin. After > > starting up MailScanner, we get this in the /var/log/maillog: > > > > > > MailScanner[24656]: MailScanner E-Mail Virus Scanner version 4.25-14 > > starting... > > farina MailScanner[24656]: SpamAssassin installation could not be found > > > > I checked the MailScanner faq, and found a similar issue, but we do not have > > the perl folder listed at /usr/lib/perl5/5.6.1/Mail. > > > > Anyone else have this problem? > > > > Thanks > > > > Rob > > > > ********************************************************************** > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. > > ********************************************************************** From raymond at PROLOCATION.NET Thu Dec 18 17:10:36 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:36 2006 Subject: SpamAssassin installation could not be found In-Reply-To: <057301c3c586$328655e0$45a610ac@fleetone.com> Message-ID: Hi! > spamassassin-2.61-1.i386.rpm > spamassassin-tools-2.61-1.i386.rpm > perl-Mail-SpamAssassin-2.61-1.i386.rpm > > We are able to start and stop the spamassassin module. > > Next, we install MailScanner, performed the disableing of sendmail and fired > up MailScanner. So far, so good. > > Next, we changed the setting in MailScanner.conf to use spamassassin. After > starting up MailScanner, we get this in the /var/log/maillog: Once more. Rebuild the SA RPMs from SRPM or install via CPAN. The plain RPM is known to cause trouble. Bye, Raymond. From dh at UPTIME.AT Thu Dec 18 17:38:02 2003 From: dh at UPTIME.AT (David H.) 
Date: Thu Jan 12 21:21:36 2006
Subject: SPF was->(Re: Yahoo Developing Open Source Server Software For Spam-Resistant E-Mail)
In-Reply-To: <4E00B1A9-3173-11D8-B2D9-003065F939FE@ucsc.edu>
References: <8FFC76593085ED4A80D3601BC41EFCDF037335CE@inex1.herffjones.hj-int> <6.0.1.1.2.20031215173348.03c1c8b0@imap.ecs.soton.ac.uk> <20031218064645.GM12080@hoiho.nz.lemon-computing.com> <3FE1528A.8020303@uptime.at> <4E00B1A9-3173-11D8-B2D9-003065F939FE@ucsc.edu>
Message-ID: <3FE1E5FA.5030806@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

John Rudd wrote:
>
> For insecure authentication methods, provide SMTP+SSL, allowing the
> authentication information to be protected by SSL if it's not being
> protected by a secure SASL.
>

This is exactly what I mean. It introduces hassles which are almost impossible to deal with in a very large setup. Especially with SSL on multiple Servers. Each Server _should_ have a properly signed SSL Certificate. Self-signed Certificates might be an option in an environment where no trust is needed, but in this setup, I want the users to also trust the SSL Certificate they are seeing.

> For password synchronization, use kerberos and multiple KDCs to
> distribute the authentication load. Hopefully both via plain text
> SMTP-AUTH (because there are too many MUAs that don't support kerberos)
> and via GSSAPI-SASL for SMTP-AUTH (for good MUAs).

Once more. Storing such data in LDAP or Kerberos is of course no "technical issue" but it quickly becomes an issue in very large setups. a) Who will be the administrator b) Who covers the additional costs and so on. The problem with prevention measures against SPAM is, that they cannot outweigh the costs caused by bad Email. If it costs me 10K to stop Spam at a 99% level with MailScanner but it costs me 35K to run and administrate SPF, guess who will always win :)

>
> (here at UCSC, our new mail servers are using SMTP+SSL and plain text
> SMTP-AUTH, that is checked against the user's kerberos password; the MTA
> is CommuniGate Pro using an external authenticator that checks against
> kerberos
> )

How many points of failure do you see in that setup ? Once more an issue I pointed out above. The likelihood that something goes "wrong" is increased by the complexity of the system.

- -d
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/4eX+PMoaMn4kKR4RA6BuAKCRvnco1zd8h/M88L/OZzVkAtL96wCfSHFd
1tmufmW25lk61sRba1oSnoA=
=hrhF
-----END PGP SIGNATURE-----

From eja at URBAKKEN.DK Thu Dec 18 17:40:02 2003
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:21:36 2006
Subject: More errors.
In-Reply-To: <3FE1DAF7.7000304@urbakken.dk>
References: <3FE17080.1030107@urbakken.dk> <3FE1809F.80501@urbakken.dk> <3FE188F4.9060307@eatathome.com.au> <3FE1A50D.8080802@urbakken.dk> <3FE1B899.5080603@urbakken.dk> <3FE1C0B9.6090505@urbakken.dk> <3FE1D1DC.5030302@urbakken.dk> <6.0.1.1.2.20031218161856.03f63aa8@imap.ecs.soton.ac.uk> <3FE1DAF7.7000304@urbakken.dk>
Message-ID: <3FE1E672.1000502@urbakken.dk>

Latest info:

From tail -f /var/log/maillog:

Dec 18 18:37:26 gateway MailScanner[3404]: MailScanner E-Mail Virus Scanner version 4.24-5 starting...
Dec 18 18:37:27 gateway MailScanner[3404]: Could not read directory /var/spool/postfix/public/qmgr
Dec 18 18:37:27 gateway MailScanner[3404]: Error in configuration file line 101, directory /var/spool/postfix/public/qmgr for incomingworkdir does not exist (or is not readable)
Dec 18 18:37:30 gateway ipop3d[3405]: pop3 service init from 192.168.1.169
Dec 18 18:37:30 gateway ipop3d[3405]: Login user=eja host=[192.168.1.169] nmsgs=0/0
Dec 18 18:37:33 gateway ipop3d[3405]: Logout user=eja host=[192.168.1.169] nmsgs=0 ndele=0
Dec 18 18:37:36 gateway MailScanner[3428]: MailScanner E-Mail Virus Scanner version 4.24-5 starting...
Dec 18 18:37:37 gateway MailScanner[3428]: Could not read directory /var/spool/postfix/public/qmgr
Dec 18 18:37:38 gateway MailScanner[3428]: Error in configuration file line 101, directory /var/spool/postfix/public/qmgr for incomingworkdir does not exist (or is not readable)

And also mails cannot be fetched as shown in the logfile.

From /etc/MailScanner/MailScanner.conf:

# Set where to unpack incoming messages before scanning them
Incoming Work Dir = /var/spool/postfix/public/qmgr

--
Med venlig hilsen - Best regards.
Erik Jakobsen - eja@urbakken.dk.
Licensed radioamateur with the callsign OZ4KK.
SuSE Linux 8.2 Proff.
Registered as user #319488 with the Linux Counter, http://counter.li.org.

From eja at URBAKKEN.DK Thu Dec 18 17:43:45 2003
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:21:36 2006
Subject: More errors.
In-Reply-To: <3FE1E672.1000502@urbakken.dk> References: <3FE17080.1030107@urbakken.dk> <3FE1809F.80501@urbakken.dk> <3FE188F4.9060307@eatathome.com.au> <3FE1A50D.8080802@urbakken.dk> <3FE1B899.5080603@urbakken.dk> <3FE1C0B9.6090505@urbakken.dk> <3FE1D1DC.5030302@urbakken.dk> <6.0.1.1.2.20031218161856.03f63aa8@imap.ecs.soton.ac.uk> <3FE1DAF7.7000304@urbakken.dk> <3FE1E672.1000502@urbakken.dk> Message-ID: <3FE1E751.6020006@urbakken.dk> Erik Jakobsen wrote: > Latest info: > > From tail -f /var/log/maillog: > > Dec 18 18:37:26 gateway MailScanner[3404]: MailScanner E-Mail Virus > Scanner version 4.24-5 starting... > Dec 18 18:37:27 gateway MailScanner[3404]: Could not read directory > /var/spool/postfix/public/qmgr > Dec 18 18:37:27 gateway MailScanner[3404]: Error in configuration file > line 101, directory /var/spool/postfix/public/qmgr for incomingworkdir > does not exist (or is not readable) > Dec 18 18:37:30 gateway ipop3d[3405]: pop3 service init from 192.168.1.169 > Dec 18 18:37:30 gateway ipop3d[3405]: Login user=eja > host=[192.168.1.169] nmsgs=0/0 > Dec 18 18:37:33 gateway ipop3d[3405]: Logout user=eja > host=[192.168.1.169] nmsgs=0 ndele=0 > Dec 18 18:37:36 gateway MailScanner[3428]: MailScanner E-Mail Virus > Scanner version 4.24-5 starting... > Dec 18 18:37:37 gateway MailScanner[3428]: Could not read directory > /var/spool/postfix/public/qmgr > Dec 18 18:37:38 gateway MailScanner[3428]: Error in configuration file > line 101, directory /var/spool/postfix/public/qmgr for incomingworkdir > does not exist (or is not readable) > > And also mails cannot be fetched as shown in the logfile. 
>
>
> From /etc/MailScanner/MailScanner.conf:
>
> # Set where to unpack incoming messages before scanning them
> Incoming Work Dir = /var/spool/postfix/public/qmgr
>

ls -l shows:

srw-rw-rw- 1 postfix postfix 0 Dec 18 18:40 cleanup
srw-rw-rw- 1 postfix postfix 0 Dec 18 18:40 flush
prw--w--w- 1 postfix postfix 0 Dec 18 18:42 pickup
prw--w--w- 1 postfix postfix 0 Dec 18 18:42 qmgr
srw-rw-rw- 1 postfix postfix 0 Dec 18 18:40 showq

> --
> Med venlig hilsen - Best regards.
> Erik Jakobsen - eja@urbakken.dk.
> Licensed radioamateur with the callsign OZ4KK.
> SuSE Linux 8.2 Proff.
> Registered as user #319488 with the Linux Counter, http://counter.li.org.
>
>

--
Med venlig hilsen - Best regards.
Erik Jakobsen - eja@urbakken.dk.
Licensed radioamateur with the callsign OZ4KK.
SuSE Linux 8.2 Proff.
Registered as user #319488 with the Linux Counter, http://counter.li.org.

From michele at BLACKNIGHTSOLUTIONS.COM Thu Dec 18 17:49:12 2003
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:21:36 2006
Subject: SpamAssassin installation could not be found
In-Reply-To:
Message-ID:

Installing from the .tar.gz or CPAN is safest. If it's the first install on a fresh RH9 box watch out for the UTF error...

Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9137101
Lowest price domains in Ireland

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Raymond Dijkxhoorn
> Sent: 18 December 2003 17:11
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: SpamAssassin installation could not be found
>
>
> Hi!
>
> > spamassassin-2.61-1.i386.rpm
> > spamassassin-tools-2.61-1.i386.rpm
> > perl-Mail-SpamAssassin-2.61-1.i386.rpm
> >
> > We are able to start and stop the spamassassin module.
> >
> > Next, we install MailScanner, performed the disabling of
> sendmail and fired
> > up MailScanner. So far, so good.
> > > > Next, we changed the setting in MailScanner.conf to use > spamassassin. After > > starting up MailScanner, we get this in the /var/log/maillog: > > Once more. > > Rebuild the SA RPMs from SRPM or install via CPAN. The plain RPM is known > to cause trouble. > > Bye, > Raymond. > From mailscanner at ecs.soton.ac.uk Thu Dec 18 17:54:00 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:36 2006 Subject: More errors. In-Reply-To: <3FE1E672.1000502@urbakken.dk> References: <3FE17080.1030107@urbakken.dk> <3FE1809F.80501@urbakken.dk> <3FE188F4.9060307@eatathome.com.au> <3FE1A50D.8080802@urbakken.dk> <3FE1B899.5080603@urbakken.dk> <3FE1C0B9.6090505@urbakken.dk> <3FE1D1DC.5030302@urbakken.dk> <6.0.1.1.2.20031218161856.03f63aa8@imap.ecs.soton.ac.uk> <3FE1DAF7.7000304@urbakken.dk> <3FE1E672.1000502@urbakken.dk> Message-ID: <6.0.1.1.2.20031218175238.02839cf0@imap.ecs.soton.ac.uk> At 17:40 18/12/2003, you wrote: >Latest info: > > From tail -f /var/log/maillog: > >Dec 18 18:37:26 gateway MailScanner[3404]: MailScanner E-Mail Virus >Scanner version 4.24-5 starting... >Dec 18 18:37:27 gateway MailScanner[3404]: Could not read directory >/var/spool/postfix/public/qmgr >Dec 18 18:37:27 gateway MailScanner[3404]: Error in configuration file >line 101, directory /var/spool/postfix/public/qmgr for incomingworkdir >does not exist (or is not readable) >Dec 18 18:37:30 gateway ipop3d[3405]: pop3 service init from 192.168.1.169 >Dec 18 18:37:30 gateway ipop3d[3405]: Login user=eja >host=[192.168.1.169] nmsgs=0/0 >Dec 18 18:37:33 gateway ipop3d[3405]: Logout user=eja >host=[192.168.1.169] nmsgs=0 ndele=0 >Dec 18 18:37:36 gateway MailScanner[3428]: MailScanner E-Mail Virus >Scanner version 4.24-5 starting... 
>Dec 18 18:37:37 gateway MailScanner[3428]: Could not read directory >/var/spool/postfix/public/qmgr >Dec 18 18:37:38 gateway MailScanner[3428]: Error in configuration file >line 101, directory /var/spool/postfix/public/qmgr for incomingworkdir >does not exist (or is not readable) > >And also mails cannot be fetched as shown in the logfile. > > > From /etc/MailScanner/MailScanner.conf: > ># Set where to unpack incoming messages before scanning them >Incoming Work Dir = /var/spool/postfix/public/qmgr That's completely wrong. Please read the comment. Why would you want to unpack incoming messages into a pipe called qmgr? Surely unpacking into a directory would make more sense. I really do try to document these things as clearly as possible. Put it back to /var/spool/MailScanner/incoming like it was before you started tweaking. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From TGFurnish at HERFF-JONES.COM Thu Dec 18 17:55:44 2003 From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:21:36 2006 Subject: Return-Path: <> Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF02A606FE@inex1.herffjones.hj-int> The empty return path is intentional and appropriate. Bounce messages are things for which a "return" - a response from the person receiving the bounce - would be inappropriate, since they would be responding to a daemon. 
> -----Original Message----- > From: Paul van Brouwershaven > [mailto:p.vanbrouwershaven@NETWORKING4ALL.COM] > Sent: Thursday, December 18, 2003 2:14 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Return-Path: <> > > > Is there a way to set the Return-Path, in all the bounced > messages that > MailScanner send the Return-Path is set like this: > > Return-Path: <> > > Thanks, > > Paul > From sysadmin at FLEETONE.COM Thu Dec 18 17:58:51 2003 From: sysadmin at FLEETONE.COM (Rob Freeman) Date: Thu Jan 12 21:21:36 2006 Subject: SpamAssassin installation could not be found References: Message-ID: <05ad01c3c590$98093a90$45a610ac@fleetone.com> Worked like a charm using cpan. Thanks Rob ----- Original Message ----- From: "Raymond Dijkxhoorn" To: Sent: Thursday, December 18, 2003 11:10 AM Subject: Re: SpamAssassin installation could not be found > Hi! > > > spamassassin-2.61-1.i386.rpm > > spamassassin-tools-2.61-1.i386.rpm > > perl-Mail-SpamAssassin-2.61-1.i386.rpm > > > > We are able to start and stop the spamassassin module. > > > > Next, we install MailScanner, performed the disableing of sendmail and fired > > up MailScanner. So far, so good. > > > > Next, we changed the setting in MailScanner.conf to use spamassassin. After > > starting up MailScanner, we get this in the /var/log/maillog: > > Once more. > > Rebuild the SA RPMs from SRPM or install via CPAN. The plain RPM is known > to cause trouble. > > Bye, > Raymond. From mailscanner at ecs.soton.ac.uk Thu Dec 18 18:02:16 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:36 2006 Subject: More errors. 
In-Reply-To: <6.0.1.1.2.20031218175238.02839cf0@imap.ecs.soton.ac.uk> References: <3FE17080.1030107@urbakken.dk> <3FE1809F.80501@urbakken.dk> <3FE188F4.9060307@eatathome.com.au> <3FE1A50D.8080802@urbakken.dk> <3FE1B899.5080603@urbakken.dk> <3FE1C0B9.6090505@urbakken.dk> <3FE1D1DC.5030302@urbakken.dk> <6.0.1.1.2.20031218161856.03f63aa8@imap.ecs.soton.ac.uk> <3FE1DAF7.7000304@urbakken.dk> <3FE1E672.1000502@urbakken.dk> <6.0.1.1.2.20031218175238.02839cf0@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20031218180128.04249e28@imap.ecs.soton.ac.uk> At 17:54 18/12/2003, you wrote: >At 17:40 18/12/2003, you wrote: >>Latest info: >> >> From tail -f /var/log/maillog: >> >>Dec 18 18:37:26 gateway MailScanner[3404]: MailScanner E-Mail Virus >>Scanner version 4.24-5 starting... >>Dec 18 18:37:27 gateway MailScanner[3404]: Could not read directory >>/var/spool/postfix/public/qmgr >>Dec 18 18:37:27 gateway MailScanner[3404]: Error in configuration file >>line 101, directory /var/spool/postfix/public/qmgr for incomingworkdir >>does not exist (or is not readable) >>Dec 18 18:37:30 gateway ipop3d[3405]: pop3 service init from 192.168.1.169 >>Dec 18 18:37:30 gateway ipop3d[3405]: Login user=eja >>host=[192.168.1.169] nmsgs=0/0 >>Dec 18 18:37:33 gateway ipop3d[3405]: Logout user=eja >>host=[192.168.1.169] nmsgs=0 ndele=0 >>Dec 18 18:37:36 gateway MailScanner[3428]: MailScanner E-Mail Virus >>Scanner version 4.24-5 starting... >>Dec 18 18:37:37 gateway MailScanner[3428]: Could not read directory >>/var/spool/postfix/public/qmgr >>Dec 18 18:37:38 gateway MailScanner[3428]: Error in configuration file >>line 101, directory /var/spool/postfix/public/qmgr for incomingworkdir >>does not exist (or is not readable) >> >>And also mails cannot be fetched as shown in the logfile. >> >> >> From /etc/MailScanner/MailScanner.conf: >> >># Set where to unpack incoming messages before scanning them >>Incoming Work Dir = /var/spool/postfix/public/qmgr > >That's completely wrong. Please read the comment. 
Why would you want to
>unpack incoming messages into a pipe called qmgr? Surely unpacking into a
>directory would make more sense. I really do try to document these things
>as clearly as possible. Put it back to /var/spool/MailScanner/incoming like
>it was before you started tweaking.

As the documentation clearly states, the changes you need to make for Postfix support are these, and only these:

Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/postfix.in/deferred
Outgoing Queue Dir = /var/spool/postfix/incoming
MTA = postfix

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From eja at URBAKKEN.DK Thu Dec 18 18:06:57 2003
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:21:36 2006
Subject: More errors.
In-Reply-To: <6.0.1.1.2.20031218180128.04249e28@imap.ecs.soton.ac.uk>
References: <3FE17080.1030107@urbakken.dk> <3FE1809F.80501@urbakken.dk> <3FE188F4.9060307@eatathome.com.au> <3FE1A50D.8080802@urbakken.dk> <3FE1B899.5080603@urbakken.dk> <3FE1C0B9.6090505@urbakken.dk> <3FE1D1DC.5030302@urbakken.dk> <6.0.1.1.2.20031218161856.03f63aa8@imap.ecs.soton.ac.uk> <3FE1DAF7.7000304@urbakken.dk> <3FE1E672.1000502@urbakken.dk> <6.0.1.1.2.20031218175238.02839cf0@imap.ecs.soton.ac.uk> <6.0.1.1.2.20031218180128.04249e28@imap.ecs.soton.ac.uk>
Message-ID: <3FE1ECC1.8080203@urbakken.dk>

Julian Field wrote:
> At 17:54 18/12/2003, you wrote:
>
>> At 17:40 18/12/2003, you wrote:
>>
>>> Latest info:
>>>
>>> From tail -f /var/log/maillog:
>>>
>>> Dec 18 18:37:26 gateway MailScanner[3404]: MailScanner E-Mail Virus
>>> Scanner version 4.24-5 starting...
>>> Dec 18 18:37:27 gateway MailScanner[3404]: Could not read directory >>> /var/spool/postfix/public/qmgr >>> Dec 18 18:37:27 gateway MailScanner[3404]: Error in configuration file >>> line 101, directory /var/spool/postfix/public/qmgr for incomingworkdir >>> does not exist (or is not readable) >>> Dec 18 18:37:30 gateway ipop3d[3405]: pop3 service init from >>> 192.168.1.169 >>> Dec 18 18:37:30 gateway ipop3d[3405]: Login user=eja >>> host=[192.168.1.169] nmsgs=0/0 >>> Dec 18 18:37:33 gateway ipop3d[3405]: Logout user=eja >>> host=[192.168.1.169] nmsgs=0 ndele=0 >>> Dec 18 18:37:36 gateway MailScanner[3428]: MailScanner E-Mail Virus >>> Scanner version 4.24-5 starting... >>> Dec 18 18:37:37 gateway MailScanner[3428]: Could not read directory >>> /var/spool/postfix/public/qmgr >>> Dec 18 18:37:38 gateway MailScanner[3428]: Error in configuration file >>> line 101, directory /var/spool/postfix/public/qmgr for incomingworkdir >>> does not exist (or is not readable) >>> >>> And also mails cannot be fetched as shown in the logfile. >>> >>> >>> From /etc/MailScanner/MailScanner.conf: >>> >>> # Set where to unpack incoming messages before scanning them >>> Incoming Work Dir = /var/spool/postfix/public/qmgr >> >> >> That's completely wrong. Please read the comment. Why would you want to >> unpack incoming messages into a pipe called qmgr? Surely unpacking into a >> directory would make more sense. I really do try to document these things >> as clearly as possible. Put it back to /var/spool/MailScanner/incoming >> like >> it was before you started tweaking. > VERY sorry I did it wrong, but I didn't knew where I should turn /var/spool/postfix/incoming Into /var/spool/postfix/public/qmgr And I still not know where the line above to be turned are to be found ?. 
> As the documentation clearly states, the changes you need to make for
> Postfix support are these, and only these:
> Run As User = postfix
> Run As Group = postfix
> Incoming Queue Dir = /var/spool/postfix.in/deferred
> Outgoing Queue Dir = /var/spool/postfix/incoming
> MTA = postfix

I had it so, before I got the above information.

> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>

--
Med venlig hilsen - Best regards.
Erik Jakobsen - eja@urbakken.dk.
Licensed radioamateur with the callsign OZ4KK.
SuSE Linux 8.2 Proff.
Registered as user #319488 with the Linux Counter, http://counter.li.org.

From hmkash at ARL.ARMY.MIL Thu Dec 18 18:21:50 2003
From: hmkash at ARL.ARMY.MIL (Kash, Howard (Civ,ARL/CISD))
Date: Thu Jan 12 21:21:36 2006
Subject: MailScanner/Postfix message duplication - possible fix
Message-ID: <229A346E44379140A59A48951B56E0C0D405D6@ARLABML01.DS.ARL.ARMY.MIL>

I'm beginning to think you are correct. My patch doesn't seem to help.

Here is one method suggested by Peter Bates for putting messages in the hold queue:

> I'm using MS with Postfix in a slightly 'non-standard' way, but which
> is working fine for 13-15K messages we deal with (actually it might be
> more, I never bothered counting our outgoing email!)...
>
> I'm using a 'header_check' like so:
>
> In main.cf -
> header_checks = pcre:/etc/postfix/header_checks
>
> In header_checks -
>
> /^Received:.*by .*\.lshtm.ac.uk \(Postfix\)/ HOLD
>
> This puts the incoming mail in the 'hold' queue, and then
> I have in MailScanner.conf -
>
> Incoming Queue Dir = /var/spool/postfix/hold
> Outgoing Queue Dir = /var/spool/postfix/incoming

I think I'll give this a try.
Howard -----Original Message----- From: Drew Marshall [mailto:drew@THEMARSHALLS.CO.UK] Sent: Tuesday, December 16, 2003 5:54 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MailScanner/Postfix message duplication - possible fix I wonder if this is only part of the story. Not being a programmer (Or even someone who 'tinkers with code'!) please forgive me if I am being stupid or just plain don't understand :-) The queue manager runs the queues when it's either called by receipt of a 1byte message from another part of Postfix or when it's inactivity timer times out (As set in the master.cf file). I had a play with this to start with and when I set the idle timer to 28 days I still got duplicates and the 'skipped' log entry from when MailScanner happened to be picking up a queued file and the queue runner had been called by smtpd because it had just received a message. In some instances (One larger message of 9Mb) this meant on my slow system that I didn't just get duplicates but I got the damn thing 5 times, in various states of delivery as it spooled into the deferred queue. Now my gamble is that moving your times to 40 seconds or even more will probably not cure the problem as if your system is fairly busy the queue runner will be almost continuously running through the deferred queue as it collects mail and checks for messages that are due for attempted redelivery (I guess this happens on every visit to the queue to ensure that ageing messages are not left in deferred for too long). It's that check that could be the problem. If MS is just about to collect the message when the queue runner inspects the message for age (Not worth locking for? Don't know?) then the two paps collide and cause the situation as seen. It won't matter how long you tell MS to leave the message there for, the queue runner could still bump into the collection. 
On my much quieter system it will probably work more reliably for longer as the queue runner will be called less by smtpd an more by the inactivity timer. One way round this could be to send the messages to the hold queue as the queue runner never runs in there. Now just to get the messages there... As I say I could be talking rubbish and I'll go away and keep going with what ever experiment people want to fix this issue but I though it was worth knocking some thoughts about. Regards Drew From sysadmins at ENHTECH.COM Thu Dec 18 18:37:33 2003 From: sysadmins at ENHTECH.COM (Errol Neal) Date: Thu Jan 12 21:21:36 2006 Subject: Rejecting Mail at RCPT In-Reply-To: References: <6.0.0.22.0.20031218101742.02dd8560@mail.enhtech.com> Message-ID: <6.0.0.22.0.20031218132154.02e10c18@mail.enhtech.com> At 12:06 PM 12/18/2003, you wrote: >Hi! > > > >Put your users in LDAP and check with LDAP on your frontend servers. > > > > > >Bye, > > >Raymond > > > > > > I have not tested this, but does this work when sendmail is run in > > queueonly delivery mode? > >Its in queueonly, but still it should check RCPT, thats what it does now >also. Your access file also still works :) Hmm. If you are saying that you have sendmail verifying the RCPT before q'ing the message apart from using the access lists or ldap, please may i see your .cf .mc? Other than that, i face numerous challenges. Errol Neal Errol U. Neal Jr., Systems Administrator Enhanced Technologies, Inc. 
- The Business Grade Hosting Specialists http://www.enhtech.com 703-924-0301 or 800-368-3249 703-997-0839 Fax From lindsay at pa.net Thu Dec 18 18:48:38 2003 From: lindsay at pa.net (Lindsay Snider) Date: Thu Jan 12 21:21:36 2006 Subject: MailScanner/Postfix message duplication - possible fix In-Reply-To: <229A346E44379140A59A48951B56E0C0D405D6@ARLABML01.DS.ARL.ARMY.MIL> References: <229A346E44379140A59A48951B56E0C0D405D6@ARLABML01.DS.ARL.ARMY.MIL> Message-ID: <1071773318.8590.11.camel@localhost.localdomain> On Thu, 2003-12-18 at 13:21, Kash, Howard (Civ,ARL/CISD) wrote: > I beginning to think you are correct. My patch doesn't seem to help. > Here's is one method suggested by Peter Bates for putting messages in > the hold queue: > > > > I'm using MS with Postfix in a slightly 'non-standard' way, but which > > is working fine for 13-15K messages we deal with (actually it might be > > more, I never bothered counting our outgoing email!)... > > > > I'm using a 'header_check' like so: > > > > In main.cf - > > header_checks = pcre:/etc/postfix/header_checks > > > > In header_checks - > > > > /^Received:.*by .*\.lshtm.ac.uk \(Postfix\)/ HOLD > > > > This puts the incoming mail in the 'hold' queue, and then > > I have in MailScanner.conf - > > > > Incoming Queue Dir = /var/spool/postfix/hold > > Outgoing Queue Dir = /var/spool/postfix/incoming > > > I think I'll give this a try. We have been using the hold method here since Julian added postfix support. Our site is rather large and we use it across a couple of versions of postfix 2.x. So far, it has worked great. > > > Howard > > > -----Original Message----- > From: Drew Marshall [mailto:drew@THEMARSHALLS.CO.UK] > Sent: Tuesday, December 16, 2003 5:54 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: MailScanner/Postfix message duplication - possible fix > > > I wonder if this is only part of the story. Not being a programmer (Or > even someone who 'tinkers with code'!) 
please forgive me if I am being > stupid or just plain don't understand :-) > > The queue manager runs the queues when it's either called by receipt of > a 1byte message from another part of Postfix or when it's inactivity > timer times out (As set in the master.cf file). I had a play with this > to start with and when I set the idle timer to 28 days I still got > duplicates and the 'skipped' log entry from when MailScanner happened to > be picking up a queued file and the queue runner had been called by > smtpd because it had just received a message. In some instances (One > larger message of 9Mb) this meant on my slow system that I didn't just > get duplicates but I got the damn thing 5 times, in various states of > delivery as it spooled into the deferred queue. > > Now my gamble is that moving your times to 40 seconds or even more will > probably not cure the problem as if your system is fairly busy the queue > runner will be almost continuously running through the deferred queue as > it collects mail and checks for messages that are due for attempted > redelivery (I guess this happens on every visit to the queue to ensure > that ageing messages are not left in deferred for too long). It's that > check that could be the problem. If MS is just about to collect the > message when the queue runner inspects the message for age (Not worth > locking for? Don't know?) then the two paps collide and cause the > situation as seen. It won't matter how long you tell MS to leave the > message there for, the queue runner could still bump into the > collection. On my much quieter system it will probably work more > reliably for longer as the queue runner will be called less by smtpd an > more by the inactivity timer. > > One way round this could be to send the messages to the hold queue as > the queue runner never runs in there. Now just to get the messages > there... 
> > As I say I could be talking rubbish and I'll go away and keep going with > what ever experiment people want to fix this issue but I though it was > worth knocking some thoughts about. > > Regards > > Drew -- Lindsay Snider From sysadmins at ENHTECH.COM Thu Dec 18 18:57:54 2003 From: sysadmins at ENHTECH.COM (Errol Neal) Date: Thu Jan 12 21:21:36 2006 Subject: Rejecting Mail at RCPT In-Reply-To: <6.0.0.22.0.20031218132154.02e10c18@mail.enhtech.com> References: <6.0.0.22.0.20031218101742.02dd8560@mail.enhtech.com> <6.0.0.22.0.20031218132154.02e10c18@mail.enhtech.com> Message-ID: <6.0.0.22.0.20031218135607.02e0b768@mail.enhtech.com> At 01:37 PM 12/18/2003, you wrote: >At 12:06 PM 12/18/2003, you wrote: >>Hi! >> >> > >Put your users in LDAP and check with LDAP on your frontend servers. >> > > >> > >Bye, >> > >Raymond >> > >> > >> > I have not tested this, but does this work when sendmail is run in >> > queueonly delivery mode? >> >>Its in queueonly, but still it should check RCPT, thats what it does now >>also. Your access file also still works :) Along this subject. Can the access, mailertable and the ldaprouting feature all work together? Errol Neal Errol U. Neal Jr., Systems Administrator Enhanced Technologies, Inc. - The Business Grade Hosting Specialists http://www.enhtech.com 703-924-0301 or 800-368-3249 703-997-0839 Fax From jrudd at UCSC.EDU Thu Dec 18 19:03:02 2003 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:21:36 2006 Subject: SPF was->(Re: Yahoo Developing Open Source Server Software For Spam-Resista nt E-Mail) In-Reply-To: <3FE1E5FA.5030806@uptime.at> References: <8FFC76593085ED4A80D3601BC41EFCDF037335CE@inex1.herffjones.hj-int> <6.0.1.1.2.20031215173348.03c1c8b0@imap.ecs.soton.ac.uk> <20031218064645.GM12080@hoiho.nz.lemon-computing.com> <3FE1528A.8020303@uptime.at> <4E00B1A9-3173-11D8-B2D9-003065F939FE@ucsc.edu> <3FE1E5FA.5030806@uptime.at> Message-ID: On Dec 18, 2003, at 9:38 AM, David H. 
wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: RIPEMD160 > > John Rudd wrote: > >> >> For insecure authentication methods, provide SMTP+SSL, allowing the >> authentication information to be protected by SSL if it's not being >> protected by a secure SASL. >> > This is exactly what I mean. It introduces hassles which are almost > impossible to deal with in a very large setup. Especially with SSL on > multiple Server. Each Server _should_ have a properly signed SSL > Certificate. > Self-signed Certificates might be an option in an environment where no > trust is needed, but in this setup, I want the users to also trust the > SSL Certificate they are seeing. I can see saying that getting an SSL cert might be expensive (for a small provider ... but it should be inconsequential for a large one), but a hassle? I don't see it. Managing SSL certs is trivial. The only "hassle" is that you sometimes have to wait a little while for the first one to arrive. After that, you just have to remember to apply for your renewal about 30 to 45 days before the current one expires. You deal with that once per year. No big deal. Even if you're putting them on to each mail server by hand, one at a time, that's still not a big deal for your example of 20 machines. But, that's what you get for not automating and centralizing your administrative model. CVS auto-updates and/or cfengine would be a good start to automate those sorts of updates. Even rsync (which isn't as dangerous once you're using kerberized rsync) is better than nothing. (in our case, CommuniGate Pro provides centralized administration of our mail cluster domains, so I update the cert on one machine and it automatically gets applied to all of them) >> For password synchronization, use kerberos and multiple KDCs to >> distribute the authentication load. Hopefully both via plain text >> SMTP-AUTH (because there are too many MUAs that don't support >> kerberos) >> and via GSSAPI-SASL for SMTP-AUTH (for good MUAs). 
> Once more. Storing such data in LDAP or Kerberos is of course no > "technical issue" but it quickly becomes an issue in very large setups. > a) Who will be the administrator > b) Who covers the additional costs > > and so on. The problem with prevention measures against SPAM is, that > they cannot outweigh the costs caused by bad Email. > > If it costs me 10K to stop Spam at a 99% level with MailScanner but it > costs me 35K to run and administrate SPF, guess who will always win :) Our kerberos infrastructure has cost us less than $10k in hardware, and that's because my bosses prefer us to use full blown Solaris machines for it. I could have used ultra-cheap freebsd machines and spent probably 1/4 the money on it (and with that money, I'd probably be able to double, or more, our number of secondaries, as well). In administrator time, I've spent maybe 20 hours of my time on our actual kerberos servers in the 4 years I've been here. Some people would tell you that kerberos has a steep learning curve, but in my experience it's only on the development side, not on the administrator side (and there's a small and shallow learning curve on the user side). The _most_ difficult part of kerberos is actually finding commercial vendors that have embraced it. PAM is a god-send in that respect, if your OS PAM infrastructure is decent (Sun's kerberos-5 PAM module is pretty pathetic, but there are open source ones used for Linux and FreeBSD that are good). On the server side, UW-IMAP, Qpopper, and (Cyrus I think? the one that came out of CMU) can all do Kerberos. UW-IMAP and Qpopper will also do PAM (cyrus probably will, too, but I don't know as I've never used it). CommuniGate Pro (smtp, imap, pop, webmail, mailing lists) can do Kerberos or PAM via its external authenticator (plain text password only, not tickets nor SASL). I'm not sure about sendmail, qmail, postfix, or courier. 
On the client side, pine, apple mail, eudora, and fetchmail can all work with kerberos tickets. And, if you've got a PAM module, or an external authenticator type module, on the server side, any client that can do plain text passwords can work with your kerberos password. I expect things will get better with vendor support now that MS has adopted Kerberos ... and, IIRC, it's also a requirement for NFSv4 that the platform support GSSAPI/Kerb5 in its secure-rpc infrastructure. >> (here at UCSC, our new mail servers are using SMTP+SSL and plain text >> SMTP-AUTH, that is checked against the user's kerberos password; the >> MTA >> is CommuniGate Pro using an external authenticator that checks against >> kerberos >> ) > How many points of failure do you see in that setup ? Once more an > issue > I pointed out above. The likelihood that something goes "wrong" is > increased by the complexity of the system. We have 3 KDC's, one of which is a safety (it receives the key database, but doesn't serve it out to users). Last year, our primary KDC crashed hard (total failure of disk drives). It took me 30 minutes to promote the secondary to primary status, and then just some time for a DNS change so that "kerberos.ucsc.edu" now pointed at the secondary machine instead of the primary machine. During the time that took, the only thing you could do was: create new principals (user and host data), change passwords. The reason for that is that the primary runs the "kadmin" daemon, which is where all administrative stuff happens. Promotion from Secondary to Primary is literally just the process of setting up and bringing up the kadmind and then making the CNAME for your primary point to the new machine (you probably also want to remove the kpropd from your inetd.conf, as that's how secondaries receive the key database from the primary). 
If it happened again, it would take less than 30 minutes -- originally, I didn't put all of the necessary information on my secondaries, so I had to remember a few things in order to promote our secondary. Since then, I put all necessary information on all of the KDCs, so that it really is just a matter of starting kadmind, disabling kpropd, and then doing the DNS change. In terms of user authentication, there wouldn't be any interruption. Kerberos automatically fails over to the secondaries if it can't contact the primary. The first indication anyone outside of the sysadmin group had that the kerberos primary KDC was down was that someone tried to change their password and couldn't. And that was just during the DNS delay. We, in the sysadmin group, noticed it was down immediately because we monitor our hosts in BigBrother (though, we're moving to BigSister). From ugob at CAMO-ROUTE.COM Thu Dec 18 19:04:47 2003 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:21:36 2006 Subject: More errors. Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE2B1@mtlnt501fs.CAMOROUTE.COM> > -----Original Message----- > From: Erik Jakobsen [mailto:eja@URBAKKEN.DK] > Sent: Thursday, December 18, 2003 11:51 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: More errors. > > > Julian Field wrote: > > At 16:12 18/12/2003, you wrote: > > > >> Erik Jakobsen wrote: > >> > >>>> Where is the /var/spool/public/qmgr defined ?. > >>>> I can find /var/spool/postfix/public/qmgr > >>>> Or where is that defined ?. > >>> > >>> > >>> Where is the MailScanner KickMessage defined to write to ? > >> > >> > >> I copied the /var/spool/postfix/public/qmgr to the > /var/spool/public > >> directory. > >> > >> I don't think it's correct. My errors about a lacking qmgr file > >> disappeared, but unfortunately my mail delivering also did :-( > > > > > > The qmgr isn't a normal file. Do an "ls -l" on it and you > will see that > > it's a pipe, created by Postfix. 
> > MailScanner takes the outgoing queue directory (normally > > /var/spool/postfix/incoming), and replaces the last word > with "public" then > > tacks "/qmgr" on the end. > > So you turn > > /var/spool/postfix/incoming > > into > > /var/spool/postfix/public/qmgr > > I have seen it Julian. it has pwr in the first 3 places if taking the > ls -l. > > All understood but where do I turn the path ?. It asks for > /var/spool/public/qmgr, but this is wrong I think. > > Thank you so much for your reply. I felt myself a bit trapped :-). > > By the way, I have downloaded the 2.0 postfix, but there > seems not to be > any scripts for chroot jail for Redhat, as I have read there should be > in the install doc for MailScanner under Postfix. I remember saying that chroot was not recommended by postfix's author in version 2. > > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > > > -- > Med venlig hilsen - Best regards. > Erik Jakobsen - eja@urbakken.dk. > Licensed radioamateur with the callsign OZ4KK. > SuSE Linux 8.2 Proff. > Registered as user #319488 with the Linux Counter, http://counter.li.org. From ugob at CAMO-ROUTE.COM Thu Dec 18 19:05:06 2003 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:21:36 2006 Subject: More errors. Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE2B2@mtlnt501fs.CAMOROUTE.COM> Sorry, not saying, seeing. Sorry. Ugo > -----Original Message----- > From: Erik Jakobsen [mailto:eja@URBAKKEN.DK] > Sent: Thursday, December 18, 2003 11:51 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: More errors. > > > Julian Field wrote: > > At 16:12 18/12/2003, you wrote: > > > >> Erik Jakobsen wrote: > >> > >>>> Where is the /var/spool/public/qmgr defined ?. > >>>> I can find /var/spool/postfix/public/qmgr > >>>> Or where is that defined ?. 
> >>> > >>> > >>> Where is the MailScanner KickMessage defined to write to ? > >> > >> > >> I copied the /var/spool/postfix/public/qmgr to the > /var/spool/public > >> directory. > >> > >> I don't think it's correct. My errors about a lacking qmgr file > >> disappeared, but unfortunately my mail delivering also did :-( > > > > > > The qmgr isn't a normal file. Do an "ls -l" on it and you > will see that > > it's a pipe, created by Postfix. > > MailScanner takes the outgoing queue directory (normally > > /var/spool/postfix/incoming), and replaces the last word > with "public" then > > tacks "/qmgr" on the end. > > So you turn > > /var/spool/postfix/incoming > > into > > /var/spool/postfix/public/qmgr > > I have seen it Julian. it has pwr in the first 3 places if taking the > ls -l. > > All understood but where do I turn the path ?. It asks for > /var/spool/public/qmgr, but this is wrong I think. > > Thank you so much for your reply. I felt myself a bit trapped :-). > > By the way, I have downloaded the 2.0 postfix, but there > seems not to be > any scripts for chroot jail for Redhat, as I have read there should be > in the install doc for MailScanner under Postfix. > > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > > > -- > Med venlig hilsen - Best regards. > Erik Jakobsen - eja@urbakken.dk. > Licensed radioamateur with the callsign OZ4KK. > SuSE Linux 8.2 Proff. > Registered as user #319488 with the Linux Counter, http://counter.li.org. From eja at URBAKKEN.DK Thu Dec 18 19:10:39 2003 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:36 2006 Subject: More errors. 
In-Reply-To: <54C38A0B814C8E438EF73FC76F3629273AE2B1@mtlnt501fs.CAMOROUTE.COM> References: <54C38A0B814C8E438EF73FC76F3629273AE2B1@mtlnt501fs.CAMOROUTE.COM> Message-ID: <3FE1FBAF.8020206@urbakken.dk> Ugo Bellavance wrote: >>-----Original Message----- >>From: Erik Jakobsen [mailto:eja@URBAKKEN.DK] >>Sent: Thursday, December 18, 2003 11:51 AM >>To: MAILSCANNER@JISCMAIL.AC.UK >>Subject: Re: More errors. >> >> >>Julian Field wrote: >> >>>At 16:12 18/12/2003, you wrote: >>> >>> >>>>Erik Jakobsen wrote: >>>> >>>> >>>>>>Where is the /var/spool/public/qmgr defined ?. >>>>>>I can find /var/spool/postfix/public/qmgr >>>>>>Or where is that defined ?. >>>>> >>>>> >>>>>Where is the MailScanner KickMessage defined to write to ? >>>> >>>> >>>>I copied the /var/spool/postfix/public/qmgr to the >> >>/var/spool/public >> >>>>directory. >>>> >>>>I don't think it's correct. My errors about a lacking qmgr file >>>>disappeared, but unfortunately my mail delivering also did :-( >>> >>> >>>The qmgr isn't a normal file. Do an "ls -l" on it and you >> >>will see that >> >>>it's a pipe, created by Postfix. >>>MailScanner takes the outgoing queue directory (normally >>>/var/spool/postfix/incoming), and replaces the last word >> >>with "public" then >> >>>tacks "/qmgr" on the end. >>>So you turn >>> /var/spool/postfix/incoming >>>into >>> /var/spool/postfix/public/qmgr >> >>I have seen it Julian. it has pwr in the first 3 places if taking the >>ls -l. >> >>All understood but where do I turn the path ?. It asks for >>/var/spool/public/qmgr, but this is wrong I think. >> >>Thank you so much for your reply. I felt myself a bit trapped :-). >> >>By the way, I have downloaded the 2.0 postfix, but there >>seems not to be >>any scripts for chroot jail for Redhat, as I have read there should be >>in the install doc for MailScanner under Postfix. > > > I remember saying that chroot was not recommended by postfix's author in version 2. Thank you Ugo for your information. 
I have seen the other mail, where saying was converted to seeing :-) -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From tom at SKYMAPPING.COM Thu Dec 18 19:01:18 2003 From: tom at SKYMAPPING.COM (Tom Schuetz) Date: Thu Jan 12 21:21:36 2006 Subject: Simple forwarding with exim? Message-ID: <000001c3c599$55c41d90$c200a8c0@windsock> We are running MailScanner 4.25-14 with Exim 4.24 on a redhat 8 box, 2.4.18-14, using the two-instances-of-Exim setup. This all works fine, until I put a .forward file in someone's home dir. That seems to hang MailScanner and Exim. So, I tried adding a forward rule in the /etc/MailScanner/rules dir, called test.rules, like this: To: joe@foo.com forward joe@bar.com That doesn't work; MailScanner simply ignores it. What am I missing? Thanks! Tom From eja at URBAKKEN.DK Thu Dec 18 19:24:16 2003 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:36 2006 Subject: More errors. In-Reply-To: <6.0.1.1.2.20031218175238.02839cf0@imap.ecs.soton.ac.uk> References: <3FE17080.1030107@urbakken.dk> <3FE1809F.80501@urbakken.dk> <3FE188F4.9060307@eatathome.com.au> <3FE1A50D.8080802@urbakken.dk> <3FE1B899.5080603@urbakken.dk> <3FE1C0B9.6090505@urbakken.dk> <3FE1D1DC.5030302@urbakken.dk> <6.0.1.1.2.20031218161856.03f63aa8@imap.ecs.soton.ac.uk> <3FE1DAF7.7000304@urbakken.dk> <3FE1E672.1000502@urbakken.dk> <6.0.1.1.2.20031218175238.02839cf0@imap.ecs.soton.ac.uk> Message-ID: <3FE1FEE0.1050105@urbakken.dk> > That's completely wrong. Please read the comment. Why would you want to > unpack incoming messages into a pipe called qmgr? Surely unpacking into a > directory would make more sense. I really do try to document these things > as clearly as possible. Put it back to /var/spool/MailScanner/incoming like > it was before you started tweaking. > Julian !. 
I'm now running with MailScanner.conf as it shall be set up. My /var/log/maillog now shows: Dec 18 20:21:32 gateway MailScanner[9776]: New Batch: Scanning 1 messages, 3887 bytes Dec 18 20:21:32 gateway MailScanner[9776]: Virus and Content Scanning: Starting Dec 18 20:21:33 gateway MailScanner[9609]: KickMessage failed as couldn't write to /var/spool/public/qmgr, No such file or directory Dec 18 20:21:33 gateway MailScanner[9609]: Uninfected: Delivered 1 messages Dec 18 20:21:33 gateway MailScanner[9776]: KickMessage failed as couldn't write to /var/spool/public/qmgr, No such file or directory Dec 18 20:21:33 gateway MailScanner[9776]: Uninfected: Delivered 1 messages Dec 18 20:21:39 gateway ipop3d[9927]: pop3 service init from 192.168.1.169 Dec 18 20:21:40 gateway ipop3d[9927]: Login user=eja host=[192.168.1.169] nmsgs=0/0 Dec 18 20:21:43 gateway ipop3d[9927]: Logout user=eja host=[192.168.1.169] nmsgs=0 ndele=0 Dec 18 20:21:46 gateway ipop3d[9939]: pop3 service init from 192.168.1.169 This should be ok, but I don't see, that it is. -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From mailscanner at ecs.soton.ac.uk Thu Dec 18 19:30:21 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:36 2006 Subject: More errors. 
In-Reply-To: <3FE1FEE0.1050105@urbakken.dk> References: <3FE17080.1030107@urbakken.dk> <3FE1809F.80501@urbakken.dk> <3FE188F4.9060307@eatathome.com.au> <3FE1A50D.8080802@urbakken.dk> <3FE1B899.5080603@urbakken.dk> <3FE1C0B9.6090505@urbakken.dk> <3FE1D1DC.5030302@urbakken.dk> <6.0.1.1.2.20031218161856.03f63aa8@imap.ecs.soton.ac.uk> <3FE1DAF7.7000304@urbakken.dk> <3FE1E672.1000502@urbakken.dk> <6.0.1.1.2.20031218175238.02839cf0@imap.ecs.soton.ac.uk> <3FE1FEE0.1050105@urbakken.dk> Message-ID: <6.0.1.1.2.20031218192936.03706b18@imap.ecs.soton.ac.uk> At 19:24 18/12/2003, you wrote: >>That's completely wrong. Please read the comment. Why would you want to >>unpack incoming messages into a pipe called qmgr? Surely unpacking into a >>directory would make more sense. I really do try to document these things >>as clearly as possible. Put it back to /var/spool/MailScanner/incoming like >>it was before you started tweaking. > >Julian !. > >I'm now running with MailScanner.conf as it shall be set up. 
> >My /var/log/maillog now shows: > >Dec 18 20:21:32 gateway MailScanner[9776]: New Batch: Scanning 1 >messages, 3887 bytes >Dec 18 20:21:32 gateway MailScanner[9776]: Virus and Content Scanning: >Starting >Dec 18 20:21:33 gateway MailScanner[9609]: KickMessage failed as >couldn't write to /var/spool/public/qmgr, No such file or directory >Dec 18 20:21:33 gateway MailScanner[9609]: Uninfected: Delivered 1 messages >Dec 18 20:21:33 gateway MailScanner[9776]: KickMessage failed as >couldn't write to /var/spool/public/qmgr, No such file or directory >Dec 18 20:21:33 gateway MailScanner[9776]: Uninfected: Delivered 1 messages >Dec 18 20:21:39 gateway ipop3d[9927]: pop3 service init from 192.168.1.169 >Dec 18 20:21:40 gateway ipop3d[9927]: Login user=eja >host=[192.168.1.169] nmsgs=0/0 >Dec 18 20:21:43 gateway ipop3d[9927]: Logout user=eja >host=[192.168.1.169] nmsgs=0 ndele=0 >Dec 18 20:21:46 gateway ipop3d[9939]: pop3 service init from 192.168.1.169 > >This should be ok, but I don't see, that it is. My guess would be that you have Outgoing Queue Dir = /var/spool/incoming where it should be Outgoing Queue Dir = /var/spool/postfix/incoming -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From eja at URBAKKEN.DK Thu Dec 18 19:46:06 2003 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:36 2006 Subject: More errors. 
In-Reply-To: <6.0.1.1.2.20031218192936.03706b18@imap.ecs.soton.ac.uk> References: <3FE17080.1030107@urbakken.dk> <3FE1809F.80501@urbakken.dk> <3FE188F4.9060307@eatathome.com.au> <3FE1A50D.8080802@urbakken.dk> <3FE1B899.5080603@urbakken.dk> <3FE1C0B9.6090505@urbakken.dk> <3FE1D1DC.5030302@urbakken.dk> <6.0.1.1.2.20031218161856.03f63aa8@imap.ecs.soton.ac.uk> <3FE1DAF7.7000304@urbakken.dk> <3FE1E672.1000502@urbakken.dk> <6.0.1.1.2.20031218175238.02839cf0@imap.ecs.soton.ac.uk> <3FE1FEE0.1050105@urbakken.dk> <6.0.1.1.2.20031218192936.03706b18@imap.ecs.soton.ac.uk> Message-ID: <3FE203FE.20808@urbakken.dk> > My guess would be that you have > Outgoing Queue Dir = /var/spool/incoming > where it should be > Outgoing Queue Dir = /var/spool/postfix/incoming You were quite right. I have it such, that having seen on a thing hundreds of times make me blind :-) Sorry for the inconvenience. I have replied to your mail again. -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From nathan at TCPNETWORKS.NET Thu Dec 18 20:10:46 2003 From: nathan at TCPNETWORKS.NET (Nathan Johanson) Date: Thu Jan 12 21:21:36 2006 Subject: Bayes Poisoning? Spam with negative BAYES Scores Message-ID: Hello, A recent thread made brief reference to "bayes poisoning". We're currently using SpamAssassin 2.60 and will upgrade to version 2.61 shortly, but we have seen an increasing amount of spam slipping through the filters with negative BAYES scores. Very annoying: X-tcpnetworks-MailScanner: Found to be clean X-tcpnetworks-MailScanner-SpamCheck: not spam, SpamAssassin (score=-3.361, required 4, BAYES_00 -4.90, HTML_IMAGE_ONLY_06 1.44, HTML_MESSAGE 0.10) Is anyone else seeing this sort of thing? Any recommendations for combating it? 
I noted the links to BigEvil custom rules (posted earlier), but I'm starting to wonder if Bayes usefulness is starting to dwindle. Is there some way to prevent this poisoning? help too. Nathan From campbell at CNPAPERS.COM Thu Dec 18 20:39:59 2003 From: campbell at CNPAPERS.COM (Stephe Campbell) Date: Thu Jan 12 21:21:36 2006 Subject: SIGPIPE log problem References: Message-ID: <069901c3c5a7$1be971c0$3f01a8c0@cnpapers.net> I looked back through the mail I keep for MailScanner, and found numerous responses about "I get these also", but no real solution to the problem of the 'SIGPIPE received - trying new log socket' maillog entries. This all started happening yesterday when I installed MailWatch. I had to upgrade PEAR, which broke my Horde/IMP, which required upgrading PHP and then upgrading Horde/IMP, (all because PEAR removed the isWarning function). What a day! I found one mailing that suggested removing a line from Log.pm, but I don't speak the language very well, so I'm not sure what to comment out. I am running MS 4.24-5 & SA 2.61 on a stock RH 7.3 box. Does anyone have a suggestion? I'm not ready to do anymore upgrades after yesterday, so MS 4.25 will just have to wait if that's the answer. While I'm here, MailWatch doesn't seem to be locating any virus being found. I use ClamAV. Sound familiar to anyone? Thanks Steve Campbell campbell@cnpapers.com Charleston Newspapers From ka at PACIFIC.NET Thu Dec 18 20:41:49 2003 From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:21:36 2006 Subject: Bayes Poisoning? Spam with negative BAYES Scores In-Reply-To: References: Message-ID: <3FE2110D.4000804@pacific.net> Just .02.. For most of these, the bayes poisoning seems to be done in the text/plain portion of the email, while the html part is spammy. SA should be able to ignore the text/plain part completely if there is a spammy html version. I'm not sure what/if anything has been done along these lines. Ken A. 
Pacific.Net Nathan Johanson wrote: > Hello, > > A recent thread made brief reference to "bayes poisoning". We're > currently using SpamAssassin 2.60 and will upgrade to version 2.61 > shortly, but we have seen an increasing amount of spam slipping through > the filters with negative BAYES scores. Very annoying: > > X-tcpnetworks-MailScanner: Found to be clean > X-tcpnetworks-MailScanner-SpamCheck: not spam, SpamAssassin > (score=-3.361, > required 4, BAYES_00 -4.90, HTML_IMAGE_ONLY_06 1.44, > HTML_MESSAGE 0.10) > > Is anyone else seeing this sort of thing? Any recommendations for > combating it? I noted the links to BigEvil custom rules (posted > earlier), but I'm starting to wonder if Bayes usefulness is starting to > dwindle. Is there some way to prevent this poisoning? > > > help too. > > Nathan > > From raymond at PROLOCATION.NET Thu Dec 18 20:58:29 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:36 2006 Subject: Rejecting Mail at RCPT In-Reply-To: <6.0.0.22.0.20031218132154.02e10c18@mail.enhtech.com> Message-ID: Hi! > > > I have not tested this, but does this work when sendmail is run in > > > queueonly delivery mode? > >Its in queueonly, but still it should check RCPT, thats what it does now > >also. Your access file also still works :) > > Hmm. If you are saying that you have sendmail verifying the RCPT before > using the access lists or ldap, please may i see your .cf .mc? Other than > that, i face numerous challenges. Currently i use exim to do this. So no, what problems are you facing ? Bye, Raymond. 
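The SpamCheck header quoted in the Bayes poisoning thread above has a regular shape, so delivered mail in which a negative BAYES_* score outvotes the other rules can be pulled out for manual review and retraining. This is an added example, not code from MailScanner, SpamAssassin or any poster; the function names, the 1.0 evidence threshold and the samples marked constructed are assumptions, and only the first sample is taken from the post.

```python
"""Triage MailScanner SpamCheck reports for Bayes votes that contradict other rules."""
import re
from dataclasses import dataclass
from typing import Optional

# Shape of the report in the SpamCheck header (and in MailScanner's maillog lines):
#   "<verdict>, SpamAssassin (score=S, required R, RULE score, RULE score, ...)"
REPORT_RE = re.compile(
    r"(?P<verdict>not spam|is spam|spam)\s*,\s*SpamAssassin\s*\("
    r"score=(?P<score>-?\d+(?:\.\d+)?),\s*"
    r"required\s+(?P<required>-?\d+(?:\.\d+)?)"
    r"(?P<rules>[^)]*)\)"
)
RULE_RE = re.compile(r"([A-Z][A-Z0-9_]*)\s+(-?\d+(?:\.\d+)?)")

FLIPPED = "non-Bayes rules alone reach the required score"
CONTRADICTED = "Bayes ham vote contradicts other spam evidence"


@dataclass
class Report:
    is_spam: bool
    score: float
    required: float
    rules: dict

    @property
    def bayes(self) -> float:
        """Sum of the BAYES_* rule scores."""
        return round(sum(v for k, v in self.rules.items() if k.startswith("BAYES_")), 3)

    @property
    def non_bayes(self) -> float:
        """Sum of every rule score that is not a BAYES_* rule."""
        return round(sum(v for k, v in self.rules.items() if not k.startswith("BAYES_")), 3)


def parse_report(text: str) -> Optional[Report]:
    """Parse one header value or log line; folded headers are unfolded first."""
    flat = " ".join(text.split())
    m = REPORT_RE.search(flat)
    if m is None:
        return None
    rules = {name: float(val) for name, val in RULE_RE.findall(m.group("rules"))}
    return Report(
        is_spam=not m.group("verdict").startswith("not"),
        score=float(m.group("score")),
        required=float(m.group("required")),
        rules=rules,
    )


def review_reason(report: Report, min_evidence: float = 1.0) -> Optional[str]:
    """Say why a delivered message deserves a human look, or None if it does not."""
    if report.is_spam or report.bayes >= 0:
        return None  # already caught, or Bayes did not vote "ham"
    if report.non_bayes >= report.required:
        return FLIPPED
    if report.non_bayes >= min_evidence:  # assumed threshold, tune per site
        return CONTRADICTED
    return None


def triage(samples):
    """Return (message id, reason, non-Bayes score), strongest evidence first."""
    hits = []
    for msg_id, text in samples:
        report = parse_report(text)
        reason = review_reason(report) if report else None
        if reason:
            hits.append((msg_id, reason, report.non_bayes))
    return sorted(hits, key=lambda hit: hit[2], reverse=True)


SAMPLES = [
    # Taken from the post above, folded as it appeared in the message.
    ("page-example", """X-tcpnetworks-MailScanner-SpamCheck: not spam, SpamAssassin
        (score=-3.361, required 4, BAYES_00 -4.90, HTML_IMAGE_ONLY_06 1.44,
        HTML_MESSAGE 0.10)"""),
    # Constructed: the other rules add up to 5.60, Bayes drags it under 4.
    ("constructed-flipped", "not spam, SpamAssassin (score=0.70, required 4, "
        "BAYES_00 -4.90, DCC_CHECK 2.91, HTML_IMAGE_ONLY_06 1.44, "
        "RAZOR2_CHECK 1.05, CLICK_BELOW 0.10, HTML_MESSAGE 0.10)"),
    # Constructed: ordinary ham, nothing but a trivial HTML hit.
    ("constructed-ham", "not spam, SpamAssassin (score=-4.80, required 4, "
        "BAYES_00 -4.90, HTML_MESSAGE 0.10)"),
    # Constructed: already tagged as spam, so not a retraining candidate.
    ("constructed-spam", "is spam, SpamAssassin (score=9.46, required 5, "
        "BAYES_99 5.40, DCC_CHECK 2.91, RAZOR2_CHECK 1.05, CLICK_BELOW 0.10)"),
]

if __name__ == "__main__":
    for msg_id, reason, evidence in triage(SAMPLES):
        print(f"{msg_id}: {reason} (non-Bayes score {evidence})")
```

The listed messages are review candidates only; once a person confirms one is spam, feeding the stored message to `sa-learn --spam` corrects the database.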
From peter at UCGBOOK.COM Thu Dec 18 20:59:10 2003 From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:21:36 2006 Subject: DrWeb permission problem in tar dist Message-ID: <3FE2151E.9020901@ucgbook.com> I started getting the following mails after upgrading to 4.25-14: >Your "cron" job on kleenex >/opt/MailScanner/bin/update_virus_scanners > >produced the following output: > >/opt/MailScanner/bin/update_virus_scanners: >/opt/MailScanner/lib/drweb-wrapper: bad interpreter: Permission denied The wrapper for DrWeb had 644 permissions, I changed it to 755 and all was fine. Just something small to fix in the next tar dist. /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP From Kevin_Miller at CI.JUNEAU.AK.US Thu Dec 18 21:05:44 2003 From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:21:37 2006 Subject: Messages Stuck in /var/spool/mqueue.in Message-ID: <08146035CA49D6119A36009027AC822A0264EBC0@CITY-EXCH-NTS> In a nutshell, a lame server is where someone's DNS has a domain listed, but there's no info on it. In other words, a parent DNS server says that some other server is authoritative for a domain, but the other server doesn't exist (or is off line). Although they fill up *your* logs, the problem is actually at some other site. The errors occur when you try to contact them. At least that's my meager understanding... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 -----Original Message----- From: lester lasad [mailto:llasad1@YAHOO.COM] Sent: Thursday, December 18, 2003 5:35 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Messages Stuck in /var/spool/mqueue.in My mail started getting stuck again late afternoon yesterday. 
This has happened before, but stopping and starting mailscanner a bunch of times did not work this time. I saw the previous post where spamassassin was causing the issue.

-I'm already on 2.60.
-I tried upgrading to 2.61 but keep getting an error: Makefile:94: *** missing separator. Stop.
-I rebuilt the Bayes db with sa-learn --rebuild

Still no go. I upgraded MailScanner to the latest. Here's what I get in my messages log:

Dec 18 09:05:06 sammy last message repeated 4 times
Dec 18 09:08:14 sammy named[981]: lame server resolving '70.62.6.69.in-addr.arpa' (in '62.6.69.in-addr.arpa'?): 69.6.25.84#53
Dec 18 09:08:15 sammy named[981]: lame server resolving '70.62.6.69.in-addr.arpa' (in '62.6.69.in-addr.arpa'?): 69.6.25.125#53
Dec 18 09:08:31 sammy named[981]: lame server resolving '162.180.156.161.in-addr.arpa' (in '156.161.in-addr.arpa'?): 206.74.254.2#53
Dec 18 09:08:31 sammy named[981]: lame server resolving '162.180.156.161.in-addr.arpa' (in '156.161.in-addr.arpa'?): 206.74.254.10#53
Dec 18 09:09:16 sammy MailScanner: succeeded
Dec 18 09:09:18 sammy last message repeated 2 times
Dec 18 09:10:45 sammy named[981]: lame server resolving '132.34.52.157.in-addr.arpa' (in '52.157.in-addr.arpa'?): 157.33.227.3#53
Dec 18 09:10:45 sammy named[981]: lame server resolving '132.34.52.157.in-addr.arpa' (in '52.157.in-addr.arpa'?): 157.33.227.4#53
Dec 18 09:11:12 sammy MailScanner: MailScanner -15 succeeded
Dec 18 09:11:12 sammy MailScanner: succeeded

Is my problem something with DNS? If so, what generally causes lame server resolving messages?

Thanks,
James

Do you Yahoo!? New Yahoo! Photos - easier uploading and sharing

From ballard at ENGR.WISC.EDU Thu Dec 18 21:36:29 2003
From: ballard at ENGR.WISC.EDU (Jeff Ballard)
Date: Thu Jan 12 21:21:37 2006
Subject: Rejected posting to MAILSCANNER@JISCMAIL.AC.UK (fwd)
Message-ID: <2009.1071783389@guinness>

Could you switch me from ballard@cae.wisc.edu (or something similar to that) to ballard@engr.wisc.edu so I can post?
Thanks, -Jeff ------- Forwarded Message Received: from cae.wisc.edu [144.92.240.11] by localhost with IMAP (fetchmail-5.9.11) for ballard@localhost (single-drop); Thu, 18 Dec 2003 14:43:41 -0600 (CST) Received: from engr.wisc.edu (snapple.engr.wisc.edu [144.92.12.24]) by cae.wisc.edu (8.12.9/8.12.9) with ESMTP id hBIKhKom020216 for ; Thu, 18 Dec 2003 14:43:20 -0600 (CST) Received: from smtp.jiscmail.ac.uk (smtp.jiscmail.ac.uk [130.246.192.48]) by engr.wisc.edu (8.11.6+Sun/8.11.6) with ESMTP id hBIKhDG26332 for ; Thu, 18 Dec 2003 14:43:13 -0600 (CST) Received: from LISTSERV.JISCMAIL.AC.UK (jiscmail.ac.uk) by smtp.jiscmail.ac.uk (LSMTP for Windows NT v1.1b) with SMTP id <0.003CEB13@smtp.jiscmail.ac.uk>; Thu, 18 Dec 2003 20:43:13 +0000 Date: Thu, 18 Dec 2003 20:43:12 +0000 From: "L-Soft list server at JISCMAIL (1.8e)" Subject: Rejected posting to MAILSCANNER@JISCMAIL.AC.UK To: ballard@ENGR.WISC.EDU Message-ID: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="GGXXCRNBEARXMZXEbCFGOUQLFROSeI" X-CAE-MailScanner: Found to be clean, Found to be clean X-CAE-MailScanner-Information: Please contact helpdesk@cae.wisc.edu for more information or to report problems. X-Spam-Checker-Version: SpamAssassin 2.61 (1.212.2.1-2003-12-09-exp) on starburst.cae.wisc.edu X-Spam-Status: No, hits=0.0 required=5.0 tests=none autolearn=no version=2.61 X-Spam-Level: - --GGXXCRNBEARXMZXEbCFGOUQLFROSeI You are not authorized to send mail to the MAILSCANNER list from your ballard@ENGR.WISC.EDU account. You might be authorized to send to the list from another of your accounts, or perhaps when using another mail program which generates slightly different addresses, but LISTSERV has no way to associate this other account or address with yours. If you need assistance or if you have any question regarding the policy of the MAILSCANNER list, please contact the list owners: MAILSCANNER-request@JISCMAIL.AC.UK. 
- --GGXXCRNBEARXMZXEbCFGOUQLFROSeI Content-Type: message/rfc822 Return-Path: Received: from 130.246.192.53 by JISCMAIL.AC.UK (SMTPL release 1.0i) with TCP; Thu, 18 Dec 2003 20:43:12 GMT X-RAL-MFrom: X-RAL-Connect: Received: from cae.wisc.edu (starburst.cae.wisc.edu [144.92.240.2]) by fili.jiscmail.ac.uk (8.12.8/8.12.8) with ESMTP id hBIKhAYY027114 for ; Thu, 18 Dec 2003 20:43:10 GMT Received: from jalopy.cae.wisc.edu (root@jalopy.cae.wisc.edu [144.92.12.93]) by cae.wisc.edu (8.12.9/8.12.9) with ESMTP id hBIKh2om020116 for ; Thu, 18 Dec 2003 14:43:02 -0600 (CST) Received: from guinness.cae.wisc.edu (guinness.cae.wisc.edu [144.92.240.245]) (authenticated bits=0) by jalopy.cae.wisc.edu (8.12.3/8.12.3/Debian-6.6) with ESMTP id hBIKh11I005588 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NOT) for ; Thu, 18 Dec 2003 14:43:02 -0600 Received: from guinness.cae.wisc.edu (guinness [127.0.0.1]) by guinness.cae.wisc.edu (8.12.9/8.12.9/Debian-5) with ESMTP id hBIKh1j0031225 for ; Thu, 18 Dec 2003 14:43:01 -0600 Received: from guinness (ballard@localhost) by guinness.cae.wisc.edu (8.12.9/8.12.9/Debian-5) with ESMTP id hBIKh1Wt031220 for ; Thu, 18 Dec 2003 14:43:01 -0600 X-Mailer: exmh version 2.5 07/13/2001 (debian 2.5-1) with nmh-1.1-RC1 To: MailScanner mailing list Subject: Re: Bayes Poisoning? Spam with negative BAYES Scores In-reply-to: Your message of "Thu, 18 Dec 2003 12:10:46 PST." X-url: http://www.cae.wisc.edu/~ballard Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 18 Dec 2003 14:43:01 -0600 Message-ID: <31219.1071780181@guinness> From: Jeff Ballard X-CAE-MailScanner-Information: Please contact helpdesk@cae.wisc.edu for more information or to report problems. X-CAE-MailScanner: Found to be clean X-Scanned-By: MIMEDefang 2.38 On Thu, 18 Dec 2003 12:10:46 -0800 Nathan Johanson wrote: > Hello, > > A recent thread made brief reference to "bayes poisoning". We're [snip] > Is anyone else seeing this sort of thing? 
Any recommendations for
> combating it? I noted the links to BigEvil custom rules (posted
> earlier), but I'm starting to wonder if Bayes usefulness is starting to
> dwindle. Is there some way to prevent this poisoning?

Bayes is a good tool but you have to watch it. If SPAM is getting auto-learned as HAM, then the Bayes is acting in the wrong direction. This is exactly why I won't use Bayes on a system-wide level until I can find a clear way of allowing my users to retrain mismarked messages. I've watched this happen on one of my high-spam mailboxes and only after a bit of retraining Bayes was behaving as expected again. Bayes is not an aim once and fire forever type of weapon.

- -Jeff

- -- - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- =- Jeff Ballard 608-265-5090 Unix Systems Manager, Computer-Aided Engineering Center

- --GGXXCRNBEARXMZXEbCFGOUQLFROSeI--

------- End of Forwarded Message

-- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Jeff Ballard 608-265-5090 Unix Systems Manager, Computer-Aided Engineering Center

From ugob at CAMO-ROUTE.COM Thu Dec 18 21:38:27 2003
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:37 2006
Subject: SIGPIPE log problem
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE2B3@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Stephe Campbell [mailto:campbell@CNPAPERS.COM]
> Sent: Thursday, December 18, 2003 3:40 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: SIGPIPE log problem
>
>
> I looked back through the mail I keep for MailScanner, and
> found numerous
> responses about "I get these also", but no real solution to
> the problem of
> the 'SIGPIPE received - trying new log socket' maillog entries.
>

I've read this is inoffensive. I haven't done anything about it yet. Everything works ok.

> This all started happening yesterday when I installed
> MailWatch.
I had to
> upgrade PEAR, which broke my Horde/IMP, which required
> upgrading PHP and
> then upgrading Horde/IMP, (all because PEAR removed the
> isWarning function).
> What a day!
>
> I found one mailing that suggested removing a line from
> Log.pm, but I don't
> speak the language very well, so I'm not sure what to comment out.
>
> I am running MS 4.24-5 & SA 2.61 on a stock RH 7.3 box. Does
> anyone have a
> suggestion? I'm not ready to do any more upgrades after
> yesterday, so MS 4.25
> will just have to wait if that's the answer.
>
> While I'm here, MailWatch doesn't seem to be locating any
> virus being found.
> I use ClamAV. Sound familiar to anyone?
>

I use mailstat with clamav and it reports ok.

>
> Thanks
>
> Steve Campbell
> campbell@cnpapers.com
> Charleston Newspapers
>

From aalsup at USDLA.COM Thu Dec 18 22:14:30 2003
From: aalsup at USDLA.COM (Andy Alsup)
Date: Thu Jan 12 21:21:37 2006
Subject: RBL in MailScanner or Spamassassin?
Message-ID: <3FE226C6.5050204@usdla.com>

I am only getting one hit at a time in MailScanner with Spam List = ORDB-RBL spamhaus.org spamcop.net , and my RBL to HighScore is 2. Does this mean MScanner doesn't do anything with just one hit? With Spamassassin also doing RBL, I am seeing a higher number of RBL hits (more RBLs I think) but the weighting seems to make more sense because even one hit increases the spam score.

Should I use both, or is SpamAssassin the better place to have it turned on?

Thanks

From peter at UCGBOOK.COM Thu Dec 18 22:40:42 2003
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:21:37 2006
Subject: RBL in MailScanner or Spamassassin?
In-Reply-To: <3FE226C6.5050204@usdla.com>
References: <3FE226C6.5050204@usdla.com>
Message-ID: <3FE22CEA.2020907@ucgbook.com>

> Should I use both, or is SpamAssassin the better place to have it
> turned on?

You should use just one, and remember that you can do it on your MTA too. Earlier is less resource intensive but later is more accurate. I run mine in SA.
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

From ugob at CAMO-ROUTE.COM Thu Dec 18 23:18:09 2003
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:37 2006
Subject: RBL in MailScanner or Spamassassin?
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE2B4@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Peter Bonivart [mailto:peter@UCGBOOK.COM]
> Sent: Thursday, December 18, 2003 5:41 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: RBL in MailScanner or Spamassassin?
>
>
> > Should I use both, or is SpamAssassin the better place to have it
> > turned on?
>
> You should use just one, and remember that you can do it on your MTA
> too. Earlier is less resource intensive but later is more accurate. I
> run mine in SA.
>

I also run them in SA only. I've got too many false positives using rbls in Mailscanner. I think I'll write a faq on this.

> /Peter Bonivart
>
> --Unix lovers do it in the Sun
>
> Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
> SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP
>

From ugob at CAMO-ROUTE.COM Thu Dec 18 23:58:27 2003
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:37 2006
Subject: RBL in MailScanner or Spamassassin?
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE2B5@mtlnt501fs.CAMOROUTE.COM>

Here is the FAQ http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/249.html

Comments welcome.

Ugo

> -----Original Message-----
> From: Ugo Bellavance
> Sent: Thursday, December 18, 2003 6:18 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: RBL in MailScanner or Spamassassin?
>
>
> > -----Original Message-----
> > From: Peter Bonivart [mailto:peter@UCGBOOK.COM]
> > Sent: Thursday, December 18, 2003 5:41 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: RBL in MailScanner or Spamassassin?
> >
> >
> > > Should I use both, or is SpamAssassin the better place
> to have it
> > > turned on?
> >
> > You should use just one, and remember that you can do it on your MTA
> > too. Earlier is less resource intensive but later is more
> accurate. I
> > run mine in SA.
> >
>
> I also run them in SA only. I've got too many false
> positives using rbls in Mailscanner. I think I'll write a
> faq on this.
>
> > /Peter Bonivart
> >
> > --Unix lovers do it in the Sun
> >
> > Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
> > SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP
> >
>

From matt at FILEHOLDER.NET Fri Dec 19 00:34:02 2003
From: matt at FILEHOLDER.NET (Matt)
Date: Thu Jan 12 21:21:37 2006
Subject: Feature Wish
Message-ID: <014c01c3c5c7$cd24a340$7801a8c0@matthew>

An easier way to add a signature to all warning messages that are sent to end users. Going through every "report" file is slow and error prone. All the messages really need to indicate who the server belonged to that triggered the message.

Matt

From pete at eatathome.com.au Fri Dec 19 02:50:55 2003
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:21:37 2006
Subject: SIGPIPE log problem
In-Reply-To: <54C38A0B814C8E438EF73FC76F3629273AE2B3@mtlnt501fs.CAMOROUTE.COM>
References: <54C38A0B814C8E438EF73FC76F3629273AE2B3@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <3FE2678F.90408@eatathome.com.au>

Ugo Bellavance wrote:

>>-----Original Message-----
>>From: Stephe Campbell [mailto:campbell@CNPAPERS.COM]
>>Sent: Thursday, December 18, 2003 3:40 PM
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: SIGPIPE log problem
>>
>>
>>I looked back through the mail I keep for MailScanner, and
>>found numerous
>>responses about "I get these also", but no real solution to
>>the problem of
>>the 'SIGPIPE received - trying new log socket' maillog entries.
>>
>>
>>
>I've read this is inoffensive. I haven't done anything about it yet. Everything works ok.
> > > > >>This all started happening yesterday when I installed >>MailWatch. I had to >>upgrade PEAR, which broke my Horde/IMP, which required >>upgrading PHP and >>then upgrading Horde/IMP, (all because PEAR removed the >>isWarning function). >>What a day! >> >>I found one mailing that suggested removing a line from >>Log.pm, but I don't >>speak the language very well, so I'm not sure what to comment out. >> >>I am running MS 4.24-5 & SA 2.61 on a stock RH 7.3 box. Does >>anyone have a >>suggestion? I'm not ready to do anymore upgrades after >>yesterday, so MS 4.25 >>will just have to wait if that's the answer. >> >>While I'm here, MailWatch doesn't seem to be locating any >>virus being found. >>I use ClamAV. Sound familiar to anyone? >> >> >> >I use mailstat with clamav and it reports ok. > > > >>Thanks >> >>Steve Campbell >>campbell@cnpapers.com >>Charleston Newspapers >> >> >> > > > > > I ahve mail stat installed with postfix, but i only get spam reports, no mail or virus stats - is this normal for postfix and mailstat? SIgpipe message appears in my mail log for nearly every message, but doesnt appear to cause any problems - this has been covered a lot of time recently, a search of the archive would reveal all :) From pete at eatathome.com.au Fri Dec 19 02:53:11 2003 From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:21:37 2006 Subject: Bayes Poisoning? Spam with negative BAYES Scores In-Reply-To: <3FE2110D.4000804@pacific.net> References: <3FE2110D.4000804@pacific.net> Message-ID: <3FE26817.5070507@eatathome.com.au> Ken Anderson wrote: > Just .02.. > For most of these, the bayes poisoning seems to be done in the > text/plain portion of the email, while the html part is spammy. > SA should be able to ignore the text/plain part completely if there is a > spammy html version. I'm not sure what/if anything has been done along > these lines. > > Ken A. 
> Pacific.Net > > > Nathan Johanson wrote: > >> Hello, >> >> A recent thread made brief reference to "bayes poisoning". We're >> currently using SpamAssassin 2.60 and will upgrade to version 2.61 >> shortly, but we have seen an increasing amount of spam slipping through >> the filters with negative BAYES scores. Very annoying: >> >> X-tcpnetworks-MailScanner: Found to be clean >> X-tcpnetworks-MailScanner-SpamCheck: not spam, SpamAssassin >> (score=-3.361, >> required 4, BAYES_00 -4.90, HTML_IMAGE_ONLY_06 1.44, >> HTML_MESSAGE 0.10) >> >> Is anyone else seeing this sort of thing? Any recommendations for >> combating it? I noted the links to BigEvil custom rules (posted >> earlier), but I'm starting to wonder if Bayes usefulness is starting to >> dwindle. Is there some way to prevent this poisoning? >> >> >> help too. >> >> Nathan >> >> > > > I am starting to find that as the bayes DB is getting larger that more spam is starting to get through. I have only installed 6 weeks ago and in the last 2 weeks i have a steady increase in spam not being trapped - is there bayes maintenance i need to do? maybe its something completely unrelated, but it seemed logical to me. From eja at URBAKKEN.DK Fri Dec 19 05:32:51 2003 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:37 2006 Subject: Webmin. Message-ID: <3FE28D83.20209@urbakken.dk> Hi. I have a nicely running MailScanner now. I would want to implement the webmin module for MailScanner. It seems that its doen ok. MailScanner is visble in webmin, but it complains about etiher the MailScanner is not running or the module is not installed. Both thing are ok AFAIK. 
But maybe there's somethin with the path's mentioned in the doc for the module: The following module configuration examples should be tailored to suite your installation: Full path to MailScanner program = /usr/lib/MailScanner/ Full path and filename of MailScanner config file = /etc/MailScanner/MailScanner.conf Full path to the MailScanner bin directory = /usr/sbin Full path and filename for the MailScanner pid file = /var/run/MailScanner.pid The following change should be made: "Command to start MailScanner" add "/etc/rc.d/init.d/MailScanner start" (without the quotes) instead of just run server. How can I test the path's, and how should the line in the above look ?. -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From Jan-Peter.Koopmann at SECEIDOS.DE Fri Dec 19 08:38:40 2003 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:21:37 2006 Subject: SIGPIPE log problem Message-ID: > While I'm here, MailWatch doesn't seem to be locating any > virus being found. > I use ClamAV. Sound familiar to anyone? Is ClamAV catching the viruses? If yes then your regex in MailWatch functions.php is probably wrong so MailWatch does not spot the virus messages. If not you are doing something substantially wrong and should enlighten us with your config. 
Regards, JP From mailscanner at ecs.soton.ac.uk Fri Dec 19 08:51:11 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:37 2006 Subject: DrWeb permission problem in tar dist In-Reply-To: <3FE2151E.9020901@ucgbook.com> References: <3FE2151E.9020901@ucgbook.com> Message-ID: <6.0.1.1.2.20031219085103.03c47608@imap.ecs.soton.ac.uk> At 20:59 18/12/2003, you wrote: >I started getting the following mails after upgrading to 4.25-14: > > >Your "cron" job on kleenex > >/opt/MailScanner/bin/update_virus_scanners > > > >produced the following output: > > > >/opt/MailScanner/bin/update_virus_scanners: > >/opt/MailScanner/lib/drweb-wrapper: bad interpreter: Permission denied > >The wrapper for DrWeb had 644 permissions, I changed it to 755 and all >was fine. Just something small to fix in the next tar dist. Fixed. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Fri Dec 19 08:49:43 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:37 2006 Subject: SIGPIPE log problem In-Reply-To: <069901c3c5a7$1be971c0$3f01a8c0@cnpapers.net> References: <069901c3c5a7$1be971c0$3f01a8c0@cnpapers.net> Message-ID: <6.0.1.1.2.20031219084521.035d8f50@imap.ecs.soton.ac.uk> At 20:39 18/12/2003, you wrote: >I looked back through the mail I keep for MailScanner, and found numerous >responses about "I get these also", but no real solution to the problem of >the 'SIGPIPE received - trying new log socket' maillog entries. > >I am running MS 4.24-5 & SA 2.61 on a stock RH 7.3 box. Does anyone have a >suggestion? I'm not ready to do anymore upgrades after yesterday, so MS 4.25 >will just have to wait if that's the answer. Take a look in /usr/lib/MailScanner/MailScanner/Log.pm. Right at the bottom you will find a "sub LogText". 
Replace that whole sub with this:

sub LogText {
  my($logmessage, $level) = @_;

  # Nothing to do unless the log type is syslog
  return unless $LogType eq 'syslog';

  # Send each line of the message to syslog as its own entry
  foreach(split /\n/,$logmessage) {
    # syslog() treats its second argument as a printf-style format,
    # so double every literal % before passing the line through
    s/%/%%/g;
    Sys::Syslog::syslog($level, $_);
  }
}

1;

-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From pete at eatathome.com.au Fri Dec 19 09:22:49 2003
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:21:37 2006
Subject: Webmin.
In-Reply-To: <3FE28D83.20209@urbakken.dk>
References: <3FE28D83.20209@urbakken.dk>
Message-ID: <3FE2C369.2030705@eatathome.com.au>

Erik Jakobsen wrote:

> Hi.
>
> I have a nicely running MailScanner now. I would want to implement the
> webmin module for MailScanner. It seems that it's done ok. MailScanner is
> visible in webmin, but it complains about either the MailScanner is not
> running or the module is not installed. Both things are ok AFAIK.
>
> But maybe there's something with the paths mentioned in the doc for the
> module:
>
>
> The following module configuration examples should be tailored to suit
> your installation:
> Full path to MailScanner program = /usr/lib/MailScanner/
> Full path and filename of MailScanner config file =
> /etc/MailScanner/MailScanner.conf
> Full path to the MailScanner bin directory = /usr/sbin
> Full path and filename for the MailScanner pid file =
> /var/run/MailScanner.pid
>
>
> The following change should be made:
> "Command to start MailScanner" add "/etc/rc.d/init.d/MailScanner start"
> (without the quotes) instead of just run server.
>
> How can I test the paths, and how should the line in the above look ?.
>
> --
> Med venlig hilsen - Best regards.
> Erik Jakobsen - eja@urbakken.dk.
> Licensed radioamateur with the callsign OZ4KK.
> SuSE Linux 8.2 Proff.
> Registered as user #319488 with the Linux Counter, http://counter.li.org.
> > > The path to your config is /etc/MailScanner/MailScanner.conf and the bit that talks about the command to start the server, leave that blank. The webmin module isnt very usefull (IMO), i reckon your better off grabbing the guide on Julian's site for MailScanner.conf and changing the options manually. Post questions to list if you need help - this way you will actually learn to administer the software. Just my opinion of course as a newish user. From eja at URBAKKEN.DK Sat Dec 20 09:27:16 2003 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:37 2006 Subject: Webmin. In-Reply-To: <3FE2C369.2030705@eatathome.com.au> References: <3FE28D83.20209@urbakken.dk> <3FE2C369.2030705@eatathome.com.au> Message-ID: <3FE415F4.1060308@urbakken.dk> Pete wrote: > Erik Jakobsen wrote: > >> Hi. >> >> I have a nicely running MailScanner now. I would want to implement the >> webmin module for MailScanner. It seems that its doen ok. MailScanner is >> visble in webmin, but it complains about etiher the MailScanner is not >> running or the module is not installed. Both thing are ok AFAIK. >> >> But maybe there's somethin with the path's mentioned in the doc for the >> module: >> >> >> The following module configuration examples should be tailored to suite >> your installation: >> Full path to MailScanner program = /usr/lib/MailScanner/ >> Full path and filename of MailScanner config file = >> /etc/MailScanner/MailScanner.conf >> Full path to the MailScanner bin directory = /usr/sbin >> Full path and filename for the MailScanner pid file = >> /var/run/MailScanner.pid >> >> >> The following change should be made: >> "Command to start MailScanner" add "/etc/rc.d/init.d/MailScanner start" >> (without the quotes) instead of just run server. >> >> How can I test the path's, and how should the line in the above look ?. >> >> -- >> Med venlig hilsen - Best regards. >> Erik Jakobsen - eja@urbakken.dk. >> Licensed radioamateur with the callsign OZ4KK. >> SuSE Linux 8.2 Proff. 
>> Registered as user #319488 with the Linux Counter, http://counter.li.org. >> >> >> > The path to your config is /etc/MailScanner/MailScanner.conf and the bit > that talks about the command to start the server, leave that blank. > > The webmin module isnt very usefull (IMO), i reckon your better off > grabbing the guide on Julian's site for MailScanner.conf and changing > the options manually. Post questions to list if you need help - this way > you will actually learn to administer the software. Just my opinion of > course as a newish user. > > Thank you Pete for your information, and you probably are right. It also takes sometimes much time to determine an option in webmin due to lack of knowledge about the certain(s) options. -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From pmb1 at YORK.AC.UK Fri Dec 19 08:51:00 2003 From: pmb1 at YORK.AC.UK (Mike Brudenell) Date: Thu Jan 12 21:21:37 2006 Subject: Spam/bounce problem In-Reply-To: <3FE1D2EA.4070002@pcxperience.com> References: <3FE1D2EA.4070002@pcxperience.com> Message-ID: <2147483647.1071823860@pippin.york.ac.uk> Greetings - --On Thursday, December 18, 2003 10:16 am -0600 James Pattie wrote: > use the sendmail double bounce suppression feature talked about recently > on this > list. > > in sendmail.mc: > - ---- > define(`confDOUBLE_BOUNCE_ADDRESS',`double-bounce')dnl > - ---- I can't remember which version of Sendmail brought it in, but it is now possible to merely set this to an empty string to cause double-bounces to be dropped (no need for an additional alias): define(`confDOUBLE_BOUNCE_ADDRESS',`')dnl Cheers, Mike B-) -- The Computing Service, University of York, Heslington, York Yo10 5DD, UK Tel:+44-1904-433811 FAX:+44-1904-433740 * Unsolicited commercial e-mail is NOT welcome at this e-mail address. 
* From Uwe.Krause at FEP.FHG.DE Fri Dec 19 09:45:47 2003 From: Uwe.Krause at FEP.FHG.DE (Krause, Uwe) Date: Thu Jan 12 21:21:37 2006 Subject: question about logging ... Message-ID: <8DDE8CA53DC5F24DA4B7D074DDE8109F21CB5F@midgard.fep.fhg.de> Hello, this can i find in my maillog : myserver sendmail[7099]: h8T9DHO07099: from=, size=957, class=0, nrcpts=1, msgid=<00007a817c97$00004821$00007aa1@hotmail.com>, proto=ESMTP, daemon=MTA, relay=mta.relay.de [xxx.xxx.x.x] myserver MailScanner[6012]: New Batch: Scanning 1 messages, 1501 bytes myserver MailScanner[6012]: Spam Checks: Starting myserver MailScanner[6012]: Message h8T9DHO07099 from xxx.xxx.x.xx (rsvp@blinddatefun.com) to MYDOMAIN is spam, SpamAssassin (score=27.133, required 5, BAYES_99 5.40, BLANK_LINES_70_80 2.13, CLICK_BELOW 0.10, DATE_IN_FUTURE_06_12 1.97, DCC_CHECK 2.91, FAKE_HELO_HOTMAIL 1.50, FORGED_HOTMAIL_RCVD 0.50, INVALID_DATE_TZ_ABSURD 1.78, MSGID_OUTLOOK_INVALID 4.10, MSGID_SPAM_ZEROES 4.10, RAZOR2_CF_RANGE_51_100 1.10, RAZOR2_CHECK 1.05, REMOVE_PAGE 0.50) myserver MailScanner[6012]: Spam Checks: Found 1 spam messages myserver MailScanner[6012]: Spam Actions: message h8T9DHO07099 actions are delete myserver MailScanner[6012]: Virus and Content Scanning: Starting Where can i change : Message h8T9DHO07099 from xxx.xxx.x.xx (rsvp@blinddatefun.com) to MYDOMAIN is spam into : Message h8T9DHO07099 from xxx.xxx.x.xx (rsvp@blinddatefun.com) to USER@MYDOMAIN is spam ? thanks Uwe -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031219/5c0e9e03/attachment.html From prandal at HEREFORDSHIRE.GOV.UK Fri Dec 19 10:26:21 2003 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:21:37 2006 Subject: Bayes Poisoning? Spam with negative BAYES Scores Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3F5@jessica.herefordshire.gov.uk> Remember that spammers have access to SpamAssassin too... 
We're seeing some obvious stuff slipping through here. I think the solution is keeping one's eye on what's getting through and writing custom rules to clobber it. I've also found that the bigevil.cf list helps (http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm) Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Pete > Sent: 19 December 2003 02:53 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Bayes Poisoning? Spam with negative BAYES Scores > > > Ken Anderson wrote: > > > Just .02.. > > For most of these, the bayes poisoning seems to be done in the > > text/plain portion of the email, while the html part is spammy. > > SA should be able to ignore the text/plain part completely > if there is a > > spammy html version. I'm not sure what/if anything has been > done along > > these lines. > > > > Ken A. > > Pacific.Net > > > > > > Nathan Johanson wrote: > > > >> Hello, > >> > >> A recent thread made brief reference to "bayes poisoning". We're > >> currently using SpamAssassin 2.60 and will upgrade to version 2.61 > >> shortly, but we have seen an increasing amount of spam > slipping through > >> the filters with negative BAYES scores. Very annoying: > >> > >> X-tcpnetworks-MailScanner: Found to be clean > >> X-tcpnetworks-MailScanner-SpamCheck: not spam, SpamAssassin > >> (score=-3.361, > >> required 4, BAYES_00 -4.90, HTML_IMAGE_ONLY_06 1.44, > >> HTML_MESSAGE 0.10) > >> > >> Is anyone else seeing this sort of thing? Any recommendations for > >> combating it? I noted the links to BigEvil custom rules (posted > >> earlier), but I'm starting to wonder if Bayes usefulness > is starting to > >> dwindle. Is there some way to prevent this poisoning? > >> > >> > >> help too. 
> >> > >> Nathan > >> > >> > > > > > > > I am starting to find that as the bayes DB is getting larger that more > spam is starting to get through. I have only installed 6 weeks ago and > in the last 2 weeks i have a steady increase in spam not > being trapped - > is there bayes maintenance i need to do? maybe its something > completely > unrelated, but it seemed logical to me. > From smilga at MIKROTIK.COM Fri Dec 19 12:01:52 2003 From: smilga at MIKROTIK.COM (Martins Smilga) Date: Thu Jan 12 21:21:37 2006 Subject: Problem with clamav datebase update References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3F5@jessica.herefordshire.gov.uk> Message-ID: <099c01c3c627$e3ea1960$6700010a@martinsss> Hello, When I run " /etc/MailScanner/autoupdate/clamav-autoupdate" I get error: ERROR: Can't open new file ./ec01e19365fe7b00 to write open: Permission denied ERROR: Can't download viruses.db from clamav.elektrapro.com May be someone know what it mean and how can I fix it. I have Debian 3 testing version. Thanks Martins From mailscanner at ecs.soton.ac.uk Fri Dec 19 12:13:59 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:37 2006 Subject: Problem with clamav datebase update In-Reply-To: <099c01c3c627$e3ea1960$6700010a@martinsss> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3F5@jessica.herefordshire.gov.uk> <099c01c3c627$e3ea1960$6700010a@martinsss> Message-ID: <6.0.1.1.2.20031219121351.0395fd38@imap.ecs.soton.ac.uk> Are you running this as root? At 12:01 19/12/2003, you wrote: >Hello, > >When I run " /etc/MailScanner/autoupdate/clamav-autoupdate" >I get error: > ERROR: Can't open new file ./ec01e19365fe7b00 to write >open: Permission denied >ERROR: Can't download viruses.db from clamav.elektrapro.com > >May be someone know what it mean and how can I fix it. >I have Debian 3 testing version. 
> >Thanks > >Martins -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From smilga at MIKROTIK.COM Fri Dec 19 12:18:22 2003 From: smilga at MIKROTIK.COM (Martins Smilga) Date: Thu Jan 12 21:21:37 2006 Subject: Problem with clamav datebase update References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3F5@jessica.herefordshire.gov.uk> <099c01c3c627$e3ea1960$6700010a@martinsss> <6.0.1.1.2.20031219121351.0395fd38@imap.ecs.soton.ac.uk> Message-ID: <0a4401c3c62a$321922a0$6700010a@martinsss> Hello, Yes, this is on server side or on my side. Which free antivirus for mailscanner you suggest. Martins ----- Original Message ----- From: "Julian Field" To: Sent: Friday, December 19, 2003 2:13 PM Subject: Re: Problem with clamav datebase update > Are you running this as root? > > At 12:01 19/12/2003, you wrote: > >Hello, > > > >When I run " /etc/MailScanner/autoupdate/clamav-autoupdate" > >I get error: > > ERROR: Can't open new file ./ec01e19365fe7b00 to write > >open: Permission denied > >ERROR: Can't download viruses.db from clamav.elektrapro.com > > > >May be someone know what it mean and how can I fix it. > >I have Debian 3 testing version. > > > >Thanks > > > >Martins > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From P.G.M.Peters at utwente.nl Fri Dec 19 12:20:36 2003 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:21:37 2006 Subject: Bayes Poisoning? Spam with negative BAYES Scores In-Reply-To: <3FE26817.5070507@eatathome.com.au> References: <3FE2110D.4000804@pacific.net> <3FE26817.5070507@eatathome.com.au> Message-ID: On Fri, 19 Dec 2003 13:53:11 +1100, you wrote: >I am starting to find that as the bayes DB is getting larger that more >spam is starting to get through. 
I have only installed 6 weeks ago and >in the last 2 weeks i have a steady increase in spam not being trapped - >is there bayes maintenance i need to do? maybe its something completely >unrelated, but it seemed logical to me. I save undetected spam and feed that into sa-learn. I am working on filters that do the same with spam that is detected but has a negative bayes score. -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From mailscanner at SMITS.CO.UK Fri Dec 19 13:45:28 2003 From: mailscanner at SMITS.CO.UK (Bart J. Smit) Date: Thu Jan 12 21:21:37 2006 Subject: block message on IP Message-ID: <001001c3c636$5cd98a00$8f14a8c0@clumpton.homeip.net> I would like to implement a feedback feature where users can send false negatives and positives to a set of mailboxes, say spam and nospam. These would be scanned by sa-learn every hour on a cron job. Of course it is far too easy for a spammer to submit their spam to nospam@mailscanner so I want to restrict the IP addresses that can submit mail to that box to the mail servers where my users are on. The MailScanner.conf doesn't seem to offer an option for blocking messages in a ruleset. The closest I have seen is to block encrypted and unencrypted messages on the same ruleset. Does this indeed block all messages? Is there perhaps an easier way to do this in sendmail? Thanks Bart... -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031219/f31b6e4b/attachment.html From martinh at SOLID-STATE-LOGIC.COM Fri Dec 19 13:49:56 2003 From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:21:37 2006 Subject: block message on IP In-Reply-To: <001001c3c636$5cd98a00$8f14a8c0@clumpton.homeip.net> References: <001001c3c636$5cd98a00$8f14a8c0@clumpton.homeip.net> Message-ID: <3FE30204.80106@solid-state-logic.com> Bart J. Smit wrote: > I would like to implement a feedback feature where users can send false > negatives and positives to a set of mailboxes, say spam and nospam. > These would be scanned by sa-learn every hour on a cron job. > > Of course it is far too easy for a spammer to submit their spam to > nospam@mailscanner so I want to restrict the > IP addresses that can submit mail to that box to the mail servers where > my users are on. > > The MailScanner.conf doesn't seem to offer an option for blocking > messages in a ruleset. The closest I have seen is to block encrypted and > unencrypted messages on the same ruleset. > > Does this indeed block all messages? Is there perhaps an easier way to > do this in sendmail? > > Thanks > > Bart... Bart I use a shared folder under Courier imap (should be able to do the same thing in MS-Exchange), and a script a I posted a few weeks ago the drag this into SA-learn. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. 
********************************************************************** From prandal at HEREFORDSHIRE.GOV.UK Fri Dec 19 13:52:14 2003 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:21:37 2006 Subject: block message on IP Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3FA@jessica.herefordshire.gov.uk> If you "send" these messages via MS Outlook the headers will be mangled and will be useless for spamassassin training. Drag and drop the messages into public folders on your exchange server and get them via IMAP for spamassassin training. Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Bart J. Smit Sent: 19 December 2003 13:45 To: MAILSCANNER@JISCMAIL.AC.UK Subject: block message on IP I would like to implement a feedback feature where users can send false negatives and positives to a set of mailboxes, say spam and nospam. These would be scanned by sa-learn every hour on a cron job. Of course it is far too easy for a spammer to submit their spam to nospam@mailscanner so I want to restrict the IP addresses that can submit mail to that box to the mail servers where my users are on. The MailScanner.conf doesn't seem to offer an option for blocking messages in a ruleset. The closest I have seen is to block encrypted and unencrypted messages on the same ruleset. Does this indeed block all messages? Is there perhaps an easier way to do this in sendmail? Thanks Bart... -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031219/d34c9412/attachment.html From campbell at CNPAPERS.COM Fri Dec 19 13:55:33 2003 From: campbell at CNPAPERS.COM (Stephe Campbell) Date: Thu Jan 12 21:21:37 2006 Subject: SIGPIPE log problem References: <069901c3c5a7$1be971c0$3f01a8c0@cnpapers.net> <6.0.1.1.2.20031219084521.035d8f50@imap.ecs.soton.ac.uk> Message-ID: <008601c3c637$c57fe4e0$d401a8c0@cnpapers.net> Thank you very much, Mr. Field. That seemed to fix it without me finding a way to break anything else (as far as I have determined). Steve Campbell campbell@cnpapers.com Charleston Newspapers ----- Original Message ----- From: "Julian Field" To: Sent: Friday, December 19, 2003 3:49 AM Subject: Re: SIGPIPE log problem > At 20:39 18/12/2003, you wrote: > >I looked back through the mail I keep for MailScanner, and found numerous > >responses about "I get these also", but no real solution to the problem of > >the 'SIGPIPE received - trying new log socket' maillog entries. > > > >I am running MS 4.24-5 & SA 2.61 on a stock RH 7.3 box. Does anyone have a > >suggestion? I'm not ready to do anymore upgrades after yesterday, so MS 4.25 > >will just have to wait if that's the answer. > > Take a look in /usr/lib/MailScanner/MailScanner/Log.pm. Right at the bottom > you will find a "sub LogText". 
Replace that whole sub with this:
>
> sub LogText {
>   my($logmessage, $level) = @_;
>
>   return unless $LogType eq 'syslog';
>
>   foreach(split /\n/,$logmessage) {
>     # Escape % so message text is never read as a syslog format directive
>     s/%/%%/g;
>     Sys::Syslog::syslog($level, $_);
>   }
> }
>
> 1;
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From pete at eatathome.com.au Fri Dec 19 14:20:40 2003
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:21:37 2006
Subject: block message on IP
In-Reply-To: <001001c3c636$5cd98a00$8f14a8c0@clumpton.homeip.net>
References: <001001c3c636$5cd98a00$8f14a8c0@clumpton.homeip.net>
Message-ID: <3FE30938.3070506@eatathome.com.au>

Bart J. Smit wrote:

> I would like to implement a feedback feature where users can send
> false negatives and positives to a set of mailboxes, say spam and
> nospam. These would be scanned by sa-learn every hour on a cron job.
>
> Of course it is far too easy for a spammer to submit their spam to
> nospam@mailscanner so I want to restrict
> the IP addresses that can submit mail to that box to the mail servers
> where my users are on.
>
> The MailScanner.conf doesn't seem to offer an option for blocking
> messages in a ruleset. The closest I have seen is to block encrypted
> and unencrypted messages on the same ruleset.
>
> Does this indeed block all messages? Is there perhaps an easier way to
> do this in sendmail?
>
> Thanks
>
> Bart...

Tis the job of the MTA to accept or not accept mail based on IP or
address, not mailscanner? Far more efficient in your case where you will
probably only want 1 or a small amount of subnets/sender domains to be
able to send to it?

What mail system are your clients using?
From campbell at CNPAPERS.COM Fri Dec 19 15:52:45 2003 From: campbell at CNPAPERS.COM (Stephe Campbell) Date: Thu Jan 12 21:21:37 2006 Subject: Include files option in spam.assassin.prefs References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3F5@jessica.herefordshire.gov.uk> Message-ID: <001401c3c648$250782a0$d401a8c0@cnpapers.net> Mr. Randal provided a link to a list that provided a lot of SA rules. I would assume that it would be a good idea to review them before inserting any of them into my files, but anyone who has looked at the list will realize that the list is very long and REGEXP is cryptically mesmerizing to view. Thank you very much Mr. Randal. My questions are short - Has any one tried this list of insertions as provided and what were the results? Is there a way to "#include" this file without copy/paste or any other common way to get these entries into the spam.assassin.prefs file? The "#include" option would provide a great way to maintain or test this without deleting and repasting every time the list changes, if it were to be used. Thanks Steve Campbell campbell@cnpapers.com Charleston Newspapers From prandal at HEREFORDSHIRE.GOV.UK Fri Dec 19 15:56:57 2003 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:21:37 2006 Subject: Include files option in spam.assassin.prefs Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C400@jessica.herefordshire.gov.uk> When you run spamassassin -D -p /etc/MailScanner/spam.assassin.prefs.conf --lint it lists near the start the directories it includes .cf files from. Normally, you'd expect to put additional site-wide rules in /etc/mail/spamassin We're using bigevil.cf, popcornonly.cf, weeds.cf, nov2rules.cf and Obfu1.cf plus a few other custom rules here. 
Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Stephe Campbell > Sent: 19 December 2003 15:53 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Include files option in spam.assassin.prefs > > > Mr. Randal provided a link to a list that provided a lot of > SA rules. I > would assume that it would be a good idea to review them > before inserting > any of them into my files, but anyone who has looked at the list will > realize that the list is very long and REGEXP is cryptically > mesmerizing to > view. Thank you very much Mr. Randal. > > My questions are short - > > Has any one tried this list of insertions as provided and > what were the > results? > > Is there a way to "#include" this file without copy/paste or any other > common way to get these entries into the spam.assassin.prefs file? The > "#include" option would provide a great way to maintain or > test this without > deleting and repasting every time the list changes, if it > were to be used. > > Thanks > > Steve Campbell > campbell@cnpapers.com > Charleston Newspapers > From prandal at HEREFORDSHIRE.GOV.UK Fri Dec 19 16:00:07 2003 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:21:37 2006 Subject: Include files option in spam.assassin.prefs Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C402@jessica.herefordshire.gov.uk> oops, can't type. /etc/mail/spamassassin and weedsonly.cf, not weeds.cf. The .cf files come from http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm, in case anyone is bewildfered and missed my earlier post. 
Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: Randal, Phil > Sent: 19 December 2003 15:57 > To: 'MailScanner mailing list' > Subject: RE: Include files option in spam.assassin.prefs > > > When you run > > spamassassin -D -p /etc/MailScanner/spam.assassin.prefs.conf --lint > > it lists near the start the directories it includes .cf files from. > > Normally, you'd expect to put additional site-wide rules in > /etc/mail/spamassin > > We're using bigevil.cf, popcornonly.cf, weeds.cf, > nov2rules.cf and Obfu1.cf plus a few other custom rules here. > > Cheers, > > Phil > > --------------------------------------------- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Stephe Campbell > > Sent: 19 December 2003 15:53 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Include files option in spam.assassin.prefs > > > > > > Mr. Randal provided a link to a list that provided a lot of > > SA rules. I > > would assume that it would be a good idea to review them > > before inserting > > any of them into my files, but anyone who has looked at the > list will > > realize that the list is very long and REGEXP is cryptically > > mesmerizing to > > view. Thank you very much Mr. Randal. > > > > My questions are short - > > > > Has any one tried this list of insertions as provided and > > what were the > > results? > > > > Is there a way to "#include" this file without copy/paste > or any other > > common way to get these entries into the > spam.assassin.prefs file? The > > "#include" option would provide a great way to maintain or > > test this without > > deleting and repasting every time the list changes, if it > > were to be used. 
> > > > Thanks > > > > Steve Campbell > > campbell@cnpapers.com > > Charleston Newspapers > > > From martinh at SOLID-STATE-LOGIC.COM Fri Dec 19 15:57:23 2003 From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:21:37 2006 Subject: Include files option in spam.assassin.prefs In-Reply-To: <001401c3c648$250782a0$d401a8c0@cnpapers.net> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3F5@jessica.herefordshire.gov.uk> <001401c3c648$250782a0$d401a8c0@cnpapers.net> Message-ID: <3FE31FE3.3010707@solid-state-logic.com> Stephe Campbell wrote: > Mr. Randal provided a link to a list that provided a lot of SA rules. I > would assume that it would be a good idea to review them before inserting > any of them into my files, but anyone who has looked at the list will > realize that the list is very long and REGEXP is cryptically mesmerizing to > view. Thank you very much Mr. Randal. > > My questions are short - > > Has any one tried this list of insertions as provided and what were the > results? > > Is there a way to "#include" this file without copy/paste or any other > common way to get these entries into the spam.assassin.prefs file? The > "#include" option would provide a great way to maintain or test this without > deleting and repasting every time the list changes, if it were to be used. > > Thanks > > Steve Campbell > campbell@cnpapers.com > Charleston Newspapers Steve I've been using the full bigevil/popcorn list for the last three weeks or so (cut and paste into the prefs file). Works quite nicely - only had one FP out of it which I trained up the bayes against it and that stopped that. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 84230 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. 
If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From Denis.Beauchemin at USHERBROOKE.CA Fri Dec 19 16:10:45 2003 From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:21:37 2006 Subject: question about logging ... In-Reply-To: <8DDE8CA53DC5F24DA4B7D074DDE8109F21CB5F@midgard.fep.fhg.de> References: <8DDE8CA53DC5F24DA4B7D074DDE8109F21CB5F@midgard.fep.fhg.de> Message-ID: <1071850245.8290.64.camel@dbeauchemin.sti.usherbrooke.ca> Uwe, If you look at the line: > > myserver MailScanner[6012]: Message h8T9DHO07099 from xxx.xxx.x.xx > > (rsvp@blinddatefun.com) to MYDOMAIN is spam, SpamAssassin > > (score=27.133, required 5, BAYES_99 5.40, BLANK_LINES_70_80 2.13, > > CLICK_BELOW 0.10, DATE_IN_FUTURE_06_12 1.97, DCC_CHECK 2.91, > > FAKE_HELO_HOTMAIL 1.50, FORGED_HOTMAIL_RCVD 0.50, > > INVALID_DATE_TZ_ABSURD 1.78, MSGID_OUTLOOK_INVALID 4.10, > > MSGID_SPAM_ZEROES 4.10, RAZOR2_CF_RANGE_51_100 1.10, RAZOR2_CHECK > > 1.05, REMOVE_PAGE 0.50) You get the message ID (in this case it is h8T9DHO07099) that you can grep in your log file to find the sender and destination. Denis -- Denis Beauchemin, analyste Universit? de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From ugob at CAMO-ROUTE.COM Fri Dec 19 16:32:57 2003 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:21:37 2006 Subject: Webmin. Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE2BC@mtlnt501fs.CAMOROUTE.COM> > The webmin module isnt very usefull (IMO), i reckon your better off > grabbing the guide on Julian's site for MailScanner.conf and changing > the options manually. Post questions to list if you need help - this way > you will actually learn to administer the software. Just my opinion of > course as a newish user. 
> > Thank you Pete for your information, and you probably are right. It also takes sometimes much time to determine an option in webmin due to lack of knowledge about the certain(s) options. -- IMHO, this is the only strenght, live documentation about the options. Look carefully. Ugo. From eja at URBAKKEN.DK Sat Dec 20 16:57:58 2003 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:37 2006 Subject: Webmin. In-Reply-To: <54C38A0B814C8E438EF73FC76F3629273AE2BC@mtlnt501fs.CAMOROUTE.COM> References: <54C38A0B814C8E438EF73FC76F3629273AE2BC@mtlnt501fs.CAMOROUTE.COM> Message-ID: <3FE47F96.1080505@urbakken.dk> Ugo Bellavance wrote: >>The webmin module isnt very usefull (IMO), i reckon your better off >>grabbing the guide on Julian's site for MailScanner.conf and changing >>the options manually. Post questions to list if you need help - this way >>you will actually learn to administer the software. Just my opinion of >>course as a newish user. >> >> > > Thank you Pete for your information, and you probably are right. It also > takes sometimes much time to determine an option in webmin due to lack > of knowledge about the certain(s) options. > -- > > IMHO, this is the only strenght, live documentation about the options. Look carefully. > > Ugo. > > Yes Ugo you are quite right :-) -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From mailscanner at SMITS.CO.UK Fri Dec 19 21:29:56 2003 From: mailscanner at SMITS.CO.UK (Bart J. Smit) Date: Thu Jan 12 21:21:37 2006 Subject: Migrate bayes database to new machine References: Message-ID: <000501c3c677$3f666970$8f14a8c0@clumpton.homeip.net> MessageThanks Nathan, I guess the dump / import cycle was ingrained from other database migrations. 
After a long and arduous dependency walk I managed to install the same
version of perl-DB_File rpm on RHES 3 as I had on RH8.0 and the database
rebuild went through without errors. Mail latency through MS is now seconds
instead of minutes :-)

Thanks again,

Bart...

----- Original Message -----
From: Nathan Johanson
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: Tuesday, December 16, 2003 5:05 AM
Subject: Re: Migrate bayes database to new machine

I recently migrated a bayes db to a new server. The following worked for me:

1) Install the same version of SpamAssassin on both machines. You also want
   to make sure the DB_File perl module is at (or near) the same version
   number, as well as any associated DB3 packages. I migrated from RH 7.2 to
   RHEL ES 2.1, so my perl installations and other packages were almost
   identical.

2) Shutdown the MailScanner service and rebuild the bayes db on the old
   machine. I used the following command:

   sa-learn -D -p /etc/MailScanner/spam.assassin.prefs.conf --rebuild

3) Copy the bayes db to the same location on the new machine (make sure the
   permissions match). I store bayes in /var/spool/spamassassin/bayes and
   indicated this in spam.assassin.prefs.conf.

4) Start the MailScanner services and check the logs for BAYES scores. You
   can also run the above sa-learn command again (with the -D switch) to
   check for any possible errors.

That's it!

Nathan

-----Original Message-----
From: Bart J. Smit [mailto:mailscanner@SMITS.CO.UK]
Sent: Monday, December 15, 2003 4:45 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Migrate bayes database to new machine

I have built a new MS machine to relieve the strain on the humble hardware
of the old relay. Prior to cutting over, I would like to migrate the bayes
database to give the new box a running start.
I tried these commands: on the old box: sa-learn --dump all > /tmp/badump copy this file to the new box and do: sa-learn --import /tmp/badump This comes back with: # bayes upgrade_old_dbm_files: unable to find bayes_toks and bayes_seen, stopping I have tried with pointing both sa-learn commands to their respective database paths (/root/.spammassasin/bayes) and preferences (/etc/MailScanner/spam.assassin.prefs.conf). I have rebuilt the latest spamassasin (2.61-1) from source RPM and upgraded it on both boxes, but still I get the error. I'm obviously missing something simple. Any clues? Bart... From rcooper at DIMENSION-FLM.COM Fri Dec 19 19:27:36 2003 From: rcooper at DIMENSION-FLM.COM (Rick Cooper) Date: Thu Jan 12 21:21:37 2006 Subject: Include files option in spam.assassin.prefs In-Reply-To: <001401c3c648$250782a0$d401a8c0@cnpapers.net> Message-ID: > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Stephe Campbell > Sent: Friday, December 19, 2003 10:53 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Include files option in spam.assassin.prefs > > > Mr. Randal provided a link to a list that provided a > lot of SA rules. I > would assume that it would be a good idea to review > them before inserting > any of them into my files, but anyone who has looked > at the list will > realize that the list is very long and REGEXP is > cryptically mesmerizing to > view. Thank you very much Mr. Randal. > > My questions are short - > > Has any one tried this list of insertions as provided > and what were the > results? > I use bigevillist, FVGT,OACYS, backhair, weeds, chickenpox, popcorn (and some of my own). They seem to do a good job 99.99% of the time, I get a few FPs from the bigevillist, but I just prune those out as they come. > Is there a way to "#include" this file without > copy/paste or any other > common way to get these entries into the > spam.assassin.prefs file? 
The

Put them in /etc/mail/spamassassin as xxx.cf. so weeds might be
/etc/mail/spamassassin/weeds.cf, popcorn /etc/mail/spamassassin/popcorn.cf.
SA will parse anything located in /etc/mail/spamassassin ending with .cf as a
config file. Then replace the file with new contents whenever they change.

Rick

From drew at THEMARSHALLS.CO.UK Fri Dec 19 19:32:18 2003
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:21:37 2006
Subject: MailScanner/Postfix message duplication - possible fix
In-Reply-To: <1071773318.8590.11.camel@localhost.localdomain>
References: <229A346E44379140A59A48951B56E0C0D405D6@ARLABML01.DS.ARL.ARMY.MIL> <1071773318.8590.11.camel@localhost.localdomain>
Message-ID: <3FE35242.9000607@themarshalls.co.uk>

Well it's now in place and working so we'll have to wait and see. I'll
let you know what happens. Hopefully this could just be the Postfix
solution ;-)

Drew

Lindsay Snider wrote:

>On Thu, 2003-12-18 at 13:21, Kash, Howard (Civ,ARL/CISD) wrote:
>
>
>>I'm beginning to think you are correct. My patch doesn't seem to help.
>>Here is one method suggested by Peter Bates for putting messages in
>>the hold queue:
>>
>>
>>
>>
>>>I'm using MS with Postfix in a slightly 'non-standard' way, but which
>>>is working fine for 13-15K messages we deal with (actually it might be
>>>more, I never bothered counting our outgoing email!)...
>>>
>>>I'm using a 'header_check' like so:
>>>
>>>In main.cf -
>>>header_checks = pcre:/etc/postfix/header_checks
>>>
>>>In header_checks -
>>>
>>>/^Received:.*by .*\.lshtm.ac.uk \(Postfix\)/ HOLD
>>>
>>>This puts the incoming mail in the 'hold' queue, and then
>>>I have in MailScanner.conf -
>>>
>>>Incoming Queue Dir = /var/spool/postfix/hold
>>>Outgoing Queue Dir = /var/spool/postfix/incoming
>>>
>>>
>>I think I'll give this a try.
>> >> > >We have been using the hold method here since Julian added postfix >support. Our site is rather large and we use it across a couple of >versions of postfix 2.x. So far, it has worked great. > > > >>Howard >> >> >>-----Original Message----- >>From: Drew Marshall [mailto:drew@THEMARSHALLS.CO.UK] >>Sent: Tuesday, December 16, 2003 5:54 PM >>To: MAILSCANNER@JISCMAIL.AC.UK >>Subject: Re: MailScanner/Postfix message duplication - possible fix >> >> >>I wonder if this is only part of the story. Not being a programmer (Or >>even someone who 'tinkers with code'!) please forgive me if I am being >>stupid or just plain don't understand :-) >> >>The queue manager runs the queues when it's either called by receipt of >>a 1byte message from another part of Postfix or when it's inactivity >>timer times out (As set in the master.cf file). I had a play with this >>to start with and when I set the idle timer to 28 days I still got >>duplicates and the 'skipped' log entry from when MailScanner happened to >>be picking up a queued file and the queue runner had been called by >>smtpd because it had just received a message. In some instances (One >>larger message of 9Mb) this meant on my slow system that I didn't just >>get duplicates but I got the damn thing 5 times, in various states of >>delivery as it spooled into the deferred queue. >> >>Now my gamble is that moving your times to 40 seconds or even more will >>probably not cure the problem as if your system is fairly busy the queue >>runner will be almost continuously running through the deferred queue as >>it collects mail and checks for messages that are due for attempted >>redelivery (I guess this happens on every visit to the queue to ensure >>that ageing messages are not left in deferred for too long). It's that >>check that could be the problem. If MS is just about to collect the >>message when the queue runner inspects the message for age (Not worth >>locking for? Don't know?) 
then the two paps collide and cause the >>situation as seen. It won't matter how long you tell MS to leave the >>message there for, the queue runner could still bump into the >>collection. On my much quieter system it will probably work more >>reliably for longer as the queue runner will be called less by smtpd an >>more by the inactivity timer. >> >>One way round this could be to send the messages to the hold queue as >>the queue runner never runs in there. Now just to get the messages >>there... >> >>As I say I could be talking rubbish and I'll go away and keep going with >>what ever experiment people want to fix this issue but I though it was >>worth knocking some thoughts about. >> >>Regards >> >>Drew >> >> >-- >Lindsay Snider > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031219/0505d965/attachment.html From chris at fractalweb.com Fri Dec 19 20:52:50 2003 From: chris at fractalweb.com (Chris Yuzik) Date: Thu Jan 12 21:21:37 2006 Subject: spam actions ruleset Message-ID: <1071867170.21839.12.camel@venus.fractal> Hi, I would like to have a little more flexibility with regards to "What to do with spam". Most users wish to receive the spam as an attachment, but now a few users have requested that all spam to them just be deleted. I see in MailScanner.conf that "This can also be the filename of a ruleset." So, what I would like to do is the following: user1@domain1.com delete user5@domain27.com delete user8@domain5.com forward spamarchive@domain5.com everyone else attachment deliver Will this work? Do I have the format correct? Thanks, Chris From campbell at CNPAPERS.COM Fri Dec 19 21:28:36 2003 From: campbell at CNPAPERS.COM (Stephe Campbell) Date: Thu Jan 12 21:21:37 2006 Subject: Include files option in spam.assassin.prefs References: Message-ID: <000b01c3c677$1000c680$d401a8c0@cnpapers.net> Thank you all for the excellent replies. 
It never dawned on me to use the /etc/mail/spamassassin folder for
"local" stuff since I have tried to stay away from the local.cf file in
there. I always thought it was taboo.

I have put the EvilList to work and it seems to help quite a bit. Maybe
some of the other lists will follow.

Everyone have a nice weekend and if I don't break anything else requiring
help before next Thursday.....Merry Christmas!

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

From aalsup at USDLA.COM Fri Dec 19 22:35:39 2003
From: aalsup at USDLA.COM (Andy Alsup)
Date: Thu Jan 12 21:21:37 2006
Subject: Spam from (forged) whitelist domain
Message-ID: <3FE37D3B.3080108@usdla.com>

I see a nontrivial volume of Spam that gets through to users using
forged headers with my domain as the from. These are typically to:
user@mydomain from: user@mydomain

My domain is whitelisted, so when a forged header comes along, I get a
spam score that would have dealt with the spam, but it is whitelisted,
so delivered anyway.

Is there a way to deal with this?

Thanks.

From rzewnickie at RFA.ORG Fri Dec 19 22:51:54 2003
From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki)
Date: Thu Jan 12 21:21:37 2006
Subject: Spam from (forged) whitelist domain
In-Reply-To: <3FE37D3B.3080108@usdla.com>
References: <3FE37D3B.3080108@usdla.com>
Message-ID: <20031219225154.GB19962@rfa.org>

Just a thought, and I'm not sure this is correct, but perhaps you can
whitelist your domain by IP instead of by name.

-Eric Rz.

On Fri, Dec 19, 2003 at 02:35:39PM -0800, Andy Alsup wrote:
> I see a nontrivial volume of Spam that gets through to users using
> forged headers with my domain as the from. These are typically to:
> user@mydomain from: user@mydomain
>
> My domain is whitelisted, so when a forged header comes along, I get a
> spam score that would have dealt with the spam, but it is whitelisted,
> so delivered anyway.
>
> Is there a way to deal with this?
>
> Thanks.
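
Added example (not part of the thread and not MailScanner's own code): a simplified Python model of first-match ruleset lookup, using the "Direction: pattern value" ruleset syntax that appears elsewhere in this archive, to show why a whitelist rule keyed on the sender's domain passes the forged message described above while a rule keyed on the sending IP does not. The domain mydomain.example, the 192.0.2.0/24 and 203.0.113.77 addresses, the yes/no values and every function name are constructed for illustration; first-match evaluation and CIDR-only IP patterns are assumptions of this model.

```python
import fnmatch
import ipaddress

# Constructed sample rulesets; the value answers "is this message whitelisted?".
DOMAIN_WHITELIST = """
From:     *@mydomain.example  yes
FromOrTo: default             no
"""
IP_WHITELIST = """
From:     192.0.2.0/24        yes   # the site's own mail servers (constructed)
FromOrTo: default             no
"""

# Constructed messages: same sender address, different connecting hosts.
GENUINE = {"sender": "user@mydomain.example", "recipient": "user@mydomain.example",
           "client_ip": "192.0.2.25"}
FORGED = {"sender": "user@mydomain.example", "recipient": "user@mydomain.example",
          "client_ip": "203.0.113.77"}


def parse_ruleset(text):
    """Turn 'Direction: pattern value' lines into (direction, pattern, value) tuples."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(None, 2)
        if len(fields) == 3:
            rules.append((fields[0].rstrip(":").lower(), fields[1], fields[2].strip()))
    return rules


def pattern_matches(pattern, address, client_ip):
    """Match one pattern against an address and, for IP patterns, the connecting host."""
    if pattern == "default":
        return True
    try:
        network = ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        # Not an IP pattern: treat it as an address glob such as *@domain.
        return fnmatch.fnmatchcase(address.lower(), pattern.lower())
    # An IP pattern describes the connecting host, so it can only match the From side.
    return client_ip is not None and ipaddress.ip_address(client_ip) in network


def lookup(rules, sender, recipient, client_ip):
    """Return the value of the first rule that matches (assumed first-match semantics)."""
    for direction, pattern, value in rules:
        from_hit = pattern_matches(pattern, sender, client_ip)
        to_hit = pattern_matches(pattern, recipient, None)
        hit = {"from": from_hit, "to": to_hit,
               "fromorto": from_hit or to_hit,
               "fromandto": from_hit and to_hit}.get(direction, False)
        if hit:
            return value
    return None


def is_whitelisted(ruleset_text, message):
    rules = parse_ruleset(ruleset_text)
    return lookup(rules, message["sender"], message["recipient"],
                  message["client_ip"]) == "yes"


if __name__ == "__main__":
    for ruleset_name, ruleset in (("domain rule", DOMAIN_WHITELIST),
                                  ("IP rule", IP_WHITELIST)):
        for label, message in (("genuine", GENUINE), ("forged", FORGED)):
            verdict = "whitelisted" if is_whitelisted(ruleset, message) else "scored normally"
            print(f"{ruleset_name:12} {label:8} from {message['client_ip']:14} -> {verdict}")
```

The sender address is supplied by whoever connects, so only the IP rule separates the two messages; the forged one then falls through to the default and keeps its spam score.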
From david at PLATFORMHOSTING.COM Sat Dec 20 02:03:38 2003
From: david at PLATFORMHOSTING.COM (David Hooton)
Date: Thu Jan 12 21:21:37 2006
Subject: Sig Rulesets not working?!
Message-ID: <61460.220.244.85.102.1071885818.squirrel@mail.platformhosting.net>

Hi All,

I'm running MS 4.25-6 on a RedHat box with Sendmail and have an
intermittent issue with signature rulesets not working as expected.

I have one customer who gets incredibly irate if our standard footer is
stuck on his email so I've setup the following rules pointing to a blank
file to stop him getting a footer.

sig.txt.rules contains:

FromOrTo: *@customer.com /etc/MailScanner/reports/en/grumpy.sig.txt
FromOrTo: default /etc/MailScanner/reports/en/inline.sig.txt

sig.html.rules contains:

FromOrTo: *@customer.com /etc/MailScanner/reports/en/grumpy.sig.html
FromOrTo: default /etc/MailScanner/reports/en/inline.sig.html

For some reason at the moment it's putting our standard footer on all
email going to him, I have spent a lot of time trying to work out why,
but for the life of me can't work it out.

MailScanner.conf has the following settings:

Inline HTML Signature = %rules-dir%/sig.html.rules
Inline Text Signature = %rules-dir%/sig.txt.rules

Can anyone help?

--
Regards,

David Hooton

========================================================================
This message has been scanned for spam & viruses by Mail Security.
To report SPAM forward the message to: spam@mailsecurity.net.au
Mail Security www.mailsecurity.net.au
========================================================================

From jaearick at COLBY.EDU Sat Dec 20 03:09:11 2003
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:21:37 2006
Subject: bigevil usage... confused
Message-ID:

Gang,
   I've been following the "bigevil.cf" thread...
I downloaded it and put it into /etc/mail/spamassassin,
then did

spamassassin -D -p /opt/MailScanner/etc/spam.assassin.prefs.conf --lint

and saw:

debug: using "/opt/perl5/share/spamassassin" for default rules dir
debug: using "/etc/opt/mail/spamassassin" for site rules dir
debug: using "/home/admin/jaearick/.spamassassin" for user state dir
debug: using "/opt/MailScanner/etc/spam.assassin.prefs.conf" for user prefs file

with *no* reference to bigevil.cf anywhere in the output.

Hmmm... I looked in /etc/opt/mail/spamassassin and found another
local.cf file. So I blew away this directory and made a symlink for
this dir pointing to /etc/mail/spamassassin. This directory contains
a symlink for local.cf, which points to
/opt/MailScanner/etc/spam.assassin.prefs.conf

Tried the lint run again, still no reference to bigevil.cf in the output.
Should I see one? What have I snarled up here? How to see if bigevil
is getting used (no references to BigEvilList in the SA syslogging
either). Help.

Jeff Earickson
Colby College

From bnixon at NIXTECH.NET Sat Dec 20 04:25:27 2003
From: bnixon at NIXTECH.NET (bnixon)
Date: Thu Jan 12 21:21:37 2006
Subject: bigevil usage... confused
In-Reply-To:
Message-ID: <000501c3c6b1$4bd61c20$3e00a8c0@nixtech.net>

Put it in /etc/mail/spamassassin/

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
Behalf Of Jeff A. Earickson
Sent: Friday, December 19, 2003 7:09 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: bigevil usage... confused

Gang,
   I've been following the "bigevil.cf" thread...
I downloaded it and put it into /etc/mail/spamassassin,
then did

spamassassin -D -p /opt/MailScanner/etc/spam.assassin.prefs.conf --lint

and saw:

debug: using "/opt/perl5/share/spamassassin" for default rules dir
debug: using "/etc/opt/mail/spamassassin" for site rules dir
debug: using "/home/admin/jaearick/.spamassassin" for user state dir
debug: using "/opt/MailScanner/etc/spam.assassin.prefs.conf" for user prefs file

with *no* reference to bigevil.cf anywhere in the output.

Hmmm... I looked in /etc/opt/mail/spamassassin and found another
local.cf file. So I blew away this directory and made a symlink for
this dir pointing to /etc/mail/spamassassin. This directory contains
a symlink for local.cf, which points to
/opt/MailScanner/etc/spam.assassin.prefs.conf

Tried the lint run again, still no reference to bigevil.cf in the output.
Should I see one? What have I snarled up here? How to see if bigevil
is getting used (no references to BigEvilList in the SA syslogging
either). Help.

Jeff Earickson
Colby College

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.

From mailscanner at SMITS.CO.UK Sat Dec 20 11:34:52 2003
From: mailscanner at SMITS.CO.UK (Bart J. Smit)
Date: Thu Jan 12 21:21:37 2006
Subject: block message on IP
References: <001001c3c636$5cd98a00$8f14a8c0@clumpton.homeip.net> <3FE30938.3070506@eatathome.com.au>
Message-ID: <000c01c3c6ed$4900e4d0$0106a8c0@bart>

Thanks Pete,

How do I set up sendmail to only accept mail for a local mailbox from a set
of IP's?

E.g. I have spam@mailscanner.mydomain.com and
nospam@mailscanner.mydomain.com. These mailboxes are only allowed to receive
mail from 61.62.113.114 and 113.165.29.39.
I'm sure it is much more efficient to block messages in sendmail but I find
MS much easier to configure.

Will the block encrypted/block unencrypted rules work as well?

Bart...

----- Original Message -----
From: "Pete"
To:
Sent: Friday, December 19, 2003 2:20 PM
Subject: Re: block message on IP

> Bart J. Smit wrote:
>
> > I would like to implement a feedback feature where users can send
> > false negatives and positives to a set of mailboxes, say spam and
> > nospam. These would be scanned by sa-learn every hour on a cron job.
> >
> > Of course it is far too easy for a spammer to submit their spam to
> > nospam@mailscanner so I want to restrict
> > the IP addresses that can submit mail to that box to the mail servers
> > where my users are on.
> >
> > The MailScanner.conf doesn't seem to offer an option for blocking
> > messages in a ruleset. The closest I have seen is to block encrypted
> > and unencrypted messages on the same ruleset.
> >
> > Does this indeed block all messages? Is there perhaps an easier way to
> > do this in sendmail?
> >
> > Thanks
> >
> > Bart...
>
> Tis the job of the MTA to accept or not accept mail based on IP or
> address, not mailscanner? Far more efficient in your case where you will
> probably only want 1 or a small amount of subnets/sender domains to be
> able to send to it?
>
> What mail system your clients using?
>

From mailscanner at SMITS.CO.UK Sat Dec 20 11:38:15 2003
From: mailscanner at SMITS.CO.UK (Bart J. Smit)
Date: Thu Jan 12 21:21:37 2006
Subject: block message on IP
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3FA@jessica.herefordshire.gov.uk>
Message-ID: <001201c3c6ed$c1d5a9e0$0106a8c0@bart>

Thanks Phil,

I use public folders for the local Exchange users, but some external
servers either don't use Exchange or won't allow IMAP access from the
Internet.

Will the header mangling make the message unusable by sa-learn? These are
messages that MS has already seen.
The purpose of sending them back is only to fine tune the bayesian
filter. I would have thought that bayes only cares about tokens in the
body, not so much the headers?

Bart...

----- Original Message -----
From: Randal, Phil
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: Friday, December 19, 2003 1:52 PM
Subject: Re: block message on IP

If you "send" these messages via MS Outlook the headers will be mangled
and will be useless for spamassassin training.

Drag and drop the messages into public folders on your exchange server
and get them via IMAP for spamassassin training.

Cheers,

Phil
---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
Behalf Of Bart J. Smit
Sent: 19 December 2003 13:45
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: block message on IP

I would like to implement a feedback feature where users can send false
negatives and positives to a set of mailboxes, say spam and nospam. These
would be scanned by sa-learn every hour on a cron job.

Of course it is far too easy for a spammer to submit their spam to
nospam@mailscanner so I want to restrict the IP addresses that can submit
mail to that box to the mail servers where my users are on.

The MailScanner.conf doesn't seem to offer an option for blocking
messages in a ruleset. The closest I have seen is to block encrypted and
unencrypted messages on the same ruleset.

Does this indeed block all messages? Is there perhaps an easier way to do
this in sendmail?

Thanks

Bart...

From mailscanner at ecs.soton.ac.uk Sat Dec 20 11:53:09 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:37 2006
Subject: spam actions ruleset
In-Reply-To: <1071867170.21839.12.camel@venus.fractal>
References: <1071867170.21839.12.camel@venus.fractal>
Message-ID: <6.0.1.1.2.20031220115124.0280a4c0@imap.ecs.soton.ac.uk>

There are docs and examples in /etc/MailScanner/rules.
You are nearly right, but you need to specify the direction of the mail
to check. And "everyone else" is "default". So your ruleset becomes

To: user1@domain1.com delete
To: user5@domain27.com delete
To: user8@domain5.com forward spamarchive@domain5.com
FromOrTo: default attachment deliver

At 20:52 19/12/2003, you wrote:
>Hi,
>
>I would like to have a little more flexibility with regards to "What to
>do with spam". Most users wish to receive the spam as an attachment, but
>now a few users have requested that all spam to them just be deleted.
>
>I see in MailScanner.conf that "This can also be the filename of a
>ruleset."
>
>So, what I would like to do is the following:
>
>user1@domain1.com delete
>user5@domain27.com delete
>user8@domain5.com forward spamarchive@domain5.com
>everyone else attachment deliver
>
>Will this work? Do I have the format correct?
>
>Thanks,
>Chris

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Sat Dec 20 11:59:22 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:37 2006
Subject: bigevil usage... confused
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20031220115702.02863cb8@imap.ecs.soton.ac.uk>

At 03:09 20/12/2003, you wrote:
>Gang,
>   I've been following the "bigevil.cf" thread... I
>downloaded it and put it into /etc/mail/spamassassin,
>then did
>
>spamassassin -D -p /opt/MailScanner/etc/spam.assassin.prefs.conf --lint
>
>and saw:
>
>debug: using "/opt/perl5/share/spamassassin" for default rules dir
>debug: using "/etc/opt/mail/spamassassin" for site rules dir
>debug: using "/home/admin/jaearick/.spamassassin" for user state dir
>debug: using "/opt/MailScanner/etc/spam.assassin.prefs.conf" for user
>prefs file
>
>with *no* reference to bigevil.cf anywhere in the output.
>
>Hmmm...
I looked in /etc/opt/mail/spamassassin and found another
>local.cf file. So I blew away this directory and made a symlink for
>this dir pointing to /etc/mail/spamassassin. This directory contains
>a symlink for local.cf, which points to
>/opt/MailScanner/etc/spam.assassin.prefs.conf
>
>Tried the lint run again, still no reference to bigevil.cf in the output.
>Should I see one? What have I snarled up here? How to see if bigevil
>is getting used (no references to BigEvilList in the SA syslogging
>either). Help.

Never forget that Unix filesystems log the time each file was last accessed.
So if you wait a couple of minutes, run your lint command, and then do

    ls -lu /etc/mail/spamassassin

then it will print the "last used" time instead of the last modification
time. If the datestamp is now and not a couple of minutes ago, then the
file has been read by something.

Very simple technique, but occasionally extremely useful.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Sat Dec 20 11:54:50 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:37 2006
Subject: Spam from (forged) whitelist domain
In-Reply-To: <20031219225154.GB19962@rfa.org>
References: <3FE37D3B.3080108@usdla.com> <20031219225154.GB19962@rfa.org>
Message-ID: <6.0.1.1.2.20031220115352.027f7b28@imap.ecs.soton.ac.uk>

Exactly what I was about to suggest. You can use pretty much any of the
standard/common ways of expressing IP ranges and network subnets.

At 22:51 19/12/2003, you wrote:
>Just a thought, and I'm not sure this is correct, but perhaps you can
>whitelist your domain by IP instead of by name.
>
>-Eric Rz.
>
>On Fri, Dec 19, 2003 at 02:35:39PM -0800, Andy Alsup wrote:
> > I see a nontrivial volume of Spam that gets through to users using
> > forged headers with my domain as the from. These are typically to:
> > user@mydomain from: user@mydomain
> >
> > My domain is whitelisted, so when a forged header comes along, I get a
> > spam score that would have dealt with the spam, but it is whitelisted,
> > so delivered anyway.
> >
> > Is there a way to deal with this?
> >
> > Thanks.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at SMITS.CO.UK Sat Dec 20 13:57:35 2003
From: mailscanner at SMITS.CO.UK (Bart J. Smit)
Date: Thu Jan 12 21:21:37 2006
Subject: Rejecting Mail at RCPT
References: <6.0.0.22.0.20031218101742.02dd8560@mail.enhtech.com> <6.0.0.22.0.20031218132154.02e10c18@mail.enhtech.com> <6.0.0.22.0.20031218135607.02e0b768@mail.enhtech.com>
Message-ID: <01a601c3c701$38a3f5f0$0106a8c0@bart>

I am very interested in getting this to work, but I don't have enough
sendmail knowledge and I'm not sure where to start. Are there any howto's
on this? I checked the sendmail documentation at
http://www.sendmail.org/m4/ldap.html and googled for some more but
couldn't quite work it out.

The scenario I would like to use this in is:

- MS filtering mail for several external domains
- Sendmail checking the various LDAP servers through SSL (anonymous?) queries
- Mail bouncing for anything not found in the directories

Any help with this would be very much appreciated.

Bart...

----- Original Message -----
From: "Errol Neal"
To:
Sent: Thursday, December 18, 2003 6:57 PM
Subject: Re: Rejecting Mail at RCPT

> At 01:37 PM 12/18/2003, you wrote:
> >At 12:06 PM 12/18/2003, you wrote:
> >>Hi!
> >>
> >> > >Put your users in LDAP and check with LDAP on your frontend servers.
> >> > >Bye,
> >> > >Raymond
> >> >
> >> >
> >> > I have not tested this, but does this work when sendmail is run in
> >> > queueonly delivery mode?
> >>
> >>Its in queueonly, but still it should check RCPT, thats what it does now
> >>also. Your access file also still works :)
> >
>
> Along this subject. Can the access, mailertable and the ldaprouting feature
> all work together?
>
>
> Errol Neal
>
>
> Errol U. Neal Jr., Systems Administrator
> Enhanced Technologies, Inc. - The Business Grade Hosting Specialists
> http://www.enhtech.com
> 703-924-0301 or 800-368-3249
> 703-997-0839 Fax
>

From pete at eatathome.com.au Sat Dec 20 12:16:01 2003
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:21:37 2006
Subject: block message on IP
Message-ID: <3FE43D81.3070504@eatathome.com.au>

-------- Original Message --------
From: - Sat Dec 20 23:13:58 2003
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00800000
Message-ID: <3FE43D02.6080500@eatathome.com.au>
Date: Sat, 20 Dec 2003 23:13:54 +1100
From: Pete
Reply-To: pete@eatathome.com.au
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) Gecko/20031013 Thunderbird/0.3
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Bart J. Smit
Subject: Re: block message on IP
References: <001001c3c636$5cd98a00$8f14a8c0@clumpton.homeip.net> <3FE30938.3070506@eatathome.com.au> <000c01c3c6ed$4900e4d0$0106a8c0@bart>
In-Reply-To: <000c01c3c6ed$4900e4d0$0106a8c0@bart>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Bart J. Smit wrote:

>Thanks Pete,
>
>How do I set up sendmail to only accept mail for a local mailbox from a set
>of IP's?
>
>E.g. I have spam@mailscanner.mydomain.com and
>nospam@mailscanner.mydomain.com. These mailboxes are only allowed to receive
>mail from 61.62.113.114 and 113.165.29.39.
>
>I'm sure it is much more efficient to block messages in sendmail but I find
>MS much easier to configure.
>
>Will the block encrypted/block unencrypted rules work as well?
>
>Bart...
>
>----- Original Message -----
>From: "Pete"
>To:
>Sent: Friday, December 19, 2003 2:20 PM
>Subject: Re: block message on IP
>
>
>
>
>>Bart J. Smit wrote:
>>
>>
>>
>>>I would like to implement a feedback feature where users can send
>>>false negatives and positives to a set of mailboxes, say spam and
>>>nospam. These would be scanned by sa-learn every hour on a cron job.
>>>
>>>Of course it is far too easy for a spammer to submit their spam to
>>>nospam@mailscanner so I want to restrict
>>>the IP addresses that can submit mail to that box to the mail servers
>>>where my users are on.
>>>
>>>The MailScanner.conf doesn't seem to offer an option for blocking
>>>messages in a ruleset. The closest I have seen is to block encrypted
>>>and unencrypted messages on the same ruleset.
>>>
>>>Does this indeed block all messages? Is there perhaps an easier way to
>>>do this in sendmail?
>>>
>>>Thanks
>>>
>>>Bart...
>>>
>>>
>>Tis the job of the MTA to accept or not accept mail based on IP or
>>address, not mailscanner? Far more efficient in your case where you will
>>probably only want 1 or a small amount of subnets/sender domains to be
>>able to send to it?
>>
>>What mail system your clients using?
>>
>>
>>
>
>
>
>
>
>
I forget all i knew (which could be written on a rabbit turd) about
sendmail - i think its called the access table?

From pete at eatathome.com.au Sat Dec 20 12:16:23 2003
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:21:37 2006
Subject: Bayes Poisoning?
Spam with negative BAYES Scores - ahhhh
Message-ID: <3FE43D97.9040402@eatathome.com.au>

-------- Original Message --------
From: - Sat Dec 20 22:36:03 2003
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00800000
Message-ID: <3FE4341E.5020900@eatathome.com.au>
Date: Sat, 20 Dec 2003 22:35:58 +1100
From: Pete
Reply-To: pete@eatathome.com.au
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) Gecko/20031013 Thunderbird/0.3
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: peter.peters@utwente.nl
Subject: Re: Bayes Poisoning? Spam with negative BAYES Scores - ahhhh
References: <3FE2110D.4000804@pacific.net> <3FE26817.5070507@eatathome.com.au>
In-Reply-To:
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Peter Peters wrote:

>On Fri, 19 Dec 2003 13:53:11 +1100, you wrote:
>
>
>
>>I am starting to find that as the bayes DB is getting larger that more
>>spam is starting to get through. I have only installed 6 weeks ago and
>>in the last 2 weeks i have a steady increase in spam not being trapped -
>>is there bayes maintenance i need to do? maybe its something completely
>>unrelated, but it seemed logical to me.
>>
>>
>
>I save undetected spam and feed that into sa-learn. I am working on
>filters that do the same with spam that is detected but has a negative
>bayes score.
>
>--
>Peter Peters, senior network administrator
>Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
>Universiteit Twente, Postbus 217, 7500 AE Enschede
>telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ
>
>
>
Hi and thanks - i currently don't have the option for creating
spam/notspam mail accounts - and the count of spam being let through is
now starting to become a huge issue - heaps of spam is not being trapped,
or the reason Nathan pointed out above - Nathan, have you found some type
of fix? I am no guru at this and don't want to have a long list of SA
custom rules i don't know a lot about. Are these the only 2 options i have?
or delete or stop using bayes?

From jaearick at COLBY.EDU Sat Dec 20 14:16:55 2003
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:21:37 2006
Subject: bigevil usage... confused
In-Reply-To: <6.0.1.1.2.20031220115702.02863cb8@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20031220115702.02863cb8@imap.ecs.soton.ac.uk>
Message-ID:

Julian,
   "ls -lu" shows that /etc/mail/spamassassin/bigevil.cf (perms = 644)
isn't being used, even though the local.cf symlink in /etc/mail/spamassassin
(pointing to /opt/MailScanner/etc/spam.assassin.prefs.conf) is. The
times differ substantially. But if I run the lint command (below),
then both local.cf and bigevil.cf have their times updated, even though
the lint output makes no explicit mention of bigevil.cf. Still no
references to bigevil in the syslog for SA. Running SA 2.61; now I'm
very confused. Maybe I missed some incantation when I built/installed 2.61.
Or maybe I have to refer to bigevil.cf somehow in spam.assassin.prefs.conf.
Any more ideas?

Jeff

On Sat, 20 Dec 2003, Julian Field wrote:

> Date: Sat, 20 Dec 2003 11:59:22 +0000
> From: Julian Field
> Reply-To: MailScanner mailing list
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: bigevil usage... confused
>
> At 03:09 20/12/2003, you wrote:
> >Gang,
> >   I've been following the "bigevil.cf" thread... I
> >downloaded it and put it into /etc/mail/spamassassin,
> >then did
> >
> >spamassassin -D -p /opt/MailScanner/etc/spam.assassin.prefs.conf --lint
> >
> >and saw:
> >
> >debug: using "/opt/perl5/share/spamassassin" for default rules dir
> >debug: using "/etc/opt/mail/spamassassin" for site rules dir
> >debug: using "/home/admin/jaearick/.spamassassin" for user state dir
> >debug: using "/opt/MailScanner/etc/spam.assassin.prefs.conf" for user
> >prefs file
> >
> >with *no* reference to bigevil.cf anywhere in the output.
> >
> >Hmmm... I looked in /etc/opt/mail/spamassassin and found another
> >local.cf file.
So I blew away this directory and made a symlink for
> >this dir pointing to /etc/mail/spamassassin. This directory contains
> >a symlink for local.cf, which points to
> >/opt/MailScanner/etc/spam.assassin.prefs.conf
> >
> >Tried the lint run again, still no reference to bigevil.cf in the output.
> >Should I see one? What have I snarled up here? How to see if bigevil
> >is getting used (no references to BigEvilList in the SA syslogging
> >either). Help.
>
> Never forget that Unix filesystems log the time each file was last accessed.
> So if you wait a couple of minutes, run your lint command, and then do
> ls -lu /etc/mail/spamassassin
> then it will print the "last used" time instead of the last modification
> time. If the datestamp is now and not a couple of minutes ago, then the
> file has been read by something.
>
> Very simple technique, but occasionally extremely useful.
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

From dbird at SGHMS.AC.UK Sat Dec 20 15:12:31 2003
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:21:37 2006
Subject: bigevil usage... confused
In-Reply-To:
References: <6.0.1.1.2.20031220115702.02863cb8@imap.ecs.soton.ac.uk>
Message-ID: <3FE466DF.3080608@sghms.ac.uk>

Jeff A. Earickson wrote:

>Julian,
>   "ls -lu" shows that /etc/mail/spamassassin/bigevil.cf (perms = 644)
>isn't being used, even though the local.cf symlink in /etc/mail/spamassassin
>(pointing to /opt/MailScanner/etc/spam.assassin.prefs.conf) is. The
>times differ substantially. But if I run the lint command (below),
>then both local.cf and bigevil.cf have their times updated, even though
>the lint output makes no explicit mention of bigevil.cf. Still no
>references to bigevil in the syslog for SA. Running SA 2.61; now I'm
>very confused.
Maybe I missed some incantation when I built/installed 2.61.
>Or maybe I have to refer to bigevil.cf somehow in spam.assassin.prefs.conf.
>Any more ideas?
>
>
>
SA will read any .cf file in the following locations (as per man
Mail::SpamAssassin::Conf)

/etc/mail/spamassassin
/usr/share/spamassassin

The latter being where the default cf files live.

The default config file read from invoking SA from the command line is
local.cf (in /etc/mail/spamassassin). For our install, this is linked to
/etc/MailScanner/spam.assassin.prefs.conf, so when sa is run from the
command line the MS prefs file is used.

Now, the easiest way I've found to check if additional rules are working
is to do :

spamassassin -D -t < sample-mail-known-to-match-rule

then check the output for the rule name.

Here's the output some debug, from a server which I **know** is using
evilrules:

debug: using "/usr/share/spamassassin" for default rules dir
debug: using "/etc/mail/spamassassin" for site rules dir
debug: using "/root/.spamassassin" for user state dir
debug: using "/etc/MailScanner/spam.assassin.prefs.conf" for user prefs file
debug: using "/root/.spamassassin" for user state dir

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.0 BigEvilList_6          URI: Generated BigEvilList_6

As you can see, also no mention of bigevil, rather just the directories
that will be looked in for SA rules, but the sample mail matched on a big
evil rule

Also, just because I haven't seen it mentioned, don't forget you may need
to restart MailScanner.

Hope this may help.

Dan

>Jeff
>
>On Sat, 20 Dec 2003, Julian Field wrote:
>
>
>
>>Date: Sat, 20 Dec 2003 11:59:22 +0000
>>From: Julian Field
>>Reply-To: MailScanner mailing list
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: Re: bigevil usage... confused
>>
>>At 03:09 20/12/2003, you wrote:
>>
>>
>>>Gang,
>>>   I've been following the "bigevil.cf" thread...
I
>>>downloaded it and put it into /etc/mail/spamassassin,
>>>then did
>>>
>>>spamassassin -D -p /opt/MailScanner/etc/spam.assassin.prefs.conf --lint
>>>
>>>and saw:
>>>
>>>debug: using "/opt/perl5/share/spamassassin" for default rules dir
>>>debug: using "/etc/opt/mail/spamassassin" for site rules dir
>>>debug: using "/home/admin/jaearick/.spamassassin" for user state dir
>>>debug: using "/opt/MailScanner/etc/spam.assassin.prefs.conf" for user
>>>prefs file
>>>
>>>with *no* reference to bigevil.cf anywhere in the output.
>>>
>>>Hmmm... I looked in /etc/opt/mail/spamassassin and found another
>>>local.cf file. So I blew away this directory and made a symlink for
>>>this dir pointing to /etc/mail/spamassassin. This directory contains
>>>a symlink for local.cf, which points to
>>>/opt/MailScanner/etc/spam.assassin.prefs.conf
>>>
>>>Tried the lint run again, still no reference to bigevil.cf in the output.
>>>Should I see one? What have I snarled up here? How to see if bigevil
>>>is getting used (no references to BigEvilList in the SA syslogging
>>>either). Help.
>>>
>>>
>>Never forget that Unix filesystems log the time each file was last accessed.
>>So if you wait a couple of minutes, run your lint command, and then do
>>ls -lu /etc/mail/spamassassin
>>then it will print the "last used" time instead of the last modification
>>time. If the datestamp is now and not a couple of minutes ago, then the
>>file has been read by something.
>>
>>Very simple technique, but occasionally extremely useful.
>>--
>>Julian Field
>>www.MailScanner.info
>>Professional Support Services at www.MailScanner.biz
>>MailScanner thanks transtec Computers for their support
>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>>
>>
>
>
>
This message has been scanned for viruses and dangerous content by
MailScanner at danbird.net and is believed to be clean.
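
Added example (not part of the thread): a Python version of the access-time check quoted above that still works on current Linux mounts. With the relatime mount option a read only updates atime when the stored atime is not later than mtime or ctime (or is more than a day old), and with noatime it never does, so the script first pushes each rule file's atime back before its mtime and then reports which files a command actually read. The function names and the one-second offset are this example's own; resetting timestamps needs ownership of the files or root.

```python
import os
import subprocess
import sys
import tempfile

ONE_SECOND_NS = 1_000_000_000  # assumed offset; any value that puts atime before mtime works


def _arm_one(path):
    """Set atime to one second before mtime; return the atime the filesystem stored."""
    st = os.stat(path)
    os.utime(path, ns=(st.st_mtime_ns - ONE_SECOND_NS, st.st_mtime_ns))
    return os.stat(path).st_atime_ns


def arm(directory, suffix=".cf"):
    """Arm every rule file in the directory; return {path: armed atime in ns}."""
    armed = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        # isfile() follows symlinks, so a local.cf symlink is armed via its target.
        if name.endswith(suffix) and os.path.isfile(path):
            armed[path] = _arm_one(path)
    return armed


def files_read(armed):
    """Return the armed files whose atime has moved forward since arm()."""
    return sorted(p for p, before in armed.items() if os.stat(p).st_atime_ns > before)


def atime_is_recorded(directory):
    """Probe whether a read updates atime here (False on noatime mounts)."""
    fd, probe = tempfile.mkstemp(dir=directory, suffix=".probe")
    try:
        os.write(fd, b"probe\n")
        os.close(fd)
        before = _arm_one(probe)
        with open(probe, "rb") as handle:
            handle.read()
        return os.stat(probe).st_atime_ns > before
    finally:
        os.unlink(probe)


if __name__ == "__main__":
    # Usage: python3 atime_check.py /etc/mail/spamassassin spamassassin --lint
    directory, command = sys.argv[1], sys.argv[2:]
    if not atime_is_recorded(directory):
        sys.exit("atime is not updated on this filesystem (noatime?); check cannot work")
    armed = arm(directory)
    subprocess.run(command, check=False)
    touched = set(files_read(armed))
    for path in armed:
        print(("READ      " if path in touched else "NOT READ  ") + path)
```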
From bnixon at NIXTECH.NET Sat Dec 20 15:26:09 2003
From: bnixon at NIXTECH.NET (bnixon)
Date: Thu Jan 12 21:21:37 2006
Subject: bigevil usage... confused
In-Reply-To: <000501c3c6b1$4bd61c20$3e00a8c0@nixtech.net>
Message-ID: <003b01c3c70d$97e7f7d0$3e00a8c0@nixtech.net>

I have several .cf files in /etc/mail/spamassassin (my default site
location) all of which work. A good test would be to put a typo in the
bigevil.cf file and run spamassassin --lint -D and watch for errors.

It looks to me that the lint command you are running is forcing
spamassassin to use the mailscanner prefs file as its only rule file.
Spamassassin will read any .cf file in the site location by default but
your debug command is not letting it look there

- bn

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
Behalf Of bnixon
Sent: Friday, December 19, 2003 8:25 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: bigevil usage... confused

Put it in /etc/mail/spamassassin/

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
Behalf Of Jeff A. Earickson
Sent: Friday, December 19, 2003 7:09 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: bigevil usage... confused

Gang,
   I've been following the "bigevil.cf" thread... I
downloaded it and put it into /etc/mail/spamassassin,
then did

spamassassin -D -p /opt/MailScanner/etc/spam.assassin.prefs.conf --lint

and saw:

debug: using "/opt/perl5/share/spamassassin" for default rules dir
debug: using "/etc/opt/mail/spamassassin" for site rules dir
debug: using "/home/admin/jaearick/.spamassassin" for user state dir
debug: using "/opt/MailScanner/etc/spam.assassin.prefs.conf" for user prefs file

with *no* reference to bigevil.cf anywhere in the output.

Hmmm... I looked in /etc/opt/mail/spamassassin and found another
local.cf file. So I blew away this directory and made a symlink for
this dir pointing to /etc/mail/spamassassin.
This directory contains a symlink for local.cf, which points to
/opt/MailScanner/etc/spam.assassin.prefs.conf

Tried the lint run again, still no reference to bigevil.cf in the output.
Should I see one? What have I snarled up here? How to see if bigevil
is getting used (no references to BigEvilList in the SA syslogging
either). Help.

Jeff Earickson
Colby College

--
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.
MailScanner thanks transtec Computers for their support.

--
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.
MailScanner thanks transtec Computers for their support.

--
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.
MailScanner thanks transtec Computers for their support.

From brose at MED.WAYNE.EDU Sat Dec 20 15:32:10 2003
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:21:37 2006
Subject: bigevil usage... Confused - Solution
Message-ID:

Search the list. I posted a fix to MailScanner to get it to read all
SA cf files in the site-wide folders. The problem is that SA is
configured to call a specific cf file and so that is all it calls. The
fix is to modify the SA.pm and add the site_rules_filename option
so that when MailScanner creates the new SA object it will use both the
cf file specified in the Mailscanner.conf and the SA site-wide dir.

I posted the change in the hopes that Julian would add it to the next
release but I don't think he or anyone else realized what I was talking
about when I posted the initial problem. I'd provide a diff but I
already got rid of the original. But here's the line I added to my
SA.pm.

Before
$settings{dont_copy_prefs} = 1; # Removes need for home directory
$prefs = MailScanner::Config::Value('spamassassinprefsfile');
After
$settings{dont_copy_prefs} = 1; # Removes need for home directory
$settings{site_rules_filename} = "/etc/mail/spamassassin";
$prefs = MailScanner::Config::Value('spamassassinprefsfile');

-=Bobby

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
Behalf Of bnixon
Sent: Saturday, December 20, 2003 10:26 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: bigevil usage... confused

I have several .cf files in /etc/mail/spamassassin (my default site
location) all of which work. A good test would be to put a typo in the
bigevil.cf file and run spamassassin --lint -D and watch for errors.

It looks to me that the lint command you are running is forcing
spamassassin to use the mailscanner prefs file as its only rule file.
Spamassassin will read any .cf file in the site location by default but
your debug command is not letting it look there -

bn

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
Behalf Of bnixon
Sent: Friday, December 19, 2003 8:25 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: bigevil usage... confused

Put it in /etc/mail/spamassassin/

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
Behalf Of Jeff A. Earickson
Sent: Friday, December 19, 2003 7:09 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: bigevil usage... confused

Gang,
I've been following the "bigevil.cf" thread...
I downloaded it and put it into /etc/mail/spamassassin, then did

spamassassin -D -p /opt/MailScanner/etc/spam.assassin.prefs.conf --lint

and saw:

debug: using "/opt/perl5/share/spamassassin" for default rules dir
debug: using "/etc/opt/mail/spamassassin" for site rules dir
debug: using "/home/admin/jaearick/.spamassassin" for user state dir
debug: using "/opt/MailScanner/etc/spam.assassin.prefs.conf" for user prefs file

with *no* reference to bigevil.cf anywhere in the output.

Hmmm... I looked in /etc/opt/mail/spamassassin and found another
local.cf file. So I blew away this directory and made a symlink for
this dir pointing to /etc/mail/spamassassin. This directory contains a
symlink for local.cf, which points to
/opt/MailScanner/etc/spam.assassin.prefs.conf

Tried the lint run again, still no reference to bigevil.cf in the output.
Should I see one? What have I snarled up here? How to see if bigevil
is getting used (no references to BigEvilList in the SA syslogging
either). Help.

Jeff Earickson
Colby College

--
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.
MailScanner thanks transtec Computers for their support.

--
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.
MailScanner thanks transtec Computers for their support.

--
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.
MailScanner thanks transtec Computers for their support.

From baldguy33165 at YAHOO.COM Sun Dec 21 01:03:22 2003
From: baldguy33165 at YAHOO.COM (Juan C. Quesada)
Date: Thu Jan 12 21:21:37 2006
Subject: unsubscribe
Message-ID: <20031221010322.98604.qmail@web20813.mail.yahoo.com>

__________________________________
Do you Yahoo!?
Protect your identity with Yahoo!
Mail AddressGuard
http://antispam.yahoo.com/whatsnewfree

From mailing-oit at TTTECH.COM Sun Dec 21 02:11:20 2003
From: mailing-oit at TTTECH.COM (Christoph Resch)
Date: Thu Jan 12 21:21:37 2006
Subject: No subject
Message-ID:

hi ng.

have problem:)

Mailscanner runs functional with exim4 on debian ..
viruses are handled properly .. all is fine ..

then i like to run spamassassin with it .. kind of pain in my *ss ...

i have strange behavior testing with this testmail:

<<<<
To: my@hereiam.biz
From: G.B.
Subject: Test spam mail (GTUBE)

*** think here the GTUBE-test string ( would bounce if i do ,-) i guess) *****
>>>>

running it with spamassassin < GTUBE.txt.. i get an overwhelming positive:

<<<<<<
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.61 (1.212.2.1-2003-12-09-exp) on luna.mojo.cc
X-Spam-Level: **************************************************
X-Spam-Status: Yes, hits=1001.0 required=5.0 tests=DATE_MISSING,GTUBE autolearn=no version=2.61
>>>>>>

parsing this via SMTP says only:

<<<<<<<
X-MOJO.cc-MailScanner: Found to be clean
X-MOJO.cc-MailScanner-SpamCheck: not spam, SpamAssassin (score=0, required 5)
>>>>>>>

delivered - not recognising my bad spam .. aarg ! ..
i simply have no proove that mailscanner pushes SA to work !

) debug is set for MS and SA-within-MS
) use of SA is enables (all that stuff)
) spamd is not running
) razor , pyzor , dcc* + the pod2*-stuff is installed
) the spamassassin Perl-mods are latest CPAN versions ..

i turned on some STDERRs in Mailscanner.pm and the Batches-module
and i see this in syslog the same as in mail.log:

<<<
Dec 21 02:36:47 localhost MailScanner[27667]: New Batch: Scanning 1 messages, 668 bytes
Dec 21 02:36:47 localhost MailScanner[27667]: Spam Checks: Starting
Dec 21 02:36:51 localhost MailScanner[27667]: Virus and Content Scanning: Starting
Dec 21 02:36:51 localhost MailScanner[27667]: Uninfected: Delivered 1 messages
>>>

so what the ~ ?

does someone paleez has an idea what exactly this could be ??

muchas gracias for reply

lg
-c-

From jaearick at COLBY.EDU Sun Dec 21 02:29:43 2003
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:21:38 2006
Subject: bigevil usage... Confused - Solution
In-Reply-To:
References:
Message-ID:

Julian,

A huge tip 'o the hat to Bobby Rose for the fix below, which solved
most of my issues with bigevil.cf not working. Once I added his
fix (and rebuilt SA), I started getting bigevil tags in my SA
mailscanner syslogging. Yea! Mr. Rose's fix should be added to
the next version of MailScanner, maybe with a MailScanner.conf
variable, instead of a hardwired path.

WARNING ABOUT SPAMASSASSIN!!! I wondered why the lint output from
my SA used /etc/opt/mail/spamassassin for the site_rules, instead of
/etc/mail/spamassassin. Examination of the Makefile.PL for SA 2.61
reveals that if you install perl in /usr/local, then you get /etc
for SYSCONFDIR (so local.cf goes into /etc/mail/spamassassin).
BUT IF you install perl into /opt (as I do), then SYSCONFDIR gets
defined as /etc/opt (so local.cf goes into /etc/opt/mail/spamassassin).
This change apparently appeared between SA 2.5x and 2.6x.
See lines 560-566 of Makefile.PL. For MS, your SA build step should be:

perl Makefile.PL SYSCONFDIR=/etc

BEWARE, BEWARE! So the location of the spamassassin rules dir
should be defined in MailScanner.conf.

Jeff Earickson
Colby College

On Sat, 20 Dec 2003, Rose, Bobby wrote:

> Date: Sat, 20 Dec 2003 10:32:10 -0500
> From: "Rose, Bobby"
> Reply-To: MailScanner mailing list
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: bigevil usage... Confused - Solution
>
> Search the list. I posted a fix to MailScanner to get it to read all
> SA cf files in the site-wide folders. The problem is that SA is
> configured to call a specific cf file and so that is all it calls.
The
> fix is to modify the SA.pm and add the site_rules_filename option
> so that when MailScanner creates the new SA object it will use both the
> cf file specified in the Mailscanner.conf and the SA site-wide dir.
>
> I posted the change in the hopes that Julian would add it to the next
> release but I don't think he or anyone else realized what I was talking
> about when I posted the initial problem. I'd provide a diff but I
> already got rid of the original. But here's the line I added to my
> SA.pm.
>
> Before
> $settings{dont_copy_prefs} = 1; # Removes need for home directory
> $prefs = MailScanner::Config::Value('spamassassinprefsfile');
> After
> $settings{dont_copy_prefs} = 1; # Removes need for home directory
> $settings{site_rules_filename} = "/etc/mail/spamassassin";
> $prefs = MailScanner::Config::Value('spamassassinprefsfile');
>
> -=Bobby
>
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of bnixon
> Sent: Saturday, December 20, 2003 10:26 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: bigevil usage... confused
>
> I have several .cf files in /etc/mail/spamassassin (my default site
> location) all of which work. A good test would be to put a typo in the
> bigevil.cf file and run spamassassin --lint -D and watch for errors.
>
> It looks to me that the lint command you are running is forcing
> spamassassin to use the mailscanner prefs file as its only rule file.
> Spamassassin will read any .cf file in the site location by default but
> your debug command is not letting it look there -
>
> bn
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of bnixon
> Sent: Friday, December 19, 2003 8:25 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: bigevil usage...
confused
>
> Put it in /etc/mail/spamassassin/
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Jeff A. Earickson
> Sent: Friday, December 19, 2003 7:09 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: bigevil usage... confused
>
> Gang,
> I've been following the "bigevil.cf" thread... I downloaded it and
> put it into /etc/mail/spamassassin, then did
>
> spamassassin -D -p /opt/MailScanner/etc/spam.assassin.prefs.conf --lint
>
> and saw:
>
> debug: using "/opt/perl5/share/spamassassin" for default rules dir
> debug: using "/etc/opt/mail/spamassassin" for site rules dir
> debug: using "/home/admin/jaearick/.spamassassin" for user state dir
> debug: using "/opt/MailScanner/etc/spam.assassin.prefs.conf" for user
> prefs file
>
> with *no* reference to bigevil.cf anywhere in the output.
>
> Hmmm... I looked in /etc/opt/mail/spamassassin and found another
> local.cf file. So I blew away this directory and made a symlink for
> this dir pointing to /etc/mail/spamassassin. This directory contains a
> symlink for local.cf, which points to
> /opt/MailScanner/etc/spam.assassin.prefs.conf
>
> Tried the lint run again, still no reference to bigevil.cf in the
> output.
> Should I see one? What have I snarled up here? How to see if bigevil
> is getting used (no references to BigEvilList in the SA syslogging
> either). Help.
>
> Jeff Earickson
> Colby College
>
> --
> This message has been scanned for viruses and dangerous content by
> MailScanner, and is believed to be clean.
> MailScanner thanks transtec Computers for their support.
>
>
> --
> This message has been scanned for viruses and dangerous content by
> MailScanner, and is believed to be clean.
> MailScanner thanks transtec Computers for their support.
>
>
> --
> This message has been scanned for viruses and dangerous content by
> MailScanner, and is believed to be clean.
> MailScanner thanks transtec Computers for their support.
>

From mailscanner at ecs.soton.ac.uk Sun Dec 21 12:14:43 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:38 2006
Subject: bigevil usage... Confused - Solution
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20031221121411.028b04b8@imap.ecs.soton.ac.uk>

At 02:29 21/12/2003, you wrote:
>Julian,
>
>A huge tip 'o the hat to Bobby Rose for the fix below, which solved
>most of my issues with bigevil.cf not working. Once I added his
>fix (and rebuilt SA), I started getting bigevil tags in my SA
>mailscanner syslogging. Yea! Mr. Rose's fix should be added to
>the next version of MailScanner, maybe with a MailScanner.conf
>variable, instead of a hardwired path.

Done.
"SpamAssassin Site Rules Dir".

>WARNING ABOUT SPAMASSASSIN!!! I wondered why the lint output from
>my SA used /etc/opt/mail/spamassassin for the site_rules, instead of
>/etc/mail/spamassassin. Examination of the Makefile.PL for SA 2.61
>reveals that if you install perl in /usr/local, then you get /etc
>for SYSCONFDIR (so local.cf goes into /etc/mail/spamassassin).
>BUT IF you install perl into /opt (as I do), then SYSCONFDIR gets
>defined as /etc/opt (so local.cf goes into /etc/opt/mail/spamassassin).
>This change apparently appeared between SA 2.5x and 2.6x.
>See lines 560-566 of Makefile.PL. For MS, your SA build step should be:
>
>perl Makefile.PL SYSCONFDIR=/etc
>
>BEWARE, BEWARE! So the location of the spamassassin rules dir
>should be defined in MailScanner.conf.
>
>Jeff Earickson
>Colby College
>
>On Sat, 20 Dec 2003, Rose, Bobby wrote:
>
> > Date: Sat, 20 Dec 2003 10:32:10 -0500
> > From: "Rose, Bobby"
> > Reply-To: MailScanner mailing list
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: bigevil usage... Confused - Solution
> >
> > Search the list. I posted a fix to MailScanner to get it to read all
> > SA cf files in the site-wide folders. The problem is that SA is
> > configured to call a specific cf file and so that is all it calls.
The
> > fix is to modify the SA.pm and add the site_rules_filename option
> > so that when MailScanner creates the new SA object it will use both the
> > cf file specified in the Mailscanner.conf and the SA site-wide dir.
> >
> > I posted the change in the hopes that Julian would add it to the next
> > release but I don't think he or anyone else realized what I was talking
> > about when I posted the initial problem. I'd provide a diff but I
> > already got rid of the original. But here's the line I added to my
> > SA.pm.
> >
> > Before
> > $settings{dont_copy_prefs} = 1; # Removes need for home directory
> > $prefs = MailScanner::Config::Value('spamassassinprefsfile');
> > After
> > $settings{dont_copy_prefs} = 1; # Removes need for home directory
> > $settings{site_rules_filename} = "/etc/mail/spamassassin";
> > $prefs = MailScanner::Config::Value('spamassassinprefsfile');
> >
> > -=Bobby
> >
> >
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> > Behalf Of bnixon
> > Sent: Saturday, December 20, 2003 10:26 AM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: bigevil usage... confused
> >
> > I have several .cf files in /etc/mail/spamassassin (my default site
> > location) all of which work. A good test would be to put a typo in the
> > bigevil.cf file and run spamassassin --lint -D and watch for errors.
> >
> > It looks to me that the lint command you are running is forcing
> > spamassassin to use the mailscanner prefs file as its only rule file.
> > Spamassassin will read any .cf file in the site location by default but
> > your debug command is not letting it look there -
> >
> > bn
> >
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> > Behalf Of bnixon
> > Sent: Friday, December 19, 2003 8:25 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: bigevil usage...
confused
> >
> > Put it in /etc/mail/spamassassin/
> >
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> > Behalf Of Jeff A. Earickson
> > Sent: Friday, December 19, 2003 7:09 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: bigevil usage... confused
> >
> > Gang,
> > I've been following the "bigevil.cf" thread... I downloaded it and
> > put it into /etc/mail/spamassassin, then did
> >
> > spamassassin -D -p /opt/MailScanner/etc/spam.assassin.prefs.conf --lint
> >
> > and saw:
> >
> > debug: using "/opt/perl5/share/spamassassin" for default rules dir
> > debug: using "/etc/opt/mail/spamassassin" for site rules dir
> > debug: using "/home/admin/jaearick/.spamassassin" for user state dir
> > debug: using "/opt/MailScanner/etc/spam.assassin.prefs.conf" for user
> > prefs file
> >
> > with *no* reference to bigevil.cf anywhere in the output.
> >
> > Hmmm... I looked in /etc/opt/mail/spamassassin and found another
> > local.cf file. So I blew away this directory and made a symlink for
> > this dir pointing to /etc/mail/spamassassin. This directory contains a
> > symlink for local.cf, which points to
> > /opt/MailScanner/etc/spam.assassin.prefs.conf
> >
> > Tried the lint run again, still no reference to bigevil.cf in the
> > output.
> > Should I see one? What have I snarled up here? How to see if bigevil
> > is getting used (no references to BigEvilList in the SA syslogging
> > either). Help.
> >
> > Jeff Earickson
> > Colby College
> >
> > --
> > This message has been scanned for viruses and dangerous content by
> > MailScanner, and is believed to be clean.
> > MailScanner thanks transtec Computers for their support.
> >
> >
> > --
> > This message has been scanned for viruses and dangerous content by
> > MailScanner, and is believed to be clean.
> > MailScanner thanks transtec Computers for their support.
> >
> >
> > --
> > This message has been scanned for viruses and dangerous content by
> > MailScanner, and is believed to be clean.
> > MailScanner thanks transtec Computers for their support.
> >

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailing-oit at tttech.com Sun Dec 21 02:08:23 2003
From: mailing-oit at tttech.com (Christoph Resch)
Date: Thu Jan 12 21:21:38 2006
Subject: ~ Mailscanner wont run spamassassin ? ~
In-Reply-To:
References:
Message-ID: <200312210300.55551.mailing-oit@tttech.com>

hi ng.

have problem:)

Mailscanner runs functional with exim4 on debian ..
viruses are handled properly .. all is fine ..

then i like to run spamassassin with it .. kind of pain in my *ss ...

i have strange behavior testing with this testmail:

<<<<
To: my@hereiam.biz
From: G.B.
Subject: Test spam mail (GTUBE)

*** think here the GTUBE-test string ( would bounce if i do ,-) i guess) *****
>>>>

running it with spamassassin < GTUBE.txt.. i get an overwhelming positive:

<<<<<<
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.61 (1.212.2.1-2003-12-09-exp) on luna.mojo.cc
X-Spam-Level: **************************************************
X-Spam-Status: Yes, hits=1001.0 required=5.0 tests=DATE_MISSING,GTUBE autolearn=no version=2.61
>>>>>>

parsing this via SMTP says only:

<<<<<<<
X-MOJO.cc-MailScanner: Found to be clean
X-MOJO.cc-MailScanner-SpamCheck: not spam, SpamAssassin (score=0, required 5)
>>>>>>>

delivered - not recognising my bad spam .. aarg ! ..
i simply have no proove that mailscanner pushes SA to work !

.) debug is set for MS and SA-within-MS
.) use of SA is enables (all that stuff)
.) spamd is not running
.) razor , pyzor , dcc* + the pod2*-stuff is installed
.) the spamassassin Perl-mods are latest CPAN versions ...

i turned on some STDERRs in Mailscanner.pm and the Batches-module
and i see this in syslog the same as in mail.log:

<<<
Dec 21 02:36:47 localhost MailScanner[27667]: New Batch: Scanning 1 messages, 668 bytes
Dec 21 02:36:47 localhost MailScanner[27667]: Spam Checks: Starting
Dec 21 02:36:51 localhost MailScanner[27667]: Virus and Content Scanning: Starting
Dec 21 02:36:51 localhost MailScanner[27667]: Uninfected: Delivered 1 messages
>>>

so what the ~ ?

does someone paleez has an idea what exactly this could be ??

muchas gracias for reply

lg
-c-

From martyn at invictawiz.com Sun Dec 21 20:37:02 2003
From: martyn at invictawiz.com (InvictaWiz Customer Support)
Date: Thu Jan 12 21:21:38 2006
Subject: Whitelisting
Message-ID:

These are partial headers for my Daily BBC Email.

(envelope-from sm25967-errors+921758@bounce.lodo.exactis.com)
Received: from sender57.mail1.experian-ems.com
(sender57.mail1.experian-ems.com [64.210.92.57])
by bog59.mail1.experian-ems.com (8.8.8+mm6.6/8.8.8) with ESMTP id
hBL19i016551

I have these entries in my spam.whitelist.conf, but the emails still get
scored. Where am I going wrong?

From: exactis.com yes
From: .exactis.com yes
From: experian-ems.com yes
From: .experian-ems.com yes
From: bbc.co.uk yes
From: .bbc.co.uk yes

X-MailScanner-SpamCheck: spam, SpamAssassin (score=4.305, required 2,
        FVGT_u_HAS_2LETTERFLDR 0.10, HTML_80_90 3.00,
        HTML_FONTCOLOR_BLUE 0.10, HTML_FONTCOLOR_UNSAFE 0.10,
        HTML_MESSAGE 0.00, MIME_HTML_ONLY 1.00, RM_rb_ANCHOR 0.00,
        RM_rb_BREAK 0.00, RM_rb_FONT 0.00, RM_rb_HTML 0.00)

Martyn Routley
Confused of Ashford

From kevins at BMRB.CO.UK Sun Dec 21 20:50:21 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:21:38 2006
Subject: Whitelisting
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB00188BA25@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB00188BA25@pascal.priv.bmrb.co.uk>
Message-ID: <1072039821.7147.26.camel@bach.kevinspicer.co.uk>

On Sun, 2003-12-21 at 20:37, InvictaWiz Customer Support wrote:
>These are partial headers for my Daily BBC Email.
>(envelope-from sm25967-errors+921758@bounce.lodo.exactis.com)
>Received: from sender57.mail1.experian-ems.com
>(sender57.mail1.experian-ems.com [64.210.92.57])
>by bog59.mail1.experian-ems.com (8.8.8+mm6.6/8.8.8) with ESMTP id
>hBL19i016551
>I have these entries in my spam.whitelist.conf, but the emails still
>get scored. Where am I going
>wrong?

Try...
From: /exactis\.com$/ yes

From mailscanner at ecs.soton.ac.uk Sun Dec 21 21:22:32 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:38 2006
Subject: Rejection of Standard Ebay Auction Page
In-Reply-To: <003001c3c7c6$8f881ca0$1082daa0@cx361683a>
References: <003001c3c7c6$8f881ca0$1082daa0@cx361683a>
Message-ID: <6.0.1.1.2.20031221212206.028c46b8@imap.ecs.soton.ac.uk>

Please read
www.sng.ecs.soton.ac.uk/mailscanner/reject.html

At 13:30 21/12/2003, Bruce Birkett wrote:
>Your program has consistently rejected pages direct from ebay. When one
>wants to track an auction, one wants to be able to email these pages.
>
>Other email services such as Yahoo do not have YOUR PROBLEMS. It is
>UNPROVEN that YOUR PROGRAM is any more effective than any other; yet,
>YOURS has a much higher rejection rate - apparently an inability to more
>carefully analyze threats.
>
>Please correct and update your software.
>
>Regards,
>
>Bruce Birkett

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031221/c8b0b80d/attachment.html

From chris at fractalweb.com Sun Dec 21 21:45:04 2003
From: chris at fractalweb.com (Chris Yuzik)
Date: Thu Jan 12 21:21:38 2006
Subject: detailed documentation for customconfig?
Message-ID: <1072043104.26887.35.camel@venus.fractal>

Is there a HowTo or detailed documentation anywhere that gives examples
of how to make the best use of the CustomConfig.pm file?

I see that I can have per-domain whitelists and blacklists...which is
great. Can I have per-user whitelists as well?

I would like to give my users the ability to log on to the system and
make their own alterations to their whitelists, blacklists, and what
they want done with spam and high-scoring spam.

Is there any way for MailScanner to use mySQL for lists and rules? If
so, then I could write a back-end Perl app that could pull up their
current settings and let them make changes.

Thanks,
Chris

From michele at BLACKNIGHTSOLUTIONS.COM Sun Dec 21 21:54:41 2003
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:21:38 2006
Subject: OT: list configuration
Message-ID:

I just noticed that some people's messages to the list are defaulting to
their own address when I hit reply.
Has anybody else had this problem?

Mr.
Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9137101
Lowest price domains in Ireland

From michele at BLACKNIGHTSOLUTIONS.COM Sun Dec 21 22:06:22 2003
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:21:38 2006
Subject: OT: RC on this list????
Message-ID:

Oooh lovely.
I'm now getting those ****ing RC messages from some charmer who is
subscribed.
One of my personal hates - and NO I have no intention of replying to it or
acknowledging it

Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9137101
Lowest price domains in Ireland

From aalsup at USDLA.COM Sun Dec 21 22:15:39 2003
From: aalsup at USDLA.COM (Andy Alsup)
Date: Thu Jan 12 21:21:38 2006
Subject: Spam from (forged) whitelist domain
In-Reply-To: <6.0.1.1.2.20031220115352.027f7b28@imap.ecs.soton.ac.uk>
References: <3FE37D3B.3080108@usdla.com> <20031219225154.GB19962@rfa.org> <6.0.1.1.2.20031220115352.027f7b28@imap.ecs.soton.ac.uk>
Message-ID: <3FE61B8B.7070404@usdla.com>

I was not aware IP was an option. I'll try that.

Thanks!

Julian Field wrote:

> Exactly what I was about to suggest. You can use pretty much any of the
> standard/common ways of expressing IP ranges and network subnets.
>
> At 22:51 19/12/2003, you wrote:
>
>> Just a thought, and I'm not sure this is correct, but perhaps you can
>> whitelist your domain by IP instead of by name.
>>
>> -Eric Rz.
>>
>> On Fri, Dec 19, 2003 at 02:35:39PM -0800, Andy Alsup wrote:
>> > I see a nontrivial volume of Spam that gets through to users using
>> > forged headers with my domain as the from. These are typically to:
>> > user@mydomain from: user@mydomain
>> >
>> > My domain is whitelisted, so when a forged header comes along, I
>> get a
>> > spam score that would have dealt with the spam, but it is whitelisted,
>> > so delivered anyway.
>> >
>> > Is there a way to deal with this?
>> >
>> > Thanks.
>
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

From aalsup at USDLA.COM Sun Dec 21 22:47:49 2003
From: aalsup at USDLA.COM (Andy Alsup)
Date: Thu Jan 12 21:21:38 2006
Subject: Spam from (forged) whitelist domain
In-Reply-To: <6.0.1.1.2.20031220115352.027f7b28@imap.ecs.soton.ac.uk>
References: <3FE37D3B.3080108@usdla.com> <20031219225154.GB19962@rfa.org> <6.0.1.1.2.20031220115352.027f7b28@imap.ecs.soton.ac.uk>
Message-ID: <3FE62315.4020007@usdla.com>

Maybe I'm misunderstanding something, but I don't think IP based
whitelist will do what I need.

My users send mail from mostly the wild internet through various ISPs,
and only occasionally from the office DSL.

I would have to whitelist the sending client IP to whitelist in this way
right? which means I would have to whitelist the ranges of IPs they
connect from? This covers a huge range of IPs. ATT Dialup, Roadrunner
Cable, Bellsouth DSL etc.

Users are always authenticated to my server to send though. (I think, no
SMTP ISP proxies that I know of... AOL etc)

What I want to distinguish is spammers sending mail with a forged from
header, who are not authenticated to my server as real users, while
still protecting my own authenticated users from getting their mail
marked as possible spam.

Does the whitelist check look at the sending client IP, or the sending
server IP? (Assuming my users only send from my server, and only
authenticated users are allowed to send from there.)

Thanks.

Julian Field wrote:

> Exactly what I was about to suggest. You can use pretty much any of the
> standard/common ways of expressing IP ranges and network subnets.
>
> At 22:51 19/12/2003, you wrote:
>
>> Just a thought, and I'm not sure this is correct, but perhaps you can
>> whitelist your domain by IP instead of by name.
>>
>> -Eric Rz.
>>
>> On Fri, Dec 19, 2003 at 02:35:39PM -0800, Andy Alsup wrote:
>> > I see a nontrivial volume of Spam that gets through to users using
>> > forged headers with my domain as the from. These are typically to:
>> > user@mydomain from: user@mydomain
>> >
>> > My domain is whitelisted, so when a forged header comes along, I
>> get a
>> > spam score that would have dealt with the spam, but it is whitelisted,
>> > so delivered anyway.
>> >
>> > Is there a way to deal with this?
>> >
>> > Thanks.
>
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

From chris at fractalweb.com Mon Dec 22 01:27:29 2003
From: chris at fractalweb.com (Chris Yuzik)
Date: Thu Jan 12 21:21:38 2006
Subject: still getting timeouts
Message-ID: <1072056449.26887.60.camel@venus.fractal>

Hi everyone,

Some spam is still sneaking through because something is timing out. The
spam report says "not spam, SpamAssassin (timed out)".

In spam.assassin.prefs.conf, I have
rbl_timeout 10
razor_timeout 10
pyzor_timeout 10

In MailScanner.conf, I have
TNEF Timeout = 120
File Timeout = 20
Virus Scanner Timeout = 300
Spam List Timeout = 10
Max Spam List Timeouts = 7
SpamAssassin Timeout = 40
Max SpamAssassin Timeouts = 20

I suspect I should increase "SpamAssassin Timeout"? Or am I better to
adjust the timeout values in spam.assassin.conf?

This only happens occasionally and would be less than 1% of the time.
Still, I'm striving for perfection. Battling spam has become a bit of an
obsession, I'm afraid.

Cheers,
Chris

From pete at eatathome.com.au Mon Dec 22 01:56:02 2003
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:21:38 2006
Subject: OT: list configuration
In-Reply-To:
References:
Message-ID: <3FE64F32.6090303@eatathome.com.au>

Michele Neylon :: Blacknight Solutions wrote:

>I just noticed that some people's messages to the list are defaulting to
>their own address when I hit reply.
>Has anybody else had this problem?
>
>
>Mr. Michele Neylon
>Blacknight Internet Solutions Ltd
>http://www.blacknightsolutions.ie/
>http://www.search.ie/
>Tel. + 353 (0)59 9137101
>Lowest price domains in Ireland
>
>
>
>
>
Yer someone musta pressed a button on the list server - this is
configured by the list admin

From evertjan at VANRAMSELAAR.NL Mon Dec 22 06:34:26 2003
From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar)
Date: Thu Jan 12 21:21:38 2006
Subject: OT: list configuration
In-Reply-To:
References:
Message-ID: <2227.194.151.195.222.1072074866.squirrel@mail.vanramselaar.nl>

Michele Neylon :: Blacknight Solutions said:
> I just noticed that some people's messages to the list are defaulting to
> their own address when I hit reply.
> Has anybody else had this problem?

This usually happens when someone that sends a message to the list has set
a Reply-To address in his or her MUA. Please people, when you want replies
to be sent to your From address, do NOT set a Reply-To address! Setting a
Reply-To address is only needed when you want replies to be sent to
another address.

Apart from that, it might be possible for the list admin to configure the
list to overrule all Reply-Address settings. But again, many people
configuring a MUA set the Reply-To address to the same as the From
address. This is wrong! Just leave it empty if it is the same.

Merry TuXmass!

--
Evert Jan van Ramselaar
Van Ramselaar Info Tech
Internet Consultancy & Webdesign

Mail pgpkey@vanramselaar.nl to get my G/PGP Public Key.
Key fingerprint = 4F2A 56C4 F9C3 FA36 3ED8 DEC8 B50C D425 1202 DA95

From Mathias.Koerber at LIGHTSPEED.COM.SG Mon Dec 22 07:13:55 2003
From: Mathias.Koerber at LIGHTSPEED.COM.SG (Mathias Koerber)
Date: Thu Jan 12 21:21:38 2006
Subject: message disposition in admin reports
Message-ID: <57060000.1072077235@[172.25.1.99]>

I realized that the admin reports do not contain any indication of the
message disposition, only whether a virus was detected or not.

is there a way to have this status (whole mail/attachment
deleted/quarantined/passed/...) into the admin reports too?

thanks

Mathias Körber
Lightspeed Technologies
mathias@lightspeed.com.sg

From P.G.M.Peters at utwente.nl Mon Dec 22 08:15:11 2003
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:21:38 2006
Subject: Bayes Poisoning? Spam with negative BAYES Scores - ahhhh
In-Reply-To: <3FE43D97.9040402@eatathome.com.au>
References: <3FE43D97.9040402@eatathome.com.au>
Message-ID:

On Sat, 20 Dec 2003 23:16:23 +1100, you wrote:

>>>I am starting to find that as the bayes DB is getting larger that more
>>>spam is starting to get through. I have only installed 6 weeks ago and
>>>in the last 2 weeks i have a steady increase in spam not being trapped -
>>>is there bayes maintenance i need to do? maybe it's something completely
>>>unrelated, but it seemed logical to me.
>>
>>I save undetected spam and feed that into sa-learn. I am working on
>>filters that do the same with spam that is detected but has a negative
>>bayes score.
>
>Hi and thanks - i currently don't have the option for creating
>spam/notspam mail accounts

I don't have those accounts either. I just filter in my mailclient and
save the undetected spammessages in mbox format. Once a day I copy that
file to my mailservers and run sa-learn on all of them.
--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From mailscanner at ecs.soton.ac.uk Mon Dec 22 09:07:32 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:38 2006
Subject: detailed documentation for customconfig?
In-Reply-To: <1072043104.26887.35.camel@venus.fractal>
References: <1072043104.26887.35.camel@venus.fractal>
Message-ID: <6.0.1.1.2.20031222090453.03940838@imap.ecs.soton.ac.uk>

At 21:45 21/12/2003, you wrote:
>Is there a HowTo or detailed documentation anywhere that gives examples
>of how to make the best use of the CustomConfig.pm file?

It's all in the CustomConfig.pm file, I'm afraid. It needs documenting
properly, but the commented example at the top of the file should get you
started.

>I see that I can have per-domain whitelists and blacklists...which is
>great. Can I have per-user whitelists as well?

Yes, just name the directory after the full email address (in lower case)
instead of just the domain name.

>I would like to give my users the ability to log on to the system and
>make their own alterations to their whitelists, blacklists, and what
>they want done with spam and high-scoring spam.
>
>Is there any way for MailScanner to use mySQL for lists and rules? If
>so, then I could write a back-end Perl app that could pull up their
>current settings and let them make changes.

I believe at least one of the sets of functions in CustomConfig.pm
already does this.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Dec 22 09:10:53 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:38 2006
Subject: Spam from (forged) whitelist domain
In-Reply-To: <3FE62315.4020007@usdla.com>
References: <3FE37D3B.3080108@usdla.com> <20031219225154.GB19962@rfa.org>
 <6.0.1.1.2.20031220115352.027f7b28@imap.ecs.soton.ac.uk>
 <3FE62315.4020007@usdla.com>
Message-ID: <6.0.1.1.2.20031222091013.039c4420@imap.ecs.soton.ac.uk>

At 22:47 21/12/2003, you wrote:
>Does the whitelist check look at the sending client IP, or the sending
>server IP? (Assuming that my users only send from my server, and only
>authenticated users are allowed to send from there.)

It looks at the IP address at the other end of the SMTP connection to the
MailScanner server.

>Thanks.
>
>
>Julian Field wrote:
>
>>Exactly what I was about to suggest. You can use pretty much any of the
>>standard/common ways of expressing IP ranges and network subnets.
>>
>>At 22:51 19/12/2003, you wrote:
>>
>>>Just a thought, and I'm not sure this is correct, but perhaps you can
>>>whitelist your domain by IP instead of by name.
>>>
>>>-Eric Rz.
>>>
>>>On Fri, Dec 19, 2003 at 02:35:39PM -0800, Andy Alsup wrote:
>>> > I see a nontrivial volume of Spam that gets through to users using
>>> > forged headers with my domain as the from. These are typically to:
>>> > user@mydomain from: user@mydomain
>>> >
>>> > My domain is whitelisted, so when a forged header comes along, I
>>>get a
>>> > spam score that would have dealt with the spam, but it is whitelisted,
>>> > so delivered anyway.
>>> >
>>> > Is there a way to deal with this?
>>> >
>>> > Thanks.
>>
>>
>>--
>>Julian Field
>>www.MailScanner.info
>>Professional Support Services at www.MailScanner.biz
>>MailScanner thanks transtec Computers for their support
>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Dec 22 09:58:15 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:38 2006
Subject: MailScanner/Postfix message duplication - possible fix 2
In-Reply-To: <3FE35242.9000607@themarshalls.co.uk>
References: <229A346E44379140A59A48951B56E0C0D405D6@ARLABML01.DS.ARL.ARMY.MIL>
 <1071773318.8590.11.camel@localhost.localdomain>
 <3FE35242.9000607@themarshalls.co.uk>
Message-ID: <6.0.1.1.2.20031222095531.041d8150@imap.ecs.soton.ac.uk>

I came up with another idea. As you know, I can't reproduce the problem on
my systems, so you will just have to try this and see what happens.

The attached patch is for Postfix.pm

cd /usr/lib/MailScanner/MailScanner
patch -p0 < /tmp/Postfix.pm.patch

Please let me know how you get on with it.

At 19:32 19/12/2003, you wrote:
>Well it's now in place and working so we'll have to wait and see. I'll let
>you know what happens. Hopefully this could just be the Postfix solution ;-)
>
>Drew
>
>Lindsay Snider wrote:
>>
>>On Thu, 2003-12-18 at 13:21, Kash, Howard (Civ,ARL/CISD) wrote:
>>
>>>
>>>I'm beginning to think you are correct. My patch doesn't seem to help.
>>>Here is one method suggested by Peter Bates for putting messages in
>>>the hold queue:
>>>
>>>
>>>
>>>>
>>>>I'm using MS with Postfix in a slightly 'non-standard' way, but which
>>>>is working fine for 13-15K messages we deal with (actually it might be
>>>>more, I never bothered counting our outgoing email!)...
>>>>
>>>>I'm using a 'header_check' like so:
>>>>
>>>>In main.cf -
>>>>header_checks = pcre:/etc/postfix/header_checks
>>>>
>>>>In header_checks -
>>>>
>>>>/^Received:.*by .*\.lshtm.ac.uk \(Postfix\)/ HOLD
>>>>
>>>>This puts the incoming mail in the 'hold' queue, and then
>>>>I have in MailScanner.conf -
>>>>
>>>>Incoming Queue Dir = /var/spool/postfix/hold
>>>>Outgoing Queue Dir = /var/spool/postfix/incoming
>>>>
>>>
>>>
>>>I think I'll give this a try.
>>>
>>
>>
>>We have been using the hold method here since Julian added postfix
>>support. Our site is rather large and we use it across a couple of
>>versions of postfix 2.x. So far, it has worked great.
>>
>>
>>>
>>>
>>>Howard
>>>
>>>
>>>-----Original Message-----
>>>From: Drew Marshall
>>>[mailto:drew@THEMARSHALLS.CO.UK]
>>>Sent: Tuesday, December 16, 2003 5:54 PM
>>>To: MAILSCANNER@JISCMAIL.AC.UK
>>>Subject: Re: MailScanner/Postfix message duplication - possible fix
>>>
>>>
>>>I wonder if this is only part of the story. Not being a programmer (Or
>>>even someone who 'tinkers with code'!) please forgive me if I am being
>>>stupid or just plain don't understand :-)
>>>
>>>The queue manager runs the queues when it's either called by receipt of
>>>a 1byte message from another part of Postfix or when its inactivity
>>>timer times out (As set in the master.cf file). I had a play with this
>>>to start with and when I set the idle timer to 28 days I still got
>>>duplicates and the 'skipped' log entry from when MailScanner happened to
>>>be picking up a queued file and the queue runner had been called by
>>>smtpd because it had just received a message. In some instances (One
>>>larger message of 9Mb) this meant on my slow system that I didn't just
>>>get duplicates but I got the damn thing 5 times, in various states of
>>>delivery as it spooled into the deferred queue.
>>>
>>>Now my gamble is that moving your times to 40 seconds or even more will
>>>probably not cure the problem as if your system is fairly busy the queue
>>>runner will be almost continuously running through the deferred queue as
>>>it collects mail and checks for messages that are due for attempted
>>>redelivery (I guess this happens on every visit to the queue to ensure
>>>that ageing messages are not left in deferred for too long). It's that
>>>check that could be the problem. If MS is just about to collect the
>>>message when the queue runner inspects the message for age (Not worth
>>>locking for? Don't know?) then the two paps collide and cause the
>>>situation as seen. It won't matter how long you tell MS to leave the
>>>message there for, the queue runner could still bump into the
>>>collection. On my much quieter system it will probably work more
>>>reliably for longer as the queue runner will be called less by smtpd and
>>>more by the inactivity timer.
>>>
>>>One way round this could be to send the messages to the hold queue as
>>>the queue runner never runs in there. Now just to get the messages
>>>there...
>>>
>>>As I say I could be talking rubbish and I'll go away and keep going with
>>>whatever experiment people want to fix this issue but I thought it was
>>>worth knocking some thoughts about.
>>>
>>>Regards
>>>
>>>Drew
>>>
>>
>>--
>>Lindsay Snider
>>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Postfix.pm.patch
Type: application/octet-stream
Size: 1161 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031222/f5d72d51/Postfix.pm.obj
-------------- next part --------------
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From drew at THEMARSHALLS.CO.UK Mon Dec 22 10:53:55 2003
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:21:38 2006
Subject: MailScanner/Postfix message duplication - possible fix 2
In-Reply-To: <6.0.1.1.2.20031222095531.041d8150@imap.ecs.soton.ac.uk>
References: <229A346E44379140A59A48951B56E0C0D405D6@ARLABML01.DS.ARL.ARMY.MIL>
 <1071773318.8590.11.camel@localhost.localdomain>
 <3FE35242.9000607@themarshalls.co.uk>
 <6.0.1.1.2.20031222095531.041d8150@imap.ecs.soton.ac.uk>
Message-ID: <46421.194.70.180.170.1072090435.squirrel@net.themarshalls.co.uk>

I'll have a look at this patch later. Thanks :-)

Interestingly, I had a thought. If the header filter is used to place all
messages in the hold queue and allow MailScanner to collect from there,
you only need to run one Postfix instance. I have this in operation now
since the 19th and not had one duplication (Yet ;-) )

Merry Christmas

Drew

--
Julian Field said:
> I came up with another idea. As you know, I can't reproduce the problem on
> my systems, so you will just have to try this and see what happens.
>
> The attached patch is for Postfix.pm
> cd /usr/lib/MailScanner/MailScanner
> patch -p0 < /tmp/Postfix.pm.patch
>
> Please let me know how you get on with it.
>
> At 19:32 19/12/2003, you wrote:
>>Well it's now in place and working so we'll have to wait and see. I'll
>> let
>>you know what happens. Hopefully this could just be the Postfix solution
>> ;-)
>>
>>Drew
>>
>>Lindsay Snider wrote:
>>>
>>>On Thu, 2003-12-18 at 13:21, Kash, Howard (Civ,ARL/CISD) wrote:
>>>
>>>>
>>>>I'm beginning to think you are correct.
My patch doesn't seem to help.
>>>>Here is one method suggested by Peter Bates for putting messages in
>>>>the hold queue:
>>>>
>>>>
>>>>
>>>>>
>>>>>I'm using MS with Postfix in a slightly 'non-standard' way, but which
>>>>>is working fine for 13-15K messages we deal with (actually it might be
>>>>>more, I never bothered counting our outgoing email!)...
>>>>>
>>>>>I'm using a 'header_check' like so:
>>>>>
>>>>>In main.cf -
>>>>>header_checks = pcre:/etc/postfix/header_checks
>>>>>
>>>>>In header_checks -
>>>>>
>>>>>/^Received:.*by .*\.lshtm.ac.uk \(Postfix\)/ HOLD
>>>>>
>>>>>This puts the incoming mail in the 'hold' queue, and then
>>>>>I have in MailScanner.conf -
>>>>>
>>>>>Incoming Queue Dir = /var/spool/postfix/hold
>>>>>Outgoing Queue Dir = /var/spool/postfix/incoming
>>>>>
>>>>
>>>>
>>>>I think I'll give this a try.
>>>>
>>>
>>>
>>>We have been using the hold method here since Julian added postfix
>>>support. Our site is rather large and we use it across a couple of
>>>versions of postfix 2.x. So far, it has worked great.
>>>
>>>
>>>>
>>>>
>>>>Howard
>>>>
>>>>
>>>>-----Original Message-----
>>>>From: Drew Marshall
>>>>[mailto:drew@THEMARSHALLS.CO.UK]
>>>>Sent: Tuesday, December 16, 2003 5:54 PM
>>>>To: MAILSCANNER@JISCMAIL.AC.UK
>>>>Subject: Re: MailScanner/Postfix message duplication - possible fix
>>>>
>>>>
>>>>I wonder if this is only part of the story. Not being a programmer (Or
>>>>even someone who 'tinkers with code'!) please forgive me if I am being
>>>>stupid or just plain don't understand :-)
>>>>
>>>>The queue manager runs the queues when it's either called by receipt of
>>>>a 1byte message from another part of Postfix or when its inactivity
>>>>timer times out (As set in the master.cf file).
I had a play with this
>>>>to start with and when I set the idle timer to 28 days I still got
>>>>duplicates and the 'skipped' log entry from when MailScanner happened
>>>> to
>>>>be picking up a queued file and the queue runner had been called by
>>>>smtpd because it had just received a message. In some instances (One
>>>>larger message of 9Mb) this meant on my slow system that I didn't just
>>>>get duplicates but I got the damn thing 5 times, in various states of
>>>>delivery as it spooled into the deferred queue.
>>>>
>>>>Now my gamble is that moving your times to 40 seconds or even more will
>>>>probably not cure the problem as if your system is fairly busy the
>>>> queue
>>>>runner will be almost continuously running through the deferred queue
>>>> as
>>>>it collects mail and checks for messages that are due for attempted
>>>>redelivery (I guess this happens on every visit to the queue to ensure
>>>>that ageing messages are not left in deferred for too long). It's that
>>>>check that could be the problem. If MS is just about to collect the
>>>>message when the queue runner inspects the message for age (Not worth
>>>>locking for? Don't know?) then the two paps collide and cause the
>>>>situation as seen. It won't matter how long you tell MS to leave the
>>>>message there for, the queue runner could still bump into the
>>>>collection. On my much quieter system it will probably work more
>>>>reliably for longer as the queue runner will be called less by smtpd and
>>>>more by the inactivity timer.
>>>>
>>>>One way round this could be to send the messages to the hold queue as
>>>>the queue runner never runs in there. Now just to get the messages
>>>>there...
>>>>
>>>>As I say I could be talking rubbish and I'll go away and keep going
>>>> with
>>>>whatever experiment people want to fix this issue but I thought it was
>>>>worth knocking some thoughts about.
>>>>
>>>>Regards
>>>>
>>>>Drew
>>>>
>>>
>>>--
>>>Lindsay Snider
>>>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From J.M.Pickford-Perry at aston.ac.uk Mon Dec 22 11:24:25 2003
From: J.M.Pickford-Perry at aston.ac.uk (Jim Pickford-Perry)
Date: Thu Jan 12 21:21:38 2006
Subject: Unsubscribe
In-Reply-To:
Message-ID: <3FE6D469.29001.33D495C0@localhost>

Jim Pickford-Perry
+44 121 359 3611 x 4734
Mobile +44 7789 207 415
Fax +44 121 333 6549

Simple jobs always get put off because there will be time to do them
later.

From campbell at CNPAPERS.COM Mon Dec 22 14:15:56 2003
From: campbell at CNPAPERS.COM (Stephe Campbell)
Date: Thu Jan 12 21:21:38 2006
Subject: Spam from (forged) whitelist domain
References: <3FE37D3B.3080108@usdla.com> <20031219225154.GB19962@rfa.org>
 <6.0.1.1.2.20031220115352.027f7b28@imap.ecs.soton.ac.uk>
 <3FE62315.4020007@usdla.com>
 <6.0.1.1.2.20031222091013.039c4420@imap.ecs.soton.ac.uk>
Message-ID: <000f01c3c896$1dda4800$1101a8c0@cnpapers.net>

OK, now I'm confused.

I, too, am getting these forged from addresses. I have always thought that
the envelope 'to' and 'from' were what mattered. But when I look in my
maillog, I only see my domain in the envelope 'to' and 'from'. Blocking by
IP does not apply here, obviously.

So I look at the headers. We use an AV relay in front of our SMTP/MS/SA
server. This is the top-most 'Received: from' in the header. I can't block
this obviously. The next 'Received: from' listed down in the header may work
as this is not one of my IP addresses, but are you saying this is what is
being used as comparison? Who is doing the comparison, MS or SA? Are any and
all IPs in the header considered?

Sorry for the long-winded question, and thanks for any light on this subject
you may provide.
Steve Campbell
campbell@cnpapers.com
Charleston Newspapers


----- Original Message -----
From: "Julian Field"
To:
Sent: Monday, December 22, 2003 4:10 AM
Subject: Re: Spam from (forged) whitelist domain


> At 22:47 21/12/2003, you wrote:
> >Does the whitelist check look at the sending client IP, or the sending
> >server IP? (Assuming that my users only send from my server, and only
> >authenticated users are allowed to send from there.)
>
> It looks at the IP address at the other end of the SMTP connection to the
> MailScanner server.
>
>
> >Thanks.
> >
> >
> >Julian Field wrote:
> >
> >>Exactly what I was about to suggest. You can use pretty much any of the
> >>standard/common ways of expressing IP ranges and network subnets.
> >>
> >>At 22:51 19/12/2003, you wrote:
> >>
> >>>Just a thought, and I'm not sure this is correct, but perhaps you can
> >>>whitelist your domain by IP instead of by name.
> >>>
> >>>-Eric Rz.
> >>>
> >>>On Fri, Dec 19, 2003 at 02:35:39PM -0800, Andy Alsup wrote:
> >>> > I see a nontrivial volume of Spam that gets through to users using
> >>> > forged headers with my domain as the from. These are typically to:
> >>> > user@mydomain from: user@mydomain
> >>> >
> >>> > My domain is whitelisted, so when a forged header comes along, I
> >>>get a
> >>> > spam score that would have dealt with the spam, but it is whitelisted,
> >>> > so delivered anyway.
> >>> >
> >>> > Is there a way to deal with this?
> >>> >
> >>> > Thanks.
> >>
> >>
> >>--
> >>Julian Field
> >>www.MailScanner.info
> >>Professional Support Services at www.MailScanner.biz
> >>MailScanner thanks transtec Computers for their support
> >>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From FStein at THEHILL.ORG Mon Dec 22 14:30:18 2003
From: FStein at THEHILL.ORG (Stein, Mr.
Fred)
Date: Thu Jan 12 21:21:38 2006
Subject: blocking read and delivery receipts
Message-ID: <73F0CEC63C14FC41ACBE35A3E23DB9B303664E@dianna.thehill.org>

Is there a way to block read and delivery receipts in MailScanner?

RH9
Postfix
MailScanner 4.25-14
SA 2.61
Razor 2.0

Fred Stein
Network Administrator
The Hill School
717 High Street
Pottstown, PA 19464
610-326-1000 ext. 7356
fstein@thehill.org
www.thehill.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031222/a540cbe0/attachment.html

From mailscanner at ecs.soton.ac.uk Mon Dec 22 15:06:16 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:38 2006
Subject: Spam from (forged) whitelist domain
In-Reply-To: <000f01c3c896$1dda4800$1101a8c0@cnpapers.net>
References: <3FE37D3B.3080108@usdla.com> <20031219225154.GB19962@rfa.org>
 <6.0.1.1.2.20031220115352.027f7b28@imap.ecs.soton.ac.uk>
 <3FE62315.4020007@usdla.com>
 <6.0.1.1.2.20031222091013.039c4420@imap.ecs.soton.ac.uk>
 <000f01c3c896$1dda4800$1101a8c0@cnpapers.net>
Message-ID: <6.0.1.1.2.20031222150352.028926f0@imap.ecs.soton.ac.uk>

It's really simple. MailScanner uses the envelope to and from address, as
you say. If you want to match on the IP address, then it uses the IP
address at the other end of the SMTP connection. In your case, as you
forward all mail to MailScanner from an incoming relay machine, the IP
address at the other end of the SMTP connection will always be the address
of your incoming relay machine.

SpamAssassin can look at the (quite possibly forged) IP addresses in the
rest of the headers, MailScanner can't on its own.

At 14:15 22/12/2003, you wrote:
>OK, now I'm confused.
>
>I, too, am getting these forged from addresses. I have always thought that
>the envelope 'to' and 'from' were what mattered. But when I look in my
>maillog, I only see my domain in the envelope 'to' and 'from'.
Blocking by
>IP does not apply here, obviously.
>
>So I look at the headers. We use an AV relay in front of our SMTP/MS/SA
>server. This is the top-most 'Received: from' in the header. I can't block
>this obviously. The next 'Received: from' listed down in the header may work
>as this is not one of my IP addresses, but are you saying this is what is
>being used as comparison? Who is doing the comparison, MS or SA? Are any and
>all IPs in the header considered?
>
>Sorry for the long-winded question, and thanks for any light on this subject
>you may provide.
>
>Steve Campbell
>campbell@cnpapers.com
>Charleston Newspapers
>
>
>----- Original Message -----
>From: "Julian Field"
>To:
>Sent: Monday, December 22, 2003 4:10 AM
>Subject: Re: Spam from (forged) whitelist domain
>
>
> > At 22:47 21/12/2003, you wrote:
> > >Does the whitelist check look at the sending client IP, or the sending
> > >server IP? (Assuming that my users only send from my server, and only
> > >authenticated users are allowed to send from there.)
> >
> > It looks at the IP address at the other end of the SMTP connection to the
> > MailScanner server.
> >
> >
> > >Thanks.
> > >
> > >
> > >Julian Field wrote:
> > >
> > >>Exactly what I was about to suggest. You can use pretty much any of the
> > >>standard/common ways of expressing IP ranges and network subnets.
> > >>
> > >>At 22:51 19/12/2003, you wrote:
> > >>
> > >>>Just a thought, and I'm not sure this is correct, but perhaps you can
> > >>>whitelist your domain by IP instead of by name.
> > >>>
> > >>>-Eric Rz.
> > >>>
> > >>>On Fri, Dec 19, 2003 at 02:35:39PM -0800, Andy Alsup wrote:
> > >>> > I see a nontrivial volume of Spam that gets through to users using
> > >>> > forged headers with my domain as the from.
These are typically to:
> > >>> > user@mydomain from: user@mydomain
> > >>> >
> > >>> > My domain is whitelisted, so when a forged header comes along, I
> > >>>get a
> > >>> > spam score that would have dealt with the spam, but it is
>whitelisted,
> > >>> > so delivered anyway.
> > >>> >
> > >>> > Is there a way to deal with this?
> > >>> >
> > >>> > Thanks.
> > >>
> > >>
> > >>--
> > >>Julian Field
> > >>www.MailScanner.info
> > >>Professional Support Services at www.MailScanner.biz
> > >>MailScanner thanks transtec Computers for their support
> > >>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
> >
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From smilga at MIKROTIK.COM Mon Dec 22 15:21:56 2003
From: smilga at MIKROTIK.COM (Martins Smilga)
Date: Thu Jan 12 21:21:38 2006
Subject: Outgoing mail
References: <3FE37D3B.3080108@usdla.com> <20031219225154.GB19962@rfa.org>
 <6.0.1.1.2.20031220115352.027f7b28@imap.ecs.soton.ac.uk>
 <3FE62315.4020007@usdla.com>
 <6.0.1.1.2.20031222091013.039c4420@imap.ecs.soton.ac.uk>
 <000f01c3c896$1dda4800$1101a8c0@cnpapers.net>
 <6.0.1.1.2.20031222150352.028926f0@imap.ecs.soton.ac.uk>
Message-ID: <141301c3c89f$5625a9d0$6700010a@martinsss>

Hello,

How can I set to not check with spam and antivirus outgoing mails?

Thanks

Martins

From prandal at HEREFORDSHIRE.GOV.UK Mon Dec 22 15:25:01 2003
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:21:38 2006
Subject: Outgoing mail
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C40E@jessica.herefordshire.gov.uk>

You really want to do that? You should virus check everything going
through the gateway.
Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Martins Smilga
> Sent: 22 December 2003 15:22
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Outgoing mail
>
>
> Hello,
>
> How can I set to not check with spam and antivirus outgoing mails?
>
> Thanks
>
> Martins
>

From smilga at MIKROTIK.COM Mon Dec 22 15:26:59 2003
From: smilga at MIKROTIK.COM (Martins Smilga)
Date: Thu Jan 12 21:21:38 2006
Subject: Outgoing mail
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C40E@jessica.herefordshire.gov.uk>
Message-ID: <141f01c3c8a0$0a98e260$6700010a@martinsss>

Yes, It is for testing. I can not find where I can switch it off.

----- Original Message -----
From: "Randal, Phil"
To:
Sent: Monday, December 22, 2003 5:25 PM
Subject: Re: Outgoing mail

> You really want to do that? You should virus check everything going
> through the gateway.
>
> Phil
>
> ---------------------------------------------
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK
>
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> > Behalf Of Martins Smilga
> > Sent: 22 December 2003 15:22
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Outgoing mail
> >
> >
> > Hello,
> >
> > How can I set to not check with spam and antivirus outgoing mails?
> >
> > Thanks
> >
> > Martins
> >

From P.G.M.Peters at utwente.nl Mon Dec 22 15:47:16 2003
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:21:38 2006
Subject: difference "spam action" and "high spam action"
Message-ID:

I stumbled onto a problem with rules for spam action and high spam action.

I have had rules for high spam actions in which a number of addresses have
their "highspam" deleted on the server.
A number of those addresses were copied to the "spam" rules file thinking
it would trigger on messages with SA score of 5 instead of the highscore
of 20. But checking the logs it doesn't only delete on SA score. It also
triggers on blacklists used in MS. Which I should know it did. But I am
using some blacklists for "statistical" purposes (like RFC-IGNORANT-lists
and us.countries.nerd.dk). They are also considered spam.

Could it be possible to have a low spam actions which only triggers on SA
score?

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From mike at CAMAROSS.NET Mon Dec 22 15:55:55 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:21:38 2006
Subject: Outgoing mail
In-Reply-To: <141301c3c89f$5625a9d0$6700010a@martinsss>
Message-ID: <200312221555.hBMFtcfg012242@avwall.bladeware.com>

You need to use a ruleset for this:

From: *@yourdomain.org no
FromTo: default yes

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Martins Smilga
> Sent: Monday, December 22, 2003 9:22 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Outgoing mail
>
> Hello,
>
> How can I set to not check with spam and antivirus outgoing mails?
>
> Thanks
>
> Martins
>

From Ulysees at ULYSEES.COM Mon Dec 22 16:02:57 2003
From: Ulysees at ULYSEES.COM (Ulysees)
Date: Thu Jan 12 21:21:38 2006
Subject: Scanned Modify Subject
Message-ID: <000501c3c8a5$11415840$3201010a@nimitz>

is it possible to have Scanned Modify Subject = $ruleset unless mail is
virus or spam ?
or that the virus or spam subject modifiers can either precede or replace
Scanned Subject Text ?
uly

From mailscanner at ecs.soton.ac.uk Mon Dec 22 16:08:57 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:38 2006
Subject: Scanned Modify Subject
In-Reply-To: <000501c3c8a5$11415840$3201010a@nimitz>
References: <000501c3c8a5$11415840$3201010a@nimitz>
Message-ID: <6.0.1.1.2.20031222160840.028b6c68@imap.ecs.soton.ac.uk>

Please give me a few examples of what you mean.

At 16:02 22/12/2003, you wrote:
>is it possible to have Scanned Modify Subject = $ruleset unless mail is
>virus or spam ?
>or that the virus or spam subject modifiers can either precede or replace
>Scanned Subject Text ?
>
>uly

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From sysadmins at ENHTECH.COM Mon Dec 22 16:17:28 2003
From: sysadmins at ENHTECH.COM (Errol Neal)
Date: Thu Jan 12 21:21:38 2006
Subject: Spam/bounce problem
In-Reply-To: <6.0.1.1.2.20031218141017.03a26828@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20031218141017.03a26828@imap.ecs.soton.ac.uk>
Message-ID: <6.0.0.22.0.20031222111641.02e26d18@mail.enhtech.com>

At 09:14 AM 12/18/2003, you wrote:

>Then in outgoing.queue.rules put this:
>
>From: /^$/ /var/spool/mqueue.slow
>FromOrTo: default /var/spool/mqueue

Forgive my ignorance.. what does the /^$/ mean?

Errol Neal

Errol U. Neal Jr., Systems Administrator
Enhanced Technologies, Inc.
- The Business Grade Hosting Specialists
http://www.enhtech.com
703-924-0301 or 800-368-3249
703-997-0839 Fax

From mailscanner at ecs.soton.ac.uk Mon Dec 22 16:23:46 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:38 2006
Subject: Spam/bounce problem
In-Reply-To: <6.0.0.22.0.20031222111641.02e26d18@mail.enhtech.com>
References: <6.0.1.1.2.20031218141017.03a26828@imap.ecs.soton.ac.uk>
 <6.0.0.22.0.20031222111641.02e26d18@mail.enhtech.com>
Message-ID: <6.0.1.1.2.20031222162318.02875798@imap.ecs.soton.ac.uk>

At 16:17 22/12/2003, you wrote:
>At 09:14 AM 12/18/2003, you wrote:
>
>>Then in outgoing.queue.rules put this:
>>
>>From: /^$/ /var/spool/mqueue.slow
>>FromOrTo: default /var/spool/mqueue
>
>Forgive my ignorance.. what does the /^$/ mean?

It means "match a totally empty address".

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From sysadmins at ENHTECH.COM Mon Dec 22 16:34:38 2003
From: sysadmins at ENHTECH.COM (Errol Neal)
Date: Thu Jan 12 21:21:38 2006
Subject: Spam/bounce problem
In-Reply-To: <6.0.1.1.2.20031222162318.02875798@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20031218141017.03a26828@imap.ecs.soton.ac.uk>
 <6.0.0.22.0.20031222111641.02e26d18@mail.enhtech.com>
 <6.0.1.1.2.20031222162318.02875798@imap.ecs.soton.ac.uk>
Message-ID: <6.0.0.22.0.20031222113401.02e5d498@mail.enhtech.com>

At 11:23 AM 12/22/2003, you wrote:

>>Forgive my ignorance.. what does the /^$/ mean?
>
>It means "match a totally empty address".

Thanks. As you can probably tell, Reg Expressions are not my expertise.

Errol Neal

Errol U. Neal Jr., Systems Administrator
Enhanced Technologies, Inc.
- The Business Grade Hosting Specialists http://www.enhtech.com 703-924-0301 or 800-368-3249 703-997-0839 Fax From Ulysees at ULYSEES.COM Mon Dec 22 16:49:53 2003 From: Ulysees at ULYSEES.COM (Ulysees) Date: Thu Jan 12 21:21:38 2006 Subject: Scanned Modify Subject References: <000501c3c8a5$11415840$3201010a@nimitz> <6.0.1.1.2.20031222160840.028b6c68@imap.ecs.soton.ac.uk> Message-ID: <000a01c3c8ab$9fc73020$3201010a@nimitz> Currently I modify the subject of a certain list of domains using scanned subject modify and a simple ruleset, works a treat. If a mail for one of those domains contains a virus the subject turns into "{scannedsubjectmodifytext !} {Virus?} Whatever the original subject text was" Same kinda thing if it's spam. A lot of the time this results in users not noticing the second tag, so I'd like it to not have the first tag if the subject is being modified by another rule. eg "{Virus?} Whatever the original subject text was" uly > Please give me a few examples of what you mean. > > At 16:02 22/12/2003, you wrote: > >is it possible to have Scanned Modify Subject = $ruleset unless mail is > >virus or spam ? > >or that the virus or spam subject modifiers can either preceed or replace > >Scanned Subject Text ? 
> > > >uly > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From mailscanner at ecs.soton.ac.uk Mon Dec 22 16:54:58 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:38 2006 Subject: Scanned Modify Subject In-Reply-To: <000a01c3c8ab$9fc73020$3201010a@nimitz> References: <000501c3c8a5$11415840$3201010a@nimitz> <6.0.1.1.2.20031222160840.028b6c68@imap.ecs.soton.ac.uk> <000a01c3c8ab$9fc73020$3201010a@nimitz> Message-ID: <6.0.1.1.2.20031222165356.03c988d8@imap.ecs.soton.ac.uk> At 16:49 22/12/2003, you wrote: >Currently I modify the subject of a certain list of domains using scanned >subject modify and a simple ruleset, works a treat. >If a mail for one of those domains contains a virus the subject turns into >"{scannedsubjectmodifytext !} {Virus?} Whatever the original subject text >was" >Same kinda thing if it's spam. >A lot of the time this results in users not noticing the second tag, so I'd >like it to not have the first tag if the subject is being modified by >another rule. >eg "{Virus?} Whatever the original subject text was" You can move the scannedsubjectmodifytext to the end of the Subject: instead of having it at the beginning. Works better with "Re:" too as you don't collect millions of tags at the start of the Subject:. >uly > > > > > Please give me a few examples of what you mean. > > > > At 16:02 22/12/2003, you wrote: > > >is it possible to have Scanned Modify Subject = $ruleset unless mail is > > >virus or spam ? > > >or that the virus or spam subject modifiers can either preceed or replace > > >Scanned Subject Text ? 
> > > > > >uly > > > > -- > > Julian Field > > www.MailScanner.info > > Professional Support Services at www.MailScanner.biz > > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From Ulysees at ULYSEES.COM Mon Dec 22 17:04:52 2003 From: Ulysees at ULYSEES.COM (Ulysees) Date: Thu Jan 12 21:21:38 2006 Subject: Scanned Modify Subject References: <000501c3c8a5$11415840$3201010a@nimitz> <6.0.1.1.2.20031222160840.028b6c68@imap.ecs.soton.ac.uk> <000a01c3c8ab$9fc73020$3201010a@nimitz> <6.0.1.1.2.20031222165356.03c988d8@imap.ecs.soton.ac.uk> Message-ID: <000f01c3c8ad$b7640a30$3201010a@nimitz> I don't really see the Re: problem as a huge issue, the reason I'm modifying the subject is so as users who are still using some legacy addresses can easily identify whatever mails they actually need to recieve before I kill the old domains. So typically they should be once off mails not normal conversations. Since viruses and spam are unsolicited the user doesn't really need to know what address it went to just that it's a virus or spam. It's not biggie I just thought someone might have had a one liner to do it :) Uly > At 16:49 22/12/2003, you wrote: > >Currently I modify the subject of a certain list of domains using scanned > >subject modify and a simple ruleset, works a treat. > >If a mail for one of those domains contains a virus the subject turns into > >"{scannedsubjectmodifytext !} {Virus?} Whatever the original subject text > >was" > >Same kinda thing if it's spam. > >A lot of the time this results in users not noticing the second tag, so I'd > >like it to not have the first tag if the subject is being modified by > >another rule. 
> >eg "{Virus?} Whatever the original subject text was" > > You can move the scannedsubjectmodifytext to the end of the Subject: > instead of having it at the beginning. Works better with "Re:" too as you > don't collect millions of tags at the start of the Subject:. > > > >uly > > > > > > > > > Please give me a few examples of what you mean. > > > > > > At 16:02 22/12/2003, you wrote: > > > >is it possible to have Scanned Modify Subject = $ruleset unless mail is > > > >virus or spam ? > > > >or that the virus or spam subject modifiers can either preceed or replace > > > >Scanned Subject Text ? > > > > > > > >uly > > > > > > -- > > > Julian Field > > > www.MailScanner.info > > > Professional Support Services at www.MailScanner.biz > > > MailScanner thanks transtec Computers for their support > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From pmb1 at YORK.AC.UK Mon Dec 22 17:12:36 2003 From: pmb1 at YORK.AC.UK (Mike Brudenell) Date: Thu Jan 12 21:21:38 2006 Subject: Outgoing mail In-Reply-To: <141301c3c89f$5625a9d0$6700010a@martinsss> <200312221555.hBMFtcfg012242@avwall.bladeware.com> References: <3FE37D3B.3080108@usdla.com> <20031219225154.GB19962@rfa.org> <6.0.1.1.2.20031220115352.027f7b28@imap.ecs.soton.ac.uk> <3FE62315.4020007@usdla.com> <6.0.1.1.2.20031222091013.039c4420@imap.ecs.soton.ac.uk> <000f01c3c896$1dda4800$1101a8c0@cnpapers.net> <6.0.1.1.2.20031222150352.028926f0@imap.ecs.soton.ac.uk> <141301c3c89f$5625a9d0$6700010a@martinsss> Message-ID: <2147483647.1072113156@pippin.york.ac.uk> Greetings - Can I ask a bit of a naive question about rulesets that's arisen in my mind after Martins asked this... 

--On Monday, December 22, 2003 5:21 pm +0200 Martins Smilga wrote:

> Hello,
>
> How can I set to not check with spam and antivirus outgoing mails?
>
> Thanks
>
> Martins

Mike answered with this...

--On Monday, December 22, 2003 9:55 am -0600 Mike Kercher wrote:

> You need to use a ruleset for this:
>
> From:           *@yourdomain.org        no
> FromTo:         default                 yes

...but in a previous message explained that MailScanner does its checks
using:
    * the SMTP "MAIL FROM" details
    * the SMTP "RCPT TO" details
    * the IP address of the transmitting server

So doesn't this mean that an entry of the form

    From: *@yourdomain.org no

is a little unsafe? In particular if the message is arriving from an
offsite machine which has forged the MAIL FROM envelope information to be
an address within your domain ("xxx@yourdomain.org") then the above rule
means it won't get scanned for viruses or spamminess? Wouldn't it be
better to use a rule to skip the scan only if the IP address of the sending
server is within your netblock of machines?

Festive Cheers,

Mike B-)

--
The Computing Service, University of York, Heslington, York Yo10 5DD, UK
Tel:+44-1904-433811  FAX:+44-1904-433740

* Unsolicited commercial e-mail is NOT welcome at this e-mail address. *

From dot at DOTAT.AT  Mon Dec 22 17:22:53 2003
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:21:38 2006
Subject: Spam/bounce problem
In-Reply-To:
Message-ID:

Tony Johansson wrote:
>
>1. Spammer sends spam to abc@domain.com, spam has the spoofed return
>address xyz@school.com
>2. No such user at domain.com/mailbox full/disabled etc
>3. Mail bounces to xyz@school.com (with return path "<>")
>4. Smtpgate at school.com (running mailscanner) accepts message, forwards
>to internal server
>5. Internal server sees that the address xyz@school.com is non-existent
>6. Internal server tries to bounce the message, to xyz@school.com, but
>naturally it cannot be delivered
>7. Message is sent to postmaster@school.com, "I tried to deliver a bounce
>message to this address, but the bounce bounced!"
>
>Does anyone have a remedy for this problem?
>
>I guess I could only accept messages (at #4) for legitimate users but that
>would probably attract some directory harvest attacks. Not to mention
>keeping the list up to date.

Address harvesting from SMTP RCPT verification is a myth, AFAICT. It is
MUCH MUCH better to verify addresses before you accept the message.

If you are sure that all legitimate messages sent with return addresses
pointing to the school are sent via the school's SMTP server, then you can
arrange for the server to add a hard-to-forge cookie to the headers of
every outgoing message. Bounced legitimate messages will contain the
cookie in the body of the bounce. Joe-job bounces will not have the cookie
and can be rejected.

Tony.
--
f.a.n.finch http://dotat.at/
FAEROES: SOUTH OR SOUTHWEST 5 TO 7, VEERING WEST FOR A TIME. RAIN. MODERATE
OR POOR.

From ugob at CAMO-ROUTE.COM  Mon Dec 22 17:57:52 2003
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:38 2006
Subject: Outgoing mail
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE2C0@mtlnt501fs.CAMOROUTE.COM>

> Mike answered with this...
>
> --On Monday, December 22, 2003 9:55 am -0600 Mike Kercher wrote:
>
> > You need to use a ruleset for this:
> >
> > From:           *@yourdomain.org        no
> > FromTo:         default                 yes
>
> ...but in a previous message explained that MailScanner does its checks
> using:
>     * the SMTP "MAIL FROM" details
>     * the SMTP "RCPT TO" details
>     * the IP address of the transmitting server
>
> So doesn't this mean that an entry of the form
>
>     From: *@yourdomain.org no
>
> is a little unsafe? In particular if the message is arriving from an
> offsite machine which has forged the MAIL FROM envelope information to be
> an address within your domain ("xxx@yourdomain.org") then the above rule
> means it won't get scanned for viruses or spamminess? Wouldn't it be
> better to use a rule to skip the scan only if the IP address of the
> sending server is within your netblock of machines?

If you can use IP add, do so. It is in fact more secure.

>
> Festive Cheers,
>
> Mike B-)
>
> --
> The Computing Service, University of York, Heslington, York Yo10 5DD, UK
> Tel:+44-1904-433811  FAX:+44-1904-433740
>
> * Unsolicited commercial e-mail is NOT welcome at this e-mail address. *
>

From paul.hamilton at sme-ecom.co.uk  Mon Dec 22 19:26:03 2003
From: paul.hamilton at sme-ecom.co.uk (Paul Hamilton)
Date: Thu Jan 12 21:21:38 2006
Subject: Real time logging to sql database
Message-ID: <000001c3c8c1$710e1ee0$fc32000a@4>

Hi all,

Is there anybody using real time logging for Mailscanner to a
sql database per message, rather than generating temporary
files and flushing every restart?

Regards

Paul H.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031222/3451191d/attachment.html

From chris at FRACTALWEB.COM  Mon Dec 22 19:37:49 2003
From: chris at FRACTALWEB.COM (Chris Yuzik)
Date: Thu Jan 12 21:21:38 2006
Subject: Real time logging to sql database
In-Reply-To: <000001c3c8c1$710e1ee0$fc32000a@4>
References: <000001c3c8c1$710e1ee0$fc32000a@4>
Message-ID: <1072121868.24214.1.camel@venus.fractal>

On Mon, 2003-12-22 at 11:26, Paul Hamilton wrote:
> Hi all,
> Is there anybody using real time logging for Mailscanner to a
> sql database per message, rather than generating temporary
> files and flushing every restart?

Paul,

I believe this is exactly what MailWatch does. I implemented MailWatch
this past weekend and it ties in with a MySQL database. It also offers
amazing statistics. I acquired it from Sourceforge. Check it out.

Cheers,
Chris

From mailscanner at pdscc.com  Mon Dec 22 19:58:57 2003
From: mailscanner at pdscc.com (Harondel J. Sibble)
Date: Thu Jan 12 21:21:38 2006
Subject: dns configuration for natted mailserver
Message-ID: <200312222011.MAA03186@sheridan.sibble.net>

Okay, just curious if the following is the best way to configure dns for a
natted mail server:

Background (note: the frontend will be running Mailscanner/SA/F-prot, my
concern is this setup running afoul of other mailscanner setup on the net)

- external dns will be hosted by isp with their mailserver as the backup MX
- internal dns is hosted on the win2k server with a non-real domain (comp-
name-intraner.net) name only used internally, dns server is set to forward
any queries it can't answer to isp's dns servers
- there are 2 mail servers on the lan, one is the frontend/mail scanner and
will do virus and spam filtering and act as an in/outbound mail relay. The
main workgroup mailserver will not be accessible from the internet except
via vpn. it will not be listed in external dns, only the frontend box will
be.
- sonicwall firewall is set to allow smtp traffic to the single internal
frontend box (mailscanner) via port forwarding to the natted box
- mailscanner is configured to act as a relay for outbound mail from the lan
and for inbound email to the hidden mailserver
- the internal dns has entries for both mailservers with their real net
accessible names mail.domainname.com and mailscan.domainname.com.

So.... This is the plan, anything missing?

1) in the isp's dns servers we add an A, MX and rDNS record for
mailscan.domainname.com which points to the wan ip address for the
sonicwall which port forwards to the mail relay

2) setup isp's mailserver as secondary mx

The only problem I see with this is that mail sent from the hidden mail
server will fall afoul of antispam filtering at other sites since there
will be no external dns entries for the hidden server itself and a rdns
check will fail.

--
Harondel J. Sibble
Sibble Computer Consulting
Creating solutions for the small business and home computer user.
help@pdscc.com (use pgp keyid 0x3AD5C11D)  http://www.pdscc.com
(604) 739-3709 (voice/fax)  (604) 686-2253 (pager)

From garry at GLENDOWN.DE  Mon Dec 22 20:26:48 2003
From: garry at GLENDOWN.DE (Garry Glendown)
Date: Thu Jan 12 21:21:38 2006
Subject: HTML msg quarantined is warning mail instead of content
Message-ID:

Hi,

one of our users just requested the HTML contents of a mail that was
filtered by MailScanner (4.25-11). Anyway, the file in the quarantine
directory is not the content of the mail, but rather the mail that was sent
out instead - the original content is lost. I have checked other HTML files
that MailScanner removed from incoming mails - it seems like about half of
all the files are the original content, whereas the other half is the
warning mails instead.

Has anybody else noticed this yet?

Tnx, -garry

From dh at UPTIME.AT  Mon Dec 22 21:09:06 2003
From: dh at UPTIME.AT (David H.)
Date: Thu Jan 12 21:21:38 2006
Subject: Real time logging to sql database
In-Reply-To: <000001c3c8c1$710e1ee0$fc32000a@4>
References: <000001c3c8c1$710e1ee0$fc32000a@4>
Message-ID: <3FE75D72.5080703@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Paul Hamilton wrote:

> Hi all,
Hello.
>
> Is there anybody using real time logging for Mailscanner to a
> sql database per message, rather than generating temporary
> files and flushing every restart?
>
Just some general thought. I wonder how secure this is and what kind of
performance hit one has to take. Theoretically, if I wish to do this
"securely" each log message has to be its own transaction. Thus a
singular INSERT results in a full transaction within the database. Now,
when I imagine I have a fairly busy MailServer with, let's say, 0.5 or 1
message per second, that might nag on the database a whole lot when I
log _directly_ into the Daemon.

Maybe it is indeed faster to simply write out SQL INSERT statements into
a file, to the disc and sync this file into the database every 15 or 30
minutes. This could be done in a single transaction then.

But then again, I am by far no Database guru.

- -d

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/5112PMoaMn4kKR4RA9mbAJ4rOPYzjnGcL9kus9eT1poJ/ZSwUQCeN57j
9L4MUB1vnC6x/zh6nRxBtFs=
=tSih
-----END PGP SIGNATURE-----

From chris at TRUDEAU.ORG  Mon Dec 22 21:16:41 2003
From: chris at TRUDEAU.ORG (Chris Trudeau)
Date: Thu Jan 12 21:21:38 2006
Subject: Real time logging to sql database
References: <000001c3c8c1$710e1ee0$fc32000a@4> <3FE75D72.5080703@uptime.at>
Message-ID: <011901c3c8d0$e50f16f0$4e19000a@ATLCPW13671>

Yep...exactly the design that Julian/Steve had in mind (I assume). The
MailWatch package uses temp files as well I believe...it IS however a great
solution...

CT

----- Original Message -----
From: "David H."
To:
Sent: Monday, December 22, 2003 4:09 PM
Subject: Re: Real time logging to sql database

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> Paul Hamilton wrote:
>
> > Hi all,
> Hello.
> >
> > Is there anybody using real time logging for Mailscanner to a
> > sql database per message, rather than generating temporary
> > files and flushing every restart?
> >
> Just some general thought. I wonder how secure this is and what kind of
> performance hit one has to take. Theoretically, if I wish to do this
> "securely" each log message has to be its own transaction. Thus a
> singular INSERT results in a full transaction within the database. Now,
> when I imagine I have a fairly busy MailServer with, let's say, 0.5 or 1
> message per second, that might nag on the database a whole lot when I
> log _directly_ into the Daemon.
>
> Maybe it is indeed faster to simply write out SQL INSERT statements into
> a file, to the disc and sync this file into the database every 15 or 30
> minutes. This could be done in a single transaction then.
>
> But then again, I am by far no Database guru.
>
> - -d
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (Darwin)
>
> iD8DBQE/5112PMoaMn4kKR4RA9mbAJ4rOPYzjnGcL9kus9eT1poJ/ZSwUQCeN57j
> 9L4MUB1vnC6x/zh6nRxBtFs=
> =tSih
> -----END PGP SIGNATURE-----

From bpumphrey at WOODMACLAW.COM  Mon Dec 22 21:15:45 2003
From: bpumphrey at WOODMACLAW.COM (Billy Pumphrey)
Date: Thu Jan 12 21:21:38 2006
Subject: I'm trying to get MailScanner to work
Message-ID:

Hello Everyone,

I have tried plenty o things including reading all that I could find
without going insane :). Please help, here are the details.

Situation wanted: To have the MailScanner machine sit in front of the
exchange machine to do the spam filtering and then relay it to the exchange
server. (typical setup)

My knowledge level: Good at windows, not so good at Linux.

There is a machine currently setup to do that but I screwed it up somehow.
The mail will go through the MailScanner machine and pass it to the
Exchange server but will not process any spam rules, and send mail won't
start unless I tell it to manually.

Anyway, new machine, new install of Red Hat 9 GUI with sendmail and
spamassassin off the cd's.

- I downloaded MailScanner 4.25.14
- I tried these instructions:
  http://www.sng.ecs.soton.ac.uk/mailscanner/install/linux.shtml
  http://www.sng.ecs.soton.ac.uk/mailscanner/install/other.shtml
  http://www.sng.ecs.soton.ac.uk/mailscanner/faq.shtml
  http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/1.html
  and FAQ's and such.

I'm sure that I have just missed something somewhere and hopefully someone
can point it out to me. I don't even know how to go about testing to see if
the first step was done right.

Here are some conflicts or differences that I have seen or made me confused
on:

- does the ./install.sh make the mqueue.in folder? My experience it didn't
  and I tried making it manually via somewhere in the instructions above.
- I'm still a little confused on the path of the mail. Is it mqueue,
  mqueue.in then spamassassin and so on?

Please any help on this is greatly appreciated on where to start and go.

From RKearney at AZERTY.COM  Mon Dec 22 21:31:55 2003
From: RKearney at AZERTY.COM (Kearney, Rob)
Date: Thu Jan 12 21:21:38 2006
Subject: Real time logging to sql database
Message-ID: <210DF55DED65B547896F728FB057F3B2019C4AA5@seaver.ussco.com>

Just fyi,

This topic came up several times in the list. You might want to research
the archives.

We modified the perl code to log each message in real time to the SQL
database. Our message rate was about 65,000 messages per day (.5-1 per sec).
We averaged about 25-30% cpu on a Compaq DL360g2 1.4Ghz PIII Xeon, and 1Gb
RAM. We used spamassassin with Razor2/pyzor/dcc, no bayes. We did not virus
scan.

-rob

-----Original Message-----
From: David H. [mailto:dh@UPTIME.AT]
Sent: Monday, December 22, 2003 4:09 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Real time logging to sql database

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Paul Hamilton wrote:

> Hi all,
Hello.
>
> Is there anybody using real time logging for Mailscanner to a
> sql database per message, rather than generating temporary
> files and flushing every restart?
>
Just some general thought. I wonder how secure this is and what kind of
performance hit one has to take. Theoretically, if I wish to do this
"securely" each log message has to be its own transaction. Thus a
singular INSERT results in a full transaction within the database. Now,
when I imagine I have a fairly busy MailServer with, let's say, 0.5 or 1
message per second, that might nag on the database a whole lot when I
log _directly_ into the Daemon.

Maybe it is indeed faster to simply write out SQL INSERT statements into
a file, to the disc and sync this file into the database every 15 or 30
minutes. This could be done in a single transaction then.

But then again, I am by far no Database guru.

- -d

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/5112PMoaMn4kKR4RA9mbAJ4rOPYzjnGcL9kus9eT1poJ/ZSwUQCeN57j
9L4MUB1vnC6x/zh6nRxBtFs=
=tSih
-----END PGP SIGNATURE-----

From RKearney at AZERTY.COM  Mon Dec 22 21:49:03 2003
From: RKearney at AZERTY.COM (Kearney, Rob)
Date: Thu Jan 12 21:21:38 2006
Subject: I'm trying to get MailScanner to work
Message-ID: <210DF55DED65B547896F728FB057F3B2019C4AA6@seaver.ussco.com>

1. You don't want sendmail to start in addition to what mailscanner does.

MailScanner will start a sendmail SMTP daemon process, and also a queue
runner for outbound mail (destined for your exchange server).

Mail is delivered from externally to the /var/spool/mqueue.in directory.
MailScanner will "Pick up that mail" and link it to
/var/spool/MailScanner/incoming/
when all is said and done, MailScanner will drop it off into
/var/spool/mqueue
This is where the sendmail Queue Runner will pick it up and deliver to your
exchange server.

For sendmail, make sure you have something in /etc/mail/mailertable
described like this:

        esmtp:[exchangeserver.domain.com]

such that if you receive mail for "mydomain.com" and exchange server is
exchange.mydomain.com, the line reads:

        mydomain.com    esmtp:[exchange.mydomain.com]

This line says for email destined for mydomain.com, send via ESMTP to
server in brackets (brackets prevent DNS lookups on MX records)

then in /etc/mail/ type 'make mailertable.db'
this creates a file usable by the sendmail queue runner.

Stop sendmail and MailScanner
        service MailScanner stop
        service sendmail stop
disable sendmail in /etc/init.d
        chkconfig --level 2345 sendmail off
enable MailScanner
        chkconfig --level 2345 MailScanner on
start your MailScanner service
        service MailScanner start

By doing ps -auxw |grep -i mail, you should see a "sendmail: accepting
connections" line, a "sendmail: Queue Runner" line, and several
/usr/bin/perl.... MailScanner lines (it may take several seconds before
you see multiple MailScanner processes start up)

This all, of course, is assuming your MailScanner config is good with
SpamAssassin installed etc.

-rob

-----Original Message-----
From: Billy Pumphrey [mailto:bpumphrey@WOODMACLAW.COM]
Sent: Monday, December 22, 2003 4:16 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: I'm trying to get MailScanner to work

Hello Everyone,

I have tried plenty o things including reading all that I could find
without going insane :). Please help, here are the details.

Situation wanted: To have the MailScanner machine sit in front of the
exchange machine to do the spam filtering and then relay it to the exchange
server. (typical setup)

My knowledge level: Good at windows, not so good at Linux.

There is a machine currently setup to do that but I screwed it up somehow.
The mail will go through the MailScanner machine and pass it to the
Exchange server but will not process any spam rules, and send mail won't
start unless I tell it to manually.

Anyway, new machine, new install of Red Hat 9 GUI with sendmail and
spamassassin off the cd's.

- I downloaded MailScanner 4.25.14
- I tried these instructions:
  http://www.sng.ecs.soton.ac.uk/mailscanner/install/linux.shtml
  http://www.sng.ecs.soton.ac.uk/mailscanner/install/other.shtml
  http://www.sng.ecs.soton.ac.uk/mailscanner/faq.shtml
  http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/1.html
  and FAQ's and such.

I'm sure that I have just missed something somewhere and hopefully someone
can point it out to me. I don't even know how to go about testing to see if
the first step was done right.

Here are some conflicts or differences that I have seen or made me confused
on:

- does the ./install.sh make the mqueue.in folder? My experience it didn't
  and I tried making it manually via somewhere in the instructions above.
- I'm still a little confused on the path of the mail. Is it mqueue,
  mqueue.in then spamassassin and so on?
Please any help on this is greatly appreciated on where to start and go. From sysadmins at ENHTECH.COM Mon Dec 22 21:59:34 2003 From: sysadmins at ENHTECH.COM (Errol Neal) Date: Thu Jan 12 21:21:38 2006 Subject: Spam/bounce problem In-Reply-To: <6.0.1.1.2.20031222162318.02875798@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20031218141017.03a26828@imap.ecs.soton.ac.uk> <6.0.0.22.0.20031222111641.02e26d18@mail.enhtech.com> <6.0.1.1.2.20031222162318.02875798@imap.ecs.soton.ac.uk> Message-ID: <6.0.0.22.0.20031222165832.02e61c58@mail.enhtech.com> At 11:23 AM 12/22/2003, you wrote: >At 16:17 22/12/2003, you wrote: >>At 09:14 AM 12/18/2003, you wrote: >> >>>Then in outgoing.queue.rules put this: >>> >>>From: /^$/ /var/spool/mqueue.slow >>>FromOrTo: default /var/spool/mqueue >> >>Forgive my ignorance.. what does the /^$/ mean? > >It means "match a totally empty address". Hi Julian, This is not producing the expected results. /var/spool/mqueue.slow is empty. However I made the modifications to my config per your example. Should I have done anything else? Errol Neal Errol U. Neal Jr., Systems Administrator Enhanced Technologies, Inc. - The Business Grade Hosting Specialists http://www.enhtech.com 703-924-0301 or 800-368-3249 703-997-0839 Fax From bpumphrey at WOODMACLAW.COM Mon Dec 22 22:06:09 2003 From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey) Date: Thu Jan 12 21:21:38 2006 Subject: I'm trying to get MailScanner to work Message-ID: That information helped me know what's going on a little better but It didn't help the machine work. 
Here are the results: Thank You Billy Pumphrey -----Original Message----- mydomain.com esmtp:[exchange.mydomain.com] ------------------------------------------------------ I put woodendc.woodmaclaw.com esmtp:[woodmaclaw.com] I did have .woodmaclaw.com relay:[10.1.1.2] woodmaclaw.com relay:[10.1.1.2] .woodmclaw.com relay:[10.1.1.2] woodmclaw.com relay:[10.1.1.2] ----------------------------------------------- -----------I did so:-------- then in /etc/mail/ type 'make mailertable.db' this creates a file usable by the sendmail queue runner. Stop sendmail and MailScanner service MailScanner stop service sendmail stop ------------ I got = Shutting down sm-client [FAILED] ---------------- disable sendmail in /etc/init.d chkconfig --level 2345 sendmail off enable MailScanner chkconfig --level 2345 MailScanner on start your MailScanner service service MailScanner start By doing ps -auxw |grep -i mail, you should see a "sendmail: accepting connections" line, a "sendmail: Queue Runner" line, and several /usr/bin/perl.... MailScanner lines (it make take several seconds before you see multiple MailScanner processes startup") ------------------------------------------------------------------ I did so and noticed that these line might not be right: Root 29460 1.0 0.0 0 0 0 ? Z 16:58 0:00[MailScanner ] And a lot of these: Root 19460 0.1 0.0 0 0 0 ? Z 16:58 0:0 [MailScanner ] which I guess is about the same of the above. This all, of course, is assuming your MailScanner config is good with SpamAssassin installed etc. Thank You Billy Pumphrey -----Original Message----- From: Kearney, Rob [mailto:RKearney@AZERTY.COM] Sent: Monday, December 22, 2003 4:49 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: I'm trying to get MailScanner to work 1. You don't want sendmail to start in addition to what mailscanner does. MailScanner will start a sendmail SMTP daemon process, and also a queue runner for outbound mail (destined for you exchange server). 
Mail is delivered from externally to the /var/spool/mqueue.in directory. MailScanner will "Pick up that mail" and link it to /var/spool/MailScanner/incoming/ when all is said and done, MailScanner will drop it off into /var/spool/mqueue This is where the sendmail Queue Runner will pick it up and deliver to your exchange server. For sendmail, make sure you have something in /etc/mail/mailertable described like this: esmtp:[exchangeserver.domain.com] such that if you receive mail for "mydomain.com" and exchange server is exchange.mydomain.com, the line reads: mydomain.com esmtp:[exchange.mydomain.com] This line says for email destined for mydomain.com, send via ESMTP to server in brackets (brackets prevent DNS lookups on MX records) then in /etc/mail/ type 'make mailertable.db' this creates a file usable by the sendmail queue runner. Stop sendmail and MailScanner service MailScanner stop service sendmail stop disable sendmail in /etc/init.d chkconfig --level 2345 sendmail off enable MailScanner chkconfig --level 2345 MailScanner on start your MailScanner service service MailScanner start By doing ps -auxw |grep -i mail, you should see a "sendmail: accepting connections" line, a "sendmail: Queue Runner" line, and several /usr/bin/perl.... MailScanner lines (it make take several seconds before you see multiple MailScanner processes startup") This all, of course, is assuming your MailScanner config is good with SpamAssassin installed etc. -rob -----Original Message----- From: Billy Pumphrey [mailto:bpumphrey@WOODMACLAW.COM] Sent: Monday, December 22, 2003 4:16 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: I'm trying to get MailScanner to work Hello Everyone, I have tried plenty o things including reading all that I could find without going insaine :). Pleae help, here are the details. Situation wanted: To have the MailScanner machine sit in front of the exchange machine to do the spam filtering and then relay it to the exchange server. 
(typical setup) My knowledge leve: Good at windows, not so good at Linux. There is a machine currently setup to do that but I screwed it up some how. The mail will go through the MailScanner machine and pass it to the Exchange server but will not process any spam rules, and send mail won't start unless I tell it to manuall. Anyway, new machine, new install of Red Hat 9 GUI with sendmail and spamassassin off the cd's. - I downloaded MailScanner 4.25.14 - I tried these instructions: http://www.sng.ecs.soton.ac.uk/mailscanner/install/linux.shtml http://www.sng.ecs.soton.ac.uk/mailscanner/install/other.shtml http://www.sng.ecs.soton.ac.uk/mailscanner/faq.shtml http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/1.html and FAQ's and such. I'm sure that I have just missed something some where and hopefully someone can point it out to me. I don't even know how to go about testing to see if the first step was done right. Here are some conflicts or differences that I have seen or made me confused on: - does the ./install.sh make the mqueue.in folder? My experience it didn't and I tried making it manually via somewhere in the instructions above. - I'm still a little confused on the path of the mail. Is it mqueue, mqueue.in then spamassassin and so on? Please any help on this is greatly appreciated on where to start and go. From ejb at QL.ORG Tue Dec 23 00:15:23 2003 From: ejb at QL.ORG (Jay Berkenbilt) Date: Thu Jan 12 21:21:38 2006 Subject: HTML msg quarantined is warning mail instead of content In-Reply-To: <200312230000.hBN00GuJ030965@through.ads.apexinc.com> (LISTSERV@JISCMAIL.AC.UK) References: <200312230000.hBN00GuJ030965@through.ads.apexinc.com> Message-ID: <200312230015.hBN0FNJQ024482@soup.ads.apexinc.com> > one of our users just requested the HTML contents of a mail that was > filtered by MailScanner (4.25-11). 
Anyway, the file in the quarantine > directory is not the content of the mail, but rather the mail that was sent > out instead - the original content is lost. I have checked other HTML files > that MailScanner removed from incoming mails - it seems like about half of > all the files are the original content, whereas the other half is the > warning mails instead. > Has anybody else noticed this yet? I noticed this behavior starting with the 4.23-11. (I have not yet upgraded past that.) There should be something on the list archives about that from near the release date of 4.23-11. At the time, some other people had noticed this as well, but others couldn't reproduce it. I had posted relevant portions of my configuration files but never heard anything after that. (I subscribe to the digest, so I could easily have missed a followup -- no accusations intended.) In any case, my workaround is to set "Quarantine Whole Message = yes" in MailScanner.conf since that functionality still appears to be working correctly. -- Jay Berkenbilt http://www.ql.org/q/ From ejb at QL.ORG Tue Dec 23 00:17:01 2003 From: ejb at QL.ORG (Jay Berkenbilt) Date: Thu Jan 12 21:21:38 2006 Subject: HTML msg quarantined is warning mail instead of content In-Reply-To: <200312230000.hBN00GuJ030965@through.ads.apexinc.com> (LISTSERV@JISCMAIL.AC.UK) References: <200312230000.hBN00GuJ030965@through.ads.apexinc.com> Message-ID: <200312230017.hBN0H1FI024507@soup.ads.apexinc.com> sorry -- resent reply with additional information.... ------ > one of our users just requested the HTML contents of a mail that was > filtered by MailScanner (4.25-11). Anyway, the file in the quarantine > directory is not the content of the mail, but rather the mail that was sent > out instead - the original content is lost. I have checked other HTML files > that MailScanner removed from incoming mails - it seems like about half of > all the files are the original content, whereas the other half is the > warning mails instead. 
> Has anybody else noticed this yet?

I noticed this behavior starting with the 4.23-11. (I have not yet upgraded past that.) There should be something on the list archives about that from near the release date of 4.23-11. At the time, some other people had noticed this as well, but others couldn't reproduce it. I had posted relevant portions of my configuration files but never heard anything after that. (I subscribe to the digest, so I could easily have missed a followup -- no accusations intended.)

In any case, my workaround is to set "Quarantine Whole Message = yes" and "Quarantine Whole Messages As Queue Files = yes" in MailScanner.conf since that functionality still appears to be working correctly.

--
Jay Berkenbilt
http://www.ql.org/q/

From garry at GLENDOWN.DE Tue Dec 23 04:41:43 2003
From: garry at GLENDOWN.DE (Garry Glendown)
Date: Thu Jan 12 21:21:38 2006
Subject: HTML msg quarantined is warning mail instead of content
In-Reply-To: <200312230017.hBN0H1FI024507@soup.ads.apexinc.com>
References: <200312230000.hBN00GuJ030965@through.ads.apexinc.com> <200312230017.hBN0H1FI024507@soup.ads.apexinc.com>
Message-ID: <3FE7C787.3040108@glendown.de>

> In any case, my workaround is to set "Quarantine Whole Message = yes"
> and "Quarantine Whole Messages As Queue Files = yes" in
> MailScanner.conf since that functionality still appears to be working
> correctly.

OK, changed that ... only problem is, regular users will then have fun when they d/l quarantined attachments, as they are not as easy to use ... so unless this is fixed in mailscanner, I reckon I will have to either code something (I did a small PHP script for users to download their quarantine files), or put some instructions up on how to handle the message files ...

Tnx anyway!
-garry

From jones at ODENSE.KOLLEGIENET.DK Tue Dec 23 08:19:24 2003
From: jones at ODENSE.KOLLEGIENET.DK (Jonas Bardino)
Date: Thu Jan 12 21:21:38 2006
Subject: I'm trying to get MailScanner to work
In-Reply-To: 
References: 
Message-ID: <20031223081924.GB20478@bardino.dk>

* Billy A. Pumphrey [Dec 22. 2003 23:06]:
> That information helped me know what's going on a little better but It
> didn't help the machine work.
> Here are the results:
>
>
> Thank You
> Billy Pumphrey
>
> -----Original Message-----
> ------------------------------------------------------------------
> I did so and noticed that these line might not be right:
> Root 29460 1.0 0.0 0 0 0 ? Z
> 16:58 0:00[MailScanner ]
> And a lot of these:
> Root 19460 0.1 0.0 0 0 0 ? Z
> 16:58 0:0 [MailScanner ] which I guess is about the same of the
> above.

I haven't paid much attention to this thread, so please bear with me if somebody already suggested this: The above "defunct" process may indicate an error in your MailScanner setup. Setting "Debug = yes" in MailScanner.conf and restarting MailScanner might give you some hints if that is the case.

> This all, of course, is assuming your MailScanner config is good
> with SpamAssassin installed etc.
>
> Thank You
> Billy Pumphrey

Regards, Jonas

From mailscanner at ecs.soton.ac.uk Tue Dec 23 09:03:22 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:38 2006
Subject: HTML msg quarantined is warning mail instead of content
In-Reply-To: <3FE7C787.3040108@glendown.de>
References: <200312230000.hBN00GuJ030965@through.ads.apexinc.com> <200312230017.hBN0H1FI024507@soup.ads.apexinc.com> <3FE7C787.3040108@glendown.de>
Message-ID: <6.0.1.1.2.20031223090246.03a1cb90@imap.ecs.soton.ac.uk>

What MTA and version?
What OS and version?
When did it stop working?
Exactly what parameters make it work, and what doesn't work?
At 04:41 23/12/2003, you wrote: >>In any case, my workaround is to set "Quarantine Whole Message = yes" >>and "Quarantine Whole Messages As Queue Files = yes" in >>MailScanner.conf since that functionality still appears to be working >>correctly. > >OK, changed that ... only problem is, regular users will then have fun >when they d/l quarantined attachments, as they are not as easy to use >... so unless this is fixed in mailscanner, I recon I will have to >either code something (I did a small PHP script for users to download >their quarantine files), or put some instructions up on how to handle >the message files ... > >Tnx anyway! > >-garry -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From garry at GLENDOWN.DE Tue Dec 23 09:43:56 2003 From: garry at GLENDOWN.DE (Garry Glendown) Date: Thu Jan 12 21:21:38 2006 Subject: HTML msg quarantined is warning mail instead of content In-Reply-To: <3FE7C787.3040108@glendown.de> References: <200312230000.hBN00GuJ030965@through.ads.apexinc.com> <200312230017.hBN0H1FI024507@soup.ads.apexinc.com> <3FE7C787.3040108@glendown.de> Message-ID: <3FE80E5C.2010902@glendown.de> Garry Glendown wrote: >> In any case, my workaround is to set "Quarantine Whole Message = yes" >> and "Quarantine Whole Messages As Queue Files = yes" in >> MailScanner.conf since that functionality still appears to be working >> correctly. > > > OK, changed that ... only problem is, regular users will then have fun > when they d/l quarantined attachments, as they are not as easy to use > ... so unless this is fixed in mailscanner, I recon I will have to > either code something (I did a small PHP script for users to download > their quarantine files), or put some instructions up on how to handle > the message files ... OK, changed that ... 
only problem is, regular users will then have fun when they d/l quarantined attachments, as they are not as easy to use ... so unless this is fixed in mailscanner, I recon I will have to either code something (I did a small PHP script for users to download their quarantine files), or put some instructions up on how to handle the message files ... Tnx anyway! -garry From garry at GLENDOWN.DE Tue Dec 23 09:44:30 2003 From: garry at GLENDOWN.DE (Garry Glendown) Date: Thu Jan 12 21:21:38 2006 Subject: HTML msg quarantined is warning mail instead of content In-Reply-To: <3FE7C787.3040108@glendown.de> References: <200312230000.hBN00GuJ030965@through.ads.apexinc.com> <200312230017.hBN0H1FI024507@soup.ads.apexinc.com> <3FE7C787.3040108@glendown.de> Message-ID: <3FE80E7E.9020403@glendown.de> (Sorry for the wrong repost) > when they d/l quarantined attachments, as they are not as easy to use > ... so unless this is fixed in mailscanner, I recon I will have to > either code something (I did a small PHP script for users to download > their quarantine files), or put some instructions up on how to handle > the message files ... Just noticed on some files that the quarantined parts are - apart from the header and original body - quarantined as simple files, too, so no real problem for the customers there, just some extra storage space ... -garry From garry at GLENDOWN.DE Tue Dec 23 09:44:47 2003 From: garry at GLENDOWN.DE (Garry Glendown) Date: Thu Jan 12 21:21:38 2006 Subject: HTML msg quarantined is warning mail instead of content In-Reply-To: <6.0.1.1.2.20031223090246.03a1cb90@imap.ecs.soton.ac.uk> References: <200312230000.hBN00GuJ030965@through.ads.apexinc.com> <200312230017.hBN0H1FI024507@soup.ads.apexinc.com> <3FE7C787.3040108@glendown.de> <6.0.1.1.2.20031223090246.03a1cb90@imap.ecs.soton.ac.uk> Message-ID: <3FE80E8F.9010903@glendown.de> Julian Field wrote: > What MTA and version? sendmail 8.12.10 > What OS and version? Linux 2.4.21 / SuSE 9.0 > When did it stop working? 
Can't say - one of our customers just notified me as he was trying to download a quarantined HTML contents ...

> Exactly what parameters make it work, and what doesn't work?

As mentioned in the original posting, some HTML contents is quarantined correctly, for other, MailScanner stores the message the user receives as the quarantine file ... have not had the time to do some tests ...

-garry

From kfliong at WOFS.COM Tue Dec 23 10:50:09 2003
From: kfliong at WOFS.COM (kfliong)
Date: Thu Jan 12 21:21:38 2006
Subject: Mailscanner problem after ensim upgrade pls help!!!
In-Reply-To: 
References: 
Message-ID: <6.0.0.22.0.20031223184746.03af0f40@192.168.10.2>

Hi all,

I just upgraded my ensim package to 3.5.20-23. Perl is now 5.6.1. But when I try to start MailScanner I get this error :

Starting MailScanner daemons:
 incoming sendmail: [ OK ]
 outgoing sendmail: [ OK ]
 MailScanner: Can't locate MIME/Parser.pm in @INC (@INC contains: /usr/lib/MailScanner /usr/lib/perl5/5.6.1/i386-linux /usr/lib/perl5/5.6.1 /usr/lib/perl5/site_perl/5.6.1/i386-linux /usr/lib/perl5/site_perl/5.6.1 /usr/lib/perl5/site_perl/5.6.0/i386-linux /usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.6.1/i386-linux /usr/lib/perl5/vendor_perl/5.6.1 /usr/lib/perl5/vendor_perl . /usr/lib/MailScanner) at /usr/lib/MailScanner/MailScanner/Message.pm line 40.
BEGIN failed--compilation aborted at /usr/lib/MailScanner/MailScanner/Message.pm line 40.
Compilation failed in require at /usr/sbin/MailScanner line 48.
BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 48.
 [ OK ]

Even though it says OK there, MailScanner is not started. Please help!!!

Do I need to re-install MailScanner? If yes, then do I need to uninstall the previous MailScanner and MailWatch?

Thanks in advance.
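The startup output in the post above ends in [ OK ] although Perl aborted while compiling MailScanner, so the scanner was not running. As an added example (not part of the thread and not MailScanner's own code), this Python script parses a "Can't locate ... in @INC" error, lists the directories Perl searched, and checks which of them hold the module file; the function names are hypothetical and the sample text is constructed from the post.

```python
import os
import re

# Constructed sample: the startup output quoted in the post above, wrapped
# the way a terminal or mail client would wrap the long error line.
SAMPLE_OUTPUT = """\
Starting MailScanner daemons:
         incoming sendmail: [ OK ]
         outgoing sendmail: [ OK ]
         MailScanner: Can't locate MIME/Parser.pm in @INC (@INC
contains: /usr/lib/MailScanner /usr/lib/perl5/5.6.1/i386-linux
/usr/lib/perl5/5.6.1 /usr/lib/perl5/site_perl/5.6.1/i386-linux
/usr/lib/perl5/site_perl/5.6.1 /usr/lib/perl5/site_perl/5.6.0/i386-linux
/usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl
/usr/lib/perl5/vendor_perl/5.6.1/i386-linux
/usr/lib/perl5/vendor_perl/5.6.1 /usr/lib/perl5/vendor_perl .
/usr/lib/MailScanner) at /usr/lib/MailScanner/MailScanner/Message.pm line 40.
BEGIN failed--compilation aborted at
/usr/lib/MailScanner/MailScanner/Message.pm line 40.
Compilation failed in require at /usr/sbin/MailScanner line 48.
BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 48.
                                                           [ OK ]
"""

LOCATE_RE = re.compile(
    r"Can't locate (?P<relpath>\S+\.pm) in @INC "
    r"\(@INC contains: (?P<inc>[^)]*)\) "
    r"at (?P<src>\S+) line (?P<line>\d+)\."
)


def init_status_is_misleading(output):
    """True when the output reports [ OK ] and a Perl compile abort together."""
    return "[ OK ]" in output and "compilation aborted" in output


def parse_missing_modules(output):
    """Return one dict per "Can't locate" error found in the output."""
    # Collapse whitespace so an error wrapped over several lines still matches.
    flat = " ".join(output.split())
    found = []
    for m in LOCATE_RE.finditer(flat):
        inc = []
        for d in m.group("inc").split():
            if d not in inc:  # @INC can list the same directory twice
                inc.append(d)
        relpath = m.group("relpath")
        found.append({
            "module": relpath[:-3].replace("/", "::"),
            "relpath": relpath,
            "inc": inc,
            "required_by": m.group("src"),
            "line": int(m.group("line")),
        })
    return found


def find_module(relpath, inc_dirs, root="/"):
    """Return the absolute @INC entries (looked up under root) holding relpath."""
    hits = []
    for d in inc_dirs:
        # Relative entries such as "." depend on the daemon's working
        # directory at start time, which the error does not record.
        if not d.startswith("/"):
            continue
        if os.path.isfile(os.path.join(root, d.lstrip("/"), relpath)):
            hits.append(d)
    return hits


def report(output, root="/"):
    """Summarise each missing module and where, if anywhere, it is installed."""
    lines = []
    for err in parse_missing_modules(output):
        hits = find_module(err["relpath"], err["inc"], root)
        where = ", ".join(hits) if hits else "not present in any @INC directory"
        lines.append("%s (required by %s line %d): %s"
                     % (err["module"], err["required_by"], err["line"], where))
    return lines


if __name__ == "__main__":
    if init_status_is_misleading(SAMPLE_OUTPUT):
        print("init script printed [ OK ] but MailScanner did not compile")
    for line in report(SAMPLE_OUTPUT):
        print(line)
```

The `root` argument lets the same check run against a mounted backup or chroot of the mail host instead of the live filesystem.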
From mailscanner at ecs.soton.ac.uk Tue Dec 23 12:00:32 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:39 2006
Subject: Mailscanner problem after ensim upgrade pls help!!!
In-Reply-To: <6.0.0.22.0.20031223184746.03af0f40@192.168.10.2>
References: <6.0.0.22.0.20031223184746.03af0f40@192.168.10.2>
Message-ID: <6.0.1.1.2.20031223115942.037c2218@imap.ecs.soton.ac.uk>

Try running MailScanner's install.sh straight over the top of the current installation. Looks like Ensim removed a bunch of modules.

At 10:50 23/12/2003, you wrote:
>Hi all,
>
>I just upgraded my ensim package to 3.5.20-23. Perl is now 5.6.1. But when
>I try to start MailScanner I get this error :
>
>Starting MailScanner daemons:
> incoming sendmail: [ OK ]
> outgoing sendmail: [ OK ]
> MailScanner: Can't locate MIME/Parser.pm in @INC (@INC
>contains: /usr/lib/MailScanner /usr/lib/perl5/5.6.1/i386-linux
>/usr/lib/perl5/5.6.1 /usr/lib/perl5/site_perl/5.6.1/i386-linux
>/usr/lib/perl5/site_perl/5.6.1 /usr/lib/perl5/site_perl/5.6.0/i386-linux
>/usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl
>/usr/lib/perl5/vendor_perl/5.6.1/i386-linux
>/usr/lib/perl5/vendor_perl/5.6.1 /usr/lib/perl5/vendor_perl .
>/usr/lib/MailScanner) at /usr/lib/MailScanner/MailScanner/Message.pm line 40.
>BEGIN failed--compilation aborted at
>/usr/lib/MailScanner/MailScanner/Message.pm line 40.
>Compilation failed in require at /usr/sbin/MailScanner line 48.
>BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 48.
> [ OK ]
>
>Even though it says OK there, MailScanner is not started. Please help!!!
>
>Do I need to re-install MailScanner? If yes, then do I need to uninstall
>the previous MailScanner and MailWatch?
>
>Thanks in advance.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From bpumphrey at WOODMACLAW.COM Tue Dec 23 13:37:29 2003
From: bpumphrey at WOODMACLAW.COM (Billy A.
Pumphrey)
Date: Thu Jan 12 21:21:39 2006
Subject: I'm trying to get MailScanner to work
Message-ID: 

I have done some more with the help of people. Here is what more I have done.

- Initially I edited the sendmail startup script in etc/init.d to meet to as close as the following:
You should change this to the following two lines:
sendmail -bd -OPrivacyOptions=noetrn -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in
sendmail -q15m
I went and took that out and put it back to the original file. Was that the right thing to do?

- I also notice, finally I guess, that I used the tar instructions first with the tar then when I switched to the rpm and the rpm instructions it quite confused me and maybe there is something still wrong left over from the tar instructions.

- I tried these also:
chkconfig sendmail off
chkconfig MailScanner on
service sendmail stop
service MailScanner restart

- Here is more specifically how I am testing the machine.
1. I change the router to deliver port 25 to the new machine ip address
2. I send some mail from outside the network, from yahoo for instance
3. I then refresh a bunch of times on my outlook(inside the network)
4. I don't get the mail
5. I see that this test should work because as soon as I switch the router to forward the port 25 to the old machine I get the mail immediately after sending it from yahoo.
6. So basically I don't know where it is stopping or not getting to.

Thank You
Billy Pumphrey

-----Original Message-----
From: Billy A. Pumphrey
Sent: Monday, December 22, 2003 5:06 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: I'm trying to get MailScanner to work

That information helped me know what's going on a little better but It didn't help the machine work.
Here are the results:

Thank You
Billy Pumphrey

-----Original Message-----

mydomain.com esmtp:[exchange.mydomain.com]
------------------------------------------------------
I put woodendc.woodmaclaw.com esmtp:[woodmaclaw.com]
I did have
.woodmaclaw.com relay:[10.1.1.2]
woodmaclaw.com relay:[10.1.1.2]
.woodmclaw.com relay:[10.1.1.2]
woodmclaw.com relay:[10.1.1.2]
-----------------------------------------------

-----------I did so:--------
then in /etc/mail/ type 'make mailertable.db'
this creates a file usable by the sendmail queue runner.

Stop sendmail and MailScanner
service MailScanner stop
service sendmail stop
------------ I got = Shutting down sm-client [FAILED] ----------------

disable sendmail in /etc/init.d
chkconfig --level 2345 sendmail off

enable MailScanner
chkconfig --level 2345 MailScanner on

start your MailScanner service
service MailScanner start

By doing ps -auxw |grep -i mail, you should see a "sendmail: accepting connections" line, a "sendmail: Queue Runner" line, and several /usr/bin/perl.... MailScanner lines (it may take several seconds before you see multiple MailScanner processes startup)
------------------------------------------------------------------
I did so and noticed that these line might not be right:
Root 29460 1.0 0.0 0 0 0 ? Z 16:58 0:00[MailScanner ]
And a lot of these:
Root 19460 0.1 0.0 0 0 0 ? Z 16:58 0:0 [MailScanner ]
which I guess is about the same of the above.

This all, of course, is assuming your MailScanner config is good with SpamAssassin installed etc.

Thank You
Billy Pumphrey

-----Original Message-----
From: Kearney, Rob [mailto:RKearney@AZERTY.COM]
Sent: Monday, December 22, 2003 4:49 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: I'm trying to get MailScanner to work

1. You don't want sendmail to start in addition to what mailscanner does.

MailScanner will start a sendmail SMTP daemon process, and also a queue runner for outbound mail (destined for your exchange server).
Mail is delivered from externally to the /var/spool/mqueue.in directory. MailScanner will "Pick up that mail" and link it to /var/spool/MailScanner/incoming/ when all is said and done, MailScanner will drop it off into /var/spool/mqueue This is where the sendmail Queue Runner will pick it up and deliver to your exchange server. For sendmail, make sure you have something in /etc/mail/mailertable described like this: esmtp:[exchangeserver.domain.com] such that if you receive mail for "mydomain.com" and exchange server is exchange.mydomain.com, the line reads: mydomain.com esmtp:[exchange.mydomain.com] This line says for email destined for mydomain.com, send via ESMTP to server in brackets (brackets prevent DNS lookups on MX records) then in /etc/mail/ type 'make mailertable.db' this creates a file usable by the sendmail queue runner. Stop sendmail and MailScanner service MailScanner stop service sendmail stop disable sendmail in /etc/init.d chkconfig --level 2345 sendmail off enable MailScanner chkconfig --level 2345 MailScanner on start your MailScanner service service MailScanner start By doing ps -auxw |grep -i mail, you should see a "sendmail: accepting connections" line, a "sendmail: Queue Runner" line, and several /usr/bin/perl.... MailScanner lines (it make take several seconds before you see multiple MailScanner processes startup") This all, of course, is assuming your MailScanner config is good with SpamAssassin installed etc. -rob -----Original Message----- From: Billy Pumphrey [mailto:bpumphrey@WOODMACLAW.COM] Sent: Monday, December 22, 2003 4:16 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: I'm trying to get MailScanner to work Hello Everyone, I have tried plenty o things including reading all that I could find without going insaine :). Pleae help, here are the details. Situation wanted: To have the MailScanner machine sit in front of the exchange machine to do the spam filtering and then relay it to the exchange server. 
(typical setup) My knowledge leve: Good at windows, not so good at Linux. There is a machine currently setup to do that but I screwed it up some how. The mail will go through the MailScanner machine and pass it to the Exchange server but will not process any spam rules, and send mail won't start unless I tell it to manuall. Anyway, new machine, new install of Red Hat 9 GUI with sendmail and spamassassin off the cd's. - I downloaded MailScanner 4.25.14 - I tried these instructions: http://www.sng.ecs.soton.ac.uk/mailscanner/install/linux.shtml http://www.sng.ecs.soton.ac.uk/mailscanner/install/other.shtml http://www.sng.ecs.soton.ac.uk/mailscanner/faq.shtml http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/1.html and FAQ's and such. I'm sure that I have just missed something some where and hopefully someone can point it out to me. I don't even know how to go about testing to see if the first step was done right. Here are some conflicts or differences that I have seen or made me confused on: - does the ./install.sh make the mqueue.in folder? My experience it didn't and I tried making it manually via somewhere in the instructions above. - I'm still a little confused on the path of the mail. Is it mqueue, mqueue.in then spamassassin and so on? Please any help on this is greatly appreciated on where to start and go. From p.vanbrouwershaven at NETWORKING4ALL.COM Tue Dec 23 14:22:38 2003 From: p.vanbrouwershaven at NETWORKING4ALL.COM (Paul van Brouwershaven) Date: Thu Jan 12 21:21:39 2006 Subject: Return-Path: <> In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF02A606FE@inex1.herffjones.hj-int> References: <8FFC76593085ED4A80D3601BC41EFCDF02A606FE@inex1.herffjones.hj-int> Message-ID: <3FE84FAE.2060403@networking4all.com> All messages now returning to postmaster (@servername.com) But I want they go to noreply@servername.com so I can configure an alias to /dev/null for this address. In previous versions I had the same problem, Julian has fixed that in a new version. 
But now I have the same problem again.

Furnish, Trever G wrote:
> The empty return path is intentional and appropriate. Bounce messages are
> things for which a "return" - a response from the person receiving the
> bounce - would be inappropriate, since they would be responding to a daemon.
>
>
>>-----Original Message-----
>>From: Paul van Brouwershaven
>>[mailto:p.vanbrouwershaven@NETWORKING4ALL.COM]
>>Sent: Thursday, December 18, 2003 2:14 AM
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: Return-Path: <>
>>
>>
>>Is there a way to set the Return-Path, in all the bounced
>>messages that
>>MailScanner send the Return-Path is set like this:
>>
>>Return-Path: <>
>>
>>Thanks,
>>
>>Paul
>>
>
>

--
Kind regards,

Paul van Brouwershaven
Networking4all B.V.
____________________________________________
Phone: (31) 164 262295
Fax: (31) 164 262983
Email: p.vanbrouwershaven@networking4all.com
Internet: http://www.networking4all.com
---
OFFER: .be domain name now for only € 9,95, see our website for more information http://www.networking4all.com
---

From RKearney at AZERTY.COM Tue Dec 23 14:57:19 2003
From: RKearney at AZERTY.COM (Kearney, Rob)
Date: Thu Jan 12 21:21:39 2006
Subject: I'm trying to get MailScanner to work
Message-ID: <210DF55DED65B547896F728FB057F3B2019C4AA8@seaver.ussco.com>

You probably do have a configuration error. Try setting Debug = Yes in MailScanner.conf, and restart MailScanner, then send a message to a mailbox, and see what this states. (Jonas already stated this). Setting Debug = Yes will process only 1 message then exit, but will print a lot of debugging messages.

>- Initially I edited the sendmail startup script in etc/init.d to meet
>to as close as the following:
>You should change this to the following two lines:
> sendmail -bd -OPrivacyOptions=noetrn -ODeliveryMode=queueonly
>-OQueueDirectory=/var/spool/mqueue.in
> sendmail -q15m

That might work, but I'd use the MailScanner init script provided.
-rob

From mailscanner at LISTS.COM.AR Tue Dec 23 15:53:00 2003 From: mailscanner at LISTS.COM.AR (Mariano Absatz) Date: Thu Jan 12 21:21:39 2006 Subject: ldap configuration & rulesets Message-ID: <3FE83AAC.31534.5CC9DE18@localhost> Hi Julian, I see that MS 4.25 does support LDAP for configuration and rulesets. I see there are no docs and just browsed a bit in Config.pm, and I have a couple of questions: 1) Are rulesets and configurations settings evaluated only on startup & reload?... it'd be nice to be able to evaluate at least rulesets in a more real-time fashion... 2) Could you provide the ldap schema (attributes and objectclasses) you use for this?
(openldap 2.x syntax would be really nice).

TIA.

--
Mariano Absatz
El Baby
----------------------------------------------------------
I must confess, I was born at a very early age.
-- Groucho Marx

From mkettler at EVI-INC.COM Tue Dec 23 16:41:24 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:21:39 2006
Subject: Return-Path: <>
In-Reply-To: <3FE84FAE.2060403@networking4all.com>
References: <8FFC76593085ED4A80D3601BC41EFCDF02A606FE@inex1.herffjones.hj-int> <3FE84FAE.2060403@networking4all.com>
Message-ID: <6.0.0.22.0.20031223112924.02466730@xanadu.evi-inc.com>

At 09:22 AM 12/23/2003, Paul van Brouwershaven wrote:
>All messages now returning to postmaster (@servername.com)
>
>But I want they go to noreply@servername.com so I can configure an alias
>to /dev/null for this address.

And that would be an extraordinarily BAD idea AND an RFC violation... there's a reason for the empty return path. DSN's MUST have such a return path, and it's done for a VERY good reason (ie: preventing triple, quadruple and infinite bounces)...

From RFC 1123 section 5.3.3:

 If there is a delivery failure after acceptance of a message, the receiver-SMTP MUST formulate and mail a notification message. This notification MUST be sent using a null ("<>") reverse path in the envelope; see Section 3.6 of RFC-821.

If the double bounces bother you, perhaps you should more carefully consider why you're using bounce in the first place.

If it doesn't dawn on you.. consider using procmail or something similar to /dev/null any messages that postmaster gets that are double-bounces of MailScanner messages...

From dnsadmin at 1BIGTHINK.COM Tue Dec 23 16:57:28 2003
From: dnsadmin at 1BIGTHINK.COM (DNSAdmin)
Date: Thu Jan 12 21:21:39 2006
Subject: I'm trying to get MailScanner to work
In-Reply-To: 
Message-ID: <5.2.1.1.0.20031223115443.04e1ee60@mail.1bigthink.com>

At 08:37 AM 12/23/2003 -0500, you wrote:
>I have done some more with the help of people. Here is what more I have
>done.
Hi Bill, You did have issues, initially, with the mqueue and mqueue.in folders. Did those get resolved? Do you see any complaints in your logs about them? Do your mqueue* folders jive with the MailScanner.conf file? How about potential permissions on the folders; especially if you had to create them yourself? Cheers! From stahl at soest.hawaii.edu Tue Dec 23 18:52:53 2003 From: stahl at soest.hawaii.edu (No Name) Date: Thu Jan 12 21:21:39 2006 Subject: new MIME-toolsnew MIME-tools Message-ID: <200312231852.hBNIqrPR005861@leka.soest.hawaii.edu> I was wondering if anyone has installed MailScanner using the new PERL MIME-tools-6.200_02 In the install notes it says " I used version 5.411 and I advise against any of the newer versions" ..and I just wanted to make sure that was still the case. There is no date on the notes so wasn't sure that still applies to the latest MIME-tools. Thanks for any info I get and Mele Kalikimaka! Aloha, Sharon Stahl *=============================================================* | UH/SOEST-Research Computer Fac vox: (808) 956-2616 | | 1680 East West Rd- POST820 email: stahl@soest.hawaii.edu | | Honolulu, Hi 96822 fax: (808) 956-5154 | *=============================================================* From bpumphrey at WOODMACLAW.COM Tue Dec 23 19:16:34 2003 From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey) Date: Thu Jan 12 21:21:39 2006 Subject: I'm trying to get MailScanner to work Message-ID: I got the issues with the mqueue resolved I believe, however I just started over. I have a fresh install of red hat 9 gui now with send mail. I also did not install spamassassin off of the cd this time. Now I get this when I try to run ./install.sh "Your /usr/src/redhat, /usr/src/RPM or /usr/src/packages tree is missing. If you have access to an RPM called rpm-build install it first and come back and try again." I have got this message on one of my installs and never got it resolved. 
Does anyone know how to get around this so I don't go poking around again and screwing up my fresh install?

Thank You
Billy Pumphrey

-----Original Message-----
From: DNSAdmin [mailto:dnsadmin@1BIGTHINK.COM]
Sent: Tuesday, December 23, 2003 11:57 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: I'm trying to get MailScanner to work

At 08:37 AM 12/23/2003 -0500, you wrote:
>I have done some more with the help of people. Here is what more I have
>done.

Hi Bill,

You did have issues, initially, with the mqueue and mqueue.in folders. Did those get resolved? Do you see any complaints in your logs about them? Do your mqueue* folders jive with the MailScanner.conf file? How about potential permissions on the folders; especially if you had to create them yourself?

Cheers!

From RKearney at AZERTY.COM Tue Dec 23 19:28:23 2003
From: RKearney at AZERTY.COM (Kearney, Rob)
Date: Thu Jan 12 21:21:39 2006
Subject: I'm trying to get MailScanner to work
Message-ID: <210DF55DED65B547896F728FB057F3B2019C4AAC@seaver.ussco.com>

I think we had the same issue one time or another.. as I believe as stated on rpm.org: you can just do:

    mkdir -p /usr/src/redhat/BUILD
    mkdir -p /usr/src/redhat/RPMS
    mkdir -p /usr/src/redhat/SOURCES
    mkdir -p /usr/src/redhat/SPECS
    mkdir -p /usr/src/redhat/SRPMS

then redo the MailScanner rpm,

However, I would recommend using just the tar, (They are both the same thing, and tar is less confusing).

-rob

-----Original Message-----
From: Billy A. Pumphrey [mailto:bpumphrey@WOODMACLAW.COM]
Sent: Tuesday, December 23, 2003 2:17 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: I'm trying to get MailScanner to work

I got the issues with the mqueue resolved I believe, however I just started over.

I have a fresh install of red hat 9 gui now with send mail. I also did not install spamassassin off of the cd this time.

Now I get this when I try to run ./install.sh

"Your /usr/src/redhat, /usr/src/RPM or /usr/src/packages tree is missing.
If you have access to an RPM called rpm-build install it first and come back and try again." I have got this message on one of my installs and never got it resolved. Does anyone know how to get around this so I don't go pocking around again and screwing up my fresh install? Thank You Billy Pumphrey -----Original Message----- From: DNSAdmin [mailto:dnsadmin@1BIGTHINK.COM] Sent: Tuesday, December 23, 2003 11:57 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: I'm trying to get MailScanner to work At 08:37 AM 12/23/2003 -0500, you wrote: >I have done some more with the help of people. Here is what more I have >done. Hi Bill, You did have issues, initially, with the mqueue and mqueue.in folders. Did those get resolved? Do you see any complaints in your logs about them? Do your mqueue* folders jive with the MailScanner.conf file? How about potential permissions on the folders; especially if you had to create them yourself? Cheers! From mailscanner at ecs.soton.ac.uk Tue Dec 23 19:41:53 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:39 2006 Subject: new MIME-toolsnew MIME-tools In-Reply-To: <200312231852.hBNIqrPR005861@leka.soest.hawaii.edu> References: <200312231852.hBNIqrPR005861@leka.soest.hawaii.edu> Message-ID: <6.0.1.1.2.20031223194122.04280e68@imap.ecs.soton.ac.uk> I haven't tested anything more recent than 5.411. Progress to 6.200 at your own peril. At 18:52 23/12/2003, you wrote: >I was wondering if anyone has installed MailScanner using the >new PERL MIME-tools-6.200_02 > >In the install notes it says > " I used version 5.411 and I advise against any of the newer versions" > >..and I just wanted to make sure that was still the case. There is >no date on the notes so wasn't sure that still applies to the latest >MIME-tools. > >Thanks for any info I get and Mele Kalikimaka! 
> >Aloha, Sharon Stahl > >*=============================================================* >| UH/SOEST-Research Computer Fac vox: (808) 956-2616 | >| 1680 East West Rd- POST820 email: stahl@soest.hawaii.edu | >| Honolulu, Hi 96822 fax: (808) 956-5154 | >*=============================================================* -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Dec 23 19:43:54 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:39 2006 Subject: I'm trying to get MailScanner to work In-Reply-To: References: Message-ID: <6.0.1.1.2.20031223194307.042dbd18@imap.ecs.soton.ac.uk> I think there's an RPM called "rpm-build" or something like that. Install that for starters. You should have installed the development tools when you installed RH9. At 19:16 23/12/2003, you wrote: >I got the issues with the mqueue resolved I believe, however I just >started over. > >I have a fresh install of red hat 9 gui now with send mail. I also did >not install spamassassin off of the cd this time. > >Now I get this when I try to run ./install.sh > >"Your /usr/src/redhat, /usr/src/RPM or /usr/src/packages tree is >missing. If you have access to an RPM called rpm-build install it first >and come back and try again." > >I have got this message on one of my installs and never got it resolved. >Does anyone know how to get around this so I don't go pocking around >again and screwing up my fresh install? > > > >Thank You >Billy Pumphrey > >-----Original Message----- >From: DNSAdmin [mailto:dnsadmin@1BIGTHINK.COM] >Sent: Tuesday, December 23, 2003 11:57 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: I'm trying to get MailScanner to work > >At 08:37 AM 12/23/2003 -0500, you wrote: > >I have done some more with the help of people. Here is what more I >have > >done. 
> >Hi Bill, > >You did have issues, initially, with the mqueue and mqueue.in folders. >Did >those get resolved? Do you see any complaints in your logs about them? >Do >your mqueue* folders jive with the MailScanner.conf file? How about >potential permissions on the folders; especially if you had to create >them >yourself? > >Cheers! -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From bpumphrey at WOODMACLAW.COM Tue Dec 23 20:07:57 2003 From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey) Date: Thu Jan 12 21:21:39 2006 Subject: I'm trying to get MailScanner to work Message-ID: Doing that got me past that error, then I got that I need binutils glibc-devel gcc make Which as Julian said I needed to install the development tools. Thanks This is great thanks for everyone's help, I really appreciate it. Its installing the install.sh right now Thank You Billy Pumphrey -----Original Message----- From: Kearney, Rob [mailto:RKearney@AZERTY.COM] Sent: Tuesday, December 23, 2003 2:28 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: I'm trying to get MailScanner to work I think we had the same issue one time or another.. as I believe as stated on rpm.org: you can just do: mkdir -p /usr/src/redhat/BUILD mkdir -p /usr/src/redhat/RPMS mkdir -p /usr/src/redhat/SOURCES mkdir -p /usr/src/redhat/SPECS mkdir -p /usr/src/redhat/SRPMS then redo the MailScanner rpm, However, I would recommend using just the tar, (They are both the same thing, and tar is less confusing). -rob -----Original Message----- From: Billy A. Pumphrey [mailto:bpumphrey@WOODMACLAW.COM] Sent: Tuesday, December 23, 2003 2:17 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: I'm trying to get MailScanner to work I got the issues with the mqueue resolved I believe, however I just started over. I have a fresh install of red hat 9 gui now with send mail. 
I also did not install spamassassin off of the cd this time. Now I get this when I try to run ./install.sh "Your /usr/src/redhat, /usr/src/RPM or /usr/src/packages tree is missing. If you have access to an RPM called rpm-build install it first and come back and try again." I have got this message on one of my installs and never got it resolved. Does anyone know how to get around this so I don't go pocking around again and screwing up my fresh install? Thank You Billy Pumphrey -----Original Message----- From: DNSAdmin [mailto:dnsadmin@1BIGTHINK.COM] Sent: Tuesday, December 23, 2003 11:57 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: I'm trying to get MailScanner to work At 08:37 AM 12/23/2003 -0500, you wrote: >I have done some more with the help of people. Here is what more I have >done. Hi Bill, You did have issues, initially, with the mqueue and mqueue.in folders. Did those get resolved? Do you see any complaints in your logs about them? Do your mqueue* folders jive with the MailScanner.conf file? How about potential permissions on the folders; especially if you had to create them yourself? Cheers! From mailscan at PRIS.CA Tue Dec 23 20:50:35 2003 From: mailscan at PRIS.CA (MailScanner Mailbox) Date: Thu Jan 12 21:21:39 2006 Subject: Procmail Recipe In-Reply-To: <3FCE312E.3070307@uptime.at> Message-ID: Hello folks I have mailscanner /w spamassasin happily tagging emails as spam, now I need to deal with them. I am running procmail to have a look at the header, specifically "X-MailScanner-SpamScore: 13" What type of recipe would I use to catch all mail with a score of 5 or better and throw it into a spam folder? Thank you for your help Rick From bpumphrey at WOODMACLAW.COM Tue Dec 23 21:03:09 2003 From: bpumphrey at WOODMACLAW.COM (Billy A. 
Pumphrey) Date: Thu Jan 12 21:21:39 2006 Subject: I'm trying to get MailScanner to work Message-ID: List of stuff so far: I installed red hat 9 gui without spamassassin and with sendmail Installed the development tools Installed mailscanner using ./install.sh I edited the mailertable file with this: woodmaclaw.com esmtp:[10.1.1.2] www.woodmaclaw.com esmtp:[10.1.1.2] Then this: make -C /etc/mail Then made sure that the /etc/mail/relay-domains was empty or did not have woodmaclaw in it. That's it so far and no worky. What do you think? Also it seems that I read that if you don't set virus scan = none if you have none that the email won't get delivered, is that true? Thank You Billy Pumphrey -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Tuesday, December 23, 2003 2:44 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: I'm trying to get MailScanner to work I think there's an RPM called "rpm-build" or something like that. Install that for starters. You should have installed the development tools when you installed RH9. At 19:16 23/12/2003, you wrote: >I got the issues with the mqueue resolved I believe, however I just >started over. > >I have a fresh install of red hat 9 gui now with send mail. I also did >not install spamassassin off of the cd this time. > >Now I get this when I try to run ./install.sh > >"Your /usr/src/redhat, /usr/src/RPM or /usr/src/packages tree is >missing. If you have access to an RPM called rpm-build install it first >and come back and try again." > >I have got this message on one of my installs and never got it resolved. >Does anyone know how to get around this so I don't go pocking around >again and screwing up my fresh install? 
> > > >Thank You >Billy Pumphrey > >-----Original Message----- >From: DNSAdmin [mailto:dnsadmin@1BIGTHINK.COM] >Sent: Tuesday, December 23, 2003 11:57 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: I'm trying to get MailScanner to work > >At 08:37 AM 12/23/2003 -0500, you wrote: > >I have done some more with the help of people. Here is what more I >have > >done. > >Hi Bill, > >You did have issues, initially, with the mqueue and mqueue.in folders. >Did >those get resolved? Do you see any complaints in your logs about them? >Do >your mqueue* folders jive with the MailScanner.conf file? How about >potential permissions on the folders; especially if you had to create >them >yourself? > >Cheers! -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From wppiphoto at wppi.com Tue Dec 23 21:08:12 2003 From: wppiphoto at wppi.com (SW) Date: Thu Jan 12 21:21:39 2006 Subject: RBL timing out {Scanned by WPPi.Net} Message-ID: <000901c3c998$dfd0f050$3a95a644@Toshiba> I'm trying to figure out what ip address and port(s) I need to open up on my firewall to allow the use of ORDB-RBL w/ Mailscanner and spamassassin: MailScanner: RBL Check ORDB-RBL timed out and was killed, consecutive failure 1 of 7 Thanks, SW WPPi.com & WPPi.Net MailScanner Signature This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. ----------------------------------------- From RKearney at AZERTY.COM Tue Dec 23 21:11:48 2003 From: RKearney at AZERTY.COM (Kearney, Rob) Date: Thu Jan 12 21:21:39 2006 Subject: I'm trying to get MailScanner to work Message-ID: <210DF55DED65B547896F728FB057F3B2019C4AB1@seaver.ussco.com> That could be the case... do you still see on MailScanner Processes after doing service MailScanner start? 
you might also again what to try setting Debug = Yes, then restart MailScanner (service MailScanner restart) then run a message through, and watch the output for indications of problems. and if memory serves me correctly, since you didn't install SpamAssassin yet, you should also have "Use SpamAssassin = no". -rob -----Original Message----- From: Billy A. Pumphrey [mailto:bpumphrey@WOODMACLAW.COM] Sent: Tuesday, December 23, 2003 4:03 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: I'm trying to get MailScanner to work List of stuff so far: I installed red hat 9 gui without spamassassin and with sendmail Installed the development tools Installed mailscanner using ./install.sh I edited the mailertable file with this: woodmaclaw.com esmtp:[10.1.1.2] www.woodmaclaw.com esmtp:[10.1.1.2] Then this: make -C /etc/mail Then made sure that the /etc/mail/relay-domains was empty or did not have woodmaclaw in it. That's it so far and no worky. What do you think? Also it seems that I read that if you don't set virus scan = none if you have none that the email won't get delivered, is that true? Thank You Billy Pumphrey -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Tuesday, December 23, 2003 2:44 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: I'm trying to get MailScanner to work I think there's an RPM called "rpm-build" or something like that. Install that for starters. You should have installed the development tools when you installed RH9. At 19:16 23/12/2003, you wrote: >I got the issues with the mqueue resolved I believe, however I just >started over. > >I have a fresh install of red hat 9 gui now with send mail. I also did >not install spamassassin off of the cd this time. > >Now I get this when I try to run ./install.sh > >"Your /usr/src/redhat, /usr/src/RPM or /usr/src/packages tree is >missing. If you have access to an RPM called rpm-build install it first >and come back and try again." 
> >I have got this message on one of my installs and never got it resolved. >Does anyone know how to get around this so I don't go pocking around >again and screwing up my fresh install? > > > >Thank You >Billy Pumphrey > >-----Original Message----- >From: DNSAdmin [mailto:dnsadmin@1BIGTHINK.COM] >Sent: Tuesday, December 23, 2003 11:57 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: I'm trying to get MailScanner to work > >At 08:37 AM 12/23/2003 -0500, you wrote: > >I have done some more with the help of people. Here is what more I >have > >done. > >Hi Bill, > >You did have issues, initially, with the mqueue and mqueue.in folders. >Did >those get resolved? Do you see any complaints in your logs about them? >Do >your mqueue* folders jive with the MailScanner.conf file? How about >potential permissions on the folders; especially if you had to create >them >yourself? > >Cheers! -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mkettler at EVI-INC.COM Tue Dec 23 21:20:10 2003 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:21:39 2006 Subject: RBL timing out In-Reply-To: <000901c3c998$dfd0f050$3a95a644@Toshiba> References: <000901c3c998$dfd0f050$3a95a644@Toshiba> Message-ID: <6.0.0.22.0.20031223161737.01fb4b90@xanadu.evi-inc.com> At 04:08 PM 12/23/2003, SW wrote: >I'm trying to figure out what ip address and port(s) I need to open up on my >firewall to allow the use of ORDB-RBL w/ Mailscanner and spamassassin: > >MailScanner: RBL Check ORDB-RBL timed out and was killed, consecutive >failure 1 of 7 It's a DNS query. You need to be able to do DNS resolution. If your MS/SA machine is it's own resolving server, then it needs to be able to query to arbitrary DNS servers. 
If your MS/SA machine uses another server for resolution it needs to be able to talk to that DNS server, and that DNS server needs to be able to talk to query DNS servers.

You can tell what machine is being used as a resolver by looking at /etc/resolv.conf. A machine that's its own resolver will have "localhost"

From bpumphrey at WOODMACLAW.COM Tue Dec 23 21:20:28 2003
From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey)
Date: Thu Jan 12 21:21:39 2006
Subject: I'm trying to get MailScanner to work
Message-ID:

Also there is in the faq this:
Sendmail doesn't receive mail from the network
Says to do this: netstat -ln | grep 25
And should get this: tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN

And if you get this: 0 127.0.0.1:25 *:* it's wrong

Well I get the 127.0.0.1:25 one. Where is the error at?

Thank You
Billy Pumphrey

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Tuesday, December 23, 2003 2:44 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: I'm trying to get MailScanner to work

I think there's an RPM called "rpm-build" or something like that. Install that for starters. You should have installed the development tools when you installed RH9.

At 19:16 23/12/2003, you wrote:
>I got the issues with the mqueue resolved I believe, however I just
>started over.
>
>I have a fresh install of red hat 9 gui now with send mail. I also did
>not install spamassassin off of the cd this time.
>
>Now I get this when I try to run ./install.sh
>
>"Your /usr/src/redhat, /usr/src/RPM or /usr/src/packages tree is
>missing. If you have access to an RPM called rpm-build install it first
>and come back and try again."
>
>I have got this message on one of my installs and never got it resolved.
>Does anyone know how to get around this so I don't go poking around
>again and screwing up my fresh install?
>
>
>
>Thank You
>Billy Pumphrey
>
>-----Original Message-----
>From: DNSAdmin [mailto:dnsadmin@1BIGTHINK.COM]
>Sent: Tuesday, December 23, 2003 11:57 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: I'm trying to get MailScanner to work
>
>At 08:37 AM 12/23/2003 -0500, you wrote:
> >I have done some more with the help of people. Here is what more I
>have
> >done.
>
>Hi Bill,
>
>You did have issues, initially, with the mqueue and mqueue.in folders.
>Did
>those get resolved? Do you see any complaints in your logs about them?
>Do
>your mqueue* folders jive with the MailScanner.conf file? How about
>potential permissions on the folders; especially if you had to create
>them
>yourself?
>
>Cheers!

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From ugob at CAMO-ROUTE.COM Tue Dec 23 21:25:38 2003
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:39 2006
Subject: I'm trying to get MailScanner to work
Message-ID: <54C38A0B814C8E438EF73FC76F3629273132C5@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Billy A. Pumphrey [mailto:bpumphrey@WOODMACLAW.COM]
> Sent: Tuesday, December 23, 2003 4:20 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: I'm trying to get MailScanner to work
>
>
> Also there is in the faq this:
> Sendmail doesn't receive mail from the network
> Says to do this: netstat -ln | grep 25
> And should get this: tcp 0 0 0.0.0.0:25 0.0.0.0:*
> LISTEN
>
> And if you get this: 0 127.0.0.1:25 *:* it's wrong
>
> Well I get the 127.0.0.1:25 one.

This means your sendmail only listens to localhost, so it won't accept mail from external machines.

> Where is the error at?

sendmail.cf (generated by sendmail.mc)

See that part of sendmail.mc. It must be commented out, otherwise sendmail only listens to localhost.
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl #

>
> Thank You
> Billy Pumphrey
>
> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: Tuesday, December 23, 2003 2:44 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: I'm trying to get MailScanner to work
>
> I think there's an RPM called "rpm-build" or something like that.
> Install
> that for starters. You should have installed the development
> tools when
> you
> installed RH9.
>
> At 19:16 23/12/2003, you wrote:
> >I got the issues with the mqueue resolved I believe, however I just
> >started over.
> >
> >I have a fresh install of red hat 9 gui now with send mail.
> I also did
> >not install spamassassin off of the cd this time.
> >
> >Now I get this when I try to run ./install.sh
> >
> >"Your /usr/src/redhat, /usr/src/RPM or /usr/src/packages tree is
> >missing. If you have access to an RPM called rpm-build install it
> first
> >and come back and try again."
> >
> >I have got this message on one of my installs and never got it
> resolved.
> >Does anyone know how to get around this so I don't go poking around
> >again and screwing up my fresh install?
> >
> >
> >
> >Thank You
> >Billy Pumphrey
> >
> >-----Original Message-----
> >From: DNSAdmin [mailto:dnsadmin@1BIGTHINK.COM]
> >Sent: Tuesday, December 23, 2003 11:57 AM
> >To: MAILSCANNER@JISCMAIL.AC.UK
> >Subject: Re: I'm trying to get MailScanner to work
> >
> >At 08:37 AM 12/23/2003 -0500, you wrote:
> > >I have done some more with the help of people. Here is what more I
> >have
> > >done.
> >
> >Hi Bill,
> >
> >You did have issues, initially, with the mqueue and
> mqueue.in folders.
> >Did
> >those get resolved? Do you see any complaints in your logs
> about them?
> >Do
> >your mqueue* folders jive with the MailScanner.conf file? How about
> >potential permissions on the folders; especially if you had to create
> >them
> >yourself?
> >
> >Cheers!
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

From kodak at FRONTIERHOMEMORTGAGE.COM Tue Dec 23 21:27:55 2003
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki)
Date: Thu Jan 12 21:21:39 2006
Subject: I'm trying to get MailScanner to work
In-Reply-To:
Message-ID: <003801c3c99b$a1356210$0501a8c0@darkside>

> >Well I get the 127.0.0.1:25 one. Where is the error at?

I'm guessing you need to take out (comment out) the

    O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA

line that RedHat likes to put in their default sendmail.cf. It makes sendmail only listen to localhost:25.

HTH,

--J(K)

From RKearney at AZERTY.COM Tue Dec 23 21:39:37 2003
From: RKearney at AZERTY.COM (Kearney, Rob)
Date: Thu Jan 12 21:21:39 2006
Subject: I'm trying to get MailScanner to work
Message-ID: <210DF55DED65B547896F728FB057F3B2019C4AB2@seaver.ussco.com>

oh.. yes, the default sendmail config..

Actually, you're supposed to modify sendmail.mc

make the line look like this in sendmail.mc:

    dnl # DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

and recommended if you have a busy server to increase the max connections on the listen call by adding another line (128 is the linux kernel limit btw):

    DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA, Listen=128')

save sendmail.mc, then do make again. this will modify sendmail.cf for you.

-rob

-----Original Message-----
From: Jason Balicki [mailto:kodak@FRONTIERHOMEMORTGAGE.COM]
Sent: Tuesday, December 23, 2003 4:28 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: I'm trying to get MailScanner to work

> >Well I get the 127.0.0.1:25 one. Where is the error at?
I'm guessing you need to take out (comment out) the

    O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA

line that RedHat likes to put in their default sendmail.cf. It makes sendmail only listen to localhost:25.

HTH,

--J(K)

From wppiphoto at wppi.com Tue Dec 23 21:46:15 2003
From: wppiphoto at wppi.com (SW)
Date: Thu Jan 12 21:21:39 2006
Subject: RBL timing out {Scanned by WPPi.Net}
References: <000901c3c998$dfd0f050$3a95a644@Toshiba> <6.0.0.22.0.20031223161737.01fb4b90@xanadu.evi-inc.com>
Message-ID: <002301c3c99e$30d33670$3a95a644@Toshiba>

Matt,

Our firewall blocks entire IP blocks with no traffic coming-in or going-out. DNS is permitted to go out but only to those IP blocks which are not blocked. The only way I see I can get RBL to work is by inputting an IP address/range for the ORDB-RBL servers that mailscanner/spamassassin contact.

Thanks,

SW

----- Original Message -----
From: "Matt Kettler"
To:
Sent: Tuesday, December 23, 2003 4:20 PM
Subject: Re: RBL timing out {Scanned by WPPi.Net}

At 04:08 PM 12/23/2003, SW wrote:
>I'm trying to figure out what ip address and port(s) I need to open up on my
>firewall to allow the use of ORDB-RBL w/ Mailscanner and spamassassin:
>
>MailScanner: RBL Check ORDB-RBL timed out and was killed, consecutive
>failure 1 of 7

It's a DNS query. You need to be able to do DNS resolution.

If your MS/SA machine is its own resolving server, then it needs to be able to query to arbitrary DNS servers.

If your MS/SA machine uses another server for resolution it needs to be able to talk to that DNS server, and that DNS server needs to be able to talk to query DNS servers.

You can tell what machine is being used as a resolver by looking at /etc/resolv.conf. A machine that's its own resolver will have "localhost"

WPPi.com & WPPi.Net MailScanner Signature
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
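Added example, not part of any message in this archive: the FAQ check discussed in the "I'm trying to get MailScanner to work" thread, netstat -ln | grep 25, also matches unrelated rows such as port 2525, so the first function below matches the port exactly and reports what it is bound to, and the second reports whether sendmail.mc still has the loopback DAEMON_OPTIONS line active. The function names are made up for the example, and the netstat and sendmail.mc samples are constructed.

```shell
#!/bin/sh
# Added example: classify what the SMTP port is bound to, and whether
# sendmail.mc still carries the loopback restriction quoted in the thread.

# stdin: output of `netstat -ln`
# prints: all-interfaces | specific-address | loopback-only | not-listening
smtp_listener_state() {
    awk '
        # TCP rows: Proto Recv-Q Send-Q Local-Address Foreign-Address State
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, part, ":")
            port = part[n]
            if (port != "25") next        # exact port match, unlike grep 25
            host = substr($4, 1, length($4) - length(port) - 1)
            if (host == "127.0.0.1" || host == "::1") loopback = 1
            else if (host == "0.0.0.0" || host == "::" || host == "*") any = 1
            else specific = 1
        }
        END {
            if (any) print "all-interfaces"
            else if (specific) print "specific-address"
            else if (loopback) print "loopback-only"
            else print "not-listening"
        }'
}

# stdin: sendmail.mc
# prints: active (an uncommented DAEMON_OPTIONS pins Addr=127.0.0.1) | absent
mc_loopback_restriction() {
    awk '
        /^[ \t]*dnl([ \t]|$)/ { next }    # m4 discards a line that starts with dnl
        /DAEMON_OPTIONS\(/ && /Addr=127\.0\.0\.1/ { active = 1 }
        END { print (active ? "active" : "absent") }'
}

# --- constructed samples -------------------------------------------------
sample_netstat_default() {   # loopback-only listener plus two grep 25 decoys
cat <<'EOF'
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2525            0.0.0.0:*               LISTEN
unix  2      [ ACC ]     STREAM     LISTENING     2571   /var/run/sample.sock
EOF
}

sample_netstat_fixed() {
cat <<'EOF'
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
EOF
}

sample_mc_default() {        # restriction still active
cat <<'EOF'
dnl # Remove the loopback address restriction to accept email from the
dnl # internet or intranet.
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
EOF
}

sample_mc_fixed() {          # the two lines as Rob's message gives them
cat <<'EOF'
dnl # DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA, Listen=128')
EOF
}

# --- demo ----------------------------------------------------------------
echo "rows grep 25 matches in the default sample: $(sample_netstat_default | grep -c 25)"
echo "default: listener=$(sample_netstat_default | smtp_listener_state)" \
     "sendmail.mc restriction=$(sample_mc_default | mc_loopback_restriction)"
echo "fixed:   listener=$(sample_netstat_fixed | smtp_listener_state)" \
     "sendmail.mc restriction=$(sample_mc_fixed | mc_loopback_restriction)"
```

On a live host the inputs would be netstat -ln and /etc/mail/sendmail.mc; a result of "absent" together with "loopback-only" means sendmail.cf has not been rebuilt or sendmail has not been restarted since the edit.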
-----------------------------------------

From bpumphrey at WOODMACLAW.COM Tue Dec 23 21:56:57 2003
From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey)
Date: Thu Jan 12 21:21:39 2006
Subject: I'm trying to get MailScanner to work
Message-ID:

Nope, no defunct. :)

I commented the 127 thing out and got the tcp 0 0 0.0.0.0:25 0.0.0.0:*

Spamassassin is already set to no
I set virus scanning to none
Restarted MailScanner
Still no luck

I added a file in /etc/mail called relay-domains and put in:
woodmaclaw.com
www.woodmaclaw.com
restart mailscanner
no luck

With your directions on watching the output, I don't really know where to watch at. Run a message through do you mean from outside to inside?

Thank You
Billy Pumphrey

-----Original Message-----
From: Kearney, Rob [mailto:RKearney@AZERTY.COM]
Sent: Tuesday, December 23, 2003 4:12 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: I'm trying to get MailScanner to work

That could be the case... do you still see on MailScanner Processes after doing service MailScanner start?

you might also again want to try setting Debug = Yes, then restart MailScanner (service MailScanner restart) then run a message through, and watch the output for indications of problems.

and if memory serves me correctly, since you didn't install SpamAssassin yet, you should also have "Use SpamAssassin = no".

-rob

-----Original Message-----
From: Billy A. Pumphrey [mailto:bpumphrey@WOODMACLAW.COM]
Sent: Tuesday, December 23, 2003 4:03 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: I'm trying to get MailScanner to work

List of stuff so far:
I installed red hat 9 gui without spamassassin and with sendmail
Installed the development tools
Installed mailscanner using ./install.sh

I edited the mailertable file with this:
woodmaclaw.com esmtp:[10.1.1.2]
www.woodmaclaw.com esmtp:[10.1.1.2]

Then this:
make -C /etc/mail

Then made sure that the /etc/mail/relay-domains was empty or did not have woodmaclaw in it.

That's it so far and no worky. What do you think?
Also it seems that I read that if you don't set virus scan = none if you have none that the email won't get delivered, is that true? Thank You Billy Pumphrey -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Tuesday, December 23, 2003 2:44 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: I'm trying to get MailScanner to work I think there's an RPM called "rpm-build" or something like that. Install that for starters. You should have installed the development tools when you installed RH9. At 19:16 23/12/2003, you wrote: >I got the issues with the mqueue resolved I believe, however I just >started over. > >I have a fresh install of red hat 9 gui now with send mail. I also did >not install spamassassin off of the cd this time. > >Now I get this when I try to run ./install.sh > >"Your /usr/src/redhat, /usr/src/RPM or /usr/src/packages tree is >missing. If you have access to an RPM called rpm-build install it first >and come back and try again." > >I have got this message on one of my installs and never got it resolved. >Does anyone know how to get around this so I don't go pocking around >again and screwing up my fresh install? > > > >Thank You >Billy Pumphrey > >-----Original Message----- >From: DNSAdmin [mailto:dnsadmin@1BIGTHINK.COM] >Sent: Tuesday, December 23, 2003 11:57 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: I'm trying to get MailScanner to work > >At 08:37 AM 12/23/2003 -0500, you wrote: > >I have done some more with the help of people. Here is what more I >have > >done. > >Hi Bill, > >You did have issues, initially, with the mqueue and mqueue.in folders. >Did >those get resolved? Do you see any complaints in your logs about them? >Do >your mqueue* folders jive with the MailScanner.conf file? How about >potential permissions on the folders; especially if you had to create >them >yourself? > >Cheers! 
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From TGFurnish at HERFF-JONES.COM Tue Dec 23 22:27:25 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:21:39 2006
Subject: RBL timing out {Scanned by WPPi.Net}
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF037335E2@inex1.herffjones.hj-int>

If that were true and a complete picture of your dns setup, then you would have to explicitly add dns servers for every site that you browse to - therefore I suspect you're confused about your own setup. Anything's possible of course...

I'm betting that you currently allow your dns servers to either:
1) connect to any other server for dns queries or
2) connect to a couple of ISP dns servers that do recursive queries for you.

You didn't answer the question of whether your system is its own DNS server (ie /etc/resolv.conf contains only one nameserver entry and that entry lists the system's own ip address), but what it comes down to is that you just need to be able to do dns lookups from this system and whatever DNS server you query must in turn be able to query the RBL zones that you want to use. Once that's working, you'll be good to go.

Typical set-up for most firewalled companies would be:

Mailscanner
    |
    |
    V
Internal DNS server
    |
    |
    V
-------- Firewall / Access Lists ----------
    |
    |
    V
ISP DNS servers
    |
    |
    V
RBL DNS servers

In that set-up, your internal dns server only needs network access to the ISP dns servers, which handle the query against the RBL name servers on your behalf.

What "nameserver" lines do you have in your /etc/resolv.conf? Localhost, internal dns servers, or isp dns servers?
--
Trever

> -----Original Message-----
> From: SW [mailto:wppiphoto@wppi.com]
> Sent: Tuesday, December 23, 2003 4:46 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: RBL timing out {Scanned by WPPi.Net}
>
>
> Matt,
>
> Our firewall blocks entire IP blocks with no traffic coming-in or going-out.
> DNS is permitted to go out but only to those IP blocks which are not
> blocked. The only way I see I can get RBL to work is by inputting an IP
> address/range for the ORDB-RBL servers that mailscanner/spamassassin
> contact.
>
> Thanks,
>
> SW
> ----- Original Message -----
> From: "Matt Kettler"
> To:
> Sent: Tuesday, December 23, 2003 4:20 PM
> Subject: Re: RBL timing out {Scanned by WPPi.Net}
>
>
> At 04:08 PM 12/23/2003, SW wrote:
> >I'm trying to figure out what ip address and port(s) I need to open up on my
> >firewall to allow the use of ORDB-RBL w/ Mailscanner and spamassassin:
> >
> >MailScanner: RBL Check ORDB-RBL timed out and was killed, consecutive
> >failure 1 of 7
>
> It's a DNS query. You need to be able to do DNS resolution.
>
> If your MS/SA machine is its own resolving server, then it needs to be
> able to query to arbitrary DNS servers.
>
> If your MS/SA machine uses another server for resolution it needs to be
> able to talk to that DNS server, and that DNS server needs to be able to
> talk to query DNS servers.
>
> You can tell what machine is being used as a resolver by looking at
> /etc/resolv.conf. A machine that's its own resolver will have "localhost"
>
>
>
>
>
> WPPi.com & WPPi.Net MailScanner Signature
> This message has been scanned for viruses
> and dangerous content by MailScanner, and
> is believed to be clean.
> -----------------------------------------
>

From TGFurnish at HERFF-JONES.COM Tue Dec 23 22:41:27 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:21:39 2006
Subject: dns configuration for natted mailserver
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF037335E3@inex1.herffjones.hj-int>

> From: Harondel J. Sibble [mailto:mailscanner@pdscc.com]
> Sent: Monday, December 22, 2003 2:59 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: dns configuration for natted mailserver
>
> The only problem I see with this is that mail sent from the hidden mail
> server will fall afoul of antispam filtering at other sites since there will
> be no external dns entries for the hidden server itself and a rdns check will
> fail.

You should have rdns entries for your firewall, since that's where the smtp connections to destination mail servers will really be coming from.

--
Trever

From TGFurnish at HERFF-JONES.COM Tue Dec 23 23:05:52 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:21:39 2006
Subject: Rejecting Mail at RCPT
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF02A60737@inex1.herffjones.hj-int>

Anyone got a copy of Pete's script that they can share?

> -----Original Message-----
> From: Pete [mailto:pete@eatathome.com.au]
> Sent: Thursday, December 18, 2003 5:57 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Rejecting Mail at RCPT
>
> I have a great perl script that will pull all the email addresses from
> AD and make an access map for postfix - "user@domain.com OK" is the
> ...
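
[Added example, not part of any message in this archive.] The "RBL timing out" thread above turns on two points: an RBL check is an ordinary DNS lookup, and /etc/resolv.conf decides which DNS servers the firewall has to let the scanner reach. The Python sketch below works both through; it is not MailScanner's or SpamAssassin's code, the helper names are hypothetical, and the zone, addresses and resolv.conf samples are constructed.

```python
import ipaddress
import socket

# Constructed inputs for illustration; none of these values come from the thread.
EXAMPLE_ZONE = "rbl.example.org"  # placeholder DNSBL zone
RESOLV_OWN = "search example.net\nnameserver 127.0.0.1\n"
RESOLV_FORWARD = "; internal resolvers\nnameserver 10.1.1.53\nnameserver 10.1.1.54\n"


def dnsbl_query_name(ip, zone):
    """Return the hostname a DNSBL check resolves: reversed octets + zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def parse_nameservers(resolv_conf_text):
    """Extract the addresses on the 'nameserver' lines of resolv.conf text."""
    servers = []
    for raw in resolv_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) >= 2:
            servers.append(fields[1])
    return servers


def _is_loopback(server):
    if server == "localhost":
        return True
    try:
        return ipaddress.ip_address(server).is_loopback
    except ValueError:
        return False


def required_dns_flows(resolv_conf_text):
    """List the outbound (destination, port, protocol) flows to allow.

    A loopback nameserver means the host resolves for itself, so (as the
    thread says, and assuming it does not forward) it must reach arbitrary
    DNS servers: destination "any". Otherwise only the listed resolvers
    are needed, and they perform the onward queries.
    """
    # With no nameserver line the resolver library uses the local host.
    servers = parse_nameservers(resolv_conf_text) or ["127.0.0.1"]
    dests = []
    for server in servers:
        dest = "any" if _is_loopback(server) else server
        if dest not in dests:
            dests.append(dest)
    return [(d, 53, proto) for d in dests for proto in ("udp", "tcp")]


def check_listed(ip, zone, resolve=socket.gethostbyname):
    """Classify one DNSBL lookup; 'resolve' is injectable for offline tests."""
    name = dnsbl_query_name(ip, zone)
    try:
        answer = resolve(name)
    except socket.gaierror as exc:
        # NXDOMAIN is a real answer ("not listed"). Anything else, such as
        # a query dropped by a firewall, is a failed lookup, not a verdict.
        if exc.errno == socket.EAI_NONAME:
            return "not listed"
        return "lookup failed"
    # Listed entries are conventionally answered from 127.0.0.0/8.
    if ipaddress.ip_address(answer).is_loopback:
        return "listed"
    return "unexpected answer"


if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.10", EXAMPLE_ZONE))
    print(required_dns_flows(RESOLV_OWN))
    print(required_dns_flows(RESOLV_FORWARD))
```

A stateful firewall rule set then only needs these outbound flows plus their replies; no per-RBL IP list is required.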
From smhickel at chartermi.net Wed Dec 24 02:51:04 2003
From: smhickel at chartermi.net (smhickel)
Date: Thu Jan 12 21:21:39 2006
Subject: RBL timing out {Scanned by WPPi.Net}
In-Reply-To: <002301c3c99e$30d33670$3a95a644@Toshiba>
References: <000901c3c998$dfd0f050$3a95a644@Toshiba> <6.0.0.22.0.20031223161737.01fb4b90@xanadu.evi-inc.com> <002301c3c99e$30d33670$3a95a644@Toshiba>
Message-ID: <3FE8FF18.7050206@chartermi.net>

This is a great question. Just this evening I asked myself the same question. I locked down my mailscanner with IPTABLES and tried to figure out what port the RDBL's were using and what port the clamav service used to update itself?

Steve

SW wrote:

>Matt,
>
>Our firewall blocks entire IP blocks with no traffic coming-in or going-out.
>DNS is permitted to go out but only to those IP blocks which are not
>blocked. The only way I see I can get RBL to work is by inputting an IP
>address/range for the ORDB-RBL servers that mailscanner/spamassassin
>contact.
>
>Thanks,
>
>SW
>----- Original Message -----
>From: "Matt Kettler"
>To:
>Sent: Tuesday, December 23, 2003 4:20 PM
>Subject: Re: RBL timing out {Scanned by WPPi.Net}
>
>
>At 04:08 PM 12/23/2003, SW wrote:
>
>>I'm trying to figure out what ip address and port(s) I need to open up on my
>>firewall to allow the use of ORDB-RBL w/ Mailscanner and spamassassin:
>>
>>MailScanner: RBL Check ORDB-RBL timed out and was killed, consecutive
>>failure 1 of 7
>>
>
>It's a DNS query. You need to be able to do DNS resolution.
>
>If your MS/SA machine is its own resolving server, then it needs to be
>able to query to arbitrary DNS servers.
>
>If your MS/SA machine uses another server for resolution it needs to be
>able to talk to that DNS server, and that DNS server needs to be able to
>talk to query DNS servers.
>
>You can tell what machine is being used as a resolver by looking at
>/etc/resolv.conf. A machine that's its own resolver will have "localhost"
>
>
>
>
>
>WPPi.com & WPPi.Net MailScanner Signature
>This message has been scanned for viruses
>and dangerous content by MailScanner, and
>is believed to be clean.
>-----------------------------------------
>
>
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.

From wppiphoto at wppi.com Wed Dec 24 03:09:18 2003
From: wppiphoto at wppi.com (SW)
Date: Thu Jan 12 21:21:39 2006
Subject: RBL timing out {Scanned by WPPi.Net} {Scanned}
Message-ID: <006401c3c9cb$57e8e250$3a95a644@Toshiba>

Trever,

Thanks for the info.! Please see below for some answers to your questions:

> You didn't answer the question of whether your system is its own DNS server

Yes, this system is one of our DNS servers which mailscanner/spamassassin runs on.

> then you would have to explicitly add dns servers for every site that you browse to

no, we don't have to add dns servers for every site we visit. Sites that our DNS server can't reach due to our firewall blocking incoming packets from that IP block just don't show up.

> What "nameserver" lines do you have in your /etc/resolv.conf?

nameserver
nameserver

> your internal dns server only needs network access to the ISP dns servers

Our internal DNS server speaks directly with the root DNS servers (InterNIC) who then point us to the DNS server responsible for a particular domain (ie ordb.org). So, there is no ISP dns server between our dns server and the Internet.

Imagine a network which sits behind a firewall which blocks an entire IP block (ex 45.0.0.0) and a DNS server sits behind this firewall. Let's say that a user behind this firewall wants to get to a domain mysite.com. The DNS server behind the firewall goes out to the root DNS servers of InterNIC to try to find out who is handling name resolution for mysite.com domain.
When InterNIC root DNS server respond to the DNS server behind the firewall that the domain mysite.com records are located at DNS server 45.0.0.1, the DNS server (which is behind the firewall) will never be able to get to the mysite.com DNS server because the firewall has blocked all traffic coming-in from the 45.0.0.0 IP block therefore failing to resolve it. This is what is happening in our situation.

Basically, to get around this, we have to open up a particular IP number and TCP or UDP port 53 to allow traffic to come in from mysite.com DNS server at 45.0.0.1 for the DNS server to work and then open up another IP address and TCP port 80 for the domain mysite.com.

Hope this makes sense or not. :-)

Thanks,

SW

----- Original Message -----
From: "Furnish, Trever G"
To: "'SW'" ;
Sent: Tuesday, December 23, 2003 5:27 PM
Subject: RE: RBL timing out {Scanned by WPPi.Net}

If that were true and a complete picture of your dns setup, then you would have to explicitly add dns servers for every site that you browse to - therefore I suspect you're confused about your own setup. Anything's possible of course...

I'm betting that you currently allow your dns servers to either:
1) connect to any other server for dns queries or
2) connect to a couple of ISP dns servers that do recursive queries for you.

You didn't answer the question of whether your system is its own DNS server (ie /etc/resolv.conf contains only one nameserver entry and that entry lists the system's own ip address), but what it comes down to is that you just need to be able to do dns lookups from this system and whatever DNS server you query must in turn be able to query the RBL zones that you want to use. Once that's working, you'll be good to go.
Typical set-up for most firewalled companies would be:

Mailscanner
    |
    |
    V
Internal DNS server
    |
    |
    V
-------- Firewall / Access Lists ----------
    |
    |
    V
ISP DNS servers
    |
    |
    V
RBL DNS servers

In that set-up, your internal dns server only needs network access to the ISP dns servers, which handle the query against the RBL name servers on your behalf.

What "nameserver" lines do you have in your /etc/resolv.conf? Localhost, internal dns servers, or isp dns servers?

--
Trever

> -----Original Message-----
> From: SW [mailto:wppiphoto@wppi.com]
> Sent: Tuesday, December 23, 2003 4:46 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: RBL timing out {Scanned by WPPi.Net}
>
>
> Matt,
>
> Our firewall blocks entire IP blocks with no traffic coming-in or going-out.
> DNS is permitted to go out but only to those IP blocks which are not
> blocked. The only way I see I can get RBL to work is by inputting an IP
> address/range for the ORDB-RBL servers that mailscanner/spamassassin
> contact.
>
> Thanks,
>
> SW
> ----- Original Message -----
> From: "Matt Kettler"
> To:
> Sent: Tuesday, December 23, 2003 4:20 PM
> Subject: Re: RBL timing out {Scanned by WPPi.Net}
>
>
> At 04:08 PM 12/23/2003, SW wrote:
> >I'm trying to figure out what ip address and port(s) I need to open up on my
> >firewall to allow the use of ORDB-RBL w/ Mailscanner and spamassassin:
> >
> >MailScanner: RBL Check ORDB-RBL timed out and was killed, consecutive
> >failure 1 of 7
>
> It's a DNS query. You need to be able to do DNS resolution.
>
> If your MS/SA machine is its own resolving server, then it needs to be
> able to query to arbitrary DNS servers.
>
> If your MS/SA machine uses another server for resolution it needs to be
> able to talk to that DNS server, and that DNS server needs to be able to
> talk to query DNS servers.
>
> You can tell what machine is being used as a resolver by looking at
> /etc/resolv.conf. A machine that's its own resolver will have "localhost"
>
>
>
>
>
> WPPi.com & WPPi.Net MailScanner Signature
> This message has been scanned for viruses
> and dangerous content by MailScanner, and
> is believed to be clean.
> -----------------------------------------
>

WPPi.com & WPPi.Net MailScanner Signature
This message has been scanned for viruses
and dangerous content by MailScanner, and
is believed to be clean.
-----------------------------------------

From kfliong at WOFS.COM Tue Dec 23 13:09:02 2003
From: kfliong at WOFS.COM (kfliong)
Date: Thu Jan 12 21:21:39 2006
Subject: Mailscanner problem after ensim upgrade pls help!!!
In-Reply-To: <6.0.1.1.2.20031223115942.037c2218@imap.ecs.soton.ac.uk>
References: <6.0.0.22.0.20031223184746.03af0f40@192.168.10.2> <6.0.1.1.2.20031223115942.037c2218@imap.ecs.soton.ac.uk>
Message-ID: <6.0.0.22.0.20031223210723.03ba8d10@192.168.10.2>

Tried reinstalling over it but still have the same error when try to start MailScanner.

Can you tell me how i could remove all traces of existing MailScanner?

Thanks in advance.

At 08:00 PM 12/23/2003, you wrote:
>Try running MailScanner's install.sh straight over the top of the current
>installation. Looks like Ensim removed a bunch of modules.
>
>At 10:50 23/12/2003, you wrote:
>>Hi all,
>>
>>I just upgraded my ensim package to 3.5.20-23. Perl is now 5.6.1. But when
>>I try to start MailScanner I get this error :
>>
>>Starting MailScanner daemons:
>> incoming sendmail: [ OK ]
>> outgoing sendmail: [ OK ]
>> MailScanner: Can't locate MIME/Parser.pm in @INC (@INC
>>contains: /usr/lib/MailScanner /usr/lib/perl5/5.6.1/i386-linux
>>/usr/lib/perl5/5.6.1 /usr/lib/perl5/site_perl/5.6.1/i386-linux
>>/usr/lib/perl5/site_perl/5.6.1 /usr/lib/perl5/site_perl/5.6.0/i386-linux
>>/usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl
>>/usr/lib/perl5/vendor_perl/5.6.1/i386-linux
>>/usr/lib/perl5/vendor_perl/5.6.1 /usr/lib/perl5/vendor_perl .
>>/usr/lib/MailScanner) at /usr/lib/MailScanner/MailScanner/Message.pm line 40.
>>BEGIN failed--compilation aborted at
>>/usr/lib/MailScanner/MailScanner/Message.pm line 40.
>>Compilation failed in require at /usr/sbin/MailScanner line 48.
>>BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 48.
>> [ OK ]
>>
>>Even though it says OK there, MailScanner is not started. Please help!!!
>>
>>Do I need to re-install MailScanner? If yes, then do I need to uninstall
>>the previous MailScanner and MailWatch?
>>
>>Thanks in advance.
>
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

thanks

From kfliong at WOFS.COM Wed Dec 24 09:42:59 2003
From: kfliong at WOFS.COM (kfliong)
Date: Thu Jan 12 21:21:39 2006
Subject: spamassassin timeout again...
Message-ID: <6.0.0.22.0.20031224174138.03b07b20@192.168.10.2>

Hi,

I am sure a lot of ppl have asked this question before..but i just re-installed and updated mailscanner and spamassassin but keep getting spamassassin timeout error in the maillog. I have tried changing the timeout to 90 which a lot of ppl says will solve the problem but i still get the timeout error.

What can i do?

thanks

From kfliong at WOFS.COM Wed Dec 24 10:11:35 2003
From: kfliong at WOFS.COM (kfliong)
Date: Thu Jan 12 21:21:39 2006
Subject: high cpu usage!!!
Message-ID: <6.0.0.22.0.20031224181037.03b45f20@192.168.10.2>

I am getting very high cpu usage by mailscanner.

177 processes: 163 sleeping, 3 running, 0 zombie, 11 stopped
CPU states: 18.2% user, 4.0% system, 1.0% nice, 31.5% idle
Mem: 504792K av, 474500K used, 30292K free, 1508K shrd, 42668K buff
Swap: 1020116K av, 137800K used, 882316K free 99664K cached

  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME COMMAND
31972 root      14   0 25432  20M 12324 R    85.0  4.2   0:19 MailScanner
32019 apache     9   0 10200 7456  5636 S     7.5  1.4   0:00 httpd
32081 root       9   0  1104 1104   804 R     3.7  0.2   0:00 top
32028 apache     9   0  9024 6280  5516 S     0.9  1.2   0:00 httpd

Please help!

thanks

From mailscanner at ecs.soton.ac.uk Wed Dec 24 11:16:50 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:39 2006
Subject: high cpu usage!!!
In-Reply-To: <6.0.0.22.0.20031224181037.03b45f20@192.168.10.2>
References: <6.0.0.22.0.20031224181037.03b45f20@192.168.10.2>
Message-ID: <6.0.1.1.2.20031224111632.03dce168@imap.ecs.soton.ac.uk>

Check your mail log for any reports from MailScanner.

At 10:11 24/12/2003, you wrote:
>I am getting very high cpu usage by mailscanner.
>
>177 processes: 163 sleeping, 3 running, 0 zombie, 11 stopped
>CPU states: 18.2% user, 4.0% system, 1.0% nice, 31.5% idle
>Mem: 504792K av, 474500K used, 30292K free, 1508K shrd, 42668K buff
>Swap: 1020116K av, 137800K used, 882316K free 99664K cached
>
>  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME COMMAND
>31972 root      14   0 25432  20M 12324 R    85.0  4.2   0:19 MailScanner
>32019 apache     9   0 10200 7456  5636 S     7.5  1.4   0:00 httpd
>32081 root       9   0  1104 1104   804 R     3.7  0.2   0:00 top
>32028 apache     9   0  9024 6280  5516 S     0.9  1.2   0:00 httpd
>
>
>Please help!
>
>thanks

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From kfliong at WOFS.COM Wed Dec 24 11:24:29 2003
From: kfliong at WOFS.COM (kfliong)
Date: Thu Jan 12 21:21:39 2006
Subject: high cpu usage!!!
In-Reply-To: <6.0.1.1.2.20031224111632.03dce168@imap.ecs.soton.ac.uk>
References: <6.0.0.22.0.20031224181037.03b45f20@192.168.10.2> <6.0.1.1.2.20031224111632.03dce168@imap.ecs.soton.ac.uk>
Message-ID: <6.0.0.22.0.20031224192240.02e9dff0@192.168.10.2>

I can check but most of the time i am clueless about the logs entry

Dec 24 19:16:13 ensim virthostmail[12899]: Chrooting to /home/virtual/site9/fst
Dec 24 19:16:13 ensim sendmail[12901]: hBP0GDi12901: from=, size=1336, class=0, nrcpts=1, msgid=<200312250016.hBP0G9p12888@ensim.wofsproperties.com>, proto=ESMTP, relay=root@localhost
Dec 24 19:16:13 ensim sendmail[12897]: hBP0G9p12888: to=, delay=00:00:04, xdelay=00:00:00, mailer=virthostmail, pri=120871, relay=worldoffengshui.com, dsn=2.0.0, stat=Sent (hBP0GDi12901 Message accepted for delivery)
Dec 24 19:16:14 ensim MailScanner[10992]: Virus and Content Scanning: Starting
Dec 24 19:16:14 ensim sendmail[12902]: hBP0GDi12901: to=/dev/null, ctladdr=site_blackhole (513/0), delay=00:00:01, xdelay=00:00:00, mailer=*file*, pri=30653, dsn=2.0.0, stat=Sent
Dec 24 19:16:15 ensim MailScanner[10992]: Uninfected: Delivered 1 messages
Dec 24 19:16:15 ensim virthostmail[12910]: Chrooting to /home/virtual/site9/fst
Dec 24 19:16:15 ensim sendmail[12912]: hBP0GFO12912: from=, size=1327, class=0, nrcpts=1, msgid=<200312250016.hBP0G7p12885@ensim.wofsproperties.com>, proto=ESMTP, relay=root@localhost
Dec 24 19:16:15 ensim sendmail[12908]: hBP0G7p12885: to=, delay=00:00:07, xdelay=00:00:00, mailer=virthostmail, pri=120862, relay=worldoffengshui.com, dsn=2.0.0, stat=Sent (hBP0GFO12912 Message accepted for delivery)
Dec 24 19:16:15 ensim sendmail[12913]: hBP0GFO12912: to=/dev/null, ctladdr=site_blackhole (513/0), delay=00:00:00, xdelay=00:00:00, mailer=*file*, pri=30655, dsn=2.0.0, stat=Sent
Dec 24 19:16:20 ensim sendmail[12915]: hBP0GGp12915: from=, size=1750, class=0, nrcpts=1, msgid=, proto=SMTP, daemon=MTA, relay=CPE0050bf919e82-CM0000394a0266.cpe.net.cable.rogers.com [63.139.225.125]
Dec 24 19:16:20 ensim sendmail[12915]: hBP0GGp12915: to=, delay=00:00:03, mailer=virthostmail, pri=31750, stat=queued
Dec 24 19:16:22 ensim MailScanner[10928]: New Batch: Found 2 messages waiting
Dec 24 19:16:22 ensim MailScanner[10928]: New Batch: Scanning 1 messages, 2407 bytes
Dec 24 19:16:22 ensim MailScanner[10928]: Spam Checks: Starting
Dec 24 19:16:27 ensim sendmail[12924]: hBP0GQp12924: from=, size=10549, class=0, nrcpts=1, msgid=<200312250016.hBP0GQp12924@ensim.wofsproperties.com>, proto=SMTP, daemon=MTA, relay=[211.208.160.118]
Dec 24 19:16:27 ensim sendmail[12924]: hBP0GQp12924: to=, delay=00:00:01, mailer=virthostmail, pri=40549, stat=queued
Dec 24 19:16:28 ensim MailScanner[10910]: New Batch: Found 3 messages waiting
Dec 24 19:16:28 ensim MailScanner[10910]: New Batch: Scanning 1 messages, 11079 bytes
Dec 24 19:16:28 ensim MailScanner[10910]: Spam Checks: Starting
Dec 24 19:16:29 ensim sendmail[12926]: hBP0GRp12926: from=, size=871, class=0, nrcpts=1, msgid=<200312250016.hBP0GRp12926@ensim.wofsproperties.com>, proto=ESMTP, daemon=MTA, relay=200-153-194-224.dsl.telesp.net.br [200.153.194.224]
Dec 24 19:16:29 ensim sendmail[12926]: hBP0GRp12926: to=, delay=00:00:01, mailer=virthostmail, pri=30871, stat=queued
Dec 24 19:16:30 ensim MailScanner[10992]: New Batch: Found 4 messages waiting
Dec 24 19:16:30 ensim MailScanner[10992]: New Batch: Scanning 1 messages, 1456 bytes
Dec 24 19:16:30 ensim MailScanner[10992]: Spam Checks: Starting
Dec 24 19:16:31 ensim sendmail[12931]: hBP0GTp12931: from=, size=869, class=0, nrcpts=1, msgid=<200312250016.hBP0GTp12931@ensim.wofsproperties.com>, proto=ESMTP, daemon=MTA, relay=200-153-194-224.dsl.telesp.net.br [200.153.194.224]
Dec 24 19:16:31 ensim sendmail[12931]: hBP0GTp12931: to=, delay=00:00:01, mailer=virthostmail, pri=30869, stat=queued
Dec 24 19:16:31 ensim MailScanner[10928]: Message hBP0GGp12915 from 63.139.225.125 (ap2didwof@easynet.fr) to worldoffengshui.com is spam, SpamAssassin (score=18.783, required 5, BAYES_90 2.10, CLICK_BELOW 0.10, DATE_IN_PAST_12_24 0.75, FORGED_MUA_OIMO 2.40, FORGED_OUTLOOK_TAGS 1.00, HTML_FONT_BIG 0.27, HTML_LINK_CLICK_HERE 0.10, HTML_MESSAGE 0.10, MIME_HTML_NO_CHARSET 0.56, MIME_HTML_ONLY 0.32, MIME_HTML_ONLY_MULTI 1.10, ONLINE_PHARMACY 3.77, RCVD_IN_BL_SPAMCOP_NET 1.50, RCVD_IN_DSBL 0.71, RCVD_IN_DYNABLOCK 2.60, RCVD_IN_SORBS 0.10, X_PRIORITY_HIGH 1.30)
Dec 24 19:16:31 ensim MailScanner[10928]: Spam Checks: Found 1 spam messages
Dec 24 19:16:31 ensim MailScanner[10928]: Spam Actions: message hBP0GGp12915 actions are delete
Dec 24 19:16:31 ensim MailScanner[10928]: Virus and Content Scanning: Starting
Dec 24 19:16:32 ensim MailScanner[10984]: New Batch: Found 4 messages waiting
Dec 24 19:16:32 ensim MailScanner[10984]: New Batch: Scanning 1 messages, 1460 bytes
Dec 24 19:16:32 ensim MailScanner[10984]: Spam Checks: Starting
Dec 24 19:16:33 ensim MailScanner[10984]: Message hBP0GTp12931 from 200.153.194.224 (tmcdowellgr@greenapple.com) to worldoffengshui.com is spam, SpamAssassin (score=6.652, required 5, BAYES_30 -0.90, BIZ_TLD 0.10, DATE_IN_PAST_12_24 0.75, HTML_MESSAGE 0.10, MIME_HTML_NO_CHARSET 0.56, MIME_HTML_ONLY 0.32, MSGID_FROM_MTA_SHORT 3.03, RCVD_IN_DYNABLOCK 2.60, RCVD_IN_SORBS 0.10)
Dec 24 19:16:34 ensim MailScanner[10984]: Spam Checks: Found 1 spam messages
Dec 24 19:16:34 ensim MailScanner[10984]: Spam Actions: message hBP0GTp12931 actions are delete
Dec 24 19:16:34 ensim MailScanner[10984]: Virus and Content Scanning: Starting
Dec 24 19:16:34 ensim sendmail[12938]: hBP0GWp12938: from=, size=4545, class=0, nrcpts=1, msgid=, proto=SMTP, daemon=MTA, relay=modemcable076.176-131-66.mc.videotron.ca [66.131.176.76]
Dec 24 19:16:34 ensim sendmail[12938]: hBP0GWp12938: to=, delay=00:00:02, mailer=virthostmail, pri=34545, stat=queued
Dec 24 19:16:34 ensim sendmail[12930]: hBP0GTp12930: from=, size=1378, class=0, nrcpts=1, msgid=<200312250016.hBP0GTp12930@ensim.wofsproperties.com>, proto=ESMTP, daemon=MTA, relay=cable-228-56.inter.net.il [80.230.228.56]
Dec 24 19:16:34 ensim sendmail[12930]: hBP0GTp12930: to=, delay=00:00:02, mailer=virthostmail, pri=31378, stat=queued
Dec 24 19:16:35 ensim MailScanner[10992]: Virus and Content Scanning: Starting
Dec 24 19:16:35 ensim MailScanner[10984]: New Batch: Found 5 messages waiting
Dec 24 19:16:35 ensim MailScanner[10984]: New Batch: Scanning 2 messages, 7074 bytes
Dec 24 19:16:35 ensim MailScanner[10984]: Spam Checks: Starting
Dec 24 19:16:36 ensim MailScanner[10984]: Message hBP0GTp12930 from 80.230.228.56 (kbarber_ul@ccd.vol.at) to worldoffengshui.com is spam, SpamAssassin (score=9.354, required 5, BAYES_50 0.00, BIZ_TLD 0.10, HTML_MESSAGE 0.10, MIME_HTML_MOSTLY 1.24, MSGID_FROM_MTA_HEADER 0.70, RCVD_IN_BL_SPAMCOP_NET 1.50, RCVD_IN_DSBL 0.71, RCVD_IN_DYNABLOCK 2.60, RCVD_IN_SORBS 0.10, RCVD_IN_SORBS_HTTP 1.10, RCVD_IN_SORBS_SOCKS 1.20)
Dec 24 19:16:36 ensim MailScanner[10992]: Uninfected: Delivered 1 messages
Dec 24 19:16:36 ensim sendmail[12941]: hBP0GXp12941: from=, size=1394, class=0, nrcpts=2, msgid=, proto=SMTP, daemon=MTA, relay=h24-86-167-208.vs.shawcable.net [24.86.167.208]
Dec 24 19:16:36 ensim sendmail[12941]: hBP0GXp12941: to=, delay=00:00:02, mailer=virthostmail, pri=61394, stat=queued
Dec 24 19:16:36 ensim sendmail[12941]: hBP0GXp12941: to=, delay=00:00:02, mailer=virthostmail, pri=61394, stat=queued
Dec 24 19:16:36 ensim virthostmail[12958]: Chrooting to /home/virtual/site9/fst
Dec 24 19:16:36 ensim sendmail[12961]: hBP0Gak12961: from=, size=1342, class=0, nrcpts=1, msgid=<200312250016.hBP0GRp12926@ensim.wofsproperties.com>, proto=ESMTP, relay=root@localhost
Dec 24 19:16:36 ensim sendmail[12956]: hBP0GRp12926: to=, delay=00:00:08, xdelay=00:00:00, mailer=virthostmail, pri=120871, relay=worldoffengshui.com, dsn=2.0.0, stat=Sent (hBP0Gak12961 Message accepted for delivery)
Dec 24 19:16:37 ensim sendmail[12962]: hBP0Gak12961: to=/dev/null, ctladdr=site_blackhole (513/0), delay=00:00:01, xdelay=00:00:00, mailer=*file*, pri=30660, dsn=2.0.0, stat=Sent
Dec 24 19:16:37 ensim sendmail[12953]: hBP0GZp12953: from=, size=2733, class=0, nrcpts=1, msgid=<3zpiw$v-h08a03$78$9ws2cb353m0v@avo2g>, proto=SMTP, daemon=MTA, relay=[61.74.12.125]
Dec 24 19:16:37 ensim sendmail[12953]: hBP0GZp12953: to=, delay=00:00:02, mailer=virthostmail, pri=32733, stat=queued
Dec 24 19:16:37 ensim MailScanner[10984]: Message hBP0GWp12938 from 66.131.176.76 (brqhfg@web.de) to worldoffengshui.com is spam, SpamAssassin (score=14.337, required 5, BAYES_99 5.40, DATE_IN_PAST_12_24 0.75, HTML_MESSAGE 0.10, HTML_TAG_BALANCE_A 0.20, MIME_BASE64_TEXT 1.01, MIME_HTML_NO_CHARSET 0.56, MIME_HTML_ONLY 0.32, MIME_HTML_ONLY_MULTI 1.10, RCVD_IN_BL_SPAMCOP_NET 1.50, RCVD_IN_DSBL 0.71, RCVD_IN_DYNABLOCK 2.60, RCVD_IN_SORBS 0.10)
Dec 24 19:16:37 ensim MailScanner[10984]: Spam Checks: Found 2 spam messages
Dec 24 19:16:37 ensim MailScanner[10984]: Spam Actions: message hBP0GTp12930 actions are delete
Dec 24 19:16:37 ensim MailScanner[10984]: Spam Actions: message hBP0GWp12938 actions are delete
Dec 24 19:16:37 ensim MailScanner[10984]: Virus and Content Scanning: Starting
Dec 24 19:16:37 ensim sendmail[12951]: hBP0GZp12951: from=, size=1387, class=0, nrcpts=1, msgid=<200312250016.hBP0GZp12951@ensim.wofsproperties.com>, proto=ESMTP, daemon=MTA, relay=cable-228-56.inter.net.il [80.230.228.56]
Dec 24 19:16:37 ensim sendmail[12951]: hBP0GZp12951: to=, delay=00:00:02, mailer=virthostmail, pri=31387, stat=queued
Dec 24 19:16:38 ensim MailScanner[10928]: New Batch: Found 5 messages waiting
Dec 24 19:16:38 ensim MailScanner[10928]: New Batch: Scanning 3 messages, 7090 bytes
Dec 24 19:16:38 ensim MailScanner[10928]: Spam Checks: Starting
Dec 24 19:16:39 ensim MailScanner[10928]: Message hBP0GZp12951 from 80.230.228.56 (rblevins_kt@onetelnet.nl) to worldoffengshui.com is spam, SpamAssassin (score=9.354, required 5, BAYES_50 0.00, BIZ_TLD 0.10, HTML_MESSAGE 0.10, MIME_HTML_MOSTLY 1.24, MSGID_FROM_MTA_HEADER 0.70, RCVD_IN_BL_SPAMCOP_NET 1.50, RCVD_IN_DSBL 0.71, RCVD_IN_DYNABLOCK 2.60, RCVD_IN_SORBS 0.10, RCVD_IN_SORBS_HTTP 1.10, RCVD_IN_SORBS_SOCKS 1.20)

I am getting tons of mails in mqueue.in. I have deleted them and now they are building up again....

At 07:16 PM 12/24/2003, you wrote:
>Check your mail log for any reports from MailScanner.
>
>At 10:11 24/12/2003, you wrote:
>>I am getting very high cpu usage by mailscanner.
>>
>>177 processes: 163 sleeping, 3 running, 0 zombie, 11 stopped
>>CPU states: 18.2% user, 4.0% system, 1.0% nice, 31.5% idle
>>Mem: 504792K av, 474500K used, 30292K free, 1508K shrd, 42668K buff
>>Swap: 1020116K av, 137800K used, 882316K free 99664K cached
>>
>>  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME COMMAND
>>31972 root      14   0 25432  20M 12324 R    85.0  4.2   0:19 MailScanner
>>32019 apache     9   0 10200 7456  5636 S     7.5  1.4   0:00 httpd
>>32081 root       9   0  1104 1104   804 R     3.7  0.2   0:00 top
>>32028 apache     9   0  9024 6280  5516 S     0.9  1.2   0:00 httpd
>>
>>
>>Please help!
>>
>>thanks
>
>--
>Julian Field
>www.MailScanner.info
>Professional Support Services at www.MailScanner.biz
>MailScanner thanks transtec Computers for their support
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

thanks

From mailscan at PRIS.CA Wed Dec 24 16:55:08 2003
From: mailscan at PRIS.CA (MailScanner Mailbox)
Date: Thu Jan 12 21:21:39 2006
Subject: Help with spam placement
Message-ID:

Hello folks

I know that this is sort of off topic, but it's the very last thing I need to do before the holidays. I have looked in the MailScanner FAQ as well as the SpamAssassin FAQ and can not find a way to do this.
I have also been to the procmail site but quite frankly I don't understand regular expressions so...

I have mailscanner /w spamassassin happily tagging emails as spam, now I need to deal with them. I am running procmail to have a look at the header, specifically "X-MailScanner-SpamScore: 13"

What type of recipe would I use to catch all mail with a score of 5 or better and throw it into a spam folder? I tried this in my .procmailrc but of course it does not work.

:0:
* ^X-MailScanner-SpamScore:.*(>5)
caughtspam

Thank you for your help
Rick

From faq at mailscanner.info Sun Dec 28 00:28:01 2003
From: faq at mailscanner.info (faq@mailscanner.info)
Date: Thu Jan 12 21:21:39 2006
Subject: Faq-O-Matic Error Log
Message-ID: <200312280028.hBS0S1S2030323@seer.ecs.soton.ac.uk>

Errors from MailScanner Faq-O-Matic (v. 2.717):

2003-12-21-12-05-21 2.717 error editPart 908 <(noID)> Either someone has changed the answer or category you were editing since you received the editing form, or you submitted the same form twice.

Please [Return to the FAQ] and start again to make sure no changes are lost. Sorry for the inconvenience.

(Sequence number in form: 2; in item: 3)
2003-12-21-12-35-23 2.717 error faq 3964 <(noID)> The file (16>) doesn't exist.

From bnixon at NIXTECH.NET Wed Dec 24 14:44:50 2003
From: bnixon at NIXTECH.NET (bnixon)
Date: Thu Jan 12 21:21:39 2006
Subject: RBL timing out
In-Reply-To: <3FE8FF18.7050206@chartermi.net>
Message-ID: <000001c3ca2c$7c4fc440$3e00a8c0@nixtech.net>

I had similar problems with both the rdbl's and my virus software. Iptables can be a stateful firewall (see post from last week) but has to be properly set up to do so. All of my firewall problems went away when I did this and my tables are much smaller. Basically stateful means that if the server makes an outside request then the answer to that request will be allowed back through the firewall automatically.

I used shorewall firewall and the webmin interface to set this up. The default single network card template set the firewall up as stateful by default and all I had to do was open up SMTP and some management ports. You would not believe how much smoother things run now.

B Nixon

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of smhickel
Sent: Tuesday, December 23, 2003 6:51 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: RBL timing out {Scanned by WPPi.Net}

This is a great question. Just this evening I asked myself the same question. I locked down my mailscanner with IPTABLES and tried to figure out what port the RDBL's were using and what port the clamav service used to update itself?

Steve

SW wrote:

>Matt,
>
>Our firewall blocks entire IP blocks with no traffic coming-in or going-out.
>DNS is permitted to go out but only to those IP blocks which are not
>blocked. The only way I see I can get RBL to work is by inputting an IP
>address/range for the ORDB-RBL servers that mailscanner/spamassassin
>contact.
>
>Thanks,
>
>SW
>----- Original Message -----
>From: "Matt Kettler" >To: >Sent: Tuesday, December 23, 2003 4:20 PM >Subject: Re: RBL timing out {Scanned by WPPi.Net} > > >At 04:08 PM 12/23/2003, SW wrote: > > >>I'm trying to figure out what ip address and port(s) I need to open up on >> >> >my > > >>firewall to allow the use of ORDB-RBL w/ Mailscanner and spamassassin: >> >>MailScanner: RBL Check ORDB-RBL timed out and was killed, consecutive >>failure 1 of 7 >> >> > >It's a DNS query. You need to be able to do DNS resolution. > >If your MS/SA machine is it's own resolving server, then it needs to be >able to query to arbitrary DNS servers. > >If your MS/SA machine uses another server for resolution it needs to be >able to talk to that DNS server, and that DNS server needs to be able to >talk to query DNS servers. > >You can tell what machine is being used as a resolver by looking at >/etc/resolv.conf. A machine that's it's own resolver will have "localhost" > > > > > >WPPi.com & WPPi.Net MailScanner Signature >This message has been scanned for viruses >and dangerous content by MailScanner, and >is believed to be clean. >----------------------------------------- > > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. From usergroups at THEARGONCOMPANY.COM Wed Dec 24 15:41:54 2003 
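Added example, not part of the original thread: the "RBL timing out" replies above say an RBL check is an ordinary DNS lookup and that /etc/resolv.conf shows which resolver the host uses. The sketch below builds the name that is looked up and works out, from a resolv.conf, which outbound DNS paths the firewall has to allow. The zone dnsbl.example, the sample resolv.conf and all function names are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample resolv.conf, not taken from any host in the thread.
SAMPLE_RESOLV_CONF = """\
# constructed sample
search example.org
nameserver 127.0.0.1
nameserver 192.0.2.53
"""


def dnsbl_query_name(client_ip, zone):
    """Return the DNS name queried for client_ip: reversed address + zone."""
    rev = ipaddress.ip_address(client_ip).reverse_pointer
    for suffix in (".in-addr.arpa", ".ip6.arpa"):
        if rev.endswith(suffix):
            rev = rev[: -len(suffix)]
    return f"{rev}.{zone.strip('.')}"


def nameservers(resolv_conf_text):
    """List the nameserver entries; with none, the resolver uses the local host."""
    servers = []
    for raw in resolv_conf_text.splitlines():
        fields = raw.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers or ["127.0.0.1"]


def is_local(server):
    """True when the entry points at this machine."""
    if server == "localhost":
        return True
    try:
        return ipaddress.ip_address(server).is_loopback
    except ValueError:
        return False


def dns_egress_needed(resolv_conf_text):
    """For each resolver, say where port 53 (UDP and TCP) must be allowed out.

    "any": the host resolves for itself, so it must reach arbitrary DNS servers.
    "resolver-only": the host only talks to that resolver, which in turn needs
    its own unrestricted DNS access.
    """
    return [
        (server, "any" if is_local(server) else "resolver-only")
        for server in nameservers(resolv_conf_text)
    ]


if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.99", "dnsbl.example"))
    for server, scope in dns_egress_needed(SAMPLE_RESOLV_CONF):
        print(server, scope)
```

There is no fixed RBL server address to open: the reply comes from whatever DNS servers are authoritative for the list's zone, so blocking outbound DNS by IP block produces exactly the timeouts described.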
From: usergroups at THEARGONCOMPANY.COM (usergroups)
Date: Thu Jan 12 21:21:39 2006
Subject: MailScanner slow on my RaQ550 when I access Site or Server Admininstration via Browser...
Message-ID: <00cd01c3ca34$75149860$ec00a8c0@fort.theargoncompany.com>

Hi

I am currently running the following software versions on my Cobalt RaQ550
- mailscanner-4.14-9
- ClamAV version 0.60
- SpamAssassin version 2.55
- sendmail-8.11.6-1C7stackguard

Hardware Configuration
model name : Pentium III (Coppermine)
cpu MHz : 997.194
cache size : 256 KB
RAM: 256 MB

As long as I don't access the Cobalt Admin GUI, my server works just fine... However, the moment I try to login and add/remove users or sites........ BANG... my load average just shoots up to 6-10 and sometimes more.. And of course the GUI takes forever to display list of users and sites....

However, if I just kill sendmail and MailScanner (killall -9 sendmail ; killall -9 MailScanner), the GUI loads up immediately and the load average drops below 2 and I can work normally. The moment I'm done with adding and removing users or sites, I restart MailScanner/Sendmail and I'm fine.

Any ideas how to fine tune MailScanner so that the load average does not shoot up when accessing the Cobalt RaQ GUI?

Regards

Rishi

From ugob at CAMO-ROUTE.COM Wed Dec 24 15:55:36 2003
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:39 2006
Subject: MailScanner slow on my RaQ550 when I access Site or Server Admininstration via Browser...
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE2C8@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: usergroups [mailto:usergroups@THEARGONCOMPANY.COM]
> Sent: Wednesday, December 24, 2003 10:42 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: MailScanner slow on my RaQ550 when I access Site or Server
> Admininstration via Browser...
>
>
> Hi
>
> I am currently running the following software versions on my
> Cobalt RaQ550
> - mailscanner-4.14-9
> - ClamAV version 0.60
> - SpamAssassin version 2.55
> - sendmail-8.11.6-1C7stackguard
>
> Hardware Configuration
> model name : Pentium III (Coppermine)
> cpu MHz : 997.194
> cache size : 256 KB
> RAM: 256 MB
>
> As long as I don't access the Cobalt Admin GUI, my server works just fine...
> However, the moment I try to login and add/remove users or sites........
> BANG... my load average just shoots up to 6-10 and sometimes more.. And
> of course the GUI takes forever to display list of users and sites....
>
> However, if I just kill sendmail and MailScanner (killall -9 sendmail ;
> killall -9 MailScanner), the GUI loads up immediately and the load average
> drops below 2 and I can work normally. The moment I'm done with adding and
> removing users or sites, I restart MailScanner/Sendmail and I'm fine.
>
> Any ideas how to fine tune MailScanner so that the load average does not
> shoot up when accessing the Cobalt RaQ GUI?

I think you'll need to determine what is the bottleneck. Can you run top while loading the GUI? Is the CPU usage going up to 100%, if so, what is the process responsible for that? If not, do you see the swap usage going up a lot? Can you run vmstat 5 while loading the GUI? I think you might begin swapping when loading the GUI.

>
> Regards
>
> Rishi
>

From sysadmin at FLEETONE.COM Wed Dec 24 15:58:56 2003
From: sysadmin at FLEETONE.COM (Rob Freeman)
Date: Thu Jan 12 21:21:39 2006
Subject: Move tagged spam to folder
Message-ID: <088b01c3ca36$d5f14730$45a610ac@fleetone.com>

I am sure I am just missing something here, but I have not been able to figure it out.

Before I moved to MailScanner, I used Spamassassin and in my user's procmail file, I would move all email tagged as spam to their IMAP spam folder. My users file looks like this:

LOGFILE=$HOME/.log.procmail
`test -d $VHOME/Maildir/.Spam`
if ( $RETURNCODE == 1 )
{
  `/usr/local/bin/maildirmake -f Spam $VHOME/Maildir`
  `echo Inbox.Spam >> $VHOME/Maildir/courierimapsubscribed`
}

DROPPRIVS=yes

:0
* ^^rom[ ]
{
  LOG="*** Dropped F off From_ header! Fixing up. "

  :0 fhw
  | sed -e '1s/^/F/'
}

:0:
* ^X-Spam-Status: Yes
mail/Spam

Now, I have MailScanner running with Spamassassin turned on. If Spamassassin tags the message, it still goes into the Spam folder. If MailScanner tags it, it goes into the Inbox. I tried changing the tag in the MailScanner.conf file to look like the Spamassassin one of SPAM, but that did not work. I still get a few FP on email, so I do not just want to delete the spam before it is reviewed.

Thanks

Rob

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031224/f1563806/attachment.html

From nathan at TCPNETWORKS.NET Wed Dec 24 16:07:38 2003
From: nathan at TCPNETWORKS.NET (Nathan Johanson)
Date: Thu Jan 12 21:21:39 2006
Subject: Bayes Poisoning? Spam with negative BAYES Scores - ahhhh
Message-ID:

Yep, I continue to see lots of SPAM getting through due to negative hits on Bayes.

SpamAssassin (score=0.801, required 4, BAYES_00 -4.90, FORGED_RCVD_NET_HELO 4.10, HTML_MESSAGE 0.10, RCVD_NUMERIC_HELO 1.50)

This is my game plan. I plan to implement these modifications in stages:

(1) Upgrade to SpamAssassin 2.61. Already done and made no difference.

(2) Implement the bigevil.cf and other rulesets available at the "Spamassassin Custom Rule Emporium"
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm

(3) Experiment with some different blacklists. Many of these messages are still getting tagged by NJABL, but not all of them.

(4) I have been collecting a sampling of the offending spam and noticed that the majority of these messages are originating from one IP address (with a domain I recognize and one I've blacklisted in the past). I plan to add this IP to our Sendmail access list and reject mail from the offending source. However, this will reduce the amount but not stop it completely.

(5) Create some spam trap accounts (sales@ or webmaster@) and start training the bayes databases manually. I have been relying on the autolearning mechanism up to this point and it's clear that this isn't enough. I figure that if I feed some of these offending messages in to the system as SPAM, it should help resolve the problem. However, I am a little worried that this may tip the scales the other direction and cause more false positives. **Note: Anyone with some good pointers on this strategy, please send me your advice**

(6) Join the SpamAssassin mailing list and report the problems there. I already searched the archives and did note a few references to this issue, but no concrete resolutions.

(7) Disable Bayes altogether and see what happens.

(8) Shrug my shoulders and write this off as just another example of the "cold war" between spammers and those who want to stop them. The spammers have the upper hand and call me skeptical, but there will never be 100% reliability.

Nathan

-----Original Message-----
From: Pete [mailto:pete@eatathome.com.au]
Sent: Saturday, December 20, 2003 4:16 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Bayes Poisoning? Spam with negative BAYES Scores - ahhhh

-------- Original Message --------
From: - Sat Dec 20 22:36:03 2003
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00800000
Message-ID: <3FE4341E.5020900@eatathome.com.au>
Date: Sat, 20 Dec 2003 22:35:58 +1100
From: Pete
Reply-To: pete@eatathome.com.au
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) Gecko/20031013 Thunderbird/0.3
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: peter.peters@utwente.nl
Subject: Re: Bayes Poisoning? Spam with negative BAYES Scores - ahhhh
References: <3FE2110D.4000804@pacific.net> <3FE26817.5070507@eatathome.com.au>
In-Reply-To:
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Peter Peters wrote:

>On Fri, 19 Dec 2003 13:53:11 +1100, you wrote:
>
>>I am starting to find that as the bayes DB is getting larger that more
>>spam is starting to get through. I have only installed 6 weeks ago and
>>in the last 2 weeks i have a steady increase in spam not being trapped -
>>is there bayes maintenance i need to do? maybe its something completely
>>unrelated, but it seemed logical to me.
>
>I save undetected spam and feed that into sa-learn. I am working on
>filters that do the same with spam that is detected but has a negative
>bayes score.
>
>--
>Peter Peters, senior netwerkbeheerder
>Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
>Universiteit Twente, Postbus 217, 7500 AE Enschede
>telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

Hi and thanks - I currently don't have the option for creating spam/notspam mail accounts - and the count of spam being let through is now starting become a huge issue - heaps of spam is not being trapped, or the reason Nathan pointed out above - Nathan, have you found some type of fix? I am no guru at this and don't want to have a long list of SA custom rules I don't know a lot about. Are these the only 2 options I have? or delete or stop using bayes?

From damian at WORKGROUPSOLUTIONS.COM Wed Dec 24 16:36:40 2003
From: damian at WORKGROUPSOLUTIONS.COM (Damian Mendoza)
Date: Thu Jan 12 21:21:39 2006
Subject: spamassassin timeout again...
Message-ID:

If you find a solution, let me know. I've given up trying to eliminate all spamassassin Timed out errors. I just live with the 200 timed out errors we receive each day - 200 spams is not bad for 5,000 messages per day.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of kfliong
Sent: Wednesday, December 24, 2003 1:43 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: spamassassin timeout again...

Hi,

I am sure a lot of ppl have asked this question before..but I just re-installed and updated mailscanner and spamassassin but keep getting spamassassin timeout error in the maillog. I have tried changing the timeout to 90 which a lot of ppl says will solve the problem but I still get the timeout error.

What can I do?

thanks

From mkettler at EVI-INC.COM Wed Dec 24 16:50:21 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:21:39 2006
Subject: Bayes Poisoning? Spam with negative BAYES Scores - ahhhh
In-Reply-To:
References:
Message-ID: <6.0.0.22.0.20031224113446.02d46d88@xanadu.evi-inc.com>

Short summary: Do not rely on autolearning as a sole source of bayes training. It doesn't work.

At 11:07 AM 12/24/2003, Nathan Johanson wrote:
>Yep, I continue to see lots of SPAM getting through due to negative hits
>on Bayes.
>
>SpamAssassin (score=0.801,
>required 4, BAYES_00 -4.90, FORGED_RCVD_NET_HELO 4.10,
>HTML_MESSAGE 0.10, RCVD_NUMERIC_HELO 1.50)
>
>This is my game plan. I plan to implement these modifications in stages:

>(5) Create some spam trap accounts (sales@ or webmaster@) and start
>training the bayes databases manually. I have been relying on the
>autolearning mechanism up to this point and it's clear that this isn't
>enough. I figure that if I feed some of these offending messages in to
>the system as SPAM, it should help resolve the problem. However, I am a
>little worried that this may tip the scales the other direction and
>cause more false positives. **Note: Anyone with some good pointers on
>this strategy, please send me your advice**

YES! Do this ASAP. SpamAssassin's bayes engine MUST be manually trained to be effective.. bayes databases resulting from auto-learning only do not work well, as you've seen. The autolearn function is intended to be a supplement to, but not a replacement for, manual training.

If you don't have any good source of ham training, set up some "anti-spamtraps" too, create an account, and subscribe it to some legitimate newsletters.. feed its mail as --ham training.

A good, healthy bayes database that's well fed avoids a lot of these bayes misclassifications. I still get a few in the BAYES_44 or so range, but I've not gotten many BAYES_00 spams.

Out of 3191 tagged spams and 319 false negatives I have on-hand only 11 matched BAYES_00.

(Note: that's not representative of my FN rate.... the false negatives are ALL of my FN's going back to 2002. I discard old tagged spam regularly. All 3191 tagged spams are fresh enough to have been run against bayes)

From robin at PRIMUS.CA Wed Dec 24 17:01:25 2003
From: robin at PRIMUS.CA (Robin M.)
Date: Thu Jan 12 21:21:39 2006
Subject: Help with spam placement
In-Reply-To:
References:
Message-ID:

On Wed, 24 Dec 2003, MailScanner Mailbox wrote:

> What type of recipe would I use to catch all mail with a score of 5 or
> better and throw it into a spam folder?
>

Here is an example using Maildirs

:0
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
$MAILDIR/.spam.definitely/

:0
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*
$MAILDIR/.spam.probably/

:0
* ^X-Spam-Level: \*\*\*\*\*\*
$MAILDIR/.spam.maybe/

From mark at TIPPINGMAR.COM Wed Dec 24 17:55:33 2003
From: mark at TIPPINGMAR.COM (Mark Nienberg)
Date: Thu Jan 12 21:21:39 2006
Subject: Bayes Poisoning? Spam with negative BAYES Scores - ahhhh
In-Reply-To: <6.0.0.22.0.20031224113446.02d46d88@xanadu.evi-inc.com>
References:
Message-ID: <3FE96295.27818.476D3A86@localhost>

I finally decided to modify the scores for Bayes probabilities less than 50%, so Bayes will not reduce overall spam scores anymore. If Bayes thinks the message is spam, it will increase the score as always. If it thinks it is not spam, there will be no significant reduction in score. Here is what I put in spam.assassin.prefs.conf.

score BAYES_00 0 0 -0.05 -0.05
score BAYES_01 0 0 -0.04 -0.04
score BAYES_10 0 0 -0.03 -0.03
score BAYES_20 0 0 -0.02 -0.02
score BAYES_30 0 0 -0.01 -0.01

Most of the spam where I see Bayes erroneously giving low probabilities consists of a single html image (with the real message) and then a bunch of random dictionary words, probably intended to trigger a negative Bayes score. I don't think training Bayes on these spam messages is going to help any. Won't it just tokenize the random dictionary words and begin to associate them with spam?

Mark

From mark at TIPPINGMAR.COM Wed Dec 24 18:09:26 2003
From: mark at TIPPINGMAR.COM (Mark Nienberg)
Date: Thu Jan 12 21:21:39 2006
Subject: Move tagged spam to folder
In-Reply-To: <088b01c3ca36$d5f14730$45a610ac@fleetone.com>
Message-ID: <3FE965D6.10915.4779EF86@localhost>

Probably the most common setup is to use MailScanner's two-level scoring approach, where you specify a minimum value to be considered spam (usually 5) and a minimum value to be considered "high-scoring" spam (I use 12, I think the default is 15). Then allow MailScanner to delete the "high-scoring" spam and tell it to deliver the rest of the spam, but first alter the subject line. By default the subject line is altered to include "{Spam?}" at the beginning. That is something that can be filtered on very simply in procmail. Details of all this can be found in the MailScanner.conf file.

Mark

On 24 Dec 2003 at 9:58, Rob Freeman wrote:

>
> I am sure I am just missing something here, but I have not been able to figure it out.
>
> Before I moved to MailScanner, I used Spamassassin and in my user's procmail file, I would
> move all email tagged as spam to their IMAP spam folder. My users file looks like this:
>
> LOGFILE=$HOME/.log.procmail
> `test -d $VHOME/Maildir/.Spam`
> if ( $RETURNCODE == 1 )
> {
> `/usr/local/bin/maildirmake -f Spam $VHOME/Maildir`
> `echo Inbox.Spam >> $VHOME/Maildir/courierimapsubscribed`
> }
>
> DROPPRIVS=yes
>
> :0
> * ^^rom[ ]
> {
> LOG="*** Dropped F off From_ header! Fixing up. "
>
> :0 fhw
> | sed -e '1s/^/F/'
> }
>
> :0:
> * ^X-Spam-Status: Yes
> mail/Spam
> Now, I have MailScanner running with Spamassassin turned on. If Spamassassin tags the
> message, it still goes into the Spam folder. If MailScanner tags it, it goes into the Inbox. I tried
> changing the tag in the MailScanner.conf file to look like the Spamassassin one of SPAM, but that
> did not work. I still get a few FP on email, so I do not just want to delete the spam before it is
> reviewed.
>
> Thanks
>
> Rob
>

--
Mark W. Nienberg, SE
Tipping Mar + associates
1906 Shattuck Ave, Berkeley, CA 94704
visit our website at http://www.tippingmar.com

From nathan at TCPNETWORKS.NET Wed Dec 24 18:36:19 2003
From: nathan at TCPNETWORKS.NET (Nathan Johanson)
Date: Thu Jan 12 21:21:39 2006
Subject: Bayes Poisoning? Spam with negative BAYES Scores - ahhhh
Message-ID:

> Most of the spam where I see Bayes erroneously giving low probabilities consists of
> a single html image (with the real message) and then a bunch of random dictionary
> words, probably intended to trigger a negative Bayes score. I don't think training
> Bayes on these spam messages is going to help any. Won't it just tokenize the
> random dictionary words and begin to associate them with spam?

This is a perfect description of the kinds of SPAM I've seen recently. And I'm with you, I'm a little concerned that "learning" these messages would tip the scales in the other direction and perhaps lead to false positives. However, I do think I will start catching these messages and learning them manually (on at least one of my production boxes).

I do like the idea behind reducing the Bayes probabilities. Please let me know how this works for you. I'm curious if it's enough to fix the problem, or if it impacts your filtering in some other unforeseen way.

Nathan

-----Original Message-----
From: Mark Nienberg [mailto:mark@TIPPINGMAR.COM]
Sent: Wednesday, December 24, 2003 9:56 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Bayes Poisoning? Spam with negative BAYES Scores - ahhhh

I finally decided to modify the scores for Bayes probabilities less than 50%, so Bayes will not reduce overall spam scores anymore. If Bayes thinks the message is spam, it will increase the score as always. If it thinks it is not spam, there will be no significant reduction in score. Here is what I put in spam.assassin.prefs.conf.

score BAYES_00 0 0 -0.05 -0.05
score BAYES_01 0 0 -0.04 -0.04
score BAYES_10 0 0 -0.03 -0.03
score BAYES_20 0 0 -0.02 -0.02
score BAYES_30 0 0 -0.01 -0.01

Most of the spam where I see Bayes erroneously giving low probabilities consists of a single html image (with the real message) and then a bunch of random dictionary words, probably intended to trigger a negative Bayes score. I don't think training Bayes on these spam messages is going to help any. Won't it just tokenize the random dictionary words and begin to associate them with spam?

Mark

From chris at FRACTALWEB.COM Wed Dec 24 18:42:55 2003
From: chris at FRACTALWEB.COM (Chris Yuzik)
Date: Thu Jan 12 21:21:39 2006
Subject: Bayes Poisoning? Spam with negative BAYES Scores - ahhhh
In-Reply-To:
References:
Message-ID: <1072291375.8679.16.camel@venus.fractal>

On Wed, 2003-12-24 at 10:36, Nathan Johanson wrote:

> This is a perfect description of the kinds of SPAM I've seen recently.
> And I'm with you, I'm a little concerned that "learning" these messages
> would tip the scales in the other direction and perhaps lead to false
> positives. However, I do think I will start catching these messages and
> learning them manually (on at least one of my production boxes).
>
> I do like the idea behind reducing the Bayes probabilities. Please let
> me know how this works for you. I'm curious if it's enough to fix the
> problem, or if it impacts your filtering in some other unforeseen way.

Would it be useful, or even possible, to have MailScanner store messages that have certain SpamAssassin rule hits? That way, we could keep an archive of any messages that come in with a negative Bayes score.

Chris

From nerijus at USERS.SOURCEFORGE.NET Wed Dec 24 19:25:20 2003
From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas)
Date: Thu Jan 12 21:21:39 2006
Subject: new TNEF
Message-ID: <20031224192910.797F970B5@mail.ktv.lt>

Hello,

New tnef 1.2.3 from tnef.sourceforge.net has the following changes:

Added maxsize command line option to only allow allocations of memory for objects up to a specified size.

Maybe now there is no need to use patched tnef rpm?

Regards,
Nerijus

From wppiphoto at wppi.com Wed Dec 24 21:07:18 2003
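Added example, not part of the original thread and not MailScanner's own code: for the "Bayes Poisoning?" discussion above, this sketch parses the SpamAssassin report that MailScanner writes to the mail log and lists messages that stayed under the threshold only because of a negative Bayes hit, using the capped BAYES_* scores Mark Nienberg posted. The sample log lines are constructed; the "is not spam" wording and having non-spam reports logged at all are assumptions about the local setup, and the function names are hypothetical.

```python
import re

# Constructed sample lines. The "is spam" wording follows the log excerpt in
# this archive; the "is not spam" lines are an assumed format.
SAMPLE_LOG = """\
Dec 24 10:01:12 mx1 MailScanner[4242]: Message hBOAAA000001 from 192.0.2.10 (a@example.net) to example.org is not spam, SpamAssassin (score=0.801, required 4, BAYES_00 -4.90, FORGED_RCVD_NET_HELO 4.10, HTML_MESSAGE 0.10, RCVD_NUMERIC_HELO 1.50)
Dec 24 10:01:15 mx1 MailScanner[4242]: Message hBOAAA000002 from 192.0.2.20 (b@example.net) to example.org is not spam, SpamAssassin (score=-4.80, required 4, BAYES_00 -4.90, HTML_MESSAGE 0.10)
Dec 24 10:01:19 mx1 MailScanner[4242]: Message hBOAAA000003 from 192.0.2.30 (c@example.net) to example.org is spam, SpamAssassin (score=4.30, required 4, BAYES_20 -1.40, FORGED_RCVD_NET_HELO 4.10, MIME_HTML_ONLY 0.10, RCVD_NUMERIC_HELO 1.50)
Dec 24 10:01:20 mx1 MailScanner[4242]: Spam Checks: Found 1 spam messages
"""

# Bayes scores from the spam.assassin.prefs.conf lines quoted in the thread
# (third and fourth columns, the score sets used when Bayes is enabled).
CAPPED_BAYES = {
    "BAYES_00": -0.05,
    "BAYES_01": -0.04,
    "BAYES_10": -0.03,
    "BAYES_20": -0.02,
    "BAYES_30": -0.01,
}

REPORT_RE = re.compile(
    r"SpamAssassin \(score=(-?[\d.]+),\s*required (-?[\d.]+),?\s*(.*?)\)")
MSGID_RE = re.compile(r"\bMessage (\S+) from")
RULE_RE = re.compile(r"([A-Z][A-Z0-9_]*) (-?\d+(?:\.\d+)?)")


def parse_report(line):
    """Return id, score, threshold and per-rule scores, or None if no report."""
    m = REPORT_RE.search(line)
    if not m:
        return None
    msg = MSGID_RE.search(line)
    rules = {name: float(val) for name, val in RULE_RE.findall(m.group(3))}
    return {
        "id": msg.group(1) if msg else None,
        "score": float(m.group(1)),
        "required": float(m.group(2)),
        "rules": rules,
    }


def rescore(report, overrides):
    """Total score if the listed rules had scored the override values instead."""
    total = report["score"]
    for rule, new_value in overrides.items():
        if rule in report["rules"]:
            total += new_value - report["rules"][rule]
    return round(total, 3)


def bayes_flipped(log_text, overrides=CAPPED_BAYES):
    """Messages under the threshold that would be tagged with capped Bayes."""
    hits = []
    for line in log_text.splitlines():
        rep = parse_report(line)
        if rep is None or rep["score"] >= rep["required"]:
            continue  # not a report line, or already tagged as spam
        new_score = rescore(rep, overrides)
        if new_score >= rep["required"]:
            hits.append((rep["id"], rep["score"], new_score))
    return hits


if __name__ == "__main__":
    for msg_id, old, new in bayes_flipped(SAMPLE_LOG):
        print(f"{msg_id}: logged {old}, with capped Bayes {new}")
```

The message ids it returns are the candidates to pull for review and manual sa-learn training; the second sample line shows that ordinary mail with a BAYES_00 hit and no other rule hits stays well under the threshold after capping.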
From: wppiphoto at wppi.com (SW)
Date: Thu Jan 12 21:21:39 2006
Subject: Spam Messages not being delivered {Scanned}
Message-ID: <009201c3ca61$f31df0d0$3a95a644@Toshiba>

It appears that something is not right in my mailscanner.conf file because I have it setup to put spam messages as attachments and I thought it was supposed to still deliver them on but they are not coming in. The only thing I see is in my logs which state:

Dec 24 14:38:06 ns1 MailScanner[7428]: New Batch: Scanning 1 messages, 2976 bytes
Dec 24 14:38:06 ns1 MailScanner[7428]: Spam Checks: Starting
Dec 24 14:38:08 ns1 MailScanner[7428]: Message hBOJbpd07648 from 200.90.104.106 (nyadwor@mail.plugged.com.lb) to wppi.com is spam, SpamAssassin (score=36.642, required 6, AS_SEEN_ON 1.87, BANG_EXERCISE 1.22, BANG_GUARANTEE 1.10, BANG_OPRAH 2.16, BIZ_TLD 0.78, CLICK_BELOW 0.00, COMPLETELY_FREE 0.74, DATE_SPAMWARE_Y2K 4.40, FORGED_MUA_OUTLOOK 1.58, FORGED_OUTLOOK_TAGS 1.10, HTML_30_40 0.81, HTML_FONTCOLOR_UNKNOWN 0.10, HTML_LINK_CLICK_HERE 0.10, HTML_MESSAGE 0.00, LOSEBODYFAT 3.31, MIME_HTML_NO_CHARSET 0.72, MIME_HTML_ONLY 0.10, MIME_HTML_ONLY_MULTI 1.10, MISSING_MIMEOLE 1.15, OPT_IN_CAPS 0.29, REVERSE_AGING 4.30, WE_HONOR_ALL 4.30, WHILE_YOU_SLEEP 1.10, WRINKLES 4.30)
Dec 24 14:38:08 ns1 MailScanner[7428]: Spam Checks: Found 1 spam messages
Dec 24 14:38:08 ns1 MailScanner[7428]: Spam Actions: message hBOJbpd07648 actions are attachment

Any ideas what I did wrong?

Thanks,

SW

-------------------------------------------------
WPPi.com | WPPi.Net
-------------------------------------------------
http://www.wppi.com | http://www.wppi.net
-------------------------------------------------
WPPi.com & WPPi.Net MailScanner Signature
This message has been scanned for viruses
and dangerous content by WPPi MailScanner,
and has been found to be clean.
-------------------------------------------------

From wppiphoto at wppi.com Wed Dec 24 21:31:08 2003
From: wppiphoto at wppi.com (SW)
Date: Thu Jan 12 21:21:39 2006
Subject: Spam Messages not being delivered {Scanned}
References: <54C38A0B814C8E438EF73FC76F3629273AE2C9@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <00a001c3ca65$4a9b5f70$3a95a644@Toshiba>

Ugo,

Where would I put that?

Here is what I have in my mailscanner.conf file:

Spam Actions = attachment

High Scoring Spam Actions = attachment

Do I need to add something to the above lines?

Thanks,

SW

----- Original Message -----
From: "Ugo Bellavance"
To: "SW"
Sent: Wednesday, December 24, 2003 4:16 PM
Subject: RE: Spam Messages not being delivered {Scanned}

Did you try putting

attachment deliver

instead of just

attachment

?

Ugo

> -----Original Message-----
> From: SW [mailto:wppiphoto@wppi.com]
> Sent: Wednesday, December 24, 2003 4:07 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Spam Messages not being delivered {Scanned}
>
>
> It appears that something is not right in my mailscanner.conf file because I
> have it setup to put spam messages as attachments and I thought it was
> supposed to still deliver them on but they are not coming in. The only thing
> I see is in my logs which state:
>
> Dec 24 14:38:06 ns1 MailScanner[7428]: New Batch: Scanning 1 messages, 2976 bytes
> Dec 24 14:38:06 ns1 MailScanner[7428]: Spam Checks: Starting
> Dec 24 14:38:08 ns1 MailScanner[7428]: Message hBOJbpd07648 from 200.90.104.106 (nyadwor@mail.plugged.com.lb) to wppi.com is spam, SpamAssassin (score=36.642, required 6, AS_SEEN_ON 1.87, BANG_EXERCISE 1.22, BANG_GUARANTEE 1.10, BANG_OPRAH 2.16, BIZ_TLD 0.78, CLICK_BELOW 0.00, COMPLETELY_FREE 0.74, DATE_SPAMWARE_Y2K 4.40, FORGED_MUA_OUTLOOK 1.58, FORGED_OUTLOOK_TAGS 1.10, HTML_30_40 0.81, HTML_FONTCOLOR_UNKNOWN 0.10, HTML_LINK_CLICK_HERE 0.10, HTML_MESSAGE 0.00, LOSEBODYFAT 3.31, MIME_HTML_NO_CHARSET 0.72, MIME_HTML_ONLY 0.10, MIME_HTML_ONLY_MULTI 1.10, MISSING_MIMEOLE 1.15, OPT_IN_CAPS 0.29, REVERSE_AGING 4.30, WE_HONOR_ALL 4.30, WHILE_YOU_SLEEP 1.10, WRINKLES 4.30)
> Dec 24 14:38:08 ns1 MailScanner[7428]: Spam Checks: Found 1 spam messages
> Dec 24 14:38:08 ns1 MailScanner[7428]: Spam Actions: message hBOJbpd07648 actions are attachment
>
> Any ideas what I did wrong?
>
> Thanks,
>
> SW
>
>
> -------------------------------------------------
> WPPi.com | WPPi.Net
> -------------------------------------------------
> http://www.wppi.com | http://www.wppi.net
> -------------------------------------------------
> WPPi.com & WPPi.Net MailScanner Signature
> This message has been scanned for viruses
> and dangerous content by WPPi MailScanner,
> and has been found to be clean.
> -------------------------------------------------
>

-------------------------------------------------
WPPi.com | WPPi.Net
-------------------------------------------------
http://www.wppi.com | http://www.wppi.net
-------------------------------------------------
WPPi.com & WPPi.Net MailScanner Signature
This message has been scanned for viruses
and dangerous content by WPPi MailScanner,
and has been found to be clean.
-------------------------------------------------

From ugob at CAMO-ROUTE.COM Wed Dec 24 21:32:45 2003
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:39 2006
Subject: Spam Messages not being delivered {Scanned}
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE2CA@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: SW [mailto:wppiphoto@wppi.com]
> Sent: Wednesday, December 24, 2003 4:31 PM
> To: Ugo Bellavance
> Cc: Mailscanner Usergroup
> Subject: Re: Spam Messages not being delivered {Scanned}
>
>
> Ugo,
>
> Where would I put that?
>
> Here is what I have in my mailscanner.conf file:
>
> Spam Actions = attachment
>
> High Scoring Spam Actions = attachment
>
> Do I need to add something to the above lines?

Yes

Spam Actions = attachment deliver
>
High Scoring Spam Actions = attachment deliver

>
> Thanks,
>
> SW
> ----- Original Message -----
> From: "Ugo Bellavance"
> To: "SW"
> Sent: Wednesday, December 24, 2003 4:16 PM
> Subject: RE: Spam Messages not being delivered {Scanned}
>
>
> Did you try putting
>
> attachment deliver
>
> instead of just
>
> attachment
>
> ?
>
> Ugo
>
> > -----Original Message-----
> > From: SW [mailto:wppiphoto@wppi.com]
> > Sent: Wednesday, December 24, 2003 4:07 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Spam Messages not being delivered {Scanned}
> >
> >
> > It appears that something is not right in my mailscanner.conf file because I
> > have it setup to put spam messages as attachments and I thought it was
> > supposed to still deliver them on but they are not coming in. The only thing
> > I see is in my logs which state:
> >
> > Dec 24 14:38:06 ns1 MailScanner[7428]: New Batch: Scanning 1 messages, 2976 bytes
> > Dec 24 14:38:06 ns1 MailScanner[7428]: Spam Checks: Starting
> > Dec 24 14:38:08 ns1 MailScanner[7428]: Message hBOJbpd07648 from 200.90.104.106 (nyadwor@mail.plugged.com.lb) to wppi.com is spam, SpamAssassin (score=36.642, required 6, AS_SEEN_ON 1.87, BANG_EXERCISE 1.22, BANG_GUARANTEE 1.10, BANG_OPRAH 2.16, BIZ_TLD 0.78, CLICK_BELOW 0.00, COMPLETELY_FREE 0.74, DATE_SPAMWARE_Y2K 4.40, FORGED_MUA_OUTLOOK 1.58, FORGED_OUTLOOK_TAGS 1.10, HTML_30_40 0.81, HTML_FONTCOLOR_UNKNOWN 0.10, HTML_LINK_CLICK_HERE 0.10, HTML_MESSAGE 0.00, LOSEBODYFAT 3.31, MIME_HTML_NO_CHARSET 0.72, MIME_HTML_ONLY 0.10, MIME_HTML_ONLY_MULTI 1.10, MISSING_MIMEOLE 1.15, OPT_IN_CAPS 0.29, REVERSE_AGING 4.30, WE_HONOR_ALL 4.30, WHILE_YOU_SLEEP 1.10, WRINKLES 4.30)
> > Dec 24 14:38:08 ns1 MailScanner[7428]: Spam Checks: Found 1 spam messages
> > Dec 24 14:38:08 ns1 MailScanner[7428]: Spam Actions: message hBOJbpd07648 actions are attachment
> >
> > Any ideas what I did wrong?
> >
> > Thanks,
> >
> > SW
> >
> >
> > -------------------------------------------------
> > WPPi.com | WPPi.Net
> > -------------------------------------------------
> > http://www.wppi.com | http://www.wppi.net
> > -------------------------------------------------
> > WPPi.com & WPPi.Net MailScanner Signature
> > This message has been scanned for viruses
> > and dangerous content by WPPi MailScanner,
> > and has been found to be clean.
> > -------------------------------------------------
> >
>
> -------------------------------------------------
> WPPi.com | WPPi.Net
> -------------------------------------------------
> http://www.wppi.com | http://www.wppi.net
> -------------------------------------------------
> WPPi.com & WPPi.Net MailScanner Signature
> This message has been scanned for viruses
> and dangerous content by WPPi MailScanner,
> and has been found to be clean.
> -------------------------------------------------
>

From ugob at CAMO-ROUTE.COM Wed Dec 24 21:38:24 2003
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:39 2006
Subject: Spam Messages not being delivered {Scanned}
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE2CB@mtlnt501fs.CAMOROUTE.COM>

Good.

> -----Original Message-----
> From: SW [mailto:wppiphoto@wppi.com]
> Sent: Wednesday, December 24, 2003 4:37 PM
> To: Ugo Bellavance
> Subject: Re: Spam Messages not being delivered {Scanned}
>
>
> Ugo,
>
> Thank you!!! That did it.
>
> SW
> ----- Original Message -----
> From: "Ugo Bellavance" > To: "SW" > Cc: "MailScanner List (E-mail)" > Sent: Wednesday, December 24, 2003 4:32 PM > Subject: RE: Spam Messages not being delivered {Scanned} > > > > > > -----Message d'origine----- > > De : SW [mailto:wppiphoto@wppi.com] > > Envoy? : Wednesday, December 24, 2003 4:31 PM > > ? : Ugo Bellavance > > Cc : Mailscanner Usergroup > > Objet : Re: Spam Messages not being delivered {Scanned} > > > > > > Ugo, > > > > Where would I put that? > > > > Here is what I have in my mailscanner.conf file: > > > > Spam Actions = attachment > > > > High Scoring Spam Actions = attachment > > > > Do I need to add something to the above lines? > > > Yes > > Spam Actions = attachment deliver > > > High Scoring Spam Actions = attachment deliver > > > > Thanks, > > > > SW > > ----- Original Message ----- 
> > From: "Ugo Bellavance"
> > To: "SW"
> > Sent: Wednesday, December 24, 2003 4:16 PM
> > Subject: RE: Spam Messages not being delivered {Scanned}
> >
> >
> > Did you try putting
> >
> > attachment deliver
> >
> > instead of just
> >
> > attachment
> >
> > ?
> >
> > Ugo
> >
> > > -----Original Message-----
> > > From: SW [mailto:wppiphoto@wppi.com]
> > > Sent: Wednesday, December 24, 2003 4:07 PM
> > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > Subject: Spam Messages not being delivered {Scanned}
> > >
> > >
> > > It appears that something is not right in my mailscanner.conf file because I
> > > have it set up to put spam messages as attachments and I thought it was
> > > supposed to still deliver them on but they are not coming in. The only thing
> > > I see is in my logs which state:
> > >
> > > Dec 24 14:38:06 ns1 MailScanner[7428]: New Batch: Scanning 1 messages, 2976 bytes
> > > Dec 24 14:38:06 ns1 MailScanner[7428]: Spam Checks: Starting
> > > Dec 24 14:38:08 ns1 MailScanner[7428]: Message hBOJbpd07648 from
> > > 200.90.104.106 (nyadwor@mail.plugged.com.lb) to wppi.com is spam,
> > > SpamAssassin (score=36.642, required 6, AS_SEEN_ON 1.87, BANG_EXERCISE 1.22,
> > > BANG_GUARANTEE 1.10, BANG_OPRAH 2.16, BIZ_TLD 0.78, CLICK_BELOW 0.00,
> > > COMPLETELY_FREE 0.74, DATE_SPAMWARE_Y2K 4.40, FORGED_MUA_OUTLOOK 1.58,
> > > FORGED_OUTLOOK_TAGS 1.10, HTML_30_40 0.81, HTML_FONTCOLOR_UNKNOWN 0.10,
> > > HTML_LINK_CLICK_HERE 0.10, HTML_MESSAGE 0.00, LOSEBODYFAT 3.31,
> > > MIME_HTML_NO_CHARSET 0.72, MIME_HTML_ONLY 0.10, MIME_HTML_ONLY_MULTI 1.10,
> > > MISSING_MIMEOLE 1.15, OPT_IN_CAPS 0.29, REVERSE_AGING 4.30, WE_HONOR_ALL
> > > 4.30, WHILE_YOU_SLEEP 1.10, WRINKLES 4.30)
> > > Dec 24 14:38:08 ns1 MailScanner[7428]: Spam Checks: Found 1 spam messages
> > > Dec 24 14:38:08 ns1 MailScanner[7428]: Spam Actions: message hBOJbpd07648
> > > actions are attachment
> > >
> > > Any ideas what I did wrong?
> > >
> > > Thanks,
> > >
> > > SW

From sysadmins at ENHTECH.COM Wed Dec 24 22:08:35 2003
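The symptom in the "Spam Messages not being delivered" thread above (a message flagged as spam, an action list of `attachment` with no `deliver`, and nothing arriving in the mailbox) can be read straight from the maillog. The following Python script is an added example, not part of the original posts and not MailScanner code: it pairs each "is spam" verdict with its "Spam Actions" line and lists the messages whose actions lack `deliver`. The log lines are constructed in the format quoted in the thread, and treating a missing `deliver` as "withheld from the recipient" is an assumption taken from the fix reported there.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format of the log excerpt quoted in the thread.
# Host, message IDs and addresses are made up; rule lists are shortened, so
# the per-rule values do not add up to the totals.
SAMPLE_LOG = """\
Dec 24 14:38:06 mx1 MailScanner[7428]: Spam Checks: Starting
Dec 24 14:38:08 mx1 MailScanner[7428]: Message hEX0000001 from 192.0.2.10 (a@example.net) to example.com is spam, SpamAssassin (score=36.642, required 6, AS_SEEN_ON 1.87, BANG_OPRAH 2.16, DATE_SPAMWARE_Y2K 4.40)
Dec 24 14:38:08 mx1 MailScanner[7428]: Spam Actions: message hEX0000001 actions are attachment
Dec 24 16:40:11 mx1 MailScanner[7431]: Message hEX0000002 from 192.0.2.11 (b@example.net) to example.com is spam, SpamAssassin (score=6.652, required 5, BAYES_30 -0.90, MSGID_FROM_MTA_SHORT 3.03, RCVD_IN_DYNABLOCK 2.60)
Dec 24 16:40:11 mx1 MailScanner[7431]: Spam Actions: message hEX0000002 actions are attachment deliver
Dec 24 19:16:31 mx1 MailScanner[10928]: Message hEX0000003 from 192.0.2.12 (c@example.net) to example.com is spam, SpamAssassin (score=18.783, required 5, BAYES_90 2.10, ONLINE_PHARMACY 3.77)
Dec 24 19:16:31 mx1 MailScanner[10928]: Spam Actions: message hEX0000003 actions are delete
"""

VERDICT_RE = re.compile(
    r"MailScanner\[\d+\]: Message (?P<id>\S+) from (?P<ip>\S+) "
    r"\((?P<sender>[^)]*)\) to (?P<to>\S+) is spam, "
    r"SpamAssassin \((?P<detail>.*)\)\s*$"
)
ACTIONS_RE = re.compile(
    r"MailScanner\[\d+\]: Spam Actions: message (?P<id>\S+) "
    r"actions are (?P<actions>.+?)\s*$"
)


@dataclass
class SpamRecord:
    msg_id: str
    score: float
    required: float
    rules: Dict[str, float]
    actions: Optional[List[str]] = None  # None until a "Spam Actions" line is seen

    @property
    def margin(self) -> float:
        """How far the score is above the spam threshold."""
        return round(self.score - self.required, 3)

    @property
    def delivered(self) -> Optional[bool]:
        """True/False once the action list is known, None otherwise."""
        if self.actions is None:
            return None
        return "deliver" in self.actions


def parse_detail(detail: str) -> Tuple[float, float, Dict[str, float]]:
    """Split 'score=S, required R, RULE v, ...' into its parts."""
    score = required = None
    rules: Dict[str, float] = {}
    for item in (part.strip() for part in detail.split(",")):
        if item.startswith("score="):
            score = float(item[len("score="):])
        elif item.startswith("required "):
            required = float(item.split()[1])
        elif " " in item:
            name, value = item.rsplit(" ", 1)
            try:
                rules[name] = float(value)
            except ValueError:
                continue  # not a "RULE value" pair, ignore it
    if score is None or required is None:
        raise ValueError(f"no score/required in: {detail!r}")
    return score, required, rules


def parse_log(text: str) -> Dict[str, SpamRecord]:
    """Build one record per spam verdict and attach its action list."""
    records: Dict[str, SpamRecord] = {}
    for line in text.splitlines():
        m = VERDICT_RE.search(line)
        if m:
            score, required, rules = parse_detail(m.group("detail"))
            records[m.group("id")] = SpamRecord(m.group("id"), score, required, rules)
            continue
        m = ACTIONS_RE.search(line)
        if m and m.group("id") in records:
            records[m.group("id")].actions = m.group("actions").split()
    return records


def withheld_spam(records: Dict[str, SpamRecord]) -> List[SpamRecord]:
    """Spam whose action list is known and does not include 'deliver'."""
    return [r for r in records.values() if r.delivered is False]


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG).values():
        state = "delivered" if rec.delivered else "WITHHELD"
        print(f"{rec.msg_id} score={rec.score} (+{rec.margin} over threshold) "
              f"actions={' '.join(rec.actions or [])} -> {state}")
```

Sorting the withheld records by `margin` puts the near-threshold messages first, which are the ones most worth checking for false positives.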
From: sysadmins at ENHTECH.COM (Errol Neal)
Date: Thu Jan 12 21:21:39 2006
Subject: high cpu usage!!!
In-Reply-To: <6.0.0.22.0.20031224192240.02e9dff0@192.168.10.2>
References: <6.0.0.22.0.20031224181037.03b45f20@192.168.10.2> <6.0.1.1.2.20031224111632.03dce168@imap.ecs.soton.ac.uk> <6.0.0.22.0.20031224192240.02e9dff0@192.168.10.2>
Message-ID: <6.0.0.22.0.20031224170652.03b38008@mail.enhtech.com>

At 06:24 AM 12/24/2003, you wrote:
>I can check but most of the time i am clueless about the logs entry
>
>
>I am getting tons of mails in mqueue.in. I have deleted them and now they
>are building up again....
>
>
>At 07:16 PM 12/24/2003, you wrote:
>
>>Check your mail log for any reports from MailScanner.
>>
>>At 10:11 24/12/2003, you wrote:
>>>I am getting very high cpu usage by mailscanner.
>>>
>>>177 processes: 163 sleeping, 3 running, 0 zombie, 11 stopped
>>>CPU states: 18.2% user, 4.0% system, 1.0% nice, 31.5% idle
>>>Mem: 504792K av, 474500K used, 30292K free, 1508K shrd, 42668K buff
>>>Swap: 1020116K av, 137800K used, 882316K free 99664K cached
>>>
>>>  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME COMMAND
>>>31972 root      14   0 25432  20M 12324 R    85.0  4.2   0:19 MailScanner
>>>32019 apache     9   0 10200 7456  5636 S     7.5  1.4   0:00 httpd
>>>32081 root       9   0  1104 1104   804 R     3.7  0.2   0:00 top
>>>32028 apache     9   0  9024 6280  5516 S     0.9  1.2   0:00 httpd
>>>
>>>
>>>Please help!
>>>
>>>thanks
>>
>>--
>>Julian Field
>>www.MailScanner.info
>>Professional Support Services at www.MailScanner.biz
>>MailScanner thanks transtec Computers for their support
>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>thanks

Deleting messages in mqueue.in is deleting your real mail. That is where
sendmail queues messages to be scanned by mailscanner. Please provide your
hardware, OS and version of mailscanner you are running.

Errol Neal

Errol U. Neal Jr., Systems Administrator
Enhanced Technologies, Inc. - The Business Grade Hosting Specialists
http://www.enhtech.com
703-924-0301 or 800-368-3249
703-997-0839 Fax

From mark at TIPPINGMAR.COM Wed Dec 24 22:52:42 2003
From: mark at TIPPINGMAR.COM (Mark Nienberg)
Date: Thu Jan 12 21:21:39 2006
Subject: Bayes Poisoning? Spam with negative BAYES Scores - ahhhh
In-Reply-To:
Message-ID: <3FE9A83A.10794.487D43CC@localhost>

On 24 Dec 2003 at 10:36, Nathan Johanson wrote:

> I do like the idea behind reducing the Bayes probabilities. Please let
> me know how this works for you. I'm curious if it's enough to fix the
> problem, or if it impacts your filtering in some other unforeseen way.

I've had this in place for about a week now, and I haven't had any problems.
The only potential problem I can see is if you regularly receive legitimate
messages that for some reason score higher than your spam threshold and
require the Bayes negative score to reduce the total below the threshold.
It's a trade-off between tagging more spam and the possibility of some false
positives. I haven't seen any false positives yet.

That said, the SpamAssassin purists might be horrified at this kind of
tweaking, because it messes up the careful statistical analysis on which the
scoring is based. I understand that, and generally agree with it, but I guess
there is nothing wrong with trying to tweak SpamAssassin to work best with the
type of mail that my site receives.

I can't say that this has fixed the problem entirely though, because this type
of spam often doesn't trigger enough other points to go above the threshold,
even without the Bayes score to bring it down.

Mark

From tristanr at CI.GRANDJCT.CO.US Wed Dec 24 22:10:34 2003
From: tristanr at CI.GRANDJCT.CO.US (Tristan Rhodes)
Date: Thu Jan 12 21:21:39 2006
Subject: OpenProtect
Message-ID:

Has anyone tried OpenProtect? It combines most of the applications we use to
filter mail. I'm surprised I haven't heard of it before.

http://opencomputing.sourceforge.net/

"Opencomputing's bundle of E-Mail Filters consisting of two Anti-Viruses,
Kaspersky Anti-Virus and Clam Anti-Virus, SpamAssassin and MailScanner with
support for sendmail, postfix, exim and qmail(qmail support is still beta, so
if you encounter any problems, you can mail us the error logs with a
description to email@opencompt.com)."

From kfliong at WOFS.COM Fri Dec 26 02:16:53 2003
From: kfliong at WOFS.COM (kfliong) Date: Thu Jan 12 21:21:40 2006 Subject: high cpu usage!!! In-Reply-To: <6.0.0.22.0.20031224192240.02e9dff0@192.168.10.2> References: <6.0.0.22.0.20031224181037.03b45f20@192.168.10.2> <6.0.1.1.2.20031224111632.03dce168@imap.ecs.soton.ac.uk> <6.0.0.22.0.20031224192240.02e9dff0@192.168.10.2> Message-ID: <6.0.0.22.0.20031226101427.03b44e70@192.168.10.2> I already tried changing "Notify Senders = No" but still the load is very high. My idle is always at 0%. What else can I do to make the cpu load goes lower from MailScanner? FYI, my system is using P3 1ghz with 512mb RAM which I think is good enough to run MailScanner or is it not? Thanks in advance. At 07:24 PM 12/24/2003, you wrote: >I can check but most of the time i am clueless about the logs entry > >Dec 24 19:16:13 ensim virthostmail[12899]: Chrooting to >/home/virtual/site9/fst >Dec 24 19:16:13 ensim sendmail[12901]: hBP0GDi12901: >from=, size=1336, class=0, nrcpts=1, >msgid=<200312250016.hBP0G9p12888@ensim.wofsproperties.com>, proto=ESMTP, >relay=root@localhost >Dec 24 19:16:13 ensim sendmail[12897]: hBP0G9p12888: >to=, delay=00:00:04, xdelay=00:00:00, >mailer=virthostmail, pri=120871, relay=worldoffengshui.com, dsn=2.0.0, >stat=Sent (hBP0GDi12901 Message accepted for delivery) >Dec 24 19:16:14 ensim MailScanner[10992]: Virus and Content Scanning: Starting >Dec 24 19:16:14 ensim sendmail[12902]: hBP0GDi12901: to=/dev/null, >ctladdr=site_blackhole (513/0), delay=00:00:01, xdelay=00:00:00, >mailer=*file*, pri=30653, dsn=2.0.0, stat=Sent >Dec 24 19:16:15 ensim MailScanner[10992]: Uninfected: Delivered 1 messages >Dec 24 19:16:15 ensim virthostmail[12910]: Chrooting to >/home/virtual/site9/fst >Dec 24 19:16:15 ensim sendmail[12912]: hBP0GFO12912: >from=, size=1327, class=0, nrcpts=1, >msgid=<200312250016.hBP0G7p12885@ensim.wofsproperties.com>, proto=ESMTP, >relay=root@localhost >Dec 24 19:16:15 ensim sendmail[12908]: hBP0G7p12885: >to=, delay=00:00:07, xdelay=00:00:00, 
>mailer=virthostmail, pri=120862, relay=worldoffengshui.com, dsn=2.0.0, >stat=Sent (hBP0GFO12912 Message accepted for delivery) >Dec 24 19:16:15 ensim sendmail[12913]: hBP0GFO12912: to=/dev/null, >ctladdr=site_blackhole (513/0), delay=00:00:00, xdelay=00:00:00, >mailer=*file*, pri=30655, dsn=2.0.0, stat=Sent >Dec 24 19:16:20 ensim sendmail[12915]: hBP0GGp12915: >from=, size=1750, class=0, nrcpts=1, >msgid=, proto=SMTP, daemon=MTA, >relay=CPE0050bf919e82-CM0000394a0266.cpe.net.cable.rogers.com [63.139.225.125] >Dec 24 19:16:20 ensim sendmail[12915]: hBP0GGp12915: >to=, delay=00:00:03, mailer=virthostmail, >pri=31750, stat=queued >Dec 24 19:16:22 ensim MailScanner[10928]: New Batch: Found 2 messages waiting >Dec 24 19:16:22 ensim MailScanner[10928]: New Batch: Scanning 1 messages, >2407 bytes >Dec 24 19:16:22 ensim MailScanner[10928]: Spam Checks: Starting >Dec 24 19:16:27 ensim sendmail[12924]: hBP0GQp12924: from=, >size=10549, class=0, nrcpts=1, >msgid=<200312250016.hBP0GQp12924@ensim.wofsproperties.com>, proto=SMTP, >daemon=MTA, relay=[211.208.160.118] >Dec 24 19:16:27 ensim sendmail[12924]: hBP0GQp12924: >to=, delay=00:00:01, mailer=virthostmail, >pri=40549, stat=queued >Dec 24 19:16:28 ensim MailScanner[10910]: New Batch: Found 3 messages waiting >Dec 24 19:16:28 ensim MailScanner[10910]: New Batch: Scanning 1 messages, >11079 bytes >Dec 24 19:16:28 ensim MailScanner[10910]: Spam Checks: Starting >Dec 24 19:16:29 ensim sendmail[12926]: hBP0GRp12926: >from=, size=871, class=0, nrcpts=1, >msgid=<200312250016.hBP0GRp12926@ensim.wofsproperties.com>, proto=ESMTP, >daemon=MTA, relay=200-153-194-224.dsl.telesp.net.br [200.153.194.224] >Dec 24 19:16:29 ensim sendmail[12926]: hBP0GRp12926: >to=, delay=00:00:01, mailer=virthostmail, >pri=30871, stat=queued >Dec 24 19:16:30 ensim MailScanner[10992]: New Batch: Found 4 messages waiting >Dec 24 19:16:30 ensim MailScanner[10992]: New Batch: Scanning 1 messages, >1456 bytes >Dec 24 19:16:30 ensim MailScanner[10992]: Spam 
Checks: Starting >Dec 24 19:16:31 ensim sendmail[12931]: hBP0GTp12931: >from=, size=869, class=0, nrcpts=1, >msgid=<200312250016.hBP0GTp12931@ensim.wofsproperties.com>, proto=ESMTP, >daemon=MTA, relay=200-153-194-224.dsl.telesp.net.br [200.153.194.224] >Dec 24 19:16:31 ensim sendmail[12931]: hBP0GTp12931: >to=, delay=00:00:01, mailer=virthostmail, >pri=30869, stat=queued >Dec 24 19:16:31 ensim MailScanner[10928]: Message hBP0GGp12915 from >63.139.225.125 (ap2didwof@easynet.fr) to worldoffengshui.com is spam, >SpamAssassin (score=18.783, required 5, BAYES_90 2.10, CLICK_BELOW 0.10, >DATE_IN_PAST_12_24 0.75, FORGED_MUA_OIMO 2.40, FORGED_OUTLOOK_TAGS 1.00, >HTML_FONT_BIG 0.27, HTML_LINK_CLICK_HERE 0.10, HTML_MESSAGE 0.10, >MIME_HTML_NO_CHARSET 0.56, MIME_HTML_ONLY 0.32, MIME_HTML_ONLY_MULTI 1.10, >ONLINE_PHARMACY 3.77, RCVD_IN_BL_SPAMCOP_NET 1.50, RCVD_IN_DSBL 0.71, >RCVD_IN_DYNABLOCK 2.60, RCVD_IN_SORBS 0.10, X_PRIORITY_HIGH 1.30) >Dec 24 19:16:31 ensim MailScanner[10928]: Spam Checks: Found 1 spam messages >Dec 24 19:16:31 ensim MailScanner[10928]: Spam Actions: message >hBP0GGp12915 actions are delete >Dec 24 19:16:31 ensim MailScanner[10928]: Virus and Content Scanning: Starting >Dec 24 19:16:32 ensim MailScanner[10984]: New Batch: Found 4 messages waiting >Dec 24 19:16:32 ensim MailScanner[10984]: New Batch: Scanning 1 messages, >1460 bytes >Dec 24 19:16:32 ensim MailScanner[10984]: Spam Checks: Starting >Dec 24 19:16:33 ensim MailScanner[10984]: Message hBP0GTp12931 from >200.153.194.224 (tmcdowellgr@greenapple.com) to worldoffengshui.com is >spam, SpamAssassin (score=6.652, required 5, BAYES_30 -0.90, BIZ_TLD 0.10, >DATE_IN_PAST_12_24 0.75, HTML_MESSAGE 0.10, MIME_HTML_NO_CHARSET 0.56, >MIME_HTML_ONLY 0.32, MSGID_FROM_MTA_SHORT 3.03, RCVD_IN_DYNABLOCK 2.60, >RCVD_IN_SORBS 0.10) >Dec 24 19:16:34 ensim MailScanner[10984]: Spam Checks: Found 1 spam messages >Dec 24 19:16:34 ensim MailScanner[10984]: Spam Actions: message >hBP0GTp12931 actions are delete >Dec 24 
19:16:34 ensim MailScanner[10984]: Virus and Content Scanning: Starting >Dec 24 19:16:34 ensim sendmail[12938]: hBP0GWp12938: from=, >size=4545, class=0, nrcpts=1, msgid=, >proto=SMTP, daemon=MTA, relay=modemcable076.176-131-66.mc.videotron.ca >[66.131.176.76] >Dec 24 19:16:34 ensim sendmail[12938]: hBP0GWp12938: >to=, delay=00:00:02, mailer=virthostmail, >pri=34545, stat=queued >Dec 24 19:16:34 ensim sendmail[12930]: hBP0GTp12930: >from=, size=1378, class=0, nrcpts=1, >msgid=<200312250016.hBP0GTp12930@ensim.wofsproperties.com>, proto=ESMTP, >daemon=MTA, relay=cable-228-56.inter.net.il [80.230.228.56] >Dec 24 19:16:34 ensim sendmail[12930]: hBP0GTp12930: >to=, delay=00:00:02, mailer=virthostmail, >pri=31378, stat=queued >Dec 24 19:16:35 ensim MailScanner[10992]: Virus and Content Scanning: Starting >Dec 24 19:16:35 ensim MailScanner[10984]: New Batch: Found 5 messages waiting >Dec 24 19:16:35 ensim MailScanner[10984]: New Batch: Scanning 2 messages, >7074 bytes >Dec 24 19:16:35 ensim MailScanner[10984]: Spam Checks: Starting >Dec 24 19:16:36 ensim MailScanner[10984]: Message hBP0GTp12930 from >80.230.228.56 (kbarber_ul@ccd.vol.at) to worldoffengshui.com is spam, >SpamAssassin (score=9.354, required 5, BAYES_50 0.00, BIZ_TLD 0.10, >HTML_MESSAGE 0.10, MIME_HTML_MOSTLY 1.24, MSGID_FROM_MTA_HEADER 0.70, >RCVD_IN_BL_SPAMCOP_NET 1.50, RCVD_IN_DSBL 0.71, RCVD_IN_DYNABLOCK 2.60, >RCVD_IN_SORBS 0.10, RCVD_IN_SORBS_HTTP 1.10, RCVD_IN_SORBS_SOCKS 1.20) >Dec 24 19:16:36 ensim MailScanner[10992]: Uninfected: Delivered 1 messages >Dec 24 19:16:36 ensim sendmail[12941]: hBP0GXp12941: >from=, size=1394, class=0, nrcpts=2, >msgid=, proto=SMTP, daemon=MTA, >relay=h24-86-167-208.vs.shawcable.net [24.86.167.208] >Dec 24 19:16:36 ensim sendmail[12941]: hBP0GXp12941: >to=, delay=00:00:02, mailer=virthostmail, >pri=61394, stat=queued >Dec 24 19:16:36 ensim sendmail[12941]: hBP0GXp12941: >to=, delay=00:00:02, mailer=virthostmail, >pri=61394, stat=queued >Dec 24 19:16:36 ensim 
virthostmail[12958]: Chrooting to >/home/virtual/site9/fst >Dec 24 19:16:36 ensim sendmail[12961]: hBP0Gak12961: >from=, size=1342, class=0, nrcpts=1, >msgid=<200312250016.hBP0GRp12926@ensim.wofsproperties.com>, proto=ESMTP, >relay=root@localhost >Dec 24 19:16:36 ensim sendmail[12956]: hBP0GRp12926: >to=, delay=00:00:08, xdelay=00:00:00, >mailer=virthostmail, pri=120871, relay=worldoffengshui.com, dsn=2.0.0, >stat=Sent (hBP0Gak12961 Message accepted for delivery) >Dec 24 19:16:37 ensim sendmail[12962]: hBP0Gak12961: to=/dev/null, >ctladdr=site_blackhole (513/0), delay=00:00:01, xdelay=00:00:00, >mailer=*file*, pri=30660, dsn=2.0.0, stat=Sent >Dec 24 19:16:37 ensim sendmail[12953]: hBP0GZp12953: >from=, size=2733, class=0, nrcpts=1, >msgid=<3zpiw$v-h08a03$78$9ws2cb353m0v@avo2g>, proto=SMTP, daemon=MTA, >relay=[61.74.12.125] >Dec 24 19:16:37 ensim sendmail[12953]: hBP0GZp12953: >to=, delay=00:00:02, mailer=virthostmail, pri=32733, >stat=queued >Dec 24 19:16:37 ensim MailScanner[10984]: Message hBP0GWp12938 from >66.131.176.76 (brqhfg@web.de) to worldoffengshui.com is spam, SpamAssassin >(score=14.337, required 5, BAYES_99 5.40, DATE_IN_PAST_12_24 0.75, >HTML_MESSAGE 0.10, HTML_TAG_BALANCE_A 0.20, MIME_BASE64_TEXT 1.01, >MIME_HTML_NO_CHARSET 0.56, MIME_HTML_ONLY 0.32, MIME_HTML_ONLY_MULTI 1.10, >RCVD_IN_BL_SPAMCOP_NET 1.50, RCVD_IN_DSBL 0.71, RCVD_IN_DYNABLOCK 2.60, >RCVD_IN_SORBS 0.10) >Dec 24 19:16:37 ensim MailScanner[10984]: Spam Checks: Found 2 spam messages >Dec 24 19:16:37 ensim MailScanner[10984]: Spam Actions: message >hBP0GTp12930 actions are delete >Dec 24 19:16:37 ensim MailScanner[10984]: Spam Actions: message >hBP0GWp12938 actions are delete >Dec 24 19:16:37 ensim MailScanner[10984]: Virus and Content Scanning: Starting >Dec 24 19:16:37 ensim sendmail[12951]: hBP0GZp12951: >from=, size=1387, class=0, nrcpts=1, >msgid=<200312250016.hBP0GZp12951@ensim.wofsproperties.com>, proto=ESMTP, >daemon=MTA, relay=cable-228-56.inter.net.il [80.230.228.56] >Dec 24 
19:16:37 ensim sendmail[12951]: hBP0GZp12951: >to=, delay=00:00:02, mailer=virthostmail, >pri=31387, stat=queued >Dec 24 19:16:38 ensim MailScanner[10928]: New Batch: Found 5 messages waiting >Dec 24 19:16:38 ensim MailScanner[10928]: New Batch: Scanning 3 messages, >7090 bytes >Dec 24 19:16:38 ensim MailScanner[10928]: Spam Checks: Starting >Dec 24 19:16:39 ensim MailScanner[10928]: Message hBP0GZp12951 from >80.230.228.56 (rblevins_kt@onetelnet.nl) to worldoffengshui.com is spam, >SpamAssassin (score=9.354, required 5, BAYES_50 0.00, BIZ_TLD 0.10, >HTML_MESSAGE 0.10, MIME_HTML_MOSTLY 1.24, MSGID_FROM_MTA_HEADER 0.70, >RCVD_IN_BL_SPAMCOP_NET 1.50, RCVD_IN_DSBL 0.71, RCVD_IN_DYNABLOCK 2.60, >RCVD_IN_SORBS 0.10, RCVD_IN_SORBS_HTTP 1.10, RCVD_IN_SORBS_SOCKS 1.20) > >I am getting tons of mails in mqueue.in. I have deleted them and now they >are building up again.... > > >At 07:16 PM 12/24/2003, you wrote: > >>Check your mail log for any reports from MailScanner. >> >>At 10:11 24/12/2003, you wrote: >>>I am getting very high cpu usage by mailscanner. >>> >>>177 processes: 163 sleeping, 3 running, 0 zombie, 11 stopped >>>CPU states: 18.2% user, 4.0% system, 1.0% nice, 31.5% idle >>>Mem: 504792K av, 474500K used, 30292K free, 1508K shrd, 42668K >>>buff >>>Swap: 1020116K av, 137800K used, 882316K free 99664K >>>cached >>> >>> PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME COMMAND >>>31972 root 14 0 25432 20M 12324 R 85.0 4.2 0:19 MailScanner >>>32019 apache 9 0 10200 7456 5636 S 7.5 1.4 0:00 httpd >>>32081 root 9 0 1104 1104 804 R 3.7 0.2 0:00 top >>>32028 apache 9 0 9024 6280 5516 S 0.9 1.2 0:00 httpd >>> >>> >>>Please help! >>> >>>thanks >> >>-- >>Julian Field >>www.MailScanner.info >>Professional Support Services at www.MailScanner.biz >>MailScanner thanks transtec Computers for their support >>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > >thanks thanks From kfliong at WOFS.COM Fri Dec 26 03:52:42 2003 
From: kfliong at WOFS.COM (kfliong)
Date: Thu Jan 12 21:21:40 2006
Subject: Allowing files whitelist
In-Reply-To: <3FE9A83A.10794.487D43CC@localhost>
References: <3FE9A83A.10794.487D43CC@localhost>
Message-ID: <6.0.0.22.0.20031226115025.03b54978@192.168.10.2>

Hi,

How do I allow this file, EODSmt(doc).exe, to go through MailScanner? As I
know, brackets were not allowed in Perl scripts as file name. So, how do I
make sure that this file can go through MailScanner as any .exe files are
filtered.

Can I put EODSmt*.exe ?

Thanks in advance.

From wppiphoto at wppi.com Fri Dec 26 18:24:33 2003
From: wppiphoto at wppi.com (SW)
Date: Thu Jan 12 21:21:40 2006
Subject: Bounced e-mail returning back {Scanned}
Message-ID: <000f01c3cbdd$8ee09640$3a95a644@Toshiba>

I've set up in MailScanner.conf the Spam Action = bounce

which I thought should not cause them to come back to me:

--- The following addresses had permanent fatal errors --- etc.
(reason: 553
Message-ID: <00b701c3cbdf$652c3f50$4e19000a@ATLCPW13671>

Loop me in too. I can't replicate the problem, and am not having the
problem on a machine that is faster, running on the same pipe with an older
version of mailscanner and SA running....

I have posted several times and attempted every direction provided to no
avail...

CT

----- Original Message -----
From: "Damian Mendoza"
To:
Sent: Wednesday, December 24, 2003 11:36 AM
Subject: Re: spamassassin timeout again...

if you find a solution, let me know. I've given up trying to eliminate
all spamassassin
Timed out errors. I just live with the 200 timed out errors we receive
each day - 200 spams
Is not bad for 5,000 messages per day.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
Behalf Of kfliong
Sent: Wednesday, December 24, 2003 1:43 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: spamassassin timeout again...

Hi,

I am sure a lot of ppl have asked this question before..but i just
re-installed and updated mailscanner and spamassassin but keep getting
spamassassin timeout error in the maillog.

I have tried changing the timeout to 90 which a lot of ppl says will
solve the problem but i still get the timeout error.

What can i do?

thanks

From raymond at PROLOCATION.NET Fri Dec 26 18:42:19 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:40 2006
Subject: Bounced e-mail returning back {Scanned}
In-Reply-To: <000f01c3cbdd$8ee09640$3a95a644@Toshiba>
Message-ID:

Hi!

> which I thought should not cause them to come back to me:
>
> --- The following addresses had permanent fatal errors --- etc.
> (reason: 553
> I know spammers use fake e-mails so how do I prevent from getting these
> messages back?

Don't bounce spam, you only make the problem worse.

Bye,
Raymond.

From raymond at PROLOCATION.NET Fri Dec 26 18:51:49 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:40 2006
Subject: Misc: Please drop rbl.rope.net (fwd)
Message-ID:

FYI. If people were using this list, please unconfigure.

---------- Forwarded message ----------
Date: Fri, 26 Dec 2003 08:59:58 -0700
From: System Administrator a.k.a. The Root of the Problem
To: SPAM-L@peach.ease.lsoft.com
Subject: Misc: Please drop rbl.rope.net

Just spoke to the rope.net admin. rbl.rope.net is to be considered dead.

From wppiphoto at wppi.com Fri Dec 26 19:12:01 2003
From: wppiphoto at wppi.com (SW)
Date: Thu Jan 12 21:21:40 2006
Subject: Bounced e-mail returning back {Scanned}
References:
Message-ID: <002801c3cbe4$246a63c0$3a95a644@Toshiba>

Raymond,

The reason I wanted to bounce spam is just in case it is a legitimate e-mail
for one of our users which gets tagged as spam. I have to 'delete' the High
Scoring Spam option but for the 'spam action' directive. What should I do?

Thanks,

SW

----- Original Message -----
From: "Raymond Dijkxhoorn"
To:
Sent: Friday, December 26, 2003 1:42 PM
Subject: Re: Bounced e-mail returning back {Scanned}

Hi!

> which I thought should not cause them to come back to me:
>
> --- The following addresses had permanent fatal errors --- etc.
> (reason: 553
> I know spammers use fake e-mails so how do I prevent from getting these
> messages back?

Dont bounce spam, you only make the problem worse.

Bye,
Raymond.

-------------------------------------------------
WPPi.com | WPPi.Net
-------------------------------------------------
http://www.wppi.com | http://www.wppi.net
-------------------------------------------------
WPPi.com & WPPi.Net MailScanner Signature
This message has been scanned for viruses
and dangerous content by WPPi MailScanner,
and has been found to be clean.
-------------------------------------------------

From wppiphoto at wppi.com Fri Dec 26 19:13:03 2003
From: wppiphoto at wppi.com (SW)
Date: Thu Jan 12 21:21:40 2006
Subject: Spam still coming through :-( {Scanned}
Message-ID: <002d01c3cbe4$49386300$3a95a644@Toshiba>

Ok, everything is working correctly with MailScanner and Spamassassin but we
are still getting about 25% of spam in. What else can I do to lower this
amount without causing legitimate e-mails to get tagged as spam.

Thanks,

SW

From raymond at PROLOCATION.NET Fri Dec 26 20:22:29 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:40 2006
Subject: Spam still coming through :-( {Scanned}
In-Reply-To: <002d01c3cbe4$49386300$3a95a644@Toshiba>
Message-ID:

Hi!

> Ok, everything is working correctly with MailScanner and Spamassassin but we
> are still getting about 25% of spam in. What else can I do to lower this
> amount without causing legitimate e-mails to get tagged as spam.

At times we get over 50% spam in, to stop this you most likely have to
stop the people who are sending in spam, not the other (your) end :)

Bye,
Raymond.

From mark at TIPPINGMAR.COM Sat Dec 27 00:45:02 2003
From: mark at TIPPINGMAR.COM (Mark Nienberg)
Date: Thu Jan 12 21:21:40 2006
Subject: Spam still coming through :-( {Scanned}
In-Reply-To: <002d01c3cbe4$49386300$3a95a644@Toshiba>
Message-ID:

If you haven't already done so, it helps a lot to add DCC, Pyzor, and
Razor to your setup and configure SpamAssassin to use them. Also, as time
goes on, your Bayes trigger will probably get more accurate.

Mark

On Friday, December 26, 2003, at 11:13 AM, SW wrote:

> Ok, everything is working correctly with MailScanner and Spamassassin
> but we
> are still getting about 25% of spam in. What else can I do to lower
> this
> amount without causing legitimate e-mails to get tagged as spam.
>
> Thanks,
>
> SW

From wppiphoto at wppi.com Sat Dec 27 21:35:12 2003
From: wppiphoto at wppi.com (SW)
Date: Thu Jan 12 21:21:40 2006
Subject: Mailscanner autoupdate of Clamav {Scanned}
Message-ID: <001b01c3ccc1$5b6a8d90$3795a644@Toshiba>

I'm trying to figure out if the /usr/sbin/update_virus_scanner will update
clamav or should I use clamav 'freshclam' to update the virus scanner and
definitions.

Thanks,

SW

From ugob at CAMO-ROUTE.COM Sat Dec 27 23:41:57 2003
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:40 2006
Subject: Mailscanner autoupdate of Clamav {Scanned}
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE2D2@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: SW [mailto:wppiphoto@wppi.com]
> Sent: Saturday, December 27, 2003 4:35 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Mailscanner autoupdate of Clamav {Scanned}
>
>
> I'm trying to figure out if the /usr/sbin/update_virus_scanner will update
> clamav or should I use clamav 'freshclam' to update the virus scanner and
> definitions.

Both only refresh definitions. No need to do anything for definitions,
mailscanner updates them hourly. When a new version of clamAV goes out,
you'll probably hear of it here, or register to the clamAV-announce mailing
list.

>
> Thanks,
>
> SW

From Antony at SOFT-SOLUTIONS.CO.UK Sun Dec 28 01:21:52 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:21:40 2006
Subject: RBL timing out {Scanned by WPPi.Net}
In-Reply-To: <3FE8FF18.7050206@chartermi.net>
References: <000901c3c998$dfd0f050$3a95a644@Toshiba> <002301c3c99e$30d33670$3a95a644@Toshiba> <3FE8FF18.7050206@chartermi.net>
Message-ID: <200312280121.52696.Antony@Soft-Solutions.co.uk>

On Wednesday 24 December 2003 2:51 am, smhickel wrote:

> This is a great question. Just this evening I asked myself the same
> question. I locked down my mailscanner with IPTABLES and tried to figure
> out what port the RDBL's were using and what port the clamav service
> used to update itself?

All RDBLs I know of use DNS (TCP/UDP ports 53).

ClamAV updates use HTTP (TCP port 80).

Antony.

--
90% of networking problems are routing problems.
9 of the remaining 10% are routing problems in the other direction.
The remaining 1% might be something else, but check the routing anyway.

Please reply to the list; please don't CC me.

From mailscanner at ecs.soton.ac.uk Sun Dec 28 15:28:10 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:40 2006
Subject: Spam still coming through :-( {Scanned}
In-Reply-To:
References: <002d01c3cbe4$49386300$3a95a644@Toshiba>
Message-ID: <6.0.1.1.2.20031228152250.041c6818@imap.ecs.soton.ac.uk>

>On Friday, December 26, 2003, at 11:13 AM, SW wrote:
>
>>Ok, everything is working correctly with MailScanner and Spamassassin
>>but we
>>are still getting about 25% of spam in. What else can I do to lower
>>this
>>amount without causing legitimate e-mails to get tagged as spam.

Do you have the Perl module Net::DNS installed?
What does this produce:

    perl -MNet::DNS -e 'print $Net::DNS::VERSION;'

If it prints out a number, you're fine. If it prints out an error message
to do with Net, DNS or DNS.pm then you haven't got it installed.

Installing it from CPAN is theoretically very simple, but you need to stop
CPAN if it tries to upgrade your entire Perl distribution.

    perl -MCPAN -e shell
    o conf prerequisites_policy ask
    install Net::DNS

and watch carefully. If you start seeing it reinstalling Perl (probably
version 5.8.2) then thump Ctrl-C a lot. If you get that, come back here and
we will try to walk you through it. You don't actually need to upgrade all
the modules that CPAN thinks you do; it is just being a bit idealistic,
which is the cause of the problem.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Sun Dec 28 15:49:50 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:40 2006
Subject: Allowing files whitelist
In-Reply-To: <6.0.0.22.0.20031226115025.03b54978@192.168.10.2>
References: <3FE9A83A.10794.487D43CC@localhost> <6.0.0.22.0.20031226115025.03b54978@192.168.10.2>
Message-ID: <6.0.1.1.2.20031228154913.0463fec0@imap.ecs.soton.ac.uk>

At 03:52 26/12/2003, you wrote:
>Hi,
>
>How do I allow this file, EODSmt(doc).exe, to go through MailScanner? As I
>know, brackets were not allowed in Perl scripts as file name. So, how do I
>make sure that this file can go through MailScanner as any .exe files are
>filtered.
>
>Can I put EODSmt*.exe ?
>
>Thanks in advance.

    allow	eodsmt.*\.exe$	-	-

(separated with tabs, not spaces)
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From lindsay at pa.net Sun Dec 28 16:05:31 2003
From: lindsay at pa.net (Lindsay Snider)
Date: Thu Jan 12 21:21:40 2006
Subject: spamassassin timeout again...
In-Reply-To: <00b701c3cbdf$652c3f50$4e19000a@ATLCPW13671>
References: <00b701c3cbdf$652c3f50$4e19000a@ATLCPW13671>
Message-ID: <1072627530.17869.2.camel@localhost.localdomain>

I've found razor checks to be a common source of timeouts. If you can
catch a period when SA is timing out, try running:

    spamassassin -D < emailmessage.txt

The debug output of spamassassin is helpful in figuring out what is
causing it to time out.

-lindsay

On Fri, 2003-12-26 at 13:38, Chris Trudeau wrote:
> Loop me in too. I can't replicate the problem, and am not having the
> problem on a machine that is faster, running on the same pipe with an older
> version of mailscanner and SA running....
>
> I have posted several times and attempted every direction provided to no
> avail...
>
> CT
>
>
> ----- Original Message -----
> From: "Damian Mendoza"
> To:
> Sent: Wednesday, December 24, 2003 11:36 AM
> Subject: Re: spamassassin timeout again...
>
>
> if you find a solution, let me know. I've given up trying to eliminate
> all spamassassin
> Timed out errors. I just live with the 200 timed out errors we receive
> each day - 200 spams
> Is not bad for 5,000 messages per day.
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of kfliong
> Sent: Wednesday, December 24, 2003 1:43 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: spamassassin timeout again...
>
> Hi,
>
> I am sure a lot of ppl have asked this question before..but I just
> re-installed and updated mailscanner and spamassassin but keep getting
> spamassassin timeout error in the maillog.
>
> I have tried changing the timeout to 90 which a lot of ppl says will
> solve the problem but I still get the timeout error.
>
> What can I do?
>
> thanks
--
Lindsay Snider

From taxi at ARMORY.COM Sun Dec 28 21:07:00 2003
From: taxi at ARMORY.COM (E. Fehrenbach)
Date: Thu Jan 12 21:21:40 2006
Subject: --Please Help.. can't open tmpfile: Invalid argument
Message-ID:

---- Please Help!

We have used MailScanner with no problem until we upgraded to FreeBSD 5.0
from 4.8. Now we are getting this message in our logs and outgoing email
is not delivered. We searched the archives and have seen several others
with similar problem. Please advise if there is any solution to this
problem, MailScanner has been a fantastic solution for us but downgrading
back to 4.8 is not an option.

    Cannot parse /var/spool/MailScanner/incoming/15871/hBSKjl87015878.header and , MIME::Parser: can't open tmpfile: Invalid argument

Any advice is greatly appreciated!

From mailscanner at pdscc.com Sun Dec 28 22:21:13 2003
From: mailscanner at pdscc.com (Harondel J. Sibble)
Date: Thu Jan 12 21:21:40 2006
Subject: /var/spool/MailScanner/incoming
In-Reply-To: <5.2.0.9.2.20030917152402.043b06c0@imap.ecs.soton.ac.uk>
References: <000701c37d21$2f84f020$0c02a8c0@itech.dom>
Message-ID: <200312282235.OAA01944@sheridan.sibble.net>

On 17 Sep 2003 at 15:25, Julian Field wrote:

> >Cannot create temporary Work Dir /var/spool/MailScanner/incoming/502693. Are
> >the permissions and ownership of /var/spool/MailScanner/incoming correct?
> 1) Temporary storage used by MailScanner while working
> 2)
> Stop MailScanner.
> rm -rf /var/spool/MailScanner/incoming
> mkdir /var/spool/MailScanner/incoming

I just set up MS on a Mandrake 9.2 box and am getting the same error
messages. I tried Julian's suggestions of shutting down MS and then
deleting and recreating the incoming directory, then restarting MS;
however, I still have the same errors in /var/log/mail/errors. The
original permissions on the incoming directory were 700, now it's 755.
--
Harondel J. Sibble
Sibble Computer Consulting
Creating solutions for the small business and home computer user.
help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
(604) 739-3709 (voice/fax) (604) 686-2253 (pager)

From mailscanner at pdscc.com Sun Dec 28 22:32:00 2003
From: mailscanner at pdscc.com (Harondel J. Sibble) Date: Thu Jan 12 21:21:40 2006 Subject: /var/spool/MailScanner/incoming In-Reply-To: <200312282235.OAA01944@sheridan.sibble.net> References: <5.2.0.9.2.20030917152402.043b06c0@imap.ecs.soton.ac.uk> Message-ID: <200312282246.OAA01997@sheridan.sibble.net> On 28 Dec 2003 at 14:21, Harondel J. Sibble wrote: > I just setup MS on a Mandrake 9.2 box and am getting the same error messages, Forgot to mention All current updates installed for MDK9.2 MS 4.25.14 installed via rpm Postfix 2.0.13.3mdk Also I see a bunch of defunct MS processes in the ps list. -- Harondel J. Sibble Sibble Computer Consulting Creating solutions for the small business and home computer user. help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com (604) 739-3709 (voice/fax) (604) 686-2253 (pager) From mailscanner at pdscc.com Mon Dec 29 02:05:13 2003 
From: mailscanner at pdscc.com (Harondel J. Sibble)
Date: Thu Jan 12 21:21:40 2006
Subject: postfix, mailscanner, mail relay
Message-ID: <200312290219.SAA02723@sheridan.sibble.net>

Okay, configuring a box (mdk9.2) running mailscanner, SA and f-prot to
protect an internal mailserver that is not directly accessible from the net
(local lan usage only). The net accessible box running mailscanner will be
configured to relay all inbound mail to the internal mailserver. The
internal mailserver will use the mailscanner box as its outbound relay. The
mailscanner box is listed as the primary mx for the domain and only relays
in/outbound while scanning mail for spam and viruses.

Now as part of Mailscanner's setup, one sets up 2 instances of postfix, with
mailscanner doing its work in between the 2 instances. In a single instance
(standard) setup of postfix, setup to relay for the internal server would be
accomplished by setting (as per Blum's Open Source Email Security)

set postfix to not accept any messages even for localhost
    relay_domains =

set up a transport table
    mydomain.net smtp:internal-mailserver.mydomain.net

create the transport database
    postmap hash:/etc/postfix/transport

add to main.cf
    transport_maps = hash:/etc/postfix/transport

reload postfix and all should be okay

Just want to make sure, in conjunction with Mailscanner, these modifications
should be done for the outgoing postfix instance, correct? i.e. the
/etc/postfix dir rather than /etc/postfix.in
--
Harondel J. Sibble
Sibble Computer Consulting
Creating solutions for the small business and home computer user.
help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
(604) 739-3709 (voice/fax) (604) 686-2253 (pager)

From mailscanner at pdscc.com Mon Dec 29 04:17:12 2003
From: mailscanner at pdscc.com (Harondel J. Sibble) Date: Thu Jan 12 21:21:40 2006 Subject: postfix, mailscanner, mail relay In-Reply-To: <54C38A0B814C8E438EF73FC76F3629273132C8@mtlnt501fs.CAMOROUTE.COM> Message-ID: <200312290431.UAA03171@sheridan.sibble.net> On 28 Dec 2003 at 22:17, Ugo Bellavance wrote: > never reload postfix, reload mailscanner. You don't want to see standalone > postfix instances wandering around. I am aware of that, the text above was paraphrased from Richard Blum's book, which I noted at the beginning of the description of those steps. > Have you read the faqs? Obviously not the relevant ones ;-) > http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/152.html Thanks, that's just what I needed. Wasn't quite sure which main.cf file to edit. In hindsight it's obvious that it should be the sending instance on postfix. > http://www.sng.ecs.soton.ac.uk/mailscanner/install/postfix.shtml Heh, that's the one I used to set it up in the beginning. -- Harondel J. Sibble Sibble Computer Consulting Creating solutions for the small business and home computer user. help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com (604) 739-3709 (voice/fax) (604) 686-2253 (pager) From sanjay.patel at REXWIRE.COM Mon Dec 29 00:42:13 2003 From: sanjay.patel at REXWIRE.COM (Sanjay K. Patel) Date: Thu Jan 12 21:21:40 2006 Subject: Mailscanner and aol Message-ID: <200312290052.hBT0qWPC027047@mx.sargam.com> Is anyone having issues sending mail to AOL? Mail leaves our server but users at aol never get them. I was wondering if AOL was doing something to header with Mailscanner. Just covering all bases SKP From ugob at CAMO-ROUTE.COM Mon Dec 29 00:44:16 2003 
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:40 2006
Subject: Mailscanner and aol
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE2D8@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Sanjay K. Patel [mailto:sanjay.patel@REXWIRE.COM]
> Sent: Sunday, December 28, 2003 7:42 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Mailscanner and aol
>
>
> Is anyone having issues sending mail to AOL? Mail leaves our server but
> users at aol never get them. I was wondering if AOL was doing something to
> header with Mailscanner.
>

Do you have accurate reverse DNS records?

> Just covering all bases
>
> SKP
>

From ugob at CAMO-ROUTE.COM Mon Dec 29 03:17:51 2003
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:40 2006
Subject: postfix, mailscanner, mail relay
Message-ID: <54C38A0B814C8E438EF73FC76F3629273132C8@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Harondel J. Sibble [mailto:mailscanner@pdscc.com]
> Sent: Sunday, December 28, 2003 9:05 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: postfix, mailscanner, mail relay
>
>
> Okay, configuring a box (mdk9.2) running mailscanner, SA and f-prot to
> protect an internal mailserver that is not directly accessible from the net
> (local lan usage only). The net accessible box running mailscanner will be
> configured to relay all inbound mail to the internal mailserver. The
> internal mailserver will use the mailscanner box as its outbound relay. The
> mailscanner box is listed as the primary mx for the domain and only relays
> in/outbound while scanning mail for spam and viruses.
>
> Now as part of Mailscanner's setup, one sets up 2 instances of postfix, with
> mailscanner doing its work in between the 2 instances. In a single instance
> (standard) setup of postfix, setup to relay for the internal server would be
> accomplished by setting (as per Blum's Open Source Email Security)
>
> set postfix to not accept any messages even for localhost
> relay_domains =
>
> set up a transport table
> mydomain.net smtp:internal-mailserver.mydomain.net
>
> create the transport database
> postmap hash:/etc/postfix/transport
>
> add to main.cf
> transport_maps = hash:/etc/postfix/transport
>
> reload postfix and all should be okay

Never reload postfix, reload mailscanner. You don't want to see standalone
postfix instances wandering around.

>
> Just want to make sure, in conjunction with Mailscanner, these modifications
> should be done for the outgoing postfix instance, correct? i.e. the
> /etc/postfix dir rather than /etc/postfix.in

Have you read the faqs?

http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/152.html
http://www.sng.ecs.soton.ac.uk/mailscanner/install/postfix.shtml

hth

Thanks

Ugo

>
>
> --
> Harondel J. Sibble
> Sibble Computer Consulting
> Creating solutions for the small business and home computer user.
> help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
> (604) 739-3709 (voice/fax) (604) 686-2253 (pager)
>

From drew at THEMARSHALLS.CO.UK Mon Dec 29 09:43:32 2003
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:21:40 2006
Subject: Mailscanner and aol
In-Reply-To: <200312290052.hBT0qWPC027047@mx.sargam.com>
References: <200312290052.hBT0qWPC027047@mx.sargam.com>
Message-ID: <3FEFF744.20507@themarshalls.co.uk>

No, it's nothing to do with MailScanner but AOL's latest attempt to
reduce their spam levels. They have put in place a block on all mail
servers that do not have the correct DNS details set up (including PTR,
EHLO/HELO name etc). Further details can be obtained by manually
telnetting on port 25 to one of their MX's.

There was also some talk of AOL having obtained the IP addresses of
their mail relays and business accounts and only allowing connections
from them. I am not sure how successful this has been as for example my
ISP allocates IP addresses as they are required and not by type from
specific blocks, so I would run with the information as given by their
mail servers ;-)

Happy New Year

Drew

Sanjay K. Patel wrote:

>Is anyone having issues sending mail to AOL? Mail leaves our server but
>users at aol never get them. I was wondering if AOL was doing something to
>header with Mailscanner.
>
>Just covering all bases
>
>SKP
>
>

From juan at SAREL.CO.IL Mon Dec 29 10:03:11 2003
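The DNS details named in the reply above (PTR record, EHLO/HELO name) can be checked from the sending side before suspecting the scanner. This is an added example, not part of the original thread and not AOL's documented policy: a generic forward-confirmed reverse DNS check in Python. `check_mail_dns`, `DictResolver` and the sample zone data are assumptions constructed for illustration; replace the resolver with real lookups to test a live relay.

```python
"""Forward-confirmed reverse DNS (FCrDNS) and HELO-name check for a mail relay."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample zone data: documentation address ranges and example
# domains only. None of these values come from the thread.
SAMPLE_PTR = {
    "192.0.2.25": ["mail.example.org."],
    "192.0.2.26": ["host26.dyn.example.net."],
    # 192.0.2.27 deliberately has no PTR record.
}
SAMPLE_A = {
    "mail.example.org": ["192.0.2.25"],
    "host26.dyn.example.net": ["198.51.100.9"],  # forward lookup disagrees
    "relay.example.org": ["192.0.2.27"],
}


def _norm(name):
    """Lower-case a host name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


class DictResolver:
    """Offline stand-in for real DNS lookups (hypothetical helper)."""

    def __init__(self, ptr_records, address_records):
        self._ptr = ptr_records
        self._addr = {_norm(k): v for k, v in address_records.items()}

    def ptr(self, ip):
        """Names returned by a reverse (PTR) lookup of ip."""
        return [_norm(n) for n in self._ptr.get(ip, [])]

    def addresses(self, name):
        """Addresses returned by a forward lookup of name."""
        return list(self._addr.get(_norm(name), []))


@dataclass
class DnsReport:
    ip: str
    helo: str
    ptr_names: list = field(default_factory=list)
    problems: list = field(default_factory=list)

    @property
    def ok(self):
        return not self.problems


def check_mail_dns(ip, helo, resolver):
    """Check the relay's PTR record and HELO name against its address."""
    ip = str(ipaddress.ip_address(ip))  # raises ValueError on malformed input
    report = DnsReport(ip=ip, helo=_norm(helo))

    # 1. The address must have a PTR record, and at least one PTR name must
    #    resolve forward to the same address (forward confirmation).
    report.ptr_names = resolver.ptr(ip)
    if not report.ptr_names:
        report.problems.append("no PTR record")
    elif not any(ip in resolver.addresses(n) for n in report.ptr_names):
        report.problems.append("PTR name does not resolve back to the address")

    # 2. The name announced in EHLO/HELO must be fully qualified and must
    #    resolve to the connecting address.
    if "." not in report.helo:
        report.problems.append("HELO name is not fully qualified")
    elif ip not in resolver.addresses(report.helo):
        report.problems.append("HELO name does not resolve to the address")
    return report


if __name__ == "__main__":
    resolver = DictResolver(SAMPLE_PTR, SAMPLE_A)
    for ip, helo in [("192.0.2.25", "mail.example.org"),
                     ("192.0.2.26", "host26.dyn.example.net"),
                     ("192.0.2.27", "relay.example.org")]:
        result = check_mail_dns(ip, helo, resolver)
        print(ip, helo, "OK" if result.ok else "; ".join(result.problems))
```
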
From: juan at SAREL.CO.IL (חואן)
Date: Thu Jan 12 21:21:40 2006
Subject: Two questios about MailScanner
Message-ID:

Hi !!

I installed MailScanner. I want to know how I can check that I configured
it fine.

Second, when I restart the MailScanner service I see the following:

    root@mr MailScanner]# /etc/init.d/MailScanner restart
    Shutting down MailScanner daemons:
    MailScanner: [FAILED]
    incoming sendmail: [ OK ]
    outgoing sendmail: [ OK ]
    Starting MailScanner daemons:
    incoming sendmail: WARNING: Xclimiter'': local socket name /var/run/climiter.sock' missing [ OK ]
    outgoing sendmail: [ OK ]
    MailScanner: [ OK ]

What is the line:

    incoming sendmail: WARNING: Xclimiter'': local socket name /var/run/climiter.sock' missing.

Is it critical?

thanks very much!!

From mailscanner at ecs.soton.ac.uk Mon Dec 29 12:24:19 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:40 2006 Subject: /var/spool/MailScanner/incoming In-Reply-To: <200312282246.OAA01997@sheridan.sibble.net> References: <5.2.0.9.2.20030917152402.043b06c0@imap.ecs.soton.ac.uk> <200312282246.OAA01997@sheridan.sibble.net> Message-ID: <6.0.1.1.2.20031229122300.0405dec0@imap.ecs.soton.ac.uk> At 22:32 28/12/2003, you wrote: >On 28 Dec 2003 at 14:21, Harondel J. Sibble wrote: > > I just setup MS on a Mandrake 9.2 box and am getting the same error > messages, For some reason it can't create the directory. Are you running it as something other than root, i.e. are you using the "Run As User" and/or "Run As Group" settings? It's just a permissions problem. >Forgot to mention > >All current updates installed for MDK9.2 >MS 4.25.14 installed via rpm >Postfix 2.0.13.3mdk > >Also I see a bunch of defunct MS processes in the ps list. Check your maillog for errors from MS. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From TGFurnish at HERFF-JONES.COM Mon Dec 29 15:59:12 2003 
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:21:40 2006
Subject: OT: spammers using temporary dns?
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF02A6073F@inex1.herffjones.hj-int>

I have a feeling that this is an ignorant question and my mind is just in a
stupor from the holidays, but I'm still stumped so I'll go ahead and ask
it...

Anyone noticed spammers using temporary dns records? By "temporary", I
mean *really* temporary - i.e. only a few minutes of existence.

My mailscanner system relays to one domain that does its own dns checks in
sendmail and I'm seeing a large increase during the last couple of weeks in
the number of messages that are accepted by the mailscanner (i.e. dns checks
succeed) and then rejected by the next hop a few minutes later (i.e. due to
missing dns records).

One of the domains in question is mx59.experta4.biz - dns worked when the
message was accepted, but a few minutes later the records were gone.

At this point I just became aware of it, so it could be just one particular
spammer who's having dns problems. Besides, I'm not sure what the
motivation would be for the spammer - if you can successfully get the dns
records created for your sender domain, why bother making them short-lived?

Either way, the mail isn't getting through, but it's causing DSNs to be
generated on my mailscanner system when the next hop rejects the message.

Just wondering if others maybe already know about this and consider it
typical or if it's new or if I have something screwy going on. :-)

--
Trever

Those who do not understand Unix are condemned to reinvent it, poorly.
-- Henry Spencer

From Antony at SOFT-SOLUTIONS.CO.UK Mon Dec 29 16:11:31 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:21:40 2006
Subject: OT: spammers using temporary dns?
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF02A6073F@inex1.herffjones.hj-int>
References: <8FFC76593085ED4A80D3601BC41EFCDF02A6073F@inex1.herffjones.hj-int>
Message-ID: <200312291611.31415.Antony@Soft-Solutions.co.uk>

On Monday 29 December 2003 3:59 pm, Furnish, Trever G wrote:

> I have a feeling that this is an ignorant question and my mind is just in a
> stupor from the holidays, but I'm still stumped so I'll go ahead and ask
> it...
>
> Anyone noticed spammers using temporary dns records? By "temporary", I
> mean *really* temporary - i.e. only a few minutes of existence.

I can't say I've noticed this myself, but as you say, it takes a fairly
specific setup at your end of the system to be able to notice it...

> Besides, I'm not sure what the
> motivation would be for the spammer - if you can successfully get the dns
> records created for your sender domain, why bother making them short-lived?

Sounds to me like they're trying to come up with a mechanism which passes the
"does DNS seem to work okay" tests, but which can't be (easily) blacklisted
because names and/or IPs keep on changing.

If they don't do the DNS records, they'll get rejected for non-compliance, but
if they leave them in place, the server/domain names will get blocked.

That's my interpretation, anyway...

Antony.

--
Most people are aware that the Universe is big.

 - Paul Davies, Professor of Theoretical Physics

Please reply to the list; please don't CC me.

From taz at AZTEK-ENG.COM Mon Dec 29 16:13:22 2003
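The accept-then-reject pattern described in the two messages above can be measured rather than guessed at by correlating the gateway's accepts with the next hop's DNS-related rejections. This is an added example, not part of the original thread: the log format, queue IDs, reason tag and `find_vanishing_senders` are constructed assumptions, and real sendmail or MailScanner log lines would need their own parser.

```python
"""Correlate gateway accepts with next-hop rejects to spot short-lived sender DNS."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified log lines (not real sendmail or MailScanner output).
SAMPLE_LOG = """\
2003-12-29T15:41:07 gateway accept qid=hBTA01 from=<promo@mx1.shortlived.example>
2003-12-29T15:41:40 gateway accept qid=hBTA02 from=<alice@partner.example>
2003-12-29T15:42:15 gateway accept qid=hBTA03 from=<deal@mx2.shortlived.example>
2003-12-29T15:43:02 nexthop deliver qid=hBTA02 stat=sent
2003-12-29T15:46:30 nexthop reject qid=hBTA01 reason=sender-domain-unresolvable
2003-12-29T15:46:31 gateway dsn qid=hBTA01
2003-12-29T15:49:55 nexthop reject qid=hBTA03 reason=sender-domain-unresolvable
2003-12-29T15:49:56 gateway dsn qid=hBTA03
2003-12-29T16:20:00 gateway accept qid=hBTA04 from=<bob@old.example>
2003-12-29T19:05:00 nexthop reject qid=hBTA04 reason=mailbox-full
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\w+) qid=(\S+)(?: (.*))?$")
FROM_RE = re.compile(r"from=<[^@>]*@([^>]+)>")
DNS_REJECT = "reason=sender-domain-unresolvable"  # assumed reason tag


def parent_domain(host):
    """Naive grouping key: last two labels. Use a public-suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_vanishing_senders(log_text, window=timedelta(minutes=15)):
    """Return {parent domain: stats} for senders whose DNS resolved at accept
    time but was rejected as unresolvable by the next hop within `window`."""
    accepted = {}     # qid -> (accept time, sender host)
    rejected = {}     # qid -> time of first DNS-related reject
    dsn_qids = set()  # qids for which the gateway generated a DSN

    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # ignore lines that are not in the assumed format
        stamp, _source, event, qid, rest = match.groups()
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")
        rest = rest or ""
        if event == "accept":
            sender = FROM_RE.search(rest)
            if sender:
                accepted[qid] = (when, sender.group(1).lower())
        elif event == "reject" and DNS_REJECT in rest:
            rejected.setdefault(qid, when)
        elif event == "dsn":
            dsn_qids.add(qid)

    report = defaultdict(
        lambda: {"messages": 0, "hosts": set(), "max_gap_s": 0, "dsns": 0})
    for qid, rejected_at in rejected.items():
        if qid not in accepted:
            continue  # reject without a matching accept in this log slice
        accepted_at, host = accepted[qid]
        gap = rejected_at - accepted_at
        if timedelta(0) <= gap <= window:
            entry = report[parent_domain(host)]
            entry["messages"] += 1
            entry["hosts"].add(host)
            entry["max_gap_s"] = max(entry["max_gap_s"], int(gap.total_seconds()))
            entry["dsns"] += int(qid in dsn_qids)
    return dict(report)


if __name__ == "__main__":
    for domain, stats in sorted(find_vanishing_senders(SAMPLE_LOG).items()):
        print(domain, stats["messages"], "messages,", len(stats["hosts"]),
              "hosts, max gap", stats["max_gap_s"], "s,", stats["dsns"], "DSNs")
```

The DSN count matters because each bounce goes to whatever sender address the message claimed, so a rising count is a reason to move the DNS check to the first hop rather than the second.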
From: taz at AZTEK-ENG.COM (Travis Zadikem) Date: Thu Jan 12 21:21:40 2006 Subject: Quarantine cleaner script problem Message-ID: <001e01c3ce26$aea19510$e90200bf@tazpc> I have the quarantine cleaner script, but it fails under solaris with the following error: syntax error at line 18: `year=$' unexpected can someone please give me an idea of how to fix it. Thanks. From mailscanner at ecs.soton.ac.uk Mon Dec 29 16:37:41 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:40 2006 Subject: Quarantine cleaner script problem In-Reply-To: <001e01c3ce26$aea19510$e90200bf@tazpc> References: <001e01c3ce26$aea19510$e90200bf@tazpc> Message-ID: <6.0.1.1.2.20031229163603.02d77310@imap.ecs.soton.ac.uk> At 16:13 29/12/2003, you wrote: >I have the quarantine cleaner script, but it fails under solaris with >the following error: syntax error at line 18: `year=$' unexpected can >someone please give me an idea of how to fix it. What quarantine cleaner are you using? Mine doesn't contain "year" anywhere. If /bin/bash exists, try changing the first line to say #!/bin/bash instead of referring to /bin/sh. If, of course, it is a shell script and not a perl script! -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From taz at AZTEK-ENG.COM Mon Dec 29 16:49:19 2003 From: taz at AZTEK-ENG.COM (Travis Zadikem) Date: Thu Jan 12 21:21:40 2006 Subject: Quarantine cleaner script problem In-Reply-To: <6.0.1.1.2.20031229163603.02d77310@imap.ecs.soton.ac.uk> Message-ID: <000001c3ce2b$b484bf20$e90200bf@tazpc> Do you have a copy of it that I could look at? Thanks, T -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Monday, December 29, 2003 9:38 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Quarantine cleaner script problem At 16:13 29/12/2003, you wrote: >I have the quarantine cleaner script, but it fails under solaris with >the following error: syntax error at line 18: `year=$' unexpected can >someone please give me an idea of how to fix it. What quarantine cleaner are you using? Mine doesn't contain "year" anywhere. If /bin/bash exists, try changing the first line to say #!/bin/bash instead of referring to /bin/sh. If, of course, it is a shell script and not a perl script! -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Mon Dec 29 17:05:25 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:40 2006 Subject: Quarantine cleaner script problem In-Reply-To: <000001c3ce2b$b484bf20$e90200bf@tazpc> References: <6.0.1.1.2.20031229163603.02d77310@imap.ecs.soton.ac.uk> <000001c3ce2b$b484bf20$e90200bf@tazpc> Message-ID: <6.0.1.1.2.20031229170454.02d73170@imap.ecs.soton.ac.uk> Attached. At 16:49 29/12/2003, you wrote: >Do you have a copy of it that I could look at? > >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of Julian Field >Sent: Monday, December 29, 2003 9:38 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Quarantine cleaner script problem > > >At 16:13 29/12/2003, you wrote: > >I have the quarantine cleaner script, but it fails under solaris with > >the following error: syntax error at line 18: `year=$' unexpected can > >someone please give me an idea of how to fix it. > >What quarantine cleaner are you using? Mine doesn't contain "year" >anywhere. If /bin/bash exists, try changing the first line to say >#!/bin/bash instead of referring to /bin/sh. If, of course, it is a >shell script and not a perl script! -------------- next part -------------- A non-text attachment was scrubbed... Name: clean.quarantine Type: application/octet-stream Size: 997 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031229/5fdd4416/clean.obj -------------- next part -------------- -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From lindsay at pa.net Mon Dec 29 17:56:18 2003 From: lindsay at pa.net (Lindsay Snider) Date: Thu Jan 12 21:21:40 2006 Subject: Quarantine cleaner script problem In-Reply-To: <6.0.1.1.2.20031229170454.02d73170@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20031229163603.02d77310@imap.ecs.soton.ac.uk> <000001c3ce2b$b484bf20$e90200bf@tazpc> <6.0.1.1.2.20031229170454.02d73170@imap.ecs.soton.ac.uk> Message-ID: <1072720578.21178.7.camel@localhost.localdomain> Here is an alternate solution if you have tmpwatch: cron: /usr/sbin/tmpwatch --mtime 720 /var/spool/MailScanner/quarantine -lindsay On Mon, 2003-12-29 at 12:05, Julian Field wrote: > Attached. > > At 16:49 29/12/2003, you wrote: > >Do you have a copy of it that I could look at? > > > >-----Original Message----- 
> >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > >Behalf Of Julian Field > >Sent: Monday, December 29, 2003 9:38 AM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: Quarantine cleaner script problem > > > > > >At 16:13 29/12/2003, you wrote: > > >I have the quarantine cleaner script, but it fails under solaris with > > >the following error: syntax error at line 18: `year=$' unexpected can > > >someone please give me an idea of how to fix it. > > > >What quarantine cleaner are you using? Mine doesn't contain "year" > >anywhere. If /bin/bash exists, try changing the first line to say > >#!/bin/bash instead of referring to /bin/sh. If, of course, it is a > >shell script and not a perl script! > > ______________________________________________________________________ > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Lindsay Snider From taz at AZTEK-ENG.COM Mon Dec 29 18:26:56 2003 From: taz at AZTEK-ENG.COM (Travis Zadikem) Date: Thu Jan 12 21:21:40 2006 Subject: Quarantine cleaner script problem In-Reply-To: <6.0.1.1.2.20031229170454.02d73170@imap.ecs.soton.ac.uk> Message-ID: <000701c3ce39$5726e390$e90200bf@tazpc> That took care of the problem. I must have had a junk one. Thanks. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Monday, December 29, 2003 10:05 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Quarantine cleaner script problem Attached. At 16:49 29/12/2003, you wrote: >Do you have a copy of it that I could look at? > >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of Julian Field >Sent: Monday, December 29, 2003 9:38 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Quarantine cleaner script problem > > >At 16:13 29/12/2003, you wrote: > >I have the quarantine cleaner script, but it fails under solaris with > >the following error: syntax error at line 18: `year=$' unexpected can > >someone please give me an idea of how to fix it. > >What quarantine cleaner are you using? Mine doesn't contain "year" >anywhere. If /bin/bash exists, try changing the first line to say >#!/bin/bash instead of referring to /bin/sh. If, of course, it is a >shell script and not a perl script! From campbell at CNPAPERS.COM Mon Dec 29 21:08:35 2003 From: campbell at CNPAPERS.COM (Stephe Campbell) Date: Thu Jan 12 21:21:40 2006 Subject: HTML msg quarantined is warning mail instead of content References: <200312230000.hBN00GuJ030965@through.ads.apexinc.com> <200312230017.hBN0H1FI024507@soup.ads.apexinc.com> <3FE7C787.3040108@glendown.de> <6.0.1.1.2.20031223090246.03a1cb90@imap.ecs.soton.ac.uk> <3FE80E8F.9010903@glendown.de> Message-ID: <005901c3ce4f$ec2e4760$d401a8c0@cnpapers.net> Did this ever get resolved? I too have seen this happen, but not consistently. The archives show nothing following the post below. Fortunately, not many people ask for release of quarantined files here. Thanks. Steve Campbell campbell@cnpapers.com Charleston Newspapers ----- Original Message ----- 
From: "Garry Glendown" To: Sent: Tuesday, December 23, 2003 4:44 AM Subject: Re: HTML msg quarantined is warning mail instead of content > Julian Field wrote: > > > What MTA and version? > > > sendmail 8.12.10 > > > What OS and version? > > > Linux 2.4.21 / SuSE 9.0 > > > When did it stop working? > > > Can't say - one of our customers just notified me as he was trying to > download a quarantined HTML contents ... > > > Exactly what parameters make it work, and what doesn't work? > > > As mentioned in the original posting, some HTML contents is quarantined > correctly, for other, MailScanner stores the message the user receives > as the quarantine file ... have not had the time to do some tests ... > > -garry From garry at GLENDOWN.DE Mon Dec 29 21:16:25 2003 
From: garry at GLENDOWN.DE (Garry Glendown) Date: Thu Jan 12 21:21:40 2006 Subject: HTML msg quarantined is warning mail instead of content In-Reply-To: <005901c3ce4f$ec2e4760$d401a8c0@cnpapers.net> References: <200312230000.hBN00GuJ030965@through.ads.apexinc.com> <200312230017.hBN0H1FI024507@soup.ads.apexinc.com> <3FE7C787.3040108@glendown.de> <6.0.1.1.2.20031223090246.03a1cb90@imap.ecs.soton.ac.uk> <3FE80E8F.9010903@glendown.de> <005901c3ce4f$ec2e4760$d401a8c0@cnpapers.net> Message-ID: <3FF099A9.6030500@glendown.de> Stephe Campbell wrote: > Did this ever get resolved? I too have seen this happen, but not > consistently. The archives show nothing following the post below. > Fortunately, not many people ask for release of quarantined files here. Nope, nothing yet - though the kludge mentioned to make MailScanner store both the original message and header did help here ... As to consistency ... I still haven't been able to reconstruct when the contents and when mail message are stored, e.g. some rejected "FORM" contents will have the "correct" contents saved, while other FORM messages are falsely stored as the warning mail ... I have not had the time to try and feed test mails to MailScanner and see if I can find two messages that will (at least for me) consistently result in one being sorted out correctly, the other incorrectly ... -garry From matt at FILEHOLDER.NET Mon Dec 29 21:34:49 2003 From: matt at FILEHOLDER.NET (Matt) Date: Thu Jan 12 21:21:40 2006 Subject: Pyzor Message-ID: <02a701c3ce53$971355a0$7801a8c0@matthew> Anyone using Pyzor with MailScanner? Does it work very well? How did you get it to work? Matt From ugob at CAMO-ROUTE.COM Mon Dec 29 21:36:52 2003 
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:40 2006
Subject: Pyzor
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE2EC@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Matt [mailto:matt@FILEHOLDER.NET]
> Sent: Monday, December 29, 2003 4:35 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Pyzor
>
>
> Anyone using Pyzor with MailScanner?

I, and most of us on the list do

> Does it work very well?

Yes

> How did you
> get it to work?

By following the instructions.

>
> Matt
>

If you have a problem, please explain it.

Thanks

Ugo

From lindsay at pa.net Mon Dec 29 21:48:53 2003
From: lindsay at pa.net (Lindsay Snider)
Date: Thu Jan 12 21:21:40 2006
Subject: Pyzor
In-Reply-To: <02a701c3ce53$971355a0$7801a8c0@matthew>
References: <02a701c3ce53$971355a0$7801a8c0@matthew>
Message-ID: <1072734533.21178.15.camel@localhost.localdomain>

On Mon, 2003-12-29 at 16:34, Matt wrote:
> Anyone using Pyzor with MailScanner? Does it work very well?

It works well for us. Razor probably gives us the most trouble in the
form of timeouts.

> How did you
> get it to work?

I think it's pretty straightforward:

-Download from http://pyzor.sourceforge.net/
-python setup.py build
-python setup.py install
-pyzor discover

>
> Matt
--
Lindsay Snider

From mkettler at EVI-INC.COM Mon Dec 29 22:06:31 2003
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:21:40 2006 Subject: Pyzor In-Reply-To: <1072734533.21178.15.camel@localhost.localdomain> References: <02a701c3ce53$971355a0$7801a8c0@matthew> <1072734533.21178.15.camel@localhost.localdomain> Message-ID: <6.0.0.22.0.20031229170217.023d1bd0@xanadu.evi-inc.com> At 04:48 PM 12/29/2003, Lindsay Snider wrote: > > How did you > > get it to work? > >I think its pretty straight forward: Note: all of these "just download it and install it" assumptions are assuming you use SpamAssassin. But, assuming that you're using SpamAssassin with MailScanner, getting pyzor to run should be as simple as downloading, installing and running discover, as described. Without SpamAssassin MailScanner doesn't have any hooks to call razor, pyzor or DCC directly, like it can for DNSBLs. (unless Julian added that too and I missed it... which has been known to happen... Julian's quick enough he's hard to keep pace with) From Stephane.Lentz at ANSF.ALCATEL.FR Mon Dec 29 22:18:26 2003 
From: Stephane.Lentz at ANSF.ALCATEL.FR (Stephane Lentz)
Date: Thu Jan 12 21:21:40 2006
Subject: Pyzor
In-Reply-To: <1072734533.21178.15.camel@localhost.localdomain>
References: <02a701c3ce53$971355a0$7801a8c0@matthew> <1072734533.21178.15.camel@localhost.localdomain>
Message-ID: <20031229221826.GB23370@iww.netfr.alcatel.fr>

On Mon, Dec 29, 2003 at 04:48:53PM -0500, Lindsay Snider wrote:
> On Mon, 2003-12-29 at 16:34, Matt wrote:
> > Anyone using Pyzor with MailScanner? Does it work very well?
>
> It works well for us. Razor probably gives us the most trouble in the
> form of timeouts.
> ...

Lindsay & other Pyzor users,

did you experience a lot of false positives?
I just did some small tests and it looks pretty reliable and up to date.
It seems however to suffer from some timeout from time to time - less than
Razor apparently.
The default SA score for Pyzor checks seems way too low.
Which one do you recommend?

Best regards,

SL/

From ugob at CAMO-ROUTE.COM Mon Dec 29 22:25:46 2003
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:40 2006
Subject: Pyzor
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE2EE@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Stephane Lentz [mailto:Stephane.Lentz@ANSF.ALCATEL.FR]
> Sent: Monday, December 29, 2003 5:18 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Pyzor
>
>
> On Mon, Dec 29, 2003 at 04:48:53PM -0500, Lindsay Snider wrote:
> > On Mon, 2003-12-29 at 16:34, Matt wrote:
> > > Anyone using Pyzor with MailScanner? Does it work very well?
> >
> > It works well for us. Razor probably gives us the most trouble in the
> > form of timeouts.
> > ...
>
> Lindsay & other Pyzor users,
>
> did you experience a lot of false positives?

Hard to correlate false positives only with Pyzor, since the added score
is low, but I guess not.

> I just did some small tests and it looks pretty reliable and up to date.
> It seems however to suffer from some timeout from time to time - less than
> Razor apparently.
> The default SA score for Pyzor checks seems way too low.

I don't think so. Don't forget that people at SpamAssassin, who are
specialists and have stats about each test, decided on that score. The
strength of SpamAssassin is not only one test, but the results of all the
tests.

> Which one do you recommend?
>
> Best regards,
>
> SL/
>

From alc at TLYNX.COM Mon Dec 29 22:38:54 2003
From: alc at TLYNX.COM (Al Cooper)
Date: Thu Jan 12 21:21:40 2006
Subject: Mailscanner setup (sendmail start script)
Message-ID:

I am setting up mailscanner on a Redhat 9 box. I am following the
instructions provided by Julian Field at the following link:
http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml

I am at the point of modifying the sendmail start script in
/etc/rc.d/init.d. The instructions are as follows:

"Currently, your copy of sendmail will be started by a script such as
/etc/init.d/mail or /etc/rc.d/init.d/sendmail. Somewhere in this script will
be the command to start sendmail itself. This should look like this:

    sendmail -bd -q15m

You should change this to the following two lines:

    sendmail -bd -OPrivacyOptions=noetrn -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in
    sendmail -q15m"


Here is the "start" section of my sendmail start script

start() {
        # Start daemons.

        echo -n $"Starting $prog: "
        /usr/bin/newaliases > /dev/null 2>&1
        if test -x /usr/bin/make -a -f /etc/mail/Makefile ; then
          make all -C /etc/mail -s
        else
          for i in virtusertable access domaintable mailertable ; do
            if [ -f /etc/mail/$i ] ; then
                makemap hash /etc/mail/$i < /etc/mail/$i
            fi
          done
        fi
        daemon /usr/sbin/sendmail $([ "x$DAEMON" = xyes ] && echo -bd) \
                        $([ -n "$QUEUE" ] && echo -q$QUEUE)
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sendmail

        if ! test -f /var/run/sm-client.pid ; then
        echo -n $"Starting sm-client: "
        touch /var/run/sm-client.pid
        chown smmsp:smmsp /var/run/sm-client.pid
        daemon --check sm-client /usr/sbin/sendmail -L sm-msp-queue -Ac \
                        -q$SMQUEUE
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sm-client
        fi

        return $RETVAL
}


I am not a programmer. Can someone help me modify my start script or point
me to a more Redhat friendly install guide?

Thanks,

Al Cooper

From matt at FILEHOLDER.NET Tue Dec 30 00:47:49 2003
From: matt at FILEHOLDER.NET (Matt)
Date: Thu Jan 12 21:21:40 2006
Subject: Pyzor
Message-ID: <02ec01c3ce6e$8cef8e20$7801a8c0@matthew>

Alright, a better question. I am running MS and SA on a RAQ 550. I am now
debating between DCC and Pyzor. I am leaning towards DCC since it does not
require that I mess with Python. Perhaps even Razor but it looks like more
work.

Any pros or cons of one or the other? Do not want the trouble of installing
and maintaining both at this time.

Matt


> Anyone using Pyzor with MailScanner?
I, and most of us on the list do

> Does it work very well?

Yes
> How did you
> get it to work?

By following the instructions.
>
> Matt
>

If you have a problem, please explain it.

Thanks

Ugo

From ugob at CAMO-ROUTE.COM Tue Dec 30 01:48:25 2003
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:40 2006
Subject: Pyzor
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE2F2@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Matt [mailto:matt@FILEHOLDER.NET]
> Sent: Monday, December 29, 2003 7:48 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Pyzor
>
>
> Alright, a better question. I am running MS and SA on a RAQ 550. I am now
> debating between DCC and Pyzor. I am leaning towards DCC since it does not
> require that I mess with Python. Perhaps even Razor but it looks like more
> work.
>
> Any pros or cons of one or the other? Do not want the trouble of installing
> and maintaining both at this time.

I don't know about a RAQ, but installing DCC, Pyzor, and Razor on a Redhat 9
took me 5 minutes. Maybe if you would just explain what your problem is, we
could help you.

If you want pure, straight, personal advice:

In order: Razor, DCC, Pyzor.

Hth

Ugo

>
> Matt
>
>
> > Anyone using Pyzor with MailScanner?
> I, and most of us on the list do
>
> > Does it work very well?
>
> Yes
> > How did you
> > get it to work?
>
> By following the instructions.
> >
> > Matt
> >
>
> If you have a problem, please explain it.
>
> Thanks
>
> Ugo
>

From kfliong at WOFS.COM Tue Dec 30 01:35:04 2003
From: kfliong at WOFS.COM (kfliong)
Date: Thu Jan 12 21:21:40 2006
Subject: Allowing files whitelist
In-Reply-To: <6.0.0.22.0.20031226115025.03b54978@192.168.10.2>
References: <3FE9A83A.10794.487D43CC@localhost> <6.0.0.22.0.20031226115025.03b54978@192.168.10.2>
Message-ID: <6.0.0.22.0.20031230093247.02e811d0@192.168.10.2>

I have tried putting this line in filename.rules.conf

allow \QEODSmt(doc).exe\E$ - -

But the file is still getting through. Is it because filetype.rules.conf is
processed first? As filetype.rules.conf also filters out anything with .exe
extension. Or is my line there wrong?

Thanks in advance.

At 11:52 AM 12/26/2003, you wrote:
>Hi,
>
>How do I allow this file, EODSmt(doc).exe, to go through MailScanner? As I
>know, brackets were not allowed in Perl scripts as file name. So, how do I
>make sure that this file can go through MailScanner as any .exe files are
>filtered.
>
>Can I put EODSmt*.exe ?
>
>Thanks in advance.

thanks

From ugob at CAMO-ROUTE.COM Tue Dec 30 01:55:55 2003
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:40 2006
Subject: Allowing files whitelist
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE2F5@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: kfliong [mailto:kfliong@WOFS.COM]
> Sent: Monday, December 29, 2003 8:35 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Allowing files whitelist
>
>
> I have tried putting this line in filename.rules.conf
>
> allow \QEODSmt(doc).exe\E$ - -
>
> But the file is still getting through. Is it because filetype.rules.conf is
> processed first? As filetype.rules.conf also filters out anything with .exe
> extension. Or is my line there wrong?

filetype filters out files based on type. If your file is an executable,
and you have the default settings, it will be blocked. The filetype setting
uses the file command, which uses the 'magic bits', usually at the
beginning of a file, to determine its type.

hth
Ugo

>
> Thanks in advance.
>
> At 11:52 AM 12/26/2003, you wrote:
> >Hi,
> >
> >How do I allow this file, EODSmt(doc).exe, to go through MailScanner? As I
> >know, brackets were not allowed in Perl scripts as file name. So, how do I
> >make sure that this file can go through MailScanner as any .exe files are
> >filtered.
> >
> >Can I put EODSmt*.exe ?
> >
> >Thanks in advance.
>
> thanks
>

From kfliong at WOFS.COM Tue Dec 30 02:32:06 2003
From: kfliong at WOFS.COM (kfliong) Date: Thu Jan 12 21:21:40 2006 Subject: Allowing files whitelist In-Reply-To: <54C38A0B814C8E438EF73FC76F3629273AE2F5@mtlnt501fs.CAMOROUT E.COM> References: <54C38A0B814C8E438EF73FC76F3629273AE2F5@mtlnt501fs.CAMOROUTE.COM> Message-ID: <6.0.0.22.0.20031230103056.02e8d090@192.168.10.2> So, in other word, i have to allow in both section in filename.rules.conf and filetype.rules.conf in order to allow an EXE file to get through? At 09:55 AM 12/30/2003, you wrote: > > -----Message d'origine----- > > De : kfliong [mailto:kfliong@WOFS.COM] > > Envoy? : Monday, December 29, 2003 8:35 PM > > ? : MAILSCANNER@JISCMAIL.AC.UK > > Objet : Re: Allowing files whitelist > > > > > > I have tried putting this line in filename.rules.conf > > > > allow \QEODSmt(doc).exe\E$ - - > > > > But the file is still getting through. Is it because > > filetype.rules.conf is > > processed first? As filetype.rules.conf also filter out > > anything with .exe > > extension. Or is my line there wrong? >filetype filters out files based on type. If your file is an executable, >and you have the default settings, it will be blocked. filetype setting >uses the file commands that uses the 'magic bits', usually at the >beginning of a file, to determine its type. > >hth >Ugo > > > > > Thanks in advance. > > > > At 11:52 AM 12/26/2003, you wrote: > > >Hi, > > > > > >How do I allow this file, EODSmt(doc).exe, to go through > > MailScanner? As I > > >know, brackets were not allowed in Perl scripts as file > > name. So, how do I > > >make sure that this file can go through MailScanner as any > > .exe files are > > >filtered. > > > > > >Can I put EODSmt*.exe ? > > > > > >Thanks in advance. > > > > thanks > > thanks From darren at CONCEPTTECHNOLOGYINC.COM Tue Dec 30 06:02:25 2003 
From: darren at CONCEPTTECHNOLOGYINC.COM (Darren Fulton - Concept Technology) Date: Thu Jan 12 21:21:40 2006 Subject: MCP bug? Mcp only reading last rule .cf file Message-ID: <3FF114F1.7080505@concepttechnologyinc.com> Hello, I think this is a bug and would like input if it can be replicated by others and suggestions on how I can fix this whether it is a bug or if I've just screwed something up. Upgraded to latest revision which contained some mcp fixes. Issue: mcp checker uses only the last rule and not the other .cf rules located in /etc/MailScanner/mcp/ Meaning, it gives MCP scores to messages that apply to the last rule (alphabetically) in the directory but to the rules above it. MTA is postfix Info copied from terminal: [root@mailgateway mcp]# hostname mailgateway.healthleaders.com [root@mailgateway mcp]# uname -a Linux mailgateway.healthleaders.com 2.4.20-24.9 #1 Mon Dec 1 11:35:51 EST 2003 i686 i686 i386 GNU/Linux [root@mailgateway mcp]# pwd /etc/MailScanner/mcp [root@mailgateway mcp]# ls -la total 24 drwxr-xr-x 2 root root 4096 Dec 29 23:24 . drwxr-xr-x 6 root root 4096 Dec 29 22:58 .. 
-rw-r--r-- 1 root root 598 Dec 29 23:02 10_example.cf -rw-r--r-- 1 root root 111 Dec 29 23:31 11_penis_banned.cf -rw-r--r-- 1 root root 112 Dec 29 23:31 12_valium_banned.cf -rw-r--r-- 1 root root 1256 Dec 29 10:25 mcp.spam.assassin.prefs.conf [root@mailgateway mcp]# cat *.cf header BANNED Subject =~ /banned/i describe BANNED Banned Subject score BANNED 22 body BANNED_BODY /this text is banned/i describe BANNED_BODY Banned body text score BANNED_BODY 5 header BANNED Subject =~ /penis/i describe BANNED Banned Subject score BANNED 10 header BANNED Subject =~ /valium/i describe BANNED Banned Subject score BANNED 10 Some examples from the /var/log/maillog: Here is the valium one that worked: Dec 29 23:54:48 mailgateway postfix/cleanup[8909]: CD7073FEE: message-id=<20031230055417.CD7073FEE@mailgateway.healthleaders.com> Dec 29 23:54:48 mailgateway postfix/nqmgr[8768]: CD7073FEE: from=, size=440, nrcpt=1 (queue active) Dec 29 23:54:48 mailgateway postfix/nqmgr[8768]: CD7073FEE: to=, relay=none, delay=31, status=deferred (deferred transport) Dec 29 23:54:51 mailgateway MailScanner[8853]: New Batch: Scanning 1 messages, 613 bytes Dec 29 23:54:51 mailgateway MailScanner[8853]: MCP Checks: Starting Dec 29 23:54:51 mailgateway MailScanner[8853]: Message CD7073FEE from 127.0.0.1 (darren@internav.dyndns.org) to concepttechnologyinc.com is MCP, MCP-Checker (score=10, required 1, BANNED 10.00) Dec 29 23:54:51 mailgateway MailScanner[8853]: MCP Actions: message CD7073FEE actions are delete Here is the penis one that didn't work: Dec 29 23:36:27 mailgateway postfix/nqmgr[8768]: 3E71F3FEE: to=, relay=none, delay=44, status=deferred (deferred transport) Dec 29 23:36:27 mailgateway MailScanner[8859]: New Batch: Scanning 1 messages, 632 bytes Dec 29 23:36:27 mailgateway MailScanner[8859]: MCP Checks: Starting Dec 29 23:36:27 mailgateway MailScanner[8859]: Spam Checks: Starting Dec 29 23:36:28 mailgateway MailScanner[8859]: Virus and Content Scanning: Starting Dec 29 23:36:28 mailgateway 
postfix/nqmgr[8838]: 3D9181A7339: from=, size=720, nrcpt=1 (queue active) Dec 29 23:36:28 mailgateway MailScanner[8859]: Uninfected: Delivered 1 messages Dec 29 23:36:29 mailgateway postfix/smtp[8878]: 3D9181A7339: to=, relay=local.concepttechnologyinc.com[192.168.1.10], delay=46, status=sent (250 ok 1072763854 qp 21046) What do you think? Do you need more info? Best Regards, Darren Fulton Concept Technology, Inc. From mailscanner at ecs.soton.ac.uk Tue Dec 30 09:28:30 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:40 2006 Subject: Mailscanner setup (sendmail start script) In-Reply-To: References: Message-ID: <6.0.1.1.2.20031230092527.02d06dd0@imap.ecs.soton.ac.uk> If you are using it on a RedHat 9 box, you should be using the distribution clearly labelled "for RedHat Linux". If you did that, you would not need to ask this question as it would all be done for you. You should then be following the instructions for the RPM distribution which are here: http://www.sng.ecs.soton.ac.uk/mailscanner/install/linux.shtml At 22:38 29/12/2003, you wrote: >I am setting up mailscanner on a Redhat 9 box. I am following the >instructions provided by Julian Field at the following link: >http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml > >I am at the point of modifying the sendmail start script in >/etc/rc.d/init.d. The instructions are as follows: > >"Currently, your copy of sendmail will be started by a script such as >/etc/init.d/mail or /etc/rc.d/init.d/sendmail. Somewhere in this script will >be the command to start sendmail itself. This should look like this: > > sendmail -bd -q15m > >You should change this to the following two lines: -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Dec 30 09:31:13 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:40 2006 Subject: MCP bug? Mcp only reading last rule .cf file In-Reply-To: <3FF114F1.7080505@concepttechnologyinc.com> References: <3FF114F1.7080505@concepttechnologyinc.com> Message-ID: <6.0.1.1.2.20031230093045.0418d390@imap.ecs.soton.ac.uk> At 06:02 30/12/2003, you wrote: >Hello, >I think this is a bug and would like input if it can be replicated by >others and suggestions on how I can fix this whether it is a bug or if >I've just screwed something up. Upgraded to latest revision which >contained some mcp fixes. > >Issue: mcp checker uses only the last rule and not the other .cf rules >located in /etc/MailScanner/mcp/ >Meaning, it gives MCP scores to messages that apply to the last rule >(alphabetically) in the directory but to the rules above it. > >MTA is postfix > >Info copied from terminal: > >[root@mailgateway mcp]# hostname >mailgateway.healthleaders.com >[root@mailgateway mcp]# uname -a >Linux mailgateway.healthleaders.com 2.4.20-24.9 #1 Mon Dec 1 11:35:51 >EST 2003 i686 i686 i386 GNU/Linux >[root@mailgateway mcp]# pwd >/etc/MailScanner/mcp >[root@mailgateway mcp]# ls -la >total 24 >drwxr-xr-x 2 root root 4096 Dec 29 23:24 . >drwxr-xr-x 6 root root 4096 Dec 29 22:58 .. >-rw-r--r-- 1 root root 598 Dec 29 23:02 10_example.cf >-rw-r--r-- 1 root root 111 Dec 29 23:31 11_penis_banned.cf >-rw-r--r-- 1 root root 112 Dec 29 23:31 12_valium_banned.cf >-rw-r--r-- 1 root root 1256 Dec 29 10:25 >mcp.spam.assassin.prefs.conf > >[root@mailgateway mcp]# cat *.cf > >header BANNED Subject =~ /banned/i >describe BANNED Banned Subject >score BANNED 22 > >body BANNED_BODY /this text is banned/i >describe BANNED_BODY Banned body text >score BANNED_BODY 5 > >header BANNED Subject =~ /penis/i >describe BANNED Banned Subject >score BANNED 10 > >header BANNED Subject =~ /valium/i >describe BANNED Banned Subject >score BANNED 10 You have given 3 of your rules the same name. 
All rules must have different names. >Some examples from the /var/log/maillog: > >Here is the valium one that worked: >Dec 29 23:54:48 mailgateway postfix/cleanup[8909]: CD7073FEE: >message-id=<20031230055417.CD7073FEE@mailgateway.healthleaders.com> >Dec 29 23:54:48 mailgateway postfix/nqmgr[8768]: CD7073FEE: >from=, size=440, nrcpt=1 (queue active) >Dec 29 23:54:48 mailgateway postfix/nqmgr[8768]: CD7073FEE: >to=, relay=none, delay=31, >status=deferred (deferred transport) >Dec 29 23:54:51 mailgateway MailScanner[8853]: New Batch: Scanning 1 >messages, 613 bytes >Dec 29 23:54:51 mailgateway MailScanner[8853]: MCP Checks: Starting >Dec 29 23:54:51 mailgateway MailScanner[8853]: Message CD7073FEE from >127.0.0.1 (darren@internav.dyndns.org) to concepttechnologyinc.com is >MCP, MCP-Checker (score=10, required 1, BANNED 10.00) >Dec 29 23:54:51 mailgateway MailScanner[8853]: MCP Actions: message >CD7073FEE actions are delete > >Here is the penis one that didn't work: >Dec 29 23:36:27 mailgateway postfix/nqmgr[8768]: 3E71F3FEE: >to=, relay=none, delay=44, >status=deferred (deferred transport) >Dec 29 23:36:27 mailgateway MailScanner[8859]: New Batch: Scanning 1 >messages, 632 bytes >Dec 29 23:36:27 mailgateway MailScanner[8859]: MCP Checks: Starting >Dec 29 23:36:27 mailgateway MailScanner[8859]: Spam Checks: Starting >Dec 29 23:36:28 mailgateway MailScanner[8859]: Virus and Content >Scanning: Starting >Dec 29 23:36:28 mailgateway postfix/nqmgr[8838]: 3D9181A7339: >from=, size=720, nrcpt=1 (queue active) >Dec 29 23:36:28 mailgateway MailScanner[8859]: Uninfected: Delivered 1 >messages >Dec 29 23:36:29 mailgateway postfix/smtp[8878]: 3D9181A7339: >to=, >relay=local.concepttechnologyinc.com[192.168.1.10], delay=46, >status=sent (250 ok 1072763854 qp 21046) > >What do you think? Do you need more info? > >Best Regards, > >Darren Fulton >Concept Technology, Inc. 
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Dec 30 09:30:11 2003 
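The diagnosis in the reply above (three rules all named BANNED) can be checked mechanically. The following Python linter is an added example, not part of the original thread and not MailScanner or SpamAssassin code. It assumes the .cf files load in alphabetical order and that a later definition of a name replaces an earlier one, which matches the log excerpts in the thread; the function names are hypothetical and SAMPLE_FILES is constructed from the `cat *.cf` output quoted above.

```python
"""Lint SpamAssassin-style .cf rule files for rule names defined more than once."""
import re
from collections import defaultdict, namedtuple

# Constructed sample: the three files from the thread's `cat *.cf` output.
SAMPLE_FILES = {
    "10_example.cf": (
        "header BANNED Subject =~ /banned/i\n"
        "describe BANNED Banned Subject\n"
        "score BANNED 22\n"
        "\n"
        "body BANNED_BODY /this text is banned/i\n"
        "describe BANNED_BODY Banned body text\n"
        "score BANNED_BODY 5\n"
    ),
    "11_penis_banned.cf": (
        "header BANNED Subject =~ /penis/i\n"
        "describe BANNED Banned Subject\n"
        "score BANNED 10\n"
    ),
    "12_valium_banned.cf": (
        "header BANNED Subject =~ /valium/i\n"
        "describe BANNED Banned Subject\n"
        "score BANNED 10\n"
    ),
}

# Keywords that define a test; describe/score only annotate an existing name.
DEFINING = {"header", "body", "rawbody", "uri", "full", "meta"}

Definition = namedtuple("Definition", "name keyword rest filename lineno")


def parse_definitions(filename, text):
    """Yield one Definition per line that defines a test."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] in DEFINING:
            yield Definition(parts[1], parts[0], parts[2], filename, lineno)


def load_in_order(files):
    """All definitions, files taken in alphabetical order (assumed load order)."""
    defs = []
    for filename in sorted(files):
        defs.extend(parse_definitions(filename, files[filename]))
    return defs


def find_duplicates(files):
    """Map each rule name defined more than once to all of its definitions."""
    by_name = defaultdict(list)
    for d in load_in_order(files):
        by_name[d.name].append(d)
    return {name: ds for name, ds in by_name.items() if len(ds) > 1}


def effective_rules(files):
    """Assumption: the last definition of a name is the one that stays active."""
    return {d.name: d for d in load_in_order(files)}


def report(files):
    """One line per shadowed definition, pointing at the one that replaces it."""
    lines = []
    for name, ds in sorted(find_duplicates(files).items()):
        winner = ds[-1]
        for d in ds[:-1]:
            lines.append(f"{d.filename}:{d.lineno}: rule {name} is replaced by "
                         f"{winner.filename}:{winner.lineno}")
    return lines


# Matches the simple `Subject =~ /pattern/flags` form used in the thread.
HEADER_RE = re.compile(r"^(\S+)\s*=~\s*/(.*)/([a-z]*)$")


def subject_hits(files, subject):
    """Names of the effective Subject header rules that match `subject`.

    Uses Python's re module, which is close enough to Perl for these
    literal patterns but is not a general Perl regex evaluator.
    """
    hits = []
    for d in effective_rules(files).values():
        m = HEADER_RE.match(d.rest) if d.keyword == "header" else None
        if not m or m.group(1).lower() != "subject":
            continue
        flags = re.I if "i" in m.group(3) else 0
        if re.search(m.group(2), subject, flags):
            hits.append(d.name)
    return hits


if __name__ == "__main__":
    for line in report(SAMPLE_FILES):
        print(line)
    for subject in ("cheap valium", "this is banned"):
        print(repr(subject), "->", subject_hits(SAMPLE_FILES, subject))
```

Renaming the rules so each file uses its own name (for example a distinct suffix per file) makes report() return an empty list.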
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:40 2006 Subject: Allowing files whitelist In-Reply-To: <6.0.0.22.0.20031230103056.02e8d090@192.168.10.2> References: <54C38A0B814C8E438EF73FC76F3629273AE2F5@mtlnt501fs.CAMOROUTE.COM> <6.0.0.22.0.20031230103056.02e8d090@192.168.10.2> Message-ID: <6.0.1.1.2.20031230092931.02d6c328@imap.ecs.soton.ac.uk> At 02:32 30/12/2003, you wrote: >So, in other word, i have to allow in both section in filename.rules.conf >and filetype.rules.conf in order to allow an EXE file to get through? Correct. "deny" takes effect immediately, "allow" lets it through to the next check. >At 09:55 AM 12/30/2003, you wrote: > >> > -----Message d'origine----- >> > De : kfliong [mailto:kfliong@WOFS.COM] >> > Envoy? : Monday, December 29, 2003 8:35 PM >> > ? : MAILSCANNER@JISCMAIL.AC.UK >> > Objet : Re: Allowing files whitelist >> > >> > >> > I have tried putting this line in filename.rules.conf >> > >> > allow \QEODSmt(doc).exe\E$ - - >> > >> > But the file is still getting through. Is it because >> > filetype.rules.conf is >> > processed first? As filetype.rules.conf also filter out >> > anything with .exe >> > extension. Or is my line there wrong? >>filetype filters out files based on type. If your file is an executable, >>and you have the default settings, it will be blocked. filetype setting >>uses the file commands that uses the 'magic bits', usually at the >>beginning of a file, to determine its type. >> >>hth >>Ugo >> >> > >> > Thanks in advance. >> > >> > At 11:52 AM 12/26/2003, you wrote: >> > >Hi, >> > > >> > >How do I allow this file, EODSmt(doc).exe, to go through >> > MailScanner? As I >> > >know, brackets were not allowed in Perl scripts as file >> > name. So, how do I >> > >make sure that this file can go through MailScanner as any >> > .exe files are >> > >filtered. >> > > >> > >Can I put EODSmt*.exe ? >> > > >> > >Thanks in advance. 
>> > >> > thanks >> > > >thanks -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From Wilfred.Bolten at TOMMY-EUROPE.COM Tue Dec 30 10:08:34 2003 From: Wilfred.Bolten at TOMMY-EUROPE.COM (Wilfred Bolten) Date: Thu Jan 12 21:21:40 2006 Subject: Mailscanner setup (sendmail start script) Message-ID: <022DE3728F924649909E989B955E68F888B4AD@NLDAMS0139.Tommy-Europe.com> Hi, Same problem here. SuseLinux 9 with sendmail. Even when you change the line mentioned at the page and restart sendmail the scanner does not seem to be present. Havent been able to figure this out yet. WB -----Original Message----- 
From: Al Cooper [mailto:alc@TLYNX.COM] Sent: Monday, December 29, 2003 11:39 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Mailscanner setup (sendmail start script) I am setting up mailscanner on a Redhat 9 box. I am following the instructions provided by Julian Field at the following link: http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml I am at the point of modifying the sendmail start script in /etc/rc.d/init.d. The instructions are as follows: "Currently, your copy of sendmail will be started by a script such as /etc/init.d/mail or /etc/rc.d/init.d/sendmail. Somewhere in this script will be the command to start sendmail itself. This should look like this: sendmail -bd -q15m You should change this to the following two lines: sendmail -bd -OPrivacyOptions=noetrn -ODeliveryMode=queueonly -OQueueDirecto ry=/var/spool/mqueue.in sendmail -q15m" Here is the "start" section of my sendmail start script start() { # Start daemons. echo -n $"Starting $prog: " /usr/bin/newaliases > /dev/null 2>&1 if test -x /usr/bin/make -a -f /etc/mail/Makefile ; then make all -C /etc/mail -s else for i in virtusertable access domaintable mailertable ; do if [ -f /etc/mail/$i ] ; then makemap hash /etc/mail/$i < /etc/mail/$i fi done fi daemon /usr/sbin/sendmail $([ "x$DAEMON" = xyes ] && echo -bd) \ $([ -n "$QUEUE" ] && echo -q$QUEUE) RETVAL=$? echo [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sendmail if ! test -f /var/run/sm-client.pid ; then echo -n $"Starting sm-client: " touch /var/run/sm-client.pid chown smmsp:smmsp /var/run/sm-client.pid daemon --check sm-client /usr/sbin/sendmail -L sm-msp-queue -Ac \ -q$SMQUEUE RETVAL=$? echo [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sm-client fi return $RETVAL } I am not a programmer. Can someone help me modify my start script or point me to a more Redhat friendly install guide? 
Thanks, Al Cooper ******************************************************* Confidentiality: This e-mail and its attachments are intended for the above named only and may be confidential. If they have come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please reply to this e-mail and highlight the error. Security Warning: Please note that this e-mail has been created in the knowledge that Internet e-mail is not a 100% secure communications medium. We advise that you understand and observe this lack of security when e-mailing us. Viruses: Although we have taken steps to ensure that this e-mail and attachments are free from any virus. We advise that in keeping with good computing practice the recipient should ensure they are actually virus free. From mailscanner at ecs.soton.ac.uk Tue Dec 30 10:28:40 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:40 2006 Subject: Mailscanner setup (sendmail start script) In-Reply-To: <022DE3728F924649909E989B955E68F888B4AD@NLDAMS0139.Tommy-Eu rope.com> References: <022DE3728F924649909E989B955E68F888B4AD@NLDAMS0139.Tommy-Europe.com> Message-ID: <6.0.1.1.2.20031230102818.02d0b928@imap.ecs.soton.ac.uk> And there is a SuSE distribution which you should be using, rather than doing it the hard way. At 10:08 30/12/2003, you wrote: >Hi, > >Same problem here. SuseLinux 9 with sendmail. Even when you change the >line mentioned at the page and restart sendmail the scanner does not seem >to be present. Havent been able to figure this out yet. > >WB > >-----Original Message----- 
>From: Al Cooper [mailto:alc@TLYNX.COM] >Sent: Monday, December 29, 2003 11:39 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Mailscanner setup (sendmail start script) > > >I am setting up mailscanner on a Redhat 9 box. I am following the >instructions provided by Julian Field at the following link: >http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml > >I am at the point of modifying the sendmail start script in >/etc/rc.d/init.d. The instructions are as follows: > >"Currently, your copy of sendmail will be started by a script such as >/etc/init.d/mail or /etc/rc.d/init.d/sendmail. Somewhere in this script will >be the command to start sendmail itself. This should look like this: > > sendmail -bd -q15m > >You should change this to the following two lines: > > > > > >sendmail -bd -OPrivacyOptions=noetrn -ODeliveryMode=queueonly -OQueueDirecto >ry=/var/spool/mqueue.in > sendmail -q15m" > > >Here is the "start" section of my sendmail start script > >start() { > # Start daemons. > > echo -n $"Starting $prog: " > /usr/bin/newaliases > /dev/null 2>&1 > if test -x /usr/bin/make -a -f /etc/mail/Makefile ; then > make all -C /etc/mail -s > else > for i in virtusertable access domaintable mailertable ; do > if [ -f /etc/mail/$i ] ; then > makemap hash /etc/mail/$i < /etc/mail/$i > fi > done > fi > daemon /usr/sbin/sendmail $([ "x$DAEMON" = xyes ] && echo -bd) \ > $([ -n "$QUEUE" ] && echo -q$QUEUE) > RETVAL=$? > echo > [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sendmail > > if ! test -f /var/run/sm-client.pid ; then > echo -n $"Starting sm-client: " > touch /var/run/sm-client.pid > chown smmsp:smmsp /var/run/sm-client.pid > daemon --check sm-client /usr/sbin/sendmail -L sm-msp-queue -Ac \ > -q$SMQUEUE > RETVAL=$? > echo > [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sm-client > fi > > return $RETVAL >} > > >I am not a programmer. Can someone help me modify my start script or point >me to a more Redhat friendly install guide? 
> >Thanks, > >Al Cooper > >******************************************************* > >Confidentiality: This e-mail and its attachments are intended for the >above named only and may be confidential. >If they have come to you in error you must take no action based on them, >nor must you copy or show them to anyone. >Please reply to this e-mail and highlight the error. > >Security Warning: Please note that this e-mail has been created in the >knowledge that Internet e-mail is not a 100% secure communications medium. >We advise that you understand and observe this lack of security when >e-mailing us. > >Viruses: Although we have taken steps to ensure that this e-mail and >attachments are free from any virus. >We advise that in keeping with good computing practice the recipient >should ensure they are actually virus free. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From taz at AZTEK-ENG.COM Tue Dec 30 13:50:29 2003 From: taz at AZTEK-ENG.COM (Travis Zadikem) Date: Thu Jan 12 21:21:40 2006 Subject: Mailscanner setup (sendmail start script) In-Reply-To: <6.0.1.1.2.20031230092527.02d06dd0@imap.ecs.soton.ac.uk> Message-ID: <000201c3cedb$e32617b0$e90200bf@tazpc> I have enclosed one that I am using under Solaris that I MODIFIED from what I had gotten a while back from Julian Field. It has start/stop/restart/status. -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Tuesday, December 30, 2003 2:29 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Mailscanner setup (sendmail start script) If you are using it on a RedHat 9 box, you should be using the distribution clearly labelled "for RedHat Linux". If you did that, you would not need to ask this question as it would all be done for you. You should then be following the instructions for the RPM distribution which are here: http://www.sng.ecs.soton.ac.uk/mailscanner/install/linux.shtml At 22:38 29/12/2003, you wrote: >I am setting up mailscanner on a Redhat 9 box. I am following the >instructions provided by Julian Field at the following link: >http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml > >I am at the point of modifying the sendmail start script in >/etc/rc.d/init.d. The instructions are as follows: > >"Currently, your copy of sendmail will be started by a script such as >/etc/init.d/mail or /etc/rc.d/init.d/sendmail. Somewhere in this script >will be the command to start sendmail itself. This should look like >this: > > sendmail -bd -q15m > >You should change this to the following two lines: -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -------------- next part -------------- A non-text attachment was scrubbed... Name: mailscanner Type: application/octet-stream Size: 3254 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031230/a99e89c2/mailscanner.obj From mailscanner at LISTS.COM.AR Tue Dec 30 15:43:00 2003 
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:21:40 2006
Subject: tag & pass viruses
Message-ID: <3FF172D4.16861.80CDBC6D@localhost>

Hi,

I know this will sound strange (or plain stupid, to be more precise), but
I do need to verify this...

Can I configure MailScanner so that it identifies & tags viruses but...
lets them pass?? (let's say something like "attachment deliver")

Regards and a nice year for all!


--
Mariano Absatz
El Baby
----------------------------------------------------------
Allow me to introduce my selves.

From ugob at CAMO-ROUTE.COM Tue Dec 30 15:52:15 2003
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:40 2006
Subject: tag & pass viruses
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE2F8@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Mariano Absatz [mailto:mailscanner@LISTS.COM.AR]
> Sent: Tuesday, December 30, 2003 10:43 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: tag & pass viruses
>
>
> Hi,
>
> I know this will sound strange (or plain stupid, to be more precise), but
> I do need to verify this...
>
> Can I configure MailScanner so that it identifies & tags viruses but...
> lets them pass?? (let's say something like "attachment deliver")

As long as you have "deliver", it will pass, tagged.

hth

Ugo

>
> Regards and a nice year for all!
>
>
> --
> Mariano Absatz
> El Baby
> ----------------------------------------------------------
> Allow me to introduce my selves.
>

From chris at TRUDEAU.ORG Tue Dec 30 16:05:38 2003
From: chris at TRUDEAU.ORG (Chris Trudeau)
Date: Thu Jan 12 21:21:40 2006
Subject: Reporting/Summary
References: <022DE3728F924649909E989B955E68F888B4AD@NLDAMS0139.Tommy-Europe.com>
Message-ID: <04ef01c3ceee$c45af720$4e19000a@ATLCPW13671>

I'm sure it has been mentioned here, but I can't find it in the archives...

What tools are you using (home-grown or not) on Sendmail MS systems to provide daily summary statistics related to message volume spam percentage etc...Anything out there?

CT

From mailscanner at ecs.soton.ac.uk Tue Dec 30 16:12:13 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:40 2006
Subject: Reporting/Summary
In-Reply-To: <04ef01c3ceee$c45af720$4e19000a@ATLCPW13671>
References: <022DE3728F924649909E989B955E68F888B4AD@NLDAMS0139.Tommy-Europe.com> <04ef01c3ceee$c45af720$4e19000a@ATLCPW13671>
Message-ID: <6.0.1.1.2.20031230161203.0468fd18@imap.ecs.soton.ac.uk>

MailWatch. Find it with Google.

At 16:05 30/12/2003, you wrote:
>I'm sure it has been mentioned here, but I can't find it in the archives...
>
>What tools are you using (home-grown or not) on Sendmail MS systems to
>provide daily summary statistics related to message volume spam percentage
>etc...Anything out there?
>
>CT

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From Kevin_Miller at CI.JUNEAU.AK.US Tue Dec 30 16:09:06 2003
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller)
Date: Thu Jan 12 21:21:40 2006
Subject: Mailscanner setup (sendmail start script)
Message-ID: <08146035CA49D6119A36009027AC822A0264EC13@CITY-EXCH-NTS>

Don't modify the sendmail script. You'll find a MailScanner script in the /etc/init.d directory with all the right pixie dust already in it.

As root, do:
    chkconfig sendmail off
(or 'chkconfig postfix off' if one is running that instead of sendmail - it being the current SuSE default MTA)
then:
    chkconfig MailScanner on

That will turn off the default sendmail script at startup, and configure MailScanner to start.

It's a bit confusing at first. With different distros doing things different ways it almost begs for a separate install instruction page for each but that would be pretty tedious and hard to maintain. Guess that's the beauty of the mailing list.

There's more pieces to the puzzle in /etc/sysconfig/MailScanner. Look in there, make sure the MTA is set to sendmail (it defaults to postfix), and try again...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Administrator, Mail Administrator
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

>-----Original Message-----
>From: Wilfred Bolten [mailto:Wilfred.Bolten@TOMMY-EUROPE.COM]
>Sent: Tuesday, December 30, 2003 1:09 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Mailscanner setup (sendmail start script)
>
>
>Hi,
>
>Same problem here. SuseLinux 9 with sendmail. Even when you
>change the line mentioned at the page and restart sendmail the
>scanner does not seem to be present. Haven't been able to
>figure this out yet.
>
>WB
>
>-----Original Message-----
>From: Al Cooper [mailto:alc@TLYNX.COM] >Sent: Monday, December 29, 2003 11:39 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Mailscanner setup (sendmail start script) > > >I am setting up mailscanner on a Redhat 9 box. I am following the >instructions provided by Julian Field at the following link: >http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml > >I am at the point of modifying the sendmail start script in >/etc/rc.d/init.d. The instructions are as follows: > >"Currently, your copy of sendmail will be started by a script such as >/etc/init.d/mail or /etc/rc.d/init.d/sendmail. Somewhere in >this script will >be the command to start sendmail itself. This should look like this: > > sendmail -bd -q15m > >You should change this to the following two lines: > > > > > >sendmail -bd -OPrivacyOptions=noetrn -ODeliveryMode=queueonly >-OQueueDirecto >ry=/var/spool/mqueue.in > sendmail -q15m" > > >Here is the "start" section of my sendmail start script > >start() { > # Start daemons. > > echo -n $"Starting $prog: " > /usr/bin/newaliases > /dev/null 2>&1 > if test -x /usr/bin/make -a -f /etc/mail/Makefile ; then > make all -C /etc/mail -s > else > for i in virtusertable access domaintable mailertable ; do > if [ -f /etc/mail/$i ] ; then > makemap hash /etc/mail/$i < /etc/mail/$i > fi > done > fi > daemon /usr/sbin/sendmail $([ "x$DAEMON" = xyes ] && >echo -bd) \ > $([ -n "$QUEUE" ] && echo -q$QUEUE) > RETVAL=$? > echo > [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sendmail > > if ! test -f /var/run/sm-client.pid ; then > echo -n $"Starting sm-client: " > touch /var/run/sm-client.pid > chown smmsp:smmsp /var/run/sm-client.pid > daemon --check sm-client /usr/sbin/sendmail -L >sm-msp-queue -Ac \ > -q$SMQUEUE > RETVAL=$? > echo > [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sm-client > fi > > return $RETVAL >} > > >I am not a programmer. Can someone help me modify my start >script or point >me to a more Redhat friendly install guide? 
>
>Thanks,
>
>Al Cooper
>
>*******************************************************
>
>Confidentiality: This e-mail and its attachments are intended
>for the above named only and may be confidential.
>If they have come to you in error you must take no action
>based on them, nor must you copy or show them to anyone.
>Please reply to this e-mail and highlight the error.
>
>Security Warning: Please note that this e-mail has been
>created in the knowledge that Internet e-mail is not a 100%
>secure communications medium.
>We advise that you understand and observe this lack of
>security when e-mailing us.
>
>Viruses: Although we have taken steps to ensure that this
>e-mail and attachments are free from any virus.
>We advise that in keeping with good computing practice the
>recipient should ensure they are actually virus free.
>

From taz at AZTEK-ENG.COM Tue Dec 30 16:10:34 2003
From: taz at AZTEK-ENG.COM (Travis Zadikem)
Date: Thu Jan 12 21:21:40 2006
Subject: Reporting/Summary
In-Reply-To: <04ef01c3ceee$c45af720$4e19000a@ATLCPW13671>
Message-ID: <001201c3ceef$74cf3cb0$e90200bf@tazpc>

I am using MRTG

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Chris Trudeau
Sent: Tuesday, December 30, 2003 9:06 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Reporting/Summary

I'm sure it has been mentioned here, but I can't find it in the archives...

What tools are you using (home-grown or not) on Sendmail MS systems to provide daily summary statistics related to message volume spam percentage etc...Anything out there?

CT

From ugob at CAMO-ROUTE.COM Tue Dec 30 16:12:34 2003
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:40 2006
Subject: Reporting/Summary
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE2F9@mtlnt501fs.CAMOROUTE.COM>

>
>
> I am using MRTG

Mailstats is also very good.

>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Chris Trudeau
> Sent: Tuesday, December 30, 2003 9:06 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Reporting/Summary
>
>
> I'm sure it has been mentioned here, but I can't find it in the
> archives...
>
> What tools are you using (home-grown or not) on Sendmail MS systems to
> provide daily summary statistics related to message volume spam
> percentage etc...Anything out there?
>
> CT
>

From ugob at CAMO-ROUTE.COM Tue Dec 30 16:13:47 2003
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:40 2006
Subject: Reporting/Summary
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE2FA@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: Tuesday, December 30, 2003 11:12 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Reporting/Summary
>
>
> MailWatch. Find it with Google.

http://sourceforge.net/projects/mailwatch/

>
> At 16:05 30/12/2003, you wrote:
> >I'm sure it has been mentioned here, but I can't find it in
> the archives...
> >
> >What tools are you using (home-grown or not) on Sendmail MS
> systems to
> >provide daily summary statistics related to message volume
> spam percentage
> >etc...Anything out there?
> >
> >CT
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

From christopher.albert at MCGILL.CA Tue Dec 30 16:16:21 2003
From: christopher.albert at MCGILL.CA (chris albert) Date: Thu Jan 12 21:21:41 2006 Subject: Reporting/Summary In-Reply-To: <04ef01c3ceee$c45af720$4e19000a@ATLCPW13671> References: <022DE3728F924649909E989B955E68F888B4AD@NLDAMS0139.Tommy-Europe.com> <04ef01c3ceee$c45af720$4e19000a@ATLCPW13671> Message-ID: <3FF1A4D5.3010202@mcgill.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Chris Trudeau wrote: >I'm sure it has been mentioned here, but I can't find it in the archives... > >What tools are you using (home-grown or not) on Sendmail MS systems to >provide daily summary statistics related to message volume spam percetnage >etc...Anything out there? > >CT Have you looked at Mail::Graph which can generate pages like: http://bloodgate.com/spams/stats.html ? C -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE/8aTVkRKXIlZkCr8RAgRkAJ9+vQsO0H1wdU4q8ahTV4gyhlHxvwCfa8Uw b9kC6pUAKscZlaepHASj3J4= =lxJV -----END PGP SIGNATURE----- From darren at concepttechnologyinc.com Tue Dec 30 16:45:45 2003 
From: darren at concepttechnologyinc.com (Darren Fulton - Concept Technology) Date: Thu Jan 12 21:21:41 2006 Subject: MCP bug? Mcp only reading last rule .cf file In-Reply-To: <6.0.1.1.2.20031230093045.0418d390@imap.ecs.soton.ac.uk> References: <3FF114F1.7080505@concepttechnologyinc.com> <6.0.1.1.2.20031230093045.0418d390@imap.ecs.soton.ac.uk> Message-ID: <63866.65.107.156.90.1072802745.squirrel@host1.concepttechnologyinc.com> > At 06:02 30/12/2003, you wrote: >>Hello, >>I think this is a bug and would like input if it can be replicated by >>others and suggestions on how I can fix this whether it is a bug or if >>I've just screwed something up. Upgraded to latest revision which >>contained some mcp fixes. >> >>Issue: mcp checker uses only the last rule and not the other .cf rules >>located in /etc/MailScanner/mcp/ >>Meaning, it gives MCP scores to messages that apply to the last rule >>(alphabetically) in the directory but to the rules above it. >> >>MTA is postfix >> >>Info copied from terminal: >> >>[root@mailgateway mcp]# hostname >>mailgateway.healthleaders.com >>[root@mailgateway mcp]# uname -a >>Linux mailgateway.healthleaders.com 2.4.20-24.9 #1 Mon Dec 1 11:35:51 >>EST 2003 i686 i686 i386 GNU/Linux >>[root@mailgateway mcp]# pwd >>/etc/MailScanner/mcp >>[root@mailgateway mcp]# ls -la >>total 24 >>drwxr-xr-x 2 root root 4096 Dec 29 23:24 . >>drwxr-xr-x 6 root root 4096 Dec 29 22:58 .. 
>>-rw-r--r-- 1 root root 598 Dec 29 23:02 10_example.cf >>-rw-r--r-- 1 root root 111 Dec 29 23:31 >> 11_penis_banned.cf >>-rw-r--r-- 1 root root 112 Dec 29 23:31 >> 12_valium_banned.cf >>-rw-r--r-- 1 root root 1256 Dec 29 10:25 >>mcp.spam.assassin.prefs.conf >> >>[root@mailgateway mcp]# cat *.cf >> >>header BANNED Subject =~ /banned/i >>describe BANNED Banned Subject >>score BANNED 22 >> >>body BANNED_BODY /this text is banned/i >>describe BANNED_BODY Banned body text >>score BANNED_BODY 5 >> >>header BANNED Subject =~ /penis/i >>describe BANNED Banned Subject >>score BANNED 10 >> >>header BANNED Subject =~ /valium/i >>describe BANNED Banned Subject >>score BANNED 10 > > You have given 3 of your rules the same name. All rules must have > different > names. > > >>Some examples from the /var/log/maillog: >> >>Here is the valium one that worked: >>Dec 29 23:54:48 mailgateway postfix/cleanup[8909]: CD7073FEE: >>message-id=<20031230055417.CD7073FEE@mailgateway.healthleaders.com> >>Dec 29 23:54:48 mailgateway postfix/nqmgr[8768]: CD7073FEE: >>from=, size=440, nrcpt=1 (queue active) >>Dec 29 23:54:48 mailgateway postfix/nqmgr[8768]: CD7073FEE: >>to=, relay=none, delay=31, >>status=deferred (deferred transport) >>Dec 29 23:54:51 mailgateway MailScanner[8853]: New Batch: Scanning 1 >>messages, 613 bytes >>Dec 29 23:54:51 mailgateway MailScanner[8853]: MCP Checks: Starting >>Dec 29 23:54:51 mailgateway MailScanner[8853]: Message CD7073FEE from >>127.0.0.1 (darren@internav.dyndns.org) to concepttechnologyinc.com is >>MCP, MCP-Checker (score=10, required 1, BANNED 10.00) >>Dec 29 23:54:51 mailgateway MailScanner[8853]: MCP Actions: message >>CD7073FEE actions are delete >> >>Here is the penis one that didn't work: >>Dec 29 23:36:27 mailgateway postfix/nqmgr[8768]: 3E71F3FEE: >>to=, relay=none, delay=44, >>status=deferred (deferred transport) >>Dec 29 23:36:27 mailgateway MailScanner[8859]: New Batch: Scanning 1 >>messages, 632 bytes >>Dec 29 23:36:27 mailgateway 
MailScanner[8859]: MCP Checks: Starting >>Dec 29 23:36:27 mailgateway MailScanner[8859]: Spam Checks: Starting >>Dec 29 23:36:28 mailgateway MailScanner[8859]: Virus and Content >>Scanning: Starting >>Dec 29 23:36:28 mailgateway postfix/nqmgr[8838]: 3D9181A7339: >>from=, size=720, nrcpt=1 (queue active) >>Dec 29 23:36:28 mailgateway MailScanner[8859]: Uninfected: Delivered 1 >>messages >>Dec 29 23:36:29 mailgateway postfix/smtp[8878]: 3D9181A7339: >>to=, >>relay=local.concepttechnologyinc.com[192.168.1.10], delay=46, >>status=sent (250 ok 1072763854 qp 21046) >> >>What do you think? Do you need more info? >> >>Best Regards, >> >>Darren Fulton >>Concept Technology, Inc. > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > ---------------- Do you mean the word "BANNED" as in, header BANNED Subject =~ /valium/i describe BANNED Banned Subject score BANNED 10 ? Or are you talking about something else? That makes sense, but the example text maybe should make that clear that "BANNED" is descriptive statement and cannot be the same in any two rules. Thanks for the help and the great support. Best Regards, Darren Fulton Concept Technology, Inc. From mailscanner at ecs.soton.ac.uk Tue Dec 30 16:30:20 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:41 2006 Subject: FIXED: Re: can't open tmpfile: Invalid argument In-Reply-To: References: Message-ID: <6.0.1.1.2.20031230162604.04692eb0@imap.ecs.soton.ac.uk> I have finally found a workaround for this problem. It appears to be a bug in some BSD systems where the new_tmpfile call doesn't work properly, and gives an "invalid argument" error in some circumstances. The solution for now is to patch your Message.pm as follows: --- Message.pm.old 2003-12-30 15:24:48.000000000 +0000 +++ Message.pm 2003-12-30 15:25:43.000000000 +0000 
@@ -820,6 +820,7 @@ $parser->filer($filer); $parser->extract_uuencode(1); # uue is off by default $parser->output_to_core('NONE'); # everything into files + $parser->tmp_to_core(1); # For machines with buggy IO::File::new_tmpfile() # Create the message stream # NOTE: This still uses the real path of the message body file. 
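Review bot: The added $parser->tmp_to_core(1) call is unconditional, so every platform now holds MIME::Parser's temporary data in memory although the comment says it is only needed "For machines with buggy IO::File::new_tmpfile()". On a mail gateway that lets the size of an inbound attachment decide how much memory each parse consumes; consider making the call conditional (a configuration setting or a check for the affected systems) and stating the memory cost in the comment beside it.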
@@ -838,7 +839,7 @@ $pipe->close(); waitpid $pid, 0; MailScanner::Log::WarnLog("Cannot parse " . $this->{headerspath} . " and " . - $this->{dpath} . ", $@"); + $this->{store}{dpath} . ", $@"); $this->{entity} = $entity; # In case it failed due to too many attachments $this->{cantparse} = 1; $this->{otherinfected} = 1; The first change is the actual patch, the 2nd change fixes the error message so it says what I intended. The only drawback is that unpacking a large attachment may use a lot of virtual memory temporarily, so make sure you have plenty of swap configured in your system. I have tested the patch briefly and it doesn't appear to cause any other problems with other MailScanner functionality. So if you keep getting these "Cannot parse" errors, apply the patch above. Should work with virtually any revision of MailScanner version 4. Jules. At 21:07 28/12/2003, you wrote: >---- >Please Help! > >We have used MailScanner with no problem until we upgraded to FreeBSD 5.0 >from 4.8. > >Now we are getting this message in our logs and outgoing email is not >delivered. We searched the archives and have seen several others with >similar problem. Please advise if there is any solution to this problem, >MailScanner has been a fantastic solution for us but downgrading back to >4.8 is not an option. > >Cannot parse /var/spool/MailScanner/incoming/15871/hBSKjl87015878.header >and , MIME::Parser: can't open tmpfile: Invalid argument > >Any advice is greatly appreciated! -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Dec 30 16:32:24 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:41 2006 Subject: MCP bug? Mcp only reading last rule .cf file In-Reply-To: <63866.65.107.156.90.1072802745.squirrel@host1.concepttechn ologyinc.com> References: <3FF114F1.7080505@concepttechnologyinc.com> <6.0.1.1.2.20031230093045.0418d390@imap.ecs.soton.ac.uk> <63866.65.107.156.90.1072802745.squirrel@host1.concepttechnologyinc.com> Message-ID: <6.0.1.1.2.20031230163037.04733db8@imap.ecs.soton.ac.uk> At 16:45 30/12/2003, you wrote: > > At 06:02 30/12/2003, you wrote: > >>Hello, > >>I think this is a bug and would like input if it can be replicated by > >>others and suggestions on how I can fix this whether it is a bug or if > >>I've just screwed something up. Upgraded to latest revision which > >>contained some mcp fixes. > >> > >>Issue: mcp checker uses only the last rule and not the other .cf rules > >>located in /etc/MailScanner/mcp/ > >>Meaning, it gives MCP scores to messages that apply to the last rule > >>(alphabetically) in the directory but to the rules above it. > >> > >>MTA is postfix > >> > >>Info copied from terminal: > >> > >>[root@mailgateway mcp]# hostname > >>mailgateway.healthleaders.com > >>[root@mailgateway mcp]# uname -a > >>Linux mailgateway.healthleaders.com 2.4.20-24.9 #1 Mon Dec 1 11:35:51 > >>EST 2003 i686 i686 i386 GNU/Linux > >>[root@mailgateway mcp]# pwd > >>/etc/MailScanner/mcp > >>[root@mailgateway mcp]# ls -la > >>total 24 > >>drwxr-xr-x 2 root root 4096 Dec 29 23:24 . > >>drwxr-xr-x 6 root root 4096 Dec 29 22:58 .. 
> >>-rw-r--r-- 1 root root 598 Dec 29 23:02 10_example.cf > >>-rw-r--r-- 1 root root 111 Dec 29 23:31 > >> 11_penis_banned.cf > >>-rw-r--r-- 1 root root 112 Dec 29 23:31 > >> 12_valium_banned.cf > >>-rw-r--r-- 1 root root 1256 Dec 29 10:25 > >>mcp.spam.assassin.prefs.conf > >> > >>[root@mailgateway mcp]# cat *.cf > >> > >>header BANNED Subject =~ /banned/i > >>describe BANNED Banned Subject > >>score BANNED 22 > >> > >>body BANNED_BODY /this text is banned/i > >>describe BANNED_BODY Banned body text > >>score BANNED_BODY 5 > >> > >>header BANNED Subject =~ /penis/i > >>describe BANNED Banned Subject > >>score BANNED 10 > >> > >>header BANNED Subject =~ /valium/i > >>describe BANNED Banned Subject > >>score BANNED 10 > > > > You have given 3 of your rules the same name. All rules must have > > different > > names. > > > > > >>Some examples from the /var/log/maillog: > >> > >>Here is the valium one that worked: > >>Dec 29 23:54:48 mailgateway postfix/cleanup[8909]: CD7073FEE: > >>message-id=<20031230055417.CD7073FEE@mailgateway.healthleaders.com> > >>Dec 29 23:54:48 mailgateway postfix/nqmgr[8768]: CD7073FEE: > >>from=, size=440, nrcpt=1 (queue active) > >>Dec 29 23:54:48 mailgateway postfix/nqmgr[8768]: CD7073FEE: > >>to=, relay=none, delay=31, > >>status=deferred (deferred transport) > >>Dec 29 23:54:51 mailgateway MailScanner[8853]: New Batch: Scanning 1 > >>messages, 613 bytes > >>Dec 29 23:54:51 mailgateway MailScanner[8853]: MCP Checks: Starting > >>Dec 29 23:54:51 mailgateway MailScanner[8853]: Message CD7073FEE from > >>127.0.0.1 (darren@internav.dyndns.org) to concepttechnologyinc.com is > >>MCP, MCP-Checker (score=10, required 1, BANNED 10.00) > >>Dec 29 23:54:51 mailgateway MailScanner[8853]: MCP Actions: message > >>CD7073FEE actions are delete > >> > >>Here is the penis one that didn't work: > >>Dec 29 23:36:27 mailgateway postfix/nqmgr[8768]: 3E71F3FEE: > >>to=, relay=none, delay=44, > >>status=deferred (deferred transport) > >>Dec 29 23:36:27 
mailgateway MailScanner[8859]: New Batch: Scanning 1 > >>messages, 632 bytes > >>Dec 29 23:36:27 mailgateway MailScanner[8859]: MCP Checks: Starting > >>Dec 29 23:36:27 mailgateway MailScanner[8859]: Spam Checks: Starting > >>Dec 29 23:36:28 mailgateway MailScanner[8859]: Virus and Content > >>Scanning: Starting > >>Dec 29 23:36:28 mailgateway postfix/nqmgr[8838]: 3D9181A7339: > >>from=, size=720, nrcpt=1 (queue active) > >>Dec 29 23:36:28 mailgateway MailScanner[8859]: Uninfected: Delivered 1 > >>messages > >>Dec 29 23:36:29 mailgateway postfix/smtp[8878]: 3D9181A7339: > >>to=, > >>relay=local.concepttechnologyinc.com[192.168.1.10], delay=46, > >>status=sent (250 ok 1072763854 qp 21046) > >> > >>What do you think? Do you need more info? > >> > >>Best Regards, > >> > >>Darren Fulton > >>Concept Technology, Inc. > > > > -- > > Julian Field > > www.MailScanner.info > > Professional Support Services at www.MailScanner.biz > > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > >---------------- >Do you mean the word "BANNED" as in, > >header BANNED Subject =~ /valium/i >describe BANNED Banned Subject >score BANNED 10 > >? Yes. I assumed anyone trying to write rules would read man Mail::SpamAssassin::Conf which explains how to write them and (I think) makes it fairly obvious. But yes, choosing "BANNED" as the name of the rule was probably the worst word I could have chosen. I'll change the sample to something else. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From Antony at SOFT-SOLUTIONS.CO.UK Tue Dec 30 16:35:58 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:21:41 2006
Subject: MCP bug? Mcp only reading last rule .cf file
In-Reply-To: <63866.65.107.156.90.1072802745.squirrel@host1.concepttechnologyinc.com>
References: <3FF114F1.7080505@concepttechnologyinc.com> <6.0.1.1.2.20031230093045.0418d390@imap.ecs.soton.ac.uk> <63866.65.107.156.90.1072802745.squirrel@host1.concepttechnologyinc.com>
Message-ID: <200312301635.58946.Antony@Soft-Solutions.co.uk>

On Tuesday 30 December 2003 4:45 pm, Darren Fulton - Concept Technology wrote:

> > >header BANNED Subject =~ /banned/i
> > >describe BANNED Banned Subject
> > >score BANNED 22
> > >
> > >body BANNED_BODY /this text is banned/i
> > >describe BANNED_BODY Banned body text
> > >score BANNED_BODY 5
> > >
> > >header BANNED Subject =~ /penis/i
> > >describe BANNED Banned Subject
> > >score BANNED 10
> > >
> > >header BANNED Subject =~ /valium/i
> > >describe BANNED Banned Subject
> > >score BANNED 10

> > You have given 3 of your rules the same name. All rules must have
> > different
> > names.

> Do you mean the word "BANNED" as in,
>
> header BANNED Subject =~ /valium/i
> describe BANNED Banned Subject
> score BANNED 10
>
> ?

Indeed, yes. Try "BANNED", "BANNED_P", and "BANNED_V" or some such distinction.

> Or are you talking about something else? That makes sense, but the
> example text maybe should make that clear that "BANNED" is descriptive
> statement and cannot be the same in any two rules.

All SpamAssassin rules must have unique names. This is therefore true for MailScanner's MCP because it is simply a special instance of MailScanner with a select ruleset.

Antony.

--
The idea that Bill Gates appeared like a knight in shining armour to lead all customers out of a mire of technological chaos neatly ignores the fact that it was he who, by peddling second-rate technology, led them into it in the first place.
- Douglas Adams in The Guardian, 25th August 1995

Please reply to the list; please don't CC me.
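
The duplicate rule name diagnosed in this thread can be caught before MailScanner is restarted. What follows is an added example, not code from the thread or from MailScanner: a Python check that reads SpamAssassin-style .cf rule text, reports every rule name defined more than once, and shows which definition is left in effect, on the assumption (matching what Darren observed) that the last definition read replaces the earlier ones. The SAMPLE files are constructed from the rules quoted above, and all function names are hypothetical.

```python
import glob
import os
import re
import sys

# Keywords that define a test in Mail::SpamAssassin::Conf syntax.
# "describe" and "score" only attach metadata to a name, so they are ignored.
DEFINING = ("header", "body", "rawbody", "uri", "full", "meta")
RULE_LINE = re.compile(r"^(\w+)\s+(\w+)\s+(.+)$")

# Constructed sample: the three rule files as printed by "cat *.cf" in the thread.
SAMPLE = {
    "10_example.cf": (
        "header BANNED Subject =~ /banned/i\n"
        "describe BANNED Banned Subject\n"
        "score BANNED 22\n"
        "\n"
        "body BANNED_BODY /this text is banned/i\n"
        "describe BANNED_BODY Banned body text\n"
        "score BANNED_BODY 5\n"
    ),
    "11_penis_banned.cf": (
        "header BANNED Subject =~ /penis/i\n"
        "describe BANNED Banned Subject\n"
        "score BANNED 10\n"
    ),
    "12_valium_banned.cf": (
        "header BANNED Subject =~ /valium/i\n"
        "describe BANNED Banned Subject\n"
        "score BANNED 10\n"
    ),
}


def load_dir(path):
    """Read every *.cf file in a rules directory into {filename: text}."""
    files = {}
    for full in glob.glob(os.path.join(path, "*.cf")):
        with open(full, encoding="utf-8", errors="replace") as fh:
            files[os.path.basename(full)] = fh.read()
    return files


def definitions(files):
    """Map rule name -> [(file, line number, keyword, pattern)] in read order."""
    found = {}
    for fname in sorted(files):  # alphabetical, the order the thread describes
        for lineno, raw in enumerate(files[fname].splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            m = RULE_LINE.match(line)
            if m and m.group(1) in DEFINING:
                entry = (fname, lineno, m.group(1), m.group(3))
                found.setdefault(m.group(2), []).append(entry)
    return found


def duplicates(files):
    """Rule names that are defined more than once, with all their definitions."""
    return {n: d for n, d in definitions(files).items() if len(d) > 1}


def effective(files):
    """Definition left standing per name, assuming the last one read wins."""
    return {n: d[-1] for n, d in definitions(files).items()}


def report(files):
    """Human-readable findings, one block per clashing rule name."""
    out = []
    for name, defs in sorted(duplicates(files).items()):
        out.append("rule name %s is defined %d times:" % (name, len(defs)))
        for fname, lineno, kind, pattern in defs[:-1]:
            out.append("  shadowed  %s:%d  %s %s" % (fname, lineno, kind, pattern))
        fname, lineno, kind, pattern = defs[-1]
        out.append("  in effect %s:%d  %s %s" % (fname, lineno, kind, pattern))
    return out


if __name__ == "__main__":
    # With a directory argument the real rule files are checked; otherwise SAMPLE.
    rules = load_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    findings = report(rules)
    print("\n".join(findings) if findings else "no duplicate rule names")
    sys.exit(1 if findings else 0)
```

Run against the sample, it flags BANNED as defined three times with only the /valium/i test in effect, which is the behaviour shown in the maillog excerpts; the non-zero exit status lets it gate a restart script.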

From mailscanner at LISTS.COM.AR Tue Dec 30 17:11:10 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:21:41 2006
Subject: tag & pass viruses
In-Reply-To: <54C38A0B814C8E438EF73FC76F3629273AE2F8@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <3FF1877E.4370.811E766F@localhost>

On 30 Dec 2003 at 10:52, Ugo Bellavance wrote:

> > Can I configure MailScanner so that it identifies & tags
> > viruses but...
> > lets them pass?? (let's say something like "attachment deliver")
>
> As long as you have "deliver", it will pass, tagged.

But... where? I don't see any "virus actions" that I can directly configure... only "spam actions", "high scoring spam actions" and "non spam actions"

"virus actions" and "non virus actions" would be orthogonal to those but there's no such thing...

what I have is:

Virus Scanning=
(which must be set to yes in order to do the actual scanning)

and then:

Deliver Disinfected Files =
Still Deliver Silent Viruses =
Allow Partial Messages =
Allow External Message Bodies =
Allow IFrame Tags =
Allow Form Tags =
Allow Object Codebase Tags =
Quarantine Infections =
Clean Header Value = Found to be clean
Infected Header Value = Found to be infected
Disinfected Header Value = Disinfected
Mark Infected Messages =
Deliver Cleaned Messages =
Warning Is Attachment =

That is... I'd need something like

Clean Messages = no & attach
Disinfect Messages = no & attach
Allow Partial Messages = yes & attach
Allow External Message Bodies = yes & attach
...

--
Mariano Absatz
El Baby
----------------------------------------------------------
If knowledge can create problems, it is not through ignorance that we can solve them.
-- Isaac Asimov

From mailscanner at ecs.soton.ac.uk Tue Dec 30 17:15:56 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:41 2006
Subject: tag & pass viruses
In-Reply-To: <3FF172D4.16861.80CDBC6D@localhost>
References: <3FF172D4.16861.80CDBC6D@localhost>
Message-ID: <6.0.1.1.2.20031230171433.0452a980@imap.ecs.soton.ac.uk>

At 15:43 30/12/2003, you wrote:
>I know this will sound strange (or plain stupid, to be more precise), but
>I do need to verify this...
>
>Can I configure MailScanner so that it identifies & tags viruses but...
>lets them pass?? (let's say something like "attachment deliver")

No. MailScanner will (currently) always remove virus-infected attachments it finds.

Do lots of people want to be able to do this?

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at LISTS.COM.AR Tue Dec 30 17:21:19 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:21:41 2006
Subject: tag & pass viruses
In-Reply-To: <6.0.1.1.2.20031230171433.0452a980@imap.ecs.soton.ac.uk>
References: <3FF172D4.16861.80CDBC6D@localhost>
Message-ID: <3FF189DF.22242.8127C2C5@localhost>

On 30 Dec 2003 at 17:15, Julian Field wrote:

> At 15:43 30/12/2003, you wrote:
> >I know this will sound strange (or plain stupid, to be more precise), but
> >I do need to verify this...
> >
> >Can I configure MailScanner so that it identifies & tags viruses but...
> >lets them pass?? (let's say something like "attachment deliver")
>
> No. MailScanner will (currently) always remove virus-infected attachments
> it finds.
>
> Do lots of people want to be able to do this?

No... and I'll try to convince that particular customer that that is not such a good idea without convincing them that I know they're totally jerks. :-D

Have a nice year and thanx for all your support.

--
Mariano Absatz
El Baby
----------------------------------------------------------
Maintenance-free: When it breaks, it can't be fixed...

From Antony at SOFT-SOLUTIONS.CO.UK Tue Dec 30 17:22:59 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:21:41 2006
Subject: tag & pass viruses
In-Reply-To: <6.0.1.1.2.20031230171433.0452a980@imap.ecs.soton.ac.uk>
References: <3FF172D4.16861.80CDBC6D@localhost> <6.0.1.1.2.20031230171433.0452a980@imap.ecs.soton.ac.uk>
Message-ID: <200312301722.59870.Antony@Soft-Solutions.co.uk>

On Tuesday 30 December 2003 5:15 pm, Julian Field wrote:

> At 15:43 30/12/2003, you wrote:
> >I know this will sound strange (or plain stupid, to be more precise), but
> >I do need to verify this...
> >
> >Can I configure MailScanner so that it identifies & tags viruses but...
> >lets them pass?? (let's say something like "attachment deliver")
>
> No. MailScanner will (currently) always remove virus-infected attachments
> it finds.
>
> Do lots of people want to be able to do this?

I think it might be useful as an option which can be turned on for specific addresses - then people can send suspicious files to tech support for investigation without them being swallowed by MS and having to be retrieved from quarantine.

In general, I doubt very much whether many people would want to pass viruses through (even with a subject change etc) however I think it would be a good option to include in the choices available.

Antony.

--
Your work is both good and original. Unfortunately the parts that are good aren't original, and the parts that are original aren't good.
- Samuel Johnson

Please reply to the list; please don't CC me.

From raymond at PROLOCATION.NET Tue Dec 30 17:23:59 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:41 2006
Subject: tag & pass viruses
In-Reply-To: <3FF189DF.22242.8127C2C5@localhost>
Message-ID:

Hi!

> > No. MailScanner will (currently) always remove virus-infected attachments
> > it finds.
> > Do lots of people want to be able to do this?

> No... and I'll try to convince that particular customer that that is not
> such a good idea without convincing them that I know they're totally
> jerks :-D

Same here, won't use that.

> Have a nice year and thanx for all your support.

Yeah. Julian, thanks for all support and effort put into the project!

Bye,
Raymond.

From kodak at FRONTIERHOMEMORTGAGE.COM Tue Dec 30 17:25:41 2003
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki)
Date: Thu Jan 12 21:21:41 2006
Subject: tag & pass viruses
In-Reply-To: <6.0.1.1.2.20031230171433.0452a980@imap.ecs.soton.ac.uk>
Message-ID: <003d01c3cef9$f31edad0$0501a8c0@darkside>

>Do lots of people want to be able to do this?

It would be nice as an add on. So, one vote in the "Hey Julian, 1000 configuration directives *aren't* enough" camp. :)

--J(K)

From mailscanner at LISTS.COM.AR Tue Dec 30 17:36:45 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:21:41 2006
Subject: tag & pass viruses
In-Reply-To: <003d01c3cef9$f31edad0$0501a8c0@darkside>
References: <6.0.1.1.2.20031230171433.0452a980@imap.ecs.soton.ac.uk>
Message-ID: <3FF18D7D.16948.8135E447@localhost>

talking about the devil... y'know what'd be nice?

some syntax for "including" config files within a config file... don't confuse this with rules, but plain old m4 like '#include "xxxxx"'.

In this way, we could make configurations more manageable... sometimes I'd like to allow a customer to edit some simple parts of the configuration file and not others, some other times, i want to find something within MailScanner.conf and I find myself /searchin' within it...

I know it's a complex issue... but I can always dream to steer your thinkin' into more useful stuff than "let the virus pass" thing I myself asked :-)

On 30 Dec 2003 at 11:25, Jason Balicki wrote:

> >Do lots of people want to be able to do this?
>
> It would be nice as an add on. So, one vote in the "Hey Julian, 1000
> configuration directives *aren't* enough" camp. :)
>

--
Mariano Absatz
El Baby
----------------------------------------------------------
--------------------------------------------------------------------------|
1 1 2 3 4 5 6 7 7
0 0 0 0 0 0 0 5
--------------------------------------------------------------------------|
-- The 75 column-o-meter

From raymond at PROLOCATION.NET Tue Dec 30 17:40:25 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:41 2006
Subject: tag & pass viruses
In-Reply-To: <3FF18D7D.16948.8135E447@localhost>
Message-ID:

Hi!

> In this way, we could make configurations more manageable... sometimes
> I'd like to allow a customer to edit some simple parts of the
> configuration file and not others, some other times, I want to find
> something within MailScanner.conf and I find myself /searchin' within
> it...
>
> I know it's a complex issue... but I can always dream to steer your
> thinkin' into more useful stuff than "let the virus pass" thing I myself
> asked :-)

What about a simple sql frontend that will allow your customers to alter
things, dump those to a static config, or use them directly and go :)

Bye,
Raymond.

From mailscanner at CARLO65.DE Tue Dec 30 20:04:23 2003
From: mailscanner at CARLO65.DE (Roland Ehle)
Date: Thu Jan 12 21:21:41 2006
Subject: OT: Thank you
Message-ID: <3FF1DA47.8030505@carlo65.de>

Hi,

by end of the year 2003 I would like to express my special thanks to
Julian for the work and hours he spent for the benefit of us all. Thanks
to his effort MailScanner is a really competitive product.

I wish you all a successful and happy new year 2004.

Kind regards,

Roland

From mailscanner at ecs.soton.ac.uk Wed Dec 31 08:05:37 2003
From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk)
Date: Thu Jan 12 21:21:41 2006
Subject: NOTIFY-New Guestbook Entry
Message-ID: <200312310805.hBV85bHc001851@seer.ecs.soton.ac.uk>

New Guestbook-Entry from LuxHosting Networks

Fantastic tool !

Thanks a lot.

Best regards

LuxHosting

From chris at FRACTALWEB.COM Tue Dec 30 18:15:43 2003
From: chris at FRACTALWEB.COM (Chris Yuzik)
Date: Thu Jan 12 21:21:41 2006
Subject: Reporting/Summary
In-Reply-To: <6.0.1.1.2.20031230161203.0468fd18@imap.ecs.soton.ac.uk>
References: <022DE3728F924649909E989B955E68F888B4AD@NLDAMS0139.Tommy-Europe.com> <04ef01c3ceee$c45af720$4e19000a@ATLCPW13671> <6.0.1.1.2.20031230161203.0468fd18@imap.ecs.soton.ac.uk>
Message-ID: <1072808143.10564.19.camel@venus.fractal>

On Tue, 2003-12-30 at 08:12, Julian Field wrote:
> MailWatch. Find it with Google.

I'll second that. I have MailWatch, Mailstats, and MailScanner-MRTG
running, and the only one I ever actually use is MailWatch. Print the
install instructions and follow them to the letter...it works great!

Cheers,
Chris

From drew at THEMARSHALLS.CO.UK Tue Dec 30 20:22:33 2003
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:21:41 2006
Subject: OT: Thank you
In-Reply-To: <3FF1DA47.8030505@carlo65.de>
References: <3FF1DA47.8030505@carlo65.de>
Message-ID: <3FF1DE89.4070201@themarshalls.co.uk>

Hear, hear!

Roland Ehle wrote:
> Hi,
>
> by end of the year 2003 I would like to express my special thanks to
> Julian for the work and hours he spent for the benefit of us all. Thanks
> to his effort MailScanner is a really competitive product.
>
> I wish you all a successful and happy new year 2004.
>
> Kind regards,
>
> Roland

From dh at UPTIME.AT Tue Dec 30 20:23:12 2003
From: dh at UPTIME.AT (David H.)
Date: Thu Jan 12 21:21:41 2006
Subject: OT: Thank you
In-Reply-To: <3FF1DA47.8030505@carlo65.de>
References: <3FF1DA47.8030505@carlo65.de>
Message-ID: <3FF1DEB0.1030209@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Roland Ehle wrote:
> Hi,
>
> by end of the year 2003 I would like to express my special thanks to
> Julian for the work and hours he spent for the benefit of us all. Thanks
> to his effort MailScanner is a really competitive product.
>
> I wish you all a successful and happy new year 2004.
>
I can only concur. Let us hope this becomes the longest thread this
email List has ever seen. Thank you Julian for all the work, effort and
thought you have put into your Software. Thank you for not making it
commercial. Thank you for being who you are.

- -d

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/8d60PMoaMn4kKR4RA+ffAJ0cbt6JIbo0aAeJ2isTfZHcc4nGJgCdGUnr
y/oXGE8O2SeyWBtDhuwFOxk=
=fgXa
-----END PGP SIGNATURE-----

From stahl at soest.hawaii.edu Tue Dec 30 20:46:14 2003
From: stahl at soest.hawaii.edu (No Name)
Date: Thu Jan 12 21:21:41 2006
Subject: OT: Thank you
Message-ID: <200312302046.hBUKkEPq023977@leka.soest.hawaii.edu>

And here is a heartfelt mahalo from Hawaii. Hauoli Makahiki Hou Julian
and may the new year bring you lots of laughter and joy.

Aloha,
Sharon Stahl

*=============================================================*
| UH/SOEST-Research Computer Fac vox: (808) 956-2616          |
| 1680 East West Rd- POST820     email: stahl@soest.hawaii.edu |
| Honolulu, Hi 96822             fax: (808) 956-5154          |
*=============================================================*

> Roland Ehle wrote:
>
> > Hi,
> >
> > by end of the year 2003 I would like to express my special thanks to
> > Julian for the work and hours he spent for the benefit of us all. Thanks
> > to his effort MailScanner is a really competitive product.
> >
> > I wish you all a successful and happy new year 2004.
> >
> I can only concur. Let us hope this becomes the longest thread this
> email List has ever seen. Thank you Julian for all the work, effort and
> thought you have put into your Software. Thank you for not making it
> commercial. Thank you for being who you are.
>
> - -d
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (Darwin)
>
> iD8DBQE/8d60PMoaMn4kKR4RA+ffAJ0cbt6JIbo0aAeJ2isTfZHcc4nGJgCdGUnr
> y/oXGE8O2SeyWBtDhuwFOxk=
> =fgXa
> -----END PGP SIGNATURE-----

From Cleveland at WINNEFOX.ORG Tue Dec 30 20:40:18 2003
From: Cleveland at WINNEFOX.ORG (Jody Cleveland)
Date: Thu Jan 12 21:21:41 2006
Subject: OT: Thank you
Message-ID: <7D3DDF19D93C3642931C3EB8803165A959F5FB@MAIL>

Ditto!

> Thank you Julian for all the work, effort and
> thought you have put into your Software. Thank you for not making it
> commercial. Thank you for being who you are.

--
Jody Cleveland
(cleveland@winnefox.org)

From bpumphrey at WOODMACLAW.COM Tue Dec 30 20:53:11 2003
From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey)
Date: Thu Jan 12 21:21:41 2006
Subject: OT: Thank you
Message-ID:

I thank you Julian and everyone in the list that email back and forth
and helped me out with MailScanner.

Thank You
Billy Pumphrey

-----Original Message-----
From: Jody Cleveland [mailto:Cleveland@WINNEFOX.ORG]
Sent: Tuesday, December 30, 2003 3:40 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: OT: Thank you

Ditto!

> Thank you Julian for all the work, effort and
> thought you have put into your Software. Thank you for not making it
> commercial. Thank you for being who you are.

--
Jody Cleveland
(cleveland@winnefox.org)

From danielk at AVALONPUB.COM Tue Dec 30 21:36:40 2003
From: danielk at AVALONPUB.COM (Daniel Kleinsinger)
Date: Thu Jan 12 21:21:41 2006
Subject: OT: Thank you
In-Reply-To:
References:
Message-ID: <3FF1EFE8.5050204@avalonpub.com>

Thanks Julian! Just chiming in to show my appreciation. MailScanner is
great.

Happy New Year everyone!

Daniel Kleinsinger

Billy A. Pumphrey wrote:
> I thank you Julian and everyone in the list that email back and forth
> and helped me out with MailScanner.
>
> Thank You
> Billy Pumphrey
>
> -----Original Message-----
> From: Jody Cleveland [mailto:Cleveland@WINNEFOX.ORG]
> Sent: Tuesday, December 30, 2003 3:40 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: OT: Thank you
>
> Ditto!
>
> > Thank you Julian for all the work, effort and
> > thought you have put into your Software. Thank you for not making it
> > commercial. Thank you for being who you are.
>
>
> --
> Jody Cleveland
> (cleveland@winnefox.org)
>

From cwharris at MORGAN.NET Tue Dec 30 21:44:28 2003
From: cwharris at MORGAN.NET (Chris)
Date: Thu Jan 12 21:21:41 2006
Subject: DCC and Razor
Message-ID: <000f01c3cf1e$1a0f3a80$1b9922d0@pub.morgan.net>

Hello all,

I'm new to mailscanner and spamassassin and would like to be sure SA is
using DCC and Razor.

How can I be sure of this?

Chris

From greyhair at GREYHAIR.NET Tue Dec 30 22:03:42 2003
From: greyhair at GREYHAIR.NET (greyhair)
Date: Thu Jan 12 21:21:41 2006
Subject: OT: Thank you
In-Reply-To: <3FF1DA47.8030505@carlo65.de>
References: <3FF1DA47.8030505@carlo65.de>
Message-ID: <3FF1F63E.9060807@greyhair.net>

Same Here !!

Thank you, Thank you

greyhair

Roland Ehle wrote:
> Hi,
>
> by end of the year 2003 I would like to express my special thanks to
> Julian for the work and hours he spent for the benefit of us all. Thanks
> to his effort MailScanner is a really competitive product.
>
> I wish you all a successful and happy new year 2004.
>
> Kind regards,
>
> Roland
>
>

From stahl at soest.hawaii.edu Tue Dec 30 23:00:53 2003
From: stahl at soest.hawaii.edu (No Name)
Date: Thu Jan 12 21:21:41 2006
Subject: patching MIME-tools-5.411
Message-ID: <200312302300.hBUN0rPq001319@leka.soest.hawaii.edu>

Hi everyone,

I have a Solaris 9 system and am trying to install all the perl modules
for MailScanner. I have done this on Solaris 7 and Solaris 8, but when I
try to patch the MIME-tools-5.411 with the patches that I downloaded from
the installation page on the Solaris 9 system I keep getting errors.
I am sitting in /usr/local/perl_src directory with the mimetools-patches
in that directory as well as the MIME-tools-5.411 directory. I followed
the Solaris 9 install notes on the website but can't get the files
patched.

ex.1

leka2# ls -ld [M/m]*
drwxr-xr-x 8 root other 512 Jan 16 2001 MIME-tools-5.411/
-rw-r--r-- 1 root other 467432 Dec 23 14:34 MIME-tools-5.411.tar.gz
-rw-r--r-- 1 root other 9182 Dec 30 11:09 mime-tools-patch.txt
-rw-r--r-- 1 root other 1670 Dec 30 11:09 mime-tools-patch2.txt
-rw-r--r-- 1 root other 962 Dec 30 11:09 mime-tools-patch3.txt
-rw-r--r-- 1 root other 1471 Dec 30 11:09 mime-tools-patch4.txt
leka2#
leka2# patch -p0 < mime-tools-patch.txt
Looks like a new-style context diff.
Reversed (or previously applied) patch detected! Assume -R [yes]
Apply anyway? [no]
Hunk #1 ignored at line 0.
Hunk #2 ignored at line -1.
Hunk #3 ignored at line -1.
Hunk #4 ignored at line -1.
Hunk #5 ignored at line -1.
Hunk #6 ignored at line -1.
Hunk #7 ignored at line -1.
Hunk #8 ignored at line -1.
8 out of 8 hunks ignored: saving rejects to MIME-tools-5.411/lib/MIME/Field/ParamVal.pm.rej
The next patch looks like a new-style context diff.
Reversed (or previously applied) patch detected! Assume -R [yes]
Apply anyway? [no]
Hunk #1 ignored at line 0.
1 out of 1 hunks ignored: saving rejects to MIME-tools-5.411/lib/MIME/Words.pm.rej

I can't seem to find a patch in there anywhere.

leka2#
leka2#
leka2# patch -c -p0 < mime-tools-patch.txt
Looks like a new-style context diff.
Reversed (or previously applied) patch detected! Assume -R [yes] n
Apply anyway? [no] y
Hunk #2 failed at line 100.
Hunk #3 failed at line 108.
Hunk #4 failed at line 133.
Hunk #5 failed at line 160.
Hunk #6 failed at line 181.
Hunk #7 failed at line 200.
Hunk #8 failed at line 227.
7 out of 8 hunks failed: saving rejects to MIME-tools-5.411/lib/MIME/Field/ParamVal.pm.rej

Does anyone have any clues?
Aloha,
Sharon

*=============================================================*
| UH/SOEST-Research Computer Fac vox: (808) 956-2616          |
| 1680 East West Rd- POST820     email: stahl@soest.hawaii.edu |
| Honolulu, Hi 96822             fax: (808) 956-5154          |
*=============================================================*

From robert at FENLANARENA.CO.UK Wed Dec 31 00:16:21 2003
From: robert at FENLANARENA.CO.UK (Robert Harpham)
Date: Thu Jan 12 21:21:41 2006
Subject: Thank you
References: <3FF1DA47.8030505@carlo65.de>
Message-ID: <001f01c3cf33$52e49660$2101a8c0@robert>

same here, this is by far the best free piece of software I have ever run
on my server for a good use :)

top stuff
happy new year all

> Hi,
>
> by end of the year 2003 I would like to express my special thanks to
> Julian for the work and hours he spent for the benefit of us all. Thanks
> to his effort MailScanner is a really competitive product.
>
> I wish you all a successful and happy new year 2004.
>
> Kind regards,
>
> Roland
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> MailScanner thanks transtec Computers for their support.
>

From isp-list at TULSACONNECT.COM Wed Dec 31 04:54:08 2003
From: isp-list at TULSACONNECT.COM (ISP List)
Date: Thu Jan 12 21:21:41 2006
Subject: Exim - Using ACLs to verify RCPT TO
Message-ID: <5.2.1.1.2.20031230224625.083975e0@securemail.tulsaconnect.com>

We're running MailScanner on several load-balanced inbound SMTP / MX
handling machines running exim 4.x as the MTA. These machines do a MySQL
lookup to verify the "allowed relay" domains for each message, and then we
use a SMTP "smart route" to send all scanned mail to the final destination
mail server (which is also determined by a SQL lookup).

The problem with this approach is that we cannot generate "550 user
unknown" errors during the SMTP negotiation phase because the MailScanner
boxes don't have any local accounts, so they don't know if the address
exists or not. This results in the "accept and bounce" behavior for
non-existent mailboxes, which then results in a *large* number of bounce
messages being sent to hotmail, yahoo, msn and others due to spammers
forging the From: address (which then results in them tarpitting our SMTP
connections).

So, what I would like exim to do is to be able to do a LDAP or SQL lookup
during the SMTP negotiation phase (following the RCPT TO) to determine if
the recipient address is valid or not. Based on my research, using exim
4.x's ACL facility seems to be the best approach, but I'm a little unclear
on the proper syntax as the manual does not give any examples.

Any pointers would be much appreciated.

---------------------------------------
Mike Bacher / mike@sparklogic.com
SparkLogic Development / ISP Consulting
Use OptiGold ISP? Check out OptiSkin!
http://www.sparklogic.com/optiskin/
---------------------------------------

From ugob at CAMO-ROUTE.COM Wed Dec 31 05:37:11 2003
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:41 2006
Subject: tag & pass viruses
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE2FD@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Mariano Absatz [mailto:mailscanner@LISTS.COM.AR]
> Sent: Tuesday, December 30, 2003 12:11 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: tag & pass viruses
>
>
> On 30 Dec 2003 at 10:52, Ugo Bellavance wrote:
>
> > > Can I configure MailScanner so that it identifies & tags
> > > viruses but...
> > > lets them pass?? (let's say something like "attachment deliver")
> >
> > As long as you have "deliver", it will pass, tagged.
> But... where?

Sorry, I thought you meant spam...

> I don't see any "virus actions" that I can directly configure...
only
> "spam actions", "high scoring spam actions" and "non spam actions"
>
> "virus actions" and "non virus actions" would be orthogonal
> to those but
> there's no such thing... what I have is:
> Virus Scanning= (which must be set to yes in order to do the actual
> scanning)
> and then:
> Deliver Disinfected Files =
> Still Deliver Silent Viruses =
> Allow Partial Messages =
> Allow External Message Bodies =
> Allow IFrame Tags =
> Allow Form Tags =
> Allow Object Codebase Tags =
> Quarantine Infections =
> Clean Header Value = Found to be clean
> Infected Header Value = Found to be infected
> Disinfected Header Value = Disinfected
> Mark Infected Messages =
> Deliver Cleaned Messages =
> Warning Is Attachment =
>
> That is... I'd need something like
>
> Clean Messages = no & attach
> Disinfect Messages = no & attach
> Allow Partial Messages = yes & attach
> Allow External Message Bodies = yes & attach
> ...
>
> --
> Mariano Absatz
> El Baby
> ----------------------------------------------------------
> If knowledge can create problems, it is not through
> ignorance that we can solve them.
> -- Isaac Asimov
>

From ugob at CAMO-ROUTE.COM Wed Dec 31 05:42:10 2003
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:41 2006
Subject: DCC and Razor
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE2FE@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Chris [mailto:cwharris@MORGAN.NET]
> Sent: Tuesday, December 30, 2003 4:44 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: DCC and Razor
>
>
> Hello all,
>
> I'm new to mailscanner and spamassassin and would like to be
> sure SA is using
> DCC and Razor.
>
> How can I be sure of this?

Run MailScanner in debug mode.

set Debug = yes

in MailScanner.conf

restart mailscanner

look at the output (on the console), try to understand it

If it is still not clear, write back here, with, if possible, your output.

(don't forget to set back Debug to no and restart mailscanner, to put it back in a working order.)

hth

Ugo

>
> Chris
>

From ugob at CAMO-ROUTE.COM Wed Dec 31 05:44:38 2003
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:41 2006
Subject: Thank you
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE2FF@mtlnt501fs.CAMOROUTE.COM>

I totally agree. I am personally proud of seeing so many people cooperate
this way.
MailScanner is the most trouble-free and useful program I've ever used
(apart maybe from vi :))
Thanks everyone and special thanks to Julian.

Ugo

> -----Original Message-----
> From: Robert Harpham [mailto:robert@FENLANARENA.CO.UK]
> Sent: Tuesday, December 30, 2003 7:16 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Thank you
>
>
> same here, this is by far the best free piece of software I
> have ever run
> on my server for a good use :)
>
> top stuff
> happy new year all
>
>
>
>
> > Hi,
> >
> > by end of the year 2003 I would like to express my special thanks to
> > Julian for the work and hours he spent for the benefit of
> us all. Thanks
> > to his effort MailScanner is a really competitive product.
> >
> > I wish you all a successful and happy new year 2004.
> >
> > Kind regards,
> >
> > Roland
> >
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.
> > MailScanner thanks transtec Computers for their support.
> >
>

From raymond at PROLOCATION.NET Wed Dec 31 09:04:21 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:41 2006
Subject: Exim - Using ACLs to verify RCPT TO
In-Reply-To: <5.2.1.1.2.20031230224625.083975e0@securemail.tulsaconnect.com>
Message-ID:

Hi!

> So, what I would like exim to do is to be able to do a LDAP or SQL lookup
> during the SMTP negotiation phase (following the RCPT TO) to determine if
> the recipient address is valid or not. Based on my research, using exim
> 4.x's ACL facility seems to be the best approach, but I'm a little unclear
> on the proper syntax as the manual does not give any examples.

Please post this on the Exim mailinglist.

Thanks,
Raymond.

From mailscanner at ecs.soton.ac.uk Wed Dec 31 12:29:43 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:41 2006
Subject: Thank you
In-Reply-To: <54C38A0B814C8E438EF73FC76F3629273AE2FF@mtlnt501fs.CAMOROUTE.COM>
References: <54C38A0B814C8E438EF73FC76F3629273AE2FF@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <6.0.1.1.2.20031231122813.03f14ed8@imap.ecs.soton.ac.uk>

Thank you all for your very kind comments. Made my day.

Thanks again folks!

Jules.

P.S. If any of you are interested, I have a wishlist at www.amazon.co.uk :-)

At 05:44 31/12/2003, you wrote:
>I totally agree. I am personally proud of seeing so many people cooperate
>this way.
>MailScanner is the most trouble-free and useful program I've ever used
>(apart maybe from vi :))
>Thanks everyone and special thanks to Julian.
>
>Ugo
>
> > -----Original Message-----
> > From: Robert Harpham [mailto:robert@FENLANARENA.CO.UK]
> > Sent: Tuesday, December 30, 2003 7:16 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Thank you
> >
> >
> > same here, this is by far the best free piece of software I
> > have ever run
> > on my server for a good use :)
> >
> > top stuff
> > happy new year all
> >
> >
> >
> >
> > > Hi,
> > >
> > > by end of the year 2003 I would like to express my special thanks to
> > > Julian for the work and hours he spent for the benefit of
> > us all. Thanks
> > > to his effort MailScanner is a really competitive product.
> > >
> > > I wish you all a successful and happy new year 2004.
> > >
> > > Kind regards,
> > >
> > > Roland

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Dec 31 12:30:15 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:41 2006
Subject: DCC and Razor
In-Reply-To: <54C38A0B814C8E438EF73FC76F3629273AE2FE@mtlnt501fs.CAMOROUTE.COM>
References: <54C38A0B814C8E438EF73FC76F3629273AE2FE@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <6.0.1.1.2.20031231123000.03c27330@imap.ecs.soton.ac.uk>

At 05:42 31/12/2003, you wrote:
> > -----Original Message-----
> > From: Chris [mailto:cwharris@MORGAN.NET]
> > Sent: Tuesday, December 30, 2003 4:44 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: DCC and Razor
> >
> >
> > Hello all,
> >
> > I'm new to mailscanner and spamassassin and would like to be
> > sure SA is using
> > DCC and Razor.
> >
> > How can I be sure of this?
>
>Run MailScanner in debug mode.
>
>set Debug = yes and Debug SpamAssassin = yes
>in MailScanner.conf
>
>restart mailscanner
>
>look at the output (on the console), try to understand it
>
>If it is still not clear, write back here, with, if possible, your output.
>
>(don't forget to set back Debug to no and restart mailscanner, to put it
>back in a working order.)
>
>hth
>
>Ugo
> >
> > Chris
> >

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From john at ZOL.CO.ZW Wed Dec 31 12:39:45 2003
From: john at ZOL.CO.ZW (John Sheppard)
Date: Thu Jan 12 21:21:41 2006
Subject: OT Thank you
In-Reply-To: <54C38A0B814C8E438EF73FC76F3629273AE2FF@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <3FF2DFB1.5554.131B66@localhost>

Julian

Thanks for your time and a great piece of software.

Happy New Year.

Regards
John Sheppard

--
John Sheppard       john@zol.co.zw
211 Harare Drive    Cell: 011 704 220
Mount Pleasant      Phone (263 4) 884783
HARARE              Fax: (263 4) 850653
Zimbabwe

From isp-list at TULSACONNECT.COM Wed Dec 31 13:54:19 2003
From: isp-list at TULSACONNECT.COM (ISP List)
Date: Thu Jan 12 21:21:41 2006
Subject: Exim - Using ACLs to verify RCPT TO
In-Reply-To:
References: <5.2.1.1.2.20031230224625.083975e0@securemail.tulsaconnect.com>
Message-ID: <5.2.1.1.2.20031231075257.05344c38@securemail.tulsaconnect.com>

At 10:04 AM 12/31/2003 +0100, you wrote:
>Hi!
>
> > So, what I would like exim to do is to be able to do a LDAP or SQL lookup
> > during the SMTP negotiation phase (following the RCPT TO) to determine if
> > the recipient address is valid or not. Based on my research, using exim
> > 4.x's ACL facility seems to be the best approach, but I'm a little unclear
> > on the proper syntax as the manual does not give any examples.
>
>Please post this on the Exim mailinglist.
>
>Thanks,
>Raymond.

Raymond,

I posted it here because it is directly relevant to the way Exim is set up
with MailScanner, and I know several Exim folks lurk on this list (and,
because I'm not subscribed to any Exim lists).

---------------------------------------
Mike Bacher / mike@sparklogic.com
SparkLogic Development / ISP Consulting
Use OptiGold ISP? Check out OptiSkin!
http://www.sparklogic.com/optiskin/
---------------------------------------

From mailscanner at ecs.soton.ac.uk Wed Dec 31 14:35:31 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:41 2006
Subject: OT Exim - Using ACLs to verify RCPT TO
In-Reply-To: <5.2.1.1.2.20031231075257.05344c38@securemail.tulsaconnect.com>
References: <5.2.1.1.2.20031230224625.083975e0@securemail.tulsaconnect.com> <5.2.1.1.2.20031231075257.05344c38@securemail.tulsaconnect.com>
Message-ID: <6.0.1.1.2.20031231143448.02dcf008@imap.ecs.soton.ac.uk>

At 13:54 31/12/2003, you wrote:
>At 10:04 AM 12/31/2003 +0100, you wrote:
>>Hi!
>>
>> > So, what I would like exim to do is to be able to do a LDAP or SQL lookup
>> > during the SMTP negotiation phase (following the RCPT TO) to determine if
>> > the recipient address is valid or not. Based on my research, using exim
>> > 4.x's ACL facility seems to be the best approach, but I'm a little unclear
>> > on the proper syntax as the manual does not give any examples.
>>
>>Please post this on the Exim mailinglist.
>>
>>Thanks,
>>Raymond.
>
>Raymond,
>
>I posted it here because it is directly relevant to the way Exim is set up
>with MailScanner, and I know several Exim folks lurk on this list (and,
>because I'm not subscribed to any Exim lists).

Can I suggest an "OT" flag here?

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From cwharris at MORGAN.NET Wed Dec 31 15:15:12 2003
From: cwharris at MORGAN.NET (Chris)
Date: Thu Jan 12 21:21:41 2006
Subject: DCC and Razor
References: <54C38A0B814C8E438EF73FC76F3629273AE2FE@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <006601c3cfb0$e32a4da0$1b9922d0@pub.morgan.net>

Ugo,

I am getting a few errors it seems:

Dec 31 08:38:00.197038 check[26404]: [ 1] [bootup] Logging initiated LogDebugLevel=9 to stdout
Dec 31 08:38:00.197708 check[26404]: [ 5] computed razorhome=, conf=/etc/razor/razor-agent.conf, ident=identity
Dec 31 08:38:00.198184 check[26404]: [ 8] Client supported_engines: 1 2 3 4
Dec 31 08:38:00.198965 check[26404]: [ 8] prep_mail done: mail 1 headers=563, mime0=656
Dec 31 08:38:00.199446 check[26404]: [ 7] Can't read file servers.discovery.lst, looking relatve to
Dec 31 08:38:00.199726 check[26404]: [ 5] Can't read file /servers.discovery.lst: No such file or directory
Dec 31 08:38:00.199906 check[26404]: [ 7] Can't read file servers.nomination.lst, looking relatve to
Dec 31 08:38:00.200064 check[26404]: [ 5] Can't read file /servers.nomination.lst: No such file or directory
Dec 31 08:38:00.200220 check[26404]: [ 7] Can't read file servers.catalogue.lst, looking relatve to
Dec 31 08:38:00.200400 check[26404]: [ 5] Can't read file /servers.catalogue.lst: No such file or directory
Dec 31 08:38:00.200744 check[26404]: [ 5] no listfile: servers.catalogue.lst
Dec 31 08:38:00.200945 check[26404]: [ 6] no discovery listfile: servers.discovery.lst
Dec 31 08:38:00.201108 check[26404]: [ 5] Finding Discovery Servers via DNS in the razor2.cloudmark.com zone
Dec 31 08:38:00.209575 check[26404]: [ 6] Found 1 Discovery Servers via DNS in the razor2.cloudmark.com zone
Dec 31 08:38:00.209945 check[26404]: [ 8] Checking with Razor Discovery Server 66.151.150.11
Dec 31 08:38:00.210208 check[26404]: [ 6] No port specified, using 2703
Dec 31 08:38:00.210378 check[26404]: [ 5] Connecting to 66.151.150.11 ...
Dec 31 08:38:00.303616 check[26404]: [ 8] Connection established
Dec 31 08:38:00.303910 check[26404]: [ 4] 66.151.150.11 >> 35 server greeting: sn=D&srl=196&ep4=7542-10&a=l&a=cg
Dec 31 08:38:00.304220 check[26404]: [ 4] 66.151.150.11 << 12
Dec 31 08:38:00.304418 check[26404]: [ 6] a=g&pm=csl
Dec 31 08:38:00.351630 check[26404]: [ 4] 66.151.150.11 >> 54
Dec 31 08:38:00.351796 check[26404]: [ 6] response to sent.1 -csl=? stress.cloudmark.com pride.cloudmark.com .
Dec 31 08:38:00.352285 check[26404]: [ 8] Discovery Server 66.151.150.11 replying with csl=stress.cloudmark.com
Dec 31 08:38:00.352461 check[26404]: [ 8] Discovery Server 66.151.150.11 replying with csl=pride.cloudmark.com
Dec 31 08:38:00.352728 check[26404]: [ 4] 66.151.150.11 << 12
Dec 31 08:38:00.352878 check[26404]: [ 6] a=g&pm=nsl
Dec 31 08:38:00.400511 check[26404]: [ 4] 66.151.150.11 >> 51
Dec 31 08:38:00.400703 check[26404]: [ 6] response to sent.2 -nsl=? joy.cloudmark.com folly.cloudmark.com .
Dec 31 08:38:00.401113 check[26404]: [ 8] Discovery Server 66.151.150.11 replying with nsl=joy.cloudmark.com
Dec 31 08:38:00.401266 check[26404]: [ 8] Discovery Server 66.151.150.11 replying with nsl=folly.cloudmark.com
Dec 31 08:38:00.401627 check[26404]: [ 5] no razorhome, not caching server info to disk
Dec 31 08:38:00.401896 check[26404]: [ 6] losing old server connection, 66.151.150.11, for new server, pride.cloudmark.com
Dec 31 08:38:00.402063 check[26404]: [ 5] disconnecting from server 66.151.150.11
Dec 31 08:38:00.402280 check[26404]: [ 4] 66.151.150.11 << 5
Dec 31 08:38:00.402419 check[26404]: [ 6] a=q
Dec 31 08:38:00.402628 check[26404]: [ 5] Connecting to pride.cloudmark.com ...
Dec 31 08:38:00.498892 check[26404]: [ 8] Connection established
Dec 31 08:38:00.499225 check[26404]: [ 4] pride.cloudmark.com >> 30 server greeting: sn=C&srl=141&ep4=7542-10&a=l
Dec 31 08:38:00.499669 check[26404]: [ 4] pride.cloudmark.com << 14
Dec 31 08:38:00.499880 check[26404]: [ 6] a=g&pm=state
Dec 31 08:38:00.547209 check[26404]: [ 4] pride.cloudmark.com >> 106
Dec 31 08:38:00.547361 check[26404]: [ 6] response to sent.4 -sv=3.35 sn=C zone=razor2.cloudmark.com ac=6 srl=141 lm=4 bql=50 bqs=129 dre=4 se=58 srf=FF .
Dec 31 08:38:00.548473 check[26404]: [ 5] Updated to new server state srl 141 for server pride.cloudmark.com
Dec 31 08:38:00.548697 check[26404]: [ 6] pride.cloudmark.com is a Catalogue Server srl 141; computed min_cf=6, Server se: 58
Dec 31 08:38:00.549090 check[26404]: [ 8] Computed supported_engines: 4
Dec 31 08:38:00.549298 check[26404]: [ 5] no razorhome, not caching server info to disk
Dec 31 08:38:00.549434 check[26404]: [ 5] srl was updated, forcing discovery ...
Dec 31 08:38:00.549644 check[26404]: [ 5] no listfile: servers.catalogue.lst
Dec 31 08:38:00.549810 check[26404]: [ 8] already have 1 discovery servers
Dec 31 08:38:00.549982 check[26404]: [ 8] Checking with Razor Discovery Server 66.151.150.11
Dec 31 08:38:00.550140 check[26404]: [ 6] losing old server connection, pride.cloudmark.com, for new server, 66.151.150.11
Dec 31 08:38:00.550300 check[26404]: [ 5] disconnecting from server pride.cloudmark.com
Dec 31 08:38:00.550513 check[26404]: [ 4] pride.cloudmark.com << 5
Dec 31 08:38:00.550674 check[26404]: [ 6] a=q
Dec 31 08:38:00.550879 check[26404]: [ 5] Connecting to 66.151.150.11 ...
Dec 31 08:38:00.647758 check[26404]: [ 8] Connection established
Dec 31 08:38:00.648052 check[26404]: [ 4] 66.151.150.11 >> 35 server greeting: sn=D&srl=196&ep4=7542-10&a=l&a=cg
Dec 31 08:38:00.648299 check[26404]: [ 4] 66.151.150.11 << 12
Dec 31 08:38:00.648469 check[26404]: [ 6] a=g&pm=csl
Dec 31 08:38:00.695740 check[26404]: [ 4] 66.151.150.11 >> 54
Dec 31 08:38:00.695893 check[26404]: [ 6] response to sent.6 -csl=? stress.cloudmark.com pride.cloudmark.com .
Dec 31 08:38:00.696303 check[26404]: [ 8] Discovery Server 66.151.150.11 replying with csl=stress.cloudmark.com
Dec 31 08:38:00.696486 check[26404]: [ 8] Discovery Server 66.151.150.11 replying with csl=pride.cloudmark.com
Dec 31 08:38:00.696701 check[26404]: [ 4] 66.151.150.11 << 12
Dec 31 08:38:00.696855 check[26404]: [ 6] a=g&pm=nsl
Dec 31 08:38:00.743972 check[26404]: [ 4] 66.151.150.11 >> 51
Dec 31 08:38:00.744122 check[26404]: [ 6] response to sent.7 -nsl=? folly.cloudmark.com joy.cloudmark.com .
Dec 31 08:38:00.744531 check[26404]: [ 8] Discovery Server 66.151.150.11 replying with nsl=folly.cloudmark.com
Dec 31 08:38:00.744686 check[26404]: [ 8] Discovery Server 66.151.150.11 replying with nsl=joy.cloudmark.com
Dec 31 08:38:00.744966 check[26404]: [ 5] no razorhome, not caching server info to disk
Dec 31 08:38:00.745221 check[26404]: [ 5] no razorhome, not caching server info to disk
Dec 31 08:38:00.745375 check[26404]: [ 8] Using next closest server pride.cloudmark.com:2703, cached info srl 141
Dec 31 08:38:00.745650 check[26404]: [ 8] mail 1 Subject: Start growing younger now
Dec 31 08:38:00.746763 check[26404]: [ 6] preproc: mail 1.0 went from 656 bytes to 593
Dec 31 08:38:00.747043 check[26404]: [ 6] computing sigs for mail 1.0, len 593
Dec 31 08:38:00.748384 check[26404]: [ 6] skipping whitelist file (empty?): razor-whitelist
Dec 31 08:38:00.748646 check[26404]: [ 6] losing old server connection, 66.151.150.11, for new server, pride.cloudmark.com
Dec 31 08:38:00.748796 check[26404]: [ 5] disconnecting from server 66.151.150.11
Dec 31 08:38:00.749013 check[26404]: [ 4] 66.151.150.11 << 5
Dec 31 08:38:00.749186 check[26404]: [ 6] a=q
Dec 31 08:38:00.749381 check[26404]: [ 5] Connecting to pride.cloudmark.com ...
Dec 31 08:38:00.844882 check[26404]: [ 8] Connection established Dec 31 08:38:00.845194 check[26404]: [ 4] pride.cloudmark.com >> 30 server greet ing: sn=C&srl=141&ep4=7542-10&a=l Dec 31 08:38:00.845519 check[26404]: [ 6] pride.cloudmark.com is a Catalogue Ser ver srl 141; computed min_cf=6, Server se: 58 Dec 31 08:38:00.845814 check[26404]: [ 8] Computed supported_engines: 4 Dec 31 08:38:00.846113 check[26404]: [ 8] mail 1.0 e4 sig: sQRxg9yNwHjA81ODyc3i0 0Gl3MIA Dec 31 08:38:00.846411 check[26404]: [ 8] preparing 1 queries Dec 31 08:38:00.846709 check[26404]: [ 8] sending 1 batches Dec 31 08:38:00.846939 check[26404]: [ 4] pride.cloudmark.com << 52 Dec 31 08:38:00.847083 check[26404]: [ 6] a=c&e=4&ep4=7542-10&s=sQRxg9yNwHjA81OD yc3i00Gl3MIA Dec 31 08:38:00.937385 check[26404]: [ 4] pride.cloudmark.com >> 5 Dec 31 08:38:00.937561 check[26404]: [ 6] response to sent.9 p=0 Dec 31 08:38:00.938030 check[26404]: [ 6] mail 1.0 e=4 sig=sQRxg9yNwHjA81ODyc3i0 0Gl3MIA: sig not found. Dec 31 08:38:00.938300 check[26404]: [ 7] method 4: mail 1.0: no-contention part , spam=0 Dec 31 08:38:00.938448 check[26404]: [ 7] method 4: mail 1: all non-contention p arts not spam, mail not spam Dec 31 08:38:00.938583 check[26404]: [ 3] mail 1 is not known spam. Dec 31 08:38:00.938752 check[26404]: [ 5] disconnecting from server pride.cloudm ark.com Dec 31 08:38:00.938966 check[26404]: [ 4] pride.cloudmark.com << 5 Dec 31 08:38:00.939123 check[26404]: [ 6] a=q debug: Using results from Razor v2.36 debug: Found Razor2 part: part=0 engine=4 ct=0 cf=0 debug: leaving helper-app run mode debug: Razor2 results: spam? 0 highest cf score: 0 debug: running raw-body-text per-line regexp tests; score so far=0 debug: running uri tests; score so far=0 debug: uri tests: Done uriRE debug: running full-text regexp tests; score so far=0 debug: Razor2 is available debug: DCCifd is not available: no r/w dccifd socket found. 
debug: DCC is available: /usr/local/bin/dccproc

Should I give it the path to /etc/razor in one of my config files?

According to my google search DCCifd is a daemon...I don't need this since im using dccproc, right?

Chris

----- Original Message -----
From: "Ugo Bellavance"
To:
Sent: Tuesday, December 30, 2003 11:42 PM
Subject: Re: DCC and Razor

> > -----Original Message-----
> > From: Chris [mailto:cwharris@MORGAN.NET]
> > Sent: Tuesday, December 30, 2003 4:44 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: DCC and Razor
> >
> > Hello all,
> >
> > Im new to mailscanner and spamassassin and would like to be
> > sure SA is using
> > DCC and Razor.
> >
> > How can I be sure of this?
>
> Run MailScanner in debug mode.
>
> set Debug = yes
>
> in MailScanner.conf
>
> restart mailscanner
>
> look at the output (on the console), try to understand it
>
> If it is still not clear, write back here, with, if possible, your output.
>
> (don't forget to set back Debug to no and restart mailscanner, to put it back in a working order.
>
> hth
>
> Ugo
>
> > Chris

From ugob at CAMO-ROUTE.COM Wed Dec 31 15:19:08 2003
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:41 2006
Subject: DCC and Razor
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE305@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Chris [mailto:cwharris@MORGAN.NET]
> Sent: Wednesday, December 31, 2003 10:15 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: DCC and Razor
>
> Ugo,
>
> I am getting a few errors it seems:

All of this seems ok to me. Don't forget that a lot of tests are done and if failed, it falls back to another test.

> Should I give it the path to /etc/razor in one of my config files?

I don't think so. Razor communicates with its servers.

> According to my google search DCCifd is a daemon...I don't
> need this since
> im using dccproc, right?

You could use DCCifd, but if it is not there, it will fall back to dccproc, and we see here that you have it.

hth

Ugo

> Chris
>
> ----- Original Message -----
> From: "Ugo Bellavance"
> To:
> Sent: Tuesday, December 30, 2003 11:42 PM
> Subject: Re: DCC and Razor
>
> > > -----Original Message-----
> > > From: Chris [mailto:cwharris@MORGAN.NET]
> > > Sent: Tuesday, December 30, 2003 4:44 PM
> > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > Subject: DCC and Razor
> > >
> > > Hello all,
> > >
> > > Im new to mailscanner and spamassassin and would like to be
> > > sure SA is using
> > > DCC and Razor.
> > >
> > > How can I be sure of this?
> >
> > Run MailScanner in debug mode.
> >
> > set Debug = yes
> >
> > in MailScanner.conf
> >
> > restart mailscanner
> >
> > look at the output (on the console), try to understand it
> >
> > If it is still not clear, write back here, with, if
> possible, your output.
> >
> > (don't forget to set back Debug to no and restart
> mailscanner, to put it
> back in a working order.
> >
> > hth
> >
> > Ugo
> >
> > > Chris

From cwharris at MORGAN.NET Wed Dec 31 15:33:56 2003
From: cwharris at MORGAN.NET (Chris)
Date: Thu Jan 12 21:21:41 2006
Subject: DCC and Razor
References: <54C38A0B814C8E438EF73FC76F3629273AE305@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <007801c3cfb3$811f17a0$1b9922d0@pub.morgan.net>

Thanks for your help!

Chris

----- Original Message -----
From: "Ugo Bellavance"
To:
Sent: Wednesday, December 31, 2003 9:19 AM
Subject: Re: DCC and Razor

> All of this seems ok to me. Don't forget that a lot of tests are done and if failed, it falls back to another test.
>
> > Should I give it the path to /etc/razor in one of my config files?
>
> I don't think so. Razor communicates with its servers.
>
> > According to my google search DCCifd is a daemon...I don't
> > need this since
> > im using dccproc, right?
>
> You could use DCCifd, but if it is not there, it will fall back to dccproc, and we see here that you have it.
>
> hth
>
> Ugo

From ka at PACIFIC.NET Wed Dec 31 16:04:46 2003
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:21:41 2006
Subject: OT: Thank you
In-Reply-To: <3FF1EFE8.5050204@avalonpub.com>
References: <3FF1EFE8.5050204@avalonpub.com>
Message-ID: <3FF2F39E.9090605@pacific.net>

Many thanks to Julian and others for your hard work, and may you have _many_ more enjoyable years working on MailScanner! ;-)
MailScanner is the mothership of antispam tools!

Ken A.
Pacific.Net

Daniel Kleinsinger wrote:

> Thanks Julian! Just chiming in to show my appreciation. MailScanner is
> great.
> Happy New Year everyone!
>
> Daniel Kleinsinger
>
> Billy A. Pumphrey wrote:
>
>> I thank you Julian and everyone in the list that email back and forth
>> and helped me out with MailScanner.
>>
>> Thank You
>> Billy Pumphrey
>>
>> -----Original Message-----
>> From: Jody Cleveland [mailto:Cleveland@WINNEFOX.ORG]
>> Sent: Tuesday, December 30, 2003 3:40 PM
>> To: MAILSCANNER@JISCMAIL.AC.UK
>> Subject: Re: OT: Thank you
>>
>> Ditto!
>>
>> > Thank you Julian for all the work, effort and
>> > thought you have put into your Software. Thank you for not making it
>> > commercial. Thank you for being who you are.
>>
>> --
>> Jody Cleveland
>> (cleveland@winnefox.org)

From mailscanner at ecs.soton.ac.uk Wed Dec 31 16:30:06 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:41 2006
Subject: Linux World interview
Message-ID: <6.0.1.1.2.20031231162802.04350af0@imap.ecs.soton.ac.uk>

If any of you are interested, I did an interview with Linuxworld magazine a month or two back, which they have just published. It's also on-line here:
http://www.linuxworld.com/story/38287.htm?DE=1
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From steve.swaney at FSL.COM Wed Dec 31 16:39:21 2003
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:21:41 2006
Subject: DCC and Razor
In-Reply-To: <006601c3cfb0$e32a4da0$1b9922d0@pub.morgan.net>
Message-ID: <20031231163906.7C52D21C2CB@mail.fsl.com>

Looks like you might have an incomplete installation. Check out:

http://razor.sourceforge.net/docs/install.php

Be sure to run Step 5. Run `razor-admin -create'

Also check your razor-agent.conf file. By default Razor creates massive log files. Typically in /root/.razor. In razor-agent.conf, change these parameters to suit your system. My defaults are shown below:

debuglevel = 0
logfile = /var/log/razor-agent.log

Also you might want to add the attached script to your daily cron jobs. Updates the list of razor servers.

Steve
steve.swaney@fsl.com

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Chris
> Sent: Wednesday, December 31, 2003 10:15 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: DCC and Razor
>
> Ugo,
>
> I am getting a few errors it seems:
>
> Should I give it the path to /etc/razor in one of my config files?
>
> According to my google search DCCifd is a daemon...I don't need this since
> im using dccproc, right?
>
> Chris
>
> ----- Original Message -----
> From: "Ugo Bellavance"
> To:
> Sent: Tuesday, December 30, 2003 11:42 PM
> Subject: Re: DCC and Razor
>
> > > -----Original Message-----
> > > From: Chris [mailto:cwharris@MORGAN.NET]
> > > Sent: Tuesday, December 30, 2003 4:44 PM
> > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > Subject: DCC and Razor
> > >
> > > Hello all,
> > >
> > > Im new to mailscanner and spamassassin and would like to be
> > > sure SA is using
> > > DCC and Razor.
> > >
> > > How can I be sure of this?
> >
> > Run MailScanner in debug mode.
> >
> > set Debug = yes
> >
> > in MailScanner.conf
> >
> > restart mailscanner
> >
> > look at the output (on the console), try to understand it
> >
> > If it is still not clear, write back here, with, if possible, your
> output.
> >
> > (don't forget to set back Debug to no and restart mailscanner, to put it
> back in a working order.
> >
> > hth
> >
> > Ugo
> >
> > > Chris

-------------- next part --------------
A non-text attachment was scrubbed...
Name: razor-discover
Type: application/octet-stream
Size: 60 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031231/04b61336/razor-discover.obj

From mikew at crucis.net Wed Dec 31 17:03:49 2003
From: mikew at crucis.net (Mike Watson)
Date: Thu Jan 12 21:21:41 2006
Subject: OT: Thank you
In-Reply-To: <3FF1DA47.8030505@carlo65.de>
References: <3FF1DA47.8030505@carlo65.de>
Message-ID: <200312311103.52971.mikew@crucis.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday 30 December 2003 02:04 pm, you wrote:
> Hi,
>
> by end of the year 2003 I would like to express my special thanks to
> Julian for the work and hours he spent for the benefit of us all.
> Thanks to his effort MailScanner is a really competitive product.
>
> I wish you all a successful and happy new year 2004.
>
> Kind regards,
>
> Roland

And I'll second that. I'm not using the most recent release, but that's my fault for not having sufficient time.

Thank you, Julian.

Mike Watson
Raymore, MO
- --
Registered Linux - 256979 (http://counter.il.org for more information)
NRA Life
ARS: W0TMW
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/8wF45fq6h2uDDlQRAmOHAKCUNel78l7h+Bsj2y/c4VW7w7Ip1wCgrd/u
D+4pmY5I4ZfV6S3RyefK3fA=
=Szn8
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From FCaen at CI.LAKEWOOD.WA.US Wed Dec 31 17:30:31 2003
From: FCaen at CI.LAKEWOOD.WA.US (Francois Caen)
Date: Thu Jan 12 21:21:41 2006
Subject: OT: Thank you
Message-ID:

I don't have much to add, but still wanted to chime in to thank you, Julian, as well as all the kind people who make this such a great Open Source community.

Francois Caen
President, Tacoma Linux Users Group, Washington

NOTICE: The Information contained in this transmission is privileged and confidential. It is intended for the use of the individual or entity named above.
If the reader of this message is not the intended addressee or other legitimate
recipient, the reader is hereby notified that any consideration, dissemination
or duplication of this communication is strictly prohibited. If the addressee
has received this communication in error, please return it to the above address
by mail and notify this office by telephone.

City of Lakewood

From Kevin_Miller at CI.JUNEAU.AK.US Wed Dec 31 17:39:15 2003
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller)
Date: Thu Jan 12 21:21:41 2006
Subject: Linux World interview
Message-ID: <08146035CA49D6119A36009027AC822A0264EC27@CITY-EXCH-NTS>

Way rad! Interesting article & some well deserved kudos.

Have a great new year...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Administrator, Mail Administrator
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>Sent: Wednesday, December 31, 2003 7:30 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Linux World interview
>
>
>If any of you are interested, I did an interview with
>Linuxworld magazine a
>month or two back, which they have just published. It's also
>on-line here:
>http://www.linuxworld.com/story/38287.htm?DE=1
>--
>Julian Field
>www.MailScanner.info
>Professional Support Services at www.MailScanner.biz
>MailScanner thanks transtec Computers for their support
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

From mailscanner at pdscc.com Wed Dec 31 23:47:44 2003
From: mailscanner at pdscc.com (Harondel J. Sibble)
Date: Thu Jan 12 21:21:41 2006
Subject: postfix, mailscanner, mail relay
In-Reply-To: <54C38A0B814C8E438EF73FC76F3629273132C8@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <200401010002.QAA03146@sheridan.sibble.net>

On 28 Dec 2003 at 22:17, Ugo Bellavance wrote:

> never reload postfix, reload mailscanner.
> You don't want to see standalone postfix instances wandering around.
>
> > Just want to make sure, in conjunction with Mailscanner, these modifications
> > should be done for the outgoing postfix instance, correct? ie the
> > /etc/postfix dir rather than /etc/postfix.in
>
> Have you read the faqs?
>
> http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/152.html

I've tried the directions as above for postfix, however any mail sent through
this server to internal mailserver doesn't get there, it gets rejected:

notes:
mailscan is the hostname of this machine, it is natted behind a sonicwall
appliance, domain.com replaces the real domain name in the logs below.
Sibbleh@mailscan.domain.com is an existing account (and only user account other
than root) on this relay box. Harondel.J.Sibble@domain.com is an existing
account on the internal mailserver that mailscan relays to. The mailscan box
does not have an MX record currently, just an A record as it is just in testing
phase and which is why I am emailing to username@mailscan.domain.com rather
than username@domain.com.

Dec 31 18:04:42 mailscan postfix/smtpd[5149]: 80D3E3FA7: reject: RCPT from outbound03.telus.net[199.185.220.222]: 450 : User unknown in local recipient table; from= to= proto=ESMTP helo=

However if mail is sent to a local account that exists on this relay box, then
all is good...
Dec 31 15:21:37 mailscan MailScanner[5542]: Uninfected: Delivered 1 messages
Dec 31 18:21:37 mailscan postfix/nqmgr[5528]: 428F46F58A: from=, size=1607, nrcpt=1 (queue active)
Dec 31 15:21:37 mailscan postfix/local[5557]: 428F46F58A: to=, relay=local, delay=24, status=sent ("|/usr/bin/procmail -Y -a $DOMAIN")

The relevant lines from my /etc/postfix/main.cf

local_recipient_maps =
relay_domains =
transport_maps = hash:/etc/postfix/transport

the contents of transport are

domain.com smtp:nat ip address of internal mail server

The second problem is mail sent from the internal mailserver gets relayed
properly except for mail addressed to domain.com addresses. These get bounced
back by the relay box to the internal mail server with a 550 spam block message.

Any suggestions on where I should be looking to resolve these 2 issues?
--
Harondel J. Sibble
Sibble Computer Consulting
Creating solutions for the small business and home computer user.
help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
(604) 739-3709 (voice/fax) (604) 686-2253 (pager)

From Cleveland at WINNEFOX.ORG Wed Dec 31 17:47:54 2003
From: Cleveland at WINNEFOX.ORG (Jody Cleveland)
Date: Thu Jan 12 21:21:41 2006
Subject: OT: Thank you
Message-ID: <7D3DDF19D93C3642931C3EB8803165A959F607@mail.winnefox.org>

I also wanted to chime in to send a huge thank you to Steve for all his
work with Mailwatch.

--
Jody Cleveland
(cleveland@winnefox.org)

> -----Original Message-----
> From: Francois Caen [mailto:FCaen@CI.LAKEWOOD.WA.US]
> Sent: Wednesday, December 31, 2003 11:31 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: OT: Thank you
>
> I don't have much to add, but still wanted to chime in to thank you,
> Julian, as well as all the kind people who make this such a great Open
> Source community.
>
> Francois Caen
> President, Tacoma Linux Users Group, Washington
>
> NOTICE: The Information contained in this transmission is
> privileged and confidential.
> It is intended for the use of
> the individual or entity named above. If the reader of this
> message is not the intended addressee or other legitimate
> recipient, the reader is hereby notified that any
> consideration, dissemination or duplication of this
> communication is strictly prohibited. If the addressee has
> received this communication in error, please return it to the
> above address by mail and notify this office by telephone.
>
> City of Lakewood
>

From bpumphrey at WOODMACLAW.COM Wed Dec 31 17:51:52 2003
From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey)
Date: Thu Jan 12 21:21:41 2006
Subject: Linux World interview
Message-ID:

That's awesome, great interview and I'm glad that the product is getting
promoted.

The MailScanner box would be awesome. Just plug it in and tell it the few
settings that it needs and go.

Thank You
Billy Pumphrey

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Wednesday, December 31, 2003 11:30 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Linux World interview

If any of you are interested, I did an interview with Linuxworld magazine a
month or two back, which they have just published. It's also on-line here:
http://www.linuxworld.com/story/38287.htm?DE=1
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From eja at URBAKKEN.DK Wed Dec 31 17:54:56 2003
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:21:41 2006
Subject: New Year.
Message-ID: <3FF30D70.9030807@urbakken.dk>

With this I want to pass a Happy New Year to all members of the list here.

Also I want to thank you Julian for your huge job with MailScanner. It's a
nice piece of software, and you have done it good for all of us, but the
spammers.

Cheers, Erik.

--
Med venlig hilsen - Best regards.
Erik Jakobsen - eja@urbakken.dk.
Licensed radioamateur with the callsign OZ4KK.
SuSE Linux 8.2 Proff.
Registered as user #319488 with the Linux Counter, http://counter.li.org.

From Kevin_Miller at CI.JUNEAU.AK.US Wed Dec 31 18:19:35 2003
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller)
Date: Thu Jan 12 21:21:41 2006
Subject: OT: FW: Verification required for kfliong@wofs.com, protected by 0Spam.com.
Message-ID: <08146035CA49D6119A36009027AC822A0264EC29@CITY-EXCH-NTS>

kfliong:

I have received two of these after posting to the MailScanner mailing list.
If you want to use this service, I suggest you configure it to accept mail
from the MailScanner mailing list w/o each person that sends to MailScanner
having to verify their address. Very poor form!

I went ahead and verified so that I could send you this note; I suspect many
that post on the list probably just blow it off. I did the first one. Frankly,
I don't care if you get the MailScanner list mail or not, but I don't want to
receive a confirm notice every time I send to it. Since I "verified" I won't
get those any more, but I'm sure others are, thus you should fix it. Or
perhaps the list administrator would be so kind as to unsubscribe you.

I'm cc:ing the mailscanner list so that others that are getting these messages
don't have to bother verifying, assuming that you go ahead and configure it to
accept list mail automatically w/o bothering the other posters...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Administrator, Mail Administrator
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

-----Original Message-----
From: verify@0spam.com [mailto:verify@0spam.com]
Sent: Wednesday, December 31, 2003 9:02 AM
To: Kevin Miller
Subject: Verification required for kfliong@wofs.com, protected by 0Spam.com.

ATTENTION!

A message you recently sent to a 0Spam.com user with the subject "Re: Linux
World interview" was not delivered because they are using the 0Spam.com
anti-spam service.
Please click the link below to confirm that this is not spam. When you
confirm, this message and all future messages you send will automatically be
accepted.

http://www.0spam.com/verify.cgi?user=1071389052&verify=480120

========================================
This is an automated message from 0Spam.com.
Please do not reply to this Email.

Looking for a free anti-spam service?
Visit us at http://www.0spam.com to find out more.

From chris at FRACTALWEB.COM Wed Dec 31 19:02:24 2003
From: chris at FRACTALWEB.COM (Chris Yuzik)
Date: Thu Jan 12 21:21:41 2006
Subject: OT: Thank you
In-Reply-To: <7D3DDF19D93C3642931C3EB8803165A959F607@mail.winnefox.org>
References: <7D3DDF19D93C3642931C3EB8803165A959F607@mail.winnefox.org>
Message-ID: <1072897344.16052.89.camel@venus.fractal>

A big THANK YOU to Julian for MailScanner. This is much better than sliced
bread.

Thank you too to Steve for MailWatch, that mother of all MailScanner stats
programs.

Thanks too to everyone on this list. Without everyone's help I would have
never been able to deal with spam this well.

Let's keep killing spam and viruses in the new year.

Cheers,
Chris

From dan.farmer at PHONEDIR.COM Wed Dec 31 20:20:29 2003
From: dan.farmer at PHONEDIR.COM (Dan Farmer)
Date: Thu Jan 12 21:21:41 2006
Subject: OT: Thank you
In-Reply-To: <1072897344.16052.89.camel@venus.fractal>
References: <7D3DDF19D93C3642931C3EB8803165A959F607@mail.winnefox.org> <1072897344.16052.89.camel@venus.fractal>
Message-ID:

thank you Julian, as well as the others on this list who've spent time
helping myself and all the other new MailScanner users get up and running.
what a great product and a great community of users!

happy new year,

dan

From michele at BLACKNIGHTSOLUTIONS.COM Wed Dec 31 22:08:35 2003
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:21:41 2006
Subject: OT: FW: Verification required for kfliong@wofs.com, protected by 0Spam.com.
In-Reply-To: <08146035CA49D6119A36009027AC822A0264EC29@CITY-EXCH-NTS>
References: <08146035CA49D6119A36009027AC822A0264EC29@CITY-EXCH-NTS>
Message-ID: <1395.159.134.205.208.1072908515.squirrel@www.blacknightsolutions.com>

Kevin

You have a hell of a lot more patience than me. I've noticed a number of
these subscribers with their anti-spam junk on other lists recently and
refuse pointblank to 'verify' myself. I really don't care whether they get my
mail or not and as most of them never contribute in any form to the lists
they are subscribed to not receiving their mail is not too painful for me.

Happy New Year to all :)

M

>
--
Mr. Michele Neylon
Blacknight Solutions
http://www.blacknightsolutions.ie/
Tel. 059-9139897
.ie registration from €45!

From harryh at CET.COM Wed Dec 31 22:41:27 2003
From: harryh at CET.COM (Harry Hanson)
Date: Thu Jan 12 21:21:41 2006
Subject: Resend quarantined file?
In-Reply-To: <1395.159.134.205.208.1072908515.squirrel@www.blacknightsolutions.com>
Message-ID: <200312312241.hBVMfgVU030342@fili.jiscmail.ac.uk>

Dec 31 04:58:27 mx01 MailScanner[38749]: Saved infected "new_year3.exe" to /var/spool/MailScanner/quarantine/20031231/hBVCvaS3053144

The recipient requested we send the mail, but how do I accomplish that
(can't simply move to outgoing queue as it gets a "not a regular file"
error)?

Thanks.

From ugob at CAMO-ROUTE.COM Wed Dec 31 22:45:23 2003
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:41 2006
Subject: Resend quarantined file?
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE308@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Harry Hanson [mailto:harryh@CET.COM]
> Sent: Wednesday, December 31, 2003 5:41 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Resend quarantined file?
>
> Dec 31 04:58:27 mx01 MailScanner[38749]: Saved infected "new_year3.exe" to /var/spool/MailScanner/quarantine/20031231/hBVCvaS3053144
>
> The recipient requested we send the mail, but how do I accomplish that
> (can't simply move to outgoing queue as it gets a "not a regular file"
> error)?

What is your mailer? sendmail, postfix, exim...?

>
> Thanks.
>

From garry at GLENDOWN.DE Wed Dec 31 22:52:01 2003
From: garry at GLENDOWN.DE (Garry Glendown)
Date: Thu Jan 12 21:21:41 2006
Subject: Resend quarantined file?
In-Reply-To: <200312312241.hBVMfgVU030342@fili.jiscmail.ac.uk>
References: <200312312241.hBVMfgVU030342@fili.jiscmail.ac.uk>
Message-ID: <3FF35311.7080900@glendown.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Harry Hanson wrote:

| Dec 31 04:58:27 mx01 MailScanner[38749]: Saved infected "new_year3.exe" to /var/spool/MailScanner/quarantine/20031231/hBVCvaS3053144
|
| The recipient requested we send the mail, but how do I accomplish that
| (can't simply move to outgoing queue as it gets a "not a regular file"
| error)?

I've written a PHP script that allows users to directly select any
attachment that's quarantined ... mailing to the user has the problem that
the file will most likely be filtered again ;)

Authorization is done via the date and directory name (should be sufficient
...), and either by filling the form, or directly via the URL.

What's the best way to circulate the script? (still need to write some
readme/info for it) Is there some place that collects user contributions to
MailScanner?
Bye & happy new year,

-garry

From harryh at CET.COM Wed Dec 31 23:46:55 2003
From: harryh at CET.COM (Harry Hanson)
Date: Thu Jan 12 21:21:41 2006
Subject: Resend quarantined file?
In-Reply-To: <54C38A0B814C8E438EF73FC76F3629273AE308@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <200312312347.hBVNlKVU031227@fili.jiscmail.ac.uk>

sendmail

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ugo Bellavance
> Sent: Wednesday, December 31, 2003 2:45 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Resend quarantined file?
>
> > -----Original Message-----
> > From: Harry Hanson [mailto:harryh@CET.COM]
> > Sent: Wednesday, December 31, 2003 5:41 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Resend quarantined file?
> >
> > Dec 31 04:58:27 mx01 MailScanner[38749]: Saved infected "new_year3.exe" to /var/spool/MailScanner/quarantine/20031231/hBVCvaS3053144
> >
> > The recipient requested we send the mail, but how do I accomplish that
> > (can't simply move to outgoing queue as it gets a "not a regular file"
> > error)?
>
> What is your mailer? sendmail, postfix, exim...?
> >
> > Thanks.
> >
>

From pz at CHRIST-NET.SK Wed Dec 10 12:02:19 2003
From: pz at CHRIST-NET.SK (Peter Zimen)
Date: Thu Jan 12 21:21:44 2006
Subject: rules not work with postfix
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3C5@jessica.herefordshire.gov.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3C5@jessica.herefordshire.gov.uk>
Message-ID:

Hello,

I have installed the last version of mailscanner. With sendmail it works
good, but I converted my MTA on all servers to postfix and the rules feature
doesn't work properly.

Spam Check rules = don't work
Spam Whitelist/Blacklist = don't work

Only what works is:
FromTo: default yes

Peter

From gioia at bclink.it Mon Dec 15 15:01:56 2003
From: gioia at bclink.it (gioia@bclink.it)
Date: Thu Jan 12 21:21:44 2006
Subject: R: F-prot update script
In-Reply-To: <6.0.1.1.2.20031215142347.037d2530@imap.ecs.soton.ac.uk>
Message-ID:

I'm running the f-prot-autoupdate script, if I run the update_virus_scanners
script I receive no emails, but I wish to use the f-prot-autoupdate script
directly to run separately the updates for both f-prot and Antivir ..

-----Original Message-----
From: Julian Field [mailto:mailscanner@ecs.soton.ac.uk]
Sent: Monday, 15 December 2003 15.25
To: gioia@bclink.it
Cc: mailscanner@jiscmail.ac.uk
Subject: Re: F-prot update script

At 13:52 15/12/2003, you wrote:
>Hi all!
>
>how can I disable the f-prot-autoupdate script option to not send email
>notifications if it did not need to be updated ?
>I wouldn't receive this every hour..
>
>------------------------
>FTP address for retrieving files is ftp://us-3.updates.f-prot.com/pub/
>File SIGN.DEF is already up to date.
>File SIGN2.DEF is already up to date.
>File MACRO.DEF is already up to date.
>Nothing to be done.
>------------------------

Is your cron job calling update_virus_scanners or calling f-prot-autoupdate
directly?

>I've had some experiences with Sophos Antivirus too, and I noticed that it
>downloads new ide files as soon as they were released ..
>it's not possible to have the same feature with other Antivirus software as
>f-prot and Antivir ?!

My sophos-autoupdate script just updates hourly, the same as all the others.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
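
A cron wrapper for the hourly-mail question in the message above, written as an added example (not part of the thread, and not MailScanner's or F-Prot's own code): it discards the report only when the updater exited 0 and every line is one of the no-op lines quoted in the post, so a failed or real update still produces mail. The function names, the two constructed sample reports and the crontab path are assumptions.

```shell
#!/bin/sh
# Added example. cron mails whatever a job prints, so the wrapper prints
# nothing for a clean "no update needed" run and everything otherwise.
# crontab usage (placeholder paths, assumption):
#   0 * * * * /usr/local/sbin/quiet-update.sh /path/to/f-prot-autoupdate

# is_noop_report: read an updater report on stdin. Succeed only if it contains
# "Nothing to be done." and no line other than the no-op lines from the post.
is_noop_report() {
    awk '
        /^[ \t]*$/ || /^-+$/                            { next }
        /^FTP address for retrieving files is /         { next }
        /^File [A-Za-z0-9_.]+ is already up to date\.$/ { next }
        /^Nothing to be done\.$/                        { saw_done = 1; next }
                                                        { unexpected = 1 }
        END { if (saw_done && !unexpected) exit 0; exit 1 }
    '
}

# run_quiet_update CMD [ARGS...]: run the updater, capture stdout and stderr,
# and print the report only when something changed or the run failed.
run_quiet_update() {
    status=0
    report=$("$@" 2>&1) || status=$?
    if [ "$status" -eq 0 ] && printf '%s\n' "$report" | is_noop_report; then
        return 0    # clean no-op: no output, so cron sends no mail
    fi
    printf '%s\n' "$report"
    return "$status"
}

# Stand-ins for the real updater so the wrapper can be exercised offline.
sample_noop_run() {      # the no-op report quoted in the post
    printf '%s\n' \
        'FTP address for retrieving files is ftp://us-3.updates.f-prot.com/pub/' \
        'File SIGN.DEF is already up to date.' \
        'File SIGN2.DEF is already up to date.' \
        'File MACRO.DEF is already up to date.' \
        'Nothing to be done.'
}
sample_changed_run() {   # constructed: any unrecognised line counts as a change
    printf '%s\n' \
        'File SIGN.DEF is already up to date.' \
        'CONSTRUCTED: SIGN2.DEF replaced with a newer copy' \
        'Nothing to be done.'
}
sample_failed_run() {    # constructed: report looks like a no-op but exit is non-zero
    printf '%s\n' 'Nothing to be done.'
    return 3
}

# When run as a script, the arguments are the updater command line.
if [ "$#" -gt 0 ]; then run_quiet_update "$@"; fi
```

Matching on an allow-list of known no-op lines, rather than on a "was updated" string, means an unfamiliar error message is never swallowed.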